;anti trick Ⅲ --erase module
;by 来自轻院的狼[immlep]
;www.ptteam.com
;http://immlep.blogone.net
一个偶然的机会,在学习PEB的时候,发现如果擦除EXE文件的模块信息,ImpREC会找不到正确的输入表,因为它找不到那个DLL文件;API监视器也无法正确监视API函数,同样是因为它找不到那个DLL文件。当然,这只不过是因为这些API监视器没有用到比较高深的东西(比如native api),它们用的信息都是从PEB来的。所以就有了下面这个方法。
PEB更详细的结构可以查阅ntundoc.chm,或者用baidu搜索。
PEB的结构:
kd> !strct PEB
!strct PEB
struct _PEB (sizeof=488)
+000
byte InheritedAddressSpace
+001
byte ReadImageFileExecOptions
+002
byte BeingDebugged
+003
byte SpareBool
+004 void *Mutant
+008 void *ImageBaseAddress
+00c struct _PEB_LDR_DATA *Ldr
+010 struct _RTL_USER_PROCESS_PARAMETERS *ProcessParameters
+014 void *SubSystemData
+018 void *ProcessHeap
+01c void *FastPebLock
+020 void *FastPebLockRoutine
+024 void *FastPebUnlockRoutine
+028 uint32 EnvironmentUpdateCount
+02c void *KernelCallbackTable
+030 uint32 SystemReserved[2]
+038 struct _PEB_FREE_BLOCK *FreeList
+03c uint32 TlsExpansionCounter
+040 void *TlsBitmap
+044 uint32 TlsBitmapBits[2]
+04c void *ReadOnlySharedMemoryBase
+050 void *ReadOnlySharedMemoryHeap
+054 void **ReadOnlyStaticServerData
+058 void *AnsiCodePageData
+05c void *OemCodePageData
+060 void *UnicodeCaseTableData
+064 uint32 NumberOfProcessors
+068 uint32 NtGlobalFlag
+070 union _LARGE_INTEGER CriticalSectionTimeout
+070 uint32 LowPart
+074 int32 HighPart
+070 struct __unnamed3 u
+070 uint32 LowPart
+074 int32 HighPart
+070 int64 QuadPart
+078 uint32 HeapSegmentReserve
+07c uint32 HeapSegmentCommit
+080 uint32 HeapDeCommitTotalFreeThreshold
+084 uint32 HeapDeCommitFreeBlockThreshold
+088 uint32 NumberOfHeaps
+08c uint32 MaximumNumberOfHeaps
+090 void **ProcessHeaps
+094 void *GdiSharedHandleTable
+098 void *ProcessStarterHelper
+09c uint32 GdiDCAttributeList
+0a0 void *LoaderLock
+0a4 uint32 OSMajorVersion
+0a8 uint32 OSMinorVersion
+0ac uint16 OSBuildNumber
+0ae uint16 OSCSDVersion
+0b0 uint32 OSPlatformId
+0b4 uint32 ImageSubsystem
+0b8 uint32 ImageSubsystemMajorVersion
+0bc uint32 ImageSubsystemMinorVersion
+0c0 uint32 ImageProcessAffinityMask
+0c4 uint32 GdiHandleBuffer[34]
+14c function *PostProcessInitRoutine
+150 void *TlsExpansionBitmap
+154 uint32 TlsExpansionBitmapBits[32]
+1d4 uint32 SessionId
+1d8 void *AppCompatInfo
+1dc struct _UNICODE_STRING CSDVersion
+1dc uint16 Length
+1de uint16 MaximumLength
+1e0 uint16 *Buffer
_PEB_LDR_DATA *Ldr的结构:
kd> !strct PEB_LDR_DATA
!strct PEB_LDR_DATA
struct _PEB_LDR_DATA (sizeof=36)
+00 uint32 Length
+04
byte Initialized
+08 void *SsHandle
+0c struct _LIST_ENTRY InLoadOrderModuleList ;存放着模块信息
+0c struct _LIST_ENTRY *Flink ;前一个链表成员地址
+10 struct _LIST_ENTRY *Blink ;后一个链表成员地址
+14 struct _LIST_ENTRY InMemoryOrderModuleList
+14 struct _LIST_ENTRY *Flink
+18 struct _LIST_ENTRY *Blink
+1c struct _LIST_ENTRY InInitializationOrderModuleList
+1c struct _LIST_ENTRY *Flink
+20 struct _LIST_ENTRY *Blink
typedef struct _LDR_MODULE {
LIST_ENTRY InLoadOrderModuleList;
LIST_ENTRY InMemoryOrderModuleList;
LIST_ENTRY InInitializationOrderModuleList;
PVOID BaseAddress;
PVOID EntryPoint;
ULONG SizeOfImage;
UNICODE_STRING FullDllName;
UNICODE_STRING BaseDllName;
ULONG Flags;
SHORT LoadCount;
SHORT TlsIndex;
LIST_ENTRY HashTableEntry;
ULONG TimeDateStamp;
} LDR_MODULE, *PLDR_MODULE;
代码如下。注意:擦除模块有时可能会出现一些问题,请自己揣摩之后再使用。
;-----------------------------------------------------------------------
; Unlink one module from the PEB loader lists (x86-32, MASM syntax).
; Walks PEB->Ldr->InLoadOrderModuleList, compares each entry's
; BaseDllName with L"kernel32.dll" via lstrcmpiW, and on a match
; rewrites the *predecessor's* InLoadOrder and InMemoryOrder links so
; that a forward (Flink) walk of those two lists no longer reaches the
; entry.
