private static SortedSet <string> Instrument(ModuleDefMD src, Stream dst, Func <string, bool> matcher, TypeDef traceType) { var sharedMemDef = traceType.Fields.Single(f => f.Name == nameof(Common.Trace.SharedMem)); var prevLocationDef = traceType.Fields.Single(f => f.Name == nameof(Common.Trace.PrevLocation)); var sharedMemRef = src.Import(sharedMemDef); var prevLocationRef = src.Import(prevLocationDef); var types = new SortedSet <string>(); foreach (var type in src.GetTypes()) { if (type.HasMethods && matcher(type.FullName)) { bool instrumented = false; foreach (var method in type.Methods) { if (method.HasBody) { Method.Instrument(sharedMemRef, prevLocationRef, method); if (!instrumented) { types.Add(type.FullName); instrumented = true; } } } } } src.Write(dst); return(types); }
public void Initialize() { MethodDefs.Add(_moduleDefMd.Import(typeof(StackTrace).GetConstructor(new Type[0]))); MethodDefs.Add(_moduleDefMd.Import(typeof(StackTrace).GetMethod("GetFrame", new Type[] { typeof(int) }))); MethodDefs.Add(_moduleDefMd.Import(typeof(StackFrame).GetMethod("GetMethod"))); MethodDefs.Add(_moduleDefMd.Import(typeof(MethodBase).GetMethod("GetMethodBody"))); MethodDefs.Add(_moduleDefMd.Import(typeof(MethodBody).GetMethod("GetILAsByteArray"))); }
public void Apply() { string assemblyCSharp = Path.Combine(subnauticaManagedPath, GAME_ASSEMBLY_NAME); string nitroxPatcherPath = Path.Combine(subnauticaManagedPath, NITROX_ASSEMBLY_NAME); string modifiedAssemblyCSharp = Path.Combine(subnauticaManagedPath, GAME_ASSEMBLY_MODIFIED_NAME); if (File.Exists(modifiedAssemblyCSharp)) { File.Delete(modifiedAssemblyCSharp); } using (ModuleDefMD module = ModuleDefMD.Load(assemblyCSharp)) using (ModuleDefMD nitroxPatcherAssembly = ModuleDefMD.Load(nitroxPatcherPath)) { TypeDef nitroxMainDefinition = nitroxPatcherAssembly.GetTypes().FirstOrDefault(x => x.Name == NITROX_ENTRY_TYPE_NAME); MethodDef executeMethodDefinition = nitroxMainDefinition.Methods.FirstOrDefault(x => x.Name == NITROX_ENTRY_METHOD_NAME); MemberRef executeMethodReference = module.Import(executeMethodDefinition); TypeDef gameInputType = module.GetTypes().First(x => x.FullName == GAME_INPUT_TYPE_NAME); MethodDef awakeMethod = gameInputType.Methods.First(x => x.Name == GAME_INPUT_METHOD_NAME); Instruction callNitroxExecuteInstruction = OpCodes.Call.ToInstruction(executeMethodReference); awakeMethod.Body.Instructions.Insert(0, callNitroxExecuteInstruction); module.Write(modifiedAssemblyCSharp); } File.SetAttributes(assemblyCSharp, System.IO.FileAttributes.Normal); File.Delete(assemblyCSharp); File.Move(modifiedAssemblyCSharp, assemblyCSharp); }
public bool Inject(ModuleDefMD _Module, string _Path) { Module = _Module; path = _Path; bool injected = false; TypeDef[] array = Module.Types.ToArray <TypeDef>(); for (int i = 0; i < array.Length; i++) { foreach (MethodDef method in array[i].Methods.ToArray <MethodDef>()) { bool flag = method.HasBody && method.Body.HasInstructions && method.Body.Instructions.Count() >= 15 && !method.FullName.Contains("My.") && !method.FullName.Contains(".My") && !method.IsConstructor && !method.DeclaringType.IsGlobalModuleType; if (flag) { for (int j = 0; j < method.Body.Instructions.Count - 1; j++) { if (method.Body.Instructions[j].OpCode == OpCodes.Callvirt) { string operand = method.Body.Instructions[j].Operand.ToString(); if (operand.Contains("System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[])") && method.Body.Instructions[j - 1].IsLdarg() && method.Body.Instructions[j - 2].IsLdarg() && method.Body.Instructions[j - 3].IsLdarg()) { Importer importer = new Importer(Module); IMethod myMethod; myMethod = importer.Import(typeof(Venturi77CallHijacker.Handler).GetMethod("HandleInvoke")); method.Body.Instructions[j].Operand = Module.Import(myMethod); method.Body.Instructions[j].OpCode = OpCodes.Call; injected = true; } } } } } } return(injected); }
static void AddServerVariables(string path, string runtimepath) { if (!File.Exists(path)) { Error("Couldn't find server variables file at " + path); } var dict = JsonConvert.DeserializeObject <Dictionary <string, string> >(File.ReadAllText(path)); var mod = ModuleDefMD.Load(runtimepath); var seal = mod.Types.Single(t => t.Name == "Seal"); var vars = seal.Fields.Single(f => f.Name == "_vars"); var body = seal.FindOrCreateStaticConstructor().Body; foreach (var pair in dict) { body.Instructions.Insert(2, new Instruction(OpCodes.Ldsfld, vars)); body.Instructions.Insert(3, new Instruction(OpCodes.Ldstr, pair.Key)); body.Instructions.Insert(4, new Instruction(OpCodes.Ldstr, pair.Value)); body.Instructions.Insert(5, new Instruction(OpCodes.Callvirt, _mod.Import(typeof(Dictionary <string, string>).GetMethod("set_Item", (BindingFlags)(-1))))); } using (var ms = new MemoryStream()) { mod.Write(ms); mod.Dispose(); File.WriteAllBytes(runtimepath, ms.ToArray()); } }
public void Apply() { string gameInputPath = subnauticaBasePath + GAME_ASSEMBLY_NAME; string nitroxPatcherPath = subnauticaBasePath + NITROX_ASSEMBLY_NAME; string modifiedAssemblyPath = subnauticaBasePath + GAME_ASSEMBLY_MODIFIED_NAME; using (ModuleDefMD module = ModuleDefMD.Load(gameInputPath)) using (ModuleDefMD nitroxPatcherAssembly = ModuleDefMD.Load(nitroxPatcherPath)) { TypeDef nitroxMainDefinition = nitroxPatcherAssembly.GetTypes().FirstOrDefault(x => x.Name == NITROX_ENTRY_TYPE_NAME); MethodDef executeMethodDefinition = nitroxMainDefinition.Methods.FirstOrDefault(x => x.Name == NITROX_ENTRY_METHOD_NAME); MemberRef executeMethodReference = module.Import(executeMethodDefinition); TypeDef gameInputType = module.GetTypes().First(x => x.FullName == GAME_INPUT_TYPE_NAME); MethodDef awakeMethod = gameInputType.Methods.First(x => x.Name == GAME_INPUT_METHOD_NAME); Instruction callNitroxExecuteInstruction = OpCodes.Call.ToInstruction(executeMethodReference); awakeMethod.Body.Instructions.Insert(0, callNitroxExecuteInstruction); module.Write(modifiedAssemblyPath); } string backuupAssemblyPath = subnauticaBasePath + GAME_ASSEMBLY_BACKUP_NAME; File.Replace(modifiedAssemblyPath, gameInputPath, backuupAssemblyPath); }
