堆栈内存溢出
  简体   繁体   English

如何使用IDA Pro在DLL中找到静态链接的函数?

[英]How can I find a statically linked function in a DLL with IDA Pro?

 原文  2014-09-04 00:32:03       c++/ chromium/ dll-injection

问题描述

I'm currently trying to hook SSL write function of Chromium, but I have some difficulties to find where I should hook. 我目前正在尝试挂钩Chromium的SSL写入功能,但是我在寻找应该挂钩的地方遇到了一些困难。

Currently, I inject my DLL by using RtlCreateUserThread and allocating DLL path and making the target process loading it. 当前,我通过使用RtlCreateUserThread并分配DLL路径并使目标进程加载它来注入DLL。 Then, the DLL will load the targeted function by GetProcAddress and then the usually-you-know-overwritting-5-bytes-by-jmp-instruction. 然后,DLL将通过GetProcAddress加载目标函数,然后通过jmp指令通常会覆盖5字节。 I've succeed to do it with Firefox. 我已经成功地使用Firefox做到了。 But I have troubles with Chrome as he seems to use NSS/OpenSSL according to source code of Chromium (I see two impl of SSLSocket in the repo, but can't see which one is used with the binary). 但是我在Chrome上遇到了麻烦,因为他似乎根据Chromium的源代码使用NSS / OpenSSL(我在存储库中看到了两个SSLSocket的实现,但是看不到哪个与二进制文件一起使用)。

Thanks in advance. 提前致谢。

1 个解决方案

解决方案1
 1 已采纳  2014-09-18 04:44:58

sorry to be the bearer of bad news, but there really isn't a simple way to do this. 很抱歉成为坏消息的承担者,但是确实没有简单的方法来做到这一点。
The simplest way I've found to do this is to use the Chromium Symbol server, which is located at: 我发现最简单的方法是使用Chromium Symbol服务器,该服务器位于: 

http://chromium-browser-symsrv.commondatastorage.googleapis.com

The caveat is that the symbols seem to be missing for the release version of Chrome on 64 bit windows. 需要注意的是,在64位窗口上的Chrome发行版中似乎缺少这些符号。 At least I've had little luck getting them. 至少我运气不好。

In the general case you can follow some of the instructions below to get a good collection of symbols pre-loaded into your local cache. 在一般情况下,您可以按照以下一些说明操作,以获取大量预加载到本地缓存中的符号集合。

In order to use the symbol server functionality with IDA pro, you have to do a few things. 为了在IDA pro中使用符号服务器功能,您必须做一些事情。

First, you have to install the Windows Debugging tools. 首先,您必须安装Windows调试工具。 (The Windows 8.1 DDK is a good bet for these and is freely available from MicroSoft.) It includes the DLL that allows simple communication with the symbol servers. (Windows 8.1 DDK是这些产品的不错选择,可从MicroSoft免费获得。)它包括DLL,该DLL允许与符号服务器进行简单的通信。

Second, you need to add a global system environment variable as below: _NT_SYMBOL_PATH=srv*c:\\pdb_cache*msdl.microsoft.com/download/symbols;srv*c:\\pdb_cache* http://chromium-browser-symsrv.commondatastorage.googleapis.com 其次,您需要添加如下的全局系统环境变量:_NT_SYMBOL_PATH = srv * c:\\ pdb_cache * msdl.microsoft.com / download / symbols; srv * c:\\ pdb_cache * http:// chromium-browser-symsrv。 commondatastorage.googleapis.com

What this does is setup a symbol path and associated local cache for the storage of symbols. 这是为符号存储设置符号路径和关联的本地缓存。

Third, you can use the following command line to use a tool that ships with the WDK 8.1 and pulls the symbols: 第三,您可以使用以下命令行来使用WDK 8.1附带的工具并提取符号: 

"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)\Google" /s symsrv*C:\pdb_cache\*http://chromium-browser-symsrv.commondatastorage.googleapis.com/

The above should force the symbols to load into the local symbol cache and you can select them (IDA may to this automatically, or it may not). 上面的代码应强制将符号加载到本地符号缓存中,并且您可以选择它们(IDA可能会自动选择,也可能不会)。 If it doesn't you can manually select the symbol file once WinDbg/symchk downloads it. 如果不是这样,一旦WinDbg / symchk下载了符号文件,便可以手动选择它。

