前面兩篇文章分別介紹了sqlite數據庫句柄和sqlite3_exec函數調用來查找數據庫內容。通過這種方式來查詢,需要一直hook目標軟件。如果目標軟件有檢測程序,就有可能被檢測到。本文分享另一種讀取數據庫內容的辦法:在線備份!
db文件存儲的數據,本質上都是二進制的。db文件由於被加密,在磁盤上的那個文件必須先解密,所以要先找到密鑰,這是個麻煩事!通過前面的分享可以看出:執行sqlite3_exec時其實db文件已經解密,所以才能查出來明文!這時的數據庫已經存在於內存,sqlite官方提供了備份數據庫的整套API(注意:完整的備份功能需要好幾個API,不止一個,這也為后續我們自己寫代碼備份帶來了很多麻煩事!),鏈接在這里: https://www.sqlite.org/backup.html ,根據官網的接口,自己寫一個備份的demo,先在自己本機試試看行不行!,如下:
#include <stdio.h> #include "sqlite3.h" int backupDb( sqlite3* pDb, /* Database to back up */ const char* zFilename, /* Name of file to back up to */ void(*xProgress)(int, int) /* Progress function to invoke */ ); void XProgress(int a, int b); int main() { printf("Hello World!\n"); sqlite3* db = NULL; int result = sqlite3_open("testDB.db", &db); const char* zFilename = "testDB_back.db"; backupDb(db, zFilename, XProgress); sqlite3_close(db); } int backupDb( sqlite3* pDb, /* Database to back up */ const char* zFilename, /* Name of file to back up to */ void(*xProgress)(int, int) /* Progress function to invoke */ ) { int rc; /* Function return code */ sqlite3* pFile; /* Database connection opened on zFilename */ sqlite3_backup* pBackup; /* Backup handle used to copy data */ /* Open the database file identified by zFilename. */ rc = sqlite3_open(zFilename, &pFile); if (rc == SQLITE_OK) { /* Open the sqlite3_backup object used to accomplish the transfer */ pBackup = sqlite3_backup_init(pFile, "main", pDb, "main"); if (pBackup) { /* Each iteration of this loop copies 5 database pages from database ** pDb to the backup database. If the return value of backup_step() ** indicates that there are still further pages to copy, sleep for ** 250 ms before repeating. */ do { rc = sqlite3_backup_step(pBackup, 5); xProgress( sqlite3_backup_remaining(pBackup), sqlite3_backup_pagecount(pBackup) ); if (rc == SQLITE_OK || rc == SQLITE_BUSY || rc == SQLITE_LOCKED) { sqlite3_sleep(250); } } while (rc == SQLITE_OK || rc == SQLITE_BUSY || rc == SQLITE_LOCKED); /* Release resources allocated by backup_init(). */ (void)sqlite3_backup_finish(pBackup); } rc = sqlite3_errcode(pFile); } /* Close the database connection opened on database file zFilename ** and return the result of this function. */ (void)sqlite3_close(pFile); return rc; } void XProgress(int a, int b) { printf("%d,%d\n",a,b); }
確實生成了db文件:用navicat也能順利查到表和數據,說明備份是成功的!先在新的問題來了:怎么才能在線備份xxxx的db文件了? 從內存備份完整的db文件后,也能用這些專業的軟件在本地輕松打開了!
上兩篇文章分析了通過openDataBase找到db句柄,在那里hook的話可以順利得到數據庫句柄。但是從上面的備份代碼看,還涉及到很多sqlite3開頭API的調用,這就麻煩了:
- 因為在目標進程空間執行,需要這些API在目標進程的地址,而不是上面那么備份demo進程的地址,這就要像上次找sqlite3_exec函數的入口地址一樣從新開始查找了,真麻煩!
- 原xxxx軟件大概率是沒用到備份功能的,所以這些備份的代碼應該是沒有的。如果要備份,這些備份的代碼都要自己在dll里面添加進去,里面涉及到sqlite3的API函數都要挨個從目標dll里面找到!
