Injection Code in Import table (i)

Source: Internet
Author: User
Tags zip

(Includes: Itview.zip (87.1 KB), pemaker6.zip (96.6 KB), pemaker7.zip (193 KB), Zimport.zip (130 KB). The code in this article works under VS2003 and Windows XP SP2; under Windows 2000 the Itview function behaves abnormally.)

This article describes the technique of injecting code through the Import table (also translated as the "import directory") of the PE (Portable Executable) file format, also known as the API redirection technique.

Consider this: if, by manipulating the import table, we can thunk the entry point of an imported function to a routine of our own, then our routine can filter that import (the call passing through it). We can also use the same mechanism to route imported functions to whatever routines suit us; this is exactly what professional PE protectors do, and some rootkits use the same method to embed their malicious code into a victim through a Trojan horse. In the reverse-engineering world this is called the API redirection technique. I am not going to cover every idea in this field through source code; this article is only a brief introduction to the technique. I will describe some issues that are not in the source code, and I cannot release that code because it belongs to commercial projects or could be abused by a malicious person, but I think this article can serve as a primer on the topic.

1. Into the import table

The PE file format consists of the MS-DOS header, the NT headers, the section headers and the section images (in many technical texts "header" and "image" are translated; here the original terminology is kept wherever it does not hurt comprehension, to avoid misunderstanding). See Figure 1. The MS-DOS header is shared by every Microsoft executable format from the DOS era to the Windows age. The idea of the NT headers originates from the Executable and Linkable Format (ELF) of Unix systems, and the PE format can be regarded as a sister of Linux's Executable and Linkable Format (ELF). The PE format comprises the PE signature, the Common Object File Format (COFF) header, the PE optional header, and the section headers.

Figure 1-portable executable file format structure

The definition of the NT headers can be found in the <winnt.h> header in the Visual C++ include directory. This information can be obtained very easily with the ImageNtHeader() function of DbgHelp.dll. You can also reach the NT headers from the DOS header, because the last field of the DOS header, e_lfanew, holds the offset of the NT headers. Add this offset to the base address of the memory-mapped file to get the PE header (the offset is in bytes, so the DOS header pointer must be cast to a byte pointer before the addition): pNTHeader = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader + pDosHeader->e_lfanew);

typedef struct _IMAGE_NT_HEADERS {
    DWORD                 Signature;      /* "PE\0\0" */
    IMAGE_FILE_HEADER     FileHeader;     /* COFF header */
    IMAGE_OPTIONAL_HEADER OptionalHeader; /* contains the data directories, including the import table */
} IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
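The walk from the DOS header through e_lfanew to the NT headers, continued to the import directory entry, as an added example that is not part of the article or its attached tools. Field offsets follow the winnt.h layouts; the sample image is constructed inline and holds only the fields the walk reads, and the bounds checks are the ones a parser of untrusted files needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Little-endian field access; the layouts and offsets below follow winnt.h. */
static uint32_t rd16(const uint8_t *p) { return p[0] | (p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, v); wr16(p + 2, v >> 16); }

/* File offset of IMAGE_NT_HEADERS, or -1 if the image is malformed: no "MZ",
   e_lfanew pointing outside the buffer, or no "PE\0\0" signature at that offset. */
long find_nt_headers(const uint8_t *img, size_t len) {
    if (len < 64 || rd16(img) != 0x5A4D) return -1;                       /* IMAGE_DOS_SIGNATURE */
    uint32_t e_lfanew = rd32(img + 0x3C);                                 /* IMAGE_DOS_HEADER.e_lfanew */
    if (e_lfanew > len - 4 || rd32(img + e_lfanew) != 0x4550) return -1;  /* IMAGE_NT_SIGNATURE */
    return (long)e_lfanew;
}

/* RVA of the import directory (IMAGE_DIRECTORY_ENTRY_IMPORT == 1): 0 when the image
   declares no import table, -1 when the optional header is malformed or truncated. */
long import_directory_rva(const uint8_t *img, size_t len) {
    long nt = find_nt_headers(img, len);
    if (nt < 0 || (size_t)nt + 24 > len) return -1;
    size_t opt = (size_t)nt + 24;                     /* Signature(4) + IMAGE_FILE_HEADER(20) */
    size_t opt_size = rd16(img + nt + 20);            /* FileHeader.SizeOfOptionalHeader */
    if (opt_size < 2 || opt + opt_size > len) return -1;
    uint32_t magic = rd16(img + opt);
    size_t dirs = magic == 0x10B ? 96 : magic == 0x20B ? 112 : 0;  /* PE32 : PE32+ data directory offset */
    if (dirs == 0 || dirs + 16 > opt_size) return -1;              /* room for directory entries 0 and 1 */
    if (rd32(img + opt + dirs - 4) < 2) return 0;                  /* NumberOfRvaAndSizes */
    return (long)rd32(img + opt + dirs + 8);          /* DataDirectory[1].VirtualAddress */
}

#define SAMPLE_LEN 0x178  /* DOS header and stub up to 0x80, then Signature + FileHeader + PE32 optional header */

/* Constructed sample: a bare PE32 header skeleton with only the fields the walk above reads. */
void build_sample_image(uint8_t *img) {
    memset(img, 0, SAMPLE_LEN);
    wr16(img, 0x5A4D);                 /* "MZ" */
    wr32(img + 0x3C, 0x80);            /* e_lfanew -> NT headers */
    wr32(img + 0x80, 0x4550);          /* "PE\0\0" */
    wr16(img + 0x80 + 20, 0xE0);       /* SizeOfOptionalHeader for PE32 */
    wr16(img + 0x98, 0x10B);           /* OptionalHeader.Magic = IMAGE_NT_OPTIONAL_HDR32_MAGIC */
    wr32(img + 0x98 + 92, 16);         /* NumberOfRvaAndSizes */
    wr32(img + 0x98 + 96 + 8, 0x3000); /* DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress */
}
```

With a real file the same functions run over the mapped image; an e_lfanew or SizeOfOptionalHeader that points past the mapping is exactly the corruption a redirection tool or a loader must reject before touching the import table.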
