1 00:00:00,620 --> 00:00:05,730 Hello and welcome to a new section called Advanced Function Obfuscation. 2 00:00:06,290 --> 00:00:16,790 Implementing your own custom Win32 API functions, as you have seen from the first course on the basics 3 00:00:16,790 --> 00:00:18,230 of malware development. 4 00:00:18,950 --> 00:00:24,170 The purpose of function obfuscation is to avoid detection by antivirus. 5 00:00:26,810 --> 00:00:32,540 So assuming we have malware that makes use of a function API call, 6 00:00:32,810 --> 00:00:34,760 VirtualAlloc, now, 7 00:00:34,770 --> 00:00:43,370 if there were no obfuscation, it would be clearly detectable by the antivirus. Now, in order to defeat 8 00:00:43,580 --> 00:00:44,690 the antivirus, 9 00:00:45,470 --> 00:00:46,230 well, what we tried 10 00:00:46,400 --> 00:00:51,070 first was to use dynamic API loading. 11 00:00:52,220 --> 00:00:54,950 So the method is called function obfuscation. 12 00:00:55,820 --> 00:01:05,030 So in this dynamic API loading, we load the obfuscated function by using the GetProcAddress API to look it up, which 13 00:01:05,030 --> 00:01:06,800 is loaded during runtime. 14 00:01:07,880 --> 00:01:11,990 So for GetProcAddress, we need to have two parameters. 15 00:01:12,440 --> 00:01:17,900 The first parameter will be the handle to the DLL that contains VirtualAlloc. 16 00:01:18,590 --> 00:01:22,010 So in this case, we will use GetModuleHandle and pass 17 00:01:22,580 --> 00:01:30,920 kernel32.dll, which contains VirtualAlloc, so GetModuleHandle will return the handle to kernel32.dll, 18 00:01:31,190 --> 00:01:32,210 and GetProcAddress 19 00:01:32,210 --> 00:01:34,670 will use it to search for VirtualAlloc. 20 00:01:35,600 --> 00:01:42,290 So once it finds it, it will return a pointer, and we will save it in a variable for VirtualAlloc. 21 00:01:43,160 --> 00:01:49,280 So VirtualAlloc will then be used to perform the virtual allocation of memory during runtime.
22 00:01:49,850 --> 00:01:55,520 So in this way, you can hide this VirtualAlloc from the antivirus. 23 00:01:56,390 --> 00:02:03,590 However, we later saw that the antivirus can still detect the string, because the string, which 24 00:02:03,950 --> 00:02:09,980 is plainly visible in the strings, can be seen in the memory. 25 00:02:10,790 --> 00:02:13,700 So what we need to do next was to hide this string. 26 00:02:14,120 --> 00:02:20,030 And for that, we will use another method called string parameter encryption. 27 00:02:20,900 --> 00:02:29,060 So in this next, second stage obfuscation, we will use function obfuscation plus string parameter 28 00:02:29,060 --> 00:02:29,720 encryption. 29 00:02:30,500 --> 00:02:39,320 So in this method, we will take this plaintext string and encrypt it using XOR encryption, or equally 30 00:02:39,320 --> 00:02:40,680 we can say AES encryption. 31 00:02:41,510 --> 00:02:48,900 And after being encrypted, we will save it in a string variable called strVirtualAlloc. Now, 32 00:02:48,930 --> 00:02:56,960 during runtime, we will call the decrypt function, which will then decrypt the string back into 33 00:02:56,960 --> 00:03:00,860 plaintext and pass it as a parameter to GetProcAddress. 34 00:03:01,520 --> 00:03:11,120 So this second level obfuscation could then defeat the antivirus, which searches for 35 00:03:11,120 --> 00:03:12,110 strings in memory. 36 00:03:13,130 --> 00:03:13,520 Now, 37 00:03:13,700 --> 00:03:17,240 in this course, we will look at another method, 38 00:03:17,420 --> 00:03:19,040 even more advanced than this. 39 00:03:20,150 --> 00:03:21,410 So what is the problem 40 00:03:21,650 --> 00:03:24,170 with the second stage, the second level method? 41 00:03:24,860 --> 00:03:26,300 The problem with the second method is that 42 00:03:27,480 --> 00:03:34,920 we need to use GetProcAddress and GetModuleHandle in order to dynamically load the function 43 00:03:34,920 --> 00:03:35,460 that we need.
