I was recently impressed reading an entry in the Coding the Wheel blog. James Devlin was writing the latest installment of articles on how he reversed engineered online poker games using his hacking skills. His goal was to build a bot that could play and win poker for him. Obviously some of the work for this task involves some sort of screen scraping and user input simulation. However this time around James was showing how he monitored file I/O to reverse engineer some online poker client applications.The crux of the hack was to perform DLL injection for any poker application processes to keep track of all file input and output. Specifically he wanted to know which files were being created by the poker applications. So essentially he wrote his own version of CreateFile, which any poker app will eventually be called, injected his version of this function into the poker app, then passed the results to his monitoring application. I will say that I have heard about DLL injection before for other type of monitoring such as keyboard logging. But I thought this was a brilliant idea for keeping track of what files an application is creating.
Along the same lines as tracking which files are being created by the poker app, James used DLL injection to spy on all the other type of file I/O being performed. So he knew what data was being written to files. He knew what data was being read from files. The trick was to write his own version of the ReadFile and WriteFile operations, inject his versions in the poker app, and record the results. This is almost not fair. On the Windows system, an application must used these primitives to conduct input and output. It is just the way Windows works. Of course an application that wants to be secure can try to detect such DLL injection techniques. However from a programmatic standpoint this is not easy. The replaced I/O function mimic the behavior of the real ones from an outside point of view.
Good work James. I think I shall keep a watch on Coding the Wheel for other innovative hacks.
