/// <summary>
/// Builds a randomized import table. Every file ending in ".dll" under <c>ImportDirectory</c>
/// is mapped with <c>LoadLibraryEx</c> and its export-name table is walked into
/// <c>ImportDLL.Functions</c>; two or three of those modules are then chosen at random,
/// 60–89 exported names are drawn from each, every name is re-resolved against whatever
/// copy of the module <c>LoadLibraryA</c> finds by name and filtered through
/// <c>IsBlacklisted</c>, and the surviving names are stored in <c>ImportTable</c> keyed by
/// upper-cased module name.
/// </summary>
/// <returns>
/// The number of modules selected in this call, which is also the number of keys added to
/// <c>ImportTable</c> (a module whose checked list ends up empty still counts).
/// </returns>
/// <remarks>
/// Review notes on defects visible in this method (not changed here):
/// - The return value of <c>LoadLibraryEx</c> is never checked; on failure <c>LoadedAddress</c>
///   stays zero and the header parsing below dereferences it.
/// - <c>e_lfanew</c>, the export-directory RVA and every name RVA are trusted as read from the
///   image with no bounds check against the mapped size, so a malformed DLL placed in
///   <c>ImportDirectory</c> drives raw pointer reads. Treat that directory as trusted input.
/// - <c>IMAGE_NT_HEADERS32</c> is used unconditionally, so only 32-bit images parse correctly.
/// - The handles returned by <c>LoadLibraryEx</c> are never released with <c>FreeLibrary</c>.
/// - <c>null != pFuncCheck</c> on an <c>IntPtr</c> (a struct) is always true (CS0472); only the
///   <c>IntPtr.Zero</c> comparison and the blacklist do any filtering.
/// - <c>XP_DLLS</c>, <c>ImportTable</c> and <c>Rand</c> are declared outside this method; a
///   second call appends to <c>XP_DLLS</c> again and, presumably, makes
///   <c>ImportTable.Add</c> throw on the repeated module key — confirm against the declarations.
/// </remarks>
public unsafe int RandomizeImportTable()
{
    // Ordinal string comparison: only a lowercase ".dll" extension matches, so FOO.DLL is skipped.
    string[] xp_dll_paths = Directory.GetFiles(ImportDirectory).Where(file => Path.GetExtension(file) == ".dll").ToArray();
    for (int i = 0; i < xp_dll_paths.Length; i++)
    {
        ImportDLL xp_dll = new ImportDLL();
        // ImportDLL win8_dll = new ImportDLL();
        // xp
        xp_dll.ModulePath = xp_dll_paths[i];
        // Culture-sensitive upper-casing; this value becomes the ImportTable key and the name passed to LoadLibraryA below.
        xp_dll.ModuleName = Path.GetFileNameWithoutExtension(xp_dll.ModulePath).ToUpper();
        // 0x1 == DONT_RESOLVE_DLL_REFERENCES: the image is mapped without running DllMain or
        // loading its dependencies. A zero (failure) return is not checked, and the handle is never freed.
        xp_dll.LoadedAddress = LoadLibraryEx(xp_dll.ModulePath, IntPtr.Zero, 0x1);
        xp_dll.Functions = new Dictionary <string, IntPtr>();
        XP_DLLS.Add(xp_dll);
        // win8 (dead code kept by the author: a parallel load of the same-named module from SystemX86)
        //win8_dll.ModuleName = xp_dll.ModuleName;
        //win8_dll.ModulePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86), win8_dll.ModuleName);
        //win8_dll.LoadedAddress = LoadLibraryEx(win8_dll.ModulePath, IntPtr.Zero, 0x00000001);
        //win8_dll.Functions = new Dictionary<string, IntPtr>();
        //WIN8_DLLS.Add(win8_dll);
    }
    // walk exports to find functions to use
    foreach (ImportDLL IDLL in XP_DLLS)
    {
        // Parse the headers of the mapped image in place. LoadedAddress is assumed to be a valid
        // PE base; nothing here validates the offsets/RVAs taken from the image.
        IMAGE_DOS_HEADER pIDH = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(IDLL.LoadedAddress, typeof(IMAGE_DOS_HEADER));
        // 32-bit NT headers only: OptionalHeader.ExportTable is read at the PE32 offset.
        IMAGE_NT_HEADERS32 pINH = (IMAGE_NT_HEADERS32)Marshal.PtrToStructure((IntPtr)(IDLL.LoadedAddress + pIDH.e_lfanew), typeof(IMAGE_NT_HEADERS32));
        IMAGE_DATA_DIRECTORY ExportDirectory = pINH.OptionalHeader.ExportTable;
        IMAGE_EXPORT_DIRECTORY pIED = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(((IntPtr)IDLL.LoadedAddress + (int)ExportDirectory.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));
        int NumberOfNamedFunctions = (int)pIED.NumberOfNames;
        uint *lpAddressOfNames = (uint *)(IDLL.LoadedAddress + (int)pIED.AddressOfNames);
        // The next two pointers are computed but never read in this method.
        uint *lpAddressOfFunctions = (uint *)(IDLL.LoadedAddress + (int)pIED.AddressOfFunctions);
        uint *lpAddressOfNameOrdinals = (uint *)(IDLL.LoadedAddress + (int)pIED.AddressOfNameOrdinals);
        for (int i = 0; i < NumberOfNamedFunctions; i++)
        {
            uint lpFuncNameRVA = lpAddressOfNames[i];
            char * szFuncName = (char *)(IDLL.LoadedAddress + (int)lpFuncNameRVA);
            // Reads the NUL-terminated ANSI export name at the RVA.
            string FuncName = Marshal.PtrToStringAnsi((IntPtr)szFuncName);
            // Resolved against the DONT_RESOLVE_DLL_REFERENCES handle; the address is stored, not called.