public override void Deobfuscate() { // Console.WriteLine("[!] Cleaning Callis"); List <CallInfo> calls = FindPointers(); if (calls == null) { return; } if (calls.Count == 0) { //Console.WriteLine("[!] No calls found!"); // Console.ReadLine(); return; } // Console.WriteLine("[!] Calli Total Calls: {0}", calls.Count); foreach (CallInfo call in calls) { call.References.AddRange(FindReferences(call)); } int replaced = 0; foreach (CallInfo call in calls) { foreach (CallRef reference in call.References) { if (reference.ParentMethod.MDToken.ToInt32() == 0x06000260) { } int instIndex = reference.ParentMethod.Body.Instructions.IndexOf(reference.CalliInst); if (instIndex == -1) { continue; } // Nop the above 3 insts var fieldCalli = reference.ParentMethod.Body.Instructions[instIndex - 3].Operand as FieldDef; if (fieldCalli != fieldDef) { continue; } for (int i = 1; i <= 3; i++) { reference.ParentMethod.Body.Instructions[instIndex - i].OpCode = OpCodes.Nop; reference.ParentMethod.Body.Instructions[instIndex - i].Operand = null; } reference.ParentMethod.Body.Instructions[instIndex].OpCode = OpCodes.Call; reference.ParentMethod.Body.Instructions[instIndex].Operand = ModuleDefMD.Import(call.TargetMethod); replaced++; } } // Console.WriteLine("[!] Calli Total Replaced: {0}", replaced); return; }
public static bool InjectEazVM(ModuleDefMD Module, string Pathh) { bool injected = false; TypeDef[] array = Module.Types.ToArray <TypeDef>(); for (int i = 0; i < array.Length; i++) { foreach (MethodDef method in array[i].Methods.ToArray <MethodDef>()) { bool flag = method.HasBody && method.Body.HasInstructions && method.Body.Instructions.Count() >= 15 && !method.FullName.Contains("My.") && !method.FullName.Contains(".My") && !method.IsConstructor && !method.DeclaringType.IsGlobalModuleType; if (flag) { for (int j = 0; j < method.Body.Instructions.Count - 1; j++) { if (method.Body.Instructions[j].OpCode == OpCodes.Callvirt) { if (j <= 4) { continue; } if (method.Body.Instructions[j - 1].OpCode == OpCodes.Ldarg_3 || method.Body.Instructions[j - 1].OpCode == OpCodes.Ldarg_2) { if (method.Body.Instructions[j - 2].OpCode == OpCodes.Ldarg_2 || method.Body.Instructions[j - 2].OpCode == OpCodes.Ldarg_1) { if (method.Body.Instructions[j - 3].OpCode == OpCodes.Ldarg_1 || method.Body.Instructions[j - 3].OpCode == OpCodes.Ldarg_0) { Importer importer = new Importer(Module); IMethod Method; Method = importer.Import(typeof(Venturi77CallHijacker.Handler).GetMethod("HandleInvoke")); method.Body.Instructions[j].Operand = Module.Import(Method); method.Body.Instructions[j].OpCode = OpCodes.Call; injected = true; } } } } } } } } if (!injected) { return(injected); } ModuleWriterOptions moduleWriterOptions = new ModuleWriterOptions(Module); moduleWriterOptions.MetadataOptions.Flags = MetadataFlags.KeepOldMaxStack; moduleWriterOptions.Logger = DummyLogger.NoThrowInstance; moduleWriterOptions.MetadataOptions.Flags = MetadataFlags.PreserveAll; moduleWriterOptions.MetadataOptions.PreserveHeapOrder(Module, true); moduleWriterOptions.Cor20HeaderOptions.Flags = new ComImageFlags?(ComImageFlags.ILOnly | ComImageFlags.Bit32Required); Module.Write(Pathh + "_Injected.exe", moduleWriterOptions); File.Copy("Venturi77CallHijacker.dll", Path.GetDirectoryName(Pathh) + "\\Venturi77CallHijacker.dll"); File.Copy("Newtonsoft.Json.dll", Path.GetDirectoryName(Pathh) + "\\Newtonsoft.Json.dll"); return(injected); }
public void Inject(ModuleDefMD module) { MethodDefUser decode = new MethodDefUser("Decode", MethodSig.CreateStatic(module.CorLibTypes.String, module.CorLibTypes.String), MethodImplAttributes.IL | MethodImplAttributes.Managed, MethodAttributes.Public | MethodAttributes.Static | MethodAttributes.HideBySig | MethodAttributes.ReuseSlot); module.GlobalType.Methods.Add(decode); CilBody body = new CilBody(); decode.Body = body; body.Instructions.Add(OpCodes.Nop.ToInstruction()); body.Instructions.Add(OpCodes.Call.ToInstruction(module.Import(typeof(System.Text.Encoding).GetMethod("get_UTF8", new Type[] { })))); body.Instructions.Add(OpCodes.Ldarg_0.ToInstruction()); body.Instructions.Add(OpCodes.Call.ToInstruction(module.Import(typeof(System.Convert).GetMethod("FromBase64String", new Type[] { typeof(string) })))); body.Instructions.Add(OpCodes.Callvirt.ToInstruction(module.Import(typeof(System.Text.Encoding).GetMethod("GetString", new Type[] { typeof(byte[]) })))); body.Instructions.Add(OpCodes.Ret.ToInstruction()); foreach (TypeDef type in module.Types) { if (type.Name != "Resources" || type.Name != "Settings") { foreach (MethodDef method in type.Methods) { if (!method.HasBody) { continue; } for (int i = 0; i < method.Body.Instructions.Count(); i++) { if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr) { method.Body.Instructions[i].Operand = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(method.Body.Instructions[i].Operand.ToString())); method.Body.Instructions.Insert(i + 1, new Instruction(OpCodes.Call, decode)); i += 1; } } method.Body.SimplifyBranches(); method.Body.OptimizeBranches(); } } } }
internal IMethod FindMethod(string fullName) { foreach (var module in Module.Assembly.Modules) { foreach (var type in module.GetTypes()) { foreach (var method in type.Methods) { if (string.Equals(method.FullName, fullName, StringComparison.InvariantCultureIgnoreCase)) { return(method); } } } } LoadCustomModule(ref fullName, out ModuleDefMD customModule); foreach (var module in customModule.Assembly.Modules) { foreach (var type in module.GetTypes()) { foreach (var method in type.Methods) { if (string.Equals(method.FullName, fullName, StringComparison.InvariantCultureIgnoreCase)) { return(Module.Import(method)); } } } } throw new PatcherException("Method not found", fullName); }
public static bool FindField(ModuleDefMD module) { TypeDef type = module.GlobalType; foreach (FieldDef fld in type.Fields) { if (fld.FieldType.ReflectionFullName == module.Import(typeof(Assembly)).ToTypeSig().ReflectionFullName) { return(true); } } return(false); }
public static Instruction CallHelperMethodInstruction(ModuleDefMD mod, TypeDef helperClass, string methodName) { MemberRef methodRef = new MemberRefUser( mod, methodName, MethodSig.CreateStatic(mod.CorLibTypes.Void), helperClass ); IMethod importedMethodRef = mod.Import(methodRef); return(OpCodes.Call.ToInstruction(importedMethodRef)); }
//Try to find a Proxy meth of Anti-Debug. Can't work if RefProxy is not enabled.... public static bool TryFindAntiDebug(ModuleDefMD module) { TypeDef type = module.GlobalType; foreach (MethodDef method in type.Methods) { if (method.ReturnType.ReflectionFullName == module.Import(typeof(System.Threading.Thread)).ToTypeSig().ReflectionFullName) { if (method.MethodSig.Params.Count == 1 && method.MethodSig.Params[0].ToString().Contains("ParameterizedThreadStart")) { return(true); } } } return(false); }
//Try to find a Proxy meth of Anti-Dump. Can't work if RefProxy is not enabled.... public static bool TryFindAntiDump(ModuleDefMD module) { TypeDef type = module.GlobalType; foreach (MethodDef method in type.Methods) { if (method.ReturnType.ReflectionFullName == module.Import(typeof(Type)).ToTypeSig().ReflectionFullName) { if (method.MethodSig.Params.Count == 1 && method.MethodSig.Params[0].ToString().Contains("RuntimeTypeHandle")) { return(true); } } } return(false); }