44 00:03:35,940 --> 00:03:39,240 So these two are visible to the antivirus. 45 00:03:40,050 --> 00:03:43,830 So in this advanced technique, what you are going to study next is, 46 00:03:44,340 --> 00:03:47,370 we are going to obfuscate or hide these two. 47 00:03:48,560 --> 00:03:52,120 So this method is called custom API function obfuscation. 48 00:03:53,030 --> 00:03:55,250 So how do we hide these two from antivirus? 49 00:03:55,760 --> 00:04:01,910 We will create our own GetProcAddress and also create our own GetModuleHandle. 50 00:04:02,720 --> 00:04:07,470 So in here, you can see the customized GetProcAddress. 51 00:04:08,390 --> 00:04:16,520 We'll call it myGetProcAddress, because this is customized, we write it ourselves, and the GetModuleHandle, the 52 00:04:16,520 --> 00:04:23,240 customized one, we will call myGetModuleHandle, again because we are going to write this ourselves. 53 00:04:23,960 --> 00:04:30,440 So these two, this is advanced, because trying to write your own GetProcAddress is quite complicated, 54 00:04:31,250 --> 00:04:35,570 and so is writing your own GetModuleHandle API. 55 00:04:36,500 --> 00:04:37,520 So let's get started. 56 00:04:38,180 --> 00:04:40,670 This is the theory of how we are going to approach this. 57 00:04:41,780 --> 00:04:51,440 So as you can see here, when a program is running, if you want to find out about the DLL details, 58 00:04:51,440 --> 00:04:54,680 you can look at the PE header. In the PE header, 59 00:04:54,680 --> 00:04:56,720 you will find a lot of fields. 60 00:04:56,990 --> 00:05:01,970 And one of the important fields is the Data Directory. 61 00:05:02,600 --> 00:05:06,020 So the data directory can be seen here, like this. 62 00:05:06,380 --> 00:05:08,300 This is a diagram of the PE header. 63 00:05:09,140 --> 00:05:12,960 You can see here is the DOS header that contains the magic MZ. 64 00:05:13,220 --> 00:05:16,910 Here, and here at offset 65 00:05:16,910 --> 00:05:17,360 3C,
66 00:05:17,360 --> 00:05:21,320 there is a pointer to the PE header. 67 00:05:22,550 --> 00:05:30,530 So the PE header starts here, and the PE header is identified by PE followed by two null characters. 68 00:05:31,730 --> 00:05:37,210 So it is known as the PE header and also known as the NT header. It's the same thing. 69 00:05:37,220 --> 00:05:44,420 Sometimes they also call all this the COFF header, but here is the optional header, and the optional header 70 00:05:44,420 --> 00:05:50,210 also contains several other subheadings, and the important one for our purposes today, 71 00:05:50,210 --> 00:05:57,260 today, is the data directory, which is over here. The data directory contains the export table, and in particular there are 72 00:05:57,260 --> 00:06:03,470 two fields of the data directory which we are interested in and which we have seen before in previous lessons. 73 00:06:04,130 --> 00:06:11,930 So in this example of kernel32.dll, the optional header has the export directory and import 74 00:06:11,930 --> 00:06:12,500 directory. 75 00:06:14,220 --> 00:06:21,000 And then you can look at, yeah, the details of it by clicking the export directory to see the meaning of 76 00:06:21,000 --> 00:06:25,710 all these various fields inside the PE export directory. 77 00:06:26,910 --> 00:06:31,440 So this was done before, just to refresh your memory. Coming back to this. 78 00:06:32,100 --> 00:06:39,170 So the malware will go to the PE header and then look at the details in the data directory, and then 79 00:06:39,180 --> 00:06:39,910 from there, 80 00:06:40,290 --> 00:06:44,880 we will search for kernel32 from the list of DLLs. 81 00:06:45,600 --> 00:06:51,210 So this DLL is contained inside the import table, in the import table. 82 00:06:51,900 --> 00:07:00,180 So this list would tell the programmer, if you are writing a program to obfuscate the function,
