#1
KERNEL32 imports in IDA Pro
Hello,
I am currently exploring an executable in IDA Pro 4.5, and stumbled across a load of imported system calls that are labelled KERNEL32_4, KERNEL32_16 and so on. IDA created two sections called 'Imports from KERNEL32.DLL', one with system calls correctly identified and typed, the other with the bare KERNEL32_XX names and without data types (the only exception being BuildCommDCBAndTimeoutsW). What are those unidentified(?) system calls? Am I using a too old version of kernel32.ids? From their calling context I guess that they do some network-related stuff; am I missing a specific ids file? Asking Google about KERNEL32_XX will only return a WINE resource. I'm only beginning with reverse engineering / analyzing executables, so there might be an obvious solution to this problem. TIA
#2
You are correct, pez.
The kernel32.ids file of IDA 4.5 is old. You can check it by using zipids.exe with the -u option to dump kernel32.ids, and dumpbin.exe /exports to dump the exported functions of kernel32.dll. They will have many mismatches. So, I think, you can back up kernel32.ids and delete it. Decompile the .exe again; IDA Pro will automatically find and apply the names of the export/import functions in kernel32.dll. Or you can create a new kernel32.ids with the dll2ids tool. Regards, TQN
#3
Thank you for your suggestions. However, rebuilding the kernel32.ids from the DLL messed the imports up completely, and replaced previously sensible calls with useless import names.
PEExplorer also gave no names for those imports, but it showed that they were imports by ordinal and not by name, so I did some extensive Google searching about it, which resulted in a list of undocumented kernel32 exports ( hxxp://mitglied.lycos.de/pepage/k32.htm ). It seems that all exports below 100 are 'unofficial'; still, the VC7-compiled program I'm analyzing uses them. I'm now adding those to the IDA kernel32.idt, and am having first successes, e.g. it seems that one heavily used call, KERNEL32_16, is simply wvsprintfA that is passed through from USER32. A good resource for those undocumented exports, as I later found out, are the WINE sources, as they try to implement the NT kernel completely. However, there too the KERNEL32_19 export is missing (i.e. the export with the decimal ordinal 19, also heavily used), and it defines KERNEL32_9 as a VXD call, but that doesn't seem to make sense in my case. Anyone else who ever stumbled across this?
#4
What is your Windows OS?
In Win9x, many functions in Kernel32 were exported by ordinal, not by name, but in WinNT and Win2K and above, all functions in kernel32 are exported by name. Here is dumpbin /exports kernel32.dll on my Win2k Server. I still think you need to recreate the kernel32.ids, manually adding descriptions, number of arguments... to the kernel32.idt by looking into MSDN. Regards! TQN
#5
Ok, mystery solved. If anyone's interested, here is the deal:
The original executable was UPX-compressed, and the UPX unpacker I used damaged the import segment, resulting in the WS2_32.DLL imports being marked as KERNEL32 ordinal imports. I decompressed it now using PE-Explorer, and, hey presto, everything makes sense! Those mysterious calls are functions like send, connect, etc. from WS2_32.DLL. Thanks for your help, anyway!
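As an added example (not code from the thread), here is a small Python script that walks a PE import directory by hand, shows the `DLL_<ordinal>` names IDA falls back to when no .ids file resolves an ordinal import, and flags the exact symptom described in this thread: by-ordinal imports attributed to KERNEL32.DLL, which on the NT family exports by name. The ws2_32.dll ordinal table embedded below is the fixed ordinal assignment of the BSD-socket exports (unchanged since wsock32.dll, which is why a linker can import them by ordinal at all). The sample import directory is constructed inline (one descriptor correctly by name, one by ordinal, labelled either KERNEL32.DLL as the broken unpacker did or WS2_32.DLL as it should be), the identity `rva_to_off` mapping is an assumption of that flat sample, and the `NAME_ONLY_DLLS` set is this example's own heuristic.

```python
"""Parse a PE import directory and show how ordinal imports surface in IDA.

Added example, not code from the thread. Only IMAGE_IMPORT_DESCRIPTOR and the
thunk arrays are parsed, so it runs offline on a constructed image.
"""
import struct

IMAGE_ORDINAL_FLAG32 = 0x80000000
IMAGE_ORDINAL_FLAG64 = 1 << 63
DESCRIPTOR_SIZE = 20  # sizeof(IMAGE_IMPORT_DESCRIPTOR)

# ws2_32.dll export ordinals for the BSD-socket API (fixed since wsock32.dll).
WS2_32_ORDINALS = {
    1: "accept", 2: "bind", 3: "closesocket", 4: "connect", 5: "getpeername",
    6: "getsockname", 7: "getsockopt", 8: "htonl", 9: "htons", 10: "ioctlsocket",
    11: "inet_addr", 12: "inet_ntoa", 13: "listen", 14: "ntohl", 15: "ntohs",
    16: "recv", 17: "recvfrom", 18: "select", 19: "send", 20: "sendto",
    21: "setsockopt", 22: "shutdown", 23: "socket",
    111: "WSAGetLastError", 115: "WSAStartup", 116: "WSACleanup",
}

# On NT-family Windows kernel32.dll exports everything by name, so a by-ordinal
# import claiming to come from it is a red flag. Heuristic of this example only.
NAME_ONLY_DLLS = {"KERNEL32.DLL"}


def read_cstr(image, off):
    return image[off:image.index(b"\0", off)].decode("ascii")


def parse_imports(image, import_dir_rva, rva_to_off, pe64=False):
    """Return [(dll_name, [("name", str) | ("ordinal", int), ...]), ...].

    rva_to_off maps an RVA to a file offset (from the section table for a real
    PE); the constructed sample below uses an identity mapping.
    """
    if pe64:
        thunk_fmt, thunk_size, flag = "<Q", 8, IMAGE_ORDINAL_FLAG64
    else:
        thunk_fmt, thunk_size, flag = "<I", 4, IMAGE_ORDINAL_FLAG32
    imports = []
    off = rva_to_off(import_dir_rva)
    while True:
        oft, _stamp, _fwd, name_rva, ft = struct.unpack_from("<5I", image, off)
        if name_rva == 0 and ft == 0:
            break  # all-zero descriptor terminates the table
        # Prefer the import name table (OriginalFirstThunk); packers sometimes
        # zero it, so fall back to the IAT, identical until the loader patches it.
        toff = rva_to_off(oft or ft)
        entries = []
        while True:
            (thunk,) = struct.unpack_from(thunk_fmt, image, toff)
            if thunk == 0:
                break
            if thunk & flag:
                entries.append(("ordinal", thunk & 0xFFFF))
            else:  # IMAGE_IMPORT_BY_NAME: WORD hint, then NUL-terminated name
                entries.append(("name", read_cstr(image, rva_to_off(thunk) + 2)))
            toff += thunk_size
        imports.append((read_cstr(image, rva_to_off(name_rva)), entries))
        off += DESCRIPTOR_SIZE
    return imports


def ida_import_names(imports, ids=None):
    """Names as IDA shows them: the export name, or DLL_<ordinal> when no .ids
    file resolves the ordinal. `ids` stands in for an .ids file: {dll: {ord: name}}."""
    ids = ids or {}
    names = []
    for dll, entries in imports:
        stem = dll.rsplit(".", 1)[0].upper()
        for kind, value in entries:
            if kind == "name":
                names.append(value)
            else:
                names.append(ids.get(dll.upper(), {}).get(value, f"{stem}_{value}"))
    return names


def audit_ordinal_imports(imports):
    """Flag by-ordinal imports attributed to a name-only DLL and show what the
    same ordinals mean in ws2_32.dll, the culprit in this thread."""
    findings = []
    for dll, entries in imports:
        ordinals = [v for kind, v in entries if kind == "ordinal"]
        if ordinals and dll.upper() in NAME_ONLY_DLLS:
            findings.append((dll, {o: WS2_32_ORDINALS.get(o, "?") for o in ordinals}))
    return findings


def build_sample_image(damaged):
    """Constructed 32-bit import directory with RVA == offset. With damaged=True
    the ordinal descriptor is mislabelled KERNEL32.DLL, as the broken unpacker
    produced; otherwise it correctly names WS2_32.DLL."""
    img = bytearray(0x100)

    def put(off, data):
        img[off:off + len(data)] = data

    put(0x40, b"KERNEL32.DLL\0")
    put(0xF0, b"WS2_32.DLL\0")
    put(0x90, struct.pack("<H", 0) + b"ExitProcess\0")      # IMAGE_IMPORT_BY_NAME
    put(0xA0, struct.pack("<H", 0) + b"GetProcAddress\0")
    by_name = struct.pack("<3I", 0x90, 0xA0, 0)
    by_ord = struct.pack("<5I", *(IMAGE_ORDINAL_FLAG32 | o for o in (4, 9, 16, 19)), 0)
    put(0x60, by_name)  # INT, descriptor 1
    put(0x70, by_ord)   # INT, descriptor 2
    put(0xC0, by_name)  # IAT, descriptor 1
    put(0xD0, by_ord)   # IAT, descriptor 2
    put(0x00, struct.pack("<5I", 0x60, 0, 0, 0x40, 0xC0))
    put(0x14, struct.pack("<5I", 0x70, 0, 0, 0x40 if damaged else 0xF0, 0xD0))
    # bytes 0x28..0x3C stay zero: the terminating descriptor
    return bytes(img)


if __name__ == "__main__":
    for damaged in (True, False):
        imps = parse_imports(build_sample_image(damaged), 0, lambda rva: rva)
        print("damaged" if damaged else "clean", ida_import_names(imps))
        for dll, guess in audit_ordinal_imports(imps):
            print(f"  {dll} imported by ordinal; as ws2_32 ordinals: {guess}")
```

On a real file, feed `parse_imports` the bytes of the executable, the RVA from the import data directory, and an `rva_to_off` built from the section table; two descriptors both named KERNEL32.DLL, one of them entirely by ordinal, is the pattern to treat as a damaged import table rather than as undocumented kernel32 exports.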
#6
It's anyway interesting if any of you guys could share your updated and reworked kernel32.ids; at least if it's as simple as it seems to be, as a time saver for others.
Thanks in advance!
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#7
Thanks for your idea, Shub-Nigurrath. I will recreate the kernel32.ids with detailed comments and the number of arguments. Wow, over 800 functions, a lot of tedious manual work.
Regards, TQN
#8
Well, so it's not so simple, "a tedious work"; this is exactly what I suspected it could have been!
Thanks TQN, you're our beloved IDA hard worker (also for Delphi stuff)!
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com
#9
Help!
I have finished about 500 functions in kernel32.dll. There are a lot of undocumented functions in kernel32.dll. But I need your help!
I am using the very old Dll2ids tool. Do you have the idsutils3 tool? On the DataRescue homepage, they said idsutils3 was updated in 2003, and I cannot download it. I cannot access their FTP. So, if you have it, please send it to me or attach it in the reply. Thanks for your help! Regards, TQN
#10
Hi,
no problem, I have access to the FTP, but where is it supposed to be? I downloaded the whole flair archive and it's not there..
__________________
Ŝħůb-Ňìĝùŕřaŧħ ₪) There are only 10 types of people in the world: Those who understand binary, and those who don't http://www.accessroot.com