The_SSJ - retired Posted August 12, 2009 (edited) Hi guys, This morning (in my time zone) I wrote a little txt-file explaining the basic approach to redirecting the imports of an app. This would be especially useful when you write your own protector or something else... It is not finished yet - there are many things I plan to do... You will find it attached to this post. Greets The_SSJ /Edit: By the way - examples are coded in pseudo-asm... Import redirection by The_SSJ.txt Edited September 17, 2009 by The_SSJ
Guy Posted September 4, 2009 Fairly good job explaining it; I'm actually implementing my own API-redirection technique in a library of mine, except it uses its own GetModuleHandle/GetProcAddress functions for making imports in memory, rather than destroying the IAT, leaving such a large fingerprint behind. From there, I do checks on the prologue code for some functions that have the usual three instructions: "MOV EDI, EDI"; "PUSH EBP"; "MOV EBP, ESP". If that's altered, you can assume a hook exists, etc. I think the idea of API redirection is good, and it just takes a little creativity to make it into something great.
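The prologue check Guy describes, as an added example (this is not Guy's library code): the classifier below looks at the first bytes of an export and distinguishes the hot-patchable prologue `8B FF 55 8B EC` from the patterns a hook usually leaves behind (an `E9 rel32` jump written over the entry, the `EB F9` short jump a hot-patcher plants in the `mov edi, edi` slot, and a `push imm32 / ret` trampoline), resolving the jump target so you can see where control actually goes. It runs over constructed byte buffers at a made-up address (0x7C801000) so it works offline; on Windows you would fill the buffer from the address `GetProcAddress` returns.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum prologue_kind {
    PROLOGUE_CLEAN,      /* 8B FF 55 8B EC: mov edi,edi / push ebp / mov ebp,esp */
    PROLOGUE_JMP_REL32,  /* E9 rel32: inline jmp hook written over the entry     */
    PROLOGUE_SHORT_JMP,  /* EB rel8: hot-patch style short jmp (e.g. EB F9)      */
    PROLOGUE_PUSH_RET,   /* 68 imm32 C3: push target / ret trampoline            */
    PROLOGUE_UNKNOWN     /* anything else: needs a disassembler, not a memcmp    */
};

static const uint8_t HOTPATCH_PROLOGUE[5] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* `addr` is where `code` lives in the target process (needed for relative
 * jumps). On a hook, *target receives the address control is diverted to. */
enum prologue_kind classify_prologue(const uint8_t *code, size_t len,
                                     uint32_t addr, uint32_t *target)
{
    *target = 0;
    if (len >= 5 && memcmp(code, HOTPATCH_PROLOGUE, 5) == 0)
        return PROLOGUE_CLEAN;
    if (len >= 5 && code[0] == 0xE9) {               /* jmp rel32 */
        *target = addr + 5 + rd32(code + 1);         /* wraps mod 2^32 like EIP */
        return PROLOGUE_JMP_REL32;
    }
    if (len >= 2 && code[0] == 0xEB) {               /* jmp rel8 (signed) */
        *target = addr + 2 + (uint32_t)(int32_t)(int8_t)code[1];
        return PROLOGUE_SHORT_JMP;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) { /* push imm32 / ret */
        *target = rd32(code + 1);
        return PROLOGUE_PUSH_RET;
    }
    return PROLOGUE_UNKNOWN;
}

/* Convenience wrappers. */
enum prologue_kind kind_of(const uint8_t *code, size_t len, uint32_t addr)
{ uint32_t t; return classify_prologue(code, len, addr, &t); }

uint32_t target_of(const uint8_t *code, size_t len, uint32_t addr)
{ uint32_t t; classify_prologue(code, len, addr, &t); return t; }

/* Constructed samples, as if read from an export at the made-up address 0x7C801000. */
const uint8_t SAMPLE_CLEAN[]   = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t SAMPLE_JMP[]     = { 0xE9, 0xFB, 0x0F, 0x00, 0x00, 0x8B, 0xEC, 0x90 };
const uint8_t SAMPLE_SHORT[]   = { 0xEB, 0xF9, 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10 };
const uint8_t SAMPLE_PUSHRET[] = { 0x68, 0x78, 0x56, 0x34, 0x12, 0xC3, 0x90, 0x90 };

int main(void)
{
    const uint8_t *s[] = { SAMPLE_CLEAN, SAMPLE_JMP, SAMPLE_SHORT, SAMPLE_PUSHRET };
    const char *names[] = { "clean", "jmp rel32", "short jmp", "push/ret" };
    for (int i = 0; i < 4; i++) {
        uint32_t t;
        enum prologue_kind k = classify_prologue(s[i], 8, 0x7C801000u, &t);
        printf("%-10s kind=%d target=%08X\n", names[i], (int)k, t);
    }
    return 0;
}
```

Caveat: comparing against the fixed five bytes only works for exports that were built with the hot-patchable prologue; many are not, and a different build of the DLL may legitimately start differently. The robust form of the check is to compare the bytes in memory with the same export in the module's file on disk (after relocations), which catches any modification, not just the three patterns modelled here.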
The_SSJ - retired Posted September 6, 2009 Author Hey, thanks for the feedback - it almost seemed that nobody cares about knowing the insights of such techniques...^^ I'm currently trying to replicate Obsidium's import redirection technique - but there is still a lot of work to do... If I succeed, I'll update my text-file (: Thanks again and happy coding! The_SSJ
steve10120 Posted September 8, 2009 Funny, just came here looking for something on this topic. The method I'm using can always be patched with the ImpRec trap flag function; even

    mov eax, memaddr
    jmp eax
memaddr:
    push API
    retn

is defeated. Looking forward to seeing the ASProtect update, cheers.
The_SSJ - retired Posted September 8, 2009 Author Hm, what you can do to defeat this function would be to do something like this:

    xor eax, eax
    mov ax, high word of API address
    shl eax, 16
    xor ebx, ebx
    mov bx, low word of API address
    or eax, ebx        ; eax now holds the real API address
    push eax
    retn

Don't know if this would defeat the trap flag method. If this won't work, then stay tuned - I should start with the ASProtect import redirection insights on Friday. Greets The_SSJ
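What a trap-flag tracer like the one in ImpRec recovers dynamically (single-stepping the stub until EIP lands inside a system DLL) can be approximated statically for stubs as simple as the ones in the two posts above. The following is an added example, not ImpRec's code and not The_SSJ's: a tiny interpreter for just the instructions those stubs use (`push imm32`, `push eax`, `retn`, `mov eax/ax/bx, imm`, `shl eax, imm8`, `xor`, `or`, `jmp eax`, `nop`), which follows the stub until it transfers control and reports the recovered address. The sample stubs are constructed, and 0x7C801D7B stands in for some real export address.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define STUB_STACK     8
#define STUB_MAX_STEPS 64

static uint32_t rd16(const uint8_t *p) { return (uint32_t)p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }

/* Emulate a redirection stub. Returns 1 and stores the address the stub
 * transfers control to in *api; returns 0 on an unsupported instruction,
 * on running off the end of the buffer, or after too many steps. */
int resolve_stub(const uint8_t *code, size_t len, uint32_t *api)
{
    uint32_t eax = 0, ebx = 0, stack[STUB_STACK];
    int sp = 0;
    size_t ip = 0;

    for (int step = 0; step < STUB_MAX_STEPS; step++) {
        if (ip >= len) return 0;
        const uint8_t *p = code + ip;
        size_t rem = len - ip;
        uint8_t op = p[0], m = rem > 1 ? p[1] : 0;

        if (op == 0x68 && rem >= 5) {                         /* push imm32 */
            if (sp == STUB_STACK) return 0;
            stack[sp++] = rd32(p + 1); ip += 5;
        } else if (op == 0x50) {                              /* push eax */
            if (sp == STUB_STACK) return 0;
            stack[sp++] = eax; ip += 1;
        } else if (op == 0xC3) {                              /* retn: eip = [esp] */
            if (sp == 0) return 0;
            *api = stack[--sp]; return 1;
        } else if (op == 0xB8 && rem >= 5) {                  /* mov eax, imm32 */
            eax = rd32(p + 1); ip += 5;
        } else if (op == 0xFF && m == 0xE0) {                 /* jmp eax */
            *api = eax; return 1;
        } else if (op == 0x66 && m == 0xB8 && rem >= 4) {     /* mov ax, imm16 */
            eax = (eax & 0xFFFF0000u) | rd16(p + 2); ip += 4;
        } else if (op == 0x66 && m == 0xBB && rem >= 4) {     /* mov bx, imm16 */
            ebx = (ebx & 0xFFFF0000u) | rd16(p + 2); ip += 4;
        } else if (op == 0xC1 && m == 0xE0 && rem >= 3) {     /* shl eax, imm8 */
            unsigned n = p[2] & 31; eax = n ? eax << n : eax; ip += 3;
        } else if ((op == 0x33 || op == 0x31) && m == 0xC0) { /* xor eax, eax */
            eax = 0; ip += 2;
        } else if ((op == 0x33 || op == 0x31) && m == 0xDB) { /* xor ebx, ebx */
            ebx = 0; ip += 2;
        } else if ((op == 0x0B && m == 0xC3) || (op == 0x09 && m == 0xD8)) { /* or eax, ebx */
            eax |= ebx; ip += 2;
        } else if (op == 0x90) {                              /* nop filler */
            ip += 1;
        } else {
            return 0;  /* call, memory operands, etc.: outside this small model */
        }
    }
    return 0;
}

/* Returns the recovered API address, or 0 if the stub could not be followed. */
uint32_t stub_target(const uint8_t *code, size_t len)
{ uint32_t api; return resolve_stub(code, len, &api) ? api : 0; }

/* Constructed stubs; 0x7C801D7B is a placeholder for a real export address. */
const uint8_t STUB_PUSH_RET[] = { 0x68, 0x7B, 0x1D, 0x80, 0x7C, 0xC3 };
const uint8_t STUB_MOV_JMP[]  = { 0xB8, 0x7B, 0x1D, 0x80, 0x7C, 0xFF, 0xE0 };
const uint8_t STUB_SPLIT[] = {
    0x33, 0xC0,                 /* xor eax, eax   */
    0x66, 0xB8, 0x80, 0x7C,     /* mov ax, 0x7C80 */
    0xC1, 0xE0, 0x10,           /* shl eax, 16    */
    0x33, 0xDB,                 /* xor ebx, ebx   */
    0x66, 0xBB, 0x7B, 0x1D,     /* mov bx, 0x1D7B */
    0x0B, 0xC3,                 /* or eax, ebx    */
    0x50,                       /* push eax       */
    0xC3                        /* retn           */
};
const uint8_t STUB_UNSUPPORTED[] = { 0xE8, 0x00, 0x00, 0x00, 0x00, 0xC3 }; /* call rel32 */

int main(void)
{
    printf("push/ret    -> %08X\n", stub_target(STUB_PUSH_RET, sizeof STUB_PUSH_RET));
    printf("mov/jmp eax -> %08X\n", stub_target(STUB_MOV_JMP, sizeof STUB_MOV_JMP));
    printf("split words -> %08X\n", stub_target(STUB_SPLIT, sizeof STUB_SPLIT));
    printf("unsupported -> %08X\n", stub_target(STUB_UNSUPPORTED, sizeof STUB_UNSUPPORTED));
    return 0;
}
```

The point of the exercise is the asymmetry it shows: splitting the address into halves, as in the post above, does not help against a tracer, because the tracer never decodes the arithmetic at all; it just keeps single-stepping until EIP leaves the stub. A static model like this one, on the other hand, breaks as soon as the stub uses an instruction it does not know, which is what junk code, polymorphic handlers and VM-based redirection rely on.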
ghandi Posted September 9, 2009 Nice! I think that VM and obfuscation will be used more and more to hide API, along with code-splicing (even if it is only the calls/jmps to API). A polymorphic handler for each API or pseudo-randomized junk code to confuse automated scripts/tools would be more effective imho, but we all know that really, these measures are at best an obstacle for less experienced/determined reversers. Once a person has the method nutted out and it is dissected, it becomes 'cake' (so to speak) and the power of the redirection is lost until the redirection method is revised. HR, Ghandi
The_SSJ - retired Posted September 9, 2009 Author (edited) Ghandi, it's an honor that you joined this discussion. I don't know how far I'll dive into the ASPR technique, since VMs are not really my favourite subject...^^ I'll definitely show how ASPR steals some instructions from each API and then jumps into the middle of this API (still, ImpRec is able to show which API is called there) or implements API functions in its own packer code. Thinking about it, I could sure handle the topic of VMs, but then the sample code wouldn't be assembler, but C/C++/C#... Well, we'll see - first I have to survive my business meeting...^^ Greets The_SSJ /Edit: Obfuscation will be implemented, too, by the way...^^ Edited September 9, 2009 by The_SSJ
The_SSJ - retired Posted September 17, 2009 Author Here it is finally - import redirection with ASPR... For those wondering why there is no AIP presented there - I decided to make a dedicated section for things like virtualization and code obfuscation (which I haven't started ATM)... I would have wished to attach the file to my first post, but either I am too stupid to do this or it is not possible (for moderators maybe??)... Greets and enjoy! Many updates will follow now that I have finished university! Realizing_import_redirection_by_The_SSJ_V2.pdf
tonyweb Posted September 17, 2009 Great to be the first to say "thank you"!!! Really good work, The_SSJ. Good to see sections with "Will follow soon"... I'm impatient. Regards, Tony
The_SSJ - retired Posted September 18, 2009 Author Many thanks, my friend. Great. Regards. Nice to see you around here, too, my friend...