本節與PE文件格式相關的術語以<<微軟PE/COFF規範>>爲準([13]),再也不強調該點。
winnt.h中定義了部分相關數據結構,後面如未單獨註明來自哪一個頭文件,均隱指來
自winnt.h。執行vulnerable_0.exe,進入windbg調試狀態。
> !list -t _LIST_ENTRY.Flink -x "dd" -a "+18 L1" 241ec0
00241ed8 00400000
00241f30 77f50000
00241fd8 77e60000
... ...
從上節可知,ntdll.dll基址是0x77f50000,kernel32.dll基址是0x77e60000。最開
始的64字節按以下數據結構解析:
--------------------------------------------------------------------------
#define IMAGE_DOS_SIGNATURE 0x5A4D // MZ
typedef struct _IMAGE_DOS_HEADER // DOS .EXE header
{
WORD e_magic; // +0x00 Magic number
WORD e_cblp; // +0x02 Bytes on last page of file
WORD e_cp; // +0x04 Pages in file
WORD e_crlc; // +0x06 Relocations
WORD e_cparhdr; // +0x08 Size of header in paragraphs
WORD e_minalloc; // +0x0a Minimum extra paragraphs needed
WORD e_maxalloc; // +0x0c Maximum extra paragraphs needed
WORD e_ss; // +0x0e Initial (relative) SS value
WORD e_sp; // +0x10 Initial SP value
WORD e_csum; // +0x12 Checksum
WORD e_ip; // +0x14 Initial IP value
WORD e_cs; // +0x16 Initial (relative) CS value
WORD e_lfarlc; // +0x18 File address of relocation table
WORD e_ovno; // +0x1a Overlay number
WORD e_res[4]; // +0x1c Reserved words
WORD e_oemid; // +0x24 OEM identifier (for e_oeminfo)
WORD e_oeminfo; // +0x26 OEM information; e_oemid specific
WORD e_res2[10]; // +0x28 Reserved words
LONG e_lfanew; // +0x3c File address of new exe header
// +0x40
} IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;
--------------------------------------------------------------------------
> db 77e60000 L0n64
77e60000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
77e60010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
77e60020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
77e60030 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................
> dd 77e60000+3c L1 (顯示e_lfanew成員)
77e6003c 000000f8
其中e_lfanew成員用於定位PE頭。從註釋中理解,e_lfanew是File pointer,非RVA,
不過在這裏當成RVA處理也不要緊。e_lfanew值爲0x000000f8,PE頭在基址加0xf8的
位置。PE頭最開始是標識"PE\0\0",佔4字節,而後是20字節固定頭。
--------------------------------------------------------------------------
#define IMAGE_NT_SIGNATURE 0x00004550 // PE00
#define IMAGE_SIZEOF_FILE_HEADER 20
typedef struct _IMAGE_FILE_HEADER
{
WORD Machine; // +0x00
WORD NumberOfSections; // +0x02
DWORD TimeDateStamp; // +0x04
DWORD PointerToSymbolTable; // +0x08
DWORD NumberOfSymbols; // +0x0c
WORD SizeOfOptionalHeader; // +0x10
WORD Characteristics; // +0x12
// +0x14
} IMAGE_FILE_HEADER, *PIMAGE_FILE_HEADER;
--------------------------------------------------------------------------
> db 77e60000+f8 L0n24
77e600f8 50 45 00 00 4c 01 04 00-28 fa 6d 3d 00 00 00 00 PE..L...(.m=....
