Windows Python / API Obfuscation
Author | Unprotect
Platform | Windows
Language | Python
Technique | API Obfuscation
Description:
In this code, a hash function is used to obfuscate the names of the APIs that are resolved at run time through the kernel32.dll library. Instead of plaintext strings, the code carries the 32-bit hash of each API name and resolves the target with the GetProcAddress and LoadLibrary functions. When the code is disassembled, the actual API names are not present; only the hashed values appear, so an analyst has to recover the names by hashing candidate export names and comparing the results.
Code
```python
import ctypes

# Hash function to obfuscate the API names (djb2, reduced modulo 2**32).
# Renamed from `hash` so it does not shadow the Python builtin.
def api_hash(name):
    h = 5381
    for c in name:
        h = (h * 33 + ord(c)) % 2**32
    return h

# Load the kernel32.dll library and obtain a real module handle for it
kernel32 = ctypes.windll.kernel32
kernel32.GetModuleHandleA.restype = ctypes.c_void_p
kernel32.GetProcAddress.restype = ctypes.c_void_p
hKernel32 = kernel32.GetModuleHandleA(b"kernel32.dll")

# Use the hash function to obfuscate the names of the APIs we want to call.
# Note: GetProcAddress only accepts a plaintext name or an ordinal, so a hashed
# value has to be matched against the module's export names before it can be
# resolved; these calls show the hashing step, not the export-table comparison.
lpLoadLibraryA = kernel32.GetProcAddress(hKernel32, api_hash("LoadLibraryA"))

# Call LoadLibraryA through the resolved address to load user32.dll
LoadLibraryA = ctypes.WINFUNCTYPE(ctypes.c_void_p, ctypes.c_char_p)(lpLoadLibraryA)
hUser32 = LoadLibraryA(b"user32.dll")

# MessageBoxA lives in user32.dll, so it is resolved from that handle
lpMessageBoxA = kernel32.GetProcAddress(hUser32, api_hash("MessageBoxA"))
MessageBoxA = ctypes.WINFUNCTYPE(ctypes.c_int, ctypes.c_void_p, ctypes.c_char_p,
                                 ctypes.c_char_p, ctypes.c_uint)(lpMessageBoxA)
MessageBoxA(None, b"Hello World!", b"API Hashing", 0)

# Clean up: release the user32.dll reference taken by LoadLibraryA
kernel32.FreeLibrary(hUser32)
```
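From the analyst's side, the hashes are recovered by precomputing the same djb2 hash over candidate export names and matching them against dword constants found in the sample. The following is an added example (not part of the Unprotect entry); the candidate API list and the byte blob standing in for a code section are constructed for the demonstration.

```python
import struct

def djb2(name: str) -> int:
    """Same hash as the snippet above: djb2, truncated to 32 bits."""
    h = 5381
    for c in name:
        h = (h * 33 + ord(c)) & 0xFFFFFFFF
    return h

# Constructed candidate list; in practice feed every export name of the
# modules the sample is expected to touch (kernel32.dll, user32.dll, ...).
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "MessageBoxA", "VirtualAlloc",
    "CreateFileA", "WriteFile", "ExitProcess",
]

def build_hash_table(names):
    """Map hash -> API name so a constant seen in a sample can be resolved."""
    return {djb2(n): n for n in names}

def find_hashed_apis(blob: bytes, table) -> dict:
    """Slide a 4-byte window over the blob and report every little-endian
    dword equal to a known hash, keyed by the offset where it was found."""
    hits = {}
    for off in range(len(blob) - 3):
        (val,) = struct.unpack_from("<I", blob, off)
        if val in table:
            hits[off] = table[val]
    return hits

def make_sample_blob() -> bytes:
    """Constructed stand-in for a code section: filler bytes around two
    immediates such as a compiler would emit for `cmp eax, <hash>`."""
    return (b"\x90" * 5 + struct.pack("<I", djb2("LoadLibraryA"))
            + b"\x31\xc0" + struct.pack("<I", djb2("MessageBoxA")) + b"\xc3")

if __name__ == "__main__":
    table = build_hash_table(CANDIDATE_APIS)
    for off, name in sorted(find_hashed_apis(make_sample_blob(), table).items()):
        print(f"offset {off:#06x}: {name}")
```

The same table lookup works on constants pulled from a disassembler listing, which is the usual way such strings are restored during triage.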
Created
December 6, 2022
Last Revised
April 22, 2024