Saturday, August 30, 2014

Windows System Programming: Grabbing Address of required Windows API from a DLL

A Windows program needs only two APIs to resolve the address of a function exported by a DLL at runtime.

LoadLibraryA takes a DLL name as its argument and returns a handle to the DLL. GetProcAddress takes the DLL handle and a function name as arguments and returns the address of the function of interest.


#include <stdio.h>
#include <windows.h>

int main(int argc, char *argv[])
{
     HMODULE handle;      /* module handle returned by LoadLibraryA */
     FARPROC procAddr;    /* generic function pointer returned by GetProcAddress */

     if (argc != 3) {
         printf("usage: ll_gp.exe dll_name api_name\n");
         return 1;
     }

     /* Load the DLL (or reference it if already loaded) by name */
     handle = LoadLibraryA(argv[1]);
     if (handle != NULL) {
         /* Resolve the exported function by name */
         procAddr = GetProcAddress(handle, argv[2]);
         if (procAddr != NULL) {
             printf("In %s API \"%s\" is located at %p\n",
                    argv[1], argv[2], (void *)procAddr);
         } else {
             printf("Address not found\n");
         }
         /* Free DLL Module */
         FreeLibrary(handle);
     } else {
         printf("NULL handle\n");
     }
     return 0;
}

The program above is compiled to ll_gp.exe and takes two arguments. To build and compile the binary in Dev-C++, press the F9 key.

ll_gp.exe  dll_name api_name

The link below can be used as a reference for Windows programming:

Sunday, August 10, 2014

DLL Injection: Executing and Testing DLL's

DLL (Dynamic Link Library) injection is the process of loading a DLL into a target process so that the code in the DLL executes in the context of that process.

Example Code Snippet

How to test a DLL:
RUNDLL32.EXE dll_name,EntryPoint [options]

The AppInit_DLLs value is found under
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
Set the AppInit_DLLs value (type REG_SZ) to the path of the DLL. Executables that do not link with User32.dll do not load AppInit DLLs.

NOTE: The registry change above might cause inconvenience, as you might see too many pop-ups.
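The same registry location is what a defender checks when looking for this kind of injection on a host. The script below is an added example, not code from the original post: it reads the three values that govern the mechanism (AppInit_DLLs, LoadAppInit_DLLs and RequireSignedAppInit_DLLs) from both the native key and the Wow6432Node view, and reports whether anything is configured and whether loading is actually enabled. The assessment is kept separate from the registry read so it can be exercised with constructed values on any platform; the DLL paths used in the test data are made up, and read_appinit_values() only works on Windows.

```python
"""Audit of the AppInit_DLLs mechanism (added example, not the original post's code)."""
try:
    import winreg  # Windows only; the assessment logic below does not depend on it
except ImportError:
    winreg = None

# Both registry views on 64-bit Windows: the native key governs 64-bit processes,
# the Wow6432Node key governs 32-bit processes.
APPINIT_KEYS = (
    r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
VALUE_NAMES = ("AppInit_DLLs", "LoadAppInit_DLLs", "RequireSignedAppInit_DLLs")


def read_appinit_values(key_path):
    """Read the three governing values under HKLM\\<key_path>; absent values are None."""
    values = dict.fromkeys(VALUE_NAMES)
    if winreg is None:
        raise OSError("registry access requires Windows")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        for name in VALUE_NAMES:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except OSError:  # value not present
                pass
    return values


def split_dll_list(value):
    """AppInit_DLLs is a REG_SZ list of DLL paths separated by spaces or commas."""
    return value.replace(",", " ").split() if value else []


def assess_appinit(values):
    """Classify one registry view.

    Returns (severity, findings): 'none' when no DLL is configured, 'info' when DLLs
    are configured but LoadAppInit_DLLs is 0, 'high' when DLLs are configured and
    loading is enabled (or cannot be confirmed disabled)."""
    dlls = split_dll_list(values.get("AppInit_DLLs"))
    if not dlls:
        return "none", ["AppInit_DLLs is empty"]
    findings = [f"{len(dlls)} DLL path(s) configured: {', '.join(dlls)}"]
    load = values.get("LoadAppInit_DLLs")
    if load == 0:
        findings.append("LoadAppInit_DLLs is 0: the entries are present but not loaded")
        return "info", findings
    if load is None:
        findings.append("LoadAppInit_DLLs is absent: cannot confirm the mechanism is disabled")
    else:
        findings.append("LoadAppInit_DLLs is enabled: every process that loads User32.dll "
                        "will load these DLLs")
    if not values.get("RequireSignedAppInit_DLLs"):
        findings.append("RequireSignedAppInit_DLLs is not set: unsigned DLLs are accepted")
    findings.extend(f"entry without .dll extension: {p}"
                    for p in dlls if not p.lower().endswith(".dll"))
    return "high", findings


def audit_host():
    """Read and assess both registry views on the local machine (Windows only)."""
    report = {}
    for key_path in APPINIT_KEYS:
        try:
            report[key_path] = assess_appinit(read_appinit_values(key_path))
        except OSError as exc:  # key missing (32-bit Windows) or not running on Windows
            report[key_path] = ("unknown", [str(exc)])
    return report


if __name__ == "__main__":
    for key_path, (severity, findings) in audit_host().items():
        print(f"HKLM\\{key_path}: {severity}")
        for line in findings:
            print("   ", line)
```

Run it as an administrator is not required; the key is world-readable. On Windows 8 and later with Secure Boot enabled the AppInit_DLLs infrastructure is disabled regardless of these values, so a "high" result on such a host means the configuration is present but inert; the entries are still worth explaining.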


Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries

In this article we walk through manual unpacking of protected malicious Windows binaries using OllyDbg. We also need to rebuild the Import Address Table (IAT) to restore the file to an executable state. Most anti-virus (AV) vendors flag PE packers as malicious software. There are many packers available, for example ASPack, UPX, NsPack, Armadillo and Themida.

Packers reduce the physical size of an executable by compressing it and combining the compressed data with a decompression stub into a single binary. At runtime, the decompression stub expands the original application and transfers control to the original entry point (OEP).

One method that can be used to locate the original entry point (OEP) of the file is to set breakpoints on the following APIs:
These APIs are called by the packer's start-up routine.
The following articles explain manual unpacking of UPX and AHpack:
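Before reaching for a debugger it helps to confirm statically that a file is packed at all. The script below is an added example, not part of the original article: it parses the PE section table with the Python standard library and reports the usual signs of a packed binary that the description above implies (a high-entropy section holding compressed data, an executable section with no data on disk that the stub fills at runtime, writable-and-executable sections, and an entry point that is not in the first section because the stub runs before the OEP). The two images at the bottom are constructed in memory to exercise the checks; they are not real samples, and only the header fields the parser reads are filled in. Section names are modelled on UPX's layout.

```python
import math
import struct

# IMAGE_SCN_* characteristics from the PE specification
EXECUTE, READ, WRITE = 0x20000000, 0x40000000, 0x80000000


def shannon_entropy(data):
    """Bits per byte: ~0 for constant data, close to 8 for compressed or encrypted data."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe):
    """Walk the PE headers and return (entry_point_rva, [section dicts])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]   # FILE_HEADER.NumberOfSections
    size_opt = struct.unpack_from("<H", pe, e_lfanew + 20)[0]     # FILE_HEADER.SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # IMAGE_OPTIONAL_HEADER
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]         # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, opt + size_opt + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "raw_size": raw_size,
            "exec": bool(chars & EXECUTE), "write": bool(chars & WRITE),
            "entropy": shannon_entropy(pe[raw_ptr:raw_ptr + raw_size]),
        })
    return entry_rva, sections


def packer_indicators(pe, entropy_threshold=7.0):
    """Return findings that suggest a packer; an empty list means none were seen."""
    entry_rva, sections = parse_sections(pe)
    findings = []
    for s in sections:
        if s["raw_size"] >= 64 and s["entropy"] >= entropy_threshold:
            findings.append(f"{s['name']}: entropy {s['entropy']:.2f}, looks compressed or encrypted")
        if s["exec"] and s["raw_size"] == 0 and s["vsize"] > 0:
            findings.append(f"{s['name']}: executable but has no data on disk, filled at runtime")
        if s["exec"] and s["write"]:
            findings.append(f"{s['name']}: both writable and executable")
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["raw_size"]):
            if s is not sections[0]:
                findings.append(f"entry point 0x{entry_rva:X} is in {s['name']}, not the first "
                                "section: a stub runs before the original entry point (OEP)")
            break
    else:
        findings.append(f"entry point 0x{entry_rva:X} lies outside every section")
    return findings


def build_sample_pe(entry_rva, sections):
    """Constructed test data: a minimal PE32 image built in memory, not a real binary.
    sections: list of (name, virtual_size, raw_bytes, characteristics)."""
    e_lfanew, size_opt, file_align, sect_align = 0x40, 0xE0, 0x200, 0x1000
    first_raw = -(-(e_lfanew + 24 + size_opt + 40 * len(sections)) // file_align) * file_align
    raw_ptr, vaddr, table, blobs = first_raw, sect_align, b"", b""
    for name, vsize, raw, chars in sections:
        table += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(raw),
                             raw_ptr if raw else 0, 0, 0, 0, 0, chars)
        blobs += raw
        raw_ptr += len(raw)
        vaddr += -(-max(vsize, len(raw)) // sect_align) * sect_align
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt_hdr = struct.pack("<HBBIIII", 0x10B, 0, 0, 0, 0, 0, entry_rva).ljust(size_opt, b"\0")
    return (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(first_raw, b"\0") + blobs


# Constructed UPX-style layout: an empty section that receives the decompressed image,
# then a high-entropy section holding the compressed body and the stub (entry point here).
PACKED_SAMPLE = build_sample_pe(0x9700, [
    (b"UPX0", 0x8000, b"", EXECUTE | READ | WRITE),
    (b"UPX1", 0x1000, bytes(range(256)) * 8, EXECUTE | READ | WRITE),  # stand-in for compressed data
    (b".rsrc", 0x200, b"\0" * 0x200, READ),
])

# Constructed ordinary layout: low-entropy code in the first section, entry point inside it.
CLEAN_SAMPLE = build_sample_pe(0x1020, [
    (b".text", 0x400, bytes([0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10]) * 100, EXECUTE | READ),
    (b".data", 0x200, b"\0" * 0x200, READ | WRITE),
])

if __name__ == "__main__":
    for label, pe in (("packed", PACKED_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, packer_indicators(pe) or ["no packer indicators"])
```

To run it against a file on disk, pass `open(path, "rb").read()` to packer_indicators(). The entropy threshold of 7.0 is a heuristic: legitimate resource sections holding compressed images or certificates also score high, so treat a single finding as a prompt to look closer and the combination of an empty executable section plus a high-entropy section plus a displaced entry point as the strong signal.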