Call Api by Hash - Positron

Post date: Aug 19, 2010 12:53:13 AM

API search engine by using CRC32

created by Positron

http://vx.netlux.org/delphi/

Big thanks to Billy Belceb whose tutorial of "Advanced API search engine"

gave me the idea to create API search engine in Delphi too.

How it works:

Instead of searching for a determinated amount of bytes that matches

exactly with the API name we have in our code, get all the API names, one

after another, and retrieve their CRC32, and compare it with the CRC32 of

the API we are searching for. If it's equal, then we must proceed as

always.

Below you can see a small example. It search the address of MessageBoxA

function in user32.dll and display a messagebox. When you check the com-

piled .exe with a hex editor you will not find the "MessageBoxA" srting

in IAT. Why is it good? First of all your application will be smaller, coz

you do not have to store the function name in your application. Otherwise

you can hide which API functions are used by your application.

With CalculateCRC32 function you can calulate the CRC32 of all needed API.

PROGRAM Project;

USES

  Windows,

  uCRC32 in 'ucrc32.pas',

  uAPISearchEngine in 'uAPISearchEngine.pas';

CONST

  MessageBoxA = $572D5D8E;                       //CRC32 of "MessageBoxA" string

VAR

  MessageBox : FUNCTION(hWnd:HWND;lpText,lpCaption:PChar;uType:UINT) : Integer; STDCALL;

BEGIN

  BuildCRC32Table;  

  MessageBox:=GetProcAddress(LoadLibrary('user32.dll'),MessageBoxA);

  Messagebox(0,'API Search Engine by Positron','Message',0);

END.

Only Delphi source code is included in the archive.