83 00:07:00,660 --> 00:07:08,490 you can see what are the important details, and kernel32.dll is always imported for sure in any 84 00:07:08,490 --> 00:07:09,630 program that is running. 85 00:07:10,140 --> 00:07:15,300 So we need to search for the module, the address of the module. 86 00:07:15,690 --> 00:07:22,150 So to do that, we will use a method for searching, and it will go through all this process, which 87 00:07:22,180 --> 00:07:25,970 I mentioned, and then it will return the address of kernel32. 88 00:07:26,820 --> 00:07:33,800 So once you get the address of kernel32, you will then be able to parse through the list of APIs exported 89 00:07:34,050 --> 00:07:40,050 by kernel32 using this method, by going to the export directory. 90 00:07:40,620 --> 00:07:43,830 And then from this export directory, going to the address of functions. 91 00:07:44,520 --> 00:07:51,000 And then from the address of functions, you can iterate through the list in there to look for the function 92 00:07:51,000 --> 00:07:51,930 that you are interested in. 93 00:07:52,620 --> 00:07:53,670 For example, here. 94 00:07:54,510 --> 00:08:01,080 So here you can go to the address of functions and then look through all this list and find the function you 95 00:08:01,080 --> 00:08:01,380 need. 96 00:08:02,820 --> 00:08:06,270 So this is just a reminder of our lesson here. 97 00:08:07,020 --> 00:08:12,420 So once you find this function, for example, in this case, if you want to look for GetProcAddress, 98 00:08:12,870 --> 00:08:17,670 so once you find its address, you can use it to look for VirtualAlloc. 99 00:08:19,020 --> 00:08:20,670 Another complication is here. 100 00:08:21,240 --> 00:08:28,110 If you also want to obfuscate this search, this search here is actually GetModuleHandle. 101 00:08:29,410 --> 00:08:29,740 Here. 102 00:08:31,320 --> 00:08:40,290 So GetProcAddress is this one, we are looking for the address, how you get GetProcAddress, but what about GetModuleHandle?
103 00:08:41,070 --> 00:08:46,710 So for GetModuleHandle, we need to make use of two other structures: 104 00:08:47,100 --> 00:08:48,600 the TEB and the PEB. 105 00:08:49,260 --> 00:08:56,610 Every running program in Windows has got a TEB and a PEB, so the environment block is important because it contains 106 00:08:56,610 --> 00:09:04,410 a list of all the details that are important, such as all of the environment variables, the path to the 107 00:09:04,410 --> 00:09:12,120 current directory, the path to the executable, and other data and information which is needed by a particular 108 00:09:12,120 --> 00:09:20,880 process in order to run. Every program that runs is run as a process, and a process can have multiple threads 109 00:09:21,000 --> 00:09:21,570 inside it. 110 00:09:22,110 --> 00:09:27,360 So all the information about the threads is found in the thread environment block. 111 00:09:28,350 --> 00:09:33,570 So in order to get hold of the PEB, you need to go through the TEB. 112 00:09:34,230 --> 00:09:38,280 So this is how the Windows system operates. 113 00:09:39,510 --> 00:09:42,340 The TEB contains a pointer to the PEB. 114 00:09:43,580 --> 00:09:52,490 And then once we get the PEB, we can then go to the loader field, and the loader field will have a pointer 115 00:09:52,490 --> 00:09:59,620 to a list of DLLs, and then we need to search the list of DLLs in order to get the address of 116 00:09:59,630 --> 00:10:00,110 kernel32. 117 00:10:00,650 --> 00:10:03,600 So once you get it, you can return it to the caller. 118 00:10:04,100 --> 00:10:06,440 Let's take a look at the example of that. 119 00:10:07,250 --> 00:10:13,460 Now this, you would be doing this later in a practical walkthrough, but now I just want to explain 120 00:10:13,460 --> 00:10:13,970 how it works. 121 00:10:14,960 --> 00:10:17,930 Now, we have this, starting off with version one. 122 00:10:20,060 --> 00:10:20,880 Version one. 123 00:10:20,960 --> 00:10:22,430 It is not obfuscated at all.
