Exetools


boya 06-10-2004 18:58

Questions again on howto hide APISPY32?
 
Oh, still on the hard PELock question: I want to use APISpy to spy on the API calls,
but the PELocked target can detect APISpy. I tried but failed to modify apis32.exe.... to cheat the PELocked stuff. Does anyone have successful experience?


bow.

e.b 06-11-2004 04:02

What did you do in order to modify apispy?

e.b

dyn!o 06-11-2004 04:29

API spying
 
I suggest using: ***.rohitab.com/apimonitor.

Also some user-level debuggers give you good API spy possibilities. If the app doesn't include telic SEHs then you can dance with it as much as you want. If someone was so bright as to include them, then you can disable them by configuring different exception handling options in your debugger.

The golden rule is: if you don't try - you won't learn.

Good luck.

boya 06-11-2004 13:15

Thx a lot for your mental support (I don't know the exact English word here: encourage?)
 
Quote:

Originally Posted by dyn!o
I suggest using: ***.rohitab.com/apimonitor.

Also some user-level debuggers give you good API spy possibilities. If the app doesn't include telic SEHs then you can dance with it as much as you want. If someone was so bright as to include them, then you can disable them by configuring different exception handling options in your debugger.

The golden rule is: if you don't try - you won't learn.

^^^^^^^^^^^^^^^^ Yes, try and fail, fail and try......

JMI 06-11-2004 16:09

boya:

I believe the word you may be looking for is "encouragement." :)

Regards,

boya 06-11-2004 20:03

yep :) thank you.
 
Quote:

Originally Posted by JMI
boya:

I believe the word you may be looking for is "encouragement." :)

Regards,


yep :) thank you.

boya 06-11-2004 20:05

I just want to know which API is called.
 
Quote:

Originally Posted by e.b
What did you do in order to modify apispy?

e.b

I am a newbie in unpacking. PELock is too hard for me, so I want to use some tools to log which API is called; maybe it is useful for the IAT rebuilding.
What do you think?

But till now, I have had NO success in using apispy32 or apimonitor to observe the PELocked target. :confused:

e.b 06-11-2004 23:22

I'm a newbie too, so I was interested in the modifications you did ...
Could you give me some ideas?

regards e.b

vgshadow 06-28-2004 23:54

Boya,

Apispy32 works by modifying the import table of the target application. In your case you are trying to spy on an application which doesn't have a valid import table. You cannot use Apispy32.

You can try the following if you have time and programming interest:

1. Start the target application as a child process with debugging enabled.
2. In the DLL load event, if you need to monitor the functions in the DLL, insert CC (int 3) as the first byte of all the exported functions. Store the original byte and the address.
3. Whenever you get a debug breakpoint event, check whether the EIP in the target process is in your stored addresses. If yes, then log the name in a file. Reset the original byte at the particular address and enable single-step by modifying the control registers. You will receive a single-step breakpoint event again. There you can insert the CC (int 3) instruction for the next breakpoint and proceed.

I did this long ago. I don't know whether I still have the program with me. If I find it I will send it to you.

regards,
VGSHADOW

