Binary Analysis
AppInit_DLLs, DLL Injection, Code Patching, Skype etc.. Mar 02 2006 04:13AM
Vinay A. Mahadik (vamahadik fastmail fm)
Thought I'd share this RevEngg tool I have been using for a while. It's
essentially "Hot Code Patching" via the "AppInit_DLLs" DLL injection trick.
I have found it useful where MS Detours can't be used (explained in the
Readme). I have provided a sample application on Skype 2.0.

Skype left at least two logging functions in their 2.0 release. These
are called from all over the binary with low-level debugging info. These
logs can be used to study Skype's behavior (local logging, logging into
the Skype cloud, interaction with supernodes, searches, NAT hole
punching, STUN/TURN variants used, etc.). Due to certain global
variables, these are never really written to an external file, but the
RE_DLLCodeInj tool can be used to extract these logs easily.

It's fairly reliable, customizable, relocatable. Questions and suggestions
are welcome; email me directly.

Thanks,
Vinay.
P.S. If the attachment doesn't come through, you can find it here:
http://tinyurl.com/nc68v
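As an added, defender-side example that is not part of the original post or of the RE_DLLCodeInj tool: a small Python audit that parses a `reg export` of the AppInit key the post's injection trick relies on and reports whether the mechanism is armed (DLL list present, `LoadAppInit_DLLs` enabled, unsigned DLLs accepted). The sample export text and the DLL paths in it are constructed placeholders.

```python
import re

# Constructed sample of "reg export" output for the AppInit key (not from the
# original post); the DLL paths are placeholders, not the tool's real file names.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\Tools\\example_hook.dll, C:\\Windows\\System32\\legit.dll"
"LoadAppInit_DLLs"=dword:00000001
"RequireSignedAppInit_DLLs"=dword:00000000
'''

# Key read by user32.dll at process start; on 64-bit Windows the 32-bit copy
# lives under the Wow6432Node branch and should be audited as well.
APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}} (REG_SZ and REG_DWORD only)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
            if not m:
                continue  # other value types (hex:, expand strings) are not needed here
            name, s, d = m.groups()
            # .reg escapes backslashes in string values as "\\"
            keys[current][name] = int(d, 16) if d is not None else s.replace("\\\\", "\\")
    return keys


def split_appinit_list(value):
    """AppInit_DLLs is a space- or comma-delimited list of DLL names (per MS docs)."""
    return [p for p in re.split(r"[ ,]+", value.strip()) if p]


def assess_appinit(keys):
    """Return (dlls, findings): what would be injected and why the mechanism is live."""
    vals = keys.get(APPINIT_KEY, {})
    dlls = split_appinit_list(vals.get("AppInit_DLLs", ""))
    findings = []
    if dlls:
        findings.append(f"AppInit_DLLs lists {len(dlls)} DLL(s) loaded into every user32-linked process")
    if vals.get("LoadAppInit_DLLs", 0) == 1:
        findings.append("LoadAppInit_DLLs=1: AppInit injection is enabled")
    if dlls and vals.get("RequireSignedAppInit_DLLs", 0) == 0:
        findings.append("RequireSignedAppInit_DLLs=0: unsigned DLLs are accepted")
    return dlls, findings
```

Run `assess_appinit(parse_reg_export(open("appinit.reg", encoding="utf-16").read()))` against a real `reg export` file (reg.exe writes UTF-16); note that on Windows 8 and later with Secure Boot enabled the AppInit_DLLs mechanism is disabled regardless of these values.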
[Binary zip attachment omitted; its entries were RE_DLLCodeInj/Readme, RE_DLLCodeInj/RE_DLLCodeInj.cpp and RE_DLLCodeInj/skype_logs.]
Copyright 2010, SecurityFocus