因為IDA分析PE文件時會增加引用、F5反編譯等功能,相對OD這種動態調試工具會方便一些,所以這里用IDA靜態查找這些關鍵函數的偏移位置;先用IDA打開關鍵的dll(這個dll放了很多函數,打開非常慢):dll原本只有27M,經過IDA分析,添加了好多查找功能,最后膨脹到650M了!
下面是需要挨個找的關鍵函數:
DWORD address_sqlite3_open = wxBaseAddress + ; DWORD address_sqlite3_backup_init = wxBaseAddress + ; DWORD address_sqlite3_backup_step = wxBaseAddress + ; DWORD address_sqlite3_sleep = wxBaseAddress + ; DWORD address_sqlite3_backup_finish = wxBaseAddress + ; DWORD address_sqlite3_close = wxBaseAddress + ; DWORD address_sqlite3_backup_remaining = wxBaseAddress + ; DWORD address_sqlite3_backup_pagecount = wxBaseAddress + ; DWORD address_sqlite3_errcode = wxBaseAddress + ;
- 先看第一個sqlite3_open: 前面已經找到了openDataBase的偏移,這里先根據偏移定位到openDataBase調用的地方,然后選擇jmp to xref,如下:
這里能看到所有的引用,根據sqlite3_open的源碼,其實就是簡單粗暴直接調用了openDataBase,所以第4、5兩個引用最像(距離最近嘛,偏移只有D和F);先看看這個,和sqlite3.c中的源碼極其類似,應該就是它了,先把函數改名標記一下,同時記住其偏移:0xA895B0
同理可以標記出另一個sqlite3_open_v2函數(其實就是緊接着上面這個函數,C語言里面是挨着的,編譯器大概率也會挨着翻譯成機器碼,shellcode也是根據這個原理生成的!后續也會根據這個原理查找其他關鍵的sqlite3函數),這里不再贅述;
- 接着看第二個sqlite3_backup_init函數:先在sqlite3.c源文件中找到這個函數 找到了一個比較明顯的特征:字符串:source and destination must be distinct
立馬在IDA中查找這個字符串:還真找到了!
跳轉到引用這里:
和源碼一比對,參數是能符合的,應該就是了:call sub_10A083F0應該就是sqlite3ErrorWithMsg了,這里先標記一下;
sqlite3ErrorWithMsg( pDestDb, SQLITE_ERROR, "source and destination must be distinct" );
往上溯源,找到函數入口,把函數名改成sqlite3_backup_init即可,記下這里的偏移:0xA26980
- 接着找sqlite3_backup_step函數
從sqlite3.c通讀額整個函數,沒有找到任何字符串,看來直接用字符串定位是不行的,只能換個思路:要么通過其他函數找(比如這個函數調用了很多其他函數,如果我們先找到了其他函數,就能根據調用關系、順藤摸瓜找到這個函數了),要么通過機器碼定位!;這里我們先用機器碼試試。由於是開源的,我們在自己本地先在sqlite3_backup_step函數入口下個斷點,再運行,然后轉到反匯編,提取一些機器碼,比如下面這個:先用前面6個byte的機器碼試試;
#ifdef SQLITE_ENABLE_API_ARMOR if( p==0 ) return SQLITE_MISUSE_BKPT; #endif sqlite3_mutex_enter(p->pSrcDb->mutex); 010603C0 8B 45 08 mov eax,dword ptr [p] 010603C3 8B 48 14 mov ecx,dword ptr [eax+14h] 010603C6 8B 51 0C mov edx,dword ptr [ecx+0Ch] 010603C9 52 push edx 010603CA E8 C8 40 FF FF call _sqlite3_mutex_enter (01054497h) 010603CF 83 C4 04 add esp,4
