[reverse] Repairing the IAT and disabling ASLR after unpacking
2022-07-06 17:22:00 【TiggerRun】
0x1 Finding the OEP
There are eight well-known methods for locating the OEP; they are not covered here.
0x2 The IAT of the packed program
If the program does not run normally after unpacking (on an XP environment), the cause may be a corrupted import table, which then has to be repaired by hand.
From the PE file format we know that the RVA of the import table is stored in the DataDirectory array of the optional header (entry 1, IMAGE_DIRECTORY_ENTRY_IMPORT).
The screenshot shows that the import descriptor table (the IMAGE_IMPORT_DESCRIPTOR array) of the packed program has RVA 18008 and size 64.
From the section headers, this RVA falls inside the 6th section, .aspack.
Using that section's virtual address (VirtualAddress) and raw file offset (PointerToRawData), the file offset of the descriptor table is offset = RVA - VirtualAddress + PointerToRawData:
offset = A008
Following the import descriptors, the file imports from two DLLs; the file offsets of each Name and IAT (FirstThunk) are computed the same way:
NAME(1) = 9FC8
NAME(2) = A044
IAT(1) = 9FB8
IAT(2) = A04F
If the PE header is unfamiliar, PEView can be used to display the same information.
Either way, this shows clearly which functions the packed program imports at start-up.
0x3 How run-time compression works
The question may arise why the IAT has to be repaired by hand after unpacking.
The IAT is the table into which the Windows loader writes the addresses of the functions a program imports from DLLs. Unlike a 16-bit DOS program, which had to carry its library code inside the executable, a PE file reaches library functions through this table; if the IAT is wrong, calls into those libraries fail and the program cannot run.
A compression packer compresses the original sections and replaces the program's import table with the packer stub's own, much smaller IAT. The last step of the stub's decompression routine rebuilds the original IAT in memory so that the program runs normally. A dump taken at the OEP therefore has an import directory in its header that still describes only the stub's imports, while the rebuilt IAT entries are absolute addresses that were valid only in that process; the loader cannot re-resolve them on the next run, so the IAT must be repaired after dumping.
Checking the IAT of the running program in OllyDbg (OD) shows this.
Compared with the packed file's IAT, the real IAT of the running program is much larger. If the program is only dumped, without IAT repair (as the figure below shows),
the dumped program's IAT is damaged.
0x4 IAT repair
Use the ImportREC tool: attach it to the program's process while it is suspended at the OEP.
Fill in the OEP and the IAT information (RVA and size) correctly.
Use Get Imports to read the IAT from memory, delete the invalid entries, then use Fix Dump to write the rebuilt import table into the dumped program. The program then runs normally.
0x5 The unpacked program does not run on Win7 and later
Starting with Windows Vista / Win7, the system uses ASLR to make overflow attacks harder: every module is loaded at a random virtual address. To rebase a module, ASLR relies on its relocation table. For an EXE the relocation table is optional, so an unpacked dump may not carry a valid one, and rebasing it breaks the program; clearing the ASLR flag for the image avoids the rebasing.
The flag lives in the DllCharacteristics field of the optional header: the bytes 40 81 are the little-endian value 0x8140, and clearing bit 0x0040 (IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE) leaves 0x8100.
Change 40 81 to 00 81.
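A worked example of both manual steps in this post, the walk of the import directory from 0x2 (DataDirectory[1], section table, file offsets of the descriptors, DLL names and IATs) and the DllCharacteristics edit from 0x5, as a script added here. It is not code from the original post and does not use PEView or ImportREC; it uses only the Python standard library. The PE it operates on is constructed inline: a header-only 32-bit image whose single .aspack section sits at RVA 0x18000 / file offset 0xA000 with two import descriptors starting at RVA 0x18008, so that the offsets resemble the post's figures; the DLL and function names in it are made up, and the sample is not a runnable program. The parser handles PE32 only (PE32+ has 8-byte thunks and a different optional header layout).

```python
"""Walk a PE32 import directory and clear the ASLR (DYNAMIC_BASE) flag. PE32 only."""
import struct

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_ORDINAL_FLAG32 = 0x80000000


def _headers(pe):
    """Return (optional header offset, NumberOfSections, SizeOfOptionalHeader)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    return e_lfanew + 24, num_sections, size_opt


def rva_to_offset(pe, rva):
    """RVA -> file offset via the section table; RVAs inside the headers map 1:1."""
    opt, n, size_opt = _headers(pe)
    secs = [struct.unpack_from("<8sIIII", pe, opt + size_opt + 40 * i) for i in range(n)]
    for _name, vsize, va, rawsize, raw in secs:          # IMAGE_SECTION_HEADER fields
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    if rva < min(s[2] for s in secs):
        return rva
    raise ValueError("RVA 0x%X is not backed by any section" % rva)


def read_cstr(pe, off):
    return pe[off:pe.index(b"\0", off)].decode("ascii")


def parse_imports(pe):
    """Walk the IMAGE_IMPORT_DESCRIPTOR array at DataDirectory[1]; one dict per DLL with the
    file offsets of its Name and IAT (FirstThunk) and the function names it imports."""
    opt, _, _ = _headers(pe)
    imp_rva = struct.unpack_from("<I", pe, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return []
    desc, result = rva_to_offset(pe, imp_rva), []
    while True:
        oft, _ts, _fwd, name_rva, first_thunk = struct.unpack_from("<IIIII", pe, desc)
        if name_rva == 0 and first_thunk == 0:
            break                                   # all-zero descriptor ends the array
        # names come from the INT (OriginalFirstThunk) if present, else from the IAT itself;
        # on a packed file the IAT still holds hint/name RVAs, not resolved addresses
        funcs, t = [], rva_to_offset(pe, oft or first_thunk)
        while True:
            entry = struct.unpack_from("<I", pe, t)[0]
            if entry == 0:
                break
            if entry & IMAGE_ORDINAL_FLAG32:
                funcs.append("#%d" % (entry & 0xFFFF))        # import by ordinal
            else:                                             # IMAGE_IMPORT_BY_NAME: Hint, Name
                funcs.append(read_cstr(pe, rva_to_offset(pe, entry) + 2))
            t += 4
        result.append({"dll": read_cstr(pe, rva_to_offset(pe, name_rva)),
                       "name_offset": rva_to_offset(pe, name_rva),
                       "iat_offset": rva_to_offset(pe, first_thunk), "functions": funcs})
        desc += 20
    return result


def clear_dynamic_base(pe):
    """The post's 40 81 -> 00 81 edit: clear DYNAMIC_BASE in OptionalHeader.DllCharacteristics
    (offset 70 in the optional header). Returns (old value, new value, patched image)."""
    opt, _, _ = _headers(pe)
    old = struct.unpack_from("<H", pe, opt + 70)[0]
    new = old & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    patched = bytearray(pe)
    struct.pack_into("<H", patched, opt + 70, new)
    return old, new, bytes(patched)


def build_sample_pe():
    """Constructed sample, not a real program: header-only PE32 with one section .aspack at
    RVA 0x18000 / file offset 0xA000 holding two import descriptors starting at RVA 0x18008."""
    img = bytearray(0xB000)
    img[:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                                   # e_lfanew
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)  # IMAGE_FILE_HEADER
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x10B)                                   # PE32 magic
    struct.pack_into("<H", img, opt + 70, 0x8140)    # TERMINAL_SERVER_AWARE|NX_COMPAT|DYNAMIC_BASE
    struct.pack_into("<I", img, opt + 92, 16)                                 # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, 0x18008, 0x3C)
    struct.pack_into("<8sIIII", img, opt + 0xE0, b".aspack", 0x1000, 0x18000, 0x1000, 0xA000)
    rva = lambda off: off - 0xA000 + 0x18000
    for off, s in {0xA050: b"KERNEL32.dll\0", 0xA060: b"USER32.dll\0", 0xA090: b"\0\0LoadLibraryA\0",
                   0xA0A0: b"\0\0GetProcAddress\0", 0xA0C0: b"\0\0MessageBoxA\0"}.items():
        img[off:off + len(s)] = s
    struct.pack_into("<III", img, 0xA070, rva(0xA090), rva(0xA0A0), 0)        # IAT for KERNEL32
    struct.pack_into("<II", img, 0xA080, rva(0xA0C0), 0)                      # IAT for USER32
    struct.pack_into("<IIIII", img, 0xA008, 0, 0, 0, rva(0xA050), rva(0xA070))
    struct.pack_into("<IIIII", img, 0xA01C, 0, 0, 0, rva(0xA060), rva(0xA080))
    return bytes(img)                                 # third descriptor (0xA030) stays all-zero


if __name__ == "__main__":
    pe = build_sample_pe()
    for d in parse_imports(pe):
        print("%-13s NAME=%X IAT=%X %s" % (d["dll"], d["name_offset"], d["iat_offset"], d["functions"]))
    print("DllCharacteristics: 0x%04X -> 0x%04X" % clear_dynamic_base(pe)[:2])
```

On a real packed file, pass open(path, "rb").read() to parse_imports to get the same NAME/IAT offsets the post computes by hand. The same walk does not work on a raw memory dump taken at the OEP: the IAT slots there hold absolute addresses rather than hint/name RVAs, which is exactly the damage ImportREC repairs. clear_dynamic_base performs the 40 81 to 00 81 edit on the header; write the returned bytes back over the dump.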