Function call obfuscation
Almost every PE file (EXE or DLL) depends on external DLLs: it calls functions implemented in those DLLs, which the loader maps into the process's memory so that the functions are available to the process's code.
The AV industry realized that the set of external DLLs and functions a binary uses is a good indicator of whether the binary is malicious, and that this check can be done before the binary ever runs (static analysis). AV engines therefore inspect a PE file on disk by reading its import address table, which lives in a dedicated section of the PE file, and compare the imported functions against a list of functions known to be favoured by malware developers.
This method generates false positives.
Function call obfuscation is a technique for hiding which DLLs and external functions will be called at runtime. To do that we resolve them dynamically with GetModuleHandle and GetProcAddress:
GetModuleHandle: handle = GetModuleHandleA("kernel32.dll") returns a handle to a DLL that is already loaded in the process (the argument is the DLL's module name; kernel32.dll is the one that exports VirtualAlloc and VirtualProtect).
GetProcAddress: GetProcAddress(handle, "VirtualAlloc") returns the memory address of the function you need, as exported by that DLL.
To call the resolved address we need a function pointer declaration in C/C++: specifically, a function pointer named pVirtualProtect with the same signature as VirtualProtect. The pointer pVirtualProtect stores the address of the VirtualProtect function returned by GetProcAddress.
By doing this you call VirtualProtect indirectly through the function pointer pVirtualProtect. This provides flexibility and allows functions to be invoked dynamically based on runtime conditions, or simply through indirection.
Now if we compile the program and list its import address table, the VirtualProtect function no longer appears in the list.
Let's confirm this with findstr:
But if we run strings on the binary, the "VirtualProtect" string is still present. This is because when we called GetProcAddress we passed "VirtualProtect" as a clear-text string. We can get around this using XOR.
Let's set the key to
Now let's encrypt the "VirtualProtect" string with the key using a Python script.
And now if we search the binary's strings for "VirtualProtect" we find nothing:
So we have fully obfuscated the function call to VirtualProtect.
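The analyst's side of the same trick, as an added example that is not code from this page: the XOR step is symmetric, so a scan of every single-byte key over the binary's bytes recovers API names that strings alone would miss, and the presence of the resolver imports in clear text is kept as a second signal. The API watch list, the resolver list, the 0x41 key and the sample bytes are assumptions constructed for the demo.

```python
from typing import Dict, Iterable, List, Tuple

# Added example, not code from the page: the defender's check for single-byte
# XOR-hidden API names. Watch list, resolver list and the 0x41 key are assumptions.
WATCHED_APIS = [b"VirtualProtect", b"VirtualAlloc", b"WriteProcessMemory", b"CreateRemoteThread"]
RESOLVERS = [b"GetProcAddress", b"GetModuleHandleA", b"GetModuleHandleW", b"LoadLibraryA"]


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; the same call both encodes (as the page's script does) and decodes."""
    return bytes(b ^ key for b in data)


def find_xored_strings(blob: bytes, needles: Iterable[bytes],
                       keys: Iterable[int] = range(1, 256)) -> Dict[str, List[Tuple[int, int]]]:
    """Brute-force every single-byte key and return {api_name: [(key, offset), ...]} for
    names that appear only after XOR with that key. Key 0 is skipped: that is clear text."""
    hits: Dict[str, List[Tuple[int, int]]] = {}
    for key in keys:
        for needle in needles:
            encoded = xor_bytes(needle, key)
            offset = blob.find(encoded)
            while offset != -1:
                hits.setdefault(needle.decode(), []).append((key, offset))
                offset = blob.find(encoded, offset + 1)
    return hits


def assess(blob: bytes) -> dict:
    """Combine the signals: resolver APIs in clear text, watched APIs in clear text,
    and watched APIs recoverable under some single-byte XOR key."""
    resolvers = [r.decode() for r in RESOLVERS if r in blob]
    clear = [a.decode() for a in WATCHED_APIS if a in blob]
    hidden = find_xored_strings(blob, WATCHED_APIS)
    # Resolvers present plus XOR-hidden API names is exactly the pattern this page builds.
    return {"resolvers": resolvers, "clear": clear, "hidden": hidden,
            "suspicious": bool(resolvers) and bool(hidden)}


# Constructed sample bytes (not a real PE): resolver name in clear, VirtualProtect XORed with 0x41.
SAMPLE_KEY = 0x41
SAMPLE_BLOB = (b"MZ\x90\x00" + b"\x00" * 16 + b"GetProcAddress\x00"
               + xor_bytes(b"VirtualProtect", SAMPLE_KEY) + b"\x00" * 8 + b"KERNEL32.dll\x00")

if __name__ == "__main__":
    result = assess(SAMPLE_BLOB)
    for name, where in result["hidden"].items():
        print(f"{name}: key=0x{where[0][0]:02x} offset={where[0][1]}")
    print("suspicious:", result["suspicious"])
```

GetProcAddress and GetModuleHandle themselves still sit in the import table, and the decoded name has to exist in memory at the moment of the call, so the string hiding only defeats the static strings pass, not an import-based heuristic or a memory scan.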