frame_get_proc_addr

1. EMET == EAF protection
2. Each data directory is basically a structure defined as an IMAGE_DATA_DIRECTORY. And although data directory entries themselves are the same, each specific directory type is entirely unique. The definition of each defined data directory is described in "Predefined Sections" later in this article.
3.  
4. DataDirectory is the final 128 bytes of OptionalHeader. the last member of IMAGE_NT_HEADERS
5.  
6. IMAGE_NT_HEADERS structure
7. Represents the PE header format.
8. Syntax
9. C++
10.  
11. typedef struct _IMAGE_NT_HEADERS {
12. DWORD Signature;
13. IMAGE_FILE_HEADER FileHeader;
14. IMAGE_OPTIONAL_HEADER OptionalHeader;
15. } IMAGE_NT_HEADERS, *PIMAGE_NT_HEADERS;
16.  
17. IMG: http://3.bp.blogspot.com/-oNSLW0H7hH4/TvOh03f3kiI/AAAAAAAAAFE/UXfbLYLBcZM/s640/PE_Structure.jpg
18.  
19.  
20. The DataDirectory is an array of 16 IMAGE_DATA_DIRECTORY structures, 8 bytes apiece, each relating to an important data structure in the PE file. Each array refers to a predefined item,such as the import table.
21. IMAGE_DATA_DIRECTORY
22. Each data directory entry specifies the size and relative virtual address of the directory. To locate a particular directory, you determine the relative address from the data directory array in the optional header. Then use the virtual address to determine which section the directory is in. Once you determine which section contains the directory, the section header for that section is then used to find the exact file offset location of the data directory.
23.  
24.  
25. IMAGE_DATA_DIRECTORY structure
26. Represents the data directory.
27. Syntax
28. C++
29.  
30. typedef struct _IMAGE_DATA_DIRECTORY {
31. DWORD VirtualAddress;
32. DWORD Size;
33. } IMAGE_DATA_DIRECTORY, *PIMAGE_DATA_DIRECTORY;
34.  
35. Members
36. VirtualAddress
37. The relative virtual address of the table.
38. Size
39. The size of the table, in bytes.
40.  
41.  
42. Data Directories :
43. // Directory Entries
44. // Export Directory
45. #define IMAGE_DIRECTORY_ENTRY_EXPORT 0
46. // Import Directory
47. #define IMAGE_DIRECTORY_ENTRY_IMPORT 1
48. // Resource Directory
49. #define IMAGE_DIRECTORY_ENTRY_RESOURCE 2
50. // Exception Directory
51. #define IMAGE_DIRECTORY_ENTRY_EXCEPTION 3
52. // Security Directory
53. #define IMAGE_DIRECTORY_ENTRY_SECURITY 4
54. // Base Relocation Table
55. #define IMAGE_DIRECTORY_ENTRY_BASERELOC 5
56. // Debug Directory
57. #define IMAGE_DIRECTORY_ENTRY_DEBUG 6
58. // Description String
59. #define IMAGE_DIRECTORY_ENTRY_COPYRIGHT 7
60. // Machine Value (MIPS GP)
61. #define IMAGE_DIRECTORY_ENTRY_GLOBALPTR 8
62. // TLS Directory
63. #define IMAGE_DIRECTORY_ENTRY_TLS 9
64. // Load Configuration Directory
65. #define IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 10
66.  
67. Import data section, .idata
68. The .idata section is import data, including the import directory and import address name table
69. IMAGE_DIRECTORY_ENTRY_IMPORT directory is defined
70. Export data section, .edata
71. The .edata section contains export data for an application or DLL. When present, this section contains an export directory for getting to the export information.
72. IMG_DATA_DIRECTORY = 128 byte, 16 entires
73.  
74. Microsoft
75. ImageDirectoryEntryToData function
76.  
77. PVOID WINAPI ImageDirectoryEntryToData(
78. _In_ PVOID Base,
79. _In_ BOOLEAN MappedAsImage,
80. _In_ USHORT DirectoryEntry,
81. _Out_ PULONG Size
82. );
83.  
84. Parameters
85. Base [in]
86. The base address of the image.
87. MappedAsImage [in]
88. If this parameter is TRUE, the file is mapped by the system as an image. If the flag is FALSE, the file is mapped as a data file by the MapViewOfFile function.
89. DirectoryEntry [in]
90. The index number of the desired directory entry. This parameter can be one of the following values.
91. For example
92.  
