    <p>Any function that is imported by name will always have the name embedded into the binary (in the import descriptor thunk to be exact), the detailed parameter info is gotten from the pdbs as Steve mentioned (however analysing debuggers like ollydbg can deduce args, due to the symbol name being available). The only ways to avoid this are to either encrypt the IAT (using 3rd party packers/virtualizers/binary protection systems etc, like enigma) or use a custom version of <code>GetModuleHandle</code> (basically just a PEB spelunking tool) and <code>GetProcAddress</code> (a PE spelunking tool this time), then by storing all the api calls you need as runtime encrypted strings, you can then call whatever you need without plain text giving you away (securerom does this, though it uses <code>GetProcAddress</code> directly, along with some binary obfuscation).</p>
    <p><strong>Update:</strong></p>
    <p>For compile-time 'obfuscated' strings, you can use something like this (really simple, but it should be portable, if you use C++0x, this is a lot easier):</p>
<pre><code>#define c(x) char((x) - 1) //really simple, complexity is up to the coder
#define un(x) char((x) + 1)
typedef int (WINAPI* MSGBOX)(HWND, LPCSTR, LPCSTR, UINT);
const int ORD_MASK = 0x10101010;
//encoded name; the plain trailing '\0' is what stops the decode loop below
const char szMessageBoxA[] = {c('M'),c('e'),c('s'),c('s'),c('a'),c('g'),c('e'),c('B'),c('o'),c('x'),c('A'),'\0'};

FARPROC GetProcAddressEncrypted(HMODULE hModule, const char* szName, BOOL bOrd = FALSE)
{
    if(bOrd)
        return GetProcAddress(hModule,reinterpret_cast&lt;const char*&gt;(reinterpret_cast&lt;int&gt;(szName) ^ ORD_MASK)); //this requires that ordinals be stored as ordinal ^ ORD_MASK

    char szFunc[128] = {'\0'};
    //decode into the local buffer, leaving room for the terminator
    for(int i = 0; *szName &amp;&amp; i &lt; 127; i++)
        szFunc[i] = un(*szName++);

    return GetProcAddress(hModule,szFunc); //look up the decoded name, not the encoded input
}

//GetHandleEncrypted and szUser32 are not defined in this snippet
MSGBOX pfMsgBox = reinterpret_cast&lt;MSGBOX&gt;(GetProcAddressEncrypted(GetHandleEncrypted(szUser32),szMessageBoxA));
</code></pre>
    <p>Optionally you may want to use MSVC's <a href="http://msdn.microsoft.com/en-us/library/bb432254%28v=vs.85%29.aspx" rel="nofollow"><code>EncodePointer</code></a> to hide the values in the global function pointers (just remember to use <code>DecodePointer</code> when you call them).</p>
    <p><em>note: code is untested, as it's just off the top of my head</em></p>