
Can someone explain why this software can list all processes and write to process memory without using any API function related to those specific tasks, or whether the functions it does have can do those things? The software is called ArtMoney. It's a memory editor. I got the list of functions by looking at the source.

The current new version is called am800.exe. This is the list of functions the software uses:

VirtualProtect
LoadLibraryA
ExitProcess
GetProcAddress
RegCloseKey
ImageList_Add
ChooseFontW
SymLoadModule64
Pie
WNetGetConnectionW
memset
NetWkstaGetInfo
IsEqualGUID

As we can see, the software has the function LoadLibraryA, which means it will load other DLLs while running. I found the DLL the software loads by looking at the modules in Process Explorer. I found am800.dll, which has several functions:

SetThreadLocale
GetLastError
GetStdHandle
GetSystemInfo
SysReAllocStringLen
PostThreadMessageW

Looking at that, I don't find any related function that can list processes, like EnumProcesses, or write to them, like WriteProcessMemory. After that I thought there might be another module loaded before am800.dll. I checked in Process Explorer, opening them one by one; there's no suspicious file. This software is popular old software, so I think the developer has the experience to hide its existence.

1 Answer

LoadLibraryA loads a DLL into the process at runtime, and GetProcAddress returns a function pointer to a specific function in a loaded library. Together, these two functions can be used to effectively late-bind to DLL functions.

At some point during runtime, the program is using these functions to load the libraries it needs and then get pointers to the functions it needs. This may be to evade anti-malware detection, or perhaps it's so that the program can run on multiple versions of the Windows APIs that may not be compatible with each other.

cdhowie
  • I wouldn't expect this to avoid malware detection; the DLL open will still count as the application opening a file, and all file opens will go via the anti-malware software (though most are likely pass-through). – UKMonkey Dec 11 '17 at 17:12
  • Oh, I get it now. BTW, is there another function that works exactly like GetProcAddress? –  Dec 11 '17 at 17:41
  • @claudia I'm not sure what you mean. – cdhowie Dec 11 '17 at 18:06
  • @cdhowie I mean other functions that act like GetProcAddress, calling a function inside a DLL at run time, or other functions that might be suspicious as malicious code. –  Dec 11 '17 at 18:24
  • @claudia There may be others, but I'm not aware of any off the top of my head. `GetProcAddress` by itself is not suspicious. There are plenty of legitimate uses for this function. A good example would be a program that can load plugins; it would enumerate the DLLs in a directory, load each with `LoadLibraryA`, and then use `GetProcAddress` to interface with the plugin. – cdhowie Dec 11 '17 at 18:27
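
As an added example for this answer (not ArtMoney's code, and not part of the original post), the script below does two things: it resolves the same process-memory APIs by name at run time, which is exactly the LoadLibraryA/GetProcAddress late binding the answer describes (ctypes.WinDLL wraps LoadLibraryA and attribute lookup on the handle is a GetProcAddress call), and it applies a first-look triage to the two import lists quoted in the question. It assumes nothing about ArtMoney beyond those quoted names; the library-to-export mapping, the `triage_imports` rule and the dlopen/dlsym fallback for non-Windows hosts are the example's own.

```python
"""Late binding of process-memory APIs, and a first-look import triage.

Added example for this answer; it is not ArtMoney's code. ctypes.WinDLL()
is a thin wrapper over LoadLibraryA and attribute lookup on the handle is a
GetProcAddress call, so the script itself uses the technique the answer
describes. On non-Windows hosts it falls back to dlopen/dlsym so the
resolution logic can still be exercised.
"""
import ctypes
import ctypes.util
import sys

# Real Win32 exports a memory editor needs; none of them has to appear in the
# static import table if the program resolves them by name at run time.
WIN32_LATE_BOUND = {
    "EnumProcesses": "psapi",
    "OpenProcess": "kernel32",
    "ReadProcessMemory": "kernel32",
    "WriteProcessMemory": "kernel32",
    "VirtualProtectEx": "kernel32",
}
LATE_BINDERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                "LoadLibraryExW", "GetProcAddress"}

# Import names quoted in the question (am800.exe and am800.dll); constructed
# test input, not a full dump of either file.
AM800_EXE_IMPORTS = ["VirtualProtect", "LoadLibraryA", "ExitProcess",
                     "GetProcAddress", "RegCloseKey", "ImageList_Add",
                     "ChooseFontW", "SymLoadModule64", "Pie",
                     "WNetGetConnectionW", "memset", "NetWkstaGetInfo",
                     "IsEqualGUID"]
AM800_DLL_IMPORTS = ["SetThreadLocale", "GetLastError", "GetStdHandle",
                     "GetSystemInfo", "SysReAllocStringLen",
                     "PostThreadMessageW"]


def load_library(name):
    """LoadLibraryA(name) on Windows, dlopen elsewhere; None if not loadable."""
    try:
        if name == "c":  # the C runtime is cdecl and already in the process
            return ctypes.CDLL("msvcrt" if sys.platform == "win32" else None)
        if sys.platform == "win32":
            return ctypes.WinDLL(name)
        return ctypes.CDLL(ctypes.util.find_library(name) or name)
    except OSError:
        return None


def get_proc_address(handle, symbol):
    """GetProcAddress(handle, symbol) / dlsym; None if the export is missing."""
    try:
        return getattr(handle, symbol)
    except AttributeError:
        return None


def resolve(symbol, library):
    """Late-bind one export by name, the way the answer describes."""
    handle = load_library(library)
    return None if handle is None else get_proc_address(handle, symbol)


def resolve_process_apis():
    """Resolve every name in WIN32_LATE_BOUND; None marks an unavailable one."""
    return {name: resolve(name, lib) for name, lib in WIN32_LATE_BOUND.items()}


def c_strlen(data):
    """Portable demo of the same mechanism: resolve strlen at run time."""
    fn = resolve("strlen", "c")
    if fn is None:
        raise OSError("strlen could not be resolved")
    fn.argtypes = [ctypes.c_char_p]
    fn.restype = ctypes.c_size_t
    return fn(data)


def triage_imports(imports):
    """First-look verdict on a static import list (example rule, not a standard)."""
    names = set(imports)
    if names & set(WIN32_LATE_BOUND):
        return "direct"       # process-memory APIs are visible statically
    if names & LATE_BINDERS:
        return "late-bound"   # nothing visible, but any export can be fetched at run time
    return "none"


if __name__ == "__main__":
    print("am800.exe imports:", triage_imports(AM800_EXE_IMPORTS))
    print("am800.dll imports:", triage_imports(AM800_DLL_IMPORTS))
    print("strlen via late binding:", c_strlen(b"ArtMoney"))
    for name, fn in resolve_process_apis().items():
        print(f"{name:20s} {'resolved' if fn else 'not available here'}")
```

A verdict of "late-bound" only means the static import table is inconclusive, not that anything is hidden: to see what such a program actually calls, search its strings for export names, or break on GetProcAddress in a debugger and log the names it is asked to resolve.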