Jump to content
Tuts 4 You

Import redirection - a basic idea

The_SSJ - retired

By The_SSJ - retired
in Programming and Coding

Recommended Posts

The_SSJ - retired

The_SSJ - retired

Posted
Posted (edited)

Hi guys,

This morning (in my time zone :D) I wrote a little txt-file explaining the basic approach to redirect imports of an app. This would be especially useful when u write your own protector or something else...

It is not finished yet - There are many things I plan to do...

You will find it attached in this post.

Greets

The_SSJ

/Edit: By the way - examples are coded in pseudo-asm...:D

Import redirection by The_SSJ.txt

Edited by The_SSJ
  • Like 1
  • 4 weeks later...
Guy

Guy

Posted
Posted

Fairly well job explaining it; I'm actually implementing my own API-redirection technique in a library of mine, except it uses its own GetModuleHandle/GetProcAddress functions for making imports in memory, rather than destroying the IAT, leaving such a large fingerprint behind.

From there, I do checks on the prologue code for some functions that have the usual three instructions: "MOV EDI, EDI"; "PUSH EBP"; "MOV EBP, ESP". If that's altered, you can assume a hook exists, etc.

I think the idea of API redirection is good, and it just takes a little creativity to make it into something great.

The_SSJ - retired

The_SSJ - retired

Posted
  • Author
Posted

Hey,

thanks for the feedback - it almost seemed that nobody cares about knowing the insights of such techniques...^^

I'm currently trying to replicate Obsidiums Import redirection technique - but still there is a lot of work to do...:D

If I succeed, I'll update my text-file (:

Thanks again and happy coding!

The_SSJ

steve10120

steve10120

Posted
Posted

Funny, just came here looking for something on this topic. The method I'm using can always be patched with the ImpRec trap flag function, even a

mov eax, memaddr

jmp eax

memaddr:

push API

retn

is defeated. Looking forward to seeing the ASProtect update, cheers. :)

The_SSJ - retired

The_SSJ - retired

Posted
  • Author
Posted

Hm, what u can do to defeat this function would be if u would do somethin like this:


mov ax, first half of API
shl eax, 8
Xor ebx, ebx
mov bx, second half of API 
or eax, ebx ; Eax holds now real api, don't know if this would defeat trap flag method
push eax
retn

if this won't work, then stay tuned - I should start with ASProtect Import redirection insights on friday ;)

Greets

The_SSJ

ghandi

ghandi

Posted
Posted

Nice! I think that VM and obfuscation will be used more and more to hide API, along with code-splicing (even if it is only the calls/jmps to API).

A polymorphic handler for each API or psuedo-randomized junk code to confuse automated scripts/tools would be more effective imho, but we all know that really, these measures are at best an obstacle for less experienced/determined reversers. Once a person has the method nutted out and it is dissected, it becomes 'cake' (so to speak) and the power of the redirection is lost until the redirection method is revised.

HR,

Ghandi

The_SSJ - retired

The_SSJ - retired

Posted
  • Author
Posted (edited)

Ghandi, it's an honor that u joined this discussion :D

I don't know how far I'll dive into the ASPR-technique, since VM's are not really my favourite subject...^^

I'll definitely show how ASPR steals some instructions from each API and then jumps into the middle of this API (still ImpRec is able to show which API is called there) or implements API functions in it's own packer-code.

Thinking about it, I could sure handle the topic of VM, but then sample-code wouldn't be assembler, but c/c++/c#...

Well, we'll see - first I have to survive my business meeting...^^

Greets

The_SSJ

/Edit: Obfuscation will be implemented, too, by the way...^^

Edited by The_SSJ
  • 2 weeks later...
The_SSJ - retired

The_SSJ - retired

Posted
  • Author
Posted

Here it is finally - import redirection with ASPR...for those wondering why there is no AIP presented there - I decided to make a dedicated section for things like virtualization and code obfuscation (which I didn't start ATM)...

I would have wished to attach the file to my first post, but either I am to stupid to do this or it is not possible (for moderators maybe??)...

Greets and enjoy! Many updates will follow now that I finished university!

Realizing_import_redirection_by_The_SSJ_V2.pdf

tonyweb

tonyweb

Posted
Posted

Great to be the first to say "thank you" !!!

Really good work, The_SSJ.

Good to see sections with "Will follow soon" ... I'm impatient :)

Regards,

Tony

AnTiCDLoCK

AnTiCDLoCK

Posted
Posted

Many tanx my friend. ;);)

Great.

Regards.

The_SSJ - retired

The_SSJ - retired

Posted
  • Author
Posted

Many tanx my friend. ;);)

Great.

Regards.

Nice to see u here around, too, my friend...;)

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...