A while back I needed to find out what an executable named HDSPOOF.EXE was doing to my system. (This article is based upon an early version of the program found in the hdspooferv2.0.rar WinRAR file; an updated version of the program is available as hwspoofv2.1.rar. The points and code fragments noted throughout this discussion are the same, only the addresses have changed in the newer version.) Starting the program from the command line produced the display shown in the original screenshot, with no other visible result than the creation of a configuration file named HDSPOOF.INI in the program's installation directory.

But a proprietary hardware identification driver and test program I had written for a client now generated different results after executing this program. Clearly something on my system had changed. A little investigation yielded the discovery that this program had created and started a dynamic driver on the system and was trying to hide evidence of its presence. The driver was visible under a random name in my utility, NTDevices (available on my website; look for an entry in the index minus the .SYS file extension), but the file for the driver had been deleted from my hard drive. Deleting the configuration file would not restore the expected results. There were still entries present in the system registry for the driver, but under a key with a name different from the display name. Furthermore, rebooting the system and rerunning the program would now create a driver with a new random name and new entries in the system registry, but it would still "spoof" the hardware identification program.

Time to fire up a static analyzer and then the debugger! Running DUMPBIN with /HEADERS and /IMPORTS on the HDSPOOF executable produced the output found in Listing 1. (Alternatively, you can use my utility, PEBrowse Professional, available on my website, to examine the file.) I immediately saw that there are four unnamed sections, two containing code, and that there are only four imports from KERNEL32: LoadLibraryA, GetProcAddress, VirtualAlloc, and VirtualFree. That is the minimal import set of a packed or self-unpacking executable, enough to allocate memory for the unpacked code and resolve its real imports at run time. A closer inspection of the output, though, showed that there are some things that are "not quite right" with this PE file. For starters, the loader flags field holds 0xABDBFFDE (normally 0x0) and the number of data directories is 0xDFFFDDDE (normally 0x00000010), both bizarre and seemingly incorrect values.
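The header oddities DUMPBIN exposed (LoaderFlags and NumberOfRvaAndSizes out of range, unnamed sections, two of them executable) are exactly what a triage script should flag before stepping into a debugger. The Python below is an added example, not code from the article or from HDSPOOF: it walks the DOS, NT, optional and section headers of a PE image, clamps the directory count to the 16 slots the header actually has, and reports the anomalies. The sample image it parses is constructed inline to carry the values quoted above; it is not the HDSPOOF.EXE binary, and the field layout offsets are those of the documented IMAGE_OPTIONAL_HEADER32/64 structures.

```python
"""Triage the PE header anomalies that DUMPBIN exposed (added example, not the article's code)."""
import struct

IMAGE_NUMBEROF_DIRECTORY_ENTRIES = 16      # fixed size of the data-directory array
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def parse_pe_headers(data: bytes) -> dict:
    """Walk DOS -> NT -> optional -> section headers and return the fields of interest."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    file_hdr = e_lfanew + 4
    _machine, num_sections, _ts, _sym, _nsym, opt_size, _chars = struct.unpack_from(
        "<HHIIIHH", data, file_hdr)
    opt = file_hdr + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == PE32_MAGIC:
        loader_flags_off = opt + 88      # IMAGE_OPTIONAL_HEADER32.LoaderFlags
    elif magic == PE32PLUS_MAGIC:
        loader_flags_off = opt + 104     # IMAGE_OPTIONAL_HEADER64.LoaderFlags
    else:
        raise ValueError(f"unexpected optional header magic {magic:#x}")
    loader_flags, num_dirs = struct.unpack_from("<II", data, loader_flags_off)

    # The header only has room for 16 directory entries. A bogus count such as
    # 0xDFFFDDDE must be clamped, or a naive parser tries to read billions of
    # entries and walks straight off the end of the headers.
    effective_dirs = min(num_dirs, IMAGE_NUMBEROF_DIRECTORY_ENTRIES)
    dir_off = loader_flags_off + 8
    directories = [struct.unpack_from("<II", data, dir_off + 8 * i)
                   for i in range(effective_dirs)]

    sections = []
    sec_off = opt + opt_size             # section table follows the optional header
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr, _relocs, _lines, _nrelocs, _nlines,
         flags) = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "virtual_address": va, "virtual_size": vsize,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
            "characteristics": flags,
        })
    return {
        "magic": magic,
        "loader_flags": loader_flags,
        "number_of_rva_and_sizes": num_dirs,
        "effective_directories": effective_dirs,
        "directories": directories,
        "sections": sections,
    }


def triage(pe: dict) -> list:
    """Return human-readable findings for the oddities the article calls out."""
    findings = []
    if pe["loader_flags"] != 0:
        findings.append(f"LoaderFlags = {pe['loader_flags']:#010x} (normally 0)")
    if pe["number_of_rva_and_sizes"] != IMAGE_NUMBEROF_DIRECTORY_ENTRIES:
        findings.append(f"NumberOfRvaAndSizes = {pe['number_of_rva_and_sizes']:#010x} "
                        f"(normally 0x10); clamped to {pe['effective_directories']}")
    unnamed = [s for s in pe["sections"] if s["name"] == ""]
    code_mask = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
    unnamed_code = [s for s in unnamed if s["characteristics"] & code_mask]
    if unnamed:
        findings.append(f"{len(unnamed)} unnamed section(s), "
                        f"{len(unnamed_code)} of them containing code")
    return findings


def build_sample_pe() -> bytes:
    """Constructed PE32 header set reproducing the described oddities (not HDSPOOF.EXE)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_header = struct.pack("<HHIIIHH", 0x14C, 4, 0, 0, 0, 0xE0, 0x0102)
    optional = struct.pack(
        "<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
        0x10B, 6, 0,                       # Magic, linker version
        0x1000, 0x1000, 0,                 # SizeOfCode, SizeOfInitializedData, SizeOfUninitializedData
        0x1000, 0x1000, 0x2000,            # AddressOfEntryPoint, BaseOfCode, BaseOfData
        0x400000, 0x1000, 0x200,           # ImageBase, SectionAlignment, FileAlignment
        4, 0, 0, 0, 4, 0,                  # OS / image / subsystem versions
        0, 0x5000, 0x400, 0,               # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
        3, 0,                              # Subsystem (console), DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000,  # stack / heap reserve and commit
        0xABDBFFDE, 0xDFFFDDDE)            # LoaderFlags, NumberOfRvaAndSizes (the bogus values)
    dirs = b"".join(struct.pack("<II", 0x3000, 0x50) if i == 1 else struct.pack("<II", 0, 0)
                    for i in range(IMAGE_NUMBEROF_DIRECTORY_ENTRIES))  # only the import directory is set

    def section(va, size, raw_ptr, flags):
        return struct.pack("<8sIIIIIIHHI", b"", size, va, size, raw_ptr, 0, 0, 0, 0, flags)

    sections = (section(0x1000, 0x1000, 0x400, 0x60000020) +   # unnamed, code
                section(0x2000, 0x1000, 0x1400, 0xC0000040) +  # unnamed, data
                section(0x3000, 0x1000, 0x2400, 0xC0000040) +  # unnamed, data
                section(0x4000, 0x1000, 0x3400, 0x60000020))   # unnamed, code
    return dos + b"PE\0\0" + file_header + optional + dirs + sections


if __name__ == "__main__":
    for line in triage(parse_pe_headers(build_sample_pe())):
        print(line)
```

The clamp is the caveat to take away: the Windows loader reads the fixed 16-entry array and never past it, so a file with a nonsensical NumberOfRvaAndSizes runs normally while a tool that trusts the count breaks. Point `parse_pe_headers` at the bytes of a real file to compare against the DUMPBIN output.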