Re: DLL Watching

From: Hector Herrera (hectorhat_private)
Date: Tue Jan 08 2002 - 12:24:07 PST


    At 11:20 AM 08/01/02 -0800, Ryan Permeh wrote:
    >by using "wrapper" dll's, or api hooking, you can do this.  basically, you
    >create a shell dll that exports all of the same functions and each export
    >logs and calls the equivalent actual dll export.  this is a software
    >cracker / reverse engineer trick that has a lot of applicability in research
    >context.
    
    The problem with this approach is that you are assuming
    that the "third party" is using the standard interfaces
    to perform file i/o.
    
    As soon as the "third party" uses a different api, such
    as the "defrag" api, then the standard file i/o dlls will
    never be used, and your "wrapper" will not log the activity.
    
    Hector
    
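As an added illustration of the gap Hector describes (not code from this thread, and not a Windows DLL): the POSIX analogue of a wrapper DLL is a same-named function that logs and then forwards to the real library routine looked up with dlsym(RTLD_NEXT). The block below wraps fopen() that way, then reaches the same file through a different route (a raw openat/open syscall) that never touches the wrapped interface, so the wrapper's log stays empty for it. It assumes Linux/glibc or macOS; on glibc older than 2.34 link with -ldl. The path and the log structure are constructed for the example.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Fallback in case <features.h> was processed before _GNU_SOURCE took effect. */
#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l)
#endif

/* Constructed log: paths the wrapper has seen (stands in for the wrapper DLL's log file). */
#define LOG_MAX 16
static char seen_paths[LOG_MAX][256];
static int seen_count = 0;

static void log_path(const char *path) {
    if (seen_count < LOG_MAX) {
        strncpy(seen_paths[seen_count], path, sizeof seen_paths[0] - 1);
        seen_paths[seen_count][sizeof seen_paths[0] - 1] = '\0';
        seen_count++;
    }
}

/* The "wrapper export": same name and signature as the library's fopen.
 * It logs the call and forwards to the next definition in link order (libc's). */
FILE *fopen(const char *path, const char *mode) {
    static FILE *(*real_fopen)(const char *, const char *) = NULL;
    if (real_fopen == NULL)
        real_fopen = (FILE *(*)(const char *, const char *)) dlsym(RTLD_NEXT, "fopen");
    log_path(path);
    return real_fopen(path, mode);
}

/* Route 1: the standard interface. This passes through the wrapper above. */
int open_via_stdio(const char *path) {
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    fclose(f);
    return 0;
}

/* Route 2: a different API to the same file. The raw syscall bypasses every
 * user-space library wrapper, exactly as a non-standard I/O API bypasses a
 * wrapper DLL around the standard one. */
int open_via_syscall(const char *path) {
#ifdef SYS_openat
    long fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
#else
    long fd = syscall(SYS_open, path, O_RDONLY);
#endif
    if (fd < 0)
        return -1;
    close((int) fd);
    return 0;
}

/* Query helpers so a caller can check what the wrapper actually observed. */
int wrapper_saw(const char *path) {
    for (int i = 0; i < seen_count; i++)
        if (strcmp(seen_paths[i], path) == 0)
            return 1;
    return 0;
}

int wrapper_log_count(void) {
    return seen_count;
}

int main(void) {
    open_via_stdio("/dev/null");   /* logged */
    open_via_syscall("/dev/null"); /* not logged */
    printf("wrapper logged %d call(s); saw /dev/null: %d\n",
           wrapper_log_count(), wrapper_saw("/dev/null"));
    return 0;
}
```

The counter stays at one after both opens: the wrapped interface is a choke point only for callers that use it. Logging at the boundary the "third party" cannot route around (a filter driver or syscall tracing on Windows, ptrace/seccomp/audit on Linux) closes the gap a library-level wrapper leaves open.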



    This archive was generated by hypermail 2b30 : Tue Jan 08 2002 - 13:46:48 PST