Explanation of the output table (export table) of the small turtle PE (PE description 09)
When the PE file is executed, the Windows loader loads the file into the memory and loads the dynamic link library (usually in DLL format) file registered in the import table into the address space, then, modify the IAT of the executed File Based on the function export information in the DLL file.
(Basic addition: many of my friends may see that it is a bit difficult here. You should allow the minor turtles to give up and take care of beginners. We all understand that after Windows loads a program, it will open up a separate virtual address space for the program in the memory. In this way, each program itself will have the right to allocate almost any address, so he has the final say on which address his function wants to put it. Some functions are used by many programs. writing the same function for each program seems to be a waste of space. Therefore, the concept of dynamic link library is integrated in windows, encapsulate some common functions into a dynamic link library. When necessary, load the dynamic link library directly and integrate the required functions into itself, this greatly saves the storage of resources in the memory.
There is an important concept to remember: the dynamic link library is mapped to the address space of other applications for execution. It and the application can be seen as "one, the dynamic link library can use the resources of the application, and its resources can be used by the application. Any operation of the dynamic link library represents the application, after the Dynamic Link Library Opens files, allocates memory, and creates windows, these files, memory, and windows are all owned by the application. Therefore, the dynamic link library, in the words of the turtle, is a "Parasite "! )
What is the purpose of exporting tables? The export table records the export information of the dynamic link library. By exporting a table, the DLL file can provide the system with information such as the name, serial number, and entry address of the exported function, which is used by the Windows loader to complete the dynamic connection process.
Tip: the PE file with the extension name ".exe" does not usually contain an export table, but most. DLL files contain an export table. But note that this is not absolute. For example, if the. dll file is purely used as a resource, the export function exists in the. exe file with some special functions. So there is no such thing as absolute ...... Now, we will analyze the structure of the exported table.
Export table structure
The main component of an export table is a table containing the function name and output sequence number. The ordinal number is the 16-digit number of a function in the specified DLL. It is unique in the DLL file to which it is pointed. In this case, we do not advocate indexing functions by ordinal numbers alone, which will cause problems to the maintenance of DLL files. For example, once a DLL file is upgraded or modified, the program that calls the DLL file cannot be loaded to the required function.
The first member of the Data Directory table points to the export table. It is an image_export_directory (hereinafter referred to as IED) structure. The IED structure is defined as follows:
Characteristicsdword ?; Unused, always defined as 0
Timedatestampdword? ; File generation time
Majorversionword ?; Unused, always defined as 0
Minorversionword ?; Unused, always defined as 0
Namedword ?; Real Module name
Base DWORD ?; Base number. The ordinal number is the index value of the function address array.
Numberoffunctionsdword ?; Total number of exported Functions
Numberofnamesdword ?; Total number of functions exported by name
Addressoffunctionsdword ?; RVA pointing to the output function address
Addressofnamesdword ?; RVA pointing to the name of the output function
Addressofnameordinalsdword ?; RVA pointing to the output function serial number
Some fields in this structure are not used. Meaningful fields are described as follows.
- Name: An RVA value that points to a string that defines the module name. For example, even if the kernel32.dll file is renamed as "ker. dll", you can still find that the file name in this string is "kernel32.dll" during compilation ".
- Numberoffunctions: Total number of exported functions contained in the file.
- Numberofnames: Total number of exported functions with the defined function name. Obviously, only functions with this number can be exported using the function name. You can also use the serial number method to export data. The remaining numberoffunctions minus the number of numberofnames functions can only be exported using the serial number method. The value of this field is only smaller than or equal to the value of the numberoffunctions field. If this value is 0, all functions are exported as serial numbers.
- Addressoffunctions: An RVA value that points to a two-word group containing all export function entry addresses. Each item in the array is an RVA value, and the number of items in the array is equal to the value of the numberoffunctions field.
- Base: export the start value of the function sequence number. Add the index number of the entry Address Table pointed to by the addressoffunctions field to the start value of the corresponding function. If the base field value is X, the number of the 1st export functions specified in the entry address table is X, and the number of the 2nd export functions is x + 1. In short, the export sequence number of an export function is equal to the base field value plus its position index value in the entry address table.
- Addressofnames and addressofnameordinals: both are RVA values. The former points to the function name string address table. This address table is a dual-word group. Each item in the array points to the RVA of a function name string. The number of items in the array is equal to the value of the numberofnames field. The name strings of all the named export functions are defined in this table. The latter points to an array of another word type (note that it is not a double-word group ). The array project corresponds to the project in the file name address table. The project value represents the index of the function entry address table. In this way, the function entry name is associated with the function entry address. (For example, if the nth entry of the function name string Address Table points to a string "myfunction", you can find the nth entry of the array pointed to by addressofnameordinals, if the value stored in item n is X, it indicates that the name corresponding to the entry address of function X in the address table described by the addressoffunctions field is "myfunction? It's okay. You'll understand it later. Don't give up ~)
The whole process is as complicated as other PE structures, but it is quite easy to look at the figure. Therefore, the turtle is still in the spirit of seeking truth from facts &...... % ￥ # Draw a picture in a down-to-earth manner to make everyone better understand it. Come on, please:
1. Search for the function entry address from the serial number
The following section describes how to use the Windows loader to find the export function entry address. If we know the export sequence number of the function, how can we get the function entry address?
The procedure of the Windows loader is as follows:
- Locate PE File Header
- Retrieve the data directory table from the image_optional_header32 structure in the PE file header, and obtain the RVA of the exported table from the first data directory.
- Obtain the Starting sequence number from the base field of the exported table.
- Subtract the start sequence number from the exported sequence number to obtain the index of the function in the entry address table.
- Check whether the index value is greater than the numberoffunctions field value of the exported table. If the index value is greater than the latter, the input sequence number is invalid.
- Use this index value to retrieve the corresponding project from the export function entry Address Table pointed to by the addressoffunctions field. This is the RVA value of the function entry address. When the function is loaded into the memory, this RVA value is added with the base address actually loaded by the module, and the real entry address of the function is obtained.
2. Find the entry address from the function name
If the function name is known, how can I get the function entry address? This process is more complex than getting the entry address using the serial number!
The procedure of the Windows loader is as follows:
- The original steps are the same, that is, the address of the exported table is obtained first.
- Obtain the total number of named functions from the numberofnames field of the exported table, and use this number as the number of cycles to construct a loop.
- Starting from the addressofnames field pointing to the first item of the obtained function name address table, the function name defined for each item in the loop is compared with the function name to be searched, if no function name is correct, it indicates that no function is specified in the file.
- If a defined function name matches the name of the function to be searched, write down the index value of this function name in the string address table, then, retrieve the value of the array item with the same index value in the array pointed to by addressofnamesordinals. We assume that the value is X
- Finally, take the X value as the index value. The RVA obtained in the function entry Address Table pointed to by the addressoffunctions field is the function entry address.
In a bunch of cases, a virus program searches for the entry address through the function name, because the virus program is appended to the executable file as an additional code. If the virus code uses some APIs, the addresses of these Apis cannot be prepared for virus code in the export table of the host file. Therefore, you can only obtain the API address by dynamically searching in the memory. Concerning the specific implementation and analysis of virus code, I will discuss this topic with you in the future ~
Analyze the output table structure instance (the specific process will be demonstrated in the video. This is not a big deal ~)
Tool: peinfo.exe, ultraedit, w32dasmv10.0
Anatomy: counter. dll