How to get symbolic names of APIs etc?

[LCF-AT]

Hello all,

so I have again a question and maybe you have a solution for me. So I am searching a way how to get a API name from a register with a Olly code for exsample.So normaly I use Olly Script plugin to check the addresses for API Names and dll Names with the script command GN.

Exsample:

EAX 010015E0 calc.010015E0
ECX 0007FFB0
EDX 7C91EB94 ntdll.KiFastSystemCallRet
EBX 00000000
ESP 0007FF30
EBP 0007FFC0
ESI FFFFFFFF
EDI 7C80B529 kernel32.GetModuleHandleA
-------------------
EIP 0101248A calc.0101248AAPI ADDR | API NAME
7C80B529 GetModuleHandleA      MOV EDI,EDI7C91EB94 KiFastSystemCallRet   RETN

Here we have 2 APIs into the register EDX and EDI.Now I can use this GN command to get the infos to know whether its a API in or not.

gn edi
cmp $RESULT_2, 00
je NO_API
log $RESULT
log $RESULT_1
log $RESULT_2
////////////////////
NO_API:
ret

 $RESULT: kernel32.GetModuleHandleA
$RESULT_1: kernel32
$RESULT_2: GetModuleHandleA

On this way I get the symbolic names with Olly script.So now my question is how to get the same results with a Olly ASM code?Is there a easy solution / code which I can use?

push Free Address // Store for back values

push EDI // API or no API Address

call GetSymbolName // Any API or so

You know something like this maybe.Maybe someone of you have already a idea or a ready code [MultiASM style please] which I can use for this.

-----------------------------

-----------------------------

So on the other hand I asked me why is there no Olly Scirpt dll to get which the user can control with direct Olly ASM commands! So I think some kind of multi dll with a double function.So that you can use Olly Script with normaly Olly written scripts and also that you can use Olly scirpt commands with Olly ASM code. So on this way you can work very very faster than only to use Olly script commands alone you know?So the advantage is that you can use Olly script commands with Olly ASM code if you maybe have to check A LOT code which takes many time to check.So on this way you can create a check loop ASM code + Olly script commands like GN for exsample which is executed in one,two,three seconds instead of one,two hours with Olly script window execution you know.

So is there a way to translate the most Olly stuff to new APIs?Maybe it is a good idea [so I think of course it is ] and some coding expert want to try to transplant it or so.What do you think?Also I have no idea whether its possible or not so its just a idea.

PS: So for the momnent it would be very helpfully if someone has a solution for me to my first question above.

Thank you

[cozofdeath]

At...

/>http://msdn.microsoft.com/en-us/library/ms679291%28v=VS.85%29.aspx

they have a bunch of apis for handling symbols. I seen a couple that looked useful but I don't have any experience with them so I don't want to give you the wrong info but hopefully this helps.

[Killboy]

What is Olly ASM code?

[LCF-AT]

So I mean the normaly disassembly | ASM etc you know what I mean.

Pushad
push
call
etc
GetSymbolNames somehow
etc
popad 

So I called always Olly ASM code.

EDIT:

@ cozofdeath

Ah yes but I am not good to understand this msdn descriptions.So I grow up only with Olly.So maybe someone can have a look into the Olly script source and look what the GN command does and then I need someone who can translate this small peace of code in a MultiASM exsample which I can paste in Olly.Something like this you know.So the last time I was also searching a exsample how to get the size of a command and there has BoB send a exsample which was working perfect.

greetz

Edited August 30, 2011 by LCF-AT

[kao]

"GN" uses function _Decodeaddress - it's a custom function exported by OllyDbg.exe. So, it's probably a dead end.

Import rebuilders use bruteforce method by finding proper DLL using Module32First/Module32Next or EnumProcessModules/GetModuleInformation, and then enumerating all exports of this DLL until they find one which has correct address.

I'm afraid that there is no easier way.

[LCF-AT]

Hi all,

@ Kao

So this sounds very BAD!So normaly I dont want to use Module32First/Module32Next etc to get the infos you know.So lets say the Imports & Exports are overwritten with 00 bytes and then I can also get no infos in this way you know.So is there nothing to do?Is it not possible that someone can kopie this GN function from the Olly script source and create some kind of NEW mini dll which I can load with my script and then can use in a patch?So I mean a dll which are used also the custom function.You know something like this.

PS: So do you have already a ready code exsample for your way which I can test for the moment?MultiASM style I mean [opcodes] which I can paste etc.

greetz

[Nacho_dj]

LCF-AT, I don't know if this will do the work, but I could share with you the Import Rebuilder coded for Armageddon tool, as a dll file.

Let me know about this.

Cheers

Nacho_dj

[Aguila]

That is funny LCF-AT, why do you think do we need some import rebuilder tool?

