JustasMasiulis / lazy_importer

library for importing functions from dlls in a hidden, reverse engineer unfriendly way
Apache License 2.0

PEB Problem #63

Closed 0Z0SK0 closed 5 days ago

0Z0SK0 commented 4 weeks ago

Unfortunately, none of this is a defense; LazyImporter relies too heavily on the PEB.

Lazy_Importer, after some hash manipulations, always calls the import with call rax, mov rax, qword ptr gs:[0x000000000000000000000030] (where gs:[0x30] is the PEB address).

If you use a pattern (e.g. 65 48 8B 04 25 30 00 00 00 for x64), you can find any import name.

JustasMasiulis commented 3 weeks ago

So what's the point of this issue exactly?

Lazy_Importer, after some hash manipulations, always calls the import with call rax

The library can just return a function pointer. You can do anything with it.

mov rax, qword ptr gs:[0x000000000000000000000030] (where gs:[0x30] is the PEB address)

You have the code. You're free to change it to rdgsbase, use a saved global variable, use the entry point argument, etc.

If you use a pattern (e.g. 65 48 8B 04 25 30 00 00 00 for x64), you can find any import name

As far as I'm aware there's no automated tooling that will statically resolve lazy importer function names.
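The byte pattern discussed above, turned into a small defender-side scanner. This is an added example and not lazy_importer's own code: it looks for the x64 encoding of mov r64, qword ptr gs:[0x30] (the TEB self-pointer read from which the PEB is then reached) in a raw code buffer, and goes slightly beyond the thread's exact pattern by masking the REX.R and ModRM.reg bits so the same instruction with any destination register is also reported. The sample buffer is constructed inline, not taken from a real binary.

```python
"""Locate 'mov r64, qword ptr gs:[0x30]' reads in a raw x64 code buffer.

Constructed example (not part of lazy_importer). Instruction layout:
  65        GS segment override
  48        REX.W (REX.R may also be set for r8-r15 -> 0x4C)
  8B        MOV r64, r/m64
  04        ModRM: mod=00, reg=dst (bits 3..5 vary), rm=100 -> SIB follows
  25        SIB: no base, no index, disp32
  30 00 00 00  disp32 = 0x30
"""
from __future__ import annotations
from dataclasses import dataclass

PATTERN = bytes.fromhex("65 48 8B 04 25 30 00 00 00")   # pattern from the issue
# Mask: every bit fixed except REX.R (0x04 in byte 1) and ModRM.reg (0x38 in byte 3).
MASK = bytes.fromhex("FF FB FF C7 FF FF FF FF FF")

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]


@dataclass
class Hit:
    offset: int   # byte offset of the instruction in the buffer
    reg: str      # destination register decoded from REX.R + ModRM.reg
    raw: bytes    # the 9 matched bytes


def scan_peb_reads(blob: bytes) -> list[Hit]:
    """Return every masked match of the gs:[0x30] read, in buffer order."""
    hits: list[Hit] = []
    n = len(PATTERN)
    for i in range(len(blob) - n + 1):
        window = blob[i:i + n]
        if all((w & m) == (p & m) for w, p, m in zip(window, PATTERN, MASK)):
            rex_r = (window[1] >> 2) & 1            # REX.R extends reg to r8-r15
            reg = ((window[3] >> 3) & 7) | (rex_r << 3)
            hits.append(Hit(i, REGS64[reg], bytes(window)))
    return hits


# Constructed sample: unrelated prologue, the exact pattern from the issue (rax),
# a NOP pad, the rbx variant, a decoy with a different displacement, the r8 variant.
SAMPLE = bytes.fromhex(
    "48 83 EC 28"                     # sub rsp, 0x28            (offset 0)
    "65 48 8B 04 25 30 00 00 00"      # mov rax, gs:[0x30]       (offset 4)
    "90 90"                           # nop; nop
    "65 48 8B 1C 25 30 00 00 00"      # mov rbx, gs:[0x30]       (offset 15)
    "65 48 8B 04 25 40 00 00 00"      # decoy: different disp32  (offset 24)
    "65 4C 8B 04 25 30 00 00 00"      # mov r8,  gs:[0x30]       (offset 33)
    "C3"                              # ret
)

if __name__ == "__main__":
    for h in scan_peb_reads(SAMPLE):
        print(f"offset {h.offset:#06x}: mov {h.reg}, gs:[0x30]  {h.raw.hex(' ')}")
```

Run against a PE's executable sections (after parsing them out) the same scan gives the starting points a reviewer would inspect to see whether an import-resolution routine lives nearby.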