Jump to content
Tuts 4 You

Injective Code Inside Import Table...

Teddy Rogers

By Teddy Rogers
in Reverse Engineering Articles

 Share

Recommended Posts

Teddy Rogers

Teddy Rogers

Posted
Posted
Let’s imagine we could redirect the thoroughfare of the imported function's entrances into our especial routines by manipulating the import table thunks, it could be possible to filter the demands of the importations through our routines. Furthermore, we could settle our appropriate routine by this performance, which is done by the professional Portable Executable (PE) Protectors, additionally some sort of rootkits employ this approach to embed its malicious code inside the victim by a troy banana.

In reverse engineering world, we describe it as API redirection technique, nevertheless I am not going to accompany all viewpoints in this area by source code, this article merely represents a brief aspect of this technique by a simple code. I will describe other issues in the absence of the source code; I could not release the code which is related to the commercial projects or intended to the malicious motivation, however I think this article could be used as an introduction into this topic.

http://www.tuts4you.com/download.php?view.1555

Ted.

Link to comment
Share on other sites
syk071c

syk071c

Posted
Posted (edited)

i have actually used a similar thing to this once... i unpacked an execryptor file that would refuse to run unless it had GetProcAddress in about five places in the IAT so i kept it there until the system made up the import table then modified the imports to the correct values before running..

Edited by syk071c
Link to comment
Share on other sites
Zool

Zool

Posted
Posted

Thanks for putting this very nice article/tut in my view.

I'm very much a newbie in reversing, still, but I have a "project" - there's a certain piece of software, that I'd like to "take for a ride".

The software is packed with Molebox (and I cannot yet unpack it, due to lack of skills), but since the function that I'm targeting is taking input from windows APIs, and the import table for windows functions is seemingly intact, this might be a short path to the goal.

Again, my sincere thanks :)

Zool

Link to comment
Share on other sites
Killboy

Killboy

Posted
Posted

Ive already seen this as an inline patch for PELock -> the packer itself which is packed with PELock, he (the cracker) hooked the IAT thunk of some API which probably was called close the the registration scheme...

Nice idea indeed, I was quite surprised when I stumbled upon this...

Link to comment
Share on other sites
Fungus

Fungus

Posted
Posted

It's very cool, and a nice article. I've gotten many idea's for using this already.

on another note, does anyone happen to have Y0da's other articles he has posted on that site? Those would be nice to read also.

Link to comment
Share on other sites
Zool

Zool

Posted
Posted (edited)

@zako: I still have too few posts on this forum to PM anyone :^

What time zone are you in ? Maybe we could talk about it on IRC ?

Zool

Edited by Zool
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...