PE file format detailed (vi)

0x00 Preface

The previous two articles cover the contents of the output table and how toHexworkshopthe output table and input are found in theDLL, it feels like there are a few places that are not well understood, such as by the Data Catalog tableDatadirectory[16]after finding the output table table, I think I found the inputDLLin fact, the final function of this process is to enterDLLFind InputDLLcalled function, this step is done by the output table in the structure of theOriginalfristthunkorOriginalfristthunkThe point ofINTorIATstructure to find. It is to be explained that, although the general situation is throughOriginalfristthunkyes, but in some cases its value is set to0, so it can't be exploited, and the most trusted way is throughFristthunkThe point ofIATtable to find. The following is an example of how this process can be practiced.

0x01 searching for input DLLs and functions for input DLL calls

materials and tools: PE.exe executable file, tools hexwrokshop,LORDPE

idea: Find PE File Header--"Find Data Catalog Table second item--" Through address translation Find output table array-"read out the output table array originalfristthunk,fristthunk Value--" The name address of the called function is read out by INT or IAT--" The function name is found by the name address.

1) Drag the target file into thehexwrokshop, the shortcut key ctrl+g jumps to the load address 3ch , here is PE file header address, such as:

2) jump to 40h, where it is the file header, such as:

3) jump to the PE file header +80h , where the address of the input data table is stored, such as:

4) rva=2040h conversion bit fileoffset address, here we use LORDPE assisted conversion, converted value is 440h.

5) jump to 440h, which is the output table IID array of data, each of five pairs of double words, ending with five pairs of double word 0. I have this example of a total of two groups, such as:

the above statistics are based on the field data in the following table ( PS: Since the hex is from low to high level of the statistics should pay attention to the low and middle position of transposition):

Originalfristthunk	TimeStamp	Forwardchain	Name	Fristthunk
0000208C	00000000	00000000	00002174	00002010
0000207C	00000000	00000000	000021b4	00002000

using the table Name Field we can directly introduce the name of the input DLL , the first name of the RVA is 2174h , the conversion to fileoffset value is:574h, jump to 574h, We can see that the first DLL is USER32. DLLs, such as:

the second item The Name value is RVA value 21b4h, conversion bit fileoffset value is 5b4h, jump to 574h, we know that the second DLL is KERNEL32. DLLs, such as:

6)know the inputDllIt 's not the end of our goal, we need to know.DLLall of the function name addresses called, here are two fields available, the first one isOriginalfristthunk, it points to a table named input name (INTStructure , this structure is made up of multipleImage_thunk_datathe array that the structure is composed of. The second one isFristthunk, it points to a table of names called input addresses (IATStructure , this structure also has multipleImage_thunk_datathe array that the structure is composed of. Image_thunk_dataeach item of a double word group points to another structure--Image_import_by_name. Ultimately throughImage_import_by_namefound byDLLthe function that is called. In general, these two pointers to the array values are equal. We will then use two fields to find the next one. Let's start with the first item.Originalfristthunkto try and put208Ctranslates toFileoffsetGet48ch. Fall off and jump toward48ch, as a result, a total of 11 items, in double word0end.

we use Fristthunk to try, convert 2010h to fileoffset 410h, jump to 410h, you can get:

They all have the following values:

102100001c210000f4200000e0200000502100006421000002210000ce200000bc2000002e21000042210000, The following table splits the data by eight bytes and flips:

the first item points to the Iamge_thunk_data Array

00002164

TD valign= "Top" width= "143" >

00002110	0000211C	000020f4	000020E0
00002150	00002102	000020CE
000020BC	0000212E	00002142

Next, for address translation, the following table:

510	31%	4f4	4e0
550	564	502	4ce
4bc	52e	542

7) The name of the called function is queried one by one from the table above , such as:

Repeat the following table for the above actions:

Rva	Fileoffset	Hint	Name of function
00002110	510	019B	Loadicona
0000211C	31%	01DD	PostQuitMessage
000020f4	4f4	0128	Getmessagea
000020E0	4e0	0094	Dispatchmessagea
00002150	550	027D	TranslateMessage
00002164	564	028B	UpdateWindow
00002102	502	0197	Loadcursora
000020CE	4ce	0083	Defwindowproca
000020BC	4bc	0058	Createwindowexa
0000212E	52e	01EF	Registerclassexa
00002142	542	0265	ShowWindow

8) Of course you might think it's too much trouble to find the input table, but it's only after you've been able to figure out how the output table is going to be stored, and thus have a more thorough understanding of the PE file format. Next, we can easily find the input table and input functions through the powerful LORDPE. such as:

0x02 Summary

These two days look at encryption and decryption harvest is very large, for reverse cracking friends I strongly recommend reading this book, have the same interest of friends welcome comments Message Exchange.

PE file format detailed (vi)