首页
社区
课程
招聘
[求助]凑热闹。
发表于: 2008-10-2 02:33 2322

[求助]凑热闹。

2008-10-2 02:33
2322
得分多少不要紧,重要的是我把题目的意思理解错了。

1.

完成 1.为DLL文件新增输出表,同时增加输出函数OpenUrlA,没有什么现成的工具,可能我没有找到吧,用C写一个代码完成吧:

2.OpenUrlA函数功能是调用IE浏览器打开explorer.exe http://bbs.pediy.com,打开后无其他操作;
添加一个字符串其实挺好.

这一段ShellCode讲究一段代码改了改,没有仔细去优化,大概可以跑起来就得了.

不过PS  貌似我对题目意思不是很理解,加载WinExec应该可以用倒入表来引入吧?,
不过看到了 "如果期间有数据或者遍历的代码也算进去" 这句话,估计就是指引为ShellCode吧?
如果这样的话
例3:选手第一次提交的OpenUrlA函数大小是16字节,则得分:
得分=min[1.0,(13/16)]×100-(1-1)×5=81.25分

就不可能得分这么高,这段ShellCode少了100字节不可能完成

如果通过引入表我想也就是push 两个  call 一个  5 + 5 + 2 然后一个ret 刚好13个字节?

3.问题?
如果用IDA把这玩意儿弄成ASM然后再编译算不算作弊?

4.
测试平台 Windows XP Sp2,Windows Vista Ultimate

测试代码:

        HMODULE hModule = ::LoadLibraryA(strFilePath);
        if(hModule != NULL)
        {
                TCallTest * pCallTest = (TCallTest *) GetProcAddress(hModule,"OpenUrlA");
                pCallTest();
        }

完整代码:

// AddExportTable.cpp : Defines the entry point for the console application.
//

#include "stdafx.h"
#include <Windows.h>
const char strDllName[] = "fOx";
const char strExportName[] = "OpenUrlA";
const char strFilePath[] = "F:\\Debug\\Tencert\\Pediy\\01\\pediy_done.dll";
const BYTE ShellCodeData[] =
{
0x60, 0xFC, 0xE8, 0x45, 0x00, 0x00, 0x00, 0x8B, 0x45, 0x3C,
0x36, 0x8B, 0x7C, 0x28, 0x78, 0x03, 0xFD, 0x8B, 0x4F, 0x18,
0x8B, 0x5F, 0x20, 0x03, 0xDD, 0x49, 0x8B, 0x34, 0x8B, 0x03,
0xF5, 0x33, 0xC0, 0x99, 0xAC, 0x84, 0xC0, 0x74, 0x07, 0xC1,
0xCA, 0x0D, 0x03, 0xD0, 0xEB, 0xF4, 0x3B, 0x54, 0x24, 0x04,
0x75, 0xE5, 0x8B, 0x5F, 0x24, 0x03, 0xDD, 0x66, 0x8B, 0x0C,
0x4B, 0x8B, 0x5F, 0x1C, 0x03, 0xDD, 0x8B, 0x1C, 0x8B, 0x03,
0xDD, 0x89, 0x5C, 0x24, 0x04, 0xC3, 0x33, 0xC0, 0x64, 0x8B,
0x40, 0x30, 0x85, 0xC0, 0x78, 0x0C, 0x8B, 0x40, 0x0C, 0x8B,
0x70, 0x1C, 0xAD, 0x8B, 0x68, 0x08, 0xEB, 0x09, 0x8B, 0x80,
0xB0, 0x00, 0x00, 0x00, 0x8B, 0x68, 0x3C, 0x5F, 0x6A, 0x01,
0x8B, 0xC7, 0x05, 0x7B, 0x00, 0x00, 0x00, 0x50, 0x68, 0x98,
0xFE, 0x8A, 0x0E, 0xFF, 0xD7, 0x58, 0xFF, 0xD3, 0x61, 0xC3,
0x65, 0x78, 0x70, 0x6C, 0x6F, 0x72, 0x65, 0x72, 0x2E, 0x65,
0x78, 0x65, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F,
0x62, 0x62, 0x73, 0x2E, 0x70, 0x65, 0x64, 0x69, 0x79, 0x2E,
0x63, 0x6F, 0x6D, 0x00
};
const DWORD ShellCodeDataRva   = 0x4CA;  // From 04CAh -> 600h
const DWORD ShellCodeDataVa    = 0x10CA;
const DWORD ExportTableDataRva = 0x6AB;  // From 06ABh -> 800h;
const DWORD ExportTableDataVa  = 0x20AB;   // From 20ABh -> 3000h;
HANDLE hFile;
HANDLE hFileMapping;
LPVOID pFileData = NULL;
void InitializeVariables()
{
        hFileMapping = hFile = INVALID_HANDLE_VALUE;
        pFileData = NULL;
}
void OpenFile()
{
        hFile =
                ::CreateFileA(strFilePath,FILE_GENERIC_READ | FILE_GENERIC_WRITE,
                FILE_SHARE_READ,NULL,OPEN_EXISTING,NULL,NULL);
        DWORD err = GetLastError();
        hFileMapping = ::CreateFileMappingA(hFile,NULL,PAGE_READWRITE,NULL,NULL,NULL);
        err = GetLastError();
        pFileData = ::MapViewOfFile(hFileMapping,FILE_MAP_ALL_ACCESS,NULL,NULL,NULL);
        err = GetLastError();
}
void CloseFile()
{
        ::UnmapViewOfFile(pFileData);
        ::CloseHandle(hFileMapping);
        ::CloseHandle(hFile);
        InitializeVariables();
}
PIMAGE_DOS_HEADER pDosHeader;
PIMAGE_NT_HEADERS pNtHeaders;
PIMAGE_EXPORT_DIRECTORY pExportDir;
void OpenPE()
{
        pDosHeader = (PIMAGE_DOS_HEADER)pFileData;
        pNtHeaders = (PIMAGE_NT_HEADERS)(PBYTE(pDosHeader) + pDosHeader->e_lfanew);
        //DATA_
        IMAGE_DATA_DIRECTORY DataDir;
        DWORD Size = 0;
        Size += sizeof(IMAGE_EXPORT_DIRECTORY);
        pExportDir = PIMAGE_EXPORT_DIRECTORY((PBYTE)pFileData + ExportTableDataRva);
        LONG AdjustOffset = ExportTableDataRva - ExportTableDataVa + (DWORD)pFileData;
        //DWORD BaseVa = ExportTableDataVa;
        //DWORD OffsetSiz = Size;
        DWORD NameLength = sizeof(strDllName);
        //PBYTE pBase = (PBYTE)pExportDir;
       
