Call Api by Hash - Positron

posted 18 Aug 2010, 17:53 by Delphi Basics
                     API search engine by using CRC32                         
                           created by Positron                                
                        http://vx.netlux.org/delphi/                          
                                                                              
   Big thanks to Billy Belcebu, whose tutorial "Advanced API search engine"
   gave me the idea to create an API search engine in Delphi too.
                                                                              
   How it works:                                                             
   Instead of searching for a fixed run of bytes that matches exactly the
   API name we have in our code, get all the API names, one after another,
   compute the CRC32 of each, and compare it with the CRC32 of the API we
   are searching for. If they are equal, we proceed as usual.
   Below you can see a small example. It searches for the address of the
   MessageBoxA function in user32.dll and displays a message box. When you
   check the compiled .exe with a hex editor you will not find the
   "MessageBoxA" string in the IAT. Why is it good? First of all, your
   application will be smaller, because you do not have to store the
   function name in your application. In addition, you can hide which API
   functions are used by your application.
                                                                              
   With the CalculateCRC32 function you can calculate the CRC32 of every API
   you need.

PROGRAM Project;

USES
  Windows,
  uCRC32 in 'ucrc32.pas',
  uAPISearchEngine in 'uAPISearchEngine.pas';

CONST
  MessageBoxA = $572D5D8E;                       //CRC32 of "MessageBoxA" string

VAR
  MessageBox : FUNCTION(hWnd:HWND;lpText,lpCaption:PChar;uType:UINT) : Integer; STDCALL;

BEGIN
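  BuildCRC32Table;                               //build the CRC32 lookup table first
  //a CRC32 is passed instead of a name string, so this GetProcAddress is assumed to be
  //the one from uAPISearchEngine, which hides the Windows one
  MessageBox:=GetProcAddress(LoadLibrary('user32.dll'),MessageBoxA);
  MessageBox(0,'API Search Engine by Positron','Message',0);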
END.

Only Delphi source code is included in the archive.
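
The analyst's side of the technique described above, as an added example (not Positron's code and not part of the archive): it builds a CRC32-to-name index over candidate export names and scans raw bytes for 32-bit constants that match, which recovers the API names that a hashed lookup keeps out of the binary. The export-name list and the sample bytes are constructed, and the function names are hypothetical; the CRC is assumed to be standard CRC-32, which the page does not state.

```python
import struct

# Constructed sample: a few user32.dll export names. A real index would be built
# from the export directory of every DLL the binary under analysis loads.
EXPORT_NAMES = ["FindWindowA", "GetDC", "MessageBoxA", "MessageBoxW", "wsprintfA"]


def build_crc32_table():
    """Lookup table for standard reflected CRC-32 (polynomial 0xEDB88320)."""
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table


CRC_TABLE = build_crc32_table()


def crc32(data):
    """CRC-32 of a byte string (assumed to match what the page's uCRC32 computes)."""
    c = 0xFFFFFFFF
    for b in data:
        c = CRC_TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF


def hash_index(names):
    """Map CRC32(name) -> name for every candidate export name."""
    return {crc32(n.encode("ascii")): n for n in names}


def find_api_hashes(blob, index):
    """Return (offset, name) for each little-endian DWORD in blob that is a known hash."""
    hits = []
    for off in range(len(blob) - 3):
        (value,) = struct.unpack_from("<I", blob, off)
        if value in index:
            hits.append((off, index[value]))
    return hits


if __name__ == "__main__":
    index = hash_index(EXPORT_NAMES)
    # Constructed bytes: a nop, then a "push imm32" carrying the hash of MessageBoxA.
    blob = b"\x90\x68" + struct.pack("<I", crc32(b"MessageBoxA")) + b"\xc3"
    print(find_api_hashes(blob, index))
    # Constant from the page; prints None if uCRC32 is not standard CRC-32.
    print(index.get(0x572D5D8E))
```

A binary that imports little beyond LoadLibrary yet contains constants that resolve through such an index is a strong sign of hashed API resolution.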