WS2_32.dll, wsock32.dll Ordinal 이름에 대한 실제 함수 이름

안녕하세요.

악성 코드 내용을 보던 도중 Import Address Table에서 아래와 같은 것을 보게 되었습니다.

+ WS2_32.dll

Ord(12)

Ord(3)

Ord(11)

Ord(23)

Ord(20)

Ord(111)

Ord(17)

Ord(15)

Ord(115)

Ord(9)

이게 뭘까 하다가 찾아 보니깐 WS2_32.dll 의 함수에서 ordinal 이름으로 함수가 사용되어 저렇게 이름이 나오는 것을 알게 되었습니다. 그래서 WS2_32.dll과 wsock32.dll 에 대해 함수들이 ordinal 번호가 어떻게 맵핑이 되는지 찾아 보게 되었고 아래와 같음을 알 수 있었습니다.

사용한 툴은 Stud-PE 입니다 (http://www.cgsoftlabs.ro/dl.html)

WSOCK32.dll

Ord	Name
1	accept
2	bind
3	closesocket
4	connect
5	getpeername
6	getsockname
7	getsockopt
8	htonl
9	htons
10	inet_addr
11	inet_ntoa
12	ioctlsocket
13	listen
14	ntohl
15	ntohs
16	recv
17	recvfrom
18	select
19	send
20	sendto
21	setsockopt
22	shutdown
23	socket
24	MigrateWinsockConfiguration
25	gethostbyaddr
26	gethostbyname
27	getprotobyname
28	getprotobynumber
29	getservbyname
30	getservbyport
31	gethostname
32	WSAAsyncSelect
33	WSAAsyncGetHostByAddr
34	WSAAsyncGetHostByName
35	WSAAsyncGetProtoByNumber
36	WSAAsyncGetProtoByName
37	WSAAsyncGetServByPort
38	WSAAsyncGetServByName
39	WSACancelAsyncRequest
40	WSASetBlockingHook
41	WSAUnhookBlockingHook
42	WSAGetLastError
43	WSASetLastError
44	WSACancelBlockingCall
45	WSAIsBlocking
46	WSAStartup
47	WSACleanup
48	__WSAFDIsSet
49	WEP
50	WSApSetPostRoutine
51	inet_network
52	getnetbyname
53	rcmd
54	rexec
55	rresvport
56	sethostname
57	dn_expand
58	WSARecvEx
59	s_perror
60	GetAddressByNameA
61	GetAddressByNameW
62	EnumProtocolsA
63	EnumProtocolsW
64	GetTypeByNameA
65	GetTypeByNameW
66	GetNameByTypeA
67	GetNameByTypeW
68	SetServiceA
69	SetServiceW
70	GetServiceA
71	GetServiceW
72	NPLoadNameSpaces
73	TransmitFile
74	AcceptEx
75	GetAcceptExSockaddrs

