
Thread: Is it possible to intercept the ReadFile() function of an executable

  1. #1
    test
    Guest

    Is it possible to intercept the ReadFile() function of an executable

    without replacing any DLLs/installing drivers? (OS is winXP sp1, target application is a msvc++6 application).

    Here's the situation: I have a program which loads several files, all of which exist on the disk (completely unencrypted). The program expects these files to be in the format that they're in, and if not, it will crash because they're "corrupt." That's fine for most of the files, as the data they contain really isn't that sensitive anyway. But for one of the files, the data should never exist on the disk in an unencrypted form, but should instead only exist in memory when it isn't encrypted.

    So somehow, I need to intercept the call to readfile(), and instead of passing the contents of the file back to the caller, I need to pass the unencrypted version.

    If anyone has any suggestions/tips, I'd be glad to hear them.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    I think what you want to do falls in the category of API call hooking:

    http://www.codeproject.com/system/hooksys.asp


    There are many other articles on the issue if you look up "api call hooking" in google.

    Basically you would setup an app that would hook the readfile() call from your app and take control at that point.

    Or I completely misunderstood your problem/question

  3. #3
    If you just need to do this once, it can easily be done from a debugger, but I get the impression you want this change to be permanent.

    I'm not sure what exactly you mean by 'without replacing any DLLs' but if you're allowed to modify the app's PEs (rather than system DLLs) you have yourself a schoolboy exercise in code injection (specifically, injecting an IAT hook). Otherwise you're going to need to dabble in something a bit more subtle. My first suggestion would be to create a loader that monitors ReadFile and intervenes appropriately (much like what naides describes).

    I'm sure we could go on for days coming up with more and more convoluted solutions to the problem, but unless there's something very special about your situation, these suggestions should be more than adequate.

    Admiral

  4. #4
    Hmm, not to self-promote, however, I just wrote a tutorial on this sort of thing: Weakness Of The Windows Api Part 1. You can get it at http://tutorials.accessroot.com
    As Admiral said there are many different ways to do this sort of thing. If you have no problem modifying the executable check out section 4.1 of my paper. That will help walk you through modifying the address table to redirect an api call. If you are ambitious enough to code a dll I walk you through that as well. I did not cover injection as thoroughly as I would have liked though, but I suggest checking out the references (the site naides referenced is one of them); they should help you inject a dll into the program's address space.

    It seems that the problem you face though is two-fold: you need to unencrypt the file before you can pass back the unencrypted data. Which means your readfile hook may also need to account for the unencryption. There was a paper written a while back that covered adding a dll to notepad to encrypt and unencrypt files. I thought it was from codebreakers-journal but I seem to be incorrect. Anyone remember where it is?
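The hook-then-decrypt shape that Admiral and the reply above describe, as an added example that is not from this thread or from the linked tutorials. It is written in portable C so it compiles and runs anywhere: the import-table slot is modelled as a plain function pointer (`iat_ReadFile`), the handle and `real_ReadFile` are stand-ins over an in-memory file image, and the XOR key is a placeholder for a real cipher; all of these are assumptions, not Windows API.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>
/* Stand-in file handle (assumption): an in-memory "file image" plus the read position. */
typedef struct { const uint8_t *data; size_t size, pos; bool is_protected; } FileHandle;
/* Stand-in for the real import (assumption): copies from the file image. */
static bool real_ReadFile(FileHandle *h, void *buf, size_t n, size_t *nread) {
    size_t left = h->size - h->pos;
    if (n > left) n = left;
    memcpy(buf, h->data + h->pos, n);
    h->pos += n; *nread = n;
    return true;
}
/* The "IAT slot" the application calls through. On Windows this is the real
 * import entry for kernel32!ReadFile, made writable with VirtualProtect first. */
static bool (*iat_ReadFile)(FileHandle *, void *, size_t, size_t *) = real_ReadFile;
static bool (*orig_ReadFile)(FileHandle *, void *, size_t, size_t *) = NULL;
/* Placeholder cipher (rolling XOR); a real deployment needs an authenticated cipher. */
static void decrypt_inplace(uint8_t *buf, size_t n, size_t file_offset) {
    static const uint8_t key[4] = {0x5a, 0xa5, 0x3c, 0xc3};
    for (size_t i = 0; i < n; i++) buf[i] ^= key[(file_offset + i) % 4];
}
/* The hook: let the original read the on-disk ciphertext, then decrypt the caller's
 * buffer only for the protected file, keyed on file position so chunked reads work. */
static bool hooked_ReadFile(FileHandle *h, void *buf, size_t n, size_t *nread) {
    size_t start = h->pos;
    if (!orig_ReadFile(h, buf, n, nread)) return false;
    if (h->is_protected) decrypt_inplace((uint8_t *)buf, *nread, start);
    return true;
}
/* Install once: remember the original, then overwrite the slot. */
void install_hook(void) {
    if (iat_ReadFile == hooked_ReadFile) return;
    orig_ReadFile = iat_ReadFile;
    iat_ReadFile = hooked_ReadFile;
}
/* Self-check: constructed ciphertext of "SECRET!!" under the placeholder key,
 * read through the hooked slot in 3-byte chunks. Returns 1 on success. */
int demo_chunked_read(void) {
    static const uint8_t cipher[8] = {0x09,0xe0,0x7f,0x91,0x1f,0xf1,0x1d,0xe2};
    FileHandle h = { cipher, sizeof cipher, 0, true };
    uint8_t out[8] = {0};
    size_t total = 0, got = 0;
    install_hook();
    while (iat_ReadFile(&h, out + total, 3, &got) && got > 0) total += got;
    return total == 8 && memcmp(out, "SECRET!!", 8) == 0;
}
```

The plaintext exists only in the caller's buffer; the file image stays ciphertext throughout, which is the property the original question asks for.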

  5. #5

    Another (most simple) solution could be using one of the off-the-shelf tools for encrypted virtual hard disks. Just create a container file with strong encryption which holds all the files of the application and there ya go.
    Double the killers!
