Windows API Without Imports

Use sketchy Windows API functions without them showing up as imports

Using functions like VirtualAlloc, WriteProcessMemory, and CreateRemoteThread can increase the chances of EDR and AV flagging your program as malicious, because calling them directly adds them to the executable's import table, which can be inspected statically before the program ever runs.

Overview

We can declare our own function-pointer type with the same signature as the WINAPI function, resolve the real function's address at run time, and call through that pointer. The function is still the original one, at its original address, but the call never appears in the import table. Here is an example with WriteProcessMemory:

[Image: import table of the EXE, listed with the following command]
dumpbin /imports [EXE FILE]

  1. WriteProcessMemory is declared by Windows as follows:

BOOL WriteProcessMemory(
  [in]  HANDLE  hProcess,
  [in]  LPVOID  lpBaseAddress,
  [in]  LPCVOID lpBuffer,
  [in]  SIZE_T  nSize,
  [out] SIZE_T  *lpNumberOfBytesWritten
);

  2. In our code, we define a function-pointer type with the same parameters and calling convention, named aWriteProcessMemory:

// Function-pointer type matching WriteProcessMemory's signature (WINAPI is the __stdcall convention).
typedef BOOL(WINAPI* aWriteProcessMemory)(HANDLE, LPVOID, LPCVOID, SIZE_T, SIZE_T*);

  3. Now we resolve the address of the real WriteProcessMemory at run time and store it in a pointer of that type:

#include <windows.h>
#include <string>

std::string apiCall = "WriteProcessMemory";
// kernel32.dll is already mapped into every Win32 process, so GetModuleHandleA only looks it up.
HMODULE kernel32 = GetModuleHandleA("kernel32.dll");
// GetProcAddress returns a FARPROC, which we cast to our matching pointer type.
aWriteProcessMemory customWriteProcessMemory = (aWriteProcessMemory)GetProcAddress(kernel32, (LPCSTR)(apiCall.c_str()));
// Both calls return NULL on failure; check customWriteProcessMemory before calling through it.

  4. Replace the direct WriteProcessMemory call with a call through customWriteProcessMemory:

// before: resolved by the loader, so the name is listed in the import table
WriteProcessMemory(hProcess, alloc, data, sizeof(data), &bytesWritten);
// after: resolved at run time, so it is not
customWriteProcessMemory(hProcess, alloc, data, sizeof(data), &bytesWritten);

  5. Now WriteProcessMemory won't show up in your import table!

Note what this does and does not change: the name "WriteProcessMemory" still sits in the binary as a plaintext string (it is the apiCall literal), and GetModuleHandleA and GetProcAddress themselves remain in the import table. Both are artifacts a scanner or analyst can key on.

[Image: the import table no longer contains WriteProcessMemory]
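The following is an added example, not code from the original page: a small Python heuristic a defender can run over a binary to spot the pattern the steps above produce. It mimics what `strings` does (runs of printable ASCII), then flags a file that both imports a resolver such as GetProcAddress or GetModuleHandleA and carries a watch-listed API name as a bare string rather than as an import. The watch-list, the resolver list and the two byte blobs standing in for compiled binaries are all constructed for this example.

```python
import re
from typing import Dict, List

# Constructed watch-list of the APIs the page names as commonly flagged. Any of these
# showing up as a plain string suggests it is resolved at run time instead of imported.
WATCHLIST = ("VirtualAlloc", "VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")

# APIs a program must still import in order to resolve other functions at run time.
RESOLVERS = ("GetModuleHandleA", "GetModuleHandleW", "GetProcAddress", "LoadLibraryA", "LoadLibraryW")


def extract_strings(blob: bytes, min_len: int = 4) -> List[str]:
    """Return every run of printable ASCII of at least min_len bytes, like the `strings` tool."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_runtime_resolved_apis(blob: bytes) -> Dict[str, object]:
    """Flag a blob that carries watch-listed API names as strings alongside resolver imports.

    Matching is exact against whole strings (not substrings) so that, for example,
    "VirtualAllocEx" does not also register as a hit for "VirtualAlloc".
    """
    found = set(extract_strings(blob))
    resolvers = sorted(name for name in RESOLVERS if name in found)
    hits = sorted(name for name in WATCHLIST if name in found)
    return {
        "resolvers": resolvers,
        "watchlist_hits": hits,
        "suspicious": bool(resolvers and hits),
    }


def scan_file(path: str) -> Dict[str, object]:
    """Convenience wrapper: run the heuristic over a file on disk."""
    with open(path, "rb") as fh:
        return find_runtime_resolved_apis(fh.read())


# Constructed stand-in for a compiled binary: an import-name table holding only the resolver
# APIs, plus the "WriteProcessMemory" literal that the page's apiCall string leaves in .rdata.
SAMPLE_BINARY = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"KERNEL32.dll\x00GetModuleHandleA\x00GetProcAddress\x00ExitProcess\x00"
    + b"\x00" * 8
    + b"WriteProcessMemory\x00"
    + b"\x00" * 8
    + b"kernel32.dll\x00"
)

# Constructed benign stand-in: imports a resolver but never names a watch-listed API.
BENIGN_BINARY = b"MZ\x90\x00" + b"\x00" * 16 + b"KERNEL32.dll\x00GetProcAddress\x00ExitProcess\x00"

if __name__ == "__main__":
    print(find_runtime_resolved_apis(SAMPLE_BINARY))
    print(find_runtime_resolved_apis(BENIGN_BINARY))
```

This is a triage signal, not a verdict: plenty of legitimate software resolves APIs through GetProcAddress, and a string scan only sees names stored in plaintext. A proper check parses the PE import directory and compares the imported names against the strings found, but the pairing shown here (resolver imported, sensitive name present only as a string) is exactly the artifact the technique on this page leaves behind.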
