Reverse Engineering a DLL, assembler problems

[Kane49]

Code:

.main
.text:0040123F                 push    3
.text:00401241                 push    offset return0
.text:00401246                 mov     eax, ds:aGetUserNameA
.text:0040124B                 push    eax
.text:0040124C                 push    0E9h
.text:00401251                 call    UseOfVP

.useOfVP
.text:00401286 UseOfVP         proc near               
.text:00401286                                        
.text:00401286                 mov     eax, esp
.text:00401288                 push    ebx
.text:00401289                 push    eax
.text:0040128A                 push    eax
.text:0040128B                 push    esp    ;OldProtectionStatus (not relevant)
.text:0040128C                 push    40h    ;NewProtectionStatus         
.text:0040128E                 mov     ecx, [eax+10h]
.text:00401291                 add     ecx, 5 ;SizeOfProtection
.text:00401294                 push    ecx             
.text:00401295                 push    dword ptr [eax+8] ;StartingAddressOfProtection 
.text:00401298                 call    ds:VirtualProtect_0
.text:004012C7 EndOfUseOfVP:                           

.Referenced Data
.idata:004030A2 aGetUserNameA   dd 30AEh                
.idata:004030A6 AGetUserNameW   dd 30BEh                
.idata:004030AA                 align 10h
.idata:004030B0 aGetusernamea   db 'GetUserNameA',0
.idata:004030BD                 align 10h
.idata:004030C0 aGetusernamew   db 'GetUserNameW',0
.idata:004030CD                 align 2

Virtual Protect http://msdn.microsoft.com/en-us/library/aa366898%28VS.85%29.aspx

This should be the relevant code for this purpose, i cut out non relevant stuff so dont worry when the Adresses are not coherent. Im pretty confused by the calculation he does to determine the Size and Address of the protection Area for VirtualProtect as i want to use the exact same call in my C++ Program.

My own thoughts, which are probably wrong, in the form of pseudocode !
eax = 004030A2
dwSize = [004030B2]+5
lpAddress = [004030AA] (32bit)
dwSize = t+5 ??
lpAddress = 10 GetUserNameA 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Since the t+5 part doesn't make any sense im stuck !

Anybody here willing to help a poor noob ?

[BanMe]

looks to be hooking code..
I am kinda lost as to what your doing but

I think your trying to hook those functions..
hopefully this compact prolly wrong code helps

Code:

VirtualProtect(GetProcAddress(GetModuleHandle("Advapi32.dll"),"GetUserNameW"),5,PAGE_EXECUTE_READWRITE,&OldProtect);

regards BanMe

[Kane49]

its a proxy dll for a dll which is called by an evil rootkit that mistreats my memory and i'd like to have full control over my computer again

And your code is not wrong at all, i effectively did the same thing after a while just not as compact and im not really sure about the size.

Thanks for helping though !

[BanMe]

next time include a smidge more details

and Anytime..
to explain the size it is more then likely 5 because that is the size of a hook..for example..heres a small somewhat abstracted example..of how i think 'it' looks..
VirtualProtect the Start of the function..you got that..so

maybe this can help if your injecting a dll and then hooking.. or you are hooking yourself.. :d

Code:

pushad
lea        eax,HkParams
lea        edi,ByteArray
mov        esi,[eax]HkParams.hkTAddress
mov        ecx,0x5
push       esi
rep        movsb
pop        esi
push       eax
mov        al,byte ptr [eax]HkParams.Opcode
mov        byte ptr [esi],al
pop        eax
mov        ebx,[eax]HkParams.hkAddress
add        esi,5
sub        ebx,esi
sub        esi,4
mov        dword ptr [esi],ebx
popad

this is a small snippet from hkHooking Namespace I coded..that still needs work.. the other methods besides apc injection are easily implemented... IM currently toying with seeing if I can add a section to a Files in Memory image sections in runtime.. or preruntime.. need to mimic the base concept of rebuilding everything for a "attached section" but this shouldn't be to hard a task for the Ldr Routines... but this topic is widely talked about and now documented partly by piotr bania..

known 'hooking' methods and some concept methods...
the old '5 byte overwrite'..

2 byte hooking ebf9
mov edi,edi

old 5 byte overwrite with a spin
hooking of iether the "int3's or the nop's"..If now if you cant locate them up,you can search down..jmp up 7 or down the length of the function..

single byte hooks the Kernel Call Routines Service Identifier..use a kernel driver similar to stoned's 'service adding' features ....at least i would do that..havent analysed any of his code yet..

Shared Section Code used as hook routine..and the 'client' part of the subsystem implements the hooks.. preruntime..havent tested the client by injecting it yet though, but i have successfully hooked myself in some of the various tests to accomplish this..

IAT Hooking hooking the ImportAddress Table..
basicly hooks the Import Address Table to 'filter or hooking' the function upon call from the 'host' process..and can be used to gain information from a remote process..
IAT hooking can be easily bypassed by GetProcessAddress or a similar routine as well as signature scanning for the function..

EAT (or AddressLookupHooking)used for GetProcessAddress or other type lookup that retrieve the address from the EAT..
SigScanning for the function bypasses EAT.

Ghostwriting..on rootkit.com

.Mapped memory double checking with a gathered 'mapped' signature can detect runtime hooking and most of these types hooks not IAT or EAT..unless you modify the original module,then it becomes the tactic that they verify your system version and then download the dll,and do another mapped checking...and then you got issues with gathering the file from the socket securely..

Modified Stack hooking(im working on it..)with 'code' that searchs for and uses the found code to bulid itself..this can be done by providing a usable 'Stack swapping and Context poisoning' methodolgy..searching for places to use these Mentioned methods will be the fun part ..as well as chaining them together.. :d


BanMe