private static bool WipeBytes(byte[] fileBytes, MethodDef targetMethod, PEReader.PEReader peReader)
{
bool isFat;
uint firstOffset = (uint)targetMethod.RVA;
uint bodySize = targetMethod.Body.Instructions[targetMethod.Body.Instructions.Count - 1].Offset + 1;
firstOffset = peReader.RVAToOffset(firstOffset);
if ((fileBytes[firstOffset] & 0x3) == 0x2)
{
// Tiny method.
firstOffset += 1;
isFat = false;
}
else
{
// Fat method.
firstOffset += 12;
isFat = true;
}
for (int i = 0; i < bodySize; i++)
{
fileBytes[firstOffset + i] = 0;
}
return(isFat);
}
public static void EncryptMethods(ModuleDef targetModule)
{
PEReader.PEReader pe = new PEReader.PEReader(targetModule.Location);
byte[] bytes = File.ReadAllBytes(targetModule.Location);
foreach (TypeDef t in targetModule.GetTypes().Where(t => !t.Namespace.Contains("ByteGuard") && t.Name != "<Module>"))
{
foreach (MethodDef m in t.Methods.Where(m => m.HasBody))
{
bytes = EncryptMethod(bytes, m, pe);
}
}
//File.WriteAllBytes("A://new.exe", bytes);
}
private static byte[] EncryptMethod(byte[] byteArray, MethodDef targetMethod, PEReader.PEReader peReader)
{
int firstOffset, lastOffset;
// Checks if the method is tiny or fat and calculates the offsets accordingly.
if ((byteArray[peReader.RVAToOffset(Convert.ToUInt32(targetMethod.RVA))] & 0x3) == 0x2)
{
// TINY:
firstOffset = peReader.GetOffset((int)targetMethod.RVA + 1, 0);
lastOffset = peReader.GetOffset((int)targetMethod.RVA + 1, (int)targetMethod.Body.Instructions[targetMethod.Body.Instructions.Count - 1].Offset);
}
else
{
// FAT:
firstOffset = peReader.GetOffset((int)targetMethod.RVA + 12, 0);
lastOffset = peReader.GetOffset((int)targetMethod.RVA + 12, (int)targetMethod.Body.Instructions[targetMethod.Body.Instructions.Count - 1].Offset);
}
for (int i = firstOffset; i <= lastOffset; i++)
{
}
return(byteArray);
}
public static void EncryptMethods(string protectedLocation, uint sectionrva)
{
// Converts the section RVA to file offset.
PEReader.PEReader pe = new PEReader.PEReader(protectedLocation);
// Byte list to store the section bytes in.
List <byte> section = new List <byte>();
// Initialize variables.
uint methodCount = 0;
// Create two byte arrays, one to be wiped and another to use as a reference.
byte[] fileBytes = File.ReadAllBytes(protectedLocation);
byte[] original = File.ReadAllBytes(protectedLocation);
// Load the protected module.
ModuleDefMD protectedModule = ModuleDefMD.Load(protectedLocation);
// Iterate through all types except <Module> and the anti tamper type.
foreach (TypeDef t in protectedModule.GetTypes().Where(t => t != protectedModule.GlobalType && t.Name != "ByteGuardAntiTamper"))
{
// Iterate through all methods that have a body & instructions.
foreach (MethodDef m in t.Methods.Where(m => m.HasBody && m.Body.HasInstructions))
{
uint firstOffset = (uint)m.RVA;
uint bodySize = m.Body.Instructions[m.Body.Instructions.Count - 1].Offset + 1;
// Wipes the method bytes and returns true if it is a FAT method.
bool isFatMethod = WipeBytes(fileBytes, m, pe);
// Adjusts the offset accordingly. (12 for FAT, 1 for TINY).
firstOffset += (uint)(isFatMethod ? 12 : 1);
// Adds the method RVA to the section bytes.
// (This is used to find where to write the method bytes in memory)
section.AddRange(BitConverter.GetBytes(firstOffset));
// Adds the method size to the section bytes.
// (This is used to know how many bytes to read)
section.AddRange(BitConverter.GetBytes(bodySize));
// Adds every byte for each method to the section bytes.
// (This will be read and copied into memory).
for (int i = 0; i < bodySize; i++)
{
uint fileOffset = pe.RVAToOffset((uint)(firstOffset + i));
section.Add(original[fileOffset]);
}
methodCount++;
}
}
Array.Resize(ref fileBytes, fileBytes.Length + section.Count);
MemoryStream memoryStream = new MemoryStream(fileBytes);
BinaryWriter binaryWriter = new BinaryWriter(memoryStream);
section.InsertRange(0, BitConverter.GetBytes(methodCount));
binaryWriter.Seek(0x20, SeekOrigin.Begin);
binaryWriter.Write(sectionrva);
// Copy method bytes to section.
binaryWriter.Seek((int)pe.RVAToOffset(sectionrva), SeekOrigin.Begin);
binaryWriter.Write(section.ToArray());
byte[] sectionBytes = memoryStream.ToArray();
File.WriteAllBytes("A://ByteGuard-Protected.exe", sectionBytes);
}
