📚 OpenRCE is preserved as a read-only archive. Launched at RECon Montreal in 2005. Registration and posting are disabled.

How to hook Native process whose export functions are not available

Topic created on: July 9, 2011 13:42 CDT by Usman.

Hello,
I need to solve a reverse engineering problem of a native process.
I have an unmanaged .exe with some controls on it (e.g. TextBox, Buttons, TextAreas, ComboBoxes). After filling in all the data on the controls the user will press "Open".

Actually it will open the modem port and will send the AT commands. I want to check the format of the data and the message which it will send to modem COM port.

So somehow I need to reverse engineer the process and hook the functions (most probably the function which "Open"s the modem port; when the user clicks "Open", it will be called).


Suggestions?? Are my directions right, and do I need to hook its functions? Then after injection, my goal will be achieved.

Note:
=====

No EXPORTED function is detected. I used CFF/PE Explorer for that.
Regards
Usman

gemoroy     July 10, 2011 01:56.01 CDT
You can use Portmon to solve that issue. Source code isn't provided, but it logs every IRP\IOCTL it filters, so you'll be able to reimplement the needed filter driver functionality if you really want to.
PS: You'll be able to find a filter driver sample in the DDK.

Usman     July 10, 2011 04:33.51 CDT
gemoroy: Actually the problem I am facing is that I have a VB 6.0 made process and it has some controls (e.g. Buttons, TextBoxes, dropdowns etc. and finally a "Send" button). When I fill up all the fields required, I just click the send button. Now here this process internally makes some AT command by using my provided data and sends that AT command to the GSM modem. I need to somehow interpret that AT command and use it on the web for the clients/users. So for that I need to have the whole idea about the format/working and representation of that AT command (AT commands are instructions used to control a modem).

This leads me to HOOK the "Send" function, so that when I click after entering data, the send function can be hooked with some "MySend" somehow and I can catch the whole data, make the analysis on that and forward the actual call to the ACTUAL "Send" function where it was actually sending. MAIN PROBLEM IS IT IS CONSTRUCTED IN VB 6.0, NO SOURCE CODE, NO GOOD HELP OVER THE WEB, AND MOREOVER the question is HOW TO HOOK THIS VB based process's functions in C++ or C#?

gemoroy     July 10, 2011 05:14.33 CDT
Portmon can help you to inspect serial\parallel port I/O without hooking anything in the actual usermode program.
However, if you still want to dig into your VB app, here is a quite helpful IDC script which can help you to determine the GUI handlers, including your "Send" button, if you're not familiar with p-code apps.
After that you can hook it any way you like, for example by injecting a DLL: set up the function you want to handle the hook as a VEH handler, and set a breakpoint on the function you want to hook.
So when the function you want to hook is executed, the breakpoint will be hit and a trap exception raised, so execution will be redirected to the VEH handler.
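The breakpoint-plus-exception-handler hook described above, as an added example that is not from this thread: it runs on Linux/x86-64 with a SIGTRAP handler standing in for the VEH, writes an int3 on the entry of a stand-in Send routine, and diverts the call into a "MySend" that records the AT payload before forwarding to the original. The target function, the payload and all names (real_send, my_send, run_demo) are constructed for the demo; a real VB6 target would be located with the IDC script and patched at its handler's entry instead.

```c
#define _GNU_SOURCE                 /* exposes REG_RIP / gregs in <ucontext.h> */
#include <signal.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <ucontext.h>
#include <unistd.h>
#ifndef REG_RIP
#define REG_RIP 16                  /* glibc x86-64 index, if headers were pulled in without _GNU_SOURCE */
#endif
/* Stand-in for the app's real "Send" routine (constructed for this demo). */
static int real_send(const char *buf, size_t len) { return (int)len; }
/* Calls go through a volatile pointer so the compiler cannot inline or drop them. */
static int (*volatile send_fn)(const char *, size_t) = real_send;
static uint8_t saved_byte;          /* original first byte of real_send */
static char captured[64];           /* bytes the hook observed */
static int hook_hits;

/* "MySend": entered with Send's own rdi/rsi intact, because the breakpoint sits on
   real_send's very first instruction. Logs the payload, un-patches, forwards. */
static int my_send(const char *buf, size_t len) {
    size_t n = len < sizeof captured - 1 ? len : sizeof captured - 1;
    memcpy(captured, buf, n);
    captured[n] = '\0'; hook_hits++;
    *(volatile uint8_t *)real_send = saved_byte;   /* one-shot hook: restore entry byte */
    return send_fn(buf, len);                      /* forward to the real Send */
}
/* Trap handler (the VEH equivalent): redirect our breakpoint to my_send. */
static void trap_handler(int sig, siginfo_t *si, void *ctx) {
    ucontext_t *uc = ctx; (void)sig; (void)si;
    uintptr_t rip = (uintptr_t)uc->uc_mcontext.gregs[REG_RIP] - 1;   /* int3 is one byte */
    if (rip != (uintptr_t)real_send) return;       /* not our breakpoint: leave it */
    uc->uc_mcontext.gregs[REG_RIP] = (greg_t)(uintptr_t)my_send;
}
static int install_hook(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *page = (void *)((uintptr_t)real_send & ~(uintptr_t)(pg - 1));
    struct sigaction sa = { .sa_sigaction = trap_handler, .sa_flags = SA_SIGINFO };
    if (mprotect(page, (size_t)pg, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    if (sigaction(SIGTRAP, &sa, NULL) != 0) return -1;
    saved_byte = *(uint8_t *)real_send;
    *(volatile uint8_t *)real_send = 0xCC;         /* int3 on the entry instruction */
    return 0;
}
/* Hooks Send, issues one constructed AT command, returns how often the hook fired. */
int run_demo(void) {
    hook_hits = 0;
    if (install_hook() != 0) return -1;
    return send_fn("AT+CMGF=1\r", 10) == 10 ? hook_hits : -2;
}
const char *captured_payload(void) { return captured; }
```

The same shape on Windows replaces sigaction with AddVectoredExceptionHandler and the SIGTRAP check with EXCEPTION_BREAKPOINT, and the page protection change with VirtualProtect.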

Usman     July 10, 2011 05:26.28 CDT
Actually Portmon is just showing the messages which are being SENT in the form of like IOCT_MSG_...blah blah..
I actually want to know the EXACT PARAMETERS that were being sent to the Modem after the "Send" click. For THIS I NEED TO HOOK the "SEND" function. Moreover it is not working at my side; it asks the computer to connect, and I don't have a modem installed for its local inspection. Leave it!!

So the actual thing is to hook, and now what would this VB app benefit me? I have gone through it a little, what is its theme and what is its functionality, and how can I utilize this to solve my problem then?
