Friday, 20 October 2017

Anti Reverse Engineering Mechanism and its Bypass - Part-3 - FindWindowAPI

This is Part 3 of the Anti Reverse Engineering Mechanism Series. Here we will discuss about FindWindow API and how we can bypass the check.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms633499(v=vs.85).aspx

This function retrieves the top window level handle whose classname and window name match any specified string.
So if the name matches it returns a handle, else it returns null.

There is a tool called WinLister which you can find out the ClassName, Handler , Location , etc. So if you have Ollydbg already running this is what you would see


So if I would start Immunity Debugger and IDA Pro , this is what you would see as well ..


So the code to detect these we can write a code like this which tells if there is a debugger attached or not

Now let us have a look behind the scene by loading in OllyDdb.


At first we will investigate what is going inside the FindWindowAPI , so let us step inside the function call

Next we will do investigation inside the function call on line 10 , CALL USER32.7E42C962. We will step inside this function call
So after analyzing this code we can confirm that this code the value of the handler if the string search is successful, we can verify it by comparing the value of EAX after it exits with the value listed in the WINLISTER application



Now if we come back to the main code execution we will see a comparison at line 12. As we discussed earlier , the application will return NULL/Zero if no match found or if there was no window name available. So lets analyze what is happening
MOV DWORD PTR SS:[EBP-8],EAX - This pushes the EAX value containing the Handler Value to Stack Segement CMP DWORD PTR SS:[EBP-8],0 - This checkes if the value in Stack Segment is 0 or not The Jump would take based on the comparison. This similar to the IF condition if (olly)
Now how would we bypass it ? What we have to do is little bit of patching in the code , we would patch the instruction just after CALL USER32.7E42C962 , with XOR EAX,EAX followed by the same instructions. This will make the value of EAX to 0. So whatever the function returns, the value of EAX will always be set to 0


Old Instruction Sets
CALL USER32.7E42C962
POP EBP
RETN 8

New Instruction Sets
CALL USER32.7E42C962
XOR EAX, EAX
POP EBP
RETN 8

References :
https://www.codeproject.com/Articles/30815/An-Anti-Reverse-Engineering-Guide#OllyFindWindow
https://www.youtube.com/watch?v=mceey3ZOxBs&list=PLDDgCVPL60zigbZmnNIj-l7fA4rEQThH0&index=3