Cobaltstrike —— shellcode分析(一)

前言

搞iot搞久了,换个方向看看,改改口味。所以决定分析一下Cobaltstrike —— shellcode,顺便还可以提高一下逆向能力。

windows 常见结构体

在分析Cobaltstrike-shellcode之前我们得先了解一下windows下一些常见的结构体。

X86

Thread Environment Block 线程环境块 —— TEB

x86 下 FS 段寄存器的基址就是当前线程的 TEB,因此 fs:[偏移] 可以直接读到 TEB 的对应成员(例如 fs:[0x30] 读到的就是下面的 Peb 指针)。结构如下:

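/*
 * x86 Thread Environment Block (TEB).
 * On 32-bit Windows the FS segment base is the TEB, so fs:[N] reads the
 * member at offset N; fs:[0x30] yields the PEB pointer (Peb below).
 * Offsets are for the 32-bit layout (4-byte PVOID/ULONG/LONG).
 * Members between GdiTebBatch and ReservedForOle were elided in the
 * original listing; offsets after the gap are copied from it and cannot be
 * re-derived from this text.
 */
typedef struct _NT_TEB {
    NT_TIB Tib;                         // 0x000
    PVOID EnvironmentPointer;           // 0x01C
    CLIENT_ID Cid;                      // 0x020
    PVOID ActiveRpcInfo;                // 0x028
    PVOID ThreadLocalStoragePointer;    // 0x02C
    PPEB Peb;                           // 0x030  <-- Process Environment Block (fs:[0x30])
    ULONG LastErrorValue;               // 0x034
    ULONG CountOfOwnedCriticalSections; // 0x038
    PVOID CsrClientThread;              // 0x03C
    PVOID Win32ThreadInfo;              // 0x040
    ULONG Win32ClientInfo[0x1F];        // 0x044  (0x1F * 4 = 0x7C bytes -> next member at 0xC0)
    PVOID WOW32Reserved;                // 0x0C0
    ULONG CurrentLocale;                // 0x0C4
    ULONG FpSoftwareStatusRegister;     // 0x0C8
    PVOID SystemReserved1[0x36];        // 0x0CC  (0x36 * 4 = 0xD8 bytes -> next member at 0x1A4)
    PVOID Spare1;                       // 0x1A4
    LONG ExceptionCode;                 // 0x1A8
    UCHAR SpareBytes1[0x28];            // 0x1AC  fixed: listed as ULONG, but only a 0x28-byte array puts the next member at 0x1D4
    PVOID SystemReserved2[0xA];         // 0x1D4  (0xA * 4 = 0x28 bytes -> next member at 0x1FC)
    GDI_TEB_BATCH GdiTebBatch;          // 0x1FC
    /* ... members between 0x1FC and 0xF80 omitted in the original listing ... */
    PVOID ReservedForOle;               // 0xF80
    ULONG WaitingOnLoaderLock;          // 0xF84
    PVOID StackCommit;                  // 0xF88
    PVOID StackCommitMax;               // 0xF8C
    PVOID StackReserve;                 // 0xF90
    PVOID MessageQueue;                 // ???  (offset not given in the original listing)
};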
Process Environment Block 进程环境块 —— PEB

位于 TEB 偏移 0x30 处(即 fs:[0x30]),结构如下:

/*
 * x86 Process Environment Block (PEB), reached from the TEB at offset 0x30
 * (fs:[0x30] on 32-bit Windows). Offsets are for the 32-bit layout
 * (4-byte PVOID/ULONG). For walking loaded modules the member that matters
 * is Ldr (0x0C), the pointer to the process's module lists.
 */
typedef struct _PEB {
    UCHAR InheritedAddressSpace;                     // 0x00
    UCHAR ReadImageFileExecOptions;                  // 0x01
    UCHAR BeingDebugged;                             // 0x02
    UCHAR Spare;                                     // 0x03
    PVOID Mutant;                                    // 0x04
    PVOID ImageBaseAddress;                          // 0x08
    PPEB_LDR_DATA Ldr;                               // 0x0C  <-- points to _PEB_LDR_DATA (the process's loaded-module lists)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;  // 0x10
    PVOID SubSystemData;                             // 0x14
    PVOID ProcessHeap;                               // 0x18
    PVOID FastPebLock;                               // 0x1C
    PPEBLOCKROUTINE FastPebLockRoutine;              // 0x20
    PPEBLOCKROUTINE FastPebUnlockRoutine;            // 0x24
    ULONG EnvironmentUpdateCount;                    // 0x28
    PVOID* KernelCallbackTable;                      // 0x2C
    PVOID EventLogSection;                           // 0x30
    PVOID EventLog;                                  // 0x34
    PPEB_FREE_BLOCK FreeList;                        // 0x38
    ULONG TlsExpansionCounter;                       // 0x3C
    PVOID TlsBitmap;                                 // 0x40
    ULONG TlsBitmapBits[0x2];                        // 0x44  (8 bytes -> next member at 0x4C)
    PVOID ReadOnlySharedMemoryBase;                  // 0x4C
    PVOID ReadOnlySharedMemoryHeap;                  // 0x50
    PVOID* ReadOnlyStaticServerData;                 // 0x54
    PVOID AnsiCodePageData;                          // 0x58
    PVOID OemCodePageData;                           // 0x5C
    PVOID UnicodeCaseTableData;                      // 0x60
    ULONG NumberOfProcessors;                        // 0x64
    ULONG NtGlobalFlag;                              // 0x68
    UCHAR Spare2[0x4];                               // 0x6C
    LARGE_INTEGER CriticalSectionTimeout;            // 0x70  (8 bytes)
    ULONG HeapSegmentReserve;                        // 0x78
    ULONG HeapSegmentCommit;                         // 0x7C
    ULONG HeapDeCommitTotalFreeThreshold;            // 0x80
    ULONG HeapDeCommitFreeBlockThreshold;            // 0x84
    ULONG NumberOfHeaps;                             // 0x88
    ULONG MaximumNumberOfHeaps;                      // 0x8C
    PVOID** ProcessHeaps;                            // 0x90
    PVOID GdiSharedHandleTable;                      // 0x94
    PVOID ProcessStarterHelper;                      // 0x98
    PVOID GdiDCAttributeList;                        // 0x9C
    PVOID LoaderLock;                                // 0xA0
    ULONG OSMajorVersion;                            // 0xA4
    ULONG OSMinorVersion;                            // 0xA8
    ULONG OSBuildNumber;                             // 0xAC
    ULONG OSPlatformId;                              // 0xB0
    ULONG ImageSubSystem;                            // 0xB4
    ULONG ImageSubSystemMajorVersion;                // 0xB8
    ULONG ImageSubSystemMinorVersion;                // 0xC0 in the original listing, but 0xB8 + 4 is 0xBC -- NOTE(review): either a member is missing here or the offset is wrong; verify against the target build
    ULONG GdiHandleBuffer[0x22];                     // 0xC4
    PVOID ProcessWindowStation;                      // ???  (offset not given in the original listing)
}
_PEB_LDR_DATA 结构体

位于 PEB 偏移 0x0C 处,结构如下:

/*
 * PEB_LDR_DATA, reached from the PEB at offset 0x0C. Holds the heads of the
 * three doubly linked module lists; each head's Flink points at the matching
 * LIST_ENTRY field embedded in an _LDR_DATA_TABLE_ENTRY, not at the entry's
 * start. The lists are circular: a traversal is finished when Flink comes
 * back to the head inside this struct. Offsets are for the 32-bit layout
 * (LIST_ENTRY = 8 bytes).
 */
typedef struct _PEB_LDR_DATA {
    ULONG Length;                                // +0x00
    BOOLEAN Initialized;                         // +0x04
    PVOID SsHandle;                              // +0x08
    LIST_ENTRY InLoadOrderModuleList;            // +0x0C  modules in load order
    LIST_ENTRY InMemoryOrderModuleList;          // +0x14  modules in their order in memory
    LIST_ENTRY InInitializationOrderModuleList;  // +0x1C  modules in initialization order
} PEB_LDR_DATA, *PPEB_LDR_DATA;                  // sizeof == 0x24

_LIST_ENTRY 结构体如下

/*
 * Generic doubly linked list link. Windows embeds it inside the structure
 * being linked, so a pointer to a link must be converted back to the
 * containing structure by subtracting the link field's offset (what the
 * CONTAINING_RECORD macro does). 8 bytes on x86 (two 4-byte pointers).
 */
typedef struct _LIST_ENTRY {
    struct _LIST_ENTRY *Flink;  // next link
    struct _LIST_ENTRY *Blink;  // previous link
} LIST_ENTRY, *PLIST_ENTRY, *RESTRICTED_POINTER PRLIST_ENTRY;

三个双向链表头(LIST_ENTRY)的 Flink 分别指向 _LDR_DATA_TABLE_ENTRY 中对应的 LIST_ENTRY 成员,而不是结构体的起始位置。x86 下 InLoadOrderLinks 位于结构体偏移 0x0,InMemoryOrderLinks 位于偏移 0x8,InInitializationOrderLinks 位于偏移 0x10。例如 InMemoryOrderModuleList.Flink 指向第一个模块的 _LDR_DATA_TABLE_ENTRY + 0x8,要得到结构体起始地址需要再减去 0x8(即 CONTAINING_RECORD 的做法)。另外链表是环形的,链表头就在 PEB_LDR_DATA 里,遍历时 Flink 回到链表头即应结束,否则会把 PEB_LDR_DATA 本身当成模块项来读。

_LDR_DATA_TABLE_ENTRY 结构体

结构如下:

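/*
 * One entry per loaded module, linked into the three PEB_LDR_DATA lists.
 * The original listing declared the links as LIST_ENTRY64 (16 bytes) while
 * annotating InMemoryOrderLinks at 0x8, and its later offsets matched neither
 * x86 nor x64. This is the 32-bit layout (LIST_ENTRY = 8 bytes, PVOID = 4,
 * UNICODE_STRING = 8, ULONG = 4) that agrees with the x86 section of this
 * page and with the "+0x8" note on InMemoryOrderModuleList above.
 * Offsets are given up to TlsIndex; the remaining members are kept as in the
 * original listing without offsets.
 */
typedef struct _LDR_DATA_TABLE_ENTRY {
    LIST_ENTRY     InLoadOrderLinks;            // 0x00  InLoadOrderModuleList links here
    LIST_ENTRY     InMemoryOrderLinks;          // 0x08  InMemoryOrderModuleList links here
    LIST_ENTRY     InInitializationOrderLinks;  // 0x10  InInitializationOrderModuleList links here
    PVOID          DllBase;                     // 0x18  image base of the module
    PVOID          EntryPoint;                  // 0x1C
    ULONG          SizeOfImage;                 // 0x20
    UNICODE_STRING FullDllName;                 // 0x24  full path
    UNICODE_STRING BaseDllName;                 // 0x2C  file name only
    ULONG          Flags;                       // 0x34
    USHORT         LoadCount;                   // 0x38
    USHORT         TlsIndex;                    // 0x3A
    PVOID          SectionPointer;
    ULONG          CheckSum;
    PVOID          LoadedImports;               // spelled "LoadeImports" in the original listing
    PVOID          EntryPointActivationContext;
    PVOID          PatchInformation;
    LIST_ENTRY     ForwarderLinks;
    LIST_ENTRY     ServiceTagLinks;
    LIST_ENTRY     StaticLinks;
    PVOID          ContextInformation;
    ULONG          OriginalBase;
    LARGE_INTEGER  LoadTime;
} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;  // pointer typedef was misspelled *_ENYRY in the original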

X86-64

X86-64 与 X86 大同小异,但成员偏移不同(64 位下 TEB 通过 gs 段访问,PEB 位于 gs:[0x60],PEB 中的 Ldr 位于偏移 0x18,LIST_ENTRY 为 16 字节),上面的 32 位偏移不能直接套用到 64 位。由于我们之后分析的是 32 位的程序,这里 X86-64 结构体我就先不介绍,等以后有机会碰到再补充。
