티스토리 뷰
안녕하세요.
악성 코드 내용을 보던 도중 Import Address Table에서 아래와 같은 것을 보게 되었습니다.
+ WS2_32.dll
Ord(12)
Ord(3)
Ord(11)
Ord(23)
Ord(20)
Ord(111)
Ord(17)
Ord(15)
Ord(115)
Ord(9)
이게 뭘까 하다가 찾아 보니깐 WS2_32.dll 의 함수에서 ordinal 이름으로 함수가 사용되어 저렇게 이름이 나오는 것을 알게 되었습니다. 그래서 WS2_32.dll과 wsock32.dll 에 대해 함수들이 ordinal 번호가 어떻게 맵핑이 되는지 찾아 보게 되었고 아래와 같음을 알 수 있었습니다.
사용한 툴은 Stud-PE 입니다 (http://www.cgsoftlabs.ro/dl.html)
WSOCK32.dll
Ord |
Name |
1 | accept |
2 | bind |
3 | closesocket |
4 | connect |
5 | getpeername |
6 | getsockname |
7 | getsockopt |
8 | htonl |
9 | htons |
10 | inet_addr |
11 | inet_ntoa |
12 | ioctlsocket |
13 | listen |
14 | ntohl |
15 | ntohs |
16 | recv |
17 | recvfrom |
18 | select |
19 | send |
20 | sendto |
21 | setsockopt |
22 | shutdown |
23 | socket |
24 | MigrateWinsockConfiguration |
25 | gethostbyaddr |
26 | gethostbyname |
27 | getprotobyname |
28 | getprotobynumber |
29 | getservbyname |
30 | getservbyport |
31 | gethostname |
32 | WSAAsyncSelect |
33 | WSAAsyncGetHostByAddr |
34 | WSAAsyncGetHostByName |
35 | WSAAsyncGetProtoByNumber |
36 | WSAAsyncGetProtoByName |
37 | WSAAsyncGetServByPort |
38 | WSAAsyncGetServByName |
39 | WSACancelAsyncRequest |
40 | WSASetBlockingHook |
41 | WSAUnhookBlockingHook |
42 | WSAGetLastError |
43 | WSASetLastError |
44 | WSACancelBlockingCall |
45 | WSAIsBlocking |
46 | WSAStartup |
47 | WSACleanup |
48 | __WSAFDIsSet |
49 | WEP |
50 | WSApSetPostRoutine |
51 | inet_network |
52 | getnetbyname |
53 | rcmd |
54 | rexec |
55 | rresvport |
56 | sethostname |
57 | dn_expand |
58 | WSARecvEx |
59 | s_perror |
60 | GetAddressByNameA |
61 | GetAddressByNameW |
62 | EnumProtocolsA |
63 | EnumProtocolsW |
64 | GetTypeByNameA |
65 | GetTypeByNameW |
66 | GetNameByTypeA |
67 | GetNameByTypeW |
68 | SetServiceA |
69 | SetServiceW |
70 | GetServiceA |
71 | GetServiceW |
72 | NPLoadNameSpaces |
73 | TransmitFile |
74 | AcceptEx |
75 | GetAcceptExSockaddrs |
WS2_32.dll
Ord | Name |
1 | accept |
2 | bind |
3 | closesocket |
4 | connect |
5 | getpeername |
6 | getsockname |
7 | getsockopt |
8 | htonl |
9 | htons |
10 | ioctlsocket |
11 | inet_addr |
12 | inet_ntoa |
13 | listen |
14 | ntohl |
15 | ntohs |
16 | recv |
17 | recvfrom |
18 | select |
19 | send |
20 | sendto |
21 | setsockopt |
22 | shutdown |
23 | socket |
24 | WSApSetPostRoutine |
25 | FreeAddrInfoEx |
26 | FreeAddrInfoExW |
27 | FreeAddrInfoW |
28 | GetAddrInfoExA |
29 | GetAddrInfoExW |
30 | GetAddrInfoW |
31 | GetNameInfoW |
32 | InetNtopW |
33 | InetPtonW |
34 | SetAddrInfoExA |
35 | SetAddrInfoExW |
36 | WPUCompleteOverlappedRequest |
37 | WSAAccept |
38 | WSAAddressToStringA |