77e60108 00 00 00 00 e0 00 0e 21
^^^^^
接下來是可選頭,SizeOfOptionalHeader成員代表可選頭佔用了224字節(0x00e0)。
--------------------------------------------------------------------------
typedef struct _IMAGE_OPTIONAL_HEADER
{
WORD Magic; // +0x00
BYTE MajorLinkerVersion; // +0x02
BYTE MinorLinkerVersion; // +0x03
DWORD SizeOfCode; // +0x04
DWORD SizeOfInitializedData; // +0x08
DWORD SizeOfUninitializedData; // +0x0c
DWORD AddressOfEntryPoint; // +0x10
DWORD BaseOfCode; // +0x14
DWORD BaseOfData; // +0x18
DWORD ImageBase; // +0x1c
DWORD SectionAlignment; // +0x20
DWORD FileAlignment; // +0x24
WORD MajorOperatingSystemVersion; // +0x28
WORD MinorOperatingSystemVersion; // +0x2a
WORD MajorImageVersion; // +0x2c
WORD MinorImageVersion; // +0x2e
WORD MajorSubsystemVersion; // +0x30
WORD MinorSubsystemVersion; // +0x32
DWORD Win32VersionValue; // +0x34
DWORD SizeOfImage; // +0x38
DWORD SizeOfHeaders; // +0x3c
DWORD CheckSum; // +0x40
WORD Subsystem; // +0x44
WORD DllCharacteristics; // +0x46
DWORD SizeOfStackReserve; // +0x48
DWORD SizeOfStackCommit; // +0x4c
DWORD SizeOfHeapReserve; // +0x50
DWORD SizeOfHeapCommit; // +0x54
DWORD LoaderFlags; // +0x58
DWORD NumberOfRvaAndSizes; // +0x5c Number of data-dictionary entries in the remainder of the Optional Header
// +0x60
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
// +0xe0
} IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;
typedef struct _IMAGE_DATA_DIRECTORY
{
DWORD VirtualAddress; // +0x00 RVA
DWORD Size; // +0x04 The size in bytes
// +0x08
} IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
#define IMAGE_NUMBEROF_DIRECTORY_ENTRIES 16
#define IMAGE_DIRECTORY_ENTRY_EXPORT 0 // Export Directory
#define IMAGE_DIRECTORY_ENTRY_IMPORT 1 // Import Directory
#define IMAGE_DIRECTORY_ENTRY_RESOURCE 2 // Resource Directory
#define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3 // Exception Directory
#define IMAGE_DIRECTORY_ENTRY_SECURITY 4 // Security Directory
#define IMAGE_DIRECTORY_ENTRY_BASERELOC 5 // Base Relocation Table
#define IMAGE_DIRECTORY_ENTRY_DEBUG 6 // Debug Directory
#define IMAGE_DIRECTORY_ENTRY_ARCHITECTURE 7 // Architecture Specific Data
#define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8 // RVA of GP
#define IMAGE_DIRECTORY_ENTRY_TLS 9 // TLS Directory
#define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10 // Load Configuration Directory
#define IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 11 // Bound Import Directory in headers
#define IMAGE_DIRECTORY_ENTRY_IAT 12 // Import Address Table
#define IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 13 // Delay Load Import Descriptors
#define IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 14 // COM Runtime descriptor
--------------------------------------------------------------------------
IMAGE_DATA_DIRECTORY.VirtualAddress是RVA。通常狀況DataDirectory[]是含有16
個元素的結構數組。前兩個元素分別對應Export Directory與Import Directory。但
是規範3.4.3小節指出元素個數不固定,須要檢查NumberOfRvaAndSizes成員肯定元素
個數。
此外,不要假設IMAGE_DATA_DIRECTORY.VirtualAddress指向所在section的起始位置,
好比Import Directory通常位於.idata section中,但不能假設RVA指向.idata的起
始位置。不要假設Import Directory所在section必定擁有".idata"這個名字。
> db 77e60000+f8+0n24 L0n224
77e60110 0b 01 07 00 00 56 07 00-00 dc 06 00 00 00 00 00 .....V..........
77e60120 60 ae 01 00 00 10 00 00-00 20 07 00 00 00 e6 77 `........ .....w
77e60130 00 10 00 00 00 02 00 00-05 00 01 00 05 00 01 00 ................
77e60140 04 00 00 00 00 00 00 00-00 60 0e 00 00 04 00 00 .........`......
77e60150 d3 7e 0e 00 03 00 00 00-00 00 04 00 00 10 00 00 .~..............
