CFF Explorer View/modify PE file Resources
With CFF Explorer you can view and modify the resources of a PE file, list the functions a DLL file calls, and edit a function's entry address, which is how the tool is used for cracking. CFF Explorer also bundles a Dependency-Walker-style dependency analysis, a hex editor and a quick disassembler, as shown in the figure below:
PE (Portable Executable) files are, as the name says, portable executables. Common EXE, DLL, OCX, SYS and COM files are PE files, and PE is the program-file format of the Microsoft Windows operating system (a PE file may also be executed indirectly, as a DLL is).
How to implement API hooks under Windows 7
An API hook is a technique for intercepting API calls: before an API is called, a function of your own runs first, and it can then decide whether to call the original API or do something else. Suppose you want to intercept a process's network access; that usually comes down to a few socket APIs: recv, recvfrom, send, sendto and so on. You could of course use a packet-capture tool, but here only the API hook approach is covered. There are two basic methods:
1. Modify the entry address of the original function, i.e. edit the PE file's import address table.
2. Leave the import table alone and instead overwrite the first bytes of the function in memory with a JMP to your own function, restoring the original bytes after your code has run.
The JMP method is the more flexible one: with the CreateRemoteThread API you can inject your own DLL into another process and then hook the API with the JMP method. Another use of this technique is hiding processes; many viruses and Trojans use it to hide themselves so that they are hard to find and remove.
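As an added example, not code from the original post, this is the integrity check a defender runs against the JMP-patching method described above: it compares a function's first bytes as stored on disk with the bytes read from process memory, and decodes any planted jump so its destination can be attributed to a module. The function address, hook target and prologue bytes are constructed samples.

```python
import struct

# Constructed sample: the first 8 bytes of an API as stored on disk
# (a common 32-bit prologue: mov edi,edi / push ebp / mov ebp,esp / sub esp,10h).
DISK_PROLOGUE = bytes.fromhex("8bff558bec83ec10")
# Constructed sample addresses: where the API lives and where a hook redirects to.
FUNC_ADDR = 0x77D41234
HOOK_TARGET = 0x10001000
# Constructed sample: the same 8 bytes read from process memory after an
# inline hook overwrote the first five with "jmp rel32" to HOOK_TARGET.
MEM_PROLOGUE = (b"\xe9" + struct.pack("<i", HOOK_TARGET - (FUNC_ADDR + 5))
                + DISK_PROLOGUE[5:])


def decode_jump(code: bytes, addr: int):
    """Return the absolute destination if `code` (loaded at `addr`) starts with a
    jump of the kind an inline hook plants, otherwise None.
    Handles: jmp rel32 (E9), jmp [abs32] (FF 25, 32-bit form only) and push imm32 / ret (68 .. C3)."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]      # signed displacement
        return addr + 5 + rel                           # relative to the next instruction
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return struct.unpack_from("<I", code, 2)[0]     # address of the pointer slot
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return struct.unpack_from("<I", code, 1)[0]     # pushed return address
    return None


def check_prologue(disk: bytes, mem: bytes, addr: int) -> dict:
    """Report whether the in-memory prologue differs from the on-disk one and,
    if the patched bytes form a jump, where that jump lands."""
    n = min(len(disk), len(mem))
    diffs = [i for i in range(n) if disk[i] != mem[i]]
    return {
        "modified": bool(diffs),
        "first_diff": diffs[0] if diffs else None,
        "jump_target": decode_jump(mem, addr) if diffs else None,
    }


if __name__ == "__main__":
    print(check_prologue(DISK_PROLOGUE, MEM_PROLOGUE, FUNC_ADDR))
```

A real check reads the prologue from the module file mapped at its load address (after relocation) and from the live process, then maps the jump target to the owning module; a target outside any legitimately loaded module is the signal worth alerting on.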
DLL injection through CreateRemoteThread has, however, become hard to use on Windows 7, which hardened security in many ways and restricts a number of API calls. So how can DLL injection and API hooking be done simply? A well-known tool helps here: CFF Explorer, part of the Explorer Suite (http://www.ntcore.com/), is made for modifying PE files and can also add entries to an existing PE file's import table. You just write a DLL that implements one exported function, then use this tool to add that DLL to the PE file's imports so the program loads it itself. The following steps make Notepad.exe load Rand.dll:
After rebuilding the Import Table, save (or Save As) to write the new file. Your DLL is then loaded automatically, and the API hook is installed when the DLL loads.
This technique can be used for many "bad things": the interception of a process's network traffic mentioned above, or cracking software and removing its restrictions. For example, suppose a program is trial software with a 7-day trial. The crudest way around that is to change the machine time, but with an API hook it is easy: use CFF Explorer or Dependency Walker to see which function the software calls to get the current system time; if it is GetLocalTime, then I can intercept GetLocalTime and return a time at which the trial never expires, and then use CFF Explorer to add my own DLL to the software's function import table, so there is no need to change the system time to get past the trial period.
A solemn reminder: API hooks let you do many things you might want to do, but in my view they are for study only; do not spread this or use it for profit, or the consequences will be serious.