//Try to find a Proxy meth of Resources decryption. Works even without proxy public static bool TryGetResource(ModuleDefMD module) { TypeDef type = module.GlobalType; foreach (MethodDef method in type.Methods) { if (method.ReturnType.ReflectionFullName == module.Import(typeof(Assembly)).ToTypeSig().ReflectionFullName) { if (method.MethodSig.Params.Count == 2 && method.MethodSig.Params[0].ToString().Contains("Object") && method.MethodSig.Params[1].ToString().Contains("ResolveEventArgs")) { //Extra check to strengthen result return(FindField(module)); } } } return(false); }
public void Apply() { string assemblyCSharp = Path.Combine(subnauticaManagedPath, GAME_ASSEMBLY_NAME); string nitroxPatcherPath = Path.Combine(subnauticaManagedPath, NITROX_ASSEMBLY_NAME); string modifiedAssemblyCSharp = Path.Combine(subnauticaManagedPath, GAME_ASSEMBLY_MODIFIED_NAME); if (File.Exists(modifiedAssemblyCSharp)) { File.Delete(modifiedAssemblyCSharp); } using (ModuleDefMD module = ModuleDefMD.Load(assemblyCSharp)) using (ModuleDefMD nitroxPatcherAssembly = ModuleDefMD.Load(nitroxPatcherPath)) { TypeDef nitroxMainDefinition = nitroxPatcherAssembly.GetTypes().FirstOrDefault(x => x.Name == NITROX_ENTRY_TYPE_NAME); MethodDef executeMethodDefinition = nitroxMainDefinition.Methods.FirstOrDefault(x => x.Name == NITROX_ENTRY_METHOD_NAME); MemberRef executeMethodReference = module.Import(executeMethodDefinition); TypeDef gameInputType = module.GetTypes().First(x => x.FullName == GAME_INPUT_TYPE_NAME); MethodDef awakeMethod = gameInputType.Methods.First(x => x.Name == GAME_INPUT_METHOD_NAME); Instruction callNitroxExecuteInstruction = OpCodes.Call.ToInstruction(executeMethodReference); awakeMethod.Body.Instructions.Insert(0, callNitroxExecuteInstruction); module.Write(modifiedAssemblyCSharp); } // The assembly might be used by other code or some other program might work in it. Retry to be on the safe side. Exception error = RetryWait(() => File.Delete(assemblyCSharp), 100, 5); if (error != null) { throw error; } File.Move(modifiedAssemblyCSharp, assemblyCSharp); }
public string FindModePacker(ModuleDefMD module) { foreach (TypeDef type in module.Types) { foreach (MethodDef method in type.Methods.Where(m => m.HasBody && m.Body.HasInstructions)) { if (method.MethodSig.RetType.ReflectionFullName == module.Import(typeof(GCHandle)).ToTypeSig().ReflectionFullName) { if (method.MethodSig.Params.Count == 2 && method.MethodSig.Params[0].ToString().Contains("UInt32[]") && method.MethodSig.Params[1].ToString().Contains("UInt32")) { if (method.Body.Variables.Count >= 14) { return("Dynamic"); } else { return("Normal"); } } } } } return("Not Found"); }
void AntiDebug(ref ModuleDefMD moduleDef, string folderPathFile) { int skipFirstInvoke = 0; foreach (var type in moduleDef.Types) { foreach (var method in type.Methods) { if (method.Parameters.Count == 3 && method.Parameters[1].Type.TypeName == "MethodBase" && method.Parameters[2].Type.TypeName == "Boolean") { for (int i = 0; i < method.Body.Instructions.Count; i++) { if (method.Body.Instructions[i].Operand?.ToString().Contains("Invoke") ?? false) { if (skipFirstInvoke++ == 1) { var indexInvoke = method.Body.Instructions.IndexOf(method.Body.Instructions[i]); var lastInstruction = method.Body.Instructions[indexInvoke + 2]; // stub, will be reinitialized later Local getLocal; if (method.Body.Instructions[indexInvoke + 1].IsStloc()) { if (method.Body.Instructions[indexInvoke + 1].OpCode == OpCodes.Stloc_0) { getLocal = method.Body.Variables.Locals[0]; } else if (method.Body.Instructions[indexInvoke + 1].OpCode == OpCodes.Stloc_1) { getLocal = method.Body.Variables.Locals[1]; } else if (method.Body.Instructions[indexInvoke + 1].OpCode == OpCodes.Stloc_2) { getLocal = method.Body.Variables.Locals[2]; } else if (method.Body.Instructions[indexInvoke + 1].OpCode == OpCodes.Stloc_3) { getLocal = method.Body.Variables.Locals[3]; } else { getLocal = method.Body.Instructions[indexInvoke + 1].GetLocal(null); } } else if (method.Body.Instructions[indexInvoke + 3].OpCode == OpCodes.Stloc_S) { getLocal = method.Body.Instructions[indexInvoke + 3].GetLocal(null); indexInvoke += 2; } else { getLocal = method.Body.Instructions[indexInvoke + 5].GetLocal(null); // skip VMP-mutations indexInvoke += 4; } // ### CRC-Check ### Console.WriteLine("CRC-check bypassing..."); int indexPreInvoke = indexInvoke; Local getLocalObjectInvokeArgs; dynamic opcodeLdlocS; while (true) { if (method.Body.Instructions[indexPreInvoke].IsLdloc()) { opcodeLdlocS = method.Body.Instructions[indexPreInvoke].Operand; if (opcodeLdlocS.Type?.FullName == "System.Object[]") { getLocalObjectInvokeArgs = method.Body.Variables[opcodeLdlocS.Index]; break; } } indexPreInvoke--; } while (true) { if (method.Body.Instructions[indexPreInvoke].IsLdarg()) { method.Body.Instructions.Insert(indexPreInvoke + 1, Instruction.Create(OpCodes.Callvirt, moduleDef.Import(typeof(System.Reflection.MemberInfo).GetMethod("get_Name", new Type[] { })))); method.Body.Instructions.Insert(indexPreInvoke + 2, Instruction.Create(OpCodes.Ldstr, "CreateFile")); method.Body.Instructions.Insert(indexPreInvoke + 3, Instruction.Create(OpCodes.Call, moduleDef.Import(typeof(System.String).GetMethod("op_Equality", new Type[] { typeof(string), typeof(string) })))); method.Body.Instructions.Insert(indexPreInvoke + 4, Instruction.Create(OpCodes.Brfalse_S, lastInstruction)); method.Body.Instructions.Insert(indexPreInvoke + 5, Instruction.Create(OpCodes.Ldloc_S, getLocalObjectInvokeArgs)); method.Body.Instructions.Insert(indexPreInvoke + 6, Instruction.Create(OpCodes.Ldc_I4_0)); method.Body.Instructions.Insert(indexPreInvoke + 7, Instruction.Create(OpCodes.Ldstr, folderPathFile)); method.Body.Instructions.Insert(indexPreInvoke + 8, Instruction.Create(OpCodes.Stelem_Ref)); method.Body.Instructions.Insert(indexPreInvoke + 9, Instruction.Create(OpCodes.Ldarg_1)); indexInvoke += 9; break; } indexPreInvoke--; } Console.WriteLine("Anti-debug bypassing..."); // ### NtQueryInformationProcess ### method.Body.Instructions.Insert(indexInvoke + 2, Instruction.Create(OpCodes.Ldarg_1)); method.Body.Instructions.Insert(indexInvoke + 3, Instruction.Create(OpCodes.Callvirt, moduleDef.Import(typeof(System.Reflection.MemberInfo).GetMethod("get_Name", new Type[] { })))); method.Body.Instructions.Insert(indexInvoke + 4, Instruction.Create(OpCodes.Ldstr, "NtQueryInformationProcess")); method.Body.Instructions.Insert(indexInvoke + 5, Instruction.Create(OpCodes.Call, moduleDef.Import(typeof(System.String).GetMethod("op_Equality", new Type[] { typeof(string), typeof(string) })))); method.Body.Instructions.Insert(indexInvoke + 6, Instruction.Create(OpCodes.Brfalse_S, lastInstruction)); method.Body.Instructions.Insert(indexInvoke + 