77e60160 00 00 10 00 00 10 00 00-00 00 00 00 10 00 00 00 ................
77e60170 40 d0 06 00 39 6b 00 00-7c 3b 07 00 28 00 00 00 @...9k..|;..(...
77e60180 00 a0 07 00 d8 5e 06 00-00 00 00 00 00 00 00 00 .....^..........
77e60190 00 00 00 00 00 00 00 00-00 00 0e 00 54 53 00 00 ............TS..
77e601a0 fc 63 07 00 38 00 00 00-00 00 00 00 00 00 00 00 .c..8...........
77e601b0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
77e601c0 a8 76 07 00 40 00 00 00-90 02 00 00 1c 00 00 00 .v..@...........
77e601d0 00 10 00 00 0c 06 00 00-00 00 00 00 00 00 00 00 ................
77e601e0 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
> dd 77e60000+f8+0n24+5c L1 (檢查NumberOfRvaAndSizes成員)
77e6016c 00000010
> dd 77e60000+f8+0n24+60 L2 (定位Export Directory,當前基是16)
77e60170 0006d040 00006b39
^^^^^^^^
> ? 77e60000+0006d040+00006b39
Evaluate expression: 2012035961 = 77ed3b79
> ? 77e60000+0006d040
Evaluate expression: 2012008512 = 77ecd040
如今咱們知道Export Directory在"77e60000+0006d040",格式以下:
--------------------------------------------------------------------------
typedef struct _IMAGE_EXPORT_DIRECTORY
{
DWORD Characteristics; // +0x00
DWORD TimeDateStamp; // +0x04
WORD MajorVersion; // +0x08
WORD MinorVersion; // +0x0a
DWORD Name; // +0x0c Name of the DLL
DWORD Base; // +0x10 Starting ordinal number for exports
DWORD NumberOfFunctions; // +0x14 Number of entries in the EAT
DWORD NumberOfNames; // +0x18 Number of entries in the ENPT/EOT
DWORD AddressOfFunctions; // +0x1c RVA from base of image
DWORD AddressOfNames; // +0x20 RVA from base of image
DWORD AddressOfNameOrdinals; // +0x24 RVA from base of image
// +0x28
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;
--------------------------------------------------------------------------
AddressOfFunctions
指向Export Address Table。
DWORD EAT[NumberOfFunctions];
EAT[i]
可選頭中IMAGE_DATA_DIRECTORY結構決定了引出信息範圍。若是EAT[i]的值不在
引出信息範圍,則爲函數地址(Export RVA)。不然,該值指向形如dllname.#27
或者dllname.exportfunc的ASCIZ串,用MS術語說,這是一個Forwarder RVA,表
示由另一個dll實際引出某函數。
AddressOfNames
指向Export Name Pointer Table
DWORD ENPT[NumberOfNames];
ENPT[i]
指向Export Name Table中某個位置
ENT由ASCIZ串構成
AddressOfNameOrdinals
指向Export Ordinal Table
WORD EOT[NumberOfNames];
參看規範6.3.4小節,這幾個數組之間的關係用僞C語言描述以下:
--------------------------------------------------------------------------
/*
* 懷疑該規範與MS最終實現有出入,規範中EOT[0]應該等於ordinal_base的,但MS
* 最終實現裏EOT[0]等於0。這裏的僞代碼符合MS的最終實現。看來,理論->實踐->
* 再理論的學習過程永遠都要牢記,不然死菜了都不知道怎麼死菜的。
*/
index = Search_ENPT( function_name );
index = EOT[ index ];
function_addr = EAT[ index ];
ordinal = ordinal_base + index;
--------------------------------------------------------------------------
爲什麼多出個EOT,由於可能不一樣的函數名對應同一個函數地址,參[14]的12.5小節。
假設源代碼中有以下聲明:
__declspec(dllexport) int __stdcall PublicFunc ( int a, int b, int c, int d );
假設沒有使用DEF文件:
EXPORTS
PublicFunc