在IDA中菜單中選擇search->sequence of byte, 輸入8B 45 08 8B 48 14,找到了這3個地方:
和C的源碼比對,明顯不是,放棄;這里暫時沒有更好的思路了,暫時放棄,先找其他的函數;
- sqlite3_backup_finish:這里面也沒找到字符串,還是根據特征碼查找。同樣先在本地的工程下斷點,然后調試;由於沒有字符串,特征碼也沒有匹配上(可能是xxxx用的sqlite版本和我本地的不一樣,也有可能是編譯器翻譯成機器碼不一樣,總之是沒匹配上),和剛才那個一樣,暫時方式,繼續找其他函數;
- sqlite3_sleep: 既然是sleep,肯定涉及到時間的計算;從源碼看,有幾行比較明顯,比如下面的這行:有乘法,先轉換成毫秒,再除以1000,所以先根據69 45 08 E8 03 00 00 這一串特征碼在IDA中查找:
rc = (sqlite3OsSleep(pVfs, 1000*ms)/1000); 0105C66F 69 45 08 E8 03 00 00 imul eax,dword ptr [ms],3E8h 0105C676 50 push eax 0105C677 8B 4D F8 mov ecx,dword ptr [pVfs] 0105C67A 51 push ecx 0105C67B E8 D0 94 07 00 call sqlite3OsSleep (010D5B50h) 0105C680 83 C4 08 add esp,8
還真找到了:和本地匯編代碼比雖說不完全一樣,但邏輯結果是一樣的;再結合前面的代碼對比,就是這里了!記住函數入口的偏移:0xA89C80
- sqlite3_errcode:從源碼看,函數比較簡單,沒有字符串,但是調用了sqlite3SafetyCheckSickOrOk這個函數;
SQLITE_API int sqlite3_errcode(sqlite3 *db){ if( db && !sqlite3SafetyCheckSickOrOk(db) ){ return SQLITE_MISUSE_BKPT; } if( !db || db->mallocFailed ){ return SQLITE_NOMEM_BKPT; } return db->errCode & db->errMask; }
繼續進入sqlite3SafetyCheckSickOrOk函數,發現有invalid字符串了,但是比較短,感覺不夠;繼續進入logBadConnection函數:
SQLITE_PRIVATE int sqlite3SafetyCheckSickOrOk(sqlite3 *db){ u32 magic; magic = db->magic; if( magic!=SQLITE_MAGIC_SICK && magic!=SQLITE_MAGIC_OPEN && magic!=SQLITE_MAGIC_BUSY ){ testcase( sqlite3GlobalConfig.xLog!=0 ); logBadConnection("invalid"); return 0; }else{ return 1; } }
這次就有明顯的字符串了:API call with %s database connection pointer
static void logBadConnection(const char *zType){ sqlite3_log(SQLITE_MISUSE, "API call with %s database connection pointer", zType ); }
放入IDA搜查,一路跟蹤到這里:從參數來看,實錘就是這里了;
先把函數名改了,再往上層層追溯,再和源代碼比對,發現基址在這:0xA885D0;
- sqlite3_close:從C源碼看,是直接調用了sqlite3Close,遂進入sqlite3Close函數,發現了一個字符串:unable to close due to unfinalized;如法炮制,繼續用這個字符串在IDA里面找: 從參數和函數調用來看,確實是這里,實錘了!
往上找到函數入口,函數名改為sqlite3Close;這個函數又被調用了好多次,只有標紅的這兩個最接近入口,和在C源碼看到的接近,先看看這兩個函數:
第一個:從對比來看應該就是sqlite3_close了,在IDA中標記,並記錄下偏移: 0xA871F0;IDA中緊接這下面就是sqlite3_close_v2,也順便標記下!
