More often than not, when writing shellcode for Windows or otherwise dealing with Windows internals, you need to retrieve the kernel32.dll base address. When GetModuleHandle is not available (i.e. you don't know/can't retrieve it's address), a very common way to retrieve the kernel32.dll base address is to use the structures provided in the Thread and Process contexts.
At any time in the execution of a process, the TEB (Thread Environment Block), is pointed to by the FS segment register. Using WinDBG and a sample process (calc.exe), let's take a look at what resides in the TEB:
The point of interest here is the ProcessEnvironmentBlock entry, because that's the structure that holds loader information. The PEB looks like this:
Next we look at Ldr:
The module lists named InLoadOrderModuleList, InMemoryOrderModuleList, and InInitializationOrderModuleList hold information about the modules utilized by the process. The type however is not _LIST_ENTRY, but _LDR_DATA_TABLE_ENTRY (you can check this on MSDN).
Let's see how _LDR_DATA_TABLE_ENTRY is defined:
We seek the DllBase entry value for the kernel32.dll module. As it happens, kernel32.dll is always the third module in the InMemoryOrderModuleList (if it wasn't we could still walk all the list and find it by the FullDllName or BaseDllName entry). Let's actually examine the concrete structures in memory. Our starting point will be the TEB, as discussed:
There we have it, DllBase = 0x75540000.
Shellcode:
We can retrieve the DllBase of kernel32.dll under x64 in the same way, except that some offsets will be different, because of larger pointer sizes. After getting the equivalent offsets under x64, we come up with:
Shellcode:
At any time in the execution of a process, the TEB (Thread Environment Block), is pointed to by the FS segment register. Using WinDBG and a sample process (calc.exe), let's take a look at what resides in the TEB:
0:000> dt _TEB ntdll!_TEB +0x000 NtTib : _NT_TIB +0x01c EnvironmentPointer : Ptr32 Void +0x020 ClientId : _CLIENT_ID +0x028 ActiveRpcHandle : Ptr32 Void +0x02c ThreadLocalStoragePointer : Ptr32 Void +0x030 ProcessEnvironmentBlock : Ptr32 _PEB +0x034 LastErrorValue : Uint4B +0x038 CountOfOwnedCriticalSections : Uint4B ...
The point of interest here is the ProcessEnvironmentBlock entry, because that's the structure that holds loader information. The PEB looks like this:
0:000> dt _PEB ntdll!_PEB +0x000 InheritedAddressSpace : UChar +0x001 ReadImageFileExecOptions : UChar +0x002 BeingDebugged : UChar +0x003 BitField : UChar +0x003 ImageUsesLargePages : Pos 0, 1 Bit +0x003 IsProtectedProcess : Pos 1, 1 Bit +0x003 IsLegacyProcess : Pos 2, 1 Bit +0x003 IsImageDynamicallyRelocated : Pos 3, 1 Bit +0x003 SkipPatchingUser32Forwarders : Pos 4, 1 Bit +0x003 SpareBits : Pos 5, 3 Bits +0x004 Mutant : Ptr32 Void +0x008 ImageBaseAddress : Ptr32 Void +0x00c Ldr : Ptr32 _PEB_LDR_DATA +0x010 ProcessParameters : Ptr32 _RTL_USER_PROCESS_PARAMETERS +0x014 SubSystemData : Ptr32 Void +0x018 ProcessHeap : Ptr32 Void ...
Next we look at Ldr:
0:000> dt _PEB_LDR_DATA ntdll!_PEB_LDR_DATA +0x000 Length : Uint4B +0x004 Initialized : UChar +0x008 SsHandle : Ptr32 Void +0x00c InLoadOrderModuleList : _LIST_ENTRY +0x014 InMemoryOrderModuleList : _LIST_ENTRY +0x01c InInitializationOrderModuleList : _LIST_ENTRY +0x024 EntryInProgress : Ptr32 Void +0x028 ShutdownInProgress : UChar +0x02c ShutdownThreadId : Ptr32 Void
The module lists named InLoadOrderModuleList, InMemoryOrderModuleList, and InInitializationOrderModuleList hold information about the modules utilized by the process. The type however is not _LIST_ENTRY, but _LDR_DATA_TABLE_ENTRY (you can check this on MSDN).
