Obfuscation methods
cpunk edited this page Oct 6, 2022 · 4 revisions
Laika uses several fairly common obfuscation techniques. They are enabled by passing `-DLAIKA_OBFUSCATE=On` to cmake.
Laika has a tiny VM embedded in the library (/lib/ && /lib/core/). It mostly handles things like deobfuscating strings at runtime. For more information, please read this post on my blog, which goes into detail on how it works.
Loading APIs at runtime is an extremely common method, and most AVs have caught on to it. Instead of having the WinAPI functions in the executable's IAT (Import Address Table), we load the commonly flagged functions (things like CreatePseudoConsole, ShellExecuteA, etc.) at runtime. For details on adding another API to be loaded at runtime, please refer to the contributing guide.
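The reason AVs have caught on is visible from the defender's side of the import table: a binary that resolves its real APIs at runtime still has to import the loader primitives (LoadLibrary*/GetProcAddress) statically, so a thin IAT that carries exactly those is itself an indicator. The following is an added example written for this page, not Laika's own code: it builds a small constructed PE32+ image with a hand-laid-out import directory (so it runs offline, without `pefile`), walks the import directory back out with a minimal parser, and applies that "thin IAT plus loader primitives" heuristic. The names `build_pe`, `parse_imports`, `runtime_resolution_score` and the two sample images are hypothetical, and the threshold of 8 named imports is an assumption for illustration.

```python
"""Detect the "thin IAT + loader primitives" pattern with a minimal PE import parser.

Added example (not Laika's code). The PE image is constructed here so the example
runs offline; only its import directory needs to be well formed.
"""
import struct

SECTION_RVA = 0x1000   # single section: this RVA in memory ...
SECTION_RAW = 0x200    # ... at this file offset on disk
LOADER_APIS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA", "LoadLibraryExW"}


def build_pe(imports):
    """Return a constructed PE32+ image whose import directory lists `imports`
    ({dll name: [function names]}). Not meant to execute."""
    dlls = list(imports)
    n_desc = len(dlls) + 1                              # plus all-zero terminator
    body = bytearray(20 * n_desc)                       # IMAGE_IMPORT_DESCRIPTOR array
    int_off, iat_off, name_off = {}, {}, {}
    for dll in dlls:                                    # OriginalFirstThunk arrays (INT)
        int_off[dll] = len(body)
        body += b"\0" * (8 * (len(imports[dll]) + 1))
    for dll in dlls:                                    # FirstThunk arrays (IAT)
        iat_off[dll] = len(body)
        body += b"\0" * (8 * (len(imports[dll]) + 1))
    for dll in dlls:                                    # DLL name strings
        name_off[dll] = len(body)
        body += dll.encode() + b"\0"
    for i, dll in enumerate(dlls):                      # IMAGE_IMPORT_BY_NAME entries
        for j, func in enumerate(imports[dll]):
            if len(body) % 2:
                body += b"\0"                           # keep entries 2-byte aligned
            rva = SECTION_RVA + len(body)
            body += struct.pack("<H", 0) + func.encode() + b"\0"   # hint, name
            struct.pack_into("<Q", body, int_off[dll] + 8 * j, rva)
            struct.pack_into("<Q", body, iat_off[dll] + 8 * j, rva)
        struct.pack_into("<IIIII", body, 20 * i, SECTION_RVA + int_off[dll], 0, 0,
                         SECTION_RVA + name_off[dll], SECTION_RVA + iat_off[dll])
    raw_size = (len(body) + 0x1FF) & ~0x1FF
    opt = bytearray(112 + 16 * 8)                       # PE32+ optional header + data dirs
    struct.pack_into("<H", opt, 0, 0x20B)               # Magic: PE32+
    struct.pack_into("<I", opt, 16, SECTION_RVA)        # AddressOfEntryPoint
    struct.pack_into("<Q", opt, 24, 0x140000000)        # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)     # Section/File alignment
    struct.pack_into("<II", opt, 56, 0x2000, SECTION_RAW)  # SizeOfImage, SizeOfHeaders
    struct.pack_into("<H", opt, 68, 3)                  # Subsystem: console
    struct.pack_into("<I", opt, 108, 16)                # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 112 + 8 * 1, SECTION_RVA, 20 * n_desc)  # import dir
    file_hdr = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, len(opt), 0x22)
    sec = struct.pack("<8sIIIIIIHHI", b".rdata", len(body), SECTION_RVA,
                      raw_size, SECTION_RAW, 0, 0, 0, 0, 0x40000040)
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)               # e_lfanew
    headers = (bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec).ljust(SECTION_RAW, b"\0")
    return headers + bytes(body).ljust(raw_size, b"\0")


def parse_imports(data):
    """Walk the import directory of a PE32/PE32+ file; return {dll: [func, ...]}."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    is64 = struct.unpack_from("<H", data, opt)[0] == 0x20B
    imp_rva = struct.unpack_from("<I", data, opt + (112 if is64 else 96) + 8)[0]
    sections = []
    for i in range(nsec):                               # RVA -> file offset mapping
        vsize, vaddr, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rsize), raw))

    def off(rva):
        for vaddr, size, raw in sections:
            if vaddr <= rva < vaddr + size:
                return rva - vaddr + raw
        raise ValueError(f"RVA {rva:#x} maps to no section")

    def cstr(o):
        return data[o:data.index(b"\0", o)].decode("ascii", "replace")

    fmt, width, ord_flag = ("<Q", 8, 1 << 63) if is64 else ("<I", 4, 1 << 31)
    result = {}
    d = off(imp_rva) if imp_rva else None
    while d is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, d)
        if name_rva == 0:
            break                                       # terminating descriptor
        funcs, thunk = [], off(oft or ft)
        while (entry := struct.unpack_from(fmt, data, thunk)[0]) != 0:
            funcs.append(f"#{entry & 0xFFFF}" if entry & ord_flag else cstr(off(entry) + 2))
            thunk += width
        result[cstr(off(name_rva))] = funcs
        d += 20
    return result


def runtime_resolution_score(imports, thin_threshold=8):
    """Flag a small static IAT that still carries GetProcAddress plus LoadLibrary*."""
    names = {f for funcs in imports.values() for f in funcs}
    loaders = names & LOADER_APIS
    reasons = []
    if "GetProcAddress" in names and loaders:
        reasons.append("loader primitives present: GetProcAddress, " + ", ".join(sorted(loaders)))
    if len(names) < thin_threshold:
        reasons.append(f"thin IAT: only {len(names)} named import(s)")
    return (len(reasons) == 2, reasons)


# Constructed sample images (hypothetical import sets, not taken from any real binary).
SUSPECT = build_pe({"kernel32.dll": ["LoadLibraryA", "GetProcAddress", "ExitProcess"]})
BENIGN = build_pe({"kernel32.dll": ["CreateFileW", "ReadFile", "WriteFile", "CloseHandle",
                                    "GetLastError", "HeapAlloc", "HeapFree", "ExitProcess",
                                    "GetProcAddress", "LoadLibraryA"],
                   "user32.dll": ["MessageBoxA"]})

if __name__ == "__main__":
    for label, image in (("suspect", SUSPECT), ("benign", BENIGN)):
        imports = parse_imports(image)
        print(label, imports, runtime_resolution_score(imports))
```

The heuristic is deliberately coarse: plenty of legitimate plugin hosts import GetProcAddress, which is why the score requires the IAT to be thin as well, and why a real scanner would combine it with other signals (entropy of the sections, strings, behaviour at runtime) rather than act on it alone.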