124 00:10:22,790 --> 00:10:28,580 OK, so this is a program we have seen before in the previous course on the basics. 125 00:10:29,480 --> 00:10:38,030 And we have a payload here, shellcode which will run notepad when it is executed. 126 00:10:38,980 --> 00:10:44,520 And then here is your main function, and you also have a decrypting function to decrypt strings. 127 00:10:45,700 --> 00:10:52,360 And then in the main function we use VirtualAlloc because we want to allocate memory in order to 128 00:10:52,420 --> 00:10:53,440 store our payload. 129 00:10:54,430 --> 00:11:01,900 And then over here is where we copy the payload to the allocated memory, and the payload is actually this payload, 130 00:11:03,040 --> 00:11:09,010 and then down here we change the permission of the allocated memory so that we can execute it down 131 00:11:09,010 --> 00:11:09,220 here. 132 00:11:09,760 --> 00:11:14,150 If you've forgotten all this, you can refer back to the previous course. 133 00:11:15,640 --> 00:11:21,350 Now, the problem with this is that this VirtualAlloc is visible to antivirus. 134 00:11:21,880 --> 00:11:23,290 So we wanted to hide this. 135 00:11:23,860 --> 00:11:25,000 So, to hide this, 136 00:11:25,090 --> 00:11:25,540 we can, 137 00:11:25,540 --> 00:11:34,150 we can come up with a second version of this program whereby we use dynamic API loading by using GetProcAddress 138 00:11:34,330 --> 00:11:35,200 in conjunction 139 00:11:35,200 --> 00:11:42,280 with GetModuleHandle, and you also want to hide the string, the VirtualAlloc string. 140 00:11:42,280 --> 00:11:48,940 So we encrypt this string up here by using this key and come out with this encrypted version of 141 00:11:48,940 --> 00:11:49,360 VirtualAlloc.
142 00:11:50,530 --> 00:11:57,640 Then during runtime, we call a function to decrypt this back into plaintext and then pass these 143 00:11:57,640 --> 00:12:04,450 two parameters to GetProcAddress, and GetProcAddress will then return the address of VirtualAlloc, 144 00:12:04,990 --> 00:12:05,900 and then down here 145 00:12:05,920 --> 00:12:08,110 we call VirtualAlloc in the usual way. 146 00:12:08,590 --> 00:12:12,310 So this is the second method, which we covered in the first course. 147 00:12:13,030 --> 00:12:21,300 But the problem with this second method is that this GetProcAddress function call is visible to antivirus. 148 00:12:21,700 --> 00:12:25,030 And so it is also visible in memory. 149 00:12:25,540 --> 00:12:33,130 So now in this advanced method, we want to hide this too, by customizing our own GetProcAddress. 150 00:12:33,700 --> 00:12:36,030 And that's how we come up with the third version. 151 00:12:36,880 --> 00:12:38,140 So in this third version, 152 00:12:39,690 --> 00:12:46,650 we will use our own version of GetProcAddress, called myGetProcAddress, right over here. 153 00:12:47,220 --> 00:12:48,900 So using myGetProcAddress 154 00:12:49,900 --> 00:12:58,870 to get hold of the address of VirtualAlloc and then return it to a variable, 155 00:12:59,140 --> 00:13:06,100 and then down here we will use it in the normal way, and for an extra demonstration, we are 156 00:13:06,100 --> 00:13:14,170 also going to use it to get the address of another function. 157 00:13:14,950 --> 00:13:15,340 All right. 158 00:13:16,030 --> 00:13:18,040 And return it here and use it 159 00:13:18,340 --> 00:13:21,880 down here as a function pointer. 160 00:13:22,660 --> 00:13:24,250 So let's take a look at these two now. 161 00:13:25,180 --> 00:13:29,170 How do we define our own GetProcAddress? 162 00:13:29,320 --> 00:13:31,080 How do we define our GetModuleHandle
