Code accompanying "3 Reverse Engineering Tricks For Windows Defender" by Alexei Bulazel

The code included here:

- `mp_apicall_7.py` - an IDA 7 processor extension module adding support for the `apicall` instruction.
- `find_apicall_functions.py` - to be run after loading a binary with `mp_apicall_7.py`, this script will locate functions using the `apicall` instruction and name them.
- `ret2apicall` - Visual Studio 17 project to demonstrate the apicall trick. In my experimentation, the binary this project produces will be consistently emulated. Make sure you build x86 Release.
- `0001-poc-diff.patch` - clone https://github.com/taviso/loadlibrary and follow all of the steps Tavis prescribes to get DLL symbols and such set up. This patch can then be applied with `git apply 0001-poc-diff.patch`.

NOTE: the offsets included are hardcoded for the Feb 28, 2018 release of mpengine.dll, version 1.1.14600.4, MD5: FAADDDD3BE6CA763559F5F55B14532FB. The mpam-fe.exe distro is MD5: 2dba714acd66eb28cf93814ac3ac9865.

If you can't find a copy of this exact version of the DLL, you'll have to locate the offsets yourself. It's easy; there are just three: `pe_read_string_ex`, `Parameters<1>::Parameters<1>`, and `KERNEL32_DLL_OutputDebugStringA`.

When I run the patched loadlibrary on the built binary from the `ret2apicall` Visual Studio project, I get:

```
$ ./mpclient ret2apiPoC.exe
MpEngine.dll base at 0xf67a3008
Setting Hooks
Parameters1: 0x4942b5 @ 0xf6c372bd
pe_read_string_ex: 0x3b8723 @ 0xf6b5b72b
OutputDebugStringA: 0x01abc0 @ 0xf6c9ba78
OutputDebugStringA Hooked: 0x804ea80
main(): Scanning ret2apiPoC.exe...
EngineScanCallback(): Scanning input
Hooks Set!
OutputDebugStringA CALLED v = 0x0xf7b0b008 Params[1]: 0x402064
OutputDebugStringA: "OutputDebugStringA the normal way"
OutputDebugStringA DONE
OutputDebugStringA CALLED v = 0x0xf7b0b008 Params[1]: 0x402088
OutputDebugStringA: "OutputDebugStringA via ret2apicall"
OutputDebugStringA DONE
OutputDebugStringA CALLED v = 0x0xf7b0b008 Params[1]: 0x402034
OutputDebugStringA: "Version number matches 14600"
OutputDebugStringA DONE
EngineScanCallback(): Threat Virus:Win32/Virut.BN!dam identified.
```
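Because the patch's offsets are only valid for the exact mpengine.dll build named in the NOTE above, it is worth confirming the hash before running `git apply`. The following is an added helper script, not part of this repository or of loadlibrary; it checks a file's MD5 against the two values listed in the README and, on a mismatch, names the three symbols whose offsets have to be re-located. The file names it keys on (`mpengine.dll`, `mpam-fe.exe`) and the `classify`/`report` function names are this example's own choices.

```python
import hashlib
import sys
from pathlib import Path

# Expected MD5s taken from the README. The hardcoded offsets in
# 0001-poc-diff.patch are only valid for this exact mpengine.dll build
# (Feb 28, 2018 release, version 1.1.14600.4).
KNOWN_MD5 = {
    "mpengine.dll": "faadddd3be6ca763559f5f55b14532fb",
    "mpam-fe.exe": "2dba714acd66eb28cf93814ac3ac9865",
}

# Symbols whose offsets are hardcoded in the patch; these are the three
# addresses that must be located by hand if the DLL hash does not match.
HARDCODED_SYMBOLS = (
    "pe_read_string_ex",
    "Parameters<1>::Parameters<1>",
    "KERNEL32_DLL_OutputDebugStringA",
)


def md5_hex(data: bytes) -> str:
    """MD5 of an in-memory byte string as lowercase hex."""
    return hashlib.md5(data).hexdigest()


def md5_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """MD5 of a file, read in 1 MiB chunks so large DLLs are not held in memory."""
    h = hashlib.md5()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(name: str, digest: str) -> str:
    """Return 'match', 'mismatch' or 'unknown' for a file name and its MD5.

    'unknown' means the README lists no expected hash for this file name.
    Comparison is case-insensitive because the README prints one hash in
    uppercase and one in lowercase.
    """
    expected = KNOWN_MD5.get(name.lower())
    if expected is None:
        return "unknown"
    return "match" if digest.lower() == expected else "mismatch"


def report(name: str, digest: str) -> str:
    """Human-readable verdict; on a mismatch, list the symbols to re-locate."""
    status = classify(name, digest)
    if status == "match":
        return f"{name}: {digest} matches the README build; patch offsets apply."
    if status == "unknown":
        return f"{name}: {digest} (no expected hash listed in the README for this file)."
    needed = ", ".join(HARDCODED_SYMBOLS)
    return (
        f"{name}: {digest} does NOT match the README build "
        f"(expected {KNOWN_MD5[name.lower()]}); "
        f"re-locate these symbols before applying the patch: {needed}"
    )


def check_path(path_str: str) -> str:
    """Hash a file on disk and return the report line for it."""
    p = Path(path_str)
    return report(p.name, md5_file(p))


if __name__ == "__main__":
    # Usage: python check_engine_hash.py /path/to/mpengine.dll [/path/to/mpam-fe.exe]
    for arg in sys.argv[1:]:
        print(check_path(arg))
```

Run it against the extracted `mpengine.dll` (and optionally the `mpam-fe.exe` distro) before applying the patch; anything other than a "matches" line means the three offsets need to be found in your copy of the DLL first.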