#1

Questions again on how to hide APISPY32?
Oh, still on the hard PELock question: I want to use APISpy to spy on the API calls, but the PELocked target can detect APISpy. I tried but failed to modify apispy32.exe... to cheat the PELocked stuff. Does anyone have successful experience? Bow.

#2

What did you do in order to modify APISpy?
e.b

#3

API spying
I suggest using: ***.rohitab.com/apimonitor.
Also, some user-level debuggers give you good API spying possibilities. If the app doesn't include telic SEHs, then you can dance with it as much as you want. If someone was so bright as to include them, then you can disable them by configuring different exception handling options in your debugger. The golden rule is: if you don't try, you won't learn. Good luck.
Last edited by dyn!o; 06-11-2004 at 04:31.

#4

Thanks a lot for your mental support (I don't know the exact English word here: encourage?).

#5

boya:
I believe the word you may be looking for is "encouragement." Regards,
JMI

#6

Yep :) thank you.

#7

I just want to know which API is called. What do you think? But till now I have had NO success in using apispy32 or apimonitor to observe the PELocked target.

#8

I'm a newbie too, so I was interested in the modifications you did... could you give me some ideas? Regards, e.b

#9

Boya,
Apispy32 works by modifying the import table of the target application. In your case you are trying to spy on an application which doesn't have a valid import table, so you cannot use Apispy32. You can try the following if you have time and programming interest:

1. Start the target application as a child process with debugging enabled.
2. In the DLL load event, if you need to monitor the functions in that DLL, insert CC (int 3) as the first byte of all the exported functions. Store the original byte and the address.
3. Whenever you get a debug breakpoint event, check whether the EIP in the target process is in your stored addresses. If yes, then log the name in a file. Reset the original byte at the particular address and enable single-step by modifying the control registers. You will receive a single-step breakpoint event again; there you can insert the CC (int 3) instruction for the next breakpoint and proceed.

I did this long ago. I don't know whether I still have the program with me. If I find it I will send it to you.
Regards,
VGSHADOW
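As an added example (not VGSHADOW's program and not code from this thread), here is the same three-step recipe written for Linux/x86-64 with ptrace, because that is where it can be compiled and run directly; on Windows the identical loop sits on CreateProcess with DEBUG_PROCESS, WaitForDebugEvent, ReadProcessMemory/WriteProcessMemory and GetThreadContext/SetThreadContext. The two "watched" functions are local stand-ins for a DLL's exports, and all names, the fixed call counts and the `demo_hits` wrapper are assumptions made for the demo. The point for a defender is that this style of tracer leaves no import-table modification for a packer to detect, but does leave 0xCC bytes in code pages, which is exactly what a packer's integrity check or a memory scanner would look for.

```c
/* Added example, not from the thread: VGSHADOW's int3 call monitor on Linux/x86-64.
 * 1. run the target as a traced child; 2. write 0xCC over the first byte of each
 * watched function (saving the byte); 3. on each trap: log, restore the byte,
 * rewind the PC, single-step the real first instruction, re-arm the 0xCC. */
#include <stdio.h>
#include <stdint.h>
#include <unistd.h>
#include <signal.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>

typedef struct {
    uintptr_t addr;   /* entry address of the watched function */
    const char *name; /* name to log when it is called */
    uint8_t orig;     /* original first byte, replaced by 0xCC (int 3) */
    long hits;        /* number of calls observed */
} breakpoint_t;

/* Stand-ins for exported DLL functions (assumed names for the demo). */
__attribute__((noinline)) int watched_open(int x)  { return x + 1; }
__attribute__((noinline)) int watched_write(int x) { return x * 2; }

/* Byte-granular access to tracee memory; PEEK/POKETEXT move a whole word. */
static uint8_t peek_byte(pid_t pid, uintptr_t addr) {
    long word = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    return (uint8_t)(word & 0xff);              /* little-endian: low byte is *addr */
}
static void poke_byte(pid_t pid, uintptr_t addr, uint8_t b) {
    long word = ptrace(PTRACE_PEEKTEXT, pid, (void *)addr, NULL);
    word = (word & ~0xffL) | b;
    ptrace(PTRACE_POKETEXT, pid, (void *)addr, (void *)word);
}

/* Tracee: stop so the tracer can arm breakpoints, then exercise the functions.
 * Calls go through volatile pointers so the compiler cannot clone or fold them. */
static void run_target(void) {
    int (*volatile fn_open)(int)  = watched_open;
    int (*volatile fn_write)(int) = watched_write;
    raise(SIGSTOP);
    int v = 0;
    for (int i = 0; i < 3; i++) v = fn_open(v); /* three calls: 0 -> 1 -> 2 -> 3 */
    v = fn_write(v);                            /* one call: 3 -> 6 */
    _exit(v == 6 ? 0 : 1);
}

/* Tracer: returns the child's exit status, or -1 if tracing was not possible. */
int trace_calls(breakpoint_t *bps, int nbps) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(99);
        run_target();
    }
    int status;
    waitpid(pid, &status, 0);                   /* child is stopped at raise(SIGSTOP) */
    if (!WIFSTOPPED(status)) return -1;
    for (int i = 0; i < nbps; i++) {            /* step 2: arm every breakpoint */
        bps[i].orig = peek_byte(pid, bps[i].addr);
        bps[i].hits = 0;
        poke_byte(pid, bps[i].addr, 0xCC);
    }
    ptrace(PTRACE_CONT, pid, NULL, NULL);
    for (;;) {
        waitpid(pid, &status, 0);
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        if (!WIFSTOPPED(status)) return -1;
        if (WSTOPSIG(status) != SIGTRAP) {      /* pass unrelated signals through */
            ptrace(PTRACE_CONT, pid, NULL, (void *)(long)WSTOPSIG(status));
            continue;
        }
        struct user_regs_struct regs;
        ptrace(PTRACE_GETREGS, pid, NULL, &regs);
        breakpoint_t *bp = NULL;                /* int3 already executed: rip == addr + 1 */
        for (int i = 0; i < nbps; i++)
            if (bps[i].addr == regs.rip - 1) bp = &bps[i];
        if (!bp) { ptrace(PTRACE_CONT, pid, NULL, NULL); continue; }
        bp->hits++;
        printf("call %s\n", bp->name);          /* step 3: log the name */
        poke_byte(pid, bp->addr, bp->orig);     /* restore the original byte */
        regs.rip -= 1;                          /* re-execute the real first instruction */
        ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        ptrace(PTRACE_SINGLESTEP, pid, NULL, NULL);
        waitpid(pid, &status, 0);               /* single-step trap arrives here */
        if (WIFEXITED(status)) return WEXITSTATUS(status);
        poke_byte(pid, bp->addr, 0xCC);         /* re-arm for the next call */
        ptrace(PTRACE_CONT, pid, NULL, NULL);
    }
}

/* Demo wrapper: trace both stand-ins, return the hit count of one of them
 * (0 = watched_open, 1 = watched_write), or -1 if the trace did not succeed. */
long demo_hits(int which) {
    breakpoint_t bps[2] = {
        { (uintptr_t)watched_open,  "watched_open",  0, 0 },
        { (uintptr_t)watched_write, "watched_write", 0, 0 },
    };
    if (trace_calls(bps, 2) != 0) return -1;
    return bps[which].hits;
}

int main(void) {
    printf("open=%ld write=%ld\n", demo_hits(0), demo_hits(1));
    return 0;
}
```

Because the breakpoint is removed and re-inserted around every hit, the watched function always runs its genuine first instruction, which is why the logged call sequence matches what the target actually executed rather than what its import table claims.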