I'm reversing a heavily obfuscated application with a lot of anti-debugging techniques. At some point in this application there is a place which records audio and sends the recorded audio to some servers (I assume) with a built-in proprietary protocol.
In order to study that protocol, I want to set an "anchor" and start reverse-engineering the application from the point in the code where it is recording the microphone.
So I have looked around the internet and found mostly volume-manipulation APIs and not volume-recording or volume-read or anything like that.
I did find the waveform WinAPI, but trying to put a breakpoint on specific functions failed. I think I should add at this point that I have no symbols whatsoever for the application I'm reversing, and from what I have found out so far it implements a lot of functions exported by different DLLs inside the executable code itself (the exe has about 40 MB of code).
So are there any other Windows API calls used to record sound that I could try?
Under the hood, the API eventually calls some basic form of the recording API, something like when calling CreateProcess it eventually calls NtCreateProcess and possibly even deeper functions I don't really know about. So what I would like to do is set a breakpoint at the NtCreateProcess equivalent for sound recording and try that. The deeper it gets, the better, because then it is more likely to hit the breakpoint.
I also think that the recording could happen in some pipe of some sort, or in other words in another service. I recently reverse-engineered RPCRT4!NdrClientCall2, so I more or less figured it out and know how it works. Are there any other RPC calls that I could try and reverse-engineer to find more places with remote communication between processes?
So this is a lot of information all at once. To sum up what I know and what my questions are:
What there is:
- Heavily obfuscated application (No standard calling-convention, weird Assembly code everywhere)
- Lots of anti debugging
- No symbols to use
- A huge executable file which implements a lot of functions inside by itself
What I want:
- Find a function related to audio recording (to set an anchor eventually)
- Other RPC calls usually called for process communication besides RPCRT4!NdrClientCall2, to find the service or whatever eventually is recording
- Any more help or different approaches than mine would be really nice
Note: when I'm saying 'anchor' I mean a point in the code from which I can start reverse-engineering that code section, and the understanding of that code will lead me closer to my goal (a relevant code section).
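One way to narrow down which audio API family to set breakpoints on, as an added example that is not part of the original post: before guessing at function names, list which Windows audio-stack DLLs the target process actually has mapped. The script below is new code written for this page; the DLL-to-API mapping it carries is an assumption for triage (winmm.dll backs the legacy waveIn* functions, dsound.dll backs DirectSoundCapture, mmdevapi.dll and audioses.dll back the WASAPI interfaces), and it is not a complete list.

```powershell
# Added example (not from the original post): report which Windows audio-stack
# DLLs a running process has loaded, so the analyst knows which API family
# (waveIn, DirectSoundCapture, WASAPI) is worth a breakpoint.
# The module-to-API mapping is an assumption for triage, not an exhaustive list.
param(
    [Parameter(Mandatory = $true)]
    [int]$ProcessId
)

# Capture-related modules and the API family each one backs (assumed mapping).
$audioModules = [ordered]@{
    'winmm.dll'    = 'waveInOpen/waveInStart (legacy waveform audio)'
    'dsound.dll'   = 'DirectSoundCaptureCreate / IDirectSoundCaptureBuffer'
    'mmdevapi.dll' = 'IMMDeviceEnumerator (device enumeration, WASAPI entry point)'
    'audioses.dll' = 'IAudioClient / IAudioCaptureClient (WASAPI capture)'
    'avrt.dll'     = 'MMCSS thread priority, commonly used by capture threads'
}

# Get-Process exposes the loaded modules; this needs matching bitness and
# sufficient rights on the target, so run from an elevated, same-bitness shell.
$proc   = Get-Process -Id $ProcessId -ErrorAction Stop
$loaded = $proc.Modules | ForEach-Object { $_.ModuleName.ToLowerInvariant() }

foreach ($name in $audioModules.Keys) {
    $state = if ($loaded -contains $name) { 'LOADED' } else { 'absent' }
    '{0,-7} {1,-13} {2}' -f $state, $name, $audioModules[$name]
}
```

Two caveats apply to the situation described in the post. Because the executable reportedly re-implements a lot of exported functions inline, an absent module does not prove that API family is unused; it only tells you where a plain import breakpoint cannot hit. Conversely, the legacy waveIn functions are layered on top of WASAPI in the same process, and the system audio engine itself runs out of process (audiodg.exe), so the WASAPI capture interfaces are the deepest in-process point before the call crosses into the audio service, which matches the "the deeper, the better" strategy above.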