{"id":16,"date":"2010-08-17T14:39:00","date_gmt":"2010-08-17T14:39:00","guid":{"rendered":"http:\/\/oguzkartal.net\/blog\/?p=16"},"modified":"2021-10-31T16:05:13","modified_gmt":"2021-10-31T13:05:13","slug":"windows-7-ile-degisen-api-dinamik-ktphane-mimarisi","status":"publish","type":"post","link":"https:\/\/www.oguzkartal.net\/blog\/index.php\/2010\/08\/17\/windows-7-ile-degisen-api-dinamik-ktphane-mimarisi\/","title":{"rendered":"Windows 7 ile de\u011fi\u015fen API dinamik k\u00fct\u00fcphane mimarisi"},"content":{"rendered":"

Merhaba.<\/p>\n

Yine uzun bir aradan sonra bir ba\u015fka yaz\u0131 ile burday\u0131m. Bug\u00fcn de\u011finmek istedi\u011fim konu ba\u015fl\u0131ktan da anla\u015f\u0131labilece\u011fi \u00fczere Windows 7 (NT 6.1)\u2019de API sa\u011flayan dinamik k\u00fct\u00fcphanelerde yap\u0131lm\u0131\u015f de\u011fi\u015fiklik hakk\u0131nda.<\/p>\n

E\u011fer bir program yazd\u0131ysak ve bu program Windows API\u2019lar\u0131ndan herhangi birisini (Misal registry, file i\/o vs) kullanm\u0131\u015fsa bu i\u015fleri sizin program\u0131n\u0131za arac\u0131l\u0131k etmekle g\u00f6revli API Dinamik Ba\u011flan\u0131labilir K\u00fct\u00fcphane (DLL) dosyalar\u0131 linking a\u015famas\u0131nda program\u0131m\u0131za yerle\u015ftirilir. Bu DLL dosyalar\u0131 i\u00e7inde \u00e7a\u011f\u0131rd\u0131\u011f\u0131m\u0131z API\u2019y\u0131 ilk elden alarak gerekli \u00f6n i\u015flemlerini (Programc\u0131 taraf\u0131ndan ge\u00e7ilen verilerin do\u011frulu\u011fu veya hasars\u0131z oldu\u011fu gibi i\u015flemler olabilir) ge\u00e7erek ve e\u011fer \u00e7a\u011fr\u0131 Kernel mode alt\u0131nda \u00e7al\u0131\u015fmas\u0131 gereken bir \u015feyse kernel mode\u2019a ge\u00e7mesine arac\u0131l\u0131k ederler. Normalde bu i\u015fleri y\u00fcr\u00fcten kodlar bu DLL\u2019lerin i\u00e7erisinde statik olarak dururlar. Ancak Windows 7\u2019da bu b\u00f6yle de\u011fildir. Asl\u0131nda bu anlatacaklar\u0131m daha ziyade NT \u00e7ekirde\u011finin MinWin ad\u0131 verilen bir \u015fekle kayd\u0131r\u0131lmas\u0131. MinWin nedir diye soracak olursan\u0131z k\u0131saca NT \u00c7ekirde\u011finin \u00e7o\u011fu \u015feyden ar\u0131nd\u0131r\u0131l\u0131p k\u00fc\u00e7\u00fck ve h\u0131zl\u0131 bir kernel ortaya \u00e7\u0131karma fikrinin ad\u0131. Belki ilerde bununla alakal\u0131 bir\u015feyler de yazabilirim. Ama \u015fimdiki konumuz MinWin de\u011fil.<\/p>\n

Pek \u00e7o\u011fumuz herhangi bir Win32 API DLL\u2019ini incelerken \u015fu tarz bir \u015fey g\u00f6rm\u00fc\u015f olabilirsiniz.<\/p>\n

