CallObfuscator

Obfuscate (hide) the PE imports from static/dynamic analysis tools.

Theory

This is pretty straightforward. Say I have used VirtualProtect and want to obfuscate it with Sleep. The tool manipulates the IAT so that the thunk that pointed to VirtualProtect points to Sleep instead. When the file is executed, the Windows loader resolves Sleep instead of VirtualProtect and moves execution to the entry point. From there, execution is redirected to the shellcode the tool placed beforehand, which finds the address of VirtualProtect and uses it to replace the address of Sleep that the loader wrote into the IAT.

How to use

  • It can be included directly as a library; see the following snippet (based on the example), or take a look at cli.cpp.
#include <cobf.hpp>

int main() {
	cobf obf_file = cobf("sample.exe");
	obf_file.load_pe();
	// Replace the IAT entries for SetLastError/GetLastError with other kernel32 exports
	obf_file.obf_sym("kernel32.dll", "SetLastError", "Beep");
	obf_file.obf_sym("kernel32.dll", "GetLastError", "GetACP");
	obf_file.generate("sample_obfuscated.exe");
	obf_file.unload_pe();
	return 0;
}
  • It can also be used as a command line tool by supplying the input PE path, the output PE path and, optionally, the path to the configuration file (default is config.ini):

cobf.exe <input file> <out file> [config file]

The config file contains the obfuscations needed (dlls, symbols, ...). Here is a template for the config file content:
; Template for the config file:
;   * Sections can be written as:
;       [dll_name]
;       old_sym=new_sym
;   * The dll name is case insensitive, but
;     the old and the new symbols are not.
;   * You can use the wildcard on both the
;     dll name and the old symbol.
;   * You can use '#' at the start of
;     the old or the new symbol to flag
;     an ordinal.
;   * The new symbol should be exported
;     by the dll so the windows loader can resolve it.
; For example:
;   * Obfuscating all of the symbols
;     imported from user32.dll with ordinal 1600.
[user32.dll]
*=#1600
;   * Obfuscating symbols imported from both
;     kernel32.dll and kernelbase.dll with Sleep.
[kernel*.dll]
*=Sleep
;   * Obfuscating fprintf with exit.
[*]
fprintf=exit

Example

Build this code sample

#include <windows.h>
#include <stdio.h>

int main() {
	SetLastError(5);
	// GetLastError returns a DWORD (unsigned long), so print it with %lu
	printf("Last error is %lu\n", GetLastError());
	return 0;
}

After building it, this is how the kernel32 imports look:

pic1

Now let's obfuscate both SetLastError and GetLastError with Beep and GetACP (actually any API from kernel32 will do, even one that is not imported at all). The configuration used is:

[kernel32.dll]
SetLastError=Beep
GetLastError=GetACP

Here is the output (you can also use the library directly, as shown above):

pic2

Again, let's have a look at the kernel32 imports:

pic3

SetLastError and GetLastError no longer appear. A confirmation that both files work properly:

pic4

Impact

IDA HexRays Decompiler

pic5

IDA Debugger

pic6

Ghidra

pic7

ApiMonitor

pic8

That's because all of the static analysis tools depend on the API name written in the IAT, which can be manipulated as shown. ApiMonitor has the same problem because it relies on IAT hooking.

On the other side, for tools like x64dbg the shown API names depend only on what is actually called (not what is written in the IAT).

pic9

Additional

  • Dumping the obfuscated PE out of memory won't deobfuscate it, because the manipulated IAT stays the same.
  • The main purpose of this tool is to interfere with the analysis process (make it slower).
  • One can obfuscate any imported symbol (by name or by ordinal) with another symbol (name or ordinal).
  • The shellcode is executed as the first TLS callback, so that the obfuscated symbols needed by the other TLS callbacks are processed before the entry point is executed.
  • The shellcode is shipped as C code, generated when the tool is compiled, to make editing it easier.
  • The obfuscated symbol names are resolved by hash, not directly by name.
  • The tool disables the relocations and strips any debug symbols.
  • The tool creates a new RWX section named .cobf for holding the shellcode and the other needed data.
  • It can be used multiple times on the same obfuscated PE.
  • Tested only on Windows 10 x64.
  • Get source with git clone https://github.com/d35ha/CallObfuscator.
  • Download binaries from the Release Section.
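The bullets above describe what the tool leaves behind in the output file: relocations disabled, and a new RWX section named .cobf. A defender-side triage check for exactly those artifacts, added here as an example and not part of CallObfuscator: it parses the PE headers with the standard IMAGE_FILE_*/IMAGE_SCN_* flag values, and the minimal PE32+ headers it scans are constructed inline so it runs offline.

```python
import struct

# Standard PE flag values (winnt.h)
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

FILE_HDR = "<HHIIIHH"         # IMAGE_FILE_HEADER (20 bytes)
SECTION_HDR = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER (40 bytes)


def scan_pe(data: bytes) -> list[str]:
    """Report the artifacts CallObfuscator leaves in a PE: relocations
    stripped, an RWX section, and a section literally named .cobf."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, file_chars = struct.unpack_from(FILE_HDR, data, e_lfanew + 4)
    findings = []
    if file_chars & IMAGE_FILE_RELOCS_STRIPPED:
        findings.append("relocations stripped")
    sec_off = e_lfanew + 4 + 20 + opt_size  # section table follows the optional header
    for i in range(nsec):
        fields = struct.unpack_from(SECTION_HDR, data, sec_off + 40 * i)
        name, chars = fields[0].rstrip(b"\0").decode("ascii", "replace"), fields[-1]
        if chars & RWX == RWX:
            findings.append(f"rwx section {name}")
        if name == ".cobf":
            findings.append("section named .cobf")
    return findings


def build_headers(sections, file_chars):
    """Constructed PE32+ headers (no code, no imports) so the scan can run offline."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    opt_size = 240                                             # PE32+ optional header size
    coff = b"PE\0\0" + struct.pack(FILE_HDR, 0x8664, len(sections), 0, 0, 0, opt_size, file_chars)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)    # Magic = PE32+
    table = b"".join(
        struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, c)
        for i, (n, c) in enumerate(sections))
    return dos + coff + opt + table


# Constructed samples: an ordinary image, and one carrying the .cobf artifacts.
CLEAN = build_headers([(".text", 0x60000020), (".rdata", 0x40000040)], 0x0022)
OBFUSCATED = build_headers([(".text", 0x60000020), (".cobf", 0xE0000020)],
                           0x0022 | IMAGE_FILE_RELOCS_STRIPPED)
```

The section name is trivially renamed by an attacker, so treat the RWX-section and stripped-relocations findings as the durable signals and the name match as a convenience.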

TODO

  • Shellcode obfuscation (probably with obfusion).
  • Support the delay-loaded symbols.
  • Minimize the created section size.
  • Compile time hashing.
  • Better testing.