7, Instruction.Create(OpCodes.Ldc_I4_1)); method.Body.Instructions.Insert(indexInvoke + 8, Instruction.Create(OpCodes.Box, moduleDef.Import(typeof(System.Int32)))); method.Body.Instructions.Insert(indexInvoke + 9, Instruction.Create(OpCodes.Stloc_S, getLocal)); // ### is_Attached ### method.Body.Instructions.Insert(indexInvoke + 10, Instruction.Create(OpCodes.Ldarg_1)); method.Body.Instructions.Insert(indexInvoke + 11, Instruction.Create(OpCodes.Callvirt, moduleDef.Import(typeof(System.Reflection.MemberInfo).GetMethod("get_Name", new Type[] { })))); method.Body.Instructions.Insert(indexInvoke + 12, Instruction.Create(OpCodes.Ldstr, "get_IsAttached")); method.Body.Instructions.Insert(indexInvoke + 13, Instruction.Create(OpCodes.Call, moduleDef.Import(typeof(System.String).GetMethod("op_Equality", new Type[] { typeof(string), typeof(string) })))); method.Body.Instructions.Insert(indexInvoke + 14, Instruction.Create(OpCodes.Brfalse_S, lastInstruction)); method.Body.Instructions.Insert(indexInvoke + 15, Instruction.Create(OpCodes.Ldc_I4_0)); method.Body.Instructions.Insert(indexInvoke + 16, Instruction.Create(OpCodes.Box, moduleDef.Import(typeof(System.Boolean)))); method.Body.Instructions.Insert(indexInvoke + 17, Instruction.Create(OpCodes.Stloc_S, getLocal)); // ### IsLogging ### method.Body.Instructions.Insert(indexInvoke + 18, Instruction.Create(OpCodes.Ldarg_1)); method.Body.Instructions.Insert(indexInvoke + 19, Instruction.Create(OpCodes.Callvirt, moduleDef.Import(typeof(System.Reflection.MemberInfo).GetMethod("get_Name", new Type[] { })))); method.Body.Instructions.Insert(indexInvoke + 20, Instruction.Create(OpCodes.Ldstr, "IsLogging")); method.Body.Instructions.Insert(indexInvoke + 21, Instruction.Create(OpCodes.Call, moduleDef.Import(typeof(System.String).GetMethod("op_Equality", new Type[] { typeof(string), typeof(string) })))); method.Body.Instructions.Insert(indexInvoke + 22, Instruction.Create(OpCodes.Brfalse_S, lastInstruction)); method.Body.Instructions.Insert(indexInvoke + 23, Instruction.Create(OpCodes.Ldc_I4_0)); method.Body.Instructions.Insert(indexInvoke + 24, Instruction.Create(OpCodes.Box, moduleDef.Import(typeof(System.Boolean)))); method.Body.Instructions.Insert(indexInvoke + 25, Instruction.Create(OpCodes.Stloc_S, getLocal)); // ### IsDebuggerPresent ### method.Body.Instructions.Insert(indexInvoke + 26, Instruction.Create(OpCodes.Ldarg_1)); method.Body.Instructions.Insert(indexInvoke + 27, Instruction.Create(OpCodes.Callvirt, moduleDef.Import(typeof(System.Reflection.MemberInfo).GetMethod("get_Name", new Type[] { })))); method.Body.Instructions.Insert(indexInvoke + 28, Instruction.Create(OpCodes.Ldstr, "IsDebuggerPresent")); method.Body.Instructions.Insert(indexInvoke + 29, Instruction.Create(OpCodes.Call, moduleDef.Import(typeof(System.String).GetMethod("op_Equality", new Type[] { typeof(string), typeof(string) })))); method.Body.Instructions.Insert(indexInvoke + 30, Instruction.Create(OpCodes.Brfalse_S, lastInstruction)); method.Body.Instructions.Insert(indexInvoke + 31, Instruction.Create(OpCodes.Ldc_I4_0)); method.Body.Instructions.Insert(indexInvoke + 32, Instruction.Create(OpCodes.Box, moduleDef.Import(typeof(System.Boolean)))); method.Body.Instructions.Insert(indexInvoke + 33, Instruction.Create(OpCodes.Stloc_S, getLocal)); // ### CheckRemoteDebuggerPresent ### method.Body.Instructions.Insert(indexInvoke + 34, Instruction.Create(OpCodes.Ldarg_1)); method.Body.Instructions.Insert(indexInvoke + 35, Instruction.Create(OpCodes.Callvirt, moduleDef.Import(typeof(System.Reflection.MemberInfo).GetMethod("get_Name", new Type[] { })))); method.Body.Instructions.Insert(indexInvoke + 36, Instruction.Create(OpCodes.Ldstr, "CheckRemoteDebuggerPresent")); method.Body.Instructions.Insert(indexInvoke + 37, Instruction.Create(OpCodes.Call, moduleDef.Import(typeof(System.String).GetMethod("op_Equality", new Type[] { typeof(string), typeof(string) })))); method.Body.Instructions.Insert(indexInvoke + 38, Instruction.Create(OpCodes.Brfalse_S, lastInstruction)); method.Body.Instructions.Insert(indexInvoke + 39, Instruction.Create(OpCodes.Ldc_I4_0)); method.Body.Instructions.Insert(indexInvoke + 40, Instruction.Create(OpCodes.Box, moduleDef.Import(typeof(System.Boolean)))); method.Body.Instructions.Insert(indexInvoke + 41, Instruction.Create(OpCodes.Stloc_S, getLocal)); var invoke = (MemberRef)method.Body.Instructions[indexInvoke].Operand; method.Body.UpdateInstructionOffsets(); // update offsets if (invoke.GetParamCount() == 5) // new version VMP (build 1261) { // lastInstruction = this pointer, when need jump lastInstruction = method.Body.Instructions[indexInvoke - 6]; // On Ldarg.1 method.Body.Instructions[indexInvoke - 11] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); // create Instruction } else // old version VMP (build 1213) { // lastInstruction = this pointer, when need jump lastInstruction = method.Body.Instructions[indexInvoke - 3]; // On Ldarg.1 method.Body.Instructions[indexInvoke - 8] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); // create Instruction } lastInstruction = method.Body.Instructions[indexInvoke + 10]; method.Body.Instructions[indexInvoke + 6] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); lastInstruction = method.Body.Instructions[indexInvoke + 18]; method.Body.Instructions[indexInvoke + 14] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); lastInstruction = method.Body.Instructions[indexInvoke + 26]; method.Body.Instructions[indexInvoke + 22] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); lastInstruction = method.Body.Instructions[indexInvoke + 34]; method.Body.Instructions[indexInvoke + 30] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); lastInstruction = method.Body.Instructions[indexInvoke + 42]; method.Body.Instructions[indexInvoke + 38] = Instruction.Create(OpCodes.Brfalse_S, lastInstruction); i += 20; } } } } } } }
