Reversing : The Hacker's Guide to Reverse Engineering

0x00241f48: C:\WINDOWS\system32\ntdll.dll
Base 0x7c900000 EntryPoint 0x7c913156 Size 0x000b0000
Flags 0x00085004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_LOAD_IN_PROGRESS
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED

0x00242010: C:\WINDOWS\system32\kernel32.dll
Base 0x7c800000 EntryPoint 0x7c80b436 Size 0x000f4000
Flags 0x00085004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_LOAD_IN_PROGRESS
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED

So, it would seem that the second module is NTDLL.DLL. The function at
00402EA8 simply obtains the address of NTDLL.DLL in memory. This makes
a lot of sense because, as I’ve said before, it would be utterly impossible for the
program to communicate with the user without any kind of interface to the
operating system. Obtaining the address of NTDLL.DLL is apparently the first
step in creating such an interface.
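The module list above is a dump of the loader's per-module entries (the same Base, EntryPoint, Size and Flags fields that a program resolving NTDLL.DLL by hand has to walk). The following parser is an added example, not code from the book or from Defender: it reads the two entries shown above (embedded verbatim as sample input), decodes the Flags word into the LDRP_* names the debugger printed, and resolves an arbitrary address back to the owning module and offset, which is the check an analyst wants when a debugger stops at an address and the question is "whose code is this?". The LDRP_* bit values are the documented loader flag constants; the `resolve` and `parse_module_list` names are this example's own.

```python
import re
from dataclasses import dataclass

# Sample input: the two loader entries printed above, copied as-is.
SAMPLE_DUMP = r"""
0x00241f48: C:\WINDOWS\system32\ntdll.dll
Base 0x7c900000 EntryPoint 0x7c913156 Size 0x000b0000
Flags 0x00085004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_LOAD_IN_PROGRESS
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED

0x00242010: C:\WINDOWS\system32\kernel32.dll
Base 0x7c800000 EntryPoint 0x7c80b436 Size 0x000f4000
Flags 0x00085004 LoadCount 0x0000ffff TlsIndex 0x00000000
LDRP_IMAGE_DLL
LDRP_LOAD_IN_PROGRESS
LDRP_ENTRY_PROCESSED
LDRP_PROCESS_ATTACH_CALLED
"""

# Loader flag bits (documented LDRP_* constants). They sum to 0x00085004,
# the Flags value shown for both entries in the dump.
LDRP_FLAGS = {
    0x00000004: "LDRP_IMAGE_DLL",
    0x00001000: "LDRP_LOAD_IN_PROGRESS",
    0x00004000: "LDRP_ENTRY_PROCESSED",
    0x00080000: "LDRP_PROCESS_ATTACH_CALLED",
}

# Field names as printed by the debugger -> attribute names used below.
KEY_MAP = {"Base": "base", "EntryPoint": "entry_point", "Size": "size",
           "Flags": "flags", "LoadCount": "load_count", "TlsIndex": "tls_index"}

HEADER_RE = re.compile(r"^0x([0-9a-fA-F]+):\s+(\S.*)$")   # "0x...: <path>"
FIELDS_RE = re.compile(r"(\w+)\s+0x([0-9a-fA-F]+)")        # "Name 0x...." pairs


@dataclass
class LoaderEntry:
    entry_addr: int          # address of the loader entry itself
    path: str                # full image path
    base: int = 0            # image base (DllBase)
    entry_point: int = 0     # image entry point
    size: int = 0            # SizeOfImage
    flags: int = 0           # LDRP_* bits
    load_count: int = 0
    tls_index: int = 0

    @property
    def name(self):
        return self.path.rsplit("\\", 1)[-1].lower()

    def contains(self, addr):
        """True if addr lies inside this module's mapped image."""
        return self.base <= addr < self.base + self.size

    def flag_names(self):
        """Decode the Flags word into LDRP_* names, lowest bit first."""
        return [n for bit, n in sorted(LDRP_FLAGS.items()) if self.flags & bit]


def parse_module_list(text):
    """Parse the debugger-style module dump into LoaderEntry objects."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m:                                  # a new entry starts here
            current = {"entry_addr": int(m.group(1), 16), "path": m.group(2)}
            entries.append(current)
            continue
        if current is None:
            continue
        for key, val in FIELDS_RE.findall(line):
            if key in KEY_MAP:                 # ignore unknown fields
                current[KEY_MAP[key]] = int(val, 16)
    return [LoaderEntry(**e) for e in entries]


def resolve(entries, addr):
    """Map addr to (entry, offset-from-base), or None if no module owns it."""
    for e in entries:
        if e.contains(addr):
            return e, addr - e.base
    return None


if __name__ == "__main__":
    mods = parse_module_list(SAMPLE_DUMP)
    for e in mods:
        # Sanity check: an entry point outside its own image is worth a look.
        ok = "ok" if e.contains(e.entry_point) else "SUSPICIOUS"
        print(f"{e.name:14} base={e.base:#010x} size={e.size:#08x} "
              f"entry={e.entry_point:#010x} ({ok}) flags={', '.join(e.flag_names())}")
    hit = resolve(mods, 0x7C913156)
    print("0x7c913156 ->", hit[0].name, f"+{hit[1]:#x}" if hit else "unknown")
```

Running the script lists both modules with their decoded flags and reports that 0x7c913156 is ntdll.dll+0x13156, i.e. its own entry point. The per-entry entry-point sanity check is there because an EntryPoint that does not fall inside [Base, Base+Size) is a cheap indicator that a loader entry has been tampered with.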
If you go back to Listing 11.6, you see that the return value from 00402EA8
is passed right into 004033D1, which is the next function being called. Let’s
take a look at it.


loc_4033D1:
.h3mf85n:004033D1 push ebp
.h3mf85n:004033D2 mov ebp, esp
.h3mf85n:004033D4 sub esp, 22Ch
.h3mf85n:004033DA push ebx
.h3mf85n:004033DB push esi
.h3mf85n:004033DC push edi
.h3mf85n:004033DD push offset dword_4034DD
.h3mf85n:004033E2 pop eax
.h3mf85n:004033E3 mov [ebp-20h], eax
.h3mf85n:004033E6 push offset loc_4041FD
.h3mf85n:004033EB pop eax
.h3mf85n:004033EC mov [ebp-18h], eax
.h3mf85n:004033EF mov eax, offset dword_4034E5
.h3mf85n:004033F4 mov ds:dword_4034D6, eax
.h3mf85n:004033FA mov dword ptr [ebp-8], 1
.h3mf85n:00403401 cmp dword ptr [ebp-8], 0
.h3mf85n:00403405 jz short loc_40346D
.h3mf85n:00403407 mov eax, [ebp-18h]
.h3mf85n:0040340A sub eax, [ebp-20h]
.h3mf85n:0040340D mov [ebp-30h], eax

Listing 11.7 A disassembly of function 4033D1 from Defender, generated by IDA Pro. (continued)


Breaking Protections 383