Obfuscate windows apis from static analysis tools and debuggers
This's pretty forward, let's say I've used VirtualProtect and I want to obfuscate it with Sleep,
the tool will manipulate the IAT so that the thunk that points to VirtualProtect will point instead to
Sleep,
Now at executing the file, windows loader will load Sleep instead of VirtualProtect, and moves the execution to the entry point
From there the execution will be redirected to the shellcode , the tool put before, to find the address of
VirtualProtect and use it to replace the address of Sleep which assigned before by the loader
CallObf.exe [in_file] [out_file] [target_api_0],[new_api_0] [target_api_1],[new_api_1] ...
Build this code sample
#include <windows.h>
#include <stdio.h>
int main() {
SetLastError(5);
printf("Last error is %d\n", GetLastError());
return 0;
};After building it, this is how the kernel32 imports look like
Now let's obfuscate both SetLastError and GetLastError with Beep and GetACP (actually any api from kernel32 will be ok even if it's not imported at all)
Again let's have a look on the kernel32 imports
There's no existance of SetLastError or GetLastError
A confirmation that two files will work properly
IDA HexRays Decompiler
IDA Debugger
Ghidra
ApiMonitor
That's because all static analysis tool depend on what is the api name written at IAT which can be manipulated as shown
For ApiMonitor, because of using IAT hooking, the same problem exists
On the other side, for tools like x64dbg the shown api names will only depend on what is actually called (not what written at the IAT)
- Dumping the obfuscated PE out from memory won't deobfuscate it, because the manipulated IAT will be the same
- The tool will try to use the code cave for the written shellcode if it's not enough, it will create a new section for it
- It can be used multiple times on the same obfuscated PE
- Tested only on Windows 10 x64
- Get source with
git clone --recursive https://github.com/d35ha/CallObfuscator - Download binaries from the Release Section