Windows API Call Obfuscation
This Project is for Windows API Call Obfuscation to make static/Dynamic analysis of a program harder, and to make it harder to recognize and extract the sequance of Windows API the application Call.
It is a Kernel Proxy that gives the developer the ability to proxy windows API call and hide it behind DeviceIoControl() API, so instead of calling CreateFile() you will call DeviceIoControl(,IOCTL_API_PROXY_CREATEFILE,), so if there is an API monitor tool or a sandbox all what are you going to see is a sequence of DeviceIoControl() calls.
To make it clearer if you want to do for example APC injection you would normally call those sequence of API OpenProcess() , VirtualAllocEx(), WriteProcessMemory(), OpenThread(), QueueUserAPC()
But with APICallProxy this is what the API calls would look like.
1- DeviceIoControl(,IOCTL_API_PROXY_OPEN_PROCESS,)
2- DeviceIoControl(,IOCTL_API_PROXY_ALLOCATE_MEMORY_IN_PROCESS_USING_HANDLE,)
3- DeviceIoControl(,IOCTL_API_PROXY_WRITE_PROCESS_MEMORY,)
4- DeviceIoControl(,IOCTL_API_PROXY_OPEN_THREAD,)
5- DeviceIoControl(,IOCTL_API_PROXY_QUEUE_APC,)
To use it all what you need to do is Call DeviceIoControl with the appropriate IOCTL code insted of calling normal Windows API like CreateFile, WriteFile, OpenProcess,..
I Create sample Client that will do the following:
1 - APCInjection.exe : APC injection
2 - DisableDSE.exe : Sample code to Disable Signing Policy(DSE), tested on windows 10 21H1 (it might crash on other windows version)
3- RegisterLoadDriver.exe : Register and Load Driver using DeviceIoControl()
4- WinsockServer.exe : WinSock Server same as Microsoft implementation (https://docs.microsoft.com/en-us/windows/win32/winsock/complete-server-code)
5- WinsockClient.exe : WinSock Client same as Microsoft implementation (https://docs.microsoft.com/en-us/windows/win32/winsock/complete-client-code)
6- ReverseShellClient.exe: Reverse Shell Client
7- ReverseShellServer.exe: Reverse Shell Server (it can support command up to 99 character (can be increased from the code) for example: powershell.exe -encodedCommand "Base64 Script")
Note that the APCInjector.exe only work as x64 bit application on x64 bit windows because the shellcode is x64 bit
i tested the Driver and the client on windows 10 0x64 and window 8.1 x64/x86 bit
Note that the network operation only support the TCP connection for now, will add UDP connection soon.
The Communication Between the Driver and User-mode happens using METHOD_NEITHER i made it very easy to change the communication method (METHOD_BUFFERED,..), you only need to change a couple of lines in the source code and it will work normally
CreateFile
OpenFile
DeleteFile
WriteFile
ReadFile
OpenProcess
TerminateProcess
OpenThread
CloseHandle
GetFileSize
ZwQuerySystemInformation
ZwAllocateVirtualMemory
ZwFreeVirtualMemory
VirtualProtectEx
WriteProcessMemory
ReadProcessMemory
NtSuspendProcess
NtResumeProcess
ZwCreateSection
ZwOpenSection
ZwMapViewOfSection
ZwUnmapViewOfSection
SetThreadContext
GetThreadContext
CreateThread
CreateRemoteThread
ResumeThread
SuspendThread
RegCreateKey
RegDeleteKey
RegQueryValue
RegSetValue
ZwLoadDriver
ZwUnloadDriver
WSAStartup
WSACleanup
GetAddrInfo
FreeAddrInfo
Socket
CloseSocket
Connect
Listen
Bind
Accept
Send
Recv
Get_ProcessID_From_Process_Name not windows API but usefull utility (can use ZwQuerySystemInformation to do the same)
Kindly note that this is only for educational purposes only
https://github.com/hfiref0x/DSEFix
https://github.com/wbenny/KSOCKET
MIT