24 May

IDA function reference count to comment plug-in

It dawned on me the other day that, because of how I think when I do reversing, seeing how many times a function is referenced would be useful information.
If I could just glean this off the screen rather than manually pressing ‘X’ and counting the references of each sub-function while within a function, then that might save me a lot of time and energy.

As I am reversing a particular function, its local functions are probably of more significance than ones that are not.
If I see a count of ‘1’ then I can assume it is local (although this might not be 100% true, as there could be some error in my IDB that is missing one or more references).
Otherwise, if I see a function with many references, then I can make some assumptions about its nature too.
Read More

23 May

Updated IDA Pro plugins

I updated my IDA Pro plugins back in March here: IDA Plugins.
I made a post on the IDA forum (IDA Pro forum) but forgot to note it here until now.

Added a few new features to some, like code and/or data segment selectors, etc.
The best thing is that I’ve removed most if not all of the slow string searching (where it was used) and in general did some speed optimizations.
Now several key ones like “Class Informer” and “ExtraPass” are exponentially faster.

For reversing Windows executables I find IMHO two that are pretty much a necessity:
Read More

07 Nov

Knowing if and when you can fit a JMP5 binary hook.

First an interesting read on API hooking methods: http://help.madshi.net/ApiHookingMethods.htm

Traditionally, and perhaps the most logical way to do a function hook, is to overwrite the code entry point with a 5-byte JMP instruction that takes a 32-bit relative offset.
IMHO this is sort of the “bread and butter” of binary hooking.
madCodeHook actually uses a 6-byte JMP instruction that takes a 32-bit absolute address.
(Incidentally, some people have been known to resort to using rather unusual instruction combinations of various lengths in attempts to hide from anti-hack detections).

Our number one problem is when the function to be hooked is less than 5 bytes in size.
One solution is to use a one byte exception hook instead. These are one byte opcodes like an int3 instruction.
This will work well (with the addition of a custom exception handler) although the exception overhead is a bit costly compared to the few cycles of a JMP5.
madCodeHook uses its “mixture mode” for some of these cases. This applies only to API hooks, of course, as there is no import/export table for regular code functions.
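A defender-side use of the two JMP shapes described above, written as an added example (not code from this post or from madCodeHook): compare a function's live entry bytes with a clean copy and, when they differ, decode an E9 rel32 or FF 25 abs32 hook to its destination. The function names, the sample prologue and the addresses are constructed here and assume a 32-bit x86 process.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
/* What a scan of a function's entry bytes found. */
typedef enum {
    ENTRY_CLEAN = 0,    /* live bytes match the clean (on-disk) copy           */
    ENTRY_JMP5_REL,     /* E9 rel32: the 5-byte relative JMP                   */
    ENTRY_JMP6_ABS,     /* FF 25 abs32: 6-byte JMP through an absolute pointer */
    ENTRY_INT3,         /* CC: one-byte exception-style hook                   */
    ENTRY_PATCHED_OTHER /* differs, but not a hook shape this scanner knows    */
} entry_state;

/* Destination of an E9 jump at `at`: the CPU adds the signed rel32 to the
 * address of the *next* instruction, so target = at + 5 + rel32. */
uint32_t jmp5_target(uint32_t at, const uint8_t *code) {
    int32_t rel;
    memcpy(&rel, code + 1, sizeof rel);     /* little-endian displacement */
    return at + 5u + (uint32_t)rel;
}

/* Inverse: the rel32 a hook engine must write to reach `target` from `at`. */
int32_t jmp5_rel32(uint32_t at, uint32_t target) {
    return (int32_t)(target - (at + 5u));
}

/* Compare `n` live entry bytes with a clean copy; on a mismatch decode the hook
 * shape. For FF 25 the reported target is the pointer slot, not the final code. */
entry_state scan_entry(uint32_t at, const uint8_t *live, const uint8_t *clean,
                       size_t n, uint32_t *target) {
    if (memcmp(live, clean, n) == 0) return ENTRY_CLEAN;
    if (n >= 5 && live[0] == 0xE9) { *target = jmp5_target(at, live); return ENTRY_JMP5_REL; }
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25) { memcpy(target, live + 2, 4); return ENTRY_JMP6_ABS; }
    if (n >= 1 && live[0] == 0xCC) return ENTRY_INT3;
    return ENTRY_PATCHED_OTHER;
}

/* Destination only: 0 unless the entry carries one of the two JMP hook shapes. */
uint32_t entry_hook_target(uint32_t at, const uint8_t *live, const uint8_t *clean, size_t n) {
    uint32_t target = 0;
    entry_state s = scan_entry(at, live, clean, n, &target);
    return (s == ENTRY_JMP5_REL || s == ENTRY_JMP6_ABS) ? target : 0;
}

/* Constructed sample: hot-patchable prologue (mov edi,edi; push ebp; mov ebp,esp; pop ebp; ret)
 * at a made-up address, and the same bytes after a JMP5 to 0x10001234 overwrote the first five. */
const uint32_t SAMPLE_AT = 0x77D01000u;
const uint8_t SAMPLE_CLEAN[7]  = {0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x5D, 0xC3};
const uint8_t SAMPLE_HOOKED[7] = {0xE9, 0x2F, 0x02, 0x30, 0x98, 0x5D, 0xC3};
```

Reading the clean copy from the on-disk image and the live copy from the process is left to the caller; the scanner only decides whether the first bytes still match and, if not, where the patched entry now goes.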
Read More

07 Nov

Windows binary hook engine design

I’m revisiting my unfinished binary hook engine that I started back in 2007 to hopefully complete it and use it in some current projects.

For people new to such things: it’s a programming mechanism that allows you to inject/load a DLL (usually) into a target process at the time it is loaded, or afterwards, so that you can modify and/or hijack parts of its code. See: Hooking at Wikipedia

This is what game hackers and others might use to make “hacks”, bots, etc. But that’s not all. It’s along the same lines as “plug-ins”, “add-ons”, etc. For instance, there are systems that use a hook system to add TeamSpeak to games so you can graphically see who is speaking. Firewalls and security software like real-time anti-virus programs might use a hook system too.

When you read about hooking systems you will mostly see API hooking. But as the Wikipedia article covers to some degree, the whole “hooking” concept is actually a pretty broad topic. It is often maligned due to its notorious uses in malware like rootkits. But there are as many, if not more, positive, helpful, and useful reasons to use hooking mechanisms.
Read More