我的书签
添加书签
移除书签Calling Windows APIs
Due playing with MS-Windows Exploitation development, I was using some C applications that calling Windows APIs and I wanted to give it a try and take it step by step.
The simplest example came to my mind is calling the MessageBoxA function. If we take a look at the MSDN of MessageBoxA function, we’ll find at very beginning the function description and its arguments and returns. At the Requirements section, we’ll find the required DLL to call MessageBoxA function which is User32.dll library.
int WINAPI MessageBox(_In_opt_ HWND hWnd,_In_opt_ LPCTSTR lpText,_In_opt_ LPCTSTR lpCaption,_In_ UINT uType);
Let’s do it,
require "Win32API"title = "Rubyfu!"message = "You've called the Windows API Successfully! \n\n@Runyfu"api = Win32API.new('user32', 'MessageBoxA',['L', 'P', 'P', 'L'],'I')api.call(0,message,title,0)
That’s was really easy! but, Win32API is going to be deprecated or it’s already deprecated at the moment you read this part. Ruby have moved all dealing with C, dll functions to Fiddle class which is a wrapper of libffi C library which provides a portable interface to allow languages to call code from another language.
If we build our MessageBoxA script again using Fiddle it will be like
# Load importer part of fiddle (ffi) libraryrequire 'fiddle/import'# int WINAPI MessageBox(# _In_opt_ HWND hWnd,# _In_opt_ LPCTSTR lpText,# _In_opt_ LPCTSTR lpCaption,# _In_ UINT uType# );# Create module as body for an importer instancemodule User32# Extend this module to an importerextend Fiddle::Importer# Load 'user32' dynamic library into this importerdlload 'user32'# Set C aliases to this importer for further understanding of function signaturestypealias 'HWND', 'HANDLE'typealias 'LPCSTR', 'const char*'typealias 'LPCWSTR', 'const wchar_t*'typealias 'UINT', 'unsigned int'typealias 'HANDLE', 'void*'# Import C functions from loaded libraries and set them as module functionsextern 'int MessageBoxA(HWND, LPCSTR, LPCSTR, UINT)'endtitle = "Rubyfu!"message = "You've called the Windows API Successfully! \n\n@Runyfu"User32::MessageBoxA(nil, message, title, 0)
As you can the script is getting much bigger but, important thing to mention is, Using Win32API is going to be a real pain for bigger or more complicated tasks, in another hand Fiddle is more elegant and readable than Win32API
At that point, I was wondering if I can write something like an old frind application call arwin which finds a Function location in a Windows library. With the help of MSDN LoadLibrary and GetProcAddress documentations let’s do it.
arwin.rb
require 'fiddle/import'## KING SABRI | @KINGSABRI#if ARGV.size == 2lpfilename = ARGV[0] # Library Namelpprocname = ARGV[1] # Function Nameelseputs "ruby arwin.rb <Library Name> <Function Name>"puts "example:\n arwin.rb user32.dll MessageBoxA"exit 0endmodule Kernel32# Extend this module to an importerextend Fiddle::Importer# Load 'user32' dynamic library into this importerdlload 'kernel32'# HMODULE WINAPI LoadLibrary(# _In_ LPCTSTR lpFileName# );typealias 'lpfilename', 'char*'extern 'unsigned char* LoadLibrary(lpfilename)'# FARPROC WINAPI GetProcAddress(# _In_ HMODULE hModule,# _In_ LPCSTR lpProcName# );typealias 'lpfilename', 'char*'typealias 'lpprocname', 'char*'extern 'unsigned char* GetProcAddress(lpfilename, lpprocname)'endaddress = Kernel32::GetProcAddress(Kernel32::LoadLibrary(lpfilename), lpprocname).inspect.scan(/0x[\h]+/i)[1]unless address.hex.zero?puts "\n[+] #{lpprocname} is location at #{address} in #{lpfilename}\n"elseputs "[!] Could find #{lpprocname} in #{lpfilename}!"puts "[-] Function's name is case sensitive"end
Results
[+] MessageBoxA is location at 0x77d8050b in user32.dll