WS2_32.dll

Ord	Name
1	accept
2	bind
3	closesocket
4	connect
5	getpeername
6	getsockname
7	getsockopt
8	htonl
9	htons
10	ioctlsocket
11	inet_addr
12	inet_ntoa
13	listen
14	ntohl
15	ntohs
16	recv
17	recvfrom
18	select
19	send
20	sendto
21	setsockopt
22	shutdown
23	socket
24	WSApSetPostRoutine
25	FreeAddrInfoEx
26	FreeAddrInfoExW
27	FreeAddrInfoW
28	GetAddrInfoExA
29	GetAddrInfoExW
30	GetAddrInfoW
31	GetNameInfoW
32	InetNtopW
33	InetPtonW
34	SetAddrInfoExA
35	SetAddrInfoExW
36	WPUCompleteOverlappedRequest
37	WSAAccept
38	WSAAddressToStringA
39	WSAAddressToStringW
40	WSAAdvertiseProvider
41	WSACloseEvent
42	WSAConnect
43	WSAConnectByList
44	WSAConnectByNameA
45	WSAConnectByNameW
46	WSACreateEvent
47	WSADuplicateSocketA
48	WSADuplicateSocketW
49	WSAEnumNameSpaceProvidersA
50	WSAEnumNameSpaceProvidersExA
51	gethostbyaddr
52	gethostbyname
53	getprotobyname
54	getprotobynumber
55	getservbyname
56	getservbyport
57	gethostname
58	WSAEnumNameSpaceProvidersExW
59	WSAEnumNameSpaceProvidersW
60	WSAEnumNetworkEvents
61	WSAEnumProtocolsA
62	WSAEnumProtocolsW
63	WSAEventSelect
64	WSAGetOverlappedResult
65	WSAGetQOSByName
66	WSAGetServiceClassInfoA
67	WSAGetServiceClassInfoW
68	WSAGetServiceClassNameByClassIdA
69	WSAGetServiceClassNameByClassIdW
70	WSAHtonl
71	WSAHtons
72	WSAInstallServiceClassA
73	WSAInstallServiceClassW
74	WSAIoctl
75	WSAJoinLeaf
76	WSALookupServiceBeginA
77	WSALookupServiceBeginW
78	WSALookupServiceEnd
79	WSALookupServiceNextA
80	WSALookupServiceNextW
81	WSANSPIoctl
82	WSANtohl
83	WSANtohs
84	WSAPoll
85	WSAProviderCompleteAsyncCall
86	WSAProviderConfigChange
87	WSARecv
88	WSARecvDisconnect
89	WSARecvFrom
90	WSARemoveServiceClass
91	WSAResetEvent
92	WSASend
93	WSASendDisconnect
94	WSASendMsg
95	WSASendTo
96	WSASetEvent
97	WSASetServiceA
98	WSASetServiceW
99	WSASocketA
100	WSASocketW
101	WSAAsyncSelect
102	WSAAsyncGetHostByAddr
103	WSAAsyncGetHostByName
104	WSAAsyncGetProtoByNumber
105	WSAAsyncGetProtoByName
106	WSAAsyncGetServByPort
107	WSAAsyncGetServByName
108	WSACancelAsyncRequest
109	WSASetBlockingHook
110	WSAUnhookBlockingHook
111	WSAGetLastError
112	WSASetLastError
113	WSACancelBlockingCall
114	WSAIsBlocking
115	WSAStartup
116	WSACleanup
117	WSAStringToAddressA
118	WSAStringToAddressW
119	WSAUnadvertiseProvider
120	WSAWaitForMultipleEvents
121	WSCDeinstallProvider
122	WSCDeinstallProvider32
123	WSCEnableNSProvider
124	WSCEnableNSProvider32
125	WSCEnumNameSpaceProviders32
126	WSCEnumNameSpaceProvidersEx32
127	WSCEnumProtocols
128	WSCEnumProtocols32
129	WSCGetApplicationCategory
130	WSCGetProviderInfo
131	WSCGetProviderInfo32
132	WSCGetProviderPath
133	WSCGetProviderPath32
134	WSCInstallNameSpace
135	WSCInstallNameSpace32
136	WSCInstallNameSpaceEx
137	WSCInstallNameSpaceEx32
138	WSCInstallProvider
139	WSCInstallProvider64_32
140	WSCInstallProviderAndChains64_32
141	WSCSetApplicationCategory
142	WSCSetProviderInfo
143	WSCSetProviderInfo32
144	WSCUnInstallNameSpace
145	WSCUnInstallNameSpace32
146	WSCUpdateProvider
147	WSCUpdateProvider32
148	WSCWriteNameSpaceOrder
149	WSCWriteNameSpaceOrder32
150	WSCWriteProviderOrder
151	__WSAFDIsSet
152	WSCWriteProviderOrder32
153	WahCloseApcHelper
154	WahCloseHandleHelper
155	WahCloseNotificationHandleHelper
156	WahCloseSocketHandle
157	WahCloseThread
158	WahCompleteRequest
159	WahCreateHandleContextTable
160	WahCreateNotificationHandle
161	WahCreateSocketHandle
162	WahDestroyHandleContextTable
163	WahDisableNonIFSHandleSupport
164	WahEnableNonIFSHandleSupport
165	WahEnumerateHandleContexts
166	WahInsertHandleContext
167	WahNotifyAllProcesses
168	WahOpenApcHelper
169	WahOpenCurrentThread
170	WahOpenHandleHelper
171	WahOpenNotificationHandleHelper
172	WahQueueUserApc
173	WahReferenceContextByHandle
174	WahRemoveHandleContext
175	WahWaitForNotification
176	WahWriteLSPEvent
177	freeaddrinfo
178	getaddrinfo
179	getnameinfo
180	inet_ntop
181	inet_pton
182	WEP

결론적으로 위의 내용은 아래와 같음을 알 수 있었습니다.

+ WS2_32.dll

Ord(12)    -> inet_ntoa()

Ord(3)     -> closesocket()

Ord(11)    -> inet_addr()

Ord(23)    -> socket()

Ord(20)    -> sendto()

Ord(111)   -> WSAGetLastError()

Ord(17)    -> recvfrom()

Ord(15)    -> ntohs()

Ord(115)   -> WSAStartup()

Ord(9)     -> htons()

이를 통해 뭔가 통신을 하고 있음을 알 수 있었습니다. 재미있네요 :D