JustasMasiulis / Lazy_importer

Licence: apache-2.0
Library for importing functions from DLLs in a hidden, reverse-engineer-unfriendly way

Programming language: cpp

Projects that are alternatives of or similar to Lazy importer

Nt wrapper
A wrapper library around native Windows system APIs
Stars: ✭ 287 (-47.24%)
Mutual labels:  malware, obfuscation, reverse-engineering
Freki
🐺 Malware analysis platform
Stars: ✭ 285 (-47.61%)
Mutual labels:  static-analysis, malware, reverse-engineering
Rascal
The implementation of the Rascal meta-programming language (including interpreter, type checker, parser generator, compiler and JVM based run-time system)
Stars: ✭ 284 (-47.79%)
Mutual labels:  static-analysis, reverse-engineering
Npoi.mapper
Use this tool to import or export data with Excel file. The tool is a convention based mapper between strong typed object and Excel data via NPOI.
Stars: ✭ 348 (-36.03%)
Mutual labels:  export, import
Pwndbg
Exploit Development and Reverse Engineering with GDB Made Easy
Stars: ✭ 4,178 (+668.01%)
Mutual labels:  malware, reverse-engineering
Simple Excel
Read and write simple Excel and CSV files
Stars: ✭ 502 (-7.72%)
Mutual labels:  export, import
Csvkeychain
Import/export between Apple Keychain.app and plain CSV file.
Stars: ✭ 281 (-48.35%)
Mutual labels:  export, import
Reverse Engineering Tutorial
A FREE comprehensive reverse engineering tutorial covering x86, x64, 32-bit ARM & 64-bit ARM architectures.
Stars: ✭ 5,763 (+959.38%)
Mutual labels:  malware, reverse-engineering
Drakvuf Sandbox
DRAKVUF Sandbox - automated hypervisor-level malware analysis system
Stars: ✭ 384 (-29.41%)
Mutual labels:  malware, reverse-engineering
Engine
Droidefense: Advance Android Malware Analysis Framework
Stars: ✭ 386 (-29.04%)
Mutual labels:  static-analysis, malware
Dex Oracle
A pattern based Dalvik deobfuscator which uses limited execution to improve semantic analysis
Stars: ✭ 398 (-26.84%)
Mutual labels:  malware, reverse-engineering
Node Firestore Import Export
Firestore data import and export
Stars: ✭ 271 (-50.18%)
Mutual labels:  export, import
Infectpe
InfectPE - Inject custom code into PE file [This project is not maintained anymore]
Stars: ✭ 266 (-51.1%)
Mutual labels:  malware, reverse-engineering
Xnalaramesh
Blender addon Import/Export XPS Models, Poses
Stars: ✭ 262 (-51.84%)
Mutual labels:  export, import
Domain generation algorithms
Some results of my DGA reversing efforts
Stars: ✭ 417 (-23.35%)
Mutual labels:  malware, reverse-engineering
Simpleator
Simpleator ("Simple-ator") is an innovative Windows-centric x64 user-mode application emulator that leverages several new features that were added in Windows 10 Spring Update (1803), also called "Redstone 4", with additional improvements that were made in Windows 10 October Update (1809), aka "Redstone 5".
Stars: ✭ 260 (-52.21%)
Mutual labels:  malware, reverse-engineering
unimport
A linter, formatter for finding and removing unused import statements.
Stars: ✭ 119 (-78.12%)
Mutual labels:  static-analysis, import
Shrimpit
Shrimpit 🍤 is a small CLI analysis tool for checking unused JavaScript, JSX & Vue templates ES6 exports in your project.
Stars: ✭ 255 (-53.12%)
Mutual labels:  export, import
Simplify
Android virtual machine and deobfuscator
Stars: ✭ 3,865 (+610.48%)
Mutual labels:  malware, reverse-engineering
Binee
Binee: binary emulation environment
Stars: ✭ 408 (-25%)
Mutual labels:  static-analysis, malware

lazy importer

A simple and easy-to-use header-only library that makes the life of a reverse engineer much harder.

small example

LI_FN(OutputDebugStringA)("hello world");
LI_FN(VirtualProtect).in(LI_MODULE("kernel32.dll").cached());

The IDA output produced by compiling the first line is shown below under example output.

features

  • Does not leave any strings in memory.
  • Does not allocate any memory.
  • Can be easily inlined.
  • Does not leave any imports in the executable.
  • Produces extremely small assembly.
  • Non-caching functions do not leave anything in data sections.

documentation

  • LI_FN(function_pointer) -> lazy_function
  • LI_FN_DEF(function_type) -> lazy_function
  • LI_MODULE(module_name) -> lazy_module

  • safe indicates that when the function cannot complete its task successfully, 0 is returned instead of undefined behaviour.
  • cached indicates that the result is only computed during the first call and later reused.
  • forwarded indicates that export forwarding will be correctly resolved.

lazy_module

function                                         safe   cached
Attempts to find the given module and returns its address:
get<T = void*>() -> T                            -      -
safe<T = void*>() -> T                           yes    -
cached<T = void*>() -> T                         -      yes
safe_cached<T = void*>() -> T                    yes    yes
Attempts to find the given module using the given LDR_DATA_TABLE_ENTRY pointer:
in<T = void*, Ldr>(Ldr ldr_entry) -> T           -      -
in_cached<T = void*, Ldr>(Ldr ldr_entry) -> T    -      yes

lazy_function<F>

function                                         safe   cached  forwarded
Calls the resolved export using the given arguments:
operator()(...) -> result_of<F, ...>             -      -       -
Attempts to resolve an export in all loaded modules and returns the function address:
get<T = F>() -> T                                -      -       -
safe<T = F>() -> T                               yes    -       -
cached<T = F>() -> T                             -      yes     -
safe_cached<T = F>() -> T                        yes    yes     -
forwarded<T = F>() -> T                          -      -       yes
forwarded_safe<T = F>() -> T                     yes    -       yes
forwarded_cached<T = F>() -> T                   -      yes     yes
forwarded_safe_cached<T = F>() -> T              yes    yes     yes
Attempts to resolve an export in the given module and returns the function address:
in<T = F, A>(A module_address) -> T              -      -       -
in_safe<T = F, A>(A module_address) -> T         yes    -       -
in_cached<T = F, A>(A module_address) -> T       -      yes     -
in_safe_cached<T = F, A>(A module_address) -> T  yes    yes     -
Attempts to resolve an export in ntdll and returns the function address:
nt<T = F>() -> T                                 -      -       -
nt_safe<T = F>() -> T                            yes    -       -
nt_cached<T = F>() -> T                          -      yes     -
nt_safe_cached<T = F>() -> T                     yes    yes     -

extra configuration

#define                                  effect
LAZY_IMPORTER_NO_FORCEINLINE             disables force inlining
LAZY_IMPORTER_CASE_INSENSITIVE           enables case insensitive comparison. Might be required for forwarded export resolution.
LAZY_IMPORTER_CACHE_OPERATOR_PARENS      uses cached() instead of get() in operator() of lazy_function
LAZY_IMPORTER_RESOLVE_FORWARDED_EXPORTS  uses forwarded() in get(). WARNING: does not apply to nt() and in().
LAZY_IMPORTER_HARDENED_MODULE_CHECKS     adds extra sanity checks to module enumeration

example output

for ( i = *(_QWORD **)(*(_QWORD *)(__readgsqword(0x60u) + 24) + 16i64); ; i = (_QWORD *)*i )
  {
    v1 = i[6];
    v2 = *(unsigned int *)(*(signed int *)(v1 + 60) + v1 + 136);
    v3 = (_DWORD *)(v2 + v1);
    if ( v2 + v1 != v1 )
    {
      LODWORD(v4) = v3[6];
      if ( (_DWORD)v4 )
        break;
    }
LABEL_8:
    ;
  }
  while ( 1 )
  {
    v4 = (unsigned int)(v4 - 1);
    v5 = -2128831035;
    v6 = (char *)(v1 + *(unsigned int *)((unsigned int)v3[8] + 4 * v4 + v1));
    v7 = *v6;
    v8 = (signed __int64)(v6 + 1);
    if ( v7 )
    {
      do
      {
        ++v8;
        v5 = 16777619 * (v5 ^ v7);
        v7 = *(_BYTE *)(v8 - 1);
      }
      while ( v7 );
      if ( v5 == -973690651 )
        break;
    }
    if ( !(_DWORD)v4 )
      goto LABEL_8;
  }
  ((void (__fastcall *)(const char *))(v1
                                     + *(unsigned int *)(v1
                                                       + (unsigned int)v3[7]
                                                       + 4i64 * *(unsigned __int16 *)(v1 + (unsigned int)v3[9] + 2 * v4))))("hello world");
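The listing above walks the PEB loader list, parses each module's export directory and hashes every export name with 32-bit FNV-1a (offset basis -2128831035, i.e. 0x811C9DC5, prime 16777619) until one hashes to -973690651, which is why no API name or import entry survives in the binary. From an analyst's side that mapping is cheap to invert: hash a list of known export names with the same routine and look the constant up, and the two FNV constants are themselves a useful thing to scan a code section for. The Python script below is an added example written for this page, not code from the lazy_importer project; the candidate export list and the byte blob it scans are constructed inline, and a real resolver would hash the full export tables of the modules under analysis.

```python
"""Recover a hashed import from a lazy_importer-style listing (added example, not project code)."""
import struct
from typing import Iterable, List, Optional, Tuple

# Constants exactly as they appear in the decompiled listing, as unsigned 32-bit values:
# -2128831035 -> 0x811C9DC5 (FNV-1a offset basis), 16777619 -> 0x01000193 (FNV prime).
FNV_OFFSET_BASIS = 0x811C9DC5
FNV_PRIME = 0x01000193
MASK32 = 0xFFFFFFFF

# The comparison constant from the listing: "if ( v5 == -973690651 )".
LISTING_TARGET_SIGNED = -973690651

# Constructed candidate list: a few real kernel32 export names. A real resolver
# would load the complete export table of every module the sample can reach.
CANDIDATE_EXPORTS = [
    "CreateFileA", "GetProcAddress", "LoadLibraryA", "OutputDebugStringA",
    "OutputDebugStringW", "VirtualAlloc", "VirtualProtect", "WriteProcessMemory",
]


def fnv1a32(name: str) -> int:
    """32-bit FNV-1a over the bytes of an export name; this is the inner loop of the listing."""
    h = FNV_OFFSET_BASIS
    for b in name.encode("ascii"):
        h = ((h ^ b) * FNV_PRIME) & MASK32
    return h


def signed_to_u32(value: int) -> int:
    """Decompilers print imm32 operands as signed decimals; map them back to the unsigned hash."""
    return value & MASK32


def resolve_hash(target: int, candidates: Iterable[str]) -> Optional[str]:
    """Return the candidate export whose FNV-1a hash equals target (signed or unsigned), or None."""
    table = {fnv1a32(name): name for name in candidates}
    return table.get(signed_to_u32(target))


def find_fnv_constants(blob: bytes) -> List[Tuple[int, str]]:
    """Offsets where the FNV-1a basis or prime occur as little-endian dwords (imm32 operands)."""
    hits = []
    for label, const in (("offset_basis", FNV_OFFSET_BASIS), ("prime", FNV_PRIME)):
        pattern = struct.pack("<I", const)
        pos = blob.find(pattern)
        while pos != -1:
            hits.append((pos, label))
            pos = blob.find(pattern, pos + 1)
    return sorted(hits)


# Constructed stand-in for a code section: filler, the basis, filler, the prime, filler.
SAMPLE_BLOB = (
    b"\x90" * 8
    + struct.pack("<I", FNV_OFFSET_BASIS)
    + b"\xcc" * 4
    + struct.pack("<I", FNV_PRIME)
    + b"\x00" * 8
)


if __name__ == "__main__":
    print("FNV constant hits:", find_fnv_constants(SAMPLE_BLOB))
    name = resolve_hash(LISTING_TARGET_SIGNED, CANDIDATE_EXPORTS)
    print(f"{signed_to_u32(LISTING_TARGET_SIGNED):#010x} -> {name}")
```

Run stand-alone it reports the offsets of both FNV constants in the constructed blob and resolves the listing's comparison constant, 0xC5F6A8E5, to OutputDebugStringA, the call made on the first line of the small example above. The resolver only recovers names when its hash routine matches the one compiled into the sample; a build that uses a different hash or a per-build seed needs the routine lifted from the listing first, so check the basis and prime in the loop before trusting a lookup.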

People that have supported this project

I would like to thank people that have reached out to me and donated some money to support me and my projects