April 5: learning shellcode, finding function addresses through the PEB

xiaoxiao, 2021-03-05

Although the outcome of the last attempt was discouraging, there were still some gains along the way. When writing shellcode, the key problem is locating the functions you want to call in memory, and there are plenty of templates for this online.

Two approaches are common, one through the PEB and one through SEH; the template I found uses the PEB. The goal is to find where kernel32.dll is loaded in memory and then find GetProcAddress() inside it. With that function, plus LoadLibrary(), the addresses of all other functions can be resolved.

fs:[0] is the TEB, and at offset 0x30 in the TEB is the pointer to the PEB:

    typedef struct _PEB {
        BOOLEAN InheritedAddressSpace;
        BOOLEAN ReadImageFileExecOptions;
        BOOLEAN BeingDebugged;
        BOOLEAN Spare;
        HANDLE Mutant;
        PVOID ImageBaseAddress;
        PPEB_LDR_DATA LoaderData;
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        PVOID SubSystemData;
        PVOID ProcessHeap;
        PVOID FastPebLock;
        PPEBLOCKROUTINE FastPebLockRoutine;
        PPEBLOCKROUTINE FastPebUnlockRoutine;
        ULONG EnvironmentUpdateCount;
        PVOID *KernelCallbackTable;
        PVOID EventLogSection;
        PVOID EventLog;
        PPEB_FREE_BLOCK FreeList;
        ULONG TlsExpansionCounter;
        PVOID TlsBitmap;
        ULONG TlsBitmapBits[0x2];
        PVOID ReadOnlySharedMemoryBase;
        PVOID ReadOnlySharedMemoryHeap;
        PVOID *ReadOnlyStaticServerData;
        PVOID AnsiCodePageData;
        PVOID OemCodePageData;
        PVOID UnicodeCaseTableData;
        ULONG NumberOfProcessors;
        ULONG NtGlobalFlag;
        BYTE Spare2[0x4];
        LARGE_INTEGER CriticalSectionTimeout;
        ULONG HeapSegmentReserve;
        ULONG HeapSegmentCommit;
        ULONG HeapDeCommitTotalFreeThreshold;
        ULONG HeapDeCommitFreeBlockThreshold;
        ULONG NumberOfHeaps;
        ULONG MaximumNumberOfHeaps;
        PVOID **ProcessHeaps;
        PVOID GdiSharedHandleTable;
        PVOID ProcessStarterHelper;
        PVOID GdiDCAttributeList;
        PVOID LoaderLock;
        ULONG OSMajorVersion;
        ULONG OSMinorVersion;
        ULONG OSBuildNumber;
        ULONG OSPlatformId;
        ULONG ImageSubSystem;
        ULONG ImageSubSystemMajorVersion;
        ULONG ImageSubSystemMinorVersion;
        ULONG GdiHandleBuffer[0x22];
        ULONG PostProcessInitRoutine;
        ULONG TlsExpansionBitmap;
        BYTE TlsExpansionBitmapBits[0x80];
        ULONG SessionId;
    } PEB, *PPEB;

At offset 0x0c in the PEB is PPEB_LDR_DATA LoaderData:

    typedef struct _PEB_LDR_DATA {
        ULONG Length;
        BOOLEAN Initialized;
        PVOID SsHandle;
        LIST_ENTRY InLoadOrderModuleList;
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
    } PEB_LDR_DATA, *PPEB_LDR_DATA;

It contains three doubly linked lists. Each list element is an LDR_MODULE:

    typedef struct _LDR_MODULE {
        LIST_ENTRY InLoadOrderModuleList;
        LIST_ENTRY InMemoryOrderModuleList;
        LIST_ENTRY InInitializationOrderModuleList;
        PVOID BaseAddress;
        PVOID EntryPoint;
        ULONG SizeOfImage;
        UNICODE_STRING FullDllName;
        UNICODE_STRING BaseDllName;
        ULONG Flags;
        SHORT LoadCount;
        SHORT TlsIndex;
        LIST_ENTRY HashTableEntry;
        ULONG TimeDateStamp;
    } LDR_MODULE, *PLDR_MODULE;

Following the LIST_ENTRY links walks every module loaded in the process, each module being the in-memory image of an executable or DLL. The shellcode needs kernel32.dll, and the template relies on it always sitting at the same position in InInitializationOrderModuleList, so it takes the list head's Flink and follows it one more step:

    mov eax, fs:[0x30]        ; PEB
    mov eax, [eax + 0x0c]     ; PEB.LoaderData (offset 0x0c from the PEB structure above)
    mov esi, [eax + 0x1c]     ; LoaderData.InInitializationOrderModuleList.Flink (offset 0x1c from the PEB_LDR_DATA structure above)
    lodsd                     ; eax = that entry's Flink, i.e. the next module's LDR_MODULE list entry
    mov eax, [eax + 8]        ; LDR_MODULE.BaseAddress lies 8 bytes past the LIST_ENTRY

eax now holds the start of kernel32.dll's image in memory, which is also its module handle value. The fixed-position assumption is what ties this template to the Windows versions it was written for; if the loader's list order changes, the base address read here belongs to a different module.

With kernel32.dll found, the next part depends on the layout of the PE file:

    mov ebx, eax                          ; ebx = kernel32.dll base address
    mov esi, dword ptr [ebx + 0x3c]       ; IMAGE_DOS_HEADER.e_lfanew: offset of the PE header
    mov esi, dword ptr [esi + ebx + 0x78] ; OptionalHeader.DataDirectory[0].VirtualAddress: export directory RVA
    add esi, ebx                          ; esi -> IMAGE_EXPORT_DIRECTORY
    mov edi, dword ptr [esi + 0x20]       ; AddressOfNames (RVA from base of image)
    add edi, ebx                          ; edi -> array of name RVAs
    mov ecx, dword ptr [esi + 0x14]       ; NumberOfFunctions, used as the loop counter
    xor ebp, ebp                          ; ebp = index of the current name
    push esi                              ; save the export directory pointer
search_GetProcAddress:
    push edi
    push ecx
    mov edi, dword ptr [edi]              ; RVA of the current name string
    add edi, ebx                          ; edi -> name string in memory
    mov esi, edx                          ; esi -> "GetProcAddress" (edx is assumed to hold the address of this string, set up before this snippet)
    ; mov ecx, 0Eh                        ; the name GetProcAddress is 0x0E bytes long
    push 0xE
    pop ecx
    repe cmpsb                            ; compare 14 bytes of [esi] and [edi]
    je search_GetProcAddress_ok
    pop ecx
    pop edi
    add edi, 4                            ; next entry in AddressOfNames
    inc ebp
    loop search_GetProcAddress
search_GetProcAddress_ok:
    pop ecx
    pop edi
    pop esi                               ; esi -> IMAGE_EXPORT_DIRECTORY again
    mov ecx, ebp                          ; index at which the name matched
    mov eax, dword ptr [esi + 0x24]       ; AddressOfNameOrdinals (RVA from base of image)
    add eax, ebx
    shl ecx, 1                            ; WORD entries
    add eax, ecx
    xor ecx, ecx
    mov cx, word ptr [eax]                ; cx = ordinal, the index into AddressOfFunctions
    mov eax, dword ptr [esi + 0x1c]       ; AddressOfFunctions (RVA from base of image)
    add eax, ebx
    shl ecx, 2                            ; DWORD entries
    add eax, ecx
    mov eax, dword ptr [eax]              ; RVA of GetProcAddress
    add eax, ebx                          ; eax = address of GetProcAddress in memory

A PE file begins with an IMAGE_DOS_HEADER structure:

    typedef struct _IMAGE_DOS_HEADER {      // DOS .EXE header
        WORD e_magic;                       // Magic number
        WORD e_cblp;                        // Bytes on last page of file
        WORD e_cp;                          // Pages in file
        WORD e_crlc;                        // Relocations
        WORD e_cparhdr;                     // Size of header in paragraphs
        WORD e_minalloc;                    // Minimum extra paragraphs needed
        WORD e_maxalloc;                    // Maximum extra paragraphs needed
        WORD e_ss;                          // Initial (relative) SS value
        WORD e_sp;                          // Initial SP value
        WORD e_csum;                        // Checksum
        WORD e_ip;                          // Initial IP value
        WORD e_cs;                          // Initial (relative) CS value
        WORD e_lfarlc;                      // File address of relocation table
        WORD e_ovno;                        // Overlay number
        WORD e_res[4];                      // Reserved words
        WORD e_oemid;                       // OEM identifier (for e_oeminfo)
        WORD e_oeminfo;                     // OEM information; e_oemid specific
        WORD e_res2[10];                    // Reserved words
        LONG e_lfanew;                      // File address of new exe header
    } IMAGE_DOS_HEADER, *PIMAGE_DOS_HEADER;

The instruction mov esi, dword ptr [ebx + 0x3c] fetches LONG e_lfanew. Because it is an offset relative to the start of the file, esi + ebx is the address of kernel32.dll's PE header in memory, and adding 0x78 to that reaches the DataDirectory:

    typedef struct _IMAGE_NT_HEADERS {
        DWORD Signature;
        IMAGE_FILE_HEADER FileHeader;
        IMAGE_OPTIONAL_HEADER32 OptionalHeader;
    } IMAGE_NT_HEADERS32, *PIMAGE_NT_HEADERS32;

    typedef struct _IMAGE_OPTIONAL_HEADER {
        //
        // Standard fields.
        //
        WORD Magic;
        BYTE MajorLinkerVersion;
        BYTE MinorLinkerVersion;
        DWORD SizeOfCode;
        DWORD SizeOfInitializedData;
        DWORD SizeOfUninitializedData;
        DWORD AddressOfEntryPoint;
        DWORD BaseOfCode;
        DWORD BaseOfData;
        //
        // NT additional fields.
        //
        DWORD ImageBase;
        DWORD SectionAlignment;
        DWORD FileAlignment;
        WORD MajorOperatingSystemVersion;
        WORD MinorOperatingSystemVersion;
        WORD MajorImageVersion;
        WORD MinorImageVersion;
        WORD MajorSubsystemVersion;
        WORD MinorSubsystemVersion;
        DWORD Win32VersionValue;
        DWORD SizeOfImage;
        DWORD SizeOfHeaders;
        DWORD CheckSum;
        WORD Subsystem;
        WORD DllCharacteristics;
        DWORD SizeOfStackReserve;
        DWORD SizeOfStackCommit;
        DWORD SizeOfHeapReserve;
        DWORD SizeOfHeapCommit;
        DWORD LoaderFlags;
        DWORD NumberOfRvaAndSizes;
        IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES];
    } IMAGE_OPTIONAL_HEADER32, *PIMAGE_OPTIONAL_HEADER32;

The first DataDirectory entry is the export directory. Adding ebx to its RVA gives its location in memory, which is the start of an IMAGE_EXPORT_DIRECTORY structure:

    typedef struct _IMAGE_EXPORT_DIRECTORY {
        DWORD Characteristics;
        DWORD TimeDateStamp;
        WORD MajorVersion;
        WORD MinorVersion;
        DWORD Name;
        DWORD Base;
        DWORD NumberOfFunctions;
        DWORD NumberOfNames;
        DWORD AddressOfFunctions;      // RVA from base of image
        DWORD AddressOfNames;          // RVA from base of image
        DWORD AddressOfNameOrdinals;   // RVA from base of image
    } IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

AddressOfNames and the two fields after it are RVAs of arrays. AddressOfNames points to an array of RVAs, each of which points to a function name string, so a name can be read as

    (CHAR *)(*(int *)addr + BaseAddress)

AddressOfNameOrdinals runs parallel to AddressOfNames and holds, for each name, the index into AddressOfFunctions.

To call a function by name, find its entry in AddressOfNames, note the position at which it was found in that pointer array, and use the same position in AddressOfNameOrdinals; that is what these instructions do:

    mov ecx, ebp
    mov eax, dword ptr [esi + 0x24]   ; AddressOfNameOrdinals
    add eax, ebx
    shl ecx, 1                        ; each element of AddressOfNameOrdinals is a WORD
    add eax, ecx
    xor ecx, ecx
    mov cx, word ptr [eax]            ; cx = index into AddressOfFunctions

Each element of AddressOfFunctions is the RVA of a function; adding the base address of kernel32.dll gives its address in memory:

    mov eax, dword ptr [esi + 0x1c]   ; AddressOfFunctions (RVA from base of image)
    add eax, ebx
    shl ecx, 2                        ; each element of AddressOfFunctions is a DWORD
    add eax, ecx
    mov eax, dword ptr [eax]
    add eax, ebx
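As an added worked example (not code from the original post), here is the same lookup the assembly performs, written in C as a bounds-checked parser: it follows e_lfanew to the PE header, reads DataDirectory[0] to reach IMAGE_EXPORT_DIRECTORY, finds the name's position in AddressOfNames, maps that position through AddressOfNameOrdinals, and reads the RVA from AddressOfFunctions. So that it runs anywhere, it does not touch a real kernel32.dll: build_sample_image() constructs a minimal PE-like image in a buffer with three made-up exports whose ordinal order deliberately differs from their name order. The function names, RVAs and buffer layout are all constructed for this example; the field offsets are the ones the post uses.

```c
/* Added example: resolve an export by name from a PE image the way the
 * shellcode does, but as a bounds-checked parser over a constructed image.
 * The image built by build_sample_image() is a hand-made stand-in, not a
 * real DLL; its names, RVAs and layout are invented for the example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SAMPLE_IMAGE_SIZE 0x400u
static uint8_t g_image[SAMPLE_IMAGE_SIZE];

/* PE fields are little-endian regardless of host, so read/write them byte-wise. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

/* True if the byte range [off, off + need) lies inside an image of len bytes. */
static int in_image(size_t len, uint32_t off, uint32_t need) {
    return off <= len && need <= len - off;
}

/* Build the constructed image: DOS header -> NT headers at 0x80 -> export
 * directory at 0x200. Names are stored sorted, as a real export table keeps
 * them; the ordinal table deliberately does not follow the name order, so a
 * lookup that skipped AddressOfNameOrdinals would return the wrong function. */
const uint8_t *build_sample_image(void) {
    static const char *names[] = { "CloseHandle", "GetProcAddress", "LoadLibraryA" };
    static const uint16_t ordinals[] = { 2, 0, 1 };
    const uint32_t nt = 0x80, exp = 0x200, funcs = 0x240, name_ptrs = 0x260, ords = 0x280;
    uint32_t str_rva = 0x300;
    memset(g_image, 0, sizeof g_image);
    g_image[0] = 'M'; g_image[1] = 'Z';
    wr32(g_image + 0x3c, nt);                 /* IMAGE_DOS_HEADER.e_lfanew */
    memcpy(g_image + nt, "PE\0\0", 4);        /* IMAGE_NT_HEADERS.Signature */
    wr16(g_image + nt + 0x18, 0x10b);         /* OptionalHeader.Magic (PE32) */
    wr32(g_image + nt + 0x78, exp);           /* DataDirectory[0].VirtualAddress */
    wr32(g_image + nt + 0x7c, 0x100);         /* DataDirectory[0].Size */
    wr32(g_image + exp + 0x14, 3);            /* NumberOfFunctions */
    wr32(g_image + exp + 0x18, 3);            /* NumberOfNames */
    wr32(g_image + exp + 0x1c, funcs);        /* AddressOfFunctions */
    wr32(g_image + exp + 0x20, name_ptrs);    /* AddressOfNames */
    wr32(g_image + exp + 0x24, ords);         /* AddressOfNameOrdinals */
    for (uint32_t i = 0; i < 3; i++) {
        size_t n = strlen(names[i]) + 1;
        memcpy(g_image + str_rva, names[i], n);
        wr32(g_image + name_ptrs + 4 * i, str_rva);      /* name i -> its string RVA */
        wr16(g_image + ords + 2 * i, ordinals[i]);       /* name i -> ordinal */
        wr32(g_image + funcs + 4 * i, 0x1000u * (i + 1)); /* ordinal i -> RVA 0x1000*(i+1) */
        str_rva += (uint32_t)n;
    }
    return g_image;
}

/* Returns the RVA of the export called wanted, or 0 if it is absent or the
 * image is malformed. Comments give the matching shellcode instruction. */
uint32_t find_export_rva(const uint8_t *base, size_t len, const char *wanted) {
    if (len < 0x40 || base[0] != 'M' || base[1] != 'Z') return 0;
    uint32_t e_lfanew = rd32(base + 0x3c);                 /* mov esi, [ebx + 0x3c] */
    if (!in_image(len, e_lfanew, 0x80) || rd32(base + e_lfanew) != 0x00004550u) return 0;
    uint32_t exp = rd32(base + e_lfanew + 0x78);           /* mov esi, [esi + ebx + 0x78] */
    if (exp == 0 || !in_image(len, exp, 0x28)) return 0;
    const uint8_t *ed = base + exp;                        /* add esi, ebx */
    uint32_t n_funcs = rd32(ed + 0x14), n_names = rd32(ed + 0x18);
    uint32_t funcs = rd32(ed + 0x1c), names = rd32(ed + 0x20), ords = rd32(ed + 0x24);
    if (n_funcs > 0x10000 || n_names > 0x10000) return 0;  /* sanity cap before multiplying */
    if (!in_image(len, names, 4 * n_names) || !in_image(len, ords, 2 * n_names) ||
        !in_image(len, funcs, 4 * n_funcs)) return 0;
    for (uint32_t i = 0; i < n_names; i++) {               /* the search_GetProcAddress loop */
        uint32_t name_rva = rd32(base + names + 4 * i);
        if (!in_image(len, name_rva, 1)) return 0;
        /* Require a NUL inside the image, then compare the whole name (the
         * shellcode compares only the first 14 bytes). */
        if (!memchr(base + name_rva, 0, len - name_rva)) return 0;
        if (strcmp((const char *)base + name_rva, wanted) != 0) continue;
        uint16_t ordinal = rd16(base + ords + 2 * i);      /* WORD entries: shl ecx, 1 */
        if (ordinal >= n_funcs) return 0;
        return rd32(base + funcs + 4 * ordinal);           /* DWORD entries: shl ecx, 2 */
    }
    return 0;
}

int main(void) {
    const uint8_t *img = build_sample_image();
    const char *probe[] = { "GetProcAddress", "LoadLibraryA", "CloseHandle", "NotExported" };
    for (size_t i = 0; i < 4; i++)
        printf("%-15s -> RVA 0x%04x\n", probe[i],
               (unsigned)find_export_rva(img, SAMPLE_IMAGE_SIZE, probe[i]));
    return 0;
}
```

Two differences from the shellcode are worth noting. The parser compares the whole NUL-terminated name rather than its first 14 bytes, so a longer export sharing those 14 bytes would not be mistaken for GetProcAddress. And every RVA and count is checked against the image size before it is dereferenced, which is what keeps the same walk safe when it is pointed at untrusted files, for instance in a scanner or an unpacker that resolves exports from a memory dump.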

Once the address of GetProcAddress is known, use it to get the address of LoadLibrary, which is also exported by kernel32.dll. With those two functions in hand, resolving any other function is no longer a concern.

Please credit the original when reposting: https://www.9cbs.com/read-39382.html
