Windows API Without Imports

Use sketchy Windows API functions without them showing up as imports

Using functions like VirtualAlloc, WriteProcessMemory, and CreateRemoteThread can increase the chances of EDR and AV flagging your program as malicious because these API calls are added to the import table, which the system checks before execution.

Overview

We can use our own dynamically-defined WINAPI functions at the same address as the original function to leverage them without adding to the import table. Here is an example with WriteProcessMemory:

WriteProcessMemory is defined in windows as the following:

BOOL WriteProcessMemory( 
[in] HANDLE hProcess, 
[in] LPVOID lpBaseAddress, 
[in] LPCVOID lpBuffer, 
[in] SIZE_T nSize, 
[out] SIZE_T *lpNumberOfBytesWritten 
);

In our code, we will define our own WINAPI called aWriteProcessMemory:

typedef BOOL(WINAPI* aWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);

Now we define this function at the address of the original WriteProcessMemory:

std::string apiCall = "WriteProcessMemory";
HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
aWriteProcessMemory customWriteProcessMemory = (aWriteProcessMemory)GetProcAddress(kernel32, (LPCSTR)(apiCall.c_str()));

Now replace your WriteProcessMemory call with customWriteProcessMemory:

WriteProcessMemory(hProcess, alloc, data, sizeof(data), &bytesWritten);
customWriteProcessMemory(hProcess, alloc, data, sizeof(data), &bytesWritten);

Now WriteProcessMemory won't show up in your import table!

WriteProcessMemory is absent from import table

PreviousFull Remote DLL Unhooking NextTHE PowerShell command

Last updated 2 years ago

hashtagOverview

Overview