What's happening under the covers when you launch an executable on your Windows system? These days, malicious activity--viruses, worms, spyware--caused by seemingly innocent programs and attachments makes the question extremely important. Even if you are confident that you could debug (or reverse-engineer) a suspicious program, what if you encounter a program designed to frustrate your analysis attempts? There are tricks and traps that can thwart your best intentions. This article will examine some of these and introduce you to topics such as code obfuscation and protection and anti-reverse-
A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system. Starting the program from the command line produced the display shown in Figure 1 (HDSpoof.BMP). The only visible result was a configuration file named HDSPOOF.INI created in the program's installation directory. But a proprietary hardware-identification driver and test program I had written for a client now returned different results after this program had run. Clearly something on my system had changed. A little investigation revealed that the program had created and started a dynamic driver and was trying to hide its presence. The driver showed up under a random name in my utility NTDevices (available at my website, www.smidgeonsoft.com; look for an entry in the index without the .SYS file extension), but the driver's file had been deleted from my hard drive. Deleting the configuration file did not restore the expected results. Entries for the driver were still present in the system registry, but under a key whose name differed from the driver's display name. Rebooting the system and rerunning the program created a driver with a new random name and new registry entries, and it still "spoofed" the hardware-identification program. Time to fire up a static analyzer and then the debugger!
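The two indicators described above (a driver service whose registry key name does not match its display name, and a driver whose image file has been deleted from disk while its service entry remains) can be checked with a short script. The following is an added example for this article, not the author's NTDevices utility and not code from the program being analyzed; it uses only standard PowerShell cmdlets against HKLM\SYSTEM\CurrentControlSet\Services and assumes it is run from an elevated prompt on a modern Windows system.

```powershell
# Added example: hunt for driver services that show the symptoms described in the
# article. Only reads the registry and tests file existence; changes nothing.

function Resolve-DriverImagePath {
    param([string]$ImagePath)
    if ([string]::IsNullOrWhiteSpace($ImagePath)) { return $null }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    # Driver ImagePath values use kernel-style prefixes; map them to Win32 paths.
    if ($p -match '^\\\?\?\\(.*)$') {
        $p = $Matches[1]                                   # \??\C:\... -> C:\...
    } elseif ($p -match '^\\SystemRoot\\(.*)$') {
        $p = Join-Path $env:SystemRoot $Matches[1]         # \SystemRoot\system32\... 
    } elseif ($p -notmatch '^[A-Za-z]:\\') {
        $p = Join-Path $env:SystemRoot $p                  # system32\drivers\foo.sys
    }
    return $p
}

function Get-SuspiciousDrivers {
    $keys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = SERVICE_KERNEL_DRIVER, 2 = SERVICE_FILE_SYSTEM_DRIVER; skip user-mode services.
        if ($null -eq $props.Type -or $props.Type -notin @(1, 2)) { continue }

        $name    = $key.PSChildName
        $display = $props.DisplayName
        $image   = Resolve-DriverImagePath $props.ImagePath
        $reasons = @()

        # Indicator 1: the key name and display name disagree. Many legitimate drivers
        # do this too (and some use '@file,-id' resource strings), so treat it as context.
        if ($display -and $display -ne $name -and $display -notlike '@*') {
            $reasons += "DisplayName '$display' differs from key name"
        }
        # Indicator 2: a service entry still points at a driver file that is gone.
        if ($image -and -not (Test-Path -LiteralPath $image)) {
            $reasons += "ImagePath '$image' not found on disk"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Service     = $name
                DisplayName = $display
                ImagePath   = $image
                Start       = $props.Start   # 0-2 = boot/system/auto start, 3 = demand start
                Reasons     = ($reasons -join '; ')
            }
        }
    }
}

Get-SuspiciousDrivers | Sort-Object Service | Format-Table -AutoSize -Wrap
```

The mismatched display name alone is noisy; the strong signal in this case is the combination: a demand-start driver with a random-looking key name whose file no longer exists. A driver that is loaded while its file is missing will also appear in Get-CimInstance Win32_SystemDriver with State 'Running', which is a useful cross-check against the registry listing.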
Note: this article is based upon an early version of the program distributed in the WinRAR archive. An updated version is available at www.taurine.game-deception.com as hwspoofv2.1.rar. The points and code fragments noted throughout this discussion are the same; only the addresses have changed in the newer version.