MALWARE, HIDING API CALLS FROM STATIC ANALYSIS 2

Hi Guys,

In my previous post we discussed how to hide an API call with the help of dynamic loading, so that the API we call is not listed in the import table of the PE. That makes behaviour analysis of the malware (or of any application) harder.

But a malware analyst will keep looking at other aspects of the application to deepen the analysis. For instance, the analyst will extract the strings from the PE, which may uncover the API we call at runtime, as in the image below.

There we can see that one of the extracted strings is MessageBox, which is very likely an API call into user32.dll.

So how do we evade the prying eyes of the malware analyst? One technique is to apply some form of encryption, hashing or encoding so that the string is not human readable. Below is a sample; I use base64 encoding to hide it.

#include <windows.h>
#include <iostream>
#include <string>
#include "base64.h"   // third-party base64 helper (not part of the Windows SDK); provides base64_decode()

using namespace std;

// MessageBoxA takes narrow (ANSI) strings and uses the stdcall convention on x86,
// so the pointer type uses LPCSTR (not the TCHAR-dependent LPCTSTR) and WINAPI.
typedef int (WINAPI *Msg)(HWND, LPCSTR, LPCSTR, UINT);

int main()
{
    // LoadLibraryA is used explicitly because the name is a narrow string literal.
    HINSTANCE hDLL = LoadLibraryA("User32.dll");

    // "TWVzc2FnZUJveEE=" is base64 for "MessageBoxA"; decoding it at runtime keeps
    // the plain API name out of the binary's string table.
    string APIName = base64_decode("TWVzc2FnZUJveEE=");

    if (hDLL == NULL) {
        std::cout << "Failed to load the library.\n";
        return 1;   // nothing to free when the load failed
    }

    std::cout << "Library loaded.\n";
    std::cout << "Rio Test\n";
    Msg MsgBox = (Msg)GetProcAddress(hDLL, APIName.c_str());
    if (MsgBox == NULL) {
        std::cout << "Failed to resolve the API.\n";
    }
    else {
        MsgBox(
            NULL,
            "Resource not available\nDo you want to try again?",
            "Account Details",
            MB_ICONWARNING | MB_CANCELTRYCONTINUE | MB_DEFBUTTON2
        );
    }
    FreeLibrary(hDLL);   // only release a handle that was actually obtained
    return 0;
}

In the above code I base64-encoded the API name MessageBoxA into TWVzc2FnZUJveEE=, so that when strings are extracted from the PE the name is not in clear text and is harder for a malware analyst to spot.

Yeah, the extracted string is no longer in plain text. The analyst needs a lot more effort to find the API call in order to determine the application's behaviour.
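Base64 is reversible, though, so an analyst can undo this with a small triage script that decodes every base64-shaped string and compares the result with known API names. The Python below is added here as an example and is not the post's own code; the watch-list of API names and the SAMPLE_RDATA bytes standing in for a PE's string data are constructed for the demonstration.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple

# Printable-ASCII runs of 4+ bytes, the same thing `strings` pulls out of a PE.
STRING_RE = re.compile(rb"[\x20-\x7e]{4,}")
# A base64-looking token inside such a run: 8+ alphabet chars plus optional '=' padding.
TOKEN_RE = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")

# Constructed watch-list: API names worth a second look when they appear encoded.
WATCHED_APIS = {
    "MessageBoxA", "MessageBoxW", "LoadLibraryA", "LoadLibraryW",
    "GetProcAddress", "VirtualAlloc", "WriteProcessMemory", "CreateRemoteThread",
}

def decode_printable_base64(token: bytes) -> Optional[str]:
    """Decode `token` if it is well-formed base64 whose plaintext is printable ASCII."""
    if len(token) % 4:
        return None
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None

def find_encoded_api_names(data: bytes) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for tokens that base64-decode to a watched API."""
    hits = []
    for run in STRING_RE.finditer(data):          # what `strings` would show
        for m in TOKEN_RE.finditer(run.group(0)):  # base64-shaped pieces of it
            decoded = decode_printable_base64(m.group(0))
            if decoded in WATCHED_APIS:
                hits.append((m.group(0).decode("ascii"), decoded))
    return hits

# Constructed stand-in for a PE's .rdata: the post's encoded "MessageBoxA"
# plus an encoded "GetProcAddress", mixed with ordinary strings and junk bytes.
SAMPLE_RDATA = (
    b"\x00\x00User32.dll\x00TWVzc2FnZUJveEE=\x00Failed to load the library.\x00"
    b"Rio Test\x00\xff\xfeR2V0UHJvY0FkZHJlc3M=\x00Account Details\x00"
)

if __name__ == "__main__":
    for encoded, api in find_encoded_api_names(SAMPLE_RDATA):
        print(f"{encoded} -> {api}")
```

The same pass also works on the output of `strings` saved to a file, and the presence of LoadLibrary and GetProcAddress in the import table is itself the hint that tells an analyst to run it.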