        pExportDir->NumberOfFunctions = 1;
        pExportDir->NumberOfNames = 1;
        pExportDir->TimeDateStamp = NULL;
        pExportDir->Base = NULL;
        pExportDir->Characteristics = NULL;
        pExportDir->MajorVersion = 0;
        pExportDir->MinorVersion = 0;
        pExportDir->Name = Size + ExportTableDataVa;
        memcpy(PBYTE(pExportDir->Name + AdjustOffset),strDllName,sizeof(strDllName));
        Size += NameLength;
        pExportDir->AddressOfNameOrdinals = Size + ExportTableDataVa;//Force to Import from names
        Size += sizeof(DWORD) * pExportDir->NumberOfFunctions;
        WORD * pWordArray = (WORD *)(pExportDir->AddressOfNameOrdinals + AdjustOffset);
        pWordArray[0] = 0;
        pExportDir->AddressOfFunctions = Size + ExportTableDataVa;
        Size += sizeof(DWORD) * pExportDir->NumberOfFunctions;
        DWORD * pArray = pArray = (DWORD *)(pExportDir->AddressOfFunctions + AdjustOffset);
        pArray[0] = ShellCodeDataVa;

        pExportDir->AddressOfNames = Size + ExportTableDataVa;
        Size += sizeof(DWORD) * pExportDir->NumberOfNames;
        pArray = (DWORD *)(pExportDir->AddressOfNames + AdjustOffset);
        DWORD OffsetName = Size + ExportTableDataVa;
        pArray[0] = OffsetName;
        Size += sizeof(strExportName);
        memcpy(PBYTE(OffsetName + AdjustOffset),strExportName,sizeof(strExportName));

        //DWORD OffsetFunctions = OffsetName + NameLength;
        //DWORD OffsetFunctionNames = OffsetFunctions +
       
        //pExportDir->
        //pExportDir->AddressOfFunctions
        PIMAGE_SECTION_HEADER pSectionHeader;
        pSectionHeader = IMAGE_FIRST_SECTION(pNtHeaders);
       
        DataDir.Size = Size;
        pSectionHeader[1].Misc.VirtualSize += DataDir.Size;//Fix VirtualSize Of the second section which is the import table section

        DataDir.VirtualAddress = ExportTableDataVa;
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT] = DataDir;

        memcpy(ShellCodeDataRva + (PBYTE)pFileData ,ShellCodeData,sizeof(ShellCodeData));
        pSectionHeader[0].Misc.VirtualSize += sizeof(ShellCodeData);

        //pExportDir
}
typedef VOID TCallTest();
int _tmain(int argc, _TCHAR* argv[])
{
        InitializeVariables();
        OpenFile();
        OpenPE();
        CloseFile();
        HMODULE hModule = ::LoadLibraryA(strFilePath);
        if(hModule != NULL)
        {
                TCallTest * pCallTest = (TCallTest *) GetProcAddress(hModule,"OpenUrlA");
                pCallTest();
        }
        return 0;
}

-- by fOx

[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!

上传的附件:
收藏
免费 0
支持
分享
最新回复 (1)
雪    币: 264
活跃值: (30)
能力值: ( LV12,RANK:250 )
在线值:
发帖
回帖
粉丝
2
题目是否理解错了!!!
2008-10-2 20:05
0
游客
登录 | 注册 方可回帖
返回
//