            // Dictionary.Add throws ArgumentException if an image exports the same name twice.
            IDLL.Functions.Add(FuncName, GetProcAddress(IDLL.LoadedAddress, FuncName));
        }
    }
    // generate random amount of modules of which to select the functions from
    // (assuming Rand is a System.Random, the upper bound is exclusive: 2 or 3 modules)
    int ModuleCount = Rand.Next(2, 4);
    List <ImportDLL> AllModules = new List <ImportDLL>();
    List <ImportDLL> SelectedModules = new List <ImportDLL>();
    // Working copy of XP_DLLS.
    foreach (ImportDLL IDLL in XP_DLLS)
    {
        AllModules.Add(IDLL);
    }
    // Base modules (disabled by the author)
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "KERNEL32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "USER32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "GDI32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "OLEAUT32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "MSVCRT").First());
    // Randomize modules: shuffle by random sort key and keep the first ModuleCount entries.
    // Take yields fewer when XP_DLLS holds fewer than ModuleCount modules.
    SelectedModules.AddRange(AllModules.OrderBy(x => Rand.Next()).Take(ModuleCount).ToList());
    // Remove any overlapping modules
    // (Distinct uses ImportDLL's equality — reference equality unless the type overrides Equals/GetHashCode; not visible here.)
    SelectedModules = SelectedModules.Distinct().ToList();
    SelectedModules = SelectedModules.OrderBy(x => Rand.Next()).ToList();
    // ensure compatability of each imported module function
    foreach (ImportDLL IDLL in SelectedModules)
    {
        // 60..89 candidate names per module; Take below caps this at the module's export count.
        int NumberOfFunctions = Rand.Next(60, 90); // IDLL.Functions.Count; // Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 12);
        //if (NumberOfFunctions < 50)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 4, IDLL.Functions.Count / 2);
        //else if (NumberOfFunctions > 50 && NumberOfFunctions < 100)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);
        //else if (NumberOfFunctions > 100 && NumberOfFunctions < 200)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 12, IDLL.Functions.Count / 4);
        //else if (NumberOfFunctions > 200 && NumberOfFunctions < 400)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 8);
        //else if (NumberOfFunctions > 400)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);
        //if (NumberOfFunctions == 0)
        //    NumberOfFunctions += 1;
        var SelectedFunctions = IDLL.Functions.OrderBy(x => Rand.Next()).Take(NumberOfFunctions);
        List <string> CheckedFunctions = new List <string>();
        foreach (var Function in SelectedFunctions)
        {
            // LoadLibraryA by bare module name goes through the normal DLL search order, i.e. a copy of
            // the module other than the file in ImportDirectory. It is loaded and freed once per candidate
            // name (could be hoisted out of the loop), and a zero handle is not checked before GetProcAddress.
            IntPtr hCorrespondingLib = LoadLibraryA(IDLL.ModuleName);
            IntPtr pFuncCheck = GetProcAddress(hCorrespondingLib, Function.Key);
            // `null != pFuncCheck` is always true for the IntPtr struct; the effective test is
            // "resolves to a non-zero address and is not blacklisted".
            if (null != pFuncCheck && pFuncCheck != IntPtr.Zero && !IsBlacklisted(Function.Key))
            {
                CheckedFunctions.Add(Function.Key);
            }
            else
            {
                // Unresolvable or blacklisted names are dropped with a console message.
                Console.WriteLine("bad function {0}", Function.Key);
            }
            FreeLibrary(hCorrespondingLib);
        }
        // Throws if ModuleName is already a key (e.g. on a second call to this method).
        ImportTable.Add(IDLL.ModuleName, CheckedFunctions);
    }
    return(SelectedModules.Count);
}
/// <summary>
/// Builds a randomized import table. Every file ending in ".dll" under <c>ImportDirectory</c>
/// is mapped with <c>LoadLibraryEx</c> and its export-name table is walked into
/// <c>ImportDLL.Functions</c>; two or three of those modules are then chosen at random,
/// 60–89 exported names are drawn from each, every name is re-resolved against whatever
/// copy of the module <c>LoadLibraryA</c> finds by name and filtered through
/// <c>IsBlacklisted</c>, and the surviving names are stored in <c>ImportTable</c> keyed by
/// upper-cased module name.
/// </summary>
/// <returns>
/// The number of modules selected in this call, which is also the number of keys added to
/// <c>ImportTable</c> (a module whose checked list ends up empty still counts).
