You're reading from Windows APT Warfare Identify and prevent Windows APT attacks effectively

Product type Paperback

Published in Mar 2023

Publisher Packt

ISBN-13 9781804618110

Length 258 pages

Edition 1st Edition

Languages

C++

Tools

MiniGW

Concepts

Cybersecurity

Author (1):

Sheng-Hao Ma

View More author details

Table of Contents (17) Chapters

Preface

1. Part 1 – Modern Windows Compiler

2. Chapter 1: From Source to Binaries – The Journey of a C Program FREE CHAPTER

3. Chapter 2: Process Memory – File Mapping, PE Parser, tinyLinker, and Hollowing

4. Chapter 3: Dynamic API Calling – Thread, Process, and Environment Information

5. Part 2 – Windows Process Internals

6. Chapter 4: Shellcode Technique – Exported Function Parsing

7. Chapter 5: Application Loader Design

8. Chapter 6: PE Module Relocation

9. Part 3 – Abuse System Design and Red Team Tips

10. Chapter 7: PE to Shellcode – Transforming PE Files into Shellcode

11. Chapter 8: Software Packer Design

12. Chapter 9: Digital Signature – Authenticode Verification

13. Chapter 10: Reversing User Account Control and Bypassing Tricks

14. Index

Why subscribe?

15. Other Books You May Enjoy

Appendix – NTFS, Paths, and Symbols

Win32 and NT path specification

Windows linker – packing binary data into PE format

In the previous section, we assumed some memory distribution during the program's compilation. For example, the default EXE module image base should be at 0x400000 so that executable content should be placed. The .text section should be placed at 0x401000 above its image base. As we said, the .idata section is used to store the import address table, so the question is who or what is responsible for filling the import address table?

The answer is that every OS has an application loader, which is designed to fill all these tasks correctly when creating a process from a static program. However, there is a lot of information that will only be known at the compiling time and not by the system developer, such as the following:

Does the program want to enable Address Space Layout Randomization (ASLR) or Data Execution Prevention (DEP)?
Where is the main(int, char) function in the .text section written by the developer?
How much of the total memory is used by the execution module during the dynamic phase?

Microsoft has therefore introduced the PE format, which is essentially an extension to the COFF file, with an additional optional header structure to record the information required by the Windows program loader to correct the process. The following chapters will focus on playing with the various structures of the PE format so that you can write an executable file by hand on a whiteboard.

All you need to know now is that a PE executable has some key features:

Code content: Usually stored as machine code in the .text section
Import address tables: To allow the loader to fill in the function addresses and enable the program to get them correctly
Optional header: This structure allows the loader to read and know how to correct the current dynamic module

Here is an example in Figure 1.5:

Figure 1.5 – Minimalist architecture of the program

msgbox.exe is a minimalist Windows program with only three sections: .text, .rdata, and .idata. After dynamic execution, the system application loader sequentially extracts the content of the three sections and writes them each to the offset of 0x1000, 0x2000, and 0x3000 relative to the current PE module (msgbox.exe).

In this section, we learned that the application loader is responsible for correcting and filling the program content to create a static program file into a process.

You're reading from Windows APT Warfare Identify and prevent Windows APT attacks effectively

Table of Contents (17) Chapters

Windows linker – packing binary data into PE format

Authors (1)

Personalised recommendations for you