Saturday, August 30, 2014

Windows System Programming: Grabbing Address of required Windows API from a DLL

Any program on Windows needs two API's to get all the imports in an executable.
LoadLibraryA
GetProcAddress  

LoadLibraryA Takes DLL name as argument and returns handle to DLL. GetProcAddress Takes DLL handle and function name as arguments and returns address of the interested function.

#include"windows.h"

int main(int argc, char *argv[])
{
     HINSTANCE handle;
     LPWSTR procAddr;

     //handle=LoadLibrary(TEXT("C:\\WINDOWS\\system32\\kernel32.dll"));
     handle = LoadLibrary(argv[1]);    
     if(handle != NULL) {
         procAddr = (LPWSTR)GetProcAddress(handle,argv[2]);
         if(procAddr != NULL) {
             printf("In %s API \"%s\" is located at %#x\n",
                    argv[1], argv[2], procAddr);
         } else {
             printf("Address not found\n");
         }
     } else {
       printf("NULL handle");
     }
     
     //Free DLL Module
     FreeLibrary(handle);
     return 0;
}

Above program is compiled to ll_gp.exe and takes 2 arguments. To build and compile binary using Dev-C++ press F9 key.

Usage:
ll_gp.exe  dll_name api_name























For Windows Programming below link can be used as reference

http://www.winprog.org/tutorial/

Sunday, August 10, 2014

DLL Injection: Executing and Testing DLL's

DLL (Dynamic Link Library) Injection is the process of loading a DLL into target process so that code in the DLL might be executed in the context of the target process.

Example Code Snippet

How to test DLL
RUNDLL32.EXE dll_name,EntryPoint [options]



AppInit_DLLs value is found at
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows
We have to set Appinit_DLLs key value of the type REG_SZ to DLL's Path. Executables that do not link with User32.dll do not load AppInit DLLs.

NOTE: Above registry change might cause inconvenience as you might see too many pop-ups

References
http://www.exploit-db.com/exploits/14740/
http://www.exploit-db.com/papers/14813/
http://www.exploit-db.com/wp-content/themes/exploit/docs/242.pdf
http://www.ericphelps.com/batch/rundll/
http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html

Tuesday, August 5, 2014

Manual Unpacking of Compressed Binaries



INTRODUCTION
In this article we will walk through manual unpacking of protected malicious Windows binaries using OllyDBG. We also need to rebuild Import Address Table (IAT) to restore the file to executable state. Most of the Anti-virus (AV) vendors flag PE packers as malicious software. There are many varieties of packer’s available, say, ASpcak, UPX, NsPack, Armadillo, Themida etc.

PACKERS
Packers reduce the physical size of an executable by compressing an executable and combine the compressed data with decompression stub into a single binary. At runtime, the decompression stub expands the original application and transfers control to the original entry point (OEP).

One of the methods that can be used to locate the original entry point (OEP) of the file is to apply break points on the following APIs:
GetLoadLibraryA
GetVersionExA
GetEnvironmentA
LoadLibraryA
GetProcAddress
IniHeap
These APIs are called by the packer’s start-up routine.
 
Following articles explain manual unpacking of UPX and AHpack
http://blog.disects.com/2013/12/manual-unpacking-of-upx-packed-binary.html
http://blog.disects.com/2013/12/manual-unpacking-of-ahpack01.html
  
REFERENCES