Function Call Obfuscation
What is it?
Almost every PE module depends on external functions. When the executable runs, the loader maps the DLLs listed in its import table into the process and resolves the imported functions so the code can call them.
Listing the DLLs and functions a binary imports is therefore a good indicator of what it does. An EDR can collect the functions a process uses and compare them against a list of functions commonly used by malware (VirtualAlloc, VirtualProtect, CreateRemoteThread and the like).
Function call obfuscation hides which DLLs and functions will actually be called at runtime, so that neither the import table nor the binary's strings give them away.
Windows API
GetModuleHandle
HMODULE dllHandle = GetModuleHandle("file.dll");
Returns a handle to the specified DLL if it is already loaded in the calling process (it returns NULL otherwise; use LoadLibrary to load the DLL first in that case).
GetProcAddress
FARPROC function = GetProcAddress(dllHandle, "functionFromDll");
Returns the address of the named function exported by that DLL; cast it to a function pointer of the right type before calling it. Note that GetProcAddress and GetModuleHandle themselves remain in the import table, and the function name is passed as a plain string, which is what step 2 below takes care of.
Hands on
Step 1: making VirtualProtect disappear from the dumpbin output
Find the declaration of VirtualProtect: use Google and the MSDN documentation.
// Declared in Kernel32.dll
BOOL VirtualProtect(
  [in]  LPVOID lpAddress,
  [in]  SIZE_T dwSize,
  [in]  DWORD  flNewProtect,
  [out] PDWORD lpflOldProtect
);
In the code, declare a new global function pointer with the same signature:
// It will store the address of `VirtualProtect`
BOOL (WINAPI * pVirtualProtect)(
  LPVOID lpAddress,
  SIZE_T dwSize,
  DWORD  flNewProtect,
  PDWORD lpflOldProtect);
Retrieve the address (GetProcAddress returns a generic FARPROC, so cast it to the pointer type declared above):
pVirtualProtect = (BOOL (WINAPI *)(LPVOID, SIZE_T, DWORD, PDWORD)) GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualProtect");
Call the function through the pointer exactly as you would call VirtualProtect directly:
rv = pVirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect);
Conclusion: VirtualProtect is no longer listed when dumpbin /imports is run against the executable. However, the string "VirtualProtect" is still present in the binary's strings, right next to the GetProcAddress call that consumes it.
Step 2: making every reference to VirtualProtect disappear
XOR every string containing VirtualProtect: the problem is that a random or hard-coded key is easily spotted with Sysinternals Strings or a little reverse engineering, and the decode routine points straight at it.
Use one of the binary's own strings as the XOR key: run Strings on the binary and pick one of the strings it already contains (an error message, for example) as the key. Someone who runs Strings on the executable then sees nothing that stands out as a key.
Keep in mind that this defeats static inspection only: the decoded name has to exist in memory just before the GetProcAddress call, so a debugger or an API monitor hooking GetProcAddress still sees "VirtualProtect". Zero the decoded buffer as soon as the address has been retrieved.
Conclusion: VirtualProtect no longer appears in the output of dumpbin /imports file.exe, and it no longer appears when the executable is run through Strings either.
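The complete Step 1 and Step 2 flow in one C file, as an added example (not code from the original page): both "kernel32.dll" and "VirtualProtect" are stored XOR-encoded against an error message the program already prints, decoded just before the lookup, and wiped afterwards. The key string "Could not open input file", the blob names and the BUILD_ENCODER switch are assumptions made for this example. The Windows-specific resolution is compiled only under _WIN32; the XOR routine and the encoded blobs compile anywhere, so the decode can be checked on any platform.

```c
/* Added example: resolve VirtualProtect at runtime with no import-table
 * entry and no "VirtualProtect" / "kernel32.dll" string in the binary.
 * Build with -DBUILD_ENCODER to (re)generate the encoded blobs in a
 * separate tool; the normal build never contains the plaintext names. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Key: an ordinary message that is in the binary anyway (assumed to be a
 * real error path of this program, so it does not stand out in Strings). */
static const char KEY[] = "Could not open input file";

/* "kernel32.dll" and "VirtualProtect" XOR'd byte-wise with KEY, as emitted
 * by the BUILD_ENCODER mode below. Lengths come from sizeof, so no NUL
 * terminator is needed and no plaintext exists anywhere in the image. */
static const unsigned char ENC_KERNEL32[] = {
    0x28, 0x0A, 0x07, 0x02, 0x01, 0x4C, 0x5D, 0x5D, 0x5A, 0x44, 0x03, 0x1C };
static const unsigned char ENC_VIRTUALPROTECT[] = {
    0x15, 0x06, 0x07, 0x18, 0x11, 0x41, 0x02, 0x3F, 0x06, 0x4F, 0x1B, 0x15, 0x06, 0x1A };

/* XOR is symmetric: the same routine encodes and decodes.
 * Writes n bytes plus a NUL into out (out must hold n + 1 bytes). */
static void xor_with_key(const unsigned char *in, size_t n, char *out)
{
    size_t keylen = sizeof KEY - 1;
    for (size_t i = 0; i < n; i++)
        out[i] = (char)(in[i] ^ (unsigned char)KEY[i % keylen]);
    out[n] = '\0';
}

/* Scrub the decoded name once it has been used; volatile keeps the compiler
 * from dropping the stores. The name still existed in memory for a moment
 * and the GetProcAddress call itself is visible to a debugger or API
 * monitor: this hides from static analysis only. */
static void wipe(char *p, size_t n)
{
    volatile char *v = p;
    while (n--)
        *v++ = 0;
}

#ifdef BUILD_ENCODER
/* Build-time helper, compiled into a separate tool, never into the payload:
 * prints a C initializer for the XOR-encoded form of `plain`. */
static void print_c_initializer(const char *name, const char *plain)
{
    size_t n = strlen(plain);
    char buf[64];
    xor_with_key((const unsigned char *)plain, n, buf);
    printf("static const unsigned char %s[] = {", name);
    for (size_t i = 0; i < n; i++)
        printf("%s0x%02X", i ? ", " : " ", (unsigned char)buf[i]);
    printf(" };\n");
}
#endif

#ifdef _WIN32
typedef BOOL (WINAPI *VirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);

/* Step 1 and step 2 combined: decode both names, look the export up by
 * hand, then scrub the decoded names from the stack. */
static VirtualProtect_t resolve_virtual_protect(void)
{
    char dll[sizeof ENC_KERNEL32 + 1];
    char fn[sizeof ENC_VIRTUALPROTECT + 1];
    VirtualProtect_t p = NULL;
    HMODULE h;

    xor_with_key(ENC_KERNEL32, sizeof ENC_KERNEL32, dll);
    xor_with_key(ENC_VIRTUALPROTECT, sizeof ENC_VIRTUALPROTECT, fn);
    h = GetModuleHandleA(dll);      /* kernel32 is mapped in every process */
    if (h)
        p = (VirtualProtect_t)GetProcAddress(h, fn);
    wipe(dll, sizeof dll);
    wipe(fn, sizeof fn);
    return p;
}
#endif

int main(int argc, char **argv)
{
#ifdef BUILD_ENCODER
    print_c_initializer("ENC_KERNEL32", "kernel32.dll");
    print_c_initializer("ENC_VIRTUALPROTECT", "VirtualProtect");
    return 0;
#else
    FILE *f;
    if (argc < 2 || (f = fopen(argv[1], "rb")) == NULL) {
        fputs(KEY, stderr);         /* the key doing its day job */
        fputc('\n', stderr);
        return 1;
    }
    fclose(f);
#ifdef _WIN32
    VirtualProtect_t pVirtualProtect = resolve_virtual_protect();
    DWORD oldprotect = 0;
    void *mem = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (!pVirtualProtect || !mem)
        return 1;
    /* Same call shape as the page's rv = pVirtualProtect(exec_mem, ...) */
    BOOL rv = pVirtualProtect(mem, 4096, PAGE_EXECUTE_READ, &oldprotect);
    printf("rv=%d, old protection 0x%lX\n", rv, (unsigned long)oldprotect);
#else
    char name[sizeof ENC_VIRTUALPROTECT + 1];
    xor_with_key(ENC_VIRTUALPROTECT, sizeof ENC_VIRTUALPROTECT, name);
    printf("decoded: %s\n", name);  /* non-Windows: only show the decode */
    wipe(name, sizeof name);
#endif
    return 0;
#endif
}
```

Check it the way the page does: dumpbin /imports shows GetModuleHandleA, GetProcAddress and VirtualAlloc but not VirtualProtect, and Strings shows the error message but neither API name. The blobs above were produced by the BUILD_ENCODER build; regenerate them whenever the key or a name changes, since a stale blob decodes to garbage and GetProcAddress silently returns NULL.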