/CallObfuscator

Obfuscate specific windows apis with different apis

Primary LanguageC++

CallObfuscator

Obfuscate windows apis from static analysis tools and debuggers

Theory

This's pretty forward, let's say I've used VirtualProtect and I want to obfuscate it with Sleep,
the tool will manipulate the IAT so that the thunk that points to VirtualProtect will point instead to
Sleep,
Now at executing the file, windows loader will load Sleep instead of VirtualProtect, and moves the execution to the entry point
From there the execution will be redirected to the shellcode , the tool put before, to find the address of
VirtualProtect and use it to replace the address of Sleep which assigned before by the loader

How to use

CallObf.exe [in_file] [out_file] [target_api_0],[new_api_0] [target_api_1],[new_api_1] ...

Example

Build this code sample

#include <windows.h>
#include <stdio.h>

int main() {
	SetLastError(5);
	printf("Last error is %d\n", GetLastError());
	return 0;
};

After building it, this is how the kernel32 imports look like

pic1

Now let's obfuscate both SetLastError and GetLastError with Beep and GetACP (actually any api from kernel32 will be ok even if it's not imported at all)

pic2

Again let's have a look on the kernel32 imports

pic3

There's no existance of SetLastError or GetLastError
A confirmation that two files will work properly

pic4

Impact

IDA HexRays Decompiler

pic5

IDA Debugger

pic6

Ghidra

pic7

ApiMonitor

pic8

That's because all static analysis tool depend on what is the api name written at IAT which can be manipulated as shown
For ApiMonitor, because of using IAT hooking, the same problem exists

On the other side, for tools like x64dbg the shown api names will only depend on what is actually called (not what written at the IAT)

pic9

Additional

  • Dumping the obfuscated PE out from memory won't deobfuscate it, because the manipulated IAT will be the same
  • The tool will try to use the code cave for the written shellcode if it's not enough, it will create a new section for it
  • It can be used multiple times on the same obfuscated PE
  • Tested only on Windows 10 x64
  • Get source with git clone --recursive https://github.com/d35ha/CallObfuscator
  • Download binaries from the Release Section