I have been using this little PEiD plugin for a long time and have always found it to work well, with a fairly high hit rate. While writing my own packer I tried to evade its detection, but never managed to, so I spent some time looking at how it is implemented, and then it all made sense. Below is the plugin's top-level exported function (DoMyJob, exported entry 1): it validates the host's magic value and the file name, maps the file read-only, checks the "MZ" and "PE\0\0" signatures, pulls ImageBase and SizeOfImage out of the PE32 optional header, and then hands control to GetOEP.

10001870 ; Exported entry 1. DoMyJob
10001870
10001870 ; ************** S U B R O U T I N E *****************************************
10001870
10001870 public DoMyJob
10001870 DoMyJob proc near
10001870
10001870 hWnd  = dword ptr 4
10001870 arg_4 = dword ptr 8                  ; lpFileName
10001870 arg_8 = dword ptr 0Ch                ; magic value supplied by the host
10001870
10001870 mov     eax, [esp+arg_8]
10001874 push    ebx
10001875 push    esi
10001876 cmp     eax, 50456944h               ; 'PEiD' (bytes 44 69 45 50 in memory)
1000187B push    edi
1000187C jz      short loc_10001889
1000187E cmp     eax, 5852445Ah               ; 'XRDZ', the other accepted magic
10001883 jnz     loc_10001A81                 ; unknown caller: bail out
10001889
10001889 loc_10001889:                        ; ...
10001889 mov     ebx, [esp+0Ch+arg_4]         ; lpFileName
1000188D or      ecx, 0FFFFFFFFh
10001890 mov     edi, ebx
10001892 xor     eax, eax
10001894 repne scasb                          ; inline strlen(lpFileName)
10001896 not     ecx
10001898 dec     ecx                          ; ecx = strlen(lpFileName)
10001899 cmp     ecx, 1
1000189C jnb     short loc_100018BE           ; non-empty name: go open it
1000189E mov     eax, [esp+0Ch+hWnd]
100018A2 push    40000h                       ; uType (MB_TOPMOST)
100018A7 push    offset szError               ; lpCaption
100018AC push    offset szNoFileSpecifie      ; lpText
100018B1 push    eax                          ; hWnd
100018B2 call    ds:MessageBoxA
100018B8 pop     edi
100018B9 pop     esi
100018BA xor     eax, eax                     ; return FALSE
100018BC pop     ebx
100018BD retn
100018BE ; ----------------------------------------------------------------------------
100018BE
100018BE loc_100018BE:                        ; ...
100018BE push    0                            ; hTemplateFile
100018C0 push    80h                          ; dwFlagsAndAttributes (FILE_ATTRIBUTE_NORMAL)
100018C5 push    3                            ; dwCreationDisposition (OPEN_EXISTING)
100018C7 push    0                            ; lpSecurityAttributes
100018C9 push    1                            ; dwShareMode (FILE_SHARE_READ)
100018CB push    80000000h                    ; dwDesiredAccess (GENERIC_READ)
100018D0 push    ebx                          ; lpFileName
100018D1 call    ds:CreateFileA
100018D7 cmp     eax, 0FFFFFFFFh              ; INVALID_HANDLE_VALUE?
100018DA mov     ds:hObject, eax
100018DF jnz     short loc_10001908
100018E1 push    eax                          ; hObject (note: this is INVALID_HANDLE_VALUE here)
100018E2 call    ds:CloseHandle
100018E8 mov     ecx, [esp+0Ch+hWnd]
100018EC push    40000h                       ; uType (MB_TOPMOST)
100018F1 push    offset szError               ; lpCaption
100018F6 push    offset szCouldNotOpenTh      ; lpText
100018FB push    ecx                          ; hWnd
100018FC call    ds:MessageBoxA
10001902 pop     edi
10001903 pop     esi
10001904 xor     eax, eax                     ; return FALSE
10001906 pop     ebx
10001907 retn
10001908 ; ----------------------------------------------------------------------------
10001908
10001908 loc_10001908:                        ; ...
