
Thread: DynLogger

  1. #1
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19

    DynLogger

    http://ntcore.com/dynlogger.php

    DynLogger logs all dynamically retrieved functions by reporting the module name and the requested function. It can come very handy when one wants to know a "hidden" function used by an application.

    I recycled the code of a bigger project to write this little application. It's a very small utility, but it might be of use after all. It was tested on XP and Vista, both x86 and x64. It works for .NET application as well. Just start the logging process, the log will be saved after you quit the monitored application.

    I wasn't really sure if I should have posted it here or not. But a friend of mine needed it, so I figured out that maybe even other people might need it.

  2. #2
    Registered User
    Join Date
    Aug 2005
    Location
    Italy
    Posts
    133
    Blog Entries
    31
    Nice work Daniel and thanks for sharing it!

    A handy tool for malware reversing, where tons of API hiding tricks are used.


    http://evilcry.netsons.org (Repository)
    http://evilcodecave.blogspot.com
    http://evilcodecave.wordpress.com

  3. #3
    Yes, really nice work..

  4. #4
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Thanks evilcry and NeOXOeN, but it's really nothing.

    However, now that I think about it, it could be useful for malware reversing.

  5. #5
    Registered User
    Join Date
    Dec 2005
    Posts
    216
    Blog Entries
    5
    You misspelled "dynamically" in the screenshot with notepad :P

    Good job! Was quite useful for an unpackme I was working on.

  6. #6
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Thanks rendari for notifying the misspelling. I fixed it both in the code and in the screenshot (with a simple paint operation =).

    Well, it seems to be useful after all.

  7. #7
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    CRCETL:
    http://www.woodmann.com/collaborative/tools/index.php/DynLogger

    Btw, Daniel, are you just hooking GetProcAddress or something more fancy? I think it would be great to log LoadLibrary calls separately, because a sneaky application can just load the DLL in question into the address space and then parse its export table manually to get the individual API addresses and then execute them. This makes the LoadLibrary function much more important than GetProcAddress I think.

    You can of course make a custom loader to bypass LoadLibrary too, but that's much harder and should be much more rare.
    "Give a man a quote from the FAQ, and he'll ignore it. Print the FAQ, shove it up his ass, kick him in the balls, DDoS his ass and kick/ban him, and the point usually gets through eventually."

  8. #8
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    I am hooking LoadLibrary as well, but as you already pointed out you could inject the module by yourself. You say it's hard.. well not for those who have read my Antimida article. There's a complete dll injection with relocation and IAT etc. But dll injection isn't possible when the dll is a system one and is already in the address space. Or better, it's possible, but extremely ugly.

  9. #9
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Quote Originally Posted by Daniel Pistelli:
        I am hooking LoadLibrary as well
    Great, but I don't see any separate log entries for this, and that's all I suggest.

    Something like: "Library xxx.dll was loaded"?


    Quote Originally Posted by Daniel Pistelli:
        but as you already pointed out you could inject the module by yourself. You say it's hard.. well not for those who have read my Antimida article.
    Actually, I only said it was harder than manually parsing an export table, which I still think holds true indeed.


    Quote Originally Posted by Daniel Pistelli:
        But dll injection isn't possible when the dll is a system one and is already in the address space. Or better, it's possible, but extremely ugly.
    Yes, that is great, and that also makes the suggested separate logging of LoadLibrary even more powerful and hard to circumvent. So, maybe this little feature could be added after all?

  10. #10
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Uhm, you convinced me, it's a good idea. Wait an hour, I'll add this to the logging.

  11. #11
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Ok done, took me 5 minutes. The new log looks something like:

    Functions dynamically retrieved by "C:\Programmi\IrfanView\i_view32.exe":

    Initally loaded modules:
    C:\Programmi\IrfanView\i_view32.exe
    C:\WINDOWS\system32\ntdll.dll
    C:\WINDOWS\system32\kernel32.dll
    C:\WINDOWS\WinSxS\X86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\comctl32.dll
    C:\WINDOWS\system32\msvcrt.dll
    C:\WINDOWS\system32\ADVAPI32.dll
    C:\WINDOWS\system32\RPCRT4.dll
    C:\WINDOWS\system32\Secur32.dll
    C:\WINDOWS\system32\GDI32.dll
    C:\WINDOWS\system32\USER32.dll
    C:\WINDOWS\system32\SHLWAPI.dll
    C:\WINDOWS\system32\winspool.drv
    C:\WINDOWS\system32\comdlg32.dll
    C:\WINDOWS\system32\SHELL32.dll
    C:\WINDOWS\system32\ole32.dll
    C:\WINDOWS\system32\IMM32.DLL
    C:\WINDOWS\system32\guard32.dll
    C:\WINDOWS\system32\fltLib.dll
    C:\WINDOWS\system32\winsta.dll
    C:\WINDOWS\system32\NETAPI32.dll

    The module "uxtheme.dll" was loaded

    Module: C:\WINDOWS\system32\USER32.dll Name: GetSystemMetrics
    Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromWindow
    Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromRect
    Module: C:\WINDOWS\system32\USER32.dll Name: MonitorFromPoint
    Module: C:\WINDOWS\system32\USER32.dll Name: EnumDisplayMonitors
    Module: C:\WINDOWS\system32\USER32.dll Name: GetMonitorInfoA
    Module: C:\WINDOWS\system32\ntdll.dll Name: NtQueryInformationProcess
    Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmCoUninitialize
    Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmLastEnabledWndDestroy
    Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmSetCiceroStartInThread
    Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsCiceroStartedInThread
    Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsCiceroEnabled
    Module: C:\WINDOWS\system32\IMM32.DLL Name: CtfImmIsTextFrameServiceDisabled

    [...]

    Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetDescriptionW
    Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetIMEFileNameA
    Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmGetIMEFileNameW
    Module: C:\WINDOWS\system32\IMM32.DLL Name: ImmSetHotKey
    Module: C:\WINDOWS\system32\kernel32.dll Name: GetUserDefaultUILanguage

    The module "C:\WINDOWS\system32\MSCTF.dll" was loaded


    The module "version.dll" was loaded

    Module: version.dll Name: GetFileVersionInfoW
    Module: version.dll Name: GetFileVersionInfoSizeW
    Module: version.dll Name: VerQueryValueW

    The module "apphelp.dll" was loaded

    Module: apphelp.dll Name: ApphelpCheckIME
    Module: C:\WINDOWS\system32\ole32.dll Name: CoCreateInstance

    The module "C:\WINDOWS\system32\msctfime.ime" was loaded

    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeCreateThreadMgr
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDestroyThreadMgr
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeCreateInputContext
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDestroyInputContext
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeSetActiveContextAlways
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeProcessCicHotkey
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeDispatchDefImeMessage
    Module: C:\WINDOWS\system32\msctfime.ime Name: CtfImeIsIME

    [etc.]

    Better? =)
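Since the new format keeps LoadLibrary entries ("The module ... was loaded") separate from GetProcAddress entries ("Module: ... Name: ..."), a small parser can split them back out and count resolutions per module. This is an added example, not part of the thread or of DynLogger; it assumes only the log layout shown above and runs on a constructed, abbreviated excerpt. It also lists runtime-loaded modules from which no function was then resolved, which is the trace dELTA's export-table scenario would leave in this log.

```python
import re
from collections import Counter
# Constructed excerpt in the layout shown in post #11 (paths shortened, header spelling kept).
SAMPLE_LOG = r'''Functions dynamically retrieved by "C:\Programmi\IrfanView\i_view32.exe":

Initally loaded modules:
C:\Programmi\IrfanView\i_view32.exe
C:\WINDOWS\system32\ntdll.dll
C:\WINDOWS\system32\USER32.dll

The module "uxtheme.dll" was loaded

Module: C:\WINDOWS\system32\USER32.dll Name: GetSystemMetrics

The module "version.dll" was loaded

Module: version.dll Name: GetFileVersionInfoW
Module: version.dll Name: VerQueryValueW
'''
HEADER_RE = re.compile(r'^Functions dynamically retrieved by "(.+)":$')
LOADED_RE = re.compile(r'^The module "(.+)" was loaded$')
RESOLVED_RE = re.compile(r'^Module: (.+?) Name: (\S+)$')
_base = lambda path: path.rsplit("\\", 1)[-1].lower()  # file name without directory

def parse_dynlogger_log(text):
    out = {"target": None, "initial_modules": [], "runtime_loads": [], "resolved": []}
    in_initial = False
    for line in (l.strip() for l in text.splitlines()):  # unmatched lines such as "[...]" are skipped
        if not line:
            in_initial = False  # a blank line closes the initial module list
        elif HEADER_RE.match(line):
            out["target"] = HEADER_RE.match(line).group(1)
        elif re.match(r"Init\w* loaded modules:$", line):
            in_initial = True
        elif LOADED_RE.match(line):  # one LoadLibrary call
            out["runtime_loads"].append(LOADED_RE.match(line).group(1))
        elif RESOLVED_RE.match(line):  # one GetProcAddress call, as (module, function)
            out["resolved"].append(RESOLVED_RE.match(line).groups())
        elif in_initial:
            out["initial_modules"].append(line)
    return out

def resolved_per_module(parsed):
    """Functions resolved through GetProcAddress, counted per module file name."""
    return dict(Counter(_base(m) for m, _ in parsed["resolved"]))

def loaded_without_resolution(parsed):
    """LoadLibrary entries with no later GetProcAddress from that module (dELTA's export-table scenario)."""
    used = {_base(m) for m, _ in parsed["resolved"]}
    return [m for m in parsed["runtime_loads"] if _base(m) not in used]
```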

  12. #12
    I'm sure many are trying to find a few moments to "drive" this new toy "around the block" a few times and see how she runs! Thanks for the quick response and the update. If you haven't already, you might want to update the comment in the CRCETL to mention the new functionality!

    Regards,
    JMI

  13. #13
    Registered User
    Join Date
    Jan 2008
    Posts
    163
    Blog Entries
    19
    Thanks JMI, updated! Well, I wouldn't encourage anyone to lose time to try this. It's really nothing.

  14. #14
    Administrator dELTA's Avatar
    Join Date
    Oct 2000
    Location
    Ring -1
    Posts
    4,206
    Blog Entries
    5
    Looks great Daniel, thanks!