至此,還有sqlite3_backup_step、sqlite3_backup_finish、sqlite3_backup_remaining、sqlite3_backup_pagecount 4個函數沒找到,原因都一樣:(1)沒有字符串 (2)特征碼沒匹配上(可能是xxxx用的sqlite版本和我本地做demo的sqlite不一樣,也有可能是編譯器翻譯成機器碼不一樣);這該怎么辦了?繼續從C源碼入手,找打了一個新的突破口:
sqlite3_backup_init已經找到了,剩下這4個函數互相挨着的,sqlite3_backup_step在最前面,sqlite3_backup_pagecount在最后面;sqlite3_backup_init和sqlite3_backup_step之間只間隔了4個函數;前面說過了:編譯器會按照順利編譯(可以利用此特性生成shellcode),也就是說這sqlite3_backup_init后面第5個函數很有可能就是sqlite3_backup_step,然后緊接着就是sqlite3_backup_finish、sqlite3_backup_remaining、sqlite3_backup_pagecount;在只讀的數據段找到sqlite3_backup_init,如下:
我們順着先看前兩個函數: 這兩個函數代碼幾乎是一樣的,不同的僅僅是返回值,分別是[eax+20h]和[eax+24h];沒有其他任何代碼了,看起來和sqlite3_backup_remaining、sqlite3_backup_pagecount很像,那么這兩個是不是了? 就需要進一步驗證參數了!
參數類型如下:非常湊巧的是nRemaining偏移在0x20處,nPagecount偏移在0x24h處,那么這里實錘了這兩個就是sqlite3_backup_remaining、sqlite3_backup_pagecount;偏移分別是0xA275C0、0xA275D0;
struct sqlite3_backup { sqlite3* pDestDb; /* Destination database handle */ Btree *pDest; /* Destination b-tree file */ u32 iDestSchema; /* Original schema cookie in destination */ int bDestLocked; /* True once a write-transaction is open on pDest */ Pgno iNext; /* Page number of the next source page to copy */ sqlite3* pSrcDb; /* Source database handle */ Btree *pSrc; /* Source b-tree file */ int rc; /* Backup process error code */ /* These two variables are set by every call to backup_step(). They are ** read by calls to backup_remaining() and backup_pagecount(). */ Pgno nRemaining; /* Number of pages left to copy */ Pgno nPagecount; /* Total number of pages to copy */ int isAttached; /* True once backup has been registered with pager */ sqlite3_backup *pNext; /* Next backup associated with source pager */ };
先在只剩sqlite3_backup_step、sqlite3_backup_finish這兩個函數沒找到了;既然這個函數自身沒有字符串,特征碼也不對,那我們先在源碼看看這些函數都在哪些地方被引用了,說不定能從這些引用的函數找到突破口了!很明顯紅框那個才是引用,其他的都是申明或我們自己的代碼;
進入引用,發現一個有趣的現象: 我們還缺的sqlite3_backup_step、sqlite3_backup_finish居然在同一個函數被調用了,這個函數就是sqlite3BtreeCopyFile;也就是說只要找到sqlite3BtreeCopyFile,就找到了我們想要的函數;
/* 0x7FFFFFFF is the hard limit for the number of pages in a database ** file. By passing this as the number of pages to copy to ** sqlite3_backup_step(), we can guarantee that the copy finishes ** within a single call (unless an error occurs). The assert() statement ** checks this assumption - (p->rc) should be set to either SQLITE_DONE ** or an error code. */ sqlite3_backup_step(&b, 0x7FFFFFFF); assert( b.rc!=SQLITE_OK ); rc = sqlite3_backup_finish(&b); if( rc==SQLITE_OK ){ pTo->pBt->btsFlags &= ~BTS_PAGESIZE_FIXED; }else{ sqlite3PagerClearCache(sqlite3BtreePager(b.pDest)); }
繼續查找sqlite3BtreeCopyFile的引用:發現在sqlite3RunVacuum函數內,更讓人驚喜的是,這個函數內部有大量的sql查詢語句:
rc = execSqlF(db, pzErrMsg, "SELECT sql FROM \"%w\".sqlite_master" " WHERE type='index' AND length(sql)>10", zDbMain ); if( rc!=SQLITE_OK ) goto end_of_vacuum; db->init.iDb = 0; /* Loop through the tables in the main database. For each, do ** an "INSERT INTO vacuum_db.xxx SELECT * FROM main.xxx;" to copy ** the contents to the temporary database. */ rc = execSqlF(db, pzErrMsg, "SELECT'INSERT INTO vacuum_db.'||quote(name)" "||' SELECT*FROM\"%w\".'||quote(name)" "FROM vacuum_db.sqlite_master " "WHERE type='table'AND coalesce(rootpage,1)>0", zDbMain ); assert( (db->flags & SQLITE_Vacuum)!=0 ); db->flags &= ~SQLITE_Vacuum; if( rc!=SQLITE_OK ) goto end_of_vacuum; /* Copy the triggers, views, and virtual tables from the main database ** over to the temporary database. None of these objects has any ** associated storage, so all we have to do is copy their entries ** from the SQLITE_MASTER table. */ rc = execSqlF(db, pzErrMsg, "INSERT INTO vacuum_db.sqlite_master" " SELECT*FROM \"%w\".sqlite_master" " WHERE type IN('view','trigger')" " OR(type='table'AND rootpage=0)", zDbMain ); if( rc ) goto end_of_vacuum; /* At this point, there is a write transaction open on both the ** vacuum database and the main database. Assuming no error occurs, ** both transactions are closed by this block - the main database ** transaction by sqlite3BtreeCopyFile() and the other by an explicit ** call to sqlite3BtreeCommit(). */ { u32 meta; int i; /* This array determines which meta meta values are preserved in the ** vacuum. Even entries are the meta value number and odd entries ** are an increment to apply to the meta value after the vacuum. ** The increment is used to increase the schema cookie so that other ** connections to the same database will know to reread the schema. */ static const unsigned char aCopy[] = { BTREE_SCHEMA_VERSION, 1, /* Add one to the old schema cookie */ BTREE_DEFAULT_CACHE_SIZE, 0, /* Preserve the default page cache size */ BTREE_TEXT_ENCODING, 0, /* Preserve the text encoding */ BTREE_USER_VERSION, 0, /* Preserve the user version */ BTREE_APPLICATION_ID, 0, /* Preserve the application id */ }; assert( 1==sqlite3BtreeIsInTrans(pTemp) ); assert( 1==sqlite3BtreeIsInTrans(pMain) ); /* Copy Btree meta values */ for(i=0; i<ArraySize(aCopy); i+=2){ /* GetMeta() and UpdateMeta() cannot fail in this context because ** we already have page 1 loaded into cache and marked dirty. */ sqlite3BtreeGetMeta(pMain, aCopy[i], &meta); rc = sqlite3BtreeUpdateMeta(pTemp, aCopy[i], meta+aCopy[i+1]); if( NEVER(rc!=SQLITE_OK) ) goto end_of_vacuum; } rc = sqlite3BtreeCopyFile(pMain, pTemp);
繼續如法炮制,根據這些語句先找到sqlite3RunVacuum函數,再進一步找到sqlite3BtreeCopyFile函數(從源碼看,這個函數調用了memset,這也是比較明顯的特征之一);