10001908 push    0                            ; lpName
1000190A push    0                            ; dwMaximumSizeLow
1000190C push    0                            ; dwMaximumSizeHigh (0/0: whole file)
1000190E push    2                            ; flProtect (PAGE_READONLY)
10001910 push    0                            ; lpFileMappingAttributes
10001912 push    eax                          ; hFile
10001913 call    ds:CreateFileMappingA
10001919 push    0                            ; dwNumberOfBytesToMap (0: entire mapping)
1000191B push    0                            ; dwFileOffsetLow
1000191D mov     edi, eax                     ; edi = mapping handle
1000191F push    0                            ; dwFileOffsetHigh
10001921 push    4                            ; dwDesiredAccess (FILE_MAP_READ)
10001923 push    edi                          ; hFileMappingObject
10001924 call    ds:MapViewOfFile
1000192A mov     esi, eax                     ; esi = base of the mapped view
1000192C test    esi, esi
1000192E jnz     short MapViewCreated
10001930 mov     edx, ds:hObject
10001936 mov     esi, ds:CloseHandle
1000193C push    edx                          ; hObject (file handle)
1000193D call    esi                          ; CloseHandle
1000193F push    edi                          ; hObject (mapping handle)
10001940 call    esi                          ; CloseHandle
10001942 mov     eax, [esp+0Ch+hWnd]
10001946 push    40000h                       ; uType (MB_TOPMOST)
1000194B push    offset szError               ; lpCaption
10001950 push    offset szMappingError__      ; lpText
10001955 push    eax                          ; hWnd
10001956 call    ds:MessageBoxA
1000195C pop     edi
1000195D pop     esi
1000195E xor     eax, eax                     ; return FALSE
10001960 pop     ebx
10001961 retn
10001962 ; ----------------------------------------------------------------------------
10001962
10001962 MapViewCreated:                      ; ...
10001962 mov     ds:lpFileHeader, esi
10001968 cmp     word ptr [esi], 5A4Dh        ; "MZ": is it a DOS/Windows executable?
1000196D jz      short IsExeFile
1000196F mov     ecx, ds:hObject
10001975 mov     esi, ds:CloseHandle
1000197B push    ecx                          ; hObject (file handle)
1000197C call    esi                          ; CloseHandle
1000197E push    edi                          ; hObject (mapping handle)
1000197F call    esi                          ; CloseHandle
10001981 mov     edx, [esp+0Ch+hWnd]
10001985 push    40000h                       ; uType (MB_TOPMOST)
1000198A push    offset szError               ; lpCaption
1000198F push    offset szNotADosExecuta      ; lpText
10001994 push    edx                          ; hWnd
10001995 call    ds:MessageBoxA
1000199B pop     edi
1000199C pop     esi
1000199D xor     eax, eax                     ; return FALSE
1000199F pop     ebx
100019A0 retn
100019A1 ; ----------------------------------------------------------------------------
100019A1
100019A1 IsExeFile:                           ; ...
100019A1 mov     eax, [esi+3Ch]               ; IMAGE_DOS_HEADER.e_lfanew
100019A4 push    4                            ; ucb: 4 bytes for the signature
100019A6 add     eax, esi                     ; lpPEHeader = view base + e_lfanew
100019A8 push    eax                          ; lp
100019A9 mov     ds:lpPEHeader, eax
100019AE call    ds:IsBadReadPtr              ; does e_lfanew still point inside the view?
100019B4 test    eax, eax
100019B6 jnz     ReadMemError
100019BC mov     eax, ds:lpPEHeader
100019C1 cmp     dword ptr [eax], 4550h       ; "PE\0\0": is it a PE file?
100019C7 jnz     ReadMemError
100019CD lea     ecx, [eax+0F8h]              ; first IMAGE_SECTION_HEADER, assuming sizeof(IMAGE_NT_HEADERS32) = 0F8h
100019D3 push    ebp
100019D4 mov     ebp, [esp+10h+hWnd]
100019D8 mov     ds:lpScnNameInfo, ecx
100019DE mov     ecx, [eax+50h]               ; OptionalHeader.SizeOfImage
100019E1 mov     edx, [eax+34h]               ; OptionalHeader.ImageBase
100019E4 push    ebx                          ; lpFileName
100019E5 push    ecx                          ; SizeOfImage
100019E6 push    ebp                          ; hWnd
100019E7 mov     ds:BaseAddress, edx
100019ED call    GetOEP                       ; ----------> this function is the key
Copyright 2007 黑客防线 (Hacker Defence). 廊(公)备13100138000530号