৽஛Ѩംఱఱٯ޲ ޻ఔ terrynini38514 terrynini

LAST WEEK ៺ঝ  2 vtable member1 member2 member3 human human_vtable FunA FunB FunC FunA code FunB code FunC code

LAST WEEK ៺ঝ  3 vtable member1 member2 member3 TW_member1 TW_member2 TW_member3 TW_member4 human Taiwanese_vtable Taiwanese FunA' FunB FunC' FunD FunE ୞༗WJSUVBMతGVODUJPO။ࡏWUBCMFத ׌ᙛ࢖༻ࢦඪ҃Ҿ༻ ࠽။ਅతڈ࢖༻WUBCMF FunA' code FunB code FunC' code FunD code FunE code

LAST WEEK )PXUPSFDPWFSUIFNFNCFSPGBTUSVDUVSF  4 #FIBWJPS

BASIC ANALYZE SKILL

BASIC ANALYZE SKILL YECH$IFBU4IFFU  6 暫存器 堆疊 記憶體 反組譯視窗 記憶體 位置 機器語言 組合語言 註解、標籤

BASIC ANALYZE SKILL YECH$IFBU4IFFU  7 按鍵 功能 按鍵 功能 F4 執⾏到指定的⾏為⽌ Ctrl+G 跳到某個address F7 單步執⾏(Step into) Enter 查看Function F8 單步執⾏(Step over) * 回到EIP的位置 F9 執⾏ -/+ 回到上/下⼀個位置 Ctrl+F2 重新開始 ;/: 新增註解/標籤 Ctrl+F9 執⾏到return後停⽌ f2 下斷點 alt+C disassemble alt+G Control flow graph

LAB

BABY STEP ෼ੳࡦུ ▸ ౟༻ቮ஌໛ܕ ▸ .BHJDOVNCFS ▸ ༬ଌఔࣜᛰ ▸ ந৅Խʂ  9

PE FILE FORMAT

PE FILE FORMAT 'JMFGPSNBU ▸ 8JOEPXT࢖༻1& 1PSUBCMF&YFDVUBCMF ࡞ҝ FYFDVUBCMFɺ%--ɺ%SJWFSత֨ࣜ Ґݩత൛ຊ᜝࡞1&҃1& Ґݩత൛ຊ᜝࡞1&҃ੋ1& ▸ .BD049࢖༻.BDI0 ▸ -JOVYٴ6OJY࢖༻&-' &YFDVUBCMF-JOLBCMF'PSNBU 
 USZUIJTGJMFCPPUFGJ&'*VCVOUVHSVCYFGJ  11

FILE FORMAT 4PNF1&WJFXFS ▸ FEJUPS ▸ 1&#FBS  12

PE FILE FORMAT 1&GJMFGPSNBU  13 File Process Offset Address 00000000 00400000 00401000 00402000 00403000 00404000 00000400 00000600 00000800 00000A00 NumberOfSections : 3 FileAlignment : 0x200 SectionAlignment: 0x1000 Header Null .text Null .data Null .rsrc Null Headers Null .text Null .data Null .rsrc Null

PE FILE FORMAT 1&GJMFGPSNBU  14 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_DOS_HEADER

PE FILE FORMAT 1&GJMFGPSNBU  15 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null

PE FILE FORMAT 1&GJMFGPSNBU  16 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_NT_HEADERS

File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE FORMAT 1&GJMFGPSNBU  17 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_FILE_HEADER

File Header Machine NumberOfSections SizeOfOptionalHeader Characteristics ... more PE FILE FORMAT 1&GJMFGPSNBU  18 Dos Header Dos Stub NT Headers Section Headers MZ e_lfanew PE This program cannot run in DOS mode Optional Header Magic AddressOfEntryPoint ImageBase SectionAlignment FileAlignment SizeOfImage SizeOfHeaders NumberOfRvaAndSizes ... more IMAGE_OPTIONAL_HEADER

PE FILE FORMAT *."(&@015*0/"-@)&"%&3  19 DataDirectory[0] = Export Directory DataDirectory[1] = Import Directory DataDirectory[2] = Resource Directory DataDirectory[3] = Exception Directory DataDirectory[4] = Security Directory DataDirectory[5] = Base Relocation Table DataDirectory[6] = Debug Directory DataDirectory[7] = Architecture Specific Data DataDirectory[8] = RVA of GlobalPtr DataDirectory[9] = TLS Directory DataDirectory[10] = Load Configuration Directory DataDirectory[11] = Bound Import Directory DataDirectory[12] = Import Address Table DataDirectory[13] = Delay Load Import Descriptors DataDirectory[14] = .NET header DataDirectory[15] = Reversed Directory IMAGE_DATA_DIRECTORY