93. 0:000> dt IMAGE_EXPORT_DIRECTORY
94. ole32!IMAGE_EXPORT_DIRECTORY
95. +0x000 Characteristics : Uint4B
96. +0x004 TimeDateStamp : Uint4B
97. +0x008 MajorVersion : Uint2B
98. +0x00a MinorVersion : Uint2B
99. +0x00c Name : Uint4B
100. +0x010 Base : Uint4B
101. +0x014 NumberOfFunctions : Uint4B
102. +0x018 NumberOfNames : Uint4B
103. +0x01c AddressOfFunctions : Uint4B
104. +0x020 AddressOfNames : Uint4B
105. +0x024 AddressOfNameOrdinals : Uint4B
106. • AddressOfFunctions: an array of RVAs of the functions in the module
107. • AddressOfNames: an array of RVAs each corresponding to the function name strings of exported functions.
108. • AddressOfNameOrdinals: This array is in sync with the AddressOfNames array and there is a one to one correspondence between the two. It gives an index or an offset into the AddressOfFunctions array to get the Address of the Function Name.
109. IMG : http://1.bp.blogspot.com/-gvRkb9W-jOw/UxNOhSv_B9I/AAAAAAAAB_s/cVTUhOhyJ30/s1600/Cc301808.PE2fig03(en-us,MSDN.10).gif
110. getdik snippete
111.  
112. Base TimeStamp Module
113. 400000 47b806f4 Feb 17 14:05:40 2008 C:\Users\moveax\poolobject\rooter.exe
114. 00001000 size of heap commit
115. 0 DLL characteristics
116. 0 [ 0] address [size] of Export Directory
117. 65000 [ 260C] address [size] of Import Directory
118. 71000 [ 9C00] address [size] of Resource Directory
119. 0 [ 0] address [size] of Exception Directory
120. 0 [ 0] address [size] of Security Directory
121. 6A000 [ 6644] address [size] of Base Relocation Directory
122. 0 [ 0] address [size] of Debug Directory
123. 0 [ 0] address [size] of Description Directory
124. 0 [ 0] address [size] of Special Directory
125. 69000 [ 18] address [size] of Thread Storage Directory
126. 0 [ 0] address [size] of Load Configuration Directory
127. 0 [ 0] address [size] of Bound Import Directory
128. 65704 [ 5EC] address [size] of Import Address Table Directory
129. 0 [ 0] address [size] of Delay Import Directory
130. 0 [ 0] address [size] of COR20 Header Directory
131. 0 [ 0] address [size] of Reserved Directory
132.  
133. BASE+offset=RVA
134.  
135. 0:001> dps 400000+65704 L348/4
136. 00465704 76193ddc oleaut32!SysFreeString
137. 00465708 76198b29 oleaut32!SysReAllocStringLen
138. 0046570c 76194042 oleaut32!SysAllocStringLen
139. 00465710 00000000
140. 00465714 762211a8 advapi32!RegQueryValueExAStub
141. 00465718 76221197 advapi32!RegOpenKeyExAStub
142. 0046571c 76221164 advapi32!RegCloseKeyStub
143. 00465720 00000000
144. 00465724 754c2379 user32!GetKeyboardType
145. 00465728 752dc030 apphelp!DWM8AND16BitHook_DestroyWindow
146. 0046572c 754941cf user32!LoadStringA
147. 00465730 7532cfd9 apphelp!SrHook_MessageBoxA
148. 00465734 75489fbd user32!CharNextAStub
149. 00465738 00000000
150. 0046573c 75d39864 KERNEL32!GetACPStub
151. 00465740 75d398c0 KERNEL32!SleepStub
152. 00465744 75d337a0 KERNEL32!VirtualFreeStub
153. 00465748 75d337c0 KERNEL32!VirtualAllocStub
154. 0046574c 75d31960 KERNEL32!GetCurrentThreadId
155. 00465750 75d39067 KERNEL32!InterlockedDecrementStub
156. 00465754 75d38f69 KERNEL32!InterlockedIncrementStub
157. 00465758 75d39a6e KERNEL32!VirtualQueryStub
158.  
159. EMET bypass using function ImageDirectoryEntryToData (via IAT)
160.  
161.  
162.  
163. (bu yaxınlarda yeni hazırladığımız kernel ilə bağlı məqalələr yerləşdirəcəm)
164. references: http://bsodtutorials.blogspot.com/2014/03/import-address-tables-and-export.html
165. https://msdn.microsoft.com/en-us/magazine/cc301808.aspx
166. http://win32assembly.programminghorizon.com/pe-tut7.html
167. http://www.csn.ul.ie/~caolan/pub/winresdump/winresdump/doc/pefile2.html
168. http://trapmine.com/the-enfal-apt-is-back/
169.  
170. emingh _ ~köhnə günlərə qayıdırıq az qalıb ;)~