..::[ARTeam Tutorial]::.. PORTABLE EXECUTABLE FILE FORMAT

Category : Relates to cracking, unpacking, reverse engineering
Level : Intermediate
Test OS : XP Pro SP2
Author : Goppit
Translated by : kienmanowar (REA-cRaCkErTeAm)

Tools Used:
- Hexeditor (any will do)
- PEBrowse Pro http://www.smidgeonsoft.prohosting.com/download/PEBrowse.zip
- PEiD http://www.secretashell.com/codomain/peid/download.html
- LordPE http://mitglied.lycos.de/yoda2k/LordPE/LPE-DLX.ZIP (get DLX-b update also)
- HexToText http://www.buttuglysoftware.com/HexToTextMFC.zip
- OllyDbg http://home.t-online.de/home/Ollydbg/odbg110.zip
- ResHacker http://delphi.icm.edu.pl/ftp/tools/ResHack.zip
- BaseCalc included in this archive

...and mentioned in the text:
- Snippet Creator http://win32assembly.online.fr/files/sc.zip
- First_Thunk Rebuilder http://www.angelfire.com/nt/teklord/FirstThunk.zip
- IIDKing http://www.reteam.org/tools/tf23.zip
- Cavewriter http://sandsprite.com/CodeStuff/cavewriter.zip


Contents :

Preface
1. Basic Structure
2. The DOS Header
3. The PE Header
4. The Data Directory
5. The Section Table
6. The PE File Sections
7. The Export Sections
8. The Import Section
9. The Windows Loader
10. Navigating Imports
11. Adding Code to a PE File
12. Adding Imports to an Executable
13. Introduction to Packers
14. References & Further Reading
15. Complete PE Offset Reference
16. Relative Virtual Addressing Explained


Preface :

This tutorial aims to collate information from many different sources and present it in a way that a beginner can approach most easily. Although it is presented in detail over many parts, it is oriented towards reverse code engineering, so unnecessary information is left out. You will notice that in this tutorial I borrow heavily from various published articles, and all of their authors are acknowledged with deep thanks in the references at the end of this tutorial.

PE is the native file format of Win32. All executable files on Win32 (except VxDs and 16-bit DLLs) use the PE format. 32-bit DLLs, COM files, OCX controls, Control Panel applets (.CPL files) and .NET applications are all PE format. Even the kernel-mode drivers of the NT operating systems use the PE format. Why do we need to learn about it? There are two main reasons: first, we want to add code to executables (for example keygen injection, or adding functionality), and second, we want to unpack executables by hand (manual unpacking). Most of the interest lies in the second reason, because nowadays almost every piece of shareware is packed, both to reduce the size of the file and to add a layer of protection to it. Inside a packed executable the import tables are usually altered and rendered invalid, and the data is always encrypted. The packer inserts code that unpacks the file in memory at run time and then jumps to the OEP (original entry point, the place where the original program really starts executing). If we can find a way to dump this memory region after the packer has finished unpacking the executable, we still have to repair the sections and the import tables before our application will run. How could we do this without the slightest understanding of the PE file format?

The executable I use as an example throughout this tutorial is BASECALC.EXE, a very useful program from Fravia's website that calculates and converts between decimal, hex, binary and octal numbers. Its author coded it in Borland Delphi 2.0, which makes it an ideal file to illustrate how the Borland compiler leaves the OriginalFirstThunks null (more on this later).


1. Basic Structure :

The illustration below shows the basic structure of a PE file.

At a minimum a PE file has 2 sections: one for code and one for data. An application on Windows NT has 9 predefined sections named .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others may define more sections to suit their own particular needs. The sections that exist and appear most commonly in an executable are:

1. Executable Code Section, named .text (Micro$oft) or CODE (Borland).
2. Data Sections, named .data, .rdata or .bss (Micro$oft) or DATA (Borland).
3. Resources Section, named .rsrc.
4. Export Data Section, named .edata.
5. Import Data Section, named .idata.
6. Debug Information Section, named .debug.

These names are actually irrelevant, since they are ignored by the operating system and exist only for the convenience of the programmer. Another important point is that the structure of a PE file on disk is exactly the same as when it is loaded into memory, so you can locate a piece of information in the file on disk that you may later want to find once the file is loaded into memory. However, the file is not copied into memory exactly as it is. The Windows loader decides which parts need to be mapped in and omits the others. Data that is not mapped in is placed at the end of the file, after any parts that will be mapped in, for example debug information. Also, the position of an item in the file on disk will always differ from its position once loaded into memory, because of the page-based virtual memory management that Windows uses. When sections are loaded into RAM they are aligned to 4KB memory pages, each section starting on a new page. A field in the PE header tells the system how much memory needs to be set aside for mapping the file. Virtual memory is explained below.

Virtual memory : Instead of letting software access physical memory directly, the processor and the operating system create an invisible layer between them. Every time an attempt is made to access memory, the processor looks up a page table to find out which physical memory address the process is actually using. It would not be practical to have a table entry for every byte of memory (the page table would be larger than the total physical memory), so instead the processor divides memory into pages. This has several advantages:

1. It allows the creation of multiple address spaces. An address space is an isolated page table that only allows access to the memory that is appropriate for the current program or process. It ensures that programs are completely isolated from one another, and a fault that crashes one program cannot affect or corrupt the address space of other programs.

2. It allows the processor to enforce certain rules on how memory is accessed. Sections are needed in a PE file because different areas of the file are treated differently by the memory manager when a module is loaded. At load time the memory manager sets the access rights on the memory pages of the various sections based on their settings in the section header. This determines whether a section is readable, writeable or executable. It also means that each section must start on a new page. However, the default page size on Windows is 4096 bytes (1000h), and it would be wasteful to align executable files to a 4KB page boundary on disk, as that would make them far larger than necessary. For this reason the PE header has two different alignment fields: section alignment and file alignment. Section alignment is how sections are aligned in memory, as above. File alignment (usually 512 bytes, or 200h) is how sections are aligned in the file on disk, and is a multiple of the sector size to optimize the loading process.

3. It allows a paging file on the hard disk to be used to store pages temporarily out of physical memory while they are not in use. For example, if an application is loaded but idle, its address space can be paged out to disk to make room for other applications that need to be loaded into RAM. If the situation reverses, the OS can simply load the first application back into RAM and resume execution where it left off. An application can also use more memory than the physical memory available, because the system can use the hard disk as secondary storage whenever physical memory runs out.

When a PE file is loaded into memory by the Windows loader, the in-memory version is known as a module. The start address at which the file mapping begins is called an HMODULE. A module in memory represents all the code, data and resources from an executable file that are needed for execution, whereas the term process basically refers to an isolated address space in which a module can be run.

2. The DOS Header :

All PE files start with the DOS header, which occupies the first 64 bytes of the file. It is there in case the program is run from DOS, so that the DOS operating system can recognize it as a valid executable and run the DOS stub, which is stored immediately after the header. Most DOS stubs simply use function 9 of interrupt 21h to display a string such as "This program must be run under Microsoft Windows", but the stub could be a full-blown DOS program. (In short, the DOS stub is just a small DOS EXE that displays an error message, usually the one above. Because this header sits at the very beginning of the file, DOS viruses can infect a PE image precisely at the DOS stub. The DOS stub is nevertheless retained for compatibility with 16-bit Windows systems.) When building a Windows application, the linker links a default stub program called WINSTUB.EXE into your executable. You can override this default linker behaviour by substituting your own MS-DOS-based program for WINSTUB and using the STUB: linker option when linking the executable. The DOS header is a structure defined in the files windows.inc or winnt.h (if you have an assembler or compiler installed you will find these files in the \include\ directory). It has 19 members, of which magic and lfanew are of interest.


In a PE file the magic member of the DOS header contains the values 4Dh, 5Ah (the characters MZ, the initials of Mark Zbikowski, one of the principal creators of MS-DOS); these values signal a valid DOS header. MZ are the first 2 bytes you will see in any PE file when it is opened in a hex editor (see the illustration below). As you can see in the illustration above, lfanew is a DWORD (a double word, i.e. 4 bytes) located at the very end of the DOS header, immediately before the start of the DOS stub. It contains the offset of the PE header relative to the beginning of the file. The Windows loader looks for this offset so that it can skip the DOS stub and go directly to the PE header. The illustration above is very helpful because it shows the size of each element. This lets us locate the information we are interested in by counting bytes from the start of the section, or from some other recognizable point. As we said above, the DOS header occupies the first 64 bytes of the file, i.e. the first 4 rows seen in a hex editor in the illustration below. The last DWORD before the start of the DOS stub contains the values 00h 01h 00h 00h. Reversing the byte order, this tells us that 00 00 01 00h is the offset at which the PE header begins. The PE header begins with its signature 50h, 45h, 00h, 00h (the characters PE followed by two terminating zeros). If in the Signature field of the PE header you find an NE signature instead of PE, you are dealing with a 16-bit Windows NE file. Likewise, LE in the signature field tells you it is a Windows 3.x virtual device driver (VxD), and LX is the mark of a file for OS/2 2.0.

OK.... time for a short break!! We will continue the discussion in the next part of this tutorial. :)


3. The PE Header :

PE header is the general term for a structure named IMAGE_NT_HEADERS. This structure contains essential information used by the loader. IMAGE_NT_HEADERS has 3 members and is defined in windows.inc as follows:

Signature is a DWORD containing the values 50h, 45h, 00h, 00h (the characters PE followed by two terminating zeros). FileHeader consists of the next 20 bytes of the PE file and contains information about the physical layout and properties of the file, for example the number of sections. OptionalHeader is always present and consists of the next 224 bytes. It contains information about the logical layout inside the PE file, for example AddressOfEntryPoint. Its size is given by a member of FileHeader. The structures of these members are also defined in windows.inc. FileHeader is defined as in the illustration below:

Most of these members are of no use to us, but we must change NumberOfSections if we want to add or remove any sections in a PE file. Characteristics contains flags that tell us, among other things, whether the PE file we are working with is an executable or a DLL. Back to our example in the hex editor: we can find NumberOfSections by counting one DWORD and one WORD (6 bytes) from the start of the PE header (the DWORD being the Signature and the WORD being Machine). (Note: the NumberOfSections field is used by viruses for various reasons. For example, it can be modified by viruses that increment it to add a new section to the PE image and place the virus body in that section. Windows NT systems accept up to 96 sections in a PE file; Win95 systems do not check the section number carefully.) See the illustration below:


This can be verified using any PE tool. For example, PEBrowse Pro:

Or using the well-known tool LordPE:


Or, if you are using PEiD, you can also verify this by clicking the Subsystem button:

Note: PEiD is an extremely useful tool. Its main function is to scan executable files and tell us which packer was used to compress and protect the file. PEiD also comes with an equally important plugin, Krypto ANALyzer. When you use this plugin it tells us which cryptographic algorithms the file uses, for example CRC, MD4, MD5 or SHA and so on. The tool also uses user-defined lists of packer signatures. In short, PEiD is the first tool to reach for when we begin unpacking.

We continue with the next member, OptionalHeader. It occupies 224 bytes, the last 128 of which contain the Data Directory. It is defined as in the illustration below:


AddressOfEntryPoint - The RVA (relative virtual address) of the first instruction that will be executed when the PE loader is ready to run the PE file (usually it points into the .text or CODE section). If you want to divert the flow of execution, you need to change the value in this field to a new RVA, and the instruction at that new RVA will then execute first. Packers usually replace this value with the address of their decompression stub; after unpacking, execution jumps back to the original entry point of the program, commonly called the OEP. One further note: with StarForce protection the CODE section is not present in the file on disk but is written into virtual memory during execution, so the value in this field is a VA (see the appendix referred to below). (Note: this is a really crucial field, because it is modified by most kinds of virus infection to point at the real entry of the virus code.)

ImageBase - The preferred load address for the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not be able to load the file at that address if some other module already occupies that address range. In 99% of cases the value of ImageBase is 400000h.

SectionAlignment - The alignment of sections in memory. When the executable is mapped into memory, each section must start at a virtual address that is a multiple of this value. The smallest value for this field is 0x1000 (4096 bytes), but Borland linkers usually use larger defaults, for example 0x10000 (64KB). For example, if the value in this field is 4096 (1000h), each subsequent section must start at the previous section's address plus 4096 bytes. If the first section is at 401000h and its size is 10 bytes, the next section will be at 402000h even though the address space between 401000h and 402000h is almost entirely unused. (Note: most Win32 viruses use this field to calculate the exact position of the virus body, but do not modify it.)

FileAlignment - The alignment of sections in the file. For example, if the value in this field is 512 (200h), each subsequent section must start at the previous section's offset plus 200h. If the first section is at offset 200h and its size is 10 bytes, the next section will be located at offset 400h; the space between file offsets 522 and 1024 is unused/undefined.

SizeOfImage - The total size of the PE image in memory. It is the sum of all headers and sections, aligned to SectionAlignment.

SizeOfHeaders - The size of all headers + the section table. In short, this value equals the file size minus the combined size of all the sections in the file. You can also use this value as the file offset of the first section in the PE file.

DataDirectory - An array of 16 IMAGE_DATA_DIRECTORY structures, each of which relates to an important data structure in the PE file, such as the import address table. This important structure is discussed in detail in the following parts.

The layout of everything in the PE header can be observed visually in the hex editor illustration below. Note that the DOS header and the PE header are always the same size (and shape) when viewed in a hex editor. The DOS stub can vary in size:


Besides the PE tools mentioned above, the favourite debugger OllyDbg can also analyze PE headers, displaying the information fully and meaningfully. Load our example file into OllyDbg and press Alt+M, or click the M button, to open the Memory Map window, which shows us the PE file loaded in memory.

Next, right-click on PE Header and select Dump in CPU. Then, in the Hex window, right-click once more and select Special --> PE Header.

We get the following information:


4. The Data Directory :

To recap the previous part: we know that the Data Directory is the last 128 bytes of OptionalHeader, and in turn the last member of the PE header, IMAGE_NT_HEADERS. As we said, the Data Directory is an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes each, each relating to an important data structure in the PE file. Each array entry refers to a predefined item, for example the import table. The Data Directory structure has 2 members, which hold the location and size of the data structure in question:

VirtualAddress is the relative virtual address of the data structure (see later). isize holds the size in bytes of the data structure. The 16 directories these structures refer to are themselves defined in windows.inc:


As an example, let us use LordPE. In LordPE, the Data Directory for our example file contains only 4 members (circled in the illustration). The remaining 12 are unused and filled with 0:

As you can see in the illustration above, the import table field contains the RVA and size of the IMAGE_IMPORT_DESCRIPTOR array, the Import Directory. In the hex editor, the illustration below shows the PE header with the data directory highlighted in colour. Each highlighted region represents one IMAGE_DATA_DIRECTORY structure. The first DWORD is VirtualAddress and the last is isize.


In the illustration above the Import Table is highlighted in pink. The first 4 bytes are the RVA 02D000h (NB reverse byte order). The size of the Import Table is 181Eh bytes. As we said above, the positions of the data directories relative to the start of the PE header are always the same. For example, the DWORD 80h bytes from the start of the PE header is always the RVA of the Import Table. To locate a particular directory, you take its relative address from the data directory. Then you use that virtual address to work out which section the directory is in. Once you have worked out which section contains the directory, the section header for that section is used to find the exact file offset.

5. The Section Table :

The section table is the component immediately following the PE header. It is an array of IMAGE_SECTION_HEADER structures, each of which contains information about one section in the PE file, such as its attributes and its virtual offset. Recall that the number of sections is the second member of FileHeader (6 bytes from the start of the PE header). If there are 8 sections in the PE file, there will be 8 copies of this structure in the table. Each header structure is 40 bytes and there is no padding between them (padding here means inserting bytes with the value 00h). The structure is defined in windows.inc as follows:


Once again, not all of these members are useful. I will only describe the really important ones.

Name1 - (NB this field is 8 bytes) The name is just a label and may even be empty. Note that it is not an ASCII string, so it does not need to be null-terminated.

VirtualSize (DWORD union) - The actual size of the section's data in bytes. It may be smaller than the size of the section on disk (SizeOfRawData), and it is what the loader allocates in memory for this section.

VirtualAddress - The RVA of the section. The PE loader examines and uses the value in this field when it maps the section into memory. So if the value in this field is 1000h and the PE file is loaded at 400000h, the section will be loaded at 401000h.

SizeOfRawData - The size of the section's data in the file on disk, rounded up by the compiler to the next multiple of the file alignment.

PointerToRawData (Raw Offset) - This member is really useful because it is the offset from the start of the file to the section's data. If it is 0, the section's data is not contained in the file and is not fixed at load time. The PE loader uses the value in this field to find where in the file the section's data lies.

Characteristics - Contains flags such as whether this section contains executable code, initialized data or uninitialized data, and whether it can be written to or read (see the appendix).

NOTE: When searching for a particular section, it is possible to ignore the PE header entirely and start examining the section headers by searching for the section name in the ASCII window of your hex editor. Back to our example: in the hex editor our file has 8 sections, as we saw in the PE header part.


After the section headers we find the sections themselves. In the file on disk each section starts at an offset that is a multiple of the FileAlignment value found in the OptionalHeader. Between the sections' data there are 00 padding bytes. When loaded into RAM the sections always start on a page boundary, so the first byte of each section corresponds to a memory page. Pages on x86 CPUs are 4KB aligned, while on IA-64 they are 8KB aligned. This alignment value is stored in SectionAlignment, also in the OptionalHeader. For example, if the OptionalHeader ends at file offset 981 and FileAlignment is 512, the first section will start at byte 1024. Note that you can find the sections via PointerToRawData or VirtualAddress, so there is no need to worry about the alignments. In the illustration above the Import Data section (.idata) starts at offset 0002AC00h (highlighted pink, NB reverse byte order) from the start of the file. Its size, given as a DWORD, is 1A00h bytes.
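As an added example (not part of the original tutorial or of any tool it lists), the following Python script walks the structures described in parts 2 to 5: it follows e_lfanew from the DOS header, checks the PE/NE/LE/LX signature, unpacks FileHeader, OptionalHeader and the 16 data directory entries, reads the section table and converts an RVA to a file offset through the section that contains it. The sample image it parses is constructed in the script itself with struct.pack (two sections, CODE at RVA 1000h and .idata at 2000h, ImageBase 400000h, FileAlignment 200h, SectionAlignment 1000h); SAMPLE, PE, parse_pe, rva_to_offset, image_kind and the constant tables are this example's own names, not definitions from windows.inc, although the field layouts follow the ones the tutorial describes.

```python
import struct

# Field layouts as the tutorial describes them: a 64-byte DOS header whose last
# DWORD (offset 3Ch) is e_lfanew, then IMAGE_NT_HEADERS = 4-byte signature +
# 20-byte FileHeader + 224-byte PE32 OptionalHeader (last 128 bytes = 16 data
# directories), then 40-byte IMAGE_SECTION_HEADER entries with no padding.
FILE_HEADER_FMT = "<HHIIIHH"                                           # 20 bytes
OPT_HEADER_FMT = "<HBB" + "I" * 9 + "H" * 6 + "IIII" + "HH" + "I" * 6  # 96 bytes
SECTION_FMT = "<8sIIIIIIHHI"                                           # 40 bytes
DATA_DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY",
                  "BASERELOC", "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS",
                  "LOAD_CONFIG", "BOUND_IMPORT", "IAT", "DELAY_IMPORT",
                  "COM_DESCRIPTOR", "RESERVED"]
SIGNATURES = {b"NE": "16-bit Windows NE", b"LE": "Windows 3.x VxD (LE)",
              b"LX": "OS/2 2.0 (LX)"}
assert struct.calcsize(OPT_HEADER_FMT) == 96 and struct.calcsize(SECTION_FMT) == 40


def align_up(value, alignment):
    """Round up to the next multiple of alignment (the linker/loader rule)."""
    return (value + alignment - 1) // alignment * alignment


def image_kind(data):
    """Classify the file by the signature that e_lfanew points at."""
    if data[:2] != b"MZ":
        return "not a DOS/PE file"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "PE"
    return SIGNATURES.get(sig[:2], "plain DOS executable")


def parse_pe(data):
    """Walk DOS header -> IMAGE_NT_HEADERS -> data directories -> section table."""
    kind = image_kind(data)
    if kind != "PE":
        raise ValueError("not a PE file: " + kind)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    fh = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    opt_off = e_lfanew + 4 + 20
    oh = struct.unpack_from(OPT_HEADER_FMT, data, opt_off)
    dirs = {name: struct.unpack_from("<II", data, opt_off + 96 + 8 * i)
            for i, name in enumerate(DATA_DIR_NAMES)}
    sect_off = opt_off + fh[5]                    # skip SizeOfOptionalHeader
    sections = []
    for i in range(fh[1]):                        # NumberOfSections
        s = struct.unpack_from(SECTION_FMT, data, sect_off + 40 * i)
        sections.append({"name": s[0].rstrip(b"\0").decode(), "virtual_size": s[1],
                         "virtual_address": s[2], "size_of_raw_data": s[3],
                         "pointer_to_raw_data": s[4], "characteristics": s[9]})
    return {"e_lfanew": e_lfanew, "number_of_sections": fh[1],
            "characteristics": fh[6], "entry_point": oh[6], "image_base": oh[9],
            "section_alignment": oh[10], "file_alignment": oh[11],
            "size_of_image": oh[19], "size_of_headers": oh[20],
            "data_directories": dirs, "sections": sections}


def directory_entry_offset(pe, name):
    """File offset of one IMAGE_DATA_DIRECTORY entry: a fixed distance from the signature."""
    return pe["e_lfanew"] + 4 + 20 + 96 + 8 * DATA_DIR_NAMES.index(name)


def rva_to_offset(pe, rva):
    """Translate an RVA to a file offset through the section that contains it."""
    for s in pe["sections"]:
        start = s["virtual_address"]
        if start <= rva < start + max(s["virtual_size"], s["size_of_raw_data"]):
            return rva - start + s["pointer_to_raw_data"]
    return rva if rva < pe["size_of_headers"] else None   # headers map 1:1


def alignment_ok(pe):
    """Sections start on SectionAlignment boundaries in memory, FileAlignment on disk."""
    return all(s["virtual_address"] % pe["section_alignment"] == 0 and
               s["pointer_to_raw_data"] % pe["file_alignment"] == 0
               for s in pe["sections"])


def build_sample_pe():
    """Constructed two-section PE32 image (headers plus marker bytes, no real code)."""
    sa, fa = 0x1000, 0x200
    sections = [(b"CODE", 0x1000, b"CODE-BODY", 0x60000020),     # code | exec | read
                (b".idata", 0x2000, b"IDATA-BODY", 0xC0000040)]  # data | read | write
    size_of_headers = align_up(0x100 + 4 + 20 + 224 + 40 * len(sections), fa)  # 248h -> 400h
    dirs = [(0, 0)] * 16
    dirs[1] = (0x2000, len(sections[1][2]))                      # IMPORT table lives in .idata
    opt = struct.pack(OPT_HEADER_FMT, 0x10B, 2, 0, fa, fa, 0, 0x1000, 0x1000, 0x2000,
                      0x400000, sa, fa, 4, 0, 0, 0, 4, 0, 0, align_up(0x2000 + sa, sa),
                      size_of_headers, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs, bodies, raw = b"", b"", size_of_headers
    for name, va, body, flags in sections:
        hdrs += struct.pack(SECTION_FMT, name, len(body), va, fa, raw, 0, 0, 0, 0, flags)
        bodies += body.ljust(fa, b"\0")                            # padded to FileAlignment
        raw += fa
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x100)           # e_lfanew = 100h
    nt = b"PE\0\0" + struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    image = dos + b"\0" * (0x100 - 64) + nt + opt + hdrs          # zero-filled DOS stub
    return image.ljust(size_of_headers, b"\0") + bodies


SAMPLE = build_sample_pe()
PE = parse_pe(SAMPLE)

if __name__ == "__main__":
    for s in PE["sections"]:
        print("%-8s VA %06Xh raw %06Xh" % (s["name"], s["virtual_address"], s["pointer_to_raw_data"]))
    rva, size = PE["data_directories"]["IMPORT"]
    print("IMPORT RVA %06Xh size %Xh -> file offset %Xh" % (rva, size, rva_to_offset(PE, rva)))
```

Run it as a script to see the section table and the import directory resolved to a file offset; to try it on a real file, replace SAMPLE with the bytes read from disk. The PE32 format string is for the 224-byte optional header the tutorial covers; a PE32+ (64-bit) header has a different layout and would need its own format.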

6. The PE File Sections :

The sections contain the main content of the file, including the code, data, resources and other information of the executable. Each section has a header and a body (raw data: data that has not yet been processed or formatted, sorted, edited, or re-presented in a form that is easy to retrieve and analyze). The section headers are contained in the section table, but the section bodies do not have a rigid file structure. They can be organized in almost any way a linker chooses, provided the header is filled in with enough information to decode the data. An application on Windows NT can have 9 predefined sections named .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others define further sections to suit their own particular requirements.

Executable Code Section :

On Windows NT all code segments are gathered into a single section called .text or CODE. Since Windows NT uses a page-based virtual memory management system, having one large code section is easier to manage, both for the operating system and for the application developer. This section also contains the entry point mentioned above, and the jump thunk table that points into the IAT (see the import theory part).

Data Sections :

The .bss section represents the uninitialized data of the application, including all variables declared static within a function or source module. The .rdata section represents read-only data, such as strings, constants and debug directory information. All other variables (except automatic variables, which only appear on the stack) are stored in the .data section. These are the application or module global variables.

Resources Section :

The .rsrc section contains the resource information for a module. The first 16 bytes comprise a header like the other sections, but this section's data is further structured into a resource tree and is best viewed using a resource editor. A well-known one is ResHacker, a free program that allows you to edit, add, delete, replace and copy resources:

This is a very powerful program for cracking purposes, and it quickly displays the dialog boxes, including those containing wrong-registration details and nag screens. A shareware application can often be cracked simply by deleting the nag-screen dialog resource in ResHacker.

Export Data Section :

The .edata section contains the Export Directory for an application or DLL. When present, this section holds information about the names and addresses of the exported functions. We will return to this later; it is a very important topic.

Import Data Section :

The .idata section contains various information about the imported functions, including the Import Directory and the Import Address Table. We will also return to this later.

Debug Information Section :

Debug information is initially placed in the .debug section. The PE file format also supports separate debug files (normally identified by a .dbg extension) as a means of collecting debug information in a central location. The debug section contains the debug information, but the debug directories live in the .rdata section mentioned earlier. Each of those directories refers to debug information in the .debug section.

Base Relocations Section :

When the linker creates an EXE file, it makes an assumption about where the file will be mapped into memory. Based on this, the linker puts the real addresses of code and data items into the executable file. If for whatever reason the executable ends up being loaded somewhere else in the virtual address space, the addresses the linker plugged into the image are wrong. The information stored in the .reloc section allows the PE loader to fix these addresses in the loaded image so that they are correct again. On the other hand, if the loader is able to load the file at the base address assumed by the linker, the data in the .reloc section is not needed and is ignored. The entries in the .reloc section are called base relocations, since their use depends on the base address of the loaded image. Base relocations are simply a list of locations in the image that need a value added to them. The format of the base relocation data is somewhat complicated: the base relocation entries are packed in a series of variable-length chunks, each chunk describing the relocations for one 4KB page of the image.

Let us look at an example to understand how base relocations work. An executable is linked with a base address of 0x10000. At offset 0x2134 within the image there is a pointer containing the address of a string. The string starts at physical address 0x14002, so the pointer contains the value 0x14002. You then load the file, but the loader decides it needs to map the image starting at physical address 0x60000. The difference between the load address assumed by the linker and the actual load address is called the delta. In our example the delta is 0x50000 bytes higher in memory, and so is the string (now at 0x64002). The pointer to the string is no longer correct. The executable contains a base relocation for the memory location where the pointer to the string resides. To resolve a base relocation, the loader adds the delta value to the original value at the base relocation address. In our case the loader adds the delta 0x50000 to the original pointer value (0x14002) and stores the result (0x64002) back into the pointer's memory. The string really is at 0x64002 now, so everything is fine.
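The delta calculation above, as an added example that is not part of the original tutorial: the script below packs a base relocation entry in the IMAGE_BASE_RELOCATION block format (an 8-byte header per 4KB page giving the page RVA and block size, followed by 16-bit entries whose top 4 bits are the relocation type and low 12 bits the offset within the page), then applies the delta the way the loader does. The image buffer, the string at 0x14002 and the pointer at offset 0x2134 are constructed to match the walkthrough; build_reloc_section, parse_reloc_blocks, apply_relocations and relocated_pointer are this example's own names.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry, skipped by the loader
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit pointer: add the whole delta to it


def build_reloc_section(fixup_rvas):
    """Pack the RVAs that need fixing into one IMAGE_BASE_RELOCATION block per 4KB page."""
    pages = {}
    for rva in fixup_rvas:
        pages.setdefault(rva & ~0xFFF, []).append(rva & 0xFFF)
    out = b""
    for page_rva in sorted(pages):
        entries = [(IMAGE_REL_BASED_HIGHLOW << 12) | off for off in sorted(pages[page_rva])]
        if len(entries) % 2:                      # keep every block DWORD aligned
            entries.append(IMAGE_REL_BASED_ABSOLUTE << 12)
        out += struct.pack("<II", page_rva, 8 + 2 * len(entries))   # VirtualAddress, SizeOfBlock
        out += struct.pack("<%dH" % len(entries), *entries)
    return out


def parse_reloc_blocks(reloc):
    """Yield (page_rva, [(type, offset), ...]) for each variable-length block."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size = struct.unpack_from("<II", reloc, pos)
        if size < 8 or pos + size > len(reloc):
            raise ValueError("corrupt relocation block at %#x" % pos)
        words = struct.unpack_from("<%dH" % ((size - 8) // 2), reloc, pos + 8)
        yield page_rva, [(w >> 12, w & 0xFFF) for w in words]
        pos += size


def apply_relocations(image, reloc, linked_base, actual_base):
    """Return a copy of image with every HIGHLOW fixup adjusted by delta = actual - linked."""
    delta = actual_base - linked_base
    fixed = bytearray(image)
    if delta == 0:
        return fixed                              # loaded at the preferred base: .reloc is ignored
    for page_rva, entries in parse_reloc_blocks(reloc):
        for kind, off in entries:
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue
            if kind != IMAGE_REL_BASED_HIGHLOW:
                raise ValueError("unsupported relocation type %d" % kind)
            at = page_rva + off
            value = struct.unpack_from("<I", fixed, at)[0]
            struct.pack_into("<I", fixed, at, (value + delta) & 0xFFFFFFFF)
    return fixed


# Constructed image matching the walkthrough: linked at 0x10000, a string at
# VA 0x14002 (image offset 0x4002) and a pointer to it at image offset 0x2134.
LINKED_BASE = 0x10000
IMAGE = bytearray(0x5000)
IMAGE[0x4002:0x4008] = b"hello\0"
struct.pack_into("<I", IMAGE, 0x2134, LINKED_BASE + 0x4002)   # pointer = 0x14002
RELOC = build_reloc_section([0x2134])


def relocated_pointer(actual_base):
    """Value of the pointer at offset 0x2134 after loading the sample image at actual_base."""
    moved = apply_relocations(IMAGE, RELOC, LINKED_BASE, actual_base)
    return struct.unpack_from("<I", moved, 0x2134)[0]


if __name__ == "__main__":
    print("loaded at 0x10000: pointer = %#x" % relocated_pointer(0x10000))
    print("loaded at 0x60000: pointer = %#x" % relocated_pointer(0x60000))
```

The loader's work is the inner loop of apply_relocations: one addition per fixup, and nothing at all when the delta is zero. The parser refuses a block whose SizeOfBlock is smaller than its own header or runs past the end of the data, which is the usual sign of a damaged or deliberately malformed .reloc section.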


7. The Export Sections :

This section is of particular relevance to DLLs. The extract below from the Win32 Programmer's Reference explains why:

Functions can be exported by a DLL in two ways: by name, or by ordinal only. An ordinal, or index, is a 16-bit (WORD sized) number that uniquely identifies a function in a particular DLL. This number is unique only within the DLL it refers to. We will talk about exporting by ordinal later. If a function is exported by name, then when other DLLs or executables want to call it they use either the function's name or its ordinal in GetProcAddress, which returns the address of the function in its DLL. The Win32 Programmer's Reference explains further how GetProcAddress works (although in practice there is a lot of information about this function beyond the documents written by M$; other sources are covered later). Note the parts I have marked with coloured borders:


GetProcAddress can do this because the names and addresses of the exported functions are arranged in a well-defined structure in the Export Directory. We can find the Export Directory because we know it is the first member of the data directory, and its RVA is held at offset 78h from the start of the PE header (see the appendix). The export structure is called IMAGE_EXPORT_DIRECTORY. There are 11 members in this structure, but some of them are unimportant:


nName - The internal name of the module. This field is really necessary because the file name can be changed by the user. If that happens, the PE loader uses this internal name.

nBase - The starting ordinal number (this field is used to obtain the index into the address-of-function array, see below).

NumberOfFunctions - The total number of functions exported by the module.

NumberOfNames - The number of symbols exported by name. This value is not the number of all functions/symbols in the module; to get that number you need to check NumberOfFunctions. It can be 0, in which case the module may export by ordinal only. If no functions/symbols are exported at all, the RVA of the export table in the data directory will be 0.

AddressOfFunctions - An RVA pointing to an array of pointers to the functions in the module, the Export Address Table (EAT). To put it another way, the RVAs of the functions in the module are kept in an array and this field points to the head of that array.

AddressOfNames - An RVA pointing to an array of RVAs of the names of the functions stored in the module, the Export Name Table (ENT).

AddressOfNameOrdinals - An RVA pointing to an array of 16-bit values containing the ordinals of the named functions, the Export Ordinal Table (EOT).


So the IMAGE_EXPORT_DIRECTORY structure points to 3 arrays and a table of ASCII strings. The important array is the EAT, because it is an array of function pointers holding the addresses of the exported functions. The other two arrays (ENT and EOT) run in parallel, sorted in ascending order by function name, so that a binary search for a function's name can be performed and yields the ordinal of the found function in the other array. The ordinal is simply an index into the EAT for that function.

Because the EOT array exists as a link between names and addresses, it cannot contain more elements than the ENT array. For example, each name has one and only one corresponding address. The reverse is not true: one address may have many names corresponding to it. If there are functions with alias names that refer to the same address, the ENT will have more elements than the EOT.


For example, if a DLL exports 40 functions, it must have 40 entries in the array pointed to by AddressOfFunctions (EAT) and the NumberOfFunctions field must contain the value 40. To find a function from its name, the operating system (OS) first reads the values of NumberOfFunctions and NumberOfNames from the Export Directory. Next it walks the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) simultaneously, looking for the function name. If the name is found in the ENT, the value of the corresponding element in the EOT is extracted and used as the index into the EAT. For example, in our 40-function DLL above we want to find function X. If we find the name X (indirectly, through another pointer) at the 39th element of the ENT, we look at the 39th element of the EOT and find the value 5. Then we look at the 5th element of the EAT to find the RVA of function X. If you already have the ordinal of a function, you can find its address by going directly to the EAT. Although getting a function's address via its ordinal is much easier and faster than using its name, the disadvantage is that the module becomes harder to maintain. If the DLL is upgraded/updated and the ordinals of the functions change, other programs that depend on this DLL will break.

Exporting by Ordinal Only: NumberOfFunctions must be at least equal to NumberOfNames. However, in some cases NumberOfNames is less than NumberOfFunctions. When a function is exported by ordinal, it is not listed in either the ENT or the EOT; it has no name. The functions that have no name are the ones exported by ordinal. For example, if we have 70 functions but only 40 entries in the ENT, then 30 functions in the module are exported by ordinal. So how do we find out what those functions are? It is not easy. You have to find them by elimination: the entries in the EAT that are not referenced by the EOT contain the RVAs of the functions exported by ordinal. The programmer can specify the starting ordinal in a .def file. For example, the tables in the illustration above could start at 200. To avoid the need for 200 empty entries at the start of the array, the nBase member holds the starting value and the loader subtracts it from the ordinal to obtain the true index into the EAT.

Export Forwarding: Sometimes functions appear to be exported from a particular DLL, but in fact they live in a completely different DLL. This is called Export Forwarding. For example, in WinNT, Win2k and WinXP the kernel32.dll function HeapAlloc is forwarded to the RtlAllocHeap function exported by ntdll.dll. NTDLL.DLL also contains the native APIs that interface directly with the Windows kernel. Forwarding is done at link time through a special instruction in the .DEF file. Forwarding is a technique Microsoft uses to present a common set of APIs and hide the platform differences between the NT family of operating systems and the 9X family. Applications are not supposed to call functions in the native API set, since that would break compatibility between Win9x and 2K/XP. This may explain why packed executables that have been unpacked and had their import tables rebuilt by hand on one OS may not run on another OS, because the API forwarding scheme or some other detail has been changed. When a symbol (function) is forwarded, its RVA clearly cannot be a code or data address in the current module. Instead the EAT contains a pointer to an ASCII string of the DLL and function name to which it is forwarded. In the previous example this would be NTDLL.RtlAllocHeap.

So if the EAT entry for a function points to an address inside the Export Section (i.e. an ASCII string) instead of out of it into another DLL, you know the function is forwarded.
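To make the lookup path concrete, here is an added example (my code, not from the tutorial) that lays out a constructed IMAGE_EXPORT_DIRECTORY with ENT, EOT and EAT for a hypothetical DEMO.dll in a flat buffer where RVA equals buffer offset, then resolves by name, by ordinal (subtracting nBase), lists the ordinal-only exports by elimination, and detects a forwarder by checking whether the EAT entry points back inside the export directory's own range.

```python
import struct

# IMAGE_EXPORT_DIRECTORY (40 bytes): Characteristics, TimeDateStamp, MajorVersion,
# MinorVersion, nName, nBase, NumberOfFunctions, NumberOfNames, AddressOfFunctions,
# AddressOfNames, AddressOfNameOrdinals
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_KEYS = ("Characteristics", "TimeDateStamp", "MajorVersion", "MinorVersion",
                   "nName", "nBase", "NumberOfFunctions", "NumberOfNames",
                   "AddressOfFunctions", "AddressOfNames", "AddressOfNameOrdinals")


def build_sample_image():
    """Constructed sample image (not a real DLL) in which RVA == buffer offset.
    Exports of the hypothetical DEMO.dll, ordinal base 200:
      200 Alpha -> code at RVA 1000h, 201 Beta -> 1040h,
      202 (no name, ordinal only) -> 1080h,
      203 Gamma -> forwarded to NTDLL.RtlAllocHeap."""
    img = bytearray(0x3000)
    exp_rva, exp_size = 0x2000, 0x200          # export data directory RVA / size
    eat, ent, eot = 0x2040, 0x2050, 0x2060     # the three arrays
    strings = {0x2100: b"DEMO.dll", 0x2110: b"Alpha", 0x2120: b"Beta",
               0x2130: b"Gamma", 0x2140: b"NTDLL.RtlAllocHeap"}
    for rva, s in strings.items():
        img[rva:rva + len(s) + 1] = s + b"\0"
    struct.pack_into("<IIII", img, eat, 0x1000, 0x1040, 0x1080, 0x2140)  # EAT
    struct.pack_into("<III", img, ent, 0x2110, 0x2120, 0x2130)  # ENT, sorted ascending
    struct.pack_into("<HHH", img, eot, 0, 1, 3)                  # EOT: EAT index per name
    struct.pack_into(EXPORT_DIR_FMT, img, exp_rva, 0, 0, 0, 0,
                     0x2100, 200, 4, 3, eat, ent, eot)
    return img, exp_rva, exp_size


IMAGE, EXPORT_RVA, EXPORT_SIZE = build_sample_image()


def read_cstring(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def parse_export_directory(img, exp_rva):
    return dict(zip(EXPORT_DIR_KEYS, struct.unpack_from(EXPORT_DIR_FMT, img, exp_rva)))


def eat_entry(img, ed, index, exp_rva, exp_size):
    """Resolve an EAT index to ('code', rva) or ('forward', 'DLL.Function').
    A forwarded entry points back inside the export directory's own range."""
    rva = struct.unpack_from("<I", img, ed["AddressOfFunctions"] + 4 * index)[0]
    if exp_rva <= rva < exp_rva + exp_size:
        return ("forward", read_cstring(img, rva))
    return ("code", rva)


def resolve_by_name(img, exp_rva, exp_size, name):
    """Binary search the sorted ENT, then use the parallel EOT value as EAT index."""
    ed = parse_export_directory(img, exp_rva)
    lo, hi = 0, ed["NumberOfNames"] - 1
    while lo <= hi:
        mid = (lo + hi) // 2
        name_rva = struct.unpack_from("<I", img, ed["AddressOfNames"] + 4 * mid)[0]
        cur = read_cstring(img, name_rva)
        if cur == name:
            index = struct.unpack_from("<H", img, ed["AddressOfNameOrdinals"] + 2 * mid)[0]
            return eat_entry(img, ed, index, exp_rva, exp_size)
        if cur < name:
            lo = mid + 1
        else:
            hi = mid - 1
    return None


def resolve_by_ordinal(img, exp_rva, exp_size, ordinal):
    """Ordinal minus nBase is the EAT index; no name lookup is involved."""
    ed = parse_export_directory(img, exp_rva)
    index = ordinal - ed["nBase"]
    if not 0 <= index < ed["NumberOfFunctions"]:
        return None
    return eat_entry(img, ed, index, exp_rva, exp_size)


def ordinal_only_exports(img, exp_rva):
    """By elimination: EAT slots never referenced from the EOT are nameless exports."""
    ed = parse_export_directory(img, exp_rva)
    named = {struct.unpack_from("<H", img, ed["AddressOfNameOrdinals"] + 2 * i)[0]
             for i in range(ed["NumberOfNames"])}
    return [ed["nBase"] + i for i in range(ed["NumberOfFunctions"]) if i not in named]
```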

8. The Import Section: The Import Section (usually known as .idata) contains information about all the functions imported by the executable from DLLs. This information is stored in several data structures. The most important of these are the Import Directory and the Import Address Table, which we discuss next. Some executables may also contain Bound_Import and Delay_Import directories. The Delay_Import directory is not very important for us, but we will come back to the Bound_Import directory in a later section. The Windows loader is responsible for loading all the DLLs the application uses and mapping them into the process address space. It has to find the addresses of all the imported functions in their various DLLs and make them available to the executable being loaded. The addresses of functions inside a DLL are not static; they change when updated versions of the DLL are released, so applications cannot be built using hardcoded function addresses. Because of this a mechanism was developed that allows these changes without requiring numerous modifications to the executable's code at run time. This is achieved through the use of an Import Address Table (IAT). This is a table of pointers to the function addresses, which is filled in by the Windows loader as the DLLs are loaded. By using a table of pointers, the loader does not need to change the addresses of the imported functions everywhere in the code where they are called. All it has to do is put the correct address into a single place in the import table and its job is done.

The Import Directory: The Import Directory is actually an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and contains information about one DLL from which our PE file imports functions. For example, if our PE file imports functions from 10 different DLLs, there will be 10 IMAGE_IMPORT_DESCRIPTOR structures in this array. There is no field that tells us the number of structures in the array; instead, the last structure has all its fields filled with zeros. As with the Export Directory, you can find where the Import Directory is by looking at the Data Directory (80h bytes from the start of the PE header). Of its members, the first and the last are the most important:


The first member, OriginalFirstThunk, is a DWORD union which at one time was a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field actually contains the RVA of an array of IMAGE_THUNK_DATA structures. [Incidentally, the word union mentioned above is simply a redefinition of the same place in memory. The union above does not contain 2 DWORDs but only one, which can hold either the OriginalFirstThunk data or the Characteristics data.] The next member is TimeDateStamp, which is set to 0 unless the executable is bound, in which case it contains -1 (see below). The next member, ForwarderChain, was used for old-style binding and will not be discussed here. The Name1 member contains a pointer (RVA) to the ASCII name string of the DLL. The last member is FirstThunk, which also contains the RVA of an array of IMAGE_THUNK_DATA structures, a copy of the first array. If the function is described as a bound import (see below) then FirstThunk contains the actual address of the function rather than an RVA to an IMAGE_THUNK_DATA. These structures are defined as follows:

Each IMAGE_THUNK_DATA is a DWORD union which in practice holds only one of two values. On disk it contains either the ordinal of the imported function or an RVA to an IMAGE_IMPORT_BY_NAME structure. Once loaded, the structures pointed to by FirstThunk are overwritten with the addresses of the imported functions; this becomes the Import Address Table. Each IMAGE_IMPORT_BY_NAME structure is defined as illustrated below:

Hint: Contains the index into the Export Address Table of the DLL in which the function resides. This field is used by the PE loader so that it can look the function up in the DLL's Export Address Table quickly. The name at that index is tried first, and if it does not match, a binary search is performed to find the name. Usually this value is not required and some linkers set it to 0.
Name1: Contains the name of the imported function. The name is a null-terminated ASCII string. Note that the size of Name1 is defined as one byte but in practice it is a variable-size field, since there is no way to represent a variable-size field in a structure. The structure is provided so that you can refer to it by descriptive names. The most important parts are the imported DLL names and the arrays of IMAGE_THUNK_DATA structures. Each IMAGE_THUNK_DATA structure corresponds to one function imported from the DLL. The arrays pointed to by OriginalFirstThunk and FirstThunk run in parallel and are terminated by a null DWORD. There is one pair of IMAGE_THUNK_DATA arrays for each imported DLL. To put it another way, there are several IMAGE_IMPORT_BY_NAME structures. You create two arrays, then fill both with the RVAs of the IMAGE_IMPORT_BY_NAME structures, so that both arrays contain exactly the same values. Now you can assign the RVA of the first array to OriginalFirstThunk and the RVA of the second array to FirstThunk. The number of elements in the OriginalFirstThunk and FirstThunk arrays depends on the number of functions imported from the DLL. For example, if the PE file imports 10 functions from user32.dll, then the Name1 member of the IMAGE_IMPORT_DESCRIPTOR contains the RVA of the string "user32.dll" and there are 10 IMAGE_THUNK_DATA in each array. The two parallel arrays have been called by various names, but the most common are Import Address Table (for the one pointed to by FirstThunk) and Import Name Table or Import Lookup Table (for the one pointed to by OriginalFirstThunk). Why are there two identical arrays of pointers to IMAGE_IMPORT_BY_NAME structures? The Import Name Table is left intact and never modified. The Import Address Table is overwritten with the actual function addresses by the loader. The loader iterates through each pointer and finds the address of the function each structure refers to. It then overwrites the pointer to the IMAGE_IMPORT_BY_NAME with the address of the function. The arrays of RVAs in the Import Name Table remain unchanged, so that if the names of the imported functions need to be found, the PE loader can still find them. Although the IAT is pointed to by entry number 12 in the Data Directory, some linkers do not set this directory entry and the application still runs. The loader only uses it to temporarily mark the IAT as read-write during import resolution and can resolve the imports without it. This is how the Windows loader can overwrite the IAT when it resides in a read-only section. At load time the system temporarily sets the attributes of the pages containing the import data to read/write. Once the import table is initialised, the pages are set back to their original protection attributes.


Calls to imported functions take place through a function pointer in the IAT. For example, imagine that address 00405030 refers to an entry in the FirstThunk array which has been overwritten by the loader with the address of GetMessage in USER32.DLL. The efficient way to call GetMessage looks like this:

0040100C CALL DWORD PTR [00405030]

The less efficient way is:

0040100C CALL [00402200]
.......
.......
00402200 JMP DWORD PTR [00405030]

The second method achieves the same result but uses 5 extra bytes of code and takes longer to execute because of the extra jump. Why are calls to imported functions done this way? The compiler cannot distinguish between ordinary function calls within the same module and calls to imported functions, and produces the same output for both: CALL [XXXXXXXX]. Here XXXXXXXX must be an actual code address (not a pointer) that is filled in later by the linker. The linker does not know the address of the imported function and so has to supply a substitute piece of code, the jump stub seen above. The optimised way is to use the _declspec(dllimport) modifier to tell the compiler that the function resides inside a DLL. This results in CALL DWORD PTR [XXXXXXXX].


If _declspec(dllimport) is not used when compiling an executable, there will be a large collection of jump stubs for the imported functions, located together somewhere in the code section. This is known by various names such as "transfer area", "trampoline" or "jump thunk table".

Functions Exported by Ordinal Only: As we discussed in the section on the Export section, some functions are exported by ordinal. In this case there is no IMAGE_IMPORT_BY_NAME structure for the function in the caller's module. Instead, the IMAGE_THUNK_DATA for the function contains the ordinal of the function. Before the executable is loaded, you can tell whether an IMAGE_THUNK_DATA structure contains an ordinal or an RVA by examining the most significant bit (MSB), or high bit. If it is set, the lower 31 bits are treated as an ordinal value. If it is not set, the value is an RVA to an IMAGE_IMPORT_BY_NAME. Microsoft provides a handy constant for testing the MSB of a DWORD, IMAGE_ORDINAL_FLAG32. It has the value 80000000h. For example, if a function is exported by ordinal and its ordinal is 1234h, the IMAGE_THUNK_DATA for the function will be 80001234h.
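An added example (my code, not the tutorial's) that builds a constructed import directory for two hypothetical DLLs in a flat buffer where RVA equals buffer offset: one with both INT and IAT, the other Borland-style with OriginalFirstThunk = 0 and a by-ordinal thunk of 80001234h. parse_imports walks the descriptors to the all-zero terminator and decodes each thunk with IMAGE_ORDINAL_FLAG32, and snap_iat does what the loader does at load time, overwriting the IAT slots with addresses taken from a constructed export map.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
# IMAGE_IMPORT_DESCRIPTOR (20 bytes): OriginalFirstThunk, TimeDateStamp,
# ForwarderChain, Name1, FirstThunk
DESC_FMT = "<IIIII"


def build_sample_image():
    """Constructed sample (not a real executable) where RVA == buffer offset.
    kernel32.dll: INT at 3100h and IAT at 3200h, both naming DeleteCriticalSection
    and HeapAlloc. bar.dll: Borland style, OriginalFirstThunk = 0, IAT only at
    3300h, importing 'foo' by name and ordinal 1234h (thunk 80001234h)."""
    img = bytearray(0x4000)

    def put_cstr(rva, s):
        img[rva:rva + len(s) + 1] = s.encode() + b"\0"

    def put_import_by_name(rva, hint, name):   # IMAGE_IMPORT_BY_NAME: WORD Hint + name
        struct.pack_into("<H", img, rva, hint)
        put_cstr(rva + 2, name)

    put_cstr(0x3400, "kernel32.dll")
    put_cstr(0x3410, "bar.dll")
    put_import_by_name(0x3500, 0, "DeleteCriticalSection")
    put_import_by_name(0x3520, 0x1F, "HeapAlloc")
    put_import_by_name(0x3540, 0, "foo")
    for thunks in (0x3100, 0x3200):            # INT and IAT are identical on disk
        struct.pack_into("<III", img, thunks, 0x3500, 0x3520, 0)
    struct.pack_into("<III", img, 0x3300, 0x3540, IMAGE_ORDINAL_FLAG32 | 0x1234, 0)
    struct.pack_into(DESC_FMT, img, 0x3000, 0x3100, 0, 0, 0x3400, 0x3200)
    struct.pack_into(DESC_FMT, img, 0x3014, 0, 0, 0, 0x3410, 0x3300)
    # the descriptor at 3028h stays all zero: end of the array
    return img, 0x3000


def read_cstring(img, rva):
    return img[rva:img.index(b"\0", rva)].decode("ascii")


def read_dword(img, rva):
    return struct.unpack_from("<I", img, rva)[0]


def decode_thunk(img, thunk):
    """On disk a thunk is an ordinal (MSB set) or an RVA to IMAGE_IMPORT_BY_NAME."""
    if thunk & IMAGE_ORDINAL_FLAG32:
        return ("ordinal", thunk & 0xFFFF)
    hint = struct.unpack_from("<H", img, thunk)[0]
    return ("name", hint, read_cstring(img, thunk + 2))


def parse_imports(img, dir_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array up to the all-zero terminator.
    Returns one dict per DLL; each entry is (iat_slot_rva, kind, ...)."""
    modules = []
    for off in range(dir_rva, len(img) - 19, 20):
        desc = struct.unpack_from(DESC_FMT, img, off)
        if desc == (0, 0, 0, 0, 0):
            break
        oft, stamp, _fwd, name_rva, ft = desc
        lookup = oft or ft     # no INT (Borland linkers): the IAT copy is all there is
        entries, i = [], 0
        while True:
            thunk = read_dword(img, lookup + 4 * i)
            if thunk == 0:
                break
            entries.append((ft + 4 * i,) + decode_thunk(img, thunk))
            i += 1
        modules.append({"dll": read_cstring(img, name_rva),
                        "bound": stamp == 0xFFFFFFFF, "entries": entries})
    return modules


def snap_iat(img, dir_rva, exports):
    """Mimic the loader: overwrite every IAT slot with the resolved address.
    exports is a constructed map dll -> {function name or ordinal: address}."""
    resolved = {}
    for mod in parse_imports(img, dir_rva):
        table = exports[mod["dll"].lower()]
        for slot, _kind, *rest in mod["entries"]:
            addr = table[rest[-1]]   # the name for 'name' entries, the number for 'ordinal'
            struct.pack_into("<I", img, slot, addr)
            resolved[slot] = addr
    return resolved
```

After snap_iat the bar.dll IAT no longer decodes as thunks, which is exactly why a dumped Borland executable with no INT is hard to rebuild.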

Bound Imports: When the loader loads a PE file into memory, it examines the import table and loads the required DLLs into the process address space. Then it walks the array pointed to by FirstThunk and replaces the IMAGE_THUNK_DATA with the actual addresses of the imported functions. This stage takes a fair amount of time. If for some reason the programmer could predict the addresses of the functions exactly, the PE loader would not have to fix up the IMAGE_THUNK_DATA every time the PE file is executed, since the correct addresses would already be there. Binding is the product of this idea. There is a utility named bind.exe supplied with Microsoft's compilers which examines the IAT (the FirstThunk array) of a PE file and replaces the IMAGE_THUNK_DATA DWORDs with the addresses of the imported functions. When the file is loaded, the PE loader must check whether the addresses are still valid. If the version of the DLL does not match the one recorded in the PE file, or if the DLLs had to be relocated, the PE loader knows that the bound addresses are stale and walks the Import Name Table (the OriginalFirstThunk array) to calculate the new addresses. So although the INT is not required for an executable to load, if it is not present the executable cannot be bound. For a long time Borland's linker TLINK did not create an INT, so files produced by Borland could not be bound. We will see another important consequence of a missing INT in the following sections.

The Bound_Import_Directory: The information the loader uses to determine whether the bound addresses are valid is kept in an IMAGE_BOUND_IMPORT_DESCRIPTOR structure. A bound executable contains a list of these structures, one for each imported DLL that has been bound:


The TimeDateStamp member must match the TimeDateStamp in the exporting DLL's header. If it does not match, the loader assumes the binary was bound to the wrong DLL and resolves the import list again. This can happen if the version of the exporting DLL does not match or if it had to be relocated in memory. The OffsetModuleName member contains the offset (not an RVA) from the first IMAGE_BOUND_IMPORT_DESCRIPTOR to the name of the DLL in null-terminated ASCII. The NumberOfModuleForwarderRefs member contains the number of IMAGE_BOUND_FORWARDER_REF structures that immediately follow this structure. That structure is defined as follows:

As you can see it is identical to the structure above, except that the last member is reserved in all cases. The reason the two structures are similar is that when binding to a function that is forwarded to another DLL, the validity of the forwarded DLL must also be checked at load time. IMAGE_BOUND_FORWARDER_REF holds the details of the forwarded DLLs. For example, the HeapAlloc function in kernel32.dll is forwarded to RtlAllocateHeap in ntdll.dll. If we create an application that imports HeapAlloc and run bind.exe on it, there will be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll followed by an IMAGE_BOUND_FORWARDER_REF for ntdll.dll. Note: the names of the functions themselves are not included in these structures, since the loader already knows which functions are bound from the IMAGE_IMPORT_DESCRIPTOR (see above).

9. The Windows Loader: This section is not essential, but is for those who want to study the workings of the operating system (OS) in more depth.

What The Loader Does: When an executable runs, the Windows loader creates a virtual address space for the process and maps the executable module from disk into the process's address space. It tries to load the image at the preferred base address and maps the sections into memory. The loader examines the section table and maps each section to the address calculated by adding the section's RVA to the base address. The page attributes are set according to the section's characteristics. After mapping the sections into memory, the loader performs relocations if the load address is not equal to the preferred base address in ImageBase. The import table is then examined and any required DLLs are mapped into the process's address space. After all the DLL modules have been located and mapped in, the loader examines each DLL's export section and the IAT is fixed up to point to the actual addresses of the imported functions.

If a symbol does not exist (a very rare case), the loader reports an error. Once all the required modules have been loaded, execution is transferred to the application's entry point. The part of most interest in RCE is the loading of the DLLs and the resolving of imports. This process is complicated by the many internal (forwarded) functions and routines concentrated in ntdll.dll which are not documented by Micro$oft. As we said earlier, function forwarding is a way for M$ to expose a common, familiar set of Win32 APIs and hide the low-level functions that may differ from one version of the OS to another. Many familiar kernel32 functions such as GetProcAddress are simply wrappers around ntdll.dll exports such as LdrGetProcAddress (which does the real work). To see this clearly you need to install Windbg and the Windows Symbol Package (provided by M$) or a kernel-mode debugger like SoftIce. You can only see these functions in Olly if you configure Olly to use the M$ symbol server; otherwise all you will see are pointers and memory addresses without function names. However, Olly is a user-mode debugger and will only show you what happens once your application has been loaded; it will not let you observe the loading process. Although Windbg's features are limited and cannot compare with Olly, it is well integrated with the OS and will show us the loading process:

As you can see, many APIs are involved in loading an executable, all centred on the LoadLibraryExW function in kernel32.dll, which in turn leads to the internal function LdrpLoadDll in ntdll.dll. This function directly calls 6 further subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which perform the following tasks:
1. Check whether the module is already loaded.
2. Map the module and its supporting information into memory.
3. Walk the module's import descriptor table (find other modules this one is importing).
4. Update the module's load count as well as any others brought in by this DLL.
5. Initialise the module.
6. Clear some sort of flag, indicating that the load has finished.

A DLL may import other modules, which starts a further cascade of library loading. The loader needs to iterate through every module from beginning to end, checking whether it still needs to be loaded and then checking its dependencies. That is where LdrpWalkImportDescriptor comes in. LdrpWalkImportDescriptor has two subroutines: LdrpLoadImportModule and LdrpSnapIAT. It begins with two calls to RtlImageDirectoryEntryToData to locate the Bound Import Descriptor and Import Descriptor tables. Note that the loader checks for bound imports first; an executable with no import directory may still have bound imports instead. Next LdrpLoadImportModule builds a Unicode string for each DLL found in the Import Directory and hands it to LdrpCheckForLoadedDll to find out if they have already been loaded. Then the LdrpSnapIAT routine checks each DLL referenced in the Import Directory for a value of -1 (i.e. it again checks for bound imports first). It then changes the memory protection of the IAT to PAGE_READWRITE and proceeds to check each entry in the IAT before passing it to the LdrpSnapThunk subroutine. LdrpSnapThunk uses the function's ordinal to determine its address and decides whether it has been forwarded or not. Otherwise it calls LdrpNameToOrdinal, which uses a binary search on the export table to determine the ordinal quickly. If the function is not found it returns STATUS_ENTRYPOINT_NOT_FOUND; otherwise it replaces the entry in the IAT with the API's entry point and returns to LdrpSnapIAT, which restores the memory protection it changed at the start of its work, calls NtFlushInstructionCache to force a cache refresh on the memory block containing the IAT, and then returns to LdrpWalkImportDescriptor. One particular difference between versions of Windows is that Win2k insists that ntdll.dll is loaded, either as a bound import or in the normal import directory, before it allows an executable to load, whereas Win9x or XP will allow an application with no imports at all to load. This short overview is greatly simplified but still illustrates how a call to LoadLibrary gives rise to a cascade of hidden internal subroutines which are deeply nested and recursive in places. The loader must check every imported API to calculate a real address in memory and to check whether it has been forwarded. Each imported DLL may bring in further modules and the process is repeated over and over again until all dependencies have been checked.

10. Navigating Imports: Navigating Imports on Disk: If you want to find information about a function imported from a DLL ("foo" from DLL "bar"), first find the RVA of the Import Directory from the Data Directory, locate that address in the raw section data, and now you have an array of IMAGE_IMPORT_DESCRIPTORs. Find the member of this array that relates to bar.dll by examining the strings pointed to by the Name field. When you find the right IMAGE_IMPORT_DESCRIPTOR, follow its FirstThunk and grab the pointer to the array of IMAGE_THUNK_DATAs, examine the RVAs carefully and look for the function "foo". Returning to our example in the hexeditor, we will find the location of the import table to see what we are looking for. As we said earlier, the RVA of the Import Directory is stored in the DWORD 80h bytes from the PE header, which in our example is at offset 180h, and the RVA is 2D000h (see the Data Directory section). Now we must convert the RVA to a raw offset to examine the right range of our file on disk. Check the Section Table to see which section the address of the Import Directory falls in. In our case the Import Directory begins at the start of the .idata section, and we know the section table stores the raw offset in the PointerToRawData DWORD. In our example the offset is 2AC00h (see the section table). Any PE editor will give us the result below. For example, using LordPE we get the following:

The difference between RVA and raw offset is 2D000h - 2AC00h = 2400h. Make a note of this because it will be useful for converting offsets. See the appendix for more information on converting RVAs. At offset 2AC00h we have the Import Directory, an array of IMAGE_IMPORT_DESCRIPTORs, each 20 bytes, repeated for each import library (DLL) until terminated by 20 bytes of 00h. In the hexeditor we see the following at 2AC00h:


Each group of 5 DWORDs represents one IMAGE_IMPORT_DESCRIPTOR. The first group shows that in this PE file the OriginalFirstThunk, TimeDateStamp and ForwarderChain members are set to 0. Finally we reach a group with all 5 DWORDs set to 0 (coloured in the picture), which tells us that this is the end of the array. We can see that we are importing functions from 8 DLLs.

Important note: the OriginalFirstThunk fields in our example are all set to 0. This is typical of executables created by Borland's compiler & linker and is worth remembering for a reason that will come up shortly. In a packed executable the FirstThunk pointers are invalidated, but they can sometimes be rebuilt by copying the OriginalFirstThunks (which many simple packers do not seem to bother removing). There is actually a useful tool called First_Thunk Rebuilder by Lunar_Dust which does exactly this. However, with Borland-created files this is not possible because the OriginalFirstThunks are all zero and there is no INT:

Returning to our example above, the Name1 field of the first IMAGE_IMPORT_DESCRIPTOR contains RVA 00 02 D5 30h (NB reverse byte order). Convert this to a raw offset by subtracting 2400h (as noted above) and we get 2B130h. If we look there in our PE file we see the name of the DLL:


Continuing, the FirstThunk field contains RVA 00 02 D0 B4h, which after conversion gives raw offset 2ACB4h. Remember that this is the offset of the array of DWORD-sized IMAGE_THUNK_DATA structures, the IAT. Each will either have its most significant bit set (it will start with 8) and the lower part will contain the ordinal of the imported function, or, if the MSB is not set, it will contain another RVA to the name of the function (IMAGE_IMPORT_BY_NAME). In our file the DWORD value at 2ACB4h is 00 02 D5 3E:

This is another RVA, which converts to raw offset 2B13E. At this point there will be a null-terminated ASCII string, as we see below:

So the name of the first API imported from kernel32.dll is DeleteCriticalSection. You may notice the 2 zero bytes before the function name. That is the Hint element, which is usually set to 00 00. All of this can be verified with PEBrowse Pro by analysing the IAT, as illustrated below:


If the file is loaded into memory, dumped and examined in the hexeditor, the DWORD value at RVA 2D0B4h, which contained 3E D5 02 00 on disk, will have been overwritten by the loader with the address of DeleteCriticalSection in kernel32.dll:

Allowing for reverse byte order this is 7C91188A.

Important note: functions in system DLLs always tend to start at address 7XXXXXXX and are at the same place every time a program is loaded. However, they tend to change if you reinstall your OS, and they differ from one computer to another:

The addresses also differ between operating systems, for example:


Windows Update also occasionally changes the base location of system DLLs. This is why some people take the time to note the location of the famous point-h breakpoint on their own system (it is prone to change unexpectedly since it is in a function inside user32.dll).

Navigating Imports in Memory: Load our file into Olly and once again look at the Memory Map window:

Note that the address of the .idata section is 42D000, corresponding to RVA 2D000 as we said earlier. The size has been rounded up to 2000 to fit the memory page boundaries. Olly's main CPU window shows us the addresses of the CODE section (from 401000 to 42AFFF). You can also examine the IAT in the disassembly window if it lies in the CODE section. In most cases it will be in its own section, e.g. .idata, but you can view it in Olly's hex-dump window by right-clicking it and choosing Dump in CPU. The Names window (press Ctrl+N) shows us the imported functions:

Right-clicking any function and then choosing Find References to Import shows you the jump thunk stub and the instances in the code where the function is called (only 1 in our case):

Note: in the Comment column you will see that Olly identifies that DeleteCriticalSection in kernel32.dll is actually forwarded to RtlDeleteCriticalSection in ntdll.dll (see the explanation of Export Forwarding). Continuing, right-click and choose Follow Import in Disassembler and Olly shows us the address in the appropriate DLL where the function's code begins. For example, it begins at 7C91188A in ntdll.DLL:


If we look at the call to DeleteCriticalSection at 00401B12 we see the following:

As you can see in the illustration there is a "CALL 00401314" instruction, but Olly substitutes the function name for us. 401314 is the address of the jmp stub pointing to the IAT. Note that it is part of a jmp thunk table as mentioned earlier:

Here we see the jump instruction "JMP DWORD PTR DS:[0042D0B4]", but once again Olly substitutes the symbolic name for us. Address 0042D0B4 contains the Image_Thunk_Data structure in the IAT which has been overwritten by the loader with the actual address of the function in kernel32.DLL: 7C91188A. That is what we found by right-clicking and selecting Follow Import in Disassembler, and also from the dumped file above.


11. Adding Code to a PE File: Adding code to a PE file is something you need not only to crack a protection scheme but also to add functionality to a PE file. There are 3 main ways to add code to an executable:
1. Add it to an existing section when there is room for your code.
2. Enlarge an existing section when there is no room.
3. Add a completely new section.

Adding to an existing section: We need a section in the file that is mapped with execute permission in memory, so the simplest is to work with the CODE section. Then we need an area of 00-byte padding within this section. Such areas are commonly called caves. To find a cave that fits what we need, we look at the CODE section. The details from LordPE:

In the illustration above we see that VirtualSize is smaller than SizeOfRawData. The virtual size represents the amount of actual code. The raw data size defines the amount of space used by the file on your hard disk. Note that the virtual size in this case is smaller than the size on disk. This is because compilers often round the size up to align a section on some boundary. In the hexeditor, looking at the end of the CODE section (before the DATA section, which begins at 2A400h), we see the following:


This extra space is completely unused and is not mapped into memory. We need to make sure that the instructions we put in this space will be loaded into memory. We do this by editing the size attribute. Right now the virtual size of this section is 29E88, which is all the compiler needed. We need to increase it a little, so in LordPE we change the virtual size of the CODE section to 29FFF, the largest value we can use (the whole raw size is only 2A000). To do this, right-click the CODE row, choose edit header, make the change above and save. Once this is done we have a suitable space to hold our patch code. The only thing we have changed is the VirtualSize DWORD for the CODE section in the Section Table. We could also do this by hand in the hexeditor. To illustrate further we will add to our example program a small piece of ASM that takes control at the entry point and then returns execution to the OriginalEntryPoint. All of this is done with Ollydbg. First, in LordPE the EntryPoint is 0002ADB4 and the ImageBase is 400000. When we load the program into Olly the EP will be 0042ADB4. We will add the following lines and then change the entry point to the first line of the code:

MOV EAX,0042ADB4 ; Load in EAX the Original Entry Point (OEP)
JMP EAX ; Jump to OEP

We will put the instructions above at address 0002A300h as seen in the hexeditor. To convert this raw offset to an RVA for use in Olly we use the following formula (see the appendix): RVA = raw offset - raw offset of section + virtual offset of section + ImageBase = 2A300h - 400h + 1000h + 400000h = 42AF00h.

Then we load the program into Olly and jump to our target location (press Ctrl+G and type the value calculated above, 42AF00h). Once there, press Space, type the first line of the code above and press Assemble. Then do the same with the second line. We get something like the illustration below:

Next right-click and choose Copy to executable and All modifications. Then choose Copy all and a new window appears. In this new window right-click again and choose Save file, etc. Now we return to LordPE (or the hexeditor) and change the EntryPoint to 0002AF00 (ImageBase subtracted), choose Save and click OK. We run the program to check it and reopen it in Olly to see our new EntryPoint. In the hexeditor we see the following; note the highlighted part:

Although this is only a tiny patch, we have room for 386 bytes of new code.

Enlarging an Existing Section: If there is no space at the end of the .text section then we need to enlarge it. This raises some problems:
1. If the section is followed by other sections, you will need to move the following sections along to make room.
2. There are many different references inside the file headers that will need adjusting if you change the size of the file.
3. References between different sections (for example references to data values from the code section) will need to be adjusted. In practice this is almost impossible without re-compiling and re-linking the original file.
Most of the problems above can be avoided by appending to the last section in the exe file. It does not matter what the section is if we can change it to suit our needs by altering the Characteristics field in the Section Table by hand or with LordPE. First we find the last section and change it so that it is readable and executable. As we said above, the code section is ideal for a patch because its characteristics flags are 60000020, meaning the section is code, executable and readable (see the appendix). However, if we put code and data into this section we will get a page fault because it is not writeable. To change this we need to add the flag 80000000, which gives us a new value of E0000020 for code, executable, readable and writeable. Similarly, if the last section is .reloc the flags are usually 42000040 for initialized data, discardable and read-only. To be able to use this section we must add code, executable and writeable, and subtract discardable to make sure the loader maps this section into memory. This gives us a new value of E0000060. All of the above can be done by hand by adding up the flags and editing the Characteristics field of the section header with a hexeditor or LordPE. In our example the last section is the resources:


This gives us a final Characteristics value of F0000060. As the picture above shows, the RawSize (on disk) of this section is 8E00h bytes, and all of it appears to be in use (the VirtualSize is identical). Now we edit both of them and add 100h bytes to each to enlarge the section; the new value is 8F00h. A few other important values also need changing. The SizeOfImage field in the PE header must be increased by the same amount we enlarged the section by, 100h, so SizeOfImage changes from 0003CE00h to 0003CF00h. Two other fields are not shown in LordPE because they are less important: SizeOfCode and SizeOfInitialisedData in the Optional Header. The application will still run without them being corrected, but you should probably change them for completeness. We have to change them by hand: both are DWORDs at offsets 1C and 20 from the start of the PE header (see the appendix).


The values 0002A000 and 0000DE00 are at the positions marked in the picture. When we add 100h to them they become 0002A100 and 0000DF00. Then we reverse the byte order of those values to 00 A1 02 00 and 00 00 DF 00. Finally, copy and paste 100h of 00 bytes (16 rows in the hex editor) onto the end of the section and save the changes. Run the file to check for errors.

Adding a New Section

In some situations you may need to create a copy of an existing section to defeat self-checking procedures (e.g. SafeDisk), or to create a new section to hold code when proprietary information is appended to the end of the file (as in Delphi-compiled apps). The first task is to find the NumberOfSections field in the PE header and increase it by 1. As noted in earlier sections, almost every change can be made with LordPE or by hand in a hex editor. Now, in your hex editor, copy and paste 100h of 00 bytes (16 rows) onto the end of the file and note the offset of the first new row. In our case it is 00038200h. This is where our new section will start, and it goes into the RawOffset field of the Section Header. While we are here it is a good time to increase SizeOfImage by 100h as we did before. Next we look at the section headers, which start at offset F8 from the PE header. It is not necessary for these to be terminated by a header full of zeros. The number of headers is given by NumberOfSections, and there is usually some space at the end before the sections themselves begin (aligned to the FileAlignment value). Find the last section header and add a new one after it:

The next thing to do is decide what the Virtual Offset/Virtual Size/Raw Offset and Raw Size should be. To decide this we look at the following values:
Virtual offset of formerly last section (.rsrc): 34000h
Virtual size of formerly last section (.rsrc): 8E00h
Raw offset of formerly last section (.rsrc): 2F400h
Raw size of formerly last section (.rsrc): 8E00h
Section Alignment: 1000h
File Alignment: 200h


The RVA and raw offset of our new section must be aligned to the boundaries above. The raw offset of the section is 00038200h as noted above (which luckily fits with FileAlignment). To get the Virtual Offset of our section we calculate: VirtualAddress of .rsrc + VirtualSize of .rsrc = 3CE00h. Since our SectionAlignment is 1000h we must round this up to the next multiple of 1000h, i.e. 3D000h. So we fill in our section header:
The first 8 bytes are Name1 (max. 8 chars), e.g. "NEW" will be 4E 45 57 00 00 00 00 00 (byte order not reversed)
The next DWORD is VirtualSize = 100h (with reverse byte order = 00 01 00 00)
The next DWORD is VirtualAddress = 3D000h (with reverse byte order = 00 D0 03 00)
The next DWORD is SizeOfRawData = 100h (with reverse byte order = 00 01 00 00)
The next DWORD is PointerToRawData = 38200h (with reverse byte order = 00 82 03 00)
The next 12 bytes can be left null
The final DWORD is Characteristics = E0000060 (for code, executable, read and write as discussed above)
In the hex editor we see the following:

Save the changes, run the program and check it in LordPE:
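As an added example (not code from the tutorial, nor from LordPE or any other tool it mentions), the following Python script performs both of the edits described above, enlarging the last section and then adding a new section, on a constructed minimal 32-bit PE image that it builds in memory. The header offsets it uses are the ones in the appendix (e_lfanew at 3C, NumberOfSections at PE+06, SizeOfCode and SizeOfInitializedData at PE+1C and PE+20, SizeOfImage at PE+50, section table at PE+F8); struct handles the little-endian byte order, so nothing has to be reversed by hand. The sample image, its section names, sizes and addresses are all constructed for the example. One deliberate difference from the manual 100h bump in the text: SizeOfImage is recomputed from the section table and rounded up to SectionAlignment, which is the form the PE specification asks for.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"             # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR)
# IMAGE_SCN_* characteristics flags that make up the E0000060 value used in the text
SCN_CNT_CODE, SCN_MEM_DISCARDABLE = 0x00000020, 0x02000000
SCN_MEM_EXECUTE, SCN_MEM_READ, SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
# Optional-header field offsets, relative to the start of the optional header (PE+18)
OPT_SIZE_OF_CODE, OPT_SIZE_OF_INIT_DATA = 0x04, 0x08
OPT_SECTION_ALIGN, OPT_FILE_ALIGN, OPT_SIZE_OF_IMAGE, OPT_SIZE_OF_HEADERS = 0x20, 0x24, 0x38, 0x3C


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def build_sample_pe():
    """Constructed minimal 32-bit PE (not the tutorial's target): DOS header, PE header,
    200h bytes of headers, then a .text and a .rsrc section of 200h bytes each."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    file_hdr = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<HBB", opt, 0x00, 0x10B, 6, 0)              # Magic, linker version
    struct.pack_into("<III", opt, 0x04, 0x200, 0x200, 0)          # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
    struct.pack_into("<III", opt, 0x10, 0x1000, 0x1000, 0x2000)   # AddressOfEntryPoint, BaseOfCode, BaseOfData
    struct.pack_into("<III", opt, 0x1C, 0x400000, 0x1000, 0x200)  # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<II", opt, 0x38, 0x3000, 0x200)             # SizeOfImage, SizeOfHeaders
    struct.pack_into("<HH", opt, 0x44, 2, 0)                      # Subsystem (GUI), DllCharacteristics
    struct.pack_into("<I", opt, 0x5C, 16)                         # NumberOfRvaAndSizes
    sections = struct.pack(SECTION_HDR, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_HDR, b".rsrc", 0x200, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0x40000040)
    headers = (dos + file_hdr + opt + sections).ljust(0x200, b"\0")
    return bytearray(headers + b"\xC3" * 0x200 + b"\xAA" * 0x200)  # .text payload, then .rsrc payload


def locate(pe):
    """Return (pe_hdr_off, opt_hdr_off, number_of_sections, section_table_off)."""
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, = struct.unpack_from("<H", pe, pe_off + 6)
    opt_size, = struct.unpack_from("<H", pe, pe_off + 20)
    return pe_off, pe_off + 24, nsec, pe_off + 24 + opt_size


def opt_dword(pe, field):
    return struct.unpack_from("<I", pe, locate(pe)[1] + field)[0]


def set_opt_dword(pe, field, value):
    struct.pack_into("<I", pe, locate(pe)[1] + field, value)


def read_section(pe, index):
    """Fields: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ..., Characteristics."""
    return list(struct.unpack_from(SECTION_HDR, pe, locate(pe)[3] + index * SECTION_HDR_LEN))


def write_section(pe, index, fields):
    struct.pack_into(SECTION_HDR, pe, locate(pe)[3] + index * SECTION_HDR_LEN, *fields)


def fix_size_of_image(pe):
    """SizeOfImage = end of the highest section, rounded up to SectionAlignment."""
    end = max(s[2] + s[1] for s in (read_section(pe, i) for i in range(locate(pe)[2])))
    set_opt_dword(pe, OPT_SIZE_OF_IMAGE, align_up(end, opt_dword(pe, OPT_SECTION_ALIGN)))


def enlarge_last_section(pe, extra):
    """Append `extra` zero bytes to the last section (which must also end the file) and
    give it the code/execute/read/write flags from the text, clearing discardable."""
    nsec = locate(pe)[2]
    s = read_section(pe, nsec - 1)
    if s[4] + s[3] != len(pe):
        raise ValueError("last section does not end the file")
    s[1] += extra                                   # VirtualSize
    s[3] += extra                                   # SizeOfRawData
    s[9] = (s[9] | SCN_CNT_CODE | SCN_MEM_EXECUTE | SCN_MEM_READ | SCN_MEM_WRITE) & ~SCN_MEM_DISCARDABLE
    write_section(pe, nsec - 1, s)
    for field in (OPT_SIZE_OF_CODE, OPT_SIZE_OF_INIT_DATA):
        set_opt_dword(pe, field, opt_dword(pe, field) + extra)
    pe.extend(b"\0" * extra)
    fix_size_of_image(pe)
    return pe


def add_section(pe, name, size, characteristics=0xE0000060):
    """Append a zero-filled section to the end of the file and write its header after
    the last existing one, as the text does for the "NEW" section."""
    pe_off, opt, nsec, table = locate(pe)
    if table + (nsec + 1) * SECTION_HDR_LEN > opt_dword(pe, OPT_SIZE_OF_HEADERS):
        raise ValueError("no room for another section header")
    last = read_section(pe, nsec - 1)
    raw_off = align_up(len(pe), opt_dword(pe, OPT_FILE_ALIGN))
    va = align_up(last[2] + last[1], opt_dword(pe, OPT_SECTION_ALIGN))
    pe.extend(b"\0" * (raw_off - len(pe) + size))
    struct.pack_into("<H", pe, pe_off + 6, nsec + 1)   # NumberOfSections
    write_section(pe, nsec, [name.encode("ascii")[:8], size, va, size, raw_off, 0, 0, 0, 0, characteristics])
    fix_size_of_image(pe)
    return pe


if __name__ == "__main__":
    pe = build_sample_pe()
    enlarge_last_section(pe, 0x100)
    add_section(pe, "NEW", 0x100)
    for i in range(locate(pe)[2]):
        n, vsize, va, rawsize, rawoff, *_, flags = read_section(pe, i)
        name = n.rstrip(b"\0").decode()
        print(f"{name:8} VA={va:06X} VSize={vsize:05X} Raw={rawoff:06X} RawSize={rawsize:05X} Flags={flags:08X}")
    print(f"SizeOfImage={opt_dword(pe, OPT_SIZE_OF_IMAGE):06X} file size={len(pe):X}")
```

Run as a script it prints the section table after both edits. Both functions refuse to work when their precondition fails (a last section that does not end the file, or no room left for another header before SizeOfHeaders), which are exactly the two cases where the manual procedure in the text silently corrupts the file.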


12. Adding Imports to an Executable

This method is most often needed when patching an app in which the API functions we need are not available. Besides adding a new section, the minimum information the loader requires to create a valid IAT is:
1. Each DLL must be declared with an IMAGE_IMPORT_DESCRIPTOR (IID); remember to terminate the Import Directory with a null-filled IID.
2. Each IID needs at least the two fields Name1 and FirstThunk; the rest can be set to 0 (setting OriginalFirstThunk = FirstThunk, i.e. duplicating the RVAs, also works).
3. Each FirstThunk entry must be an RVA to an Image_Thunk_Data (the IAT), which in turn contains a further RVA to the API name. The name must be a null-terminated ASCII string of variable length, preceded by 2 bytes (the hint) which can be set to 0.
4. If IIDs are added, the isize field of the Import Table in the Data Directory may need changing. The IAT entries in the Data Directory do not need editing.

Writing the new import data in a hex editor and then pasting it into your target can take a long time. There are tools that automate the process (e.g. SnippetCreator, IIDKing, Cavewriter), but it is still better to understand how to do it by hand. The main task is to append a new IID onto the end of the Import Table; you need 20 bytes for each DLL used, and don't forget 20 bytes for the null terminator. In almost every case there is no space at the end of the existing Import Table, so we make a copy and rebuild it somewhere else.

Step 1 - create space for a new IID

This involves the following steps:
1. Move all the IIDs to a location where there is space. This can be anywhere: the end of the existing .idata section, or a completely new section.
2. Update the RVA of the new Import Directory in the Data Directory of the PE header.
3. If necessary, round up the size of the section where you placed the new Import Table so that all of it is mapped into memory (e.g. VirtualSize of the .idata section rounded up to 1000h).
4. Run it, and if it works move on to step 2. If it doesn't, check that the injected descriptors are mapped into memory and that the RVA of the Import Directory is correct.

IMPORTANT NOTE: The FirstThunk and OriginalFirstThunk fields of the IIDs contain RVAs, RELATIVE ADDRESSES, which means you can cut and paste the Import Directory (IIDs) anywhere you like in the PE file (taking into account that the destination has to be mapped into memory); changing the RVA (and the size if necessary) of the Import Directory in the Data Directory is enough to make the app work perfectly. Back to our app in the hex editor: the first IID and the null terminator are outlined in colour. As you can see in the picture below, there is no free space after the null IID:

However, there is a large amount of space at the end of the .idata section before the .rdata section begins. We copy and paste the existing IIDs shown above to this new location at offset 2C500h:


To convert the new offset into an RVA (see the appendix):
RVA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection = 2C500 - 2AC00 + 2D000 = 2E900h
So change the virtual address of the import table in the Data Directory from 2D000 to 2E900. Now edit the header of the .idata section and change VirtualSize to equal RawSize, so that the loader maps the whole section. Run our app to test it.

Step 2 - Add the new DLL and function details

This involves the following steps:
1. Add the null-terminated ASCII strings of your DLL name and function name into the free space in the .idata section. The function name is actually an Image_Import_By_Name structure, preceded by a null DWORD (the hint field).
2. Calculate the RVAs of the above strings.
3. Put the RVA of the DLL name into the Name1 field of your new IID.
4. Find another DWORD-sized space and put the RVA of the hint/function name into it. This becomes the Image_Thunk_Data, or IAT, of our new DLL.
5. Calculate the RVA of the above Image_Thunk_Data DWORD and put it into the FirstThunk field of your new IID.
6. Run the app to test it; your new API is ready to be called.

To fill in our new IID we need at least the Name1 and FirstThunk fields (the others can be nulled). As we know, Name1 holds the RVA of the DLL name in null-terminated ASCII. FirstThunk holds the RVA of an Image_Thunk_Data structure, which in turn holds another RVA, that of the function name in null-terminated ASCII. The name, however, is preceded by 2 bytes (the Hint) which are set to zero. As an example, we want to use the LZCopy function, which copies a source file to a destination file. If our source file has been compressed with the Microsoft File Compression Utility (COMPRESS.EXE), this function creates a decompressed destination file. If the source file is not compressed, the function duplicates the original file. The function we are talking about lives in lz32.dll, which is not currently used by our app. So first we need to add strings for the names lz32.dll and LZCopy. In the hex editor we scroll up from where we placed our new import table to the end of the pre-existing data and add the DLL name followed by the function name there. Note the null bytes after each string and the null DWORD before the function name:

We need to calculate their RVAs:
RVA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection (add ImageBase to get the VA)
RVA of DLL name = 2C420 - 2AC00 + 2D000 = 2E820h (20 E8 02 00 in reverse)
RVA of function name = 2C430 - 2AC00 + 2D000 = 2E830h (30 E8 02 00 in reverse)
The first value can go straight into the Name1 field of our new IID, but the second must go into an Image_Thunk_Data structure, whose RVA we then put into the FirstThunk (and OriginalFirstThunk) field of our new IID. We place the Image_Thunk_Data structure below the function name at offset 2C440 and calculate the RVA to put into FirstThunk:
RVA of Image_Thunk_Data = 2C440 - 2AC00 + 2D000 = 2E840 (40 E8 02 00 in reverse)

If we fill in the data in the hex editor we see the following:


Finally we save our work, run the app and load it into PEBrowse:


To call our new function we need the following code: CALL DWORD PTR [XXXXXXXX], where XXXXXXXX = RVA of Image_Thunk_Data + ImageBase. In our LZCopy example above, XXXXXXXX = 2E840 + 400000 = 42E840, so we write: CALL DWORD PTR [0042E840]. A final note: obviously, even if we add a function from a DLL that is already in use, such as kernel32.dll, we still need to create a new IID for it, so that we can create a new IAT in a convenient location as above. The following is just an addendum to this section. There is a fully automated way of doing all of the above:


Note that SnippetCreator adds jump-thunk stubs for the new imports into your code, whereas with the other programs you have to do this entirely by hand.
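The layout worked through in steps 1 and 2 above, as an added Python example (it is not code from the tutorial or from SnippetCreator, IIDKing or Cavewriter). It lays out the DLL name, the hint/name structure, the one-entry IAT and the new IID for a single function, converts raw offsets to RVAs with the same formula as the text, and encodes the CALL DWORD PTR [VA] that calls through the new IAT entry. The figures used when it runs are the ones from the text (strings at 2C420h in a .idata section with raw offset 2AC00h and virtual offset 2D000h, ImageBase 400000h); the 16-byte spacing of each piece is an assumption chosen to match the hex dump, and the function uses a 2-byte hint, which is the size the IMAGE_IMPORT_BY_NAME structure defines.

```python
import struct

IID_FMT = "<IIIII"      # IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name1, FirstThunk
IID_LEN = struct.calcsize(IID_FMT)   # 20 bytes
NULL_IID = b"\0" * IID_LEN


def align_up(value, alignment):
    return (value + alignment - 1) // alignment * alignment


def raw_to_rva(raw_off, section_raw_off, section_va):
    """The conversion from the text: RVA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection."""
    return raw_off - section_raw_off + section_va


def rva_to_raw(rva, section_raw_off, section_va):
    """Inverse conversion, used to read back what the loader would see at an RVA."""
    return rva - section_va + section_raw_off


def build_new_import(dll, func, free_raw_off, section_raw_off, section_va, image_base=0x400000):
    """Lay out DLL name, IMAGE_IMPORT_BY_NAME (2-byte hint + name), the one-entry IAT
    (Image_Thunk_Data + null terminator) and the IID for one imported function.
    Each piece starts on a 16-byte boundary (assumed spacing, matching the hex dump)."""
    rvas, blob = {}, bytearray()

    def place(tag, data):
        here = free_raw_off + len(blob)
        blob.extend(b"\0" * (align_up(here, 16) - here))
        rvas[tag] = raw_to_rva(free_raw_off + len(blob), section_raw_off, section_va)
        blob.extend(data)

    place("dll_name", dll.encode("ascii") + b"\0")
    place("import_by_name", struct.pack("<H", 0) + func.encode("ascii") + b"\0")   # hint = 0
    place("iat", struct.pack("<II", rvas["import_by_name"], 0))   # FirstThunk target + terminator
    iid = struct.pack(IID_FMT, rvas["iat"], 0, 0, rvas["dll_name"], rvas["iat"])   # OriginalFirstThunk = FirstThunk
    call = b"\xFF\x15" + struct.pack("<I", rvas["iat"] + image_base)   # CALL DWORD PTR [VA of Image_Thunk_Data]
    return {"rvas": rvas, "blob": bytes(blob), "iid": iid, "call": call}


def append_iid(import_directory, iid):
    """Insert a descriptor in front of the null IID that terminates the Import Directory."""
    if import_directory[-IID_LEN:] != NULL_IID:
        raise ValueError("import directory is not null-terminated")
    return import_directory[:-IID_LEN] + iid + NULL_IID


def read_cstring(blob, blob_raw_off, rva, section_raw_off, section_va):
    """Follow an RVA back into the blob and read the null-terminated ASCII string there."""
    start = rva_to_raw(rva, section_raw_off, section_va) - blob_raw_off
    return blob[start:blob.index(b"\0", start)].decode("ascii")


if __name__ == "__main__":
    # Figures from the text: strings at 2C420h in .idata (raw offset 2AC00h, virtual offset 2D000h)
    r = build_new_import("lz32.dll", "LZCopy", 0x2C420, 0x2AC00, 0x2D000)
    for tag, rva in r["rvas"].items():
        print(f"{tag:15} RVA {rva:05X}  bytes {struct.pack('<I', rva).hex(' ')}")
    print("call:", r["call"].hex(" "))
    print("iid :", r["iid"].hex(" "))
```

Running it prints the three RVAs from the text (2E820h, 2E830h, 2E840h) with their reversed byte encodings, the 20-byte descriptor to paste before the null IID, and the six-byte CALL. read_cstring is the check a practitioner wants before saving: it walks the RVAs the way the loader does and must give back the DLL and function names.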


13. Introduction to Packers

In this section we dissect the effect of a simple packer on our app and discuss the two main methods of patching a packed executable: unpacking, or inline patching. We use the packer UPX 1.25 because it is a true executable compressor and does not use any advanced protection mechanisms. Its authors are Markus & Laszlo. First we scan our (not yet packed) file with PEiD:

Next we pack our app with UPX. It is a command-line program, so we open a DOS prompt and type "upx basecalc.exe":


We then notice that the size of our program has dropped from 225kb to 91kb, and in PEiD we see the following:

Using PEBrowse Pro we see that the packer has given our app 3 sections: UPX0, UPX1 and .rsrc. The resource section now contains the import directory, but for each DLL only one or two functions are imported; the others have disappeared:


Note that the .rsrc section keeps its original name even though the others were changed. Interestingly, this dates back to a bug in the LoadTypeLibEx function in oleaut32.dll in Win95, which used the name rsrc to find and load the resource section. This created an error if the section was renamed. Although this bug has been fixed, it seems most packers do not rename the rsrc section for compatibility reasons. By opening our app in LordPE and clicking the Compare button we can open the original app and see the changes to the headers:


When we open the app in Olly we get a message box telling us that our executable is packed. Just click OK and we are at the EntryPoint:


The UPX packer compresses our app and adds to the code a stub containing the decompression algorithm. The app's EntryPoint is changed to the start of the stub, and once the stub has done its work execution jumps to the original entrypoint (OEP) to start our now-unpacked program. The basic way of dealing with this is to let the stub decompress our app into memory and then dump that memory region to a file to get a copy of the unpacked program. However, the app will not run properly, because the dumped file has its sections aligned to memory page boundaries rather than to the file alignment values, the entrypoint still points to the decompression stub, and the import directory is obviously wrong and will need fixing. Note that in Olly our entrypoint is at the first instruction, PUSHAD. PUSHAD is short for PUSH ALL DOUBLE and saves the contents of all the 32-bit registers onto the stack, from EAX to EDI. The stub then does its work and finishes with a POPAD before the jump to the OEP. POPAD restores the register contents from the stack. This means the stub restores everything and exits without a trace before actually running the app. This method therefore also suits many other common packers, e.g. ASPack. From the first PUSHAD, the stack contents at that level must remain completely untouched until the POPAD. If we set a hardware breakpoint on the first 4 bytes of the stack at the moment of the PUSHAD, Olly will break when those 4 bytes are accessed by the POPAD, and we will be right at the jump to our OEP. First we execute the PUSHAD by pressing F7 once. Then we set our breakpoint. The ESP register (Stack Pointer) always points to the top of the stack, so right-click ESP and choose Follow in Dump. We get the following:

Next, highlight the first DWORD of the stack in the Dump window, right-click and choose Breakpoint > Hardware, on access > Dword:


Next press F9 to run the program and Olly will break. We can see the JMP to the OEP. The OEP we see here has the ImageBase 400000h added to it, so to find the real OEP we subtract the ImageBase. So our OEP is 0002ADB4h.

If you want to cheat, there is a quick way that always works with UPX. Simply scroll to the end of the code in Olly's CPU window and, just before the zero padding starts, you will see the POPAD as above. NOTE: Other packers that also use the PUSHAD/POPAD mechanism may jump to the OEP using a PUSH that pushes the OEP value onto the top of the stack, followed by a RET. The CPU thinks this is a return from a function call and, as usual, takes the return address from the top of the stack. Next we press F7 to execute the JMP and we are at the OEP. Here we use the Olly plugin OllyDump to dump the file. Right-click at the OEP and choose OllyDump; we get the following screen, fill it in as illustrated:

Note that OllyDump has already worked out the base address and size of image (which you could see by looking in the memory map window) and has offered to correct the entrypoint for us (although we could do this manually in the hexeditor). Click Dump and save the file under any name you like (e.g. basecalc_dmp.exe). Leave Olly as it is after the dump. Unfortunately, when we look at the dumped file it has lost its icon, and if we try to run it we get the following message:

We get this message because of the alignment problem I mentioned above; the file size has also grown. Open our app in LordPE and look at the Sections. The Raw Offset and Raw Size values are wrong. We have to make the Raw values equal to the Virtual values for each section for our app to work. Right-click the UPX0 section and choose edit header:


Now we make RawOffset equal to VirtualAddress and RawSize equal to VirtualSize. Repeat this for every section, then click Save and Exit (this is what the "fix raw size" checkbox in OllyDump does automatically). Now we see the app has its icon, but when we run it we get a different error: "The application failed to initialize properly". This is because we have not fixed the imports yet. Fixing the imports can be done entirely by hand, but it would take a lot of time and effort if there are many imported functions, etc. So here we use ImpREC 1.6F by MackT to do it automatically. ImpREC needs to attach to a running process and also needs the packed file in order to find the imports. Start ImpREC and follow these steps:
1. Choose Basecalc.exe in the Attach list (it should still be running in Olly).
2. Enter our OEP, 2ADB4, in the OEP textbox.
3. Click the IAT AutoSearch button and click OK on the message box.
4. Click the Get Imports button.
5. Click Show Invalid; in our case there are none.
6. Click Fix Dump and choose our dumped file, basecalc_dmp.exe.
7. Done; exit ImpREC.
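The section-header repair described at the start of this step (RawOffset := VirtualAddress, RawSize := VirtualSize for every section), as an added Python example that is not code from the tutorial nor from OllyDump or LordPE. It works on a section table alone, so it runs without a real dump; the UPX0/UPX1/.rsrc headers it builds are constructed sample values, not the ones from the tutorial's BaseCalc. A checker reports which sections still describe a file layout different from the memory layout, which is what is wrong with a raw dump before the fix, and a helper does the ImageBase subtraction used for the OEP.

```python
import struct

SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes
SECTION_HDR_LEN = struct.calcsize(SECTION_HDR)


def sample_upx_section_table():
    """Constructed section table in the shape UPX leaves behind (sample values only)."""
    return (struct.pack(SECTION_HDR, b"UPX0", 0x1F000, 0x01000, 0x0000, 0x0400, 0, 0, 0, 0, 0xE0000080)
            + struct.pack(SECTION_HDR, b"UPX1", 0x0A000, 0x20000, 0x9E00, 0x0400, 0, 0, 0, 0, 0xE0000040)
            + struct.pack(SECTION_HDR, b".rsrc", 0x09000, 0x2A000, 0x8E00, 0xA200, 0, 0, 0, 0, 0xC0000040))


def section_fields(section_table, index):
    """(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)."""
    f = struct.unpack_from(SECTION_HDR, section_table, index * SECTION_HDR_LEN)
    return (f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4], f[9])


def section_count(section_table):
    return len(section_table) // SECTION_HDR_LEN


def dump_layout_mismatches(section_table):
    """Names of sections whose on-disk position/size differ from their in-memory ones.
    A memory dump is laid out like the loaded image, so in a good dump this is empty."""
    bad = []
    for i in range(section_count(section_table)):
        name, vsize, va, rawsize, rawoff, _ = section_fields(section_table, i)
        if (rawoff, rawsize) != (va, vsize):
            bad.append(name)
    return bad


def fix_dumped_section_table(section_table):
    """What OllyDump's "fix raw size" and the manual LordPE edits do:
    PointerToRawData := VirtualAddress and SizeOfRawData := VirtualSize for every section."""
    out = bytearray(section_table)
    for i in range(section_count(out)):
        off = i * SECTION_HDR_LEN
        f = list(struct.unpack_from(SECTION_HDR, out, off))
        f[4] = f[2]   # PointerToRawData := VirtualAddress
        f[3] = f[1]   # SizeOfRawData   := VirtualSize
        struct.pack_into(SECTION_HDR, out, off, *f)
    return bytes(out)


def oep_from_va(va, image_base=0x400000):
    """The OEP seen in the debugger includes ImageBase; the header field does not."""
    return va - image_base


if __name__ == "__main__":
    table = sample_upx_section_table()
    print("mismatched before fix:", dump_layout_mismatches(table))
    fixed = fix_dumped_section_table(table)
    print("mismatched after fix: ", dump_layout_mismatches(fixed))
    for i in range(section_count(fixed)):
        name, vsize, va, rawsize, rawoff, flags = section_fields(fixed, i)
        print(f"{name:6} VA={va:06X} VSize={vsize:05X} Raw={rawoff:06X} RawSize={rawsize:05X} {flags:08X}")
    print(f"OEP field value: {oep_from_va(0x42ADB4):X}")
```

Note that a section whose SizeOfRawData was 0 on disk (UPX0 here, which is only filled at run time) gets a real raw size after the fix, which is one reason the dumped file is larger than the packed one.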


ImpREC saves the fixed file as basecalc_dmp_.exe. Run this file to check it. If we analyse it we see that its size has grown and it has an extra section named mackt, which is where ImpREC put the new import data:

Because UPX is only a compressor, it simply takes the existing import data and stores it in the resource section without encrypting or damaging it. That is why ImpREC can find all the valid imports without resorting to tracing or rebuilding: it just takes the import directory from the packed executable in memory and transfers it to a new section in the unpacked executable. Now let's scan the unpacked file in PEiD:


The above only illustrates the steps needed to unpack an executable packed with a simple packer. There are, however, many more advanced packers that add all sorts of protection mechanisms, e.g. anti-debugging and anti-tampering tricks, encryption of code and IAT, stolen bytes, API redirection, etc., which I cannot cover within the scope of this article; I ask the reader's indulgence. In some cases, when we need to patch a packed file, a technique called inline patching lets us avoid unpacking the file altogether. It involves patching the code at runtime, in memory, after the decompression stub has finished its work and before it finally jumps to the OEP to run the app. In other words, we wait until our app has been unpacked in memory, then jump to the patching code we injected, and finally jump back to the OEP. To demonstrate the technique we inject code into our packed executable that pops up a message box telling us when the app has been unpacked in memory. When we click OK it jumps to the OEP and the app runs normally. The first task is to find somewhere to put our code, so open the packed app in the hex editor and look for a suitable free space, also called a "cave". Free space at the end of a section is best, because it is least likely to be used by the packer and can be enlarged by extending the section if necessary (see the section on adding code to a PE file). You can see how effective UPX is: the space we need is hard to find, but a small cave still exists here. Now we add "Unpacked..." and "Now back to OEP" in the ASCII column of the hex editor, as in the picture below:


This marks where our patch goes in Olly without us having to worry about calculating VAs. Save the changes and open our app in Olly. Right-click in the Hex window and choose search for binary string. Enter "Unpacked" and note the VAs of the 2 strings. In the CPU window, right-click and choose Goto expression. Enter the address of the first string and you will see the 2 strings in hexadecimal form. Olly has not analysed this correctly, so it displays it as meaningless code. Highlight the code (the next free row underneath) and press the Space Bar to assemble the following instructions:
PUSH 0
PUSH 440C30 [address of first string]
PUSH 440C40 [address of second string]
PUSH 0
CALL MessageBoxA
JMP 42ADB4

Make a note of the address of our first PUSH instruction: 440C4E. Our code looks like this in Olly:

Next, right-click and choose copy to executable, selection. In the new window that appears, right-click and choose save file, etc. If we check in the hexeditor we see our code has been added:

Finally we need to change the JMP at the end of the UPX stub so that it jumps to our code. Find the jump as described above, double-click the JMP instruction to assemble and change the address to 440C4E. Save the changes once more and run our app to test it:

Clicking OK resumes BaseCalc.
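What Olly encodes when you assemble the cave code above and retarget the stub's final JMP, as an added Python example (not the tutorial's code and not taken from OllyDbg). It produces the byte sequences for PUSH imm8/imm32, CALL rel32 and JMP rel32, using the addresses from the text (cave at 440C4E, strings at 440C30 and 440C40, OEP 42ADB4). Two values are assumptions: the CALL is emitted as a direct near call to an address of MessageBoxA, and both that address and the address of the stub's JMP are constructed sample values, because neither appears in the text. A decoder is included so the relative displacements can be checked against the intended targets before the bytes go into the file.

```python
import struct


def push_imm(value):
    """PUSH imm: 6A ib when the value fits a sign-extended byte, otherwise 68 id."""
    if -128 <= value <= 127:
        return b"\x6A" + struct.pack("<b", value)
    return b"\x68" + struct.pack("<I", value)


def rel32(opcode, at, target):
    """E8 (CALL) / E9 (JMP) with a 32-bit displacement relative to the next instruction."""
    return opcode + struct.pack("<i", target - (at + 5))


def rel32_target(at, insn):
    """Resolve the destination of a CALL/JMP rel32 located at `at` (the decoder's check)."""
    if len(insn) != 5 or insn[0] not in (0xE8, 0xE9):
        raise ValueError("not a rel32 CALL/JMP")
    return (at + 5 + struct.unpack("<i", insn[1:])[0]) & 0xFFFFFFFF


def assemble_cave(cave_va, first_str_va, second_str_va, messagebox_va, oep_va):
    """The cave code from the text. Arguments are pushed right to left, so the first
    string becomes MessageBoxA's caption and the second its text; then JMP to the OEP."""
    code = push_imm(0) + push_imm(first_str_va) + push_imm(second_str_va) + push_imm(0)
    code += rel32(b"\xE8", cave_va + len(code), messagebox_va)   # assumed: direct CALL to the API
    code += rel32(b"\xE9", cave_va + len(code), oep_va)
    return code


def retarget_jmp(jmp_va, new_target):
    """New bytes for the 5-byte JMP at the end of the stub so it lands in the cave."""
    return rel32(b"\xE9", jmp_va, new_target)


if __name__ == "__main__":
    MESSAGEBOX_VA = 0x77D507EA   # constructed sample address, not a real one
    STUB_JMP_VA = 0x440A00       # constructed sample address of the stub's final JMP
    cave = assemble_cave(0x440C4E, 0x440C30, 0x440C40, MESSAGEBOX_VA, 0x42ADB4)
    print("cave code:", cave.hex(" "))
    print("JMP to cave:", retarget_jmp(STUB_JMP_VA, 0x440C4E).hex(" "))
    print("final JMP resolves to OEP:", hex(rel32_target(0x440C4E + 19, cave[19:24])))
```

The displacement arithmetic is the part worth checking: a JMP from 440C61 back to 42ADB4 is a negative displacement, so the encoded bytes are 4E A1 FE FF, and an off-by-five error (forgetting that the displacement is relative to the next instruction) lands five bytes into the OEP's first instruction.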

14. References & Further Reading

The Portable Executable Format -- Michael J. O'Leary
The Portable Executable File Format from Top to Bottom -- Randy Kath
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format -- Matt Pietrek
An In-Depth Look into the Win32 Portable Executable File Format (2 parts) -- Matt Pietrek
Windows 95 Programming Secrets -- Matt Pietrek
Linkers and Loaders -- John R Levine
Secrets of Reverse Engineering -- Eldad Eilam
PE.TXT -- Bernd Luevelsmeyer
Converting virtual offsets to raw offsets and vice versa -- Rheingold
PE Tutorial -- Iczelion
The Portable Executable File Format -- KGL
PE Notes, Understanding Imports -- yAtEs
Win32 Programmer's Reference
What Goes On Inside Windows 2000: Solving the Mysteries of the Loader -- Russ Osterlund
Tool Interface Standard (TIS) Formats Specification for Windows
Adding Imports by Hand -- Eduardo Labir (Havok), CBJ
Enhancing functionality of programs by adding extra code -- c0v3rt+
Working Manually with Import Tables -- Ricardo Narvaja
All tutorials concerning manual unpacking (especially those from ARTeam, with special reference to the Beginner Olly series by Shub and Gabri3l).


15. Complete PE Offset Reference

The DOS Header:

OFFSET  SIZE   NAME         EXPLANATION
00      WORD   e_magic      Magic DOS signature MZ (4Dh 5Ah)
02      WORD   e_cblp       Bytes on last page of file
04      WORD   e_cp         Pages in file
06      WORD   e_crlc       Relocations
08      WORD   e_cparhdr    Size of header in paragraphs
0A      WORD   e_minalloc   Minimum extra paragraphs needed
0C      WORD   e_maxalloc   Maximum extra paragraphs needed
0E      WORD   e_ss         Initial (relative) SS value
10      WORD   e_sp         Initial SP value
12      WORD   e_csum       Checksum
14      WORD   e_ip         Initial IP value
16      WORD   e_cs         Initial (relative) CS value
18      WORD   e_lfarlc     File address of relocation table
1A      WORD   e_ovno       Overlay number
1C      WORD   e_res[4]     Reserved words
24      WORD   e_oemid      OEM identifier (for e_oeminfo)
26      WORD   e_oeminfo    OEM information; e_oemid specific
28      WORD   e_res2[10]   Reserved words
3C      DWORD  e_lfanew     Offset to start of PE header

The PE Header:

OFFSET  SIZE   NAME                          EXPLANATION
00      DWORD  Signature                     PE Signature PE.. (50h 45h 00h 00h)
04      WORD   Machine                       014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h = MIPS
06      WORD   NumberOfSections              Number Of Sections
08      DWORD  TimeDateStamp                 Date & time image was created by the linker
0C      DWORD  PointerToSymbolTable          Zero or offset of COFF symbol table in older files
10      DWORD  NumberOfSymbols               Number of symbols in COFF symbol table
14      WORD   SizeOfOptionalHeader          Size of optional header in bytes (224 in 32bit exe)
16      WORD   Characteristics               see below

********** START OF OPTIONAL HEADER **********

18      WORD   Magic                         010Bh = 32-bit executable image, 020Bh = 64-bit executable image, 0107h = ROM image
1A      BYTE   MajorLinkerVersion            Major version number of the linker
1B      BYTE   MinorLinkerVersion            Minor version number of the linker
1C      DWORD  SizeOfCode                    Size of code section, or sum if multiple code sections
20      DWORD  SizeOfInitializedData         As above
24      DWORD  SizeOfUninitializedData       As above
28      DWORD  AddressOfEntryPoint           Start of code execution, optional for DLLs, zero when none present
2C      DWORD  BaseOfCode                    RVA of first byte of code when loaded into RAM
30      DWORD  BaseOfData                    RVA of first byte of data when loaded into RAM
34      DWORD  ImageBase                     Preferred load address
38      DWORD  SectionAlignment              Alignment of sections when loaded in RAM
3C      DWORD  FileAlignment                 Alignment of sections in file on disk
40      WORD   MajorOperatingSystemVersion   Major version no. of required operating system
42      WORD   MinorOperatingSystemVersion   Minor version no. of required opera
44      WORD   MajorImageVersion
46      WORD   MinorImageVersion
48      WORD   MajorSubsystemVersion
4A      WORD   MinorSubsystemVersion
4C      DWORD  Reserved1