9 comments on “Some notes on how to find out hidden callbacks”

  1. You are not alone… Don’t know if you remember me. You helped me a lot once to understand some points in reversing. My private build of a sadly bugged app does this too. I noticed that callbacks I had set were not visible after tampering with the index, so I started to scan the whole lists… I was amazed too that none of the big guys had nailed it. Glad to see you had. :)

    / Manko

  2. It’s relatively easy – by static analysis of code

    You first build a graph of code flow starting with some function.
    Next you must have some set of rules to apply on each edge of this graph to find the right addresses for each Windows version, but it’s slow. So you can build an FSM which can apply all of these rules in a single pass and just finish graph traversal when the FSM goes to one of its end states.

    With some experience I think it’s even possible to write some SDL to build such an FSM automatically (now I must hand-code each rule).

    You can run wincheck on different Windows versions and make sure that it finds all addresses without downloading PDBs.

      • > my approach will work on every Windows version too?
        I think no
        – x64 code hasn’t relocs, so how will you get xrefs?
        – a future version of the compiler used for building the NT kernel can add some other protection mechanisms in the prolog of each function which can also have refs to the PAGE/.data section
        – what if a function has a lot of tails mixed with other functions? How will you find the right “range” in such cases?
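The comment above describes walking a code-flow graph from a known function while a rule FSM advances on matching instructions and stops the traversal at an end state. The following Python sketch, added here and not part of the thread or of wincheck, shows that shape on a constructed toy graph. It assumes a disassembler has already resolved each operand’s target address into the `ref` field (on x64 a RIP-relative operand encodes that directly, which is one way around the missing relocs mentioned in the reply), and the three rules (`CALLBACK_LIST_RULES`) are hypothetical stand-ins for the per-build rules a real tool would carry. The defensive use is the same as wincheck’s: locate the list head so registered callbacks can be enumerated and audited.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Instr:
    """One disassembled instruction (constructed, not real kernel code)."""
    mnemonic: str
    operands: Tuple[str, ...] = ()
    ref: Optional[int] = None  # absolute address the operand resolves to, if any


@dataclass
class Block:
    """Basic block of the code-flow graph; succs hold successor block addresses."""
    addr: int
    instrs: List[Instr]
    succs: List[int] = field(default_factory=list)


# Constructed section layout for the toy image; a real tool reads it from the PE headers.
DATA_RANGE = (0x140100000, 0x140110000)


def in_data(addr: Optional[int]) -> bool:
    return addr is not None and DATA_RANGE[0] <= addr < DATA_RANGE[1]


Rule = Callable[[Instr], bool]


class RuleFSM:
    """Sequential matcher: state k waits for rules[k]; state len(rules) accepts.
    The ref of the instruction matching rules[capture_state] is recorded, so
    reaching the accepting state also yields the address we were looking for."""

    def __init__(self, rules: List[Rule], capture_state: int) -> None:
        self.rules = rules
        self.capture_state = capture_state

    def step(self, state: int, ins: Instr, captured: Optional[int]) -> Tuple[int, Optional[int]]:
        if state < len(self.rules) and self.rules[state](ins):
            if state == self.capture_state:
                captured = ins.ref
            return state + 1, captured
        return state, captured

    def accepting(self, state: int) -> bool:
        return state >= len(self.rules)


# Hypothetical rules: "load list head from .data, take a lock, store into the list".
# Real rules differ per Windows build; these only illustrate the mechanism.
CALLBACK_LIST_RULES = RuleFSM(
    rules=[
        lambda i: i.mnemonic in ("lea", "mov") and in_data(i.ref),         # list head
        lambda i: i.mnemonic == "call",                                      # lock acquire
        lambda i: i.mnemonic == "mov" and i.operands[0].startswith("["),     # store
    ],
    capture_state=0,
)


def find_address(cfg: Dict[int, Block], entry: int, fsm: RuleFSM) -> Optional[int]:
    """One BFS over the CFG from `entry`, carrying the FSM state along each path.
    Each (block, state, captured) triple is visited at most once, so the graph is
    walked in a single pass; traversal stops at the first accepting state."""
    seen = set()
    queue = deque([(entry, 0, None)])
    while queue:
        addr, state, captured = queue.popleft()
        key = (addr, state, captured)
        if key in seen or addr not in cfg:
            continue
        seen.add(key)
        for ins in cfg[addr].instrs:
            state, captured = fsm.step(state, ins, captured)
            if fsm.accepting(state):
                return captured
        for succ in cfg[addr].succs:
            queue.append((succ, state, captured))
    return None


# Constructed toy CFG: the entry branches to a decoy path (a .data string reference
# with no lock/store) and to the path that links an entry into a list living in .data.
TOY_CFG = {
    0x140001000: Block(0x140001000, [
        Instr("test", ("rcx", "rcx")),
        Instr("jz", ("0x140001020",)),
    ], succs=[0x140001010, 0x140001020]),
    0x140001010: Block(0x140001010, [
        Instr("lea", ("rcx", "[rip+0xff1e9]"), ref=0x140100200),  # decoy: string in .data
        Instr("ret"),
    ]),
    0x140001020: Block(0x140001020, [
        Instr("lea", ("rdx", "[rip+0x102fd9]"), ref=0x140104000),  # list head in .data
        Instr("call", ("sub_140003000",)),                           # hypothetical lock
        Instr("mov", ("[rdx+8]", "rax")),                            # link the new entry
        Instr("ret"),
    ]),
}


def demo() -> Optional[int]:
    return find_address(TOY_CFG, 0x140001000, CALLBACK_LIST_RULES)


if __name__ == "__main__":
    print(hex(demo() or 0))
```

Because the FSM state travels with each queued path, the decoy block only advances to state 1 and dies at its `ret`, while the second path reaches the accepting state and returns the captured `.data` address; the "many tails mixed with other functions" objection from the reply is exactly the case where the per-path state, rather than a fixed address range, keeps the match honest.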
