GithubHelp home page GithubHelp logo

5l1v3r1 / callobfuscator Goto Github PK

View Code? Open in Web Editor NEW

This project forked from d35ha/callobfuscator

0.0 2.0 0.0 398 KB

Obfuscate specific windows apis with different apis

C++ 85.90% Batchfile 0.21% Assembly 13.90%

callobfuscator's Introduction

CallObfuscator

Obfuscate windows apis from static analysis tools and debuggers

Theory

This's pretty forward, let's say I've used VirtualProtect and I want to obfuscate it with Sleep,
the tool will manipulate the IAT so that the thunk that points to VirtualProtect will point instead to
Sleep,
Now at executing the file, windows loader will load Sleep instead of VirtualProtect, and moves the execution to the entry point
From there the execution will be redirected to the shellcode , the tool put before, to find the address of
VirtualProtect and use it to replace the address of Sleep which assigned before by the loader

How to use

CallObf.exe [in_file] [out_file] [target_api_0],[new_api_0] [target_api_1],[new_api_1] ...

Example

Build this code sample

#include <windows.h>
#include <stdio.h>

int main() {
	SetLastError(5);
	printf("Last error is %d\n", GetLastError());
	return 0;
};

After building it, this is how the kernel32 imports look like

pic1

Now let's obfuscate both SetLastError and GetLastError with Beep and GetACP (actually any api from kernel32 will be ok even if it's not imported at all)

pic2

Again let's have a look on the kernel32 imports

pic3

There's no existance of SetLastError or GetLastError
A confirmation that two files will work properly

pic4

Impact

IDA HexRays Decompiler

pic5

IDA Debugger

pic6

Ghidra

pic7

ApiMonitor

pic8

That's because all static analysis tool depend on what is the api name written at IAT which can be manipulated as shown
For ApiMonitor, because of using IAT hooking, the same problem exists

On the other side, for tools like x64dbg the shown api names will only depend on what is actually called (not what written at the IAT)

pic9

Additional

  • Dumping the obfuscated PE out from memory won't deobfuscate it, because the manipulated IAT will be the same
  • The tool will try to use the code cave for the written shellcode if it's not enough, it will create a new section for it
  • It can be used multiple times on the same obfuscated PE
  • Tested only on Windows 10 x64
  • Get source with git clone --recursive https://github.com/d35ha/CallObfuscator
  • Download binaries from the Release Section

callobfuscator's People

Contributors

d35ha avatar

Watchers

avatar avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.