📄 747.html
字号:
uchar *pMap; /* 0x2a4 ptr to MemoryMap array */<br />
DWORD dwInDebugger; /* 0x2a8 !0 when in debugger */<br />
PTHREAD pCurFPUOwner; /* 0x2ac current FPU owner */<br />
PPROCESS pCpuASIDPrc; /* 0x2b0 current ASID proc */<br />
long nMemForPT; /* 0x2b4 - Memory used for PageTables */<br />
<br />
long alPad[18]; /* 0x2b8 - padding */<br />
DWORD aInfo[32]; /* 0x300 - misc. kernel info */<br />
// PUBLIC/COMMON/OAK/INC/pkfuncs.h<br />
0x300 KINX_PROCARRAY address of process array<br />
0x304 KINX_PAGESIZE system page size<br />
0x308 KINX_PFN_SHIFT shift for page # in PTE<br />
0x30c KINX_PFN_MASK mask for page # in PTE<br />
0x310 KINX_PAGEFREE # of free physical pages<br />
0x314 KINX_SYSPAGES # of pages used by kernel<br />
0x318 KINX_KHEAP ptr to kernel heap array<br />
0x31c KINX_SECTIONS ptr to SectionTable array<br />
0x320 KINX_MEMINFO ptr to system MemoryInfo struct<br />
0x324 KINX_MODULES ptr to module list<br />
0x328 KINX_DLL_LOW lower bound of DLL shared space<br />
0x32c KINX_NUMPAGES total # of RAM pages<br />
0x330 KINX_PTOC ptr to ROM table of contents<br />
0x334 KINX_KDATA_ADDR kernel mode version of KData<br />
0x338 KINX_GWESHEAPINFO Current amount of gwes heap in use<br />
0x33c KINX_TIMEZONEBIAS Fast timezone bias info<br />
0x340 KINX_PENDEVENTS bit mask for pending interrupt events<br />
0x344 KINX_KERNRESERVE number of kernel reserved pages<br />
0x348 KINX_API_MASK bit mask for registered api sets<br />
0x34c KINX_NLS_CP hiword OEM code page, loword ANSI code page<br />
0x350 KINX_NLS_SYSLOC Default System locale<br />
0x354 KINX_NLS_USERLOC Default User locale<br />
0x358 KINX_HEAP_WASTE Kernel heap wasted space<br />
0x35c KINX_DEBUGGER For use by debugger for protocol communication<br />
0x360 KINX_APISETS APIset pointers<br />
0x364 KINX_MINPAGEFREE water mark of the minimum number of free pages<br />
0x368 KINX_CELOGSTATUS CeLog status flags<br />
0x36c KINX_NKSECTION Address of NKSection<br />
0x370 KINX_PWR_EVTS Events to be set after power on<br />
0x37c KINX_NKSIG last entry of KINFO -- signature when NK is ready<br />
<br />
/* 0x380 - interlocked api code */<br />
/* 0x400 - end */<br />
}<br />
<br />
Win32下可以通过PEB结构定位kernel32.dll的基址,然后通过PE文件结构查找Windows API。在Windows CE下,coredll.dll的作用相当于Win32的kernel32.dll,由于KDataStruct结构开始于0xFFFFC800,偏移0x324的aInfo[KINX_MODULES]是一个指向模块链表的指针,通过这个链表能否找到coredll.dll模块呢?让我们来看一下模块的结构:<br />
<br />
// PRIVATE/WINCEOS/COREOS/NK/INC/kernel.h<br />
typedef struct Module {<br />
LPVOID lpSelf; /* 0x00 Self pointer for validation */<br />
PMODULE pMod; /* 0x04 Next module in chain */<br />
LPWSTR lpszModName; /* 0x08 Module name */<br />
DWORD inuse; /* 0x0c Bit vector of use */<br />
DWORD calledfunc; /* 0x10 Called entry but not exit */<br />
WORD refcnt[MAX_PROCESSES]; /* 0x14 Reference count per process*/<br />
LPVOID BasePtr; /* 0x54 Base pointer of dll load (not 0 based) */<br />
DWORD DbgFlags; /* 0x58 Debug flags */<br />
LPDBGPARAM ZonePtr; /* 0x5c Debug zone pointer */<br />
ulong startip; /* 0x60 0 based entrypoint */<br />
openexe_t oe; /* 0x64 Pointer to executable file handle */<br />
typedef struct openexe_t {<br />
union {<br />
int hppfs; // ppfs handle<br />
HANDLE hf; // object store handle<br />
TOCentry *tocptr; // rom entry pointer<br />
}; // 0x64<br />
BYTE filetype; // 0x68<br />
BYTE bIsOID; // 0x69<br />
WORD pagemode; // 0x6a<br />
union {<br />
DWORD offset;<br />
DWORD dwExtRomAttrib;<br />
}; // 0x6c<br />
union {<br />
Name *lpName;<br />
