์ƒˆ์†Œ์‹

์ธ๊ธฐ ๊ฒ€์ƒ‰์–ด

๐Ÿ“  Secure

INT / IAT


INT / IAT (Import-related tables)

๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ / DLL ํŒŒ์ผ SYS ํŒŒ์ผ
์• ํ”Œ๋ฆฌ์ผ€์ด์…˜์ด ์‹คํ–‰ํ•  ๋•Œ
DOS ์‹œ์ ˆ์— ๊ด€๋ จ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋„ ์ „๋ถ€ ํฌํ•จํ•ด์„œ ์ฝ”๋”ฉ

ํ•จ์ˆ˜๋ฅผ ๋ถˆ๋Ÿฌ์˜ค๋Š” ์‹์œผ๋กœ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ๋งŒ๋“ค์ž

kernel32.dll ๋ผ๋Š” ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ์•ˆ์— ์—ฌ๋Ÿฌ๊ฐœ์˜ ํ•จ์ˆ˜๋“ค
Import Name Table > DLL ์ด๋ฆ„์„ ์ฐพ๊ณ 
Import Application Table > ํ•จ์ˆ˜๋ฅผ ์ฐพ๋Š”๋‹ค

typedef struct _IMAGE_IMPORT_DESCRIPTOR {
    union {
        DWORD   Characteristics;          // 0 in the all-zero descriptor that ends the array
        DWORD   OriginalFirstThunk;       // INT (Import Name Table) address (RVA)
    };
    DWORD   TimeDateStamp;
    DWORD   ForwarderChain;
    DWORD   Name;                         // library name string address (RVA)
    DWORD   FirstThunk;                   // IAT (Import Address Table) address (RVA)
} IMAGE_IMPORT_DESCRIPTOR;



1. NAME์˜ ์œ„์น˜๋ฅผ ๋”ฐ๋ผ๊ฐ€์„œ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ(DLL)์˜ ์ด๋ฆ„์„ ํŒŒ์•…ํ•œ๋‹ค
2. OriginalFirstThunk(INT)์˜ ์ฃผ์†Œ๋ฅผ ๋”ฐ๋ผ๊ฐ€์„œ ํ•จ์ˆ˜ ์‹œ์ž‘ ์ฃผ์†Œ๋ฅผ ํŒŒ์•…ํ•œ๋‹ค
3. FirstThunk(IAT)์˜ ์ฃผ์†Œ๋ฅผ ๋”ฐ๋ผ๊ฐ€์„œ ์‹ค์ œ ๋กœ๋”ฉ ์ฃผ์†Œ๋ฅผ ํŒŒ์•…ํ•œ๋‹ค.

 

comdlg32.dll ์ค‘ PageSetupDlgW ํ•จ์ˆ˜ ํ˜ธ์ถœ

Original First Thunk 0000 7990
7990(RVA) > 7990-1000+400 = 6D90
6D90 > 6D90-1000+400 : 6E7A : PageSetupDlgW

 

๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ํ™•์ธ

Name 0000 7AAC
7AAC > 7AAC-1000+400 = 6EAC : comdlg32.dll

 

IAT ์‹ค์ œ ๋กœ๋”ฉ ์ฃผ์†Œ ํŒŒ์•…

FirstThunk 0000 12C4
12C4-1000+400=6C4 >76 32 48 D6


EAT

Export Directory RVA (DataDirectory[0] of kernel32.dll) : 0000 262C
262C - 1000 + 400 = 1A2C (RAW of the IMAGE_EXPORT_DIRECTORY)
Export Directory size : 0000 6CFD


EAT์™€ IAT์˜ ์ฐจ์ด์ 

IAT๋Š” Import์ด๋ฏ€๋กœ ์—ฌ๋Ÿฌ๊ฐœ์˜ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ๊ฐ€์ ธ์˜ด

EAT๋Š” ๋ณด๋‚ด๋Š” ์—ญํ• ๋งŒ ํ•˜๊ธฐ ๋•Œ๋ฌธ์— ๋‹จ ํ•œ๊ฐœ๋งŒ ์กด์žฌ

์ด ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ์•ˆ์— ๋‹ค์ˆ˜์˜ ํ•จ์ˆ˜ ์กด์žฌ

๊ทธ ํ•จ์ˆ˜๋ณ„๋กœ ๋ฐฐ์—ด(Oridnal,์„œ์ˆ˜)์ด ์กด์žฌ

typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD Characteristics;
    DWORD TimeDateStamp;
    WORD  MajorVersion;
    WORD  MinorVersion;
    DWORD Name;                   // RVA of the DLL name string: kernel32.dll
    DWORD Base;                   // ordinal of the first entry (exported ordinal = Base + index)
    DWORD NumberOfFunctions;      // entries in AddressOfFunctions: kernel32.dll has 03B9
    DWORD NumberOfNames;          // exports that have a name: also 03B9 here
    DWORD AddressOfFunctions;     // function RVA array (the EAT)        RVA 2654 > RAW 1A54
    DWORD AddressOfNames;         // function name RVA array             RVA 3538 > RAW 2938
    DWORD AddressOfNameOrdinals;  // WORD ordinal (EAT index) array      RVA 441C > RAW 381C
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

1. AddressOfNames์œผ๋กœ kernel32.dll ํŒŒ์ผ์˜ ํ•จ์ˆ˜ ๋ฐฐ์—ด๋กœ ์ด๋™

> 3๋ฒˆ์งธ ๋ฐฐ์—ด์ธ index[2] 4BB3๋กœ ์ด๋™

> 4B3B - 1000 + 400 = 3FB3

 

3FB3์œผ๋กœ ์ด๋™ํ•˜๋ฉด AddAtomW๋ผ๋Š” ํ•จ์ˆ˜๊ฐ€ ๋‚˜์˜จ๋‹ค > ordinal 2๋ฒˆ์ธ ํ•จ์ˆ˜

 

2. AdderessOfNameOrdinals๋กœ ordinal์„ ํ™•์ธํ•œ๋‹ค

 

3. AddressOfFunctions์œผ๋กœ ์‹ค์ œ ๋ฉ”๋ชจ๋ฆฌ์—์„œ ๋กœ๋”ฉ๋˜๋Š” ๊ฐ’์„ ๊ตฌํ•œ๋‹ค

 

 

7C80 0000 + 0003 26D9 = 7C83 26D9
ollydbg์—์„œ ctrl + g ๋ˆŒ๋Ÿฌ์„œ 7C83 26D9 ๊ฒ€์ƒ‰

๋ฐ˜์‘ํ˜•

'๐Ÿ“  Secure' ์นดํ…Œ๊ณ ๋ฆฌ์˜ ๋‹ค๋ฅธ ๊ธ€

2022-06-20  (0) 2022.06.28
2022-06-16  (0) 2022.06.28
DLL Ejection  (0) 2022.06.28
Windows PE ์‹ค์Šต ( ์ˆ˜์ • ํ•„์š” )  (0) 2022.06.27
Window PE  (0) 2022.06.22
Contents

ํฌ์ŠคํŒ… ์ฃผ์†Œ๋ฅผ ๋ณต์‚ฌํ–ˆ์Šต๋‹ˆ๋‹ค

์ด ๊ธ€์ด ๋„์›€์ด ๋˜์—ˆ๋‹ค๋ฉด ๊ณต๊ฐ ๋ถ€ํƒ๋“œ๋ฆฝ๋‹ˆ๋‹ค.