Reputation: 115
IDA Pro: Reverse-Engineering Temp Storage
In the executable I am reverse-engineering, there are several references to a path in my D:\ drive. However, I do not have a D:\ drive connected. Is it possible that it creates a temporary storage site in the executable?
For example, there is a string:
D:\BuildAgent\...\bin\...\fileIWantToSee.jpg
IDA even believes that the symbol information is in the D drive, and attempts to look for it, to no avail. There are many instances of file references within these strings, and many of them end with a:
Line: **LINENUMBER**
Where would I go about trying to find where this storage is located? Thank you!
EDIT: Could it be in a specific section?
Upvotes: 2
Views: 390
Answers (1)
Reputation: 46070
Is it possible that it creates a temporary storage site in the executable?
This is possible. There exists at least one product (http://www.boxedapp.com/, kind of our competitor :) that lets the application create such container -- the calls to file APIs are intercepted by the code added to the application by this product, and this added code handles specific paths in a different way (emulating file operations), letting all other calls go to Windows API.
Upvotes: 1
Related Questions
- How to avoid reverse engineering of an APK file
- fgets exploit - reverse engineering with IDA
- Protect .NET code from reverse engineering?
- IDA pro asm instructions change
- Find file open with IDA PRO
- IDA Pro jumping to offset from base
- IDA Pro variable declaration
- IDA pro Reverse Engineering -- String Condition