CallObfuscator
Obfuscate Windows APIs from static analysis tools and debuggers
Theory
This is pretty straightforward. Let's say I've used VirtualProtect and I want to obfuscate it with Sleep. The tool manipulates the IAT so that the thunk which originally points to VirtualProtect points to Sleep instead.

When the file is executed, the Windows loader resolves Sleep instead of VirtualProtect, writes its address into that IAT slot, and moves execution to the entry point. From there execution is redirected to the shellcode the tool put in place beforehand, which finds the real address of VirtualProtect and uses it to overwrite the address of Sleep that the loader assigned.
How to use
```
CallObf.exe [in_file] [out_file] [target_api_0],[new_api_0] [target_api_1],[new_api_1] ...
```
Example
Build this code sample
```c
#include <windows.h>
#include <stdio.h>

int main(void) {
    /* Both calls are kernel32 imports, so they show up by name in the IAT */
    SetLastError(5);
    printf("Last error is %d\n", GetLastError());
    return 0;
}
```
After building it, this is how the kernel32 imports look:

Now let's obfuscate both SetLastError and GetLastError with Beep and GetACP (actually any API exported by kernel32 will do, even if it's not imported at all).

Again, let's have a look at the kernel32 imports: there is no trace of SetLastError or GetLastError.

And a confirmation that both files work properly:
Impact
- IDA HexRays Decompiler
- IDA Debugger
- Ghidra
- ApiMonitor

That's because all static analysis tools depend on the API name written in the IAT, which can be manipulated as shown. ApiMonitor has the same problem because it relies on IAT hooking. On the other side, tools like x64dbg show API names based on what is actually called, not on what is written in the IAT.
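The import names are misleading after this transformation, but the Theory section shows the tool must still redirect the entry point to its resolver shellcode, which (as noted under Additional) lives in a code cave or an appended section. That leaves static triage something to check besides the IAT. The following is an added example written for this README, not code from the CallObfuscator project: a stdlib-only Python parser for the PE section table that flags an entry point landing outside the first executable section, inside a writable executable section, or in the slack past a section's VirtualSize. The sample images, the section layouts and the `.cobf` section name are constructed here for illustration; files produced by the tool may differ.

```python
import struct

# Section characteristic flags from the PE specification
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_pe(data):
    """Parse the COFF header, AddressOfEntryPoint and the section table."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt_off = e_lfanew + 24
    # AddressOfEntryPoint sits at offset 16 in both PE32 and PE32+ optional headers
    entry_rva, = struct.unpack_from("<I", data, opt_off + 16)
    sections = []
    for i in range(num_sections):
        off = opt_off + opt_size + i * 40           # each section header is 40 bytes
        name, vsize, vaddr, rawsize = struct.unpack_from("<8sIII", data, off)
        chars, = struct.unpack_from("<I", data, off + 36)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "vaddr": vaddr, "vsize": vsize, "rawsize": rawsize, "chars": chars,
        })
    return {"entry_rva": entry_rva, "sections": sections}


def entry_point_findings(pe):
    """Return heuristic finding tags describing where the entry point lands."""
    ep = pe["entry_rva"]
    home = None
    for s in pe["sections"]:
        if s["vaddr"] <= ep < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            home = s
            break
    if home is None:
        return ["ep-outside-sections"]
    findings = []
    exec_secs = [s for s in pe["sections"] if s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    if exec_secs and home is not exec_secs[0]:
        findings.append("ep-not-first-exec-section")   # e.g. an appended section
    if home["chars"] & IMAGE_SCN_MEM_WRITE:
        findings.append("ep-section-writable")         # executable and writable
    if ep >= home["vaddr"] + home["vsize"]:
        findings.append("ep-in-section-slack")         # code cave past VirtualSize
    return findings


def build_sample_pe(sections, entry_rva):
    """Build a minimal header-only PE32+ image (constructed test data, not a real binary)."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt = bytearray(240)                       # PE32+ optional header, 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)      # Magic: PE32+
    struct.pack_into("<I", opt, 16, entry_rva)
    file_hdr = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, len(opt), 0x22)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, vaddr, rawsize, 0, 0, 0, 0, 0, chars)
        for name, vaddr, vsize, rawsize, chars in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table


TEXT = (".text", 0x1000, 0x800, 0x800, 0x60000020)     # CODE|EXECUTE|READ
RDATA = (".rdata", 0x2000, 0x200, 0x200, 0x40000040)   # INITIALIZED_DATA|READ

# Untouched build: entry point inside .text
CLEAN = build_sample_pe([TEXT, RDATA], entry_rva=0x1100)
# Resolver stub in an appended RWX section (".cobf" is a made-up name)
NEW_SECTION = build_sample_pe([TEXT, RDATA, (".cobf", 0x3000, 0x100, 0x200, 0xE0000020)],
                              entry_rva=0x3000)
# Resolver stub in the .text code cave between VirtualSize and SizeOfRawData
CODE_CAVE = build_sample_pe([(".text", 0x1000, 0x600, 0x800, 0x60000020), RDATA],
                            entry_rva=0x1700)

if __name__ == "__main__":
    for label, image in (("clean", CLEAN), ("new section", NEW_SECTION), ("code cave", CODE_CAVE)):
        print(f"{label:12s} -> {entry_point_findings(parse_pe(image)) or 'no findings'}")
```

These are triage heuristics, not proof: packers and self-modifying installers trigger the same tags, so treat a hit as a reason to run the sample under a debugger that reports the real call targets (as the x64dbg remark above describes) rather than as a verdict on its own.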
Additional
- Dumping the obfuscated PE out of memory won't deobfuscate it, because the manipulated IAT stays the same
- The tool tries to place its shellcode in a code cave; if there isn't enough room, it creates a new section for it
- It can be used multiple times on the same obfuscated PE
- Tested only on Windows 10 x64
- Get the source with `git clone --recursive https://github.com/d35ha/CallObfuscator`
- Download binaries from the Release Section