Friday, September 26, 2014

Simple call logger

Hello.

I'm working on a new application that logs the behavior of another application. By behavior I mean events such as creating a new thread, loading a DLL, calling API functions or the application's own functions, and taking jumps. That is not the whole feature list: the call logger can also perform specific actions, for example start logging from a given address, change a register value, change a memory value, save a parameter or buffer, or change a parameter or buffer. These actions can only be attached to a given EIP, to the point before/after a call to a function, or to the point before/after a call to a DLL function. A script file may look like this:
start=0x004016fe;
afterdll=IsDebuggerPresent;register=eax,0x00000000;
After the call to IsDebuggerPresent, register EAX is set to 0. This is useful because the logger works as a debugger, and with the return value overwritten the application will not learn that it is being debugged. Note that this override only covers this one check: IsDebuggerPresent just reads the BeingDebugged flag from the PEB, so code that reads the PEB directly, or uses a different anti-debugging check, is not fooled by it. An example log file may look like this:
Start from: 0x004016FE
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LoadDLL: ntdll.dll
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LoadDLL: KERNEL32.dll
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
LoadDLL: msvcrt.dll
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
Jump to: 0x7C813123 (KERNEL32.dll:IsDebuggerPresent) EIP: 0x00403808
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
Jump from 0x00403808 to 0x7C813123 (KERNEL32.dll:IsDebuggerPresent) EIP: 0x00401750
Stack params: 0x00000000 0x00000000 0x004016BD 0x00000000 0x00000000 0x00000000 0x0022FFA0 0x00401CFE 0x00401CA0 0x0022FF30 
Registers before call:
EAX: 0x0000002C EBX: 0x00000000 ECX: 0x7C810693 EDX: 0xFFFFFFFF EBP: 0x0022FF18 ESP: 0x0022FEEC ESI: 0x00241EE9 EDI: 0x0022FF33 EFLAGS: 0x00000206
Registers after call:
EAX: 0x00000000 EBX: 0x00000000 ECX: 0x7C810693 EDX: 0xFFFFFFFF EBP: 0x0022FF18 ESP: 0x0022FEF0 ESI: 0x00241EE9 EDI: 0x0022FF33 EFLAGS: 0x00000206 CF: 0 PF: 1 AF: 0 ZF: 0 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
CONDITIONAL JMP (JZ) is TAKEN to: 0x0040175E EIP: 0x00401752 CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Name: test.exe processID: 7BE8 threadID: 7BEC
Call to: 0x00403738 EIP: 0x00401762
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
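As an added example (not code from the post or from its author), the following Python script parses the rule file format and the log format shown above, and then checks that the afterdll rule actually took effect, i.e. that EAX is 0 in the "Registers after call" snapshot of the IsDebuggerPresent record. Everything beyond what the two script lines and the log excerpt show is an assumption: the grammar (one rule per line, `key=value;` pairs, trigger first, then actions; only the `start` and `afterdll` triggers and the `register` action are accepted because those are the only keywords on the page), the record layout (records delimited by the dashed lines), and the reading of the `EIP:` field on a "Jump from" record as the address the call returns to. The embedded LOG is a shortened, constructed copy of the excerpt above.

```python
"""Added example: parse the call logger's rule script and its log output
(formats as shown in the post) and verify that an `afterdll` rule was applied.
Grammar and record layout beyond the post's samples are assumptions."""
import re

TRIGGERS = {"start", "afterdll"}   # only triggers whose keyword the post shows


def parse_script(text):
    """-> list of (trigger, target, [(REG, value), ...]) per non-empty line."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        pairs = [c.split("=", 1) for c in line.split(";") if c.strip()]
        if not pairs:
            continue
        if any(len(p) != 2 for p in pairs):
            raise ValueError(f"line {n}: expected key=value pairs")
        (trig, target), actions = pairs[0], []
        trig = trig.strip().lower()
        if trig not in TRIGGERS:
            raise ValueError(f"line {n}: unknown trigger {trig!r}")
        for key, val in pairs[1:]:
            if key.strip().lower() != "register":   # only action shown on the page
                raise ValueError(f"line {n}: unknown action {key!r}")
            reg, num = (s.strip() for s in val.split(",", 1))
            actions.append((reg.upper(), int(num, 16) & 0xFFFFFFFF))
        rules.append((trig, target.strip(), actions))
    return rules


SEP_RE = re.compile(r"^-{5,}$")
REG_RE = re.compile(r"\b(E[A-D]X|E[SD]I|E[BS]P|EFLAGS|[CPAZSDO]F): (0x[0-9A-Fa-f]+|\d)")
CALL_RE = re.compile(r"^Jump from (0x[0-9A-Fa-f]+) to (0x[0-9A-Fa-f]+) "
                     r"\(([^:]+):(\w+)\) EIP: (0x[0-9A-Fa-f]+)")


def split_records(text):
    """Group log lines into records delimited by the dashed separator lines."""
    records, cur = [], []
    for line in text.splitlines():
        if SEP_RE.match(line.strip()):
            if cur:
                records.append(cur)
            cur = []
        elif line.strip():
            cur.append(line.rstrip())
    return records + ([cur] if cur else [])


def parse_regs(line):
    """'EAX: 0x0000002C ... CF: 0 ...' -> {'EAX': 44, ..., 'CF': 0}"""
    return {name: int(val, 0) for name, val in REG_RE.findall(line)}


def parse_dll_calls(text):
    """One dict per 'Jump from X to Y (dll:export)' record, with both snapshots."""
    calls = []
    for rec in split_records(text):
        m = next((x for x in map(CALL_RE.match, rec) if x), None)
        if m is None:
            continue
        call = {"from": int(m[1], 16), "to": int(m[2], 16), "dll": m[3],
                "export": m[4], "ret_eip": int(m[5], 16),   # EIP field = return address (assumed)
                "params": [], "before": {}, "after": {}}
        for i, line in enumerate(rec):
            if line.startswith("Stack params:"):
                call["params"] = [int(x, 16) for x in line.split(":", 1)[1].split()]
            elif line.startswith("Registers before call:"):
                call["before"] = parse_regs(rec[i + 1])
            elif line.startswith("Registers after call:"):
                call["after"] = parse_regs(rec[i + 1])
        calls.append(call)
    return calls


def changed_registers(call):
    """Registers whose value differs between the before and after snapshots."""
    b, a = call["before"], call["after"]
    return {r: (b[r], a[r]) for r in b if r in a and b[r] != a[r]}


def check_afterdll_rules(rules, calls):
    """-> (export, reg, expected, logged, ok) for every afterdll rule hit in the log."""
    out = []
    for trig, target, actions in rules:
        if trig != "afterdll":
            continue
        for c in calls:
            if c["export"].lower() == target.lower():
                for reg, want in actions:
                    got = c["after"].get(reg)
                    out.append((c["export"], reg, want, got, got == want))
    return out


SCRIPT = """start=0x004016fe;
afterdll=IsDebuggerPresent;register=eax,0x00000000;
"""

# Constructed, shortened copy of the log excerpt from the post.
LOG = """Start from: 0x004016FE
----------
LoadDLL: KERNEL32.dll
----------
Name: test.exe processID: 7BE8 threadID: 7BEC
Jump from 0x00403808 to 0x7C813123 (KERNEL32.dll:IsDebuggerPresent) EIP: 0x00401750
Stack params: 0x00000000 0x00000000 0x004016BD 0x00000000
Registers before call:
EAX: 0x0000002C EBX: 0x00000000 ECX: 0x7C810693 EDX: 0xFFFFFFFF EBP: 0x0022FF18 ESP: 0x0022FEEC ESI: 0x00241EE9 EDI: 0x0022FF33 EFLAGS: 0x00000206
Registers after call:
EAX: 0x00000000 EBX: 0x00000000 ECX: 0x7C810693 EDX: 0xFFFFFFFF EBP: 0x0022FF18 ESP: 0x0022FEF0 ESI: 0x00241EE9 EDI: 0x0022FF33 EFLAGS: 0x00000206 CF: 0 PF: 1 AF: 0 ZF: 0 SF: 0 DF: 0 OF: 0
----------
Name: test.exe processID: 7BE8 threadID: 7BEC
CONDITIONAL JMP (JZ) is TAKEN to: 0x0040175E EIP: 0x00401752 CF: 0 PF: 1 AF: 0 ZF: 1 SF: 0 DF: 0 OF: 0
----------
"""

if __name__ == "__main__":
    rules, calls = parse_script(SCRIPT), parse_dll_calls(LOG)
    for c in calls:
        print(c["dll"], c["export"], "changed:", changed_registers(c))
    print(check_afterdll_rules(rules, calls))
```

On the excerpt this reports EAX (0x2C to 0) and ESP (popped return address) as the only registers changed by the call, and the rule check passes, which is the quickest way to confirm from a long log that the override fired before the JZ at 0x00401752 was decided.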
That's not the whole log file, but it shows how the tool works. Until next time.