39 | WSAAddressToStringW |
40 | WSAAdvertiseProvider |
41 | WSACloseEvent |
42 | WSAConnect |
43 | WSAConnectByList |
44 | WSAConnectByNameA |
45 | WSAConnectByNameW |
46 | WSACreateEvent |
47 | WSADuplicateSocketA |
48 | WSADuplicateSocketW |
49 | WSAEnumNameSpaceProvidersA |
50 | WSAEnumNameSpaceProvidersExA |
51 | gethostbyaddr |
52 | gethostbyname |
53 | getprotobyname |
54 | getprotobynumber |
55 | getservbyname |
56 | getservbyport |
57 | gethostname |
58 | WSAEnumNameSpaceProvidersExW |
59 | WSAEnumNameSpaceProvidersW |
60 | WSAEnumNetworkEvents |
61 | WSAEnumProtocolsA |
62 | WSAEnumProtocolsW |
63 | WSAEventSelect |
64 | WSAGetOverlappedResult |
65 | WSAGetQOSByName |
66 | WSAGetServiceClassInfoA |
67 | WSAGetServiceClassInfoW |
68 | WSAGetServiceClassNameByClassIdA |
69 | WSAGetServiceClassNameByClassIdW |
70 | WSAHtonl |
71 | WSAHtons |
72 | WSAInstallServiceClassA |
73 | WSAInstallServiceClassW |
74 | WSAIoctl |
75 | WSAJoinLeaf |
76 | WSALookupServiceBeginA |
77 | WSALookupServiceBeginW |
78 | WSALookupServiceEnd |
79 | WSALookupServiceNextA |
80 | WSALookupServiceNextW |
81 | WSANSPIoctl |
82 | WSANtohl |
83 | WSANtohs |
84 | WSAPoll |
85 | WSAProviderCompleteAsyncCall |
86 | WSAProviderConfigChange |
87 | WSARecv |
88 | WSARecvDisconnect |
89 | WSARecvFrom |
90 | WSARemoveServiceClass |
91 | WSAResetEvent |
92 | WSASend |
93 | WSASendDisconnect |
94 | WSASendMsg |
95 | WSASendTo |
96 | WSASetEvent |
97 | WSASetServiceA |
98 | WSASetServiceW |
99 | WSASocketA |
100 | WSASocketW |
101 | WSAAsyncSelect |
102 | WSAAsyncGetHostByAddr |
103 | WSAAsyncGetHostByName |
104 | WSAAsyncGetProtoByNumber |
105 | WSAAsyncGetProtoByName |
106 | WSAAsyncGetServByPort |
107 | WSAAsyncGetServByName |
108 | WSACancelAsyncRequest |
109 | WSASetBlockingHook |
110 | WSAUnhookBlockingHook |
111 | WSAGetLastError |
112 | WSASetLastError |
113 | WSACancelBlockingCall |
114 | WSAIsBlocking |
115 | WSAStartup |
116 | WSACleanup |
117 | WSAStringToAddressA |
118 | WSAStringToAddressW |
119 | WSAUnadvertiseProvider |
120 | WSAWaitForMultipleEvents |
121 | WSCDeinstallProvider |
122 | WSCDeinstallProvider32 |
123 | WSCEnableNSProvider |
124 | WSCEnableNSProvider32 |
125 | WSCEnumNameSpaceProviders32 |
126 | WSCEnumNameSpaceProvidersEx32 |
127 | WSCEnumProtocols |
128 | WSCEnumProtocols32 |
129 | WSCGetApplicationCategory |
130 | WSCGetProviderInfo |
131 | WSCGetProviderInfo32 |
132 | WSCGetProviderPath |
133 | WSCGetProviderPath32 |
134 | WSCInstallNameSpace |
135 | WSCInstallNameSpace32 |
136 | WSCInstallNameSpaceEx |
137 | WSCInstallNameSpaceEx32 |
138 | WSCInstallProvider |
139 | WSCInstallProvider64_32 |
