Arab Reverse Engineering Team

Full version: Understanding what API-functions are used in EXECryptor by kioresk
Posted By dj-siba 20-10-2007, 03:33 PM
Quote: Understanding what API-functions are used in EXECryptor by kioresk
October 20th, 2007
Here you will find how a list of API functions and their hashes can be useful in researching EXECryptor.
As you may know, StrongBit recently released a new version of EXECryptor, 2.4.1, with improved anti-debug and anti-trace features. While unpacking the console part of it, I noticed that it detects my debugger (patched OllyDbg with the PhantOm plugin).
So let's imagine that we are trying to understand this new anti-debug trick. We'll unpack the console part (EXECrypt.exe), or just dump it while running, and then start to analyze it in IDA.
PhantOm consists of 2 drivers named FRDTSC and EXTREMEHIDE, which are loaded and used to hide OllyDbg. So, first of all, we'll try to search for these strings in IDA, and of course we will find them. OK, then we will look where these strings are used and find an interesting procedure that uses PhantOm's driver names.

[Attached image: screenshot_01.gif]

Quote: Looking at what's going on in this procedure, we find out that some API function is used. But the problem is that EXECryptor uses hashes (created from the API functions' names) instead of using the API functions directly. Let's pretend that we don't know how to detect a running driver and what this function is.

[Attached image: screenshot_02.gif]
Quote: So, our hash is 0EF9F7D01 and we need to find out the name of the function used. No problem: we open the list of API functions and hashes and search for 0EF9F7D01.

[Attached image: screenshot_03.gif]
Quote: Aha! It's the CreateFileA function (just as you already thought). OK, let's rename that function and look at what we have as a result:
[Attached image: screenshot_04.gif]
Quote: Nice, huh.
Using this list you can find that OpenServiceA is also used in this check.
The EXECryptor 2.x - 2.4.1 API hashes list consists of functions and hashes for these modules:

advapi32.dll
gdi32.dll
kernel32.dll
ntdll.dll
shell32.dll
user32.dll
Quote: Download it from
http://www.revenge-crew.com/kioresk/EXECryptor%202.x%20API%20Hashs.zip
Quote: Hope it will be useful for you.
Source: kioresk's blog
http://kioresk.wordpress.com/2007/10/20/EXECryptor_API_hashs
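The post works by precomputing a table of API names and their hashes for a few DLLs and looking an unknown hash up in it. The script below is an added example of that workflow and is not code from kioresk's post or from the published hash list. The post does not give EXECryptor's hash routine, so `ror13_hash` is an assumed, illustrative rotate-right-13 string hash (it does not reproduce 0EF9F7D01 for CreateFileA); `djb2_hash` and `crc32_hash` are further assumed candidates used only to show how a known name/hash pair from the post can confirm or rule out candidate routines. The export lists are constructed inline so the script runs offline; a real run would feed it every name from the export tables of the DLLs the post lists.

```python
"""Build an API-name -> hash table and use it to resolve hashed imports.

Added example, not code from kioresk's post. ``ror13_hash`` is an ASSUMED
routine chosen for illustration, not EXECryptor's (which must be recovered
from the unpacked binary). Export lists are constructed samples.
"""
import zlib
from typing import Callable, Dict, Iterable, List, Mapping, Optional, Tuple

HashFn = Callable[[str], int]

# Constructed sample export lists: a handful of names per module, standing
# in for the full export tables you would dump from each DLL.
SAMPLE_EXPORTS: Dict[str, Tuple[str, ...]] = {
    "kernel32.dll": ("CreateFileA", "CreateFileW", "CloseHandle",
                     "DeviceIoControl", "GetProcAddress", "LoadLibraryA"),
    "advapi32.dll": ("OpenSCManagerA", "OpenServiceA",
                     "QueryServiceStatus", "CloseServiceHandle"),
    "ntdll.dll": ("NtQuerySystemInformation", "NtQueryInformationProcess"),
    "user32.dll": ("MessageBoxA", "FindWindowA"),
}


def ror13_hash(name: str) -> int:
    """Assumed hash: 32-bit rotate-right by 13, then add each ASCII byte."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


def djb2_hash(name: str) -> int:
    """Assumed second candidate (djb2: h = h*33 + byte, 32-bit)."""
    h = 5381
    for b in name.encode("ascii"):
        h = (h * 33 + b) & 0xFFFFFFFF
    return h


def crc32_hash(name: str) -> int:
    """Assumed third candidate: plain CRC-32 of the name."""
    return zlib.crc32(name.encode("ascii")) & 0xFFFFFFFF


CANDIDATES: Dict[str, HashFn] = {
    "ror13": ror13_hash, "djb2": djb2_hash, "crc32": crc32_hash,
}


def identify_hash_fn(known: Mapping[str, int],
                     candidates: Mapping[str, HashFn]) -> List[str]:
    """Names of the candidate routines consistent with every known (name, hash) pair.

    Once one or two pairs are known (the post gives CreateFileA), candidate
    routines can be confirmed or ruled out without re-reading the binary.
    """
    return [n for n, fn in candidates.items()
            if all(fn(name) == h for name, h in known.items())]


def build_hash_table(exports: Mapping[str, Iterable[str]],
                     hash_fn: HashFn = ror13_hash) -> Dict[int, Tuple[str, str]]:
    """Map hash -> (module, function); refuse a table with ambiguous entries."""
    table: Dict[int, Tuple[str, str]] = {}
    for module, names in exports.items():
        for name in names:
            h = hash_fn(name)
            if h in table and table[h] != (module, name):
                raise ValueError(f"collision {h:#010x}: {table[h]} vs {(module, name)}")
            table[h] = (module, name)
    return table


def resolve_hashes(hashes: Iterable[int],
                   table: Mapping[int, Tuple[str, str]]) -> Dict[int, Optional[str]]:
    """Resolve hashes read off a routine to 'module!Function' (None if unknown)."""
    out: Dict[int, Optional[str]] = {}
    for h in hashes:
        entry = table.get(h)
        out[h] = f"{entry[0]}!{entry[1]}" if entry else None
    return out


if __name__ == "__main__":
    table = build_hash_table(SAMPLE_EXPORTS)
    # Hashes as they would be read from the disassembly: two made with the
    # assumed routine, plus the value the post shows for CreateFileA.
    seen = [ror13_hash("CreateFileA"), ror13_hash("OpenServiceA"), 0xEF9F7D01]
    for h, name in resolve_hashes(seen, table).items():
        print(f"{h:#010x}  {name or '<not in table: wrong routine or missing module>'}")
    matches = identify_hash_fn({"CreateFileA": 0xEF9F7D01}, CANDIDATES)
    print("candidate routines matching the post's pair:", matches or "none")
```

An unresolved hash means either the wrong routine or a module missing from the table, so extend the export lists before concluding the routine is wrong; a collision raised by `build_hash_table` means the table cannot be trusted for that value and the routine or module set needs revisiting.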