Thread: Reverse Engineering a DLL, assembler problems

  1. #1
    Kane49
    Guest

    Reverse Engineering a DLL, assembler problems

    Code:
    .main
    .text:0040123F                 push    3
    .text:00401241                 push    offset return0
    .text:00401246                 mov     eax, ds:aGetUserNameA
    .text:0040124B                 push    eax
    .text:0040124C                 push    0E9h
    .text:00401251                 call    UseOfVP
    
    .useOfVP
    .text:00401286 UseOfVP         proc near               
    .text:00401286                                        
    .text:00401286                 mov     eax, esp
    .text:00401288                 push    ebx
    .text:00401289                 push    eax
    .text:0040128A                 push    eax
    .text:0040128B                 push    esp    ;OldProtectionStatus (not relevant)
    .text:0040128C                 push    40h    ;NewProtectionStatus         
    .text:0040128E                 mov     ecx, [eax+10h]
    .text:00401291                 add     ecx, 5 ;SizeOfProtection
    .text:00401294                 push    ecx             
    .text:00401295                 push    dword ptr [eax+8] ;StartingAddressOfProtection 
    .text:00401298                 call    ds:VirtualProtect_0
    .text:004012C7 EndOfUseOfVP:                           
    
    .Referenced Data
    .idata:004030A2 aGetUserNameA   dd 30AEh                
    .idata:004030A6 AGetUserNameW   dd 30BEh                
    .idata:004030AA                 align 10h
    .idata:004030B0 aGetusernamea   db 'GetUserNameA',0
    .idata:004030BD                 align 10h
    .idata:004030C0 aGetusernamew   db 'GetUserNameW',0
    .idata:004030CD                 align 2
    Virtual Protect http://msdn.microsoft.com/en-us/library/aa366898%28VS.85%29.aspx

    This should be the relevant code for this purpose; I cut out non-relevant stuff, so don't worry when the addresses are not coherent. I'm pretty confused by the calculation he does to determine the size and address of the protection area for VirtualProtect, as I want to use the exact same call in my C++ program.

    My own thoughts, which are probably wrong, in the form of pseudocode!
    eax = 004030A2
    dwSize = [004030B2]+5
    lpAddress = [004030AA] (32bit)
    dwSize = t+5 ??
    lpAddress = 10 GetUserNameA 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

    Since the t+5 part doesn't make any sense, I'm stuck!

    Anybody here willing to help a poor noob?
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    BanMe
    Looks to be hooking code..
    I am kinda lost as to what you're doing, but

    I think you're trying to hook those functions..
    Hopefully this compact, probably wrong code helps:

    Code:
    DWORD OldProtect;
    VirtualProtect((LPVOID)GetProcAddress(GetModuleHandle("Advapi32.dll"), "GetUserNameW"), 5, PAGE_EXECUTE_READWRITE, &OldProtect);
    regards BanMe
    Last edited by BanMe; July 27th, 2009 at 12:00.
    No hate for the lost children;
    more love for the paths we walk,
    'words' shatter the truth we seek.
    from the heart and mind of Me
    me, to you.. down and across

    No more words from me, to you...
    Hate and love shatter the heart and Mind of Me.
    For the Lost Children;For the paths we walk; the real truth we seek!

  3. #3
    Kane49
    Guest
    It's a proxy DLL for a DLL which is called by an evil rootkit that mistreats my memory, and I'd like to have full control over my computer again.

    And your code is not wrong at all; I effectively did the same thing after a while, just not as compact, and I'm not really sure about the size.

    Thanks for helping though!
    Last edited by Kane49; July 27th, 2009 at 15:28.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    BanMe
    Next time include a smidge more details.

    And anytime..
    To explain the size: it is more than likely 5 because that is the size of a hook.. for example.. here's a small, somewhat abstracted example of how I think 'it' looks..
    VirtualProtect the start of the function.. you got that.. so

    maybe this can help if you're injecting a DLL and then hooking.. or you are hooking yourself.. :d
    Code:
    pushad
    lea        eax,HkParams                       ; eax -> hook parameter block
    lea        edi,ByteArray                      ; edi -> backup buffer for the original bytes
    mov        esi,[eax]HkParams.hkTAddress       ; esi = address of the target function
    mov        ecx,0x5
    push       esi
    rep        movsb                              ; save the target's first 5 bytes
    pop        esi
    push       eax
    mov        al,byte ptr [eax]HkParams.Opcode   ; opcode of the jump (E9 for jmp rel32)
    mov        byte ptr [esi],al                  ; write it over the first byte of the target
    pop        eax
    mov        ebx,[eax]HkParams.hkAddress        ; ebx = hook (detour) address
    add        esi,5                              ; esi = address of the instruction after the jmp
    sub        ebx,esi                            ; ebx = hkAddress - (target + 5) = rel32 displacement
    sub        esi,4                              ; esi = target + 1, where the displacement goes
    mov        dword ptr [esi],ebx
    popad
    This is a small snippet from the hkHooking namespace I coded.. that still needs work.. the other methods besides APC injection are easily implemented... I'm currently toying with seeing if I can add a section to a file's in-memory image sections at runtime.. or pre-runtime.. need to mimic the base concept of rebuilding everything for an "attached section", but this shouldn't be too hard a task for the Ldr routines... but this topic is widely talked about and now documented partly by Piotr Bania..

    Known 'hooking' methods and some concept methods...
    The old '5 byte overwrite'..

    2 byte hooking EB F9
    mov edi,edi

    Old 5 byte overwrite with a spin:
    hooking of either the "int3's or the nop's".. Now if you can't locate them up, you can search down.. jmp up 7 or down the length of the function..

    Single byte hooks the Kernel Call Routines Service Identifier.. use a kernel driver similar to Stoned's 'service adding' features .... at least I would do that.. haven't analysed any of his code yet..

    Shared Section Code used as hook routine.. and the 'client' part of the subsystem implements the hooks.. pre-runtime.. haven't tested the client by injecting it yet though, but I have successfully hooked myself in some of the various tests to accomplish this..

    IAT Hooking: hooking the Import Address Table..
    Basically hooks the Import Address Table to 'filter or hook' the function upon call from the 'host' process.. and can be used to gain information from a remote process..
    IAT hooking can be easily bypassed by GetProcessAddress or a similar routine, as well as signature scanning for the function..

    EAT (or AddressLookupHooking): used for GetProcessAddress or other type lookup that retrieves the address from the EAT..
    SigScanning for the function bypasses EAT.

    Ghostwriting.. on rootkit.com

    Mapped memory double checking with a gathered 'mapped' signature can detect runtime hooking and most of these types of hooks, not IAT or EAT.. unless you modify the original module; then it becomes the tactic that they verify your system version and then download the DLL, and do another mapped checking... and then you got issues with gathering the file from the socket securely..

    Modified Stack hooking (I'm working on it..) with 'code' that searches for and uses the found code to build itself.. this can be done by providing a usable 'Stack swapping and Context poisoning' methodology.. searching for places to use these mentioned methods will be the fun part.. as well as chaining them together.. :d


    BanMe
    Last edited by BanMe; August 1st, 2009 at 19:13.
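The thread ends on the point that comparing a function's in-memory bytes against a known-good copy catches the inline hooks discussed above. The following is an added example written for this thread, not code posted by either participant: it takes a small 32-bit code image (constructed bytes, with a hypothetical function address of 0x00401000 and a hypothetical detour at 0x00500000) and reports whether the function's 5-byte prologue is clean, overwritten by a `jmp rel32` (the 5-byte overwrite), or hot-patched with `EB F9` jumping back into the padding before the function (the 2-byte hook on `mov edi,edi`). The displacement arithmetic is the inverse of the `sub ebx,esi` step in the asm above: `target = site + 5 + rel32`.

```c
/* Added example: inline-hook detection by prologue comparison.
 * Pure byte analysis on a constructed buffer, so it runs without Windows APIs. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

enum hook_kind { HOOK_NONE = 0, HOOK_JMP_REL32 = 1, HOOK_HOTPATCH = 2, HOOK_OTHER_PATCH = 3, HOOK_ERROR = -1 };

struct hook_report {
    enum hook_kind kind;
    uint32_t target;   /* resolved jump destination for jmp-style hooks, 0 otherwise */
};

/* Little-endian 32-bit read. */
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Destination of an E9 jmp rel32 located at address 'at': at + 5 + disp. */
static uint32_t jmp_rel32_target(uint32_t at, const uint8_t *insn) {
    return at + 5 + rd32(insn + 1);
}

/* image/image_len: bytes around the function; func_off: offset of the function's
 * first byte inside image; func_va: its virtual address; clean: known-good first
 * five bytes (for a real check, read from the module on disk, as in the thread). */
struct hook_report inspect_prologue(const uint8_t *image, size_t image_len,
                                    size_t func_off, uint32_t func_va,
                                    const uint8_t clean[5]) {
    struct hook_report r = { HOOK_NONE, 0 };
    if (func_off + 5 > image_len) { r.kind = HOOK_ERROR; return r; }
    const uint8_t *p = image + func_off;

    if (memcmp(p, clean, 5) == 0) return r;          /* prologue untouched */

    if (p[0] == 0xE9) {                              /* classic 5-byte overwrite */
        r.kind = HOOK_JMP_REL32;
        r.target = jmp_rel32_target(func_va, p);
        return r;
    }
    /* Hot-patch: "mov edi,edi" (8B FF) replaced by "jmp -7" (EB F9), which lands
     * five bytes before the function, where a jmp rel32 was planted in the padding. */
    if (p[0] == 0xEB && p[1] == 0xF9 && func_off >= 5 && p[-5] == 0xE9) {
        r.kind = HOOK_HOTPATCH;
        r.target = jmp_rel32_target(func_va - 5, p - 5);
        return r;
    }
    r.kind = HOOK_OTHER_PATCH;                       /* changed, but not a shape we decode */
    return r;
}

/* Constructed samples (hypothetical addresses): 5 bytes of padding, then the function.
 * Function VA 0x00401000; detour at 0x00500000. */
static const uint32_t FUNC_VA = 0x00401000u;
static const uint8_t CLEAN_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };   /* mov edi,edi; push ebp; mov ebp,esp */
static const uint8_t SAMPLE_CLEAN[]    = { 0xCC,0xCC,0xCC,0xCC,0xCC, 0x8B,0xFF,0x55,0x8B,0xEC, 0xC3 };
/* rel32 = 0x00500000 - (0x00401000 + 5) = 0x000FEFFB */
static const uint8_t SAMPLE_JMP5[]     = { 0xCC,0xCC,0xCC,0xCC,0xCC, 0xE9,0xFB,0xEF,0x0F,0x00, 0xC3 };
/* padding holds jmp rel32 at 0x00400FFB: rel32 = 0x00500000 - (0x00400FFB + 5) = 0x000FF000 */
static const uint8_t SAMPLE_HOTPATCH[] = { 0xE9,0x00,0xF0,0x0F,0x00, 0xEB,0xF9,0x55,0x8B,0xEC, 0xC3 };

static void show(const char *name, struct hook_report r) {
    printf("%-10s kind=%d target=0x%08x\n", name, (int)r.kind, r.target);
}

int main(void) {
    show("clean",    inspect_prologue(SAMPLE_CLEAN,    sizeof SAMPLE_CLEAN,    5, FUNC_VA, CLEAN_PROLOGUE));
    show("jmp5",     inspect_prologue(SAMPLE_JMP5,     sizeof SAMPLE_JMP5,     5, FUNC_VA, CLEAN_PROLOGUE));
    show("hotpatch", inspect_prologue(SAMPLE_HOTPATCH, sizeof SAMPLE_HOTPATCH, 5, FUNC_VA, CLEAN_PROLOGUE));
    return 0;
}
```

Both hooked samples resolve to the same detour address, which is the value worth correlating against loaded-module ranges: a prologue that jumps outside every known module is the usual sign of injected hook code.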
