Thread: Integrity checking.

  1. #1

    Integrity checking.

    I have an app fully unpacked and fixed the dump using ImpREC, but it refuses to run (showing in Task Manager but no windows). It's obviously doing an integrity check, which is why I'm here. The packer/protector was Yoda's Protector 1.03.2 beta 3. The app creates and depends on reg keys and files in multiple directories, as shown using ProcMon. The app is ID'd as Visual Basic 5.0/6.0 using Exeinfo, PEiD, and RDG Packer Detector. For what it's worth, using VB Decompiler, VBReFormer, P32Dasm and others, it seems it's not been obfuscated. I've searched endlessly on integrity checking and the like to no avail. Most results eventually lead to foreign-language websites (Turkish, Arabic, and Chinese mostly) with crappy translations using Chrome. I've found something called "Defeating File Integrity Checks Through Redirection" on Fravia's site. However, that piece was from '98, so I'm not sure how relevant that would be today. I'd be eternally grateful for any guidance I can get. Thanks!

  2. #2
    Registered User | Join Date: Dec 2005 | Posts: 216 | Blog Entries: 5

    Breakpoint ZwCreateFile to see if it's opening a handle to itself and checking that way.

    Also Hardware Breakpoint on read on the code section/PE header and see if it's checking those.

  3. #3
    FYI, I'm pretty new to this, so there's a good chance I may not know what you say sometimes. With that said, it does indeed break on ZwCreateFile with:

    Code:
    Handles, item 9
    Handle=0000000C
    Type=File (dir)
    Refs=   2.
    Access=00100020 SYNCHRONIZE|TRAVERSE
    Name=l:\Program Files\****\**** <----------- The DIR of the executable.

    As for setting a HWBP on access in the code/PE section, I don't see that option, only memory breakpoint on access/write and "break-on-access."
    Last edited by Zumo; April 9th, 2012 at 00:13.
