Exemple #1
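        /// <summary>
        /// Module-writer event handler that packs the serialized VM method bodies, the
        /// reference table and the opcode table into three extra PE sections
        /// (<c>.Nasha0</c>, <c>.Nasha1</c>, <c>.Nasha2</c>) and queues them in <c>NashaSections</c>.
        /// </summary>
        /// <remarks>
        /// All three sections use characteristics 0x60000020
        /// (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ) although they hold
        /// data. The fixed section names and the executable flag on data-only sections are
        /// static indicators an analyst can match on.
        /// </remarks>
        /// <param name="sender">The module writer raising the event; must be a <c>ModuleWriterBase</c>.</param>
        /// <param name="e">Event data; only <c>MDMemberDefRidsAllocated</c> is handled.</param>
        private static void InsertVmBody(object sender, ModuleWriterEventArgs e)
        {
            var writer = (ModuleWriterBase)sender;

            // Published on every event, before the filter below, exactly as the original did.
            TokenGetter.Writer = writer;
            if (e.Event != ModuleWriterEvent.MDMemberDefRidsAllocated)
            {
                return;
            }

            // Allocate the sections only for the handled event; the handler is invoked for
            // every writer event and previously built three throw-away sections each time.
            var mainSection = new PESection(".Nasha0", 0x60000020);
            var references  = new PESection(".Nasha1", 0x60000020);
            var opcodesList = new PESection(".Nasha2", 0x60000020);

            var translated     = Settings.Translated;
            var bufferedLength = 0;
            var nasha0         = new byte[0];

            for (int i = 0; i < translated.Count; ++i)
            {
                var entry       = translated[i];
                var methodBytes = Settings.Serialize(entry);
                var required    = bufferedLength + methodBytes.Count;

                // Grow geometrically instead of resizing by the exact amount on every
                // iteration, which re-copied the whole buffer once per method.
                if (required > nasha0.Length)
                {
                    Array.Resize(ref nasha0, Math.Max(required, nasha0.Length * 2));
                }
                methodBytes.CopyTo(nasha0, bufferedLength);

                // Patch the last ldc.i4 of the method's current body with the offset of its
                // serialized body inside the blob. Last() throws if the body has no
                // instruction whose opcode is exactly Ldc_I4.
                entry.Method.Body.Instructions.Last(x => x.OpCode == OpCodes.Ldc_I4).Operand = bufferedLength;
                bufferedLength = required;
            }

            // Trim the spare capacity so the blob is byte-for-byte what was serialized.
            Array.Resize(ref nasha0, bufferedLength);

            mainSection.Add(new ByteArrayChunk(Compress(nasha0)), 1);
            references.Add(new ByteArrayChunk(Compress(Settings.TranslateReference().ToArray())), 1);
            // The opcode table is stored as returned, without compression.
            opcodesList.Add(new ByteArrayChunk(NashaSettings.TranslateOpcodes().ToArray()), 1);

            NashaSections.Add(mainSection);
            NashaSections.Add(references);
            NashaSections.Add(opcodesList);
        }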
Exemple #2
        /// <summary>
        /// Module-writer event handler that concatenates every serialized method body,
        /// compresses the result into a <c>.Nasha0</c> section and adds a one-byte
        /// placeholder <c>.Nasha1</c> section; both are queued in <c>NashaSections</c>.
        /// </summary>
        /// <remarks>
        /// Both sections are created with 0x60000020
        /// (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ).
        /// Nothing happens for events other than <c>MDMemberDefRidsAllocated</c>.
        /// </remarks>
        /// <param name="sender">The module writer raising the event.</param>
        /// <param name="e">Event data carrying the writer event kind.</param>
        private static void InsertVMBodies(object sender, ModuleWriterEventArgs e)
        {
            var bodySection      = new PESection(".Nasha0", 0x60000020);
            var referenceSection = new PESection(".Nasha1", 0x60000020);

            // The cast result is not used further; it still rejects a sender of the wrong type.
            var moduleWriter = (ModuleWriterBase)sender;

            if (e.Event == ModuleWriterEvent.MDMemberDefRidsAllocated)
            {
                var packed = new byte[0];

                foreach (var entry in settings.Translated)
                {
                    var serialized = settings.Serialize(entry);

                    // The write position is always the current end of the buffer.
                    var writeAt = packed.Length;
                    Array.Resize(ref packed, writeAt + serialized.Count);
                    serialized.CopyTo(packed, writeAt);
                }

                bodySection.Add(new ByteArrayChunk(Compress(packed)), 1);
                referenceSection.Add(new ByteArrayChunk(new byte[1]), 1);

                NashaSections.Add(bodySection);
                NashaSections.Add(referenceSection);
            }
        }
Exemple #3
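        /// <summary>
        /// Adds a <c>.dummy</c> section to the module being written and fills it with a
        /// zeroed buffer as long as the module's file on disk.
        /// </summary>
        /// <remarks>
        /// 0x40000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ.
        /// <c>writer.Module.Location</c> must name an existing file; the file-system call
        /// throws otherwise.
        /// </remarks>
        /// <param name="writer">Writer whose section list receives the new section.</param>
        public static void WriteSection(ModuleWriterBase writer)
        {
            // Add a PE section
            var sect1 = new PESection(".dummy", 0x40000040);

            writer.Sections.Add(sect1);

            // Only the size is needed, so ask the file system for it instead of reading
            // the whole input file into memory just to take its Length.
            long inputLength = new FileInfo(writer.Module.Location).Length;

            // Let's add data
            sect1.Add(new ByteArrayChunk(new byte[inputLength]), 4);
        }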
Exemple #4
		/// <summary>
		/// Appends every stored body to <paramref name="section"/> in ascending key order
		/// and records on each body its running offset.
		/// </summary>
		/// <remarks>
		/// The offset starts at zero for the first body added here, so it is relative to
		/// that body rather than to whatever the section already contains. Debug builds
		/// assert that no body is null and that every body length is a multiple of 4.
		/// </remarks>
		/// <param name="section">Section that receives the bodies, each with alignment 4.</param>
		public void PopulateSection(PESection section) {
			uint nextOffset = 0;
			var ordered = bodies.OrderBy(pair => pair.Key);

			foreach (var pair in ordered) {
				var body = pair.Value;
				Debug.Assert(body != null);

				section.Add(body, 4);
				body.Offset = nextOffset;

				Debug.Assert(body.GetFileLength() % 4 == 0);
				nextOffset += body.GetFileLength();
			}
		}
Exemple #5
        /// <summary>
        /// Writes the stored bodies into <paramref name="section"/>, sorted by key, and
        /// stamps each one with its cumulative offset.
        /// </summary>
        /// <remarks>
        /// Offsets count from the first body added by this call. In debug builds the
        /// method asserts that bodies are non-null and 4-byte sized multiples.
        /// </remarks>
        /// <param name="section">Target section; every body is added with alignment 4.</param>
        public void PopulateSection(PESection section)
        {
            uint running = 0;

            foreach (var item in bodies.OrderBy(kv => kv.Key))
            {
                var current = item.Value;

                Debug.Assert(current != null);
                section.Add(current, 4);
                current.Offset = running;

                Debug.Assert(current.GetFileLength() % 4 == 0);
                running = running + current.GetFileLength();
            }
        }
Exemple #6
        // Gets notified during module writing
        /// <summary>
        /// Reacts to two writer events: adds a <c>.dummy</c> data section once the PE
        /// sections exist, and prints old-to-new metadata tokens once the tables are built.
        /// </summary>
        /// <remarks>
        /// 0x40000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ. All other
        /// events are ignored.
        /// </remarks>
        /// <param name="writer">The module writer reporting the event.</param>
        /// <param name="evt">The event being reported.</param>
        public void OnWriterEvent(ModuleWriterBase writer, ModuleWriterEvent evt)
        {
            if (evt == ModuleWriterEvent.PESectionsCreated)
            {
                // New read-only data section with two zero-filled chunks, each 4-byte aligned.
                var dummySection = new PESection(".dummy", 0x40000040);
                writer.Sections.Add(dummySection);
                dummySection.Add(new ByteArrayChunk(new byte[123]), 4);
                dummySection.Add(new ByteArrayChunk(new byte[10]), 4);
                return;
            }

            if (evt != ModuleWriterEvent.MDEndCreateTables)
            {
                return;
            }

            // Every type and method has its final RID at this point, so the mapping can be shown.
            Console.WriteLine("Old -> new type and method tokens");
            foreach (var typeDef in writer.Module.GetTypes())
            {
                var oldTypeToken = typeDef.MDToken.Raw;
                var newTypeToken = new MDToken(Table.TypeDef, writer.MetaData.GetRid(typeDef)).Raw;
                Console.WriteLine("TYPE: {0:X8} -> {1:X8} {2}", oldTypeToken, newTypeToken, typeDef.FullName);

                foreach (var methodDef in typeDef.Methods)
                {
                    var oldMethodToken = methodDef.MDToken.Raw;
                    var newMethodToken = new MDToken(Table.Method, writer.MetaData.GetRid(methodDef)).Raw;
                    Console.WriteLine("  METH: {0:X8} -> {1:X8} {2}", oldMethodToken, newMethodToken, methodDef.FullName);
                }
            }
        }
Exemple #7
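        /// <summary>
        /// Module-writer event handler that, once the PE sections have been created, adds
        /// an <c>.origami</c> section holding the compressed payload.
        /// </summary>
        /// <remarks>
        /// 0xC0000080 = IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ |
        /// IMAGE_SCN_MEM_WRITE; the commented-out alternative 0x40000080 is the same
        /// without the write bit. A section flagged as uninitialized data that nevertheless
        /// carries raw bytes is an anomaly static triage can key on.
        /// </remarks>
        /// <param name="sender">The module writer raising the event.</param>
        /// <param name="e">Event data; only <c>PESectionsCreated</c> is handled.</param>
        private static void OnWriterEvent(object sender, ModuleWriterEventArgs e)
        {
            var writer = (ModuleWriterBase)sender;

            if (e.Event != ModuleWriterEvent.PESectionsCreated)
            {
                return;
            }

            var section = new PESection(".origami", 0xC0000080 /*0x40000080*/);

            writer.AddSection(section);

            Console.WriteLine($"Created new pe section {section.Name} with characteristics {section.Characteristics:X}");

            // Compress once and keep the result so the log line reports what is actually
            // stored; the original printed the uncompressed payload length.
            var compressed = _payload.Compress();
            section.Add(new ByteArrayChunk(compressed), 4);

            Console.WriteLine($"Wrote {compressed.Length.ToString()} bytes to section {section.Name}");
        }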
Exemple #8
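        /// <summary>
        /// Module-writer event handler that, once the PE sections have been created, adds
        /// an <c>.origami</c> section holding the compressed payload.
        /// </summary>
        /// <remarks>
        /// 0x40000080 = IMAGE_SCN_CNT_UNINITIALIZED_DATA | IMAGE_SCN_MEM_READ. The section
        /// is flagged as uninitialized data yet carries raw bytes, which is an anomaly
        /// static triage can key on.
        /// </remarks>
        /// <param name="sender">The module writer raising the event.</param>
        /// <param name="e">Event data; only <c>PESectionsCreated</c> is handled.</param>
        private static void OnWriterEvent(object sender, ModuleWriterEventArgs e)
        {
            var writer = (ModuleWriterBase)sender;

            if (e.Event != ModuleWriterEvent.PESectionsCreated)
            {
                return;
            }

            var section = new PESection(".origami", 0x40000080);

            writer.AddSection(section);

            Console.WriteLine("Created new pe section {0} with characteristics {1}", section.Name,
                              section.Characteristics.ToString("x8"));

            // Compress once and keep the result so the log line reports the number of
            // bytes actually stored; the original printed the uncompressed payload length.
            var compressed = Compress(payload);
            section.Add(new ByteArrayChunk(compressed), 4);

            Console.WriteLine("Wrote {0} bytes to section {1}", compressed.Length.ToString(), section.Name);
        }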
Exemple #9
        /// <summary>
        /// Builds the PE sections for this protection mode: an optional unnamed section
        /// that receives chunks moved out of <c>.text</c>, and a second section that holds
        /// a body index plus the serialized bodies of the protected methods.
        /// </summary>
        /// <remarks>
        /// Each method with a body is re-encoded with <c>JITMethodBodyWriter</c>, serialized
        /// with <c>key</c> and <c>fieldLayout</c>, and its IL body is replaced by <c>NopBody</c>.
        /// How the bodies are restored at run time is not visible in this method.
        /// Statement order matters: the calls on <c>random</c> and the mutations of the
        /// writer's sections and metadata happen in sequence.
        /// </remarks>
        /// <param name="writer">Module writer whose sections and metadata are modified in place.</param>
        void CreateSection(ModuleWriterBase writer)
        {
            // move some PE parts to separate section to prevent it from being hashed
            // 0x60000020 = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ; the name is empty.
            // NOTE(review): the hash referred to is computed elsewhere — confirm which range it covers.
            var  peSection = new PESection("", 0x60000020);
            bool moved     = false;
            uint alignment;

            if (writer.StrongNameSignature != null)
            {
                // Remove() yields the chunk's alignment; .Value throws if the chunk was not in .text.
                alignment = writer.TextSection.Remove(writer.StrongNameSignature).Value;
                peSection.Add(writer.StrongNameSignature, alignment);
                moved = true;
            }
            // The import address table and startup stub are only reachable on the managed ModuleWriter.
            var managedWriter = writer as ModuleWriter;

            if (managedWriter != null)
            {
                if (managedWriter.ImportAddressTable != null)
                {
                    alignment = writer.TextSection.Remove(managedWriter.ImportAddressTable).Value;
                    peSection.Add(managedWriter.ImportAddressTable, alignment);
                    moved = true;
                }
                if (managedWriter.StartupStub != null)
                {
                    alignment = writer.TextSection.Remove(managedWriter.StartupStub).Value;
                    peSection.Add(managedWriter.StartupStub, alignment);
                    moved = true;
                }
            }
            // The unnamed section is only emitted when at least one chunk was moved into it.
            if (moved)
            {
                writer.Sections.Add(peSection);
            }

            // create section
            // The 8-byte section name is name1 followed by name2, each written low byte first.
            var nameBuffer = new byte[8];

            nameBuffer[0] = (byte)(name1 >> 0);
            nameBuffer[1] = (byte)(name1 >> 8);
            nameBuffer[2] = (byte)(name1 >> 16);
            nameBuffer[3] = (byte)(name1 >> 24);
            nameBuffer[4] = (byte)(name2 >> 0);
            nameBuffer[5] = (byte)(name2 >> 8);
            nameBuffer[6] = (byte)(name2 >> 16);
            nameBuffer[7] = (byte)(name2 >> 24);
            // 0xE0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE.
            // A section that is readable, writable and executable at once is a strong static indicator for triage.
            var newSection = new PESection(Encoding.ASCII.GetString(nameBuffer), 0xE0000040);

            // The section is placed at a random index among the existing sections.
            writer.Sections.Insert(random.NextInt32(writer.Sections.Count), newSection);

            // random padding at beginning to prevent revealing hash key
            newSection.Add(new ByteArrayChunk(random.NextBytes(0x10)), 0x10);

            // create index
            // The index is built from the raw metadata tokens of all methods in `methods`.
            var bodyIndex = new JITBodyIndex(methods.Select(method => writer.MetaData.GetToken(method).Raw));

            newSection.Add(bodyIndex, 0x10);

            // save methods
            foreach (MethodDef method in methods.WithProgress(context.Logger))
            {
                if (!method.HasBody)
                {
                    continue;
                }

                MDToken token = writer.MetaData.GetToken(method);

                // Re-encode the body into jitBody, then serialize it keyed by the method token.
                var jitBody    = new JITMethodBody();
                var bodyWriter = new JITMethodBodyWriter(writer.MetaData, method.Body, jitBody, random.NextUInt32(), writer.MetaData.KeepOldMaxStack || method.Body.KeepOldMaxStack);
                bodyWriter.Write();
                jitBody.Serialize(token.Raw, key, fieldLayout);
                bodyIndex.Add(token.Raw, jitBody);

                // The method keeps only the placeholder body and is marked NoInlining in the method table.
                method.Body = NopBody;
                writer.MetaData.TablesHeap.MethodTable[token.Rid].ImplFlags |= (ushort)MethodImplAttributes.NoInlining;
                context.CheckCancellation();
            }
            // Appends the collected bodies to the section after the index.
            bodyIndex.PopulateSection(newSection);

            // padding to prevent bad size due to shift division
            newSection.Add(new ByteArrayChunk(new byte[4]), 4);
        }
Exemple #10
        /// <summary>
        /// Rearranges the module's PE layout: inserts a new first section that receives
        /// the constants chunk and the bodies of the protected methods, re-appends the
        /// metadata and resources to <c>.text</c>, and moves the strong-name signature,
        /// import address table and startup stub into an unnamed section.
        /// </summary>
        /// <remarks>
        /// 0xE0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE;
        /// 0x60000020 = IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ. A read/write/execute
        /// section and an empty section name are both anomalies static triage can key on.
        /// </remarks>
        /// <param name="writer">Module writer whose sections are modified in place.</param>
        void CreateSections(ModuleWriterBase writer)
        {
            // Section name: name1 then name2, each laid out low byte first.
            var sectionName = new byte[8];
            for (int i = 0; i < 4; i++)
            {
                int shift = i * 8;
                sectionName[i]     = (byte)(name1 >> shift);
                sectionName[i + 4] = (byte)(name2 >> shift);
            }

            var protectedSection = new PESection(Encoding.ASCII.GetString(sectionName), 0xE0000040);

            writer.Sections.Insert(0, protectedSection); // insert first to ensure proper RVA

            // Removing and re-adding with the same alignment moves a chunk to the end of .text.
            uint metaDataAlignment = writer.TextSection.Remove(writer.MetaData).Value;
            writer.TextSection.Add(writer.MetaData, metaDataAlignment);

            uint resourcesAlignment = writer.TextSection.Remove(writer.NetResources).Value;
            writer.TextSection.Add(writer.NetResources, resourcesAlignment);

            // The constants chunk leaves .text and goes into the new section.
            uint constantsAlignment = writer.TextSection.Remove(writer.Constants).Value;
            protectedSection.Add(writer.Constants, constantsAlignment);

            // move some PE parts to separate section to prevent it from being hashed
            var  relocated = new PESection("", 0x60000020);
            bool anyMoved  = false;

            if (writer.StrongNameSignature != null)
            {
                uint signatureAlignment = writer.TextSection.Remove(writer.StrongNameSignature).Value;
                relocated.Add(writer.StrongNameSignature, signatureAlignment);
                anyMoved = true;
            }

            // These two chunks exist only on the managed ModuleWriter.
            var managedWriter = writer as ModuleWriter;

            if (managedWriter != null && managedWriter.ImportAddressTable != null)
            {
                uint iatAlignment = writer.TextSection.Remove(managedWriter.ImportAddressTable).Value;
                relocated.Add(managedWriter.ImportAddressTable, iatAlignment);
                anyMoved = true;
            }
            if (managedWriter != null && managedWriter.StartupStub != null)
            {
                uint stubAlignment = writer.TextSection.Remove(managedWriter.StartupStub).Value;
                relocated.Add(managedWriter.StartupStub, stubAlignment);
                anyMoved = true;
            }

            if (anyMoved)
            {
                writer.Sections.Add(relocated);
            }

            // move encrypted methods
            var protectedBodies = new MethodBodyChunks(writer.TheOptions.ShareMethodBodies);

            protectedSection.Add(protectedBodies, 4);
            foreach (MethodDef method in methods)
            {
                if (method.HasBody)
                {
                    MethodBody body = writer.MetaData.GetMethodBody(method);
                    // The result of Remove is captured but never checked.
                    bool removed = writer.MethodBodies.Remove(body);
                    protectedBodies.Add(body);
                }
            }

            // padding to prevent bad size due to shift division
            protectedSection.Add(new ByteArrayChunk(new byte[4]), 4);
        }
Exemple #11
		/// <summary>
		/// Rearranges the module's PE layout: a new section is inserted first and receives
		/// the constants chunk and the protected method bodies; metadata and resources are
		/// re-appended to <c>.text</c>; the strong-name signature, import address table and
		/// startup stub go to an unnamed section when present.
		/// </summary>
		/// <remarks>
		/// 0xE0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE;
		/// 0x60000020 = IMAGE_SCN_CNT_CODE | MEM_EXECUTE | MEM_READ. The read/write/execute
		/// flags and the empty section name are anomalies static triage can key on.
		/// </remarks>
		/// <param name="writer">Module writer whose sections are modified in place.</param>
		void CreateSections(ModuleWriterBase writer) {
			// Section name bytes: name1 then name2, each low byte first.
			var rawName = new byte[] {
				(byte)(name1 >> 0),
				(byte)(name1 >> 8),
				(byte)(name1 >> 16),
				(byte)(name1 >> 24),
				(byte)(name2 >> 0),
				(byte)(name2 >> 8),
				(byte)(name2 >> 16),
				(byte)(name2 >> 24),
			};
			var target = new PESection(Encoding.ASCII.GetString(rawName), 0xE0000040);
			writer.Sections.Insert(0, target); // insert first to ensure proper RVA

			// Remove + Add with the returned alignment puts the chunk at the end of .text.
			uint align = writer.TextSection.Remove(writer.MetaData).Value;
			writer.TextSection.Add(writer.MetaData, align);

			align = writer.TextSection.Remove(writer.NetResources).Value;
			writer.TextSection.Add(writer.NetResources, align);

			// Constants leave .text for the new section.
			align = writer.TextSection.Remove(writer.Constants).Value;
			target.Add(writer.Constants, align);

			// move some PE parts to separate section to prevent it from being hashed
			var sideSection = new PESection("", 0x60000020);
			bool sideSectionUsed = false;
			if (writer.StrongNameSignature != null) {
				align = writer.TextSection.Remove(writer.StrongNameSignature).Value;
				sideSection.Add(writer.StrongNameSignature, align);
				sideSectionUsed = true;
			}

			// Only the managed ModuleWriter exposes the import address table and startup stub.
			var managed = writer as ModuleWriter;
			if (managed != null) {
				if (managed.ImportAddressTable != null) {
					align = writer.TextSection.Remove(managed.ImportAddressTable).Value;
					sideSection.Add(managed.ImportAddressTable, align);
					sideSectionUsed = true;
				}
				if (managed.StartupStub != null) {
					align = writer.TextSection.Remove(managed.StartupStub).Value;
					sideSection.Add(managed.StartupStub, align);
					sideSectionUsed = true;
				}
			}
			if (sideSectionUsed) {
				writer.Sections.Add(sideSection);
			}

			// move encrypted methods
			var bodyChunks = new MethodBodyChunks(writer.TheOptions.ShareMethodBodies);
			target.Add(bodyChunks, 4);
			foreach (MethodDef method in methods) {
				if (method.HasBody) {
					MethodBody body = writer.MetaData.GetMethodBody(method);
					// The result of Remove is captured but never checked.
					bool wasRemoved = writer.MethodBodies.Remove(body);
					bodyChunks.Add(body);
				}
			}

			// padding to prevent bad size due to shift division
			target.Add(new ByteArrayChunk(new byte[4]), 4);
		}
Exemple #12
		/// <summary>
		/// Builds the PE sections for this protection mode: an optional unnamed section
		/// that receives chunks moved out of <c>.text</c>, and a second section that holds
		/// a body index plus the serialized bodies of the protected methods.
		/// </summary>
		/// <remarks>
		/// Each method with a body is re-encoded with <c>JITMethodBodyWriter</c>, serialized
		/// with <c>key</c> and <c>fieldLayout</c>, and its IL body is replaced by <c>NopBody</c>.
		/// How the bodies are restored at run time is not visible in this method.
		/// Statement order matters: the calls on <c>random</c> and the mutations of the
		/// writer's sections and metadata happen in sequence.
		/// </remarks>
		/// <param name="writer">Module writer whose sections and metadata are modified in place.</param>
		void CreateSection(ModuleWriterBase writer) {
			// move some PE parts to separate section to prevent it from being hashed
			// 0x60000020 = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ; the name is empty.
			// NOTE(review): the hash referred to is computed elsewhere — confirm which range it covers.
			var peSection = new PESection("", 0x60000020);
			bool moved = false;
			uint alignment;
			if (writer.StrongNameSignature != null) {
				// Remove() yields the chunk's alignment; .Value throws if the chunk was not in .text.
				alignment = writer.TextSection.Remove(writer.StrongNameSignature).Value;
				peSection.Add(writer.StrongNameSignature, alignment);
				moved = true;
			}
			// The import address table and startup stub are only reachable on the managed ModuleWriter.
			var managedWriter = writer as ModuleWriter;
			if (managedWriter != null) {
				if (managedWriter.ImportAddressTable != null) {
					alignment = writer.TextSection.Remove(managedWriter.ImportAddressTable).Value;
					peSection.Add(managedWriter.ImportAddressTable, alignment);
					moved = true;
				}
				if (managedWriter.StartupStub != null) {
					alignment = writer.TextSection.Remove(managedWriter.StartupStub).Value;
					peSection.Add(managedWriter.StartupStub, alignment);
					moved = true;
				}
			}
			// The unnamed section is only emitted when at least one chunk was moved into it.
			if (moved)
				writer.Sections.Add(peSection);

			// create section
			// The 8-byte section name is name1 followed by name2, each written low byte first.
			var nameBuffer = new byte[8];
			nameBuffer[0] = (byte)(name1 >> 0);
			nameBuffer[1] = (byte)(name1 >> 8);
			nameBuffer[2] = (byte)(name1 >> 16);
			nameBuffer[3] = (byte)(name1 >> 24);
			nameBuffer[4] = (byte)(name2 >> 0);
			nameBuffer[5] = (byte)(name2 >> 8);
			nameBuffer[6] = (byte)(name2 >> 16);
			nameBuffer[7] = (byte)(name2 >> 24);
			// 0xE0000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | MEM_EXECUTE | MEM_READ | MEM_WRITE.
			// A section that is readable, writable and executable at once is a strong static indicator for triage.
			var newSection = new PESection(Encoding.ASCII.GetString(nameBuffer), 0xE0000040);
			// The section is placed at a random index among the existing sections.
			writer.Sections.Insert(random.NextInt32(writer.Sections.Count), newSection);

			// random padding at beginning to prevent revealing hash key
			newSection.Add(new ByteArrayChunk(random.NextBytes(0x10)), 0x10);

			// create index
			// The index is built from the raw metadata tokens of all methods in `methods`.
			var bodyIndex = new JITBodyIndex(methods.Select(method => writer.MetaData.GetToken(method).Raw));
			newSection.Add(bodyIndex, 0x10);

			// save methods
			foreach (MethodDef method in methods.WithProgress(context.Logger)) {
				if (!method.HasBody)
					continue;

				MDToken token = writer.MetaData.GetToken(method);

				// Re-encode the body into jitBody, then serialize it keyed by the method token.
				var jitBody = new JITMethodBody();
				var bodyWriter = new JITMethodBodyWriter(writer.MetaData, method.Body, jitBody, random.NextUInt32(), writer.MetaData.KeepOldMaxStack || method.Body.KeepOldMaxStack);
				bodyWriter.Write();
				jitBody.Serialize(token.Raw, key, fieldLayout);
				bodyIndex.Add(token.Raw, jitBody);

				// The method keeps only the placeholder body and is marked NoInlining in the method table.
				method.Body = NopBody;
				writer.MetaData.TablesHeap.MethodTable[token.Rid].ImplFlags |= (ushort)MethodImplAttributes.NoInlining;
				context.CheckCancellation();
			}
			// Appends the collected bodies to the section after the index.
			bodyIndex.PopulateSection(newSection);

			// padding to prevent bad size due to shift division
			newSection.Add(new ByteArrayChunk(new byte[4]), 4);
		}
Exemple #13
		// Gets notified during module writing
		/// <summary>
		/// Handles two writer events: adds a <c>.dummy</c> data section when the PE
		/// sections have been created, and prints the old and new metadata tokens of every
		/// type and method when the metadata tables are complete.
		/// </summary>
		/// <remarks>
		/// 0x40000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ. Any other
		/// event is ignored.
		/// </remarks>
		/// <param name="writer">The module writer reporting the event.</param>
		/// <param name="evt">The event being reported.</param>
		public void OnWriterEvent(ModuleWriterBase writer, ModuleWriterEvent evt) {
			if (evt == ModuleWriterEvent.PESectionsCreated) {
				// Read-only data section with two zero-filled, 4-byte aligned chunks.
				var extra = new PESection(".dummy", 0x40000040);
				writer.Sections.Add(extra);
				extra.Add(new ByteArrayChunk(new byte[123]), 4);
				extra.Add(new ByteArrayChunk(new byte[10]), 4);
			}
			else if (evt == ModuleWriterEvent.MDEndCreateTables) {
				// RIDs are final here, so the old-to-new token mapping can be printed.
				Console.WriteLine("Old -> new type and method tokens");
				foreach (var t in writer.Module.GetTypes()) {
					var typeBefore = t.MDToken.Raw;
					var typeAfter = new MDToken(Table.TypeDef, writer.MetaData.GetRid(t)).Raw;
					Console.WriteLine("TYPE: {0:X8} -> {1:X8} {2}", typeBefore, typeAfter, t.FullName);

					foreach (var m in t.Methods) {
						var methodBefore = m.MDToken.Raw;
						var methodAfter = new MDToken(Table.Method, writer.MetaData.GetRid(m)).Raw;
						Console.WriteLine("  METH: {0:X8} -> {1:X8} {2}", methodBefore, methodAfter, m.FullName);
					}
				}
			}
		}
Exemple #14
            /// <summary>
            /// Module-writer event handler that adds an extra PE section and an extra metadata
            /// heap filled with encoded random text, then appends rows with arbitrary values to
            /// several raw metadata tables.
            /// </summary>
            /// <remarks>
            /// The added rows do not describe real members; presumably they are meant to confuse
            /// metadata readers and decompilers — confirm against the rest of the project.
            /// The fixed section name "Rzy" and heap name "#Rzy-Private-Protector" are constant
            /// strings that can serve as static indicators. The code looks decompiled
            /// (explicit enumerator, numeric literals), so names carry little meaning.
            /// </remarks>
            /// <param name="sender">The module writer raising the event; cast to <c>ModuleWriterBase</c>.</param>
            /// <param name="e">Event data; <c>MDEndCreateTables</c> and <c>MDOnAllTablesSorted</c> are handled.</param>
            private void OnWriterEvent(object sender, ModuleWriterListenerEventArgs e)
            {
                ModuleWriterBase moduleWriterBase = (ModuleWriterBase)sender;

                if (e.WriterEvent == ModuleWriterEvent.MDEndCreateTables)
                {
                    // 1073741888u == 0x40000040 = IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ.
                    PESection pESection = new PESection("Rzy", 1073741888u);
                    moduleWriterBase.Sections.Add(pESection);
                    pESection.Add(new ByteArrayChunk(new byte[123]), 4u);
                    pESection.Add(new ByteArrayChunk(new byte[10]), 4u);
                    string text = ".Rzy";
                    string s    = null;
                    // Append 80 random strings to the ".Rzy" prefix.
                    for (int i = 0; i < 80; i++)
                    {
                        text += FakeNative.FakeNativePhase.GetRandomString();
                    }
                    // NOTE(review): `text` does not change inside this loop, so each of the 80
                    // iterations encodes the same input and only the last result is kept.
                    for (int j = 0; j < 80; j++)
                    {
                        byte[] bytes = Encoding.ASCII.GetBytes(text);
                        s = Utils.EncodeString(bytes, FakeNative.FakeNativePhase.asciiCharset);
                    }
                    // The encoded text is stored twice: as an extra metadata heap and as a chunk in the new section.
                    byte[] bytes2 = Encoding.ASCII.GetBytes(s);
                    moduleWriterBase.TheOptions.MetaDataOptions.OtherHeapsEnd.Add(new FakeNative.RawHeap("#Rzy-Private-Protector", bytes2));
                    pESection.Add(new ByteArrayChunk(bytes2), 4u);

                    // NOTE(review): `writer` is never used; it duplicates moduleWriterBase.
                    var writer = (ModuleWriterBase)sender;

                    // One past the current TypeSpec row count, used as the signature value of the first added TypeSpec row.
                    uint        signature = (uint)(moduleWriterBase.MetaData.TablesHeap.TypeSpecTable.Rows + 1);
                    // Distinct Namespace values of the TypeDef rows and distinct Name values of the Method rows.
                    List <uint> list      = (from row in moduleWriterBase.MetaData.TablesHeap.TypeDefTable
                                             select row.Namespace).Distinct <uint>().ToList <uint>();
                    List <uint> list2 = (from row in moduleWriterBase.MetaData.TablesHeap.MethodTable
                                         select row.Name).Distinct <uint>().ToList <uint>();
                    // Random base value from which most of the row fields below are derived.
                    uint num2 = Convert.ToUInt32(FakeNative.R.Next(15, 3546));
                    // For every pair of non-zero namespace value and non-zero method-name value,
                    // one batch of rows is appended to the raw tables; the pair values themselves
                    // are not written into the rows.
                    using (List <uint> .Enumerator enumerator = list.GetEnumerator())
                    {
                        while (enumerator.MoveNext())
                        {
                            uint current = enumerator.Current;
                            if (current != 0u)
                            {
                                foreach (uint current2 in list2)
                                {
                                    if (current2 != 0u)
                                    {
                                        moduleWriterBase.MetaData.TablesHeap.TypeSpecTable.Add(new RawTypeSpecRow(signature));
                                        moduleWriterBase.MetaData.TablesHeap.ModuleTable.Add(new RawModuleRow(65535, 0u, 4294967295u, 4294967295u, 4294967295u));
                                        moduleWriterBase.MetaData.TablesHeap.ParamTable.Add(new RawParamRow(254, 254, moduleWriterBase.MetaData.TablesHeap.ENCMapTable.Add(new RawENCMapRow(this.random.NextUInt32()))));
                                        moduleWriterBase.MetaData.TablesHeap.FieldTable.Add(new RawFieldRow((ushort)(num2 * 4u + 77u), 31u + num2 / 2u * 3u, this.random.NextUInt32()));
                                        moduleWriterBase.MetaData.TablesHeap.MemberRefTable.Add(new RawMemberRefRow(num2 + 18u, num2 * 4u + 77u, 31u + num2 / 2u * 3u));
                                        moduleWriterBase.MetaData.TablesHeap.TypeSpecTable.Add(new RawTypeSpecRow(3391u + num2 / 2u * 3u));
                                        moduleWriterBase.MetaData.TablesHeap.PropertyTable.Add(new RawPropertyRow((ushort)(num2 + 44u - 1332u), num2 / 2u + 2u, this.random.NextUInt32()));
                                        moduleWriterBase.MetaData.TablesHeap.TypeSpecTable.Add(new RawTypeSpecRow(3391u + num2 / 2u * 3u));
                                        moduleWriterBase.MetaData.TablesHeap.PropertyPtrTable.Add(new RawPropertyPtrRow(this.random.NextUInt32()));
                                        moduleWriterBase.MetaData.TablesHeap.AssemblyRefTable.Add(new RawAssemblyRefRow(55, 44, 66, 500, this.random.NextUInt32(), this.random.NextUInt32(), moduleWriterBase.MetaData.TablesHeap.ENCMapTable.Add(new RawENCMapRow(this.random.NextUInt32())), this.random.NextUInt32(), this.random.NextUInt32()));
                                        moduleWriterBase.MetaData.TablesHeap.ENCLogTable.Add(new RawENCLogRow(this.random.NextUInt32(), moduleWriterBase.MetaData.TablesHeap.ENCMapTable.Add(new RawENCMapRow(this.random.NextUInt32()))));
                                        moduleWriterBase.MetaData.TablesHeap.ENCLogTable.Add(new RawENCLogRow(this.random.NextUInt32(), (uint)(moduleWriterBase.MetaData.TablesHeap.ENCMapTable.Rows - 1)));
                                        moduleWriterBase.MetaData.TablesHeap.ImplMapTable.Add(new RawImplMapRow(18, num2 * 4u + 77u, 31u + num2 / 2u * 3u, num2 * 4u + 77u));
                                    }
                                }
                            }
                        }
                    }
                }
                // Once all tables are sorted, a single DeclSecurity row with fixed values is appended.
                if (e.WriterEvent == ModuleWriterEvent.MDOnAllTablesSorted)
                {
                    moduleWriterBase.MetaData.TablesHeap.DeclSecurityTable.Add(new RawDeclSecurityRow(32767, 4294934527u, 4294934527u));
                }
            }