140 | WSCInstallProviderAndChains64_32 |
141 | WSCSetApplicationCategory |
142 | WSCSetProviderInfo |
143 | WSCSetProviderInfo32 |
144 | WSCUnInstallNameSpace |
145 | WSCUnInstallNameSpace32 |
146 | WSCUpdateProvider |
147 | WSCUpdateProvider32 |
148 | WSCWriteNameSpaceOrder |
149 | WSCWriteNameSpaceOrder32 |
150 | WSCWriteProviderOrder |
151 | __WSAFDIsSet |
152 | WSCWriteProviderOrder32 |
153 | WahCloseApcHelper |
154 | WahCloseHandleHelper |
155 | WahCloseNotificationHandleHelper |
156 | WahCloseSocketHandle |
157 | WahCloseThread |
158 | WahCompleteRequest |
159 | WahCreateHandleContextTable |
160 | WahCreateNotificationHandle |
161 | WahCreateSocketHandle |
162 | WahDestroyHandleContextTable |
163 | WahDisableNonIFSHandleSupport |
164 | WahEnableNonIFSHandleSupport |
165 | WahEnumerateHandleContexts |
166 | WahInsertHandleContext |
167 | WahNotifyAllProcesses |
168 | WahOpenApcHelper |
169 | WahOpenCurrentThread |
170 | WahOpenHandleHelper |
171 | WahOpenNotificationHandleHelper |
172 | WahQueueUserApc |
173 | WahReferenceContextByHandle |
174 | WahRemoveHandleContext |
175 | WahWaitForNotification |
176 | WahWriteLSPEvent |
177 | freeaddrinfo |
178 | getaddrinfo |
179 | getnameinfo |
180 | inet_ntop |
181 | inet_pton |
182 | WEP |
결론적으로 위의 내용은 아래와 같음을 알 수 있었습니다.
+ WS2_32.dll
Ord(12) -> inet_ntoa()
Ord(3) -> closesocket()
Ord(11) -> inet_addr()
Ord(23) -> socket()
Ord(20) -> sendto()
Ord(111) -> WSAGetLastError()
Ord(17) -> recvfrom()
Ord(15) -> ntohs()
Ord(115) -> WSAStartup()
Ord(9) -> htons()
이를 통해 뭔가 통신을 하고 있음을 알 수 있었습니다. 재미있네요 :D
'FAQ' 카테고리의 다른 글
[IDA] Decompilation failure: xx: positive sp value has been found (0) | 2014.02.25 |
---|---|
[IDA] Decompilation failure: FFFFFFFF: wrong basic type sizes in compiler settings (0) | 2014.02.04 |
프로퍼티 리스트파일(plist) 시그니처와 관련 툴 (0) | 2014.01.27 |
CIL (Common Intermediate Language) 명령어 집합 (0) | 2014.01.20 |
댓글
최근에 올라온 글
최근에 달린 댓글
- Total
- Today
- Yesterday
링크
TAG
- School CTF Writeup
- IE 10 God Mode
- IE 10 익스플로잇
- IE 11 UAF
- 2014 SU CTF Write UP
- School CTF Write up
- WinDbg
- 2015 School CTF
- CTF Write up
- IE UAF
- expdev 번역
- Use after free
- 데이터 마이닝
- Windows Exploit Development
- data mining
- heap spraying
- shellcode
- TenDollar CTF
- 윈도우즈 익스플로잇 개발
- UAF
- IE 11 exploit development
- shellcode writing
- IE 10 Exploit Development
- Mona 2
- 힙 스프레잉
- IE 10 리버싱
- TenDollar
- 쉘 코드
- IE 11 exploit
- 쉘 코드 작성
일 | 월 | 화 | 수 | 목 | 금 | 토 |
---|---|---|---|---|---|---|
1 | 2 | 3 | 4 | 5 | 6 | 7 |
8 | 9 | 10 | 11 | 12 | 13 | 14 |
15 | 16 | 17 | 18 | 19 | 20 | 21 |
22 | 23 | 24 | 25 | 26 | 27 | 28 |
29 | 30 | 31 |
글 보관함