
Catch connection string between exe and mdb

Reverse Engineering Asked by Keystone on February 4, 2021

I have an exe file that reads and writes from a local DB file.
I checked this file with Detect It Easy and it shows that this is an mdb file.

I can open this file with Microsoft Access and watch all the tables, but when I tried to view some tables I see that I don’t have permission to do so.

If I understand correctly, the executable needs to send to this mdb file a connection string that includes a user and a password when it initializes the connection.
Is that true?

If yes, how can I sniff and observe this connection string as it sends it from the process to the mdb?

One Answer

You can find the connection string with an API Monitor tool or a debugger. However, first you will need to know whether you are looking at a .NET based executable (i.e. has it loaded clr.dll or mscorlib.dll) and how it accesses the database. To work this out you can use a tool like Process Monitor and filter on Process Name is Include and Operation is Load Image Include. From here you can see what runtime DLLs are used (i.e. .NET or MS Visual C, etc.) and what database related DLLs are loaded, i.e. msjet40.dll.

A generic method that will frequently find the connection string is to simply API monitor the string C runtime functions.

For example

  1. Download API Monitor
  2. Select Visual C++ Run-Time Library -> String Manipulation (CRT)
  3. Launch/Attach to app with API monitor and look for connection strings.

This can also be done with tools such as WinDbg by setting a breakpoint on the C runtime functions and dumping the parameters.

For example, commands like the ones below in WinDbg would print out the Unicode string in a 64-bit EXE whenever the wcscpy_s function is called:

0:000> bp MSVCR100!wcscpy_s ".printf "msvcr100!wcscpy_s source='%mu' ",r8;!position;g"
bp MSVCR100!wcscpy_s ".printf "msvcr100!wcscpy_s source='%mu' ",r8;!position;g"
Bp expression 'MSVCR100!wcscpy_s' could not be resolved, adding deferred bp
0:000> bp ucrtbase_clr0400!wcscpy_s ".printf "ucrtbase_clr0400!wcscpy_s source='%mu' ",r8;!position;g"
bp ucrtbase_clr0400!wcscpy_s ".printf "ucrtbase_clr0400!wcscpy_s source='%mu' ",r8;!position;g"
Bp expression 'ucrtbase_clr0400!wcscpy_s' could not be resolved, adding deferred bp
0:000> bp mscoreei!wcscpy_s ".printf "ucrtbase_clr0400!wcscpy_s source='%mu' ",r8;!position;g"
bp mscoreei!wcscpy_s ".printf "ucrtbase_clr0400!wcscpy_s source='%mu' ",r8;!position;g"
Bp expression 'mscoreei!wcscpy_s' could not be resolved, adding deferred bp
0:000> bp mscoree!wcscpy_s ".printf "mscoree!wcscpy_s source='%mu' ",r8;!position;g"
bp mscoree!wcscpy_s ".printf "mscoree!wcscpy_s source='%mu' ",r8;!position;g"
Bp expression 'mscoree!wcscpy_s' could not be resolved, adding deferred bp
0:000> bp msvcrt!wcscpy_s ".printf "msvcrt!wcscpy_s source='%mu' ",r8;!position;g"
bp msvcrt!wcscpy_s ".printf "msvcrt!wcscpy_s source='%mu' ",r8;!position;g"
0:000> bp ntdll!wcscpy_s ".printf "ntdll!wcscpy_s source='%mu' ",r8;!position;g"
bp ntdll!wcscpy_s ".printf "ntdll!wcscpy_s source='%mu' ",r8;!position;g"

Answered by chentiangemalc on February 4, 2021
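The breakpoints above produce one line per wcscpy_s call, most of which are ordinary strings rather than connection strings. The script below is an added example (not part of the answer or of any tool it names) of how an analyst can post-process such a capture: it parses the `<module>!wcscpy_s source='...'` lines, recognises OLE DB / ODBC connection strings by their well-known keys, and reports them with the password fields redacted so the finding can be recorded without copying the secret around. The log lines are constructed for the example; the key names (Provider, Driver, Data Source, Dbq, Uid, Pwd, Jet OLEDB:Database Password) are the standard ones used by the Jet and Access drivers.

```python
import re

# Constructed sample capture in the shape the answer's .printf breakpoints emit
# ("<module>!wcscpy_s source='<string>' "), mixed with unrelated strings.
SAMPLE_LOG = """\
msvcr100!wcscpy_s source='C:\\Program Files\\App\\config.ini' 
msvcr100!wcscpy_s source='Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\\App\\data.mdb;Jet OLEDB:Database Password=hunter2;' 
ntdll!wcscpy_s source='Hello World' 
msvcrt!wcscpy_s source='Driver={Microsoft Access Driver (*.mdb)};Dbq=C:\\App\\data.mdb;Uid=admin;Pwd=s3cret;' 
msvcr100!wcscpy_s source='Provider=Microsoft.ACE.OLEDB.12.0;Data Source=C:\\App\\other.accdb;Persist Security Info=False;' 
"""

# Keys whose values are credentials and must never be written to a report.
SECRET_KEYS = {"pwd", "password", "jet oledb:database password"}
# Any one of these keys is enough to treat a string as a connection string.
CONNECTION_KEYS = {"provider", "driver", "data source", "dbq"}

# Matches the prefix the breakpoint command prints, then the quoted source string.
LINE_RE = re.compile(r"(?P<fn>[\w.]+!\w+) source='(?P<value>[^']*)'")


def parse_connection_string(s):
    """Split 'Key=Value;Key2=Value2' into a dict with lowercase keys.

    A ';' inside braces (e.g. Driver={...}) does not end a field, which is the
    ODBC quoting rule for values that contain the separator.
    """
    pairs, parts, token, depth = {}, [], [], 0
    for ch in s:
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        if ch == ";" and depth == 0:
            parts.append("".join(token))
            token = []
        else:
            token.append(ch)
    if token:
        parts.append("".join(token))
    for part in parts:
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        pairs[key.strip().lower()] = value.strip()
    return pairs


def is_connection_string(pairs):
    return bool(CONNECTION_KEYS & pairs.keys())


def redact(pairs):
    """Replace credential values so the finding can be logged safely."""
    return {k: ("<redacted>" if k in SECRET_KEYS else v) for k, v in pairs.items()}


def scan_log(text):
    """Return one finding per connection string seen in a wcscpy_s capture."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        pairs = parse_connection_string(m.group("value"))
        if not is_connection_string(pairs):
            continue
        findings.append({
            "function": m.group("fn"),
            "fields": redact(pairs),
            # True means the binary passes a plaintext credential through the CRT,
            # i.e. it is recoverable from memory and the password offers no real protection.
            "has_secret": any(k in SECRET_KEYS for k in pairs),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["function"], "secret" if f["has_secret"] else "no secret", f["fields"])
```

The `has_secret` flag is the point for a defender: if it is true, the database password is embedded in the executable and copied around by ordinary CRT calls, so it should be treated as already disclosed and the data protected by file-system ACLs or encryption instead.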