; This is a fragment, not a function. It relies on the host code (the
; author says it was inserted into yoda's protector) for:
;   ebp                     presumably the delta/base used by the host
;                           stub for its data area - confirm in the host
;   [ebp+offset pfirstmod]  dword scratch slot, written here
;   [ebp+_lstrcmpiW]        resolved address of lstrcmpiW
; Uses:  eax = current LDR_MODULE, ecx = BaseDllName.Buffer,
;        ebx = scratch while relinking
; Clobb: eax, ebx, ecx, flags. ebx is callee-saved under the x86
;        stdcall/cdecl ABIs, so the host must not keep a live value there.
; All offsets are hard-coded for the 32-bit layouts listed above
; (PEB+0Ch = Ldr, PEB_LDR_DATA+0Ch = InLoadOrderModuleList,
;  LDR_MODULE+2Ch = BaseDllName, whose Buffer field is at +30h).
; Detection note: InInitializationOrderModuleList, the removed entry's
; own Flink/Blink, the LDR_MODULE memory and the mapped image itself are
; all left untouched, so enumeration through any of those still shows
; the module.
;-----------------------------------------------------------------------
        mov     eax, fs:[30h]                   ; eax = PEB (fs points at the TEB on 32-bit Windows)
        mov     eax, [eax+0Ch]                  ; eax = PEB->Ldr (PEB_LDR_DATA)
        mov     eax, [eax+0Ch]                  ; eax = Ldr->InLoadOrderModuleList.Flink = first LDR_MODULE
        mov     [ebp+offset pfirstmod], eax     ; remember the first entry; the walk stops when it comes back here
continue:
        mov     ecx, [eax+30h]                  ; ecx = BaseDllName.Buffer (module name, UTF-16)
        push    eax                             ; keep the current entry across the call
        call    @F                              ; "call" pushes the address of the bytes below = 2nd arg of lstrcmpiW
        db 6Bh,00h,65h,00h,72h,00h,6Eh,00h,65h,00h,6Ch,00h,33h,00h,32h,00h,2Eh,00h,64h,00h,6Ch,00h,6Ch,00h,00h,00h
        ; L"kernel32.dll" as inline UTF-16LE bytes with a terminating 0000h.
        ; (The author notes an ASCII string converted with MultiByteToWideChar,
        ; or Four-F's $CTW0 macro, would work as well.)
@@:
        push    ecx                             ; 1st arg: BaseDllName.Buffer
        call    [ebp+_lstrcmpiW]                ; lstrcmpiW(BaseDllName.Buffer, L"kernel32.dll"); stdcall, callee pops both args
        ; Equivalent: invoke lstrcmpiW, ecx, addr modn
        ; (The author suggests more comparisons could be added here to handle several modules.)
        test    eax, eax                        ; 0 => names equal (case-insensitive)
        pop     eax                             ; restore the current entry; pop does not touch ZF
        je      wipemod                         ; match -> unlink this entry
        mov     eax, [eax]                      ; eax = InLoadOrderModuleList.Flink = next entry
        cmp     eax, [ebp+offset pfirstmod]
        jne     continue                        ; keep walking until the list wraps to the first entry
        ; NOTE(review): the list head (PEB_LDR_DATA.InLoadOrderModuleList) lies
        ; between the last and the first entry, so it is visited like a module
        ; and [head+30h] is read beyond the 36-byte PEB_LDR_DATA.
        jmp     @F                              ; not found: fall out without changing anything
wipemod:
        push    eax                             ; save the matching entry; eax is reused as the predecessor
        ; --- InLoadOrderModuleList (entry+0) ---
        mov     eax, [eax+4]                    ; eax = entry->Blink = predecessor
        mov     ebx, [eax]                      ; ebx = pred->Flink (this is the entry being removed)
        mov     ebx, [ebx]                      ; ebx = entry->Flink = successor
        mov     dword ptr [eax], ebx            ; pred->Flink = successor: a forward walk now skips the entry
        mov     ebx, [eax+4]                    ; ebx = pred->Blink
        mov     ebx, [ebx+4]                    ; ebx = pred->Blink->Blink
        mov     dword ptr [eax+4], ebx          ; pred->Blink = pred->Blink->Blink
        ; NOTE(review): the three stores above modify the predecessor's own Blink;
        ; the successor's Blink is never written and still points at the removed
        ; entry, so a backward (Blink) walk still reaches it and the list is left
        ; inconsistent - this is the author's "sometimes causes problems" caveat.
        pop     eax                             ; eax = the matching entry again
        add     eax, 8                          ; eax = &entry->InMemoryOrderModuleList
        ; --- InMemoryOrderModuleList (entry+8): same sequence, same caveat ---
        mov     eax, [eax+4]                    ; predecessor's InMemoryOrder link
        mov     ebx, [eax]                      ; pred->Flink (= this entry's link)
        mov     ebx, [ebx]                      ; entry->Flink = successor
        mov     dword ptr [eax], ebx            ; pred->Flink = successor
        mov     ebx, [eax+4]                    ; pred->Blink
        mov     ebx, [ebx+4]                    ; pred->Blink->Blink
        mov     dword ptr [eax+4], ebx          ; pred->Blink = pred->Blink->Blink
@@:
        ; Done: either every entry was checked or the match was unlinked; execution continues in the host code.
附件是我把这段代码加到yoda里面之后的版本。
附件:antiod&im.rar