26 June 2012

semak IAT(import adress table)


File: msvcr71.dll
ASLR: no



DLL ni hanya import funtion dari kernel32.dll sahaja. 

PE_header.ImageBaseAddress = 7c340000 (dlm Optional Header)
PE_header.ImportTableAddress = 49298(rva) =7c389298(va)


[PE_header.ImportTableAddress + 0] = OFT
[PE_header.ImportTableAddress + 4] = TimeDateStamp
[PE_header.ImportTableAddress + 8] = ForwarderChain
[PE_header.ImportTableAddress + c] = NameRVA
[PE_header.ImportTableAddress + 10] = FT




1) OFT : 7c389298.
[7c389298] = 0492d0(va) = 7c3892d0(va)
7c3892d0 adalah permulaan array 4 byte yang mengandungi pointer ke string nama fungsi winAPI.


index Adr X Content of
X (rva)		 ImageBase
+ rva = (va)		 Content
(va)		 Content (va + 2)
0 7c3892d0 4953c 7c38953c 65 01 GetModuleFileNameA
1 7c3892d4 49552 7c389552 66 01 GetModuleFileNameW
2 7c3892d8 49568 7c389568 AB 00 ExitProcess






50 7c389410 49af4 7c389af4 5b 03 VirtualProtect


2) Nama RVA: 7c3892a8
    Pointer kepada nama module >> KERNEL32.dll

3) FT: 3A000
    Pointer ke array yg simpan alamat fungsi winapi. Indeks-nya sama turutan dengan OFT.

    contoh utk cari alamat VirtualProtect:
    Gelinter item dalam array OFT,
          jika pointer tersebut = NamaFungsi,
                simpan no Indeks pada eax.
    jmp [eax]



Posted by at
Labels:

No comments:

Post a Comment

Terima kasih

Subscribe to: Post Comments (Atom)