From a49d731df87554784e9cac107ca2cd0b2dd1445b Mon Sep 17 00:00:00 2001
From: jp9000
Date: Mon, 10 Nov 2014 01:21:50 -0800
Subject: [PATCH] win-capture: Add obfuscation functions

This adds obfuscation functions primarily for use with GetProcAddress. This takes an obfuscated string and uses a simple integer key to de-obfuscate it to the intended function name string, which is then loaded dynamically using GetProcAddress. This is typically only used with functions such as OpenProcess, SetWindowsHookEx, and the like, which can often be misinterpreted the wrong way by security programs if those strings are found within the strings segment of a scanned executable.
---
 plugins/win-capture/CMakeLists.txt | 2 ++
 plugins/win-capture/obfuscate.c | 38 ++++++++++++++++++++++++++++++
 plugins/win-capture/obfuscate.h | 15 ++++++++++++
 3 files changed, 55 insertions(+)
 create mode 100644 plugins/win-capture/obfuscate.c
 create mode 100644 plugins/win-capture/obfuscate.h

diff --git a/plugins/win-capture/CMakeLists.txt b/plugins/win-capture/CMakeLists.txt
index f7f090f20..a3a4da478 100644
--- a/plugins/win-capture/CMakeLists.txt
+++ b/plugins/win-capture/CMakeLists.txt
@@ -1,11 +1,13 @@
 project(win-capture)
 set(win-capture_HEADERS
+ obfuscate.h
 window-helpers.h
 dc-capture.h)
 set(win-capture_SOURCES
 dc-capture.c
+ obfuscate.c
 window-helpers.c
 monitor-capture.c
 window-capture.c
diff --git a/plugins/win-capture/obfuscate.c b/plugins/win-capture/obfuscate.c
new file mode 100644
index 000000000..10d6e7794
--- /dev/null
+++ b/plugins/win-capture/obfuscate.c
@@ -0,0 +1,38 @@
+#define _CRT_SECURE_NO_WARNINGS
+#pragma warning(disable : 4152) /* casting func ptr to void */
+#include
+#include
+#include "obfuscate.h"
+
+#define LOWER_HALFBYTE(x) ((x) & 0xF)
+#define UPPER_HALFBYTE(x) (((x) >> 4) & 0xF)
+
+static void deobfuscate_str(char *str, uint64_t val)
+{
+ uint8_t *dec_val = (uint8_t*)&val;
+ int i = 0;
+
+ while (*str != 0) {
+ int pos = i / 2;
+ bool bottom = (i % 2) == 0;
+ uint8_t *ch = (uint8_t*)str;
+ uint8_t xor = bottom ?
+ LOWER_HALFBYTE(dec_val[pos]) :
+ UPPER_HALFBYTE(dec_val[pos]);
+
+ *ch ^= xor;
+
+ if (++i == sizeof(uint64_t) * 2)
+ i = 0;
+
+ str++;
+ }
+}
+
+void *get_obfuscated_func(HMODULE module, const char *str, uint64_t val)
+{
+ char new_name[128];
+ strcpy(new_name, str);
+ deobfuscate_str(new_name, val);
+ return GetProcAddress(module, new_name);
+}
diff --git a/plugins/win-capture/obfuscate.h b/plugins/win-capture/obfuscate.h
new file mode 100644
index 000000000..324924a78
--- /dev/null
+++ b/plugins/win-capture/obfuscate.h
@@ -0,0 +1,15 @@
+#pragma once
+
+#include
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* this is a workaround to A/Vs going crazy whenever certain functions (such as
+ * OpenProcess) are used */
+extern void *get_obfuscated_func(HMODULE module, const char *str, uint64_t val);
+
+#ifdef __cplusplus
+}
+#endif
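Review bot: `strcpy(new_name, str)` in get_obfuscated_func copies a caller-supplied string into the fixed 128-byte stack buffer `new_name` with no length check, so an encoded name of 128 bytes or more overruns the stack, and the `_CRT_SECURE_NO_WARNINGS` define at the top of the file only silences the compiler's warning about exactly this call. Callers presumably pass compile-time constants, but the bound belongs in the function: `if (strlen(str) >= sizeof new_name) return NULL;` before the copy, or `snprintf(new_name, sizeof new_name, "%s", str);` with the same check on its return value. deobfuscate_str reads the key through `(uint8_t*)&val`, so the nibble sequence depends on host byte order; a comment such as `/* key bytes are consumed in memory order (little-endian on Windows); the encoder must use the same layout */` above the `dec_val` declaration would pin the contract the encoded strings rely on. The decoded name is also left in `new_name` on the stack after the GetProcAddress call, which is fine for a non-secret, but worth a one-line comment so nobody later assumes the buffer is scrubbed.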
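Review bot: The comment on the `get_obfuscated_func` declaration in obfuscate.h explains why the function exists but not its contract: `str` must be an encoded export name shorter than the 128-byte buffer the implementation copies it into, `val` is the 64-bit key whose 16 nibbles are XORed cyclically against the bytes of `str` in memory order, and the return value is whatever GetProcAddress returns for the decoded name (NULL when the export is not found). A Doxygen block stating those three points, plus a sentence that the encoding only keeps the plaintext name out of the binary's string segment — the decoded name is still passed to GetProcAddress in the clear at runtime — would let callers and reviewers understand exactly what the workaround does and does not do. The include directives in both hunks appear with their header names stripped in this rendering, so I could not confirm that `HMODULE`, `uint64_t`, and `bool` are brought into scope by the headers actually named.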