This project demonstrates a technique to hide LoadLibraryW from the Import Address Table (IAT) by implementing a custom API resolution mechanism. Instead of relying on direct imports, the algorithm uses:
- A custom implementation of
GetProcAddressandGetModuleHandle. - MurmurHash to hash API function names and resolve them dynamically.
- Manual module traversal to locate necessary functions without relying on static imports.
By doing this, tools like dumpbin.exe /IMPORTS or PE analysis tools will not reveal LoadLibraryW or other critical APIs in the IAT.
-
MurmurHash Hashing:
- Instead of storing function names in plaintext, they are hashed using MurmurHash.
- This prevents string-based signature detection.
-
Custom
GetProcAddress&GetModuleHandle:- Manually enumerates loaded modules to retrieve function addresses.
- Matches hashed function names to their real counterparts dynamically.
-
IAT Evasion:
LoadLibraryWis called dynamically via the custom resolver instead of being linked in the IAT.- This ensures that
dumpbin.exe /IMPORTSdoes not displayLoadLibraryWor other dynamically loaded functions.
- Prevents Static Analysis: Tools like IDA Pro, Ghidra, and PEView won't see
LoadLibraryWin the import table. - Anti-Reversing Technique: Since function resolution is done at runtime, traditional IAT hooking techniques fail.
- Resistant to String Signatures: Using MurmurHash instead of plain strings makes it harder for malware analysis tools to detect the functions being resolved.
- Compile the project with your preferred compiler (
cl.exe,gcc,clang). - Run the executable and observe that
LoadLibraryWis successfully invoked without being in the IAT. - Verify using:
dumpbin.exe /IMPORTS <executable>
You won't see LoadLibraryW.
This project is for educational purposes only. It demonstrates defensive coding techniques for obfuscation and security research. Do not use it for malicious activities.