Injective Code inside Import Table(输入表代码注入).pdf

Injective Code inside Import Table 输入表代码注入 作者：Ashkbiz Danehkar 译者：小楼听雨 站点：http://www.xl7y.tk 本译文保留原文内容，您也可以直接点击下面链接阅读原文。 原文地址: /KB/system/inject2it.aspx Contents 1. Into Import Table 2. Import Descriptor at a glance 3. API redirection technique 4. Protection again reversion 5. Runtime Import Table Injection 6. Trojan horse 7. Consequences 目录 1. 输入表简介 2. 初识输入表描述符 3. API 重定位技术 4. 反逆向保护 5. 运行时输入表注入 6. 特洛伊木马 7. 总结 Lets imagine we could redirect the thoroughfare of the imported functions entrances into our especial routines by manipulating the import table thunks, it could be possible to filter the demands of the importations through our routines. Furthermore, we could settle our appropriate routine by this performance, which is done by the professional Portable Executable (PE) Protectors, additionally some sort of rootkits employ this approach to embed its malicious code inside the victim by a Trojan horse. 假如我们可以通过修改输入表thunks 控制函数的入口点，将其重定位到我们指定的例程，通过 我们的例程过滤对输入表的请求将成为可能。进一步说，我们可以使用这种性能去执行我们的例 程。这种技术早已为专业的PE 保护人员所用，而且某些rootkits 使用它嵌入恶意代码到受感 染程序中。 In the reverse engineering world, we describe it as API redirection technique. Nevertheless I am not going to accompany all viewpoints in this area by source code, this article merely represents a brief aspect of this technique by a simple code. I will describe other issues in the absence of the source code; I could not release code which is related to commercial projects or intended for malicious motivation, however, I think this article could be used as an introduction to this topic. 在逆向工程领域，我们把它描述为“API 重定向技术”。然而我将不会通过源代码这个领域的所 有观点，本文也仅仅通过一份简单的代码简述了这种技术的某一方面，在描述其他方面时不提供 源代码。我不能提供商业代码以及可能被恶意利用的代码，不过，本文可以用来入门。 1. Into Import Table The portable executable file structure consists of the MS-DOS header, the NT headers, the Sections headers and the Section images, as you observe in Figure 1. The MS-DOS header is common in all Mic