Study/Reverse specific File/Registry hooks on NTDLL
$250-750 USD
Closed
Posted over 7 years ago
Paid on delivery
Hi,
I need someone who is able to study some hooks (on specific file/registry functions in NTDLL) and report a "detailed" description of what the hook is doing.
Specifically, they are the hooks performed by a tool that allows bundling files/DLLs into a single EXE, so the files are not visible on disk and the file operations are hooked to know when access is performed on any of the bundled files. So in case the application is accessing a bundled file, it reports a "fake" handle and “manually” maps the file into memory. If the file is not bundled, the hook just passes control to the original function. The same is done when accessing “bundled” registry keys.
I need someone who can do a detailed report of each hook. I don’t need something exactly like the original source code, just a description of the steps performed in the hook, but with internal details. Of course, if you feel better creating approximate C pseudo code, that’s better than describing it with words.
Example of an expected description for “Hook #1: NtCreateFile” (or you might feel more comfortable writing it as pseudo/C code):
• First the hook waits until no other process is executing the hook. It performs a “WaitForSingleObject”.
• The hook reads a structure which contains all the bundled files. The structure has the following format (bundle_file_structure):
LPBYTE: pointer to bundled file (in UNICODE format)
HANDLE: fake handle for the bundle file
DWORD: number of references to HANDLE
• Compare the filename parameter (located at POBJECT_ATTRIBUTES->ObjectName) with all the bundled file names.
• If the file is found in “bundle_file_structure”, it creates a fake handle. To create the fake handle it creates a temporary file and uses that handle, storing it in the HANDLE field of the bundle_file_structure.
• If the “FileAttributes” parameter from NtCreateFile is FILE_ATTRIBUTE_NORMAL then bla, bla, bla
• Etc, etc.
• Etc, etc…
As you can see, the description contains detailed information about specific values in structures, with the expected field names from NTDLL. It’s *not* correct to write something like “if [esp + 8] is 12 then exit”. The correct form is “if FileAttributes == FILE_ATTRIBUTE_NORMAL then exit”.
Please, feel free to contact me to send you an example file and/or more detailed information.
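A C model of the decision step in the hooked NtCreateFile described above (look ObjectName up in bundle_file_structure, hand back the fake handle and bump its reference count on a hit, pass through on a miss), written in the pseudo/C form the posting asks for. This is an added illustration, not code from the posting or from the bundling tool; the sample bundle table, the STATUS_NOT_BUNDLED sentinel and the function names are constructed placeholders, and the Windows types are portable stand-ins so it builds anywhere.

```c
#include <stddef.h>
#include <wchar.h>
#include <wctype.h>

/* Portable stand-ins for the Windows types named in the posting. */
typedef void *HANDLE;
typedef unsigned long DWORD;
typedef unsigned long NTSTATUS;
#define STATUS_SUCCESS     0UL
#define STATUS_NOT_BUNDLED 0xE0000001UL /* constructed sentinel: caller passes through */

/* bundle_file_structure as the posting describes it: name, fake handle, refcount. */
typedef struct {
    const wchar_t *name; /* LPBYTE: pointer to bundled file name (UNICODE) */
    HANDLE fake_handle;  /* HANDLE: fake handle for the bundled file */
    DWORD refs;          /* DWORD: number of references to HANDLE */
} bundle_file_structure;

/* Constructed sample bundle table; paths and handle values are placeholders. */
static bundle_file_structure g_bundle[] = {
    { L"\\??\\C:\\app\\config.ini", (HANDLE)0x1001, 0 },
    { L"\\??\\C:\\app\\plugin.dll", (HANDLE)0x1002, 0 },
};

/* NT file object names are matched case-insensitively. */
static int name_matches(const wchar_t *a, const wchar_t *b)
{
    for (; *a && *b; ++a, ++b)
        if (towlower((wint_t)*a) != towlower((wint_t)*b)) return 0;
    return *a == *b;
}

/* Decision step of the hooked NtCreateFile: look ObjectName up in the bundle table.
 * Hit: hand back the fake handle and bump its reference count.
 * Miss: return STATUS_NOT_BUNDLED so the caller forwards to the original NtCreateFile. */
NTSTATUS hook_ntcreatefile_model(const wchar_t *object_name, HANDLE *out_handle)
{
    size_t n = sizeof g_bundle / sizeof g_bundle[0];
    for (size_t i = 0; i < n; ++i) {
        if (name_matches(g_bundle[i].name, object_name)) {
            g_bundle[i].refs++;
            *out_handle = g_bundle[i].fake_handle;
            return STATUS_SUCCESS;
        }
    }
    *out_handle = NULL;
    return STATUS_NOT_BUNDLED;
}

DWORD bundle_refs(size_t idx) { return g_bundle[idx].refs; } /* refcount of table entry idx */
```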
Dear client, how are you?
It seems the task is appropriate for me.
Please check my "Profile & Work List" and tell me the details if my skills are of interest to you.
Looking forward to your response.
Thanks.
I've mastered software reverse engineering/C/C++/C#/Java/Win API/Assembly programming and helped many customers.
Especially, I have rich experience unpacking Themida/WinLicense, VMProtect, and other packing modules.
I have also worked on online game maintenance, bug fixing, and cheat and anti-cheat development.
And I have cracked a lot of dongle key (USB, parallel, etc.) protection mechanisms.
I'm sure I can fulfill your job successfully. I hope our collaboration produces a good outcome that makes you happy.
Best regards.
Hello, rtm2k!
It sounds like an interesting challenge and very good fit. I have great experience with reverse engineering, so it will be done in a very professional way.
Please share your example file and let me know when you are OK to discuss. Thank you.
Best regards,
-Mike
Nice to meet you.
I have been a reverse engineer for 6 years.
Meanwhile, I have developed many bot programs.
I know important techniques such as hooking or cracking for reversing programs.
Skype : kb88313