同時卻又在源代碼出現:
#pragma comment( linker, "/EXPORT:PublicFunc=_PublicFunc@32" )
此時生成PE文件時會同時引出兩個符號,"PublicFunc"與"_PublicFunc@32",這兩個
符號對應同一個函數。反映在上述幾個數組中,即EOT[i]等於EOT[j]。
NumberOfFunctions與NumberOfNames在這種情形下不等。除此以外,還有一種不等情
形。NumberOfNames爲0,NumberOfFunctions不爲0,表示模塊僅經過ordinal引出函
數,這是至關極端卻有可能出現的情形。
VC有個現成的工具dumpbin,可用於觀察引出(export)信息:
> dumpbin X:\XP\system32\kernel32.dll /exports
Section contains the following exports for KERNEL32.dll
00000000 characteristics
3D6DE616 time date stamp Thu Aug 29 17:15:02 2002
0.00 version
1 ordinal base
942 number of functions
942 number of names
ordinal hint RVA name
1 0 000137E8 ActivateActCtx
2 1 000093FE AddAtomA
3 2 0000D496 AddAtomW
4 3 000607C5 AddConsoleAliasA
5 4 0006078E AddConsoleAliasW
6 5 0004E0A1 AddLocalAlternateComputerNameA
7 6 0004DF8C AddLocalAlternateComputerNameW
8 7 00035098 AddRefActCtx
9 8 AddVectoredExceptionHandler (forwarded to NTDLL.RtlAddVectoredExceptionHandler)
10 9 00036909 AllocConsole
... ...
401 190 0001B332 GetProcAddress
... ...
571 23A 0001D961 LoadLibraryA
572 23B 0001D941 LoadLibraryExA
573 23C 0001D839 LoadLibraryExW
574 23D 00013B38 LoadLibraryW
... ...
回windbg驗證一下:
> db 77e60000+0006d040 L28
77ecd040 00 00 00 00 16 e6 6d 3d-00 00 00 00 34 f5 06 00 ......m=....4...
77ecd050 01 00 00 00 ae 03 00 00-ae 03 00 00 68 d0 06 00 ............h...
77ecd060 20 df 06 00 d8 ed 06 00
> da 77e60000+poi(0x77e60000+0x0006d040+0xc) (Name)
77ecf534 "KERNEL32.dll"
> dd 0x77e60000+0x0006d040+0x10 L1 (Base)
77ecd050 00000001
> dd 0x77e60000+0x0006d040+0x14 L1 (NumberOfFunctions)
77ecd054 000003ae
> dd 0x77e60000+0x0006d040+0x18 L1 (NumberOfNames)
77ecd058 000003ae
> dd 0x77e60000+0x0006d040+0x1c L3 (AddressOfFunctions、AddressOfNames、AddressOfNameOrdinals)
77ecd05c 0006d068 0006df20 0006edd8
套用這個公式:
--------------------------------------------------------------------------
0x190 = Search_ENPT( "GetProcAddress" );
0x190 = EOT[ 0x190 ];
0x77e7b332 = EAT[ 0x190 ];
0x191 = 1 + 0x190;
--------------------------------------------------------------------------
> da 77e60000+poi(77e60000+0006df20+0x190*4) (訪問ENPT、ENT)
77ed1393 "GetProcAddress"
> dw 77e60000+0006edd8+0x190*2 L1 (訪問EOT)
77ecf0f8 0190
> ? 77e60000+poi(77e60000+0006d068+0x190*4) (訪問EAT)
Evaluate expression: 2011673394 = 77e7b332
> u 77e7b332 (這個地址不在[77ecd040, 77ed3b79)內)
kernel32!GetProcAddress:
77e7b332 55 push ebp
77e7b333 8bec mov ebp,esp
77e7b335 51 push ecx
77e7b336 51 push ecx
77e7b337 53 push ebx
77e7b338 57 push edi
77e7b339 8b7d0c mov edi,[ebp+0xc]
77e7b33c bbffff0000 mov ebx,0xffff
再來驗證一下Forwarder RVA的情形:
--------------------------------------------------------------------------
8 = Search_ENPT( "AddVectoredExceptionHandler" );
8 = EOT[ 8 ];
0x77ed38ad = EAT[ 8 ];
9 = 1 + 8;
--------------------------------------------------------------------------
