
[求助]凑热闹。

2008-10-2 02:33
2142
得分多少不要紧,重要的是我把题目的意思理解错了。

1.

完成 1.为DLL文件新增输出表,同时增加输出函数OpenUrlA。没有什么现成的工具(可能是我没有找到),就用C写一段代码来完成吧:

2.OpenUrlA函数的功能是执行 explorer.exe http://bbs.pediy.com,由此调起IE浏览器打开该网址,打开后无其他操作;
添加一个字符串其实挺好.

这一段ShellCode是将就着拿一段现成代码改了改,没有仔细去优化,大概能跑起来就行了。

PS:貌似我对题目的意思不是很理解,加载WinExec应该可以通过导入表来引入吧?
不过看到了“如果期间有数据或者遍历的代码也算进去”这句话,估计就是指要写成ShellCode吧?
如果这样的话
例3:选手第一次提交的OpenUrlA函数大小是16字节,则得分:
得分=min[1.0,(13/16)]×100-(1-1)×5=81.25分

那就不可能得分这么高,这段ShellCode少于100字节是不可能完成的。

如果通过导入表,我想也就是两个push、一个call(5 + 5 + 2),再加一个ret,刚好13个字节?

3.问题?
如果用IDA把这玩意儿弄成ASM然后再编译算不算作弊?

4.
测试平台 Windows XP Sp2,Windows Vista Ultimate

测试代码:

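        // Load the patched DLL and call its new export once. LoadLibraryA runs the
        // DLL's DllMain; the call below runs the embedded code.
        HMODULE hModule = ::LoadLibraryA(strFilePath);
        if(hModule != NULL)
        {
                // GetProcAddress returns NULL when the export is missing (e.g. the
                // patch did not take); calling through NULL would crash the test
                // instead of failing it.
                TCallTest * pCallTest = (TCallTest *) GetProcAddress(hModule,"OpenUrlA");
                if(pCallTest != NULL)
                {
                        pCallTest();
                }
                ::FreeLibrary(hModule);
        }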

完整代码:

// AddExportTable.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <stdio.h>
#include <Windows.h>
// Target-specific constants. Everything below is tied to one particular input DLL
// (strFilePath); the patcher does not derive any offset from the file it opens.
const char strDllName[] = "fOx";            // DLL name stored in the new export directory
const char strExportName[] = "OpenUrlA";    // the single exported function name
const char strFilePath[] = "F:\\Debug\\Tencert\\Pediy\\01\\pediy_done.dll";  // patched IN PLACE, no backup copy
// Position-independent x86 code that is copied into the first section and exported
// as OpenUrlA. The patcher treats it as opaque bytes. Per the author's notes it
// locates WinExec at run time; the trailing bytes decode to the ASCII command line
// "explorer.exe http://bbs.pediy.com" followed by a terminating NUL.
const BYTE ShellCodeData[] =
{
0x60, 0xFC, 0xE8, 0x45, 0x00, 0x00, 0x00, 0x8B, 0x45, 0x3C,
0x36, 0x8B, 0x7C, 0x28, 0x78, 0x03, 0xFD, 0x8B, 0x4F, 0x18,
0x8B, 0x5F, 0x20, 0x03, 0xDD, 0x49, 0x8B, 0x34, 0x8B, 0x03,
0xF5, 0x33, 0xC0, 0x99, 0xAC, 0x84, 0xC0, 0x74, 0x07, 0xC1,
0xCA, 0x0D, 0x03, 0xD0, 0xEB, 0xF4, 0x3B, 0x54, 0x24, 0x04,
0x75, 0xE5, 0x8B, 0x5F, 0x24, 0x03, 0xDD, 0x66, 0x8B, 0x0C,
0x4B, 0x8B, 0x5F, 0x1C, 0x03, 0xDD, 0x8B, 0x1C, 0x8B, 0x03,
0xDD, 0x89, 0x5C, 0x24, 0x04, 0xC3, 0x33, 0xC0, 0x64, 0x8B,
0x40, 0x30, 0x85, 0xC0, 0x78, 0x0C, 0x8B, 0x40, 0x0C, 0x8B,
0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0xEB, 0x09, 0x8B, 0x80,
0xB0, 0x00, 0x00, 0x00, 0x8B, 0x68, 0x3C, 0x5F, 0x6A, 0x01,
0x8B, 0xC7, 0x05, 0x7B, 0x00, 0x00, 0x00, 0x50, 0x68, 0x98,
0xFE, 0x8A, 0x0E, 0xFF, 0xD7, 0x58, 0xFF, 0xD3, 0x61, 0xC3,
0x65, 0x78, 0x70, 0x6C, 0x6F, 0x72, 0x65, 0x72, 0x2E, 0x65,
0x78, 0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F,
0x62, 0x62, 0x73, 0x2E, 0x70, 0x65, 0x64, 0x69, 0x79, 0x2E,
0x63, 0x6F, 0x6D, 0x00
};
// Placement of the two patches, chosen by hand for this DLL. Note the naming: "Rva"
// here is the FILE offset the bytes are written at and "Va" is the RVA the same bytes
// have once the image is loaded. The author's side comments give the raw-data span
// each patch is expected to sit in; nothing verifies that against the file.
const DWORD ShellCodeDataRva   = 0x4CA;  // From 04CAh -> 600h
const DWORD ShellCodeDataVa    = 0x10CA;
const DWORD ExportTableDataRva = 0x6AB;  // From 06ABh -> 800h;
const DWORD ExportTableDataVa  = 0x20AB;   // From 20ABh -> 3000h;
// State of the in-place file mapping; owned by OpenFile()/CloseFile().
HANDLE hFile;
HANDLE hFileMapping;
LPVOID pFileData = NULL;  // base of the mapped view, i.e. file offset 0; NULL when not mapped
// Reset the file-mapping globals to their "nothing open" values:
// INVALID_HANDLE_VALUE for both handles, NULL for the view pointer.
void InitializeVariables()
{
        hFile = INVALID_HANDLE_VALUE;
        hFileMapping = INVALID_HANDLE_VALUE;
        pFileData = NULL;
}
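// Open the target DLL read/write and map the whole file so it can be patched in place.
//
// On success hFile, hFileMapping and pFileData are all valid. On any failure the Win32
// error is reported on stderr, everything opened so far is released, the globals are
// reset by InitializeVariables() and pFileData stays NULL, which callers test.
// The original version stored GetLastError() into an unused local and carried on
// with an invalid handle; each step is now checked.
void OpenFile()
{
        hFile = ::CreateFileA(strFilePath, FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
                DWORD err = GetLastError();
                fprintf(stderr, "CreateFileA(%s) failed, error %lu\n", strFilePath, err);
                InitializeVariables();
                return;
        }
        // Maximum size 0/0 = the current file size: the patch only overwrites bytes
        // that already exist in the file, it never extends it.
        hFileMapping = ::CreateFileMappingA(hFile, NULL, PAGE_READWRITE, 0, 0, NULL);
        if (hFileMapping == NULL)
        {
                DWORD err = GetLastError();
                fprintf(stderr, "CreateFileMappingA failed, error %lu\n", err);
                ::CloseHandle(hFile);
                InitializeVariables();
                return;
        }
        pFileData = ::MapViewOfFile(hFileMapping, FILE_MAP_ALL_ACCESS, 0, 0, 0);
        if (pFileData == NULL)
        {
                DWORD err = GetLastError();
                fprintf(stderr, "MapViewOfFile failed, error %lu\n", err);
                ::CloseHandle(hFileMapping);
                ::CloseHandle(hFile);
                InitializeVariables();
                return;
        }
}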
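// Release the mapping set up by OpenFile() in reverse order, skipping anything that
// was never opened (the original closed INVALID_HANDLE_VALUE/NULL unconditionally),
// then reset the globals.
//
// FlushViewOfFile writes the dirty pages out before the view is dropped, so the
// LoadLibraryA that follows in _tmain reads the patched bytes rather than depending
// on lazy write-back.
void CloseFile()
{
        if (pFileData != NULL)
        {
                ::FlushViewOfFile(pFileData, 0);
                ::UnmapViewOfFile(pFileData);
        }
        if (hFileMapping != NULL && hFileMapping != INVALID_HANDLE_VALUE)
        {
                ::CloseHandle(hFileMapping);
        }
        if (hFile != NULL && hFile != INVALID_HANDLE_VALUE)
        {
                ::CloseHandle(hFile);
        }
        InitializeVariables();
}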
// Views into the mapped file, set by OpenPE(); only valid while pFileData is mapped.
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNtHeaders;          // IMAGE_NT_HEADERS32 only when this tool is itself built as 32-bit
PIMAGE_EXPORT_DIRECTORY pExportDir;    // the export directory this tool writes, at file offset ExportTableDataRva
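// Translate an RVA that falls inside the appended export block into a pointer into
// the mapped file. The block starts at file offset ExportTableDataRva, which the
// author determined corresponds to RVA ExportTableDataVa, so the two differ by a
// constant. Pointer arithmetic here replaces the original `(DWORD)pFileData`
// form, which truncated the pointer to 32 bits.
static PBYTE ExportRvaToFilePtr(DWORD rva)
{
        return (PBYTE)pFileData + ExportTableDataRva + (rva - ExportTableDataVa);
}

// Check that a (file offset, RVA, size) patch lies inside one section's raw data and
// that the offset/RVA pair agrees with that section's own file->memory mapping.
// Bytes past SizeOfRawData never come from the file, so a patch there would be lost.
static bool PatchFitsInSection(const IMAGE_SECTION_HEADER & sec, DWORD fileOffset, DWORD rva, DWORD size)
{
        if (fileOffset < sec.PointerToRawData || rva < sec.VirtualAddress)
        {
                return false;
        }
        if (fileOffset - sec.PointerToRawData != rva - sec.VirtualAddress)
        {
                return false;
        }
        return fileOffset - sec.PointerToRawData + size <= sec.SizeOfRawData;
}

// Patch the mapped DLL in place: copy ShellCodeData into the first section, build a
// minimal export directory (one function, exported by name as strExportName) in the
// second section, and point the PE export data directory at it.
//
// Checked before anything is written: pFileData is mapped, the MZ and PE signatures
// are present, there are at least two sections, the image has no export directory
// yet (overwriting one would silently break existing exports), and both hard-coded
// patches fall inside the raw data of the section they are meant for. On any failure
// a message goes to stderr and the image is left untouched; the function keeps its
// void interface, so _tmain detects failure only through the missing export.
//
// Not checked: that the chosen offsets really are unused padding (the author's offset
// comments say so), and that this tool is built as 32-bit so that IMAGE_NT_HEADERS
// matches the 32-bit target layout.
void OpenPE()
{
        if (pFileData == NULL)
        {
                fprintf(stderr, "OpenPE: file is not mapped\n");
                return;
        }
        pDosHeader = (PIMAGE_DOS_HEADER)pFileData;
        if (pDosHeader->e_magic != IMAGE_DOS_SIGNATURE)
        {
                fprintf(stderr, "OpenPE: missing MZ signature\n");
                return;
        }
        pNtHeaders = (PIMAGE_NT_HEADERS)((PBYTE)pDosHeader + pDosHeader->e_lfanew);
        if (pNtHeaders->Signature != IMAGE_NT_SIGNATURE)
        {
                fprintf(stderr, "OpenPE: missing PE signature\n");
                return;
        }
        if (pNtHeaders->FileHeader.NumberOfSections < 2)
        {
                fprintf(stderr, "OpenPE: expected at least two sections\n");
                return;
        }
        if (pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].Size != 0)
        {
                fprintf(stderr, "OpenPE: image already has an export directory, refusing to overwrite it\n");
                return;
        }

        // Size of the export block in the order it is written below. The ordinal slot is
        // reserved as a DWORD although only a WORD is stored, to keep the exact layout
        // the author tested.
        const DWORD ExportBlockSize = sizeof(IMAGE_EXPORT_DIRECTORY)
                + sizeof(strDllName)
                + sizeof(DWORD)          // AddressOfNameOrdinals[0] slot
                + sizeof(DWORD)          // AddressOfFunctions[0]
                + sizeof(DWORD)          // AddressOfNames[0]
                + sizeof(strExportName);

        PIMAGE_SECTION_HEADER pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
        if (!PatchFitsInSection(pSectionHeader[0], ShellCodeDataRva, ShellCodeDataVa, sizeof(ShellCodeData)))
        {
                fprintf(stderr, "OpenPE: code patch does not fit in section 0 at the hard-coded offset\n");
                return;
        }
        if (!PatchFitsInSection(pSectionHeader[1], ExportTableDataRva, ExportTableDataVa, ExportBlockSize))
        {
                fprintf(stderr, "OpenPE: export block does not fit in section 1 at the hard-coded offset\n");
                return;
        }

        // --- Export directory ---------------------------------------------------
        pExportDir = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)pFileData + ExportTableDataRva);
        DWORD Size = sizeof(IMAGE_EXPORT_DIRECTORY);   // running offset from the start of the block

        pExportDir->Characteristics = 0;
        pExportDir->TimeDateStamp = 0;
        pExportDir->MajorVersion = 0;
        pExportDir->MinorVersion = 0;
        pExportDir->Base = 0;
        pExportDir->NumberOfFunctions = 1;
        pExportDir->NumberOfNames = 1;

        // DLL name string, directly after the directory.
        pExportDir->Name = ExportTableDataVa + Size;
        memcpy(ExportRvaToFilePtr(pExportDir->Name), strDllName, sizeof(strDllName));
        Size += sizeof(strDllName);

        // Name-ordinal table: one WORD in a DWORD-sized slot (see ExportBlockSize).
        // NumberOfNames == NumberOfFunctions, so the export is reachable by name only.
        pExportDir->AddressOfNameOrdinals = ExportTableDataVa + Size;
        Size += sizeof(DWORD) * pExportDir->NumberOfFunctions;
        WORD * pOrdinals = (WORD *)ExportRvaToFilePtr(pExportDir->AddressOfNameOrdinals);
        pOrdinals[0] = 0;   // index into AddressOfFunctions (ordinal minus Base)

        // Export address table: the single entry is the RVA of the copied code.
        pExportDir->AddressOfFunctions = ExportTableDataVa + Size;
        Size += sizeof(DWORD) * pExportDir->NumberOfFunctions;
        DWORD * pFunctions = (DWORD *)ExportRvaToFilePtr(pExportDir->AddressOfFunctions);
        pFunctions[0] = ShellCodeDataVa;

        // Name pointer table, followed by the function name itself.
        pExportDir->AddressOfNames = ExportTableDataVa + Size;
        Size += sizeof(DWORD) * pExportDir->NumberOfNames;
        DWORD * pNames = (DWORD *)ExportRvaToFilePtr(pExportDir->AddressOfNames);
        DWORD OffsetName = ExportTableDataVa + Size;
        pNames[0] = OffsetName;
        Size += sizeof(strExportName);
        memcpy(ExportRvaToFilePtr(OffsetName), strExportName, sizeof(strExportName));

        // --- Headers -------------------------------------------------------------
        IMAGE_DATA_DIRECTORY DataDir;
        DataDir.VirtualAddress = ExportTableDataVa;
        DataDir.Size = Size;
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] = DataDir;
        // Grow the section's VirtualSize so the appended bytes are inside the range the
        // loader considers meaningful; per the author the block sits in the padding after
        // the section's current contents (their comment calls it the import table section).
        pSectionHeader[1].Misc.VirtualSize += Size;

        // --- Code patch ----------------------------------------------------------
        memcpy((PBYTE)pFileData + ShellCodeDataRva, ShellCodeData, sizeof(ShellCodeData));
        pSectionHeader[0].Misc.VirtualSize += sizeof(ShellCodeData);
}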
typedef VOID TCallTest();  // signature of the export under test: no arguments, no return value
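// Entry point: patch the DLL on disk, then load the patched file and call the new
// export once, the way the challenge's test harness does.
//
// Returns 0 when the export was found and called, 1 when the file could not be
// mapped, the load failed or the export is missing (e.g. OpenPE refused to patch).
// LoadLibraryA runs the DLL's DllMain and the call below runs the embedded code, so
// this is a live test of the patched file, not a static check of it.
int _tmain(int argc, _TCHAR* argv[])
{
        InitializeVariables();
        OpenFile();
        if (pFileData == NULL)
        {
                // OpenFile already reported the Win32 error; OpenPE must not run
                // against a NULL mapping.
                CloseFile();
                return 1;
        }
        OpenPE();
        CloseFile();

        HMODULE hModule = ::LoadLibraryA(strFilePath);
        if (hModule == NULL)
        {
                DWORD err = GetLastError();
                fprintf(stderr, "LoadLibraryA(%s) failed, error %lu\n", strFilePath, err);
                return 1;
        }
        int result = 1;
        // GetProcAddress returns NULL when the export is absent; the original called
        // through the pointer unconditionally and would have crashed in that case.
        TCallTest * pCallTest = (TCallTest *) GetProcAddress(hModule, strExportName);
        if (pCallTest != NULL)
        {
                pCallTest();
                result = 0;
        }
        else
        {
                DWORD err = GetLastError();
                fprintf(stderr, "GetProcAddress(%s) failed, error %lu\n", strExportName, err);
        }
        ::FreeLibrary(hModule);
        return result;
}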

-- by fOx


kangaroo 6 2008-10-2 20:05
题目是否理解错了!!!