APICallProxy
This project is for Windows API call obfuscation: it makes static and dynamic analysis of a program harder, and makes it harder to recognize and extract the sequence of Windows APIs the application calls.
It is a kernel proxy that gives the developer the ability to proxy Windows API calls and hide them behind the DeviceIoControl() API, so instead of calling CreateFile() you call DeviceIoControl(, IOCTL_API_PROXY_CREATEFILE, ), and an API monitor tool or a sandbox that hooks or logs user-mode APIs sees only a sequence of DeviceIoControl() calls. Note what this does and does not hide: the proxied operations are still performed by the driver in the kernel, so kernel-side telemetry (process, thread and object callbacks, ETW) still observes them; the IOCTL codes passed to DeviceIoControl() are still visible to the monitor; and the driver has to be loaded first, which on x64 Windows means a signed driver or a Driver Signature Enforcement (DSE) bypass.
To make it clearer: for APC injection you would normally call this sequence of APIs: OpenProcess(), VirtualAllocEx(), WriteProcessMemory(), OpenThread(), QueueUserAPC()
But with APICallProxy the API calls look like this:
1- DeviceIoControl(,IOCTL_API_PROXY_OPEN_PROCESS,)
2- DeviceIoControl(,IOCTL_API_PROXY_ALLOCATE_MEMORY_IN_PROCESS_USING_HANDLE,)
3- DeviceIoControl(,IOCTL_API_PROXY_WRITE_PROCESS_MEMORY,)
4- DeviceIoControl(,IOCTL_API_PROXY_OPEN_THREAD,)
5- DeviceIoControl(,IOCTL_API_PROXY_QUEUE_APC,)
To use it, all you need to do is call DeviceIoControl() with the appropriate IOCTL code instead of calling the normal Windows API such as CreateFile, WriteFile, OpenProcess, ...
I created sample clients that do the following:
1- APCInjection.exe : APC injection
2- DisableDSE.exe : Sample code to disable Driver Signature Enforcement (DSE), tested on Windows 10 21H1 (it might crash on other Windows versions)
3- RegisterLoadDriver.exe : Register and load a driver using DeviceIoControl()
4- WinsockServer.exe : WinSock server, same as the Microsoft sample implementation (https://docs.microsoft.com/en-us/windows/win32/winsock/complete-server-code)
5- WinsockClient.exe : WinSock client, same as the Microsoft sample implementation (https://docs.microsoft.com/en-us/windows/win32/winsock/complete-client-code)
6- ReverseShellClient.exe : Reverse shell client
7- ReverseShellServer.exe : Reverse shell server (it supports commands of up to 99 characters, which can be increased in the code), for example: powershell.exe -encodedCommand "Base64 Script"
Note that the APC injection client (APCInjector.exe) only works as an x64 application on x64 Windows, because the shellcode is x64.
I tested the driver and the clients on Windows 10 x64 and Windows 8.1 x64/x86.
Note that the network operations only support TCP connections for now; UDP will be added later.
Communication between the driver and user mode uses METHOD_NEITHER. I made it very easy to change the transfer method (METHOD_BUFFERED, ...): you only need to change a couple of lines in the source code and it will work normally. Keep in mind what METHOD_NEITHER means for the driver: the I/O manager copies and validates nothing, the driver receives the raw user-mode input and output pointers, and it must probe them (ProbeForRead/ProbeForWrite) inside a __try/__except block before use, since a malformed request from any process that can open the device can otherwise crash the system or turn the proxy into an arbitrary kernel read/write primitive.
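The client side of the APC injection sequence above, together with the METHOD_NEITHER point, as an added example that is not code from the APICallProxy project: it reproduces the bit layout of the Windows CTL_CODE macro so the block compiles without the Windows SDK, assigns assumed function numbers to the five IOCTL_API_PROXY_* codes (the real driver's numbers, its request and response layouts and the device name \\.\APICallProxy are not on this page and are assumptions here), decodes a code back into its fields the way an analyst would when a trace shows only DeviceIoControl() calls, and, when built on Windows, issues the proxied OpenProcess through DeviceIoControl().

```c
/*
 * Added example, not code from the APICallProxy project.
 * Assumptions: the device type (FILE_DEVICE_UNKNOWN), the function numbers
 * 0x800-0x804, the request/response structs and the device name
 * \\.\APICallProxy are invented for illustration; the real driver defines
 * its own in its header.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>   /* the SDK's winioctl.h provides CTL_CODE and friends */
#endif

#ifndef CTL_CODE
/* Bit layout of CTL_CODE from winioctl.h / ntddk.h, reproduced so the block
 * compiles anywhere: [31..16] device type, [15..14] required access,
 * [13..2] function number, [1..0] transfer method. */
#define FILE_DEVICE_UNKNOWN 0x00000022u
#define METHOD_BUFFERED     0u
#define METHOD_IN_DIRECT    1u
#define METHOD_OUT_DIRECT   2u
#define METHOD_NEITHER      3u
#define FILE_ANY_ACCESS     0u
#define CTL_CODE(DeviceType, Function, Method, Access) \
    (((uint32_t)(DeviceType) << 16) | ((uint32_t)(Access) << 14) | \
     ((uint32_t)(Function) << 2) | (uint32_t)(Method))
#endif

/* Assumed code assignments for the APC injection sequence in the README.
 * Function numbers 0x800 and above are the range reserved for third-party
 * drivers, so a proxy driver like this one would use them. */
#define IOCTL_API_PROXY_OPEN_PROCESS \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x800, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_API_PROXY_ALLOCATE_MEMORY_IN_PROCESS_USING_HANDLE \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x801, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_API_PROXY_WRITE_PROCESS_MEMORY \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x802, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_API_PROXY_OPEN_THREAD \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x803, METHOD_NEITHER, FILE_ANY_ACCESS)
#define IOCTL_API_PROXY_QUEUE_APC \
    CTL_CODE(FILE_DEVICE_UNKNOWN, 0x804, METHOD_NEITHER, FILE_ANY_ACCESS)

/* Assumed request layout for the proxied OpenProcess. With METHOD_NEITHER the
 * I/O manager copies nothing: the driver receives this struct's user-mode
 * address in Parameters.DeviceIoControl.Type3InputBuffer and the output
 * address in Irp->UserBuffer, and must ProbeForRead/ProbeForWrite both inside
 * __try/__except before dereferencing them. */
typedef struct {
    uint32_t process_id;
    uint32_t desired_access;   /* e.g. PROCESS_ALL_ACCESS */
} proxy_open_process_req;

typedef struct {
    uint64_t handle;           /* handle created in the kernel for the caller */
} proxy_open_process_out;

typedef struct {
    uint32_t device_type;
    uint32_t access;
    uint32_t function;
    uint32_t method;
} ioctl_fields;

/* Split an IOCTL value back into its fields (the inverse of CTL_CODE). */
ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (code >> 16) & 0xFFFFu;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2)  & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* True when the function number is in the third-party range (>= 0x800): a
 * quick triage filter for DeviceIoControl traffic to an unfamiliar device. */
int is_vendor_ioctl(uint32_t code)
{
    return decode_ioctl(code).function >= 0x800u;
}

/* Render a code the way an analyst would annotate it in a trace. */
int describe_ioctl(uint32_t code, char *out, size_t out_len)
{
    static const char *methods[] = { "BUFFERED", "IN_DIRECT", "OUT_DIRECT", "NEITHER" };
    ioctl_fields f = decode_ioctl(code);
    return snprintf(out, out_len, "0x%06X device=0x%X function=0x%X method=%s access=%u",
                    code, f.device_type, f.function, methods[f.method], f.access);
}

#ifdef _WIN32
/* Client-side call as the README describes it: DeviceIoControl() in place of
 * OpenProcess(). Returns nonzero on success and the handle in *out. */
int proxy_open_process(HANDLE dev, DWORD pid, DWORD access, HANDLE *out)
{
    proxy_open_process_req req = { pid, access };
    proxy_open_process_out res = { 0 };
    DWORD returned = 0;
    if (!DeviceIoControl(dev, IOCTL_API_PROXY_OPEN_PROCESS, &req, sizeof req,
                         &res, sizeof res, &returned, NULL))
        return 0;
    *out = (HANDLE)(uintptr_t)res.handle;
    return 1;
}
#endif

int main(void)
{
    const uint32_t chain[] = {
        IOCTL_API_PROXY_OPEN_PROCESS,
        IOCTL_API_PROXY_ALLOCATE_MEMORY_IN_PROCESS_USING_HANDLE,
        IOCTL_API_PROXY_WRITE_PROCESS_MEMORY,
        IOCTL_API_PROXY_OPEN_THREAD,
        IOCTL_API_PROXY_QUEUE_APC,
    };
    char line[128];
    for (size_t i = 0; i < sizeof chain / sizeof chain[0]; i++) {
        describe_ioctl(chain[i], line, sizeof line);
        printf("%zu- DeviceIoControl(, %s ,)\n", i + 1, line);
    }
#ifdef _WIN32
    /* Device name is an assumption; the real driver names its own symlink. */
    HANDLE dev = CreateFileA("\\\\.\\APICallProxy", GENERIC_READ | GENERIC_WRITE, 0,
                             NULL, OPEN_EXISTING, 0, NULL);
    if (dev != INVALID_HANDLE_VALUE) {
        HANDLE target;
        if (proxy_open_process(dev, GetCurrentProcessId(), PROCESS_ALL_ACCESS, &target))
            CloseHandle(target);
        CloseHandle(dev);
    }
#endif
    return 0;
}
```

Built on Windows it opens the device and issues one proxied OpenProcess against the current process; built elsewhere it only prints the decoded chain. The decoder is the defender's half of the README's claim: a trace that shows nothing but DeviceIoControl() calls still shows the IOCTL values, and a run of METHOD_NEITHER codes with third-party function numbers against a device that belongs to no known Windows driver is itself worth alerting on.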
Windows API:
- CreateFile
- OpenFile
- DeleteFile
- WriteFile
- ReadFile
- OpenProcess
- TerminateProcess
- OpenThread
- CloseHandle
- GetFileSize
- ZwQuerySystemInformation
- ZwAllocateVirtualMemory
- ZwFreeVirtualMemory
- VirtualProtectEx
- WriteProcessMemory
- ReadProcessMemory
- NtSuspendProcess
- NtResumeProcess
- ZwCreateSection
- ZwOpenSection
- ZwMapViewOfSection
- ZwUnmapViewOfSection
- SetThreadContext
- GetThreadContext
- CreateThread
- CreateRemoteThread
- ResumeThread
- SuspendThread
- RegCreateKey
- RegDeleteKey
- RegQueryValue
- RegSetValue
- ZwLoadDriver
- ZwUnloadDriver
- WSAStartup
- WSACleanup
- GetAddrInfo
- FreeAddrInfo
- Socket
- CloseSocket
- Connect
- Listen
- Bind
- Accept
- Send
- Recv
- Get_ProcessID_From_Process_Name (not a Windows API, but a useful utility; ZwQuerySystemInformation can be used to do the same)
Note that this project is for educational purposes only.
References:
https://github.com/hfiref0x/DSEFix
https://github.com/wbenny/KSOCKET
License:
MIT