Botnets - The killer web applications

www.syngress.com
356
Chapter 10 • Using Sandbox Tools for Botnets
427_Botnet_10.qxd 1/9/07 3:06 PM Page 356


sets up an interprocess communication (IPC) object to communicate with the sandbox application. Via this mechanism the collected process information is sent to the sandbox and some configuration settings are received in turn. Then function hooks are installed for all relevant API functions to intercept their calls. The technique used in CWSandbox for realizing the hook functions is called inline code overwriting (see Figure 10.5) and is described in detail later. There are several other approaches, such as Import Address Table (IAT) patching, Export Address Table (EAT) patching, or using proxy DLLs. Every hooking technique has its disadvantages and advantages, but for CWSandbox the currently used one seems to fit best for the moment.
Figure 10.5 Inline Code Overwriting
The inline patching performed in CWSandbox works in the following way: Each Windows API function that is being used in an application is implemented in one of the Windows DLL files like kernel32.dll, advapi32.dll or ntdll.dll. These DLLs are either loaded automatically on process initialization or can be reloaded manually during runtime by one of the functions LoadLibrary, LoadLibraryEx, or LdrLoadDll. No matter how and when the DLL is loaded, at runtime the code of each API function that is called needs to
[Figure 10.5, fragment of the hook side (Application.CreateFileA-Hook): the hook function begins at 2005EDB7 with custom hook code and ends at 2005EDF0 with JMP [CreateFileA-SavedStub], i.e. it returns control through the saved stub that holds the displaced original bytes.]
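The layout of Figure 10.5, as an added example that is not code from the book or from CWSandbox: a portable C model of what an inline-overwriting hook installer has to compute, namely the JMP rel32 placed at the API entry, the saved stub holding the displaced instructions, and the JMP from that stub back into the function body. All addresses, the sample prologue bytes and the instruction lengths are constructed; the model assumes a disassembler supplies the lengths of the leading instructions and that those instructions are position independent (nothing in real memory is patched).

```c
#include <stdint.h>
#include <string.h>
/* Model of inline code overwriting: the first whole instructions (>= 5 bytes)
 * at the API entry become JMP rel32 to the hook; the displaced bytes go into a
 * saved stub ending in JMP rel32 back to the body. Addresses are constructed. */
#define JMP_LEN 5                          /* E9 + 4-byte displacement */
/* Encode JMP rel32 at address src that lands on dst: rel = dst - (src + 5). */
static void emit_jmp(uint8_t *at, uint32_t src, uint32_t dst) {
    uint32_t rel = dst - (src + JMP_LEN);  /* unsigned wrap == two's complement */
    at[0] = 0xE9;
    for (int i = 0; i < 4; i++) at[1 + i] = (uint8_t)(rel >> (8 * i));
}
/* Decode the JMP rel32 located at address va and return where it lands. */
uint32_t jmp_target(const uint8_t *at, uint32_t va) {
    uint32_t rel = 0;
    for (int i = 0; i < 4; i++) rel |= (uint32_t)at[1 + i] << (8 * i);
    return va + JMP_LEN + rel;
}
/* Bytes to displace: whole instructions until >= JMP_LEN (0 if too short). */
size_t prologue_bytes(const uint8_t *lens, size_t n) {
    size_t total = 0;
    for (size_t i = 0; i < n && total < JMP_LEN; i++) total += lens[i];
    return total >= JMP_LEN ? total : 0;
}
typedef struct { uint8_t stub[32]; size_t stub_len, patched; } hook_t;
/* func: copy of the function code whose entry address is func_va. */
int install_hook(uint8_t *func, uint32_t func_va, const uint8_t *lens, size_t n,
                 uint32_t hook_va, uint32_t stub_va, hook_t *h) {
    size_t keep = prologue_bytes(lens, n);
    if (keep == 0 || keep + JMP_LEN > sizeof h->stub) return -1;
    memcpy(h->stub, func, keep);                               /* saved bytes */
    emit_jmp(h->stub + keep, stub_va + keep, func_va + keep);  /* back to body */
    h->stub_len = keep + JMP_LEN;
    emit_jmp(func, func_va, hook_va);                 /* entry now goes to hook */
    memset(func + JMP_LEN, 0x90, keep - JMP_LEN);     /* NOP any leftover bytes */
    h->patched = keep;
    return 0;
}
/* Constructed sample: hot-patchable prologue mov edi,edi; push ebp; mov ebp,esp
 * (2+1+2 bytes) followed by sub esp,0x10; constructed virtual addresses. */
enum { FUNC_VA = 0x7C800000, HOOK_VA = 0x2005EDB7, STUB_VA = 0x20060000 };
int demo(uint8_t func[8], hook_t *h) {
    static const uint8_t code[8] = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
    static const uint8_t lens[4] = {2, 1, 2, 3};
    memcpy(func, code, 8);
    return install_hook(func, FUNC_VA, lens, 4, HOOK_VA, STUB_VA, h);
}
```

Decoding the two jumps with jmp_target shows the round trip the figure draws: entry to hook, stub back to the first undisplaced instruction.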