public static bool InjectKoiVM(ModuleDefMD Module, string Pathh) { bool injected = false; TypeDef[] array = Module.Types.ToArray <TypeDef>(); for (int i = 0; i < array.Length; i++) { foreach (MethodDef method in array[i].Methods.ToArray <MethodDef>()) { bool flag = method.HasBody && method.Body.HasInstructions && !method.FullName.Contains("My.") && !method.FullName.Contains(".My") && !method.IsConstructor && !method.DeclaringType.IsGlobalModuleType; if (flag) { for (int j = 0; j < method.Body.Instructions.Count - 1; j++) { if (method.Body.Instructions[j].OpCode == OpCodes.Ldarg_2) { if (method.Body.Instructions[j + 1].OpCode == OpCodes.Ldloc_2) { if (method.Body.Instructions[j + 2].OpCode == OpCodes.Ldloc_3) { if (method.Body.Instructions[j + 3].OpCode == OpCodes.Callvirt) { if (method.Body.Instructions[j + 4].OpCode == OpCodes.Stloc_S) { method.Body.Instructions[j + 3].OpCode = OpCodes.Call; Importer importer = new Importer(Module); IMethod Method; Method = importer.Import(typeof(Venturi77CallHijacker.Handler).GetMethod("HandleInvoke")); method.Body.Instructions[j + 3].Operand = Module.Import(Method); injected = true; } } } } } } } } } if (!injected) { return(injected); } ModuleWriterOptions nativeModuleWriterOptions = new ModuleWriterOptions(Module); nativeModuleWriterOptions.MetadataOptions.Flags = MetadataFlags.KeepOldMaxStack; nativeModuleWriterOptions.Logger = DummyLogger.NoThrowInstance; nativeModuleWriterOptions.MetadataOptions.Flags = MetadataFlags.PreserveAll; nativeModuleWriterOptions.Cor20HeaderOptions.Flags = new ComImageFlags?(ComImageFlags.ILOnly); var otherstrteams = Module.Metadata.AllStreams.Where(a => a.GetType() == typeof(DotNetStream)); nativeModuleWriterOptions.MetadataOptions.PreserveHeapOrder(Module, addCustomHeaps: true); Module.Write(Path.Combine(Path.GetDirectoryName(Pathh), Path.GetFileNameWithoutExtension(Pathh) + "_Injected" + ".exe"), nativeModuleWriterOptions); File.Copy("Venturi77CallHijacker.dll", Path.GetDirectoryName(Pathh) + "\\Venturi77CallHijacker.dll"); File.Copy("Newtonsoft.Json.dll", Path.GetDirectoryName(Pathh) + "\\Newtonsoft.Json.dll"); return(injected); }
public static void InjectForlaxerEaz(string path, int pick) { ModuleDefMD md = ModuleDefMD.Load(path); foreach (TypeDef type in md.Types) { foreach (MethodDef method in type.Methods) { if (method.HasBody && method.Body.HasInstructions && method.Body.Instructions.Count() < 200) { for (int i = 0; i < method.Body.Instructions.Count(); i++) { if (method.Body.Instructions[i].OpCode == OpCodes.Callvirt) { string operand = method.Body.Instructions[i].Operand.ToString(); if (operand.Contains("System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[])") && method.Body.Instructions[i - 1].IsLdarg() && method.Body.Instructions[i - 2].IsLdarg() && method.Body.Instructions[i - 3].IsLdarg()) { MDToken var = method.MDToken; Colorful.Console.Write("[INFO] ", Color.Purple); Colorful.Console.Write("Invoke MDToken: " + var.Raw.ToString()); method.Body.Instructions[i].OpCode = OpCodes.Nop; Importer importer = new Importer(md); IMethod myMethod; if (pick == 1) { myMethod = importer.Import(typeof(Forlaxer.Forlaxer).GetMethod("dbgInvokeHandler")); } else { myMethod = importer.Import(typeof(Forlaxer.Forlaxer).GetMethod("InvokeHandler")); } method.Body.Instructions.Insert(i + 1, new Instruction(OpCodes.Call, md.Import(myMethod))); i += 1; success("Forlaxer Hooked Succesfully!"); } } } } } } BLOCK1: ModuleWriterOptions moduleWriterOptions = new ModuleWriterOptions(md); moduleWriterOptions.MetadataOptions.Flags = MetadataFlags.KeepOldMaxStack; moduleWriterOptions.Logger = DummyLogger.NoThrowInstance; moduleWriterOptions.MetadataOptions.Flags = MetadataFlags.PreserveAll; moduleWriterOptions.MetadataOptions.PreserveHeapOrder(md, true); moduleWriterOptions.Cor20HeaderOptions.Flags = new ComImageFlags?(ComImageFlags.ILOnly | ComImageFlags.Bit32Required); md.Write(path + "_Hooked_.exe", moduleWriterOptions); }
private void AntiVMInit(ref ModuleDefMD moduleDefMD) { foreach (var type in moduleDefMD.Types) { // Bypass EnumSystemFirmwareTables() if (type.Methods.Count == 1 || type.Fields.Count == 5) { foreach (var method in type.Methods) { if (method.HasBody) { var countLdcI4_1 = 0; foreach (var instruction in method.Body.Instructions) { // Bypass EnumSystemFirmwareTables() if (instruction.OpCode.Code == Code.Ldc_I4_1) // check signature (count Ldc_I4_1 == 13) { countLdcI4_1++; } else if (instruction.IsLdcI4() && instruction.GetLdcI4Value() == 1) { countLdcI4_1++; } } if (countLdcI4_1 == 13) { Console.WriteLine("Bypass Anti-Virtual-Machine bypassing(EnumSystemFirmwareTables)"); for (var indexInstructions = 0; indexInstructions < method.Body.Instructions.Count - 2; indexInstructions++) { method.Body.Instructions[indexInstructions] = Instruction.Create(OpCodes.Nop); } method.Body.Instructions[method.Body.Instructions.Count - 2] = Instruction.Create(OpCodes.Ldc_I4, 0); } } } } // Bypass CPUID 0x40000000 && 0x40000010 if (type.Fields.Count == 2 && type.Methods.Count == 2) { foreach (var method in type.Methods) { if (method.HasBody) { for (int indexInstructions = 0; indexInstructions < method.Body.Instructions.Count; indexInstructions++) { if (method.Body.Instructions[indexInstructions].OpCode == OpCodes.Ldtoken && method.Body.Instructions[indexInstructions + 3].OpCode == OpCodes.Castclass && method.Body.Instructions[indexInstructions + 6].OpCode == OpCodes.Initobj) { Console.WriteLine("Bypass CPUID 0x40000000 && 0x40000010"); method.Body.Instructions[0] = new Instruction(OpCodes.Ldc_I4_4); method.Body.Instructions[1] = new Instruction(OpCodes.Newarr, moduleDefMD.Import(typeof(System.Int32))); method.Body.Instructions[2] = new Instruction(OpCodes.Dup); method.Body.Instructions[3] = new Instruction(OpCodes.Ldc_I4_0); method.Body.Instructions[4] = new Instruction(OpCodes.Ldc_I4, 0x206A7); method.Body.Instructions[5] = new Instruction(OpCodes.Stelem_I4); method.Body.Instructions[6] = new Instruction(OpCodes.Dup); method.Body.Instructions[7] = new Instruction(OpCodes.Ldc_I4_1); method.Body.Instructions[8] = new Instruction(OpCodes.Ldc_I4, 0x3100800); method.Body.Instructions[9] = new Instruction(OpCodes.Stelem_I4); method.Body.Instructions[10] = new Instruction(OpCodes.Dup); method.Body.Instructions[11] = new Instruction(OpCodes.Ldc_I4_2); method.Body.Instructions[12] = new Instruction(OpCodes.Ldc_I4, 0x1F9AE3BF); method.Body.Instructions[13] = new Instruction(OpCodes.Stelem_I4); method.Body.Instructions[14] = new Instruction(OpCodes.Dup); method.Body.Instructions[15] = new Instruction(OpCodes.Ldc_I4_3); method.Body.Instructions[16] = new Instruction(OpCodes.Ldc_I4, -0x40140401); method.Body.Instructions[17] = new Instruction(OpCodes.Stelem_I4); method.Body.Instructions[18] = new Instruction(OpCodes.Ret); for (int indexCleaningInstruction = 19; indexCleaningInstruction < method.Body.Instructions.Count;) { if (method.Body.Instructions[indexCleaningInstruction] != null) { method.Body.Instructions.RemoveAt(indexCleaningInstruction); } } for (int exceptionIterator = method.Body.ExceptionHandlers.Count - 1; exceptionIterator >= 0; exceptionIterator--) { method.Body.ExceptionHandlers.RemoveAt(exceptionIterator); } method.Body.OptimizeBranches(); method.Body.UpdateInstructionOffsets(); break; } } } } } } }
