
..::[ARTeam Tutorial]::..

PORTABLE EXECUTABLE FILE FORMAT

Category: Relates to cracking, unpacking, reverse engineering
Level: Intermediate
Author: Goppit
Test OS: XP Pro SP2
Translated by: kienmanowar (REA-cRaCkErTeAm)

Tools Used: Hexeditor (any will do)

PEBrowse Pro - http://www.smidgeonsoft.prohosting.com/download/PEBrowse.zip
PEiD - http://www.secretashell.com/codomain/peid/download.html
LordPE - http://mitglied.lycos.de/yoda2k/LordPE/LPE-DLX.ZIP (get DLX-b update also)
HexToText - http://www.buttuglysoftware.com/HexToTextMFC.zip
OllyDbg - http://home.t-online.de/home/Ollydbg/odbg110.zip
ResHacker - http://delphi.icm.edu.pl/ftp/tools/ResHack.zip
BaseCalc - included in this archive

...and mentioned in the text:
Snippet Creator - http://win32assembly.online.fr/files/sc.zip
First_Thunk Rebuilder - http://www.angelfire.com/nt/teklord/FirstThunk.zip
IIDKing - http://www.reteam.org/tools/tf23.zip
Cavewriter - http://sandsprite.com/CodeStuff/cavewriter.zip

Foreword:

This article aims to collate information from many different sources and present it in a way that beginners can approach most easily. Although the material is spread over many parts, it is oriented toward reverse code engineering, so information that is not needed for that purpose is skipped. You will notice that I borrow heavily from various published articles; all of their authors are mentioned with deep gratitude in the references at the end of this article.

PE is the native file format of Win32. All executable files on Win32 (except VxDs and 16-bit DLLs) use the PE format. 32-bit DLLs, COM files, OCX controls, Control Panel applets (.CPL files) and .NET applications are all PE format. Even the kernel-mode drivers of the NT family of operating systems use the PE format. Why do we need to learn about it? There are two main reasons: first, we want to add code to executable files (for example keygen injection or adding functionality), and second, we want to manually unpack executables. Most of the interest comes from the second reason, because nowadays almost every shareware program is packed, both to reduce the size of the file and to add a layer of protection. Inside a packed executable the import tables are usually altered or invalidated and the data section is encrypted. The packer inserts code that unpacks the file in memory at run time and then jumps to the OEP (original entry point), the place where the original program really starts executing. If we can find a way to dump this memory region after the packer has finished unpacking the executable, we still have to repair the section table and the import tables before our application will run.

How can we do this without a good understanding of the PE file format? The executable I use as the example throughout this article is BASECALC.EXE, a very useful program from Fravia's website that calculates and converts between decimal, hex, binary and octal numbers. Its author coded it in Borland Delphi 2.0, which makes it an ideal file to illustrate how the Borland compiler nulls the OriginalFirstThunks (more on this later).

1. Basic Structure :


The illustration below shows the basic structure of a PE file.

At a minimum a PE file has 2 sections: one for code and one for data. An application for Windows NT has 9 predefined sections named .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others may define more sections to suit their particular needs. The sections that exist and appear most commonly in an executable today are:

1. Executable Code Section, named .text (Micro$oft) or CODE (Borland).
2. Data Sections, with names such as .data, .rdata or .bss (Micro$oft) or DATA (Borland).
3. Resources Section, named .rsrc
4. Export Data Section, named .edata
5. Import Data Section, named .idata
6. Debug Information Section, named .debug

These names are not really significant, since they are ignored by the OS and exist only as documentation for the benefit of programmers. Another important point is that the structure of a PE file on disk is exactly the same as when it is loaded into memory, so if you can locate a piece of information in the file on disk you will be able to find it when the file is loaded into memory. However, the file is not copied into memory exactly. The Windows loader decides which parts need to be mapped in and skips the others. Data that is not mapped in is placed at the end of the file, after any parts that will be mapped, for example Debug Information. Also, the position of an item in the file on disk will almost always differ from its position when loaded into memory, because of the page-based virtual memory management that Windows uses. When sections are loaded into RAM they are aligned to 4KB memory pages, each section starting on a new page. A field in the PE header tells the system how much memory to set aside for mapping the file. Virtual memory is explained in the section below.

The term virtual memory means that instead of letting software access physical memory directly, the processor and the operating system create an invisible layer between them. Every time an attempt is made to access memory, the processor consults a page table to see which process owns the address and which physical memory address is actually being used. It would not be practical to have a table entry for every byte of memory (the page table would be larger than the total physical memory), so instead the processor divides memory into pages. This has several advantages:

1. It allows the creation of multiple address spaces. An address space is an isolated page table that only allows access to memory appropriate to the current program or process. It ensures that programs are completely isolated from one another, so that a fault that crashes one program cannot affect or corrupt the address space of other programs.

2. It allows the processor to enforce rules on how memory is accessed. Sections are needed in a PE file because the different areas of the file are treated differently by the memory manager when a module is loaded. At load time the memory manager sets the access permissions on the memory pages of the different sections according to their settings in the section header. This determines whether a given section is readable, writeable or executable. This means each section must start on a new page. However, the default page size for Windows is 4096 bytes (1000h), and it would be wasteful to align executable files on a 4KB page boundary on disk, since that would make them much larger than necessary. Because of this the PE header has two different alignment fields: Section alignment and File alignment. Section alignment is how sections are aligned in memory, as above. File alignment (usually 512 bytes or 200h) is how sections are aligned in the file on disk and is a multiple of the disk sector size in order to optimize the loading process.

3. It allows a paging file on the hard disk to be used to temporarily store pages from physical memory while they are not in use. For example, if an application has been loaded but is idle, its address space can be paged out to disk to make room for other applications that need to be loaded into RAM. If the situation reverses, the OS can simply load the first application back into RAM and resume execution where it left off. An application can also use more memory than the amount of physical memory available, because the system can use the hard disk as secondary storage whenever physical memory runs out.

When a PE file is loaded into memory by the Windows loader, the in-memory version is known as a module. The starting address at which the file mapping begins is called an HMODULE. A module in memory represents all the code, data and resources from an executable file that are needed for execution, while the term process basically refers to an isolated address space which can be used to run a module.

2. The DOS Header :


All PE files start with the DOS header, which occupies the first 64 bytes of the file. It is there in case the program is run from DOS, so that the DOS operating system can recognise it as a valid executable and run the DOS stub, which is stored immediately after the header. Most DOS stubs use function 9 of interrupt 21h to display a string similar to: "This program must be run under Microsoft Windows", but it could be a full-blown DOS program. (In short, the DOS stub is just a small DOS EXE that displays an error message, usually the one above. Because this header sits at the very start of the file, DOS viruses can infect the PE image exactly at the DOS stub. The DOS stub is nevertheless kept for compatibility with 16-bit Windows systems.) When building an application for Windows, the linker links a default stub program called WINSTUB.EXE into your executable. You can override the linker's default behaviour by substituting your own MS-DOS-based program for WINSTUB and using the STUB: option of the linker when linking the executable. The DOS header is a structure defined in windows.inc or winnt.h (if you have an assembler or compiler installed, you will find these files in the \include\ directory). It has 19 members, of which magic and lfanew are of interest.

In a PE file, the magic member of the DOS header contains the values 4Dh, 5Ah (the characters MZ, the initials of Mark Zbikowski, one of the principal creators of MS-DOS); these values are the sign that this is a valid DOS header. MZ are the first 2 bytes you will see in any PE file when the file is opened in a hex editor (see the illustration below).

As you can see in the illustration above, the lfanew member is a DWORD (a double word = 4 bytes) located at the very end of the DOS header, just before the start of the DOS stub. It contains the offset of the PE header relative to the beginning of the file. The Windows loader looks up this offset so it can skip the DOS stub and go directly to the PE header. The illustration above helps us a lot because it clearly shows the size of each element. This lets us find the information we are interested in by counting bytes from the start of the section or from some recognisable point. As we said above, the DOS header occupies the first 64 bytes of the file, i.e. the first 4 rows seen in a hex editor in the illustration below. The last DWORD before the start of the DOS stub contains the values 00h 01h 00h 00h. Reversing the byte order, this tells us that 00 00 01 00h is the offset at which the PE header starts. The PE header starts with its signature 50h, 45h, 00h, 00h (the characters PE followed by two terminating zeros). If in the Signature field of the PE header you find an NE signature rather than PE, you are dealing with a 16-bit Windows NE file. Likewise, if you see LE in the Signature field, it means the file is a Windows 3.x virtual device driver (VxD). And LX is the sign of a file for OS/2 2.0.

OK... let's take a short break!! We will continue the discussion in the next part of this article. :)

3. The PE Header :
PE Header is the general term for a structure named IMAGE_NT_HEADERS. This structure contains essential information used by the loader. IMAGE_NT_HEADERS has 3 members and is defined in windows.inc as follows:

Signature is a DWORD containing the values 50h, 45h, 00h, 00h (the characters PE followed by two terminating zeros). FileHeader comprises the next 20 bytes of the PE file and contains information about the physical layout and properties of the file, e.g. the number of sections. OptionalHeader is always present and is made up of the next 224 bytes. It contains information about the logical layout inside the PE file, e.g. AddressOfEntryPoint. Its size is given by a member of FileHeader. The structures of these members are also defined in windows.inc. FileHeader is defined as in the illustration below:

Most of these members are of no use to us, but we must change NumberOfSections if we want to add or delete any sections in a PE file. Characteristics contains flags; these flags tell us whether the PE file we are working with is an executable or a DLL. Back to our example in the hex editor: we can find NumberOfSections by counting one DWORD and one WORD (6 bytes) from the start of the PE header (the DWORD being the Signature and the WORD being Machine). (Note: the NumberOfSections field is used by viruses for various reasons. For example, a virus may increment this field to add a new section to the PE image and place the virus body in that section. Windows NT systems accept up to 96 sections in a PE file. On Win95 the section number is not checked carefully.) See the illustration below:
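As an added example (not part of the original tutorial), the following Python walks the path just described: check the MZ magic, read lfanew from the last DWORD of the DOS header, classify the signature found there (PE, NE, LE or LX), and then read NumberOfSections and Characteristics from the FileHeader. The sample images are constructed inline with lfanew = 100h, as in the hex dump above; the flag values 0x2000 (DLL) and 0x0002 (executable image) are the standard IMAGE_FILE_* constants from winnt.h.

```python
import struct

# Signatures named in the text: PE (Win32), NE (Win16), LE (Win3.x VxD), LX (OS/2 2.0)
SIGNATURES = {
    b"PE\0\0": "PE (Win32 executable)",
    b"NE": "NE (16-bit Windows executable)",
    b"LE": "LE (Windows 3.x virtual device driver, VxD)",
    b"LX": "LX (OS/2 2.0 executable)",
}

IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002   # Characteristics: file is linked and runnable
IMAGE_FILE_DLL = 0x2000                # Characteristics: file is a DLL


def parse_headers(data: bytes) -> dict:
    """Walk DOS header -> e_lfanew -> signature -> IMAGE_FILE_HEADER."""
    if len(data) < 64 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ magic")
    # lfanew is the last DWORD of the 64-byte DOS header (offset 3Ch), stored
    # little-endian, so the bytes 00 01 00 00 mean offset 00000100h.
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):
        raise ValueError("e_lfanew points outside the file")
    sig4 = data[e_lfanew:e_lfanew + 4]
    kind = SIGNATURES.get(sig4) or SIGNATURES.get(sig4[:2])
    info = {"e_lfanew": e_lfanew, "signature": kind}
    if sig4 != b"PE\0\0":
        return info   # NE/LE/LX headers have their own layouts; stop here
    # IMAGE_FILE_HEADER: the 20 bytes right after the 4-byte signature
    machine, nsections, _stamp, _symtab, _nsyms, opt_size, chars = \
        struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    info.update({
        "Machine": machine,
        "NumberOfSections": nsections,
        "SizeOfOptionalHeader": opt_size,
        "Characteristics": chars,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "is_executable_image": bool(chars & IMAGE_FILE_EXECUTABLE_IMAGE),
    })
    if nsections > 96:
        info["warning"] = "more than 96 sections: NT loaders reject this"
    return info


def build_sample(signature: bytes, nsections: int = 8, chars: int = 0x010E) -> bytes:
    """Constructed sample: 64-byte DOS header, zero stub, header with `signature` at 100h."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x100)          # lfanew = 100h, as in the text
    stub = b"\0" * (0x100 - 64)                        # stand-in for the DOS stub
    file_header = struct.pack("<HHIIIHH", 0x014C, nsections, 0, 0, 0, 0xE0, chars)
    return bytes(dos) + stub + signature + file_header


SAMPLE_EXE = build_sample(b"PE\0\0")     # 8 sections, like BASECALC.EXE in the text
SAMPLE_NE = build_sample(b"NE\0\0")      # a Win16 signature at the same offset

if __name__ == "__main__":
    print(parse_headers(SAMPLE_EXE))
    print(parse_headers(SAMPLE_NE))
```

The parser stops after the signature for anything that is not PE, because the NE/LE/LX headers that follow are laid out differently; the 96-section check mirrors the note above about what the NT loader accepts.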

This can be double-checked using any PE tool, for example PEBrowsePro:

Or using the well-known tool LordPE:

Or, if you are using PEiD, you can verify it by clicking the Subsystem button:

Note: PEiD is an extremely useful tool. Its main function is to scan executable files and tell us which packer was used to compress and protect the file. PEiD also comes with an equally important plugin, Krypto ANALyzer. When you use this plugin it tells us which cryptographic algorithms the file uses, for example CRC, MD4, MD5 or SHA, and so on. The tool can also use user-defined lists of packer signatures. In short, PEiD is the first tool we reach for when we start unpacking. We continue with the next member, OptionalHeader, which occupies 224 bytes, of which the last 128 bytes contain the Data Directory. It is defined as in the illustration below:

AddressOfEntryPoint: the RVA (relative virtual address) of the first instruction that will be executed when the PE loader is ready to run the PE file (it usually points into the .text or CODE section). If you want to divert the flow of execution, you need to change the value in this field to a new RVA so that the instruction at the new RVA is executed first. Packers usually replace this value with the address of their decompression stub, which after execution jumps back to the start of the original program, commonly called the OEP. A further note: with StarForce protection the CODE section is not present in the file on disk but is written into virtual memory during execution, so the value in this field is a VA (see the appendix below). (Note: this is a critical field because it is changed by most types of virus infection to point to the real entry point of the virus code.) ImageBase: the preferred load address of the PE file. For example, if the value is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not load the file at that address if another module already occupies that address range. In 99% of cases the value in this field is 400000h.

SectionAlignment: the alignment of sections in memory. When the executable is mapped into memory, each section must start at a virtual address that is a multiple of this value. The minimum value of this field is 0x1000 (4096 bytes), but Borland linkers often use larger default values, for example 0x10000 (64KB). For example: if the value in this field is 4096 (1000h), each successive section must start at the previous section plus 4096 bytes. If the first section is at 401000h and its size is 10 bytes, then the next section is at 402000h even though most of the address space between 401000h and 402000h is unused. (Note: most Win32 viruses use this field to compute the exact position of the virus body, but do not change the field.) FileAlignment: the alignment of sections in the file. For example, if the value of this field is 512 (200h), each successive section must start at the previous section plus 200h. If the first section is at offset 200h and is 10 bytes long, then the next section is located at offset 400h; the space between file offsets 522 and 1024 is unused/undefined. SizeOfImage: the total size of the PE image in memory. It is the sum of all headers and sections aligned to SectionAlignment. SizeOfHeaders: the size of all headers plus the section table. In short, this value equals the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file. DataDirectory: an array of 16 IMAGE_DATA_DIRECTORY structures, each relating to an important data structure in the PE file such as the import address table. This important structure is discussed in detail in later parts. The layout of the whole PE header can be seen in the following hex editor illustration. Note that the DOS header and the PE header are always the same size (and shape) when viewed in a hex editor; the DOS stub can vary in size:
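As an added example (mine, not code from the original tutorial), the following Python turns the alignment rules above into a small layout function: given section data sizes, it rounds each start up to the next SectionAlignment boundary in memory and the next FileAlignment boundary on disk, and derives SizeOfHeaders and SizeOfImage the way the text defines them. The defaults (ImageBase 400000h, SectionAlignment 1000h, FileAlignment 200h, headers ending at byte 981) are the figures used in this tutorial; the section names and sizes passed in are constructed.

```python
def align_up(value: int, alignment: int) -> int:
    """Round value up to the next multiple of alignment (a power of two in PE files)."""
    if alignment <= 0 or alignment & (alignment - 1):
        raise ValueError("alignment must be a power of two")
    return (value + alignment - 1) & ~(alignment - 1)


def lay_out_sections(sizes, image_base=0x400000, section_alignment=0x1000,
                     file_alignment=0x200, headers_end=981):
    """Assign VirtualAddress / PointerToRawData to sections of the given data sizes.

    sizes: list of (name, size_in_bytes) tuples in file order (constructed input).
    Each section starts on the next alignment boundary in memory and on disk,
    exactly as the SectionAlignment / FileAlignment examples in the text describe.
    """
    size_of_headers = align_up(headers_end, file_alignment)   # raw offset of 1st section
    next_rva = align_up(size_of_headers, section_alignment)   # headers get their own page
    next_raw = size_of_headers
    layout = []
    for name, size in sizes:
        raw_size = align_up(size, file_alignment)             # SizeOfRawData
        layout.append({
            "name": name,
            "VirtualSize": size,
            "VirtualAddress": next_rva,
            "VA": image_base + next_rva,                      # where it lands if loaded at ImageBase
            "SizeOfRawData": raw_size,
            "PointerToRawData": next_raw,
        })
        # an empty section still consumes one page (max(size, 1)) so VAs stay distinct
        next_rva = align_up(next_rva + max(size, 1), section_alignment)
        next_raw += raw_size
    return {
        "SizeOfHeaders": size_of_headers,
        "SizeOfImage": next_rva,   # headers + every section, rounded to SectionAlignment
        "sections": layout,
    }


if __name__ == "__main__":
    result = lay_out_sections([("CODE", 10), ("DATA", 10)])
    for s in result["sections"]:
        print(s["name"], hex(s["VA"]), hex(s["PointerToRawData"]), hex(s["SizeOfRawData"]))
    print("SizeOfHeaders", hex(result["SizeOfHeaders"]), "SizeOfImage", hex(result["SizeOfImage"]))
```

With the text's numbers, a 10-byte CODE section at 401000h is followed by DATA at 402000h in memory, while on disk the same two sections occupy 200h-byte slots; passing section_alignment=0x10000 reproduces the larger gaps Borland linkers leave.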


Besides the PE tools mentioned above, my favourite debugger, OllyDbg, can also parse PE headers and display the information fully and meaningfully. Load our example file into Olly and press Alt+M or click the M button to open the Memory Map window, which shows us the PE file loaded in memory.

Next, right-click on the PE header and choose Dump in CPU. Then, in the hex window, right-click again and choose Special --> PE Header.

We get the following information:


4. The Data Directory :


To summarise the previous part: the Data Directory is the last 128 bytes of the OptionalHeader and in turn the last member of the PE header, IMAGE_NT_HEADERS. As we said, the Data Directory is an array of 16 IMAGE_DATA_DIRECTORY structures, each 8 bytes and each relating to an important data structure in the PE file. Each element refers to a predefined item, for example the import table. The IMAGE_DATA_DIRECTORY structure has 2 members which hold the location and size of the data structure in question:

VirtualAddress is the relative virtual address of the data structure (see later); isize contains the size in bytes of the data structure. The 16 directories these structures refer to are themselves defined in windows.inc:


For example, using LordPE: the Data Directory of our example file contains only 4 members (the ones I have circled in colour in the picture). The remaining 12 are unused and filled with 0:

As you can see in the illustration above, the import table entry holds the RVA and size of the IMAGE_IMPORT_DESCRIPTOR array, the Import Directory. The hex editor illustration below shows the PE header with the data directory highlighted in colour. Each highlighted area represents one IMAGE_DATA_DIRECTORY structure: the first DWORD is VirtualAddress and the second is isize.


In the illustration above the Import Table is highlighted in pink. The first 4 bytes are the RVA 02D000h (NB reverse byte order). The size of the Import Table is 181Eh bytes. As we said, the positions of the data directories relative to the start of the PE header are always the same; for example, the DWORD 80 bytes from the start of the PE header is always the RVA of the Import Table. To locate a particular directory, you take its relative virtual address from the data directory, then use that virtual address to find which section the directory lies in. Once you have worked out which section contains the directory, the Section Header of that section is used to find the exact file offset.

5. The Section Table :


The Section Table is the component immediately following the PE header. It is an array of IMAGE_SECTION_HEADER structures, each containing information about one section in the PE file, such as its attributes and virtual offset. Recall that the number of sections is the 2nd member of FileHeader (6 bytes from the start of the PE header). If there are 8 sections in the PE file, there will be 8 copies of this structure in the table. Each header structure is 40 bytes and there is no padding between them (padding here means inserting 00h bytes). The structure is defined in windows.inc as follows:


Once again, not all of these members are useful. I will describe only the really important ones.

Name1 - (NB this field is 8 bytes) The name is just a label and can even be blank. Note that this is not an ASCII string, so it does not need to be null-terminated. VirtualSize (DWORD union) - The actual size of the section's data in bytes. It may be smaller than the size of the section on disk (SizeOfRawData) and is what the loader allocates in memory for this section. VirtualAddress - The RVA of the section. The PE loader reads and uses the value in this field when mapping the section into memory. So if the value in this field is 1000h and the PE file is loaded at 400000h, the section will be loaded at 401000h. SizeOfRawData - The size of the section's data in the file on disk, rounded up to the next multiple of the file alignment by the compiler.

PointerToRawData (Raw Offset) - This member is really useful because it is the offset from the start of the file to the section's data. If it is 0, the section's data is not contained in the file and is not bound at load time. The PE loader uses the value in this field to find where the section's data is stored in the file. Characteristics - Contains flags such as whether this section contains executable code, initialized data or uninitialized data, and whether it can be written to or read (see the appendix). NOTE: when looking for a particular section, you can ignore the whole PE header and start parsing the section headers by searching for the section name in the ASCII window of your hex editor. Back to our example: in the hex editor our file has 8 sections, as we saw in the PE header part.


After reading the section headers we look for the sections themselves. In the file on disk, each section starts at an offset that is a multiple of the FileAlignment value found in the OptionalHeader. Between the sections' data are 00 padding bytes. When loaded into RAM, sections always start on a page boundary, so the first byte of each section corresponds to a memory page. Pages on x86 CPUs are 4KB aligned, while on IA-64 they are 8KB aligned. This alignment value is stored in SectionAlignment, also in the OptionalHeader. For example, if the OptionalHeader ends at file offset 981 and FileAlignment is 512, the first section will start at byte 1024. Note that you can find the sections via PointerToRawData or VirtualAddress, so there is no need to worry about alignments. In the illustration above, the Import Data Section (.idata) starts at offset 0002AC00h (highlighted pink, NB reverse byte order) from the start of the file. Its size, given as a DWORD, is 1A00h bytes.
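As an added example (not from the original tutorial), the following Python does the two things the Data Directory and Section Table parts describe: it reads the 40-byte IMAGE_SECTION_HEADER records, then maps an RVA such as the Import Table's 02D000h to a file offset by finding the section that contains it and adding the difference to that section's PointerToRawData. The section table is constructed inline; its .idata entry reuses the figures from this tutorial's example file (RVA 02D000h, raw offset 0002AC00h, raw size 1A00h), the CODE and .bss entries are made up to show the other cases (a header-area RVA, and a section with no data in the file).

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"                        # IMAGE_SECTION_HEADER, no padding
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)  # 40 bytes


def parse_section_table(data: bytes, table_offset: int, number_of_sections: int):
    """Read NumberOfSections consecutive IMAGE_SECTION_HEADER records.

    In a real file table_offset is e_lfanew + 4 + 20 + 224 (signature, FileHeader,
    OptionalHeader) and number_of_sections comes from FileHeader.
    """
    sections = []
    for i in range(number_of_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, data, table_offset + i * SECTION_HEADER_SIZE)
        sections.append({
            # Name1 is 8 raw bytes, not NUL-terminated when all 8 are used
            "Name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "VirtualSize": f[1],
            "VirtualAddress": f[2],
            "SizeOfRawData": f[3],
            "PointerToRawData": f[4],
            "Characteristics": f[9],
        })
    return sections


def rva_to_offset(sections, rva: int, size_of_headers: int = 0):
    """Map an RVA to a file offset via the section containing it.

    Returns None when no file bytes back the RVA (e.g. .bss, or the zero-filled tail
    of a section whose VirtualSize exceeds its SizeOfRawData).
    """
    if rva < size_of_headers:
        return rva                      # headers are mapped 1:1 at the start of the image
    for s in sections:
        # in memory the section spans the larger of VirtualSize and SizeOfRawData
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            delta = rva - s["VirtualAddress"]
            if s["PointerToRawData"] == 0 or delta >= s["SizeOfRawData"]:
                return None             # memory-only bytes: nothing to read on disk
            return s["PointerToRawData"] + delta
    return None


def make_section(name: bytes, vsize, va, raw_size, raw_ptr, chars) -> bytes:
    """Pack one constructed IMAGE_SECTION_HEADER (relocation/line-number fields zero)."""
    return struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"),
                       vsize, va, raw_size, raw_ptr, 0, 0, 0, 0, chars)


# Constructed section table; the .idata figures are the ones quoted in the tutorial.
SAMPLE_TABLE = (
    make_section(b"CODE",   0x29A00, 0x01000, 0x29A00, 0x00400, 0x60000020)   # code, exec+read
    + make_section(b".bss", 0x01000, 0x2C000, 0x00000, 0x00000, 0xC0000080)   # uninitialised
    + make_section(b".idata", 0x181E, 0x2D000, 0x01A00, 0x2AC00, 0xC0000040)  # import data
)
SIZE_OF_HEADERS = 0x400

if __name__ == "__main__":
    secs = parse_section_table(SAMPLE_TABLE, 0, 3)
    import_table_rva = 0x2D000            # value read from the Data Directory in the text
    print([s["Name"] for s in secs])
    print(hex(rva_to_offset(secs, import_table_rva, SIZE_OF_HEADERS)))   # 0x2ac00
```

The span check uses max(VirtualSize, SizeOfRawData) because, as noted above, VirtualSize may be smaller than the on-disk size; an RVA that falls past SizeOfRawData (or into a section whose PointerToRawData is 0) has no bytes in the file, so the function reports None rather than a bogus offset.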

6. The PE File Sections :


The sections contain the main content of the file, including code, data, resources and other information of the executable. Each section has a header and a body (the raw data, i.e. data that has not been processed or formatted, sorted, edited or presented in a form that is easy to trace and analyse). The section headers are contained in the section table, but the section bodies have no rigid file structure. They can be arranged almost any way a linker chooses to organise them, provided the header is filled with enough information to decode the data.

An application for Windows NT has 9 predefined sections named .text, .bss, .rdata, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others define additional sections to suit their specific needs.

Executable Code Section :


In Windows NT all code segments are combined into a single section called .text or CODE. Since Windows NT uses a page-based virtual memory management system, having one large code section is easier to manage for both the operating system and the application developer. This section also contains the entry point mentioned above and the jump thunk table that points to the IAT (see the import theory part).

Data Sections :
The .bss section represents uninitialized data for the application, including all variables declared static within a function or source module. The .rdata section represents read-only data, such as strings, constants and debug directory information.

All other variables (except automatic variables, which appear on the stack) are stored in the .data section. These are the application's or module's global variables.

Resources Section :
The .rsrc section contains the resource information for a module. The first 16 bytes comprise a header like the other sections, but this section's data is further structured into a resource tree and is best viewed with a resource editor. A well-known one is ResHacker, a free program that lets you edit, add, delete, replace and copy resources:


It is a very powerful program for cracking purposes, since it quickly displays the dialog boxes, including those with details of incorrect registration and the nag screens. A shareware application can often be cracked simply by deleting the nag-screen dialog resource in ResHacker.

Export Data Section :


The .edata section contains the Export Directory for an application or DLL. When present, this section holds information about the names and addresses of the exported functions. We will come back to this later; it is a very important part.

Import Data Section :


The .idata section contains various information about imported functions, including the Import Directory and the Import Address Table. We will also come back to this later.

Debug Information Section :


Debug information is initially placed in the .debug section. The PE file format also supports separate debug files (usually identified by a .dbg extension) as a means of collecting debug information in a central location. The .debug section contains the debug information, but the debug directories live in the .rdata section mentioned earlier. Each of those directories references the debug information in the .debug section.

Base Relocations Section :


When the linker creates an EXE file, it makes an assumption about where the file will be mapped into memory. Based on this, the linker puts the actual addresses of code and data items into the executable. If for any reason the executable ends up being loaded somewhere else in the virtual address space, the addresses the linker placed in the image will be wrong. The information stored in the .reloc section allows the PE loader to fix these addresses in the loaded image so that they are correct again. On the other hand, if the loader can load the file at the base address assumed by the linker, the .reloc section's data is not needed and is ignored.

The entries in the .reloc section are called base relocations, and their use depends on the base address of the loaded image. Base relocations are simply a list of locations in the image that need a value added to them. The format of the base relocation data is somewhat complex. The base relocation entries are packed in a series of variable-length chunks, each chunk describing the relocations for one 4KB page in the image. Let's look at an example to understand how base relocations work. An executable is linked with a base address of 0x10000. At offset 0x2134 within the image is a pointer containing the address of a string. The string starts at physical address 0x14002, so the pointer contains the value 0x14002. You then load the file, but the loader decides it must map the image starting at physical address 0x60000. The difference between the linker's assumed load address and the actual load address is called the delta. In our example the delta is 0x50000 bytes, so the string is now at address 0x64002 and the pointer to the string is no longer correct. The executable contains a base relocation for the memory location where the pointer to the string resides. To resolve a base relocation, the loader adds the delta to the original value at the base relocation address. In our case the loader adds the delta 0x50000 to the original pointer value (0x14002) and stores the result (0x64002) back into the pointer's memory. So the string really is now at 0x64002 and everything is fine.
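As an added example (mine, not the tutorial's), the following Python parses the "variable-length chunks" of .reloc data and applies the delta exactly as in the walkthrough above. Each chunk is an IMAGE_BASE_RELOCATION block (DWORD page RVA, DWORD SizeOfBlock) followed by WORD entries whose high 4 bits are the type and low 12 bits the offset within the page; type 3 (HIGHLOW) means "add the 32-bit delta" and type 0 (ABSOLUTE) is padding. The image and the relocation block are constructed inline to match the text's numbers: linked at 0x10000, pointer at 0x2134 holding 0x14002, loaded at 0x60000.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, no fixup
IMAGE_REL_BASED_HIGHLOW = 3    # add the 32-bit delta to a 32-bit pointer


def parse_relocation_blocks(reloc: bytes):
    """Yield (page_rva, [(type, offset_in_page), ...]) per IMAGE_BASE_RELOCATION block."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size_of_block = struct.unpack_from("<II", reloc, pos)
        if size_of_block == 0:
            break                                   # terminating empty block
        if size_of_block < 8 or pos + size_of_block > len(reloc):
            raise ValueError("malformed relocation block")
        count = (size_of_block - 8) // 2
        words = struct.unpack_from("<%dH" % count, reloc, pos + 8)
        yield page_rva, [(w >> 12, w & 0xFFF) for w in words]
        pos += size_of_block


def apply_relocations(image: bytearray, reloc: bytes, linked_base: int, actual_base: int) -> int:
    """Patch every HIGHLOW pointer in `image` (indexed by RVA); return the number of fixups."""
    if actual_base == linked_base:
        return 0                                    # loaded at the preferred base: .reloc ignored
    delta = (actual_base - linked_base) & 0xFFFFFFFF
    fixups = 0
    for page_rva, entries in parse_relocation_blocks(reloc):
        for rtype, offset in entries:
            if rtype == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if rtype != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % rtype)
            target = page_rva + offset
            if target + 4 > len(image):
                raise ValueError("relocation target outside image")
            (value,) = struct.unpack_from("<I", image, target)
            struct.pack_into("<I", image, target, (value + delta) & 0xFFFFFFFF)
            fixups += 1
    return fixups


# --- constructed image mirroring the text: linked at 0x10000, pointer at 0x2134 -> 0x14002
LINKED_BASE = 0x10000
POINTER_RVA = 0x2134


def build_sample():
    image = bytearray(0x5000)
    struct.pack_into("<I", image, POINTER_RVA, 0x14002)   # pointer holds the string's address
    image[0x4002:0x4002 + 5] = b"hello"                    # the string lives at RVA 0x4002
    # One block for the 4KB page at RVA 0x2000: a HIGHLOW entry at offset 0x134, plus an
    # ABSOLUTE padding entry so SizeOfBlock stays a multiple of 4.
    entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | (POINTER_RVA & 0xFFF), 0]
    block = struct.pack("<II", 0x2000, 8 + 2 * len(entries)) + struct.pack("<2H", *entries)
    return image, block


def read_pointer(image, rva=POINTER_RVA) -> int:
    return struct.unpack_from("<I", image, rva)[0]


if __name__ == "__main__":
    img, reloc = build_sample()
    n = apply_relocations(img, reloc, LINKED_BASE, 0x60000)
    print(n, hex(read_pointer(img)))   # 1 0x64002
```

Two checks worth keeping in a real loader are visible here: the delta is reduced modulo 2^32 (a negative delta, for a lower actual base, still works as unsigned addition), and every target is bounds-checked against the image before it is patched.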

7. The Export Sections :


This section is particularly relevant to DLLs. The following extract from the Win32 Programmer's Reference explains why:

Functions can be exported by a DLL in two ways: by name or by ordinal only. An ordinal is a 16-bit (WORD sized) number that uniquely identifies a function in a particular DLL. This number is unique only within the DLL it refers to. We will talk about exporting by ordinal later. If a function is exported by name, then when other DLLs or executables want to call it they use either the function's name or its ordinal in GetProcAddress, which returns the address of the function in its DLL. The Win32 Programmer's Reference explains how GetProcAddress works (in practice there is a lot of information about this function, not only in the documents written by M$; more on that later). Pay attention to the parts I have marked with a coloured border:


GetProcAddress can do this because the names and addresses of the exported functions are arranged in a well-defined structure in the Export Directory. We can find the Export Directory because we know it is the first member of the data directory and its RVA is held at offset 78h from the start of the PE header (see the appendix). The export structure is called IMAGE_EXPORT_DIRECTORY. There are 11 members in this structure, but some are unimportant:


nName - The internal name of the module. This field is really necessary because the file name can be changed by the user. If that happens, the PE loader uses this internal name. nBase - The starting ordinal number (subtract it from an ordinal to get the index into the address-of-functions array, see below). NumberOfFunctions - The total number of functions exported by the module.

NumberOfNames - The number of symbols exported by name. This is not the number of all functions/symbols in the module; for that you need to check NumberOfFunctions. It can be 0, in which case the module may export by ordinal only. If no function/symbol is exported at all, the RVA of the export table in the data directory will be 0. AddressOfFunctions - An RVA pointing to an array of pointers to the functions in the module, the Export Address Table (EAT). Put another way, the RVAs of the functions in the module are kept in an array and this field points to the head of that array. AddressOfNames - An RVA pointing to an array of RVAs of the function names stored in the module, the Export Name Table (ENT).

AddressOfNameOrdinals - An RVA pointing to an array of 16-bit values containing the ordinals of the named functions, the Export Ordinal Table (EOT).


Nh v y c u trc IMAGE_EXPORT_DIRECTORY tr t i 3 m ng v m t b ng nh ng chu i k t ASCII. M ng quan tr ng l EAT, v n l m t m ng c a cc con tr hm m ch a a ch c a cc exported functions. Hai m ng th hai l (ENT v EOT) ch y song song theo th t s p x p t ng d n d a trn tn c a cc hm m t php tm ki m nh phn cho tn c a hm c th c th c hi n v s ak t qu l s th t c a hm c tm th y vo trong m t m ng khc.S th t ch n gi n l m t ch s bn trong EAT i v i hm .

Because the EOT array exists as the link between names and addresses, it cannot contain more elements than the ENT array, i.e. each name can have one and only one corresponding address. The reverse is not true: one address can have several names corresponding to it. If there are functions with alias names that refer to the same address, the ENT will have more elements than the EOT.


For example, if a DLL exports 40 functions, there must be 40 entries in the array pointed to by AddressOfFunctions (EAT) and the NumberOfFunctions field must contain the value 40. To look up a function by its name, the OS first finds the values of NumberOfFunctions and NumberOfNames in the Export Directory. It then walks the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) in parallel, looking for the function name. If the name is found in the ENT, the value of the corresponding element in the EOT is extracted and used as an index into the EAT. For example, in our 40-function DLL above we want to look up function X. If we find the name X (indirectly, via another pointer) at element 39 of the ENT, we look at element 39 of the EOT and find the value 5. We then look at element 5 of the EAT to find the RVA of function X. If you already have a function's ordinal you can find its address by going directly to the EAT. Although getting a function's address through its ordinal is much easier and faster than using its name, the drawback is that it makes the module harder to maintain. If the DLL is upgraded/updated and the ordinals of its functions change, other programs that depend on this DLL will break.

Exporting by Ordinal Only :


NumberOfFunctions must be at least equal to NumberOfNames. Sometimes, however, NumberOfNames is less than NumberOfFunctions. When a function is exported by ordinal it is not listed in either the ENT or the EOT, since it has no name. Functions that have no name are exported by ordinal. For example, if we have 70 functions but only 40 entries in the ENT, then 30 functions in the module are exported by ordinal. So how do we find out which functions those are? It is not easy. You have to work it out by elimination: the entries in the EAT that are not referenced by the EOT hold the RVAs of the functions exported by ordinal. The programmer can specify the starting ordinal in a .def file. For example, the tables in the illustration above could start at 200. To avoid needing 200 empty elements at the start of the array, the nBase member stores the starting value and the loader subtracts it from the ordinals to obtain the index into the EAT.

Export Forwarding :
Sometimes functions appear to be exported from a particular DLL when in fact they live in a completely different DLL. This is called Export Forwarding. For example, in WinNT, Win2k and WinXP the kernel32.dll function HeapAlloc is forwarded to the function RtlAllocHeap exported by ntdll.dll. NTDLL.DLL also contains the native API, which interacts directly with the Windows kernel. Forwarding is done at link time via a special instruction in the .DEF file. Forwarding is a technique Microsoft uses to present a common set of APIs and hide the platform differences between the NT and 9x families. Applications are not supposed to call functions in the native API set, since that would break compatibility between Win9x and 2K/XP. This may explain why packed executables that have been unpacked and had their import tables rebuilt by hand on one OS may not run on another: API forwarding or some other detail has been changed. When a symbol (function) is forwarded, its RVA clearly cannot be a code or data address in the current module. Instead, the EAT holds a pointer to an ASCII string naming the DLL and the function to which it is forwarded. In the previous example that would be NTDLL.RtlAllocHeap.

So if the EAT entry for a function points to an address inside the Export Section (i.e. at the ASCII string) rather than outside it, into a different DLL, you know the function is forwarded.
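The lookup described above (binary search over the sorted ENT, the EOT entry used as an index into the EAT, nBase subtracted from ordinals, ordinal-only exports found by elimination, and a forwarder recognised by an EAT entry that points back into the export section) as a worked example in Python. This is added code, not part of the tutorial and not a Microsoft loader routine. The module name SAMPLE.dll, its ordinal base of 200 and its four exports are constructed; the forwarder test uses the section bounds as a stand-in for the export directory's range in the data directory.

```python
import bisect
import struct

# IMAGE_EXPORT_DIRECTORY, 40 bytes, little-endian:
# Characteristics, TimeDateStamp, MajorVersion, MinorVersion, Name (nName),
# Base (nBase), NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)  # 40


def build_export_section(section_rva, module_name, base, exports):
    """Build a constructed export section laid out as it would be on disk.

    exports is a list of (name or None, target) in EAT order, so entry i has
    ordinal base + i.  target is an int RVA of code, or a "DLL.Func" string for
    a forwarded export.  Names are sorted so the ENT supports a binary search.
    """
    n = len(exports)
    named = sorted((name, i) for i, (name, _) in enumerate(exports) if name)
    m = len(named)
    eat_off = EXPORT_DIR_SIZE          # EAT directly after the header
    ent_off = eat_off + 4 * n          # then the ENT (DWORD RVAs of names)
    eot_off = ent_off + 4 * m          # then the EOT (WORD indices into the EAT)
    str_off = eot_off + 2 * m          # then the ASCII strings
    strings = bytearray()

    def add_str(s):
        rva = section_rva + str_off + len(strings)
        strings.extend(s.encode("ascii") + b"\0")
        return rva

    name_rva = add_str(module_name)
    eat = [add_str(t) if isinstance(t, str) else t for _, t in exports]
    ent = [add_str(name) for name, _ in named]
    eot = [i for _, i in named]
    hdr = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, name_rva, base, n, m,
                      section_rva + eat_off, section_rva + ent_off,
                      section_rva + eot_off)
    return (hdr + struct.pack("<%dI" % n, *eat) + struct.pack("<%dI" % m, *ent)
            + struct.pack("<%dH" % m, *eot) + bytes(strings))


class ExportTable:
    """Parse an export section mapped at section_rva and resolve exports."""

    def __init__(self, section_rva, data):
        self.rva = section_rva
        self.data = data
        (_, _, _, _, name_rva, self.base, n_funcs, n_names,
         eat_rva, ent_rva, eot_rva) = struct.unpack_from(EXPORT_DIR_FMT, data, 0)
        self.module = self._cstr(name_rva)
        self.eat = list(struct.unpack_from("<%dI" % n_funcs, data, eat_rva - section_rva))
        ent = struct.unpack_from("<%dI" % n_names, data, ent_rva - section_rva)
        self.names = [self._cstr(r) for r in ent]          # ascending, as the loader expects
        self.eot = list(struct.unpack_from("<%dH" % n_names, data, eot_rva - section_rva))

    def _cstr(self, rva):
        off = rva - self.rva
        return self.data[off:self.data.index(b"\0", off)].decode("ascii")

    def resolve(self, index):
        """Resolve an EAT index to ("code", rva) or ("forwarder", "DLL.Func")."""
        rva = self.eat[index]
        if self.rva <= rva < self.rva + len(self.data):   # points back into the export section
            return ("forwarder", self._cstr(rva))
        return ("code", rva)

    def by_name(self, name):
        i = bisect.bisect_left(self.names, name)          # binary search over the ENT
        if i == len(self.names) or self.names[i] != name:
            return None
        return self.resolve(self.eot[i])                  # parallel EOT entry indexes the EAT

    def by_ordinal(self, ordinal):
        index = ordinal - self.base                       # nBase removes the .def offset
        if not 0 <= index < len(self.eat):
            return None
        return self.resolve(index)

    def ordinal_only(self):
        """Ordinals of nameless exports: EAT slots no EOT entry refers to."""
        named = set(self.eot)
        return [self.base + i for i in range(len(self.eat)) if i not in named]


SECTION_RVA = 0x5000
# Constructed sample DLL; ordinals start at 200 as in the tutorial's .def example.
SAMPLE = build_export_section(SECTION_RVA, "SAMPLE.dll", 200, [
    ("HeapAlloc", "NTDLL.RtlAllocateHeap"),   # ordinal 200: forwarded, like kernel32's
    (None, 0x1020),                           # ordinal 201: exported by ordinal only
    ("GetThing", 0x1100),                     # ordinal 202
    ("AddThing", 0x1200),                     # ordinal 203
])
```

ExportTable(SECTION_RVA, SAMPLE).by_name("HeapAlloc") yields the forwarder string rather than a code RVA, which is exactly the test a manual import rebuild has to make before trusting an address.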

8. The Import Section :


The Import Section (usually known as .idata) contains information about all the functions the executable imports from DLLs. This information is stored in several data structures. The most important parts of this section are the Import Directory and the Import Address Table, which we will discuss next. Some executables may also contain Bound_Import and Delay_Import directories. The Delay_Import directory is not very important to us, but we will cover the Bound_Import directory in a later part. The Windows loader is responsible for loading all the DLLs the application uses and mapping them into the process address space. It has to find the addresses of all the imported functions in their various DLLs and make them available to the executable being loaded. The addresses of functions inside a DLL are not static; they change when updated versions of the DLL are released, so applications cannot be built using hardcoded function addresses. Because of this a mechanism was developed that allows such changes without requiring numerous modifications to the executable's code at run time. This is accomplished through the use of an Import Address Table (IAT). This is a table of pointers to the function addresses, filled in by the Windows loader when the DLLs are loaded. By using a table of pointers the loader does not have to change the addresses of the imported functions everywhere in the code where they are called. All it has to do is put the correct address into a single place in the import table and its job is done.

The Import Directory :


The Import Directory is actually an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and contains information about one DLL from which our PE file imports functions. For example, if our PE file imports functions from 10 different DLLs, there will be 10 IMAGE_IMPORT_DESCRIPTOR structures in this array. There is no field that tells us the number of structures in the array. Instead, the last structure has its fields filled with zeros. As with the Export Directory, you can find where the Import Directory starts by looking in the Data Directory (80h bytes from the start of the PE Header). Of its members, the first and the last are the most important:


The first member, OriginalFirstThunk, is a DWORD union that at one time could be a set of flags. However Microsoft changed its meaning and never bothered to update WINNT.H. This field actually holds the RVA of an array of IMAGE_THUNK_DATA structures. [I should mention here that the word union above is nothing more than a redefinition of the same place in memory. The union does not contain 2 DWORDs, only one, which can hold either the OriginalFirstThunk data or the Characteristics data.] The next member, TimeDateStamp, is set to 0 unless the executable is bound, in which case it contains -1 (see below). The next member, ForwarderChain, was used for old-style binding and is not covered here. The Name1 member holds a pointer (RVA) to the ASCII name string of the DLL. The last member, FirstThunk, also holds the RVA of an array of IMAGE_THUNK_DATA structures, a copy of the first array. If the function is described as a bound import (see below), FirstThunk holds the actual address of the function instead of an RVA to an IMAGE_THUNK_DATA. These structures are defined as follows:

Each IMAGE_THUNK_DATA is a DWORD union that effectively holds only one of two values. In the file on disk it contains either the ordinal of the imported function or an RVA to an IMAGE_IMPORT_BY_NAME structure. Once loaded, the array pointed to by FirstThunk is overwritten with the addresses of the imported functions; this becomes the Import Address Table. Each IMAGE_IMPORT_BY_NAME structure is defined as illustrated below:

Hint - Contains the index into the Export Address Table of the DLL the function resides in. This field is used by the PE loader so that it can look the function up in the DLL's Export Address Table quickly. The name at that index is tried first and, if it does not match, a binary search is done to find the name. Usually this value is not required and some linkers set this field to 0.
Name1 - Contains the name of the imported function. The name is a null-terminated ASCII string. Note that the size of Name1 is defined as one byte but in fact it is a variable-sized field; there is simply no way to represent a variable-sized field in a structure. The structure is provided so that you can refer to it through descriptive names.

The most important parts are the imported DLL names and the arrays of IMAGE_THUNK_DATA structures. Each IMAGE_THUNK_DATA structure corresponds to one function imported from the DLL. The arrays pointed to by OriginalFirstThunk and FirstThunk run in parallel and are terminated by a null DWORD. That is the basic breakdown of the arrays of IMAGE_THUNK_DATA structures for each imported DLL. Put another way, there are several IMAGE_IMPORT_BY_NAME structures. You create two arrays and fill them with the RVAs of the IMAGE_IMPORT_BY_NAME structures, so both arrays contain exactly the same values. Now you can assign the RVA of the first array to OriginalFirstThunk and the RVA of the second array to FirstThunk. The number of elements in the OriginalFirstThunk and FirstThunk arrays depends on the number of functions imported from the DLL. For example, if the PE file imports 10 functions from user32.dll, the Name1 member of the IMAGE_IMPORT_DESCRIPTOR holds the RVA of the string user32.dll and there are 10 IMAGE_THUNK_DATA in each array. The two parallel arrays are known by various names, but the most common are Import Address Table (for the one pointed to by FirstThunk) and Import Name Table or Import Lookup Table (for the one pointed to by OriginalFirstThunk). Why are there two parallel arrays of pointers to the IMAGE_IMPORT_BY_NAME structures? The Import Name Table stays intact and is never modified. The Import Address Table is overwritten with the actual function addresses by the loader. The loader iterates through each pointer to the functions and finds the address of the function each structure refers to. It then overwrites the pointer to IMAGE_IMPORT_BY_NAME with the function's address. The array of RVAs in the Import Name Table remains unchanged, so that if it is ever necessary to find the names of the imported functions the PE loader can still find them. Although the IAT is pointed to by entry number 12 in the Data Directory, some linkers do not set this directory entry and the application still runs. The loader only uses it to temporarily mark the IAT read-write during import resolution and can resolve the imports without it. This is how the Windows loader is able to overwrite the IAT when it sits in a read-only section.
At load time the system temporarily sets the attributes of the pages containing the import data to read/write. Once the import table has been initialised, the pages are set back to their original protection attributes.


Calls to imported functions occur through a function pointer in the IAT. For example, imagine that address 00405030 refers to one of the functions listed in the FirstThunk array, overwritten by the loader with the address of GetMessage in USER32.DLL. The efficient way of calling GetMessage looks like this:

0040100C CALL DWORD PTR [00405030]

The less efficient way is this:

0040100C CALL [00402200]
.......
.......
00402200 JMP DWORD PTR [00405030]

Both methods achieve the same result, but the second uses 5 extra bytes of code and takes longer to execute because of the extra jump.

Why are calls to imported functions made this way? The compiler cannot distinguish between ordinary calls to functions in the same module and calls to imported functions, and produces the same output for both: CALL [XXXXXXXX], where XXXXXXXX must be an actual code address (not a pointer) filled in later by the linker. The linker does not know the address of the imported function and so has to provide a substitute piece of code, the jump stub seen above. The optimal method is to use the __declspec(dllimport) modifier to tell the compiler that the function lives inside a DLL. It will then produce CALL DWORD PTR [XXXXXXXX].


If __declspec(dllimport) is not used when compiling an executable, there will be a large set of jump stubs for the imported functions grouped together somewhere in the code section. This is known by various names such as "transfer area", "trampoline" or "jump thunk table".

Functions Exported by Ordinal Only:


As discussed in the Export section part, some functions are exported by ordinal. In that case there is no IMAGE_IMPORT_BY_NAME structure for the function in the caller's module. Instead, the IMAGE_THUNK_DATA for the function holds its ordinal. Before the executable is loaded you can tell whether an IMAGE_THUNK_DATA holds an ordinal or an RVA by examining its most significant bit (MSB), the high bit. If it is set, the lower 31 bits are treated as an ordinal value. If it is not set, the value is an RVA to an IMAGE_IMPORT_BY_NAME. Microsoft provides a handy constant for testing the MSB of a DWORD, IMAGE_ORDINAL_FLAG32, with the value 80000000h. For example, if a function is exported by ordinal and its ordinal is 1234h, the IMAGE_THUNK_DATA for the function will be 80001234h.

Bound Imports :
When the loader loads a PE file into memory it examines the import table and loads the required DLLs into the process address space. It then walks the array pointed to by FirstThunk and replaces the IMAGE_THUNK_DATA with the actual addresses of the imported functions. This step takes a fair amount of time. If for some reason the programmer could predict the function addresses correctly, the PE loader would not have to fix up the IMAGE_THUNK_DATA every time the PE file ran, since the correct addresses would already be there. Binding is the product of that idea. A utility named bind.exe ships with Microsoft compilers; it examines the IAT (FirstThunk array) of a PE file and replaces the IMAGE_THUNK_DATA DWORDs with the addresses of the imported functions. When the file is loaded, the PE loader must check whether those addresses are still valid. If the DLL version does not match the one recorded in the PE file, or if the DLLs had to be relocated, the PE loader knows the bound addresses are stale and walks the Import Name Table (OriginalFirstThunk array) to compute the new addresses. So although the INT is not required for an executable to load, without it the executable cannot be bound. For a long time Borland's linker TLINK did not create an INT, so files created by Borland could not be bound. We will see the other significance of a missing INT in the following sections.

The Bound_Import_Directory
The information the loader uses to determine whether bound addresses are valid is kept in an IMAGE_BOUND_IMPORT_DESCRIPTOR structure. A bound executable contains a list of these structures, one for each imported DLL that has been bound:


The TimeDateStamp member must match the TimeDateStamp in the exporting DLL's header. If it does not, the loader assumes the binary was bound to the wrong DLL and resolves the import list afresh. This can happen if the version of the exporting DLL does not match or if it had to be relocated in memory. The OffsetModuleName member holds the offset (not an RVA) from the first IMAGE_BOUND_IMPORT_DESCRIPTOR to the DLL's null-terminated ASCII name. The NumberOfModuleForwarderRefs member holds the number of IMAGE_BOUND_FORWARDER_REF structures that immediately follow this structure. That structure is defined as follows:

As you can see it is identical to the structure above except that the last member is reserved in all situations. The reason the two structures are similar is that when binding against a function that is forwarded to another DLL, the validity of the forwarded DLL must also be checked at load time. IMAGE_BOUND_FORWARDER_REF contains the details of the forwarded DLLs. For example, HeapAlloc in kernel32.dll is forwarded to RtlAllocateHeap in ntdll.dll. If we create an application that imports HeapAlloc and run bind.exe on it, there will be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll followed by an IMAGE_BOUND_FORWARDER_REF for ntdll.dll. Note: the names of the functions themselves are not included in these structures, since the loader already knows which functions are bound from the IMAGE_IMPORT_DESCRIPTOR (see above).

9. The Windows Loader :


This part is not essential, but it is for those who want to dig deeper into how the operating system (OS) works.

What The Loader Does


When an executable runs, the Windows loader creates a virtual address space for the process and maps the executable module from disk into that address space. It tries to load the image at its preferred base address and maps the sections into memory. The loader examines the section table and maps each section to the address computed by adding the section's RVA to the base address. The page attributes are set according to the section's characteristics. After mapping the sections into memory, the loader applies the relocations if the load address is not equal to the preferred base address in ImageBase. The import table is then checked and any required DLLs are mapped into the process address space. After all DLL modules have been located and mapped in, the loader examines each DLL's export section and the IAT is modified to point to the actual addresses of the imported functions.

If a symbol does not exist (a very rare case) the loader reports an error. Once all the required modules have been loaded, execution is transferred to the application's entry point. The part of interest for RCE is the loading of DLLs and the resolution of imports. This process is complicated by the many internal (forwarded) functions and routines concentrated in ntdll.dll, which are not documented by Micro$oft. As mentioned earlier, function forwarding is a way for M$ to expose a common set of Win32 APIs while hiding the low-level functions that may differ from one OS version to the next. Many familiar kernel32 functions such as GetProcAddress are simply wrappers around ntdll.dll exports such as LdrGetProcAddress (which does the real work). To see this clearly you need to install Windbg and the Windows Symbol Package (provided by M$) or a kernel-mode debugger like SoftIce. You can only see these functions in Olly if you configure Olly to use the M$ symbol server; otherwise all you see are pointers and memory addresses without function names. However Olly is a user-mode debugger and only shows you what happens once your application has been loaded; it does not let you watch the loading process. Although Windbg's functionality is limited and cannot compare with Olly, it integrates well with the OS and shows us the loading process:

As you can see there are many APIs involved in loading an executable, all centred on LoadLibraryExW in kernel32.dll, which in turn leads to the internal function LdrpLoadDll in ntdll.dll. This function directly calls 6 further subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which perform the following tasks:
1. Check whether the module is already loaded.
2. Map the module and its supporting information into memory.
3. Walk the module's import descriptor table (find other modules this one is importing).
4. Update the module's load count as well as any others brought in by this DLL.
5. Initialise the module.
6. Clear some sort of flag, indicating that the load has finished.

A DLL can import other modules, which starts a cascade of additional libraries. The loader needs to iterate through every module from first to last, checking whether it needs to be loaded and then checking its dependencies. That is why LdrpWalkImportDescriptor appears here. LdrpWalkImportDescriptor has two subroutines: LdrpLoadImportModule and LdrpSnapIAT. It begins with two calls to RtlImageDirectoryEntryToData to locate the Bound Imports Descriptor and the Import Descriptor tables. Note that the loader checks the bound imports first; an executable with no import directory can have bound imports instead. Next LdrpLoadImportModule builds a Unicode string for each DLL found in the Import Directory and hands it to LdrpCheckForLoadedDll to find out if they have already been loaded. The LdrpSnapIAT routine then checks each DLL referenced in the Import Directory for a value of -1 (i.e. again checks for bound imports first). It then changes the memory protection of the IAT to PAGE_READWRITE and examines each entry in the IAT before passing it to the LdrpSnapThunk subroutine. LdrpSnapThunk uses a function's index to locate its address and decides whether it is forwarded or not. Otherwise it calls LdrpNameToOrdinal, which uses a binary search over the export table to locate the index quickly. If the function is not found it returns STATUS_ENTRYPOINT_NOT_FOUND; otherwise it replaces the entry in the IAT with the API's entry point and returns to LdrpSnapIAT, which restores the memory protection it changed at the start of its work, calls NtFlushInstructionCache to force a cache refresh on the memory block containing the IAT, and then returns to LdrpWalkImportDescriptor. One particular difference between Windows versions is that Win2k insists on ntdll.dll being loaded, either as a bound import or through the normal import directory, before it allows an executable with no imports to be loaded, whereas Win9x or XP will allow an application with no imports to load.

This brief overview is greatly simplified, but it still illustrates how a call to LoadLibrary triggers a cascade of internal subroutines which are deeply nested and recursive in places. The loader must check every imported API to compute its actual address in memory and determine whether it is bound. Every imported DLL can bring in additional modules, and the process is repeated over and over until all the dependencies have been checked.

10. Navigating Imports :


Navigating Imports on Disk
If you want to find information about the functions imported from a DLL (function "foo" from DLL "bar"), first find the RVA of the Import Directory from the Data Directory, locate it in the raw section data, and you now have an array of IMAGE_IMPORT_DESCRIPTORs. Pick the member of the array relating to bar.dll by examining the strings pointed to by the Name field. When you find the right IMAGE_IMPORT_DESCRIPTOR, follow its FirstThunk to get the pointer to the array of IMAGE_THUNK_DATAs, check the RVAs and find the function "foo". Back to our example in the hex editor, we will locate the import table to see what we need to look for. As mentioned earlier, the RVA of the Import Directory is stored in the DWORD 80h bytes from the PE Header, which in our example is offset 180h, and the RVA is 2D000h (see the Data Directory part). Now we must convert the RVA to a raw offset to examine the correct area of our file on disk. Check the Section Table to see which section the Import Directory's address falls in. In our case the Import Directory starts at the beginning of the .idata section, and we know the section table keeps the raw offsets in the PointerToRawData DWORD. In our example that offset is 2AC00h (see the section table part). Any PE editor gives us the result below. For example, with LordPE:

The difference between the RVA and the raw offset is 2D000h - 2AC00h = 2400h. Note this, as it is useful for converting offsets. See the appendix for more information on converting RVAs. At offset 2AC00h we have the Import Directory, an array of IMAGE_IMPORT_DESCRIPTORs, each 20 bytes, one for each import library (DLL), terminated by 20 bytes of 00h. In the hex editor we see the following at 2AC00h:


Each group of 5 DWORDs represents one IMAGE_IMPORT_DESCRIPTOR. The first group shows us that in this PE file the OriginalFirstThunk, TimeDateStamp and ForwarderChain members are set to 0. Finally we come to a set of 5 DWORDs all set to 0 (coloured in the picture), which tells us this is the end of the array. We can see we are importing functions from 8 DLLs.

Important note: the OriginalFirstThunk fields in our example are all set to 0. That is typical of executables produced by Borland's compiler and linker, and it is worth remembering for a reason that will become apparent. In a packed executable the FirstThunk pointers are invalidated, but they can sometimes be rebuilt by copying the OriginalFirstThunks (which many simple packers do not seem to bother removing). There is in fact a useful tool called First_Thunk Rebuilder by Lunar_Dust that does this. However, with Borland-created files this is not possible, because the OriginalFirstThunks are all zero and there is no INT:

Back to our example above, the Name1 field of the first IMAGE_IMPORT_DESCRIPTOR holds RVA 00 02 D5 30h (NB reverse byte order). Converting this to a raw offset by subtracting 2400h (as above) gives 2B130h. Looking in our PE file we find the DLL name:


Next, the FirstThunk field holds RVA 00 02 D0 B4h, which after conversion gives raw offset 2ACB4h. Remember that this is the offset to the array of DWORD-sized IMAGE_THUNK_DATA structures, the IAT. Each entry will either have its most significant bit set (it will start with 8), in which case the lower part holds the ordinal of the imported function, or, if the MSB is not set, it holds another RVA to the function's name (IMAGE_IMPORT_BY_NAME). In our file the DWORD at 2ACB4h is 00 02 D5 3E:

This is another RVA, which converts to raw offset 2B13E. At this point it will be a null-terminated ASCII string, as we see below:

So the name of the first API imported from kernel32.dll is DeleteCriticalSection. You may notice 2 zero bytes before the function name. That is the Hint element, which is usually set to 00 00. All of this can be verified with PE Browse Pro, which parses the IAT as illustrated below:
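The on-disk walk just described, together with the import structures from part 8 (descriptor array terminated by zeros, parallel thunk arrays terminated by a null DWORD, IMAGE_ORDINAL_FLAG32 deciding between ordinal and IMAGE_IMPORT_BY_NAME), as an added Python example; it is not code from the tutorial. The section table values and the kernel32.dll/DeleteCriticalSection offsets (2D000h, 2AC00h, 2D530h, 2D0B4h, 2D53Eh) are the tutorial's. The second descriptor for user32.dll, its hint 102h, GetMessageA and the ordinal thunk 80001234h are constructed so that both thunk forms are exercised, and the other sections of the sample file are omitted.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000

# Section table as LordPE shows it for the tutorial's sample executable:
# (name, VirtualAddress, VirtualSize, PointerToRawData).  Only the two sections
# this walk touches are listed; the VirtualSize of .idata is the page-rounded 2000h.
SECTIONS = [
    ("CODE",   0x1000,  0x29E88, 0x400),
    (".idata", 0x2D000, 0x2000,  0x2AC00),
]


def rva_to_raw(rva, sections=SECTIONS):
    """Find the section containing rva and remove its RVA/raw difference
    (2D000h - 2AC00h = 2400h for .idata in the tutorial)."""
    for _, va, vsize, raw in sections:
        if va <= rva < va + vsize:
            return rva - va + raw
    raise ValueError("RVA %#x lies in no section" % rva)


def cstr(img, raw):
    """Read a null-terminated ASCII string at a raw offset."""
    return bytes(img[raw:img.index(b"\0", raw)]).decode("ascii")


def parse_imports(img, import_dir_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array and the thunk arrays it points to.
    Returns {dll: (FirstThunk RVA, [("name", hint, func) | ("ordinal", n), ...])}."""
    imports = {}
    off = rva_to_raw(import_dir_rva)
    while True:
        oft, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", img, off)
        if name_rva == 0 and first_thunk == 0:      # all-zero descriptor ends the array
            break
        dll = cstr(img, rva_to_raw(name_rva))
        # On disk the INT (OriginalFirstThunk) and IAT (FirstThunk) hold the same
        # values; Borland linkers leave OriginalFirstThunk 0, so fall back to the IAT.
        thunk_off = rva_to_raw(oft or first_thunk)
        entries = []
        while True:
            thunk = struct.unpack_from("<I", img, thunk_off)[0]
            if thunk == 0:                           # null DWORD ends the thunk array
                break
            if thunk & IMAGE_ORDINAL_FLAG32:         # MSB set: import by ordinal
                entries.append(("ordinal", thunk & 0xFFFF))   # ordinal is the low word
            else:                                    # otherwise an RVA to IMAGE_IMPORT_BY_NAME
                ibn = rva_to_raw(thunk)
                hint = struct.unpack_from("<H", img, ibn)[0]
                entries.append(("name", hint, cstr(img, ibn + 2)))
            thunk_off += 4
        imports[dll] = (first_thunk, entries)
        off += 20                                    # next 20-byte descriptor
    return imports


def build_sample_file():
    """Constructed on-disk image reproducing the tutorial's offsets for
    kernel32.dll/DeleteCriticalSection, plus an invented user32.dll descriptor
    with one by-name and one by-ordinal import."""
    img = bytearray(0x2B200)

    def put(raw, data):
        img[raw:raw + len(data)] = data

    put(0x2AC00, struct.pack("<IIIII", 0, 0, 0, 0x2D530, 0x2D0B4))   # kernel32.dll descriptor
    put(0x2AC14, struct.pack("<IIIII", 0, 0, 0, 0x2D560, 0x2D0C4))   # user32.dll (constructed)
    # the third descriptor stays all zero and terminates the array
    put(0x2ACB4, struct.pack("<II", 0x2D53E, 0))                      # kernel32 IAT
    put(0x2ACC4, struct.pack("<III", 0x2D570, IMAGE_ORDINAL_FLAG32 | 0x1234, 0))  # user32 IAT
    put(0x2B130, b"kernel32.dll\0")
    put(0x2B13E, struct.pack("<H", 0) + b"DeleteCriticalSection\0")  # hint 00 00, then the name
    put(0x2B160, b"user32.dll\0")
    put(0x2B170, struct.pack("<H", 0x102) + b"GetMessageA\0")        # constructed hint
    return img
```

parse_imports(build_sample_file(), 0x2D000) returns the same DeleteCriticalSection entry that PE Browse Pro shows, and the FirstThunk RVA it reports (2D0B4h) is the slot the loader overwrites with the real address once the file is mapped.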


If the file is loaded into memory, dumped and examined in the hex editor, the DWORD at RVA 2D0B4h that contained 3E D5 02 00 on disk will have been overwritten by the loader with the address of DeleteCriticalSection in kernel32.dll:

Allowing for reverse byte order this is 7C91188A.

Important note: functions in the system DLLs always tend to start at address 7XXXXXXX and at the same place each time programs are loaded. However they change if you reinstall your OS and differ from one machine to another. The addresses also differ between operating systems, for example:

Windows Update also occasionally changes the base location of the system DLLs. That is why some people prefer to spend the time finding a well-known breakpoint such as "point-h" on their own system (it is prone to change unexpectedly since it is in a function inside user32.dll).

Navigating Imports in Memory


Load our file into Olly and look once more at the Memory Map window:

Note that the address of the .idata section is 42D000, corresponding to the RVA 2D000 we mentioned earlier. The size is rounded up to 2000 to fit the memory page boundaries.

Olly's main CPU window shows us the addresses in the CODE section (from 401000 to 42AFFF). You can also examine the IAT in the disassembly window if it lies inside the CODE section. In most cases it is in its own section, e.g. .idata, but you can view it in Olly's hex-dump window by right-clicking and choosing Dump in CPU. The Names window (press Ctrl+N) shows us the imported functions:

Right-clicking on any function and choosing Find References to Import shows you the jump thunk stub and the places in the code where the function is called (only one in our case):

Note: in the Comment column you will see that Olly identifies DeleteCriticalSection in kernel32.dll as actually being forwarded to RtlDeleteCriticalSection in ntdll.dll (see the explanation of Export Forwarding). Right-clicking again and choosing Follow Import in Disassembler, Olly shows us the address in the appropriate DLL where the function's code begins, e.g. starting at 7C91188A in ntdll.DLL:


If we look at the call to DeleteCriticalSection at 00401B12 we see the following:

As you can see in the illustration there is a CALL 00401314 instruction, but Olly substitutes the function name for us. 401314 is the address of the jmp stub pointing to the IAT. Note that it is part of a jmp thunk table as mentioned earlier:

Here we see the instruction JMP DWORD PTR DS:[0042D0B4], but once again Olly substitutes the symbolic name for us. Address 0042D0B4 holds the Image_Thunk_Data structure in the IAT that was overwritten by the loader with the actual address of the function in kernel32.DLL: 7C91188A. That is what we found by right-clicking and selecting Follow Import in Disassembler, and also in the dumped file above.


11. Adding Code to a PE File :


Adding code to a PE file is very useful, not only for cracking a protection scheme but also for adding functionality to the PE file. There are 3 main ways to add code to an executable:
1. Add it to an existing section when there is room for your code.
2. Enlarge an existing section when there is no room.
3. Add an entirely new section.

Adding to an existing section


We need a section in the file that is mapped with execute permission in memory, so the simplest is to practise with the CODE section. We then need an area of 00-byte padding in that section. Such areas are commonly called "caves". To find a cave that suits what we want, we look at the CODE section. Details via LordPE:

In the illustration above we see that VirtualSize is smaller than SizeOfRawData. The virtual size represents the amount of actual code. The raw data size defines the amount of space the file uses on your hard disk. Note that the virtual size in this case is smaller than the raw size on disk. That is because compilers usually round the size up to align a section on some boundary. In the hex editor, looking at the end of the CODE section (before the DATA section, which starts at 2A400h), we see the following:


This extra space is completely unused and is not mapped into memory. We need to make sure that the instructions we put into this space will be loaded into memory. We do this by modifying the Size attribute. Right now we see that the virtual size of this section is 29E88, which is all the compiler needed. For our purposes we need to increase it a little, so in LordPE we change the virtual size of the CODE section to 29FFF, the largest value we can use (the whole raw size is only 2A000). To do this, right-click the CODE line, choose edit header, make the change and save. After that we have a suitable space to hold our patch code. The only thing we changed is the VirtualSize DWORD for the CODE section in the Section Table. We could also do this by hand in the hex editor. To illustrate this further we will add to our example program a small ASM routine that takes control at the entry point and then returns execution to the OriginalEntryPoint. All of this is done with Ollydbg. First, in LordPE we see that the EntryPoint is 0002ADB4 and the ImageBase is 400000. When we load the program into Olly the EP will be 0042ADB4. We will add the following lines and then change the entry point to the first line of this code:

MOV EAX,0042ADB4    ; Load in EAX the Original Entry Point (OEP)
JMP EAX             ; Jump to OEP

We will place the instructions above at address 0002A300h as we see it in the hex editor. To convert this RAW offset into an RVA to use in Olly we use the following formula (see the appendix):
RVA = raw offset - raw offset of section + virtual offset of section + ImageBase = 2A300h - 400h + 1000h + 400000h = 42AF00h.

Then load the program into Olly and jump to our target location (press Ctrl+G and type the value calculated above, 42AF00h). At that location press Space, type the first line of the code above and press Assemble. Then do the same with the second line. We get something like the illustration below:

Next right-click, choose Copy to Executable and then All modifications. Then choose Copy all and a new window appears. In this new window right-click again and choose Save File, and so on. Now we go back to LordPE (or the hex editor) and change the EntryPoint to 0002AF00 (ImageBase subtracted), choose Save and click OK. We run the program to check it and reopen it in Olly to see our new EntryPoint. In the hex editor we see the following; note the highlighted part:

Although this is only a tiny patch, we have room for 386 bytes of new code.

Enlarging an Existing Section


If there is no space at the end of the .text section we need to enlarge it. This raises several problems:

1. If the section is followed by other sections, you will have to shift the following sections to make room.

2. There are many references inside the file headers that will need adjusting if you change the size of the file.


3. References between different sections (e.g. references to data values from the code section) will need adjusting. In practice this is almost impossible without recompiling and relinking the original file.

Most of these problems can be avoided by appending to the last section of the exe file. It does not matter which section that is, because we can change it to suit our requirements by editing the Characteristics field in the Section Table by hand or with LordPE. First we find the last section and change it so that it is readable and executable. As said above, the code section is ideal for a patch because its characteristics flags are 60000020, meaning the section is executable and readable (see the appendix). However, if we put code and data into this section we get a page fault, because it is not writeable. To change this we add the flag 80000000, which gives a new value of E0000020 for code, executable, readable and writable. Similarly, if the last section is .reloc the flags are usually 42000040 for initialized data, discardable and read-only. To use this section we must add code, executable and writable, and we must remove discardable to make sure the loader maps the section into memory. This gives a new value of E0000060. All of this can be done by hand by adding the flags and editing the Characteristics field of the section header in a hex editor or in LordPE. In our example the last section is Resources:


This gives us a final Characteristics value of F0000060. As the picture above shows, the RawSize (on disk) of this section is 8E00h bytes, but all of it seems to be in use (the VirtualSize is identical). Now we edit them and add 100h bytes to both to enlarge the section; the new value we get is 8F00h. A few other important values also need changing. The SizeOfImage field in the PE Header must be increased by the same amount we added to the section, 100h, so SizeOfImage changes from 0003CE00h to 0003CF00h. Two other fields are not shown in LordPE because they are less important: SizeOfCode and SizeOfInitialisedData in the Optional Header. The application will still run without these being edited, but you should probably change them for completeness. We have to change them by hand. Both are DWORDs at offsets 1C and 20 from the start of the PE header (see the appendix).


The values 0002A000 and 0000DE00 correspond to the positions marked in the picture. When we add 100h these values become 0002A100 and 0000DF00. We then reverse the byte order of these values, giving 00 A1 02 00 and 00 00 DF 00. Finally copy and paste 100h of 00 bytes (16 rows in the hex editor) onto the end of the section and save the changes. Run the file to check for errors.

Adding a New Section


In some situations you may need to create a copy of an existing section to defeat self-checking procedures (e.g. SafeDisk), or to create a new section to hold code when proprietary information is appended to the end of the file (as in Delphi compiled apps). The first job is to find the NumberOfSections field in the PE header and increase it by 1. As mentioned in the previous parts, most changes can be made with LordPE or by hand in a hex editor. Now in your hex editor copy and paste 100h of 00 bytes (16 rows) onto the end of the file and note the offset of the first new row. In our case it is 00038200h. This will be the start of our new section and will go into the RawOffset field of the Section Header. While we are here, this is a good time to increase SizeOfImage by 100h as we did before. Next we find the section headers, which start at offset F8 from the PE header. It is not necessary for these to be terminated by a header full of zeros. The number of headers is given by NumberOfSections, and there is usually some space at the end before the sections themselves begin (aligned to the FileAlignment value). Find the last section and add a new one after it:

The next thing we have to do is decide what the Virtual Offset/Virtual Size/Raw Offset and Raw Size should be. To decide this we look at the following values:

Virtual offset of formerly last section (.rsrc): 34000h
Virtual size of formerly last section (.rsrc): 8E00h
Raw offset of formerly last section (.rsrc): 2F400h
Raw size of formerly last section (.rsrc): 8E00h
Section Alignment: 1000h
File Alignment: 200h


The RVA and raw offset of our new section must be aligned to the boundaries above. The RAW offset of the section is 00038200h as noted above (which luckily fits the FileAlignment). To get the Virtual Offset of our section we have to calculate: VirtualAddress of .rsrc + VirtualSize of .rsrc = 3CE00h. Since our SectionAlignment is 1000h we must round this up to the nearest 1000h, i.e. 3D000h. So we fill in our section header as follows:

The first 8 bytes will be Name1 (max. 8 chars e.g. "NEW" will be 4E 45 57 00 00 00 00 00 (byte order not reversed))
The next DWORD is VirtualSize = 100h (with reverse byte order = 00 01 00 00)
The next DWORD is VirtualAddress = 3D000h (with reverse byte order = 00 D0 03 00)
The next DWORD is SizeOfRawData = 100h (with reverse byte order = 00 01 00 00)
The next DWORD is PointerToRawData = 38200h (with reverse byte order = 00 82 03 00)
The next 12 bytes can be left null
The final DWORD is Characteristics = E0000060 (for code, executable, read and write as discussed above)

In the hex editor we see the following:

Save the changes, run the program and check it in LordPE:
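Both header procedures above, Enlarging an Existing Section and Adding a New Section, worked through on a constructed 32-bit PE image as an added Python example (not the tutorial's, LordPE's or any other tool's code). The image is built in memory with the header offsets given in the appendix (NumberOfSections at 06, SizeOfCode/SizeOfInitializedData at 1C/20, SizeOfImage at 50, section table at F8 from the PE header); its .text and .rsrc sections carry the numbers quoted in this tutorial and the .idata section is a constructed filler chosen so that SizeOfCode (2A000h) and SizeOfInitializedData (DE00h) come out as in the text. One caveat the block handles differently from the text: the loader requires SizeOfImage to be a multiple of SectionAlignment, so the code rounds the new end of the image up instead of simply adding 100h.

```python
"""Section-table surgery on a constructed 32-bit PE image (added example)."""
import struct

SECTION_ALIGN, FILE_ALIGN, IMAGE_BASE = 0x1000, 0x200, 0x400000
PE_HDR = 0x40                    # e_lfanew of this constructed image: where "PE\0\0" sits
SECTION_TABLE = PE_HDR + 0xF8    # first IMAGE_SECTION_HEADER, offset F8 from the PE header
SEC_FMT = "<8sIIIIIIHHI"         # IMAGE_SECTION_HEADER (40 bytes), field order as in the appendix
SEC_SIZE = struct.calcsize(SEC_FMT)

# Bits from the Section Characteristics Flags table at the end of the tutorial
SCN_CODE, SCN_INITIALIZED_DATA = 0x00000020, 0x00000040
SCN_DISCARDABLE = 0x02000000
SCN_EXECUTE, SCN_READ, SCN_WRITE = 0x20000000, 0x40000000, 0x80000000


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def make_patchable_flags(flags):
    """Add code/executable/readable/writable and clear discardable, e.g. 42000040 -> E0000060."""
    return (flags | SCN_CODE | SCN_EXECUTE | SCN_READ | SCN_WRITE) & ~SCN_DISCARDABLE


def build_image(sections):
    """sections: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics).
    Writes MZ/PE headers with only the fields this example reads back, then zero-filled
    raw data for every section (constructed, not a runnable program)."""
    img = bytearray(sections[0][3])                    # SizeOfHeaders = raw offset of first section
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, PE_HDR)          # e_lfanew
    img[PE_HDR:PE_HDR + 4] = b"PE\0\0"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, stamp, symtab, nsyms, SizeOfOptionalHeader, flags
    struct.pack_into("<HHIIIHH", img, PE_HDR + 4, 0x14C, len(sections), 0, 0, 0, 224, 0x0102)
    struct.pack_into("<H", img, PE_HDR + 0x18, 0x10B)  # Magic: 32-bit image
    size_of_code = sum(s[4] for s in sections if s[5] & SCN_CODE)
    size_of_data = sum(s[4] for s in sections if s[5] & SCN_INITIALIZED_DATA)
    struct.pack_into("<II", img, PE_HDR + 0x1C, size_of_code, size_of_data)   # offsets 1C and 20
    struct.pack_into("<III", img, PE_HDR + 0x34, IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN)
    last = sections[-1]
    struct.pack_into("<II", img, PE_HDR + 0x50, last[1] + last[2], len(img))  # SizeOfImage, SizeOfHeaders
    for i, (name, va, vs, raw, rs, flags) in enumerate(sections):
        struct.pack_into(SEC_FMT, img, SECTION_TABLE + i * SEC_SIZE,
                         name.ljust(8, b"\0"), vs, va, rs, raw, 0, 0, 0, 0, flags)
        assert raw >= len(img), "sections must be listed in file order"
        img.extend(bytes(raw + rs - len(img)))
    return img


def header_fields(img):
    """The header values the tutorial edits, read back through the appendix offsets."""
    n = struct.unpack_from("<H", img, PE_HDR + 6)[0]
    soc, soid = struct.unpack_from("<II", img, PE_HDR + 0x1C)
    soi = struct.unpack_from("<I", img, PE_HDR + 0x50)[0]
    return {"NumberOfSections": n, "SizeOfCode": soc, "SizeOfInitializedData": soid, "SizeOfImage": soi}


def section_headers(img):
    n = struct.unpack_from("<H", img, PE_HDR + 6)[0]
    return [struct.unpack_from(SEC_FMT, img, SECTION_TABLE + i * SEC_SIZE) for i in range(n)]


def enlarge_last_section(img, extra=0x100):
    """Enlarging an Existing Section: append `extra` zero bytes to the last section and fix
    VirtualSize, SizeOfRawData, Characteristics, SizeOfCode, SizeOfInitializedData, SizeOfImage."""
    n = header_fields(img)["NumberOfSections"]
    off = SECTION_TABLE + (n - 1) * SEC_SIZE
    name, vs, va, rs, raw, prel, plin, nrel, nlin, flags = struct.unpack_from(SEC_FMT, img, off)
    assert raw + rs == len(img), "last section must end the file (no appended overlay)"
    vs, rs = vs + extra, rs + extra
    struct.pack_into(SEC_FMT, img, off, name, vs, va, rs, raw, prel, plin, nrel, nlin,
                     make_patchable_flags(flags))
    img.extend(bytes(extra))
    soc, soid = struct.unpack_from("<II", img, PE_HDR + 0x1C)
    struct.pack_into("<II", img, PE_HDR + 0x1C, soc + extra, soid + extra)   # as the text does
    # SizeOfImage must be a multiple of SectionAlignment: round the new end of the image up
    struct.pack_into("<I", img, PE_HDR + 0x50, align_up(va + vs, SECTION_ALIGN))


def add_section(img, name, size,
                flags=SCN_CODE | SCN_INITIALIZED_DATA | SCN_EXECUTE | SCN_READ | SCN_WRITE):
    """Adding a New Section: a header after the last one plus `size` zero bytes at end of file.
    Returns (VirtualAddress, PointerToRawData) derived from the alignment values."""
    n = header_fields(img)["NumberOfSections"]
    new_off = SECTION_TABLE + n * SEC_SIZE
    size_of_headers = struct.unpack_from("<I", img, PE_HDR + 0x54)[0]
    assert new_off + SEC_SIZE <= size_of_headers, "no room in the headers for another section header"
    _, last_vs, last_va = struct.unpack_from("<8sII", img, SECTION_TABLE + (n - 1) * SEC_SIZE)
    va = align_up(last_va + last_vs, SECTION_ALIGN)     # 34000h + 8E00h = 3CE00h -> 3D000h
    raw = align_up(len(img), FILE_ALIGN)                # end of file rounded up to FileAlignment
    img.extend(bytes(raw - len(img) + size))
    struct.pack_into(SEC_FMT, img, new_off, name.ljust(8, b"\0"), size, va, size, raw, 0, 0, 0, 0, flags)
    struct.pack_into("<H", img, PE_HDR + 6, n + 1)
    struct.pack_into("<I", img, PE_HDR + 0x50, align_up(va + size, SECTION_ALIGN))
    return va, raw


# Constructed layout: .text and .rsrc use the numbers quoted in the tutorial; .idata is a
# filler sized so that SizeOfCode (2A000h) and SizeOfInitializedData (DE00h) match the text.
SAMPLE_SECTIONS = [
    (b".text",  0x1000,  0x29E88, 0x400,   0x2A000, SCN_CODE | SCN_EXECUTE | SCN_READ),
    (b".idata", 0x2B000, 0x5000,  0x2A400, 0x5000,  SCN_INITIALIZED_DATA | SCN_READ | SCN_WRITE),
    (b".rsrc",  0x34000, 0x8E00,  0x2F400, 0x8E00,  SCN_INITIALIZED_DATA | SCN_READ),
]
```

After `enlarge_last_section` the SizeOfCode/SizeOfInitializedData bytes at offsets 1C and 20 read 00 A1 02 00 00 DF 00 00 (little-endian 0002A100 and 0000DF00), and `add_section(img, b"NEW", 0x100)` produces exactly the header bytes listed above: 4E 45 57 00 00 00 00 00, then 00 01 00 00, 00 D0 03 00, 00 01 00 00, 00 82 03 00.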


12. Adding Imports to an Executable :


This method is most often used when patching an application and we do not have the API functions we need. Apart from adding a new section, the minimum information the loader requires to build a valid IAT is:

1. Each DLL must be declared with an IMAGE_IMPORT_DESCRIPTOR (IID), and the Import Directory must be terminated by a null-filled one.

2. Each IID needs at least the two fields Name1 and FirstThunk; the rest can be set to 0 (setting OriginalFirstThunk = FirstThunk, i.e. duplicating the RVAs, also works).

3. Each FirstThunk entry must be an RVA to an Image_Thunk_Data (the IAT), which in turn contains a further RVA to the API name. The name must be a null-terminated ASCII string of variable length, preceded by 2 bytes (hint) which can be set to 0.


4. If IIDs are added, the size field of the Import Table in the Data Directory may need changing. The IAT entries in the Data Directory need not be modified.

Writing the new import data in a hex editor and then pasting it into your target can take a lot of time. There are tools that automate this process (e.g. SnippetCreator, IIDKing, Cavewriter), but learning how to do it by hand is still better. The main task is to append a new IID to the end of the Import Table; you will need 20 bytes for each DLL used, not forgetting the 20 bytes for the null terminator. In almost all cases there will be no space at the end of the existing Import Table, so we will make a copy and rebuild it somewhere else.

Step 1 - create space for a new IID


This involves the following steps:

1. Move all the IIDs to a place where there is space. This could be anywhere: the end of the current .idata section or a completely new section.

2. Update the RVA of the new Import Directory in the Data Directory of the PE Header.

3. If necessary, round up the size of the section where you placed the new Import Table so that everything is mapped into memory (e.g. VirtualSize of the .idata section rounded up to 1000h).

4. Run it, and if it works move on to Step 2. If it does not, check that the injected descriptors are mapped into memory and that the RVA of the Import Directory is correct.

IMPORTANT NOTE: The IIDs, FirstThunk and OriginalFirstThunk contain RVAs - RELATIVE ADDRESSES. This means you can cut and paste the Import Directory (IIDs) anywhere you like in the PE file (taking into account that the destination has to be mapped into memory), and changing the RVA (and the size if necessary) of the Import Directory in the Data Directory will make the application work perfectly. Back in our application in the hex editor, the first IID and the null terminator are marked with coloured boxes. As you can see in the picture below, there is no free space after the null IID:

However, there is a large amount of space at the end of the .idata section before the .rdata section begins. We copy and paste the existing IIDs shown above to offset 2C500h in this new location:


To convert the new offset into an RVA (see the appendix): VA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection = 2C500 - 2AC00 + 2D000 = 2E900h. So change the virtual address of the import table in the Data Directory from 2D000 to 2E900. Now edit the header of the .idata section and set VirtualSize equal to RawSize, so the loader maps the whole section. Run our application to test it.

Step 2 - Add the new DLL and function details


This involves the following steps:

1. Add null-terminated ASCII strings with the names of your DLL and function in the free space of the .idata section. The function name is actually an Image_Import_By_Name structure, preceded by a null DWORD (the hint field).

2. Calculate the RVAs of those strings.

3. Put the RVA of the DLL name into the Name1 field of your new IID.

4. Find another DWORD-sized space and put the RVA of the hint/function name into it. This becomes the Image_Thunk_Data, or IAT, of our new DLL.

5. Calculate the RVA of your new Image_Thunk_Data DWORD.

6. Put it into the FirstThunk field of the IID and run the application to test it.

Your new API is ready to be called.

To fill in our new IID we need at least the Name1 and FirstThunk fields (the others can be nulled). As we know, Name1 holds the RVA of the DLL name in null-terminated ASCII. FirstThunk holds the RVA of an Image_Thunk_Data structure, which in turn holds another RVA, that of the function name in null-terminated ASCII. The name, however, is preceded by 2 bytes (the Hint), which can be set to zero. As an example, we want to use the LZCopy function, which copies a whole source file to a destination file. If our source file was compressed with the Microsoft File Compression Utility (COMPRESS.EXE), this function produces a decompressed destination file. If the source file is not compressed, the function simply duplicates the original file.

The function we are talking about lives in lz32.dll, which is not currently used by our application. So first we need to add strings for the names lz32.dll and LZCopy. In the hex editor we scroll up from where we placed our new import table to the end of the existing data, and add the DLL name followed by the function name at that end. Note the null bytes after each string and the null DWORD before the function name:

We need to calculate their RVAs: RVA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection + ImageBase

RVA of DLL name = 2C420 - 2AC00 + 2D000 = 2E820h (20 E8 02 00 in reverse)
RVA of function name = 2C430 - 2AC00 + 2D000 = 2E830h (30 E8 02 00 in reverse)

The first value can go straight into the Name1 field of our new IID, but the second must go into an Image_Thunk_Data structure, whose RVA we then put into the FirstThunk (and OriginalFirstThunk) field of our new IID. We will create the Image_Thunk_Data structure just below the function name at offset 2C440 and calculate the RVA we will put into FirstThunk:

RVA of Image_Thunk_Data = 2C440 - 2AC00 + 2D000 = 2E840 (40 E8 02 00 in reverse)

Once we fill the data in with the hex editor we see the following:


Finally we save what we have done, run the application and load it into PEBrowse:


To be able to call our new function we need to use the following code:

CALL DWORD PTR [XXXXXXXX] where XXXXXXXX = RVA of Image_Thunk_Data + ImageBase. In our example above for the LZCopy function, XXXXXXXX = 2E840 + 400000 = 42E840, so we write:

CALL DWORD PTR [0042E840]

Final note: even if we add a function from a DLL that is already used by the application, e.g. kernel32.dll, we still need to create a new IID for it; this lets us create a new IAT in a convenient location as above. What follows is just an addition to this section. There is a fully automated way to do the work described above:


Note that SnippetCreator adds jump-thunk stubs for the new imports into your code, whereas with the other tools you have to do this entirely by hand.
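Step 1 and Step 2 above, worked through in Python as an added example (not the tutorial's code and not the code of SnippetCreator, IIDKing or Cavewriter): the import directory is relocated to offset 2C500h and a descriptor for lz32.dll!LZCopy is added at the offsets used in the text, so the RVAs 2E900h, 2E820h, 2E830h, 2E840h and the CALL operand 0042E840h fall out of the same arithmetic. The .idata section is a constructed buffer holding one invented original import (kernel32.dll!ExitProcess; the tutorial does not list basecalc.exe's imports) and its size is an assumption. The block writes the hint as the 2-byte field of IMAGE_IMPORT_BY_NAME, so the thunk RVA points at the hint and the name starts 2 bytes later; a parser is included so the rebuilt table can be checked the way the loader will read it, including import-by-ordinal thunks.

```python
"""Import directory relocation and a hand-added import on a constructed .idata section (added example)."""
import struct

IMAGE_BASE = 0x400000
IDATA_RAW, IDATA_VA = 0x2AC00, 0x2D000      # .idata placement quoted in the tutorial
IDATA_SIZE = 0x4800                         # assumption: fills the file up to .rsrc at 2F400h
IID_FMT, IID_SIZE = "<IIIII", 20            # OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name1, FirstThunk
ORDINAL_FLAG = 0x80000000                   # high bit set in a thunk: import by ordinal, not by name


def raw_to_rva(raw):
    return raw - IDATA_RAW + IDATA_VA


def rel(rva):
    """Index into the section buffer for an RVA; refuses anything the loader would not map."""
    i = rva - IDATA_VA
    assert 0 <= i < IDATA_SIZE, "RVA %x is outside .idata" % rva
    return i


def read_cstr(sec, rva):
    start = rel(rva)
    return bytes(sec[start:sec.index(b"\0", start)]).decode("ascii")


def parse_import_directory(sec, dir_rva):
    """Walk the IIDs up to the all-zero terminator; resolve each DLL name and its FirstThunk chain."""
    result, pos = [], rel(dir_rva)
    while True:
        _oft, _stamp, _fwd, name1, first_thunk = struct.unpack_from(IID_FMT, sec, pos)
        if name1 == 0 and first_thunk == 0:
            return result
        funcs, t = [], rel(first_thunk)
        entry = struct.unpack_from("<I", sec, t)[0]
        while entry != 0:
            if entry & ORDINAL_FLAG:
                funcs.append("#%d" % (entry & 0xFFFF))
            else:   # by-name: entry -> IMAGE_IMPORT_BY_NAME = WORD hint, then the ASCII name
                funcs.append(read_cstr(sec, entry + 2))
            t += 4
            entry = struct.unpack_from("<I", sec, t)[0]
        result.append((read_cstr(sec, name1), funcs))
        pos += IID_SIZE


def relocate_import_directory(sec, dir_rva, new_raw):
    """Step 1: copy the IIDs plus the terminator to free space at file offset new_raw.
    Returns (new directory RVA, size in bytes) for the Data Directory entry."""
    src, n = rel(dir_rva), 0
    while any(struct.unpack_from(IID_FMT, sec, src + n * IID_SIZE)):
        n += 1
    blob = bytes(sec[src:src + (n + 1) * IID_SIZE])
    dst = rel(raw_to_rva(new_raw))
    assert not any(sec[dst:dst + len(blob)]), "destination is not free space"
    sec[dst:dst + len(blob)] = blob
    return raw_to_rva(new_raw), len(blob)


def add_import(sec, dir_rva, dll, func, dll_raw, name_raw, iat_raw):
    """Step 2: write the DLL name, hint+function name and a one-entry IAT at the given file
    offsets, then a new IID in front of the terminator.  Returns (directory size, VA for CALL)."""
    for raw, data in ((dll_raw, dll.encode() + b"\0"),
                      (name_raw, b"\0\0" + func.encode() + b"\0"),             # hint = 0, then name
                      (iat_raw, struct.pack("<II", raw_to_rva(name_raw), 0))):  # IAT entry + terminator
        p = rel(raw_to_rva(raw))
        assert not any(sec[p:p + len(data)]), "space at %x is already in use" % raw
        sec[p:p + len(data)] = data
    pos = rel(dir_rva)
    while any(struct.unpack_from(IID_FMT, sec, pos)):
        pos += IID_SIZE
    assert not any(sec[pos + IID_SIZE:pos + 2 * IID_SIZE]), "no room for a new terminator"
    iat_rva = raw_to_rva(iat_raw)
    # OriginalFirstThunk = FirstThunk: duplicating the RVA also works, as the text notes
    struct.pack_into(IID_FMT, sec, pos, iat_rva, 0, 0, raw_to_rva(dll_raw), iat_rva)
    return pos + 2 * IID_SIZE - rel(dir_rva), iat_rva + IMAGE_BASE


def build_sample_idata():
    """Constructed .idata: one IID for kernel32.dll importing ExitProcess, then the terminator."""
    sec = bytearray(IDATA_SIZE)
    sec[0x40:0x40 + 13] = b"kernel32.dll\0"
    sec[0x50:0x50 + 14] = b"\0\0ExitProcess\0"
    struct.pack_into("<II", sec, 0x60, IDATA_VA + 0x50, 0)
    struct.pack_into(IID_FMT, sec, 0, IDATA_VA + 0x60, 0, 0, IDATA_VA + 0x40, IDATA_VA + 0x60)
    return sec


def rebuild_with_lzcopy():
    """The tutorial's walk-through: move the IIDs to 2C500h, then add lz32.dll!LZCopy."""
    sec = build_sample_idata()
    new_dir, _ = relocate_import_directory(sec, IDATA_VA, 0x2C500)
    size, call_va = add_import(sec, new_dir, "lz32.dll", "LZCopy", 0x2C420, 0x2C430, 0x2C440)
    return new_dir, size, call_va, parse_import_directory(sec, new_dir)
```

`rebuild_with_lzcopy()` returns the new directory RVA 2E900h, a directory size of 60 bytes (two IIDs plus the terminator, which is the value for the Data Directory size field), the operand 0042E840h for CALL DWORD PTR, and the parsed table listing both DLLs with their functions.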


13. Introduction to Packers :


In this section we will dissect the effect of a simple packer on our application and cover the 2 main methods of patching a packed executable: unpacking or inline-patching. We will use the packer UPX 1.25, because it only compresses the executable and does not use any advanced protection mechanism. Its authors are Marcus & Laszlo. First we scan our file (the original, not yet packed, file) with PeiD:

Next we pack our application with UPX. It is a command-line program, so we open it in a DOS prompt and type: "upx basecalc.exe":


Afterwards we see that the size of our program has dropped from 225kb to 91kb, and in PeiD we see the following:

Using PEBrowse Pro we see that the packer has given our app 3 sections: UPX0, UPX1 and .rsrc. The resource section now holds the import directory, but for each DLL only one or 2 functions are imported; the other functions have disappeared:


Note that the .rsrc section keeps its original name even though the other sections are renamed. Interestingly, this dates back to a bug in the LoadTypeLibEx function in oleaut32.dll in Win95, which used the name rsrc to find and load the resource section. This created an error if the section was renamed. Although this bug has been fixed, it seems most packers do not rename the rsrc section for compatibility reasons. By opening our application in LordPE and pressing the Compare button we can open the original version of the application and observe the changes to the headers:


When we open the application in Olly we get a Message Box telling us that our executable is packed. Just click OK and we are at the EntryPoint:


The UPX packer compresses our application and adds code in the form of a stub containing the decompression algorithm. The EntryPoint of the application is changed to start the stub, and once the stub has finished its work, execution jumps to the original entrypoint (OEP) to start our now-unpacked program. The basic way to deal with this is to let the stub decompress our application into memory and then dump this memory region to a file, giving us a copy of the unpacked program. However, the application will not run as it is, because the dumped file has its sections aligned to memory page boundaries rather than to the file alignment values, the entrypoint still points to the decompression stub, and the Import directory is obviously wrong and needs fixing. Note that in Olly our entrypoint sits on a first instruction of PUSHAD. PUSHAD stands for PUSH ALL DOUBLE and saves the contents of all the 32-bit registers on the Stack, from EAX through EDI. The stub then does its work and finishes with a POPAD instruction just before the jump to the OEP. POPAD copies the register contents back from the Stack. This means the stub restores everything and exits without trace before actually running the application. This method is therefore typical of many other popular packers, e.g. ASPack. From the moment of that first PUSHAD, the Stack contents at that level must remain completely untouched until the POPAD instruction is reached. If we set a Hardware breakpoint on the first 4 bytes of the stack at the time PUSHAD executes, Olly will break at the moment these 4 bytes are accessed by the POPAD instruction, and we will be right at the jump to our OEP. First we must execute the PUSHAD instruction by pressing F7 once. Next we set our BP. The ESP register (Stack Pointer) always points to the top of the Stack, so right-click ESP and choose Follow in Dump. We get the following:

Next, highlight the first DWORD of the Stack in the Dump window, right-click and choose BP > Hardware on Access > DWORD:


Next press F9 to run the program and Olly will break. We see the JMP to the OEP. The OEP we see here has the ImageBase 400000h added to it, so to find the real OEP we must subtract the ImageBase. That gives us the OEP: 0002ADB4h.

If you want to cheat, here is a quick way that always works with UPX. Simply scroll to the end of the code in the CPU window in Olly, and just before the start of all the zero padding you will see the POPAD instruction as above. NOTE: Other packers that also use the PUSHAD/POPAD mechanism may jump to the OEP with a PUSH instruction that pushes the OEP value onto the top of the Stack followed by a RET. The CPU thinks this is a return from a function call and, as usual, uses the return address placed on top of the Stack. The next step is to press F7 to execute the JMP, and we are at the OEP. Here we use the Olly plugin OllyDump to dump the file. Right-click at the OEP, then choose OllyDump; we get the following screen, and do as illustrated:

Note that OllyDump has already worked out the base address and size of image (which you could see by looking in the memory map window) and has offered to correct the entrypoint for us (although we could do this manually in the hexeditor). Click Dump and save the file under any name you like (e.g. basecalc_dmp.exe). Leave Olly as it is after dumping. Unfortunately, when we look at the dumped file we see it has lost its icon, and if we try to run it we get the following message:

We get this message because of the alignment problem I mentioned above; the size of the file has also grown. Open our app in LordPE and look at the Sections. The Raw offset and Raw Size values are wrong. We have to make the Raw values equal to the Virtual values for each Section for our application to work. Right-click the UPX0 section and choose edit header:


Now we make RawOffset equal to VirtualAddress and RawSize equal to VirtualSize. Repeat this for each Section, then click Save and Exit (this is what the "fix raw size" checkbox in OllyDump does automatically). Now we see the app has its icon back, but when we run it we get a different error: "The application failed to initialize properly". This error occurs because we have not fixed the imports yet. We could fix the imports entirely by hand. However, that takes a lot of time and effort if there are many imported functions, and so on. So here we will use ImpREC 1.6F by MackT to do it automatically. ImpREC needs to attach to a running process and also needs the packed file in order to find the imports. Start ImpREC and follow these steps:

1. Select Basecalc.exe in the Attach list (it should still be running in Olly).
2. Next enter our OEP, 2ADB4, in the OEP textbox.
3. Click the IAT AutoSearch button and click OK on the message box.
4. Click the Get Imports button.
5. Click Show Invalid; in our case there are no invalid entries.
6. Click Fix Dump and select the file we dumped, basecalc_dmp.exe.
7. Done; exit ImpREC.


ImpREC saves the fixed file under the name basecalc_dmp_.exe. We run this file to check it. If we analyse this file we see that its size has grown and that an extra section named mackt has been added, which is where ImpREC put the new import data:

Because UPX is only a compressor, it simply takes the existing import data and stores it in the resource section without encrypting or damaging it. That is why ImpREC can find all the valid imports without resorting to tracing or rebuilding: it just takes the import directory from the packed executable in memory and transfers it to the new section in the unpacked executable. Now let us scan the unpacked file in PEiD:


The above only illustrates the steps needed to unpack an executable packed with a simple packer. There are, however, many advanced packers that add all sorts of protection mechanisms, e.g. anti-debugging and anti-tampering tricks, encryption of code and IAT, stolen bytes, API redirection, etc., which are beyond the scope of this tutorial; please forgive me for that. In some cases we have to patch a packed file, and a technique that lets us avoid unpacking it is inline patching. It involves patching the code at runtime, in memory, after the decompression stub has finished its work and just before it finally jumps to the OEP to run the application. In other words, we wait until our application is unpacked in memory, jump to the patching code we have injected, and finally jump back to the OEP. To illustrate this technique we will inject code into our packed executable that pops up a message box to tell us when the application has been unpacked in memory. When we click OK it will jump to the OEP and the application will run normally. The first task is to find a place for our code, so open the packed app in the hex editor and look for a suitable empty space, known as a "cave". Empty space at the end of a section is best because it is not used by the packer and can be enlarged by extending the section if necessary (see the part on adding code to a PE file). You can see that, because of how efficient UPX is, the space we need is scarce, but a small cave does exist here. Now we add "Unpacked..." and "Now back to OEP" in the ASCII column of the hex editor, as in the picture below:


This will mark the spot for our patch in Olly without our having to worry about calculating VAs. Save the changes and open our application in Olly. Right-click in the Hex window and choose search for binary string. Enter "Unpacked" and find the VAs of the 2 strings. In the CPU window right-click and choose Goto expression. Enter the address of the first string and you will see the 2 strings in hexadecimal form. Olly has not analysed it properly, so it shows up as meaningless code. Highlight the next free row underneath and press the Space Bar to assemble the following instructions:

PUSH 0
PUSH 440C30         [address of first string]
PUSH 440C40         [address of second string]
PUSH 0
CALL MessageBoxA
JMP 42ADB4

Make a note of the address of our first PUSH instruction: 440C4E. Our code should look like this in Olly:

Next right-click and choose copy to executable, selection. In the new window that appears, right-click and choose save file, etc. If we check in the hexeditor we see our code has been added:

Finally we need to change the JMP at the end of the UPX stub to jump to our code instead. Find the jump as described above, double-click the JMP instruction to assemble it and change the address to 440C4E. Save the changes once more and run our app to test:

Clicking OK resumes BaseCalc.

14. References & Further Reading :


The Portable Executable Format -- Michael J. O'Leary
The Portable Executable File Format from Top to Bottom -- Randy Kath
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format -- Matt Pietrek
An In-Depth Look into the Win32 Portable Executable File Format (2 parts) -- Matt Pietrek
Windows 95 Programming Secrets -- Matt Pietrek
Linkers and Loaders -- John R Levine
Secrets of Reverse Engineering -- Eldad Eilam
PE.TXT -- Bernd Luevelsmeyer
Converting virtual offsets to raw offsets and vice versa -- Rheingold
PE Tutorial -- Iczelion
The Portable Executable File Format -- KGL
PE Notes, Understanding Imports -- yAtEs
Win32 Programmer's Reference
What Goes On Inside Windows 2000: Solving the Mysteries of the Loader -- Russ Osterlund
Tool Interface Standard (TIS) Formats Specification for Windows
Adding Imports by Hand -- Eduardo Labir (Havok), CBJ
Enhancing functionality of programs by adding extra code -- c0v3rt+
Working Manually with Import Tables -- Ricardo Narvaja
All tutorials concerning manual unpacking (especially those from ARTeam, with special reference to the Beginner Olly series by Shub and Gabri3l).


15. Complete PE Offset Reference :


The DOS Header :
OFFSET  SIZE   NAME        EXPLANATION
00      WORD   e_magic     Magic DOS signature MZ (4Dh 5Ah)
02      WORD   e_cblp      Bytes on last page of file
04      WORD   e_cp        Pages in file
06      WORD   e_crlc      Relocations
08      WORD   e_cparhdr   Size of header in paragraphs
0A      WORD   e_minalloc  Minimum extra paragraphs needed
0C      WORD   e_maxalloc  Maximum extra paragraphs needed
0E      WORD   e_ss        Initial (relative) SS value
10      WORD   e_sp        Initial SP value
12      WORD   e_csum      Checksum
14      WORD   e_ip        Initial IP value
16      WORD   e_cs        Initial (relative) CS value
18      WORD   e_lfarlc    File address of relocation table
1A      WORD   e_ovno      Overlay number
1C      WORD   e_res[4]    Reserved words
24      WORD   e_oemid     OEM identifier (for e_oeminfo)
26      WORD   e_oeminfo   OEM information; e_oemid specific
28      WORD   e_res2[10]  Reserved words
3C      DWORD  e_lfanew    Offset to start of PE header

The PE Header :
OFFSET  SIZE     NAME                         EXPLANATION
00      DWORD    Signature                    PE Signature PE.. (50h 45h 00h 00h)
04      WORD     Machine                      014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h = MIPS
06      WORD     NumberOfSections             Number Of Sections
08      DWORD    TimeDateStamp                Date & time image was created by the linker
0C      DWORD    PointerToSymbolTable         Zero or offset of COFF symbol table in older files
10      DWORD    NumberOfSymbols              Number of symbols in COFF symbol table
14      WORD     SizeOfOptionalHeader         Size of optional header in bytes (224 in 32bit exe)
16      WORD     Characteristics              see below

********** START OF OPTIONAL HEADER **********
18      WORD     Magic                        010Bh = 32-bit executable image, 020Bh = 64-bit executable image, 0107h = ROM image
1A      BYTE     MajorLinkerVersion           Major version number of the linker
1B      BYTE     MinorLinkerVersion           Minor version number of the linker
1C      DWORD    SizeOfCode                   Size of code section, or sum if multiple code sections
20      DWORD    SizeOfInitializedData        as above
24      DWORD    SizeOfUninitializedData      as above
28      DWORD    AddressOfEntryPoint          Start of code execution, optional for DLLs, zero when none present
2C      DWORD    BaseOfCode                   RVA of first byte of code when loaded into RAM
30      DWORD    BaseOfData                   RVA of first byte of data when loaded into RAM
34      DWORD    ImageBase                    Preferred load address
38      DWORD    SectionAlignment             Alignment of sections when loaded in RAM
3C      DWORD    FileAlignment                Alignment of sections in file on disk
40      WORD     MajorOperatingSystemVersion  Major version no. of required operating system
42      WORD     MinorOperatingSystemVersion  Minor version no. of required operating system
44      WORD     MajorImageVersion            Major version number of the image
46      WORD     MinorImageVersion            Minor version number of the image
48      WORD     MajorSubsystemVersion        Major version number of the subsystem
4A      WORD     MinorSubsystemVersion        Minor version number of the subsystem
4C      DWORD    Reserved1
50      DWORD    SizeOfImage                  Amount of memory allocated by loader for image. Must be a multiple of SectionAlignment
54      DWORD    SizeOfHeaders                Offset of first section, multiple of FileAlignment
58      DWORD    CheckSum                     Image checksum (only required for kernel-mode drivers and some system DLLs)
5C      WORD     Subsystem                    0002h = Windows GUI, 0003h = console
5E      WORD     DllCharacteristics           0001h = per-process library initialization, 0002h = per-process library termination, 0003h = per-thread library initialization, 0004h = per-thread library termination
60      DWORD    SizeOfStackReserve           Number of bytes reserved for the stack
64      DWORD    SizeOfStackCommit            Number of bytes actually used for the stack
68      DWORD    SizeOfHeapReserve            Number of bytes to reserve for the local heap
6C      DWORD    SizeOfHeapCommit             Number of bytes actually used for local heap
70      DWORD    LoaderFlags                  This member is obsolete
74      DWORD    NumberOfRvaAndSizes          Number of directory entries

********** START OF DATA DIRECTORY **********
78      DWORD    IMAGE_DATA_DIRECTORY0        RVA of Export Directory
7C      DWORD                                 size of Export Directory
80      DWORD    IMAGE_DATA_DIRECTORY1        RVA of Import Directory (array of IIDs)
84      DWORD                                 size of Import Directory (array of IIDs)
88      DWORD    IMAGE_DATA_DIRECTORY2        RVA of Resource Directory
8C      DWORD                                 size of Resource Directory
90      DWORD    IMAGE_DATA_DIRECTORY3        RVA of Exception Directory
94      DWORD                                 size of Exception Directory
98      DWORD    IMAGE_DATA_DIRECTORY4        Raw Offset of Security Directory
9C      DWORD                                 size of Security Directory
A0      DWORD    IMAGE_DATA_DIRECTORY5        RVA of Base Relocation Directory
A4      DWORD                                 size of Base Relocation Directory
A8      DWORD    IMAGE_DATA_DIRECTORY6        RVA of Debug Directory
AC      DWORD                                 size of Debug Directory
B0      DWORD    IMAGE_DATA_DIRECTORY7        RVA of Copyright Note
B4      DWORD                                 size of Copyright Note
B8      DWORD    IMAGE_DATA_DIRECTORY8        RVA to be used as Global Pointer (IA-64 only)
BC      DWORD                                 Not used
C0      DWORD    IMAGE_DATA_DIRECTORY9        RVA of Thread Local Storage Directory
C4      DWORD                                 size of Thread Local Storage Directory
C8      DWORD    IMAGE_DATA_DIRECTORY10       RVA of Load Configuration Directory
CC      DWORD                                 size of Load Configuration Directory
D0      DWORD    IMAGE_DATA_DIRECTORY11       RVA of Bound Import Directory
D4      DWORD                                 size of Bound Import Directory
D8      DWORD    IMAGE_DATA_DIRECTORY12       RVA of first Import Address Table
DC      DWORD                                 total size of all Import Address Tables
E0      DWORD    IMAGE_DATA_DIRECTORY13       RVA of Delay Import Directory
E4      DWORD                                 size of Delay Import Directory
E8      DWORD    IMAGE_DATA_DIRECTORY14       RVA of COM Header (top level info & metadata in .NET executables)
EC      DWORD                                 size of COM Header
F0      DWORD    ZERO (Reserved)              Reserved
F4      DWORD    ZERO (Reserved)              Reserved

********** START OF SECTION TABLE (at F8; offsets shown from here) **********
00      8 Bytes  Name1                        Name of first section header
08      DWORD    misc (VirtualSize)           Actual size of data in section
0C      DWORD    VirtualAddress               RVA where section begins in memory
10      DWORD    SizeOfRawData                Size of data on disk (multiple of FileAlignment)
14      DWORD    PointerToRawData             Raw offset of section on disk
18      DWORD    PointerToRelocations         Start of relocation entries for section, zero if none
1C      DWORD    PointerToLinenumbers         Start of line-no. entries for section, zero if none
20      WORD     NumberOfRelocations          This value is zero for executable images
22      WORD     NumberOfLineNumbers          Number of line-number entries for section
24      DWORD    Characteristics              see end of page below
00      8 Bytes  Name1                        Name of second section header

********** Repeats for rest of sections **********

The Export Table :


OFFSET  SIZE   NAME                   EXPLANATION
00      DWORD  Characteristics        Set to zero (currently none defined)
04      DWORD  TimeDateStamp          often set to zero
08      WORD   MajorVersion           user-defined version number, otherwise zero
0A      WORD   MinorVersion           as above
0C      DWORD  Name                   RVA of DLL name in null-terminated ASCII
10      DWORD  Base                   First valid exported ordinal, normally = 1
14      DWORD  NumberOfFunctions      Number of entries in EAT
18      DWORD  NumberOfNames          Number of entries in ENT
1C      DWORD  AddressOfFunctions     RVA of EAT (export address table)
20      DWORD  AddressOfNames         RVA of ENT (export name table)
24      DWORD  AddressOfNameOrdinals  RVA of EOT (export ordinal table)

The Import Table :


OFFSET  SIZE   NAME                EXPLANATION
00      DWORD  OriginalFirstThunk  RVA to Image_Thunk_Data
04      DWORD  TimeDateStamp       zero unless bound against imported DLL
08      DWORD  ForwarderChain      pointer to 1st redirected function (or 0)
0C      DWORD  Name1               RVA to name in null-terminated ASCII
10      DWORD  FirstThunk          RVA to Image_Thunk_Data

Image Characteristics Flags :


FLAG  EXPLANATION
0001  Relocation info stripped from file
0002  File is executable (no unresolved external references)
0004  Line numbers stripped from file
0008  Local symbols stripped from file
0010  Lets OS aggressively trim working set
0020  App can handle >2Gb addresses
0080  Low bytes of machine word are reversed
0100  Requires 32-bit WORD machine
0200  Debugging info stripped from file into .DBG file
0400  If image is on removable media, copy and run from swap file
0800  If image is on a network, copy and run from swap file
1000  System file
2000  File is a DLL
4000  File should only be run on a single-processor machine
8000  High bytes of machine word are reversed

Section Characteristics Flags :

FLAG                  EXPLANATION
00000008              Section should not be padded to next boundary
00000020              Section contains code
00000040              Section contains initialised data (which will become initialised with real values before the file is launched)
00000080              Section contains uninitialised data (which will be initialised as 00 byte values before launch)
00000200              Section contains comments for the linker
00000800              Section contents will not become part of image
00001000              Section contents comdat (Common Block Data)
00008000              Section contents cannot be accessed relative to GP
00100000 to 00800000  Boundary alignment settings
01000000              Section contains extended relocations
02000000              Section can be discarded (e.g. .reloc)
04000000              Section is not cacheable
08000000              Section is pageable
10000000              Section is shareable
20000000              Section is executable
40000000              Section is readable
80000000              Section is writable

16. Relative Virtual Addressing Explained :


In an executable file or a DLL, an RVA is always the address of an item once it has been loaded into memory, with the base address (ImageBase) of the image file subtracted: RVA = VA - ImageBase, and therefore VA = RVA + ImageBase. It's exactly the same thing as a file offset, but it is relative to a point in the virtual address space, not to the beginning of the PE file. Example: if a PE file is loaded at address 400000h in the virtual address (VA) space and the program begins executing at virtual address 401000h, we can say that the program begins executing at RVA 1000h. An RVA is relative to the starting VA of the module. The RVA of an item will almost always differ from its position within the file on disk (the offset). This is a pitfall for newcomers to PE programming. Most of the addresses in the PE file are RVAs and are meaningful only when the PE file is loaded into memory by the PE loader.

The term "Virtual Address" is used because Windows creates a separate virtual address space for each process, independent of physical memory. For almost all purposes, a virtual address should be considered just an address. As stated above, a virtual address is not as predictable as an RVA, because the loader might not load the image at its preferred base address.

Why does the PE file format use RVAs? To reduce the work of the loader. Because a module can be relocated anywhere in the virtual address space, it would be a burden for the loader to fix every hardcoded address in the module. If instead all relocatable items in the file use RVAs, there is no need for the loader to fix anything: it simply relocates the whole module to a new starting VA.

Converting virtual offsets to raw offsets and vice versa (from Rheingold)

Converting raw offsets (the ones you see in a file in a hex editor) into virtual offsets (the ones you see in a debugger) is extremely useful when working with the PE header. For this you need to know a few values from the PE header: the ImageBase and the name of the section in which your offset lies. Below you will see an example of a PE header from the very beginning of the file (where it is actually an MZ header until offset 80h) up to the end of the section definitions (offset 23Fh). The example is illustrated using notepad.exe.


Example 1 - Converting raw offset 7800h to a virtual offset: the ImageBase (the DWORD value 34h bytes after the PE header begins, in our case at B4h) is 400000h. The Section Table starts F8h bytes after the PE header starts, in our case at 178h. It is this part:

The colored values tell us the following values:

The Virtual Size and the values marked in orange in the hex editor output above are not important for the conversion but have other functions (see the Section Table page). We want to convert raw offset 7800h. It seems clear that this offset lies in the .rsrc section, because .rsrc starts at 7000h (Raw Offset) and is 6000h bytes long (Raw Size). Offset 7800h is located 800h bytes after the start of the section in the file. Since all sections are copied into memory just as they are in the file, this address will be found 800h bytes after the section starts in memory (7000h; Virtual Offset). The offset we are looking for is therefore at 7800h. It is by no means common for the raw offset to equal the virtual offset (without ImageBase); in this case it is only because the section starts at the same offset in memory and in the file.

The general formula is: RVA = RawOffset_YouHave - RawOffsetOfSection + VirtualOffsetOfSection + ImageBase (ImageBase = DWORD value 34h bytes after the PE header begins).

The conversion from a virtual offset to a raw offset just goes the other way round. The general formula is: Raw Offset = RVA_YouHave - ImageBase - VirtualOffsetOfSection + RawOffsetOfSection. For 40A000 that is: 40A000 - 400000 - 7000 + 7000 = A000.

There are also automated tools to perform the above conversions. Pressing the "FLC" button in LordPE's PE Editor lets us convert an RVA to an offset:

The Offset Calculator program also allows a one-way conversion from RVA to Raw Offset.


The RVA Calculator program allows conversion both ways:
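The two conversions of Example 1 carried out on a parsed section table, as an added example that is not part of the original tutorial: it decodes IMAGE_SECTION_HEADER entries and their Characteristics flags, then maps a VA to a raw offset and back using the formulas above (note that the text's "RVA" in those formulas already includes the ImageBase, i.e. it is a full VA). The .rsrc entry uses the notepad.exe values quoted in the text; the .text entry and its sizes are constructed, not taken from any real file.

```python
import struct

# Section Characteristics flags (subset of the table above).
SECTION_FLAGS = {
    0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
    0x00000080: "UNINITIALIZED_DATA", 0x02000000: "DISCARDABLE",
    0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE",
}
# One 28h-byte section header: 8-byte name, 6 DWORDs, 2 WORDs, 1 DWORD (little-endian).
SECTION_FMT = "<8sIIIIIIHHI"

def parse_sections(table, count):
    """Decode `count` section headers from the raw section table bytes."""
    out = []
    for i in range(count):
        (name, vsize, va, rawsize, rawptr, _reloc, _lineno, _nreloc,
         _nlineno, chars) = struct.unpack_from(SECTION_FMT, table, i * 40)
        out.append({"name": name.rstrip(b"\0").decode("ascii"),
                    "virtual_size": vsize, "virtual_offset": va,
                    "raw_size": rawsize, "raw_offset": rawptr,
                    "flags": [n for bit, n in SECTION_FLAGS.items() if chars & bit]})
    return out

def va_to_raw(va, sections, image_base):
    """Raw Offset = VA - ImageBase - VirtualOffsetOfSection + RawOffsetOfSection."""
    rva = va - image_base
    for s in sections:
        if s["virtual_offset"] <= rva < s["virtual_offset"] + s["virtual_size"]:
            delta = rva - s["virtual_offset"]
            if delta >= s["raw_size"]:  # lies in the zero-filled tail, not stored on disk
                raise ValueError("VA %#x has no bytes on disk" % va)
            return delta + s["raw_offset"]
    raise ValueError("VA %#x is outside every section" % va)

def raw_to_va(raw, sections, image_base):
    """VA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection + ImageBase."""
    for s in sections:
        if s["raw_offset"] <= raw < s["raw_offset"] + s["raw_size"]:
            return raw - s["raw_offset"] + s["virtual_offset"] + image_base
    raise ValueError("raw offset %#x is not inside any section" % raw)

# Constructed section table: .rsrc uses the notepad.exe values quoted in the text
# (raw 7000h, virtual 7000h, size 6000h); the .text entry is a hypothetical one.
IMAGE_BASE = 0x400000
TABLE = (struct.pack(SECTION_FMT, b".text", 0x5400, 0x1000, 0x5000, 0x400, 0, 0, 0, 0, 0x60000020)
         + struct.pack(SECTION_FMT, b".rsrc", 0x6000, 0x7000, 0x6000, 0x7000, 0, 0, 0, 0, 0x40000040))
SECTIONS = parse_sections(TABLE, 2)
```

va_to_raw(0x40A000, SECTIONS, IMAGE_BASE) gives A000h as in the text, while raw_to_va(0x7800, SECTIONS, IMAGE_BASE) gives 407800h; a VA inside a section's VirtualSize but beyond its SizeOfRawData raises, because such bytes exist only in memory.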

..::[The End]::..

03/08/2005
--++--==[ Greatz Thanks To ]==--++-- Thank to my family, Computer_Angel, Moonbaby, Zombie_Deathman, Littleboy, Benina, QHQCrker, the_Lighthouse, Hoadongnoi, Nini ... all REA's members, HacNho, RongChauA, Deux, tlandn, dqtln, ARTEAM (especially Goppit) .... all my friends, and YOU. --++--==[ Special Thanks To ]==--++-- coruso_trac, patmsvn, trm_tr etc. and all brothers in VSEC

>>>> If you have any suggestions, comments or corrections email me: kienbigmummy[at]gmail.com
