Is it possible to rename win32api functions in C++?

I'm curious because I want to obfuscate my program's function names.

I'm open to any method to rename.

Say I have a function:

    somewin32apifunc();

How could I rename it to:

    renamedwin32apifunc();

Redslev
  • What do you mean by "rename"? – RbMm Jan 12 '20 at 08:33
  • I edited to represent what I'm looking for. – Redslev Jan 12 '20 at 08:35
  • You can use macros (`#define`) or function pointers. – ikegami Jan 12 '20 at 08:35
  • If anyone can provide a working example/answer I'll accept it. – Redslev Jan 12 '20 at 08:38
  • Technically, someone already did – ikegami Jan 12 '20 at 08:38
  • And? *Where* do you want such a "rename"? How do you want this to "work"? Different protectors exist, VMProtect for example. You could try using it. – RbMm Jan 12 '20 at 08:40
  • @AndreasWenzel Obfuscating source code in C/C++ doesn't make any sense. – RbMm Jan 12 '20 at 08:49
  • Are you talking about obfuscating your source code? Or rather the contents of the produced .exe file so that it cannot be disassembled so easily (i.e. function import tables, etc.)? – Andreas Wenzel Jan 12 '20 at 08:51
  • @AndreasWenzel I'm looking to obfuscate the binary .exe , so yes that it cannot be reverse engineered so easily. So that the win32api calls are undetected. – Redslev Jan 12 '20 at 08:51
  • @kay: C and C++ are indeed different languages. Yet they share the same build model. This question is focused on linking, which is, by and large, identical between C and C++. Using both tags on this question is valid and useful. – IInspectable Jan 12 '20 at 09:16
  • If you want to provide a *serious* challenge for reverse engineers, use a tool like [M/o/Vfuscator](https://github.com/xoreaxeaxeax/movfuscator). Don't worry about the imports; a reverse engineer will give up way before they even get there. – IInspectable Jan 12 '20 at 09:18
  • It's possible, you can specify imported functions by name or by ordinal. The .lib files you got from Microsoft use the name. Creating your own .lib files is not a lot of fun, google "create .lib file from .def file" for the critical step. You don't have to obfuscate all of them if you still link the Microsoft .lib file. It just obfuscates, the hacker can still figure out the function from the number with enough effort. But it certainly helps him to give up quickly, reversing compiled c++ is already highly unpractical. – Hans Passant Jan 12 '20 at 10:08

1 Answer

You cannot rename functions in the function import table, but you can circumvent it altogether by calling LoadLibrary and GetProcAddress yourself on kernel32.dll, user32.dll, etc. Then, you can call the Win32 API functions through the returned function pointers.

That way, the only two functions that will have to be imported will be LoadLibraryA and GetProcAddress.

This will make it harder (but by no means impossible!) to reverse-engineer your executable file.

See this question for more general information on protecting your executable file from reverse-engineering.

Andreas Wenzel
  • @red: [Using Run-Time Dynamic Linking](https://learn.microsoft.com/en-us/windows/win32/dlls/using-run-time-dynamic-linking). – IInspectable Jan 12 '20 at 09:19
  • @IInspectable: Thanks for providing that link. That saved me the effort of writing an example. All that is required to adapt that example is that "MyPuts.dll" must be renamed to "kernel32.dll" or "user32.dll" or whatever DLL that exports the Win32 API function, and "myPuts" must be renamed to the function name, for example "GetWindowTextA". One other thing that must be changed is "_cdecl" must be changed to "_stdcall", because the Win32 API uses that calling convention for nearly all function calls. – Andreas Wenzel Jan 12 '20 at 09:36
  • You'll also need to provide the correct function pointer signatures. – IInspectable Jan 12 '20 at 09:41
  • I believe using `_stdcall` is only necessary in 32-bit code, not 64-bit. – Andreas Wenzel Jan 12 '20 at 09:48
  • For x64, Windows' ABI only has a single [calling convention](https://learn.microsoft.com/en-us/cpp/build/x64-calling-convention) that doesn't have a name. While you can use [`__stdcall`](https://learn.microsoft.com/en-us/cpp/cpp/stdcall) when targeting x64 (or ARM), it silently gets ignored. – IInspectable Jan 12 '20 at 10:52
  • Could you provide an example of "__stdcall" in a context related to the question? – Redslev Jan 12 '20 at 11:42
  • @red: The link in my previous comment does. – IInspectable Jan 12 '20 at 13:14
  • Do you know which .dll contains the win32api functions? – Redslev Jan 12 '20 at 13:17
  • No one dll, but many dlls, kernel32.dll - kernel stuff, user32.dll - window related stuff, gdi32.dll - graphics stuff, shell32.dll - shell and explorer, etc – user2120666 Jan 12 '20 at 13:27
  • @Redslev: The documentation of each individual Windows API function always states the DLL in which it is stored. – Andreas Wenzel Jan 12 '20 at 14:02
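
What an analyst sees when a binary follows the answer above, as an added example that is not part of the original thread: the import table shrinks to `LoadLibraryA` and `GetProcAddress`, but the API names passed to `GetProcAddress` remain as plain strings in the file. The import set is assumed to come from a PE parser or `dumpbin /imports`; `sample_image`, `hidden_api_names` and the byte blob are constructed for illustration.

```cpp
#include <cstddef>
#include <iostream>
#include <set>
#include <string>
#include <vector>

// Printable-ASCII runs of at least min_len bytes, like the `strings` utility.
std::vector<std::string> ascii_strings(const std::string& image, std::size_t min_len = 4) {
    std::vector<std::string> out;
    std::string run;
    for (unsigned char c : image) {
        if (c >= 0x20 && c < 0x7f) { run += static_cast<char>(c); continue; }
        if (run.size() >= min_len) out.push_back(run);
        run.clear();
    }
    if (run.size() >= min_len) out.push_back(run);
    return out;
}

// API names stored as data strings but missing from the import table.
std::vector<std::string> hidden_api_names(const std::string& image,
                                          const std::set<std::string>& imports,
                                          const std::set<std::string>& known_apis) {
    std::set<std::string> found;  // sorted, de-duplicated
    for (const std::string& s : ascii_strings(image))
        if (known_apis.count(s) && !imports.count(s)) found.insert(s);
    return std::vector<std::string>(found.begin(), found.end());
}

// True when the import table carries the run-time resolver pair from the answer.
bool imports_resolver_pair(const std::set<std::string>& imports) {
    return imports.count("GetProcAddress") > 0 &&
           (imports.count("LoadLibraryA") > 0 || imports.count("LoadLibraryW") > 0);
}

// Constructed sample bytes (not a real PE file): names sit between non-printable bytes.
std::string sample_image() {
    static const char raw[] = "\x4d\x5a\x90\x00" "user32.dll\0" "\x01\x02"
                              "GetWindowTextA\0" "\xff" "MessageBoxA\0abc";
    return std::string(raw, sizeof(raw) - 1);
}

int main() {
    const std::set<std::string> imports = {"LoadLibraryA", "GetProcAddress"};  // assumed parser output
    const std::set<std::string> known = {"GetWindowTextA", "MessageBoxA", "CreateFileA"};
    if (imports_resolver_pair(imports))
        for (const std::string& name : hidden_api_names(sample_image(), imports, known))
            std::cout << "resolved at run time: " << name << '\n';
    return 0;
}
```

The match is exact on each extracted string, so it only catches names stored as plain NUL-terminated text, which is how the approach in the answer stores them.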