Many tools and techniques for analyzing malicious programs have been created. From debuggers to virtual machines to sandbox technology, each provides essential information to the researcher. For their part, malware authors have attempted to thwart the efforts of researchers by making their code “analysis proof”. In response, the researcher's tools and techniques must evolve just as rapidly.
One way to stay ahead of the malware authors is to maintain a small number of locally developed tools. “Home-grown” tools have some advantages over commercially available products that make them particularly useful: it is difficult to exploit their vulnerabilities; they can evolve rapidly; they can be customized to fit into automated analysis systems.
One particular class of tools is DLL spoofing modules that either replace or augment the behavior of other modules. Among the DLLs that may be spoofed, kernel32.dll is of special interest -- not only because of the services it provides to applications, but because of the inherent difficulty of spoofing it. This presentation will describe how to create a framework (in C) that solves these difficulties and makes the creation of new tools simpler. We will also demonstrate the framework by running a tool constructed from it.