> da 77e60000+poi(77e60000+0006df20+8*4) (訪問ENPT、ENT)
77ecf5cf "AddVectoredExceptionHandler"
> dw 77e60000+0006edd8+8*2 L1 (訪問EOT)
77ecede8 0008
> ? 77e60000+poi(77e60000+0006d068+8*4) (訪問EAT)
Evaluate expression: 2012035245 = 77ed38ad
> da 77e60000+poi(77e60000+0006d068+8*4) (這個地址在[77ecd040, 77ed3b79)內)
77ed38ad "NTDLL.RtlAddVectoredExceptionHan"
77ed38cd "dler"
如今總結一下"根據PE文件格式獲取LoadLibraryA()/GetProcAddress()地址"全過程:
a. 經過TEB/PEB獲取kernel32.dll基址
b. 在(基址+0x3c)處獲取e_lfanew
c. 在(基址+e_lfanew+0x78)處獲取Export Directory地址(後面爲描述方便簡稱export)
d. 在(基址+export+0x1c)處獲取AddressOfFunctions、AddressOfNames、AddressOfNameOrdinals
e. 搜索ENPT,肯定"LoadLibraryA"、"GetProcAddress"所對應的index
f. index = EOT[ index ];
g. function_addr = EAT[ index ];
下面是完整的C語言演示程序,彙編化留到編寫完整shellcode時進行。
--------------------------------------------------------------------------
/*
* -----------------------------------------------------------------------
* Compile : For x86/EWindows XP SP1 & VC 7
* : cl GetAddr.c /nologo /Os /G6 /W3 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /link /RELEASE
* :
* Create : 2003-08-14 15:11
* Modify :
* -----------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment( linker, "/INCREMENTAL:NO" )
#pragma comment( linker, "/subsystem:console" )
static void * __stdcall SearchAPI ( char *BASE, DWORD *EAT, DWORD *ENPT, WORD *EOT, DWORD num, char *name )
{
DWORD index = 0;
char *function_name = NULL;
void *function_addr = NULL;
for ( index = 0; index < num; index++ )
{
function_name = ENPT[index] + BASE;
/*
* 大小寫敏感比較
*/
if ( 0 == strcmp( function_name, name ) )
{
index = EOT[index];
function_addr = EAT[index] + BASE;
return( function_addr );
}
} /* end of for */
return( NULL );
} /* end of SearchAPI */
int __cdecl main ( int argc, char * argv[] )
{
void *PEB = NULL,
*Ldr = NULL,
*Flink = NULL,
*kernel32_BaseAddress = NULL,
*kernel32_BaseDllName = NULL,
*ExportDirectory = NULL,
*PrivateLoadLibraryA = NULL,
*PrivateGetProcAddress = NULL;
DWORD NumberOfNames = 0,
*AddressOfFunctions = NULL,
*AddressOfNames = NULL;
WORD *AddressOfNameOrdinals = NULL;
LONG e_lfanew = 0;
__asm
{
mov eax,fs:[0x30]
mov PEB,eax
}
printf( "PEB = 0x%08X\n", PEB );
Ldr = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) );
printf( "Ldr = 0x%08X\n", Ldr );
Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x1c ) );
printf( "Flink = 0x%08X\n", Flink );
Flink = *( ( void ** )Flink );
kernel32_BaseAddress = *( ( void ** )( ( unsigned char * )Flink + 0x08 ) );
kernel32_BaseDllName = *( ( void ** )( ( unsigned char * )Flink + 0x20 ) );
printf( "kernel32_BaseAddress = 0x%08X\n", kernel32_BaseAddress );
wprintf( L"kernel32_BaseDllName = %s\n", kernel32_BaseDllName );
/*
* 根據PE文件格式進行解析
*/
e_lfanew = *( ( LONG * )( ( unsigned char * )kernel32_BaseAddress + 0x3c ) );
