C++ Detour Trampoline (send/recv)
It’s time for a new code-snippet to be posted. It’s about detouring!
Let’s see what Wikipedia has to say about detouring.
Source: Wikipedia
In computer programming, the term detouring covers a range of techniques used to alter or augment the behavior of an operating system, of applications, or of other software components by intercepting function calls or messages or events passed between software components. Code that handles such intercepted function calls, events or messages is called a “detour”. Detouring is used for many purposes, including debugging and extending functionality. Examples might include intercepting keyboard or mouse event messages before they reach an application, or intercepting operating system calls in order to monitor behavior or modify the function of an application or other component.
Detouring can also be used by malicious code. For example, rootkits, pieces of software that try to make themselves invisible by faking the output of API calls that would otherwise reveal their existence, often use detouring techniques. A wallhack is another example of malicious behavior that can stem from detouring techniques. It is done by intercepting function calls in a computer game and altering what is shown to the player to allow them to gain an unfair advantage over other players.
In this example the following functions are hooked: ‘send’ and ‘recv’. Let’s see what MSDN has to say about these functions.
The send function sends data on a connected socket.
int send(
  __in SOCKET s,
  __in const char *buf,
  __in int len,
  __in int flags
);
The recv function receives data from a connected socket or a bound connectionless socket.
int recv(
  __in SOCKET s,
  __out char *buf,
  __in int len,
  __in int flags
);
The ‘detour trampoline’ function is mainly used to hook regular functions; if you want to hook raw addresses, your best option is ‘DetourAttach()’. And that’s pretty much everything I have to say about detouring. There is a source file and a compiled library available at the bottom of this post. Currently, what this hook/detour does is show a MessageBox containing the function’s data buffer and then continue as if nothing happened. You can always modify the source to filter or replace specific information, or make it write everything to a file.
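To make the shape of such a monitoring hook concrete, here is an added example (my own illustration, not the Win32DetourSocket source linked below) of a send() detour in the Microsoft Detours style. It shows the two invariants that keep the host process intact: the hook must reach the original only through the trampoline pointer, and it must return the original result untouched. The portable core (buffer dump and hook body) builds anywhere; the Detours attach step is guarded by _WIN32, and the SOCKET/WSAAPI stand-ins for other platforms are assumptions for that purpose.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#ifdef _WIN32
#include <winsock2.h>
#include <windows.h>
#include <detours.h>          // Microsoft Detours; link against detours.lib
#else
typedef uintptr_t SOCKET;     // stand-ins so the hook body also builds elsewhere
#define WSAAPI
#endif
// The hook reaches the ORIGINAL send only through this pointer. After DetourAttach
// it holds the trampoline (saved prologue + jump back into send); calling send()
// by name from inside the hook would re-enter the hook and recurse until overflow.
typedef int (WSAAPI *SendFn)(SOCKET, const char*, int, int);
static SendFn Real_send = nullptr;
// Render up to maxBytes of a buffer for one log line: printable ASCII as-is,
// everything else as \xNN. len and buf come from the caller and are checked here.
std::string DumpBuffer(const char* buf, int len, size_t maxBytes = 64) {
    if (buf == nullptr || len < 0) return "<invalid buffer>";
    size_t n = static_cast<size_t>(len) < maxBytes ? static_cast<size_t>(len) : maxBytes;
    std::string out;
    char hex[8];
    for (size_t i = 0; i < n; ++i) {
        unsigned char c = static_cast<unsigned char>(buf[i]);
        if (c >= 0x20 && c < 0x7f) { out.push_back(static_cast<char>(c)); continue; }
        std::snprintf(hex, sizeof hex, "\\x%02x", static_cast<unsigned>(c));
        out += hex;
    }
    if (static_cast<size_t>(len) > maxBytes) out += "...";
    return out;
}
// The detour itself: same signature as send(). Log (the post pops a MessageBox;
// a log line is less intrusive), forward unchanged, return the original result.
int WSAAPI Hooked_send(SOCKET s, const char* buf, int len, int flags) {
    std::fprintf(stderr, "send(sock=%llu, len=%d): %s\n",
                 static_cast<unsigned long long>(s), len, DumpBuffer(buf, len).c_str());
    return Real_send(s, buf, len, flags);
}
#ifdef _WIN32
// Call from DllMain on DLL_PROCESS_ATTACH: Real_send starts as the genuine export
// and DetourTransactionCommit() swaps it for the trampoline.
bool InstallSendHook() {
    Real_send = &send;
    DetourTransactionBegin();
    DetourUpdateThread(GetCurrentThread());
    DetourAttach(&(PVOID&)Real_send, reinterpret_cast<PVOID>(Hooked_send));
    return DetourTransactionCommit() == NO_ERROR;
}
#endif
```

A recv() detour follows the same pattern, except that the buffer is only meaningful after the forwarded call returns, so the dump has to happen after calling through the trampoline and must use the returned byte count rather than len.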
Source: http://skilinium.com/blog/downloads/Win32DetourSocket.CPP
Binary: http://skilinium.com/blog/downloads/Win32DetourSocket.dll
(Video Tutorial) Analyze .NET assemblies
Another video tutorial for my blog. This one will be about analyzing .NET assemblies.
This method of ‘reversal’, also referred to as decompiling, allows you to view the source code of the executable, unless the executable is packed or obfuscated, in which case you would first have to unpack or de-obfuscate the program.

Source: Wikipedia
The CIL code is housed in .NET assemblies. As mandated by specification, assemblies are stored in the Portable Executable (PE) format, common on the Windows platform for all DLL and EXE files. The assembly consists of one or more files, one of which must contain the manifest, which has the metadata for the assembly. The complete name of an assembly (not to be confused with the filename on disk) contains its simple text name, version number, culture, and public key token. The public key token is a unique hash generated when the assembly is compiled, thus two assemblies with the same public key token are guaranteed to be identical from the point of view of the framework. A private key can also be specified known only to the creator of the assembly and can be used for strong naming and to guarantee that the assembly is from the same author when a new version of the assembly is compiled (required to add an assembly to the Global Assembly Cache).
The tool ‘.NET Reflector’ has been used in this tutorial; let’s see what information Wikipedia gives us.
Source: Wikipedia
.NET Reflector is a free software utility for Microsoft .NET combining class browsing, static analysis and decompilation, originally written by Lutz Roeder. MSDN Magazine named it as one of the Ten Must-Have utilities for developers, and Scott Hanselman listed it as part of his “Big Ten Life and Work-Changing Utilities”. .NET Reflector was the first .NET assembly browser. It can be used to inspect, navigate, search, analyze, and browse the contents of a .NET component such as an assembly and translates the binary information to a human-readable form. By default Reflector allows decompilation of .NET assemblies into C#, Visual Basic .NET and Common Intermediate Language. Reflector also includes a “Call Tree”, that can be used to drill down into IL methods to see what other methods they call. It will show the metadata, resources and XML documentation. .NET Reflector can be used by .NET developers to understand the inner workings of code libraries, to show the differences between two versions of the same assembly, and how the various parts of a .NET application interact with each other. There are a large number of add-ins for Reflector.
And that’s pretty much all the information you will need.
Video: http://skilinium.com/blog/downloads/_NET%20Reversal/_NET%20Reversal.html
In: Malware, Video Tutorials
(Video Tutorial) Removing Major Defense Kit
And another video tutorial on removing a slightly different variant of the ‘AntiSpy Safeguard’, this time it’s called ‘Major Defense Kit’.
A short description of what the program is and does.
Source: 2-spyware
Major Defense Kit is a fake antivirus program that is promoted through misleading advertisements on infected websites or through the use of Trojan downloaders and other malware. Once installed, the program will be set to run when you start your computer. While running, Major Defense Kit will pretend to scan your PC and then display numerous infections, such as spyware, adware and Trojans. It will prompt you to pay for a full version of the program to remove the infections. In reality, though, it won’t remove any infections even if you purchase it. That’s because MajorDefenseKit is a virus itself and it reports non-existent infections on your computer. It goes without saying that you should remove Major Defense Kit from the computer as soon as possible. Please follow the removal instructions below.
Video: http://skilinium.com/blog/downloads/Major Defense Kit/Major Defense Kit.html
In: Malware, Video Tutorials