Thread: DLL in folder - Imported by ..which exe/dll/sys?

  1. #1 (Registered User; Join Date: Apr 2011; Posts: 78; Blog Entries: 1)

    Hi All,
    Been doing a pentest for a client and it's a very large program. Lots of exes, dlls and sys files. Now I ran a few basic IDA Pro scripts on these and have 2 nice lists of functions:

    a) List of files with offsets which call functions vulnerable to buffer overflows. - Say List A
    b) List of files which use DPAPI. This I need to find how the key is stored, as everything is encrypted. - Say List B
    c) List of imports for each Exe, Dll and Sys file. - Say List C

    Now to simplify the problem, let's say I have 10 EXE files in total. I have List C for all 10 EXE files. Now I look at List A and List B and think, ah, 5 DLLs are using strcpy. Let me see which of the 10 EXE files import any of the DLLs in List A and List B.

    Strangely though, I get very very few hits.

    So I'm thinking... if those DLLs are not imported at all, is it even a problem if they have insecure code? Is it possible that a DLL is never imported by any file anywhere, but still runs? Or is there some other way in which these DLLs are imported?

    I highly doubt everything is dead code. I guess it's possible (as I don't have the code), but it's unlikely. So I wanted to check with all the great people here before I conclude.

    All the scripts in List A, B and C were written using IDAPython and the latest IDA Pro version, 6.4.

    All help is much appreciated, and if you need more info, please let me know.

    Thanks
    Arvind
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind

  2. #2
    Hello.

    1) Delayed Load.

    2) Direct import via kernel32 functions (GetProcessXXX, GetModuleXXX, and so on)

    3) Undocumented WinAPI Calls (aka ZiXXXXXXX, ZxXXXX and so on)

    4) scrambled IAT

    5) Import Tree Run (aka, Running the snake)


    Among others...
    Code:
    www.dependencywalker.com
    - It's good.

    Have Phun
    Last edited by Aimless; April 15th, 2013 at 20:56.
    Blame Microsoft, get l337 !!

  3. #3 (Registered User; Join Date: Apr 2011; Posts: 78; Blog Entries: 1)
    Quote Originally Posted by Aimless
    Hello.

    1) Delayed Load.

    2) Direct import via kernel32 functions (GetProcessXXX, GetModuleXXX, and so on)

    3) Undocumented WinAPI Calls (aka ZiXXXXXXX)

    4) scrambled IAT


    Among others...
    Code:
    www.dependencywalker.com
    - It's good.

    Have Phun
    Thnx Aimless. Is there some way to find all this in IDA? I think 2) and 3) should be doable; it's just searching for those function calls. What about delay-loaded DLLs? If I have an IDB file, can I find out which DLLs are delay-loaded? Or are those only viewable at runtime, when that feature is invoked?

    Scrambled IAT... isn't that more a malware technique to prevent an analyst from easily reversing a piece of malware? Here I want to find out which DLL is called by which EXE.

    Is there a difference between grabbing imports using the IDAPython API from a saved IDB and using Depwalker? What's the difference?

    Thnx
    Arvind
    Reversing articles, primarily from a newbie perspective - http://ardsec.blogspot.com

    Latest article written - http://resources.infosecinstitute.com/author/arvind
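Added example, not code from this thread or its posters: delay-loaded DLLs (Aimless's point 1) are recorded on disk in the PE delay-load import directory (data directory index 13), separate from the regular import table, so they can be listed from the file without running it. The stdlib-only parser below walks that directory; `build_sample_pe` is a constructed PE32 header stub (not a real binary) used only to feed it a known input.

```python
import struct

DELAY_IMPORT_DIR = 13  # IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT in the data directory array

def delay_loaded_dlls(data):
    """Return the DLL names in a PE file's delay-load import directory (stdlib only)."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt = pe + 24                                                # optional header
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B       # else PE32+
    base = struct.unpack_from("<I" if pe32 else "<Q", data, opt + (28 if pe32 else 24))[0]
    dirs = opt + (0x60 if pe32 else 0x70)                        # data directories
    dl_rva = struct.unpack_from("<I", data, dirs + DELAY_IMPORT_DIR * 8)[0]
    sh = opt + struct.unpack_from("<H", data, pe + 20)[0]         # section headers
    secs = [struct.unpack_from("<IIII", data, sh + i * 40 + 8) for i in range(nsect)]

    def rva2off(rva):                                            # RVA -> file offset
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA 0x%x outside all sections" % rva)

    names, off = [], rva2off(dl_rva) if dl_rva else None
    while off is not None:
        # ImgDelayDescr (32 bytes): grAttrs, szName, phmod, pIAT, pINT, pBoundIAT, pUnloadIAT, dwTimeStamp
        attrs, name = struct.unpack_from("<II", data, off)
        if name == 0:                                            # all-zero entry ends the table
            break
        if not attrs & 1:                                        # old VC6-style entries hold VAs
            name -= base
        noff = rva2off(name)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 32
    return names

def build_sample_pe(dll_names, sec_va=0x1000, sec_raw=0x200):
    """Constructed PE32 stub (headers + one section, not executable) carrying a delay-load table."""
    strs, rvas, cur = b"", [], sec_va + (len(dll_names) + 1) * 32
    for n in dll_names:
        rvas.append(cur); s = n.encode() + b"\0"; strs += s; cur += len(s)
    table = b"".join(struct.pack("<8I", 1, r, 0, 0, 0, 0, 0, 0) for r in rvas) + bytes(32)
    img = bytearray(sec_raw)
    img[:2] = b"MZ"
    struct.pack_into("<I4sHH", img, 0x3C, 0x40, b"PE\0\0", 0x14C, 1)   # e_lfanew, sig, Machine, NumberOfSections
    struct.pack_into("<HHH", img, 0x54, 0xE0, 0, 0x10B)                 # SizeOfOptionalHeader, Characteristics, Magic
    struct.pack_into("<I", img, 0x58 + 28, 0x400000)                    # ImageBase
    struct.pack_into("<II", img, 0x58 + 0x60 + DELAY_IMPORT_DIR * 8, sec_va, len(table))
    struct.pack_into("<8sIIII", img, 0x58 + 0xE0, b".rdata", len(table + strs), sec_va, len(table + strs), sec_raw)
    return bytes(img) + table + strs
```

Run `delay_loaded_dlls(open(path, "rb").read())` over each EXE/DLL/SYS in the product folder to add the delay-loaded names to List C; DLLs reached via LoadLibrary/GetProcAddress (point 2) still need a separate string or call search.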