\"\"<\/a><\/p>\n

\u00d6rnek olarak inceledi\u011fimiz Task Manager (G\u00f6rev Y\u00f6neticisi) taskmgr.exe\u2019ye ba\u011flanm\u0131\u015f DLL\u2019leri g\u00f6r\u00fcyoruz. Misal bu uygulama advapi32.dll taraf\u0131ndan export edilmi\u015f bir ka\u00e7 API call yapm\u0131\u015f. Buraya kadar her\u015fey tamam. Ancak bakt\u0131\u011f\u0131m\u0131zda Advapi32.dll\u2019in de bir ka\u00e7 DLL\u2019den referans ald\u0131\u011f\u0131n\u0131 g\u00f6r\u00fcyoruz. Bu DLL isimlerine bakarsak belli bir prefix (\u00f6n ek) al\u0131p s\u0131n\u0131fland\u0131r\u0131lm\u0131\u015f. Peki bu DLL\u2019ler ne i\u015fe yar\u0131yor. Esas\u0131nda hi\u00e7bir i\u015fe yaram\u0131yorlar. Bu DLL\u2019ler s\u0131n\u0131flara ayr\u0131lm\u0131\u015f birer taslak. Yani mant\u0131ksal Dll dosyalar\u0131. API Fonksiyonlar\u0131n\u0131 i\u00e7eriyorlar ancak hi\u00e7bir\u015fey yapm\u0131yorlar.<\/p>\n

\u00d6rne\u011fin taskmgr.exe\u2019nin Advapi32.dll\u2019inde kulland\u0131\u011f\u0131 bir API\u2019\u0131 ele alal\u0131m.<\/p>\n

Bu API fonksiyonu OpenSCManagerW<\/strong> olsun. Bu fonksiyon belirtilen bir makineye ait servis y\u00f6netici veritaban\u0131 ile bir ba\u011flant\u0131 kurar. Bunu taskmgr.exe Advapi32.dll\u2019inden referans alm\u0131\u015ft\u0131.\u00a0 Se\u00e7ti\u011fimiz API fonksiyonu bir servis y\u00f6netici fonksiyonu oldu\u011fu i\u00e7in Service Management kategorisine ayr\u0131lm\u0131\u015f taslak DLL\u2019de bulunmal\u0131.<\/p>\n

\"\"<\/a><\/p>\n

G\u00f6rd\u00fc\u011f\u00fcn\u00fcz gibi API-MS-WIN-Service-Management-L1-1-0<\/span> taslak dll\u2019inde export edilmi\u015f. Peki taskmgr.exe b\u00fct\u00fcn bunlar\u0131 bilmeden sadece advapi32.dll\u2019ini ba\u011flam\u0131\u015f ve OpenSCManagerW<\/strong> API fonksiyonunu \u00e7a\u011f\u0131rm\u0131\u015ft\u0131. Peki bu \u00e7a\u011fr\u0131lan fonksiyon ne yap\u0131yor? Bu fonksiyon statik durumda iken bu referans ald\u0131\u011f\u0131 taslak dll\u2019deki ilgili fonksiyon implementasyonuna z\u0131pl\u0131yor.<\/p>\n

\"\"<\/a><\/p>\n

G\u00f6r\u00fcld\u00fc\u011f\u00fc gibi Advapi32.dll\u2019<\/span>deki<\/span> OpenSCManagerW<\/strong> API koduna bakarsak g\u00f6rd\u00fc\u011f\u00fcm\u00fcz taslak k\u0131sma z\u0131playan bir koddan ibaret. Peki taslak k\u0131s\u0131mda durum nas\u0131l.<\/p>\n

\"\"<\/a><\/p>\n

Taslak k\u0131sm\u0131ndaki API fonksiyonun yapt\u0131\u011f\u0131 \u015fey NULL d\u00f6ndermek. 3 adet parametre ald\u0131\u011f\u0131 i\u00e7in ret 0xc (12 byte) ile stack\u2019I dengeleyip NULL d\u00f6nderiyor. Bu fonksiyonun t\u00fcr\u00fcne g\u00f6re ufak farkl\u0131l\u0131k g\u00f6sterir ama pointer d\u00f6nderen fonksiyonlar i\u00e7in NULL, di\u011fer de\u011ferler i\u00e7in genel de 1 (TRUE) d\u00f6nderir.<\/p>\n

NT 6.1 Kernel bir k\u00fct\u00fcphane y\u00fcklenece\u011fi zaman prosese ait adres alan\u0131na bu statik kod yerine ger\u00e7ek fonksiyona ait koda dallanacak \u015fekilde dinamik olarak de\u011fi\u015ftirilir.<\/p>\n

