Part 3 - Reverse Engineering & Binary Augmentation / Modification (Patching) - Snipping Tool

301 views
Aug 8, 2023
3:50:01

Reverse engineering session - part 3 - Adding a binary patch to the Microsoft Snipping Tool so that it immediately takes a snip when the command line parameter "1" is specified. You can download the binary files (the patched and the original Snipping Tool) that were used in this video at: https://mega.nz/file/jLhUWTAQ#KzfvXZ9Qv43oPksO6-KlKtneqiOyX836mOKNOIIFIQE

Time Codes:
-----------------------------------
1:34 Using Detect-It-Easy to tell the type of executable
2:41 How can we start a snip automatically
4:30 How the Snipping Tool UI is built: WinID tool
7:40 Documentation for TOOLBARCLASSNAME
8:08 How to create a Win32 sample app to test a toolbar button click simulation
8:47 Creating a sample Win32 app in Visual Studio 2022: TestToolbar01
10:03 Adding a test toolbar to our TestToolbar01 app
24:20 How to simulate a toolbar button click?
27:25 Coding a simulated toolbar button click, explanation for converting our compiled code to "shell code"
36:28 Checking if our needed APIs are imported into the Snipping Tool
39:51 Writing the logic of our simulated toolbar button click
46:30 Dynamically retrieving Win32 APIs that are not statically linked in the Snipping Tool
58:02 Retrieving compiled Assembly language code for our code snippet
1:04:47 What needs to be adjusted in the compiled Assembly code
1:05:27 Finding where to put our patch
1:06:17 Looking up the ending of the WndProc for the main window of the Snipping Tool
1:19:01 x86-64 ABI: volatile and nonvolatile registers
1:20:10 How to insert our patch into the Snipping Tool
1:22:13 Where to put machine code for our patch: PE file sections
1:25:24 Adding a section to the PE file of the Snipping Tool
1:26:40 Section characteristics in a PE file
1:31:00 Why we need to modify our compiled Assembly code
1:31:40 Adjusting Assembly code line-by-line
1:38:15 Placing strings after the code area
1:49:06 How to adjust addresses of CALL instructions for imported Win32 APIs: IAT = Import Address Table
1:53:05 Adjusting addresses of local variables
2:06:16 Where are HWND and uMsg stored in WndProc - mistake with the MOV
2:10:44 Offset where to place our global static variable: gnRanOnce
2:11:57 Using x64dbg to locate the read/write section for our static variable
2:20:48 Figuring out relative offsets to the IAT for our needed Win32 APIs
2:28:33 x64dbg fail - I selected one line but x64dbg copied another one. (It must have been 7FF651B23C89)
2:32:53 How to set a conditional breakpoint in x64dbg to catch an API call from a specific module
2:38:35 C++ code to calculate offsets for Win32 APIs in the IAT
2:45:38 Applying API offsets to our generated Assembly code (mistake of using + instead of -)
2:48:37 Size of space on the stack needed for local variables
2:55:30 16-byte stack alignment for the x64 calling convention
2:59:54 Stack offsets for our local variables
3:00:56 Compiling our Assembly to x64 machine code
3:03:59 Inserting compiled machine code into the .text2 PE section
3:06:03 Offset for the JMP instruction from WndProc to our patch
3:12:22 Patching WndProc with our JMP instruction
3:14:32 Stepping through our binary patch with a debugger
3:18:22 Our patch fails :( Reason? Wrong order of initial Assembly instructions
3:19:52 Correcting the mistake ... and doing it wrong
3:23:53 Checking the patch in IDA ... and it's wrong
3:26:58 Finally correcting the bug ... adjusting the patch
3:28:54 Take 3: testing the patch
3:31:32 Win32 API offsets to the IAT are wrong: I used + instead of -
3:33:02 Correcting Win32 API offsets & re-applying the patch
3:35:13 Stepping through the patch with IDA one more time
3:36:17 One Win32 API offset is set incorrectly
3:37:52 First error from 2:28:33 comes back to bite me. I used the wrong offset.
3:40:29 Stepping through our patch with IDA. It doesn't crash.
3:44:20 Stepping through the patch with the command line to verify that it's working!
3:47:50 Final test of the patched Snipping Tool.

References:
-----------------------------------
Part 1: https://youtu.be/q47TzHkz0SE
Part 2: https://youtu.be/F1Sjo6UTwzo
"How to set up a virtual machine for your reverse engineering work on Windows." https://dennisbabkin.com/blog/?i=AAA11A00
"What do you need to become a software reverse engineer?" https://dennisbabkin.com/blog/?i=AAA11B00

#reverseengineering #x64 #windows #lowlevel
