Reversing : The Hacker's Guide to Reverse Engineering


see that it points somewhere into NTDLL’s header (the specific value is likely
to change with each new update of the operating system). Taking a quick look
at the NTDLL headers using DUMPBIN shows you that the address in EAX is
the beginning of NTDLL’s export directory. Going to the structure definition
for IMAGE_EXPORT_DIRECTORY, you will find that offset +18 is the
NumberOfFunctions member. Here’s the final preparation of the block size:


00403649 MOV EAX,DWORD PTR [EBP-88]
0040364F MOV ECX,DWORD PTR [EBP-78]
00403652 LEA EAX,DWORD PTR [ECX+EAX*8+8]

The total block size is calculated according to the following formula:
BlockSize = NTDLLCodeSize + (TotalExports + 1) * 8. You’re still not sure what
Defender is doing here, but you know that it has something to do with
NTDLL’s code section and with its export directory.
The function proceeds into another iteration of the NTDLL export list, again
computing that strange checksum for each function name. In this loop there
are two interesting lines that write into the newly allocated memory block:


0040380F MOV DWORD PTR DS:[ECX+EAX*8],EDX

00403840 MOV DWORD PTR DS:[EDX+ECX*8+4],EAX

The preceding lines are executed for each exported function in NTDLL.
They treat the allocated memory block as an array. The first writes the current
function’s checksum, and the second writes the exported function’s RVA (Relative
Virtual Address) into the same memory address plus 4. This indicates
that the newly allocated memory block contains an array of data structures,
each 8 bytes long. Offset +0 contains a function name’s checksum, and offset
+4 contains its RVA.
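As an added illustration (this is not code from the book or from the Defender program being reversed), here is a C model of the memory block as inferred so far: the BlockSize formula, the array of 8-byte {checksum, RVA} entries written once per export, and the copy of the code section that the next listing on the page places right after that array (DWORDs first, then the 0 to 3 leftover bytes, the way REP MOVS does it). The name checksum below is a placeholder, since the page does not give Defender's real routine, and the export names, RVAs and code bytes are constructed sample values. What the extra 8-byte slot after the last entry holds is not stated on the page, so it is simply left zeroed here.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One 8-byte entry, matching the layout inferred from the two writes:
   offset +0 = checksum of the export's name, offset +4 = its RVA. */
typedef struct {
    uint32_t name_checksum;
    uint32_t rva;
} export_entry_t;

/* Placeholder checksum (ASSUMED): Defender's real name-hashing routine is
   not given on the page, so a simple rotate-xor stands in for it. */
static uint32_t name_checksum(const char *name)
{
    uint32_t h = 0;
    for (; *name; name++)
        h = ((h << 5) | (h >> 27)) ^ (unsigned char)*name;
    return h;
}

/* BlockSize = NTDLLCodeSize + (TotalExports + 1) * 8, i.e. the
   LEA EAX,[ECX+EAX*8+8] with EAX = NumberOfFunctions and ECX = code size. */
size_t block_size(size_t code_size, uint32_t total_exports)
{
    return code_size + ((size_t)total_exports + 1) * sizeof(export_entry_t);
}

/* The SHR ECX,2 / REP MOVSD / AND ECX,3 / REP MOVSB idiom: copy whole
   DWORDs first, then whatever bytes remain. */
void copy_like_rep_movs(uint8_t *dst, const uint8_t *src, size_t len)
{
    size_t dwords = len >> 2;   /* SHR ECX,2 */
    size_t tail   = len & 3;    /* AND ECX,3 */
    for (size_t i = 0; i < dwords; i++, dst += 4, src += 4)
        memcpy(dst, src, 4);    /* REP MOVS DWORD PTR */
    for (size_t i = 0; i < tail; i++)
        dst[i] = src[i];        /* REP MOVS BYTE PTR */
}

/* Fills a block laid out as the page describes: one {checksum, RVA} entry per
   export, an unused (here zeroed) extra entry, then a copy of the code
   section. Returns the offset at which the code copy starts. */
size_t build_block(uint8_t *block,
                   const char *const *names, const uint32_t *rvas,
                   uint32_t total_exports,
                   const uint8_t *code, size_t code_size)
{
    export_entry_t *table = (export_entry_t *)block;
    for (uint32_t i = 0; i < total_exports; i++) {
        table[i].name_checksum = name_checksum(names[i]); /* MOV [ECX+EAX*8],EDX   */
        table[i].rva = rvas[i];                           /* MOV [EDX+ECX*8+4],EAX */
    }
    memset(&table[total_exports], 0, sizeof(export_entry_t));

    /* Destination = block + NumberOfFunctions*8 + 8, i.e. LEA EDI,[EDX+EAX*8+8]. */
    size_t code_off = ((size_t)total_exports + 1) * sizeof(export_entry_t);
    copy_like_rep_movs(block + code_off, code, code_size);
    return code_off;
}

/* Builds a block from constructed sample data and verifies every part of
   the layout. Returns 1 when the block matches the description, else 0. */
int demo_layout_ok(void)
{
    /* Constructed sample exports and code bytes, not real NTDLL values. */
    const char *const names[] = { "NtClose", "NtOpenFile", "NtCreateFile" };
    const uint32_t rvas[] = { 0x1000, 0x1234, 0x2345 };
    const uint8_t code[] = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,
                             0x53, 0x56, 0x57, 0x5F, 0xC3 }; /* 11 bytes: 2 DWORDs + 3 */
    uint32_t n = 3;
    uint8_t *block = calloc(1, block_size(sizeof code, n));
    if (!block) return 0;

    size_t code_off = build_block(block, names, rvas, n, code, sizeof code);
    const export_entry_t *table = (const export_entry_t *)block;
    int ok = (code_off == ((size_t)n + 1) * 8);
    for (uint32_t i = 0; ok && i < n; i++)
        ok = table[i].name_checksum == name_checksum(names[i]) && table[i].rva == rvas[i];
    ok = ok && table[n].name_checksum == 0 && table[n].rva == 0;   /* spare slot */
    ok = ok && memcmp(block + code_off, code, sizeof code) == 0;  /* code copy  */
    free(block);
    return ok;
}

int main(void)
{
    printf("BlockSize for 11 code bytes and 3 exports: %zu\n", block_size(11, 3));
    printf("layout check: %s\n", demo_layout_ok() ? "ok" : "FAILED");
    return 0;
}
```

Because each entry pairs a name checksum with the function's RVA, the table lets code resolve an export by comparing checksums rather than by storing or comparing plaintext names, which is consistent with the block being built from the export directory and the code section together.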
The following is the next code sequence that seems to be of interest:


004038FD MOV EAX,DWORD PTR [EBP-C8]
00403903 MOV ESI,DWORD PTR [EBP+8]
00403906 ADD ESI,DWORD PTR [EAX+2C]
00403909 MOV EAX,DWORD PTR [EBP-D8]
0040390F MOV EDX,DWORD PTR [EBP-C]
00403912 LEA EDI,DWORD PTR [EDX+EAX*8+8]
00403916 MOV EAX,ECX
00403918 SHR ECX,2
0040391B REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI]
0040391D MOV ECX,EAX
0040391F AND ECX,3
00403922 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]

This sequence performs a memory copy, and is a commonly seen “sentence”
in assembly language. The REP MOVS instruction repeatedly copies DWORDs


Breaking Protections 391