Programmatically Identifying and Isolating Functions Inside Executables Like IDA Does.


Even though it’s one of the tools I use on a daily basis, Hex-Rays IDA always fascinates me for its completeness and the huge amount of informations it is able to extract using just a “simple” static analysis approach and being myself a “make yourself the tools you need” guy a couple of weeks ago I’ve started to study it, trying to understand its internal mechanisms, algorithms and tricks.

I’ve focused on the identification and isolation of subroutines inside an executable due to the fact that this seemed to me the simplest thing to start with and because I came accross this blog post that shows how great IDA python libraries are.

Read More

Libpe - a Fast PE32/PE32+ Parsing Library.


I’ve just published on github libpe, a C/C++ library to parse Windows portable executables ( both PE32 and PE32+ ) written with speed and stability in mind, released under the GPL 3 license.
Currently the library is released as a Microsoft Visual Studio solution containing the library itself and an example project, I will make it cross platform in future releases.

Read More

On Windows Syscall Mechanism and Syscall Numbers Extraction Methods


Everyone who’s familiar with operating systems theoretical structure, whether he attented a college course or he has just read a book on this subject, knows the concept of a system call i.e. how a user space application talks with the kernel asking it to perform various jobs such as opening a file, creating a memory mapped region, etc.

Read More

Termination and Injection Self Defense on Windows >= Vista SP1


On a previous post I’ve talked about how to perform API hooking at kernel level on 32bit Windows systems to prevent a process from being terminated.
Today I’m gonna talk about OBR and callbacks.aspx), mainly to show how to achieve the same result on 64bit systems starting from Vista SP1 and later.

Read More

Process Introspection for Fun and Profit


While studying Windows internals for my job, I had to deepen my knowledge of executable loading process, including their memory layout, address relocations and so on.
I came accross the PEB ( process environment block ), a data structure ( mostly undocumented ) that NT systems use internally to handle many aspects of a process, including a list of loaded libraries, environment variables, command line arguments, heap informations, TLS slots and so on.
The interesting fact about the PEB is that can be inspected to obtain those informations without the use of any standard API, thus resulting in an interesting technique to detect bad written virtual machines, emulators and any sort of sandboxing that could be used by a malware analyst or an anti virus product.
Moreover you could check the PEB to detect if a DLL has been injected into your process to perform api hooking.
API hooking softwares usually hooks API such as EnumProcessModules and patch them to hide the presence of the injected module. Inspecting the PEB you will be able to perform the same task only analyzing your address space, thus avoiding API patching.

Read More

How to Hook Win32 API With Kernel Patching


This post is about SSDT patching to perform API hooking within the kernel instead of the classic user mode hooking using remote threads and things like that.
SSDT hooking is as far as I know the lowest level technique to replace/hook/intercept/whatever API and for this reason has been used for years both by malwares writers and AV vendors.
I’m using the past tence due to the fact that on 2005 Microsoft introduced a Kernel Patching Protection ( also known as “PatchGuard” ) for 64 bit systems, making this technique uneffective in the worst case or quite harder to perform in the average case.

Read More