public static void Publicize(string input, string output = null) { output ??= DefaultOutputDir + Path.DirectorySeparatorChar; if (string.IsNullOrEmpty(Path.GetFileName(output))) { output = Path.Combine(output, Path.GetFileNameWithoutExtension(input) + Suffix + Path.GetExtension(input)); } if (!File.Exists(input)) { Console.WriteLine(); Console.WriteLine("ERROR! File doesn't exist or you don't have sufficient permissions."); Environment.Exit(30); } ModuleDefMD module = null; try { module = ModuleDefMD.Load(input, ModuleDef.CreateModuleContext()); } catch (Exception e) { Console.WriteLine(); Console.WriteLine("ERROR! Cannot read the assembly. Please check your permissions."); Console.WriteLine(e); Environment.Exit(40); } var runtimeVisibilityAttribute = new TypeDefUser("RuntimeVisibilityAttribute", module.Import(typeof(Attribute))) { Attributes = TypeAttributes.Class & TypeAttributes.Public }; module.Types.Add(runtimeVisibilityAttribute); runtimeVisibilityAttribute.Methods.Add(new MethodDefUser( ".ctor", MethodSig.CreateInstance(module.CorLibTypes.Void, module.CorLibTypes.String), MethodImplAttributes.Managed & MethodImplAttributes.IL, MethodAttributes.Public | MethodAttributes.SpecialName | MethodAttributes.RTSpecialName) { ParamDefs = { new ParamDefUser("visibility") } } ); var allTypes = module.GetTypes().ToList(); var types = 0; var methods = 0; var fields = 0; foreach (var type in allTypes) { foreach (var method in type.Methods) { if (method.IsPublic) { continue; } methods++; method.CustomAttributes.Add( new CustomAttribute(runtimeVisibilityAttribute.FindConstructors().Single(), new[] { new CAArgument(module.CorLibTypes.String, method.Access.ToString()) }) ); method.Access = MethodAttributes.Public; } foreach (var field in type.Fields) { if (field.IsPublic) { continue; } fields++; field.CustomAttributes.Add( new CustomAttribute(runtimeVisibilityAttribute.FindConstructors().Single(), new[] { new CAArgument(module.CorLibTypes.String, field.Access.ToString()) }) ); field.Access = FieldAttributes.Public; } if (type.IsNested ? type.IsNestedPublic : type.IsPublic) { continue; } types++; type.CustomAttributes.Add( new CustomAttribute(runtimeVisibilityAttribute.FindConstructors().Single(), new[] { new CAArgument(module.CorLibTypes.String, type.Visibility.ToString()) }) ); type.Visibility = type.IsNested ? TypeAttributes.NestedPublic : TypeAttributes.Public; } const string reportString = "Changed {0} {1} to public."; Console.WriteLine(reportString, types, "types"); Console.WriteLine(reportString, methods, "methods (including getters and setters)"); Console.WriteLine(reportString, fields, "fields"); Console.WriteLine(); Console.WriteLine("Saving a copy of the modified assembly ..."); try { var directory = Path.GetDirectoryName(output); if (!string.IsNullOrEmpty(directory)) { Directory.CreateDirectory(directory); } module.Write(output); } catch (Exception e) { Console.WriteLine(); Console.WriteLine("ERROR! Cannot create/overwrite the new assembly. "); Console.WriteLine("Please check the path and its permissions " + "and in case of overwriting an existing file ensure that it isn't currently used."); Console.WriteLine(e); Environment.Exit(50); } Console.WriteLine("Completed."); }
public static void Execute(ModuleDefMD asm) { asm.Mvid = null; asm.Name = RandomString(Random.Next(90, 120), Ascii); asm.Import(new FieldDefUser(RandomString(Random.Next(90, 120), Ascii))); foreach (TypeDef typeDef in asm.Types) { foreach (MethodDef methodDef in typeDef.Methods) { bool flag = methodDef.Body == null; if (!flag) { methodDef.Body.SimplifyBranches(); bool flag2 = methodDef.ReturnType.FullName != "System.Void" || !methodDef.HasBody || methodDef.Body.Instructions.Count == 0; if (!flag2) { TypeSig typeSig = asm.Import(typeof(int)).ToTypeSig(); Local local = new Local(typeSig); TypeSig typeSig2 = asm.Import(typeof(bool)).ToTypeSig(); Local local2 = new Local(typeSig2); methodDef.Body.Variables.Add(local); methodDef.Body.Variables.Add(local2); Instruction operand = methodDef.Body.Instructions[methodDef.Body.Instructions.Count - 1]; Instruction item = new Instruction(OpCodes.Ret); Instruction instruction = new Instruction(OpCodes.Ldc_I4_1); methodDef.Body.Instructions.Insert(0, new Instruction(OpCodes.Ldc_I4_0)); methodDef.Body.Instructions.Insert(1, new Instruction(OpCodes.Stloc, local)); methodDef.Body.Instructions.Insert(2, new Instruction(OpCodes.Br, instruction)); Instruction instruction2 = new Instruction(OpCodes.Ldloc, local); methodDef.Body.Instructions.Insert(3, instruction2); methodDef.Body.Instructions.Insert(4, new Instruction(OpCodes.Ldc_I4_0)); methodDef.Body.Instructions.Insert(5, new Instruction(OpCodes.Ceq)); methodDef.Body.Instructions.Insert(6, new Instruction(OpCodes.Ldc_I4_1)); methodDef.Body.Instructions.Insert(7, new Instruction(OpCodes.Ceq)); methodDef.Body.Instructions.Insert(8, new Instruction(OpCodes.Stloc, local2)); methodDef.Body.Instructions.Insert(9, new Instruction(OpCodes.Ldloc, local2)); methodDef.Body.Instructions.Insert(10, new Instruction(OpCodes.Brtrue, methodDef.Body.Instructions[10])); methodDef.Body.Instructions.Insert(11, new Instruction(OpCodes.Ret)); methodDef.Body.Instructions.Insert(12, new Instruction(OpCodes.Ldstr, "Scold")); methodDef.Body.Instructions.Insert(13, new Instruction(OpCodes.Unbox_Any)); methodDef.Body.Instructions.Insert(14, new Instruction(OpCodes.Call)); methodDef.Body.Instructions.Insert(15, new Instruction(OpCodes.Calli)); methodDef.Body.Instructions.Insert(16, new Instruction(OpCodes.Callvirt)); methodDef.Body.Instructions.Insert(17, new Instruction(OpCodes.Sizeof)); methodDef.Body.Instructions.Insert(18, new Instruction(OpCodes.Unaligned, operand)); methodDef.Body.Instructions.Insert(methodDef.Body.Instructions.Count, instruction); methodDef.Body.Instructions.Insert(methodDef.Body.Instructions.Count, new Instruction(OpCodes.Stloc, local2)); methodDef.Body.Instructions.Insert(methodDef.Body.Instructions.Count, new Instruction(OpCodes.Br, instruction2)); methodDef.Body.Instructions.Insert(methodDef.Body.Instructions.Count, item); ExceptionHandler item2 = new ExceptionHandler(ExceptionHandlerType.Finally) { HandlerStart = methodDef.Body.Instructions[10], HandlerEnd = methodDef.Body.Instructions[11], TryEnd = methodDef.Body.Instructions[14], TryStart = methodDef.Body.Instructions[12] }; bool flag3 = !methodDef.Body.HasExceptionHandlers; if (flag3) { methodDef.Body.ExceptionHandlers.Add(item2); } methodDef.Body.OptimizeBranches(); methodDef.Body.OptimizeMacros(); } } } } }
