PE file format detailed (vi)

Source: Internet
Author: User

0x00 Preface

The previous two articles cover the contents of the output table and how toHexworkshopthe output table and input are found in theDLL, it feels like there are a few places that are not well understood, such as by the Data Catalog tableDatadirectory[16]after finding the output table table, I think I found the inputDLLin fact, the final function of this process is to enterDLLFind InputDLLcalled function, this step is done by the output table in the structure of theOriginalfristthunkorOriginalfristthunkThe point ofINTorIATstructure to find. It is to be explained that, although the general situation is throughOriginalfristthunkyes, but in some cases its value is set to0, so it can't be exploited, and the most trusted way is throughFristthunkThe point ofIATtable to find. The following is an example of how this process can be practiced.

0x01 searching for input DLLs and functions for input DLL calls

materials and tools: PE.exe executable file, tools hexwrokshop,LORDPE

idea: Find PE File Header--"Find Data Catalog Table second item--" Through address translation Find output table array-"read out the output table array originalfristthunk,fristthunk Value--" The name address of the called function is read out by INT or IAT--" The function name is found by the name address.

1) Drag the target file into thehexwrokshop, the shortcut key ctrl+g jumps to the load address 3ch , here is PE file header address, such as:

2) jump to 40h, where it is the file header, such as:

3) jump to the PE file header +80h , where the address of the input data table is stored, such as:

4) rva=2040h conversion bit fileoffset address, here we use LORDPE assisted conversion, converted value is 440h.

5) jump to 440h, which is the output table IID array of data, each of five pairs of double words, ending with five pairs of double word 0. I have this example of a total of two groups, such as:

the above statistics are based on the field data in the following table ( PS: Since the hex is from low to high level of the statistics should pay attention to the low and middle position of transposition):

Originalfristthunk

TimeStamp

Forwardchain

Name

Fristthunk

0000208C

00000000

00000000

00002174

00002010

0000207C

00000000

00000000

000021b4

00002000

using the table Name Field we can directly introduce the name of the input DLL , the first name of the RVA is 2174h , the conversion to fileoffset value is:574h, jump to 574h, We can see that the first DLL is USER32. DLLs, such as:

the second item The Name value is RVA value 21b4h, conversion bit fileoffset value is 5b4h, jump to 574h, we know that the second DLL is KERNEL32. DLLs, such as:

6)know the inputDllIt 's not the end of our goal, we need to know.DLLall of the function name addresses called, here are two fields available, the first one isOriginalfristthunk, it points to a table named input name (INTStructure , this structure is made up of multipleImage_thunk_datathe array that the structure is composed of. The second one isFristthunk, it points to a table of names called input addresses (IATStructure , this structure also has multipleImage_thunk_datathe array that the structure is composed of. Image_thunk_dataeach item of a double word group points to another structure--Image_import_by_name. Ultimately throughImage_import_by_namefound byDLLthe function that is called. In general, these two pointers to the array values are equal. We will then use two fields to find the next one. Let's start with the first item.Originalfristthunkto try and put208Ctranslates toFileoffsetGet48ch. Fall off and jump toward48ch, as a result, a total of 11 items, in double word0end.

we use Fristthunk to try, convert 2010h to fileoffset 410h, jump to 410h, you can get:

They all have the following values:

102100001c210000f4200000e0200000502100006421000002210000ce200000bc2000002e21000042210000, The following table splits the data by eight bytes and flips:

the first item points to the Iamge_thunk_data Array

00002164

TD valign= "Top" width= "143" >

00002110

0000211C

000020f4

000020E0

00002150

00002102

000020CE

000020BC

0000212E

00002142

 

 

 

 

 

Next, for address translation, the following table:

510

31%

4f4

4e0

550

564

502

4ce

4bc

52e

542

7) The name of the called function is queried one by one from the table above , such as:

Repeat the following table for the above actions:

Rva

Fileoffset

Hint

Name of function

00002110

510

019B

Loadicona

0000211C

31%

01DD

PostQuitMessage

000020f4

4f4

0128

Getmessagea

000020E0

4e0

0094

Dispatchmessagea

00002150

550

027D

TranslateMessage

00002164

564

028B

UpdateWindow

00002102

502

0197

Loadcursora

000020CE

4ce

0083

Defwindowproca

000020BC

4bc

0058

Createwindowexa

0000212E

52e

01EF

Registerclassexa

00002142

542

0265

ShowWindow

8) Of course you might think it's too much trouble to find the input table, but it's only after you've been able to figure out how the output table is going to be stored, and thus have a more thorough understanding of the PE file format. Next, we can easily find the input table and input functions through the powerful LORDPE. such as:

0x02 Summary

These two days look at encryption and decryption harvest is very large, for reverse cracking friends I strongly recommend reading this book, have the same interest of friends welcome comments Message Exchange.

PE file format detailed (vi)

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.