Cracker Guide

Page 200


Chapter (14) - IAT and API Redirection

Figure (6) shows where the IATs are, together with the addresses of the APIs that live in the corresponding DLL. The API we use as our example is ExitProcess.

Figure (7)

That is why, if we look at VA 00402004, we see what Figure (7) shows. The highlighted spot is where our API is: 7C81CAA2 is the address of the API (remember that it is stored byte-swapped, in little-endian order). Right after it you will see a DWORD value of zeros. The DWORD values that follow these zeros refer to the APIs of the next DLL, which is user32.dll. If you look at the DWORD values you will notice that they all start with 7xxxxxxx. To make this clearer, let's look at them in the IAT. Look at Figure (4) again: you will see that two APIs are imported from the kernel32.dll file. Keep in mind that the IAT and the imports table are not the same thing.

Info: The imports table contains all the information Windows needs in order to link the APIs for your program. It has a very simple structure: there is one header for each imported DLL, plus an extra, completely empty one that marks their end. Each header holds all the information for its DLL. For the ReverseMe.exe program, which imports APIs from user32.dll and kernel32.dll, you will find 3 headers: one for kernel32.dll, one for user32.dll, and the extra one that marks the end of the imports table. The Windows loader reads the information from each header and uses it to fill in the IAT. By "IAT" we mean the IATs that are arranged per DLL. The header for each DLL is called IMAGE_IMPORT_DESCRIPTOR. The word IMAGE refers to what happens in memory, and all the offsets are RVAs. It has the following structure:

IMAGE_IMPORT_DESCRIPTOR:
    OriginalFirstThunk
    TimeDateStamp
    ForwarderChain
    Name
    FirstThunk

Info: When the Windows loader reads the IMAGE_IMPORT_DESCRIPTOR, it first checks the DLL. Only then does the loader load that DLL and start building the IAT. Building it is a little involved. The loader checks OriginalFirstThunk first, but it uses that information only when it runs into a problem. Next, for each name that FirstThunk points to, it replaces the pointer with the address of the API. If for some reason the API is not found, it goes to OriginalFirstThunk and tries to get the information from there. If this last resort does not work either, the program crashes. Therefore, in memory, all the pointers in FirstThunk must contain the addresses of the APIs in the loaded DLL rather than the RVAs of the API names. Remember that once the exe has been placed in memory, the building of the IAT is complete.

Info: The loader reads each API name from FirstThunk and looks up its address. If it finds the address, it replaces the name with the address; if not, it goes to OriginalFirstThunk and tries again. So OriginalFirstThunk is a backup of FirstThunk that is used when problems occur. FirstThunk is an array containing the pointers to the names of the APIs we need to import. If the loading process has worked correctly, all the pointers belonging to FirstThunk
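The walk described above, as an added example that is not part of the guide: a small Python parser for the IMAGE_IMPORT_DESCRIPTOR chain of a 32-bit image, run over a constructed image that is treated as already mapped (so every RVA is a plain offset into the buffer), plus a stand-in for the loader's resolution step including the fallback to OriginalFirstThunk. The layout offsets, the export table and every address except 7C81CAA2 are constructed for the example.

```python
import struct
# IMAGE_IMPORT_DESCRIPTOR: OriginalFirstThunk, TimeDateStamp, ForwarderChain, Name, FirstThunk
DESC = struct.Struct("<IIIII")
def cstr(img, off):  # NUL-terminated ASCII string at offset `off`
    return img[off:img.index(b"\0", off)].decode()
def thunks(img, rva):  # 32-bit thunk array up to its terminating zero entry
    out = []
    while (v := struct.unpack_from("<I", img, rva)[0]) != 0:
        out.append(v)
        rva += 4
    return out
def descriptors(img, dir_rva):  # walk the import directory up to the all-zero descriptor
    while (d := DESC.unpack_from(img, dir_rva)) != (0, 0, 0, 0, 0):
        yield d
        dir_rva += DESC.size

def build_image():
    """Constructed mapped image: descriptors at 0x100 for kernel32.dll and user32.dll."""
    img = bytearray(0x400)
    for off, s in ((0x300, b"kernel32.dll"), (0x340, b"user32.dll")):
        img[off:off + len(s) + 1] = s + b"\0"
    # IMAGE_IMPORT_BY_NAME entries: a WORD hint followed by the NUL-terminated name
    for off, s in ((0x310, b"ExitProcess"), (0x320, b"GetModuleHandleA"), (0x350, b"MessageBoxA")):
        img[off:off + 3 + len(s)] = struct.pack("<H", 0) + s + b"\0"
    for off in (0x200, 0x210):  # kernel32: INT at 0x200, IAT at 0x210 (identical on disk)
        struct.pack_into("<III", img, off, 0x310, 0x320, 0)
    for off in (0x220, 0x230):  # user32: INT at 0x220, IAT at 0x230
        struct.pack_into("<II", img, off, 0x350, 0)
    DESC.pack_into(img, 0x100, 0x200, 0, 0, 0x300, 0x210)
    DESC.pack_into(img, 0x114, 0x220, 0, 0, 0x340, 0x230)
    return img  # the descriptor at 0x128 is left all-zero and ends the table

def resolve(img, dir_rva, exports):
    """Mimic the loader: overwrite each FirstThunk name RVA with the API address (exports: constructed {(dll, api): addr})."""
    for oft, _ts, _fwd, name, ft in descriptors(img, dir_rva):
        dll = cstr(img, name)
        for i, (ft_rva, oft_rva) in enumerate(zip(thunks(img, ft), thunks(img, oft))):
            api = cstr(img, ft_rva + 2)  # +2 skips the hint WORD
            addr = exports.get((dll, api))
            if addr is None:  # fall back to the OriginalFirstThunk copy, as the text describes
                api = cstr(img, oft_rva + 2)
                addr = exports.get((dll, api))
            if addr is None:  # last resort failed: the loader gives up and the process dies
                raise LookupError(f"{dll}!{api} not found")
            struct.pack_into("<I", img, ft + 4 * i, addr)

def iat_view(img, dir_rva):
    """{dll: [(api name via OriginalFirstThunk, value currently in the IAT slot), ...]}"""
    return {cstr(img, name): [(cstr(img, n + 2), v) for n, v in zip(thunks(img, oft), thunks(img, ft))]
            for oft, _ts, _fwd, name, ft in descriptors(img, dir_rva)}
```

Before `resolve` the IAT slots still hold the same name RVAs as the INT (the on-disk state); afterwards they hold 7xxxxxxx-style addresses while OriginalFirstThunk is untouched, which is exactly the difference one checks when deciding whether a dumped image still has a usable import table.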