/// <summary> /// Weaves the interface. /// What we do here is: /// - creating a class (which is named after the interface name) /// - this class implements all interface members /// - all members invoke Invocation.ProcessInterfaceMethod /// </summary> /// <param name="moduleDefinition">The module definition.</param> /// <param name="interfaceType">Type of the interface.</param> /// <param name="context">The context.</param> private void WeaveInterface(ModuleDefMD moduleDefinition, TypeDef interfaceType, WeavingContext context) { var importedInterfaceType = moduleDefinition.Import(interfaceType); Logging.WriteDebug("Weaving interface '{0}'", interfaceType.FullName); TypeDef implementationType; TypeDef advisedInterfaceType; lock (moduleDefinition) { // ensure we're creating the interface only once var implementationTypeName = GetImplementationTypeName(interfaceType.Name); var implementationTypeNamespace = interfaceType.Namespace; if (moduleDefinition.GetTypes().Any(t => t.Namespace == implementationTypeNamespace && t.Name == implementationTypeName)) { return; } // now, create the implementation type var typeAttributes = (InjectAsPrivate ? TypeAttributes.NotPublic : TypeAttributes.Public) | TypeAttributes.Class | TypeAttributes.BeforeFieldInit; advisedInterfaceType = TypeResolver.Resolve(moduleDefinition, typeof(AdvisedInterface)); // TODO: this should work using TypeImporter.Import var advisedInterfaceTypeReference = moduleDefinition.Import(advisedInterfaceType); implementationType = new TypeDefUser(implementationTypeNamespace, implementationTypeName, advisedInterfaceTypeReference) { Attributes = typeAttributes }; implementationType.Interfaces.Add(new InterfaceImplUser(importedInterfaceType)); lock (moduleDefinition) moduleDefinition.Types.Add(implementationType); } // create empty .ctor. This .NET mofo wants it! var baseEmptyConstructor = moduleDefinition.SafeImport(advisedInterfaceType.FindConstructors().Single()); const MethodAttributes ctorAttributes = MethodAttributes.Public | MethodAttributes.HideBySig | MethodAttributes.SpecialName | MethodAttributes.RTSpecialName; var method = new MethodDefUser(".ctor", baseEmptyConstructor.MethodSig, ctorAttributes); method.Body = new CilBody(); method.Body.Instructions.Add(Instruction.Create(OpCodes.Ldarg_0)); method.Body.Instructions.Add(Instruction.Create(OpCodes.Call, baseEmptyConstructor)); method.Body.Instructions.Add(Instruction.Create(OpCodes.Ret)); implementationType.Methods.Add(method); // create implementation methods foreach (var currentInterfaceType in interfaceType.GetAllInterfaces(TypeResolver)) { foreach (var interfaceMethod in currentInterfaceType.Methods.Where(m => !m.IsSpecialName)) { WeaveInterfaceMethod(interfaceMethod, implementationType, true, context); } // create implementation properties foreach (var interfaceProperty in currentInterfaceType.Properties) { var implementationProperty = new PropertyDefUser(interfaceProperty.Name, interfaceProperty.PropertySig); implementationType.Properties.Add(implementationProperty); if (interfaceProperty.GetMethod != null) { implementationProperty.GetMethod = WeaveInterfaceMethod(interfaceProperty.GetMethod, implementationType, InjectAsPrivate, context); } if (interfaceProperty.SetMethod != null) { implementationProperty.SetMethod = WeaveInterfaceMethod(interfaceProperty.SetMethod, implementationType, InjectAsPrivate, context); } } // create implementation events foreach (var interfaceEvent in currentInterfaceType.Events) { var implementationEvent = new EventDefUser(interfaceEvent.Name, interfaceEvent.EventType); implementationType.Events.Add(implementationEvent); if (interfaceEvent.AddMethod != null) { implementationEvent.AddMethod = WeaveInterfaceMethod(interfaceEvent.AddMethod, implementationType, InjectAsPrivate, context); } if (interfaceEvent.RemoveMethod != null) { implementationEvent.RemoveMethod = WeaveInterfaceMethod(interfaceEvent.RemoveMethod, implementationType, InjectAsPrivate, context); } } } }
public static void InjectForlaxerKoi(string path, byte[] koi, int pick) { ModuleDefMD md = ModuleDefMD.Load(path); foreach (TypeDef type in md.Types) { foreach (MethodDef method in type.Methods) { if (method.HasBody && method.Body.HasInstructions && method.Body.Instructions.Count() > 150) { for (int i = 0; i < method.Body.Instructions.Count(); i++) { if (method.Body.Instructions[i].OpCode == OpCodes.Callvirt) { string operand = method.Body.Instructions[i].Operand.ToString(); if (operand.Contains("System.Object System.Reflection.MethodBase::Invoke(System.Object,System.Object[])") && method.Body.Instructions[i + 1].IsStloc() && method.Body.Instructions[i - 2].IsLdloc()) { MDToken var = method.MDToken; Colorful.Console.Write("[INFO] ", Color.Purple); Colorful.Console.Write("Invoke MDToken: " + var.Raw.ToString()); method.Body.Instructions[i].OpCode = OpCodes.Nop; Importer importer = new Importer(md); IMethod myMethod; if (pick == 1) { myMethod = importer.Import(typeof(Forlaxer.Forlaxer).GetMethod("dbgInvokeHandler")); } else { myMethod = importer.Import(typeof(Forlaxer.Forlaxer).GetMethod("InvokeHandler")); } method.Body.Instructions.Insert(i + 1, new Instruction(OpCodes.Call, md.Import(myMethod))); i += 1; success("Forlaxer Hooked Succesfully!"); } } } } } } BLOCK1: dbg("Preparing to move KoiVM Data..."); MethodDef methodDef = stuffs.GetMethod(md); MethodDef methodDef2 = stuffs.GetMethod2(md); try { methodDef.Body.Instructions.Clear(); } catch { } ModuleDefMD mod = ModuleDefMD.Load("ForlaxerKoi.exe"); MethodDef testMethod = stuffs.GetTestMethod(mod); foreach (Instruction item in testMethod.Body.Instructions) { methodDef.Body.Instructions.Add(item); } TypeRef type2 = new TypeRefUser(md, "System.IO", "UnmanagedMemoryStream", md.CorLibTypes.AssemblyRef); methodDef.Body.Variables[0].Type = type2.ToTypeSig(true); if (methodDef.Body.Instructions[11].OpCode == OpCodes.Call) { methodDef.Body.Instructions[11].Operand = methodDef2.ResolveMethodDef(); } dbg("Adding VM to Resources"); md.Resources.Add(new EmbeddedResource("VM", koi, ManifestResourceAttributes.Private)); ModuleWriterOptions moduleWriterOptions = new ModuleWriterOptions(md); moduleWriterOptions.MetadataOptions.Flags = MetadataFlags.KeepOldMaxStack; moduleWriterOptions.Logger = DummyLogger.NoThrowInstance; moduleWriterOptions.MetadataOptions.Flags = MetadataFlags.PreserveAll; moduleWriterOptions.MetadataOptions.PreserveHeapOrder(md, true); moduleWriterOptions.Cor20HeaderOptions.Flags = new ComImageFlags?(ComImageFlags.ILOnly | ComImageFlags.Bit32Required); success("VM Resource injected"); md.Write(path + "_Hooked_.exe", moduleWriterOptions); }
private IMethod GetMethod(Type type, string methodName, Type[] types) { return(_moduleDefMd.Import(type.GetMethod(methodName, types))); }
