Function Call Obfuscation
Table of contents
- What is it?
- Windows API
- Hands on
What is it?
Every PE module usually relies on external functions: when it runs, it calls functions from external modules (DLLs) that are mapped into the process memory to make them available.
Analyzing the DLLs and functions a binary uses is a good indicator of what the binary does. An EDR can collect the functions used by a process and compare them to a list of well-known functions used by malware.
The goal of function call obfuscation is to hide the DLLs and function calls that will be used at runtime.
Windows API
HMODULE dllHandle = GetModuleHandle("file.dll");
Returns a handle to the specified DLL (the module must already be loaded in the process; LoadLibrary loads it otherwise).
FARPROC function = GetProcAddress(dllHandle, "functionFromDll");
Returns the memory address of the function you need, as exported by the DLL.
Hands on
Step 1: making VirtualProtect disappear from the dumpbin output
Find the declaration of VirtualProtect:
// Declared in Kernel32.dll
BOOL VirtualProtect(
  [in]  LPVOID lpAddress,
  [in]  SIZE_T dwSize,
  [in]  DWORD  flNewProtect,
  [out] PDWORD lpflOldProtect
);
In the code, declare a new global variable, a function pointer with the same signature:
// It will store the address of `VirtualProtect`
BOOL (WINAPI * pVirtualProtect)(LPVOID lpAddress, SIZE_T dwSize, DWORD flNewProtect, PDWORD lpflOldProtect);
Retrieve the address (the cast converts the generic FARPROC returned by GetProcAddress to the right pointer type):
pVirtualProtect = (BOOL (WINAPI *)(LPVOID, SIZE_T, DWORD, PDWORD)) GetProcAddress(GetModuleHandle("kernel32.dll"), "VirtualProtect");
Call the function through the pointer:
rv = pVirtualProtect(exec_mem, calc_len, PAGE_EXECUTE_READ, &oldprotect);
Conclusion: the VirtualProtect function is no longer listed when dumpbin is used. However, the VirtualProtect string is still present among the binary's strings.
Step 2: making every reference to VirtualProtect disappear
XOR all strings containing VirtualProtect: the problem is that your key will be easily spotted with the Sysinternals Strings tool or with some reverse engineering.
Use one of the binary's own strings as the XOR key: run strings on the binary and choose one of the listed strings as the key. Thus, if someone also runs strings on the executable, the key will not be easily spotted.
Conclusion: VirtualProtect no longer appears in the output of `dumpbin /imports file.exe`, and it also does not appear when the executable is run through strings.