At least that's the theory according to: http://www.chromium.org/developers/how-tos/debugging 至少根据以下理论是这样的: http : //www.chromium.org/developers/how-tos/debugging

I've had no luck getting the symbols to download correctly on the release version of Chromium. 我没有运气让符号在Chromium的发行版本上正确下载。 However, if you go to the http://chromium-browser-symsrv.commondatastorage.googleapis.com/ link, and examine the contents of the returned XML, you will note the "Truncated" flag is set. 但是,如果转到http://chromium-browser-symsrv.commondatastorage.googleapis.com/链接,并检查返回的XML的内容,则会注意到已设置“截断”标志。 You can use the filter expression (it's an Amazon S3 Bucket). 您可以使用过滤器表达式(这是一个Amazon S3存储桶)。 Digging around, there's even another symbol server at: http://chromium-browser-symbols.commondatastorage.googleapis.com/ It's quite old by the look of things, though. 到处挖掘,甚至还有另一个符号服务器: http : //chromium-browser-symbols.commondatastorage.googleapis.com/从外观上看,它已经很旧了。

I'll leave you with a script to pull all the symbols from my list of known symbol servers. 我将为您提供一个脚本,从我的已知符号服务器列表中提取所有符号。 It's useful to pre-load against anything on the system that you might need to debug. 预加载可能需要调试的系统上的任何内容,这很有用。 :-). :-)。 I've also noticed that no symbols download for the SysWOW64 subsystem on Window 7 x64. 我还注意到,在Windows 7 x64上没有为SysWOW64子系统下载任何符号。 If anyone else has any information about additional public symbol servers it would be welcome :-). 如果其他人有关于其他公共符号服务器的任何信息,将非常欢迎:-)。 

"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Program Files (x86)" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols


"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Program Files" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols


"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x86\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols


"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://msdl.microsoft.com/download/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://symbols.mozilla.org/firefox
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://ctxsym.citrix.com/symbols
"c:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64\symchk" /r "C:\Windows" /s symsrv*c:\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols

StackOverflow won't let me use the http links, so just replace hxtp in your text editor with http and you're in business. StackOverflow不允许我使用http链接,因此只需将文本编辑器中的hxtp替换为http,就可以了。

You can also use this string to set the path in your environment, if you like. 如果愿意,还可以使用此字符串设置环境中的路径。 Hope this helps, mate! 希望这会有所帮助,队友!

Set _NT_SYMBOL_PATH=symsrv*c:\\symbols*hxtp://msdl.microsoft.com/download/symbols;symsrv*c:\\symbols*hxtp://symbols.mozilla.org/firefox;symsrv*c:\\symbols*hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com;symsrv*c:\\symbols*hxtp://ctxsym.citrix.com/symbols;symsrv*c:\\symbols*hxtp://developer.apple.com/internet/safari/windows_symbols 设置_NT_SYMBOL_PATH = symsrv * c:\\ symbols * hxtp://msdl.microsoft.com/download/symbols; symsrv * c:\\ symbols * hxtp://symbols.mozilla.org/firefox; symsrv * c:\\ symbols * hxtp://chromium-browser-symsrv.commondatastorage.googleapis.com; symsrv * C:\\ *符号hxtp://ctxsym.citrix.com/symbols; symsrv * C:\\ *符号hxtp://developer.apple。 COM /互联网/狩猎/ windows_symbols

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 我可以加载与库静态链接的dll吗 - can I load a dll which is statically linked with a library 如何指定库X必须静态链接? - How can I specify that library X must be linked statically? 如何解释 IDA Pro 生成的这些代码? - How do I interpret these codes generated by IDA Pro? 静态链接的可执行文件需要 dll - Statically linked executable requires dll 如何静态链接到序数导出的DLL函数? - How to statically link to a DLL function that is exported by an ordinal? 挂钩ida Pro的用户调用功能 - Hooking a usercall function from ida pro 如何将库静态链接到DLL? - How do I statically link a library into a DLL? How to export a function of a regular MFC DLL that is statically linked to MFC to use with a non MFC Win32 Console App in C++ - How to export a function of a regular MFC DLL that is statically linked to MFC to use with a non MFC Win32 Console App in C++ IDA Pro,QT Nokia Library,dll调用,它实际上在做什么? - IDA Pro, QT Nokia Library, dll call, what is it actually doing? 如何静态链接.DLL? - How to link a .DLL statically?
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM