Now Reading
Extracting IP from getaddrinfo name

Extracting IP from getaddrinfo name

2023-10-11 09:38:04

Abstract

This brief put up paperwork monitoring down the IP tackle location and worth resolved by the getaddrinfo perform name with the assistance of x64dbg.

Instruments

To comply with alongside you have to to construct 32-bit WinSock server and client supplied by Microsoft and x64dbg.

Getaddrinfo

The getaddrinfo perform resolves the supplied hostname to the IP tackle and its prototype is:

INT WSAAPI getaddrinfo(
  [in, optional] PCSTR           pNodeName,
  [in, optional] PCSTR           pServiceName,
  [in, optional] const ADDRINFOA *pHints,
  [out]          PADDRINFOA      *ppResult
);

The third parameter handed to getaddrinfo is the pointer to the addrinfo construction that comprises information in regards to the socket kind the caller helps. And the fourth parameter is the pointer to the place the tackle of the returned addrinfo construction might be saved after the getaddrinfo execution. The addrinfo construction is outlined like so:

typedef struct addrinfo {
  int             ai_flags;
  int             ai_family;
  int             ai_socktype;
  int             ai_protocol;
  size_t          ai_addrlen;
  char            *ai_canonname;
  struct sockaddr *ai_addr;
  struct addrinfo *ai_next;
} ADDRINFOA, *PADDRINFOA;

The sockaddr construction for TCP/IP seems to be like this:

struct sockaddr {
        ushort  sa_family;
        char    sa_data[14];
};

struct sockaddr_in {
        brief   sin_family;
        u_short sin_port;
        struct  in_addr sin_addr;
        char    sin_zero[8];
};

Getaddrinfo and x64dbg

Now let’s begin the server app supplied by MSDN and open the shopper app in x64dbg.

To offer the command line arguments to the shopper app in x64dbg I up to date the main input parameters earlier than the principle began to execute. The argc worth was modified from 0x1 to 0x2 and the command line saved in argv was up to date to seem like this path_to_client.exe localhost:

x64dbg: we have to replace argc and argv handed to foremost
x64dbg: argv earlier than the replace
x64dbg: argv after the replace

Now we are able to step into foremost and comply with alongside till we hit the decision to getaddrinfo which is preceded by the call to ZeroMemory making ready the hints buffer:

x64dbg after ZeroMemory execution. Dump window reveals the zeroed out hints buffer. 

As soon as ZeroMemory (or memset operating behind the scene) is executed now we have a hints buffer of kind addrinfo that must be populated earlier than we execute getaddrinfo:

x64dbg: ai_family, ai_socktype and ai_protocol of the hints buffer at the moment are set

Now the parameters for getaddrinfo are pushed on the stack. Within the picture beneath 0x009FFCF0 will retailer the tackle of the addrinfo res construction, 0x009FFCBC shops the hints buffer that was populated above, 0x00437B80 shops the port worth and the final parameter pushed on the stack is 0x00000000 since we might be resolving the localhost hostname:

x64dbg: getaddringo parameters are pushed on the stack

After the getaddrinfo execution the 0x009FFCF0 tackle shops the tackle of the returned res construction of kind addrinfo  (0x00EA1D28 ):

x64dbg: 0x00EA1D28 returned after getaddinfo execution

Let’s comply with it in reminiscence and break down the information returned:

See Also

(4 bytes) int ai_flags; 00 00 00 00
          int ai_family; 02 00 00 00 (AF_INET)
          int ai_socktype; 01 00 00 00 (SOCK_STREAM)
          int ai_protocol; 06 00 00 00 (TCP)
          size_t ai_addrlen; 10 00 00 00 (16 bytes)
          char *ai_canonname; 00 00 00 00
          struct sockaddr *ai_addr; 58 7E EA 00 (0x00EA7E58)
          struct sockaddr *ai_next; 00 00 00 00

x64dbg: addrinfo construction at 0x00EA1D28 reminiscence tackle

The returned IP tackle is saved in ai_addr member of the addrinfo construction at reminiscence tackle 0x00EA7E58 so we have to comply with it in reminiscence to get the precise IP tackle worth:

x64dbg: sockaddr construction at 0x00EA7E58 reminiscence tackle

Information saved at aforementioned 0x00EA7E58 reminiscence tackle symbolize the sockaddr structure for TCP/IP. Let’s break it down too:

brief sin_family;  02 00
u_short sin_port;  69 87 (hex worth for our 27015 default port)
struct in_addr sin_addr; 7F 00 00 01 (IP worth in hex type)
char sin_zero[8]

So 0x7F000001 is the returned IP worth however it’s in hex type and we in all probability wish to convert it:

0x7F000001 binary type is:
01111111 00000000 00000000 00000001
or should you convert every 8 bits into decimal
127 0 0 1

So right here you go. The localhost hostname was resolved to 127.0.0.1 IP as anticipated by the decision to getaddrinfo =)

References

Source Link

What's Your Reaction?
Excited
0
Happy
0
In Love
0
Not Sure
0
Silly
0
View Comments (0)

Leave a Reply

Your email address will not be published.

2022 Blinking Robots.
WordPress by Doejo

Scroll To Top