ServerMapper
Building/Defeating a ServerMapper
This article is all about ServerMappers and how we can defeat them.
What is a ServerMapper?
To understand the purpose of a ServerMapper we first have to understand how Windows loads PE files.
The Windows PE Loader basically does 3 major things:
- Import Table Handling
- Relocation Processing
- Section Mapping
For more information about the Windows PE Loader, read this.
When loading a PE file we usually need a static copy of that file in order to extract all the necessary info to map it.
This is exactly when a ServerMapper is used.
A ServerMapper is a mapper which maps a PE file on a server and sends the mapped file to a client.
Who uses a ServerMapper?
- P2Cs (Pay to Cheat)
- Malware
Anyone who wants to prevent their module from being dumped.
How to build one?
First, we need to ask ourselves which information we need in order to map on the server:
- Relocations
- Imports
Relocations are only necessary if the PE file is mapped at a different Base Address than OptionalHeader->ImageBase. More info here.
For testing we can force-load the PE at a specific Base Address, so we don't need to worry about them.
All this can be done using VirtualAllocEx.
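To make the relocation step concrete, here is an added example (not code from the original article) that applies a base relocation block to a constructed in-memory image using the same delta the loader computes, actual base minus OptionalHeader.ImageBase. The image layout, the RVAs and the two relocation entries are constructed for the example; the IMAGE_REL_BASED_* values are the documented PE constants.

```python
import struct

IMAGE_REL_BASED_ABSOLUTE = 0  # padding entry, skipped
IMAGE_REL_BASED_HIGHLOW = 3   # 32-bit absolute address
IMAGE_REL_BASED_DIR64 = 10    # 64-bit absolute address
PREFERRED_BASE = 0x140000000  # OptionalHeader.ImageBase of the constructed image

def apply_relocations(image: bytearray, reloc_rva: int, reloc_size: int, delta: int) -> int:
    """Walk the base relocation directory of a mapped image and add `delta`
    (actual base minus ImageBase) to every absolute address it lists.
    Returns the number of entries patched."""
    patched, pos, end = 0, reloc_rva, reloc_rva + reloc_size
    while pos + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        if block_size < 8 or pos + block_size > end:
            raise ValueError("corrupt relocation block")
        for i in range((block_size - 8) // 2):
            (entry,) = struct.unpack_from("<H", image, pos + 8 + 2 * i)
            kind, target = entry >> 12, page_rva + (entry & 0xFFF)
            if kind == IMAGE_REL_BASED_ABSOLUTE:
                continue  # alignment padding, nothing to patch
            if kind == IMAGE_REL_BASED_DIR64:
                (val,) = struct.unpack_from("<Q", image, target)
                struct.pack_into("<Q", image, target, (val + delta) & 0xFFFFFFFFFFFFFFFF)
            elif kind == IMAGE_REL_BASED_HIGHLOW:
                (val,) = struct.unpack_from("<I", image, target)
                struct.pack_into("<I", image, target, (val + delta) & 0xFFFFFFFF)
            else:
                raise ValueError(f"unsupported relocation type {kind}")
            patched += 1
        pos += block_size
    return patched

def build_sample_image() -> tuple:
    """Constructed sample: a 0x3000-byte image holding one 64-bit pointer at
    RVA 0x1010 that refers to RVA 0x2000, plus a .reloc block describing it."""
    image = bytearray(0x3000)
    struct.pack_into("<Q", image, 0x1010, PREFERRED_BASE + 0x2000)
    reloc_rva, reloc_size = 0x2800, 12  # 8-byte header + DIR64 entry + ABSOLUTE pad
    struct.pack_into("<II", image, reloc_rva, 0x1000, reloc_size)
    struct.pack_into("<HH", image, reloc_rva + 8, (IMAGE_REL_BASED_DIR64 << 12) | 0x10, 0)
    return image, reloc_rva, reloc_size

def map_at(actual_base: int) -> tuple:
    """Map the sample at `actual_base`; returns (entries patched, pointer value)."""
    image, reloc_rva, reloc_size = build_sample_image()
    delta = actual_base - PREFERRED_BASE
    patched = apply_relocations(image, reloc_rva, reloc_size, delta) if delta else 0
    return patched, struct.unpack_from("<Q", image, 0x1010)[0]
```

map_at(PREFERRED_BASE) patches nothing, which is exactly the case the article relies on when it force-loads at ImageBase; at any other base the pointer moves by the delta.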
Imports are slightly more complicated.
Each PE file imports functions (MessageBox, Sleep, for instance) from other modules (user32.dll, kernel32.dll).
When loading a PE file the loader needs to look up (GetProcAddress) the address of each import, since system modules are loaded at different Base Addresses on each boot.
Once the lookup is done it populates the IAT (Import Address Table) with the resulting function pointers.
You can imagine the IAT as an array of function pointers which change each boot.
Does this really improve security and prevent dumps?
Short answer: NO
Why?
A big misconception is that using a ServerMapper is the crack-proof solution, but that is not the case.
It only slows down reverse engineering and "out of the box" dumping tools.
How to defeat a ServerMapper?
Take a dump of the memory region, then deal with the two pieces of information the server handled:
- Relocations: we can just map the PE file at the same Base Address.
- Imports: basically we have 2 options:
  - Take a dump of the IAT, unmap the PE and create a new Import Directory together with the ILT.
  - Parse the IAT function pointers manually before invoking the OEP.