Exploring API resolving


Dynamic IAT building

Practicing malware analysis is a big challenge, but it makes me happy, so in this letter I'm going to talk about one method of dynamic API importing.

In the next picture there is an indicator of API resolving: calling a DWORD has no meaning on its own,

but if an API address is written into this DWORD, we've got it. So the call to sub_404653 must make some changes to that DWORD. Let's get into it.

We find two calls to functions followed by another call to a DWORD, which indicates that those two functions perform the resolving process:

1- DLL resolving at (text:00404D61), to get the library whose exports the APIs are imported from

2- API resolving at (text:00404D75), to get the specific APIs that let the program do its job

First let's get into the first function, which I named Dll_resolving.

It gets the PEB structure by moving (0x30h) into edi.

After that it adds (0x0Ch) to get the (peb_ldr_data) structure,

then gets a pointer to the (In_memory_Order_Module_List) structure by adding (0x14h).

After that it gets the name of the DLL, but we need to take care of something: (In_memory_Order_Module_List) contains (Flink, Blink), so the first item of the structure is an 8-byte element, as explained in the picture.

After getting the name it converts it to lowercase letters,

and then gets the base address of the DLL using (eax=[edi+10h]).

Remember that the first element in the structure is 8 bytes.

After getting the base address of the required DLL, the next step is to resolve APIs,

but it saves some data in (esi, edi) before the call.
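The module walk described above, reproduced as an added Python example (not code from the post or from the sample being analyzed). It runs over a constructed flat 32-bit "memory" buffer where addresses are buffer offsets, so it works offline; in a live 32-bit process the PEB pointer comes from fs:[0x30]. The offsets PEB+0x0C (Ldr), Ldr+0x14 (InMemoryOrderModuleList) and link+0x10 (DllBase) are the ones the post walks; the BaseDllName offset (+0x24 from the InMemoryOrder links) is taken from the 32-bit LDR_DATA_TABLE_ENTRY layout and is not mentioned in the post. Module names and base addresses are constructed sample data.

```python
import struct

# Constructed sample "process memory" (example data, not the analyzed sample's).
# A flat 32-bit buffer: every address below is simply an offset into it.
PEB_ADDR, LDR_ADDR = 0x1000, 0x1100
ENTRIES = [  # (address of the entry's InMemoryOrderLinks, DllBase, BaseDllName)
    (0x1200, 0x00400000, "sample.exe"),
    (0x1300, 0x77000000, "ntdll.dll"),
    (0x1400, 0x76000000, "KERNEL32.DLL"),
]


def build_memory():
    """Lay out PEB -> PEB_LDR_DATA -> circular InMemoryOrderModuleList in a buffer."""
    mem = bytearray(0x2000)
    struct.pack_into("<I", mem, PEB_ADDR + 0x0C, LDR_ADDR)   # PEB.Ldr  (PEB + 0x0C)
    head = LDR_ADDR + 0x14                                     # PEB_LDR_DATA.InMemoryOrderModuleList (+0x14)
    links = [head] + [e[0] for e in ENTRIES]
    for i, link in enumerate(links):                           # each LIST_ENTRY is 8 bytes: Flink, Blink
        flink = links[(i + 1) % len(links)]
        blink = links[(i - 1) % len(links)]
        struct.pack_into("<II", mem, link, flink, blink)
    str_cursor = 0x1800
    for link, base, name in ENTRIES:
        struct.pack_into("<I", mem, link + 0x10, base)         # DllBase is 0x10 past the 8-byte links
        wide = name.encode("utf-16-le")
        mem[str_cursor:str_cursor + len(wide)] = wide
        # BaseDllName UNICODE_STRING {Length, MaximumLength, Buffer}; +0x24 from the
        # InMemoryOrder links is an assumption from the 32-bit LDR_DATA_TABLE_ENTRY layout.
        struct.pack_into("<HHI", mem, link + 0x24, len(wide), len(wide) + 2, str_cursor)
        str_cursor += len(wide) + 2
    return bytes(mem)


def u32(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]


def read_unicode_string(mem, addr):
    length, _maxlen, buf = struct.unpack_from("<HHI", mem, addr)
    return mem[buf:buf + length].decode("utf-16-le")


def walk_modules(mem, peb=PEB_ADDR):
    """Yield (name, base) in memory order: PEB+0xC -> Ldr, Ldr+0x14 -> list head, then Flink chain."""
    ldr = u32(mem, peb + 0x0C)
    head = ldr + 0x14
    link = u32(mem, head)                 # Flink of the list head = first module entry
    while link != head:                   # the list is circular; stop when we are back at the head
        base = u32(mem, link + 0x10)
        name = read_unicode_string(mem, link + 0x24)
        yield name, base
        link = u32(mem, link)             # follow Flink


def find_dll_base(mem, wanted):
    """Case-insensitive match, mirroring the lowercasing step the post describes."""
    wanted = wanted.lower()
    for name, base in walk_modules(mem):
        if name.lower() == wanted:
            return base
    return None


MEMORY = build_memory()

if __name__ == "__main__":
    for name, base in walk_modules(MEMORY):
        print(f"{name:16s} base=0x{base:08x}")
    print("kernel32 ->", hex(find_dll_base(MEMORY, "kernel32.dll")))
```

The lowercase comparison is what lets a loader-walking stub match "KERNEL32.DLL" against a lowercase constant; when analyzing, checking for that lowering loop next to an fs:[0x30] access is a quick tell that a function is a DLL resolver rather than ordinary string handling.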

Getting into the Api_resolving function

Import table building

First it gets a pointer to (e_lfanew).

I need to explain something about PE headers.

The most important header, I think, is the optional header, which is at (0x18h).

Adding 0x60h to 0x18h (the optional header base address) leads us to the Data_Directory, which contains important information about the export table of a DLL.

After getting a pointer to the export table directory, the binary adds the saved DLL base address (kept in the ebp register) to the Export_Directory address,

and then adds 0x20h to (edx = Export_table RVA) to get the AddressOfNames.

After that it dynamically calculates a checksum for every API in the DLL and compares it against the needed API, whose checksum value was calculated in advance and saved in the data section, pointed to by the (esi) register.

The first API hit is (CloseHandle).

After that it gets a link to this function and saves the address into the location edi points to

(edi → points to a place to save the API address).

As I am still learning, there are some movements and additions I have not understood,

but I got something: the line at (0x004017A0h)

means it's going to get the address from the array of

(address_of_names_ordinals), which is in the Export_table_directory structure.
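The export-table walk from the last few paragraphs (e_lfanew, optional header at +0x18, DataDirectory at +0x60, AddressOfNames at +0x20 and the detour through the name-ordinal array) as an added Python example. This is not the post's code and not the sample's; it parses a constructed, flat PE-like buffer in which RVA equals file offset, so it needs no real DLL. The sample's checksum algorithm is not given in the post, so example_hash below is an assumed ROR-13 additive hash used only to show the matching logic; the export names and RVAs are constructed sample data.

```python
import struct

# Constructed sample image (example data, not the analyzed sample's). Flat layout:
# RVA == offset, so no section-table translation is needed for this demonstration.
EXPORT_DIR_RVA = 0x200
FUNCS_RVA, NAMES_RVA, ORDS_RVA, STRINGS_RVA = 0x240, 0x260, 0x280, 0x2A0


def build_sample_image():
    """Emit only the headers the resolver walks: DOS e_lfanew, NT signature, optional header, export dir."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                          # e_lfanew -> NT headers
    img[0x80:0x84] = b"PE\0\0"
    opt = 0x80 + 0x18                                                # optional header at NT + 0x18
    struct.pack_into("<H", img, opt, 0x10B)                          # PE32 magic
    struct.pack_into("<II", img, opt + 0x60, EXPORT_DIR_RVA, 0x28)   # DataDirectory[0]: export RVA, size
    # Names are stored sorted; the ordinal array maps name index -> function index.
    names = [b"CloseHandle", b"CreateFileA", b"WriteFile"]
    funcs = [0x1100, 0x1200, 0x1300]        # index 0 = CreateFileA, 1 = CloseHandle, 2 = WriteFile
    ordinals = [1, 0, 2]
    # IMAGE_EXPORT_DIRECTORY: Base(+0x10) NumberOfFunctions(+0x14) NumberOfNames(+0x18) AddressOfFunctions(+0x1C)
    struct.pack_into("<IIII", img, EXPORT_DIR_RVA + 0x10, 1, len(funcs), len(names), FUNCS_RVA)
    struct.pack_into("<II", img, EXPORT_DIR_RVA + 0x20, NAMES_RVA, ORDS_RVA)  # AddressOfNames, AddressOfNameOrdinals
    cursor = STRINGS_RVA
    for i, name in enumerate(names):
        struct.pack_into("<I", img, NAMES_RVA + 4 * i, cursor)
        img[cursor:cursor + len(name) + 1] = name + b"\0"
        cursor += len(name) + 1
        struct.pack_into("<H", img, ORDS_RVA + 2 * i, ordinals[i])
    for i, rva in enumerate(funcs):
        struct.pack_into("<I", img, FUNCS_RVA + 4 * i, rva)
    return bytes(img)


def u32(img, off):
    return struct.unpack_from("<I", img, off)[0]


def u16(img, off):
    return struct.unpack_from("<H", img, off)[0]


def read_cstr(img, off):
    return img[off:img.index(b"\0", off)]


def export_directory_rva(img):
    """e_lfanew -> NT headers; optional header at +0x18; DataDirectory[0] at optional + 0x60."""
    e_lfanew = u32(img, 0x3C)
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    return u32(img, e_lfanew + 0x18 + 0x60)


def iter_exports(img):
    """Yield (name, function RVA): AddressOfNames[i] -> AddressOfNameOrdinals[i] -> AddressOfFunctions[ord]."""
    exp = export_directory_rva(img)
    n_names = u32(img, exp + 0x18)
    funcs, names, ords = u32(img, exp + 0x1C), u32(img, exp + 0x20), u32(img, exp + 0x24)
    for i in range(n_names):
        name = read_cstr(img, u32(img, names + 4 * i))
        ordinal = u16(img, ords + 2 * i)          # index into AddressOfFunctions, not the name index
        yield name, u32(img, funcs + 4 * ordinal)


def parse_exports(img):
    return {name.decode(): rva for name, rva in iter_exports(img)}


def example_hash(name):
    """ROR-13 additive hash: an assumed stand-in for the sample's undisclosed checksum."""
    h = 0
    for c in name:
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + c) & 0xFFFFFFFF
    return h


def resolve_by_hash(img, wanted):
    """What the stub does: hash every export name until one matches the stored constant."""
    for name, rva in iter_exports(img):
        if example_hash(name) == wanted:
            return rva
    return None


def label_hashes(constants, candidate_names):
    """What the analyst does: map checksum constants from the data section back to API names."""
    table = {example_hash(n.encode()): n for n in candidate_names}
    return {c: table.get(c) for c in constants}


SAMPLE = build_sample_image()

if __name__ == "__main__":
    print(parse_exports(SAMPLE))
    print(hex(resolve_by_hash(SAMPLE, example_hash(b"CloseHandle"))))
```

label_hashes is the defender's half of this: once the hash routine has been recovered from the sample, hashing the export names of the common system DLLs and looking up the constants stored in the data section gives the import list without running the malware at all, which is exactly the rebuilt IAT the post works toward.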

Let's do that using the debugger.

Here is the first call, followed by a call to a DWORD.

Getting into that function as explained,

there are two calls: one for DLL resolving (sub_401728) and one for API building (sub_40175E),

and the value stored in edi is a pointer to the IAT before building.

And there is a call to a DWORD that is saved in the eax register.

After calling the above function, let's look at the IAT... WOW, it's amazing:

there are no more calls to DWORDs.

I think the malware is now easy to analyze.

In the next letter I will analyze it and build the IAT using a Python script, to make it like the professionals do.

ThX
