Wassup guys,
As you know a exe file does has Windows imports, such as user32.dll. But I got a file which also has some selfmade imports, so not from Windows system.
Is there a way to determine if a import is from Windows self or selfmade?
How to determine windows imports?
Started By
Tony
, Dec 11 2013 10:48 PM
12 replies to this topic
#2
Posted 11 December 2013 - 11:55 PM
I mean Microsoft dll´s does have a version info in the rsrc section, that could be a way. Also all important win api´s are backuped in the system32\dllcache for me.
- Tony likes this
#4
karcrack
-
- Moderator
-
-
Reputation: 343Very Good
- 303 posts
Advanced Member
Posted 12 December 2013 - 10:04 AM
"selfmade imports"? What does that mean? It imports a DLL which is not "user32", "kernel32", "ntdll"...?
To know if a DLL is from Windows itself you must check the signature. Also you need to check that the EXE doesn't have a DLL nearby because if it imports "user32" and there's a "user32.dll" in the same folder as the EXE that DLL will be loaded instead of the W$ one.
Hope that's what you're asking for.
- Tony and Deque like this
(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer
#5
Posted 12 December 2013 - 10:50 AM
@karcrack
This is indeed were I'm asking for 
I mean with selfmade imports, imports made by Delphi, like in the screen below.
So I could check indeed the signature. Both files (the selfmade & W$), got the "PE"-signature. Also they got both the "MZ"-signature. But the selfmade has one char more -> "MZP".
#6
karcrack
-
- Moderator
-
-
Reputation: 343Very Good
- 303 posts
Advanced Member
Posted 12 December 2013 - 10:58 AM
You can also check if the file has Microsoft ©opyright in the File information. A simpler way is to have a white-list of the most used Windows libraries.
- ComeBack and Tony like this
(PGP ID 0xCC050E77)
ASM, C, C++, VB6... skilled [malware] developer
#7
Posted 12 December 2013 - 11:09 AM
I thought there might be a generic and a easier way, but it doesn't look like that, so then indeed i have to use a white-list i guess.
Thanks for your help karcrack
- karcrack likes this
#8
Hess
Contributor
-
- Loyalist
-
-
Reputation: 765Excellent
- 2,817 posts
Intelligence Service
- LocationBelgrade
Contributor
Posted 12 December 2013 - 12:01 PM
Also , walk for dependencies , even selfmade imports must import native windows libraries. From screenshot , they are a bit confusive , but , at the end they must "touch" native stuff. It looks like msvbvm60.dll which has also some funky stuff , but at end also does the same as Delphi libs.
Meet me here: http://www.voa.mod.gov.rs/en/
#9
Posted 12 December 2013 - 12:29 PM
Hess, on 12 Dec 2013 - 12:01 PM, said:
even selfmade imports must import native windows libraries
Not true mate. Some functions could be emulated. The ShowMessage function of C++ builder is a good example of it 
- Hess likes this
#10
dugidox
-
- Verified Seller
-
-
Reputation: 35Fair
- 37 posts
Member
Posted 13 December 2013 - 04:32 PM
What about open file in Olly, right click anywhere in disassemble window and choose Search for -> All intermodular calls
#12
Hess
Contributor
-
- Loyalist
-
-
Reputation: 765Excellent
- 2,817 posts
Intelligence Service
- LocationBelgrade
Contributor
Posted 14 December 2013 - 09:36 AM
Ah , got the point , something like Fake API's which are generated by protectors like Arma , Asprotect , etc , and real ones are hidden , You wanna make new ImpREC ?
Meet me here: http://www.voa.mod.gov.rs/en/
