学习《加密解密》的时候,第十四章,找到进程块的export table导出表,通过hash过的function name ,和导出表中的function name做hash运算,然后对比两个hash值,最后找到对应的function address。
由于加密解密没给如何hash function name,这里通过网上整理相关代码,复现了其生成过程:
#include <stdint.h>
#include <stdio.h>
#include <windows.h>
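/*
 * Fallback so this translation unit also builds where <windows.h> is not
 * available: DWORD is a 32-bit unsigned integer on Windows, and the hash
 * below is defined on exactly 32 bits.
 */
#ifndef _WIN32
typedef uint32_t DWORD;
#endif

/*
 * Hash an exported function name the way the chapter-14 shellcode does:
 * for each byte, rotate the running digest right by 7 bits (32-bit
 * rotate) and add the byte.  The result is compared against the hashes
 * of the names in a module's export table to locate a function address.
 *
 * Written in portable C instead of inline x86 asm: the original asm
 * clobbered EBX without declaring it, never switched back to AT&T syntax,
 * and read its output operand (%0) before writing it, which only works
 * by accident of register allocation.
 *
 * @param fun_name  NUL-terminated function name; NULL hashes to 0.
 * @return          32-bit hash; an empty name hashes to 0.
 */
DWORD GetHash(const char *fun_name)
{
    uint32_t digest = 0;

    if (fun_name == NULL) {
        return 0;
    }
    for (; *fun_name != '\0'; fun_name++) {
        /* ror digest, 7 on a 32-bit value */
        digest = (digest >> 7) | (digest << 25);
        /* Plain char is added exactly as in the original: a byte >= 0x80
         * is sign-extended where char is signed.  Export names are ASCII,
         * so this only matters for non-ASCII input. */
        digest += (uint32_t)*fun_name;
    }
    return (DWORD)digest;
}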
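/*
 * Print a 32-bit hash as a C string literal of its four bytes in
 * little-endian order, e.g. 0x0C917432 -> "\x32\x74\x91\x0c", so the
 * output can be pasted into a byte array.
 *
 * The original formatted the value with sprintf("%.8x") into an 8-byte
 * buffer; eight hex digits plus the NUL need 9 bytes, so it overflowed
 * the stack buffer by one byte.  The bytes are now extracted directly,
 * which also avoids the %x / DWORD format mismatch.
 *
 * @param hash  value to print; only the low 32 bits are used.
 */
void print_char_data(DWORD hash)
{
    unsigned int v = (unsigned int)(hash & 0xFFFFFFFFu);

    /* lowest byte first, matching the little-endian order of the original */
    printf("\"\\x%02x\\x%02x\\x%02x\\x%02x\"\n",
           v & 0xFFu,
           (v >> 8) & 0xFFu,
           (v >> 16) & 0xFFu,
           (v >> 24) & 0xFFu);
}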
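/*
 * Entry point: hash every function name given on the command line and
 * print the results as a C byte array ("char Datas[] = ...").
 *
 * The original loop ran i from 0 to argc-1 but indexed argv[i+1], so its
 * last iteration passed argv[argc] -- which is NULL -- to GetHash and
 * crashed there after printing the real results.  The loop now walks
 * argv[1] .. argv[argc-1].
 *
 * @param argc  argument count.
 * @param argv  argv[1..argc-1] are the names to hash; argv[0] is skipped.
 * @param envp  unused.
 * @return      0 always.
 */
int main(int argc, char *argv[], char *envp[])
{
    (void)envp;

    printf("char Datas[] =\n");
    for (int i = 1; i < argc; i++) {
        DWORD hash = GetHash(argv[i]);
        print_char_data(hash);
    }
    /* blocks until a byte is read from stdin (presumably to keep the
     * console window open when run by double-click) */
    getchar();
    return 0;
}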
编译(MinGW):
PS C:\Users\IEUser\Desktop\shellcode > g++.exe .\hash.cpp -o hash -masm=intel
使用:
PS C:\Users\IEUser\Desktop\shellcode > .\hash.exe LoadLibraryA VirtualAlloc VirtualFree GetTempPathA WinExec Sleep TerminateProcess URLDownloadToFileA
char Datas[] =
"\x32\x74\x91\x0c"
"\x67\x59\xde\x1e"
"\x05\xaa\x44\x61"
"\x39\xe2\x7d\x83"
"\x51\x2f\xa2\x01"
"\xa0\x65\x97\xcb"
"\x8f\xf2\x18\x61"
"\x80\xd6\xaf\x9a"
COMMANDO 12/30/2019 11:12:41 PM
PS C:\Users\IEUser\Desktop\shellcode >

可以看到和 加密解密 的 hash data 完全一致。