Let's see how _LDR_DATA_TABLE_ENTRY is defined:
0:000> dt _LDR_DATA_TABLE_ENTRY ntdll!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY +0x008 InMemoryOrderLinks : _LIST_ENTRY +0x010 InInitializationOrderLinks : _LIST_ENTRY +0x018 DllBase : Ptr32 Void +0x01c EntryPoint : Ptr32 Void +0x020 SizeOfImage : Uint4B +0x024 FullDllName : _UNICODE_STRING +0x02c BaseDllName : _UNICODE_STRING +0x034 Flags : Uint4B +0x038 LoadCount : Uint2B +0x03a TlsIndex : Uint2B +0x03c HashLinks : _LIST_ENTRY +0x03c SectionPointer : Ptr32 Void +0x040 CheckSum : Uint4B +0x044 TimeDateStamp : Uint4B +0x044 LoadedImports : Ptr32 Void +0x048 EntryPointActivationContext : Ptr32 _ACTIVATION_CONTEXT +0x04c PatchInformation : Ptr32 Void +0x050 ForwarderLinks : _LIST_ENTRY +0x058 ServiceTagLinks : _LIST_ENTRY +0x060 StaticLinks : _LIST_ENTRY +0x068 ContextInformation : Ptr32 Void +0x06c OriginalBase : Uint4B +0x070 LoadTime : _LARGE_INTEGER
We seek the DllBase entry value for the kernel32.dll module. As it happens, kernel32.dll is always the third module in the InMemoryOrderModuleList (if it wasn't we could still walk all the list and find it by the FullDllName or BaseDllName entry). Let's actually examine the concrete structures in memory. Our starting point will be the TEB, as discussed:
0:000> dt _TEB @$teb ntdll!_TEB +0x000 NtTib : _NT_TIB +0x01c EnvironmentPointer : (null) +0x020 ClientId : _CLIENT_ID +0x028 ActiveRpcHandle : (null) +0x02c ThreadLocalStoragePointer : 0x7efdd02c Void +0x030 ProcessEnvironmentBlock : 0x7efde000 _PEB +0x034 LastErrorValue : 0 ... 0:000> dt _PEB 0x7efde000 ntdll!_PEB +0x000 InheritedAddressSpace : 0 '' +0x001 ReadImageFileExecOptions : 0 '' +0x002 BeingDebugged : 0x1 '' +0x003 BitField : 0x8 '' +0x003 ImageUsesLargePages : 0y0 +0x003 IsProtectedProcess : 0y0 +0x003 IsLegacyProcess : 0y0 +0x003 IsImageDynamicallyRelocated : 0y1 +0x003 SkipPatchingUser32Forwarders : 0y0 +0x003 SpareBits : 0y000 +0x004 Mutant : 0xffffffff Void +0x008 ImageBaseAddress : 0x00550000 Void +0x00c Ldr : 0x77ba0200 _PEB_LDR_DATA +0x010 ProcessParameters : 0x00341678 _RTL_USER_PROCESS_PARAMETERS +0x014 SubSystemData : (null) +0x018 ProcessHeap : 0x00340000 Void ... 0:000> dt _PEB_LDR_DATA 0x77ba0200 ntdll!_PEB_LDR_DATA +0x000 Length : 0x30 +0x004 Initialized : 0x1 '' +0x008 SsHandle : (null) +0x00c InLoadOrderModuleList : _LIST_ENTRY [ 0x692f10 - 0x696108 ] +0x014 InMemoryOrderModuleList : _LIST_ENTRY [ 0x692f18 - 0x696110 ] +0x01c InInitializationOrderModuleList : _LIST_ENTRY [ 0x692fb0 - 0x696118 ] +0x024 EntryInProgress : (null) +0x028 ShutdownInProgress : 0 '' +0x02c ShutdownThreadId : (null) 0:000> dt _LDR_DATA_TABLE_ENTRY 0x342f18-8 ntdll!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x342fa0 - 0x77ba020c ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x342fa8 - 0x77ba0214 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x0 - 0x0 ] +0x018 DllBase : 0x00550000 Void +0x01c EntryPoint : 0x00562d6c Void +0x020 SizeOfImage : 0xc0000 +0x024 FullDllName : _UNICODE_STRING "C:\Windows\SysWOW64\calc.exe" +0x02c BaseDllName : _UNICODE_STRING "calc.exe" +0x034 Flags : 0x4000 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x344044 - 0x77ba48e8 ] +0x03c SectionPointer : 0x00344044 Void +0x040 CheckSum : 0x77ba48e8 +0x044 TimeDateStamp : 0x4ce7979d +0x044 LoadedImports : 0x4ce7979d Void +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x342f60 - 0x342f60 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x342f68 - 0x342f68 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x346320 - 0x345038 ] +0x068 ContextInformation : 0x77adc960 Void +0x06c OriginalBase : 0 +0x070 LoadTime : _LARGE_INTEGER 0x0 0:000> dt _LDR_DATA_TABLE_ENTRY 0x342fa8-8 ntdll!