Nytro Posted February 17, 2012

[h=2]Many roads to IAT[/h]
Published December 1, 2011 | By Dinos

[h=3]Introduction[/h]
A few days ago a friend approached me and asked how he could see the import address table under Immunity Debugger and whether this could be done from the command line. I figured this would be a good time to take a look at what the IAT is, how we can list the IAT, and what the common reversing hurdles are with regards to the IAT.

Let's first see what the IAT is and why it is good to know what is in there. IAT stands for Import Address Table and, according to Wikipedia, "One section of note is the import address table (IAT), which is used as a lookup table when the application is calling a function in a different module. It can be in form of both import by ordinal and import by name. Because a compiled program cannot know the memory location of the libraries it depends upon, an indirect jump is required whenever an API call is made. As the dynamic linker loads modules and joins them together, it writes actual addresses into the IAT slots, so that they point to the memory locations of the corresponding library functions. Though this adds an extra jump over the cost of an intra-module call resulting in a performance penalty, it provides a key benefit: The number of memory pages that need to be copy-on-write changed by the loader is minimized, saving memory and disk I/O time. If the compiler knows ahead of time that a call will be inter-module (via a dllimport attribute) it can produce more optimized code that simply results in an indirect call opcode."

By knowing what is inside the IAT we can identify the functions a program calls from other modules, look for possibly unwanted or strange behaviour (as in the case of viruses and malware), make the code under the debugger easier to read, and find the addresses of functions of interest (VirtualAlloc, HeapCreate, SetProcessDEPPolicy, NtSetInformationProcess, VirtualProtect, WriteProcessMemory). In case you haven't figured it out, those are functions that can be used to bypass DEP: the loader has already resolved them for us, so an accurate pointer to one of them in the IAT makes it trivial to call that function from a ROP chain.

[h=3]How can we query or list entries in the IAT?[/h]

[h=4]Windbg[/h]
Windbg is often the debugger of my choice, not because it is the easiest to use, but mostly because I got used to the interface and the fast response. Doing things under windbg will in most cases take far less time if you know the way, and far more time if you are still trying to find your way. After launching windbg, this is what you'll get: you can start a debugging session by launching an application in the debugger (File - Open) or by attaching the debugger to a running application (File - Attach). For the purpose of this example we are going to use notepad.exe as the test file; windbg loads the modules and stops just before execution of the program starts, waiting for a command. All modules loaded at this moment are listed on the screen. As opposed to the other two debuggers, windbg lacks the easy drop-down menu commands, and identifying the IAT requires a bit more time.
First we need to locate the address of the Import Address Table in our executable; to do so we use the command !dh. The !dh command displays the headers of the requested module (more on the commands at http://windbg.info/doc/1-common-cmds.html), and in its output we can identify the location of the IAT. In my example the IAT of notepad is at offset (RVA) 1000 of the module notepad.exe. To dump its contents we add the image base of our file to the RVA of the IAT; this can be done in two ways, either by module name, "dps notepad+1000 l1000/8", or by giving the image base address, "dps 00c10000+1000 l1000/8". The module-name form is the more robust one: with ASLR the image base changes from session to session, which is why the listing further below shows the IAT at 00121000 rather than 00c11000.

The dps command stands for "display pointer-sized contents of memory" in the given range, so the L argument is a count of pointer-sized entries rather than bytes: the exact count is the size of the IAT directory reported by !dh divided by 4 on 32-bit (on a 64-bit module use dqs and divide by 8); a larger range, as above, simply runs past the end of the table. The output of dps is a lengthy listing of the IAT slots, each resolved to the function it points to.

Another method for windbg, and a bit more elegant, is described on the OSR windbg list ("Import Table Functions"), using the following windbg script:

r $t0 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xd8)
r $t1 = poi(${$arg1}+poi(${$arg1}+0x3c)+0xdc)
dps ${$arg1}+$t0 l? (($t1+4)/4)

Here $arg1 is the module whose base windbg resolves for us, poi(base+0x3c) reads e_lfanew (the offset of the PE header), and 0xd8 and 0xdc are the VirtualAddress and Size of data directory entry 12, the IAT, in a 32-bit optional header. For a 64-bit (PE32+) module the optional header is larger, so the same fields sit at 0xe8 and 0xec and the dump should use dqs. The (+4)/4 turns the byte size into a pointer count and reads one extra slot, which is why the listing ends one entry past the last import. Saving the script under a name, e.g. test1.txt in the windbg directory, and calling it from windbg with $$>a< test1.txt notepad, we get the following output in the debugger:

0:000> $$>a< test1.txt notepad
00121000 760e14d6 ADVAPI32!RegSetValueExWStub
00121004 760e46ad ADVAPI32!RegQueryValueExWStub
00121008 760e469d ADVAPI32!RegCloseKeyStub
0012100c 760e1514 ADVAPI32!RegCreateKeyW
00121010 760e468d ADVAPI32!RegOpenKeyExWStub
00121014 760e448e ADVAPI32!IsTextUnicode
00121018 760e369c ADVAPI32!CloseServiceHandleStub
0012101c 760db537 ADVAPI32!QueryServiceConfigWStub
00121020 760dca4c ADVAPI32!OpenServiceWStub
00121024 760dca64 ADVAPI32!OpenSCManagerWStub
00121028 00000000
0012102c 763d55de kernel32!FindNLSStringStub
00121030 763ba125 kernel32!GlobalAllocStub
00121034 763ba183 kernel32!GlobalUnlock
00121038 763ba235 kernel32!GlobalLock
0012103c 763bafc0 kernel32!GetTimeFormatW
00121040 763bb1a2 kernel32!GetDateFormatW
00121044 763baaef kernel32!GetLocalTimeStub
00121048 763b2b7b kernel32!GetUserDefaultUILanguageStub
0012104c 763bc3c0 kernel32!HeapFree
00121050 77a82dd6 ntdll!RtlAllocateHeap
00121054 763bfcdd kernel32!GetProcessHeapStub
00121058 763bbdad kernel32!GetFileInformationByHandleStub
0012105c 763bc452 kernel32!InterlockedExchangeStub
00121060 763b0368 kernel32!FreeLibraryAndExitThreadStub
00121064 763c4c14 kernel32!GetFileAttributesWStub
00121068 763ffd71 kernel32!Wow64RevertWow64FsRedirectionStub
... <snip> ...
001213e0 77a64168 ntdll!RtlInitUnicodeString
001213e4 77a760f8 ntdll!NtQueryLicenseValue
001213e8 77a504a5 ntdll!WinSqmAddToStream
001213ec 00000000
001213f0 74f91a15 VERSION!GetFileVersionInfoExW
001213f4 74f918e9 VERSION!GetFileVersionInfoSizeExW
001213f8 74f91b51 VERSION!VerQueryValueW
001213fc 00000000
00121400 90909090

The zero entries (00121028, 001213ec, 001213fc) are the null terminators that separate one DLL's block of slots from the next, and the final 90909090 at 00121400 is the one slot past the end of the table that the script's +4 reads.

Common commands for windbg: Common WinDBG Commands Reference - Willy's Cave - Site Home - MSDN Blogs
Tutorial: https://www.corelan.be/index.php/2011/12/01/roads-iat/

Crappy vbulletin.
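The windbg script above walks the PE headers by hand (e_lfanew at 0x3c, data directory entry 12 for the IAT), which also answers the original question of doing this from the command line without a debugger. The following is an added example, not code from the article or from Corelan: a dependency-free Python walker that locates the IAT directory in a PE32 or PE32+ file, lists every IAT slot with the DLL and symbol (or ordinal) it will be filled with, and prints the dps/dqs command with the exact L count for that module. The PE image it parses by default is constructed in memory (DLL names, the "ordinal 1" import and the layout are invented sample data) so it runs offline; pass a real file path to inspect that instead.

```python
"""Locate and list a PE file's Import Address Table (added example, not from the article)."""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_IMPORT = 1
IMAGE_DIRECTORY_ENTRY_IAT = 12


def nt_headers(data):
    """Return (offset of PE header, is_pe32plus) after checking the MZ/PE signatures."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # same as poi(base+0x3c)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    magic = struct.unpack_from("<H", data, e_lfanew + 0x18)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic %#x" % magic)
    return e_lfanew, magic == 0x20B


def data_directory(data, index):
    """(VirtualAddress, Size) of data directory entry `index`.

    The directory array starts 0x60 (PE32) or 0x70 (PE32+) bytes into the optional
    header; for index 12 that is the 0xd8 / 0xe8 offset the windbg script hard-codes.
    """
    nt, plus = nt_headers(data)
    base = nt + 0x18 + (0x70 if plus else 0x60)
    return struct.unpack_from("<II", data, base + 8 * index)


def rva_to_offset(data, rva):
    """Map an RVA to a file offset through the section table (headers map 1:1)."""
    nt, _ = nt_headers(data)
    nsec = struct.unpack_from("<H", data, nt + 6)[0]
    opt_size = struct.unpack_from("<H", data, nt + 0x14)[0]
    sec = nt + 0x18 + opt_size
    for i in range(nsec):
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, sec + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + raw
    return rva


def cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii")


def list_iat(data):
    """Walk the import directory; return [(iat_slot_rva, dll, symbol), ...] in IAT order."""
    _, plus = nt_headers(data)
    thunk_fmt, thunk_size = ("<Q", 8) if plus else ("<I", 4)
    ordinal_flag = 1 << (63 if plus else 31)
    imp_rva, _ = data_directory(data, IMAGE_DIRECTORY_ENTRY_IMPORT)
    desc = rva_to_offset(data, imp_rva)
    entries = []
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero descriptor
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and ft == 0:
            break
        dll = cstring(data, rva_to_offset(data, name_rva))
        # OriginalFirstThunk (the INT) keeps the names; FirstThunk (the IAT) holds the same
        # values on disk and is overwritten with addresses by the loader. Some linkers leave
        # OriginalFirstThunk at 0, so fall back to reading the names from the IAT itself.
        names = rva_to_offset(data, oft or ft)
        i = 0
        while True:
            thunk = struct.unpack_from(thunk_fmt, data, names + thunk_size * i)[0]
            if thunk == 0:  # null terminator between one DLL's slots and the next
                break
            if thunk & ordinal_flag:
                sym = "ordinal %d" % (thunk & 0xFFFF)
            else:  # IMAGE_IMPORT_BY_NAME: 2-byte Hint, then the NUL-terminated name
                sym = cstring(data, rva_to_offset(data, thunk & 0x7FFFFFFF) + 2)
            entries.append((ft + thunk_size * i, dll, sym))
            i += 1
        desc += 20
    return entries


def dps_command(data, module="notepad"):
    """windbg command that dumps exactly the IAT: L is a count of pointer-sized slots."""
    _, plus = nt_headers(data)
    rva, size = data_directory(data, IMAGE_DIRECTORY_ENTRY_IAT)
    return "%s %s+%x L%x" % ("dqs" if plus else "dps", module, rva, size // (8 if plus else 4))


def build_sample_pe():
    """Constructed minimal PE32 with one .idata section (invented sample input, not a real binary)."""
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    body = bytearray(sec_size)                     # offsets below are relative to sec_rva
    iat = struct.pack("<5I", sec_rva + 0xA0, sec_rva + 0xB2, 0,  # kernel32: VirtualProtect, VirtualAlloc
                      0x80000001, 0)                             # advapi32: ordinal 1 (invented)
    body[0x00:0x14] = iat                          # IAT (FirstThunk) at RVA 0x1000
    body[0x20:0x34] = iat                          # INT (OriginalFirstThunk) at RVA 0x1020
    body[0x40:0x54] = struct.pack("<5I", sec_rva + 0x20, 0, 0, sec_rva + 0x80, sec_rva + 0x00)
    body[0x54:0x68] = struct.pack("<5I", sec_rva + 0x2C, 0, 0, sec_rva + 0x90, sec_rva + 0x0C)
    body[0x80:0x8D] = b"kernel32.dll\0"
    body[0x90:0x9D] = b"advapi32.dll\0"
    body[0xA0:0xB1] = b"\0\0VirtualProtect\0"
    body[0xB2:0xC1] = b"\0\0VirtualAlloc\0"
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_IMPORT] = (sec_rva + 0x40, 3 * 20)
    dirs[IMAGE_DIRECTORY_ENTRY_IAT] = (sec_rva, len(iat))
    opt = bytearray(96)
    struct.pack_into("<H", opt, 0, 0x10B)          # Magic: PE32
    struct.pack_into("<I", opt, 28, 0x400000)      # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)            # NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    filehdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sechdr = struct.pack("<8sIIIIIIHHI", b".idata", sec_size, sec_rva, sec_size, sec_raw, 0, 0, 0, 0, 0xC0000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)          # e_lfanew
    hdr = bytes(dos) + b"PE\0\0" + filehdr + bytes(opt) + sechdr
    return hdr.ljust(sec_raw, b"\0") + bytes(body)


def main(argv):
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_pe()
    rva, size = data_directory(data, IMAGE_DIRECTORY_ENTRY_IAT)
    print("IAT directory: RVA %#x size %#x  ->  %s" % (rva, size, dps_command(data)))
    for slot, dll, sym in list_iat(data):
        print("%08x  %s!%s" % (slot, dll, sym))


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the constructed sample, or with a path (python iat.py notepad.exe) to list the real file; the slot RVAs it prints are what you add to the module base in the debugger, and the printed dps/dqs line covers exactly the table instead of over-reading into padding as the fixed l1000/8 range does.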