Reversing : The Hacker's Guide to Reverse Engineering

Figure 11.12 Executable modules statically linked with Defender (from OllyDbg).

Figure 11.13 Imports and Exports for Defender.EXE (from OllyDbg).

Very short list indeed—only NTDLL.DLL and KERNEL32.DLL. Remember
that our GUI crackme, KeygenMe-3, had a much longer list, but then again
Defender is a console-mode application. Let’s proceed to the Names window
to determine which APIs are called by Defender. Figure 11.13 shows the
Names window for Defender.EXE.

Very strange indeed. It would seem that the only API called by
Defender.EXE is IsDebuggerPresent from KERNEL32.DLL. It doesn’t
take much reasoning to figure out that this is unlikely to be true. The program
must be able to somehow communicate with the operating system, beyond
just calling IsDebuggerPresent. For example, how would the program
print out messages to the console window without calling into the operating
system? That’s just not possible. Let’s run the program through DUMPBIN
and see what it has to say about Defender’s imports. Listing 11.4 shows
DUMPBIN’s output when it is launched with the /IMPORTS option.

Microsoft (R) COFF/PE Dumper Version 7.10.3077
Copyright (C) Microsoft Corporation. All rights reserved.

Dump of file defender.exe

Listing 11.4 Output from DUMPBIN when run on Defender.EXE with the /IMPORTS option.
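As an added example (not code from the book), here is a small Python walker over a PE import directory that reproduces what the Names window and DUMPBIN /IMPORTS report, plus a triage flag for import tables as sparse as Defender's. The builder build_sample_pe, the sample binary it emits, and the threshold in suspiciously_sparse are constructed for this example only.

```python
import struct

def _cstr(data, off):  # NUL-terminated ASCII string at a file offset
    return data[off:data.index(b"\0", off)].decode("ascii")

def parse_imports(data):  # {dll: [api, ...]} from the import directory, i.e. what DUMPBIN /IMPORTS prints
    pe = struct.unpack_from("<I", data, 0x3C)[0]                        # e_lfanew
    assert data[pe:pe + 4] == b"PE\0\0", "not a PE image"
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)         # NumberOfSections, SizeOfOptionalHeader
    opt = pe + 24
    plus = struct.unpack_from("<H", data, opt)[0] == 0x20B               # PE32+ uses 8-byte thunks
    imp_rva = struct.unpack_from("<I", data, opt + (112 if plus else 96) + 8)[0]  # data directory[1]
    secs = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]
    def rva_to_off(rva):  # walk the section table to turn an RVA into a file offset
        return next(rva - va + ptr for vs, va, rs, ptr in secs if va <= rva < va + max(vs, rs))
    result, off = {}, rva_to_off(imp_rva)
    while (desc := struct.unpack_from("<IIIII", data, off))[3]:         # Name == 0 ends the table
        ilt, name_rva, iat = desc[0], desc[3], desc[4]
        funcs, thunk = [], rva_to_off(ilt or iat)
        while (entry := struct.unpack_from("<Q" if plus else "<I", data, thunk)[0]):
            if entry >> (63 if plus else 31):                            # import by ordinal
                funcs.append(f"#{entry & 0xFFFF}")
            else:                                                        # hint/name entry: skip 2-byte hint
                funcs.append(_cstr(data, rva_to_off(entry & 0x7FFFFFFF) + 2))
            thunk += 8 if plus else 4
        result[_cstr(data, rva_to_off(name_rva))] = funcs
        off += 20
    return result

def suspiciously_sparse(imports, max_apis=3):  # assumed threshold: a program naming this few APIs
    return sum(len(v) for v in imports.values()) <= max_apis  # resolves the rest itself, like Defender, or is packed

def build_sample_pe(imports, sec_va=0x1000, sec_off=0x200):  # constructed minimal PE32, not a real binary
    body, descs = bytearray(20 * (len(imports) + 1)), []               # null-terminated descriptor table
    for dll, funcs in imports.items():
        rvas, name_rva = [], sec_va + len(body); body += dll.encode() + b"\0"
        for f in funcs: rvas.append(sec_va + len(body)); body += b"\0\0" + f.encode() + b"\0"
        body += b"\0" * (-len(body) % 4)
        thunks = b"".join(struct.pack("<I", r) for r in rvas) + b"\0\0\0\0"
        ilt = sec_va + len(body); body += thunks                         # import lookup table
        iat = sec_va + len(body); body += thunks                         # import address table
        descs.append(struct.pack("<IIIII", ilt, 0, 0, name_rva, iat))
    body[:20 * len(imports)] = b"".join(descs)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<II", opt, 104, sec_va, 20 * (len(imports) + 1))  # import data directory
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt
           + struct.pack("<8sIIIIIIHHI", b".idata", len(body), sec_va, len(body), sec_off, 0, 0, 0, 0, 0x40000040))
    return bytes(hdr.ljust(sec_off, b"\0") + body)

DEFENDER_LIKE = build_sample_pe({"KERNEL32.dll": ["IsDebuggerPresent"]})  # mirrors Figure 11.13
```

Run parse_imports on a real binary's bytes to compare its output with DUMPBIN; the sparse flag is only a prompt to look for run-time API resolution, not proof of it.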