Y\u00fckleyici k\u00fct\u00fcphaneleri y\u00fcklerken her zamanki gibi ntdll alt\u0131nda sa\u011flanm\u0131\u015f Loader fonksiyonlar\u0131n\u0131 \u00e7a\u011f\u0131r\u0131r. Windows 7 ile bu fonksiyonlara demin bahsetti\u011fimiz taslak dll\u2019leri \u00e7\u00f6zen rutinler eklenmi\u015f gerekli ise \u00e7\u00f6z\u00fcmlenerek e\u015flenmektedirler. \u00d6rne\u011fin bir k\u00fct\u00fcphane y\u00fcklemek istedi\u011fimiz (LoadLibraryEx<\/strong>) nas\u0131l bir i\u015flemden ge\u00e7mekedir?<\/p>\n

Y\u00fckleyici API fonksiyonunu \u00e7a\u011f\u0131rd\u0131\u011f\u0131m\u0131zda ilk elden i\u015flemi devralan ntdll fonksiyonu i\u015flemeye ba\u015flayacakt\u0131r.<\/p>\n

ntdll.dll<\/span>!_ApiSetResolveToHost<\/span>@20()\u00a0 + 0xf bytes
\nntdll.dll<\/span>!_LdrpApplyFileNameRedirection<\/span>@28()\u00a0 + 0x35 bytes
\nntdll.dll<\/span>!_LdrpLoadDll<\/span>@24()\u00a0 + 0xae bytes
\nntdll.dll<\/span>!_LdrLoadDll<\/span>@16()\u00a0 + 0x74 bytes
\nKernelBase.dll<\/span>!_LoadLibraryExW<\/span>@12()\u00a0 + 0x120 bytes<\/p>\n

Yukar\u0131da k\u00fct\u00fcphane y\u00fcklenmesi s\u0131ras\u0131nda bir callstack \u00e7\u0131kt\u0131s\u0131 g\u00f6r\u00fcyorsunuz. LdrpApplyFileNameRedirection<\/strong> ve sonraki k\u0131s\u0131m bahsetti\u011fimiz mekanizman\u0131n i\u015fletilmesi i\u00e7in gerekli rutinlerdir. LdrpApplyFileNameRedirection<\/strong> ile y\u00fcklenmek istenen Dll\u2019in taslak bir dll olup olmad\u0131\u011f\u0131 e\u011fer taslak bir dll ise o y\u00f6nde y\u00f6nlendirme yap\u0131lmas\u0131 i\u015flevlerini yapan ilk rutindir. Hemen sonras\u0131nda ise ger\u00e7ek anlamda bu kontrol ve \u00e7\u00f6z\u00fcmleme i\u015flemi ApiSetResolveToHost<\/strong> arac\u0131l\u0131\u011f\u0131 ile yap\u0131l\u0131yor.<\/p>\n

\"\"<\/a><\/p>\n

LdrpApplyFileNameRedirection<\/strong> fonksiyonun i\u00e7eri\u011fini g\u00f6rd\u00fc\u011f\u00fcm\u00fcz gibi esas kontrol rutini ApiSetResolveToHost<\/strong> \u00e7a\u011fr\u0131l\u0131yor. E\u011fer taslak bir k\u00fct\u00fcphane de\u011filse fonksiyondan \u00e7\u0131k\u0131l\u0131yor. Bir de ApiSetResolveToHost<\/strong> fonksiyonuna g\u00f6z atal\u0131m.<\/p>\n

\"\"<\/a><\/p>\n

ApiSetResolveToHost<\/strong> y\u00fcklenmek istenen k\u00fct\u00fcphane dosya ad\u0131n\u0131 kontrol ediyor. Yukarda bahsetmi\u015ftik taslak Dll dosyalar\u0131 API- \u015feklinde bir prefix\u2019e sahipti. Fonksiyon dosya ad\u0131n\u0131n ilk 4 k\u0131sm\u0131n\u0131n \u201cAPI-\u201c prefixi olup olmad\u0131\u011f\u0131n\u0131 kontrol ediyor. E\u011fer de\u011filse bu ba\u015ftan bir taslak dll’i olmad\u0131\u011f\u0131n\u0131 belirtiyor devam etmeye gerek yok ve \u00e7\u0131k\u0131yor. E\u011fer API prefix’i mevcutsa taslak dll ile ilgili \u00e7\u00f6z\u00fcmleme yapan kod blo\u011funa z\u0131playarak tam anlam\u0131 ile dosya ad\u0131n\u0131 par\u00e7alay\u0131p (parse) kategorilere ayr\u0131lm\u0131\u015f kar\u015f\u0131l\u0131klar\u0131 duran bir hashtable dan e\u015fleyerek ger\u00e7ek k\u00fct\u00fcphaneyi buluyor. E\u011fer zaten normal bir k\u00fct\u00fcphane dosyas\u0131 ise ba\u015far\u0131s\u0131z olarak d\u00f6n\u00fcp Y\u00fckleme i\u015flemine devam ediliyor. T\u00fcm bu kontrollerden sonra LdrpLoadDll<\/strong>, LdrpFindOrMapDll<\/strong> isimli fonksiyonu \u00e7a\u011f\u0131rarak ger\u00e7ek anlamda k\u00fct\u00fcphaneyi e\u015fleme i\u015flemini tamaml\u0131yor.<\/p>\n

