..::[ARTeam Tutorial]::.. PORTABLE EXECUTABLE FILE FORMAT

Category: relates to cracking, unpacking, reverse engineering
Level: Intermediate
Test OS: XP Pro SP2
Author: Goppit
Translated by: kienmanowar (REA-cRaCkErTeAm)

Tools used:
- Hexeditor (any will do)
- PEBrowse Pro: http://www.smidgeonsoft.prohosting.com/download/PEBrowse.zip
- PEiD: http://www.secretashell.com/codomain/peid/download.html
- LordPE: http://mitglied.lycos.de/yoda2k/LordPE/LPE-DLX.ZIP (get the DLXb update also)
- HexToText: http://www.buttuglysoftware.com/HexToTextMFC.zip
- OllyDbg: http://home.t-online.de/home/Ollydbg/odbg110.zip
- ResHacker: http://delphi.icm.edu.pl/ftp/tools/ResHack.zip
- BaseCalc: included in this archive

...and mentioned in the text:
- Snippet Creator: http://win32assembly.online.fr/files/sc.zip
- First_Thunk Rebuilder: http://www.angelfire.com/nt/teklord/FirstThunk.zip
- IIDKing: http://www.reteam.org/tools/tf23.zip
- Cavewriter: http://sandsprite.com/CodeStuff/cavewriter.zip
Contents:

Preface
1. Basic Structure
2. The DOS Header
3. The PE Header
4. The Data Directory
5. The Section Table
6. The PE File Sections
7. The Export Section
8. The Import Section
9. The Windows Loader
10. Navigating Imports
11. Adding Code to a PE File
12. Adding Imports to an Executable
13. Introduction to Packers
14. References & Further Reading
15. Complete PE Offset Reference
16. Relative Virtual Addressing Explained
Preface:
This article aims to collate information from many different sources and present it in the way that is easiest for a beginner to approach. Although it goes into detail in many sections, it is oriented toward reverse code engineering, so information that is not needed for that purpose has been left out. You will notice that I borrow heavily from other published articles; all of the authors of those articles are acknowledged with deep gratitude in the references section at the end.

PE is the native file format of Win32. All Win32 executables (except VxDs and 16-bit DLLs) use the PE format. 32-bit DLLs, COM files, OCX controls, Control Panel applets (.CPL files) and .NET applications are all PE format. Even the kernel-mode drivers of the NT family of operating systems use the PE format. Why do we need to learn about it? There are two main reasons. First, we want to add code to executables (for example keygen injection or adding functionality), and second, we want to manually unpack executables. Most of the interest lies in the second reason, because nowadays almost all shareware is packed, both to reduce the file size and to add a layer of protection to the file. Inside a packed executable the import tables are usually altered or invalidated and the data is usually encrypted. The packer inserts code that unpacks the file in memory at run time and then jumps to the OEP (original entry point), the place where the original program really starts executing. Even if we find a way to dump this memory region after the packer has finished unpacking the executable, we still have to fix up the sections and the import tables before our application will run. How can we do that without any understanding of the PE file format?

The executable used as the example throughout this article is BASECALC.EXE, a very useful program from Fravia's site that calculates and converts between decimal, hex, binary and octal numbers. Its author coded it in Borland Delphi 2.0, which makes it an ideal example for showing how the Borland compiler leaves the OriginalFirstThunks null (more on this later).
1. Basic Structure:
The illustration below shows the basic structure of a PE file.

At a minimum a PE file normally has 2 sections: one for code and one for data. An application for Windows NT has 9 predefined sections named .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others may define more sections to suit their own specific needs. The sections most commonly present in an executable are:

1. Executable Code Section, named .text (Micro$oft) or CODE (Borland)
2. Data Sections, named .data, .rdata or .bss (Micro$oft) or DATA (Borland)
3. Resources Section, named .rsrc
4. Export Data Section, named .edata
5. Import Data Section, named .idata
6. Debug Information Section, named .debug

These names are actually irrelevant, since they are ignored by the OS and exist only for the convenience of the programmer. Another important point is that a PE file uses the same headers and the same ordering of sections on disk as it does once loaded into memory, so if you can locate a piece of information in the file on disk you will be able to find it when the file is loaded into memory. However, the file is not copied into memory exactly as it is. The Windows loader decides which parts to map and which to omit. Data that is not mapped, such as debug information, is placed at the end of the file after any parts that will be mapped. Also, the position of an item in the file on disk will always differ from its position once loaded into memory, because of the page-based virtual memory management that Windows uses. When sections are loaded into RAM they are aligned to 4KB memory pages, each section starting on a new page. A field in the PE header tells the system how much memory needs to be set aside for mapping the file. Virtual memory is explained below.

The term virtual memory means that instead of letting software access physical memory directly, the processor and OS create an invisible layer between the two. Every time an attempt is made to access memory, the processor consults a page table to find out which process the address belongs to and which physical address is actually in use. It would not be practical to have a table entry for every byte of memory (the page table would be larger than the total physical memory), so instead the processor divides memory into pages. This has several advantages:

1. It allows the creation of multiple address spaces. An address space is an isolated page table that only allows access to the memory that belongs to the current program or process. It ensures that programs are completely isolated from one another and that a fault that crashes one program cannot damage the address space of other programs.

2. It allows the processor to enforce rules about how memory is accessed. Sections are required in a PE file because different areas of the file are treated differently by the memory manager when a module is loaded. At load time the memory manager sets the access permissions on the memory pages of the different sections based on their settings in the section headers. This determines whether a given section is readable, writable or executable, and it means that each section must begin on a new page. However, the default page size for Windows is 4096 bytes (1000h), and it would be wasteful to align executable files on a 4KB page boundary on disk, since that would make them much larger than necessary. Because of this, the PE header has two different alignment fields: section alignment and file alignment. Section alignment is how sections are aligned in memory, as above. File alignment (usually 512 bytes, 200h) is how sections are aligned in the file on disk; it is a multiple of the disk sector size, which optimizes the loading process.

3. It allows a paging file to be used on the hard drive to temporarily store pages from physical memory while they are not in use. For example, if an application has been loaded but is idle, its address space can be paged out to disk to make room for other applications that need to be loaded into RAM. If the situation reverses, the OS can simply load the first application back into RAM and resume execution where it left off. An application can also use more memory than the available physical memory, because the system can use the hard drive as secondary storage whenever physical memory runs out.

When a PE file is loaded into memory by the Windows loader, the in-memory version is known as a module. The starting address at which the file mapping begins is called an HMODULE. A module in memory represents all the code, data and resources from an executable file that are needed for execution, while the term process basically refers to an isolated address space in which such a module can run.
2. The DOS Header:
All PE files start with the DOS header, which occupies the first 64 bytes of the file. It is there in case the program is run under DOS, so that DOS can recognize it as a valid executable and run the DOS stub, which is stored immediately after the header. Most DOS stubs simply use function 9 of interrupt 21h to display a string such as "This program must be run under Microsoft Windows", but the stub could be a full-blown DOS program. (In short, the DOS stub is just a small DOS EXE that usually displays an error message like the one above. Because this header sits at the very beginning of the file, DOS viruses can infect a PE image right at the DOS stub. The DOS stub is nevertheless kept for compatibility with 16-bit Windows systems.) When you build a Windows application, the linker links a default stub program called WINSTUB.EXE into your executable. You can override the linker's default behaviour by substituting your own MS-DOS-based program for WINSTUB and using the STUB: linker option when linking the executable.

The DOS header is a structure defined in windows.inc or winnt.h (if you have an assembler or compiler installed, you will find these files in the \include\ directory). It has 19 members, of which magic and lfanew (e_magic and e_lfanew in winnt.h) are the ones of interest.

In a PE file the magic member of the DOS header holds the values 4Dh, 5Ah (the characters MZ, the initials of Mark Zbikowski, one of the principal creators of MS-DOS). These values signal a valid DOS header. MZ is the first two bytes you will see in any PE file opened in a hex editor (see the illustration below). As you can see in the illustration, lfanew is a DWORD (Double Word = 4 bytes) that sits at the very end of the DOS header, just before the DOS stub begins. It contains the offset of the PE header relative to the beginning of the file. The Windows loader looks up this offset so that it can skip the DOS stub and go straight to the PE header. The illustration is very helpful because it shows the size of each element. This lets us find the information we are interested in by counting bytes from the start of the section or from some recognizable point. As stated above, the DOS header occupies the first 64 bytes of the file, i.e. the first 4 rows seen in a hex editor in the illustration below. The last DWORD before the DOS stub begins contains the values 00h 01h 00h 00h. Reversing the byte order, this tells us that 00 00 01 00h is the offset at which the PE header begins. The PE header starts with its signature 50h, 45h, 00h, 00h (the letters PE followed by two terminating zeros). If in the signature field you find an NE signature instead of PE, you are dealing with a 16-bit Windows NE file. Likewise, an LE in the signature field tells you it is a Windows 3.x virtual device driver (VxD), and an LX is the mark of a file for OS/2 2.0.

OK... a short break! We will continue the discussion in the next part of this article. :)
3. The PE Header:
PE header is the general term for a structure named IMAGE_NT_HEADERS. This structure contains essential information used by the loader. IMAGE_NT_HEADERS has 3 members and is defined in windows.inc as shown in the illustration:

Signature is a DWORD containing the values 50h, 45h, 00h, 00h (the letters PE followed by two terminating zeros). FileHeader is the next 20 bytes of the PE file and contains information about the physical layout and properties of the file, e.g. the number of sections. OptionalHeader is always present and, for a PE32 file, is made up of the next 224 bytes. It contains information about the logical layout inside the PE file, e.g. AddressOfEntryPoint. Its size is given by a member of FileHeader (SizeOfOptionalHeader). The structures of these members are also defined in windows.inc. FileHeader is defined as shown in the illustration below:

Most of these members are not useful to us, but we must change NumberOfSections if we add or remove any sections in a PE file. Characteristics contains flags that tell us whether the PE file we are working with is an executable or a DLL. Back to our example in the hex editor: we can find NumberOfSections by counting one DWORD and one WORD (6 bytes) from the start of the PE header (the DWORD is Signature and the WORD is Machine). (Note: the NumberOfSections field is used by viruses for various reasons. For example, a virus can increment this field to add a new section to the PE image and place the virus body in that section. Windows NT systems accept at most 96 sections in a PE file. Win95 does not check the section number carefully.) See the illustration below:

This can be verified with any PE tool, e.g. PEBrowsePro:

Or with the well-known LordPE:

Or even, if you are using PEiD, by clicking the Subsystem button:

Note: PEiD is an extremely useful tool. Its main function is to scan executable files and tell us which packer was used to compress and protect the file. PEiD also ships with an equally important plugin, Krypto ANALyzer, which tells us what cryptographic algorithms the file uses, e.g. CRC, MD4, MD5 or SHA, etc. The tool also supports user-defined lists of packer signatures. In short, PEiD is the first tool we reach for when starting an unpacking job.

We continue with the next member, OptionalHeader, which occupies 224 bytes, the last 128 of which hold the Data Directory. It is defined as shown in the illustration below:

AddressOfEntryPoint: the RVA (relative virtual address) of the first instruction that will be executed when the PE loader is ready to run the PE file (it usually points into the .text or CODE section). If you want to divert the flow of execution, you need to change the value in this field to a new RVA, and the instruction at the new RVA will then be executed first. Packers usually replace this value with the address of their decompression stub, after which execution jumps back to the program's original starting point, commonly called the OEP. Note also that with StarForce protection the CODE section is not present in the file on disk but is written into virtual memory during execution, so the value in this field is a VA (see the appendix mentioned below). (Note: this is a truly crucial field, because it is changed by most kinds of virus infection to point to the real entry point of the virus code.)

ImageBase: the preferred load address of the PE file. For example, if the value in this field is 400000h, the PE loader will try to load the file into the virtual address space starting at 400000h. The word "preferred" means that the PE loader may not be able to load the file at that address if another module already occupies that address range. In 99% of cases the value of ImageBase is 400000h.

SectionAlignment: the alignment of sections in memory. When the executable is mapped into memory, each section must start at a virtual address that is a multiple of this value. The usual minimum value of this field is 0x1000 (4096 bytes), i.e. the page size (it must be at least as large as FileAlignment; an image with a SectionAlignment smaller than the page size is mapped without per-section alignment), but Borland linkers often use larger defaults, e.g. 0x10000 (64KB). For example, if the value in this field is 4096 (1000h), each subsequent section must start at the previous section plus a multiple of 4096 bytes. If the first section is at 401000h and is 10 bytes in size, the next section will be at 402000h even though the address space between 401000h and 402000h is mostly unused. (Note: most Win32 viruses use this field to calculate the exact position of the virus body but do not change it.)

FileAlignment: the alignment of sections in the file. For example, if the value of this field is 512 (200h), each subsequent section must start at the previous section plus a multiple of 200h. If the first section is at offset 200h and is 10 bytes in size, the next section will be located at offset 400h; the space between file offsets 522 and 1024 is unused/undefined.

SizeOfImage: the overall size of the PE image in memory. It is the sum of all headers and sections aligned to SectionAlignment.

SizeOfHeaders: the size of all headers + section table. In short, for a file with nothing appended after its last section, this value equals the file size minus the combined size of all sections in the file. You can also use this value as the file offset of the first section in the PE file.

DataDirectory: an array of 16 IMAGE_DATA_DIRECTORY structures, each relating to an important data structure in the PE file, such as the import address table. This important structure will be discussed in detail in the following sections.

The layout of everything in the PE header can be observed visually in the hex editor illustration below. Note that the DOS header and the PE header are always the same size (and shape) when viewed in a hex editor. The DOS stub can vary in size:

Besides the PE tools mentioned above, everyone's favourite debugger OllyDbg can also parse PE headers and display the information completely and meaningfully. Load our example file into Olly and press Alt+M or click the M button to open the Memory Map window, which shows us the PE file loaded in memory.

Next, right-click on the PE header and select Dump in CPU. Then, in the hex window, right-click again and select Special --> PE Header.

We get the following information:
4. The Data Directory:
To recap the previous section: the Data Directory is the last 128 bytes of the OptionalHeader, and in turn the last members of the PE header IMAGE_NT_HEADERS. As we said, the Data Directory is an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes each, each relating to an important data structure in the PE file. Each array entry refers to a predefined item, such as the import table. The IMAGE_DATA_DIRECTORY structure has 2 members, which hold the location and size of the data structure in question:

VirtualAddress is the relative virtual address of the data structure (see later). isize contains the size in bytes of the data structure. The 16 directories these structures refer to are themselves defined in windows.inc:

As an example, using LordPE, the Data Directory for our example file contains only 4 entries (circled in the screenshot). The other 12 entries are unused and filled with zeros:

As you can see in the illustration above, the import table entry contains the RVA and size of the IMAGE_IMPORT_DESCRIPTOR array, the Import Directory. The hex editor illustration below shows the PE header with the data directory outlined in colour. Each outlined area represents one IMAGE_DATA_DIRECTORY structure. The first DWORD is VirtualAddress and the second is isize.

In the illustration above the import table is outlined in pink. The first 4 bytes are the RVA 02D000h (NB reverse byte order). The size of the import table is 181Eh bytes. As stated above, the positions of the data directories relative to the start of the PE header are always the same; e.g. the DWORD 80h (128) bytes from the start of the PE header is always the RVA of the import table. To locate a particular directory, you first read its relative address from the data directory. Then you use that virtual address to determine which section the directory lies in. Once you have worked out which section contains the directory, the section header for that section is used to find the exact file offset.
5. The Section Table:
The section table is the component immediately following the PE header. It is an array of IMAGE_SECTION_HEADER structures, each containing information about one section in the PE file, such as its attributes and virtual offset. Recall that the number of sections is the second member of FileHeader (6 bytes from the start of the PE header). If there are 8 sections in the PE file, there will be 8 copies of this structure in the table. Each header structure is 40 bytes and there is no padding between them (padding here meaning inserted 00h bytes). The structure is defined in windows.inc as follows:

Once again, not all of the members are useful. I will describe only the ones that really matter.

Name1 (NB this field is 8 bytes): the name is just a label and can even be empty. Note that this is not an ASCIIZ string, so it does not have to be null-terminated.

VirtualSize (DWORD union): the actual size of the section's data in bytes. It can be less than the size of the section on disk (SizeOfRawData) and is what the loader allocates in memory for this section.

VirtualAddress: the RVA of the section. The PE loader reads and uses the value in this field when it maps the section into memory. So if the value in this field is 1000h and the PE file is loaded at 400000h, the section will be loaded at 401000h.

SizeOfRawData: the size of the section's data in the file on disk, rounded up to the next multiple of the file alignment by the compiler/linker.

PointerToRawData (Raw Offset): this member is really useful because it is the offset from the start of the file to the section's data. If it is 0, the section's data is not contained in the file (as with uninitialized data) and the loader simply provides zero-filled pages for it at load time. The PE loader uses the value in this field to find where the section's data is in the file.

Characteristics: contains flags such as whether this section contains executable code, initialized data or uninitialized data, and whether it can be written to or read (see the appendix).

NOTE: When you look for a specific section, you can skip the whole PE header and start parsing the section headers by searching for the section name in the ASCII pane of your hex editor.

Back to our example: in the hex editor our file has 8 sections, as we saw in the PE header section.

Having read the section headers, we find the sections themselves. In the file on disk each section starts at an offset that is some multiple of the FileAlignment value found in the OptionalHeader. Between each section's data there is 00 byte padding. When loaded into RAM the sections always start on a page boundary, so the first byte of each section corresponds to the start of a memory page. Pages on x86 CPUs are 4KB aligned, while on IA-64 they are 8KB aligned. This alignment value is stored in SectionAlignment, also in the OptionalHeader. For example, if the headers end at file offset 981 and FileAlignment is 512, the first section will start at byte 1024. Note that you can find the sections via PointerToRawData or VirtualAddress, so there is no need to worry about the alignments. In the illustration above, the import data section (.idata) starts at offset 0002AC00h (highlighted pink, NB reverse byte order) from the start of the file. Its size, given as a DWORD, is 1A00h bytes.
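The following Python is an added example and is not part of the original tutorial. It constructs a small PE32 image in memory (the bytes are made up for the example, not taken from BASECALC.EXE) and then walks it the way sections 2 to 5 describe: it checks the MZ magic, follows e_lfanew to the PE signature (classifying NE/LE/LX files instead of parsing them), reads NumberOfSections 6 bytes into the PE header, pulls the OptionalHeader fields discussed above, the data directory and the section table, and finally converts an RVA to a raw file offset using the section headers, which is exactly the lookup needed to find a data directory such as the import table on disk. Only PE32 (Magic 10Bh) is handled; the struct layouts are those of IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32 and IMAGE_SECTION_HEADER from winnt.h.

```python
import struct

FILE_HDR_FMT = "<HHIIIHH"                                         # IMAGE_FILE_HEADER, 20 bytes
OPT_HDR_FMT = "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6  # PE32 optional header, 96 bytes before the data directory
SECTION_FMT = "<8sIIIIIIHHI"                                      # IMAGE_SECTION_HEADER, 40 bytes


def build_sample_pe():
    """Constructed PE32 sample (not a real program): DOS header, NT headers, .text and .idata."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"                                  # e_magic
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header directly after the 64-byte DOS header
    file_hdr = struct.pack(FILE_HDR_FMT, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # i386, 2 sections, 224-byte optional header
    opt_hdr = struct.pack(OPT_HDR_FMT, 0x10B, 6, 0, 0x200, 0x200, 0,
                          0x1000,                     # AddressOfEntryPoint
                          0x1000, 0x2000,
                          0x400000,                   # ImageBase
                          0x1000, 0x200,              # SectionAlignment, FileAlignment
                          4, 0, 0, 0, 4, 0, 0,
                          0x3000, 0x200,              # SizeOfImage, SizeOfHeaders
                          0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = bytearray(16 * 8)                          # 16 IMAGE_DATA_DIRECTORY entries, all empty except...
    struct.pack_into("<II", dirs, 1 * 8, 0x2000, 0x28)  # ...the import directory, placed inside .idata
    sections = struct.pack(SECTION_FMT, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    sections += struct.pack(SECTION_FMT, b".idata", 0x100, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + file_hdr + opt_hdr + dirs + sections
    headers += b"\0" * (0x200 - len(headers))         # pad headers up to FileAlignment
    return bytes(headers + b"\xC3" * 0x200 + b"\0" * 0x200)  # raw data of .text, then .idata


def signature_kind(data):
    """Classify the file by the signature e_lfanew points at: PE, NE, LE, LX or unknown."""
    if data[:2] != b"MZ":
        return "not MZ"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    sig = data[e_lfanew:e_lfanew + 4]
    if sig == b"PE\0\0":
        return "PE"
    return {b"NE": "NE", b"LE": "LE", b"LX": "LX"}.get(sig[:2], "unknown")


def parse_pe(data):
    """Parse the headers the way the loader does: MZ -> e_lfanew -> PE signature -> headers -> section table."""
    kind = signature_kind(data)
    if kind != "PE":
        raise ValueError("not a PE image (%s)" % kind)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    machine, num_sections, _, _, _, size_opt, characteristics = struct.unpack_from(FILE_HDR_FMT, data, e_lfanew + 4)
    # NumberOfSections sits one DWORD (Signature) + one WORD (Machine) = 6 bytes into the PE header
    assert num_sections == struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_off = e_lfanew + 24
    opt = struct.unpack_from(OPT_HDR_FMT, data, opt_off)
    if opt[0] != 0x10B:
        raise ValueError("only PE32 (Magic 10Bh) is handled here")
    dirs = [struct.unpack_from("<II", data, opt_off + 96 + 8 * i) for i in range(min(opt[29], 16))]
    sec_off = opt_off + size_opt                      # section table follows the optional header
    sections = []
    for i in range(num_sections):
        s = struct.unpack_from(SECTION_FMT, data, sec_off + 40 * i)
        sections.append({"Name": s[0].rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": s[1], "VirtualAddress": s[2], "SizeOfRawData": s[3],
                         "PointerToRawData": s[4], "Characteristics": s[9]})
    return {"Machine": machine, "NumberOfSections": num_sections,
            "IsDll": bool(characteristics & 0x2000),  # IMAGE_FILE_DLL
            "AddressOfEntryPoint": opt[6], "ImageBase": opt[9], "SectionAlignment": opt[10],
            "FileAlignment": opt[11], "SizeOfImage": opt[19], "SizeOfHeaders": opt[20],
            "DataDirectory": dirs, "Sections": sections}


def rva_to_offset(pe, rva):
    """Map an RVA to a file offset via the section table; None if no file data backs that RVA."""
    if rva < pe["SizeOfHeaders"]:
        return rva                                    # headers are mapped 1:1 at the image base
    for s in pe["Sections"]:
        # use the larger size: packed files often have VirtualSize > SizeOfRawData
        span = max(s["VirtualSize"], s["SizeOfRawData"])
        if s["VirtualAddress"] <= rva < s["VirtualAddress"] + span:
            delta = rva - s["VirtualAddress"]
            if delta >= s["SizeOfRawData"]:
                return None                           # in the zero-filled tail, not in the file
            return s["PointerToRawData"] + delta
    return None


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print("sections:", pe["NumberOfSections"], [s["Name"] for s in pe["Sections"]])
    ep = pe["AddressOfEntryPoint"]
    print("entry point RVA %#x -> file offset %#x" % (ep, rva_to_offset(pe, ep)))
    imp_rva, imp_size = pe["DataDirectory"][1]
    print("import directory RVA %#x size %#x -> file offset %#x" % (imp_rva, imp_size, rva_to_offset(pe, imp_rva)))
```

Point a hex editor at the offsets this prints and you will see the same bytes the illustrations above highlight: `rva_to_offset` is the step that turns the data directory's VirtualAddress into a position in the file on disk.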
6. The PE File Sections:
The sections contain the main content of the file, including code, data, resources and other executable information. Each section has a header and a body (the raw data). The section headers are contained in the section table, but the section bodies have no rigid file structure. They can be organized almost any way a linker wishes, provided the header is filled in with enough information to decipher the data. An application for Windows NT typically has the 9 predefined sections named .text, .bss, .rdata, .data, .rsrc, .edata, .idata, .pdata and .debug. Some applications do not need all of these sections, while others define additional sections to suit their own specific needs.

Executable Code Section:
In Windows NT all code segments reside in a single section called .text or CODE. Since Windows NT uses a page-based virtual memory management system, having one large code section is easier to manage for both the OS and the application developer. This section also contains the entry point mentioned earlier and the jump thunk table that points into the IAT (see the import theory section).

Data Sections:
The .bss section represents the uninitialized data for the application, including all variables declared static within a function or source module. The .rdata section represents read-only data, such as literal strings, constants and debug directory information. All other variables (except automatic variables, which only appear on the stack) are stored in the .data section. These are application or module global variables.

Resources Section:
The .rsrc section contains the resource information for a module. The first 16 bytes comprise a header like the other sections, but this section's data is further structured into a resource tree and is best viewed with a resource editor. A well-known one is ResHacker, a free program that lets you edit, add, delete, replace and copy resources:

This is a very powerful program for cracking purposes, and it quickly displays dialog boxes, including those for wrong registration details and nag screens. A shareware application can often be cracked just by deleting the nag screen dialog resource in ResHacker.

Export Data Section:
The .edata section contains the Export Directory for an application or DLL. When present, this section contains information about the names and addresses of the exported functions. We will return to this later, as it is a very important part.

Import Data Section:
The .idata section contains various information about imported functions, including the Import Directory and the Import Address Table. We will also return to this later.

Debug Information Section:
Debug information is initially placed in the .debug section. The PE file format also supports separate debug files (normally identified by a .dbg extension) as a means of collecting debug information in a central location. The debug section contains the debug information, but the debug directories live in the .rdata section mentioned earlier. Each of those directories refers to debug information in the .debug section.

Base Relocations Section:
When the linker creates an EXE file, it makes an assumption about where the file will be mapped into memory. Based on this, the linker puts the real addresses of code and data items into the executable file. If for whatever reason the executable ends up being loaded somewhere else in the virtual address space, the addresses the linker plugged into the image are wrong. The information stored in the .reloc section allows the PE loader to fix these addresses in the loaded image so that they are correct again. On the other hand, if the loader was able to load the file at the base address assumed by the linker, the .reloc section data is not needed and is ignored. The entries in the .reloc section are called base relocations, since their use depends on the base address of the loaded image. Base relocations are simply a list of locations in the image that need a value added to them. The format of the base relocation data is somewhat quirky. The base relocation entries are packed in a series of variable-length chunks. Each chunk describes the relocations for one 4KB page in the image. Let us look at an example to see how base relocations work. An executable file is linked assuming a base address of 0x10000. At offset 0x2134 within the image is a pointer containing the address of a string. The string starts at address 0x14002, so the pointer contains the value 0x14002. You then load the file, but the loader decides that it needs to map the image starting at address 0x60000. The difference between the linker-assumed load address and the actual load address is called the delta. In our example the delta is 0x50000, so everything is 0x50000 bytes higher in memory, including the string (now at address 0x64002). The pointer to the string is now incorrect. The executable file contains a base relocation for the memory location where the pointer to the string resides. To resolve a base relocation, the loader adds the delta value to the original value at the base relocation address. In our case the loader adds 0x50000 to the original pointer value (0x14002) and stores the result (0x64002) back into the pointer's memory. The string really is at 0x64002, so everything is fine.
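The following Python is an added example and not part of the original tutorial. It reproduces the relocation example above on a constructed image buffer: a .reloc blob made of IMAGE_BASE_RELOCATION blocks (a DWORD page RVA, a DWORD block size, then WORD entries whose top 4 bits are the type and low 12 bits the offset within the page) is walked, and for every IMAGE_REL_BASED_HIGHLOW entry the delta between the preferred and actual base is added to the 32-bit value at that location. The image contents and the relocation entries are made up for the example; the pointer at 0x2134 and the bases 0x10000 and 0x60000 are the ones from the text.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0   # padding entry used to keep a block DWORD-aligned; skipped
IMAGE_REL_BASED_HIGHLOW = 3    # 32-bit pointer: add the full delta


def parse_relocations(reloc):
    """Walk the IMAGE_BASE_RELOCATION blocks of a .reloc section; yield (page_rva, type, offset)."""
    pos = 0
    while pos + 8 <= len(reloc):
        page_rva, size_of_block = struct.unpack_from("<II", reloc, pos)
        if size_of_block < 8 or size_of_block % 2 or pos + size_of_block > len(reloc):
            raise ValueError("malformed relocation block at %#x" % pos)
        for entry_off in range(pos + 8, pos + size_of_block, 2):
            entry = struct.unpack_from("<H", reloc, entry_off)[0]
            yield page_rva, entry >> 12, entry & 0xFFF   # high 4 bits: type, low 12 bits: offset in page
        pos += size_of_block


def apply_relocations(image, reloc, preferred_base, actual_base):
    """Rebase a flat image buffer (index == RVA); return (patched image, number of entries applied)."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    out = bytearray(image)
    if delta == 0:
        return bytes(out), 0          # loaded at the preferred base: .reloc is ignored
    applied = 0
    for page_rva, rtype, off in parse_relocations(reloc):
        if rtype == IMAGE_REL_BASED_ABSOLUTE:
            continue
        if rtype != IMAGE_REL_BASED_HIGHLOW:
            raise ValueError("unsupported relocation type %d" % rtype)
        at = page_rva + off
        if at + 4 > len(out):
            raise ValueError("relocation at %#x points outside the image" % at)
        value = struct.unpack_from("<I", out, at)[0]
        struct.pack_into("<I", out, at, (value + delta) & 0xFFFFFFFF)
        applied += 1
    return bytes(out), applied


def build_sample():
    """Constructed image and .reloc data reproducing the example in the text (linked at base 0x10000)."""
    image = bytearray(0x3000)
    struct.pack_into("<I", image, 0x2134, 0x14002)   # pointer to the string, as in the text
    struct.pack_into("<I", image, 0x2140, 0x12000)   # a second absolute pointer on the same page
    struct.pack_into("<I", image, 0x1010, 0x11500)   # a pointer on another page
    # block for page 0x2000: two HIGHLOW entries; block for page 0x1000: one entry plus ABSOLUTE padding
    reloc = struct.pack("<IIHH", 0x2000, 12, (3 << 12) | 0x134, (3 << 12) | 0x140)
    reloc += struct.pack("<IIHH", 0x1000, 12, (3 << 12) | 0x010, 0)
    return bytes(image), reloc


def read_ptr(image, rva):
    return struct.unpack_from("<I", image, rva)[0]


if __name__ == "__main__":
    image, reloc = build_sample()
    rebased, n = apply_relocations(image, reloc, 0x10000, 0x60000)
    print("%d relocations applied; pointer at 0x2134 is now %#x" % (n, read_ptr(rebased, 0x2134)))
```

The same routine is what you need when rebuilding a dump taken at a base other than ImageBase: if the dumped module was relocated, either dump with the relocations already applied or re-apply them against the ImageBase you write into the header.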
7. The Export Sections :Section ny c lin quan mt cch c bit ti cc
file Dlls. Phn thng tin c trch di y t Win32 Programmers Reference s
gii thch ti sao :
Cc hm c th c exported bi mt Dll theo hai cch : by name hoc by
ordinal only . Mt s th t hay mt ch s l mt s 16-bit (WORD sized) m
duy nht ch ra mt hm trong mt file Dll ring bit. Con s ny l duy nht
ch bn trong file Dll n tham chiu ti. Chng ta s ni v exporting bng s
th t phn sau. Nu nh mt hm c exported bng tn , khi cc file Dll khc
hoc cc file thc thi mun gi hm ny , chng s cng s dng tn ca hm hoc ch
s ca hm trong hm GetProcAddress m tr v a ch ca hm trong file Dll ca
n. Ti liu Win32 Programmers Reference s gii thch thm v phng thc hot
ng ca hm GetProcAddress (Mc d trong thc t thng tin v hm ny rt nhiu,
khng ch nhng ti liu c vit bi M$, nhng thng tin khc s cp sau). Cc bn
hy ch n nhng phn m ti nh du bng vin mu :
20
Hm GetProcAddress c th lm c iu ny bi v cc tn v a ch ca nhng
exported function c sp xp trong mt cu trc c nh ngha rt tt trong
Export Directory. Chng ta c th tm thy Export Directory bi v chng ta
bit n l thnh phn u tin trong data directory v RVA ca n c cha ti
offset 78h t ni bt u ca PE Header. (Xin xem thm phn ph lc) Cu trc
export c gi l IMAGE_EXPORT_DIRECTORY . C 11 thnh phn trong cu trc
ny nhng c mt s khng quan trng :
21
nName Internal name ca module. Trng ny thc s cn thit bi v tn ca
file c th b thay i bi ngi s dng . Nu iu xy ra , trnh PE loader s s
dng Internal name ny. nBase Bt u ca s th t hay s ch s (Trng ny c s
dng ly nhng index trong addressof-function array xem bn di).
NumberOfFunctions Tng s cc hm m c exported bi module. NumberOfNames
S lng cc Symbols c exported bng name. Gi tr ny khng phi l s lng ca
tt c cc hm/symbols trong module. ly c con s ny, bn cn phi kim tra
NumberOfFunctions .N c th l 0. Trong trng hp y, module c th export
bng ordinal only. Nu khng c hm / symbol c exported trong trng hp u
tin , th RVA ca bng Export table trong data directory s l 0.
AddressOfFunctions mt RVA tr ti mt mng ca cc con tr ti cc hm trong
module Export Address Table (EAT). s dng n theo cch khc, nhng RVA
tr ti cc hm trong module c gi li trong mt mng v trng ny tr ti u ca
mng . AddressOfNames mt RVA tr ti mt mng cc RVA ca tn cc hm c lu
trong module Export Name Table (ENT). AddressOfNameOrdinals mt RVA
tr ti mt mng 16 bit m cha cc ordinals ca cc named functions Export
Ordinal Table (EOT).
22
So the IMAGE_EXPORT_DIRECTORY structure points to three arrays and a table of ASCII strings. The important array is the EAT, since it is an array of function pointers holding the addresses of the exported functions. The other two arrays (the ENT and the EOT) run in parallel, sorted in ascending order by function name, so that a binary search for a function name can be performed; the result is the ordinal of the function found, taken from the other array. The ordinal is simply an index into the EAT for that function.
Since the EOT array exists as a link between names and addresses, it cannot contain more elements than the ENT array. For example: each name can have one and only one corresponding address. The reverse is not true: one address can have several names corresponding to it. If there are functions with alias names referring to the same address, the ENT will have more elements than the EOT.
For example, if a DLL exports 40 functions, it must have 40 entries in the array pointed to by AddressOfFunctions (the EAT), and the NumberOfFunctions field must contain the value 40. To look up a function from its name, the operating system (OS) first reads the values of NumberOfFunctions and NumberOfNames from the Export Directory. Next it walks the arrays pointed to by AddressOfNames (ENT) and AddressOfNameOrdinals (EOT) at the same time, looking for the function name. If the function name is found in the ENT, the value of the corresponding element in the EOT is extracted and used as the index into the EAT. For example, in our 40-function DLL above we want to find function X. If we find the name X (indirectly, through another pointer) at element 39 of the ENT, we look at element 39 of the EOT and find the value 5. We then look at element 5 of the EAT to find the RVA of function X. If you already have the ordinal of a function, you can find its address by going straight to the EAT. Although getting a function's address through its ordinal is much easier and faster than using its name, the drawback is that it makes the module hard to maintain: if the DLL is upgraded/updated and the ordinals of the functions change, other programs that depend on this DLL will break.
Exporting by Ordinal Only :
NumberOfFunctions must be at least equal to NumberOfNames. However, sometimes NumberOfNames is smaller than NumberOfFunctions. When a function is exported by ordinal, it is not listed in either the ENT or the EOT: it has no name. Functions that have no name are exported by ordinal. For example, if there are 70 functions but only 40 entries in the ENT, it means that 30 functions in the module are exported by ordinal. So how do we find out which functions these are? It is not easy. You have to find them by elimination, i.e. the entries in the EAT that are not referenced by the EOT contain the RVAs of the functions exported by ordinal. The programmer can specify the starting ordinal in a .def file; for example, the tables in the illustration above could start at 200. To avoid the need for 200 empty elements at the head of the array, the nBase member holds the starting value and the loader subtracts it from the ordinals to obtain the real index into the EAT.
Export Forwarding :
Sometimes functions appear to be exported from a particular DLL, but in fact those functions live in a completely different DLL. This is called Export Forwarding. For example, on WinNT, Win2k and WinXP the kernel32.dll function HeapAlloc is forwarded to the function RtlAllocHeap exported by ntdll.dll. NTDLL.DLL also contains the native APIs that interface directly with the Windows kernel. Forwarding is performed at link time through a special instruction in the .DEF file. Forwarding is a technique Microsoft uses to expose a common set of APIs and hide the underlying platform differences between the NT family of operating systems and the 9X family. Applications are not supposed to call functions in the native API set, as that would break compatibility between Win9x and 2K/XP. This may explain why packed executables that were unpacked and had their import tables rebuilt by hand on one OS may not run on another OS, because of the API forwarding system or some other detail that was modified. When a symbol (function) is forwarded, its RVA clearly cannot be a code or data address in the current module. Instead, the EAT contains a pointer to an ASCII string made of the DLL and function name it is forwarded to. In the previous example it would be NTDLL.RtlAllocHeap.
So if the EAT entry for a function points to an address inside the Export Section (i.e. the ASCII string) instead of pointing out to another DLL, you know the function is forwarded.
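As an added example (not part of the original tutorial), the following Python script builds a small constructed export section laid out as described above and then performs the same lookups the loader does: a binary search of the ENT that yields an index into the EOT, an ordinal lookup that subtracts nBase, the elimination method for finding functions exported by ordinal only, and the forwarder check (an EAT entry whose RVA falls inside the export directory is a "DLL.Func" string). The module name TOY.DLL, the function names, the RVAs and the section layout are all made up for the illustration.

```python
import struct
from bisect import bisect_left

# IMAGE_EXPORT_DIRECTORY: Characteristics, TimeDateStamp, MajorVersion,
# MinorVersion, nName, nBase, NumberOfFunctions, NumberOfNames,
# AddressOfFunctions, AddressOfNames, AddressOfNameOrdinals (40 bytes)
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)


def build_export_section(base_rva, module, exports, nbase):
    """Construct an export section image (directory, EAT, ENT, EOT, strings).

    exports[i] describes ordinal nbase + i as (name_or_None, target); target
    is an RVA inside the module or a "DLL.Func" forwarder string. A None
    name means the function is exported by ordinal only.
    """
    named = sorted((n, i) for i, (n, _) in enumerate(exports) if n is not None)
    n_funcs, n_names = len(exports), len(named)
    eat_off = EXPORT_DIR_SIZE
    ent_off = eat_off + 4 * n_funcs
    eot_off = ent_off + 4 * n_names
    str_off = eot_off + 2 * n_names
    strings = bytearray()

    def add_string(s):  # append a NUL-terminated ASCII string, return its RVA
        rva = base_rva + str_off + len(strings)
        strings.extend(s.encode() + b"\0")
        return rva

    name_rva = add_string(module)
    # A forwarder's EAT entry points at a "DLL.Func" string that lives inside
    # the export directory itself, which is how a reader recognises it.
    eat = [add_string(t) if isinstance(t, str) else t for _, t in exports]
    ent = [add_string(n) for n, _ in named]          # sorted, for binary search
    eot = [i for _, i in named]                      # index into the EAT
    header = struct.pack(EXPORT_DIR_FMT, 0, 0, 0, 0, name_rva, nbase,
                         n_funcs, n_names, base_rva + eat_off,
                         base_rva + ent_off, base_rva + eot_off)
    return (header + struct.pack(f"<{n_funcs}I", *eat)
            + struct.pack(f"<{n_names}I", *ent)
            + struct.pack(f"<{n_names}H", *eot) + bytes(strings))


class ExportDirectory:
    """Parses an export section image whose first byte sits at base_rva."""

    def __init__(self, section, base_rva):
        self.data, self.base, self.size = section, base_rva, len(section)
        fields = struct.unpack_from(EXPORT_DIR_FMT, section, 0)
        (name_rva, self.nbase, self.n_funcs, self.n_names,
         eat_rva, ent_rva, eot_rva) = fields[4:]
        self.module = self.string_at(name_rva)
        self.eat = list(struct.unpack_from(f"<{self.n_funcs}I", section, eat_rva - base_rva))
        self.ent = [self.string_at(r) for r in
                    struct.unpack_from(f"<{self.n_names}I", section, ent_rva - base_rva)]
        self.eot = list(struct.unpack_from(f"<{self.n_names}H", section, eot_rva - base_rva))

    def string_at(self, rva):
        off = rva - self.base
        return self.data[off:self.data.index(b"\0", off)].decode()

    def lookup_by_ordinal(self, ordinal):
        idx = ordinal - self.nbase                   # nBase is the first ordinal
        if not 0 <= idx < self.n_funcs:
            return None
        rva = self.eat[idx]
        if self.base <= rva < self.base + self.size:  # inside the export section
            return ("forwarded", self.string_at(rva))
        return ("rva", rva)

    def lookup_by_name(self, name):
        i = bisect_left(self.ent, name)              # ENT is sorted: binary search
        if i == self.n_names or self.ent[i] != name:
            return None
        return self.lookup_by_ordinal(self.eot[i] + self.nbase)

    def ordinal_only(self):
        """Functions with no name: EAT slots never referenced from the EOT."""
        named_idx = set(self.eot)
        return [i + self.nbase for i in range(self.n_funcs)
                if i not in named_idx and self.eat[i] != 0]


# Constructed toy DLL: five exports starting at ordinal 200, two of them
# nameless and one forwarded, mirroring the cases discussed above.
TOY_EXPORTS = [("Alpha", 0x1000), ("Beta", 0x1100), (None, 0x1200),
               ("HeapAlloc", "NTDLL.RtlAllocHeap"), (None, 0x1300)]
TOY_SECTION = build_export_section(0x3000, "TOY.DLL", TOY_EXPORTS, 200)
toy = ExportDirectory(TOY_SECTION, 0x3000)

if __name__ == "__main__":
    print(toy.module, toy.n_funcs, toy.n_names)
    print(toy.lookup_by_name("Beta"), toy.lookup_by_name("HeapAlloc"))
    print(toy.lookup_by_ordinal(202), toy.ordinal_only())
```

The forwarder test is the one the text gives: the RVA is compared against the range of the export section rather than against the module's code or data, so the same check works whatever section the directory lives in.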
8. The Import Section :
The Import Section (usually known as .idata) contains information about all the functions the executable imports from DLLs. This information is stored in several data structures. The most important parts of this section are the Import Directory and the Import Address Table, which we discuss next. Some executables may also have Bound_Import and Delay_Import directories. The Delay_Import directory is not very important to us, but we will cover the Bound_Import directory in a later part. The Windows loader is responsible for loading all the DLLs the application uses and mapping them into the process address space. It has to find the addresses of all the imported functions in their various DLLs and make them available to the executable being loaded. The addresses of functions inside a DLL are not static: they change when updated versions of the DLL are released, so applications cannot be built with hardcoded function addresses. For that reason a mechanism was developed that allows such changes without requiring many modifications to the executable's code at run time. This is accomplished through the use of an Import Address Table (IAT). This is a table of pointers to the function addresses, filled in by the Windows loader when the DLLs are loaded. By using a table of pointers, the loader does not have to change the addresses of the imported functions everywhere in the code they are called from. All it has to do is write the correct address into a single place in the import table and its job is done.
The Import Directory :
The Import Directory is actually an array of IMAGE_IMPORT_DESCRIPTOR structures. Each structure is 20 bytes and contains information about one DLL our PE file imports functions from. For example, if our PE file imports functions from 10 different DLLs, there will be 10 IMAGE_IMPORT_DESCRIPTOR structures in this array. There is no field that tells us the number of structures in the array. Instead, the last structure has all its fields filled with zeros. As with the Export Directory, you can find where the Import Directory is by looking at the Data Directory (80 bytes from the start of the PE Header). Of its members, the first and the last are the most important:
The first member, OriginalFirstThunk, is a DWORD union which at one time was a set of flags. However, Microsoft changed its meaning and never bothered to update WINNT.H. This field actually contains the RVA of an array of IMAGE_THUNK_DATA structures. [Incidentally, the word "union" used above simply means a redefinition of the same memory location. The union above does not contain 2 DWORDs but only one, which may hold either OriginalFirstThunk data or Characteristics data.] The next member is TimeDateStamp, which is set to 0 unless the executable is bound, in which case it contains -1 (see below). The next member, ForwarderChain, is used for old-style binding and will not be discussed here. The Name1 member contains a pointer (RVA) to the ASCII name string of the DLL. The last member is FirstThunk, which also contains the RVA of an array of IMAGE_THUNK_DATA structures, a copy of the first array. If the function is described as a bound import (see below), FirstThunk contains the actual address of the function instead of an RVA to an IMAGE_THUNK_DATA. These structures are defined as follows:
Each IMAGE_THUNK_DATA is a DWORD union that in practice contains only one of two values. In the file on disk it contains either the ordinal of the imported function or an RVA to an IMAGE_IMPORT_BY_NAME structure. Once loaded, the structures pointed to by FirstThunk are overwritten with the addresses of the imported functions; this becomes the Import Address Table. Each IMAGE_IMPORT_BY_NAME structure is defined as illustrated below:
Hint: contains the index into the Export Address Table of the DLL the function lives in. This field is used by the PE loader so that it can look the function up in the DLL's Export Address Table quickly. The name at that index is tried, and if it does not match, a binary search is performed to find the name. Usually this value is not required and some linkers set this field to 0.
Name1: contains the name of the imported function. The name is a null-terminated ASCII string. Note that the size of Name1 is defined as one byte, but in reality it is a variable-sized field. There is no way to represent a variable-sized field in a structure; the structure is provided so that you can refer to it by descriptive names.
The most important parts are the imported DLL names and the arrays of IMAGE_THUNK_DATA structures. Each IMAGE_THUNK_DATA structure corresponds to one function imported from the DLL. The arrays pointed to by OriginalFirstThunk and FirstThunk run in parallel and are terminated by a null DWORD. This is the pair of arrays of IMAGE_THUNK_DATA structures that exists for each imported DLL. To put it another way, there are many IMAGE_IMPORT_BY_NAME structures. You create two arrays, then fill both with the RVAs of the IMAGE_IMPORT_BY_NAME structures, so both arrays contain the same values. Now you can assign the RVA of the first array to OriginalFirstThunk and the RVA of the second array to FirstThunk. The number of elements in the OriginalFirstThunk and FirstThunk arrays depends on the number of functions imported from the DLL. For example, if the PE file imports 10 functions from user32.dll, the Name1 member of the IMAGE_IMPORT_DESCRIPTOR structure contains the RVA of the string user32.dll and there will be 10 IMAGE_THUNK_DATA in each array. The two parallel arrays are referred to by various names, but the most common are the Import Address Table (for the one pointed to by FirstThunk) and the Import Name Table or Import Lookup Table (for the one pointed to by OriginalFirstThunk). Why are there two parallel arrays of pointers to the IMAGE_IMPORT_BY_NAME structures? The Import Name Table stays intact and is never modified. The Import Address Table is overwritten with the actual function addresses by the loader. The loader iterates through each pointer to the functions and finds the address of the function each structure refers to. The loader then overwrites the pointer to the IMAGE_IMPORT_BY_NAME with the function's address. The arrays of RVAs in the Import Name Tables remain unchanged, so if it is ever necessary to find the names of the imported functions, the PE loader can still find them. Although the IAT is pointed to by entry number 12 in the Data Directory, some linkers do not set this directory entry and the application still runs. The loader only uses it to temporarily mark the IAT as read-write during import resolution, and it can resolve the imports without it. This is how the Windows loader can overwrite the IAT when it lives in a read-only section: at load time the system temporarily sets the attributes of the pages containing the import data to read-write. Once the import table has been initialised, the pages are set back to their original protection attributes.
Calls to the imported functions go through a function pointer in the IAT. For example, imagine that address 00405030 refers to one entry in the FirstThunk array which the loader overwrote with the address of the GetMessage function in USER32.DLL. The efficient way to call GetMessage looks like this:

    0040100C CALL DWORD PTR [00405030]

The less efficient way is as follows:

    0040100C CALL [00402200]
    .......
    .......
    00402200 JMP DWORD PTR [00405030]

The second method achieves the same result but uses 5 extra bytes of code and takes longer to execute because of the extra jump. Why are calls to imported functions made this way? The compiler cannot distinguish between ordinary calls to functions in the same module and calls to imported functions, and emits the same output for both: CALL [XXXXXXXX]. Here XXXXXXXX must be a real code address (not a pointer) filled in later by the linker. The linker does not know the address of the imported function and so has to provide a substitute piece of code, the jump stub seen above. The optimised way is to use the _declspec(dllimport) modifier to tell the compiler that the function lives in a DLL. This results in CALL DWORD PTR [XXXXXXXX].
If _declspec(dllimport) is not used when compiling an executable, there will be a large set of jump stubs for the imported functions placed together somewhere in the code section. This is known by various names such as "transfer area", "trampoline" or "jump thunk table".
Functions Exported by Ordinal Only :
As we discussed in the part about the Export section, some functions are exported by ordinal. In this case there is no IMAGE_IMPORT_BY_NAME structure for the function in the caller's module. Instead, the IMAGE_THUNK_DATA for the function contains the function's ordinal. Before the executable is loaded, you can tell whether an IMAGE_THUNK_DATA structure contains an ordinal or an RVA by looking at the most significant bit (MSB), or high bit. If it is set, the lower 31 bits are treated as an ordinal value. If it is not set, the value is an RVA to an IMAGE_IMPORT_BY_NAME. Microsoft provides a handy constant for testing the MSB of a DWORD, IMAGE_ORDINAL_FLAG32. Its value is 80000000h. For example, if a function is exported by ordinal and its ordinal is 1234h, the IMAGE_THUNK_DATA for the function will be 80001234h.
Bound Imports :
When the loader loads a PE file into memory, it checks the import table and loads the required DLLs into the process address space. It then walks the array pointed to by FirstThunk and replaces the IMAGE_THUNK_DATA with the actual addresses of the imported functions. This stage takes quite a lot of time. If for some reason the programmer could predict the addresses of the functions accurately, the PE loader would not have to fix up the IMAGE_THUNK_DATA every time the PE file is executed, because the correct addresses would already be there. Binding is the product of that idea. There is a utility named bind.exe, shipped with Microsoft's compilers, which checks the IAT (the FirstThunk array) of a PE file and replaces the IMAGE_THUNK_DATA DWORDs with the addresses of the imported functions. When the file is loaded, the PE loader has to check whether those addresses are valid. If the version of the DLL does not match the one recorded in the PE file, or if the DLL had to be relocated, the PE loader knows that the bound addresses are stale and walks the Import Name Table (the OriginalFirstThunk array) to compute the new addresses. So although the INT is not necessary for an executable to load, if it is not present the executable cannot be bound. For a long time Borland's linker TLINK did not create an INT, so files built by Borland could not be bound. We will see another consequence of a missing INT in the following sections.
The Bound_Import_Directory :
The information the loader uses to decide whether the bound addresses are valid is kept in an IMAGE_BOUND_IMPORT_DESCRIPTOR structure. A bound executable contains a list of these structures, one for each imported DLL that was bound:
The TimeDateStamp member must match the TimeDateStamp in the exporting DLL's header. If it does not match, the loader assumes the binary was bound to the wrong DLL and re-walks the import list. This can happen if the version of the exporting DLL does not match or if it had to be relocated in memory. The OffsetModuleName member contains the offset (not an RVA) from the first IMAGE_BOUND_IMPORT_DESCRIPTOR to the name of the DLL as a null-terminated ASCII string. The NumberOfModuleForwarderRefs member contains the number of IMAGE_BOUND_FORWARDER_REF structures that immediately follow this structure. That structure is defined as follows:
As you can see, it is almost identical to the structure above, except that the last member is reserved in all cases. The reason for the two similar structures is that when binding to a function which is forwarded to another DLL, the validity of the forwarded-to DLL must also be checked at load time. IMAGE_BOUND_FORWARDER_REF holds the details of the forwarded DLLs. For example, the HeapAlloc function in kernel32.dll is forwarded to the RtlAllocateHeap function in ntdll.dll. If we built an application that imports HeapAlloc and ran bind.exe on it, there would be an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll followed by an IMAGE_BOUND_FORWARDER_REF for ntdll.dll. Note: the names of the functions themselves are not included in these structures, since the loader already knows which functions are bound from the IMAGE_IMPORT_DESCRIPTOR (see above).
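The loader's validity check described above, as an added example that is not part of the original tutorial: the script constructs a Bound_Import directory (an IMAGE_BOUND_IMPORT_DESCRIPTOR for kernel32.dll with one IMAGE_BOUND_FORWARDER_REF for ntdll.dll, and one for user32.dll), parses it back, and decides per DLL whether the bound addresses can be trusted by comparing each TimeDateStamp with that of the DLL actually mapped into the process and requiring that it was not relocated. The timestamps and the `loaded` table are constructed values, not taken from any real DLL.

```python
import struct

# IMAGE_BOUND_IMPORT_DESCRIPTOR: TimeDateStamp (DWORD), OffsetModuleName (WORD),
# NumberOfModuleForwarderRefs (WORD). IMAGE_BOUND_FORWARDER_REF has the same
# layout with the last WORD reserved.
BOUND_FMT = "<IHH"
BOUND_SIZE = struct.calcsize(BOUND_FMT)   # 8


def build_bound_directory(entries):
    """Construct a Bound_Import directory for illustration.

    entries: list of (dll, timestamp, [(forwarded_dll, timestamp), ...]).
    Name offsets are relative to the first descriptor, not RVAs.
    """
    n_structs = sum(1 + len(f) for _, _, f in entries) + 1  # + zero terminator
    names = bytearray()

    def add_name(name):
        off = BOUND_SIZE * n_structs + len(names)
        names.extend(name.encode() + b"\0")
        return off

    out = b""
    for dll, stamp, fwds in entries:
        out += struct.pack(BOUND_FMT, stamp, add_name(dll), len(fwds))
        for fdll, fstamp in fwds:                       # refs follow immediately
            out += struct.pack(BOUND_FMT, fstamp, add_name(fdll), 0)
    return out + bytes(BOUND_SIZE) + bytes(names)


def _name(data, off):
    return data[off:data.index(b"\0", off)].decode()


def parse_bound_directory(data):
    """Return [(dll, timestamp, [(forwarded_dll, timestamp), ...]), ...]."""
    out, off = [], 0
    while True:
        stamp, name_off, n_fwd = struct.unpack_from(BOUND_FMT, data, off)
        if stamp == 0 and name_off == 0:                 # terminator
            return out
        off += BOUND_SIZE
        fwds = []
        for _ in range(n_fwd):
            fstamp, fname_off, _reserved = struct.unpack_from(BOUND_FMT, data, off)
            fwds.append((_name(data, fname_off), fstamp))
            off += BOUND_SIZE
        out.append((_name(data, name_off), stamp, fwds))


def check_bindings(bound_dir, loaded):
    """Decide, per bound DLL, whether the pre-computed IAT addresses are usable.

    loaded maps a lower-case DLL name to (timestamp of the mapped DLL's
    header, relocated?). A stale stamp or a relocated DLL, in the DLL itself
    or in any DLL it forwards to, means the loader must re-walk the INT.
    """
    def fresh(dll, stamp):
        info = loaded.get(dll.lower())
        return info is not None and info[0] == stamp and not info[1]

    return {dll: fresh(dll, stamp) and all(fresh(f, s) for f, s in fwds)
            for dll, stamp, fwds in parse_bound_directory(bound_dir)}


# Constructed sample: the HeapAlloc case from the text (kernel32 -> ntdll).
SAMPLE_BOUND = build_bound_directory([
    ("kernel32.dll", 0x41107F2B, [("ntdll.dll", 0x411071C2)]),
    ("user32.dll", 0x41107F3A, []),
])
LOADED_OK = {"kernel32.dll": (0x41107F2B, False),
             "ntdll.dll": (0x411071C2, False),
             "user32.dll": (0x41107F3A, False)}

if __name__ == "__main__":
    print(check_bindings(SAMPLE_BOUND, LOADED_OK))
```

Note that a stale forwarder reference (ntdll.dll here) invalidates the binding of kernel32.dll even though kernel32.dll's own stamp matches, which is exactly why the forwarder refs are recorded alongside the descriptor.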
9. The Windows Loader :
This part is not essential, but it is meant for those who want to dig deeper into how the operating system (OS) works.
What The Loader Does :
When an executable is run, the Windows loader creates a virtual address space for the process and maps the executable module from disk into the process's address space. It tries to load the image at its preferred base address and maps the sections into memory. The loader examines the section table and maps each section to an address computed by adding the section's RVA to the base address. The page attributes are set according to the section's characteristics. After mapping the sections into memory, the loader performs the relocation fixups if the load address is not equal to the preferred base address in ImageBase. The import table is then checked and any required DLLs are mapped into the process address space. After all DLL modules have been located and mapped in, the loader checks each DLL's export section and the IAT is fixed up to point to the actual addresses of the imported functions. If a symbol does not exist (a very rare case), the loader reports an error. Once all required modules have been loaded, execution is passed to the application's entry point. The part of most interest in RCE is the loading of the DLLs and the resolution of imports. This process is complicated by the many internal (forwarded) functions and routines centred in ntdll.dll which Micro$oft does not document. As we said earlier, function forwarding is a way for M$ to expose a common, widely used Win32 API set and hide the low-level functions, which may differ from one OS version to another. Many familiar kernel32 functions such as GetProcAddress are simply wrappers around ntdll.dll exports such as LdrGetProcAddress (which does the real work). To see this clearly you need to install Windbg and the Windows Symbol Package (provided by M$), or a kernel-mode debugger like SoftIce. You can only see these functions in Olly if you configure Olly to use the M$ symbol server; otherwise all you will see are pointers and memory addresses without function names. Olly is a user-mode debugger, however, and will only show you what happens once your application has been loaded; it will not let you watch the loading process. Although Windbg's features are limited and cannot compare with Olly's, it integrates well with the OS and will show us the loading process:
As you can see, many APIs are involved in loading an executable, all centred on the LoadLibraryExW function in kernel32.dll, which in turn leads to the internal function LdrpLoadDll in ntdll.dll. This function directly calls 6 further subroutines, LdrpCheckForLoadedDll, LdrpMapDll, LdrpWalkImportDescriptor, LdrpUpdateLoadCount, LdrpRunInitializeRoutines and LdrpClearLoadInProgress, which perform the following tasks:
1. Check whether the module is already loaded.
2. Map the module and its supporting information into memory.
3. Walk the module's import descriptor table (find other modules this one is importing).
4. Update the module's load count as well as any others brought in by this DLL.
5. Initialise the module.
6. Clear some sort of flag, indicating that the load has finished.
A DLL may itself import other modules, which starts a cascade of additional libraries. The loader has to iterate through each module, check whether it still needs to be loaded and then check its dependencies. That is why LdrpWalkImportDescriptor is here. LdrpWalkImportDescriptor has two subroutines: LdrpLoadImportModule and LdrpSnapIAT. First it starts with two calls to RtlImageDirectoryEntryToData to locate the Bound Imports Descriptor and Import Descriptor tables. Note that the loader checks the bound imports first; an executable without an import directory may have bound imports instead. Next LdrpLoadImportModule builds a Unicode string for each DLL found in the Import Directory and then hands them to LdrpCheckForLoadedDll to find out if they have already been loaded. Next the LdrpSnapIAT routine checks each DLL referenced in the Import Directory for a value of -1 (i.e. it again checks for bound imports first). It then changes the memory protection of the IAT to PAGE_READWRITE and proceeds to check each entry in the IAT before passing it to the LdrpSnapThunk subroutine. LdrpSnapThunk uses the function's ordinal to determine its address and decides whether it is forwarded or not. Otherwise it calls LdrpNameToOrdinal, which uses a binary search over the export table to determine the ordinal quickly. If the function is not found it returns STATUS_ENTRYPOINT_NOT_FOUND; otherwise it replaces the entry in the IAT with the API's entry point and returns to LdrpSnapIAT, which restores the memory protection it changed at the start of its work, calls NtFlushInstructionCache to force a cache refresh on the memory block holding the IAT, and then returns to LdrpWalkImportDescriptor. There is a notable difference between the Windows operating systems here: Win2k insists that ntdll.dll is loaded, either as a bound import or through the normal import directory, before it will allow an executable to load, whereas Win9x or XP will allow an application with no imports at all to load. This brief overview is greatly simplified but still illustrates how one call to LoadLibrary triggers a cascade of internal subroutines which are deeply nested and recursive in places. The loader has to check every imported API to compute an actual address in memory and to check whether an API is imported at all. Each imported DLL may bring in additional modules, and the process repeats again and again until all dependencies have been checked.
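To make the six-step walk above concrete, here is an added Python model of it; it is neither code from the tutorial nor Windows code, it only imitates the behaviour the text describes. A constructed module set stands in for app.exe, kernel32.dll, user32.dll and ntdll.dll, with HeapAlloc forwarded to ntdll.dll as in the Export Forwarding section; the import lists and the function addresses are made up. The Loader class checks whether a module is already loaded (bumping its load count if so), maps it, walks its imports recursively, snaps each IAT entry following forwarders, and initialises a module only after its dependencies.

```python
# Constructed module set: names taken from the text, import lists and
# addresses made up for the model. A string export value is a forwarder
# written the way the EAT stores it ("DLL.Func").
MODULES = {
    "app.exe": {"imports": {"kernel32.dll": ["HeapAlloc", "GetProcAddress"],
                            "user32.dll": ["GetMessageA"]},
                "exports": {}},
    "kernel32.dll": {"imports": {"ntdll.dll": ["RtlAllocateHeap", "LdrGetProcedureAddress"]},
                     "exports": {"HeapAlloc": "ntdll.RtlAllocateHeap",
                                 "GetProcAddress": 0x7C800010}},
    "user32.dll": {"imports": {"kernel32.dll": ["HeapAlloc"]},
                   "exports": {"GetMessageA": 0x7E400020}},
    "ntdll.dll": {"imports": {},
                  "exports": {"RtlAllocateHeap": 0x7C900030,
                              "LdrGetProcedureAddress": 0x7C900040}},
}

STATUS_ENTRYPOINT_NOT_FOUND = 0xC0000139


class EntryPointNotFound(LookupError):
    """Raised where LdrpSnapThunk would return STATUS_ENTRYPOINT_NOT_FOUND."""


class Loader:
    def __init__(self, modules):
        self.modules = modules
        self.load_count = {}    # LdrpCheckForLoadedDll / LdrpUpdateLoadCount
        self.init_order = []    # order LdrpRunInitializeRoutines would run in
        self.iat = {}           # (importer, dll, func) -> snapped address

    def load(self, name):
        """Models LdrpLoadDll for one module."""
        if name in self.load_count:            # 1./4. already loaded: bump the count
            self.load_count[name] += 1
            return
        if name not in self.modules:
            raise FileNotFoundError(name)
        self.load_count[name] = 1              # 2. map the module
        for dll, funcs in self.modules[name]["imports"].items():
            self.load(dll)                     # 3. walk import descriptors (recursive)
            for func in funcs:                 #    LdrpSnapIAT over this descriptor
                self.iat[(name, dll, func)] = self.snap(dll, func)
        self.init_order.append(name)           # 5. initialise after dependencies

    def snap(self, dll, func):
        """Models LdrpSnapThunk: resolve one export, following forwarders."""
        exports = self.modules[dll]["exports"]
        if func not in exports:
            raise EntryPointNotFound(f"{dll}!{func}")
        target = exports[func]
        if isinstance(target, str):            # forwarded: "DLL.Func" in the EAT
            fwd_dll, fwd_func = target.split(".", 1)
            fwd_dll += ".dll"
            if fwd_dll not in self.load_count:  # forwarded-to DLL must be mapped too
                self.load(fwd_dll)
            return self.snap(fwd_dll, fwd_func)
        return target


def run_sample(modules=MODULES, root="app.exe"):
    ldr = Loader(modules)
    ldr.load(root)
    return ldr


def try_load(modules, root):
    """Return None on success or the NTSTATUS-style failure code."""
    try:
        run_sample(modules, root)
    except EntryPointNotFound:
        return STATUS_ENTRYPOINT_NOT_FOUND
    return None


if __name__ == "__main__":
    ldr = run_sample()
    print(ldr.init_order, ldr.load_count)
    print({k: hex(v) for k, v in ldr.iat.items()})
```

Running it shows ntdll.dll initialised first and kernel32.dll ending with a load count of 2 (referenced by both app.exe and user32.dll), and the same ntdll.dll address snapped into both HeapAlloc IAT slots although neither importer names ntdll.dll directly.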
10. Navigating Imports :
Navigating Imports on Disk :
If you want to find information about a function imported from a DLL ("foo" from DLL "bar"), first find the RVA of the Import Directory in the Data Directory, locate it in the raw section data,
and you now have an array of IMAGE_IMPORT_DESCRIPTORs. Find the member of this array that relates to bar.dll by checking the strings pointed to by the Name field. When you have found the right IMAGE_IMPORT_DESCRIPTOR, follow its FirstThunk and take the pointer to the array of IMAGE_THUNK_DATAs, check the RVAs and look for the function "foo". Returning to our example in the hex editor, we will find the location of the import table to see what we are looking for. As we said earlier, the RVA of the Import Directory is stored in the DWORD 80h bytes from the PE Header, which in our example is at offset 180h, and the RVA is 2D000h (see the Data Directory part). Now we have to convert the RVA to a raw offset in order to examine the exact place in our file on disk. Check the Section Table to see which section the address of the Import Directory falls in. In our case the Import Directory starts at the beginning of the .idata section, and we know the section table stores the raw offset in the PointerToRawData DWORD. In our example this offset is 2AC00h (see the section table part). Any PE editor will give us the result shown below. For example, using LordPE we have:
The difference between the RVA and the raw offset is 2D000h - 2AC00h = 2400h. Make a note of this, because it will be useful for converting offsets. See the appendix for more information on converting RVAs. At offset 2AC00h we have the Import Directory: an array of IMAGE_IMPORT_DESCRIPTORs, each 20 bytes, repeated for each import library (DLL) until terminated by 20 bytes of 00h. In the hex editor we see the following at 2AC00h:
Each group of 5 DWORDs represents one IMAGE_IMPORT_DESCRIPTOR. The first group shows us that in this PE file the OriginalFirstThunk, TimeDateStamp and ForwarderChain members are set to 0. Finally we reach a set of 5 DWORDs all set to 0 (coloured in the picture), which tells us this is the end of the array. We can see that we import functions from 8 DLLs.
Important note: the OriginalFirstThunk fields in our example are all set to 0. This is typical of executables built with the Borland compiler and linker and is worth remembering for the reason explained next. In a packed executable the FirstThunk pointers are invalidated, but they can sometimes be rebuilt by copying the OriginalFirstThunks (which many simple packers do not seem to bother removing). There is in fact a handy tool called First_Thunk Rebuilder by Lunar_Dust that does exactly this. With Borland-built files, however, this is impossible because the OriginalFirstThunks are all zero and there is no INT:
Returning to our example above, the Name1 field of the first IMAGE_IMPORT_DESCRIPTOR contains the RVA 00 02 D5 30h (NB reverse byte order). Convert this to a raw offset by subtracting 2400h (as noted above) and we get 2B130h. If we look there in our PE file we see the name of the DLL:
Continuing, the FirstThunk field contains the RVA 00 02 D0 B4h, which after conversion gives a raw offset of 2ACB4h. Remember that this is the offset of the array of DWORD-sized IMAGE_THUNK_DATA structures, the IAT. Each one will either have its most significant bit set (it will start with 8), in which case the lower part contains the ordinal of the imported function, or, if the MSB is not set, it will contain another RVA, to the function name (IMAGE_IMPORT_BY_NAME). In our file, the DWORD at 2ACB4h is 00 02 D5 3E:
This is another RVA, which converts to raw offset 2B13E. At this point there will be a null-terminated ASCII string, as we see below:
So the name of the first API imported from kernel32.dll is DeleteCriticalSection. You may notice the 2 zero bytes in front of the function name. That is the Hint element, which is usually set to 00 00. All of this can be verified with PE Browse Pro's analysis of the IAT, as illustrated below:
If the file is loaded into memory, dumped and examined in the hex editor, the DWORD at RVA 2D0B4h, which contained 3E D5 02 00 on disk, will have been overwritten by the loader with the address of DeleteCriticalSection in kernel32.dll:
Allowing for reverse byte order this is 7C91188A.
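As an added example serving both the description of the import structures in section 8 and the on-disk walk just performed, the following Python script (not code from the tutorial) builds a constructed file image with a small section table and an .idata section, then walks it the way described: convert the Import Directory RVA to a raw offset through the section table, read IMAGE_IMPORT_DESCRIPTORs until the all-zero terminator, follow OriginalFirstThunk (falling back to FirstThunk when it is 0, as in the Borland case), and decode each IMAGE_THUNK_DATA as either an ordinal (IMAGE_ORDINAL_FLAG32 set) or an RVA to an IMAGE_IMPORT_BY_NAME with its Hint. The section addresses, the DLL and function lists and the hint values are constructed; the offsets differ from the tutorial's example file.

```python
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain,
# Name1, FirstThunk (5 DWORDs, 20 bytes)
DESC_FMT = "<IIIII"
DESC_SIZE = 20

# Constructed section table: (name, VirtualAddress, VirtualSize,
# PointerToRawData, SizeOfRawData). Not the tutorial's example file.
SECTIONS = [
    ("CODE", 0x1000, 0x200, 0x200, 0x200),
    (".idata", 0x3000, 0x200, 0x400, 0x200),
]


def rva_to_raw(rva, sections=SECTIONS):
    """raw = RVA - VirtualAddress + PointerToRawData of the containing section."""
    for _name, va, vsize, raw, rsize in sections:
        if va <= rva < va + max(vsize, rsize):
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")


def build_idata(idata_rva, imports, borland=False):
    """Construct an .idata image: descriptors, INT, IAT, then strings.

    imports: [(dll, [func_name | ordinal_int, ...]), ...]. With borland=True
    OriginalFirstThunk is written as 0, as in Borland-linked files.
    """
    n_thunks = sum(len(e) + 1 for _, e in imports)     # +1 null terminator each
    int_off = DESC_SIZE * (len(imports) + 1)
    iat_off = int_off + 4 * n_thunks
    str_off = iat_off + 4 * n_thunks
    strings, descs, thunks = bytearray(), b"", []

    def add(b):
        rva = idata_rva + str_off + len(strings)
        strings.extend(b)
        return rva

    for dll, entries in imports:
        name_rva = add(dll.encode() + b"\0")
        first = len(thunks)
        for hint, e in enumerate(entries):              # constructed hint values
            if isinstance(e, int):                      # import by ordinal
                thunks.append(IMAGE_ORDINAL_FLAG32 | e)
            else:                                       # IMAGE_IMPORT_BY_NAME
                thunks.append(add(struct.pack("<H", hint) + e.encode() + b"\0"))
        thunks.append(0)
        oft = 0 if borland else idata_rva + int_off + 4 * first
        descs += struct.pack(DESC_FMT, oft, 0, 0, name_rva,
                             idata_rva + iat_off + 4 * first)
    descs += bytes(DESC_SIZE)                           # all-zero terminator
    arr = struct.pack(f"<{n_thunks}I", *thunks)
    return descs + arr + arr + bytes(strings)           # INT and IAT identical on disk


def sample_file(borland=False):
    """Constructed file image: .idata at raw 0x400, mapped at RVA 0x3000."""
    image = bytearray(0x600)
    idata = build_idata(0x3000, [
        ("KERNEL32.dll", ["DeleteCriticalSection", "GetProcAddress"]),
        ("USER32.dll", [0x1234, "GetMessageA"]),
    ], borland)
    image[0x400:0x400 + len(idata)] = idata
    return bytes(image)


def read_cstring(data, off):
    return data[off:data.index(b"\0", off)].decode()


def walk_imports(data, import_dir_rva, sections=SECTIONS):
    """Return one dict per IMAGE_IMPORT_DESCRIPTOR, as read from the file on disk."""
    result, off = [], rva_to_raw(import_dir_rva, sections)
    while True:
        desc = struct.unpack_from(DESC_FMT, data, off)
        if not any(desc):
            return result                                # 20 zero bytes end the array
        oft, stamp, _fwd, name_rva, ft = desc
        entries, t_off = [], rva_to_raw(oft or ft, sections)  # INT, else IAT
        while True:
            thunk, = struct.unpack_from("<I", data, t_off)
            if thunk == 0:
                break
            if thunk & IMAGE_ORDINAL_FLAG32:             # MSB set: ordinal
                entries.append(("ordinal", thunk & 0x7FFFFFFF))
            else:                                        # RVA to Hint + name
                ibn = rva_to_raw(thunk, sections)
                hint, = struct.unpack_from("<H", data, ibn)
                entries.append(("name", hint, read_cstring(data, ibn + 2)))
            t_off += 4
        result.append({"dll": read_cstring(data, rva_to_raw(name_rva, sections)),
                       "bound": stamp == 0xFFFFFFFF,     # -1 marks a bound import
                       "iat_rva": ft, "has_int": oft != 0, "entries": entries})
        off += DESC_SIZE


if __name__ == "__main__":
    for imp in walk_imports(sample_file(), 0x3000):
        print(imp["dll"], hex(imp["iat_rva"]), imp["entries"])
```

Reading the names through the INT rather than the IAT matters once the file has been loaded and dumped: the IAT DWORDs are then real addresses (like the 7C91188A seen above) and no longer point at IMAGE_IMPORT_BY_NAME structures, which is the situation the Borland case leaves you without a fallback for.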
Important note: functions in the system DLLs are always at addresses beginning 7XXXXXXX and are at the same place every time programs are loaded. However, they change if you reinstall your OS and differ from one computer to another:
The addresses also differ between operating systems, for example:
Windows Update also occasionally changes the base locations of the system DLLs. That is why some people spend time looking for the location of the famous point-h breakpoint on their own system (it is prone to change unexpectedly since it is in a function inside user32.dll).
Navigating Imports in Memory :
Load our file into Olly and once again look at the Memory Map window:
Note that the address of the .idata section is 42D000, corresponding to the RVA 2D000 mentioned earlier. The size has been rounded up to 2000 to fit the memory page boundaries. Olly's main CPU window shows us the addresses of the CODE section (from 401000 to 42AFFF). You can also examine the IAT in the disassembly window if it lies inside the CODE section. In most cases it will be in its own section, e.g. .idata, but you can view it in Olly's hex dump window by right-clicking it and choosing Dump in CPU. The Names window (press Ctrl+N) shows us the imported functions:
Right-clicking any function and then choosing Find References to Import shows you the jump thunk stub and the places in the code where the function is called (only 1 in our case):
Note: in the Comment column you will see that Olly identifies that DeleteCriticalSection in kernel32.dll is actually forwarded to RtlDeleteCriticalSection in ntdll.dll (see the explanation of Export Forwarding). Right-clicking again and choosing Follow Import in Disassembler, Olly shows us the address in the appropriate DLL where the function's code begins, e.g. starting at 7C91188A in ntdll.DLL:
If we look at the call to DeleteCriticalSection at 00401B12 we see the following:
As you can see in the illustration there is an instruction "CALL 00401314", but Olly substitutes the function name for us. 401314 is the address of the jmp stub pointing to the IAT. Note that it is part of the jmp thunk table mentioned earlier:
Here we see a jump instruction "JMP DWORD PTR DS:[0042D0B4]", but once again Olly substitutes the symbolic name for us. The address 0042D0B4 holds the Image_Thunk_Data structure in the IAT that the loader overwrote with the actual address of the function in kernel32.DLL: 7C91188A. This is what we found by right-clicking and choosing Follow Import in Disassembler, and also in the dumped file above.
11. Adding Code to a PE File :
Adding code to a PE file is necessary not only to crack a protection scheme; it also has applications in adding functionality to a PE file. There are 3 main ways to add code to an executable:
1. Add to an existing section when there is room for your code.
2. Enlarge an existing section when there is no room.
3. Add a completely new section.
Adding to an existing section :
We need a section in the file that is mapped with execute rights in memory, so the simplest choice is to work with the CODE section. Then we need an area of 00-byte padding in this section. Such areas are commonly known as caves. To find a cave that suits what we want, we look at the CODE section in detail with LordPE:
In the illustration above we see that VirtualSize is smaller than SizeOfRawData. The virtual size represents the amount of actual code; the size of raw data determines the amount of space the file uses on your hard disk. Note that the virtual size in this case is lower than the size on disk. That is because compilers usually round the size up to align a section on some boundary. In the hex editor, looking at the end of the CODE section (just before the DATA section, which starts at 2A400h), we see the following:
This extra space is completely unused and is not mapped into memory. We need to make sure the instructions we put in this space will be loaded into memory. We do this by changing the size attribute. Right now the virtual size of this section is 29E88, which is all the compiler needed. We need a little more, so in LordPE we change the virtual size of the CODE section to 29FFF, the largest size we can use (the whole raw size is only 2A000). To do this, right-click the CODE line, choose edit header, make the change above and save. Once that is done we have a suitable space to hold our patch code. The only thing we changed is the VirtualSize DWORD for the CODE section in the Section Table. We could also do this by hand with the hex editor. To illustrate further, we will add to our example program a small ASM routine that takes control at the entry point and then returns execution to the OriginalEntryPoint. All of this is done in OllyDbg. First, in LordPE we see that the EntryPoint is 0002ADB4 and the ImageBase is 400000. When we load the program into Olly, the EP will be 0042ADB4. We will add the following lines and then change the entry point to the first line of the code:

    MOV EAX,0042ADB4    ; Load in EAX the Original Entry Point (OEP)
    JMP EAX             ; Jump to OEP

We will put the instructions above at address 0002A300h as we saw in the hex editor. To convert this raw offset to an RVA for use in Olly we use the following formula (see the appendix): RVA = raw offset - raw offset of section + virtual offset of section + ImageBase = 2A300h - 400h + 1000h + 400000h = 42AF00h.
Then load the program into Olly and jump to our target location (press Ctrl+G and type the value calculated above, 42AF00h). Once there, press Space, type the first line of the code above and press assemble. Then do the same for the second line. We get something like the illustration below:
Next right-click, choose Copy to Executable and All modifications. Then choose Copy all and a new window appears. In this new window right-click again and choose Save File, and so on. Now we go back to LordPE (or the hex editor) and change the EntryPoint to 0002AF00 (ImageBase subtracted), choose Save and press OK. We run the program to test it and reopen it in Olly to see our new EntryPoint. In the hex editor we see the following; note the highlighted part:
Although this is only a tiny patch, we actually have room for 386 bytes of new code.
Enlarging an Existing Section
If there is no space at the end of the .text section we have to enlarge it. This raises the following problems:
1. If the section is followed by other sections, you will have to shift the following sections along to make room.
2. There are many different references inside the file headers that will need adjusting if you change the size of the file.
3. References between different sections (e.g. references to data values from the code section) will also need adjusting. In practice this is almost impossible to do without re-compiling and re-linking the original file.
Most of the problems above can be avoided by appending to the last section in the exe file. It does not matter which section that is, because we can change it to suit our requirements by editing the Characteristics field in the Section Table, by hand or with LordPE. First we locate the last section and change it so that it is readable and executable. As we said above, the code section is ideal for a patch because its characteristics flags are 60000020, meaning the code is executable and readable (see the appendix). However, if we put code and data in this section we will get a page fault because it is not writeable. To change this we need to add the flag 80000000, which gives us a new value of E0000020 for code, executable, readable and writeable. Similarly, if the last section is .reloc the flags will usually be 42000040 for initialized data, discardable and read-only. To be able to use this section we must add code, executable and writeable, and we must remove discardable to make sure the loader maps the section into memory. This gives us a new value of E0000060. All of this can be done by hand by adding the flags and editing the Characteristics field of the section header in a hex editor or in LordPE. In our example the last section is Resources:
This gives us a final Characteristics value of F0000060. In the illustration above we see that the RawSize (on disk) of this section is 8E00h bytes, but all of it appears to be in use (the VirtualSize is identical). Now we edit them and add 100h bytes to both to extend the section; the new value we get is 8F00h. There are a few other important values that also need changing. The SizeOfImage field in the PE header has to be increased by the same amount we added to extend the section, 100h. So SizeOfImage changes from 0003CE00h to 0003CF00h. Two other fields that are not shown in LordPE because they are less important are SizeOfCode and SizeOfInitializedData in the Optional Header. The application will still run without them being changed, but you should probably change them for completeness. We have to change these by hand. Both are DWORDs at offsets 1C and 20 from the start of the PE header (see the appendix).
The values 0002A000 and 0000DE00 are at the positions shown in the illustration. When we add 100h to them they become 0002A100 and 0000DF00. Then we reverse the byte order of these values to 00 A1 02 00 and 00 00 DF 00. Finally, copy and paste 100h of 00 bytes (16 rows in the hex editor) onto the end of the section and save the changes. Run the file to check for errors.
Adding a New Section
In some situations you may need to create a copy of an existing section to defeat self-checking procedures (e.g. SafeDisk), or to create a new section to hold code when proprietary information has been appended to the end of the file (as in Delphi compiled apps). The first job is to locate the NumberOfSections field in the PE header and increase it by 1. As mentioned in previous sections, most of these changes can be made with LordPE or by hand in a hex editor. Now, in your hex editor, copy and paste 100h of 00 bytes (16 rows) onto the end of the file and note the offset of the first new row. In our case it is 00038200h. This will be the start of our new section and will go into the RawOffset field of the Section Header. While we are here it is a good time to increase SizeOfImage by 100h as we did before. Next we go to the section headers, which start at offset F8 from the PE header. It is not necessary for these to be terminated by a header full of zeros. The number of headers is given by NumberOfSections, and there is usually some space at the end before the sections themselves begin (aligned to the FileAlignment value). Find the last section and add a new entry after it:
The next thing we have to do is decide what Virtual Offset, Virtual Size, Raw Offset and Raw Size we need. To decide this we look at the following values:
Virtual offset of formerly last section (.rsrc): 34000h
Virtual size of formerly last section (.rsrc): 8E00h
Raw offset of formerly last section (.rsrc): 2F400h
Raw size of formerly last section (.rsrc): 8E00h
Section Alignment: 1000h
File Alignment: 200h
The RVA and raw offset of our new section must be aligned to the boundaries above. The raw offset of the section is 00038200h as we said above (which luckily fits with FileAlignment). To get the Virtual Offset of our section we have to calculate: VirtualAddress of .rsrc + VirtualSize of .rsrc = 3CE00h. Since our SectionAlignment is 1000h we must round this up to the nearest multiple of 1000h, i.e. 3D000h. So we fill in our section header as follows:
The first 8 bytes will be Name1 (max. 8 chars); e.g. "NEW" will be 4E 45 57 00 00 00 00 00 (byte order not reversed)
The next DWORD is VirtualSize = 100h (with reverse byte order = 00 01 00 00)
The next DWORD is VirtualAddress = 3D000h (with reverse byte order = 00 D0 03 00)
The next DWORD is SizeOfRawData = 100h (with reverse byte order = 00 01 00 00)
The next DWORD is PointerToRawData = 38200h (with reverse byte order = 00 82 03 00)
The next 12 bytes can be left null
The final DWORD is Characteristics = E0000060 (for code, executable, read and write as discussed above)
In the hex editor we will see the following:
Save the changes, then run the program and check it in LordPE:
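The flag arithmetic in the two paragraphs above (60000020 to E0000020, 42000040 to E0000060) and the byte-by-byte section header just laid out can both be checked mechanically. The following is an added example written for this edit, not code from the tutorial or from LordPE; it assumes the .rsrc figures and alignments listed above and derives the NEW header from them with Python's struct module, so the bytes it emits can be compared with the hex editor view.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits (standard PE flag values)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_DISCARDABLE = 0x02000000
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes, little-endian)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def make_patchable(characteristics):
    """Rework the flags of an existing last section so the loader maps it and code
    can run and write there: add CODE|EXECUTE|READ|WRITE, clear DISCARDABLE.
    60000020 (.text) -> E0000020 and 42000040 (.reloc) -> E0000060, as in the text."""
    flags = (characteristics | IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
             | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)
    return (flags & ~IMAGE_SCN_MEM_DISCARDABLE) & 0xFFFFFFFF


def align_up(value, alignment):
    """Round value up to the next multiple of alignment (a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)


def plan_new_section(prev_virtual_address, prev_virtual_size, section_alignment,
                     file_size, file_alignment, size):
    """Place a new section after the formerly last one: VirtualAddress is the end of
    that section rounded up to SectionAlignment, PointerToRawData is the end of the
    file, which must already sit on a FileAlignment boundary (pad with 00 first)."""
    if file_size % file_alignment:
        raise ValueError("end of file is not aligned to FileAlignment; pad first")
    return {
        "VirtualAddress": align_up(prev_virtual_address + prev_virtual_size, section_alignment),
        "VirtualSize": size,
        "PointerToRawData": file_size,
        # The tutorial writes 100h here; the specification prefers a multiple of FileAlignment.
        "SizeOfRawData": size,
    }


def build_section_header(name, virtual_size, virtual_address, size_of_raw_data,
                         pointer_to_raw_data, characteristics):
    """Serialize one 40-byte IMAGE_SECTION_HEADER; struct pads the name to 8 bytes."""
    raw_name = name.encode("ascii")
    if len(raw_name) > 8:
        raise ValueError("section name is limited to 8 bytes")
    return struct.pack(SECTION_HEADER_FMT, raw_name, virtual_size, virtual_address,
                       size_of_raw_data, pointer_to_raw_data, 0, 0, 0, 0, characteristics)


def new_section_example():
    """Reproduce the tutorial's NEW section from the .rsrc figures given above."""
    plan = plan_new_section(prev_virtual_address=0x34000, prev_virtual_size=0x8E00,
                            section_alignment=0x1000, file_size=0x38200,
                            file_alignment=0x200, size=0x100)
    header = build_section_header("NEW", plan["VirtualSize"], plan["VirtualAddress"],
                                  plan["SizeOfRawData"], plan["PointerToRawData"],
                                  make_patchable(IMAGE_SCN_CNT_INITIALIZED_DATA))
    return plan, header


if __name__ == "__main__":
    plan, header = new_section_example()
    print(plan)
    print(header.hex(" "))
```

Because make_patchable ORs into the existing value, any other bits the original section carried survive, which is how a Resources section can end up at the F0000060 the text reports rather than E0000060.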
12. Adding Imports to an Executable :
This method is most often used when patching an app where we do not have the API functions we need. For a new section, the minimum information required by the loader to create a valid IAT is:
1. Each DLL must be declared with an IMAGE_IMPORT_DESCRIPTOR (IID), and remember to terminate the Import Directory with a null-filled one.
2. Each IID needs at least the 2 fields Name1 and FirstThunk; the rest can be set to 0 (setting OriginalFirstThunk = FirstThunk, i.e. duplicating the RVAs, also works).
3. Each FirstThunk entry must be an RVA to an Image_Thunk_Data (the IAT), which in turn contains a further RVA to the API name. The name must be a null-terminated ASCII string of variable length, preceded by 2 bytes (hint) which can be set to 0.
4. If IIDs are added, the isize field of the Import Table in the Data Directory may need changing. The IAT entries in the Data Directory do not need editing.
Writing the new import data in a hex editor and then pasting it into your target can take a lot of time. There are tools that can do this automatically (e.g. SnippetCreator, IIDKing, Cavewriter), but learning how to do the job by hand is still better. The main task is to append a new IID to the end of the Import Table; you will need 20 bytes for each DLL used, not forgetting 20 bytes for the null terminator. In almost all cases there will be no space at the end of the existing Import Table, so we will make a copy and rebuild it somewhere else.
Step 1 - create space for a new IID
This involves the following steps:
1. Move all the IIDs to a location where there is space. This can be anywhere: the end of the existing .idata section or an entirely new section.
2. Update the RVA of the new Import Directory in the Data Directory of the PE Header.
3. If necessary, round up the size of the section where you put the new Import Table so that everything is mapped into memory (e.g. VirtualSize of the .idata section rounded up to 1000h).
4. Run it and if it works move on to Step 2. If it does not, check that the injected descriptors are mapped into memory and that the RVA of the Import Directory is correct.
IMPORTANT NOTE: The IIDs, FirstThunk and OriginalFirstThunk contain RVAs - RELATIVE ADDRESSES, which means you can cut and paste the Import Directory (IIDs) anywhere you want in the PE file (taking into account that the destination has to be mapped into memory), and changing the RVA (and size if necessary) of the Import Directory in the Data Directory will make the application work perfectly.
Back in our application in the hex editor, the first IID and the null terminator are outlined in colour. As you can see in the picture below, there is no free space after the null IID:
However, there is a large amount of space at the end of the .idata section before the .rdata section begins. We will copy and paste the existing IIDs shown above to offset 2C500h at this new location:
To convert the new offset into an RVA (see the appendix): VA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection = 2C500 - 2AC00 + 2D000 = 2E900h. So change the virtual address of the import table in the Data Directory from 2D000 to 2E900. Now edit the header of the .idata section and change the VirtualSize to equal the RawSize so that the loader maps the whole section. Run our application to test it.
Step 2 - Add the new DLL and function details
This consists of the following steps:
1. Add null-terminated ASCII strings with the names of your DLL and function into the free space in the .idata section. The function name will actually be an Image_Import_By_Name structure preceded by a null DWORD (the hint field).
2. Calculate the RVAs of the above strings.
3. Put the RVA of the DLL name into the Name1 field of your new IID.
4. Find another DWORD-sized space and put the RVA of the hint/function name into it. This becomes the Image_Thunk_Data, or IAT, of our new DLL.
5. Calculate the RVA of the above Image_Thunk_Data DWORD and put it into the FirstThunk field of your new IID.
6. Run the application to test it. Your new API is ready to be called.
To fill in our new IID we need at least the Name1 and FirstThunk fields (the other fields can be nulled). As we know, the Name1 field contains the RVA of the DLL name in null-terminated ASCII. The FirstThunk field contains the RVA of an Image_Thunk_Data structure, which in turn contains another RVA, that of the function name in null-terminated ASCII. The name, however, is preceded by 2 bytes (Hint) which are set to zero. As an example, we want to use the LZCopy function, which copies an entire source file to a destination file. If our source file was compressed with the Microsoft File Compression Utility (COMPRESS.EXE), this function produces a decompressed destination file. If the source file is not compressed, the function simply duplicates the original file. This function lives in lz32.dll, which is not currently used by our application. So first we need to add strings for the names lz32.dll and LZCopy. In the hex editor we scroll up from our new import table to the end of the existing data and add the DLL name followed by the function name at this end. Note the null bytes after each string and the null DWORD before the function name:
We need to calculate their RVAs: RVA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection + ImageBase
RVA of DLL name = 2C420 - 2AC00 + 2D000 = 2E820h (20 E8 02 00 in reverse)
RVA of function name = 2C430 - 2AC00 + 2D000 = 2E830h (30 E8 02 00 in reverse)
The first value can go into the Name1 field of our new IID, but the second must go into an Image_Thunk_Data structure, whose RVA we can then put into the FirstThunk (and OriginalFirstThunk) field of our new IID. We will put the Image_Thunk_Data structure below the function name at offset 2C440 and calculate the RVA we will put into FirstThunk. RVA of Image_Thunk_Data = 2C440 - 2AC00 + 2D000 = 2E840 (40 E8 02 00 in reverse)
If we fill in the data in the hex editor we see the following:
Finally we save our work, run the application and load it into PEBrowse:
To be able to call our new function we need to use the following code: CALL DWORD PTR [XXXXXXXX], where XXXXXXXX = RVA of Image_Thunk_Data + ImageBase. In our example above for LZCopy, XXXXXXXX = 2E840 + 400000 = 42E840, so we would write: CALL DWORD PTR [0042E840]
Final note: Even if we add a function from a DLL that is already in use, such as kernel32.dll, we still have to create a new IID for it so that we can create a new IAT in a convenient location as above. The following is just an addition to this section. There is a fully automatic way of doing the above:
Note that SnippetCreator adds jump-thunk stubs for the new imports into your code, whereas with the other programs you have to do this entirely by hand.
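Step 1 and Step 2 above lay out the new import by hand: an IMAGE_IMPORT_DESCRIPTOR, a hint/name entry, a one-entry Image_Thunk_Data and the RVA conversions that tie them together. The following is an added example written for this edit (not code from the tutorial, SnippetCreator or IIDKing) that performs the same layout on a constructed in-memory image of the .idata section and then walks the result the way the loader would, from the Import Directory RVA down to the function name. The section geometry (RawOffset 2AC00, VirtualOffset 2D000), the ImageBase 400000 and the offsets 2C420/2C430/2C440/2C500 are the tutorial's; the 2000h-byte section image and the assumption that the rebuilt directory holds only the new IID are constructed for the example.

```python
import struct

# Geometry of the .idata section in the tutorial's target (values from the text)
IDATA_RAW_OFFSET = 0x2AC00       # RawOffset of .idata
IDATA_VIRTUAL_OFFSET = 0x2D000   # VirtualAddress of .idata
IMAGE_BASE = 0x400000
NEW_IMPORT_DIR_RAW = 0x2C500     # where the tutorial rebuilds the Import Directory
IDATA_IMAGE_SIZE = 0x2000        # size of the constructed section image below (assumed)


def raw_to_rva(raw, sec_raw=IDATA_RAW_OFFSET, sec_virt=IDATA_VIRTUAL_OFFSET):
    """RVA = RawOffset - RawOffsetOfSection + VirtualOffsetOfSection (add ImageBase for the VA)."""
    return raw - sec_raw + sec_virt


def rva_to_raw(rva, sec_raw=IDATA_RAW_OFFSET, sec_virt=IDATA_VIRTUAL_OFFSET):
    return rva - sec_virt + sec_raw


def build_iid(name_rva, first_thunk_rva, original_first_thunk_rva=0):
    """IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name1, FirstThunk."""
    return struct.pack("<5I", original_first_thunk_rva, 0, 0, name_rva, first_thunk_rva)


def build_import_by_name(func, hint=0):
    """IMAGE_IMPORT_BY_NAME: WORD Hint followed by the null-terminated ASCII name."""
    return struct.pack("<H", hint) + func.encode("ascii") + b"\x00"


def add_import(section, dll, func, dll_raw, func_raw, thunk_raw, iid_raw):
    """Write the DLL name, the hint/name entry, a one-entry IAT and the IID (followed by
    its null terminator) into a bytearray image of .idata; return the RVAs the text calculates."""
    def put(raw, data):
        off = raw - IDATA_RAW_OFFSET
        section[off:off + len(data)] = data

    put(dll_raw, dll.encode("ascii") + b"\x00")
    put(func_raw, build_import_by_name(func))
    # Image_Thunk_Data for this DLL: RVA of the hint/name entry, then a null DWORD
    put(thunk_raw, struct.pack("<II", raw_to_rva(func_raw), 0))
    # FirstThunk and OriginalFirstThunk both point at the same IAT, as the text allows
    put(iid_raw, build_iid(raw_to_rva(dll_raw), raw_to_rva(thunk_raw), raw_to_rva(thunk_raw)) + bytes(20))
    return {"dll_name_rva": raw_to_rva(dll_raw), "func_name_rva": raw_to_rva(func_raw),
            "thunk_rva": raw_to_rva(thunk_raw), "call_target_va": raw_to_rva(thunk_raw) + IMAGE_BASE}


def read_cstring(section, off):
    return bytes(section[off:section.index(b"\x00", off)]).decode("ascii")


def parse_import_directory(section, import_dir_rva):
    """Walk the IIDs from the Data Directory RVA to the null-filled terminator, following
    each FirstThunk chain to the imported names (name imports only; ordinal entries with
    the high bit set are not handled here)."""
    result, off = [], rva_to_raw(import_dir_rva) - IDATA_RAW_OFFSET
    while True:
        _oft, _stamp, _fwd, name_rva, first_thunk = struct.unpack_from("<5I", section, off)
        if name_rva == 0 and first_thunk == 0:
            break
        funcs, toff = [], rva_to_raw(first_thunk) - IDATA_RAW_OFFSET
        while True:
            (entry,) = struct.unpack_from("<I", section, toff)
            if entry == 0:
                break
            funcs.append(read_cstring(section, rva_to_raw(entry) - IDATA_RAW_OFFSET + 2))  # skip hint
            toff += 4
        result.append((read_cstring(section, rva_to_raw(name_rva) - IDATA_RAW_OFFSET), funcs))
        off += 20
    return result


def demo():
    """Constructed .idata image holding only the new lz32.dll / LZCopy import."""
    section = bytearray(IDATA_IMAGE_SIZE)
    rvas = add_import(section, "lz32.dll", "LZCopy", 0x2C420, 0x2C430, 0x2C440, NEW_IMPORT_DIR_RAW)
    return rvas, parse_import_directory(section, raw_to_rva(NEW_IMPORT_DIR_RAW))


if __name__ == "__main__":
    rvas, imports = demo()
    print({k: hex(v) for k, v in rvas.items()}, imports)
```

The parser stops at the first all-zero descriptor, which is exactly why the text insists on the 20-byte null terminator: without it the loader keeps reading whatever follows the last IID as more descriptors.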
13. Introduction to Packers :
In this section we will dissect the effect of a simple packer on our application and look at the 2 main methods of patching a packed executable: unpacking or inline patching. We will use the packer UPX 1.25 because it is a true executable compressor and does not use any advanced protection mechanisms. Its authors are Marcus & Laszlo. First we scan our file (the original, not yet packed) with PeiD:
Next we pack our application with UPX. This is a command line program, so we open a DOS prompt and type "upx basecalc.exe":
Afterwards we see that the size of our program has dropped from 225kb to 91kb, and in PeiD we observe the following:
Using PEBrowse Pro we see that the packer has added 3 sections to our app: UPX0, UPX1 and .rsrc. The resource section now contains the import directory, but for each DLL only one or two functions are imported; the others have disappeared:
Note that the .rsrc section keeps its original name even though the other parts have changed. Interestingly, this dates back to a bug in the LoadTypeLibEx function in oleaut32.dll in Win95, which used rsrc to find and load the resource section. This created an error if the section was renamed. Although this bug has been fixed, it seems most packers do not rename the rsrc section for compatibility reasons. By opening our application in LordPE and clicking the Compare button we can open the original app and observe the changes to the headers:
When we open the application in Olly we get a message box telling us that our executable is packed. Just click OK and we arrive at the EntryPoint:
The UPX packer compresses our application and adds code in the form of a stub containing the decompression algorithm. The EntryPoint of the application is changed to the start of the stub, and after the stub has done its work, execution jumps back to the original entrypoint (OEP) to start our now unpacked program. The basic way to deal with it is to let the stub decompress our application into memory and then dump this memory region to a file to get a copy of the unpacked program. However, the application will not run properly, because the dumped file will have its sections aligned to memory page boundaries rather than to file alignment values, the entrypoint will still point to the decompression stub and the import directory will obviously be wrong and will need fixing. Note that in Olly our entrypoint is at the first instruction, PUSHAD. PUSHAD is short for PUSH ALL DOUBLE; it saves the contents of all the 32-bit registers onto the stack, starting from EAX through to EDI. The stub then does its work and finishes with a POPAD instruction before the jump to the OEP. POPAD copies the register contents back from the stack. This means the stub restores everything and exits without trace before actually running the application. This method is typical of many other common packers, e.g. ASPack. From the moment of the first PUSHAD, the contents of the stack at that level must remain completely untouched until the POPAD. If we set a hardware breakpoint on the first 4 bytes of the stack at the time of the PUSHAD, Olly will break when these 4 bytes are accessed by the POPAD and we will arrive right at the jump to our OEP. First we have to execute the PUSHAD by pressing F7 once. Next we set our BP. The ESP register (Stack Pointer) always points to the top of the stack, so right click on ESP and choose Follow in Dump. We get the following:
Next, highlight the first DWORD of the stack in the Dump window, right click and choose BP > Hardware on Access > DWORD:
Next press F9 to run the program and Olly will break. We see the JMP to the OEP. The OEP we see here has the ImageBase 400000h added, so to find the real OEP we must subtract the ImageBase. Our OEP is therefore 0002ADB4h.
If you want to cheat there is a quick way that always works with UPX. Simply scroll to the end of the code in the CPU window in Olly, and just before the zero padding begins you will see the POPAD instruction as above. NOTE: Other packers that also use the PUSHAD/POPAD mechanism may jump to the OEP using a PUSH instruction that pushes the OEP value onto the top of the stack, followed by a RET. The CPU thinks this is a return from a function call and, as usual, takes the return address from the top of the stack. The next step is to press F7 to execute the JMP and we arrive at the OEP. Here we use the OllyDump plugin to dump the file. Right click at the OEP and choose OllyDump; we get the following screen, do as in the illustration:
Note that OllyDump has already worked out the base address and size of image (which you could see by looking in the memory map window) and has offered to correct the entrypoint for us (although we could do this manually in the hexeditor). Click Dump and save the file under whatever name you want (e.g. basecalc_dmp.exe). Leave Olly as it is after dumping. Unfortunately, when we look at the dumped file it has lost its icon, and if we try to run it we get the following message:
We get this message because of the alignment problem mentioned above; the file size has also grown. We open our app in LordPE and look at the Sections. The Raw Offset and Raw Size values are wrong. We must make the Raw values equal to the Virtual values for every Section for our app to work. Right click the UPX0 section and choose edit header:
Now we make RawOffset equal to VirtualAddress and RawSize equal to VirtualSize. Repeat this for every Section, then click Save and Exit (this is what the "fix raw size" checkbox in OllyDump does automatically). Now we see the app has its icon, but when we run our application we get a different error: "The application failed to initialize properly". We get this error because we have not fixed the imports. We could fix the imports entirely by hand. However, it would take a lot of time and effort if there are many imported functions, etc. So here we use ImpREC 1.6F by MackT to do it automatically. ImpREC needs to attach to a running process and also needs the packed file in order to find the imports. Start ImpREC and follow these steps:
1. Select Basecalc.exe in the Attach list (it should still be running in Olly).
2. Next enter our OEP, 2ADB4, in the OEP textbox.
3. Click the IAT AutoSearch button and click OK on the message box.
4. Click the Get Imports button.
5. Click Show Invalid; in our case there are none.
6. Click Fix Dump and select the file we dumped, basecalc_dmp.exe.
7. Okay... exit ImpREC.
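The "make the Raw values equal to the Virtual values" step above, as an added example (not part of the tutorial or of OllyDump/LordPE): it parses a constructed section table of a dumped UPX image, reports which sections still carry the packed file's offsets, and rewrites PointerToRawData and SizeOfRawData the way the "fix raw size" checkbox does. Only the section names UPX0, UPX1 and .rsrc come from the text; every size, offset and flag value in the constructed table is an assumed sample.

```python
import struct

SECTION_HEADER_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes, little-endian
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER_FMT)


def build_constructed_dump_table():
    """Constructed section table of a dumped UPX image (assumed values). A dump written
    from memory places each section at its VirtualAddress, but the headers still carry the
    packed file's PointerToRawData/SizeOfRawData, so the two disagree."""
    rows = [
        # name      VirtualSize  VirtualAddress  SizeOfRawData  PointerToRawData  Characteristics
        (b"UPX0",   0x2A000,     0x1000,         0x0,           0x400,            0xE0000080),
        (b"UPX1",   0x9000,      0x2B000,        0x8E00,        0x400,            0xE0000040),
        (b".rsrc",  0x8E00,      0x34000,        0x8E00,        0x9200,           0xC0000040),
    ]
    return b"".join(struct.pack(SECTION_HEADER_FMT, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in rows)


def parse_section_table(table, number_of_sections):
    """Decode NumberOfSections consecutive 40-byte headers into dicts."""
    headers = []
    for i in range(number_of_sections):
        f = struct.unpack_from(SECTION_HEADER_FMT, table, i * SECTION_HEADER_SIZE)
        headers.append({
            "Name": f[0].rstrip(b"\x00").decode("ascii"),
            "VirtualSize": f[1], "VirtualAddress": f[2],
            "SizeOfRawData": f[3], "PointerToRawData": f[4],
            "Characteristics": f[9],
        })
    return headers


def find_misaligned(headers):
    """Names of sections whose file layout does not match where the dump actually holds them."""
    return [h["Name"] for h in headers
            if h["PointerToRawData"] != h["VirtualAddress"] or h["SizeOfRawData"] != h["VirtualSize"]]


def fix_raw_fields(headers):
    """RawOffset := VirtualAddress and RawSize := VirtualSize for every section (the
    LordPE edit the text performs by hand, or OllyDump's 'fix raw size')."""
    return [dict(h, PointerToRawData=h["VirtualAddress"], SizeOfRawData=h["VirtualSize"])
            for h in headers]


def serialize_section_table(headers):
    """Re-encode the headers so they can be written back over the dump's section table."""
    return b"".join(struct.pack(SECTION_HEADER_FMT, h["Name"].encode("ascii"),
                                h["VirtualSize"], h["VirtualAddress"], h["SizeOfRawData"],
                                h["PointerToRawData"], 0, 0, 0, 0, h["Characteristics"])
                    for h in headers)


def repair_dump():
    table = build_constructed_dump_table()
    headers = parse_section_table(table, 3)
    before = find_misaligned(headers)
    fixed = fix_raw_fields(headers)
    return before, fixed, find_misaligned(fixed), serialize_section_table(fixed)


if __name__ == "__main__":
    before, fixed, after, _ = repair_dump()
    print("misaligned before:", before, "after:", after)
    for h in fixed:
        print(h["Name"], hex(h["PointerToRawData"]), hex(h["SizeOfRawData"]))
```

This only repairs the section geometry; as the text goes on to show, the entrypoint still has to be set to the OEP and the imports rebuilt before the dump runs.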
ImpREC saves the fixed file under the name basecalc_dmp_.exe. We run this file to test it. If we analyse this file we will see that its size has increased and there is an extra section named mackt, which is where ImpREC put the new import data:
Since UPX is only a compressor, it simply takes the existing import data and stores it in the resource section without encrypting or damaging it. That is why ImpREC can find all the valid imports without resorting to tracing or rebuilding; it just takes the import directory from the packed executable in memory and transfers it to the new section in the unpacked executable. Now let us scan the unpacked file in PEiD:
The above only illustrates the steps needed to unpack an executable packed with a simple packer. However, there are many advanced packers that add many different protection mechanisms, e.g. antidebugging and anti-tampering tricks, encryption of code and IAT, stolen bytes, API redirection, etc., which I cannot cover within the scope of this article; please forgive me. In some cases where we have to patch a packed file, a technique called inline patching lets us avoid having to unpack the file. It involves patching the code at runtime in memory after the decompression stub has finished its work and before its final jump to the OEP that runs the application. In other words, we wait until our application has been unpacked in memory, then jump to the patching code we injected, and finally jump back to the OEP. To illustrate this technique we will inject code into our packed executable that pops up a message box telling us when the application has been unpacked in memory. After we click OK it jumps to the OEP and the application runs normally. The first task is to find a place for our code, so open the packed app in the hex editor and look for a suitable space, called a suitable "cave". Empty space at the end of a section is best because it is less likely to be used by the packer and can be extended by enlarging the section if necessary (see the section on adding code to a PE file above). You can see the effect of the UPX packer: the space we need is quite scarce, but a small cave does exist here. Now we add "Unpacked..." and "Now back to OEP" in the ASCII column of the hex editor, as in the picture below:
This marks the spot for our patch in Olly without having to worry about calculating VAs. Save the changes and open our application in Olly. Right click in the Hex window and choose Search for binary string. Now enter "Unpacked" and go to the VA of the 2 strings. In the CPU window, right click and choose Goto expression. Enter the address of the first string and you will see the 2 strings in hexadecimal form. Olly has not analysed this correctly, so it displays it as meaningless code. Highlight the code (the next free row underneath) and press the Space Bar to assemble the following instructions:
PUSH 0
PUSH 440C30 [address of first string]
PUSH 440C40 [address of second string]
PUSH 0
CALL MessageBoxA
JMP 42ADB4
Make a note of the address of our first PUSH instruction - 440C4E. Our code will look like this in Olly:
Next right click and choose Copy to executable > Selection. In the new window that appears, right click and choose Save file, etc. If we check in the hex editor we see our code has been added:
Finally we need to change the JMP at the end of the UPX stub to jump to our code. Find this jump as discussed above, double click the JMP instruction to assemble and change the address to 440C4E. Save the changes once more and run our app to test:
Clicking OK resumes BaseCalc.
14. References & Further Reading :
The Portable Executable Format -- Michael J. O'Leary
The Portable Executable File Format from Top to Bottom -- Randy Kath
Peering Inside the PE: A Tour of the Win32 Portable Executable File Format -- Matt Pietrek
An In-Depth Look into the Win32 Portable Executable File Format (2 parts) -- Matt Pietrek
Windows 95 Programming Secrets -- Matt Pietrek
Linkers and Loaders -- John R Levine
Secrets of Reverse Engineering -- Eldad Eilam
PE.TXT -- Bernd Luevelsmeyer
Converting virtual offsets to raw offsets and vice versa -- Rheingold
PE Tutorial -- Iczelion
The Portable Executable File Format -- KGL
PE Notes, Understanding Imports -- yAtEs
Win32 Programmer's Reference
What Goes On Inside Windows 2000: Solving the Mysteries of the Loader -- Russ Osterlund
Tool Interface Standard (TIS) Formats Specification for Windows
Adding Imports by Hand -- Eduardo Labir (Havok), CBJ
Enhancing functionality of programs by adding extra code -- c0v3rt+
Working Manually with Import Tables -- Ricardo Narvaja
All tutorials concerning manual unpacking (especially those from ARTeam, with special reference to the Beginner Olly series by Shub and Gabri3l).
15. Complete PE Offset Reference :
The DOS Header :
OFFSET  SIZE   NAME         EXPLANATION
00      WORD   e_magic      Magic DOS signature MZ (4Dh 5Ah)
02      WORD   e_cblp       Bytes on last page of file
04      WORD   e_cp         Pages in file
06      WORD   e_crlc       Relocations
08      WORD   e_cparhdr    Size of header in paragraphs
0A      WORD   e_minalloc   Minimum extra paragraphs needed
0C      WORD   e_maxalloc   Maximum extra paragraphs needed
0E      WORD   e_ss         Initial (relative) SS value
10      WORD   e_sp         Initial SP value
12      WORD   e_csum       Checksum
14      WORD   e_ip         Initial IP value
16      WORD   e_cs         Initial (relative) CS value
18      WORD   e_lfarlc     File address of relocation table
1A      WORD   e_ovno       Overlay number
1C      WORD   e_res[4]     Reserved words
24      WORD   e_oemid      OEM identifier (for e_oeminfo)
26      WORD   e_oeminfo    OEM information; e_oemid specific
28      WORD   e_res2[10]   Reserved words
3C      DWORD  e_lfanew     Offset to start of PE header

The PE Header :
OFFSET  SIZE   NAME                         EXPLANATION
00      DWORD  Signature                    PE Signature PE.. (50h 45h 00h 00h)
04      WORD   Machine                      014Ch = Intel 386, 014Dh = Intel 486, 014Eh = Intel 586, 0200h = Intel 64-bit, 0162h = MIPS
06      WORD   NumberOfSections             Number Of Sections
08      DWORD  TimeDateStamp                Date & time image was created by the linker
0C      DWORD  PointerToSymbolTable         Zero or offset of COFF symbol table in older files
10      DWORD  NumberOfSymbols              Number of symbols in COFF symbol table
14      WORD   SizeOfOptionalHeader         Size of optional header in bytes (224 in 32bit exe)
16      WORD   Characteristics              see below
********** START OF OPTIONAL HEADER **************************************
18      WORD   Magic                        010Bh = 32-bit executable image, 020Bh = 64-bit executable image, 0107h = ROM image
1A      BYTE   MajorLinkerVersion           Major version number of the linker
1B      BYTE   MinorLinkerVersion           Minor version number of the linker
1C      DWORD  SizeOfCode                   Size of code section or sum if multiple code sections
20      DWORD  SizeOfInitializedData        as above
24      DWORD  SizeOfUninitializedData      as above
28      DWORD  AddressOfEntryPoint          Start of code execution, optional for DLLs, zero when none present
2C      DWORD  BaseOfCode                   RVA of first byte of code when loaded into RAM
30      DWORD  BaseOfData                   RVA of first byte of data when loaded into RAM
34      DWORD  ImageBase                    Preferred load address
38      DWORD  SectionAlignment             Alignment of sections when loaded in RAM
3C      DWORD  FileAlignment                Alignment of sections in file on disk
40      WORD   MajorOperatingSystemVersion  Major version no. of required operating system
42      WORD   MinorOperatingSystemVersion  Minor version no. of required opera
44      WORD   MajorImageVersion
46      WORD   MinorImageVersion
48      WORD   MajorSubsystemVersion
4A      WORD   MinorSubsystemVersion
4C      DWORD  Reserved1
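To show how the offsets in this reference are used in practice, here is an added example (not part of the tutorial) that builds a constructed DOS header plus PE32 header carrying this tutorial's example values (EntryPoint 2ADB4, ImageBase 400000, SectionAlignment 1000h, FileAlignment 200h, SizeOfCode 2A000, SizeOfInitializedData DE00), follows e_lfanew to the PE signature, reads the fields at the tabulated offsets, locates the section table at F8 from the PE header, and applies the two header edits made earlier in the text (a new EntryPoint, and adding 100h to SizeOfCode and SizeOfInitializedData at 1C and 20). The header is a constructed fragment, not a loadable executable; the offset 50h for SizeOfImage lies past the end of this table and is taken from the standard PE32 layout.

```python
import struct

# Offsets from the DOS header / PE header tables above (PE32, 224-byte optional header)
E_LFANEW = 0x3C
PE_SIGNATURE = b"PE\x00\x00"
OFF_MACHINE, OFF_NUMBER_OF_SECTIONS, OFF_SIZE_OF_OPTIONAL_HEADER = 0x04, 0x06, 0x14
OFF_MAGIC, OFF_SIZE_OF_CODE, OFF_SIZE_OF_INIT_DATA = 0x18, 0x1C, 0x20
OFF_ENTRY_POINT, OFF_IMAGE_BASE = 0x28, 0x34
OFF_SECTION_ALIGNMENT, OFF_FILE_ALIGNMENT = 0x38, 0x3C
OFF_SIZE_OF_IMAGE = 0x50          # standard PE32 offset; beyond the end of the table above
FILE_HEADER_SIZE = 0x18           # Signature (4) + IMAGE_FILE_HEADER (20)
PE32_OPTIONAL_HEADER_SIZE = 224


def build_constructed_headers():
    """Constructed sample: a 40h-byte DOS header followed directly by a PE32 header
    with the tutorial's example values. Not a complete executable."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW, 0x40)   # PE header right after the DOS header
    pe = bytearray(FILE_HEADER_SIZE + PE32_OPTIONAL_HEADER_SIZE)   # F8h bytes
    pe[0:4] = PE_SIGNATURE
    struct.pack_into("<H", pe, OFF_MACHINE, 0x014C)
    struct.pack_into("<H", pe, OFF_NUMBER_OF_SECTIONS, 5)
    struct.pack_into("<H", pe, OFF_SIZE_OF_OPTIONAL_HEADER, PE32_OPTIONAL_HEADER_SIZE)
    struct.pack_into("<H", pe, OFF_MAGIC, 0x010B)
    struct.pack_into("<I", pe, OFF_SIZE_OF_CODE, 0x2A000)
    struct.pack_into("<I", pe, OFF_SIZE_OF_INIT_DATA, 0xDE00)
    struct.pack_into("<I", pe, OFF_ENTRY_POINT, 0x2ADB4)
    struct.pack_into("<I", pe, OFF_IMAGE_BASE, 0x400000)
    struct.pack_into("<I", pe, OFF_SECTION_ALIGNMENT, 0x1000)
    struct.pack_into("<I", pe, OFF_FILE_ALIGNMENT, 0x200)
    struct.pack_into("<I", pe, OFF_SIZE_OF_IMAGE, 0x3CE00)
    return dos + pe


def locate_pe_header(image):
    """Check the MZ signature, follow e_lfanew and check the PE signature."""
    if bytes(image[0:2]) != b"MZ":
        raise ValueError("missing MZ signature")
    (pe_off,) = struct.unpack_from("<I", image, E_LFANEW)
    if bytes(image[pe_off:pe_off + 4]) != PE_SIGNATURE:
        raise ValueError("missing PE signature at e_lfanew")
    return pe_off


def read_headers(image):
    """Read the fields the tutorial edits, at their offsets from the PE header."""
    pe = locate_pe_header(image)
    u16 = lambda off: struct.unpack_from("<H", image, pe + off)[0]
    u32 = lambda off: struct.unpack_from("<I", image, pe + off)[0]
    return {
        "Machine": u16(OFF_MACHINE), "NumberOfSections": u16(OFF_NUMBER_OF_SECTIONS),
        "SizeOfOptionalHeader": u16(OFF_SIZE_OF_OPTIONAL_HEADER), "Magic": u16(OFF_MAGIC),
        "SizeOfCode": u32(OFF_SIZE_OF_CODE), "SizeOfInitializedData": u32(OFF_SIZE_OF_INIT_DATA),
        "AddressOfEntryPoint": u32(OFF_ENTRY_POINT), "ImageBase": u32(OFF_IMAGE_BASE),
        "SectionAlignment": u32(OFF_SECTION_ALIGNMENT), "FileAlignment": u32(OFF_FILE_ALIGNMENT),
        "SizeOfImage": u32(OFF_SIZE_OF_IMAGE),
        # section table follows the optional header: F8h from the PE header for PE32
        "SectionTableOffset": pe + FILE_HEADER_SIZE + u16(OFF_SIZE_OF_OPTIONAL_HEADER),
    }


def set_entry_point(image, new_rva):
    """Write a new AddressOfEntryPoint (an RVA, i.e. with ImageBase subtracted)."""
    pe = locate_pe_header(image)
    struct.pack_into("<I", image, pe + OFF_ENTRY_POINT, new_rva)
    return image


def add_to_dword(image, field_offset, delta):
    """Add delta to a DWORD field of the PE header, e.g. the 100h the text adds to
    SizeOfCode (1C), SizeOfInitializedData (20) and SizeOfImage when enlarging a section."""
    pe = locate_pe_header(image)
    (value,) = struct.unpack_from("<I", image, pe + field_offset)
    struct.pack_into("<I", image, pe + field_offset, (value + delta) & 0xFFFFFFFF)
    return image


if __name__ == "__main__":
    img = build_constructed_headers()
    print({k: hex(v) for k, v in read_headers(img).items()})
```

A one-line sanity check a practitioner would add before trusting any of these offsets is Magic == 010Bh: on a PE32+ image the optional header is laid out differently from 18h onward and the table above no longer applies.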