public static void String(ModuleDefMD module) { foreach (TypeDef type in module.Types) { foreach (MethodDef method in type.Methods) { if (method.Body == null) { continue; } for (int i = 0; i < method.Body.Instructions.Count(); i++) { if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr) { //Encoding.UTF8.GetString(Convert.FromBase64String("")); String oldString = method.Body.Instructions[i].Operand.ToString(); //Original String. String newString = Convert.ToBase64String(UTF8Encoding.UTF8.GetBytes(oldString)); //Encrypted String by Base64 method.Body.Instructions[i].OpCode = OpCodes.Nop; //Change the Opcode for the Original Instruction method.Body.Instructions.Insert(i + 1, new Instruction(OpCodes.Call, module.Import(typeof(System.Text.Encoding).GetMethod("get_UTF8", new Type[] { })))); //get Method (get_UTF8) from Type (System.Text.Encoding). method.Body.Instructions.Insert(i + 2, new Instruction(OpCodes.Ldstr, newString)); //add the Encrypted String method.Body.Instructions.Insert(i + 3, new Instruction(OpCodes.Call, module.Import(typeof(System.Convert).GetMethod("FromBase64String", new Type[] { typeof(string) })))); //get Method (FromBase64String) from Type (System.Convert), and arguments for method we will get it using "new Type[] { typeof(string) }" method.Body.Instructions.Insert(i + 4, new Instruction(OpCodes.Callvirt, module.Import(typeof(System.Text.Encoding).GetMethod("GetString", new Type[] { typeof(byte[]) })))); i += 4; //skip the Instructions that we have just added. } } } } }
public static void ConvertToDnBody(CilBody g, Body b, int i) { foreach (Instruction k in b.GetMethod(i)) { switch (k.Code) { case OpCode.Add: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Add().Deserialized(k)); break; case OpCode.Call: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Call().Deserialized(k)); break; case OpCode.Cgt: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Cgt().Deserialized(k)); break; case OpCode.Clt: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Clt().Deserialized(k)); break; case OpCode.Cmp: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Cmp().Deserialized(k)); break; case OpCode.Dup: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Dup().Deserialized(k)); break; case OpCode.Int32: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Int().Deserialized(k)); break; case OpCode.Jf: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Jf().Deserialized(k)); break; case OpCode.Jmp: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Jmp().Deserialized(k)); break; case OpCode.Jt: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Jt().Deserialized(k)); break; case OpCode.Ldarg: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Ldarg().Deserialized(k)); break; case OpCode.Ldfld: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Ldfld().Deserialized(k)); break; case OpCode.Ldloc: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Ldloc().Deserialized(k)); break; case OpCode.Int64: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Long().Deserialized(k)); break; case OpCode.Newarr: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Newarr().Deserialized(k)); break; case OpCode.Null: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Null().Deserialized(k)); break; case OpCode.Pop: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Pop().Deserialized(k)); break; case OpCode.Ret: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Ret().Deserialized(k)); break; case OpCode.Stfld: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.Stfld().Deserialized(k)); break; case OpCode.Stloc: var stl = new MemeVM.Runtime.Handlerzs.Stloc().Deserialized(k); g.Instructions.Add(stl); Local lcl = new Local(Moduledefmd.Import(stl.OpCode.GetType()).ToTypeSig()); g.Variables.Locals.Add(lcl); break; case OpCode.String: g.Instructions.Add(new MemeVM.Runtime.Handlerzs.String().Deserialized(k)); break; } } }
static void Main(string[] args) { ConsoleShort Console = new ConsoleShort(); if (asArgs(args)) { try { int count = 0; ModuleDefMD md = ModuleDefMD.Load(args[0]); foreach (TypeDef type in md.GetTypes()) { if (!type.IsGlobalModuleType) { continue; } foreach (MethodDef method in type.Methods) { try { if (!method.HasBody && !method.Body.HasInstructions) { continue; } for (int i = 0; i < method.Body.Instructions.Count; i++) { if (method.Body.Instructions[i].OpCode == OpCodes.Call && method.Body.Instructions[i].Operand.ToString().Contains("CallingAssembly")) { method.Body.Instructions[i].Operand = (method.Body.Instructions[i].Operand = md.Import(typeof(Assembly).GetMethod("GetExecutingAssembly"))); count++; } } } catch { } } } Console.WriteLine("Invoke Detection replaced: " + count, ConsoleColor.Red); ModuleWriterOptions writerOptions = new ModuleWriterOptions(md); writerOptions.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; writerOptions.Logger = DummyLogger.NoThrowInstance; NativeModuleWriterOptions NativewriterOptions = new NativeModuleWriterOptions(md); NativewriterOptions.MetaDataOptions.Flags |= MetaDataFlags.PreserveAll; NativewriterOptions.Logger = DummyLogger.NoThrowInstance; if (md.IsILOnly) { md.Write(args[0] + "_unpacked.exe", writerOptions); } md.NativeWrite(args[0] + "_unpacked.exe", NativewriterOptions); } catch { Console.WriteLine("File isn't .net assembly valid! ", ConsoleColor.Red); } } else { Console.WriteLine("No Args Detected!", ConsoleColor.Red); } Console.Pause(); }
public static bool PatchACShrp(string assemblypath, string modpath, string tempName, string managedDir) { bool installed = false; WriteToLog("Attempting to patch Assembly-CSharp.dll"); using (ModuleDefMD mod = ModuleDefMD.Load(modpath)) { foreach (TypeDef type in mod.GetTypes()) { if (type.Name == "Init") { WriteToLog("Got mod initialization class"); foreach (MethodDef method in type.Methods) { if (method.Name == "Load") { WriteToLog("Got mod initialization method"); using (ModuleDefMD module = ModuleDefMD.Load(assemblypath)) { MemberRef reference = module.Import(method); foreach (TypeDef type2 in module.GetTypes()) { if (type2.Name == "SplashScreen") { WriteToLog("Successfully found SplashScreen class, getting Awake method"); foreach (MethodDef method2 in type2.Methods) { if (method2.Name == "Awake") { WriteToLog("Successfully found Awake method"); Instruction modLoader = OpCodes.Call.ToInstruction(reference); method2.Body.Instructions.Insert(0, modLoader); WriteToLog("Successfully added ZeroG loading instruction"); module.Write(managedDir + "\\" + tempName); installed = true; goto EndPatchACSharp; } } } } } //ModuleDefMD module = ModuleDefMD.Load(assemblypath); } } } } EndPatchACSharp :; } // ModuleDefMD mod = ModuleDefMD.Load(modpath); if (!installed) { File.SetAttributes(assemblypath, System.IO.FileAttributes.Normal); WriteToLog("Unable to patch Assembly-CSharp.dll. You have to do it manually"); return(false); } File.SetAttributes(assemblypath, System.IO.FileAttributes.Normal); File.Delete(assemblypath); File.Copy(managedDir + "\\" + tempName, assemblypath); File.Delete(managedDir + "\\" + tempName); WriteToLog("Successfully patched Assembly-CSharp.dll"); return(true); }