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x343320 - 0x342f10 ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x343328 - 0x342f18 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x343448 - 0x77ba021c ] +0x018 DllBase : 0x77aa0000 Void +0x01c EntryPoint : (null) +0x020 SizeOfImage : 0x180000 +0x024 FullDllName : _UNICODE_STRING "C:\Windows\SysWOW64\ntdll.dll" +0x02c BaseDllName : _UNICODE_STRING "ntdll.dll" +0x034 Flags : 0x4004 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x77ba48c0 - 0x77ba48c0 ] +0x03c SectionPointer : 0x77ba48c0 Void +0x040 CheckSum : 0x77ba48c0 +0x044 TimeDateStamp : 0x4ec49b8f +0x044 LoadedImports : 0x4ec49b8f Void +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x342ff0 - 0x342ff0 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x342ff8 - 0x342ff8 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x343000 - 0x343000 ] +0x068 ContextInformation : (null) +0x06c OriginalBase : 0x7de70000 +0x070 LoadTime : _LARGE_INTEGER 0x0 0:000> dt _LDR_DATA_TABLE_ENTRY 0x343328-8 ntdll!_LDR_DATA_TABLE_ENTRY +0x000 InLoadOrderLinks : _LIST_ENTRY [ 0x343438 - 0x342fa0 ] +0x008 InMemoryOrderLinks : _LIST_ENTRY [ 0x343440 - 0x342fa8 ] +0x010 InInitializationOrderLinks : _LIST_ENTRY [ 0x343cf8 - 0x343448 ] +0x018 DllBase : 0x75540000 Void +0x01c EntryPoint : 0x755532a3 Void +0x020 SizeOfImage : 0x110000 +0x024 FullDllName : _UNICODE_STRING "C:\Windows\syswow64\kernel32.dll" +0x02c BaseDllName : _UNICODE_STRING "kernel32.dll" +0x034 Flags : 0x84004 +0x038 LoadCount : 0xffff +0x03a TlsIndex : 0 +0x03c HashLinks : _LIST_ENTRY [ 0x346144 - 0x77ba4880 ] +0x03c SectionPointer : 0x00346144 Void +0x040 CheckSum : 0x77ba4880 +0x044 TimeDateStamp : 0x4e211318 +0x044 LoadedImports : 0x4e211318 Void +0x048 EntryPointActivationContext : (null) +0x04c PatchInformation : (null) +0x050 ForwarderLinks : _LIST_ENTRY [ 0x343ed0 - 0x343ed0 ] +0x058 ServiceTagLinks : _LIST_ENTRY [ 0x343378 - 0x343378 ] +0x060 StaticLinks : _LIST_ENTRY [ 0x3434f0 - 0x3433b0 ] +0x068 ContextInformation : 0x77adc960 Void +0x06c OriginalBase : 0x7dd60000 +0x070 LoadTime : _LARGE_INTEGER 0x01cd6f77`c1f63851
There we have it, DllBase = 0x75540000.
The assembly code
; assemble with `nasm k32base.asm -o k32base` bits 32 xor edx, edx mov edx, [fs:edx+0x30] ; edx = address of PEB mov edx, [edx+0x0c] ; edx = address of Ldr mov edx, [edx+0x14] ; edx = first module entry address mov edx, [edx] ; edx = second module entry address mov edx, [edx] ; edx = third module entry address mov edx, [edx+0x10] ; edx = DllBase of kernel32.dll
Shellcode:
/* 19 bytes */ char shellcode[] = "\x31\xd2\x64\x8b\x52\x30\x8b\x52\x0c\x8b" "\x52\x14\x8b\x12\x8b\x12\x8b\x52\x10";
We can retrieve the DllBase of kernel32.dll under x64 in the same way, except that some offsets will be different, because of larger pointer sizes. After getting the equivalent offsets under x64, we come up with:
; assemble with `nasm k32base_x64.asm -o k32base_x64` bits 64 xor rdx, rdx mov rdx, [fs:rdx+0x60] ; rdx = address of PEB mov rdx, [rdx+0x18] ; rdx = address of Ldr mov rdx, [rdx+0x20] ; rdx = first module entry address mov rdx, [rdx] ; rdx = second module entry address mov rdx, [rdx] ; rdx = third module entry address mov rdx, [rdx+0x20] ; rdx = DllBase of kernel32.dll
Shellcode:
/* 26 bytes */ char shellcode[] = "\x48\x31\xd2\x64\x48\x8b\x52\x60\x48\x8b" "\x52\x18\x48\x8b\x52\x20\x48\x8b\x12\x48" "\x8b\x12\x48\x8b\x52\x20";
~ Dmitry
thanks this is great detail, very helpful
ReplyDelete