Post #4 by Kerlingen, 06-29-2011, 22:59
1.) As far as I remember, lvl1 tries to find the correct API by disassembling the code and looking for some jump to the original API. lvl2 and lvl3 single step the protector's trash code until they end up somewhere in a loaded DLL's code section, which will most likely be the correct imported function.

2.) Write some tool by hand which finds the correct APIs or prevent the protector from redirecting the imports at all (must be done somewhere deep in the protector's code, while it is still decrypting and unpacking the code).

3.) Since there are very few possible emulated APIs, they are the ones left when all other imports were rebuilt. You have to manually look at them in a debugger or disassembler and guess what they do.

For example, if you're running Windows 7 build 7600, the return value of GetVersion will be "0x1DB00106" (version 6, subversion 1, build 0x1DB0 (7600 decimal)). So if you see some code which does only "MOV EAX, 0x1DB00106; RET" (maybe inside of some trash code), it is likely that you've found the emulated "GetVersion" call.

Last edited by Kerlingen; 06-29-2011 at 23:07.
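As an added illustration of the GetVersion check in point 3 (example code, not the poster's tool): this decodes a GetVersion() DWORD into major/minor/build the way the post does for 0x1DB00106, and scans a constructed byte buffer for "MOV EAX, imm32; RET" stubs (B8 imm32 ... C3, with optional NOP padding) to flag the ones whose immediate looks like a Windows version value. The sample bytes, the NOP-padding allowance and the "plausible NT version" heuristic are assumptions made for the example.

```python
# Decoding GetVersion() results and spotting "MOV EAX, imm32; RET" stubs
# in a code buffer. Sample bytes are constructed; the scan is a naive byte
# pattern match, not a disassembler, so it can hit B8 inside other operands.

def encode_getversion(major, minor, build):
    """Pack (major, minor, build) the way GetVersion() returns them on NT:
    low byte = major, next byte = minor, high word = build (top bit clear)."""
    return (build << 16) | (minor << 8) | major

def decode_getversion(value):
    """Inverse of encode_getversion: (major, minor, build, is_nt)."""
    major = value & 0xFF
    minor = (value >> 8) & 0xFF
    build = (value >> 16) & 0x7FFF
    is_nt = (value >> 31) == 0       # bit 31 set means Win9x family
    return major, minor, build, is_nt

# Reference values derived from the layout above; 0x1DB00106 is the
# Windows 7 build 7600 value quoted in the post.
KNOWN_VERSIONS = {
    encode_getversion(5, 1, 2600): "Windows XP (5.1.2600)",
    encode_getversion(6, 1, 7600): "Windows 7 (6.1.7600)",
    encode_getversion(6, 1, 7601): "Windows 7 SP1 (6.1.7601)",
}

def find_mov_eax_ret(code, max_gap=8):
    """Return [(offset, imm32)] for each B8 imm32 followed by C3 (RET),
    allowing up to max_gap single-byte NOPs (0x90) in between (assumed padding)."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xB8:
            continue
        imm = int.from_bytes(code[i + 1:i + 5], "little")
        j = i + 5
        while j < len(code) and code[j] == 0x90 and j - (i + 5) < max_gap:
            j += 1
        if j < len(code) and code[j] == 0xC3:
            hits.append((i, imm))
    return hits

def label_stubs(code):
    """Map each stub offset to a label: known GetVersion value, plausible NT
    version (heuristic: major 5..10, build >= 1000), or None if unrelated."""
    out = {}
    for off, imm in find_mov_eax_ret(code):
        major, minor, build, is_nt = decode_getversion(imm)
        if imm in KNOWN_VERSIONS:
            out[off] = "GetVersion -> " + KNOWN_VERSIONS[imm]
        elif is_nt and 5 <= major <= 10 and build >= 1000:
            out[off] = "GetVersion? -> %d.%d.%d" % (major, minor, build)
        else:
            out[off] = None
    return out

# Constructed byte stream: junk, the Win7 stub with NOP padding, and a
# 'mov eax, 1; ret' that must not be mistaken for a version stub.
SAMPLE = (b"\x90\x50\x58"                         # nop; push eax; pop eax
          + b"\xB8\x06\x01\xB0\x1D\x90\x90\xC3"   # mov eax, 0x1DB00106; nops; ret
          + b"\x33\xC0\xC3"                       # xor eax, eax; ret
          + b"\xB8\x01\x00\x00\x00\xC3")          # mov eax, 1; ret

if __name__ == "__main__":
    for off, desc in sorted(label_stubs(SAMPLE).items()):
        print("offset %2d: %s" % (off, desc))
```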