Function Call Obfuscation

What is it?

Almost every PE module relies on external functions: at run time it calls functions exported by other modules (DLLs), which are mapped into the process memory to make them available.

Analyzing the DLLs and functions a binary uses is a good indicator of what the binary does. An EDR can collect the functions used by a process and compare them against a list of well-known functions used by malware.

Function call obfuscation is a way of hiding the DLLs and function calls that will be used at runtime.

Windows API

GetModuleHandle

    HMODULE dllHandle = GetModuleHandle("file.dll");

Returns a handle to the specified DLL, which must already be loaded in the process.

GetProcAddress

    FARPROC function = GetProcAddress(dllHandle, "functionFromDll");

Returns the memory address of the named function exported by the DLL.

Hands on

Step 1: making VirtualProtect disappear from the dumpbin output

  1. Find the declaration of VirtualProtect: use Google and the MSDN documentation.

    // Declared in Kernel32.dll
    BOOL VirtualProtect(
    [in]  LPVOID lpAddress,
    [in]  SIZE_T dwSize,
    [in]  DWORD  flNewProtect,
    [out] PDWORD lpflOldProtect
    );
    
  2. In the code, declare a new global variable:

    // It will store the address of `VirtualProtect`
    BOOL (WINAPI * pVirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);

  3. Retrieve the address:

    // GetProcAddress returns a generic FARPROC, so cast it to the declared pointer type
    pVirtualProtect = (BOOL (WINAPI *)(LPVOID, SIZE_T, DWORD, PDWORD)) GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualProtect");

  4. Call the function through the new pointer:

    rv = pVirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect);

  5. Conclusion: VirtualProtect is no longer listed when dumpbin is used. However, the string "VirtualProtect" is still present in the binary's strings.

Step 2: making every reference to VirtualProtect disappear

  1. XOR all strings containing VirtualProtect: the problem is that your key will be easily spotted with Sysinternals Strings or with some reverse engineering.

  2. Use one of the binary's own strings as the XOR key: run strings on the binary and choose one of its strings as the key. Then, if someone also runs strings on the executable, the key will not be easily spotted.

  3. Conclusion: VirtualProtect no longer appears in dumpbin /imports file.exe, nor in the strings of the executable.
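As an added detection-side example (not part of the original page): the known-plaintext search below shows why the key choice in Step 2 still leaves the hidden name recoverable. Every string the binary exposes is tried as a candidate key against each known API name, so using one of those strings as the key is exactly what the search expects; FAKE_BINARY and XOR_KEY are constructed stand-ins for real executable bytes.

```python
from __future__ import annotations
import re

# API names worth looking for; extend the list as needed
API_NAMES = [b"VirtualProtect", b"VirtualAlloc", b"GetProcAddress", b"LoadLibraryA"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR, the same operation Step 2 uses to hide a string."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def extract_strings(blob: bytes, min_len: int = 4) -> list[bytes]:
    """What the strings tool prints: maximal runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def find_api_names(blob: bytes, api_names=API_NAMES, min_len: int = 4) -> list[tuple[int, str, bytes | None]]:
    """Known-plaintext search for API names, plaintext or XOR-hidden.
    Returns (offset, api_name, key) tuples; key is None for a plaintext hit,
    otherwise the binary's own string that decodes those bytes to the name."""
    candidates = set(extract_strings(blob, min_len))
    hits = []
    for name in api_names:
        for off in range(len(blob) - len(name) + 1):
            window = blob[off:off + len(name)]
            if window == name:
                hits.append((off, name.decode(), None))
                continue
            for key in candidates:
                if xor_bytes(window, key) == name:
                    hits.append((off, name.decode(), key))
    return hits


# Constructed stand-in for an executable's bytes: a typical PE string that is
# reused as the XOR key, a plaintext import name, and VirtualProtect encoded.
XOR_KEY = b"This program cannot be run in DOS mode"
FAKE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 4
    + XOR_KEY + b"\x00"
    + b"kernel32.dll\x00GetProcAddress\x00"
    + xor_bytes(b"VirtualProtect", XOR_KEY) + b"\x00" * 4
)

if __name__ == "__main__":
    for off, name, key in find_api_names(FAKE_BINARY):
        how = "plaintext" if key is None else f"XOR key={key!r}"
        print(f"{off:#06x} {name:16} {how}")
```

On a real file, read the bytes from disk and pass them to find_api_names; the candidate list grows with the number of strings, so raise min_len on large binaries.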
