混淆外部 API 调用 C++ [英] Obfuscate External API Calls C++

问题描述

我有一个 C++ 代码，可以调用外部库中的函数.我调用的函数是 CreateProcess，如下所示.

I have a code in C++ that calls functions from external library. The function I called is CreateProcess like below.

CreateProcess(NULL,pProcessName,NULL,NULL,false,CREATE_SUSPENDED,
      NULL,NULL,&suStartUpInformation,&piProcessInformation)

现在，当我编译代码并对其进行反汇编时，程序集将纯文本显示为 CreateProcess(args1, args2, ...).有什么方法可以混淆或加密对 API 的函数调用，以便如果有人对其进行反汇编，那么他将永远不知道调用了哪些函数.

Now when I compile the code and dissemble it, the assembly shows the plain text as CreateProcess(args1, args2, ...). Is there any way to obfuscate or encrypt the function call to API so that if someone dissembles it then he won't ever know which functions are called.

谢谢！

推荐答案

任何按名称导入的函数都会将名称嵌入到二进制文件中(准确地说是在导入描述符 thunk 中)，获取详细的参数信息来自史蒂夫提到的 pdbs(但是，由于符号名称可用，分析像 ollydbg 这样的调试器可以推断出 args).避免这种情况的唯一方法是加密到 IAT(使用 3rd 方加壳器/虚拟化器/二进制保护系统等，如 enigma)或使用 GetModuleHandle 的自定义版本(基本上只是一个 PEB 挖掘工具)和 GetProcAddress(这次是一个 PE 挖掘工具)，然后通过将您需要的所有 api 调用存储为运行时加密字符串，然后您可以调用您需要的任何内容而不会泄露纯文本(securerom 这样做，尽管它直接使用了 GetProcAddress 以及一些二进制混淆).

Any function that is imported by name will always have the name embedded into the binary (in the import descriptor thunk to be exact), the detailed parameter info is gotten from the pdbs as Steve mentioned (however analysing debuggers like ollydbg can deduce args, due to the symbol name being available). The only ways to avoid this is to either encrypt to IAT (using 3rd party packers/virtualizers/binary protection systems etc, like enigma) or use a custom version of GetModuleHandle (basically just a PEB spelunking tool) and GetProcAddress (a PE spelunking tool this time), then by storing all the api calls you need as runtime encrypted strings, you can then call whatever you need without plain text giving you away (securerom does this, though it uses GetProcAddress directly, along with some binary obfuscation).

更新:

对于编译时'混淆'的字符串，你可以使用这样的东西(真的很简单，但它应该是可移植的，如果你使用 C++0x，这会容易得多):

for compile-time 'obfuscated' strings, you can use something like this (really simple, but it should be portable, if you use C++0x, this is a lot easier):

#define c(x) char((x) - 1) //really simple, complexity is up to the coder
#define un(x) char((x) + 1)

typedef int (WINAPI* MSGBOX)(HWND, LPCSTR, LPCSTR, UINT);
const int ORD_MASK = 0x10101010;    
const char szMessageBoxA[] = {c('M'),c('e'),c('s'),c('s'),c('a'),c('g'),c('e'),c('B'),c('o'),c('x'),c('A')};


FARPROC GetProcAddressEncrypted(HMODULE hModule, const char* szName, BOOL bOrd = FALSE)
{
    if(bOrd)
        return GetProcAddress(hModule,reinterpret_cast<const char*>(reinterpret_cast<int>(szName) ^ ORD_MASK)); //this requires that ordinals be stored as ordinal ^ ORD_MASK

    char szFunc[128] = {'\0'};
    for(int i = 0; *szName; i++)
        szFunc[i] = uc(*szName++);

    return GetProcAddress(hModule,szName);
}

MSGBOX pfMsgBox = static_cast<MSGBOX>(GetProcAddressEncrypted(GetHandleEncrypted(szUser32),szMessageBox));

您可能希望使用 MSVC 的 EncodePointer 隐藏全局函数指针中的值(请记住在调用它们时使用 DecodePointer).

Optionally you may want to use MSVC's EncodePointer to hide the values in the global function pointers (just remember to use DecodePointer when you call them).

注意:代码未经测试，因为它就在我的脑海中

这篇关于混淆外部 API 调用 C++的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！