printf( "e_lfanew = 0x%08X\n", e_lfanew );
ExportDirectory = *( ( DWORD * )( ( unsigned char * )kernel32_BaseAddress + e_lfanew + 0x78 ) ) +
( unsigned char * )kernel32_BaseAddress;
printf( "ExportDirectory = 0x%08X\n", ExportDirectory );
NumberOfNames = *( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x18 ) );
printf( "NumberOfNames = %u\n", NumberOfNames );
AddressOfFunctions = ( DWORD * )
(
*( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x1c ) ) +
( unsigned char * )kernel32_BaseAddress
);
printf( "AddressOfFunctions = 0x%08X\n", AddressOfFunctions );
AddressOfNames = ( DWORD * )
(
*( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x20 ) ) +
( unsigned char * )kernel32_BaseAddress
);
printf( "AddressOfNames = 0x%08X\n", AddressOfNames );
AddressOfNameOrdinals = ( WORD * )
(
*( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x24 ) ) +
( unsigned char * )kernel32_BaseAddress
);
printf( "AddressOfNameOrdinals = 0x%08X\n", AddressOfNameOrdinals );
PrivateLoadLibraryA = SearchAPI
(
kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
"LoadLibraryA"
);
printf( "PrivateLoadLibraryA = 0x%08X\n", PrivateLoadLibraryA );
printf( "LoadLibraryA = 0x%08X\n", LoadLibraryA );
PrivateGetProcAddress = SearchAPI
(
kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
"GetProcAddress"
);
printf( "PrivateGetProcAddress = 0x%08X\n", PrivateGetProcAddress );
printf( "GetProcAddress = 0x%08X\n", GetProcAddress );
return( EXIT_SUCCESS );
} /* end of main */
#if 0
/*
* 按初始化順序前向遍歷鏈表,第二個節點對應kernel32.dll。
*/
#include <stdio.h>
#include <stdlib.h>
#pragma comment( linker, "/INCREMENTAL:NO" )
#pragma comment( linker, "/subsystem:console" )
int __cdecl main ( int argc, char * argv[] )
{
void *PEB = NULL,
*Ldr = NULL,
*Flink = NULL,
*p = NULL,
*BaseAddress = NULL,
*BaseDllName = NULL;
__asm
{
mov eax,fs:[0x30]
mov PEB,eax
}
printf( "PEB = 0x%08X\n", PEB );
Ldr = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) );
printf( "Ldr = 0x%08X\n", Ldr );
Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x1c ) );
printf( "Flink = 0x%08X\n", Flink );
p = Flink;
do
{
BaseAddress = *( ( void ** )( ( unsigned char * )p + 0x08 ) );
BaseDllName = *( ( void ** )( ( unsigned char * )p + 0x20 ) );
printf( "p = 0x%08X 0x%08X ", p, BaseAddress );
wprintf( L"%s\n", BaseDllName );
p = *( ( void ** )p );
}
while ( Flink != p );
return( EXIT_SUCCESS );
} /* end of main */
#endif
--------------------------------------------------------------------------
執行效果以下,對比PrivateLoadLibraryA與LoadLibraryA的值,應該相等。
> GetAddr
PEB = 0x7FFDF000
Ldr = 0x00241E90
Flink = 0x00241F28
kernel32_BaseAddress = 0x77E60000
kernel32_BaseDllName = kernel32.dll
e_lfanew = 0x000000F8
ExportDirectory = 0x77ECD040
NumberOfNames = 942
AddressOfFunctions = 0x77ECD068
AddressOfNames = 0x77ECDF20
AddressOfNameOrdinals = 0x77ECEDD8
