NoMercy Master Cheater
Reputation: 1
Joined: 09 Feb 2009 Posts: 289
Posted: Thu Jan 27, 2011 2:07 am Post subject: See API calls, file is packed with Themida
Hello,
I'm trying to read all the API calls a .dll makes; it seems I have to make a dump of the file. I downloaded Dark Olly and tried one of the add-ons, but it did not work out very well.
Could someone help me here?
Thanks.
AhMunRa Grandmaster Cheater Supreme
Reputation: 27
Joined: 06 Aug 2010 Posts: 1117
Posted: Thu Jan 27, 2011 1:23 pm
Have you tried Import Reconstructor?
You may have to search a bit to find it.
_________________
<Wiccaan> Bah that was supposed to say 'not saying its dead' lol. Fixing >.>
NoMercy Master Cheater
Posted: Thu Jan 27, 2011 3:23 pm
Thanks,
but that's if the process is running. This process is hidden, so...
Does anyone have other ideas?
AhMunRa Grandmaster Cheater Supreme
Posted: Thu Jan 27, 2011 4:52 pm
Are you trying to reverse engineer a virus?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Fri Jan 28, 2011 1:25 am
Just dump the IAT from the file itself (the binary, not while loaded).
If the file is packed, either unpack it, or hook GetProcAddress and print out all the functions it looks up pointers for.
_________________
- Retired.
NoMercy Master Cheater
Posted: Sat Jan 29, 2011 4:08 am
I do not know how to unpack etc.
If I do hook GetProcAddress, do I see all API imports? So does a program always use it to determine what to call?
atom0s Moderator
Posted: Sat Jan 29, 2011 6:12 am
NoMercy wrote:
> I do not know how to unpack etc.
> If I do hook GetProcAddress, do I see all API imports? So does a program always use it to determine what to call?

If the program is told to load all APIs through LoadLibrary/GetProcAddress you should get most if not all of them; it mainly depends on how the packer is rebuilding the IAT and whether it is fully altering it.
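Both of atom0s's suggestions above start from the same question: what does the on-disk import table actually contain? The following is an added example, not code from this thread or from any tool mentioned in it. It parses the import directory of a PE file straight from the bytes on disk, without loading the module, and then checks whether the IAT has been reduced to nothing but LoadLibrary/GetProcAddress-style resolver imports, which is the case where the static table tells you nothing and hooking GetProcAddress in the running process is what shows the real calls. The RESOLVER_APIS list is my own heuristic, and build_sample_pe fabricates a tiny PE32 image purely as constructed test input; neither comes from the thread.

```python
import struct

IMPORT_DIR = 1                       # IMAGE_DIRECTORY_ENTRY_IMPORT
# Heuristic (my assumption): a packer stub often leaves only these in the IAT and resolves the rest at runtime.
RESOLVER_APIS = {"loadlibrarya", "loadlibraryw", "loadlibraryexa", "loadlibraryexw",
                 "getprocaddress", "getmodulehandlea", "getmodulehandlew"}

def _rva_to_off(sections, rva):
    """Map an RVA to a file offset via the section table (on-disk layout != in-memory)."""
    for vsize, va, raw_size, raw_off in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_off
    raise ValueError("RVA 0x%x is not backed by any section" % rva)

def _cstr(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")

def parse_imports(data):
    """Walk the import directory of an on-disk PE; return {dll: [name or '#ordinal']}."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                                # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        is64, datadir = False, opt + 96                          # PE32
    elif magic == 0x20B:
        is64, datadir = True, opt + 112                          # PE32+
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    imp_rva = struct.unpack_from("<I", data, datadir + 8 * IMPORT_DIR)[0]
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section header
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    imports = {}
    if imp_rva == 0:
        return imports                                           # no import directory at all
    tfmt, tsz, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    desc = _rva_to_off(sections, imp_rva)
    while True:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if oft == 0 and name_rva == 0 and ft == 0:
            break                                                # all-zero descriptor ends the table
        funcs, thunk = [], _rva_to_off(sections, oft or ft)      # prefer the INT, fall back to the IAT
        while True:
            v = struct.unpack_from(tfmt, data, thunk)[0]
            if v == 0:
                break
            funcs.append("#%d" % (v & 0xFFFF) if v & ord_flag             # import by ordinal
                         else _cstr(data, _rva_to_off(sections, v) + 2))  # skip the 2-byte hint
            thunk += tsz
        imports[_cstr(data, _rva_to_off(sections, name_rva)).lower()] = funcs
        desc += 20
    return imports

def looks_dynamically_resolved(imports):
    """True when the IAT holds only loader/resolver APIs: the real calls are fetched at runtime."""
    names = {f.lower() for funcs in imports.values() for f in funcs}
    return bool(names) and names <= RESOLVER_APIS

def build_sample_pe(imports):
    """Constructed test data (not a real DLL): minimal PE32 whose one section is an import directory."""
    sec_rva, sec_off = 0x1000, 0x200
    blob = bytearray((len(imports) + 1) * 20)                    # descriptors + zero terminator
    for i, (dll, funcs) in enumerate(imports):
        name_rvas = []
        for f in funcs:                                          # IMAGE_IMPORT_BY_NAME, word aligned
            name_rvas.append(sec_rva + len(blob))
            blob += b"\0\0" + f.encode() + b"\0" * (2 - len(f) % 2)
        dll_rva = sec_rva + len(blob)
        blob += dll.encode() + b"\0"
        blob += b"\0" * (-len(blob) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in name_rvas) + b"\0\0\0\0"
        int_rva, iat_rva = sec_rva + len(blob), sec_rva + len(blob) + len(thunks)
        blob += thunks + thunks                                  # INT, then an identical on-disk IAT
        struct.pack_into("<IIIII", blob, 20 * i, int_rva, 0, 0, dll_rva, iat_rva)
    vsize = len(blob)
    blob += b"\0" * (-len(blob) % 0x200)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)           # e_lfanew = 0x40
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x10000000, 0x1000, 0x200)  # ImageBase, SectionAlign, FileAlign
    struct.pack_into("<II", opt, 56, sec_rva + len(blob), sec_off)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * IMPORT_DIR, sec_rva, (len(imports) + 1) * 20)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)  # i386, 1 section, DLL
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".idata", vsize, sec_rva, len(blob), sec_off, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + b"PE\0\0" + file_hdr + bytes(opt) + sec_hdr
    return hdr + b"\0" * (sec_off - len(hdr)) + bytes(blob)

if __name__ == "__main__":
    # For a real file: parse_imports(open("target.dll", "rb").read())
    found = parse_imports(build_sample_pe([("KERNEL32.dll", ["LoadLibraryA", "GetProcAddress"])]))
    print(found, "-> hook GetProcAddress" if looks_dynamically_resolved(found) else "-> static IAT is informative")
```

Run parse_imports() over the bytes of the real DLL first. If the result lists the APIs you care about, the static dump is enough; if looks_dynamically_resolved() returns True, the packer has replaced the table with a resolver stub and you are back to atom0s's second option, hooking GetProcAddress (and LoadLibrary) in the running process, which is Windows-specific and not shown here.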
 |
sloppy Expert Cheater
Reputation: 0
Joined: 17 Aug 2008 Posts: 123
Posted: Sat Jan 29, 2011 12:45 pm
Play around with WinAPIOverride or the traceapi sample from Microsoft Detours to get a quick look at the Windows API calls.