Locating kernel32.dll
2016-02-13 10:18
This method obtains the PEB address through the TEB, then the PEB_LDR_DATA address from the PEB, and finally walks the module list to find the base address of the kernel32.dll module.
Start the target program under windbg.
0:000> !teb
TEB at 7ffdf000
    ExceptionList:        0012fb40
    StackBase:            00130000
    StackLimit:           0012e000
    SubSystemTib:         00000000
    FiberData:            00001e00
    ArbitraryUserPointer: 00000000
    Self:                 7ffdf000
    EnvironmentPointer:   00000000
    ClientId:             0000120c . 0000171c
    RpcHandle:            00000000
    Tls Storage:          7ffdf02c
    PEB Address:          7ffd8000
    LastErrorValue:       0
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0
0:000> r fs
fs=0000003b
0:000> dg fs
                                  P Si Gr Pr Lo
Sel    Base     Limit     Type    l ze an es ng Flags
---- -------- -------- ---------- - -- -- -- -- --------
003B 7ffdf000 00000fff Data RW Ac 3 Bg By P  Nl 000004f3
The TEB is the Thread Environment Block structure. The segment selected by our fs segment selector points to the TEB, that is, fs:[0] is the start of the TEB.
0:000> dt _teb
ntdll!_TEB
   +0x000 NtTib : _NT_TIB
   +0x01c EnvironmentPointer : Ptr32 Void
   +0x020 ClientId : _CLIENT_ID
   +0x028 ActiveRpcHandle : Ptr32 Void
   +0x02c ThreadLocalStoragePointer : Ptr32 Void
   +0x030 ProcessEnvironmentBlock : Ptr32 _PEB
   +0x034 LastErrorValue : Uint4B
   +0x038 CountOfOwnedCriticalSections : Uint4B
   +0x03c CsrClientThread : Ptr32 Void
Offset 0x30 of the TEB (ProcessEnvironmentBlock) holds the address of the PEB.
0:000> !peb
PEB at 7ffd8000
    InheritedAddressSpace:    No
    ReadImageFileExecOptions: No
    BeingDebugged:            Yes
    ImageBaseAddress:         00400000
    Ldr                       778b8880
    Ldr.Initialized:          Yes
    Ldr.InInitializationOrderModuleList: 00162160 . 00162488
    Ldr.InLoadOrderModuleList:           001620c0 . 00162590
    Ldr.InMemoryOrderModuleList:         001620c8 . 00162598
            Base TimeStamp                     Module
          400000 46ecc8b0 Sep 16 14:09:52 2007 C:\Users\Administrator\Desktop\2_4_overflow_code_exec\Debug\stack_overflow_exec.exe
        777e0000 5609fdaf Sep 29 10:55:43 2015 C:\windows\SYSTEM32\ntdll.dll
        76ec0000 554d7aff May 09 11:11:59 2015 C:\windows\system32\kernel32.dll
        75bd0000 554d7b00 May 09 11:12:00 2015 C:\windows\system32\KERNELBASE.dll
    SubSystemData:     00000000
    ProcessHeap:       00160000
    ProcessParameters: 00161610
    CurrentDirectory:  'C:\Program Files\Debugging Tools for Windows (x86)\'
    WindowTitle:  'C:\Users\Administrator\Desktop\2_4_overflow_code_exec\Debug\stack_overflow_exec.exe'
    ImageFile:    'C:\Users\Administrator\Desktop\2_4_overflow_code_exec\Debug\stack_overflow_exec.exe'
    CommandLine:  'C:\Users\Administrator\Desktop\2_4_overflow_code_exec\Debug\stack_overflow_exec.exe'
    DllPath:      'C:\Users\Administrator\Desktop\2_4_overflow_code_exec\Debug;;C:\windows\system32;C:\windows\system;C:\windows;.;C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Python27;C:\Python27\Scripts;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\'
    Environment:  00160810
        #envTSLOGRBCShellExt792=10479480
        #envTSLOGsss792=10551744
        #envTSLOGTSLOG792=10480080
        #envTSLOGXMediaLibrary792=76318048
        =::=::\
        ALLUSERSPROFILE=C:\ProgramData
        APPDATA=C:\Users\Administrator\AppData\Roaming
        CommonProgramFiles=C:\Program Files\Common Files
        COMPUTERNAME=WINZQ-20130806T
        ComSpec=C:\windows\system32\cmd.exe
        DEVMGR_SHOW_DETAILS=1
        FP_NO_HOST_CHECK=NO
        HOMEDRIVE=C:
        HOMEPATH=\Users\Administrator
        LOCALAPPDATA=C:\Users\Administrator\AppData\Local
        LOGONSERVER=\\WINZQ-20130806T
        MOZ_PLUGIN_PATH=C:\Program Files\Foxit Software\Foxit Reader\plugins\
        NUMBER_OF_PROCESSORS=4
        OS=Windows_NT
        Path=C:\Program Files\Debugging Tools for Windows (x86)\winext\arcade;C:\Python27;C:\Python27\Scripts;C:\windows\system32;C:\windows;C:\windows\System32\Wbem;C:\windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Microsoft SQL Server\100\Tools\Binn\;C:\Program Files\Microsoft SQL Server\100\DTS\Binn\
        PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC
        PROCESSOR_ARCHITECTURE=x86
        PROCESSOR_IDENTIFIER=x86 Family 6 Model 58 Stepping 9, GenuineIntel
        PROCESSOR_LEVEL=6
        PROCESSOR_REVISION=3a09
        ProgramData=C:\ProgramData
        ProgramFiles=C:\Program Files
        PSModulePath=C:\windows\system32\WindowsPowerShell\v1.0\Modules\
        PUBLIC=C:\Users\Public
        SESSIONNAME=Console
        ShellLaunch{A81BA54B-CCFE-4204-8E79-A68C0FDFA5CF}=ShellExt
        SystemDrive=C:
        SystemRoot=C:\windows
        TEMP=C:\Users\ADMINI~1\AppData\Local\Temp
        TMP=C:\Users\ADMINI~1\AppData\Local\Temp
        USERDOMAIN=WINZQ-20130806T
        USERNAME=Administrator
        USERPROFILE=C:\Users\Administrator
        VS100COMNTOOLS=D:\Program Files\Microsoft Visual Studio 10.0\Common7\Tools\
        WINDBG_DIR=C:\Program Files\Debugging Tools for Windows (x86)
        windir=C:\windows
        windows_tracing_flags=3
        windows_tracing_logfile=C:\BVTBin\Tests\installpackage\csilogfile.log
0:000> dt _peb
ntdll!_PEB
   +0x000 InheritedAddressSpace : UChar
   +0x001 ReadImageFileExecOptions : UChar
   +0x002 BeingDebugged : UChar
   +0x003 BitField : UChar
   +0x003 ImageUsesLargePages : Pos 0, 1 Bit
   +0x003 IsProtectedProcess : Pos 1, 1 Bit
   +0x003 IsLegacyProcess : Pos 2, 1 Bit
   +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit
   +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit
   +0x003 SpareBits : Pos 5, 3 Bits
   +0x004 Mutant : Ptr32 Void
   +0x008 ImageBaseAddress : Ptr32 Void
   +0x00c Ldr : Ptr32 _PEB_LDR_DATA
   +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS
   +0x014 SubSystemData : Ptr32 Void
   +0x018 ProcessHeap : Ptr32 Void
   +0x01c FastPebLock : Ptr32 _RTL_CRITICAL_SECTION
   +0x020 AtlThunkSListPtr : Ptr32 Void
   +0x024 IFEOKey : Ptr32 Void
   +0x028 CrossProcessFlags : Uint4B
   +0x028 ProcessInJob : Pos 0, 1 Bit
   +0x028 ProcessInitializing : Pos 1, 1 Bit
   +0x028 ProcessUsingVEH : Pos 2, 1 Bit
   +0x028 ProcessUsingVCH : Pos 3, 1 Bit
   +0x028 ProcessUsingFTH : Pos 4, 1 Bit
   +0x028 ReservedBits0 : Pos 5, 27 Bits
   +0x02c KernelCallbackTable : Ptr32 Void
   +0x02c UserSharedInfoPtr : Ptr32 Void
   +0x030 SystemReserved : [1] Uint4B
   +0x034 AtlThunkSListPtr32 : Uint4B
   +0x038 ApiSetMap : Ptr32 Void
   +0x03c TlsExpansionCounter : Uint4B
   +0x040 TlsBitmap : Ptr32 Void
   +0x044 TlsBitmapBits : [2] Uint4B
   +0x04c ReadOnlySharedMemoryBase : Ptr32 Void
   +0x050 HotpatchInformation : Ptr32 Void
   +0x054 ReadOnlyStaticServerData : Ptr32 Ptr32 Void
   +0x058 AnsiCodePageData : Ptr32 Void
   +0x05c OemCodePageData : Ptr32 Void
   +0x060 UnicodeCaseTableData : Ptr32 Void
   +0x064 NumberOfProcessors : Uint4B
   +0x068 NtGlobalFlag : Uint4B
   +0x070 CriticalSectionTimeout : _LARGE_INTEGER
   +0x078 HeapSegmentReserve : Uint4B
   +0x07c HeapSegmentCommit : Uint4B
   +0x080 HeapDeCommitTotalFreeThreshold : Uint4B
   +0x084 HeapDeCommitFreeBlockThreshold : Uint4B
   +0x088 NumberOfHeaps : Uint4B
   +0x08c MaximumNumberOfHeaps : Uint4B
   +0x090 ProcessHeaps : Ptr32 Ptr32 Void
   +0x094 GdiSharedHandleTable : Ptr32 Void
   +0x098 ProcessStarterHelper : Ptr32 Void
   +0x09c GdiDCAttributeList : Uint4B
   +0x0a0 LoaderLock : Ptr32 _RTL_CRITICAL_SECTION
   +0x0a4 OSMajorVersion : Uint4B
   +0x0a8 OSMinorVersion : Uint4B
   +0x0ac OSBuildNumber : Uint2B
   +0x0ae OSCSDVersion : Uint2B
   +0x0b0 OSPlatformId : Uint4B
   +0x0b4 ImageSubsystem : Uint4B
   +0x0b8 ImageSubsystemMajorVersion : Uint4B
   +0x0bc ImageSubsystemMinorVersion : Uint4B
   +0x0c0 ActiveProcessAffinityMask : Uint4B
   +0x0c4 GdiHandleBuffer : [34] Uint4B
   +0x14c PostProcessInitRoutine : Ptr32 void
   +0x150 TlsExpansionBitmap : Ptr32 Void
   +0x154 TlsExpansionBitmapBits : [32] Uint4B
   +0x1d4 SessionId : Uint4B
   +0x1d8 AppCompatFlags : _ULARGE_INTEGER
   +0x1e0 AppCompatFlagsUser : _ULARGE_INTEGER
   +0x1e8 pShimData : Ptr32 Void
   +0x1ec AppCompatInfo : Ptr32 Void
   +0x1f0 CSDVersion : _UNICODE_STRING
   +0x1f8 ActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
   +0x1fc ProcessAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
   +0x200 SystemDefaultActivationContextData : Ptr32 _ACTIVATION_CONTEXT_DATA
   +0x204 SystemAssemblyStorageMap : Ptr32 _ASSEMBLY_STORAGE_MAP
   +0x208 MinimumStackCommit : Uint4B
   +0x20c FlsCallback : Ptr32 _FLS_CALLBACK_INFO
   +0x210 FlsListHead : _LIST_ENTRY
   +0x218 FlsBitmap : Ptr32 Void
   +0x21c FlsBitmapBits : [4] Uint4B
   +0x22c FlsHighIndex : Uint4B
   +0x230 WerRegistrationData : Ptr32 Void
   +0x234 WerShipAssertPtr : Ptr32 Void
   +0x238 pContextData : Ptr32 Void
   +0x23c pImageHeaderHash : Ptr32 Void
   +0x240 TracingFlags : Uint4B
   +0x240 HeapTracingEnabled : Pos 0, 1 Bit
   +0x240 CritSecTracingEnabled : Pos 1, 1 Bit
   +0x240 SpareTracingBits : Pos 2, 30 Bits
Obtaining PEB_LDR_DATA through the PEB structure: the PEB field
   +0x00c Ldr : Ptr32 _PEB_LDR_DATA
yields
   Ldr 778b8880
0:000> dt _PEB_LDR_DATA
ntdll!_PEB_LDR_DATA
   +0x000 Length : Uint4B
   +0x004 Initialized : UChar
   +0x008 SsHandle : Ptr32 Void
   +0x00c InLoadOrderModuleList : _LIST_ENTRY
   +0x014 InMemoryOrderModuleList : _LIST_ENTRY
   +0x01c InInitializationOrderModuleList : _LIST_ENTRY
   +0x024 EntryInProgress : Ptr32 Void
   +0x028 ShutdownInProgress : UChar
   +0x02c ShutdownThreadId : Ptr32 Void
We see that this structure holds three _LIST_ENTRY module lists, namely:
InLoadOrderModuleList (modules in load order)
InMemoryOrderModuleList (modules in memory order)
InInitializationOrderModuleList (modules in initialization order)
0:000> dt _LIST_ENTRY
ntdll!_LIST_ENTRY
   +0x000 Flink : Ptr32 _LIST_ENTRY
   +0x004 Blink : Ptr32 _LIST_ENTRY
We usually take the initialization-order list (InInitializationOrderModuleList): its Flink member points to an _LDR_MODULE structure whose BaseAddress member is the base address we need. Since the first entry is ntdll, the second entry is our kernel32.dll.
The method for locating kernel32 is as follows:
xor edx, edx                ; find base addr of kernel32.dll
mov ebx, fs:[edx + 0x30]    ; ebx = address of PEB
mov ecx, [ebx + 0x0c]       ; ecx = pointer to loader data (PEB_LDR_DATA)
mov ecx, [ecx + 0x1c]       ; ecx = first entry in initialisation order list
mov ecx, [ecx]              ; ecx = second entry in list (kernel32.dll)
;mov ecx, [ecx]             ; (third entry, if needed)
mov ebp, [ecx + 0x08]       ; ebp = base address of kernel32.dll
                            ; ecx points at the entry's InInitializationOrderLinks,
                            ; so the base address field sits 8 bytes further on
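The walk above, carried out over a constructed 32-bit memory image so that it can be run and checked without a Windows process. This is an added example, not code from the original post. It assumes the x86 ntdll layouts shown in the windbg output above (TEB+0x30, PEB+0x0c, PEB_LDR_DATA+0x14/+0x1c) plus the x86 _LDR_DATA_TABLE_ENTRY layout, in which the three link pairs sit at +0x00/+0x08/+0x10, DllBase (the post's _LDR_MODULE.BaseAddress) at +0x18 and BaseDllName at +0x2c. The module bases are the ones from the !peb output above; the initialization order ntdll, KERNELBASE, kernel32 is the Windows 7 ordering, which is why the post's "take the second entry" rule lands on KERNELBASE.dll there and why the commented-out extra `mov ecx, [ecx]` exists. The second function shows the order-independent alternative: walk InMemoryOrderModuleList and match BaseDllName. From a defender's side, this fs:[0x30] -> Ldr -> list-walk sequence is exactly the behaviour shellcode emulators and position-independent-code detectors key on.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed 32-bit "process memory": addresses are offsets into this array.
   All structure offsets are the x86 ntdll layouts from the windbg output. */
static uint8_t mem[0x1000];

#define TEB_ADDR   0x000u
#define PEB_ADDR   0x100u
#define LDR_ADDR   0x200u
#define ENTRY(i)   (0x300u + 0x40u * (i))   /* four _LDR_DATA_TABLE_ENTRYs */
#define NAMES_ADDR 0x500u

static uint32_t rd32(uint32_t a) {
    return (uint32_t)mem[a] | (uint32_t)mem[a + 1] << 8 |
           (uint32_t)mem[a + 2] << 16 | (uint32_t)mem[a + 3] << 24;
}
static uint16_t rd16(uint32_t a) { return (uint16_t)(mem[a] | mem[a + 1] << 8); }
static void wr32(uint32_t a, uint32_t v) { for (int i = 0; i < 4; i++) mem[a + i] = (uint8_t)(v >> (8 * i)); }
static void wr16(uint32_t a, uint16_t v) { mem[a] = (uint8_t)v; mem[a + 1] = (uint8_t)(v >> 8); }

/* Build a circular doubly linked _LIST_ENTRY list from a head and node link fields. */
static void link_list(uint32_t head, const uint32_t *links, int n) {
    uint32_t prev = head;
    for (int i = 0; i < n; i++) { wr32(prev, links[i]); wr32(links[i] + 4, prev); prev = links[i]; }
    wr32(prev, head); wr32(head + 4, prev);
}

/* Store an ASCII name as UTF-16LE and fill the entry's BaseDllName UNICODE_STRING
   (Length, MaximumLength, Buffer at +0x2c/+0x2e/+0x30). Returns next free address. */
static uint32_t put_name(uint32_t entry, uint32_t at, const char *name) {
    uint32_t n = (uint32_t)strlen(name);
    for (uint32_t i = 0; i < n; i++) wr16(at + 2 * i, (uint16_t)name[i]);
    wr16(entry + 0x2c, (uint16_t)(2 * n)); wr16(entry + 0x2e, (uint16_t)(2 * n + 2)); wr32(entry + 0x30, at);
    return at + 2 * n + 2;
}

/* Modules and bases as listed in the post's !peb output (constructed sample). */
enum { EXE, NTDLL, KERNEL32, KERNELBASE };
static const char *names[] = { "stack_overflow_exec.exe", "ntdll.dll", "kernel32.dll", "KERNELBASE.dll" };
static const uint32_t bases[] = { 0x00400000u, 0x777e0000u, 0x76ec0000u, 0x75bd0000u };

void build_image(void) {
    memset(mem, 0, sizeof mem);
    wr32(TEB_ADDR + 0x30, PEB_ADDR);   /* TEB.ProcessEnvironmentBlock */
    wr32(PEB_ADDR + 0x0c, LDR_ADDR);   /* PEB.Ldr */
    uint32_t at = NAMES_ADDR;
    for (int i = 0; i < 4; i++) { wr32(ENTRY(i) + 0x18, bases[i]); at = put_name(ENTRY(i), at, names[i]); }
    /* InMemoryOrderModuleList: head Ldr+0x14, links at entry+0x08: exe, ntdll, kernel32, KERNELBASE */
    uint32_t memorder[] = { ENTRY(EXE) + 8, ENTRY(NTDLL) + 8, ENTRY(KERNEL32) + 8, ENTRY(KERNELBASE) + 8 };
    link_list(LDR_ADDR + 0x14, memorder, 4);
    /* InInitializationOrderModuleList: head Ldr+0x1c, links at entry+0x10. The exe is not on it;
       assumed Windows 7 order ntdll, KERNELBASE, kernel32 (kernel32 imports KERNELBASE). */
    uint32_t initorder[] = { ENTRY(NTDLL) + 0x10, ENTRY(KERNELBASE) + 0x10, ENTRY(KERNEL32) + 0x10 };
    link_list(LDR_ADDR + 0x1c, initorder, 3);
}

/* The post's assembly, instruction for instruction, over the simulated memory. */
uint32_t second_init_entry_base(void) {
    uint32_t ebx = rd32(TEB_ADDR + 0x30);  /* mov ebx, fs:[edx+0x30] ; PEB                 */
    uint32_t ecx = rd32(ebx + 0x0c);       /* mov ecx, [ebx+0x0c]    ; PEB_LDR_DATA        */
    ecx = rd32(ecx + 0x1c);                /* mov ecx, [ecx+0x1c]    ; first init-order link */
    ecx = rd32(ecx);                       /* mov ecx, [ecx]         ; second link          */
    return rd32(ecx + 0x08);               /* mov ebp, [ecx+0x08]    ; link +0x10 -> DllBase +0x18 */
}

/* Order-independent variant: walk InMemoryOrderModuleList, match BaseDllName case-insensitively. */
uint32_t find_module_by_name(const char *want) {
    uint32_t ldr = rd32(rd32(TEB_ADDR + 0x30) + 0x0c);
    uint32_t head = ldr + 0x14;
    for (uint32_t link = rd32(head); link != head; link = rd32(link)) {
        uint32_t entry = link - 0x08;  /* CONTAINING_RECORD(link, _LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks) */
        uint32_t nchars = rd16(entry + 0x2c) / 2, buf = rd32(entry + 0x30), i = 0;
        for (; i < nchars && want[i]; i++) {
            uint16_t wc = rd16(buf + 2 * i);
            if (wc > 0x7f || tolower(wc) != tolower((unsigned char)want[i])) break;
        }
        if (i == nchars && want[i] == '\0') return rd32(entry + 0x18);
    }
    return 0;  /* not loaded */
}

int main(void) {
    build_image();
    printf("second init-order entry base: %08x (KERNELBASE on Windows 7 order)\n", second_init_entry_base());
    printf("kernel32.dll by name:         %08x\n", find_module_by_name("kernel32.dll"));
    return 0;
}
```

The positional version returns 75bd0000 (KERNELBASE.dll) on the Windows 7 style image, matching the bases in the !peb output above, while the name-matching version returns 76ec0000 for kernel32.dll regardless of list order; on XP, where KERNELBASE does not exist, both agree.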