PrivateLoadLibraryA = 0x77E7D961
LoadLibraryA = 0x77E7D961
PrivateGetProcAddress = 0x77E7B332
GetProcAddress = 0x77E7B332
這裏演示的技巧不僅用於exploit、shellcode、virus,還大量用於特殊Driver編程
中。根據PE文件格式解析內存中的模塊映像是很基礎的知識,我今天才接觸了一下,
慚愧。
SearchAPI()用到了被搜索函數名,直接在shellcode中保存完整函數名會佔用很多空
間。能夠考慮在shellcode中保存函數名的某種哈希值,同時SearchAPI()比較哈希值
而非函數名。任何一種哈希算法都會丟失部分原有信息,以至不一樣函數名產生的哈希
值相同,所謂"碰撞"。virus編程中爲此經常使用標準CRC32算法([8]),參29A-4.227。
可是LSD認爲CRC32的彙編算法太長了([15]),他們用了一個至關簡單的算法:
while ( *c )
{
h = ( ( h << 5 ) | ( h >> 27 ) ) + *c++;
}
不超過10行彙編代碼。據LSD的報告稱,對超過5000個不一樣的dll測試,覆蓋50000個
不一樣的函數名,該哈希算法未產生一次碰撞。若真是如此,對於編寫shellcode來說,
徹底足夠了。
下面是完整的C語言演示程序,真正彙編化後應提早計算函數名的哈希值。
--------------------------------------------------------------------------
/*
* -----------------------------------------------------------------------
* Compile : For x86/EWindows XP SP1 & VC 7
* : cl GetAddr_0.c /nologo /Os /G6 /W3 /D "WIN32" /D "NDEBUG" /D "_CONSOLE" /link /RELEASE
* :
* Create : 2003-08-14 17:24
* Modify :
* -----------------------------------------------------------------------
*/
#include <stdio.h>
#include <stdlib.h>
#include <windows.h>
#pragma comment( linker, "/INCREMENTAL:NO" )
#pragma comment( linker, "/subsystem:console" )
static DWORD __stdcall GetHash ( char *c )
{
DWORD h = 0;
while ( *c )
{
h = ( ( h << 5 ) | ( h >> 27 ) ) + *c++;
}
return( h );
} /* end of GetHash */
static void * __stdcall SearchAPI ( char *BASE, DWORD *EAT, DWORD *ENPT, WORD *EOT, DWORD num, DWORD NameHash )
{
DWORD index = 0,
h = 0;
char *function_name = NULL;
void *function_addr = NULL;
for ( index = 0; index < num; index++ )
{
function_name = ENPT[index] + BASE;
h = GetHash( function_name );
if ( h == NameHash )
{
index = EOT[index];
function_addr = EAT[index] + BASE;
return( function_addr );
}
} /* end of for */
return( NULL );
} /* end of SearchAPI */
int __cdecl main ( int argc, char * argv[] )
{
void *PEB = NULL,
*Ldr = NULL,
*Flink = NULL,
*kernel32_BaseAddress = NULL,
*kernel32_BaseDllName = NULL,
*ExportDirectory = NULL,
*PrivateLoadLibraryA = NULL,
*PrivateGetProcAddress = NULL;
DWORD NumberOfNames = 0,
*AddressOfFunctions = NULL,
*AddressOfNames = NULL,
NameHash = 0;
WORD *AddressOfNameOrdinals = NULL;
LONG e_lfanew = 0;
__asm
{
mov eax,fs:[0x30]
mov PEB,eax
}
printf( "PEB = 0x%08X\n", PEB );
Ldr = *( ( void ** )( ( unsigned char * )PEB + 0x0c ) );
printf( "Ldr = 0x%08X\n", Ldr );
Flink = *( ( void ** )( ( unsigned char * )Ldr + 0x1c ) );
printf( "Flink = 0x%08X\n", Flink );
Flink = *( ( void ** )Flink );
kernel32_BaseAddress = *( ( void ** )( ( unsigned char * )Flink + 0x08 ) );
kernel32_BaseDllName = *( ( void ** )( ( unsigned char * )Flink + 0x20 ) );
printf( "kernel32_BaseAddress = 0x%08X\n", kernel32_BaseAddress );
wprintf( L"kernel32_BaseDllName = %s\n", kernel32_BaseDllName );
/*
* 根據PE文件格式進行解析
