
A Plugin Idea?

Started by iago, November 04, 2003, 02:03 PM


iago

The point came up that, "What if a program checksums its code segment?"  One solution I thought of was, what if, instead of hooking the code, you hooked, say, winsock.dll (or ws2_32.dll or whatever) instead, so the checksum of the code wouldn't change?  Since there are many versions of winsock, it's doubtful they could have a valid checksum for that.

Then we talked about, what if somebody wrote a program that could analyze a .dll, pull out the symbols and ords, as well as the code for them, and prepare a .c file that, if compiled, will produce a near-identical .dll file.  That way, you can easily write your own hooks in c without having to worry about modifying the program while running.

Just wondering how feasible this is/if it's been done before/if it could be useful. :)
This'll make an interesting test for broken AV:
X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Yoni

Quote from: iago on November 04, 2003, 02:03 PM
we
Who?

Quote from: iago on November 04, 2003, 02:03 PM
a program that could analyze a .dll, pull out the symbols and ords, as well as the code for them, and prepare a .c file that, if compiled, will produce a near-identical .dll file

IDA: File -> Produce -> ASM File
Your idea, but ASM instead of C. This makes a .asm source file that can be assembled with (I think) MASM.

iago

Quote from: Yoni on November 04, 2003, 02:42 PM
Quote from: iago on November 04, 2003, 02:03 PM
we
Who?
us!

Quote from: Yoni on November 04, 2003, 02:42 PM
Quote from: iago on November 04, 2003, 02:03 PM
a program that could analyze a .dll, pull out the symbols and ords, as well as the code for them, and prepare a .c file that, if compiled, will produce a near-identical .dll file

IDA: File -> Produce -> ASM File
Your idea, but ASM instead of C. This makes a .asm source file that can be assembled with (I think) MASM.

hmm, that could work too, I guess :)


Adron

It's much easier to hook the function pointers used to pass control from application to dll - i.e. patch the import table.

iago

But the idea is not to modify the actual program, which, I would think, includes the import table.


Adron

It can't checksum the import table because the import addresses depend on the system. You could also modify the export tables of the dlls.
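To make Adron's point concrete, here is an added example (not code from this thread, and not how Diablo 2 or any other program actually does it) of a program checksumming only its own code section, the idea iago started with. It models a loaded image as a .text range followed by an import address table; the loader writes system-dependent addresses into the table, so a hash over the whole image changes from machine to machine while a hash over just the code stays stable until the code itself is patched. The section layout, opcode bytes and DLL load bases are all constructed values.

```python
# Added example (not code from the thread): a model of a program that
# checksums its own code section at run time, with the import address table
# (IAT) left out of the hashed range because the loader fills it with
# addresses that differ from system to system. The image layout, section
# offsets, opcode bytes and load bases below are all constructed values.
import hashlib
import struct
from typing import Dict

# Constructed layout of a tiny "loaded image": 16 bytes of .text followed by
# an import address table with two 4-byte slots (connect, send).
TEXT = (0, 16)
IDATA = (16, 24)
IMPORTS = ("connect", "send")


def build_image() -> bytearray:
    """Image as it comes off disk: code present, IAT slots still zero."""
    img = bytearray(IDATA[1])
    # constructed x86-looking bytes: push ebp / mov ebp,esp / sub esp,0x10 /
    # call rel32 (target unresolved) / leave / ret / nop padding
    img[TEXT[0]:TEXT[1]] = (b"\x55\x89\xe5\x83\xec\x10"
                            b"\xe8\x00\x00\x00\x00"
                            b"\xc9\xc3\x90\x90\x90")
    return img


def seal(img: bytearray) -> Dict[str, str]:
    """Digests recorded at build time, before any loader touches the image."""
    return {
        "code": hashlib.sha256(bytes(img[TEXT[0]:TEXT[1]])).hexdigest(),
        "whole": hashlib.sha256(bytes(img)).hexdigest(),
    }


def load_on_system(img: bytearray, dll_base: int) -> None:
    """Simulate the loader resolving imports against whatever DLL base this
    machine happens to have; only the IAT slots change."""
    addrs = [dll_base + 0x1000 * (i + 1) for i in range(len(IMPORTS))]
    struct.pack_into("<%dI" % len(IMPORTS), img, IDATA[0], *addrs)


def check(img: bytearray, sealed: Dict[str, str]) -> Dict[str, bool]:
    """Run both checks: the code-only hash (what a program can actually
    verify after loading) and a naive whole-image hash (which breaks as soon
    as imports are resolved)."""
    now = seal(img)
    return {"code_ok": now["code"] == sealed["code"],
            "whole_ok": now["whole"] == sealed["whole"]}


def patch_code(img: bytearray) -> None:
    """An in-place modification of the call site, the kind of change the
    code check is meant to detect (constructed bytes)."""
    img[6:11] = b"\xe9\x11\x22\x33\x44"


if __name__ == "__main__":
    img = build_image()
    sealed = seal(img)
    load_on_system(img, 0x71AB0000)
    print("after load on system A:", check(img, sealed))   # code_ok True, whole_ok False
    load_on_system(img, 0x77E00000)
    print("after load on system B:", check(img, sealed))   # code_ok True, whole_ok False
    patch_code(img)
    print("after code patch:", check(img, sealed))          # code_ok False
```

The whole-image digest fails on every machine because the loader legitimately rewrites the IAT, which is exactly why a self-check has to confine itself to the code range (and, by the same logic, why it can't vouch for what the imported functions themselves point at).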

Skywing

Note that it would be trivial to locate the code doing the checksum with a break-on-access breakpoint set via the debug registers.

iago

Yes, but editing the checksum algorithm may be tricky, and you may only have one chance to do it.

And Adron's right, I hadn't really thought about that :)

Mind you, this is purely theoretical.  I can't think of any program that's actually done it, but some speculate that Diablo 2 1.1 might have implemented protection that works like that, which is what brought up the discussion.  But there is no confirmed case of that that I have heard of.


indulgence

AIM OSCAR protocol used to (- not sure if it does now or not -) send a request for a hash of a certain amount of data randomly from the AIM files on a periodic basis.  This sounds similar to the theory you outline about Diablo 2 -- not having Diablo 2 (let alone the amazing, mystical 1.10 patch that took so long) installed, I wouldn't want to speculate on that theory.
<3