
Feature/dynamic api resolution #37

Merged

defaultmodel merged 12 commits into unstable from feature/dynamic_api_resolution on Apr 18, 2025

Conversation

@ErrorTeaPot
Collaborator

We have been working on dynamic API resolution with @elyessfaxiano; it is working on some APIs like CheckRemoteDebuggerPresent() (not only).

This work is based on this and the "Hiding imports via dynamic WinAPI functions resolving" part of this.

Here is a comparison of Dependencies analysis before vs after the feature:
Before:

PS C:\Users\q\Downloads\Dependencies_x64_Release_.without.peview.exe> .\Dependencies.exe -imports Z:\chipeur.exe
[-] Import listing for file : Z:\chipeur.exe
Import from module CRYPT32.dll :
         Function CryptStringToBinaryA
         Function CryptUnprotectData
Import from module KERNEL32.dll :
         Function AreFileApisANSI
         Function CheckRemoteDebuggerPresent
         Function CloseHandle
         Function CreateFileA
         Function CreateFileMappingW
         Function CreateFileW
         Function CreateMutexW
         Function DeleteCriticalSection
         Function DeleteFileA
         Function DeleteFileW
         Function EnterCriticalSection
         Function FindClose
         Function FindFirstFileW
         Function FindNextFileW
         Function FlushFileBuffers
         Function FlushViewOfFile
         Function FormatMessageA
         Function FormatMessageW
         Function FreeLibrary
         Function GetCurrentProcess
         Function GetCurrentProcessId
         Function GetCurrentThreadId
         Function GetDiskFreeSpaceA
         Function GetDiskFreeSpaceW
         Function GetFileAttributesA
         Function GetFileAttributesExW
         Function GetFileAttributesW
         Function GetFileSize
         Function GetFullPathNameA
         Function GetFullPathNameW
         Function GetLastError
         Function GetProcAddress
         Function GetProcessHeap
         Function GetSystemInfo
         Function GetSystemTime
         Function GetSystemTimeAsFileTime
         Function GetTempPathA
         Function GetTempPathW
         Function GetTickCount
         Function HeapAlloc
         Function HeapCompact
         Function HeapCreate
         Function HeapDestroy
         Function HeapFree
         Function HeapReAlloc
         Function HeapSize
         Function HeapValidate
         Function InitializeCriticalSection
         Function IsDBCSLeadByteEx
         Function LeaveCriticalSection
         Function LoadLibraryA
         Function LoadLibraryW
         Function LocalFree
         Function LockFile
         Function LockFileEx
         Function MapViewOfFile
         Function MultiByteToWideChar
         Function OutputDebugStringA
         Function OutputDebugStringW
         Function QueryPerformanceCounter
         Function ReadFile
         Function SetConsoleOutputCP
         Function SetEndOfFile
         Function SetFilePointer
         Function SetUnhandledExceptionFilter
         Function Sleep
         Function SystemTimeToFileTime
         Function TlsGetValue
         Function TryEnterCriticalSection
         Function UnlockFile
         Function UnlockFileEx
         Function UnmapViewOfFile
         Function VirtualProtect
         Function VirtualQuery
         Function WaitForSingleObject
         Function WaitForSingleObjectEx
         Function WideCharToMultiByte
         Function WriteFile
Import from module msvcrt.dll :
         Function fwprintf
         Function __C_specific_handler
         Function ___lc_codepage_func
         Function ___mb_cur_max_func
         Function __getmainargs
         Function __initenv
         Function __iob_func
         Function __set_app_type
         Function __setusermatherr
         Function _amsg_exit
         Function _beginthreadex
         Function _cexit
         Function _commode
         Function _endthreadex
         Function _errno
         Function _fmode
         Function _initterm
         Function _localtime64
         Function _lock
         Function _onexit
         Function _snwprintf
         Function _unlock
         Function abort
         Function calloc
         Function exit
         Function fflush
         Function fprintf
         Function fputc
         Function fputwc
         Function free
         Function fwrite
         Function localeconv
         Function malloc
         Function memchr
         Function memcmp
         Function memcpy
         Function memmove
         Function memset
         Function realloc
         Function signal
         Function strchr
         Function strcmp
         Function strcspn
         Function strerror
         Function strlen
         Function strncmp
         Function strncpy
         Function strrchr
         Function strspn
         Function strstr
         Function vfprintf
         Function wcscat
         Function wcscmp
         Function wcscpy
         Function wcslen
         Function wcsncpy
         Function _strdup
Import from module ole32.dll :
         Function CoTaskMemFree
Import from module SHELL32.dll :
         Function SHGetKnownFolderPath
[-] Import listing done

After:

[-] Import listing for file : Z:\chipeur.exe
Import from module KERNEL32.dll :
	 Function AreFileApisANSI
	 Function CloseHandle
	 Function CreateFileA
	 Function CreateFileMappingW
	 Function CreateFileW
	 Function CreateMutexW
	 Function DeleteCriticalSection
	 Function DeleteFileA
	 Function DeleteFileW
	 Function EnterCriticalSection
	 Function FindClose
	 Function FindFirstFileW
	 Function FindNextFileW
	 Function FlushFileBuffers
	 Function FlushViewOfFile
	 Function FormatMessageA
	 Function FormatMessageW
	 Function FreeLibrary
	 Function GetCurrentProcess
	 Function GetCurrentProcessId
	 Function GetCurrentThreadId
	 Function GetDiskFreeSpaceA
	 Function GetDiskFreeSpaceW
	 Function GetFileAttributesA
	 Function GetFileAttributesExW
	 Function GetFileAttributesW
	 Function GetFileSize
	 Function GetFullPathNameA
	 Function GetFullPathNameW
	 Function GetLastError
	 Function GetModuleHandleW
	 Function GetProcAddress
	 Function GetProcessHeap
	 Function GetSystemInfo
	 Function GetSystemTime
	 Function GetSystemTimeAsFileTime
	 Function GetTempPathA
	 Function GetTempPathW
	 Function GetTickCount
	 Function HeapAlloc
	 Function HeapCompact
	 Function HeapCreate
	 Function HeapDestroy
	 Function HeapFree
	 Function HeapReAlloc
	 Function HeapSize
	 Function HeapValidate
	 Function InitializeCriticalSection
	 Function IsDBCSLeadByteEx
	 Function LeaveCriticalSection
	 Function LoadLibraryA
	 Function LoadLibraryW
	 Function LocalFree
	 Function LockFile
	 Function LockFileEx
	 Function MapViewOfFile
	 Function MultiByteToWideChar
	 Function OutputDebugStringA
	 Function OutputDebugStringW
	 Function QueryPerformanceCounter
	 Function ReadFile
	 Function SetConsoleOutputCP
	 Function SetEndOfFile
	 Function SetFilePointer
	 Function SetUnhandledExceptionFilter
	 Function Sleep
	 Function SystemTimeToFileTime
	 Function TlsGetValue
	 Function TryEnterCriticalSection
	 Function UnlockFile
	 Function UnlockFileEx
	 Function UnmapViewOfFile
	 Function VirtualProtect
	 Function VirtualQuery
	 Function WaitForSingleObject
	 Function WaitForSingleObjectEx
	 Function WideCharToMultiByte
	 Function WriteFile
Import from module msvcrt.dll :
	 Function fwprintf
	 Function __C_specific_handler
	 Function ___lc_codepage_func
	 Function ___mb_cur_max_func
	 Function __getmainargs
	 Function __initenv
	 Function __iob_func
	 Function __set_app_type
	 Function __setusermatherr
	 Function _amsg_exit
	 Function _beginthreadex
	 Function _cexit
	 Function _commode
	 Function _endthreadex
	 Function _errno
	 Function _fmode
	 Function _initterm
	 Function _localtime64
	 Function _lock
	 Function _onexit
	 Function _snwprintf
	 Function _unlock
	 Function abort
	 Function calloc
	 Function exit
	 Function fflush
	 Function fprintf
	 Function fputc
	 Function fputwc
	 Function free
	 Function fwrite
	 Function localeconv
	 Function malloc
	 Function memchr
	 Function memcmp
	 Function memcpy
	 Function memmove
	 Function memset
	 Function realloc
	 Function signal
	 Function strchr
	 Function strcmp
	 Function strcspn
	 Function strerror
	 Function strlen
	 Function strncmp
	 Function strncpy
	 Function strrchr
	 Function strspn
	 Function strstr
	 Function vfprintf
	 Function wcscat
	 Function wcscmp
	 Function wcscpy
	 Function wcslen
	 Function wcsncpy
	 Function _strdup
Import from module ole32.dll :
	 Function CoTaskMemFree
Import from module SHELL32.dll :
	 Function SHGetKnownFolderPath
[-] Import listing done
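
As an added defender's-side example (not code from this PR or the project), the script below parses two Dependencies.exe `-imports` listings in the text format shown above, reports which imports and modules disappeared between builds, and flags the resolution primitives that remain; a shrunken import table that still carries LoadLibrary/GetProcAddress/GetModuleHandleW is the usual triage signal for dynamic API resolution. The abbreviated listings, the sample path and the RESOLVER_APIS watch-list are constructed assumptions.

```python
import re
from collections import defaultdict

MODULE_RE = re.compile(r"^Import from module (\S+) :")
FUNC_RE = re.compile(r"^\s*Function (\S+)")
# Assumed watch-list: a binary that keeps these while shedding sensitive
# imports is a triage candidate for dynamic API resolution.
RESOLVER_APIS = {"LoadLibraryA", "LoadLibraryW", "GetModuleHandleW", "GetProcAddress"}

def parse_imports(listing: str) -> dict:
    """Return {module (lower-cased): set(functions)} from a Dependencies.exe listing."""
    imports, module = defaultdict(set), None
    for line in listing.splitlines():
        m = MODULE_RE.match(line)
        if m:
            module = m.group(1).lower()
            continue
        f = FUNC_RE.match(line)
        if f and module:
            imports[module].add(f.group(1))
    return dict(imports)

def diff_imports(before: str, after: str) -> dict:
    """Compare two listings: what vanished, what appeared, which resolvers remain."""
    old, new = parse_imports(before), parse_imports(after)
    removed = {mod: old[mod] - new.get(mod, set()) for mod in old}
    added = {mod: new[mod] - old.get(mod, set()) for mod in new}
    present = {fn for funcs in new.values() for fn in funcs}
    return {
        "removed": {m: s for m, s in removed.items() if s},
        "added": {m: s for m, s in added.items() if s},
        "dropped_modules": sorted(set(old) - set(new)),
        "resolvers_still_imported": sorted(RESOLVER_APIS & present),
    }

# Constructed, abbreviated listings in Dependencies.exe's text format.
BEFORE = """[-] Import listing for file : Z:\\sample.exe
Import from module CRYPT32.dll :
         Function CryptUnprotectData
Import from module KERNEL32.dll :
         Function CheckRemoteDebuggerPresent
         Function GetProcAddress
         Function LoadLibraryA
"""
AFTER = """[-] Import listing for file : Z:\\sample.exe
Import from module KERNEL32.dll :
\t Function GetModuleHandleW
\t Function GetProcAddress
\t Function LoadLibraryA
"""
```

Running `diff_imports(BEFORE, AFTER)` on the constructed listings reproduces the pattern in the PR's own output: CRYPT32.dll and CheckRemoteDebuggerPresent vanish, GetModuleHandleW appears, and the resolver APIs stay.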

@defaultmodel defaultmodel merged commit 9a01d1d into unstable Apr 18, 2025
2 checks passed