Teddy Rogers Posted April 17, 2007 Let's imagine we could redirect the thoroughfare of the imported functions' entrances into our especial routines by manipulating the import table thunks; it would then be possible to filter the demands of the importations through our routines. Furthermore, we could settle our appropriate routine by this performance, which is done by the professional Portable Executable (PE) Protectors; additionally, some sort of rootkits employ this approach to embed their malicious code inside the victim by a troy banana. In the reverse engineering world, we describe it as the API redirection technique; nevertheless, I am not going to accompany all viewpoints in this area by source code. This article merely represents a brief aspect of this technique by a simple code. I will describe other issues in the absence of the source code; I could not release the code which is related to the commercial projects or intended for malicious motivation. However, I think this article could be used as an introduction into this topic. http://www.tuts4you.com/download.php?view.1555 Ted.
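Added example, not from Ted's article or from any post in this thread: a portable C model of the thunk redirection the post describes. A real PE loader fills IMAGE_THUNK_DATA slots with resolved export addresses; here the "loader" fills a plain function-pointer array so the mechanics compile on any platform. The stand-in export `lib_lookup`, the filter routine `filter_lookup`, the thunk table `iat`, and the snapshot-based integrity check `count_redirected_thunks` are all assumed names for illustration. The filter routine is the "appropriate routine" of the post (it sees every request through the thunk and forwards to the original), and the integrity check is what a protector or monitor does to notice that a slot no longer holds the address the loader resolved.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Portable model of an import thunk table (assumed names, not real PE code).
 * Callers reach an imported routine only through its slot in the table,
 * which is exactly what makes the slot a redirection point. */
typedef void *(*proc_fn)(const char *name);

/* Hypothetical export of a "library", standing in for an API like
 * GetProcAddress: returns a fake, constructed address for the name. */
static void *lib_lookup(const char *name) {
    return (void *)(uintptr_t)(0x1000 + strlen(name));
}

enum { THUNK_LOOKUP = 0, THUNK_COUNT };
static proc_fn iat[THUNK_COUNT];          /* the thunk table (modelled IAT) */
static proc_fn iat_snapshot[THUNK_COUNT]; /* reference copy taken at load time */

/* Models the loader resolving imports and writing the addresses into the
 * thunks; the snapshot is what an integrity check compares against later. */
static void loader_resolve_imports(void) {
    iat[THUNK_LOOKUP] = lib_lookup;
    memcpy(iat_snapshot, iat, sizeof iat);
}

/* Filtering routine installed into the thunk: records each request, then
 * forwards to the original export so the program still behaves normally. */
static proc_fn original_lookup;
static int filtered_calls;
static char last_name[64];

static void *filter_lookup(const char *name) {
    filtered_calls++;
    strncpy(last_name, name, sizeof last_name - 1);
    return original_lookup(name);
}

/* Replace one thunk, saving the resolved address so the filter can forward. */
static void redirect_thunk(int idx, proc_fn replacement, proc_fn *saved) {
    *saved = iat[idx];
    iat[idx] = replacement;
}

/* Detection side: how many slots no longer hold the loader-resolved address. */
static int count_redirected_thunks(void) {
    int n = 0;
    for (int i = 0; i < THUNK_COUNT; i++)
        if (iat[i] != iat_snapshot[i]) n++;
    return n;
}

/* Application code calling the "API" the way compiled code does: via the slot. */
static void *app_call_lookup(const char *name) {
    return iat[THUNK_LOOKUP](name);
}

int main(void) {
    loader_resolve_imports();
    printf("redirected thunks after load: %d\n", count_redirected_thunks());
    printf("lookup -> %p\n", app_call_lookup("CreateFileA"));

    redirect_thunk(THUNK_LOOKUP, filter_lookup, &original_lookup);
    printf("lookup -> %p (filtered)\n", app_call_lookup("CreateFileA"));
    printf("filter saw %d call(s), last name \"%s\"\n", filtered_calls, last_name);
    printf("redirected thunks after hook: %d\n", count_redirected_thunks());
    return 0;
}
```

The same comparison against a load-time reference is what separates a legitimate protector's own redirection from an unexpected one: anything that changes a slot after the loader has resolved it shows up in the count, whether it was installed by the protector or by something else in the process.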
syk071c Posted April 17, 2007 (edited) I have actually used a similar thing to this once... I unpacked an execryptor file that would refuse to run unless it had GetProcAddress in about five places in the IAT, so I kept it there until the system made up the import table, then modified the imports to the correct values before running. Edited April 18, 2007 by syk071c
zako Posted April 17, 2007 Must try this... Don't forget to let us know how you get on.
Zool Posted April 18, 2007 Thanks for putting this very nice article/tut in my view. I'm very much a newbie in reversing, still, but I have a "project" - there's a certain piece of software that I'd like to "take for a ride". The software is packed with Molebox (and I cannot yet unpack it, due to lack of skills), but since the function that I'm targeting is taking input from Windows APIs, and the import table for Windows functions is seemingly intact, this might be a short path to the goal. Again, my sincere thanks. Zool
zako Posted April 18, 2007 If you wouldn't mind sharing that target, would you PM me a link?
Killboy Posted April 18, 2007 I've already seen this as an inline patch for PELock -> the packer itself, which is packed with PELock; he (the cracker) hooked the IAT thunk of some API which probably was called close to the registration scheme... Nice idea indeed, I was quite surprised when I stumbled upon this...
Fungus Posted April 18, 2007 It's very cool, and a nice article. I've gotten many ideas for using this already. On another note, does anyone happen to have Y0da's other articles he has posted on that site? Those would be nice to read also.
Zool Posted April 19, 2007 (edited) @zako: I still have too few posts on this forum to PM anyone. What time zone are you in? Maybe we could talk about it on IRC? Zool Edited April 19, 2007 by Zool