0x00 Preface
The previous two articles covered the contents of the export table and how to locate the export and import tables of a DLL with Hex Workshop. A few places still felt poorly understood. For example, after locating the import table through the data directory (DataDirectory[16]), I thought I had found the imported DLL, but in fact the final goal of the whole process is to find the functions that are called from the imported DLL. That step is done through the OriginalFirstThunk or FirstThunk field of the import table structure, which points to the INT or the IAT. It should be explained that, although the usual route is through OriginalFirstThunk, in some cases its value is set to 0 and cannot be used; the most reliable way is then through the IAT that FirstThunk points to. The following is an example of how this process is done in practice.
0x01 Finding the imported DLLs and the functions called from them
Materials and tools: the executable file PE.exe; tools: Hex Workshop, LordPE.
Idea: find the PE file header -> find the second entry of the data directory table -> translate the address to find the import table (IID) array -> read the OriginalFirstThunk and FirstThunk values from the array -> read the name addresses of the called functions through the INT or IAT -> find the function names through those name addresses.
1) Drag the target file into Hex Workshop and use the shortcut Ctrl+G to jump to file offset 3Ch; the dword stored here is the address of the PE file header, as shown:
2) Jump to 40h, which is where the PE file header sits in this sample, as shown:
3) Jump to PE file header + 80h, where the RVA of the import table (the second data directory entry) is stored, as shown:
4) Convert RVA 2040h to a file offset; here we use LordPE to assist with the conversion, and the converted value is 440h.
5) Jump to 440h, which is the import table's IID (IMAGE_IMPORT_DESCRIPTOR) array. Each entry consists of five dwords, and the array ends with an entry of five zero dwords. This example has two entries in total, as shown:
The values above are arranged by field in the table below (PS: since the hex is stored little-endian, low byte first, take care to reverse the byte order when reading it):
| OriginalFirstThunk | TimeStamp | ForwarderChain | Name | FirstThunk |
| --- | --- | --- | --- | --- |
| 0000208C | 00000000 | 00000000 | 00002174 | 00002010 |
| 0000207C | 00000000 | 00000000 | 000021B4 | 00002000 |
Using the Name field of the table we can directly derive the name of the imported DLL. The Name RVA of the first entry is 2174h, which converts to file offset 574h; jumping to 574h, we can see that the first DLL is USER32.DLL, as shown:
The Name value of the second entry is RVA 21B4h, which converts to file offset 5B4h; jumping to 5B4h, we learn that the second DLL is KERNEL32.DLL, as shown:
6) Knowing the imported DLL is not the end of our goal; we need to know the name addresses of all the functions called from that DLL. Two fields are available for this. The first is OriginalFirstThunk, which points to the Import Name Table (INT), a structure made up of an array of IMAGE_THUNK_DATA entries. The second is FirstThunk, which points to the Import Address Table (IAT), likewise an array of IMAGE_THUNK_DATA entries. Each dword item of IMAGE_THUNK_DATA points to another structure, IMAGE_IMPORT_BY_NAME, and through IMAGE_IMPORT_BY_NAME we finally find the function called from the DLL. In general the values held by these two arrays are equal on disk. We will now use both fields to find the next level. Let's start with the first entry: try OriginalFirstThunk, convert 208Ch to file offset 48Ch, and jump to 48Ch; the result is a total of 11 items, terminated by a dword 0.
Now try FirstThunk: convert 2010h to file offset 410h and jump to 410h, which gives:
Both locations hold the same values:
102100001c210000f4200000e0200000502100006421000002210000ce200000bc2000002e21000042210000. The table below splits the data into groups of eight hex digits (one dword each) and reverses the byte order of each group; the first entry's IMAGE_THUNK_DATA array and the file offset each RVA translates to are:
| IMAGE_THUNK_DATA (RVA) | File offset |
| --- | --- |
| 00002110 | 510 |
| 0000211C | 51C |
| 000020F4 | 4F4 |
| 000020E0 | 4E0 |
| 00002150 | 550 |
| 00002164 | 564 |
| 00002102 | 502 |
| 000020CE | 4CE |
| 000020BC | 4BC |
| 0000212E | 52E |
| 00002142 | 542 |
7) The name of each called function is looked up one by one from the table above, as shown:
Repeating the above action for every entry gives the following table:
| RVA | File offset | Hint | Function name |
| --- | --- | --- | --- |
| 00002110 | 510 | 019B | LoadIconA |
| 0000211C | 51C | 01DD | PostQuitMessage |
| 000020F4 | 4F4 | 0128 | GetMessageA |
| 000020E0 | 4E0 | 0094 | DispatchMessageA |
| 00002150 | 550 | 027D | TranslateMessage |
| 00002164 | 564 | 028B | UpdateWindow |
| 00002102 | 502 | 0197 | LoadCursorA |
| 000020CE | 4CE | 0083 | DefWindowProcA |
| 000020BC | 4BC | 0058 | CreateWindowExA |
| 0000212E | 52E | 01EF | RegisterClassExA |
| 00002142 | 542 | 0265 | ShowWindow |
8) Of course you may think that finding the import table by hand is too much trouble, but it is only after working it out yourself that you understand how the import table is stored, and thereby gain a more thorough understanding of the PE file format. Next, we can easily find the import table and the imported functions with the powerful LordPE, as shown:
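The walk in steps 3 to 7 above, written out as an added example (not code from the original post): it parses the zero-terminated IMAGE_IMPORT_DESCRIPTOR array of a 32-bit PE, follows OriginalFirstThunk to the INT or, when that field is 0 as the preface warns, falls back to FirstThunk and the IAT, and reads each IMAGE_IMPORT_BY_NAME. The section table, the RVAs and the two-DLL sample image are constructed here for the demonstration; the single section is chosen so that RVA 0x2000 maps to file offset 0x400, the same conversion LordPE gave in the post.

```python
import struct

SECTIONS = [(0x2000, 0x1000, 0x400)]  # constructed: (VirtualAddress, VirtualSize, PointerToRawData)

def rva_to_offset(rva):
    for va, vsize, raw in SECTIONS:             # the RVA -> file offset step LordPE did for us
        if va <= rva < va + vsize:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} lies in no section")

def read_cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")

def walk_imports(data, import_rva):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array; returns [(dll, [name or ordinal, ...]), ...]."""
    result, off = [], rva_to_offset(import_rva)
    while True:
        desc = struct.unpack_from("<5I", data, off)
        if not any(desc):                       # an all-zero descriptor ends the array
            break
        oft, _stamp, _fwd, name_rva, ft = desc
        # Prefer OriginalFirstThunk (INT); when a linker left it 0, fall back to FirstThunk (IAT).
        thunk_off, funcs = rva_to_offset(oft or ft), []
        while True:
            (thunk,) = struct.unpack_from("<I", data, thunk_off)
            if thunk == 0:
                break
            if thunk & 0x80000000:              # IMAGE_ORDINAL_FLAG32: import by ordinal, no name
                funcs.append(thunk & 0xFFFF)
            else:                               # RVA of IMAGE_IMPORT_BY_NAME: WORD Hint, then name
                funcs.append(read_cstr(data, rva_to_offset(thunk) + 2))
            thunk_off += 4
        result.append((read_cstr(data, rva_to_offset(name_rva)), funcs))
        off += 20
    return result

def build_sample():
    """Constructed test data: two descriptors; the second has OriginalFirstThunk = 0 and an ordinal."""
    img = bytearray(0x800)
    def put(rva, blob):
        o = rva_to_offset(rva); img[o:o + len(blob)] = blob
    put(0x2100, b"USER32.DLL\0"); put(0x2110, b"KERNEL32.DLL\0")
    put(0x2120, struct.pack("<H", 0x19B) + b"LoadIconA\0")
    put(0x2130, struct.pack("<H", 0x1DD) + b"PostQuitMessage\0")
    put(0x2150, struct.pack("<H", 0) + b"ExitProcess\0")
    put(0x2080, struct.pack("<3I", 0x2120, 0x2130, 0))          # INT for USER32
    put(0x2010, struct.pack("<3I", 0x2120, 0x2130, 0))          # IAT for USER32 (same values on disk)
    put(0x2000, struct.pack("<3I", 0x2150, 0x80000001, 0))      # IAT only for KERNEL32, ordinal #1
    put(0x2040, struct.pack("<5I", 0x2080, 0, 0, 0x2100, 0x2010)
        + struct.pack("<5I", 0, 0, 0, 0x2110, 0x2000) + bytes(20))
    return bytes(img)
```

On a real file, replace SECTIONS with the entries of its section table and pass the import RVA read from PE header + 80h.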
0x02 Summary
Over the last two days I have gained a great deal from reading Encryption and Decryption; for friends doing reverse engineering and cracking I strongly recommend this book, and friends who share this interest are welcome to leave comments and exchange ideas.
PE file format detailed (vi)