Tuts 4 You

Injective Code Inside Import Table...


Teddy Rogers

Let's imagine we could redirect the path of the imported functions' entry points into our own special routines by manipulating the import table thunks; it would then be possible to filter the calls to the imported functions through our routines. Furthermore, we could install our own routine in this way, which is what the professional Portable Executable (PE) protectors do; additionally, some kinds of rootkits employ this approach to embed their malicious code inside the victim by way of a Trojan.

In the reverse engineering world we describe this as the API redirection technique; nevertheless, I am not going to cover every viewpoint in this area with source code. This article merely presents a brief view of the technique with a simple piece of code. I will describe the other issues without source code; I cannot release code that is related to commercial projects or intended for malicious purposes. However, I think this article could serve as an introduction to the topic.

http://www.tuts4you.com/download.php?view.1555

Ted.
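The thunk manipulation the post describes, as an added C example that is not part of the original article or its download: it declares the PE32+ import descriptor locally so it builds without windows.h, constructs a small in-memory image with a two-entry import table, then walks the import directory, matches "GetProcAddress" through the import name table and overwrites the matching IAT slot with a filtering routine that refuses some requests and forwards the rest to the saved original. The image layout, the DLL and function names in the table, and the stand-in functions behind them are all constructed for the example; nothing here is taken from the article's code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* PE32+ import descriptor, declared locally (no <windows.h>) so the example
 * builds anywhere; layout and field names follow the PE specification. */
typedef struct {
    uint32_t OriginalFirstThunk;          /* RVA of the Import Name Table (INT)    */
    uint32_t TimeDateStamp, ForwarderChain;
    uint32_t Name;                        /* RVA of the DLL name                   */
    uint32_t FirstThunk;                  /* RVA of the Import Address Table (IAT) */
} IMAGE_IMPORT_DESCRIPTOR;
#define IMAGE_ORDINAL_FLAG64 0x8000000000000000ULL
static void *rva(void *base, uint64_t r) { return (uint8_t *)base + r; }

/* Constructed stand-in for a loaded module: every RVA is an offset from the start
 * of this struct, so the walk below is the one you would do against a real module
 * base. Assumption: one DLL with two named imports. */
typedef struct {
    IMAGE_IMPORT_DESCRIPTOR desc[2];      /* import directory + null terminator      */
    uint64_t int_table[3];                /* INT: RVAs of hint/name entries, 0-ended */
    uint64_t iat[3];                      /* IAT: resolved addresses, 0-ended        */
    char     dll_name[16];
    struct { uint16_t Hint; char Name[16]; } names[2];   /* IMAGE_IMPORT_BY_NAME */
} Image;
typedef int (*api_fn)(int);

/* Stand-ins for the imported functions; the names in the table are labels only. */
static int real_get_proc_address(int x) { return x * 2; }
static int real_load_library(int x)     { return x + 100; }

/* Our own routine: filter the request, then forward to the original address
 * saved at hook time, as an API-redirecting protector or rootkit would. */
static api_fn g_orig_get_proc_address;
static int    g_filtered;                 /* calls the filter refused */
static int filtered_get_proc_address(int x)
{
    if (x < 0) { g_filtered++; return -1; }   /* policy: refuse bad requests */
    return g_orig_get_proc_address(x);        /* otherwise pass through */
}

/* Walk the import directory at dir_rva; when the import called `name` is found,
 * overwrite its IAT slot with `hook` and return the original address (0 if absent).
 * Names are matched via the INT: once the loader has run, the IAT holds addresses. */
uint64_t iat_redirect(void *base, uint32_t dir_rva, const char *name, uint64_t hook)
{
    for (IMAGE_IMPORT_DESCRIPTOR *d = rva(base, dir_rva); d->Name != 0; d++) {
        uint64_t *names = rva(base, d->OriginalFirstThunk);
        uint64_t *iat   = rva(base, d->FirstThunk);
        for (size_t i = 0; names[i] != 0; i++) {
            if (names[i] & IMAGE_ORDINAL_FLAG64) continue;          /* by ordinal: no name */
            const char *fn = (const char *)rva(base, names[i]) + 2; /* skip 16-bit Hint */
            if (strcmp(fn, name) == 0) {
                uint64_t orig = iat[i];
                iat[i] = hook;            /* the redirection: a single pointer write */
                return orig;
            }
        }
    }
    return 0;
}

void build_image(Image *img)
{
    memset(img, 0, sizeof *img);
    img->desc[0].OriginalFirstThunk = (uint32_t)offsetof(Image, int_table);
    img->desc[0].Name               = (uint32_t)offsetof(Image, dll_name);
    img->desc[0].FirstThunk         = (uint32_t)offsetof(Image, iat);
    strcpy(img->dll_name, "kernel32.dll");
    strcpy(img->names[0].Name, "GetProcAddress");
    strcpy(img->names[1].Name, "LoadLibraryA");
    for (int i = 0; i < 2; i++)
        img->int_table[i] = offsetof(Image, names) + i * sizeof img->names[0];
    img->iat[0] = (uint64_t)(uintptr_t)real_get_proc_address;
    img->iat[1] = (uint64_t)(uintptr_t)real_load_library;
}

/* What the victim's own code does: call through the IAT slot, so whatever sits there gets control. */
int call_import(const Image *img, size_t slot, int arg) { return ((api_fn)(uintptr_t)img->iat[slot])(arg); }
/* Run the scenario; returns 0 when every check holds, else one bit per failure. */
int demo(void)
{
    Image img;
    int before = g_filtered, rc = 0;
    build_image(&img);
    uint64_t orig = iat_redirect(&img, (uint32_t)offsetof(Image, desc), "GetProcAddress",
                                 (uint64_t)(uintptr_t)filtered_get_proc_address);
    if (orig != (uint64_t)(uintptr_t)real_get_proc_address) return 1;
    g_orig_get_proc_address = (api_fn)(uintptr_t)orig;
    if (call_import(&img, 0, 21) != 42) rc |= 2;    /* forwarded to the original */
    if (call_import(&img, 0, -1) != -1) rc |= 4;    /* refused by our filter */
    if (g_filtered != before + 1)       rc |= 8;
    if (call_import(&img, 1, 1) != 101) rc |= 16;   /* other import untouched */
    if (iat_redirect(&img, 0, "NoSuchImport", 0) != 0) rc |= 32;
    return rc;
}

int main(void) { printf("demo: %s\n", demo() == 0 ? "ok" : "FAILED"); return 0; }
```

Against a real module the only differences are in where the inputs come from: the import directory RVA is read from the optional header's data directory (IMAGE_DIRECTORY_ENTRY_IMPORT) and added to the module base, and the IAT usually sits in a read-only section after loading, so the slot has to be made writable with VirtualProtect before the write and restored afterwards. Two limits worth knowing: an image whose OriginalFirstThunk is zero has no name table to match against once it is loaded, and any call that does not go through the IAT slot (an address the program cached earlier, or one it resolved itself with GetProcAddress) never reaches the filter, which is why protectors that rely on this technique also take an interest in the other places the program obtains API addresses.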


I have actually used a similar thing to this once... I unpacked an ExeCryptor file that would refuse to run unless it had GetProcAddress in about five places in the IAT, so I kept it there until the system made up the import table, then modified the imports to the correct values before running...

Edited by syk071c

Thanks for putting this very nice article/tut in my view.

I'm very much a newbie in reversing, still, but I have a "project": there's a certain piece of software that I'd like to "take for a ride".

The software is packed with MoleBox (and I cannot yet unpack it, due to lack of skills), but since the function I'm targeting takes its input from Windows APIs, and the import table for the Windows functions is seemingly intact, this might be a short path to the goal.

Again, my sincere thanks :)

Zool


I've already seen this as an inline patch for PELock -> the packer itself, which is packed with PELock; he (the cracker) hooked the IAT thunk of some API which was probably called close to the registration scheme...

Nice idea indeed, I was quite surprised when I stumbled upon this...


It's very cool, and a nice article. I've gotten many ideas for using this already.

On another note, does anyone happen to have Y0da's other articles that he has posted on that site? Those would be nice to read also.


@zako: I still have too few posts on this forum to PM anyone :^

What time zone are you in? Maybe we could talk about it on IRC?

Zool

