Extracting a .sys file from an EXE's resource section (reposted from Rootkits: Subverting the Windows Kernel)
Source: Internet | Editor: 程序博客网 | Time: 2024/05/29 16:50
Windows PE executables allow multiple sections to be included in the binary file. Each section can be thought of as a folder. This allows developers to include various objects, such as graphics files, within the executable file. Any arbitrary binary objects can be included within the PE executable, including additional files. For instance, an executable can contain both a .sys file and a configuration file with startup parameters for the rootkit. A clever attacker might even create a utility that sets configuration options "on the fly" before an exploit is used with the rootkit.
The following code illustrates how to access a named resource within the PE file and subsequently make a copy of the resource as a file on the hard drive. (The word decompress in the code is imprecise, as the embedded file is not actually compressed.)
```cpp
#include <windows.h>
#include <stdio.h>

//----------------------------------------------------------------
// build a .sys file on disk from a resource
// (assumes a non-Unicode build: resource and file names are char *)
//----------------------------------------------------------------
bool _util_decompress_sysfile(char *theResourceName)
{
    HRSRC          aResourceH;        // handle to the resource entry
    HGLOBAL        aResourceHGlobal;  // handle to the loaded resource data
    unsigned char *aFilePtr;          // pointer to the resource bytes
    unsigned long  aFileSize;         // size of the embedded file
    HANDLE         file_handle;       // output file on disk
```
The subsequent FindResource API call is used to obtain a handle to the embedded file. A resource has a type, in this case BINARY, and a name.
```cpp
    //////////////////////////////////////////////////////////
    // locate a named resource in the current binary EXE
    //////////////////////////////////////////////////////////
    aResourceH = FindResource(NULL, theResourceName, "BINARY");
    if(!aResourceH)
    {
        return false;
    }
```
The next step is to call LoadResource. This returns a handle that we use in subsequent calls.
```cpp
    aResourceHGlobal = LoadResource(NULL, aResourceH);
    if(!aResourceHGlobal)
    {
        return false;
    }
```
Using the SizeOfResource call, the length of the embedded file is obtained, and LockResource returns a pointer to the resource's bytes:
```cpp
    aFileSize = SizeOfResource(NULL, aResourceH);
    aFilePtr  = (unsigned char *)LockResource(aResourceHGlobal);
    if(!aFilePtr)
    {
        return false;
    }
```
The next loop simply copies the embedded file into a file on the hard drive, using the resource's name as the file name. For example, if the resource were named "test", then the resulting file would be called test.sys. In this way, an embedded resource can be made into a driver file.
```cpp
    char _filename[64];
    snprintf(_filename, 62, "%s.sys", theResourceName);
    file_handle = CreateFile(_filename,
                             FILE_ALL_ACCESS,
                             0,
                             NULL,
                             CREATE_ALWAYS,
                             0,
                             NULL);
    if(INVALID_HANDLE_VALUE == file_handle)
    {
        int err = GetLastError();
        // 32 == ERROR_SHARING_VIOLATION
        if( (ERROR_ALREADY_EXISTS == err) || (32 == err))
        {
            // no worries, file exists and may be locked
            // due to exe
            return true;
        }
        printf("%s decompress error %d\n", _filename, err);
        return false;
    }
    // While loop to write resource to disk, one byte per call
    while(aFileSize--)
    {
        unsigned long numWritten;
        WriteFile(file_handle, aFilePtr, 1, &numWritten, NULL);
        aFilePtr++;
    }
    CloseHandle(file_handle);
    return true;
}
```
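From the defender's side, the same resource tree can be walked offline to find executables that carry other executables inside them. The following Python is an added example, not code from the book or from this post: it parses a PE file's section table and resource directory by hand and flags any resource (such as the named BINARY type used above) whose data itself starts with an MZ header. The build_sample_pe helper is a constructed test input; a real sample would be read with open(path, "rb").

```python
import struct
def list_resources(pe):
    """Walk the resource tree of a PE image (bytes); return (path, size, is_pe) per leaf."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec, opt = struct.unpack_from("<H", pe, e_lfanew + 6)[0], e_lfanew + 24
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    magic = struct.unpack_from("<H", pe, opt)[0]                   # 0x10B = PE32, 0x20B = PE32+
    rsrc_rva = struct.unpack_from("<I", pe, opt + (96 if magic == 0x10B else 112) + 16)[0]
    secs = [struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i) for i in range(nsec)]
    def rva_to_off(rva):                                           # RVA -> file offset via section table
        for _, vsize, va, rsize, raw in secs:
            if va <= rva < va + max(vsize, rsize):
                return raw + rva - va
        raise ValueError("RVA 0x%x not backed by any section" % rva)
    base, out = rva_to_off(rsrc_rva), []
    def walk(dir_off, path):                                       # IMAGE_RESOURCE_DIRECTORY at base+dir_off
        named, ids = struct.unpack_from("<HH", pe, base + dir_off + 12)
        for i in range(named + ids):
            name, off = struct.unpack_from("<II", pe, base + dir_off + 16 + 8 * i)
            if name & 0x80000000:                                  # string name: u16 length + UTF-16
                so = base + (name & 0x7FFFFFFF)
                n = struct.unpack_from("<H", pe, so)[0]
                label = pe[so + 2:so + 2 + 2 * n].decode("utf-16-le")
            else:
                label = str(name)                                  # numeric type/name/language id
            if off & 0x80000000:
                walk(off & 0x7FFFFFFF, path + [label])             # subdirectory
            else:                                                  # IMAGE_RESOURCE_DATA_ENTRY leaf
                data_rva, size = struct.unpack_from("<II", pe, base + off)
                out.append(("/".join(path + [label]), size, pe[rva_to_off(data_rva):][:2] == b"MZ"))
    walk(0, [])
    return out

def build_sample_pe(payload):
    """Constructed test input: minimal PE32 whose .rsrc holds one BINARY/test/1033 resource."""
    d = lambda named, ids: struct.pack("<IIHHHH", 0, 0, 0, 0, named, ids)  # IMAGE_RESOURCE_DIRECTORY
    s = lambda t: struct.pack("<H", len(t)) + t.encode("utf-16-le")        # IMAGE_RESOURCE_DIR_STRING_U
    rsrc = (d(1, 0) + struct.pack("<II", 0x80000000 | 88, 0x80000000 | 24)    # root -> type "BINARY"
            + d(1, 0) + struct.pack("<II", 0x80000000 | 102, 0x80000000 | 48)  # type -> name "test"
            + d(0, 1) + struct.pack("<II", 1033, 72)                           # name -> language 1033
            + struct.pack("<IIII", 0x1000 + 112, len(payload), 0, 0)           # data entry: RVA, size
            + s("BINARY") + s("test") + payload)
    opt = (struct.pack("<H", 0x10B).ljust(92, b"\0")                          # PE32 magic, then at +92:
           + struct.pack("<I16xII", 16, 0x1000, len(rsrc))).ljust(0xE0, b"\0")  # NumberOfRvaAndSizes, DataDirectory[2]
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"            # DOS header, e_lfanew = 0x40
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102) + opt      # COFF header: 1 section
           + struct.pack("<8sIIIIIIHHI", b".rsrc", len(rsrc), 0x1000, len(rsrc), 0x200, 0, 0, 0, 0, 0x40000040))
    return hdr.ljust(0x200, b"\0") + rsrc
```

A resource reported with is_pe set to True is the same artefact the extraction routine above writes out as a .sys file, so it is a useful triage signal for droppers.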
After a .sys file has been decompressed to disk, it can be loaded using one of the rootkit loading methods we have already outlined. We now discuss some strategies to get your rootkit to load at boot time.