
For academic purposes only.
The use of some functions can trigger signature-based antivirus detection.

Example: SystemFunction032 or SamEnumerateUsersInDomain, as used in some particular programs.
In this example, let's try to hide the function SamEnumerateUsersInDomain.

The original function is declared as:

extern NTSTATUS WINAPI SamEnumerateUsersInDomain(IN SAMPR_HANDLE DomainHandle, IN OUT PDWORD EnumerationContext, IN DWORD UserAccountControl, OUT PSAMPR_RID_ENUMERATION* Buffer, IN DWORD PreferedMaximumLength, OUT PDWORD CountReturned);

Create a typedef with the same parameter types as the original function:

typedef NTSTATUS(WINAPI *mafunctiontype1) (SAMPR_HANDLE, PDWORD, DWORD, PSAMPR_RID_ENUMERATION*, DWORD, PDWORD);
Then create a function pointer that holds the address of the original function, resolved at runtime:

mafunctiontype1 myfunction1 = (mafunctiontype1)GetProcAddress(GetModuleHandle(TEXT("samlib.dll")), "SamEnumerateUsersInDomain");

Now you can replace the original calls to SamEnumerateUsersInDomain with myfunction1.

The compiled executable will still contain the string, just at a different place.

Recompile your code and check that it still works.

Now, to finally get rid of that string, write your own encoding function.

For example, if you use a simple ROT13 function:

functionROT13(SamEnumerateUsersInDomain) = TbnFovnfsbufVtfstJoEpnbjo

The final code would be:

// Comment out the initial declaration
//extern NTSTATUS WINAPI SamEnumerateUsersInDomain(IN SAMPR_HANDLE DomainHandle, IN OUT PDWORD EnumerationContext, IN DWORD UserAccountControl, OUT PSAMPR_RID_ENUMERATION* Buffer, IN DWORD PreferedMaximumLength, OUT PDWORD CountReturned);

typedef NTSTATUS(WINAPI *mafunctiontype1) (SAMPR_HANDLE, PDWORD, DWORD, PSAMPR_RID_ENUMERATION*, DWORD, PDWORD);

// myROT13() is the author's own decoding routine; the -1 is assumed here to select the decoding direction
mafunctiontype1 myfunction1 = (mafunctiontype1)GetProcAddress(GetModuleHandle(TEXT("samlib.dll")), myROT13("TbnFovnfsbufVtfstJoEpnbjo", -1));

if (!myfunction1)
    PRINT_ERROR(L"Wrong return of address of myfunction1");

… 

Finally, replace all the calls to SamEnumerateUsersInDomain with myfunction1.

This should now work nicely 🙂
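From the defender's side, here is an added example (not code from the original post): a small Python scanner that pulls printable strings out of a file image and tries every alphabetic shift against a watch-list of sensitive API names, so it catches both the still-plaintext string left after the intermediate step and the shifted form shown above. The sample string on the page corresponds to a shift of one position; a true ROT13 is the k = 13 case. The file bytes and the watch-list are constructed for the demo.

```python
import re

# Constructed watch-list: API names whose presence in an unexpected binary
# deserves a second look (the two names discussed in the post).
WATCHLIST = ("SamEnumerateUsersInDomain", "SystemFunction032")


def shift_alpha(s: str, k: int) -> str:
    """Shift ASCII letters by k positions (mod 26), preserving case;
    digits and punctuation are left untouched."""
    out = []
    for ch in s:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - 97 + k) % 26 + 97))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - 65 + k) % 26 + 65))
        else:
            out.append(ch)
    return "".join(out)


def extract_strings(data: bytes, min_len: int = 8):
    """Yield printable ASCII runs of at least min_len bytes, like 'strings'."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group().decode("ascii")


def scan(data: bytes):
    """Return (raw_string, encoder_shift, api_name) for every printable run
    that decodes to a watch-listed API name under some shift. Shift 0 means
    the name was stored in the clear; 1 is the shift used on the page; 13 is ROT13."""
    hits = []
    for s in extract_strings(data):
        for k in range(26):
            decoded = shift_alpha(s, -k)  # undo a +k encoder shift
            for api in WATCHLIST:
                if api in decoded:
                    hits.append((s, k, api))
    return hits


# Constructed file image: a fake header, the shift-by-one string from the post,
# a ROT13 of SystemFunction032, and one name left in plaintext.
SAMPLE = (b"MZ\x90\x00\x03junk\x00TbnFovnfsbufVtfstJoEpnbjo\x00samlib.dll\x00"
          b"FlfgrzShapgvba032\x00SamEnumerateUsersInDomain\x00")

if __name__ == "__main__":
    for raw, k, api in scan(SAMPLE):
        print(f"{raw!r} -> {api} (encoder shift {k})")
```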


Another example of this can be found at https://blog.scrt.local/2020/06/19/engineering-antivirus-evasion/ , whose author inspired me to do it this way.
