среда, 7 августа 2013 г.

how to find ntdll!LdrpHashTable

Old article (warning - it is written in French and has eye-breaking font) describes a good idea of loaded modules cross-scaning using LdrpHashTable. But Ivanlef0u did not show how you can find address of LdrpHashTable with static analysis
It seems that this is not easy task - xrefs to LdrpHashTable are not inside exported functions and they called too deeply from nearest export:
  • LdrpResolveDllName
  • LdrpFindLoadedDllByName
  • LdrpInsertDataTableEntry
so ordinary code-flow graph analysis is very difficult. But actually there is more easy way to find address of LdrpHashTable
Lets check function LdrpFindLoadedDllByName (code was taken from windows 8.1 preview):
  call    _RtlHashUnicodeString@16 
  mov     edx, [ebp+var_8]
  mov     eax, edx
  and     eax, 1Fh
  mov     [ebp+var_14], STATUS_DLL_NOT_FOUND
  cmp     _LdrInitState, 3
  lea     eax, _LdrpHashTable[eax*8]

Here is first calculated hash of the name of the module and then it is taken the only 5 bits and used as index in LdrpHashTable. So we can just find all calls to RtlHashUnicodeString, next instruction "and reg, 0x1f" and next check for instruction "lea reg, [mem + reg * 8]"

The main problem here is that under different versions of windows you must find calls to different exported functions - under w8/w.1 RtlHashUnicodeString, under w7 - ZwQuerySection, and on more old windows - RtlUpcaseUnicodeChar

Комментариев нет:

Отправить комментарий