By knowing which functions are called—either directly or indirectly—a programmer can understand the operation of a compiled program without resorting to runtime analysis.
The address of a function will always be visible in memory before it is called; however, by storing an obfuscated version of the function pointer, disassemblers and cross-reference analysis tools will fail to recognize the stored pointer as a code address. Note that this technique will not work with function pointers that require relocation, such as the addresses of functions in shared libraries.
Function pointers can be handled like other variables. Because they
are essentially compile-time constants, it is best to use a technique
that obfuscates them at compile time. It is important that the
functions created using the
SET_FN_PTR
macro presented below be inlined by the
compiler so that they do not appear in the resulting
executable's symbol table; otherwise, they will be
obvious tip-offs to a cracker that something is not as it should be.
#define SET_FN_PTR(func, num) \
static inline void *get_##func(void) { \
int i, j = num / 4; \
long ptr = (long)func + num; \
for (i = 0; i < 2; i++) ptr -= j; \
return (void *)(ptr - (j * 2)); \
}
#define GET_FN_PTR(func) get_##func( )With the SET_FN_PTR macro, the pointer to a
function is returned by a routine that stores the function pointer
modified by a programmer-supplied value. The
GET_FN_PTR macro calls this routine, which
performs a mathematical transformation on the stored pointer and
returns the real function address. The following example demonstrates
the usage of the macros:
#include <stdio.h>
void my_func(void) {
printf("my_func( ) called!\n");
}
SET_FN_PTR(my_func, 0x01301100); /* 0x01301100 is some arbitrary value */
int main(int argc, char *argv[ ]) {
void (*ptr)(void);
ptr = GET_FN_PTR(my_func); /* get the real address of the function */
(*ptr)( ); /* make the function call */
return 0;
}