==Ph4nt0m Security Team==
Issue 0x02, Phile #0x0A of 0x0A
|=---------------------------------------------------------------------------=|
|=----------------------=[ pe/elf ???????????? ]=----------------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=--------------------------=[ By dummy ]=--------------------------=|
|=-----------------------=[ <dummy_at_ph4nt0m.org> ]=----------------------=|
|=---------------------------------------------------------------------------=|
????
????????????????????????????????????????????????????????????
??x86????win32 pe??linux elf ??????????????????????????????д???
???????????????????г?????????????????????????????????и????
ps: ??????Щ????????????????е?????????????????:)
?????
-------------------------------------------------------
slm x86 win32 r3 pe packer
mimisys x86 win32 r0 pe packer
elfp x86 linux r3 elf packer
-------------------------------------------------------
????????????
?????????????????? 2 ????????? packer ?? loader?????????????÷?????
(1) packer
??????????????????????????loaderд???????????????slm??packer
????????????????pe??Ч???ж???????????????????????????loader?????
?????????????????????oep????????д???????
(2) loader
??????????????????????????slm??loader??????????????????????
??λ?á???????????????н??????????????????λ??tls ?????????
????slm (x86 win32 r3 pe packer)
????:
http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx
?????
lordpe pe ??????????????
dumpbin vc ???coff????????????
ollydbg r3 ???????
??????
./slm/cm ?????????????
./slm/pk packer ???
./slm/sc loader ???
??????????? pe ???????????? slm ??????????????Щ????:)??????
??????????? slm ????????????????????????????????????????????Щ??????
(1) ????????
slm ????????????????????????????????????????????鰱???????
????????????????????????????????????????????????????????????
?????????????????:)
??IMAGE_NT_HEADERS.IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_RESOURCE]
?????????????res_rva?????????????????????IMAGE_RESOURCE_DIRECTORY
IMAGE_RESOURCE_DIRECTORY:
NumberOfIdEntries ???? id ????????????
NumberOfNamedEntries ???? name ????????????
?????IMAGE_RESOURCE_DIRECTORY??????IMAGE_RESOURCE_DIRECTORY_ENTRY??
???飬???????????????? NumberOfIdEntries + NumberOfNamedEntries??
IMAGE_RESOURCE_DIRECTORY_ENTRY:
Id ??id?????NameIsString???????Ч
NameIsString ????????????????????????NameOffset??Ч
NameOffset ????????????, ??????????res_rva*???
DataIsDirectory ?????? OffsetToData ??Ч??????OffsetToDirectory
??Ч
OffsetToData ??????????????????rva
OffsetToDirectory ????????????????rva
????????????????????????NameOffset???PIMAGE_RESOURCE_DIR_STRING_U
????????????unicode?????????????????β???????????????????????
??????id, ????????winnt.h ???塣????id??RT_ICON??RT_VERSION????
?????????????????е?????OffsetToDirectory??OffsetToData?????
???? DWORD ????????????????????
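A walker for the resource tree described above, as an added example that is not part of slm or the original article: it is in Python rather than the packer's own code, the sample tree (RT_VERSION -> "TEST" -> language 0x409) is constructed inline, and the data entry's rva 0x3000 is an assumed value. It shows the NameIsString / DataIsDirectory high bits, the NameOffset -> IMAGE_RESOURCE_DIR_STRING_U lookup, and the bounds checks a packer needs so a corrupt tree cannot send the walker out of the buffer.

```python
import struct

SUBDIR = 0x80000000          # high bit: NameIsString in Name, DataIsDirectory in OffsetToData
RT_VERSION = 16              # resource type id from winnt.h

def _dir(named, ids):        # IMAGE_RESOURCE_DIRECTORY, 16 bytes; named entries come before id entries
    return struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)

def _entry(name, data):      # IMAGE_RESOURCE_DIRECTORY_ENTRY, 8 bytes
    return struct.pack("<II", name, data)

# Constructed sample resource section (offsets are relative to res_rva, i.e. to RES[0]):
#   root dir @0 -> type dir @24 -> name dir @48 -> data entry @84, name string @72
RES = b"".join([
    _dir(0, 1), _entry(RT_VERSION, SUBDIR | 24),        # root: one id entry (RT_VERSION)
    _dir(1, 0), _entry(SUBDIR | 72, SUBDIR | 48),       # type dir: named entry "TEST"
    _dir(0, 1), _entry(0x409, 84),                      # name dir: language 0x409 -> data entry
    struct.pack("<H", 4) + "TEST".encode("utf-16-le") + b"\0\0",   # IMAGE_RESOURCE_DIR_STRING_U (+pad)
    struct.pack("<IIII", 0x3000, 0x20, 0, 0),           # IMAGE_RESOURCE_DATA_ENTRY: OffsetToData is an rva
])

def read_name(res, name_field):
    """Name union: NameIsString set -> counted UTF-16 string at NameOffset, else a numeric Id."""
    if name_field & SUBDIR:
        off = name_field & 0x7FFFFFFF
        (length,) = struct.unpack_from("<H", res, off)
        return res[off + 2:off + 2 + 2 * length].decode("utf-16-le")
    return name_field & 0xFFFF

def walk_resources(res, off=0, path=(), depth=0):
    """Yield (path, data_rva, size) for every leaf of the tree. A packer walks this so the
    resource section (icons, version info) stays readable after packing; the depth and
    offset checks stop a corrupt tree from recursing forever or reading past the buffer."""
    if depth > 3 or off + 16 > len(res):
        raise ValueError("malformed resource directory")
    named, ids = struct.unpack_from("<HH", res, off + 12)
    for i in range(named + ids):
        name, data = struct.unpack_from("<II", res, off + 16 + 8 * i)
        sub = path + (read_name(res, name),)
        if data & SUBDIR:                                # DataIsDirectory -> OffsetToDirectory
            yield from walk_resources(res, data & 0x7FFFFFFF, sub, depth + 1)
        else:                                            # offset of IMAGE_RESOURCE_DATA_ENTRY
            rva, size = struct.unpack_from("<II", res, data)
            yield sub, rva, size
```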
(2) ????????
??IMAGE_NT_HEADERS.IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_IMPORT]
???????????imp_rva?????????????????????IMAGE_IMPORT_DESCRIPTOR??
IMAGE_IMPORT_DESCRIPTOR:
Name ????? dll ?????????????? rva
FirstThunk ??? IMAGE_THUNK_DATA ???壬??????? rva
OriginalFirstThunk ???FirstThunk ?????, ??????????????? rva
??????IMAGE_IMPORT_DESCRIPTOR?????????????鳤???????Name???????
????????
FirstThunk??OriginalFirstThunk?????????IMAGE_THUNK_DATA????????????
?????????????????е?????????????FirstThunk??????????
(3) TLS ????
???????tls????ν????tls(??pe?????????????)??????????tls???????
??windows ???????????????
1??tls ????????
???????vc?????????tls???????????__declspec(thread) int x = 0;??????
????????????????????.tls????С??????????????????????????????Ψ
?????????IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_TLS]????????????
???????????????????IMAGE_TLS_DIRECTORY??
IMAGE_TLS_DIRECTORY:
StartAddressOfRawData tls?????????????va
EndAddressOfRawData tls??????????????va
AddressOfIndex tls slot?????????tls slot?0
AddressOfCallBacks ??????PIMAGE_TLS_CALLBACK?????飬???????
??0??β?????PIMAGE_TLS_CALLBACK????va????
SizeOfZeroFill ??????????????? 0 ??????С
Characteristics
2??????????????????exe??tls
????????????????λ???????????????????tls?????????tls_dir??
???tls??????СEndAddressOfRawData - StartAddressOfRawData +
SizeOfZeroFill, ?????С?????????棬???????(PDWORD)fs:[0x2c] +
tls_slot, ???????StartAddressOfRawData -> EndAddressOfRawData??????
????·????????У???????SizeOfZeroFill ??????μ?????????????????
??AddressOfCallBacks?е??????PIMAGE_TLS_CALLBACK??????DllMain??????
?????з??????
3??????????????????dll??tls
???????dll????????tls???Ψ???????AddressOfCallBacks???÷????
??Щ??????????dll???????????????????????????????????????????
???????tls callback????????LoadLibrary??????????????
(4) rva & raw ???
pe ?????????????????????rva, rva??pe?????????????????????
?????????????????????м?????????????map??????????????????????
????????rva?????????(?????pe?????????????????д??????????????????
????10?а汾???????????????????????? - -??
????????????μ?rva2raw?汾?????????????
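Added example, not code from slm: an rva2raw that handles the awkward cases of the mapping just discussed (an rva inside the headers, an rva inside VirtualSize but beyond SizeOfRawData, an rva outside every section), with the import-descriptor walk from section (2) built on top of it. The section table and the on-disk image are constructed inline and all their values are assumptions.

```python
import struct

# Constructed section table: (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData).
# .idata has VirtualSize > SizeOfRawData: its tail exists in memory (zero-filled) but not on disk.
SECTIONS = [(".text", 0x1000, 0x100, 0x200, 0x200), (".idata", 0x2000, 0x300, 0x400, 0x200)]
HEADER_SIZE = 0x200                                   # SizeOfHeaders (assumed)

def rva2raw(rva, sections=SECTIONS):
    """rva -> file offset, or None when no file byte backs it (outside the image, or in a
    section's zero-filled tail); both cases are classic sources of packer bugs."""
    if rva < HEADER_SIZE:                             # headers are mapped 1:1 at rva 0
        return rva
    for _, va, vsize, raw, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return raw + (rva - va) if rva - va < rawsize else None
    return None

def c_string(buf, off):                               # NUL-terminated ASCII string at a file offset
    return buf[off:buf.index(b"\0", off)].decode("ascii")

def walk_imports(image, imp_rva):
    """Walk IMAGE_IMPORT_DESCRIPTORs (array ends at an all-zero entry) and each thunk array
    (ends at 0); returns {dll: [function name or ordinal, ...]}."""
    result, off = {}, rva2raw(imp_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", image, off)
        if name_rva == 0:
            break
        names, t = [], rva2raw(oft or ft)             # OriginalFirstThunk, else FirstThunk
        while True:
            thunk = struct.unpack_from("<I", image, t)[0]
            if thunk == 0:
                break
            if thunk & 0x80000000:                    # IMAGE_ORDINAL_FLAG32: import by ordinal
                names.append(thunk & 0xFFFF)
            else:                                     # rva of IMAGE_IMPORT_BY_NAME: Hint, Name
                names.append(c_string(image, rva2raw(thunk) + 2))
            t += 4
        result[c_string(image, rva2raw(name_rva))] = names
        off += 20                                     # sizeof(IMAGE_IMPORT_DESCRIPTOR)
    return result

def build_sample():
    """Constructed 0x600-byte file whose .idata imports ExitProcess and ordinal 7 from KERNEL32.dll."""
    img = bytearray(0x600)
    img[0x400:0x428] = struct.pack("<5I", 0x2038, 0, 0, 0x2028, 0x2044) + bytes(20)  # descriptors @ rva 0x2000
    img[0x428:0x435] = b"KERNEL32.dll\0"                                              # Name @ rva 0x2028
    thunks = struct.pack("<3I", 0x2050, 0x80000007, 0)
    img[0x438:0x444], img[0x444:0x450] = thunks, thunks                               # OriginalFirstThunk, FirstThunk
    img[0x450:0x45e] = b"\0\0ExitProcess\0"                                           # Hint + Name @ rva 0x2050
    return bytes(img)
```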
????mimisys (x86 win32 r0 pe packer)
?????
Windows Research Kernel
wrk/base/ntos/mm/sysload.c:MmLoadSystemImage
????:
syser ??????????????????????????r0??????
vmware ??????????????????????????
?????????Щ????ο?slm, ?????????r0 pe??r3 pe???????????
(1) ????
r0??????泣?????????????sys section?????м?????????
1???????????????
????治????????????????????????????section object, ???????
pageout????????????????????????????????????????????????
???????棩????????VirtualAddress?????VirtualSize??????????????
???????????????????檔
2???????С????
?????sys?????????????С???????????????????????????????
?????????????????????????????????????????С???????
SizeOfRawData??????????VirtualSize?????????δ????????mimisys?????
??SizeOfImage????????????????δ?????????????????????????
(2) checksumУ??
??仰: ????????checksum sys???????????????
(3) win2k???????
win2k????????????????nt???м????????r3??r0???????Щ????????r3 pe
???????е????????????????r0 pe??????????λ?????????????????????
?????????????????????λ?????ɡ?
mimisys???????????????????????????????????????loader, ???
loader??????????????????????????????????????????????λ??????????
??????????????????????????????
???elfp (x86 linux r3 elf packer)
?????
Tool Interface Standard (TIS) Executable and Linking Format
http://www.x86.org/ftp/manuals/tools/elf.pdf
??2? ????????????8,9 ELF???????
http://linux.insigma.com.cn/jszl.asp?docid=132762762
http://linux.insigma.com.cn/jszl.asp?docid=133617926
linux ??????
linux/fs/binfmt_elf.c:load_elf_binary
????:
objdump ????elf???????????
http://www.gnu.org/software/binutils/binutils.html
ald ???????????gdb?????????е????????????
http://ald.sourceforge.net/
elfp????magiclinux????linux elf?????????
elf??????linux??????????????????????????coff????????????????????
pe????????????????????????????л?? pe ????????????????????
elf??????????????????Elf32_Ehdr???
typedef struct
{
    unsigned char e_ident[EI_NIDENT]; /* Magic number and other info */
    Elf32_Half    e_type;             /* Object file type */
    Elf32_Half    e_machine;          /* Architecture */
    Elf32_Word    e_version;          /* Object file version */
    Elf32_Addr    e_entry;            /* Entry point virtual address */
    Elf32_Off     e_phoff;            /* Program header table file offset */
    Elf32_Off     e_shoff;            /* Section header table file offset */
    Elf32_Word    e_flags;            /* Processor-specific flags */
    Elf32_Half    e_ehsize;           /* ELF header size in bytes */
    Elf32_Half    e_phentsize;        /* Program header table entry size */
    Elf32_Half    e_phnum;            /* Program header table entry count */
    Elf32_Half    e_shentsize;        /* Section header table entry size */
    Elf32_Half    e_shnum;            /* Section header table entry count */
    Elf32_Half    e_shstrndx;         /* Section header string table index */
} Elf32_Ehdr;
e_ident ?? elf.h ?ж???? ELFMAG ??????????????
e_entry ??????????(??????? pe ??????? rva)
e_phoff Elf32_Phdr ???????????
e_shoff Elf32_Shdr ???????????
e_ehsize Elf32_Ehdr ?????С
e_phentsize Elf32_Phdr ????С
e_phnum Elf32_Phdr ??????????
e_shentsize Elf32_Shdr ????С
e_shnum Elf32_Shdr ??????????
??Elf32_Ehdr???Elf32_Phdr???飬Elf32_Phdr???????Elf32_Ehdr.e_ehsize??
?????Elf32_Ehdr???饗??жα?)????????phdr????pe?????
typedef struct
{
    Elf32_Word p_type;   /* Segment type */
    Elf32_Off  p_offset; /* Segment file offset */
    Elf32_Addr p_vaddr;  /* Segment virtual address */
    Elf32_Addr p_paddr;  /* Segment physical address */
    Elf32_Word p_filesz; /* Segment size in file */
    Elf32_Word p_memsz;  /* Segment size in memory */
    Elf32_Word p_flags;  /* Segment flags */
    Elf32_Word p_align;  /* Segment alignment */
} Elf32_Phdr;
p_type ????????ε???????????
p_offset ?????????????????????pe???е?PointerToRawData
p_vaddr ????????????????????, ????pe???е?VirtualAddress
p_filesz ????????????д?С??????pe???е?SizeOfRawData
p_memsz ????????????????д?С??????pe???е?VirtualSize
p_flags ????????ε?????????????pe???е??????
p_align ?ζ???????
p_type???????????
PT_LOAD ?????????????????
PT_PHDR ????δ?????Elf32_Phdr????
PT_INTERP ????δ????????????????????????????????????????????
??????????????elf???????????????????windows??ntdll???
pe?????elf????????????????????λ??????????????
p_flags ?????????
PF_X ????ο????
PF_W ????ο?д
PF_R ????ο??
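Added example (not code from elfp): reading Elf32_Ehdr and the Elf32_Phdr table the way a loader does, with the ELFMAG check on e_ident and the PT_INTERP / PT_LOAD / PF_* handling described above; p_memsz > p_filesz is the zero-filled (bss) case. The sample ELF image is constructed inline and its addresses and interpreter path are assumptions.

```python
import struct

EHDR_FMT, PHDR_FMT = "<16sHHIIIIIHHHHHH", "<8I"     # Elf32_Ehdr (52 bytes), Elf32_Phdr (32 bytes)
ELFMAG, ELFCLASS32 = b"\x7fELF", 1
PT_LOAD, PT_INTERP = 1, 3
PF_X, PF_W, PF_R = 1, 2, 4

def parse_elf(img):
    """Check e_ident, then walk the Elf32_Phdr table as a loader would: record e_entry,
    the PT_INTERP path and every PT_LOAD segment as (p_vaddr, p_filesz, p_memsz, perms)."""
    eh = struct.unpack_from(EHDR_FMT, img, 0)
    e_ident, e_entry, e_phoff, e_phentsize, e_phnum = eh[0], eh[4], eh[5], eh[9], eh[10]
    if e_ident[:4] != ELFMAG or e_ident[4] != ELFCLASS32:
        raise ValueError("not a 32-bit ELF image")
    if e_phentsize != 32 or e_phoff + 32 * e_phnum > len(img):  # phdr table must lie inside the file
        raise ValueError("bad program header table")
    view = {"entry": e_entry, "interp": None, "load": []}
    for i in range(e_phnum):
        p_type, p_offset, p_vaddr, _paddr, p_filesz, p_memsz, p_flags, _align = \
            struct.unpack_from(PHDR_FMT, img, e_phoff + 32 * i)
        if p_type == PT_INTERP:                           # path of the dynamic loader
            view["interp"] = img[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
        elif p_type == PT_LOAD:                           # p_memsz > p_filesz: tail is zero-filled
            perms = "".join(c if p_flags & f else "-" for c, f in (("r", PF_R), ("w", PF_W), ("x", PF_X)))
            view["load"].append((p_vaddr, p_filesz, p_memsz, perms))
    return view

def build_sample_elf():
    """Constructed minimal ET_EXEC for EM_386 (no section headers): PT_INTERP plus a r-x text
    segment and a rw- data segment that is bss only. Addresses and interpreter path are assumed."""
    interp = b"/lib/ld-linux.so.2\0"
    phdrs = [(PT_INTERP, 148, 0x08048094, 0x08048094, len(interp), len(interp), PF_R, 1),
             (PT_LOAD, 0, 0x08048000, 0x08048000, 0x100, 0x100, PF_R | PF_X, 0x1000),
             (PT_LOAD, 0x100, 0x08049100, 0x08049100, 0, 0x200, PF_R | PF_W, 0x1000)]
    img = bytearray(0x100)
    img[0:52] = struct.pack(EHDR_FMT, ELFMAG + b"\x01\x01\x01" + bytes(9),    # class32, LSB, version 1
                            2, 3, 1, 0x080480a0, 52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    for i, p in enumerate(phdrs):
        img[52 + 32 * i:84 + 32 * i] = struct.pack(PHDR_FMT, *p)
    img[148:148 + len(interp)] = interp
    return bytes(img)
```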
??Elf32_Ehdr(?α?)??????Elf32_Shdr????(???)????????????????????????
???н???????????pe??????????pe?????????????????????pe?е??????????
??e???????nt header??data_dir[]??????????????????????????????????????
?????????洢??????????汾???????????????elfp??????????????
?????????elfp??loader?????????????????????????elf??????????????
?????????????????л???????????push???Щ??????
// ???????
// +-------------------+
// | return address | ??????
// +-------------------+
// | argc | ????????
// +-------------------+
// | argv[?], NULL | ????????? NULL ??β
// +-------------------+
// | envp[?], NULL | ????????? NULL ??β
// +-------------------+
// | auxv[?] | ??????????????????????????????????,
// +-------------------+ ??????elf????????????????????????
?????????????д?????д??????????y???????
??????????????????????
elfp??loader????????????????:
???????-->??????ν?????????????-->????????????????-->????
??α????д auxv-->?????????-->???y?????
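Added example (not elfp's loader): building the startup stack in the layout drawn above, i.e. argc, argv[] ending in NULL, envp[] ending in NULL, then the auxv pairs ending in AT_NULL, with the strings placed just below the stack top and esp kept 16-byte aligned. stack_top, the auxv values and the argv/envp strings are assumptions. The return-address slot at the top of the diagram is left out, since it depends on how the loader's own code transfers control to the entry point.

```python
import struct

AT_NULL, AT_PHDR, AT_PHNUM, AT_ENTRY = 0, 3, 5, 9     # auxv tags from <elf.h>

def build_initial_stack(stack_top, argv, envp, auxv):
    """Return (stack image, esp) laid out as the kernel or a loader hands it to the ELF entry:
    esp -> argc, argv[0..], NULL, envp[0..], NULL, auxv pairs, (AT_NULL, 0); the strings
    themselves sit just below stack_top and the pointer arrays point up at them."""
    blob, offsets = b"", []
    for s in argv + envp:                                 # 1. copy the strings, remember positions
        offsets.append(len(blob))
        blob += s.encode() + b"\0"
    str_base = stack_top - len(blob)
    ptrs = [str_base + o for o in offsets]
    words = [len(argv)] + ptrs[:len(argv)] + [0] + ptrs[len(argv):] + [0]   # argc, argv, NULL, envp, NULL
    for tag, val in auxv + [(AT_NULL, 0)]:                # 2. auxv pairs, terminated by AT_NULL
        words += [tag, val]
    esp = (str_base - 4 * len(words)) & ~0xF              # 3. keep esp 16-byte aligned
    pad = str_base - 4 * len(words) - esp                 # alignment gap between auxv and strings
    return struct.pack("<%dI" % len(words), *words) + bytes(pad) + blob, esp

def word_at(image, esp, addr):
    """Read the 32-bit word at address addr of a stack image whose first byte lives at esp."""
    return struct.unpack_from("<I", image, addr - esp)[0]

# Constructed sample: stack top, argv, envp and two auxv entries (all addresses are assumptions)
SAMPLE = (0xC0000000, ["./a.out", "x"], ["PATH=/bin"],
          [(AT_PHDR, 0x08048034), (AT_ENTRY, 0x080480a0)])
```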
???? elf ?????????????ο????????????????????????????????????
?塢???
[1] ???????
./pstzine_0A_01.zip
-EOF-