flat assembler
Message board for the users of flat assembler.

Index > Windows > win32 api creation == ?

Author
Thread Post new topic Reply to topic
shakuni



Joined: 11 Oct 2007
Posts: 24
shakuni 26 Mar 2008, 09:43
While researching for the book I am writing on viruses and AV technology, I came across this-
Quote:

Some malware goes so far as to avoid importing any functions from available
DLLs. Instead, it emulates all of the APIs it needs. This means that you cannot list the
functions, so you cannot easily set breakpoints on them, as all API calls will just be
a part of the malware code.In some cases, malware authors even use this to trap reverse engineers: they
may import functions that are never used (having used the emulated ones instead).

Now my question is-

How can I emulate an API, for example, How can I write code that'll manipulate windows registry without using win32 api?

In simple words, how can I implement win32 api without using win32 api.

While researching on web for this idea, all I found was either emulation of win32 api on linux boxes (wine etc.) or the "new" technology AVs that emulates win32 api to fool viruses.

Please share any ideas you may have on the problem.

Maybe these viruses use native api(s) to emulate win32 api, but I don't think so(for obvious reasons).

or if you've heard of any virus that emulates API, give me its name. The rest (like, retrieving the API emulating code from the virus) I'll manage.

_________________
There is no rule, law or tradition that apply universally... including this one.
Post 26 Mar 2008, 09:43
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 20451
Location: In your JS exploiting you and your system
revolution 26 Mar 2008, 10:00
API emulation is an advanced topic with little relevance to fasm specifically.

But basically if you simply duplicate the code the the API would have executed in to your app then you have "emulated" the API. It can be a lot of work or it can be easy, depending upon the specific API that you want to emulate. If you have administrator access then I suppose accessing the registry might be possible without an API but it would be very difficult. The registry is a core function of the kernel and not typically directly implemented by a DLL. Using the int 0x2e (or sysenter) interface directly is a possibly path but it is very OS version specific and likely to fail unless the target OS exactly matches the development OS.
Post 26 Mar 2008, 10:00
View user's profile Send private message Visit poster's website Reply with quote
FrozenKnight



Joined: 24 Jun 2005
Posts: 128
FrozenKnight 25 Apr 2008, 13:19
Viruses can and will use anything available to them. some viruses even go as far as to use no visible api at all. (yes, there are ways of calling the api with an empty imports table.) a good way of faking api returns (that may even allow you to edit out harmful code) would be to make a DLL that contains every api used by your code and name it the same as the system dll you are using and place it in the same directory as your program. you can even call real API inside the DLL. (though i'm not sure if you have to use some trick when doing this)
Post 25 Apr 2008, 13:19
View user's profile Send private message Reply with quote
AlexP



Joined: 14 Nov 2007
Posts: 561
Location: Out the window. Yes, that one.
AlexP 25 Apr 2008, 13:23
or just use the import or export tables of Kernel32(or was it ntdll?) to get the address of the function you want, that's what I've seen in a lot of copy protection.

I have an example program if you would like, plus a lot of virii just require their host to import functions ilke GetProcessAddress or something. Then that function is called to get all the API's the virus needs. I have quite many examples of that if you would like also.
Post 25 Apr 2008, 13:23
View user's profile Send private message Visit poster's website Reply with quote
vid
Verbosity in development


Joined: 05 Sep 2003
Posts: 7105
Location: Slovakia
vid 25 Apr 2008, 13:50
Look into API code, and check what it does. But i think you'd have to use hardcoded kernel API numbers and interrupts/SYSCALL, and that is not portable across different windowses.
Post 25 Apr 2008, 13:50
View user's profile Send private message Visit poster's website AIM Address MSN Messenger ICQ Number Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4073
Location: vpcmpistri
bitRAKE 25 Apr 2008, 15:38
Code:
HANDLE.CurrentProcess = -1
HANDLE.CurrentThread = -2
    
Code:
macro HANDLE.STD_OUTPUT_HANDLE {
  mov eax,[fs:$30]  ; PEB
  mov eax,[eax+$10] ; ProcessParameters
  mov eax,[eax+$1C] ; output
}    
(Not guaranteed to work everywhere, but really - what is?)

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 25 Apr 2008, 15:38
View user's profile Send private message Visit poster's website Reply with quote
bitRAKE



Joined: 21 Jul 2003
Posts: 4073
Location: vpcmpistri
bitRAKE 26 Apr 2008, 06:05
Rereading, the above post seems like half a post. Confused

Normally, the Windows API must be called to get these handles. (The first of which are just constants used internally by windows - I'll bet they are defined as constants in the Windows source code. The second example is access to internal Windows variables to obtain the standard output handle - the same thing done by the API code.)

With a large library of such shortcuts the use of Windows code can be minimized (for any number of good/bad reasons).

_________________
¯\(°_o)/¯ “languages are not safe - uses can be” Bjarne Stroustrup
Post 26 Apr 2008, 06:05
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2025, Tomasz Grysztar. Also on GitHub, YouTube.

Website powered by rwasa.