Faking the Import Address Table (IAT)

Hello

I am presenting a straightforward method to increase the difficulty for malware analysts or to evade detection by EDR. This technique is not overly complex; in fact, it is quite simple.

As is well known, malware analysts learn a great deal about a sample's behavior by examining its Import Address Table. An excellent tool for quickly performing such an analysis is PEStudio.

The developer of the malware will employ creative techniques to evade analysis, such as resolving API calls dynamically at run time. As a result, the Import Address Table (IAT) will not list the required API calls, compelling analysts to delve into the code in order to understand how the malware interacts with the operating system.

When the Import Address Table (IAT) is significantly reduced through dynamic loading, it may itself raise suspicion. If all API calls are resolved dynamically, the IAT will only display minimal information, and a near-empty IAT is a recognizable sign that the sample is trying to evade analysis.

To minimize suspicion, the malware developer may choose to fabricate spurious API calls for inclusion in the Import Address Table (IAT). Nonetheless, the developer must ensure that the malware's behavior remains unaffected by the inclusion of these fabricated calls. One way to achieve this is by creating dead code, thereby preventing the fake API calls from ever being executed at run time, as illustrated by the simple code snippet below.

#include <iostream>
#include <Windows.h>

// Calls a handful of Win32 APIs from a branch that can never execute.
// The linker still has to satisfy the references, so every one of these
// functions ends up as an entry in the import table.
VOID FakingAPICall() {

	int i = 5;

	// Always false: i is 5, so nothing below ever runs.
	if (i < 2) {
		unsigned __int64 r = MessageBoxA(NULL, NULL, NULL, 0);
		r = GetLastError();
		r = SetCriticalSectionSpinCount(NULL, 0);
		r = GetWindowContextHelpId(NULL);
		r = GetWindowLongPtrW(NULL, 0);
		r = RegisterClassW(NULL);
		r = IsWindowVisible(NULL);
		r = ConvertDefaultLocale(0);
		r = MultiByteToWideChar(0, 0, NULL, 0, NULL, 0);
		r = IsDialogMessageW(NULL, NULL);
	}
}

int main()
{
	std::cout << "Hello World!\n";
	FakingAPICall();
}

None of these API calls will ever execute, because the condition is never met. Nevertheless, by including the code above, the linker is forced to emit an import entry for each of them, so they all appear in the IAT.
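From the analyst's side, the two import-table shapes described above (a near-empty IAT that still contains the run-time resolvers, and a console program whose IAT is padded with window plumbing it never uses) can be flagged with simple heuristics over the import list that PEStudio or pefile produces. The following is an added example, not code from the original post; the function name, thresholds and sample import lists are constructed for illustration.

```python
# IMAGE_SUBSYSTEM_WINDOWS_CUI: the PE optional-header value for console programs.
SUBSYSTEM_CUI = 3

# APIs that let a program resolve other APIs at run time. A near-empty IAT that
# still contains these is the "everything is resolved dynamically" pattern.
RUNTIME_RESOLVERS = {"LoadLibraryA", "LoadLibraryW", "LoadLibraryExA",
                     "LoadLibraryExW", "GetProcAddress"}

# Window-class and message-loop plumbing that only a program creating windows
# needs. MessageBoxA is deliberately absent: console tools legitimately use it.
GUI_PLUMBING = {"RegisterClassW", "RegisterClassExW", "IsDialogMessageW",
                "GetWindowLongPtrW", "GetWindowContextHelpId", "IsWindowVisible",
                "CreateWindowExW", "DispatchMessageW", "GetMessageW"}


def triage_imports(imports, subsystem, minimal_iat=6, gui_threshold=3):
    """Return sorted finding tags for an import list; [] means nothing odd.

    imports:   iterable of (dll_name, function_name) pairs
    subsystem: the PE optional-header Subsystem value
    """
    funcs = {func for _, func in imports}
    findings = set()

    # Pattern 1: a tiny IAT whose only interesting entries are the resolvers.
    if funcs & RUNTIME_RESOLVERS and len(funcs) <= minimal_iat:
        findings.add("minimal-iat-with-runtime-resolution")

    # Pattern 2: a console binary importing window plumbing it cannot need.
    if subsystem == SUBSYSTEM_CUI and len(funcs & GUI_PLUMBING) >= gui_threshold:
        findings.add("console-binary-imports-window-plumbing")

    return sorted(findings)


# Constructed import lists, not dumped from a real binary. The first mirrors
# what the dead-code snippet above would add to a console "Hello World".
PADDED_CONSOLE = [
    ("KERNEL32.dll", "WriteFile"), ("KERNEL32.dll", "GetLastError"),
    ("KERNEL32.dll", "SetCriticalSectionSpinCount"),
    ("KERNEL32.dll", "ConvertDefaultLocale"), ("KERNEL32.dll", "MultiByteToWideChar"),
    ("USER32.dll", "MessageBoxA"), ("USER32.dll", "GetWindowContextHelpId"),
    ("USER32.dll", "GetWindowLongPtrW"), ("USER32.dll", "RegisterClassW"),
    ("USER32.dll", "IsWindowVisible"), ("USER32.dll", "IsDialogMessageW"),
]
# The "everything resolved at run time" shape: only the resolvers remain.
DYNAMIC_ONLY = [("KERNEL32.dll", "LoadLibraryA"), ("KERNEL32.dll", "GetProcAddress"),
                ("KERNEL32.dll", "ExitProcess")]

if __name__ == "__main__":
    print(triage_imports(PADDED_CONSOLE, SUBSYSTEM_CUI))
    print(triage_imports(DYNAMIC_ONLY, SUBSYSTEM_CUI))
```

These are triage hints only: the decisive check for padded imports is whether any code path actually references the import thunks, which needs a disassembler's cross-references rather than the import list alone.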

To ensure that the dead code is not eliminated by the compiler during optimization (with a constant condition such as the one above, an optimizing compiler would simply drop the whole branch and its imports with it), optimizations must be disabled, as demonstrated below.
