Locating Win32 Functions

To recap, in the first two shellcoding posts we located EIP/RIP and located the base address of kernel32.dll. In this post we will locate Microsoft Win32 API functions by name. The ability to locate specific functions will allow us to perform virtually any task required to gain a shell.

Locating the Image Export Directory Structure

To locate the addresses of the APIs needed our shellcode must loop through the named functions in the IMAGE_EXPORT_DIRECTORY of a DLL. In this instance the kernel32.dll is going to be searched to locate the desired APIs. The IMAGE_EXPORT_DIRECTORY structure is defined in the winnt.h header file as follows:

typedef struct _IMAGE_EXPORT_DIRECTORY {
    DWORD   Characteristics;
    DWORD   TimeDateStamp;
    WORD    MajorVersion;
    WORD    MinorVersion;
    DWORD   Name;
    DWORD   Base;
    DWORD   NumberOfFunctions;
    DWORD   NumberOfNames;
    DWORD   AddressOfFunctions;     // RVA from base of image
    DWORD   AddressOfNames;         // RVA from base of image
    DWORD   AddressOfNameOrdinals;  // RVA from base of image
} IMAGE_EXPORT_DIRECTORY, *PIMAGE_EXPORT_DIRECTORY;

Locating the Export Table

The first task that must be completed before the IMAGE_EXPORT_DIRECTORY structure can be searched for the APIs is to locate it. To do this, the shellcode uses the following instructions. For the purposes of this blog post we will assume that the base address of kernel32.dll is stored in the EBX register:

push ebx                        ; Preserve EBX (kernel32.dll base address)
mov ebp, [esp]                  ; ebp = DLL base address
mov eax, [ebp + 0x3c]           ; eax = e_lfanew, offset of the PE header
mov edx, [ebp + eax * 1 + 0x78] ; edx = RVA of the export directory (data directory entry 0, PE32)
add edx, ebp                    ; edx = absolute address of IMAGE_EXPORT_DIRECTORY
  1. The shellcode begins by preserving the EBX register so that it can be restored later.
  2. Next the PE header is located: the DWORD at offset 0x3C (60) bytes from the base address of the DLL (e_lfanew) holds the offset of the PE header.
  3. Next the RVA of the IMAGE_EXPORT_DIRECTORY is read from offset 0x78 (120) bytes past the start of the PE header and added to the base address of the DLL to produce its absolute address.

NOTE: To view the whole PE file structure, check out the excellent image included in Wikipedia’s Portable Executable article: https://en.wikipedia.org/wiki/Portable_Executable
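To make the walk concrete from an analyst's side, here is an added Python example (not code from the original post) that performs the same three steps as the assembly above and then reads the IMAGE_EXPORT_DIRECTORY tables to map export names to their RVAs. It runs against a constructed, in-memory PE32 image so it works offline; the image assumes RVA == offset (i.e. the DLL is already mapped, which is what the shellcode sees), the export names are real kernel32.dll export names chosen only for realism, and every offset and function RVA in the sample image is made up. It goes one step beyond the post by including an ordinal-only export, to show that AddressOfNameOrdinals holds a 0-based index into AddressOfFunctions rather than a Base-relative ordinal.

```python
"""Walk a PE32 export directory the way the shellcode does (added example)."""
import struct

# IMAGE_EXPORT_DIRECTORY from winnt.h: 2 DWORD, 2 WORD, 7 DWORD = 40 bytes.
EXPORT_DIR_FMT = "<IIHHIIIIIII"
EXPORT_DIR_SIZE = struct.calcsize(EXPORT_DIR_FMT)  # 40


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def cstring(img, off):
    return img[off:img.index(b"\0", off)].decode("ascii")


def export_directory_rva(img):
    """Mirror of the shellcode: base+0x3C -> PE header; PE+0x78 -> export RVA.

    Assumes a PE32 image mapped so that RVA == offset into `img`.
    (PE32+ keeps the same data directory entry at PE+0x88 instead.)
    """
    if img[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = u32(img, 0x3C)                      # e_lfanew
    if img[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    if u16(img, pe + 0x18) != 0x10B:         # IMAGE_OPTIONAL_HEADER.Magic
        raise ValueError("example handles PE32 (32-bit) images only")
    return u32(img, pe + 0x78)               # DataDirectory[EXPORT].VirtualAddress


def parse_exports(img):
    """Return {name: rva} for every named export by walking the three tables."""
    exp = export_directory_rva(img)
    (_chars, _stamp, _maj, _min, _name, _base, n_funcs, n_names,
     addr_funcs, addr_names, addr_ords) = struct.unpack_from(EXPORT_DIR_FMT, img, exp)
    out = {}
    for i in range(n_names):
        name = cstring(img, u32(img, addr_names + 4 * i))
        # The "ordinal" table is a 0-based index into AddressOfFunctions;
        # Base is only added when presenting the ordinal number to a human.
        idx = u16(img, addr_ords + 2 * i)
        if idx >= n_funcs:
            raise ValueError("name %r points outside AddressOfFunctions" % name)
        out[name] = u32(img, addr_funcs + 4 * idx)
    return out


def resolve(img, wanted):
    """RVA of `wanted`; the shellcode adds the DLL base (EBP) to this value."""
    return parse_exports(img)[wanted]


def build_sample_image():
    """Constructed PE32 image: DOS header at 0, PE header at 0x80, exports at 0x200."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, pe + 4, 0x14C, 0)          # Machine = i386, 0 sections
    struct.pack_into("<H", img, pe + 0x14, 0xE0)            # SizeOfOptionalHeader
    struct.pack_into("<H", img, pe + 0x18, 0x10B)           # PE32 magic
    struct.pack_into("<II", img, pe + 0x78, 0x200, 0x200)   # export dir RVA and size
    # Four exports, three of them named; names are kept sorted as the loader
    # expects. Index 1 is an ordinal-only export with no name-table entry.
    func_rvas = [0x1000, 0x1010, 0x1020, 0x1030]            # made-up RVAs
    names = [("CloseHandle", 0), ("GetProcAddress", 2), ("LoadLibraryA", 3)]
    addr_funcs, addr_names, addr_ords, strtab = 0x300, 0x320, 0x340, 0x360
    struct.pack_into(EXPORT_DIR_FMT, img, 0x200, 0, 0, 0, 0, 0, 1,
                     len(func_rvas), len(names), addr_funcs, addr_names, addr_ords)
    for i, rva in enumerate(func_rvas):
        struct.pack_into("<I", img, addr_funcs + 4 * i, rva)
    cur = strtab
    for i, (name, idx) in enumerate(names):
        img[cur:cur + len(name) + 1] = name.encode() + b"\0"
        struct.pack_into("<I", img, addr_names + 4 * i, cur)
        struct.pack_into("<H", img, addr_ords + 2 * i, idx)
        cur += len(name) + 1
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for name, rva in sorted(parse_exports(image).items()):
        print("%-16s RVA 0x%x" % (name, rva))
```

Two caveats when running this against real input: a DLL read from disk is not mapped, so each RVA must first be translated to a file offset through the section table (the pefile library does this for you), and an export whose RVA falls inside the export data directory's own range is a forwarder string (for example to another DLL), not code, so a resolver should check for that case before treating the value as a function address.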


Figure 1: IMAGE_EXPORT_DIRECTORY Visualization
