creating win32api == ?


While researching for a book that I am writing, I came across this:

"Some malware goes so far as to avoid importing any functions from available
DLLs. Instead, it emulates all of the APIs it needs. This means that you cannot list the
functions, so you cannot easily set breakpoints on them, as all API calls will just be
a part of the malware code. In some cases, malware authors even use this to trap reverse engineers: they
may import functions that are never used (having used the emulated ones instead)."

Now my question is:

How can I write Win32 API functions without using the Win32 or native API? For example, how can I write code that'll manipulate the Windows registry without using the Win32 or native API?

Or, if you've heard of any virus that emulates APIs, give me its name. The rest (like retrieving the API-emulating code from the virus) I'll manage.

This would be possible: as long as you emulate all the functionality the user-mode API implements before the sysenter, you should be OK. It would be a lot of work, but it is possible. The sysenter could still be observed from the kernel side.

If you don't go into kernel..

The other commenter is correct, I believe. There is no reason why you couldn't just write all the user-mode code of Windows on your own. The only real issue is that, for the APIs that do something interesting, you'll eventually have to enter the kernel and use a kernel-mode API. For this to be hacked, I believe you'd have to change the dispatch tables, which means you've already got kernel access anyway.

Basically, if you wanted to do so, you could copy the ASM of a WinAPI function and put it into your own function, and just make it take the correct parameters. Then you have your own WinAPI outside of the .dll. But to completely emulate one is, as said, a lot of work, though of course possible.

That is what I want to do: completely emulate the API. And I am researching further by looking into the ReactOS and Wine sources + some other sources :-p

Post the names of any viruses that emulate all, or at least some, of the API they use, if you know of any.

Thanks.

sample

Not so sure, but you can have a look at BackDoor-DKI.gen.c.

I had a quick look at the sample and it seems not to import most of the API it uses.
Lots of encryption, though.

A.


check this out: http://code.google.com/p/native-nt-toolkit/

It might be what you are searching for.

md5

6a03c3361c5c13fa6b8fb6b6d3fdf545

can't find 6a03c3361c5c13fa6b8fb6b6d3fdf545

I can't find this; probably there is some problem with the MD5. Please look into the matter.
Thanks.


> How can I write code that'll manipulate windows registry without using win32 or native api?
You may read one from disk and parse the values yourself.
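Added example, not from this thread: what "read it from disk and parse it yourself" looks like in practice. This is a small parser for the on-disk hive format (regf base block, one or more hbin blocks, nk/vk cells, lf/lh subkey lists) that walks a key path and decodes REG_SZ and REG_DWORD values, without touching RegOpenKeyEx or NtOpenKey. It runs against a hive constructed in code (ROOT\Software with two values) rather than a real SOFTWARE file, and verifies the base-block checksum first, since a truncated or tampered hive is the first failure mode you hit. Limitations are deliberate: li/ri subkey lists, "db" big-data cells and UTF-16 key names are not handled, and on a live system the hive file lags the in-memory registry and may need the .LOG transaction logs applied to be consistent.

```python
import struct

REG_SZ, REG_DWORD = 1, 4
NONE = 0xFFFFFFFF                      # "no cell" marker used by hive offsets

def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]

def _checksum(hive):
    """regf base-block checksum: XOR of the first 127 dwords, with the two reserved results remapped."""
    x = 0
    for i in range(0, 0x1FC, 4):
        x ^= _u32(hive, i)
    return {0: 1, 0xFFFFFFFF: 0xFFFFFFFE}.get(x, x)

def check_header(hive):
    """Validate the base block and return the root key's cell offset (relative to the first hbin at 0x1000)."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive")
    if _checksum(hive) != _u32(hive, 0x1FC):
        raise ValueError("base block checksum mismatch: truncated or tampered hive")
    return _u32(hive, 0x24)

def _cell(hive, off):
    """Payload of the cell at hive-relative offset `off`; allocated cells carry a negative size."""
    size = struct.unpack_from("<i", hive, 0x1000 + off)[0]
    if size >= 0:
        raise ValueError(f"cell 0x{off:x} is free")
    return hive[0x1000 + off + 4: 0x1000 + off - size]

def _name(rec, len_off, name_off):
    return rec[name_off:name_off + _u16(rec, len_off)].decode("latin-1")   # sample uses ASCII ("compressed") names

def subkeys(hive, nk_off):
    """Map of subkey name -> nk cell offset, read from the key's lf/lh index list."""
    nk = _cell(hive, nk_off)
    if _u32(nk, 0x14) == 0:
        return {}
    lst = _cell(hive, _u32(nk, 0x1C))
    if lst[:2] not in (b"lf", b"lh"):
        raise ValueError("li/ri subkey lists not handled in this sample")
    return {_name(_cell(hive, _u32(lst, 4 + 8 * i)), 0x48, 0x4C): _u32(lst, 4 + 8 * i) for i in range(_u16(lst, 2))}

def values(hive, nk_off):
    """Map of value name -> (type, decoded data) for one key."""
    nk = _cell(hive, nk_off)
    if _u32(nk, 0x24) == 0:
        return {}
    lst, out = _cell(hive, _u32(nk, 0x28)), {}
    for i in range(_u32(nk, 0x24)):
        vk = _cell(hive, _u32(lst, 4 * i))
        dlen, doff, vtype = _u32(vk, 4), _u32(vk, 8), _u32(vk, 0x0C)
        if dlen & 0x80000000:           # data of <= 4 bytes is stored inline in the offset field
            data = struct.pack("<I", doff)[:dlen & 0x7FFFFFFF]
        else:
            data = bytes(_cell(hive, doff)[:dlen])
        if vtype == REG_DWORD:
            data = struct.unpack("<I", data)[0]
        elif vtype == REG_SZ:
            data = data.decode("utf-16-le").rstrip("\0")
        out[_name(vk, 2, 0x14) or "(Default)"] = (vtype, data)
    return out

def find_key(hive, path):
    """Walk a backslash-separated path from the root key, case-insensitively, and return its nk offset."""
    off = check_header(hive)
    for part in filter(None, path.split("\\")):
        off = next((o for n, o in subkeys(hive, off).items() if n.lower() == part.lower()), None)
        if off is None:
            raise KeyError(path)
    return off

def build_sample_hive():
    """Constructed test hive (not a real Windows file): ROOT\\Software with Version=REG_SZ "1.0", Enabled=REG_DWORD 1."""
    hive = bytearray(0x1000) + b"hbin" + bytes(28)          # base block + one hbin header (size patched below)

    def cell(payload):                  # append an allocated, 8-byte-aligned cell; return its hive offset
        size, off = (4 + len(payload) + 7) & ~7, len(hive) - 0x1000
        hive.extend(struct.pack("<i", -size) + payload.ljust(size - 4, b"\0"))
        return off

    def vk(name, vtype, data):
        if len(data) <= 4:              # inline data: high bit of the length set, bytes live in the offset field
            dlen, doff = 0x80000000 | len(data), struct.unpack("<I", data.ljust(4, b"\0"))[0]
        else:
            dlen, doff = len(data), cell(data)
        return cell(b"vk" + struct.pack("<HIIIHH", len(name), dlen, doff, vtype, 1, 0) + name)

    def nk(name, subkey_list, n_sub, value_list, n_val):   # flags 0x20 = ASCII name; parent/security left unset
        fixed = struct.pack("<HQ15I", 0x20, 0, 0, 0, n_sub, 0, subkey_list, NONE, n_val, value_list, NONE, NONE, 0, 0, 0, 0, 0)
        return cell(b"nk" + fixed + struct.pack("<HH", len(name), 0) + name)

    vlist = cell(struct.pack("<II", vk(b"Version", REG_SZ, "1.0\0".encode("utf-16-le")), vk(b"Enabled", REG_DWORD, struct.pack("<I", 1))))
    sw = nk(b"Software", NONE, 0, vlist, 2)
    root = nk(b"ROOT", cell(b"lf" + struct.pack("<HI", 1, sw) + b"Soft"), 1, NONE, 0)
    hive.extend(bytes(-len(hive) % 0x1000))                  # hbins are 4 KiB multiples
    struct.pack_into("<I", hive, 0x1008, len(hive) - 0x1000)  # hbin size
    hive[:4] = b"regf"
    struct.pack_into("<II", hive, 0x04, 1, 1)                  # primary/secondary sequence numbers
    struct.pack_into("<6I", hive, 0x14, 1, 5, 0, 1, root, len(hive) - 0x1000)  # major, minor, type, format, root, bins size
    struct.pack_into("<I", hive, 0x1FC, _checksum(hive))
    return bytes(hive)

if __name__ == "__main__":
    h = build_sample_hive()
    print(values(h, find_key(h, "Software")))
```

To use it on a real hive, read C:\Windows\System32\config\SOFTWARE (or a copy taken with a volume shadow copy, since the live file is locked) into memory and call `find_key`/`values` on it; writing back is the same structures in reverse plus a consistent checksum and sequence numbers, which is where the real effort goes.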

Wouldn't emulating the API cause tons of incompatibilities when running on different versions of Windows?

Packers do this all the time

I think the referenced paper overstates the degree to which this is done. Some API functions, such as GetProcAddress, require no sysenter and are easy to emulate. Shellcode emulates GetProcAddress all the time in one form or another. In other cases you see home-grown versions of LoadLibrary that make use of CreateFile and VirtualAlloc in order to map the library themselves. While the function does rely on some Windows API functions, the function itself is not immediately recognizable as LoadLibrary until you perform some analysis, and setting a breakpoint on LoadLibrary is useless, which is the goal of this technique. Themida/WinLicense does this.

Chris
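Added example, not from this thread and not code from Themida or any other tool named here: the manual GetProcAddress that Chris describes, written in Python so it runs on any host. It parses the export directory of an image laid out as mapped in memory (RVA == offset, which is what shellcode sees once it has a module base from the PEB's loader list), resolves an export by name or by a ROR-13 hash of the name, and is exercised against a constructed fake PE32+ image with three registry-related exports whose names and RVAs are made up for the test. The hash routine is one common variant; real shellcode families differ in whether they fold in the NUL terminator or upper-case the name. On a DLL read from disk rather than mapped, RVAs must first be translated to file offsets through the section table, which this example does not do.

```python
import struct

def _u16(b, off): return struct.unpack_from("<H", b, off)[0]
def _u32(b, off): return struct.unpack_from("<I", b, off)[0]

def _cstr(b, off):
    return bytes(b[off:b.index(b"\0", off)])

def ror13_hash(name):
    """ROR-13 accumulate over the name bytes, one common shellcode variant."""
    h = 0
    for c in name:
        h = (((h >> 13) | (h << 19)) + c) & 0xFFFFFFFF
    return h

def export_directory(img):
    """RVA of IMAGE_EXPORT_DIRECTORY in a mapped image (RVA == offset into `img`)."""
    e_lfanew = _u32(img, 0x3C)
    if img[:2] != b"MZ" or img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 4 + 20                                    # optional header follows the 20-byte file header
    dd = opt + (0x60 if _u16(img, opt) == 0x10B else 0x70)    # data directory: +96 in PE32, +112 in PE32+
    exp_rva = _u32(img, dd)                                    # entry 0 is the export table
    if exp_rva == 0:
        raise ValueError("image has no export table")
    return exp_rva

def resolve_export(img, want):
    """RVA of the export named `want` (bytes) or whose ROR-13 hash is `want` (int); None if absent."""
    exp = export_directory(img)
    n_names, funcs, names, ords = (_u32(img, exp + o) for o in (0x18, 0x1C, 0x20, 0x24))
    for i in range(n_names):
        name = _cstr(img, _u32(img, names + 4 * i))
        if (name == want) if isinstance(want, bytes) else (ror13_hash(name) == want):
            ordinal = _u16(img, ords + 2 * i)                  # index into AddressOfFunctions (already Base-relative)
            return _u32(img, funcs + 4 * ordinal)
    return None

def build_fake_image():
    """Constructed PE32+ image with three exports (not a real DLL); the function RVAs are arbitrary."""
    exports = {b"RegCloseKey": 0x1300, b"RegOpenKeyExW": 0x1100, b"RegQueryValueExW": 0x1200}  # name-sorted, like real tables
    img = bytearray(0x2000)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x44, 0x8664, 1)              # Machine=AMD64, one (unused) section
    struct.pack_into("<H", img, 0x54, 240)                     # SizeOfOptionalHeader for PE32+
    struct.pack_into("<H", img, 0x58, 0x20B)                   # PE32+ magic
    exp = 0x1000
    struct.pack_into("<II", img, 0x58 + 0x70, exp, 0x100)      # export data directory (RVA, size)
    n = len(exports)
    funcs, names, ords = exp + 0x28, exp + 0x28 + 4 * n, exp + 0x28 + 8 * n
    struct.pack_into("<6I", img, exp + 0x10, 1, n, n, funcs, names, ords)  # Base, NumberOfFunctions, NumberOfNames, tables
    pos = ords + 2 * n                                         # name strings follow the three tables
    for i, (name, rva) in enumerate(exports.items()):
        struct.pack_into("<I", img, funcs + 4 * i, rva)
        struct.pack_into("<I", img, names + 4 * i, pos)
        struct.pack_into("<H", img, ords + 2 * i, i)
        img[pos:pos + len(name) + 1] = name + b"\0"
        pos += len(name) + 1
    return bytes(img)

if __name__ == "__main__":
    image = build_fake_image()
    print(hex(resolve_export(image, b"RegOpenKeyExW")), hex(resolve_export(image, ror13_hash(b"RegCloseKey"))))
```

The detection angle follows from the code: nothing here calls GetProcAddress, so an API breakpoint on it never fires, but the walk itself leaves a recognizable footprint (reads of `gs:[0x60]`/`fs:[0x30]` for the PEB, a loop over the export name table, a ROR/ADD hash loop), which is what signatures and emulators key on instead.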

You could also copy one basic block of the code until the next ret or absolute jump, scan it for possible INT3s (if there are any, just abort malware execution) and otherwise execute the copied code. Also look into reversing / applying relocation information on that code.

Rip the existing asm code out of the Windows DLLs and redo it internally inside your program.

> How can I write win32 api without using win32 or native api.
> For example, How can I write code that'll manipulate windows registry without using win32 or native api?