Exetools

Exetools (https://forum.exetools.com/index.php)
-   General Discussion (https://forum.exetools.com/forumdisplay.php?f=2)
-   -   Delphi App network activity (https://forum.exetools.com/showthread.php?t=7743)

bgrimm 06-25-2005 22:50

Delphi App network activity
 
I have an app written in Delphi; every time it runs, it tries to execute a UDP broadcast to a system outside the local network on a suspicious port.

The program was written for looking up parts in a local database, and is distributed free to businesses who purchase from that distributor.
It was just after it triggered activity through my firewall that I took an interest in what this app may be doing.

The app doesn't have any fancy tricks (for example, expiration was keyed to file date/time, admin password dialog text was hardcoded, etc.).

I'm wondering what functions the Delphi app could use to communicate out, so as to breakpoint on them and trace what this app might be up to?

The import section looks pretty standard, and I did not see what functions may be used for network communication.
Code:

kernel32.dll    user32.dll       
advapi32.dll    oleaut32.dll       
version.dll      gdi32.dll
ole32.dll        comctl32.dll
winspool.drv    shell32.dll
comdlg32.dll    ACE32.DLL
(ACE32 is for database access)

I expected to find wininet.dll imported, or maybe that it was using some function in Shell32.dll.
There are no other DLLs or executables used by this app.

Referenced text strings had nothing of interest, as the address it talks to is hardcoded (224.0.1.55 on port 2989).

Nothing in the registry regarding that address or port.

Googling got me some technical info, example code, etc., but nothing short and to the point explaining UDP broadcast communication in Delphi.

-bg

baatazu 06-27-2005 16:11

Probably the UDP packet sending is to inform the company that the software is running on a specific machine, at a specific IP (and the IP can easily tell you the originator's country).

UDP in serious Delphi applications can be sent using ICS or INDY. Your app looks like it is using INDY. Can you see in the resources whether it has a list of the following strings:

Code:

65216,Connection Closed Gracefully.
65217,Could not bind socket. Address and port are already in use.
65218,Invalid Port Range (%d - %d)
65219,%s is not a valid service.
65220,IPv6 unavailable
65221,The requested IPVersion / Address family is not supported.
65222,Not all bytes sent.
65223,Package Size Too Big.
65224,Set Size Exceeded.
65225,Not enough bytes read from stream.
65226,End of stream: Class %s at %d
65227,UDP is not support in this SOCKS version.
65228,Request rejected or failed.
65229,Request rejected because SOCKS server cannot connect.
65230,Request rejected because the client program and identd report different user-ids.
65231,Unknown socks error.


etienne 06-27-2005 17:07

The IP address you specified is assigned to network multicasting
(check the RIPE/ARIN/APNIC databases for further info),
so unless you run several VPNs over a mainly unprotected network that is connected directly to the Internet (that is, no network address translation or IP masquerading taking place), you can be assured that this communication is done in your environment only.

redbull 06-27-2005 18:43

All third-party components placed on a form can be viewed in the resources section.

Also, DEDE (Delphi Decompiler) will definitely help in telling what UDP components are used.

All components called TIDxxxx (where xxxx is some name) imply that the INDY component set was used.

baatazu 06-27-2005 22:15

If the forms are removed or encrypted they can't be viewed in resources. For example, in my applications you can't see the forms in the resources because they are encrypted with Citadel. On the other hand, the UDP component may be created dynamically without a component on the form ;)

Anyway, INDY doesn't use any system DLL to accomplish the UDP sending, meaning it has no exports. The only way to see how things work is to create an empty app, an empty form, and an empty form/app with a UDP sending function on it, and compare. Maybe that will help you in studying it.

I can generate those 2 exes for you, both for Indy9 and Indy10. Just let me know.

redbull 06-28-2005 22:38

Can we get our grubby paws on the app, bgrimm??

Valid comments, "baatazu", especially if you are using an encrypted app...

The TPersistent nature of TComponents in Delphi will embed them in the code somewhere, so I was referring to standard unencrypted exes (which it appears bgrimm is playing with).

bgrimm 06-29-2005 08:45

Thanks to all for their responses and ideas.

Quote:

Can you see on resources if it has a list of the following strings...

... and...

the IP address you specified is assigned to network multicasting.

As I mentioned, there was nothing in the main executable resources, or text strings. So dead end there.

The reserved IP range kind of made me think a bit harder about the issue.

It appears from the other DLLs that the program uses a DB access mechanism written by "Extended Systems, Inc".

I'm beginning to think that the communication may be to see if a database is not on the localhost and instead resides on another machine on the LAN, as the components clearly have Client & Server resources.

The distributor stopped in yesterday and I mentioned it to him; he knows the in-house programmer that wrote the app but said he knew nothing of outbound communications.
I think perhaps they included components from Extended Systems, and since they don't know about it, they may have a control/component configured incorrectly, or it is just by design.


I packed up the main executable and all the DLLs that were in the directory. It will give an error on startup since the database files are missing, but it is enough that after the error, the outgoing communication occurs.

h**p://s22.yousendit.com/d.aspx?id=0YF6ZWGCJJL9M3TJ8V4FP95R9V


Now my only question, out of curiosity, would be: I only saw ACE32.dll as an import, and it did not import anything, so if the communications routines are called, say, from axcws32.dll, how could they have been called? LoadLibrary?

Regards,
-BG
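A small triage script that ties the thread's three open questions together: which Winsock names to breakpoint on, why a string search found no "224.0.1.55", and how a DLL can be reached without appearing in the import table. This is an added example, not code from the thread or from any of its posters. It assumes a Win32 target: whichever component set sits on top (Indy, ICS or the raw API), a Winsock UDP send goes through ws2_32.dll (or the legacy wsock32.dll forwarder), so sendto/WSASendTo are the breakpoints regardless of framework; a hardcoded endpoint is often stored as the binary in_addr/sockaddr_in form rather than as text; and Winsock names present as NUL-terminated strings without a matching static import point at LoadLibrary/GetProcAddress resolution. SAMPLE_BLOB is constructed to look like a section dump; the command-line path and extra arguments are hypothetical usage.

```python
"""
Triage a Win32 binary (here, a Delphi app) for UDP/Winsock capability and a
hardcoded destination that a plain string search would miss.

Added example, not code from the thread. The names in the tables below are
real Winsock/kernel32 exports; SAMPLE_BLOB is constructed to mimic what a
section dump could contain, and the command-line path is a hypothetical usage.
"""
import ipaddress
import re
import socket
import struct
import sys

# Whatever component set sits on top (Indy, ICS, raw API), a Winsock UDP send
# goes through ws2_32.dll (or legacy wsock32.dll, which forwards to it), so these
# are the names to look for and to breakpoint on.
WINSOCK_DLLS = (b"ws2_32.dll", b"wsock32.dll")
WINSOCK_FUNCS = (b"WSAStartup", b"socket", b"bind", b"sendto", b"WSASendTo",
                 b"setsockopt", b"inet_addr", b"htons")
# Static imports that let a binary resolve the above at run time instead of
# listing them in its import table.
LOADER_FUNCS = (b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress")


def find_ascii_names(blob, names):
    """Return, in table order, the NUL-terminated ASCII names present in blob."""
    found = []
    for name in names:
        if re.search(re.escape(name) + rb"\x00", blob, re.IGNORECASE):
            found.append(name.decode())
    return found


def find_delphi_classes(blob, prefix=b"TId"):
    """Delphi keeps class names in the VMT as length-prefixed ShortStrings (no NUL),
    so match the text only; the default prefix is the Indy naming convention."""
    return [m.group(0).decode()
            for m in re.finditer(re.escape(prefix) + rb"[A-Za-z0-9_]+", blob)]


def encoded_forms(ip, port):
    """Byte patterns under which a hardcoded IPv4 endpoint hides in a binary."""
    addr_be = socket.inet_aton(ip)                       # in_addr, network byte order
    sockaddr_prefix = struct.pack("<H", socket.AF_INET) + struct.pack(">H", port) + addr_be
    return {
        "in_addr (network order)": addr_be,
        "in_addr (little-endian dword)": addr_be[::-1],  # if stored as a reversed x86 dword
        "port htons": struct.pack(">H", port),           # as written into sockaddr_in.sin_port
        "port x86 word": struct.pack("<H", port),        # as a plain 16-bit immediate
        "sockaddr_in prefix": sockaddr_prefix,           # sin_family, sin_port, sin_addr
    }


def find_endpoint(blob, ip, port):
    """Map each encoding that occurs in blob to its byte offsets."""
    hits = {}
    for label, pattern in encoded_forms(ip, port).items():
        offsets = [m.start() for m in re.finditer(re.escape(pattern), blob)]
        if offsets:
            hits[label] = offsets
    return hits


def classify_destination(ip):
    """Say what kind of address the binary is talking to (224.0.0.0/4 is multicast)."""
    a = ipaddress.ip_address(ip)
    if a.is_multicast:
        if a in ipaddress.ip_network("224.0.0.0/24"):
            return "link-local multicast (224.0.0.0/24, not forwarded by routers)"
        return "multicast (224.0.0.0/4)"
    if a == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"
    if a.is_private:
        return "private unicast"
    return "public unicast"


def triage(blob, ip, port):
    """Run every check over a raw file or section image and return a report."""
    return {
        "destination": classify_destination(ip),
        "static_loader_imports": find_ascii_names(blob, LOADER_FUNCS),
        "winsock_dll_names": find_ascii_names(blob, WINSOCK_DLLS),
        "winsock_func_names": find_ascii_names(blob, WINSOCK_FUNCS),
        "delphi_class_names": find_delphi_classes(blob),
        "endpoint_hits": find_endpoint(blob, ip, port),
    }


# Constructed sample: no "224.0.1.55" text anywhere, only the binary endpoint.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"kernel32.dll\x00GetProcAddress\x00LoadLibraryA\x00"  # static imports
    + b"\x00" * 8
    + b"\x0cTIdUDPClient"                                    # ShortString: length byte + name
    + b"\x00" * 8
    + b"ws2_32.dll\x00WSAStartup\x00socket\x00sendto\x00"     # names resolved at run time
    + b"\x00" * 8
    + b"\x02\x00\x0b\xad\xe0\x00\x01\x37"                     # sockaddr_in: AF_INET, htons(2989), 224.0.1.55
    + b"\x00" * 16
)

if __name__ == "__main__":
    # Usage (hypothetical): python triage_udp.py app.exe 224.0.1.55 2989
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BLOB
    ip = sys.argv[2] if len(sys.argv) > 2 else "224.0.1.55"
    port = int(sys.argv[3]) if len(sys.argv) > 3 else 2989
    for key, value in triage(data, ip, port).items():
        print(f"{key}: {value}")
```

Run it over the whole .exe and each DLL in the directory. A hit on the sockaddr_in prefix or on the in_addr dword is strong evidence of the hardcoded destination; a two-byte "port htons" hit on its own is weak and needs a disassembler check. For the static import table the script only looks for the names as strings, which is enough for a self-contained demo; a proper PE import parse (for example with pefile) would replace that part and make the "present as a string but not imported" distinction exact.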

