search

JustasMasiulis / lazy_importer

library for importing functions from dlls in a hidden, reverse engineer unfriendly way
Apache License 2.0
1.62k stars 219 forks source link

Question using nt* imports #23

Closed Mecanik closed 5 years ago

Mecanik commented 5 years ago

Hello,

Could you provide some examples on how to use ntdll imports ?

At the same time, I would like to ask your recommendation regarding "GetProcAddress". Currently I use lazy import for this, cached more specifically.

What would be the best way to prevent reversing/hooking of this function:

  1. Just use lazy import
  2. Store original address, then check periodically if hooked/detoured

I would really appreciate your advice!

JustasMasiulis commented 5 years ago

example:

auto function_pointer = LI_FN(NtSomething).nt(); // you can call this immediately without variable ofc

Reversing wise this is just a simple static analysis deterrent. Anyone who can attach a debugger will see what function pointer is acquired.

Concerning hooks by default everything is inlined. However it would be possible to change the cached pointers (if you opt into caching) so I guess you would want to occasionally compare those to the ones returned from non cached versions of code. If you choose to do that I'd suggest adding some extra code into lazy importer instead of comparing them somewhere else as that would be rather verbose I imagine.

Mecanik commented 5 years ago

Thanks, I cannot imagine myself editing lazy importer at the moment so I will wait and maybe in the future you can add a macro or something.

Maybe:

#define CHECK_API_REDIRECT(x) (((x)==0)?0:((*(BYTE*)((x))==0xE9)?0:(x)))

Mecanik commented 5 years ago

Also it might be stupid question, but I need to understand/know; by using:

LI_FN(GetProcAddress).in(LI_MODULE("Kernel32.dll").get())

It will search through all functions inside kernel32.dll and I get a pointer for GetProcAddress right ?

JustasMasiulis commented 5 years ago

Sorry for the late reply.

Also it might be stupid question, but I need to understand/know; by using: LI_FN(GetProcAddress).in(LI_MODULE("Kernel32.dll").get()) It will search through all functions inside kernel32.dll and I get a pointer for GetProcAddress right ?

yes

Thanks, I cannot imagine myself editing lazy importer at the moment so I will wait and maybe in the future you can add a macro or something. Maybe:

define CHECK_API_REDIRECT(x) (((x)==0)?0:(((BYTE)((x))==0xE9)?0:(x)))

I do not really have plans to add any extras into the library unless they are necessary for a significant percentage of people that would use this.

Furthermore there is a multitude of ways to hook and detecting every single one of them is quite a task on itself.

At some point in time (probably around the start of autumn) I'll be releasing code that uses optimized inline assembly (clang and gcc only because MSVC inline asm is shit) to call the syscalls directly.

Mecanik commented 5 years ago

Ok thank you, regarding the NT functions; how about undocumented functions like RtlGetNtVersionNumbers ?

JustasMasiulis commented 5 years ago

as long as it's exported

Mecanik commented 5 years ago

I'm not sure how Rtl* functions are/if exported in ntdll.dll ad I have no had time to look. Just asked because thought you dealt with them :)

JustasMasiulis commented 5 years ago

IIRC all Rtl functions are exported. The ones that are not exported are Rtlp. Feel free to reopen this issue or open a new one if you have further questions