
problem with AfxWinMain.


rflyer
January 17th, 2007, 10:08
Hi guys.
I have some problem with a VC++ 6.0 executable that uses MFC.
When I load this file into IDA it recognizes WinMain(), and when I look at it
there is just one call, with only the parameters of WinMain():

push [esp+arg_C]
push [esp+4+arg_8]
push [esp+8+arg_4]
push [esp+0Ch+arg_0]
call ?AfxWinMain@@YGHPAUHINSTANCE__@@0PADH@Z
retn 10h

And I just don't know what I can do next...
My task is to analyse what that exe is doing (there is some kind of virus stuff in it).
Can somebody help me?

esther
January 17th, 2007, 11:56
Don't think anyone can help you

virus sux

reverser
January 17th, 2007, 12:22
It's an MFC program. You need to find the main program class, which is inherited from CWinApp. One of the simple ways is to find the reference to CWinApp::GetRuntimeClass(). It will be the first entry in the inherited class's vtable. From there you can find the class's constructor and all the overridden methods. MFC sources will be handy here.
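To make the advice above concrete, here is an added illustration (not MFC code and not from anyone in this thread) that models the start-up pattern reverser describes with small stand-ins: a CWinApp-like base whose first virtual is GetRuntimeClass(), a derived app class defined as one global object whose constructor registers itself, and an AfxWinMain-like function that does nothing but dispatch through that object's vtable. The names CWinAppModel, CSampleApp, RuntimeClassModel, AfxGetAppModel and AfxWinMainModel are all constructed for this example; the point is to show why the entry point in IDA looks empty and why vtable slot 0 of the global object leads you to the real class.

```cpp
// Added illustration of the MFC start-up pattern discussed in the thread.
// This is NOT MFC: CWinApp, CRuntimeClass, AfxGetApp and AfxWinMain are
// modelled with stand-ins so the program builds with a plain C++ compiler.
#include <string>

// Stand-in for CRuntimeClass: one static record per class (name + base),
// which is what GetRuntimeClass() returns in real MFC.
struct RuntimeClassModel {
    const char* className;
    const RuntimeClassModel* baseClass;
};

// Stand-in for CWinApp. As in MFC's CObject, GetRuntimeClass() is declared
// first, so it occupies vtable slot 0 of every class derived from it.
class CWinAppModel {
public:
    CWinAppModel();                 // registers `this` as the current app object
    virtual ~CWinAppModel() = default;
    virtual const RuntimeClassModel* GetRuntimeClass() const { return &classRecord; }
    virtual bool InitInstance() { return false; }   // base default; the app overrides it
    virtual int Run() { return 0; }
    static const RuntimeClassModel classRecord;
};
const RuntimeClassModel CWinAppModel::classRecord = { "CWinApp", nullptr };

// Stand-in for the per-thread app pointer that AfxGetApp() returns.
static CWinAppModel* g_currentApp = nullptr;
CWinAppModel::CWinAppModel() { g_currentApp = this; }
CWinAppModel* AfxGetAppModel() { return g_currentApp; }

// The application class an MFC project defines (its name is constructed
// here). This is where InitInstance()/Run() are overridden, i.e. where the
// program's real behaviour lives.
class CSampleApp : public CWinAppModel {
public:
    const RuntimeClassModel* GetRuntimeClass() const override { return &classRecord; }
    bool InitInstance() override { initialised = true; return true; }
    int Run() override { return initialised ? 42 : -1; }
    bool initialised = false;
    static const RuntimeClassModel classRecord;
};
const RuntimeClassModel CSampleApp::classRecord = { "CSampleApp", &CWinAppModel::classRecord };

// The single global app object. Its constructor runs during static
// initialisation, before WinMain, so the app pointer is already set when
// AfxWinMain is entered.
static CSampleApp theApp;

// Stand-in for AfxWinMain: no application logic here at all, only virtual
// calls on the registered object, which is why the disassembly of the entry
// point shows nothing but the forwarding call.
int AfxWinMainModel() {
    CWinAppModel* app = AfxGetAppModel();
    if (app == nullptr) return -1;
    if (!app->InitInstance()) return 0;   // MFC also exits early if InitInstance fails
    return app->Run();
}

// Follows the runtime-class chain starting from vtable slot 0 of the app
// object, the same walk one does by hand in a disassembler: most-derived
// class first, then its bases.
std::string DescribeAppClass() {
    std::string chain;
    for (const RuntimeClassModel* rc = AfxGetAppModel()->GetRuntimeClass(); rc != nullptr; rc = rc->baseClass) {
        if (!chain.empty()) chain += " -> ";
        chain += rc->className;
    }
    return chain;
}

int main() {
    // Stand-alone run: returns 42 via CSampleApp::Run(), and the class chain
    // resolves to "CSampleApp -> CWinApp".
    return AfxWinMainModel() == 42 && DescribeAppClass() == "CSampleApp -> CWinApp" ? 0 : 1;
}
```

In a stripped binary you will not have the class-name strings unless RTTI or the CRuntimeClass records survived, but the mechanics are the same: locate the global object written by a constructor that runs before WinMain, read its vtable pointer, and the functions in that table (slot 0 being the GetRuntimeClass override) are the ones you actually want to analyse.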

ZaiRoN
January 17th, 2007, 12:24
Code:
int __stdcall AfxWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,char *,int)
This is where everything begins. All you have to do is... analyze the whole file. IDA is a great tool for a static approach; you can start from string references, suspicious functions and so on.

If you don't have any kind of experience in exe analysis, I suggest you start by reading our FAQ. Feel free to post your doubts/questions on the forum.

Good luck,
ZaiRoN

blabberer
January 17th, 2007, 12:31
?AfxWinMain@@YGHPAUHINSTANCE__@@0PADH@Z

==

int __stdcall AfxWinMain(struct HINSTANCE__ *,struct HINSTANCE__ *,char *,int)


Putting AfxWinMain into Google spits out a CodeProject article which almost describes the AfxWinMain architecture.

Now what else do you want for a start?


Oops, vc++filt, ZaiRoN?
And 3 replies in three seconds, whoa.

reverser
January 17th, 2007, 12:31
If you're lucky and the RTTI info was left in, the script from here might help:
https://www.openrce.org/downloads/details/196
Run ms_rtti4.idc.

rflyer
January 17th, 2007, 22:50
esther
>virus sux
Yeah, I know, but it's a virus/trojan/etc. (I don't know exactly right now) that I
caught on my friend's computer... So I just want to help...

ZaiRoN
>IDA is a great tool for a static approach; you can start from string references,
>suspicious functions and so on.
It was the first thing I did.
But I think it'll be better to analyse program execution from the point where it starts,
instead of *backtracing* from function to function by IDA xrefs.

>If you don't have any kind of experience in exe analysis, I suggest you start
>by reading our FAQ.
I already had some experience, but never asked myself "what is behind that MFC?"

blabberer
>Putting AfxWinMain into Google spits out a CodeProject article which almost describes
>the AfxWinMain architecture.
Yep, good article, thanks a lot!

reverser
>If you're lucky and the RTTI info was left in, the script from here might help
Seems like I'm not so lucky.

>You need to find the main program class, which is inherited from CWinApp.
Heh, it appears that I had already seen it, but was not sure.

So thanks a lot to all of you, there are no more problems.