Let me start with a simple analysis of how to evade detection and removal by anti-virus software.
This is an article I wrote earlier. It is said that this technique can also be used for active defense.
.386
.model flat, stdcall
option casemap:none
include windows.inc
include user32.inc
include kernel32.inc
includelib user32.lib
includelib kernel32.lib
.data
szDllKernel  db 'user32.dll', 0
szMessageBox db 'MessageBoxA', 0
.data?
lpMessageBox dd ?
.code
start:
    ; resolve MessageBoxA at run time instead of importing it
    invoke GetModuleHandle, addr szDllKernel
    mov ebx, eax
    invoke GetProcAddress, ebx, offset szMessageBox
    mov lpMessageBox, eax
    ; MessageBoxA(hWnd, lpText, lpCaption, uType): push arguments right to left
    push MB_OK
    push 0
    push 0
    push 0
    ; push the return address by hand, then jmp instead of call
    mov eax, offset _end
    push eax
    jmp lpMessageBox        ; jmp dword ptr [lpMessageBox]
_end:
    invoke ExitProcess, 0
end start
The above code can be used in a virus to evade anti-virus software. Anti-virus software generally uses signatures to determine whether dangerous APIs are called; the code above breaks the CALL into separate instructions, a simple form of code transformation.
If the anti-virus software instead checks whether the JMP target is a dangerous API, the code can be written like this to evade it:
.code
start:
    invoke GetModuleHandle, addr szDllKernel
    mov ebx, eax
    invoke GetProcAddress, ebx, offset szMessageBox
    mov lpMessageBox, eax
    push MB_OK
    push 0
    push 0
    push 0
    mov eax, offset _end
    push eax
    ; The added code starts.
    ; the first three instructions of MessageBoxA (5 bytes), executed here instead
    mov edi, edi
    push ebp
    mov ebp, esp
    add lpMessageBox, 5     ; advance the pointer past those 5 bytes
    ; The added code ends.
    jmp lpMessageBox        ; lands inside MessageBoxA, not at its entry point
_end:
    invoke ExitProcess, 0
end start
Anti-virus software generally relies on signatures to detect viruses. For example, it may monitor calls to the MessageBox function: if you call this function, the anti-virus software assumes you intend to damage the system. So we have to find a way to avoid the anti-virus software's monitoring, but we cannot do without this function. What should we do?
Anyone who knows how a CALL works knows that the CALL instruction first pushes the address of the next instruction onto the stack and then jumps to the function entry. So the solution presents itself: we can perform this call ourselves. First, push the address of the next instruction onto the stack:
    mov eax, offset _end
    push eax
Then jump to the function entry:
    jmp lpMessageBox
In this way the anti-virus software is fooled, because the code above differs from a CALL instruction at the binary level while doing the same thing.
Some anti-virus software depends not only on patterns but also checks the target address of the jump, that is, whether your instruction jumps to an API entry point that it considers dangerous. Of course, we can fool that too: implement the first few instructions of the target API in your own program, then jump into the API function past them and continue running there. For example, I implemented the first three instructions of MessageBox in my own program and then continued execution inside MessageBox from the instruction after them.
In this way, the jump target is no longer the API function's entry address.
If the anti-virus software checks whether the jump lands in a specified region, there is an even nastier trick: allocate dynamic memory, copy the API function's code into your own 2 GB address space and run it there.
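As an added defensive example (not code from the original article), the following scanner looks for the hand-rolled call sequence described above in raw x86 code: a push of a 32-bit return address (mov eax, imm32 / push eax, or push imm32) followed by an indirect jmp dword ptr [mem], optionally with the copied hot-patch prologue and the add dword ptr [mem], 5 in between. The sample bytes, the placeholder addresses 0x00401020 and 0x00403000, and the function name find_synthetic_calls are constructed for this example.

```python
import re
from typing import Dict, List, Optional

# x86 (32-bit, no prefixes) encodings of the instructions involved:
#   B8 imm32          mov eax, imm32        \ push the return address by hand
#   50                push eax              /  (or 68 imm32: push imm32)
#   8B FF 55 8B EC    mov edi,edi / push ebp / mov ebp,esp  (copied 5-byte prologue)
#   83 05 disp32 05   add dword ptr [disp32], 5
#   FF 25 disp32      jmp dword ptr [disp32]
SYNTH_CALL = re.compile(
    rb"(?:\xB8....\x50|\x68....)"                     # return address pushed
    rb"(?:\x8B\xFF\x55\x8B\xEC\x83\x05(....)\x05)?"   # optional prologue + add [ptr], 5
    rb"\xFF\x25(....)",                               # jmp dword ptr [ptr]
    re.DOTALL,
)


def find_synthetic_calls(code: bytes) -> List[Dict]:
    """Return one record per push-then-indirect-jmp sequence found in `code`."""
    hits = []
    for m in SYNTH_CALL.finditer(code):
        jmp_ptr = int.from_bytes(m.group(2), "little")
        add_ptr: Optional[int] = (
            int.from_bytes(m.group(1), "little") if m.group(1) is not None else None
        )
        hits.append({
            "offset": m.start(),
            "length": m.end() - m.start(),
            "pointer": jmp_ptr,                 # the [mem] the jmp reads its target from
            "skips_prologue": add_ptr is not None,
            # strongest signal: the pointer patched by +5 is the one the jmp uses
            "same_pointer": add_ptr == jmp_ptr,
        })
    return hits


# Constructed sample: both variants from the article, hand-assembled with
# placeholder addresses and padded with NOPs / INT3 so the scanner must locate them.
RET = (0x00401020).to_bytes(4, "little")   # hypothetical address of _end
PTR = (0x00403000).to_bytes(4, "little")   # hypothetical address of lpMessageBox
VARIANT_1 = b"\xB8" + RET + b"\x50" + b"\xFF\x25" + PTR
VARIANT_2 = (b"\xB8" + RET + b"\x50" + b"\x8B\xFF\x55\x8B\xEC"
             + b"\x83\x05" + PTR + b"\x05" + b"\xFF\x25" + PTR)
SAMPLE = b"\x90" * 4 + VARIANT_1 + b"\xCC" * 3 + VARIANT_2 + b"\xC3"

if __name__ == "__main__":
    for hit in find_synthetic_calls(SAMPLE):
        print(hit)
```

A byte-pattern match like this is only a heuristic: a real scanner would disassemble and check whether the pointer the jmp reads holds (or holds an offset into) a resolved API address.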