Introduction
Have you ever wanted to have secure APIs access without using a single static linked API? This may seem like a daunting task for many, but I have tamed the wild beast! So first thing, this is aimed at advanced users. I will not be explaining everything in depth if you happen to be an advanced programmer, and if something went over your head, reply and I will try to clear it up for you.
Protection Development
When I began this task, I had no idea as to how I was going to do it. Without touching a single static linked import, this was troublesome. After looking around the net for some kernel stuff, I found a nice assembly gem which allowed the caller to lookup kernel32’s base address without any API usage whatsoever. This was indeed a break through for me. Now that I had this, I began to brainstorm on what this little should and should not have. I knew that address displace and pre-encrypted were a must for it to be truly (nothing is unable to be cracked, I admit this) secure. Security of the system was at the top of my list. I could have cared less about the other, so I wrote my security classes which would be the wrappers around import pointer's address, displacement, and strings. The displacement of addresses was no trouble at all, but when I looked at string, I was quite stumped for a time when trying to think of a way to remove XREFs and strings stored in data section of the given PE file. So I was disappointed by failure left and right, until I decided to try pre-encrypted string which basically appear as BYTE
arrays. This worked on first, but I still had the biggest problem which I had tried: to avoid XREFs. So in trying to solve this problem, I looked back on my other code review what had worked so well for its displacement! After some testing and some more failure, I did it: made a great class using pre-encrypted that didn’t leave any XREFs. Only way they could be traced was registers and the stack which I knew could not be avoided. There were other classes made, they all use the same code: CDynamicCrc32
, CDisplacementTable
, and CCPolynomialTable
.
Kernel and Windows System Module Development
After finishing the protection classes and fixing the code a bit up, I moved to this stage of my project. In this stage, I wanted to work on import table and PE format for reading and getting the data needed. I had to fully support every API provided by system DLLs. This made the task at hand harder because I have never had to handle forwarded imports. So after some trial and error, I got my BuildExportTable
function working as I had wanted it to. I first had to build a single table without forwarder support, grab GetModuleHandle
entry, clear the current table, and rebuild with forwarder support. Most of this was done in the CKernelModule
class which mainly is just the Kernel32 address and all its exports. This class is used to provide a derived class CWinModule
access to basic secure APIs needed to support other system DLLs. CWinModule
is almost the same class as CKernelModule
except that it gets a few kernel exports needed to load any system DLLs. After this loads, the selected system DLL builds it an export table. It also provides a GetProcAddress
like function for callers just like CKernelModule
. There really isn’t much else to explain or go into depth about.
API Class Development
When I started this class, I had no idea what to do as I wanted something that could wrap each API in class and protect its entry. I saw no easy or good path at first, then macros came to hand. I used macros to define the API objects, given the name, parameters, return type, and if it was a void or returning function. So, the macros create the class in CWindowsApi
as private and the object as public, prefixing an ‘x’ to the beginning of the name so the compile doesn’t barf on us. These macros are great because the user only needs to basically know the function type definition. These are easy to get from using the scope (::
) operator or MSDN. So the macros wrap everything and provide a nice operator ( )
for calling the function without accessing any member or using ‘.
’ operator which is just great.
Closing
In the end, I like to say that I have enjoyed writing this code and the project over all. Also, I provided some new stuff with this update: protected string maker and CRC32 string project. Have fun. Comment on my work please, I want feedback!!! :).