[ThreatBook (微步在线) report] Characteristics of Metasploit payloads
Obtaining function addresses
On Windows the payload resolves API addresses by walking the PEB; on Linux it uses syscall numbers directly. The Windows method is explained here.
In NT-kernel systems the fs register points to the TEB (the offsets below are for 32-bit processes). TEB+0x30 points to the PEB, and PEB+0x0c points to the PEB_LDR_DATA structure, which holds the linked list of DLLs loaded into the process. The payload walks this list, iterates over the function names in each DLL's export table, computes a hash of each name, and compares it with the hash passed in; when the two are equal, the function's address has been found.
Common function hashes
| DLL | Function | Hash | Bytes (little-endian) |
|---|---|---|---|
| kernel32.dll | LoadLibraryA | 0726774C | 4C 77 26 07 |
| kernel32.dll | VirtualAlloc | E553A458 | 58 A4 53 E5 |
| kernel32.dll | Sleep | E035F044 | 44 F0 35 E0 |
| kernel32.dll | VirtualFree | 300F2F0B | C2 DB 37 67 |
| kernel32.dll | CreateFileA | 4FDAF6DA | DA F6 DA 4F |
| kernel32.dll | ReadFile | BB5F9EAD | AD 9E 5F BB |
| wininet.dll | InternetOpenA | A779563A | 3A 56 79 A7 |
| wininet.dll | InternetConnectA | C69F8957 | 57 89 9F C6 |
| wininet.dll | HttpOpenRequestA | 3B2E55EB | EB 55 2E 3B |
| wininet.dll | HttpSendRequestA | 7B18062D | 2D 06 18 7B |
| wininet.dll | InternetReadFile | E2899612 | 12 96 89 E2 |
| wininet.dll | InternetSetOptionA | 869E4675 | 75 46 9E 86 |
| crypt32.dll | CertGetCertificateContextProperty | C3A96E2D | 2D 6E A9 C3 |
| ws2_32.dll | WSAStartup | 006B8029 | 29 80 6B 00 |
| ws2_32.dll | WSASocketA | E0DF0FEA | EA 0F DF E0 |
| ws2_32.dll | connect | 6174A599 | 99 A5 74 61 |
| ws2_32.dll | recv | 5FC8D902 | 02 D9 C8 5F |
| ws2_32.dll | bind | 6737DBC2 | C2 DB 37 67 |
| ws2_32.dll | closesocket | 614D6E75 | 75 6E 4D 61 |
| ws2_32.dll | send | 5F38EBC2 | C2 EB 38 5F |
| ws2_32.dll | gethostbyname | 803428A9 | A9 28 34 80 |
| winhttp.dll | WinHttpOpen | BB9D1F04 | 04 1F 9D BB |
| winhttp.dll | WinHttpConnect | C21E9B46 | 46 9B 1E C2 |
| winhttp.dll | WinHttpOpenRequest | 5BB31098 | 98 10 B3 5B |
| winhttp.dll | WinHttpSendRequest | 91BB5895 | 95 58 BB 91 |
| winhttp.dll | WinHttpGetIEProxyConfigForCurrentUser | 600BA721 | 21 A7 0B 60 |
| winhttp.dll | WinHttpReadData | 7E24296C | 6C 29 24 7E |
| winhttp.dll | WinHttpSetCredentials | CEA829DD | DD 29 A8 CE |
| winhttp.dll | WinHttpQueryOption | 272F0478 | 78 04 2F 27 |
| winhttp.dll | WinHttpReceiveResponse | 709D8805 | 05 88 9D 70 |
| winhttp.dll | WinHttpGetProxyForUrl | 49EADDDA | DA DD EA 49 |
| winhttp.dll | WinHttpSetOption | CE9D58D3 | D3 58 9D CE |
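The hashes in the table above come from Metasploit's block_api routine: a rotate-right-by-13-and-add over the uppercased UTF-16LE module name (terminator included) plus the same over the ASCII function name, summed modulo 2^32. The following is an added example, not code from the report, that reproduces those values and then uses them the way an analyst would: mapping hash constants found in a payload blob back to the API they name. KNOWN_APIS, build_table, find_api_hashes and the SAMPLE bytes are this example's own constructions.

```python
import struct

MASK32 = 0xFFFFFFFF

def ror32(value, bits):
    """Rotate a 32-bit value right by `bits` bit positions."""
    value &= MASK32
    return ((value >> bits) | (value << (32 - bits))) & MASK32

def api_hash(module, function, bits=13):
    """Metasploit block_api hash: ror13-add over the uppercase UTF-16LE module
    name (terminator included, since the PEB walk reads MaximumLength bytes)
    plus ror13-add over the ASCII function name (NUL included), summed mod 2^32."""
    h_mod = 0
    for b in (module.upper() + "\x00").encode("utf-16-le"):
        h_mod = (ror32(h_mod, bits) + b) & MASK32
    h_fn = 0
    for b in (function + "\x00").encode("ascii"):
        h_fn = (ror32(h_fn, bits) + b) & MASK32
    return (h_mod + h_fn) & MASK32

# Subset of the table above; extend with any module/function pair of interest.
KNOWN_APIS = [
    ("kernel32.dll", "LoadLibraryA"), ("kernel32.dll", "VirtualAlloc"),
    ("wininet.dll", "InternetOpenA"), ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "connect"), ("ws2_32.dll", "recv"),
]

def build_table(apis=KNOWN_APIS):
    """Map each 32-bit hash back to the (module, function) it was derived from."""
    return {api_hash(m, f): (m, f) for m, f in apis}

def find_api_hashes(blob, table=None):
    """Return (offset, (module, function)) for every 4-byte window of `blob`
    holding a known hash in little-endian form, e.g. the immediate of the
    `push imm32` that precedes a `call ebp` into block_api."""
    table = table if table is not None else build_table()
    hits = []
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in table:
            hits.append((off, table[value]))
    return hits

# Constructed sample, not a real payload: two `push imm32; call ebp` stubs.
SAMPLE = (b"\x68" + struct.pack("<I", 0x0726774C) + b"\xff\xd5"
          + b"\x68" + struct.pack("<I", 0x6174A599) + b"\xff\xd5")

if __name__ == "__main__":
    for off, (mod, fn) in find_api_hashes(SAMPLE):
        print(f"offset {off:#04x}: {mod}!{fn}")
```

Because the hash depends only on the names, the same function can build a full hash-to-API lookup for any DLL export list offline, which is what a YARA rule or triage script needs when labelling the constants in a captured stager.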
