Obfuscate calls to imports by patching in stubs. ICO works on both X86 and X64 binaries.

Overview

ImportCallObfuscator (ICO)

How it works

ICO adds a new section to the image, then builds a stub for each import and places it in that section. Each stub uses an extremely basic routine to decrypt the RVA of its import.

ICO then searches for CALL NEAR instructions whose destination lies within the IAT and replaces each one with a relative near call (opcode E8) to the newly generated import stub. Because the replacement is one byte shorter, one byte is left over: it can be NOP'd or, as ICO does, used to break disassemblers.

Each import stub increments by one the return address that the CALL instruction pushed onto the stack, so the leftover byte is never executed. ICO fills that byte with a random value, which in turn confuses disassemblers into decoding a (usually) invalid instruction sequence.
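The redirect described above leaves a recognisable pattern for an analyst: a 5-byte E8 call whose target lies in a section the original image did not have, followed by one byte that execution skips. The scan below is an added example, not part of ICO; it runs over a constructed code blob with an in-memory section table, and the section layout and the `.stub` name are assumptions.

```python
import struct

# Constructed section table: (name, rva, size, executable). The last entry
# stands in for the section an ICO-style patcher appends for its stubs
# (the ".stub" name is an assumption, not something ICO is known to use).
SECTIONS = [
    (".text", 0x1000, 0x1000, True),
    (".rdata", 0x2000, 0x1000, False),
    (".stub", 0x3000, 0x0100, True),
]


def section_for(rva):
    """Return the name of the section containing rva, or None."""
    for name, start, size, _ in SECTIONS:
        if start <= rva < start + size:
            return name
    return None


def find_redirected_import_calls(code, code_rva, code_section=".text"):
    """Flag E8 rel32 calls whose target leaves the original code section.
    Returns (call_rva, target_rva, skipped_byte, resume_rva) per hit, where
    resume_rva is call_rva + 6: the stub bumps the pushed return address
    (call_rva + 5) by one, so execution continues after the skipped byte."""
    hits = []
    for i in range(len(code) - 4):
        if code[i] != 0xE8:
            continue
        rel = struct.unpack_from("<i", code, i + 1)[0]
        call_rva = code_rva + i
        target = (call_rva + 5 + rel) & 0xFFFFFFFF
        dest = section_for(target)
        if dest is not None and dest != code_section:
            skipped = code[i + 5] if i + 5 < len(code) else None
            hits.append((call_rva, target, skipped, call_rva + 6))
    return hits


# Constructed code at RVA 0x1000: a patched import call to the stub at
# 0x3010 (with junk byte 0xC7 after it), a normal intra-section call to
# 0x1200, and an untouched FF 15 IAT call into .rdata for comparison.
SAMPLE_CODE = (
    b"\x90"
    + b"\xE8" + struct.pack("<i", 0x3010 - (0x1001 + 5)) + b"\xC7"
    + b"\xE8" + struct.pack("<i", 0x1200 - (0x1007 + 5)) + b"\xC3"
    + b"\xFF\x15" + struct.pack("<i", 0x2108 - (0x100D + 6))
)

if __name__ == "__main__":
    for call, target, junk, resume in find_redirected_import_calls(SAMPLE_CODE, 0x1000):
        print(f"call @ {call:#x} -> {target:#x} ({section_for(target)}), "
              f"skipped byte {junk:#04x}, resumes @ {resume:#x}")
```

A byte-wise sweep like this will also match 0xE8 inside immediates or data, so treat hits as a triage signal and confirm with a real disassembly.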

Build

In order to use ICO, pepp and spdlog need to be included so that the main file compiles successfully. Dropping a file onto the program then produces a file in the same directory named {file}.crypt.exe.

Examples

(Example screenshots EX1 and EX2; images not reproduced here.)

Limitations

  • Will not work on DLLs. The import stubs read the PEB and use its ImageBaseAddress variable as the module base. This can be trivially fixed by changing the shellcode to use a known variable for the module base address.