I tried to write a PE loader. I first load the executable image and all its dependent DLLs (including kernel32.dll and ntdll.dll) into memory, process all import address tables, and rewrite all data that needs relocation.
I know the Windows system already loads ntdll.dll and kernel32.dll into process memory when the process is created. My question is how I can load another copy of ntdll.dll and kernel32.dll into memory, and link my module to the copies.
The system DLL kernel32.dll was relocated in memory (Windows XP)
It works by accident. It is a very common accident: Microsoft makes a great deal of effort to ensure that the operating system DLLs, like kernel32.dll, have a base address that doesn't conflict with any other DLLs. This is further helped by kernel32.dll getting loaded very early at process initialization, so there are low odds that it has to fight to get its preferred base address.
You'll get away with it easily. It is notable that this has gone wrong in the past; there was an XP security update oops that caused gdi32.dll to get relocated and made lots of machines fall over at boot. The correct way is fairly painful: CreateToolhelp32Snapshot() + Module32First/Next() to find the relocation offset isn't great joy. Frankly, you probably ought not to do this at all if the operating system is "weird" like that.
Theoretically you can make the injector, the malicious program that attempts to inject your program, fail if you link some kernel32.lib that doesn't load kernel32.dll's LoadLibrary procedure into the memory of your program.
I once ported a similar program (from the SCO Unix/HP-UX era). I mapped a known file to some address (somewhere predetermined) and relocated the pointers there. Then I saved the file as a stream on the original file (the relocation address as the stream name; relocation was an expensive operation). The loading process mapped one of those streams to the correct address and, if that failed, created a new stream. A maximum of 4 streams was ever generated (in the Windows XP era). One could also disable ASLR for the relevant processes; that might help.
By the time this change to WinSrv and Ctrl-C processing was made, though, the application compatibility impact of removing the requirement that the kernel32 base address be the same system-wide would have been too severe to eliminate the restriction (virtually all third party code injection code now relies heavily on this assumption). Thus, for this (and other) reasons, kernel32 still remains with the restriction that it may not be relocated to a different base address cross-process.
The documented functions from the Windows API are stored in kernel32.dll, advapi32.dll, gdi32.dll and others. The base services (like working with file systems, processes, devices, etc.) are provided by kernel32.dll.
[0x04] I took inspiration from this blog, which has great illustrations but uses the older technique with InInitializationOrderModuleList (which still works for ntdll.dll, but not for kernel32.dll): playground.dk/2012/06/understanding-windows-shellcode.html
DEP first saw widespread adoption in the Windows world with Windows XP SP2 in 2004 and has since become a ubiquitous characteristic of virtually every modern application and operating system in use today. It is enforced by the hardware through a bit in each page-table entry (the NX, Non-eXecute, bit), which Windows sets by default on all newly allocated memory. This means that executable memory must be explicitly created, either by allocating new memory with executable permissions through an API such as KERNEL32.DLL!VirtualAlloc or by changing the protection of existing non-executable memory through an API such as KERNEL32.DLL!VirtualProtect. An implicit side effect is that the stack and heap are both non-executable by default, so shellcode cannot be executed directly from those locations; it must first be copied into, or have carved out for it, an executable region.
If the value of the Base Relocation Directory Size field is 0x3FFFFFFE or larger, then OllyDbg will write the relocated values to unallocated heap memory. On certain platforms, this can result in the execution of arbitrary code. The mitigating factor for the relocation table problem is the fact that it requires a file in excess of one gigabyte in size, because OllyDbg reads the relocation data directly from the file.
At some point, X.dll has to ask the operating system what the current time is. Windows provides the functions GetSystemTime, GetSystemTimeAsFileTime and GetLocalTime for this purpose. If we were lucky, we would find a direct call to one of these functions in X.dll. If we were unlucky, X would descramble the desired function name at run time (so that you couldn't find the name in the binary) and dynamically link to kernel32.dll in order to call the function.
(This reference is stored so the OS loader can fix up addresses when the DLL is loaded. Because DLLs can be loaded at different addresses in memory (and because kernel32.dll is different in different versions of Windows), the actual location of the GetLocalTime function can't be hardcoded in X.dll. Instead, a relocation table is used. The relocation table basically looks like this (well, in pseudo-code):
The DLL's compiled code calls the GetLocalTimeStub stub function instead of the real kernel32.dll function. At load time, the OS walks the relocation table and fills in the actual address of the functions in other DLLs. Since those DLLs have already been loaded into memory, the real addresses of the functions are known.)
I suddenly realised that I didn't know how to read relocation tables. I wanted to put a breakpoint on GetLocalTimeStub so that I could debug the program at the point where it called this function, but I didn't know where this function was located in X.dll. However, Dependency Walker told me that GetLocalTime is located at an offset of 0x15A68 in kernel32.dll. Combine that with Process Explorer telling me that LDLS.exe loaded kernel32.dll at 0x77E60000 and we know that the code for GetLocalTime is located at 0x77E75A68.
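Three fragments above touch the same mechanism: the question at the top wants to "rewrite all data which need relocation", the OllyDbg note shows what happens when the Base Relocation Directory Size field is trusted, and the X.dll write-up says its author did not know how to read relocation tables. (In PE terms, the per-function fix-up that write-up describes goes through the import address table; the base relocation table, .reloc, is what a loader walks when the image is not mapped at its preferred ImageBase.) The following is an added example, not code from any of the quoted posts: a portable C walker over IMAGE_BASE_RELOCATION blocks that applies HIGHLOW and DIR64 fix-ups to a constructed in-memory image (not a real PE), and rejects a directory whose size or block offsets do not fit inside the mapping, which is the check the OllyDbg report says was missing. The layout constants IMAGE_SIZE, RELOC_RVA, PREFERRED_BASE and DELTA are assumptions chosen for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Base relocation entry types from the PE/COFF specification. */
#define REL_ABSOLUTE 0   /* padding entry, skipped */
#define REL_HIGHLOW  3   /* 32-bit absolute address */
#define REL_DIR64   10   /* 64-bit absolute address */

/* Little-endian accessors so the walker is correct regardless of host alignment rules. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const uint8_t *p) { return rd32(p) | (uint64_t)rd32(p + 4) << 32; }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk the base relocation directory of a mapped image and add `delta`
 * (actual load address minus preferred ImageBase) to every absolute address it
 * lists. Each IMAGE_BASE_RELOCATION block is { PageRVA, SizeOfBlock } followed by
 * 16-bit entries of (type << 12 | offset-in-page). Every offset is checked against
 * image_size before it is dereferenced, so a directory whose Size field is absurd
 * (0x3FFFFFFE, say) or whose blocks point past the mapping returns -1 instead of
 * writing outside the image. Returns the number of fix-ups applied. */
long apply_base_relocations(uint8_t *image, size_t image_size,
                            uint32_t reloc_rva, uint32_t reloc_size, uint64_t delta)
{
    if (reloc_size < 8 || reloc_rva > image_size || reloc_size > image_size - reloc_rva)
        return -1;                                   /* directory does not fit in the image */
    long applied = 0;
    uint32_t pos = reloc_rva, end = reloc_rva + reloc_size;
    while (pos + 8 <= end) {
        uint32_t page_rva   = rd32(image + pos);
        uint32_t block_size = rd32(image + pos + 4);
        if (block_size < 8 || block_size > end - pos || page_rva > image_size)
            return -1;                               /* block overruns the directory or the image */
        for (uint32_t off = pos + 8; off + 2 <= pos + block_size; off += 2) {
            uint16_t entry  = (uint16_t)(image[off] | image[off + 1] << 8);
            uint64_t target = (uint64_t)page_rva + (entry & 0x0FFF);
            switch (entry >> 12) {
            case REL_ABSOLUTE:
                break;
            case REL_HIGHLOW:
                if (target > image_size || image_size - target < 4) return -1;
                wr32(image + target, rd32(image + target) + (uint32_t)delta);
                applied++;
                break;
            case REL_DIR64:
                if (target > image_size || image_size - target < 8) return -1;
                wr64(image + target, rd64(image + target) + delta);
                applied++;
                break;
            default:
                return -1;                           /* HIGH/LOW/HIGHADJ/ARM types not handled here */
            }
        }
        pos += block_size;
    }
    return applied;
}

/* Demo layout (assumptions, not taken from any real binary). */
#define IMAGE_SIZE     0x2000
#define RELOC_RVA      0x1000
#define PREFERRED_BASE 0x400000ull
#define DELTA          0x10000000ull   /* image "lands" at PREFERRED_BASE + DELTA */

/* Constructed image (not a real PE): page 0 holds a 32-bit pointer at +0x10 and a
 * 64-bit pointer at +0x20, both computed for PREFERRED_BASE; the directory at
 * RELOC_RVA is one block listing them plus two ABSOLUTE padding entries. */
static void build_demo_image(uint8_t *img)
{
    memset(img, 0, IMAGE_SIZE);
    wr32(img + 0x10, (uint32_t)(PREFERRED_BASE + 0x1234));
    wr64(img + 0x20, PREFERRED_BASE + 0x1234);
    uint8_t *blk = img + RELOC_RVA;
    wr32(blk, 0);                                    /* PageRVA */
    wr32(blk + 4, 16);                               /* SizeOfBlock: 8-byte header + 4 entries */
    uint16_t entries[4] = { REL_HIGHLOW << 12 | 0x10, REL_DIR64 << 12 | 0x20, 0, 0 };
    for (int i = 0; i < 4; i++) {
        blk[8 + 2 * i] = (uint8_t)entries[i];
        blk[9 + 2 * i] = (uint8_t)(entries[i] >> 8);
    }
}

static long relocate_demo(uint8_t *img, uint32_t reloc_size, uint32_t page_rva)
{
    build_demo_image(img);
    wr32(img + RELOC_RVA, page_rva);                 /* lets a test point the block off the image */
    return apply_base_relocations(img, IMAGE_SIZE, RELOC_RVA, reloc_size, DELTA);
}
uint32_t demo_relocated_ptr32(void) { uint8_t img[IMAGE_SIZE]; return relocate_demo(img, 16, 0) == 2 ? rd32(img + 0x10) : 0; }
uint64_t demo_relocated_ptr64(void) { uint8_t img[IMAGE_SIZE]; return relocate_demo(img, 16, 0) == 2 ? rd64(img + 0x20) : 0; }
/* The OllyDbg case: a directory Size of 0x3FFFFFFE cannot fit in the image. */
long demo_reject_oversized_directory(void) { uint8_t img[IMAGE_SIZE]; return relocate_demo(img, 0x3FFFFFFEu, 0); }
/* A block whose PageRVA + offset lands past the end of the mapping. */
long demo_reject_out_of_image(void) { uint8_t img[IMAGE_SIZE]; return relocate_demo(img, 16, 0x1FF8); }

int main(void)
{
    printf("ptr32 after relocation: 0x%08x\n", demo_relocated_ptr32());
    printf("ptr64 after relocation: 0x%016llx\n", (unsigned long long)demo_relocated_ptr64());
    printf("oversized directory -> %ld, out-of-image block -> %ld\n",
           demo_reject_oversized_directory(), demo_reject_out_of_image());
    return 0;
}
```

A real loader gets `reloc_rva` and `reloc_size` from the IMAGE_DIRECTORY_ENTRY_BASERELOC slot of the optional header and `delta` from the difference between the mapping address and `ImageBase`; if the image has no relocation directory and does not land at its preferred base, it cannot be loaded at all, which is the situation the Windows loader avoids for kernel32.dll by reserving its base early.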
fixed: sending 32-bit IPC from system to user failed
fixed: sending IPC from RuntimeBroker.exe could fail
fixed: ProcessIdToFileName sometimes missed the full path
fixed: memory leak in ProcessIdToFileName
[driver] fixed: potential stack overflow
[driver] fixed: Authenticode check sometimes incorrectly failed
[driver] fixed: couldn't verify driver certificate in the system32 folder
[driver] some tweaks to make Microsoft HLK happy
Version 11.0.5 [21945] Fixed permission error when creating a workflow with an empty task through the wizard by an Administrators Group member.
[21953] OnError 'Start Task' action has been removed from Automate Enterprise.
[22965] Importing a task into v11 will run as expected when there are hyphens at the end of message.
[23102] Fixed v11 ability to log on/unlock a logged off/locked system when Security Interactive Screen or Splash Screen is present upon log on.
[23318] Fixed issue of first tasks failing to run after a successful log in by a triggered workflow in Automate Enterprise.
[23355] Web Browser 'Set Value' activity, 'Set Text' value of 'Change to' field will now import from previous versions as expected.
[23358] The calendar in Management Console will show task names as expected.
[23457] The calendar in Management Console will show workflows as expected.
[23586] Importing a task from v9 to v11 with the 'Send Email' action will transfer correctly.
[23587] Workflow status will be cleared in Execution Events after a 'Log Out' action.
[23590] User can call custom function from variable.
[23591] BASIC Scripting action window will now prompt to save changes when closing the window.
[23598] 'Close SQL Connection' action will ignore the "Session could not be found" exception when selected in Error Causes exceptions.
[23600] Task selection dropdown in "Logs" now allows a "/" in the Task Names.
[23633] Managed Task Logon Properties import to v11 correctly.
[23649] SQL Query Host steps will import from v9 to v11 correctly.
[23683] The disabled users are no longer allowed to log in to Management Console.
[23694] Import Tasks with 'Network: Disconnect' action will be imported correctly from v9 to v11.
[23696] Stored Procedure actions retrieve the list of the stored procedures in the database correctly if System radio button is selected in the action.
[23699] A subtask failure within Managed Task will stop and error on the step in the sub task, and the parent task will not continue.
[23700] Terminal 'Send Text' action will import correctly.
[23713] Management Console Ports set to 9700 will migrate correctly from v10 to v11.
[23714] 'Focus window' action set focus to windows correctly when brought to foreground.
[23717] The SQL query statement boxes import/migrate correctly using the 11.0.2.22 version of the datastore migration utility.
[23740] When the 'BASIC Script: Execute' action has an embedded/external 'For Each' statement, it will not fail while executing.
[23741] 'Set Variable' step does not fail when the task has a BASIC Script action.
[23743] New, unsaved workflows will run successfully from Work Flow Designer.
[23745] User and user group permissions are maintained after migrating to v11 with Data Store Migration.
[23746] V8 tasks can now be imported into v10 and v11.
[23747] Tasks will not randomly fail due to task step logging on the agent.
[23749 and 24046] When scrolling on the 'Constants' and 'SQL Connections' pages of the Server and Agent properties, the column headers and the 'New', 'Modify' and 'Remove' buttons will remain visible.
[23750] User folders will be correctly created and unduplicated when migrating database from v10.7.0 to v11.
[23751] Constants will migrate successfully from v10.7.0 to v11 using Data Migration Utility.
[23802] Import: Database (SQL Query): Dataset.field will show value correctly in Task Builder pane.
[23809] Shared Variable values are now updated in run time without the need to save the workflow.
[23832] Unassociated 'End Case' in a 'Loop' action will show 'Expecting Select step' message as expected.
[23835] 'Loop' actions from v8 and v9 will import correctly into v11.
[23837] CreateGuid() function will work correctly in BASIC Script action.
[23840] SMC in v11.0.5 will successfully connect to earlier versions of v11 servers with a warning but will not cause a database corruption.
[23841] Window title bar in Task Builder will now accept all characters for the name field, including illegal characters such as .
[23854] 'FTP:Connect' action will load the Proxy setting correctly from System Default properties if default is selected.
[23861] SQL Injection attack prevented with proper use of parameters.
[23862] Data will pass to LDAP securely using AntiXSS methods LdapFilterEncode and LdapDistinguishedNameEncode.
[23865] All paths are checked and validated before being sent to file API.
[23867] All areas in code expected to have low-memory situations are now handled in code correctly.
[23868] System Libraries will always be loaded using the correct full path returned by the system.
[23908, 23910, and 23911] Trigger objects are working as expected when referenced in the task.
[23909] 'Computer:Log Off' action runs as expected.
[23933] Amazon S3: Create Bucket drop down list is populated correctly.
[23934] Encrypting files with an AES algorithm works as expected.
[23935] Browser Registry Connection Profile Log File Option works as expected.
[23936] 'Split File' activity preserves the destination and works as expected when importing from v8 and v10 to v11.
[23937] Azure Storage Timeout values work as expected in v11.
[23958] Fixed SQL Server cpu usage when querying the Instances table.
[23959] Fixed CPU/memory/thread count issue when querying workflows/lists from an API.
[23966] Importing types from web services will not cause a circular dependency error.
[23974] Moving the scroll viewer in Management Console Constants page with a large number of constants will not lead to a slow down.
[24006] In Task Builder, stopping a Start Task subtask will stop the entire parent task as well.
[24025] SQL Server will not run into deadlocks in the instances and execution event tables.
[24087] In the 'Web Browser > Set Value' activity, the user is now able to successfully set Interaction to "text" when the "Locate by attributes" option is selected.
[24092] The FTP Logon step description correctly identifies the set proxy type.
[24095] The FTP Logon step from v8 will now import certificate sources correctly.
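Items [23861] (parameterised SQL) and [23862] (LdapFilterEncode / LdapDistinguishedNameEncode) above are one-line fix notes. The added example below is not Automate's code and assumes only the escaping rules of RFC 4515 (search filters) and RFC 4514 (distinguished names); it shows what the LDAP half of that fix amounts to: the raw-concatenation pattern beside the escaped one, run over a constructed input that tries to close the filter term and match every entry. The helper and buffer names are the example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Escape a value for use inside an LDAP search filter (RFC 4515):
 * '(' ')' '*' and '\' become "\XX" hex escapes, so user input can never close
 * the current filter term or open a new one. Returns bytes written, or -1
 * if `out` is too small. (A NUL cannot occur inside a C string, so it is not handled.) */
long ldap_filter_escape(const char *in, char *out, size_t out_len)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        if (*p == '(' || *p == ')' || *p == '*' || *p == '\\') {
            if (o + 3 >= out_len) return -1;
            out[o++] = '\\';
            out[o++] = hex[*p >> 4];
            out[o++] = hex[*p & 0x0F];
        } else {
            if (o + 1 >= out_len) return -1;
            out[o++] = (char)*p;
        }
    }
    out[o] = '\0';
    return (long)o;
}

/* Escape an attribute value for use in a distinguished name (RFC 4514):
 * ',' '+' '"' '\' '<' '>' ';' anywhere, '#' or space at the start, and a
 * trailing space are prefixed with a backslash. */
long ldap_dn_escape(const char *in, char *out, size_t out_len)
{
    size_t o = 0, n = strlen(in);
    for (size_t i = 0; i < n; i++) {
        char c = in[i];
        int special = strchr(",+\"\\<>;", c) != NULL
                   || (i == 0 && (c == '#' || c == ' '))
                   || (i == n - 1 && c == ' ');
        if (o + (special ? 2 : 1) >= out_len) return -1;
        if (special) out[o++] = '\\';
        out[o++] = c;
    }
    out[o] = '\0';
    return (long)o;
}

/* The pattern the fix replaces: raw concatenation of user input into "(uid=%s)". */
const char *demo_unsafe_filter(const char *user)
{
    static char buf[256];
    snprintf(buf, sizeof buf, "(uid=%s)", user);
    return buf;
}

/* Hardened version: the value is escaped before it is placed in the filter. */
const char *demo_safe_filter(const char *user)
{
    static char buf[256], esc[256];
    if (ldap_filter_escape(user, esc, sizeof esc) < 0) return "";
    snprintf(buf, sizeof buf, "(uid=%s)", esc);
    return buf;
}

/* Same idea for a DN component built from user-controlled data. */
const char *demo_dn(const char *cn)
{
    static char buf[256], esc[256];
    if (ldap_dn_escape(cn, esc, sizeof esc) < 0) return "";
    snprintf(buf, sizeof buf, "cn=%s,ou=people", esc);
    return buf;
}

int main(void)
{
    /* Constructed attacker input: tries to turn "(uid=...)" into a filter matching everyone. */
    const char *user = "*)(objectClass=*";
    printf("unsafe: %s\n", demo_unsafe_filter(user));   /* (uid=*)(objectClass=*) */
    printf("safe:   %s\n", demo_safe_filter(user));     /* (uid=\2a\29\28objectClass=\2a) */
    printf("dn:     %s\n", demo_dn("Smith, John"));     /* cn=Smith\, John,ou=people */
    return 0;
}
```

The SQL half of the same change log entry follows the identical principle: the value travels as a bound parameter, never as part of the statement text, so no escaping routine is needed there at all.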