I mean, if it is that easy, nobody needs an extra import reconstruktor tool...

I can create a dll too if you need one. But it is not some "mini" as you might think. In my scylla tool this address to api name magic stuff has over 1000 lines of C/C++ code, probably over 10 000 lines asm.

[LCF-AT]

Hi again,

@ Nacho_dj

Hhmmm so I dont know whether I can use this on this way too but sounds interesting too.

Ok I tell you again easy what I need.So at the moment I write a new script and there is a part where I have to check XY Address just to know whether it is a API or no API.So this are the 2 conditions YES or NO.Unfortunately I have to check a lot code and only to use the script will take a lot time and I want to prevent this waste of time.So I added also a lot other code patches into the script also to prevent waste of time and all is working very well so far but now I stuck on this API YES or NO problem.So I have to find a way how to recognize a API address.Yes API NO API....but also if the dll import & export table are not there or overwritten for exsample you know.So the symbolic of any API are always there and I thought it would be good to create a patch which can get the symbolic Name of a API to be sure that address XY is really a API or not.So its no problem to use the GN command but it takes a to long time to check all and this is irritating.

So can your Import Rebuilder [dll] check this anyhow?Maybe so...

push eax // There is a API or NO API let say there is no GMHA API

call Import_Rebuilder_xy_API

...result = 1 for YES its a API

...result = 0 for NO its no API

So this would be also very good for the moment just to get this info 1 or 0 you know.But is it possible to check this too if no import / export table is there?Ok it would be also good if you can create a small dll which can check this API with imports / exports but then maybe with a third result parameter.

...result = 1 for YES its a API

...result = 0 for NO its no API

...result = 2 for No Import | Export to find

Then I could later check the rest with GN command.

@ Aguila

Yes ok sounds very costly just to get the info. So I thought it would be easier or so.Do you have a idea for a other easier way maybe?So I dont want to fix something or so just need to know the info YES or NO API thats all.

greetz

[Nacho_dj]

OK, There is a function in the dll that performs exactly that.

I have just to export it to be used externally of the dll.

I'll try to implement it and test a little bit before answering you...

Cheers

Nacho_dj

[kao]

Exports are overwritten with 00 bytes

It's very unlikely that anyone will ever do that, because it makes GetProcAddress() to fail for any API exported by such DLL.

I hope that Nacho_DJ will be able to give you the DLL you need.

[Aguila]

well, if you always are in the process (not do it externally), there is a fast and more easy way.

Use the PEB to walk through all modules, compare the api address with the base address

if (api address > module_base && api address < module_base_next)

{

go to export table and walk the address of functions array

if found -> api

if not found -> no api

}

probably this are only ~50 lines asm without any caching.

you can find the PEB here: DWORD PTR FS:[30h]

Edited September 1, 2011 by Aguila

[-Alex-]

Do u only want to check if the va is an api, or u also want to have the name of api and module?

[mrexodia]

Normally all apis (system ones) are allocated in addresses higher than 70000000... just sub the api addr with 70000000 and see if it's higher than 0

Greetings

[Killboy]

Normally all apis (system ones) are allocated in addresses higher than 70000000... just sub the api addr with 70000000 and see if it's higher than 0

Greetings

That also makes FFFFFFFF an api Actually you made half of all the address space one big API.

[Saduff]

Build a list of API addresses in e.g kernel32.dll, ntdll.dll, etc by reading the exports section.

Once you have the addresses, compare the given address against the list.

If found in the list, it's an API, if not, it's not an API.

This is too much work to be done with inline asm, but if you put it in a DLL, you can just call the function.

Or maybe disassemble _Decodeaddress in Olly and see how Olly does it.

Edited September 2, 2011 by Saduff

[-Alex-]

I have coded already a dll, i just wait till LCF-AT answers my question, so i can see if i need to add the names to the output, thats all.

[LCF-AT]

Hi guys,

@ Nacho_dj

Ok sounds good.So let me know if you are ready so that I can test it.

@ kao

Yes I will see what Nacho_dj can do.

@ Aguila

Yes I can also use the PeB struct so a fried has send me a small code part for this which I can use at the moment.

@ -Alex-

So first I want to find a way to get the symbolic names like the GN command of Olly script can do.So to check the APIs whether they are valid is also a solution I can live with for the moment.So this code have already.

@ Mr. eXoDia

Yes ok but I dont want only to check system APIs also custom API | dlls protected dlls etc all you know.

@ Saduff

So I can not create a dll so I am no coder person.I can just use Olly script to load xy dll or insert pacthes.

greetz

[Nacho_dj]

Hello!

Please check your mailbox to get all info needed for your tests...

Let me know about your progress

Cheers

Nacho_dj