04 July 2012

jelajah PEB

1) struktur: PEB_LDR_DATA
typedef struct _PEB_LDR_DATA
{
0x0      ULONG Length;
0x4      BOOLEAN Initialized;
0x8      PVOID SsHandle;
0xc      LIST_ENTRY InLoadOrderModuleList;
0x14     LIST_ENTRY InMemoryOrderModuleList;
0x1c     LIST_ENTRY InInitializationOrderModuleList;
} PEB_LDR_DATA, *PPEB_LDR_DATA;


Cara nak dapatkan struktur ini adalah:
mov eax, fs:[0x30]     ; -> eax adalah lokasi PEB (offset dalam hex: TEB.ProcessEnvironmentBlock; offset ini untuk proses x86 32-bit sahaja)
mov eax, [eax + 0xc]   ; -> eax adalah lokasi PEB_LDR_DATA (PEB.Ldr)

[PEB_LDR_DATA.InInitializationOrderModuleList].Flink -> LDR_DATA_TABLE_ENTRY pertama. Perhatian: Flink menunjuk kepada field InInitializationOrderLinks (offset 0x10) di dalam entry tu, bukan ke permulaan struktur — ambil kira perkara ini bila membaca offset field dalam disassembly shellcode.


2) struktur: LDR_DATA_TABLE_ENTRY
typedef struct _LDR_DATA_TABLE_ENTRY
{
0x0    LIST_ENTRY InLoadOrderLinks;
0x8    LIST_ENTRY InMemoryOrderLinks;
0x10   LIST_ENTRY InInitializationOrderLinks;
0x18   PVOID DllBase;
0x1c   PVOID EntryPoint;
0x20   ULONG SizeOfImage;
0x24   UNICODE_STRING FullDllName;
0x2c   UNICODE_STRING BaseDllName;
       ULONG Flags;
       WORD LoadCount;
       WORD TlsIndex;
       union
       {
            LIST_ENTRY HashLinks;
            struct
            {
                 PVOID SectionPointer;
                 ULONG CheckSum;
            };
       };
       union
       {
            ULONG TimeDateStamp;
            PVOID LoadedImports;
       };
       _ACTIVATION_CONTEXT * EntryPointActivationContext;
       PVOID PatchInformation;
       LIST_ENTRY ForwarderLinks;
       LIST_ENTRY ServiceTagLinks;
       LIST_ENTRY StaticLinks;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;

FullDllName -> nama dll beserta lokasi file (UNICODE "C:\Windows\system32\kernel32.dll")
BaseDllName -> hanya nama dll   (UNICODE "kernel32.dll")

*note: dalam libemu, FullDllName adalah kosong (empty). Jadi kalau shellcode guna FullDllName instead of BaseDllName, libemu tak dapat simulasikan shellcode tu — boleh dianggap sebagai ciri anti-libemu (anti-emulation).


3) UNICODE_STRING (8 byte pada 32-bit)

typedef struct _UNICODE_STRING
{
     WORD Length;                2 byte (panjang dalam byte, bukan bilangan aksara; Buffer tak semestinya NUL-terminated)
     WORD MaximumLength;         2 byte
     WORD * Buffer;              4 byte pada 32-bit (pointer ke WCHAR)
} UNICODE_STRING, *PUNICODE_STRING;

Maka, offset untuk BaseDllName.Buffer dari permulaan LDR_DATA_TABLE_ENTRY: 0x2c + 4 = 0x30 (relatif kepada pointer yang diperoleh dari InInitializationOrderLinks, yang berada pada offset 0x10, ia menjadi 0x30 - 0x10 = 0x20).


ref  http://undocumented.ntinternals.net/UserMode/Structures/PEB_LDR_DATA.html
ref >> http://www.nirsoft.net/kernel_struct/vista/LDR_DATA_TABLE_ENTRY.html

IMAGE_EXPORT_DIRECTORY (struktur)

public struct IMAGE_EXPORT_DIRECTORY
{
0x00    public UInt32 Characteristics;
0x04    public UInt32 TimeDateStamp;
0x08    public UInt16 MajorVersion;
0x0a    public UInt16 MinorVersion;
0x0c    public UInt32 Name;
0x10    public UInt32 Base;
0x14    public UInt32 NumberOfFunctions;
0x18    public UInt32 NumberOfNames;
0x1c    public UInt32 AddressOfFunctions; // RVA from base of image
0x20    public UInt32 AddressOfNames; // RVA from base of image
0x24    public UInt32 AddressOfNameOrdinals; // RVA from base of image
}


imageBase + DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress (RVA) = pointer kepada struktur di atas. Field AddressOfFunctions/AddressOfNames/AddressOfNameOrdinals pun RVA, jadi kena tambah imageBase dulu; bila parse fail PE dari luar (untrusted), sahkan RVA dan Size berada dalam lingkungan SizeOfImage sebelum dereference.


opcode kepada assembly (disassemble raw shellcode)

objdump -b binary -m i386 -D shellcode.bin

refer to http://siperdana.blogspot.com/2012/05/convert-assembly-to-opcode.html

02 July 2012

mysql hex dan reverse

SELECT HEX( 65 ) , CAST( 0x41 AS UNSIGNED )
>>
+---------+------------------------+
| HEX(65) | CAST(0x41 AS UNSIGNED) |
+---------+------------------------+
| 41      | 65                     |
+---------+------------------------+