# Function call obfuscation

## <mark style="color:red;">Calling External Functions using WIN32 API</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FFciy0J8MEDnQGwdgHECy%2Fimage.png?alt=media&#x26;token=fac60730-395e-4a6f-b30c-d8b32f1843de" alt=""><figcaption></figcaption></figure></div>

Every PE file, whether an EXE or a DLL, normally depends on external code: it calls functions implemented in other DLLs, which the Windows loader maps into the process address space so that the process code can reach them.

The AV industry realised that the set of external DLLs and functions a binary uses is a useful indicator of whether it is malicious, and that this can be checked before the binary ever runs (static analysis). An AV engine therefore inspects the PE file on disk, walks its import table (the Import Address Table, IAT, described by the PE import data directory and usually placed in the `.idata` or `.rdata` section) and compares the imported function names against a list of APIs known to be favoured by malware developers (`VirtualAlloc` and `VirtualProtect` are typical examples).

This heuristic is noisy: plenty of legitimate software (packers, JIT compilers, debuggers) imports exactly the same APIs, so it produces false positives.

Function call obfuscation hides which DLLs and exported functions will be called at runtime. Instead of letting the compiler and linker record them in the import table, the program resolves them itself with **GetModuleHandle** and **GetProcAddress**:

* <mark style="color:green;">**GetModuleHandle :**</mark> `HMODULE handle = GetModuleHandleA("kernel32.dll")` returns a handle to a DLL that is already mapped into the process (kernel32.dll always is). For a DLL that may not be loaded yet, use `LoadLibraryA` instead, which loads it first.
* <mark style="color:green;">**GetProcAddress :**</mark> `GetProcAddress(handle, "VirtualProtect")` returns the address of a function exported by that DLL; cast it to a function pointer with the matching prototype and call it. Neither `kernel32.dll` nor `VirtualProtect` ends up in the import table; only `GetModuleHandle`/`GetProcAddress` (and `LoadLibrary`, if used) do, and that pair being imported is itself a mild indicator.

### <mark style="color:blue;">List Import Address Table using DumpBin</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FgE4wgvsMESnUcUTZiQRd%2Fimage.png?alt=media&#x26;token=c83af64f-4e76-40ee-a01f-47705798135b" alt=""><figcaption></figcaption></figure></div>

### <mark style="color:blue;">Let's Get rid of VirtualProtect from the import address table using function call obfuscation</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F5XOMytLsaNZrkrUW6y2S%2Fimage.png?alt=media&#x26;token=eded5868-f27e-4593-8a44-c8bbde5540e9" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fe7h9MJaKUiWNi2QZ5WmT%2Fimage.png?alt=media&#x26;token=27e5a9ac-46e3-47c7-b44a-f61edc1f35f5" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fq3NrWfyjzVtBbp8esRQt%2Fimage.png?alt=media&#x26;token=597f70fa-2249-4679-bdeb-1505dd097a82" alt=""><figcaption></figcaption></figure></div>

This is a function pointer declaration in C/C++: it declares a pointer named `pVirtualProtect` whose type matches the prototype of VirtualProtect (`BOOL WINAPI VirtualProtect(LPVOID, SIZE_T, DWORD, PDWORD)`), and the address returned by `GetProcAddress` is stored in it.

The call then goes indirectly through `pVirtualProtect` rather than through an import-table stub. Because the address is obtained at runtime, the compiler and linker never see a reference to `VirtualProtect`, and that is what keeps it out of the import table.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F53QEPtKjKjAjEGJq6SEI%2Fimage.png?alt=media&#x26;token=d1118a72-da60-40db-9626-b0a0d945a490" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FDSka8gaG4uVq1dJEs4uC%2Fimage.png?alt=media&#x26;token=c0b77a0c-bc88-41d0-a7ab-ff03ea6e2ccd" alt=""><figcaption></figcaption></figure></div>

If we now compile the program and list the import table again, `VirtualProtect` is no longer in the list.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FxG5IAROiaFlShhtJdT20%2Fimage.png?alt=media&#x26;token=bf63f515-8fa0-4ce0-b93f-1ad9438e4b96" alt=""><figcaption></figcaption></figure></div>

Let's confirm with `findstr` (for example `dumpbin /imports <exe> | findstr /i VirtualProtect` should print nothing):

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FgN5cwC7MJUfd2JDUN2uz%2Fimage.png?alt=media&#x26;token=fba76ef3-4877-409f-812b-7a2d9affb105" alt=""><figcaption></figcaption></figure></div>

But running `strings` on the binary still turns up `VirtualProtect`, because the name was passed to `GetProcAddress` as a clear-text literal, which the compiler places in the read-only data of the executable. We can work around that by storing the name XOR-encrypted and decrypting it just before the `GetProcAddress` call.

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fp9ffWCQPhSDXz0t4Jstp%2Fimage.png?alt=media&#x26;token=600cb088-1420-445f-b4bd-db3b9b6d0a98" alt=""><figcaption></figcaption></figure></div>

let's set the key to

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2F5rOEFqAe7YYIFMLsVU7s%2Fimage.png?alt=media&#x26;token=dca9a7b6-bcb2-4d97-8830-e0ec76da26e4" alt=""><figcaption></figcaption></figure></div>

Now let's encrypt the string "VirtualProtect" with that key using a small Python script and paste the resulting byte array into the C source, where it is decrypted at runtime right before being handed to `GetProcAddress`:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Fbu6WEX5IVwfZczLhxhpB%2Fimage.png?alt=media&#x26;token=0b20784f-3369-407d-9869-f3173dd65569" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FkeyNxnDnvHu0UVyeSDNm%2Fimage.png?alt=media&#x26;token=70ea552c-8eb8-442a-bc3a-9026d2c84fd2" alt=""><figcaption></figcaption></figure></div>

Now, searching the binary's strings for "VirtualProtect" finds nothing:

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FoeMTmIDKA5SmTJLg6xCD%2Fimage.png?alt=media&#x26;token=ddb949c8-b9a1-493e-9473-047e39b83858" alt=""><figcaption></figcaption></figure></div>

So the call to VirtualProtect is now hidden from both the import table and a plain string scan. Note what this does and does not buy: the decrypted name exists in memory at the moment `GetProcAddress` is called, the XOR key is itself in the binary, and the imports of `GetModuleHandle`/`GetProcAddress` remain. This defeats static import and string matching, not a debugger, API hooks or a memory scanner.
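The two pieces above, the `VirtualProtect` function pointer resolved through `GetModuleHandle`/`GetProcAddress` and the XOR-encrypted API name, combined into one program. This is an added example, not the code from the page's screenshots: the key `K3y!`, the encrypted byte array, and the helper names (`xor_crypt`, `decrypt_name`, `print_encrypted_initializer`, `resolve_virtualprotect`) are this example's own choices. The Win32 part is guarded by `_WIN32` so the XOR helpers compile anywhere; on Windows, build it with MSVC or MinGW and then check the result with `dumpbin /imports` and `strings`.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* XOR key. Assumption for this example: the page's own key is only shown in
 * its screenshot, so "K3y!" is used here instead. A multi-byte key is used
 * so that the ciphertext is not a trivial single-byte shift of the name. */
static const unsigned char XOR_KEY[] = { 0x4B, 0x33, 0x79, 0x21 };

/* "VirtualProtect" XOR-encrypted with XOR_KEY (repeating), produced by
 * print_encrypted_initializer() below. Only these bytes are compiled into
 * the binary, so `strings` no longer finds the API name. */
static const unsigned char ENC_VIRTUALPROTECT[] = {
    0x1D, 0x5A, 0x0B, 0x55, 0x3E, 0x52, 0x15, 0x71,
    0x39, 0x5C, 0x0D, 0x44, 0x28, 0x47
};

/* XOR is its own inverse: one routine both encrypts and decrypts.
 * `out` must have room for len + 1 bytes; the result is NUL-terminated. */
static void xor_crypt(const unsigned char *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (char)(in[i] ^ XOR_KEY[i % sizeof XOR_KEY]);
    out[len] = '\0';
}

/* Decrypt an embedded API name into caller-supplied storage.
 * Returns NULL if the buffer is too small, otherwise `out`. */
static const char *decrypt_name(const unsigned char *enc, size_t len,
                                char *out, size_t outsz)
{
    if (outsz < len + 1)
        return NULL;
    xor_crypt(enc, len, out);
    return out;
}

/* Build-time helper, the C equivalent of the page's Python script:
 * prints a C initializer for an API name so it can be pasted into source. */
static void print_encrypted_initializer(const char *name)
{
    size_t len = strlen(name);
    printf("{ ");
    for (size_t i = 0; i < len; i++)
        printf("0x%02X%s",
               (unsigned)((unsigned char)name[i] ^ XOR_KEY[i % sizeof XOR_KEY]),
               i + 1 < len ? ", " : " }\n");
}

#ifdef _WIN32
/* Function pointer type matching VirtualProtect's exported prototype. */
typedef BOOL (WINAPI *pVirtualProtect_t)(LPVOID, SIZE_T, DWORD, PDWORD);

/* Resolve VirtualProtect at runtime without ever naming it in the source. */
static pVirtualProtect_t resolve_virtualprotect(void)
{
    char name[32];
    if (!decrypt_name(ENC_VIRTUALPROTECT, sizeof ENC_VIRTUALPROTECT,
                      name, sizeof name))
        return NULL;

    /* kernel32.dll is mapped into every user-mode process, so
     * GetModuleHandle is enough; for a DLL that may not be loaded yet,
     * LoadLibraryA would be needed instead. */
    HMODULE k32 = GetModuleHandleA("kernel32.dll");
    if (!k32)
        return NULL;

    pVirtualProtect_t fn = (pVirtualProtect_t)GetProcAddress(k32, name);
    /* The plaintext name only ever lived on the stack; wipe it now. */
    SecureZeroMemory(name, sizeof name);
    return fn;
}
#endif

int main(void)
{
    /* Step 1 (done once, at development time): generate the initializer. */
    print_encrypted_initializer("VirtualProtect");

#ifdef _WIN32
    /* Step 2 (at runtime): resolve and call through the function pointer. */
    pVirtualProtect_t pVirtualProtect = resolve_virtualprotect();
    if (!pVirtualProtect) {
        fprintf(stderr, "resolving VirtualProtect failed: %lu\n", GetLastError());
        return 1;
    }
    /* VirtualAlloc is still imported normally here; it could be hidden the same way. */
    void *page = VirtualAlloc(NULL, 4096, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    DWORD old = 0;
    if (page && pVirtualProtect(page, 4096, PAGE_EXECUTE_READ, &old))
        printf("VirtualProtect called via pointer, old protection 0x%lx\n", (unsigned long)old);
    if (page)
        VirtualFree(page, 0, MEM_RELEASE);
#endif
    return 0;
}
```

Running the program first prints the initializer for `VirtualProtect`, which is how the `ENC_VIRTUALPROTECT` array above was produced; to hide another API, print its initializer, add a second array and resolve it the same way. The key and the XOR routine remain visible to a reverse engineer, so the gain is strictly against `strings` and import-table matching, as the text above says.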

## <mark style="color:red;">Full Code</mark>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FK1bTSL40cAMJqhtD5YeG%2Fpasted_image026.png?alt=media&#x26;token=41ba97b2-6d23-4104-8790-d402f859c67b" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2FetherwpNmeERRvJ6pCzr%2Fimage.png?alt=media&#x26;token=df6a0df8-61c1-4cff-bcbf-ebc5fe0b253f" alt=""><figcaption></figcaption></figure></div>

<div align="left"><figure><img src="https://1410593648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FYI2noEqPw69jd0hR7Prp%2Fuploads%2Ficv1C1PhqGF1pfiA8M0p%2Fimage.png?alt=media&#x26;token=27b04236-d854-439a-b460-dd5745d6a224" alt=""><figcaption></figcaption></figure></div>
