(Courtesy of fravia's advanced searching lore)
Some fun with Aureate
by garph0
published at searchlores in
October 2001
An amazing essay that will teach you more than you would believe just perusing it, especially
if you examine carefully the files contained in this [../zipped/AureateBust.zip]
package that garph0 has been so kind to prepare...
The package contains the following files:
TFDE DLL 40,960 27/09/01 14:21 tfde.dll
ADVERT DLL 40,960 27/09/01 14:20 Advert.dll
ADIMAGE DLL 40,960 27/09/01 14:20 adimage.dll
and in the subdir SRC
ADIMAGE DEF 251 23/09/01 15:10 adimage.def
ADIMAGE CPP 3,168 27/09/01 14:26 adimage.cpp
ADVERT DEF 830 24/09/01 13:56 advert.def
ADVERT CPP 2,353 27/09/01 14:27 Advert.cpp
TFDE CPP 1,162 27/09/01 14:28 tfde.cpp
TFDE DEF 270 24/09/01 15:37 tfde.def
Enjoy!
Some fun with Aureate
It's amazing how many programs are going to use Aureate/Radiate
advertising to show us some ads! I'm not against the concept of
adware software: I can get some proggies that I want to try (and
that usually I want to zap off my hard disk as quickly as I can ;)
for free. I'm definitely against the Aureate & Co. way of thinking
adware...
Ok, now that I gave my (unasked :P ) two cents to the adware topic,
let's start with the real stuff :
[TOOLS]
- A brain (maybe a working one, and it's better if it's yours ;)
- Old good IDA
- Depends (it's a Microsoft SDK tool)
- AdAware (www.lavasoft.de or www.lavasoftUSA.com)
- A compiler
[TARGETS]
- NetAnts (www.netants.com)
- NetVampire (?www.netvampire.com?)
- Go!Zilla (www.aureate.com) <- Yessir!
- Possibly other (all?) aureate powered bugware
The problem with these adware things is that you cannot
remove the spyware files, or your latest cute nice proggie
youcannotlivewithout will stop working.
Now, when I installed NetAnts I had to leave it running for
some days (a big download, yes ;) but I didn't want to have
the aureate stuff doing its work with my data, so I retrieved
AdAware and let it have a run on my hard disk.
This baby seems quite good at removing spyware: it wiped
aureate (and some other things I didn't know were spyware)
off my system.
Then I gave a run to NetAnts: it showed an error message saying
LoadLibrary(adimage.dll)[126], followed by some other complaints.
So the problem was in the adimage.dll library, which I had just
removed...
I reinstalled NetAnts to get aureate back, and I made a backup of
the dll aureate stuff before deleting it.
Ok, now I had something to study :)
A quick dependency check on NetAnts shows that it doesn't
implicitly link any of the aureate DLLs, so I disassembled
it with IDA: searching all the LoadLibrary occurrences I
saw that only adimage.dll was used by NetAnts.
At first I thought of patching NetAnts where it loads
adimage.dll, but then I would also have had to fix all the
GetProcAddress mess, and all the calls to the functions
loaded from the DLL... too much effort! So I thought of
writing my own version of adimage.dll, and putting it in the place
of the original one: I expected to have to write some
code to at least partially emulate the original functions,
but it seemed to be easier than all the patching work.
Let's write a DLL exporting the same functions as the
original one: it's easy:
- create an adimage.c file, with this function:
#include <windows.h>
/* Entry point called by the loader on attach/detach: nothing to set up, just say OK */
BOOL APIENTRY DllMain(HANDLE hMod, DWORD dw, LPVOID lpV)
{
return TRUE;
}
- use Depends to see all the functions exported from
adimage, you can select all of them and copy the names
in your adimage.c file
- now for each exported function write a function like this:
/* Fake export: returns a nonzero value so the caller believes the call succeeded */
DWORD Initialize ()
{
return 1;
}
- now we need to know the right number of parameters
that the function accepts: disassemble adimage.dll
with IDA, search for the function you want and you can
see all the information we need:
10002F6E
10002F6E ; S u b r o u t i n e
10002F6E ; Attributes: bp-based frame
10002F6E
10002F6E public Initialize
10002F6E Initialize proc near ; CODE XREF: std_Initialize+1
10002F6E
10002F6E var_260 = byte ptr -260h
10002F6E var_15D = byte ptr -15Dh
10002F6E var_15C = byte ptr -15Ch
10002F6E var_58 = byte ptr -58h
10002F6E var_24 = byte ptr -24h
10002F6E var_4 = dword ptr -4
10002F6E arg_0 = dword ptr 8 <-- arg #1
10002F6E arg_4 = dword ptr 0Ch .
10002F6E arg_8 = dword ptr 10h .
10002F6E arg_C = dword ptr 14h .
10002F6E arg_10 = dword ptr 18h <-- arg #5
10002F6E
10002F6E push ebp
10002F6F mov ebp, esp
10002F71 sub esp, 260h
Initialize will accept 5 parameters. Here's the C code:
DWORD Initialize (DWORD a1, DWORD a2, DWORD a3, DWORD a4, DWORD a5)
{
return 1;
}
Please note that we can completely ignore the original
type of each parameter (whether it was a char, an int or
a pointer...): on 32-bit x86 every argument is pushed in
its own 4-byte stack slot, which is exactly the size of a DWORD,
so the number of arg_* entries is all the stub needs (a 64-bit
value such as a double is the exception: it takes two slots).
While you are in IDA, also look at the ret at the end of the
function: a "retn 14h" means the callee cleans its five arguments
(stdcall), a plain "retn" means the caller does (cdecl), and the
stub must be declared with the same convention or the stack will
be unbalanced after the call.
Should you need a particular type for programming
needs you can cast it, once you've discovered what
it is.
Set the right parameter number in each function.
- now prepare a simple DEF file (adimage.def)
LIBRARY adimage
EXPORTS
Initialize @1
std_Initialize @2
StartMessaging @3
std_StartMessaging @4
SetThrottle @5
std_SetThrottle @6
SetProxy @7
std_SetProxy @8
Spuck @9
std_Spuck @10
SetOffline @11
std_SetOffline @12
- compile, link and put the resulting adimage.dll in
NetAnts.exe's directory (I'm not going to bother you
with details on this part :P ).
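As an added worked example (not the adimage.cpp shipped in garph0's AureateBust.zip), here is the complete stub DLL source that the steps above produce, with one extra twist: besides returning a nonzero value from every export it counts each call and writes a line to the debugger, so you can see what the host program asks the DLL to do without any Aureate code ever running. It assumes the essay's adimage.def is used unchanged for the exports; only Initialize's five arguments are known from the page, so the other signatures are marked as placeholders to be filled in from IDA. The non-Windows branch exists only so the file compiles and the helpers can be checked on a Linux box.

```c
/* adimage_stub.c: instrumented stub for adimage.dll (added example, not
 * garph0's original source). Every export returns nonzero, as in the essay,
 * and additionally records the call. Link with the essay's adimage.def. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Compile-check on a non-Windows host: minimal stand-ins for the Win32 types. */
typedef unsigned long DWORD;
typedef int BOOL;
typedef void *HINSTANCE;
typedef void *LPVOID;
#define TRUE 1
#define APIENTRY
#endif

/* Export names, in the order of the adimage.def from the essay. */
static const char *const stub_names[] = {
    "Initialize", "std_Initialize", "StartMessaging", "std_StartMessaging",
    "SetThrottle", "std_SetThrottle", "SetProxy", "std_SetProxy",
    "Spuck", "std_Spuck", "SetOffline", "std_SetOffline"
};
#define STUB_COUNT (sizeof stub_names / sizeof stub_names[0])

static unsigned stub_calls[STUB_COUNT]; /* per-export call counters */
static DWORD stub_banner_window;        /* arg #1 of Initialize: the banner HWND */

/* Count the call and emit one line: to the debugger on Windows (visible in
 * DebugView or under a debugger), to stderr elsewhere. */
static void stub_log(const char *name, DWORD a1)
{
    char line[128];
    size_t i;
    for (i = 0; i < STUB_COUNT; i++)
        if (strcmp(stub_names[i], name) == 0)
            stub_calls[i]++;
    snprintf(line, sizeof line, "adimage stub: %s(0x%lx, ...)\n",
             name, (unsigned long)a1);
#ifdef _WIN32
    OutputDebugStringA(line);
#else
    fputs(line, stderr);
#endif
}

/* Query helpers: handy from a debugger, and what the checks below use. */
unsigned stub_call_count(const char *name)
{
    size_t i;
    for (i = 0; i < STUB_COUNT; i++)
        if (strcmp(stub_names[i], name) == 0)
            return stub_calls[i];
    return 0;
}
DWORD stub_last_banner_window(void) { return stub_banner_window; }

BOOL APIENTRY DllMain(HINSTANCE hMod, DWORD reason, LPVOID reserved)
{
    (void)hMod; (void)reason; (void)reserved;
    return TRUE; /* nothing to initialise: the stub has no state of its own */
}

/* Initialize takes five DWORD-sized arguments (arg_0 .. arg_10 in the IDA
 * listing); the essay found the first one to be the banner window handle. */
static DWORD initialize_common(const char *name, DWORD a1)
{
    stub_banner_window = a1;
    stub_log(name, a1);
    return 1;
}
DWORD Initialize(DWORD a1, DWORD a2, DWORD a3, DWORD a4, DWORD a5)
{
    (void)a2; (void)a3; (void)a4; (void)a5;
    return initialize_common("Initialize", a1);
}
DWORD std_Initialize(DWORD a1, DWORD a2, DWORD a3, DWORD a4, DWORD a5)
{
    (void)a2; (void)a3; (void)a4; (void)a5;
    return initialize_common("std_Initialize", a1);
}

/* The page does not give the argument counts of the other exports, so these
 * PLACEHOLDER signatures take no parameters: fill each one in from its arg_*
 * list in IDA exactly as was done for Initialize. */
DWORD StartMessaging(void)     { stub_log("StartMessaging", 0);     return 1; }
DWORD std_StartMessaging(void) { stub_log("std_StartMessaging", 0); return 1; }
DWORD SetThrottle(void)        { stub_log("SetThrottle", 0);        return 1; }
DWORD std_SetThrottle(void)    { stub_log("std_SetThrottle", 0);    return 1; }
DWORD SetProxy(void)           { stub_log("SetProxy", 0);           return 1; }
DWORD std_SetProxy(void)       { stub_log("std_SetProxy", 0);       return 1; }
DWORD Spuck(void)              { stub_log("Spuck", 0);              return 1; }
DWORD std_Spuck(void)          { stub_log("std_Spuck", 0);          return 1; }
DWORD SetOffline(void)         { stub_log("SetOffline", 0);         return 1; }
DWORD std_SetOffline(void)     { stub_log("std_SetOffline", 0);     return 1; }
```

With MSVC the build is the usual "cl /LD adimage_stub.c /link /DEF:adimage.def", after which the resulting DLL is renamed to adimage.dll. Before trusting the placeholder signatures, read the ret at the end of each original function in IDA: for a stdcall export (retn with an immediate) the stub must declare exactly the same number of DWORD parameters, otherwise the stack is left unbalanced after the call.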
At this point I expected some problems with NetAnts,
since the library functions are totally fake, so I
launched NetAnts to see what needed a fix-up ...
IT WORKED! there is no check, nothing at all!
just return a nonzero value and you're ok!
Amazing :)
At this point I downloaded the other two targets,
just to see if this thing worked also with those:
obviously it didn't :(
Fortunately the problem is that NetVampire and
Go!Zilla use other DLLs:
Advert.dll and
tfde.dll
I tried to make two more fake DLLs, exactly in the
same way, and both the programs worked fine :)
tfde.dll is a COM object, and it also exports
DllCanUnloadNow, DllGetClassObject, DllRegisterServer
and DllUnregisterServer, but we don't need to export these
functions, since they are functions called by the system
if some COM client wants to use tfde's COM functions (and we
have not created a COM object, so it would not work anyway
if COM functionality is needed).
Finally, if you debug your new adimage DLL a little
you'll find that the first parameter in Initialize
is the handle of the window that contains the
banner... that's how I managed to write there :)
I only tested my DLLs with these three targets, so I
can't assure this will work with everything (writing
these DLLs is a simple task, but quite boring, you
know). If you need help, have suggestions, discover
something that doesn't work with this method, or
have any comments/suggestions please feel free
to write me.
Work well, and forgive my bad English ;)
garph0 ( xmarkix (at) katamail (dot) com )
(c) 1952-2032: [fravia+], all rights
reserved and reversed