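This tool shows the list of libraries that are loaded when a given program is run on Windows,
and whether the ASLR and DEP flags are set for each of those libraries.
Originally I was going to add a gadget finder to it, like a tool someone else made, and use it when writing exploits in a Windows environment.
I have only ever analyzed MFC and never actually worked with it, so I built this with the API,
and since I was also unsure how to lay out the UI if I added more features, I just dropped it.
I'm posting it like this because, even while thinking about finishing it, I'm afraid I'll abandon it again.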
#include <Windows.h>
#include <stdio.h>
#include <string.h>
#include <TlHelp32.h>
#include <Psapi.h>
#include <time.h>
#include "resource.h"
#include <commctrl.h>
#pragma comment(lib, "psapi.lib")
#pragma comment(lib, "comctl32.lib")   // needed for InitCommonControls()
#define ID_LISTBOX 100

LRESULT CALLBACK WndProc(HWND,UINT,WPARAM,LPARAM);
DWORD checkTarget(char *modName, int iNumber);

HINSTANCE g_hInst;
HWND hList;                           // list view that shows one row per module
OPENFILENAME OFN;
const char* lpszClass="ASLR&DEP Viewer";
DWORD i;
LVCOLUMN COL;
LVITEM LI;
HMODULE hMod;
HMODULE hModules[1024] = {0};         // module handles of the launched process
HANDLE hProcess;
DWORD ProcArray[1024] = {0};
DWORD nBytes, NumProc, nPid, cbNeeded;
char szModName[MAX_PATH];
STARTUPINFO si;
PROCESS_INFORMATION pi;
char str[300];
char lpstrFile[MAX_PATH] = "";        // path chosen in the File > Open dialog

int APIENTRY WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpszCmdParam,int nCmdShow)
{
    HWND hWnd;
    MSG Message;
    WNDCLASS WndClass;
    g_hInst=hInstance;

    // Register the list view class before WM_CREATE creates the control.
    InitCommonControls();

    WndClass.cbClsExtra=0;
    WndClass.cbWndExtra=0;
    WndClass.hbrBackground=(HBRUSH)GetStockObject(WHITE_BRUSH);
    WndClass.hCursor=LoadCursor(NULL,IDC_ARROW);
    WndClass.hIcon=LoadIcon(NULL,IDI_APPLICATION);
    WndClass.hInstance=hInstance;
    WndClass.lpfnWndProc=WndProc;
    WndClass.lpszClassName=lpszClass;
    WndClass.lpszMenuName=MAKEINTRESOURCE(IDR_MENU1);
    WndClass.style=CS_HREDRAW | CS_VREDRAW;
    RegisterClass(&WndClass);

    hWnd=CreateWindow(lpszClass,lpszClass,WS_OVERLAPPEDWINDOW|WS_VSCROLL,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,CW_USEDEFAULT,NULL,(HMENU)NULL,hInstance,NULL);
    ShowWindow(hWnd,nCmdShow);

    while (GetMessage(&Message,NULL,0,0)) {
        TranslateMessage(&Message);
        DispatchMessage(&Message);
    }
    return (int)Message.wParam;
}
void SetListViewStyle(HWND hList, DWORD dwView)
{
    DWORD dwStyle;
    dwStyle=GetWindowLong(hList, GWL_STYLE);
    if ((dwStyle & LVS_TYPEMASK) != dwView) {
        SetWindowLong(hList, GWL_STYLE, (dwStyle & ~LVS_TYPEMASK) | dwView);
    }
}
LRESULT CALLBACK WndProc(HWND hWnd,UINT iMessage,WPARAM wParam,LPARAM lParam)
{
    switch (iMessage) {
    case WM_CREATE:
        // Report-style list view with three columns: module path, ASLR, DEP.
        hList=CreateWindow(WC_LISTVIEW,NULL,WS_VISIBLE|WS_CHILD|WS_BORDER|LVS_REPORT,10,10,600,300,hWnd,NULL,g_hInst,NULL);
        COL.mask = LVCF_FMT | LVCF_WIDTH | LVCF_TEXT | LVCF_SUBITEM;
        COL.fmt = LVCFMT_LEFT;
        COL.cx=150;
        COL.pszText=(LPSTR)"Name";
        COL.iSubItem=0;
        ListView_InsertColumn(hList,0,&COL);
        COL.pszText=(LPSTR)"ASLR";
        COL.iSubItem=1;
        ListView_InsertColumn(hList,1,&COL);
        COL.pszText=(LPSTR)"DEP";
        COL.iSubItem=2;
        ListView_InsertColumn(hList,2,&COL);
        return 0;
    case WM_COMMAND:
        switch(LOWORD(wParam))
        {
        case ID_FILE_OPEN1:
            memset(&OFN, 0, sizeof(OPENFILENAME));
            OFN.lStructSize = sizeof(OPENFILENAME);
            OFN.hwndOwner=hWnd;
            OFN.lpstrFilter="Exe file\0*.exe\0Dll file\0*.dll\0";
            OFN.lpstrFile=lpstrFile;
            OFN.nMaxFile=sizeof(lpstrFile);
            OFN.lpstrInitialDir="c:\\";
#if 1
            if (GetOpenFileName(&OFN)!=0) {
                //wsprintf(str,"You select %s .",OFN.lpstrFile);
                //MessageBox(hWnd,str,"Yeah",MB_OK);
            }
            else {
                MessageBox(hWnd, "You should select file.", "Error", MB_OK);
                return 0;
            }
#endif
            // Start from a clean STARTUPINFO/PROCESS_INFORMATION on every run.
            memset(&si, 0, sizeof(si));
            si.cb = sizeof(si);
            memset(&pi, 0, sizeof(pi));

            // The selected program is really executed. Pass the path as
            // lpApplicationName so that a path containing spaces is not
            // split and resolved as a command line.
            if( !CreateProcess( lpstrFile,
                NULL,
                NULL,
                NULL,
                FALSE,
                //CREATE_NO_WINDOW|CREATE_SUSPENDED,
                CREATE_NO_WINDOW,
                NULL,
                NULL,
                &si,
                &pi )
                )
            {
                MessageBox(hWnd, "CreateProcess failed.", "Error", MB_OK);
                return 0;   // pi is not valid, nothing to enumerate
            }
            hProcess = pi.hProcess;
            nPid = pi.dwProcessId;

            // Give the loader time to map the target's DLLs before enumerating.
            Sleep(1000);

            if(EnumProcessModules(hProcess, hModules, sizeof(hModules), &cbNeeded))
            {
                // cbNeeded can exceed the buffer when more than 1024 modules are loaded.
                if (cbNeeded > sizeof(hModules))
                    cbNeeded = sizeof(hModules);
                for (i=0; i < cbNeeded / sizeof(HMODULE); i++)
                {
                    // Index 0 is the executable itself; only its libraries are listed.
                    if (GetModuleFileNameEx(hProcess, hModules[i], szModName, sizeof(szModName)/sizeof(char))&&i!=0)
                    {
                        checkTarget(szModName, i);
                    }
                }
            }
            else
            {
                MessageBox(hWnd, "EnumProcessModule failed.", "Error", MB_OK);
            }

            // Release the handles returned by CreateProcess.
            CloseHandle(pi.hThread);
            CloseHandle(pi.hProcess);
            break;
        case ID_FILE_EXIT1:
            DestroyWindow(hWnd);
            break;
        }
        return 0;
    case WM_DESTROY:
        PostQuitMessage(0);
        return 0;
    }
    return(DefWindowProc(hWnd,iMessage,wParam,lParam));
}
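DWORD error(const char* message){
    MessageBox(NULL,message,"ERROR",MB_OK);
    return 1;
}

// Reads the PE headers of one module from disk and adds a row with its
// ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT) flags to the list view.
DWORD checkTarget(char *modName, int iNumber){
    BYTE headers[1000];
    DWORD read = 0;
    BOOL ok, aslr, dep;
    IMAGE_DOS_HEADER* idh;
    IMAGE_NT_HEADERS* inh;
    int row;

    (void)iNumber;  // the row index is taken from the list view itself

    HANDLE h = CreateFileA(modName,GENERIC_READ,FILE_SHARE_READ,0,OPEN_EXISTING,FILE_ATTRIBUTE_NORMAL,NULL);
    if(h==INVALID_HANDLE_VALUE)
        return error("Cannot open file.");

    // Only the headers are needed, so close the file as soon as they are read.
    ok = ReadFile(h,headers,sizeof(headers),&read,NULL);
    CloseHandle(h);

    if(!ok || read<sizeof(IMAGE_DOS_HEADER))
        return error("Invalid DOS header");
    idh = (IMAGE_DOS_HEADER*)headers;
    if(idh->e_magic!=IMAGE_DOS_SIGNATURE)
        return error("Invalid DOS header");

    // e_lfanew is a signed LONG taken from the file: reject negative or
    // out-of-range offsets before forming a pointer into the buffer.
    if(idh->e_lfanew < 0 || read < sizeof(IMAGE_NT_HEADERS) ||
       (DWORD)idh->e_lfanew > read - sizeof(IMAGE_NT_HEADERS))
        return error("Invalid NT header");
    inh = (IMAGE_NT_HEADERS*)(headers+idh->e_lfanew);
    if(inh->Signature!=IMAGE_NT_SIGNATURE)
        return error("Invalid NT header");

    aslr = inh->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE;
    dep = inh->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT;

    // Append at the end and use the index the control returns, so the
    // sub-item text always lands on the row that was just inserted.
    LI.mask = LVIF_TEXT;
    LI.state = 0;
    LI.stateMask = 0;
    LI.iSubItem=0;
    LI.iItem=ListView_GetItemCount(hList);
    LI.pszText = modName;
    row = ListView_InsertItem(hList, &LI);
    if (row < 0)
        return error("Cannot add list item.");

    if (aslr) {
        ListView_SetItemText(hList, row, 1, (LPSTR)"ASLR");
    }
    else {
        ListView_SetItemText(hList, row, 1, (LPSTR)"No ASLR");
    }
    if (dep) {
        ListView_SetItemText(hList, row, 2, (LPSTR)"DEP");
    }
    else {
        ListView_SetItemText(hList, row, 2, (LPSTR)"No DEP");
    }
    return 0;
}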
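
The header check that checkTarget performs, written as a portable, bounds-checked parser over a byte buffer. This is an added example, not part of the original post: it goes beyond the post by also reporting HIGH_ENTROPY_VA and by treating a DYNAMIC_BASE image whose relocations are stripped as not effectively randomized. The names pe_read_mitigations, pe_mitigations and make_sample are assumptions, and the sample header is constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RELOCS_STRIPPED 0x0001u /* FileHeader.Characteristics */
#define HIGH_ENTROPY_VA 0x0020u /* DllCharacteristics, PE32+ only */
#define DYNAMIC_BASE    0x0040u /* DllCharacteristics: ASLR opt-in */
#define NX_COMPAT       0x0100u /* DllCharacteristics: DEP opt-in */
typedef struct { int aslr_flag, aslr_effective, high_entropy, dep; } pe_mitigations;

static uint32_t rd(const uint8_t *p, int n) {            /* little-endian read */
    uint32_t v = 0;
    while (n--) v = (v << 8) | p[n];
    return v;
}
static void wr(uint8_t *p, uint32_t v, int n) { while (n--) p[n] = (uint8_t)(v >> (8 * n)); }

/* Returns 0 and fills *out, or -1 if buf is not a well-formed PE header. */
int pe_read_mitigations(const uint8_t *buf, size_t len, pe_mitigations *out) {
    if (len < 0x40 || rd(buf, 2) != 0x5A4D) return -1;              /* "MZ" */
    uint32_t pe = rd(buf + 0x3C, 4);  /* e_lfanew as unsigned: -8 becomes huge */
    /* The buffer must reach DllCharacteristics (offset 94) and hold "PE\0\0". */
    if (pe > len || len - pe < 96 || rd(buf + pe, 4) != 0x4550) return -1;
    uint32_t magic = rd(buf + pe + 24, 2);                  /* PE32 or PE32+ */
    if (rd(buf + pe + 20, 2) < 72 || (magic != 0x10B && magic != 0x20B)) return -1;
    uint32_t fchar = rd(buf + pe + 22, 2), dllc = rd(buf + pe + 94, 2);
    out->aslr_flag = (dllc & DYNAMIC_BASE) != 0;
    /* Audit heuristic: without relocations the loader cannot move the image. */
    out->aslr_effective = out->aslr_flag && !(fchar & RELOCS_STRIPPED);
    out->high_entropy = magic == 0x20B && (dllc & HIGH_ENTROPY_VA) != 0;
    out->dep = (dllc & NX_COMPAT) != 0;
    return 0;
}

/* Constructed sample: a 256-byte PE32+ header stub, not a real binary. */
size_t make_sample(uint8_t *b, uint32_t lfanew, uint32_t fchar, uint32_t dllc) {
    memset(b, 0, 256);
    wr(b, 0x5A4D, 2); wr(b + 0x3C, lfanew, 4);
    if (lfanew > 256 - 96) return 256;       /* malformed offset: stop here */
    wr(b + lfanew, 0x4550, 4); wr(b + lfanew + 20, 240, 2); /* sig, opt size */
    wr(b + lfanew + 22, fchar, 2); wr(b + lfanew + 24, 0x20B, 2); wr(b + lfanew + 94, dllc, 2);
    return 256;
}

int main(void) {
    uint8_t img[256]; pe_mitigations m;
    size_t n = make_sample(img, 0x80, RELOCS_STRIPPED, DYNAMIC_BASE | NX_COMPAT);
    if (pe_read_mitigations(img, n, &m) != 0) return 1;
    printf("ASLR flag=%d effective=%d DEP=%d\n", m.aslr_flag, m.aslr_effective, m.dep);
    return 0;
}
```

DllCharacteristics sits at the same offset in PE32 and PE32+ optional headers, which is why one offset serves both formats here.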