"Reversing Core Principles" <03-25> Loading a DLL by Modifying the PE File

Source: Internet   Editor: 程序博客网   Time: 2024/06/11 20:58

Principle

PART1. Preparing the fix

  1. PEView-> IMAGE_OPTIONAL_HEADER-> IDT (value of IMPORT Table)
    The IDT is an array of IMAGE_IMPORT_DESCRIPTOR (IID) structs.
    The IDT is terminated by an IID whose every field is 0x00.

    IMAGE_IMPORT_DESCRIPTOR (IID), 20 (0x14) bytes:
    typedef struct _IMAGE_IMPORT_DESCRIPTOR {
        union {
            DWORD Characteristics;
            DWORD OriginalFirstThunk;   // RVA of the Import Name Table (INT)
        };
        DWORD TimeDateStamp;
        DWORD ForwarderChain;
        DWORD Name;                     // RVA of the DLL name string
        DWORD FirstThunk;               // RVA of the Import Address Table (IAT)
    } IMAGE_IMPORT_DESCRIPTOR;

  2. PEView-> SECTION .rdata (IDT)-> File Offset
    Find the raw (file) offset of the IDT.

  3. HexTools-> jump to the raw offset of the IDT
    Check whether there is enough free space right after it to write our DLL's entry.

Unfortunately, the space after RVA [76CC]~RVA [772F] is not free, so I have to move the IDT.
There are three ways to relocate the IDT:
1. Find free space in the same section (e.g. .rdata)
2. Increase the size of the last section
3. Add a new section at the end of the file

Here I choose the first method.
4. PEView-> SECTION .rdata
Check the end of .rdata; I need a large enough area of "null padding".

  1. PEView-> IMAGE_SECTION_HEADER .rdata
    Pay attention here: only the area defined in the SECTION_HEADER is mapped to a VA.
    A "null padding" area is one that is not only filled with 0x00 but is also mapped into memory.

    E.g.
    Size of Raw Data 2E00
    Virtual Size     2C56  // so 2E00 - 2C56 == 1AA: only 1AA bytes are available for the IDT, but 1AA is enough

    Finally, we choose RVA 8C80 (RAW 7E80) for the new IDT.

PART2. Applying the fix (work on a copy of the file)

  1. Modify the RVA of the IMPORT Table
    PEView-> IMPORT Table
    RVA:  change 84CC to 8C80
    Size: change 64h to 78h (0x64 + 0x14, one extra IID)

  2. Delete the BOUND IMPORT Table
    PEView-> BOUND IMPORT Table
    RVA:  set to 0x00
    Size: set to 0x00

  3. Create the new IDT
    HexTools-> copy the original IDT to the new location (RVA 8C80, RAW 7E80)
    HexTools-> append the IID for our DLL at the end of the IDT (before the null terminator)
    IMAGE_IMPORT_DESCRIPTOR (IID)
    typedef struct _IMAGE_IMPORT_DESCRIPTOR {
        union {
            DWORD Characteristics;
            DWORD OriginalFirstThunk;   // 00008D00 => RVA of the INT
        };
        DWORD TimeDateStamp;
        DWORD ForwarderChain;
        DWORD Name;                     // 00008D10 => RVA of the DLL name
        DWORD FirstThunk;               // 00008D20 => RVA of the IAT
    } IMAGE_IMPORT_DESCRIPTOR;

  4. Set the INT, DLL name and IAT
    HexTools-> write these values
    INT (8D00)-> RVA[8D00]-> set the value to 00008D30
      // The INT is an array of RVAs terminated by NULL. Each element points to an entry
      // made of two parts: Ordinal/Hint (2 bytes) + function name string.
    RVA[8D30]-> 0000 (Ordinal) + "dummy" (function name string)

    DLL Name (8D10)-> RVA[8D10]-> "myhack3.dll"
    IAT (8D20)-> RVA[8D20]-> same value as the INT (RVA[8D00])

  5. Modify the section characteristics for the IAT
    The IAT needs the WRITE attribute.
    HexTools-> SECTION .rdata
    Characteristics (40000040) OR the WRITE flag (80000000) => C0000040
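
The following is an added example, not code from the book or from this post. It is a small Python parser that performs the checks of PART1 and PART2 programmatically: it maps an RVA to a file offset through the section header, computes the null-padding area (SizeOfRawData - VirtualSize), walks the IDT up to its all-zero terminator, and, from the defender's side, reports two traces that this kind of patch leaves behind: a writable .rdata section and import descriptors that sit inside a section's null padding. The section layout, the section values (VA 0x8000, raw pointer 0x40, sizes 0x200/0x180), the function name "ExitProcess" and the sample buffer are constructed for the example; only the 2E00/2C56/1AA and 8C80/7E80 figures are taken from the post.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes) and IMAGE_IMPORT_DESCRIPTOR (20 bytes), little-endian
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
IID = struct.Struct("<IIIII")
IMAGE_SCN_MEM_WRITE = 0x80000000  # the WRITE flag the post ORs into .rdata


def parse_sections(data, offset, count):
    """Read `count` section headers starting at file offset `offset`."""
    sections = []
    for i in range(count):
        (name, vsize, va, rawsize, rawptr,
         _rel, _lin, _nrel, _nlin, chars) = SECTION_HDR.unpack_from(data, offset + i * SECTION_HDR.size)
        sections.append({"name": name.rstrip(b"\0").decode(), "vsize": vsize, "va": va,
                         "rawsize": rawsize, "rawptr": rawptr, "chars": chars})
    return sections


def rva_to_raw(rva, sections):
    """Map an RVA to a file offset; only bytes inside SizeOfRawData exist on disk."""
    for s in sections:
        if s["va"] <= rva < s["va"] + s["rawsize"]:
            return rva - s["va"] + s["rawptr"]
    raise ValueError(f"RVA {rva:#x} is not backed by file data")


def null_padding(section):
    """Bytes at the end of a section that are on disk and mapped, but past VirtualSize."""
    return max(0, section["rawsize"] - section["vsize"])


def parse_idt(data, idt_rva, sections):
    """Walk IMAGE_IMPORT_DESCRIPTOR entries until the all-zero terminator."""
    entries = []
    off = rva_to_raw(idt_rva, sections)
    while True:
        fields = IID.unpack_from(data, off)
        if not any(fields):
            break
        original_first_thunk, _ts, _fwd, name_rva, first_thunk = fields
        name_off = rva_to_raw(name_rva, sections)
        name = data[name_off:data.index(b"\0", name_off)].decode()
        entries.append({"rva": idt_rva + len(entries) * IID.size, "name": name,
                        "int": original_first_thunk, "iat": first_thunk})
        off += IID.size
    return entries


def indicators(entries, sections):
    """Defender-side traces of the patch: writable .rdata, IIDs placed in null padding."""
    findings = []
    for s in sections:
        if s["name"] == ".rdata" and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append(".rdata is writable")
        for e in entries:
            if s["va"] + s["vsize"] <= e["rva"] < s["va"] + s["rawsize"]:
                findings.append(f"IID for {e['name']} lies in the null padding of {s['name']}")
    return findings


def build_sample(patched):
    """Constructed .rdata fragment (section header at offset 0, raw data at 0x40)."""
    va, rawptr, rawsize, vsize = 0x8000, 0x40, 0x200, 0x180
    chars = 0x40000040 | (IMAGE_SCN_MEM_WRITE if patched else 0)
    buf = bytearray(rawptr + rawsize)
    SECTION_HDR.pack_into(buf, 0, b".rdata", vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    def put(rva, blob):
        start = rva - va + rawptr
        buf[start:start + len(blob)] = blob

    # original layout: one IID (kernel32.dll) plus terminator, INT/IAT/name inside VirtualSize
    put(0x8000, IID.pack(0x8100, 0, 0, 0x8120, 0x8140) + IID.pack(0, 0, 0, 0, 0))
    put(0x8100, struct.pack("<II", 0x8160, 0))   # INT -> hint/name entry
    put(0x8120, b"kernel32.dll\0")
    put(0x8140, struct.pack("<II", 0x8160, 0))   # IAT (same as INT before loading)
    put(0x8160, b"\0\0ExitProcess\0")            # hint 0 + constructed function name
    idt_rva = 0x8000
    if patched:
        # new IDT in the null padding (0x8180..0x8200) with one extra IID appended
        idt_rva = 0x8180
        put(0x8180, IID.pack(0x8100, 0, 0, 0x8120, 0x8140)
                  + IID.pack(0x81D0, 0, 0, 0x81C0, 0x81F0)
                  + IID.pack(0, 0, 0, 0, 0))
        put(0x81C0, b"myhack3.dll\0")
        put(0x81D0, struct.pack("<II", 0x81E0, 0))  # INT
        put(0x81E0, b"\0\0dummy\0")                 # ordinal 0 + "dummy"
        put(0x81F0, struct.pack("<II", 0x81E0, 0))  # IAT
    return bytes(buf), idt_rva


def analyze(data, idt_rva, num_sections=1):
    """Return (imported DLL names, findings, null-padding size of the first section)."""
    sections = parse_sections(data, 0, num_sections)
    entries = parse_idt(data, idt_rva, sections)
    return [e["name"] for e in entries], indicators(entries, sections), null_padding(sections[0])


if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "clean", analyze(*build_sample(patched)))
```

The clean sample yields only kernel32.dll and no findings; the patched sample yields both DLL names, reports the writable .rdata, and flags every IID of the relocated IDT because the whole table now lives past VirtualSize. The same two heuristics can be run over a real file by reading the section table from the PE header instead of the constructed buffer.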

PART3. Verifying the fix

  1. PEView-> check the IDT
  2. PEView-> check the INT
  3. Run the patched file to test it