163 00:13:31,080 --> 00:13:32,560 function? 164 00:13:33,370 --> 00:13:39,070 That's where we make use of a new and different file called myAPI. 165 00:13:39,880 --> 00:13:49,360 So myAPI.cpp, and the header file, myAPI.h, which declares the function prototypes, and the implementation 166 00:13:49,360 --> 00:13:51,880 is found in myAPI.cpp. 167 00:13:52,720 --> 00:13:57,340 Now, see here, you have two functions which are defined. 168 00:13:58,120 --> 00:14:02,140 One is myGetProcAddress and one is myGetModuleHandle. 169 00:14:02,440 --> 00:14:09,640 So these are two custom-made APIs that we wrote in order to defeat the antivirus. 170 00:14:10,510 --> 00:14:16,540 So for myGetProcAddress, this part here is parsing the PE header. 171 00:14:17,110 --> 00:14:18,640 Why do we need to parse the PE header? 172 00:14:18,640 --> 00:14:24,640 Because the PE header contains an important directory called the data directory. 173 00:14:25,420 --> 00:14:33,730 So from the data directory, you can go through the export address table, once again, this 174 00:14:33,730 --> 00:14:36,250 table over here, which is over here. 175 00:14:36,700 --> 00:14:43,510 You can then go through all the list of function names and search for it down here. 176 00:14:45,020 --> 00:14:52,980 So you can either search for it by ordinal or search for it by function name. After you have found this, the pointer 177 00:14:53,000 --> 00:14:59,110 in this variable will contain the address of the function 178 00:14:59,270 --> 00:15:00,230 that you're looking for. 179 00:15:02,090 --> 00:15:02,410 All right. 180 00:15:02,420 --> 00:15:03,490 So this is how it works. 181 00:15:03,860 --> 00:15:06,470 And also, we have a second part here. 182 00:15:06,860 --> 00:15:12,740 If the function you're looking for is a forwarded function, a forwarded function, meaning it is from another DLL, 183 00:15:12,740 --> 00:15:13,790 a DLL name dot function name. 184 00:15:14,210 --> 00:15:15,410 So in that case,
185 00:15:15,410 --> 00:15:24,080 then you will use this second part in order to perform a search on the name, in order to extract the 186 00:15:24,080 --> 00:15:24,560 function. 187 00:15:24,980 --> 00:15:31,340 And this DLL name will be passed recursively to this function, myGetProcAddress. 188 00:15:31,790 --> 00:15:34,850 And that happens down here: 189 00:15:35,120 --> 00:15:36,080 myGetProcAddress. 190 00:15:36,800 --> 00:15:43,730 So this first part of the second block here is just to split the forwarded name into two parts. 191 00:15:44,210 --> 00:15:53,870 So the DLL name is stored here as a string, followed here by the function name, stored as a string, for this 192 00:15:53,870 --> 00:15:54,350 function. 193 00:15:55,700 --> 00:16:02,750 And once you split it into two parts, you will then call myGetProcAddress to get the address of 194 00:16:02,750 --> 00:16:04,700 LoadLibrary, because you need the library. 195 00:16:05,060 --> 00:16:12,950 So this particular LoadLibrary is to load the DLL, so that GetProcAddress would be able to look for the function 196 00:16:13,640 --> 00:16:14,750 and its address. 197 00:16:15,750 --> 00:16:22,320 So that is how it works. Now for the top part here, myGetModuleHandle, this first part here is to 198 00:16:22,320 --> 00:16:22,990 obtain 199 00:16:23,010 --> 00:16:29,250 the pointer from the thread environment block, the TEB, so this function is essentially working 200 00:16:29,250 --> 00:16:35,550 on the TEB, and for 32-bit, x86, it is the FS segment. 201 00:16:36,120 --> 00:16:36,810 This is FS. 202 00:16:36,810 --> 00:16:46,950 The TEB contains the pointer to the PEB, and if it is 64-bit, this is the GS segment. The TEB contains the pointer to the 203 00:16:46,950 --> 00:16:47,490 PEB. 204 00:16:48,390 --> 00:16:54,660 So in this case, if it is 64-bit, this will run and return the pointer to the PEB. 205 00:16:54,660 --> 00:16:57,600 Once you get the PEB, you can get in.
206 00:16:58,080 --> 00:17:03,640 So with the PEB address, getting over here, this is where you go to the loader. 207 00:17:04,330 --> 00:17:11,130 The PEB contains the loader, and the loader is where it has a link to the list of DLLs. 208 00:17:11,550 --> 00:17:17,160 And once you get over here, you get the list of all the DLLs from the loader. 209 00:17:17,700 --> 00:17:20,460 You will use this to search for it in a loop. 210 00:17:21,300 --> 00:17:24,990 So this is where you search for the DLL that you want, and then return 211 00:17:24,990 --> 00:17:26,850 it. This is where you return it. 212 00:17:27,690 --> 00:17:33,090 So this is a high level view of how these two functions work. 213 00:17:34,430 --> 00:17:40,880 So that's all for this lesson. In the next video, we're going to do a practical walkthrough on all 214 00:17:40,880 --> 00:17:41,150 this. 215 00:17:41,420 --> 00:17:42,500 Thank you. Bye.