text:10A276E8 E8 13 FA 86 00 call _memset .text:10A276ED 8B 07 mov eax, [edi] .text:10A276EF 83 C4 0C add esp, 0Ch .text:10A276F2 89 45 DC mov [ebp+var_24], eax .text:10A276F5 8B 47 04 mov eax, [edi+4] .text:10A276F8 89 7D E0 mov [ebp+var_20], edi .text:10A276FB 89 75 CC mov [ebp+var_34], esi .text:10A276FE C7 45 D8 01 00 00 00 mov [ebp+var_28], 1 .text:10A27705 8B 08 mov ecx, [eax] .text:10A27707 8B 46 04 mov eax, [esi+4] .text:10A2770A 8B 10 mov edx, [eax] .text:10A2770C 0F B7 81 8E 00 00 00 movzx eax, word ptr [ecx+8Eh] .text:10A27713 66 39 82 8E 00 00 00 cmp [edx+8Eh], ax .text:10A2771A 74 24 jz short loc_10A27740 .text:10A2771C 8B 8A D4 00 00 00 mov ecx, [edx+0D4h] .text:10A27722 66 89 82 8E 00 00 00 mov [edx+8Eh], ax .text:10A27729 85 C9 test ecx, ecx .text:10A2772B 74 13 jz short loc_10A27740 .text:10A2772D 98 cwde .text:10A2772E 50 push eax .text:10A2772F FF B2 98 00 00 00 push dword ptr [edx+98h] .text:10A27735 FF B2 DC 00 00 00 push dword ptr [edx+0DCh] .text:10A2773B FF D1 call ecx .text:10A2773D 83 C4 0C add esp, 0Ch .text:10A27740 .text:10A27740 loc_10A27740: ; CODE XREF: sqlite3BtreeCopyFile+BA↑j .text:10A27740 ; sqlite3BtreeCopyFile+CB↑j .text:10A27740 8D 45 C8 lea eax, [ebp+var_38] .text:10A27743 68 FF FF FF 7F push 7FFFFFFFh .text:10A27748 50 push eax .text:10A27749 E8 E2 F5 FF FF call sub_10A26D30 .text:10A2774E 8D 45 C8 lea eax, [ebp+var_38] .text:10A27751 50 push eax .text:10A27752 E8 69 FD FF FF call sub_10A274C0
再對比源碼,根據0x7FFFFFFF很容易找到sqlite3_backup_step和sqlite3_backup_finish,偏移分別是0xA26D30、0xA274C0
memset(&b, 0, sizeof(b)); b.pSrcDb = pFrom->db; b.pSrc = pFrom; b.pDest = pTo; b.iNext = 1; #ifdef SQLITE_HAS_CODEC sqlite3PagerAlignReserve(sqlite3BtreePager(pTo), sqlite3BtreePager(pFrom)); #endif /* 0x7FFFFFFF is the hard limit for the number of pages in a database ** file. By passing this as the number of pages to copy to ** sqlite3_backup_step(), we can guarantee that the copy finishes ** within a single call (unless an error occurs). The assert() statement ** checks this assumption - (p->rc) should be set to either SQLITE_DONE ** or an error code. */ sqlite3_backup_step(&b, 0x7FFFFFFF); assert( b.rc!=SQLITE_OK ); rc = sqlite3_backup_finish(&b);
至此,所有關鍵函數的偏移都已經找到,總結如下:
//.text:10A895B0 DWORD address_sqlite3_open = wxBaseAddress + 0xA895B0; //.text:10A26980 DWORD address_sqlite3_backup_init = wxBaseAddress + 0xA26980; //.text:10A89C80 DWORD address_sqlite3_sleep = wxBaseAddress + 0xA89C80; //.text:10A871F0 DWORD address_sqlite3_close = wxBaseAddress + 0xA871F0; //.text:10A26D30 DWORD address_sqlite3_backup_step = wxBaseAddress + 0xA26D30; //.text:10A274C0 DWORD address_sqlite3_backup_finish = wxBaseAddress + 0xA274C0; //.text:10A275C0 DWORD address_sqlite3_backup_remaining = wxBaseAddress + 0xA275C0; //.text:10A275D0 DWORD address_sqlite3_backup_pagecount = wxBaseAddress + 0xA275D0; //.text:10A885D0 DWORD address_sqlite3_errcode = wxBaseAddress + 0xA885D0;
效果展示:能hook到所有的db數據庫:
選擇msg0導出,然后放入sqlite export:所有表、字段和數據都能看到了!用戶的隱私盪然無存!
最后,做了這么久的逆向,自己總結的要點如下:關於調試和反調試,xxxx逆向時並未遇到,后續逆向過TP時再分享!
參考:
1、https://github.com/zmrbak 2019 PC xxxx探秘/SQLite_L37; 注意:不同版本中函數的偏移是不一樣的,不能直接照抄,需要重新找偏移!