📁 Secure

Windows PE


Windows PE structure

"Windows PE" can mean two things:
1. Windows Preinstallation Environment
2. Windows Portable Executable (the file format discussed here)

1. DOS Header > signature : MZ (4D 5A). The only other field Windows uses is e_lfanew at offset 0x3C, the file offset of the NT headers.
2. DOS Stub > 16-bit code that only runs under DOS ("This program cannot be run in DOS mode"); the Windows loader skips straight to e_lfanew, so the stub can be changed freely without affecting execution.
3. NT Header
3-1) Signature > signature : PE\0\0 (50 45 00 00)

3-2) File Header

WORD  Machine; > target CPU : 01 4C = 0x014C, IMAGE_FILE_MACHINE_I386 (x86). Every multi-byte field is stored little-endian, so the file shows 4C 01; read the bytes back to front regardless of which field precedes it.
WORD  NumberOfSections; > number of sections : 00 03 = 3
DWORD TimeDateStamp; > build time : 48 02 52 87 = 0x48025287 = 1208111751, a 32-bit count of seconds since 1970-01-01 00:00:00 UTC, i.e. 2008-04-13 18:35:51 UTC. It is not a 64-bit FILETIME (integer8); feeding it to a FILETIME converter such as https://opentechtips.com/integer8/ yields a bogus "Mon, 01 Jan 1601" date.
DWORD PointerToSymbolTable;
DWORD NumberOfSymbols;
WORD  SizeOfOptionalHeader; > size of the Optional Header : 00 E0 = 0xE0 = 224 bytes (the section table begins this many bytes after the Optional Header starts)
WORD  Characteristics; > attributes of this file : 01 0F = 0x010F = 0x0001 RELOCS_STRIPPED + 0x0002 EXECUTABLE_IMAGE + 0x0004 LINE_NUMS_STRIPPED + 0x0008 LOCAL_SYMS_STRIPPED + 0x0100 32BIT_MACHINE

3-3) Optional Header

WORD Magic; > type of executable : 01 0B = 0x010B, PE32 (32-bit); 0x020B would be PE32+ (64-bit)
BYTE MajorLinkerVersion;
BYTE MinorLinkerVersion;
DWORD SizeOfCode;
DWORD SizeOfInitializedData;
DWORD SizeOfUninitializedData;
DWORD AddressOfEntryPoint; > RVA where execution starts once the file is loaded into memory : 00 00 73 9D = 0x739D (VA = ImageBase + RVA = 0x0100739D)
DWORD BaseOfCode; > RVA of the start of the code section
DWORD BaseOfData; > RVA of the start of the data section (PE32 only; the field does not exist in PE32+)
DWORD ImageBase; > 01 00 00 00 = 0x01000000, the preferred load address that every RVA is relative to
DWORD SectionAlignment; > unit that sections are aligned to in memory
DWORD FileAlignment; > unit that section data is aligned to in the file
WORD MajorOperatingSystemVersion;
WORD MinorOperatingSystemVersion;
WORD MajorImageVersion;
WORD MinorImageVersion;
WORD MajorSubsystemVersion;
WORD MinorSubsystemVersion;
DWORD Win32VersionValue;
DWORD SizeOfImage; > size of the whole image in memory (a multiple of SectionAlignment)
DWORD SizeOfHeaders; > combined size of all headers, rounded up to FileAlignment (normally the file offset where the first section's data starts)
DWORD CheckSum;
WORD Subsystem; > environment the program runs in : GUI (windowed) or CUI (console)
WORD DllCharacteristics;
DWORD SizeOfStackReserve;
DWORD SizeOfStackCommit;
DWORD SizeOfHeapReserve;
DWORD SizeOfHeapCommit;
DWORD LoaderFlags;
DWORD NumberOfRvaAndSizes;
IMAGE_DATA_DIRECTORY DataDirectory[IMAGE_NUMBEROF_DIRECTORY_ENTRIES]; > 16 entries of { DWORD VirtualAddress; DWORD Size; }

4. Text(Code) Header
5. Data Header
6. Resource Header

7. Text(Code) Section
8. Data Section
9. Resource Section
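The header walk above (MZ at 0, e_lfanew at 0x3C, "PE\0\0", IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER32, then NumberOfSections section headers) as a stdlib-only parser. This is an added example, not code from the original post. The image it parses is constructed inline by build_sample_image() from the values quoted on this page (Machine 0x014C, 3 sections, TimeDateStamp 0x48025287, Characteristics 0x010F, Magic 0x010B, entry point 0x739D, ImageBase 0x01000000, alignments 0x1000/0x200, Import directory 0x7604/0xC8, the .text/.data/.rsrc table); the linker version, Subsystem, section flags, SizeOfImage and SizeOfHeaders it fills in are assumptions, and it has no DOS stub and no section bodies, so it is a header-only sample rather than a runnable program.

```python
"""Minimal PE32 header walker over a CONSTRUCTED header-only image (added example)."""
import struct
from datetime import datetime, timezone

IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ" (4D 5A on disk) read as a little-endian WORD
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0" (50 45 00 00 on disk)
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x010B  # PE32; 0x020B would be PE32+

# IMAGE_FILE_HEADER.Characteristics bits (winnt.h names without the IMAGE_FILE_ prefix)
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0004: "LINE_NUMS_STRIPPED",
    0x0008: "LOCAL_SYMS_STRIPPED", 0x0020: "LARGE_ADDRESS_AWARE", 0x0100: "32BIT_MACHINE",
    0x0200: "DEBUG_STRIPPED", 0x2000: "DLL",
}


def parse_pe32(data: bytes) -> dict:
    """DOS header -> e_lfanew -> NT signature -> FILE_HEADER -> OPTIONAL_HEADER32 -> section table."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("no MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]  # the only DOS-header field Windows needs
    if e_lfanew + 24 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("no PE signature at e_lfanew")
    # IMAGE_FILE_HEADER (20 bytes): every field is little-endian, whatever precedes it
    (machine, nsections, timestamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # IMAGE_OPTIONAL_HEADER32 starts here
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic != IMAGE_NT_OPTIONAL_HDR32_MAGIC:
        raise ValueError(f"not PE32, Magic=0x{magic:04X}")
    # Offsets inside the optional header: AddressOfEntryPoint 16 .. FileAlignment 36,
    # SizeOfImage 56, SizeOfHeaders 60, Subsystem 68, NumberOfRvaAndSizes 92, DataDirectory 96
    entry, base_code, base_data, image_base, sec_align, file_align = struct.unpack_from("<6I", data, opt + 16)
    size_image, size_headers = struct.unpack_from("<2I", data, opt + 56)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    dirs = [struct.unpack_from("<2I", data, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    # The section table follows the optional header: use SizeOfOptionalHeader, not sizeof(struct)
    sec_table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(
            "<8s6I2HI", data, sec_table + 40 * i)
        sections.append({"Name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "VirtualSize": vsize, "VirtualAddress": va,
                         "SizeOfRawData": raw_size, "PointerToRawData": raw_ptr,
                         "Characteristics": flags})
    return {
        "Machine": machine, "NumberOfSections": nsections,
        # TimeDateStamp is seconds since 1970-01-01 UTC, not a 64-bit FILETIME
        "TimeDateStamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC"),
        "Characteristics": [n for bit, n in sorted(FILE_CHARACTERISTICS.items()) if characteristics & bit],
        "Magic": magic, "AddressOfEntryPoint": entry, "BaseOfCode": base_code, "BaseOfData": base_data,
        "ImageBase": image_base, "EntryPointVA": image_base + entry,
        "SectionAlignment": sec_align, "FileAlignment": file_align,
        "SizeOfImage": size_image, "SizeOfHeaders": size_headers, "Subsystem": subsystem,
        "DataDirectory": dirs, "Sections": sections,
    }


def build_sample_image() -> bytes:
    """CONSTRUCTED header-only PE32 image carrying the values quoted on this page."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: no DOS stub, NT headers follow immediately
    file_hdr = struct.pack("<HHIIIHH", 0x014C, 3, 0x48025287, 0, 0, 0xE0, 0x010F)
    opt = bytearray(0xE0)
    struct.pack_into("<HBB", opt, 0, 0x010B, 7, 10)                   # Magic; linker version assumed
    struct.pack_into("<6I", opt, 16, 0x739D, 0x1000, 0x9000, 0x01000000, 0x1000, 0x200)
    struct.pack_into("<2I", opt, 56, 0x14000, 0x400)                  # SizeOfImage/SizeOfHeaders, derived
    struct.pack_into("<H", opt, 68, 2)                                # IMAGE_SUBSYSTEM_WINDOWS_GUI, assumed
    struct.pack_into("<I", opt, 92, 16)                               # NumberOfRvaAndSizes
    struct.pack_into("<2I", opt, 96 + 8 * 1, 0x7604, 0xC8)            # DataDirectory[1] = Import
    table = [(b".text", 0x7748, 0x1000, 0x7800, 0x0400, 0x60000020),  # CODE|EXECUTE|READ, assumed
             (b".data", 0x1BA8, 0x9000, 0x0800, 0x7C00, 0xC0000040),  # INITIALIZED_DATA|READ|WRITE, assumed
             (b".rsrc", 0x8304, 0xB000, 0x8400, 0x8400, 0x40000040)]  # INITIALIZED_DATA|READ, assumed
    secs = b"".join(struct.pack("<8s6I2HI", n, vs, va, rs, rp, 0, 0, 0, 0, fl)
                    for n, vs, va, rs, rp, fl in table)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_image()).items():
        print(f"{key:22} {hex(value) if isinstance(value, int) else value}")
```

To run it against a real file, replace build_sample_image() with the bytes read from disk; the parser deliberately trusts nothing before checking it (MZ, PE\0\0, Magic, buffer length), because a crafted e_lfanew or NumberOfSections is the classic way to crash a naive PE tool.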


IMAGE_NT_HEADERS32

- Signature

- IMAGE_FILE_HEADER

- IMAGE_OPTIONAL_HEADER32
  - AddressOfEntryPoint
  - ImageBase

RVA (relative virtual address) : offset relative to ImageBase
VA (virtual address) : absolute address in memory; VA = ImageBase + RVA

32-bit process : at most 4 GB (2^32 bytes) of virtual address space, which is why these address fields are DWORDs

SectionAlignment : 00 00 10 00 = 0x1000 (sections start on 0x1000 boundaries in memory)
FileAlignment : 00 00 02 00 = 0x200 (section data starts on 0x200 boundaries in the file)
-- similar to a file system's cluster size : space is handed out in these units, so the end of every section is padded up to the next boundary
SectionAlignment = layout in memory
FileAlignment = layout in the file

NumberOfRvaAndSizes : 00 00 00 10 = 0x10
- number of entries in the IMAGE_DATA_DIRECTORY array

There are 16 Data Directory entries (each an RVA plus a Size)


Starting at file offset 0x158 (in the dump being read)
DataDirectory[0] > Export
> 0000 0000 / 0000 0000  (RVA / Size : this file exports nothing)
DataDirectory[1] > Import
> 0000 7604 / 0000 00C8  (RVA 0x7604, Size 0xC8 : the import directory lies inside .text)
..
..
..
DataDirectory[F] > (index 15, reserved)
--- the RVAs obtained here are used later when walking the INT, IAT and EAT
INT = Import Name Table
IAT = Import Address Table
EAT = Export Address Table

 


Section headers (.text, .data, .rsrc)

Every section header has the same 40-byte structure (from winnt.h):

#define IMAGE_SIZEOF_SHORT_NAME 8

typedef struct _IMAGE_SECTION_HEADER {
  BYTE  Name[IMAGE_SIZEOF_SHORT_NAME];  // section name, e.g. ".text" (not NUL-terminated when all 8 bytes are used)
  union {
    DWORD PhysicalAddress;
    DWORD VirtualSize;                  // size the section occupies in memory
  } Misc;
  DWORD VirtualAddress;                 // RVA at which the section starts in memory
  DWORD SizeOfRawData;                  // size the section's data occupies in the file (rounded up to FileAlignment)
  DWORD PointerToRawData;               // file offset at which the section's data starts
  DWORD PointerToRelocations;
  DWORD PointerToLinenumbers;
  WORD  NumberOfRelocations;
  WORD  NumberOfLinenumbers;
  DWORD Characteristics;                // section attributes : code/data, readable/writable/executable
} IMAGE_SECTION_HEADER, *PIMAGE_SECTION_HEADER;

 

.text section

Virtual Size : 0000 7748  size in memory
Virtual Address : 0000 1000  start RVA in memory
Size Of Raw Data : 0000 7800  size in the file (0x7748 rounded up to FileAlignment 0x200)
Pointer To Raw Data : 0000 0400  start offset in the file (a file offset, not an RVA)

 

.data section

Virtual Size : 0000 1BA8  size in memory
Virtual Address : 0000 9000  start RVA in memory
Size Of Raw Data : 0000 0800  size in the file (smaller than VirtualSize : the remaining 0x13A8 bytes exist only in memory and are zero-filled by the loader)
Pointer To Raw Data : 0000 7C00  start offset in the file (= 0x400 + 0x7800, directly after .text)

 

.rsrc section

Virtual Size : 0000 8304  size in memory
Virtual Address : 0000 B000  start RVA in memory
Size Of Raw Data : 0000 8400  size in the file
Pointer To Raw Data : 0000 8400  start offset in the file (= 0x7C00 + 0x800, directly after .data; the section data ends at 0x8400 + 0x8400 = 0x10800)


 

RVA (memory) to RAW (file offset)

When you have the memory address of something (the entry point, an import entry, a string), you need to find where those bytes sit in the file, i.e. the offset HxD shows.

Formula : RAW (the file offset we want) = RVA - VirtualAddress + PointerToRawData, using the VirtualAddress and PointerToRawData of the section that contains the RVA. Check first that RVA - VirtualAddress is smaller than that section's SizeOfRawData; otherwise no file bytes correspond to the RVA.

 

RVA : 5000 -> what is the RAW (file offset)?

 RVA = 0x5000 lies in the .text section (0x1000 .. 0x9000)

RAW = 5000 - 1000 (start RVA of the section in memory) + 400 (start offset of the section in the file)

RAW = 4400

 

RVA : 13314 -> what is the RAW (file offset)?

RVA = 0x13314 lies in the .rsrc section (starts at 0xB000). 0x13314 - 0xB000 = 0x8314 is past VirtualSize (0x8304) but still below SizeOfRawData (0x8400), so the bytes do come from the file.

RAW = 13314 - B000 (start RVA of the section in memory) + 8400 (start offset of the section in the file)

RAW = 10714

 

RVA : ABA8 -> what is the RAW (file offset)?

RVA = 0xABA8 lies in the .data section (0x9000 .. 0xB000)

RAW = ABA8 - 9000 (start RVA of the section in memory) + 7C00 (start offset of the section in the file) = 97A8 by the formula, but that answer is wrong:

0xABA8 - 0x9000 = 0x1BA8 is not below .data's SizeOfRawData (0x800). The file holds only 0x800 bytes of .data (offsets 0x7C00 .. 0x8400); the rest of its VirtualSize exists only in memory, zero-filled by the loader, so this RVA has no RAW offset at all. 0x97A8 actually points into .rsrc's file data (0x8400 .. 0x10800), so following it in HxD would show unrelated bytes.

 

 

 