ntdll.dll<\/span>!_LdrpFindOrMapDll<\/span>@24()\u00a0 + 0x56 bytes
\nntdll.dll<\/span>!_LdrpLoadDll<\/span>@24()\u00a0 + 0x145 bytes
\nntdll.dll<\/span>!_LdrLoadDll<\/span>@16()\u00a0 + 0x74 bytes
\nKernelBase.dll<\/span>!_LoadLibraryExW<\/span>@12()\u00a0 + 0x120 bytes<\/p>\n

Taslak kontrol sonras\u0131 e\u015fleme fonksiyonu \u00e7a\u011fr\u0131s\u0131 sonras\u0131 callstack g\u00f6r\u00fcn\u00fcm\u00fc. Bu i\u015flem ard\u0131ndan e\u011fer ge\u00e7erli bir k\u00fct\u00fcphane ise bu k\u00fct\u00fcphanenin mod\u00fcl tutama\u00e7 (module handle) bilgisi d\u00f6nderiliyor.<\/p>\n

Peki ya programlar bundan etkilenmiyor mu?<\/p>\n

Hay\u0131r. \u00c7\u00fcnk\u00fc geriye uyumluluk mevcut. G\u00f6rece eski bir uygulama Kernel32.dll \u2018den bir API kulland\u0131ysa yine yukardaki \u015fekilde kernel32.dll taraf\u0131ndan taslak DLL\u2019ler arac\u0131l\u0131\u011f\u0131 ile y\u00f6nlendirilmektedir. Bu sebeple \u00f6nceki versiyon Windows i\u015fletim sistemlerinde kulland\u0131\u011f\u0131n\u0131z programlar\u0131 s\u0131k\u0131nt\u0131 ya\u015famadan kullanabiliyorsunuz.<\/p>\n

\u015eimdilik benden bu kadar. \u0130yi g\u00fcnler.<\/p>\n","protected":false},"excerpt":{"rendered":"

Merhaba. Yine uzun bir aradan sonra bir ba\u015fka yaz\u0131 ile burday\u0131m. Bug\u00fcn de\u011finmek istedi\u011fim konu ba\u015fl\u0131ktan da anla\u015f\u0131labilece\u011fi \u00fczere Windows 7 (NT 6.1)\u2019de API sa\u011flayan dinamik k\u00fct\u00fcphanelerde yap\u0131lm\u0131\u015f de\u011fi\u015fiklik hakk\u0131nda. E\u011fer bir program yazd\u0131ysak ve bu program Windows API\u2019lar\u0131ndan herhangi birisini (Misal registry, file i\/o vs) kullanm\u0131\u015fsa bu i\u015fleri sizin program\u0131n\u0131za arac\u0131l\u0131k etmekle g\u00f6revli API…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"twitterCardType":"","cardImageID":0,"cardImage":"","cardTitle":"","cardDesc":"","cardImageAlt":"","cardPlayer":"","cardPlayerWidth":0,"cardPlayerHeight":0,"cardPlayerStream":"","cardPlayerCodec":"","footnotes":""},"categories":[34],"tags":[33,32,21,31,18,7],"class_list":["post-16","post","type-post","status-publish","format-standard","hentry","category-oses","tag-api","tag-dll","tag-kernel","tag-minwin","tag-nt","tag-windows-7"],"_links":{"self":[{"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/posts\/16","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/comments?post=16"}],"version-history":[{"count":5,"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/posts\/16\/revisions"}],"predecessor-version":[{"id":923,"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/posts\/16\/revisions\/923"}],"wp:attachment":[{"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/media?parent=16"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/categories?post=16"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oguzkartal.net\/blog\/index.php\/wp-json\/wp\/v2\/tags?post=16"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}