                          ==Ph4nt0m Security Team==
 
                       Issue 0x02, Phile #0x0A of 0x0A
 

|=---------------------------------------------------------------------------=|
|=----------------=[  Handling PE/ELF files when packing  ]=-----------------=|
|=---------------------------------------------------------------------------=|
|=---------------------------------------------------------------------------=|
|=--------------------------=[      By dummy     ]=--------------------------=|
|=-----------------------=[  <dummy_at_ph4nt0m.org>  ]=----------------------=|
|=---------------------------------------------------------------------------=|
	
                
Preface:

    Packing is a technique that has kept developing. This article mainly gives
    a brief introduction to, and summary of, packer implementations for x86
    win32 PE and Linux ELF files, together with all the program source code I
    wrote for them earlier. All of that source is open; anyone interested can
    improve on it themselves.

    ps: some of this may be incomplete or plain wrong; corrections are welcome :)

Covered in this article:

    -------------------------------------------------------
    slm        x86 win32 r3 pe packer
    mimisys    x86 win32 r0 pe packer
    elfp       x86 linux r3 elf packer
    -------------------------------------------------------

1. What a packer consists of

    A complete packer consists of 2 main parts, the packer and the loader. Their
    roles are:

    (1) packer
        
    Responsible for compressing and encrypting the program to be packed and for
    writing the loader into it. slm's packer goes through: PE validity checks,
    preparing (optimising) the data to be compressed, compression and
    encryption, the loader, the packed part that lets the packed program restore
    its original data (OEP and so on), and finally writing out the new section.

    (2) loader
        
    Mainly decompresses and decrypts the packed program. slm's loader goes
    through: locating the packed part, extracting it and decompressing and
    decrypting it, filling in the import table, relocation, TLS initialisation
    and so on.

2. slm (x86 win32 r3 pe packer)

References:
    http://www.microsoft.com/whdc/system/platform/firmware/PECOFF.mspx

Tools:
    lordpe     PE file format viewer and editor
    dumpbin    COFF file format viewer that ships with VC
    ollydbg    r3 debugger

Source layout:
    ./slm/cm    shared header files
    ./slm/pk    packer implementation
    ./slm/sc    loader implementation

    At the time I had only just started to understand PE, so looking at slm now
a lot of it is a bit rough :). slm was already covered in the first issue; here
I mainly go through some of the problems I ran into back then.

    (1) Resource handling
        
    slm's handling of resources is fairly involved: the aim is to gather the
    compressible resource data together so it can be compressed as one block
    and restored on decompression. Below is a short description of the
    resource directory format; for the details see Microsoft's documentation :)
        
        IMAGE_NT_HEADERS.IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_RESOURCE]
    gives the address of the resource data, res_rva; cast it to an
    IMAGE_RESOURCE_DIRECTORY structure:

        IMAGE_RESOURCE_DIRECTORY:

            NumberOfIdEntries       number of id entries in the directory
            NumberOfNamedEntries    number of named entries in the directory

        IMAGE_RESOURCE_DIRECTORY is immediately followed by an array of
    IMAGE_RESOURCE_DIRECTORY_ENTRY structures with NumberOfIdEntries +
    NumberOfNamedEntries elements:

        IMAGE_RESOURCE_DIRECTORY_ENTRY:

            Id                  entry id, valid only when NameIsString is 0
            NameIsString        whether the entry is named by a string; if 1,
                                NameOffset is valid
            NameOffset          offset of the entry name, relative to res_rva
            DataIsDirectory     0: OffsetToData is valid; 1: OffsetToDirectory
                                is valid
            OffsetToData        points to the resource data, offset relative
                                to res_rva
            OffsetToDirectory   points to a sub-directory, offset relative to
                                res_rva

        The entry name string is reached through NameOffset as a
    PIMAGE_RESOURCE_DIR_STRING_U pointer; the name is in Unicode and is not
    zero-terminated (it carries a length instead). If the entry is identified
    by an id rather than a name, the values are defined in winnt.h: RT_ICON,
    RT_VERSION and so on.

        That is all of the structure. The point to watch is that when
    OffsetToDirectory and OffsetToData are rewritten they must be kept DWORD
    aligned, otherwise the values are wrong.

    (2) Import table

        IMAGE_NT_HEADERS.IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_IMPORT]
    gives the address of the import table, imp_rva; cast it to an
    IMAGE_IMPORT_DESCRIPTOR structure:
        
        IMAGE_IMPORT_DESCRIPTOR:

            Name               points to the dll name, offset is an rva
            FirstThunk         points to an array of IMAGE_THUNK_DATA
                               structures, offset is an rva
            OriginalFirstThunk points to a copy of the FirstThunk array, may
                               be null; offset is an rva
        
        The import table is an array of IMAGE_IMPORT_DESCRIPTOR structures of
    no fixed length, terminated by an entry whose Name is null.
    
        
        FirstThunk and OriginalFirstThunk point to arrays of IMAGE_THUNK_DATA.
    When the system loads the file and resolves the imports, the structures
    that FirstThunk points to are modified in place (they receive the resolved
    function addresses).

    (3) TLS handling

        The tls meant here is so-called static tls (implemented in the PE file
    structure itself). For what tls is, see the threads chapter of Windows
    核心编程 (Richter's Programming Applications for Microsoft Windows).
        
        1. Producing tls data

        To produce tls in VC all you need is __declspec(thread) int x = 0;
    at compile time it is placed in the .tls section. Looked at from the
    outside this section is no different from any other; the only difference
    is that IMAGE_DATA_DIRECTORY[IMAGE_DIRECTORY_ENTRY_TLS] points to a
    structure. That structure is IMAGE_TLS_DIRECTORY:

        IMAGE_TLS_DIRECTORY:

            StartAddressOfRawData   start address of the tls data block, va
            EndAddressOfRawData     end address of the tls data, va
            AddressOfIndex          address of the tls slot index; by default
                                    the tls slot is 0
            AddressOfCallBacks      points to an array of PIMAGE_TLS_CALLBACK
                                    terminated by 0; each PIMAGE_TLS_CALLBACK
                                    is a va
            SizeOfZeroFill          size of the data to be zero filled
            Characteristics
        
        2. How the system handles tls for an exe

            After the system has finished relocation it starts on tls. From
    tls_dir the size of the tls data is EndAddressOfRawData -
    StartAddressOfRawData + SizeOfZeroFill; it allocates a block of memory of
    that size and stores its address at (PDWORD)fs:[0x2c] + tls_slot, then
    copies the data between StartAddressOfRawData and EndAddressOfRawData
    into the new memory, fills the remaining SizeOfZeroFill bytes with zero,
    and finally calls every function in AddressOfCallBacks in turn.
    PIMAGE_TLS_CALLBACK has the same prototype as DllMain, only without a
    return value.
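An added user-mode emulation of the sequence just described (example code written for this page, not code from slm or from Windows): it derives the block size from the three fields, copies the initialised image, zero-fills the tail, records the slot index and walks the 0-terminated callback array. Pointers stand in for the va fields so it runs outside a loader; the tls data and callbacks are constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DLL_PROCESS_ATTACH 1
typedef void (*tls_callback_t)(void *image_base, uint32_t reason, void *reserved);

/* IMAGE_TLS_DIRECTORY as the text describes it, with the va fields
 * expressed as pointers so the logic can run outside a loader. */
typedef struct {
    const uint8_t *start_raw;          /* StartAddressOfRawData */
    const uint8_t *end_raw;            /* EndAddressOfRawData */
    uint32_t *address_of_index;        /* AddressOfIndex */
    const tls_callback_t *callbacks;   /* AddressOfCallBacks, 0-terminated */
    uint32_t size_of_zero_fill;        /* SizeOfZeroFill */
} tls_dir_t;

/* Size of one thread's tls block: End - Start + SizeOfZeroFill. */
size_t tls_block_size(const tls_dir_t *d)
{
    return (size_t)(d->end_raw - d->start_raw) + d->size_of_zero_fill;
}

/* Emulate the exe case: allocate, copy the initialised image, zero the tail,
 * publish the slot index, then run the callbacks in order. Returns the block
 * (caller frees) and reports how many callbacks ran through *ncalled. */
uint8_t *tls_setup_for_thread(const tls_dir_t *d, uint32_t slot, void *image_base, unsigned *ncalled)
{
    size_t init = (size_t)(d->end_raw - d->start_raw);
    uint8_t *block = malloc(tls_block_size(d));
    *ncalled = 0;
    if (!block) return NULL;
    memcpy(block, d->start_raw, init);
    memset(block + init, 0, d->size_of_zero_fill);
    if (d->address_of_index) *d->address_of_index = slot;
    for (const tls_callback_t *cb = d->callbacks; cb && *cb; cb++, (*ncalled)++)
        (*cb)(image_base, DLL_PROCESS_ATTACH, NULL);
    return block;
}

/* Constructed sample: 4 initialised bytes, 4 bytes of zero fill, two callbacks.
 * tls_demo returns the callback count if the block came out right, else -1. */
static unsigned sample_cb_hits;
static void sample_cb(void *base, uint32_t reason, void *r) { (void)base; (void)r; if (reason == DLL_PROCESS_ATTACH) sample_cb_hits++; }
int tls_demo(void)
{
    static const uint8_t raw[4] = { 0x11, 0x22, 0x33, 0x44 };
    static const tls_callback_t cbs[] = { sample_cb, sample_cb, NULL };
    uint32_t index = 0xFFFFFFFFu;
    tls_dir_t d = { raw, raw + sizeof raw, &index, cbs, 4 };
    unsigned n; uint8_t *blk = tls_setup_for_thread(&d, 0, NULL, &n);
    int ok = blk && tls_block_size(&d) == 8 && memcmp(blk, raw, 4) == 0
             && blk[4] == 0 && blk[5] == 0 && blk[6] == 0 && blk[7] == 0 && index == 0;
    free(blk);
    return ok ? (int)n : -1;
}
```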

        3. How the system handles tls for a dll

            First, a dll can certainly use tls; the only difference is in how
    AddressOfCallBacks is invoked. If the target dll is loaded implicitly
    (i.e. loaded when the process is created), the tls callbacks fire; if it
    is loaded with LoadLibrary they do not.

    (4) rva & raw conversion

        The pointers in the PE file structure are all rvas; an rva is the
    offset of the data in memory after the system has loaded the PE file.
    During packing, however, the file is simply mapped and all accesses to its
    data use file pointers, so rvas have to be converted. (Every time I do PE
    work I end up writing such a function afresh; there must be 10 versions by
    now, yet not one of them could be guaranteed correct - -)

        The latest rva2raw version in the source has been checked for correctness.
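As an added illustration of the conversion discussed above (written for this page, not the author's rva2raw from the zip), a version that handles the cases a packer runs into: rvas inside the headers, section tails that have no bytes on disk, and rvas past the last section. The section table, header size and alignment are constructed for the demo.

```c
#include <stdint.h>
#include <stddef.h>

/* The IMAGE_SECTION_HEADER fields rva2raw needs (layout not preserved). */
typedef struct {
    uint32_t VirtualAddress;    /* section start, rva */
    uint32_t VirtualSize;       /* Misc.VirtualSize: extent once mapped */
    uint32_t PointerToRawData;  /* file offset of the section's bytes */
    uint32_t SizeOfRawData;     /* how many bytes the file actually holds */
} section_t;

#define RVA_UNMAPPED 0xFFFFFFFFu

/* Convert an rva to a file offset. Returns RVA_UNMAPPED when no byte in the
 * file backs the rva: past the last section, or in the tail of a section
 * whose VirtualSize exceeds SizeOfRawData (zero-filled by the loader). */
uint32_t rva2raw(uint32_t rva, const section_t *sec, size_t nsec,
                 uint32_t size_of_headers, uint32_t section_align)
{
    if (rva < size_of_headers)      /* headers are mapped 1:1 from offset 0 */
        return rva;
    for (size_t i = 0; i < nsec; i++) {
        /* Mapped extent: the larger of the two sizes, rounded up to the
         * section alignment (old linkers may leave VirtualSize at 0). */
        uint32_t span = sec[i].VirtualSize > sec[i].SizeOfRawData
                      ? sec[i].VirtualSize : sec[i].SizeOfRawData;
        span = (span + section_align - 1) & ~(section_align - 1);
        if (rva < sec[i].VirtualAddress || rva - sec[i].VirtualAddress >= span)
            continue;
        uint32_t delta = rva - sec[i].VirtualAddress;
        if (delta >= sec[i].SizeOfRawData)   /* inside the uninitialised tail */
            return RVA_UNMAPPED;
        return sec[i].PointerToRawData + delta;
    }
    return RVA_UNMAPPED;
}

/* Constructed sample section table (not taken from any real binary):
 *  .text  rva 0x1000, 0xD00 bytes mapped, 0xE00 bytes on disk at 0x400
 *  .data  rva 0x2000, 0x3000 bytes mapped, only 0x200 on disk at 0x1200 */
static const section_t sample_sections[] = {
    { 0x1000, 0x0D00, 0x0400, 0x0E00 },
    { 0x2000, 0x3000, 0x1200, 0x0200 },
};

/* Look an rva up in the sample (SizeOfHeaders 0x400, alignment 0x1000). */
uint32_t sample_rva2raw(uint32_t rva)
{
    return rva2raw(rva, sample_sections,
                   sizeof sample_sections / sizeof sample_sections[0],
                   0x400u, 0x1000u);
}
```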

3. mimisys (x86 win32 r0 pe packer)

References:
    Windows Research Kernel
        wrk/base/ntos/mm/sysload.c:MmLoadSystemImage
Tools:
    syser     kernel debugger; any other r0 debugger will do as well
    vmware    debugging needs a virtual machine

    The file format handling largely follows slm; the main points are where an
    r0 PE differs from an r3 PE:

    (1) Kernel paging

        Memory is often tight in r0, so the sections of a typical sys are
    treated differently in a few places:

        1. Pageable and non-pageable sections
            
        When memory is short, the system looks at the loaded section objects:
    if one has the pageout attribute, its pages are swapped out when memory is
    tight (into the system page file, to be swapped back in later), over the
    range given by the original VirtualAddress rounded up and VirtualSize
    rounded down to whole pages. Non-pageable sections stay resident in
    memory.

        2. Section alignment below a page
            
        A sys can specify a section alignment smaller than a page; handling
    such a file is then quite simple for the system, since the loaded image
    has the same layout as the file and the file only has to be read in. When
    the section alignment is below a page, SizeOfRawData equals VirtualSize,
    so uninitialised sections are not supported. mimisys uses SizeOfImage so
    that after the file is loaded there is an uninitialised buffer available
    for the decompression process.

    (2) Checksum verification

        In one sentence: only a sys file with a correct checksum gets loaded.

    (3) win2k

        win2k differs from later nt systems in a few ways, and r3 and r0 differ
    somewhat too: on win2k an r3 PE missing what it requires is refused, and
    an r0 PE without relocation information is refused to load as well.
    Supplying an empty relocation directory is enough to get past that.

        mimisys merges the sections: after packing only one section is left,
    plus a loader. Working from the packed part, the loader restores the
    original sections, decompressing the optimised compressed data, moving the
    relocations, moving the resources and so on; the section itself is never
    altered.

4. elfp (x86 linux r3 elf packer)

References:
    Tool Interface Standard (TIS) Executable and Linking Format
        http://www.x86.org/ftp/manuals/tools/elf.pdf
    毛德操, 漫谈兼容内核 parts 8 and 9: loading ELF images
        http://linux.insigma.com.cn/jszl.asp?docid=132762762
        http://linux.insigma.com.cn/jszl.asp?docid=133617926
    Linux kernel source
        linux/fs/binfmt_elf.c:load_elf_binary

Tools:
    objdump    viewer for the structure of the ELF file format
               http://www.gnu.org/software/binutils/binutils.html
                
    ald        an assembly-level gdb, for files that carry no debug information
               http://ald.sourceforge.net/
    
    elfp is a compressing packer for Linux ELF files, written on magiclinux.

    ELF is the main executable format on Linux. It too grew out of COFF, so it
is very similar to the PE format; here it is described by comparison with PE.

    An ELF file begins with the Elf32_Ehdr structure:

    typedef struct
    {
      unsigned char e_ident[EI_NIDENT];     /* Magic number and other info */
      Elf32_Half    e_type;                 /* Object file type */
      Elf32_Half    e_machine;              /* Architecture */
      Elf32_Word    e_version;              /* Object file version */
      Elf32_Addr    e_entry;                /* Entry point virtual address */
      Elf32_Off     e_phoff;                /* Program header table file offset */
      Elf32_Off     e_shoff;                /* Section header table file offset */
      Elf32_Word    e_flags;                /* Processor-specific flags */
      Elf32_Half    e_ehsize;               /* ELF header size in bytes */
      Elf32_Half    e_phentsize;            /* Program header table entry size */
      Elf32_Half    e_phnum;                /* Program header table entry count */
      Elf32_Half    e_shentsize;            /* Section header table entry size */
      Elf32_Half    e_shnum;                /* Section header table entry count */
      Elf32_Half    e_shstrndx;             /* Section header string table index */
    } Elf32_Ehdr;

    e_ident        begins with the four-byte ELFMAG magic defined in elf.h
    e_entry        image offset of the entry point (an image offset is what PE
                   calls an rva)
    e_phoff        file offset of the Elf32_Phdr table
    e_shoff        file offset of the Elf32_Shdr table
    e_ehsize       size of the Elf32_Ehdr structure
    e_phentsize    size of one Elf32_Phdr structure
    e_phnum        number of Elf32_Phdr entries
    e_shentsize    size of one Elf32_Shdr structure
    e_shnum        number of Elf32_Shdr entries
    
    The Elf32_Phdr table follows Elf32_Ehdr; its position is found from
Elf32_Ehdr.e_ehsize (the program header table normally sits right after the
ELF header; e_phoff gives its offset explicitly). The Elf32_Phdr table (the
segment table, i.e. how many segments there are) can be regarded as the
counterpart of PE's section table:

    typedef struct
    {
      Elf32_Word    p_type;                 /* Segment type */
      Elf32_Off     p_offset;               /* Segment file offset */
      Elf32_Addr    p_vaddr;                /* Segment virtual address */
      Elf32_Addr    p_paddr;                /* Segment physical address */
      Elf32_Word    p_filesz;               /* Segment size in file */
      Elf32_Word    p_memsz;                /* Segment size in memory */
      Elf32_Word    p_flags;                /* Segment flags */
      Elf32_Word    p_align;                /* Segment alignment */
    } Elf32_Phdr;
    
    p_type    type of the segment, one of the values below
    p_offset  file offset, PointerToRawData in PE
    p_vaddr   image offset of the data once loaded, VirtualAddress in PE
    p_filesz  size in the file, SizeOfRawData in PE
    p_memsz   size in the image once loaded, VirtualSize in PE
    p_flags   memory attributes of the segment, the section characteristics in PE
    p_align   segment alignment

    The main p_type values:

        PT_LOAD      a segment to be loaded into memory
        PT_PHDR      this segment holds the Elf32_Phdr table
        PT_INTERP    this segment names a system image that loading is handed
                     over to: the ELF interpreter, which plays the role ntdll
                     plays for PE files on Windows and does the relocation
                     and similar work the ELF file needs

    The main p_flags values:

        PF_X         segment is executable
        PF_W         segment is writable
        PF_R         segment is readable
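As an added example (written for this page, not elfp's code), the same kind of lookup on the ELF side using the two structures above: walk the program headers of a constructed 32-bit image and turn a virtual address into a file offset through the PT_LOAD segment that contains it, reporting addresses that fall in the p_memsz tail beyond p_filesz (bss) as having no bytes in the file. The sample image is constructed in memory and consists of the header plus two program headers only.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
typedef uint16_t Elf32_Half; typedef uint32_t Elf32_Word, Elf32_Addr, Elf32_Off;
#define PT_LOAD 1
#define ELF_UNMAPPED 0xFFFFFFFFu
typedef struct {   /* same layout as the Elf32_Ehdr shown above (EI_NIDENT = 16) */
    unsigned char e_ident[16]; Elf32_Half e_type, e_machine;
    Elf32_Word e_version; Elf32_Addr e_entry; Elf32_Off e_phoff, e_shoff;
    Elf32_Word e_flags;
    Elf32_Half e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Elf32_Ehdr;
typedef struct {   /* same layout as the Elf32_Phdr shown above */
    Elf32_Word p_type; Elf32_Off p_offset; Elf32_Addr p_vaddr, p_paddr;
    Elf32_Word p_filesz, p_memsz, p_flags, p_align;
} Elf32_Phdr;

/* Virtual address -> file offset through the PT_LOAD segment holding it (the
 * ELF counterpart of rva2raw). Bytes past p_filesz exist only in memory (bss),
 * so they report ELF_UNMAPPED. Headers are copied out of the image to avoid
 * unaligned access, and the table is bounds-checked against the image length. */
uint32_t elf_vaddr2off(const uint8_t *img, size_t len, Elf32_Addr va)
{
    Elf32_Ehdr eh; if (len < sizeof eh) return ELF_UNMAPPED;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, "\177ELF", 4) != 0 || eh.e_phentsize != sizeof(Elf32_Phdr))
        return ELF_UNMAPPED;
    for (Elf32_Half i = 0; i < eh.e_phnum; i++) {
        Elf32_Phdr ph;
        size_t off = eh.e_phoff + (size_t)i * sizeof ph;
        if (off + sizeof ph > len) return ELF_UNMAPPED;   /* truncated table */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_LOAD || va < ph.p_vaddr || va - ph.p_vaddr >= ph.p_memsz) continue;
        return va - ph.p_vaddr < ph.p_filesz ? ph.p_offset + (va - ph.p_vaddr) : ELF_UNMAPPED;
    }
    return ELF_UNMAPPED;
}

/* Constructed sample (not a real binary): ET_EXEC for EM_386 with a text segment
 * (file 0..0x200 at 0x08048000) and a data segment whose last 0x700 bytes are bss.
 * Builds the headers in a buffer and resolves one virtual address in them. */
uint32_t sample_lookup(Elf32_Addr va)
{
    uint8_t buf[sizeof(Elf32_Ehdr) + 2 * sizeof(Elf32_Phdr)];
    Elf32_Ehdr eh; memset(&eh, 0, sizeof eh);
    Elf32_Phdr ph[2] = {
        { PT_LOAD, 0x000, 0x08048000, 0x08048000, 0x200, 0x200, 5 /* PF_R|PF_X */, 0x1000 },
        { PT_LOAD, 0x200, 0x08049200, 0x08049200, 0x100, 0x800, 6 /* PF_R|PF_W */, 0x1000 } };
    memcpy(eh.e_ident, "\177ELF\001\001\001", 7);  /* ELFCLASS32, ELFDATA2LSB, EV_CURRENT */
    eh.e_type = 2; eh.e_machine = 3; eh.e_version = 1; eh.e_entry = 0x08048120;
    eh.e_phoff = eh.e_ehsize = sizeof eh; eh.e_phentsize = sizeof ph[0]; eh.e_phnum = 2;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, sizeof ph);
    return elf_vaddr2off(buf, sizeof buf, va);
}
```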

    Elf32_Shdr (the section table) comes after the Elf32_Phdr (segment table).
Anyone familiar with PE knows how important the section table is in a PE file,
but this is not that section table: what the PE section table and the nt
header's data_dir[] entries do is covered here by the program headers, while
the section table is what tools use to locate information such as version
information and addresses. elfp simply drops the section table during packing.

    A brief look at elfp's loader: the packing itself is very simple. After an
ELF file has been loaded, before execution jumps to the entry point, the system
has already pushed a number of things onto the stack:

    //  stack layout
    //  +-------------------+
    //  |   return address  |        return address
    //  +-------------------+
    //  |   argc            |        argument count
    //  +-------------------+
    //  |   argv[?], NULL   |        NULL terminated
    //  +-------------------+
    //  |   envp[?], NULL   |        NULL terminated
    //  +-------------------+
    //  |   auxv[?]         |        I am not sure what everything in here is
    //  +-------------------+        used for, but it carries information about
                                     the ELF image, so the packer has to write
                                     it correctly for the program to find its
                                     data at the right addresses
                                     
    elfp's loader runs through the following steps:

        set up memory --> decompress each segment to its designated address -->
    read the packed program's original information --> restore the original
    segment table and write auxv --> rebuild the stack --> transfer to the
    program

    For the details of ELF parsing see the references listed above.

5. Appendix

[1] Code for this article
    ./pstzine_0A_01.zip
    
-EOF-