A Plugin Idea?

iago · November 04, 2003, 02:03 PM

The point came up that, "What if a program checksums code segment?" One solution I thought of was, what if, instead of hooking the code, you hooked, say, winsock.dll (or ws2_32.dll or whatever) instead, so the checksum of the code wouldn't change? Since there are many versions of winsock, it's doubtful they could have a valid checksum for that.

Then we talked about, what if somebody wrote a program that could analyze a .dll, pull out the symbols and ords, as well as the code for them, and prepare a .c file that, if compiled, will produce a near-identical .dll file. That way, you can easily write your own hooks in c without having to worry about modifying the program while running.

Just wondering how feasible this is/if it's been done before/if it could be useful.

Yoni · November 04, 2003, 02:42 PM

Quote from: iago on November 04, 2003, 02:03 PM
we

Who?

Quote from: iago on November 04, 2003, 02:03 PM
a program that could analyze a .dll, pull out the symbols and ords, as well as the code for them, and prepare a .c file that, if compiled, will produce a near-identical .dll file

IDA: File -> Produce -> ASM File
Your idea, but ASM instead of C. This makes a .asm source file that can be assembled with (I think) MASM.

iago · November 04, 2003, 02:57 PM

Quote from: Yoni on November 04, 2003, 02:42 PM
Quote from: iago on November 04, 2003, 02:03 PM
we
Who?

us!

Quote
Quote from: iago on November 04, 2003, 02:03 PM
a program that could analyze a .dll, pull out the symbols and ords, as well as the code for them, and prepare a .c file that, if compiled, will produce a near-identical .dll file

IDA: File -> Produce -> ASM File
Your idea, but ASM instead of C. This makes a .asm source file that can be assembled with (I think) MASM.

hmm, that could work too, I guess

Adron · November 04, 2003, 04:36 PM

It's much easier to hook the function pointers used to pass control from application to dll - i.e. patch the import table.

iago · November 04, 2003, 05:06 PM

But the idea is not to modify the actual program, which, I would think, includes the import table.

Adron · November 05, 2003, 09:01 AM

It can't checksum the import table because the import addresses depend on the system. You could also modify the export tables of the dlls.

Skywing · November 05, 2003, 10:21 AM

Note that it would be trivial to locate the code doing the checksum with a break-on-access breakpoint set via the debug registers.

iago · November 05, 2003, 12:54 PM

Yes, but editing the checksum algorithm may be tricky, and you may only have one chance to do it.

And Adron's right, I hadn't really thought about that

Mind you, this is purely theoretical. I can't think of any program that's actually done it, but some speculate that Diablo 2 1.1 might have implemented protection that works like that, which is what brought up the discussion. But there is no confirmed case of that that I have heard of.

indulgence · November 06, 2003, 07:06 AM

AIM OSCAR protocol used to (- not sure about if it does now or not -) send a request for a hash of a certain amount of data randomly from the AIM files on a periodical basis. This sound similar to the thoery you outline about diablo 2 -- not having diablo2 (yet alone the amazing, mystical 1.10 patch that took so long) installed I wouldn't want to speculate on that theory.