Figure 11.12 Executable modules statically linked with Defender (from OllyDbg).
Figure 11.13 Imports and Exports for Defender.EXE (from OllyDbg).
Very short list indeed only NTDLL.DLL and KERNEL32.DLL. Remember that our GUI crackme, KeygenMe-3 had a much longer list, but then again Defender is a console-mode application. Let s proceed to the Names window to determine which APIs are called by Defender. Figure 11.13 shows the Names window for Defender.EXE. Very strange indeed. It would seem that the only API called by Defender.EXE is IsDebuggerPresent from KERNEL32.DLL. It doesn t take much reasoning to figure out that this is unlikely to be true. The program must be able to somehow communicate with the operating system, beyond just calling IsDebuggerPresent. For example, how would the program print out messages to the console window without calling into the operating system That s just not possible. Let s run the program through DUMPBIN and see what it has to say about Defender s imports. Listing 11.4 shows DUMPBIN s output when it is launched with the /IMPORTS option.
Microsoft (R) COFF/PE Dumper Version 7.10.3077 Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file defender.exe
Listing 11.4 Output from DUMPBIN when run on Defender.EXE with the /IMPORTS option.
Breaking Protections
File Type: EXECUTABLE IMAGE Section contains the following imports: KERNEL32.dll 405000 405030 0 0 Import Address Table Import Name Table time date stamp Index of first forwarder reference
22F IsDebuggerPresent Summary 1000 4000 1000 1000 .data .h3mf85n .h477w81 .rdata
Listing 11.4 (continued)
Not much news here. DUMPBIN is also claiming the Defender.EXE is only calling IsDebuggerPresent. One slightly interesting thing however is the Summary section, where DUMPBIN lists the module s sections. It would appear that Defender doesn t have a .text section (which is usually where the code is placed in PE executables). Instead it has two strange sections: .h3mf85n and .h477w81. This doesn t mean that the program doesn t have any code, it simply means that the code is most likely tucked in one of those oddly named sections. At this point it would be wise to run DUMPBIN with the /HEADERS option to get a better idea of how Defender is built (see Listing 11.5).
Microsoft (R) COFF/PE Dumper Version 7.10.3077 Copyright (C) Microsoft Corporation. All rights reserved.
Dump of file defender.exe PE signature found File Type: EXECUTABLE IMAGE FILE HEADER VALUES 14C machine (x86)
Listing 11.5 Output from DUMPBIN when run on Defender.EXE with the /HEADERS option. (continued)
4 4129382F 0 0 E0 10F
number of sections time date stamp Mon Aug 23 03:19:59 2004 file pointer to symbol table number of symbols size of optional header characteristics Relocations stripped Executable Line numbers stripped Symbols stripped 32 bit word machine
OPTIONAL HEADER VALUES 10B magic # (PE32) 7.10 linker version 3400 size of code 600 size of initialized data 0 size of uninitialized data 4232 entry point (00404232) 1000 base of code 5000 base of data 400000 image base (00400000 to 00407FFF) 1000 section alignment 200 file alignment 4.00 operating system version 0.00 image version 4.00 subsystem version 0 Win32 version 8000 size of image 400 size of headers 0 checksum 3 subsystem (Windows CUI) 400 DLL characteristics No safe exception handler 100000 size of stack reserve 1000 size of stack commit 100000 size of heap reserve 1000 size of heap commit 0 loader flags 10 number of directories 5060 [ 35] RVA [size] of Export Directory 5008 [ 28] RVA [size] of Import Directory 0 [ 0] RVA [size] of Resource Directory 0 [ 0] RVA [size] of Exception Directory 0 [ 0] RVA [size] of Certificates Directory 0 [ 0] RVA [size] of Base Relocation Directory 0 [ 0] RVA [size] of Debug Directory 0 [ 0] RVA [size] of Architecture Directory 0 [ 0] RVA [size] of Global Pointer Directory
Listing 11.5 (continued)
