How to determine windows imports?



#1 Tony


Posted 11 December 2013 - 10:48 PM

Wassup guys,

As you know, an exe file has Windows imports, such as user32.dll. But I got a file which also has some self-made imports, so not from the Windows system.

Is there a way to determine if an import is from Windows itself or self-made?



#2 ComeBack


Posted 11 December 2013 - 11:55 PM

I mean, Microsoft DLLs do have version info in the rsrc section; that could be a way. Also, all important Win APIs are backed up in system32\dllcache for me.

#3 Tony


Posted 12 December 2013 - 09:05 AM

That has nothing to do with my question...



#4 karcrack


Posted 12 December 2013 - 10:04 AM

"selfmade imports"? What does that mean? It imports a DLL which is not "user32", "kernel32", "ntdll"...?

 

To know if a DLL is from Windows itself you must check the signature. Also you need to check that the EXE doesn't have a DLL nearby because if it imports "user32" and there's a "user32.dll" in the same folder as the EXE that DLL will be loaded instead of the W$ one.

 

Hope that's what you're asking for.



(PGP ID 0xCC050E77)

ASM, C, C++, VB6... skilled [malware] developer


#5 Tony


Posted 12 December 2013 - 10:50 AM

@karcrack

This is indeed what I'm asking for :)

I mean, with self-made imports, imports made by Delphi, like in the screen below.

So I could indeed check the signature. Both files (the self-made & W$) have the "PE" signature. They also both have the "MZ" signature. But the self-made one has one char more -> "MZP".

[Screenshot attachment: i6mrza.png]



#6 karcrack


Posted 12 December 2013 - 10:58 AM

You can also check if the file has Microsoft ©opyright in the File information. A simpler way is to have a white-list of the most used Windows libraries.


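Putting karcrack's two suggestions together (a white-list of well-known Windows libraries, plus a check for a same-named DLL sitting beside the EXE, which the loader's search order would pick over the system copy), here is an added Python example that is not code from this thread. It parses the PE import directory by hand (no pefile dependency), gives each imported DLL a verdict, and builds a constructed minimal PE32 so it can exercise itself offline. The WINDOWS_DLLS set, the verdict labels, the helper names and the sample DLL names are all assumptions for illustration.

```python
import os
import struct

# Constructed allow-list of common Windows system libraries: the thread's
# "white-list" approach. Extend it to the set you care about (assumption).
WINDOWS_DLLS = frozenset({
    "kernel32.dll", "user32.dll", "ntdll.dll", "advapi32.dll", "gdi32.dll",
    "ole32.dll", "oleaut32.dll", "shell32.dll", "msvcrt.dll", "comctl32.dll",
    "ws2_32.dll", "wininet.dll", "version.dll",
})


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset via the section table (va, vsize, rawptr, rawsize)."""
    for va, vsize, rawptr, rawsize in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def imported_dlls(data):
    """Return the DLL names listed in the PE import directory, in table order."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)             # data directories: PE32 vs PE32+
    import_rva = struct.unpack_from("<I", data, dd + 8)[0]  # directory entry 1 = import table
    sections = []
    for i in range(nsections):
        # IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((va, vsize, rawptr, rawsize))
    names = []
    if import_rva == 0:
        return names
    off = _rva_to_offset(import_rva, sections)
    while True:
        # IMAGE_IMPORT_DESCRIPTOR: ILT, timestamp, forwarder chain, Name RVA, IAT (20 bytes)
        name_rva = struct.unpack_from("<I", data, off + 12)[0]
        if name_rva == 0:          # all-zero descriptor terminates the table
            break
        noff = _rva_to_offset(name_rva, sections)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii", "replace"))
        off += 20
    return names


def classify_import(dll_name, local_files):
    """'local-copy' if a same-named file sits beside the EXE (it wins the loader
    search order and shadows the system DLL); else 'windows' if allow-listed;
    else 'third-party' (e.g. a compiler runtime or the program's own library)."""
    name = dll_name.lower()
    if name in {f.lower() for f in local_files}:
        return "local-copy"
    return "windows" if name in WINDOWS_DLLS else "third-party"


def audit_imports(data, local_files):
    """Verdict per imported DLL for PE bytes plus a listing of the EXE's directory."""
    return [(n, classify_import(n, local_files)) for n in imported_dlls(data)]


def audit_file(path):
    """Convenience wrapper for a real EXE on disk."""
    with open(path, "rb") as f:
        data = f.read()
    return audit_imports(data, os.listdir(os.path.dirname(os.path.abspath(path))))


def build_sample_pe(dll_names):
    """Constructed, minimal PE32 whose only content is an import directory
    naming the given DLLs (test input only, not a runnable program)."""
    sec_rva, sec_raw = 0x1000, 0x200
    descs, blob = bytearray(), bytearray()
    names_base = (len(dll_names) + 1) * 20           # name strings follow the descriptors
    for n in dll_names:
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + names_base + len(blob), 0)
        blob += n.encode("ascii") + b"\0"
    body = descs + bytes(20) + blob                  # zero descriptor ends the table
    body += bytes(-len(body) % 0x200)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    struct.pack_into("<II", opt, 96 + 8, sec_rva, names_base)   # import data directory
    sec = struct.pack("<8sIIIIIIHHI", b".idata\0\0", len(body), sec_rva, len(body),
                      sec_raw, 0, 0, 0, 0, 0x40000040)
    hdr = dos + b"PE\0\0" + coff + opt + sec
    return bytes(hdr + bytes(sec_raw - len(hdr)) + body)


if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "user32.dll", "mylib.dll"])   # constructed
    for name, verdict in audit_imports(sample, ["user32.dll"]):          # constructed listing
        print(f"{name:14} {verdict}")
```

A name match only says what the import table asks for, not which file the loader will hand back; on Windows the entries judged "windows" still deserve the signature check karcrack mentions (for example Get-AuthenticodeSignature in PowerShell, or Sysinternals sigcheck, run on the file the name actually resolves to).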


#7 Tony


Posted 12 December 2013 - 11:09 AM

I thought there might be a generic and easier way, but it doesn't look like that, so then indeed I have to use a white-list, I guess. :)

 

Thanks for your help karcrack 



#8 Hess


Posted 12 December 2013 - 12:01 PM

Also, walk for dependencies; even self-made imports must import native Windows libraries. From the screenshot they are a bit confusing, but at the end they must "touch" native stuff. It looks like msvbvm60.dll, which also has some funky stuff, but in the end also does the same as Delphi libs. :)



#9 Tony


Posted 12 December 2013 - 12:29 PM

"even selfmade imports must import native windows libraries"

Not true, mate. Some functions could be emulated. The ShowMessage function of C++ Builder is a good example of it ;)



#10 dugidox


Posted 13 December 2013 - 04:32 PM

What about opening the file in Olly, right-clicking anywhere in the disassembly window and choosing Search for -> All intermodular calls?



#11 Tony


Posted 13 December 2013 - 04:41 PM

@dugidox

It should be done programmatically :)



#12 Hess


Posted 14 December 2013 - 09:36 AM

Ah, got the point: something like fake APIs which are generated by protectors like Arma, Asprotect, etc., and the real ones are hidden. You wanna make a new ImpREC? :)



#13 Tony


Posted 14 December 2013 - 10:15 AM

@Hess, you're wrong (again) :P