
Reverse Engineering a DLL, assembler problems


Kane49
July 27th, 2009, 10:02
Code:
.main
.text:0040123F push 3
.text:00401241 push offset return0
.text:00401246 mov eax, ds:aGetUserNameA
.text:0040124B push eax
.text:0040124C push 0E9h
.text:00401251 call UseOfVP

.useOfVP
.text:00401286 UseOfVP proc near
.text:00401286
.text:00401286 mov eax, esp
.text:00401288 push ebx
.text:00401289 push eax
.text:0040128A push eax
.text:0040128B push esp ;OldProtectionStatus (not relevant)
.text:0040128C push 40h ;NewProtectionStatus
.text:0040128E mov ecx, [eax+10h]
.text:00401291 add ecx, 5 ;SizeOfProtection
.text:00401294 push ecx
.text:00401295 push dword ptr [eax+8] ;StartingAddressOfProtection
.text:00401298 call ds:VirtualProtect_0
.text:004012C7 EndOfUseOfVP:

.Referenced Data
.idata:004030A2 aGetUserNameA dd 30AEh
.idata:004030A6 AGetUserNameW dd 30BEh
.idata:004030AA align 10h
.idata:004030B0 aGetusernamea db 'GetUserNameA',0
.idata:004030BD align 10h
.idata:004030C0 aGetusernamew db 'GetUserNameW',0
.idata:004030CD align 2


VirtualProtect: http://msdn.microsoft.com/en-us/library/aa366898%28VS.85%29.aspx

This should be the relevant code for this purpose; I cut out non-relevant stuff, so don't worry that the addresses are not coherent. I'm pretty confused by the calculation he does to determine the size and address of the protection area for VirtualProtect, as I want to use the exact same call in my C++ program.

My own thoughts, which are probably wrong, in the form of pseudocode!
eax = 004030A2
dwSize = [004030B2]+5
lpAddress = [004030AA] (32bit)
dwSize = t+5 ??
lpAddress = 10 GetUserNameA 00 00 00 | 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Since the t+5 part doesn't make any sense, I'm stuck!

Anybody here willing to help a poor noob?

BanMe
July 27th, 2009, 11:47
looks to be hooking code..
I am kinda lost as to what you're doing, but

I think you're trying to hook those functions..
hopefully this compact, probably wrong code helps

Code:

DWORD OldProtect;
/* GetUserNameW lives in Advapi32.dll; make its first 5 bytes writable */
VirtualProtect(GetProcAddress(GetModuleHandle("Advapi32.dll"), "GetUserNameW"), 5, PAGE_EXECUTE_READWRITE, &OldProtect);


regards BanMe

Kane49
July 27th, 2009, 13:13
It's a proxy DLL for a DLL which is called by an evil rootkit that mistreats my memory, and I'd like to have full control over my computer again.

And your code is not wrong at all; I effectively did the same thing after a while, just not as compact, and I'm not really sure about the size.

Thanks for helping though !

BanMe
July 27th, 2009, 15:35
Next time include a smidge more details.

And anytime..
To explain the size: it is more than likely 5 because that is the size of a hook.. for example, here's a small, somewhat abstracted example of how I think 'it' looks..
VirtualProtect the start of the function.. you got that.. so

Maybe this can help if you're injecting a DLL and then hooking.. or you are hooking yourself.. :d
Code:

pushad
lea eax,HkParams                   ; eax -> hook parameter struct (Opcode, hkAddress, hkTAddress)
lea edi,ByteArray                  ; edi -> buffer that receives the original bytes
mov esi,[eax]HkParams.hkTAddress   ; esi = target (hooked) function address
mov ecx,0x5                        ; a 5-byte hook: opcode + rel32
push esi
rep movsb                          ; save the 5 bytes about to be overwritten
pop esi
push eax
mov al,byte ptr [eax]HkParams.Opcode
mov byte ptr [esi],al              ; write the jump opcode (E9) at the target
pop eax
mov ebx,[eax]HkParams.hkAddress    ; ebx = address of the hook routine
add esi,5                          ; esi = address of the instruction after the jump
sub ebx,esi                        ; rel32 = hook - (target + 5)
sub esi,4                          ; esi = target + 1, where the rel32 goes
mov dword ptr [esi],ebx            ; store the displacement (little-endian)
popad


This is a small snippet from the hkHooking namespace I coded.. that still needs work.. the other methods besides APC injection are easily implemented... I'm currently toying with seeing if I can add a section to a file's in-memory image sections at runtime.. or pre-runtime.. need to mimic the base concept of rebuilding everything for an "attached section", but this shouldn't be too hard a task for the Ldr routines... but this topic is widely talked about and now documented partly by Piotr Bania..

Known 'hooking' methods and some concept methods...
the old '5 byte overwrite'..

2 byte hooking ebf9
mov edi,edi

old 5 byte overwrite with a spin:
hooking of either the int3's or the nop's.. now if you can't locate them up, you can search down.. jmp up 7 or down the length of the function..

single byte hooks: the kernel call routine's service identifier.. use a kernel driver similar to Stoned's 'service adding' features.... at least I would do that.. haven't analysed any of his code yet..

Shared section code used as hook routine.. and the 'client' part of the subsystem implements the hooks.. pre-runtime.. haven't tested the client by injecting it yet though, but I have successfully hooked myself in some of the various tests to accomplish this..

IAT hooking: hooking the Import Address Table..
basically hooks the Import Address Table to 'filter or hook' the function upon call from the 'host' process.. and can be used to gain information from a remote process..
IAT hooking can be easily bypassed by GetProcAddress or a similar routine, as well as signature scanning for the function..

EAT (or address lookup hooking): used for GetProcAddress or other types of lookup that retrieve the address from the EAT..
Sig-scanning for the function bypasses EAT.

Ghostwriting.. on rootkit.com

Mapped memory double checking with a gathered 'mapped' signature can detect runtime hooking and most of these types of hooks, not IAT or EAT.. unless you modify the original module; then it becomes the tactic that they verify your system version and then download the DLL, and do another mapped check... and then you've got issues with gathering the file from the socket securely..

Modified stack hooking (I'm working on it..) with 'code' that searches for and uses the found code to build itself.. this can be done by providing a usable 'stack swapping and context poisoning' methodology.. searching for places to use these mentioned methods will be the fun part.. as well as chaining them together.. :d


BanMe
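A worked example added by the editor, not code from either poster. It reproduces in C what the two snippets in this thread do: the VirtualProtect call in UseOfVP, whose region starts at the function address ([eax+8]) and spans extra+5 bytes ([eax+10h]+5), and the HkParams routine that saves the original five bytes, writes the E9 opcode and stores hook - (target + 5) as the rel32. It also covers the 2-byte mov edi,edi / EB F9 hot-patch variant from BanMe's list. Memory is modelled as a byte array with constructed addresses so the patch bytes can be checked without a live process; the hook_live wrapper that calls the real VirtualProtect is only compiled under _WIN32 and, like the disassembly, assumes 32-bit addresses. The extra parameter (the 3 pushed in the disassembly) is passed through unchanged because the thread never says what it is for.

```c
/* Added example (editor's code, not from the thread). 32-bit x86 hook patching
 * as discussed above: the classic 5-byte E9 overwrite and the 2-byte hot-patch
 * variant. Addresses are uint32_t because the disassembly is 32-bit; the sample
 * addresses and prologue bytes are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define OP_JMP_REL32 0xE9u   /* the 0E9h pushed as first argument in the disassembly */
#define OP_JMP_REL8  0xEBu
#define HOOK_LEN     5u      /* E9 rel32: the 5 that UseOfVP adds to its third argument */

/* rel32 for an E9 jump located at `at`: destination minus the address of the
 * next instruction (at + 5). Unsigned wraparound yields the two's-complement value. */
static uint32_t jmp_rel32(uint32_t at, uint32_t dest) {
    return dest - (at + HOOK_LEN);
}

/* Decode a 5-byte jmp found at `at`; used to check that a patch round-trips. */
static uint32_t jmp_dest(const uint8_t *mem, uint32_t at) {
    uint32_t rel = (uint32_t)mem[1] | ((uint32_t)mem[2] << 8) |
                   ((uint32_t)mem[3] << 16) | ((uint32_t)mem[4] << 24);
    return at + HOOK_LEN + rel;
}

/* Classic 5-byte overwrite, the same steps as the HkParams asm: save the original
 * bytes (rep movsb), write the opcode, store the rel32 at target+1 little-endian.
 * `mem` is the caller's view of memory beginning at `target`. */
static void write_jmp5(uint8_t *mem, uint32_t target, uint32_t hook, uint8_t saved[HOOK_LEN]) {
    uint32_t rel = jmp_rel32(target, hook);
    memcpy(saved, mem, HOOK_LEN);
    mem[0] = OP_JMP_REL32;
    mem[1] = (uint8_t)rel;
    mem[2] = (uint8_t)(rel >> 8);
    mem[3] = (uint8_t)(rel >> 16);
    mem[4] = (uint8_t)(rel >> 24);
}

/* 2-byte hot-patch hook. Hot-patchable functions begin with mov edi,edi (8B FF)
 * preceded by 5 bytes of padding (90 NOP or CC INT3). The long jump goes into the
 * padding and mov edi,edi becomes jmp $-7 (EB F9), which lands on the E9.
 * `mem` points at the padding, i.e. target-5. Returns 0 and changes nothing if
 * the expected pattern is not there. */
static int write_hotpatch(uint8_t *mem, uint32_t target, uint32_t hook, uint8_t saved[HOOK_LEN]) {
    for (unsigned i = 0; i < HOOK_LEN; i++)
        if (mem[i] != 0x90 && mem[i] != 0xCC) return 0;
    if (mem[5] != 0x8B || mem[6] != 0xFF) return 0;   /* not mov edi,edi */
    write_jmp5(mem, target - HOOK_LEN, hook, saved);
    mem[5] = OP_JMP_REL8;
    mem[6] = 0xF9;                                     /* -7: back onto the E9 */
    return 1;
}

#ifdef _WIN32
/* The call UseOfVP makes: region = function address, size = extra + 5. `extra`
 * mirrors the 3 pushed in the disassembly (assumption: its purpose is not stated
 * in the thread, so it is passed through unchanged). 32-bit process only. */
static int hook_live(void *target, void *hook, DWORD extra, uint8_t saved[HOOK_LEN]) {
    DWORD old;
    if (!VirtualProtect(target, extra + HOOK_LEN, PAGE_EXECUTE_READWRITE, &old)) return 0;
    write_jmp5((uint8_t *)target, (uint32_t)(uintptr_t)target, (uint32_t)(uintptr_t)hook, saved);
    VirtualProtect(target, extra + HOOK_LEN, old, &old);   /* restore original protection */
    FlushInstructionCache(GetCurrentProcess(), target, HOOK_LEN);
    return 1;
}
#endif

int main(void) {
    /* Constructed prologue (push ebp; mov ebp,esp; sub esp,10h; push ebx; push esi)
     * at a made-up address, hooked to a made-up hook address. */
    uint8_t img[8] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53, 0x56 };
    uint8_t saved[HOOK_LEN];
    uint32_t target = 0x77D0A000u, hook = 0x10001000u;
    write_jmp5(img, target, hook, saved);
    printf("patch:");
    for (unsigned i = 0; i < HOOK_LEN; i++) printf(" %02X", img[i]);
    printf("  -> jumps to %08X (saved %02X %02X %02X %02X %02X)\n",
           jmp_dest(img, target), saved[0], saved[1], saved[2], saved[3], saved[4]);
    return jmp_dest(img, target) == hook ? 0 : 1;
}
```

The saved bytes are what a trampoline would need in order to call the original; note that a 5-byte overwrite that cuts through the middle of an instruction (here the 5 bytes end inside sub esp,10h) is why real hook libraries disassemble the prologue before choosing the patch length.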