Exetools  

#1
06-25-2005, 22:50
bgrimm
Friend
Join Date: Jan 2004
Location: South of The North Pole
Posts: 66
Delphi App network activity

I have an app written in Delphi; every time it runs, it tries to execute a UDP broadcast to a system outside the local network on a suspicious port.

The program was written for looking up parts in a local database, and is distributed free to businesses that purchase from that distributor.
It was just after it triggered activity through my firewall that I took an interest in what this app may be doing.

The app doesn't have any fancy tricks, (example: expiration was keyed to file date/time, admin password dialog text was hardcoded, etc...)

I'm wondering what functions the Delphi app could use to communicate out, so as to breakpoint on them and trace what this app might be up to.

The import section looks pretty standard and I did not see what functions may be used for network communication.
Code:
kernel32.dll     user32.dll
advapi32.dll     oleaut32.dll
version.dll      gdi32.dll
ole32.dll        comctl32.dll
winspool.drv     shell32.dll
comdlg32.dll     ACE32.DLL
(ACE32 is for database access)
I expected to find wininet.dll imported, or maybe it using some function in Shell32.dll.
There are no other DLL's, or executables used by this app.

Referenced text strings had nothing of interest as the address it talks to is hardcoded. (224.0.1.55 on Port 2989)

Nothing in the registry regarding that address or port.

Googling got me some technical info, example code, etc., but nothing short and to the point explaining UDP broadcast communication in Delphi.

-bg
#2
06-27-2005, 16:11
baatazu
Posts: n/a
Probably the UDP packet sending is to inform the company that software is running on a specific machine, in a specific IP (and IP can easily tell you the originator's country).

UDP in serious Delphi applications can be sent using ICS or INDY. Your app looks like it is using INDY. Can you see in the resources if it has a list of the following strings:

Code:
65216,Connection Closed Gracefully.
65217,Could not bind socket. Address and port are already in use.
65218,Invalid Port Range (%d - %d)
65219,%s is not a valid service.
65220,IPv6 unavailable
65221,The requested IPVersion / Address family is not supported.
65222,Not all bytes sent.
65223,Package Size Too Big.
65224,Set Size Exceeded.
65225,Not enough bytes read from stream.
65226,End of stream: Class %s at %d
65227,UDP is not support in this SOCKS version.
65228,Request rejected or failed.
65229,Request rejected because SOCKS server cannot connect.
65230,Request rejected because the client program and identd report different user-ids.
65231,Unknown socks error.
#3
06-27-2005, 18:43
redbull
Friend
Join Date: Mar 2004
Posts: 160
All third party Components placed on a form can be viewed in the resources section.

Also DEDE (Delphi Decompiler) will definitely help in telling what UDP components are used.

All components called TIDxxxx (where xxxx is some name) imply that the INDY component set was used.
#4
06-27-2005, 17:07
etienne
Posts: n/a
The IP address you specified is assigned to network multicasting.
(check RIPE/ARIN/APNIC databases for further info)
so unless you run several VPNs over a mainly unprotected network that is connected directly to the Internet (that is, no network address translation or IP masquerading taking place), you can be assured that this communication is done in your environment only.
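The leads raised in posts #1 through #4 (which Winsock calls to breakpoint on, the Indy resource strings, the TIdXxxx class-name convention, and the multicast classification of the hardcoded address) can be pulled out of an executable's string pool in one pass. The script below is an added example written for this thread, not code from any of the posters; the watchlist is of real Winsock exports, which Indy's Winsock wrapper resolves at run time with LoadLibrary/GetProcAddress rather than through the static import table, and SAMPLE_BINARY is a constructed stand-in, not bytes from the program under discussion.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Winsock exports that Indy/ICS-based Delphi programs resolve at run time with
# LoadLibrary/GetProcAddress; they therefore appear in the string pool, not in
# the PE import table, and are the natural breakpoint targets.
WINSOCK_APIS = {"WSAStartup", "WSACleanup", "socket", "bind", "connect",
                "send", "sendto", "WSASendTo", "setsockopt", "closesocket"}
WINSOCK_DLLS = {"wsock32.dll", "ws2_32.dll"}
# Indy component classes follow the TIdXxxx naming convention (post #3).
INDY_CLASS = re.compile(r"\bTId[A-Za-z0-9_]+")
# A few of the Indy resource strings baatazu lists in post #2.
INDY_RESSTR = ("Connection Closed Gracefully", "Could not bind socket",
               "Not all bytes sent", "Package Size Too Big",
               "UDP is not support in this SOCKS version")
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


def classify_ip(text: str) -> Optional[str]:
    """Bucket a dotted quad; None when it is not a valid IPv4 address."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return None
    if ip.is_multicast:          # 224.0.0.0/4, the block etienne points at
        return "multicast"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "private or link-local"
    return "unicast"


def triage(data: bytes) -> Dict[str, object]:
    """Collect the network-related leads from one binary's string pool."""
    strings = extract_strings(data)
    lowered = [s.lower() for s in strings]
    ips: Dict[str, str] = {}
    for s in strings:
        for quad in DOTTED_QUAD.findall(s):
            kind = classify_ip(quad)
            if kind is not None:
                ips[quad] = kind
    return {
        "winsock_dlls": sorted({d for s in lowered for d in WINSOCK_DLLS if d in s}),
        "winsock_apis": sorted({s for s in strings if s in WINSOCK_APIS}),
        "indy_classes": sorted({c for s in strings for c in INDY_CLASS.findall(s)}),
        "indy_resource_strings": sorted(
            {s for s in strings if any(r in s for r in INDY_RESSTR)}),
        "ip_literals": ips,
    }


# Constructed sample: a stand-in for the string pool of a Delphi/Indy executable,
# not bytes taken from the program discussed in the thread.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"WSOCK32.DLL\x00WSAStartup\x00socket\x00sendto\x00"
    + b"TIdUDPClient\x00TIdSocketHandle\x00"
    + b"Connection Closed Gracefully.\x00Package Size Too Big.\x00"
    + b"224.0.1.55\x002989\x00127.0.0.1\x00999.1.1.1\x00"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BINARY).items():
        print(f"{key}: {value}")
```

Run against the real executable, a non-empty `winsock_apis` list gives the breakpoint targets the first post asks for, and `winsock_dlls` tells you which library to watch being loaded; a hit on a TId class name or an Indy resource string answers the "is it Indy?" question without a decompiler. The multicast bucket simply reflects 224.0.0.0/4 membership, which is what etienne's registry lookup establishes for 224.0.1.55.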
#5
06-27-2005, 22:15
baatazu
Posts: n/a
If the forms are removed or encrypted they can't be viewed in resources. For example, in my applications you can't see the forms in the resources because they are encrypted with Citadel. On the other hand, the UDP component may be created dynamically without a component on the form.

Anyway, INDY doesn't use any system DLL to accomplish the UDP sending, meaning it has no exports. The only way to see how things work is to create an empty app, an empty form, and an empty form/app with a UDP sending function on it, and compare. Maybe that will help you in studying it.

I can generate those two exes for you, both for Indy9 and Indy10. Just let me know.
#6
06-28-2005, 22:38
redbull
Friend
Join Date: Mar 2004
Posts: 160
Can we get our grubby paws on the app, bgrimm??

Valid comments "baatazu" especially if you are using an encrypted app...

The TPersistent nature of TComponents in Delphi will embed them in the code somewhere, so I was referring to standard un-encrypted exe's (which it appears that bgrimm is playing with).
#7
06-29-2005, 08:45
bgrimm
Friend
Join Date: Jan 2004
Location: South of The North Pole
Posts: 66
Thanks to all for their responses and ideas.

Quote:
Can you see on resources if it has a list of the following strings...

... and...

the IP address you specified is assigned to network multicasting.
As I mentioned, there was nothing in the main executable resources, or text strings. So dead end there.

The reserved IP range kind of made me think a bit harder about the issue.

It appears from the other DLL's that the program uses a DB access mechanism written by "Extended Systems, Inc".

I'm beginning to think that the communication may be to see if a database is not on the localhost and instead resides on another machine on the LAN, as the components clearly have Client & Server resources.

The distributor stopped in yesterday and I mentioned it to him, he knows the in house programmer that wrote the app but said he knew nothing of outbound communications.
I think perhaps they included components from Extended Systems, and since they don't know about it, they may have a control/component configured incorrectly or it is just by design.


I packed up the main executable and all the dll's that were in the directory. It will give an error on startup since the database files are missing, but it is enough that after the error, the outgoing communication occurs.

h**p://s22.yousendit.com/d.aspx?id=0YF6ZWGCJJL9M3TJ8V4FP95R9V


Now my only question out of curiosity would be: I only saw ACE32.dll as an import, and it did not import anything, so if the communications routines are called, say, from axcws32.dll, how could they have been called? LoadLibrary?

Regards,
-BG
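Two threads of the discussion come together here: baatazu's suggestion in post #5 to build an empty form and a UDP-sending form and compare the two binaries, and bgrimm's closing question about how a routine in a DLL that never appears in the import table can be reached. The answer to the second is the pair kernel32 does export statically, LoadLibrary and GetProcAddress: a program that imports those can bind to any DLL after the loader is done, so the DLL's name survives only as a string. The script below is an added example written for this thread, not code from any poster; it diffs the string pools of a baseline and a target build and then flags DLL names that occur as strings without a matching import entry. BASELINE_EXE, TARGET_EXE and IMPORT_TABLE are constructed stand-ins (the function names in IMPORT_TABLE are assumed), not dumps of any real build.

```python
import re
from typing import Dict, Iterable, List, Set

# kernel32 entry points that let a program bind to a DLL after the loader has
# finished, i.e. without a static import entry for that DLL.
DYNAMIC_LOADERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                   "LoadLibraryExW", "GetProcAddress"}
DLL_NAME = re.compile(r"^[A-Za-z0-9_\-]+\.dll$", re.IGNORECASE)


def extract_strings(data: bytes, min_len: int = 5) -> Set[str]:
    """Printable-ASCII runs of at least min_len bytes, as a set for diffing."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, data)}


def new_artifacts(baseline: bytes, target: bytes) -> List[str]:
    """Strings the UDP build carries that the empty-form build does not
    (baatazu's differential approach, automated)."""
    return sorted(extract_strings(target) - extract_strings(baseline))


def runtime_loaded_dlls(imports: Dict[str, List[str]],
                        strings: Iterable[str]) -> Dict[str, List[str]]:
    """DLL names that occur as strings but are absent from the static import
    table, reported only when the loader APIs that make such late binding
    possible are themselves imported from kernel32."""
    loaders = sorted(DYNAMIC_LOADERS & set(imports.get("kernel32.dll", [])))
    if not loaders:
        return {}
    imported = {dll.lower() for dll in imports}
    return {s.lower(): loaders
            for s in strings
            if DLL_NAME.match(s) and s.lower() not in imported}


# Constructed stand-ins: the string pools of an empty Delphi form project and of
# the same project with a UDP-sending component on the form. Not dumps of any
# real build; the function names in IMPORT_TABLE are assumed for illustration.
COMMON = (b"kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
          b"user32.dll\x00MessageBoxA\x00TForm1\x00TApplication\x00Exception\x00")
BASELINE_EXE = b"MZ" + b"\x00" * 8 + COMMON
TARGET_EXE = (b"MZ" + b"\x00" * 8 + COMMON
              + b"WSOCK32.DLL\x00WSAStartup\x00sendto\x00TIdUDPClient\x00"
              + b"Connection Closed Gracefully.\x00224.0.1.55\x00")
IMPORT_TABLE = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "GetModuleHandleA"],
    "user32.dll": ["MessageBoxA"],
}

if __name__ == "__main__":
    print("new in UDP build:", new_artifacts(BASELINE_EXE, TARGET_EXE))
    print("loaded at run time:",
          runtime_loaded_dlls(IMPORT_TABLE, extract_strings(TARGET_EXE)))
```

The diff isolates exactly the strings the UDP component brought in, which is the point of comparing the two builds rather than reading the whole pool. When `runtime_loaded_dlls` names a Winsock library, the practical trace is a breakpoint on GetProcAddress that fires when the requested name is the sending function (sendto or WSASendTo), followed by a breakpoint on the address it returns; that reaches the call site even though nothing in the import table points at it.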
All times are GMT +8.