CEOID ceOid;<br />
}; // 0x70<br />
} openexe_t;<br />
e32_lite e32; /* 0x74 E32 header */<br />
// PUBLIC/COMMON/OAK/INC/pehdr.h<br />
typedef struct e32_lite { /* PE 32-bit .EXE header */<br />
unsigned short e32_objcnt; /* 0x74 Number of memory objects */<br />
BYTE e32_cevermajor; /* 0x76 version of CE built for */<br />
BYTE e32_ceverminor; /* 0x77 version of CE built for */<br />
unsigned long e32_stackmax; /* 0x78 Maximum stack size */<br />
unsigned long e32_vbase; /* 0x7c Virtual base address of module */<br />
unsigned long e32_vsize; /* 0x80 Virtual size of the entire image */<br />
unsigned long e32_sect14rva; /* 0x84 section 14 rva */<br />
unsigned long e32_sect14size; /* 0x88 section 14 size */<br />
struct info e32_unit[LITE_EXTRA]; /* 0x8c Array of extra info units */<br />
struct info { /* Extra information header block */<br />
unsigned long rva; /* Virtual relative address of info */<br />
unsigned long size; /* Size of information block */<br />
}<br />
0x8c EXP Export table position <br />
0x94 IMP Import table position <br />
0x9c RES Resource table position <br />
0xa4 EXC Exception table position <br />
0xac SEC Security table position <br />
0xb4 FIX Fixup table position <br />
} e32_lite, *LPe32_list;<br />
<br />
o32_lite *o32_ptr; /* 0xbc O32 chain ptr */<br />
DWORD dwNoNotify; /* 0xc0 1 bit per process, set if notifications disabled */<br />
WORD wFlags; // 0xc4<br />
BYTE bTrustLevel; // 0xc6<br />
BYTE bPadding; // 0xc7<br />
PMODULE pmodResource; /* 0xc8 module that contains the resources */<br />
DWORD rwLow; /* 0xcc base address of RW section for ROM DLL */<br />
DWORD rwHigh; /* 0xd0 high address RW section for ROM DLL */<br />
PGPOOL_Q pgqueue; /* 0xcc list of the page owned by the module */<br />
typedef struct _PGPOOL_Q {<br />
WORD idxHead; /* head of the queue */<br />
WORD idxTail; /* tail of the queue */<br />
} PGPOOL_Q, *PPGPOOL_Q;<br />
} Module;<br />
<br />
模块结构偏移0x08是指向模块名字的指针,偏移0x04指向链表里的下一个模块,通过这个模块名字可以在模块链表里找到我们需要的coredll.dll。而偏移0x7c就是该模块的虚拟基址,偏移0x8c是导出表的相对地址。Windows CE使用的PE结构和Win32是一样,那么有写Win32 shellcode经验的朋友自然会想着从coredll.dll的基址按照PE结构顺藤摸瓜来搜索函数地址。但是我们用EVC实际调试时发现coredll.dll找到的基址是0x01F60000,而这个地址的内存是没有分配的(调试器里都是问号),可以访问的地址是从0x01F61000,这和IDAPro反汇编coredll.dll(从rom文件中dump出来,wince下系统在使用的文件连读的权限都没有)出的起始地址一样。Windows CE可能为了节省内存,没有加载文件最开始的0x1000字节头结构。不过没有关系,因为我们已经从模块结构得到该模块的导出表相对地址,直接从导出表就可以查找函数地址了。<br />
<br />
--[ 3. Windows CE演示实例<br />
<br />
Ratter/29A的WinCE4.Dust代码可能是为了减少体积,他给出的方法是把要搜索函数的序数索引硬编码到程序里,然后根据导出表的地址定位导出地址表,再用硬编码的序数索引来算出函数地址。这种方法让人感觉挺别扭的,虽然代码减少了,可是通用性可能会打折扣,象编写Win32 shellcode一样通过函数名来搜索的方法可能更通用一些。下面的代码就是实现这样的功能。<br />
<br />
; armasm test.asm<br />
; link /MACHINE:ARM /SUBSYSTEM:WINDOWSCE test.obj <br />
<br />
CODE32<br />
<br />
EXPORT WinMainCRTStartup<br />
<br />
AREA .text, CODE, ARM<br />
<br />
test_start<br />
<br />
; r11 - base pointer<br />
test_code_start PROC<br />
stmdb sp!, {r0 - r12, lr, pc}<br />
<br />
bl get_export_section<br />
adr r2, mb<br />
bl lookup_imports<br />
<br />
mov r0, #0<br />
adr r1, text<br />
adr r2, text<br />
mov r3, #0 ; MB_OK<br />
mov lr, pc<br />
mov pc, r9 ; MessageBoxW<br />
<br />
bl get_export_section<br />
adr r2, tp<br />
bl lookup_imports<br />
<br />
mov r0, #-1<br />
mov r1, #0<br />
mov lr, pc<br />
mov pc, r9<br />
<br />
; basic wide string compare<br />
wstrcmp PROC<br />
wstrcmp_iterate<br />
ldrh r2, [r0], #2<br />
ldrh r3, [r1], #2<br />
<br />
cmp r2, #0<br />
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -