PMA 123: Importing DLLs (45 pts extra)

What you need

Purpose

To examine how DLL imports work, and practice repairing broken DLL Import headers.

Use the FLARE-VM

All these steps are done in your FLARE-VM, which is Windows 10 plus many malware analysis tools.

Getting the hello4.exe Program

Download this file:

hello4.exe

In a Command Prompt, execute the program. It prints out a short message, as shown below.

Here's the source code for that program. It uses only one function: printf. How complicated could that be?

IMPORT Address Table

Open the hello4.exe file in PEview.

Examine the IMPORT Address Table. As shown below, this program uses dozens of Windows API calls.

Scroll to the bottom to see the DLL name. All these API calls come from a single library: KERNEL32.dll, as shown below.

Understanding the Addresses

Notice the last API function in the image above: RaiseException. It has a pFile address of FF00 and Data of 1711C.

Examine the .rdata section, as shown below.

Here you see a raw hexadecimal dump of the file contents, with the 32-bit word at FF00 containing the value 1711C in little-endian order, as shown below.

pFile addresses are actual locations in the PE file itself, which you can verify by examining the file with HxD, as shown below.

Examine the "IMPORT Hints/Names & DLL Names" section. RaiseException is at address 15F1C, as shown below (preceded by a 2-byte hint).

This address is 1200 bytes lower than the Data of 1711C.

The value 1711C is a RVA (Relative Virtual Address) -- the location in RAM of the object, relative to its Base Address.

To understand that, examine the IMAGE_SECTION_HEADER for the .rdata section.

This section loads at an RVA of 11000, but the "Pointer to Raw Data" (pFile address) is FE00, 1200 bytes lower, as shown below.

Memory Map in OllyDbg

To see this another way, load the hello4.exe in OllyDbg. Click View, Memory to examine the Memory map.

The program loads at a Base Address different from the preferred address of 400000, as shown below.

That's an annoyance we don't need.

Using SetDLLCharacteristics

In your FLARE-VM, in Firefox, go to

https://blog.didierstevens.com/2010/10/17/setdllcharacteristics/

Download the file, as shown below.

Unzip the file you downloaded, and place the setdllcharacteristics.exe in the same folder you have the hello4.exe file in.

In a Comand Prompt, in that folder, execute this command:

setdllcharacteristics
A help message appears, showing that a -d flag will clear DYNAMIC_BASE (ASLR), as shown below.

Close PEview and OllyDbg, if they are still open.

Then, in the Comand Prompt, execute this command:

setdllcharacteristics -d hello4.exe
The program changes DYNAMIC_BASE from 1 to zero, as shown below.

Memory Map in OllyDbg

Load the hello4.exe file in OllyDbg again. Click View, Memory to examine the Memory map.

Now the code loads at 400000.

Left-click, then right-click the .rdata section, and click Dump, as shown below.

Scroll down and find the RaiseException data, at address 41711C, as shown below.

It's easy to see that this location is the RVA of 1711C plus the Base Address of 400000.

PMA 123.1: KERNEL32 "Hint" (10 pts)

In PEview, examine the "IMPORT Directory Table", as shown below.

In OllyDbg, find the text KERNEL32.dll, as shown below.

The flag is the two bytes preceding that text, covered by a green rectangle in the image below.

PMA 123.2: DLL Name (5 pts)

Download this file:

hello5.exe

The file uses two DLLs. One is KERNEL32.dll. The flag is the name of the other DLL.

PMA 123.3: KERNEL32 Address (10 pts)

Use the same file as the previous challenge.

Turn off ASLR, load the file in OllyDbg, and examine the .rdata section.

Find the address of the line containing KERNEL32, which is covered by a green rectangle in the image below.

That's the flag.

PMA 123.4: Broken (20 pts)

Download this file:

winsockh.exe

The file is damaged and cannot run.

Fix it and run it to see the flag.

Hint: here's some of the source code:

Sources

PE Format from Microsoft
PE File Format Offsets - by Sunshine
Understanding the Import Address Table
Understanding Import Tables #2 - Manually add imports - by Sunshine

Posted 9-29-2020