*/
e_lfanew = *( ( LONG * )( ( unsigned char * )kernel32_BaseAddress + 0x3c ) );
printf( "e_lfanew = 0x%08X\n", e_lfanew );
ExportDirectory = *( ( DWORD * )( ( unsigned char * )kernel32_BaseAddress + e_lfanew + 0x78 ) ) +
( unsigned char * )kernel32_BaseAddress;
printf( "ExportDirectory = 0x%08X\n", ExportDirectory );
NumberOfNames = *( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x18 ) );
printf( "NumberOfNames = %u\n", NumberOfNames );
AddressOfFunctions = ( DWORD * )
(
*( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x1c ) ) +
( unsigned char * )kernel32_BaseAddress
);
printf( "AddressOfFunctions = 0x%08X\n", AddressOfFunctions );
AddressOfNames = ( DWORD * )
(
*( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x20 ) ) +
( unsigned char * )kernel32_BaseAddress
);
printf( "AddressOfNames = 0x%08X\n", AddressOfNames );
AddressOfNameOrdinals = ( WORD * )
(
*( ( DWORD * )( ( unsigned char * )ExportDirectory + 0x24 ) ) +
( unsigned char * )kernel32_BaseAddress
);
printf( "AddressOfNameOrdinals = 0x%08X\n", AddressOfNameOrdinals );
NameHash = GetHash( "LoadLibraryA" );
printf( "NameHash = 0x%08X\n", NameHash );
PrivateLoadLibraryA = SearchAPI
(
kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
NameHash
);
printf( "PrivateLoadLibraryA = 0x%08X\n", PrivateLoadLibraryA );
printf( "LoadLibraryA = 0x%08X\n", LoadLibraryA );
NameHash = GetHash( "GetProcAddress" );
printf( "NameHash = 0x%08X\n", NameHash );
PrivateGetProcAddress = SearchAPI
(
kernel32_BaseAddress,
AddressOfFunctions,
AddressOfNames,
AddressOfNameOrdinals,
NumberOfNames,
NameHash
);
printf( "PrivateGetProcAddress = 0x%08X\n", PrivateGetProcAddress );
printf( "GetProcAddress = 0x%08X\n", GetProcAddress );
return( EXIT_SUCCESS );
} /* end of main */
--------------------------------------------------------------------------
> GetAddr_0
PEB = 0x7FFDF000
Ldr = 0x00241E90
Flink = 0x00241F28
kernel32_BaseAddress = 0x77E60000
kernel32_BaseDllName = kernel32.dll
e_lfanew = 0x000000F8
ExportDirectory = 0x77ECD040
NumberOfNames = 942
AddressOfFunctions = 0x77ECD068
AddressOfNames = 0x77ECDF20
AddressOfNameOrdinals = 0x77ECEDD8
NameHash = 0x331ADDDC <- "LoadLibraryA"的哈希值
PrivateLoadLibraryA = 0x77E7D961
LoadLibraryA = 0x77E7D961
NameHash = 0x99C95590 <- "GetProcAddress"的哈希值
PrivateGetProcAddress = 0x77E7B332
GetProcAddress = 0x77E7B332
☆ 參考資源
[13] Microsoft Portable Executable and Common Object File Format Specification
http://www.microsoft.com/whdc/hwdev/download/hardware/pecoff.doc
http://www.microsoft.com/whdc/hwdev/download/hardware/pecoff.pdf
[14] <<Programming Applications for Microsoft Windows, Fourth Edition>> - Jeffrey Richter
[15] http://www.lsd-pl.net/documents/winasm-1.0.1.pdf
http://www.lsd-pl.net/documents/winasm.ppt
http://lsd-pl.net/projects/winasm-1.0.1.tar.gzc++