This repository uses a technique to modify a program's Import Address Table (IAT) by replacing the imported function names with their corresponding ordinals, resulting in a binary that exclusively imports functions through ordinals.
This technique reduces the chances of the binary being successfully analyzed by sandbox systems due to the mismatch in ordinal values on the different systems. This contrast causes the Windows Loader to either fail to locate the correct function address or retrieve an incorrect function, leading to the binary being broken in the sandbox environment. Lastly, this technique makes it more challenging to reverse engineer the binary.
This repository includes two projects:
Reads a PE file from disk and overwrites its name-imported functions with their ordinal values. The generated program will only run on a system where the imported functions have the same ordinal values as the system that generated it.
- Using the
TechTestBuilder.exeprogram to generatemimikatzDRM.exe, which ismimikatz.exebut with ordinals-imported functions.
- Running
mimikatzDRM.exeon a different system than the one used to generate it, will throw the following error.
This project utilizes the DRM technique itself when first executed. This means that this binary cannot be executed on other machines as easily. OrdinalDRMBin.exe applies the following steps:
-
Checks if the local program has any name-imported functions, if no, it will skip applying the IAT patch.
-
Read itself from the disk, and convert all of the name-imported functions to be ordinal-imported.
-
Delete itself from disk.
-
Write the new image where all the functions are imported by ordinal.
- The image below shows
OrdinalDRMBin.exewithout being executed. Notice the functions are imported by name.
- The image below shows
OrdinalDRMBin.exeafter being executed. Notice the functions are now imported by their ordinals.
As mentioned, systems with the exact ordinal values for all of the imported functions of the generated implementation will be able to run the protected binary. However, the chances of this happening can be reduced by importing functions from different DLLs. The same approach used in the IAT Camouflage module can be used for this purpose.
