#1
Delphi App network activity
I have an app written in Delphi; every time it runs, it tries to execute a UDP broadcast to a system outside the local network on a suspicious port.
The program was written for looking up parts in a local database, and is distributed free to businesses who purchase from that distributor. It was just after it triggered activity through my firewall that I took an interest in what this app may be doing. The app doesn't have any fancy tricks (example: expiration was keyed to file date/time, admin password dialog text was hardcoded, etc.). I'm wondering what functions the Delphi app could use to communicate out, so as to breakpoint on them and trace what this app might be up to. The import section looks pretty standard and I did not see what functions may be used for network communication.
Code:
kernel32.dll user32.dll advapi32.dll oleaut32.dll version.dll gdi32.dll ole32.dll comctl32.dll winspool.drv shell32.dll comdlg32.dll ACE32.DLL
(ACE32 is for database access.) There are no other DLLs or executables used by this app. Referenced text strings had nothing of interest, as the address it talks to is hardcoded (224.0.1.55 on port 2989). Nothing in the registry regarding that address or port. Googling got me some technical info, example code, etc., but nothing short and to the point explaining UDP broadcast communication in Delphi.
-bg
#2
Probably the UDP packets are sent to inform the company that the software is running on a specific machine, at a specific IP (and the IP can easily tell you the originator's country).
UDP in serious Delphi applications can be sent using ICS or INDY. Your app looks like it is using INDY. Can you see in the resources if it has a list of the following strings?
Code:
65216,Connection Closed Gracefully.
65217,Could not bind socket. Address and port are already in use.
65218,Invalid Port Range (%d - %d)
65219,%s is not a valid service.
65220,IPv6 unavailable
65221,The requested IPVersion / Address family is not supported.
65222,Not all bytes sent.
65223,Package Size Too Big.
65224,Set Size Exceeded.
65225,Not enough bytes read from stream.
65226,End of stream: Class %s at %d
65227,UDP is not support in this SOCKS version.
65228,Request rejected or failed.
65229,Request rejected because SOCKS server cannot connect.
65230,Request rejected because the client program and identd report different user-ids.
65231,Unknown socks error.
#3
The IP address you specified is assigned to network multicasting.
(Check the RIPE/ARIN/APNIC databases for further info.) So unless you run several VPNs over a mainly unprotected network that is connected directly to the Internet (that is, no network address translation or IP masquerading taking place), you can be assured that this communication is done in your environment only.
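The firewall hit from post #1 and the multicast observation in post #3 come together in one practical check: given a destination address, is it a multicast group, which IANA block does it fall in, and can routers forward it off the local network at all? The following is an added example for this thread, not code from any of the posters. The log line format is a constructed stand-in rather than any particular firewall's format, and the block table follows the IANA IPv4 multicast address space registry (RFC 5771); the verdict for a routable block is deliberately conditional, because a multicast datagram leaves a site only where multicast routing (IGMP/PIM) is enabled along the path and its TTL allows it.

```python
"""Added example (not from the thread): classify destinations seen in firewall
log lines and state what a multicast destination implies for the question
"is this traffic leaving my network?". Log format is a constructed stand-in."""
import ipaddress
import re
from typing import Dict, List

# (network, IANA block name, forwardable beyond the local link by compliant routers?, scope note)
MULTICAST_BLOCKS = [
    (ipaddress.ip_network("224.0.0.0/24"), "Local Network Control Block", False,
     "link-local control traffic (e.g. mDNS, IGMP); never forwarded by a router"),
    (ipaddress.ip_network("224.0.1.0/24"), "Internetwork Control Block", True,
     "may be forwarded; reaches other sites only where multicast routing (IGMP/PIM) "
     "is enabled along the path and the datagram TTL exceeds 1"),
    (ipaddress.ip_network("232.0.0.0/8"), "Source-Specific Multicast Block", True,
     "source-specific multicast; forwardable under the same conditions"),
    (ipaddress.ip_network("239.0.0.0/8"), "Administratively Scoped Block", False,
     "administratively scoped; confined to the organization by its border routers"),
]
OTHER_MULTICAST = ("Other IPv4 multicast", True,
                   "forwardable under the same conditions as the Internetwork Control Block")

# Constructed log format: "<date> <time> <ACTION> <PROTO> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>UDP|TCP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)"
)


def classify_destination(dst: str) -> Dict[str, object]:
    """Return multicast flag, IANA block name, forwardability and a scope note for one address."""
    addr = ipaddress.IPv4Address(dst)
    info: Dict[str, object] = {"address": dst, "multicast": addr.is_multicast}
    if not addr.is_multicast:
        info.update(block=None, routable=addr.is_global,
                    note="unicast destination; an ordinary host-to-host connection")
        return info
    for net, name, routable, scope in MULTICAST_BLOCKS:
        if addr in net:
            info.update(block=name, routable=routable, note=f"{name}: {scope}")
            return info
    name, routable, scope = OTHER_MULTICAST
    info.update(block=name, routable=routable, note=f"{name}: {scope}")
    return info


def triage_log(lines: List[str]) -> List[Dict[str, object]]:
    """Parse each log line that matches LOG_RE and attach the destination classification."""
    records = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skipped, not guessed at
        rec: Dict[str, object] = dict(m.groupdict())
        rec.update(classify_destination(m.group("dst")))
        records.append(rec)
    return records


# Constructed sample lines; the first mirrors the address and port named in post #1.
SAMPLE_LOG = [
    "2005-03-14 09:12:01 ALLOW UDP 192.168.1.20:1034 -> 224.0.1.55:2989",
    "2005-03-14 09:12:02 ALLOW UDP 192.168.1.20:5353 -> 224.0.0.251:5353",
    "2005-03-14 09:12:05 ALLOW TCP 192.168.1.20:1040 -> 198.51.100.7:443",
    "a line that does not match the expected format",
]

if __name__ == "__main__":
    for rec in triage_log(SAMPLE_LOG):
        print(f"{rec['ts']} {rec['proto']} {rec['src']} -> {rec['dst']}:{rec['dport']}  {rec['note']}")
```

Run stand-alone it reports the 224.0.1.55 datagram as Internetwork Control Block traffic that routers may forward but that does not automatically reach the Internet, and the 224.0.0.251 datagram as link-local traffic a router will never forward. On the firewall side, the useful follow-up is whether the egress interface has multicast routing enabled and what TTL the outbound datagrams carry; a packet capture on the egress shows both.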
#4
All third-party components placed on a form can be viewed in the resources section.
Also, DEDE (Delphi Decompiler) will definitely help in telling what UDP components are used. All components called TIDxxxx (where xxxx is some name) imply that the INDY component set was used.
#5
If the forms are removed or encrypted they can't be viewed in resources. For example, in my applications you can't see the forms in the resources because they are encrypted with Citadel. On the other hand, the UDP component may be created dynamically without a component on the form.
Anyway, INDY doesn't use any system DLL to accomplish the UDP sending, meaning it has no exports. The only way to see how things work is to create an empty app, an empty form, and an empty form/app with a UDP sending function on it, and compare. Maybe that will help you study. I can generate those two exes for you, both for Indy9 and Indy10. Just let me know.
#6
Can we get our grubby paws on the app, bgrimm?
Valid comments, "baatazu", especially if you are using an encrypted app... The TPersistent nature of TComponents in Delphi will embed them in the code somewhere, so I was referring to standard unencrypted exes (which it appears that bgrimm is playing with).
#7
Thanks to all for their responses and ideas.
The reserved IP range kind of made me think a bit harder about the issue. It appears from the other DLLs that the program uses a DB access mechanism written by "Extended Systems, Inc". I'm beginning to think that the communication may be to see if a database is not on the localhost and instead resides on another machine on the LAN, as the components clearly have client and server resources. The distributor stopped in yesterday and I mentioned it to him; he knows the in-house programmer that wrote the app but said he knew nothing of outbound communications. I think perhaps they included components from Extended Systems, and since they don't know about it, they may have a control/component configured incorrectly, or it is just by design. I packed up the main executable and all the DLLs that were in the directory. It will give an error on startup since the database files are missing, but it is enough that after the error, the outgoing communication occurs. h**p://s22.yousendit.com/d.aspx?id=0YF6ZWGCJJL9M3TJ8V4FP95R9V Now my only question, out of curiosity, would be: I only saw ACE32.dll as an import, and it did not import anything, so if the communications routines are called, say, from axcws32.dll, how could they have been called? LoadLibrary? Regards, -BG