PE FILE FORMAT 1&GJMFGPSNBU  20 Dos Header Dos Stub NT Header Section Headers MZ e_lfanew PE This program cannot run in DOS mode Headers Null .text Null .data Null .rsrc Null IMAGE_SECTION_HEADER[]

File(offset) Process (Virtual Address) Header Null .text Null .data Null .rsrc Null Headers Null .text Null .data Null .rsrc Null PointerToRawData PointerToRawData PointerToRawData SizeOfRawData SizeOfRawData SizeOfRawData SizeOfHeaders ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage PE FILE FORMAT 1&GJMFGPSNBU  21

PE FILE FORMAT ޸໌ͷ᠘  22 PE ഝཫత Virtual Address ଖመੋ Relative Virtual Address VA = RVA + ImageBase Process (Virtual Address) Header Null .text Null .data Null .rsrc Null ImageBase VirtualAddress VirtualAddress VirtualAddress VirtualSize VirtualSize VirtualSize VirtualSize SizeOfImage

PE FILE FORMAT 4FDUJPOT ▸ UFYUఔࣜᛰ ▸ EBUB์EBUBత஍ํ ▸ SEBUB།ᩇతEBUB ▸ CTTᔒॳ࢝ԽతશҬ҃ᯩଶᏓᏐ  23 ▸ JEBUB᪑JNQPSU༗᮫త ▸ FEBUB᪑FYQPSU༗᮫ ▸ STSD᪑SFTPVSDF༗᮫ ▸ SFMPD᪑ॏఆҐ༗᮫ ▸ QEBUB᪑ྫ֎႔ཧ༗᮫

IMAGE_IMPORT_DESCRIPTOR OriginalFirstThunk TimeDataStamp ForwarderChain Name FirstThunk PE FILE FORMAT *"5 *NQPSU"EESFTT5BCMF  24 Kernel32.dll INT IAT 55e SetUnhandledExceptionFilter 271 GetModuleHandleW 376 IsDebuggerPresent

PE FILE FORMAT &"5 &YQPSU"EESFTT5BCMF  25 ... Name ... AddressOfFuncitons AddressOfNames AddressOfOrdinals 0 1 2 Kernel32.dll 92C57 92C90 92CC3 92c6f 92ca5 1e690 "FuncA" "FuncB" "FuncC"

PE FILE FORMAT (FU1SPD"EESFTT ೗Կ࢖༻&"5ਘፙGVODUJPOT ▸ 先從 AddressOfNames 找到名字 ▸ 使⽤第⼀步的 index 在 Ordinals 中找到對應的 ordinal 值 ▸ 使⽤第⼆步的 ordinal 在 Funcitons 中尋找 function offset  26

PE FILE FORMAT #BTF3FMPDBUJPO5BCMF  27 Hello.exe ImageBase: 0x7000 A.DLL ImageBase: 0x7000 B.DLL 0x7000 0xC000 ImageBase: 0x7000 B.DLL Relocate

PE FILE FORMAT #BTF3FMPDBUJPO5BCMF ▸ *."(&@#"4&@3&-0$"5*0/ ▸ ༝7JSUVBM"EESFTT 4J[F0G#MPDL 5ZQF0GGTFUߏ੒ ▸ 5ZQF0GGTFU CJU IJHICJUGPSUZQF MPXCJUGPSPGGTFU ▸ 7JSUVBM"EESFTTPGGTFUबੋधཁॏఆҐత஍ํ  28

PE FILE FORMAT STDT ▸ 3FTPVSDFIBDLFS  29

PE FILE FORMAT 3VO5JNF1BDLFS ▸ 5PDPNQSFTTUIFFYFDVUBCMF 
 FH619 "41BDL ▸ 5PQSPUFDUUIFFYFDVUBCMF 
 FH7.1SPUFDU "41SPUFDU 5IFNJEB  30

PE FILE FORMAT 3VO5JNF1BDLFS  31 Dos Header Dos Stub NT Header .text header .data header .rsrc header Null .text Null .data Null .rsrc Null Dos Header Dos Stub NT Header .UPX0 header .UPX1 header .rsrc header Null .UPX0 .UPX1 Null .rsrc Null Unpacking Packing File File