/// </returns>
/// <remarks>
/// Review notes on defects visible in this method (not changed here):
/// - The return value of <c>LoadLibraryEx</c> is never checked; on failure <c>LoadedAddress</c>
///   stays zero and the header parsing below dereferences it.
/// - <c>e_lfanew</c>, the export-directory RVA and every name RVA are trusted as read from the
///   image with no bounds check against the mapped size, so a malformed DLL placed in
///   <c>ImportDirectory</c> drives raw pointer reads. Treat that directory as trusted input.
/// - <c>IMAGE_NT_HEADERS32</c> is used unconditionally, so only 32-bit images parse correctly.
/// - The handles returned by <c>LoadLibraryEx</c> are never released with <c>FreeLibrary</c>.
/// - <c>null != pFuncCheck</c> on an <c>IntPtr</c> (a struct) is always true (CS0472); only the
///   <c>IntPtr.Zero</c> comparison and the blacklist do any filtering.
/// - <c>XP_DLLS</c>, <c>ImportTable</c> and <c>Rand</c> are declared outside this method; a
///   second call appends to <c>XP_DLLS</c> again and, presumably, makes
///   <c>ImportTable.Add</c> throw on the repeated module key — confirm against the declarations.
/// </remarks>
public unsafe int RandomizeImportTable()
{
    // Ordinal string comparison: only a lowercase ".dll" extension matches, so FOO.DLL is skipped.
    string[] xp_dll_paths = Directory.GetFiles(ImportDirectory).Where(file => Path.GetExtension(file) == ".dll").ToArray();
    for (int i = 0; i < xp_dll_paths.Length; i++)
    {
        ImportDLL xp_dll = new ImportDLL();
        // ImportDLL win8_dll = new ImportDLL();
        // xp
        xp_dll.ModulePath = xp_dll_paths[i];
        // Culture-sensitive upper-casing; this value becomes the ImportTable key and the name passed to LoadLibraryA below.
        xp_dll.ModuleName = Path.GetFileNameWithoutExtension(xp_dll.ModulePath).ToUpper();
        // 0x1 == DONT_RESOLVE_DLL_REFERENCES: the image is mapped without running DllMain or
        // loading its dependencies. A zero (failure) return is not checked, and the handle is never freed.
        xp_dll.LoadedAddress = LoadLibraryEx(xp_dll.ModulePath, IntPtr.Zero, 0x1);
        xp_dll.Functions = new Dictionary<string, IntPtr>();
        XP_DLLS.Add(xp_dll);
        // win8 (dead code kept by the author: a parallel load of the same-named module from SystemX86)
        //win8_dll.ModuleName = xp_dll.ModuleName;
        //win8_dll.ModulePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86), win8_dll.ModuleName);
        //win8_dll.LoadedAddress = LoadLibraryEx(win8_dll.ModulePath, IntPtr.Zero, 0x00000001);
        //win8_dll.Functions = new Dictionary<string, IntPtr>();
        //WIN8_DLLS.Add(win8_dll);
    }
    // walk exports to find functions to use
    foreach (ImportDLL IDLL in XP_DLLS)
    {
        // Parse the headers of the mapped image in place. LoadedAddress is assumed to be a valid
        // PE base; nothing here validates the offsets/RVAs taken from the image.
        IMAGE_DOS_HEADER pIDH = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(IDLL.LoadedAddress, typeof(IMAGE_DOS_HEADER));
        // 32-bit NT headers only: OptionalHeader.ExportTable is read at the PE32 offset.
        IMAGE_NT_HEADERS32 pINH = (IMAGE_NT_HEADERS32)Marshal.PtrToStructure((IntPtr)(IDLL.LoadedAddress + pIDH.e_lfanew), typeof(IMAGE_NT_HEADERS32));
        IMAGE_DATA_DIRECTORY ExportDirectory = pINH.OptionalHeader.ExportTable;
        IMAGE_EXPORT_DIRECTORY pIED = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(((IntPtr)IDLL.LoadedAddress + (int)ExportDirectory.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));
        int NumberOfNamedFunctions = (int)pIED.NumberOfNames;
        uint* lpAddressOfNames = (uint*)(IDLL.LoadedAddress + (int)pIED.AddressOfNames);
        // The next two pointers are computed but never read in this method.
        uint* lpAddressOfFunctions = (uint*)(IDLL.LoadedAddress + (int)pIED.AddressOfFunctions);
        uint* lpAddressOfNameOrdinals = (uint*)(IDLL.LoadedAddress + (int)pIED.AddressOfNameOrdinals);
        for (int i = 0; i < NumberOfNamedFunctions; i++)
        {
            uint lpFuncNameRVA = lpAddressOfNames[i];
            char* szFuncName = (char*)(IDLL.LoadedAddress + (int)lpFuncNameRVA);
            // Reads the NUL-terminated ANSI export name at the RVA.
            string FuncName = Marshal.PtrToStringAnsi((IntPtr)szFuncName);
            // Resolved against the DONT_RESOLVE_DLL_REFERENCES handle; the address is stored, not called.
            // Dictionary.Add throws ArgumentException if an image exports the same name twice.
            IDLL.Functions.Add(FuncName, GetProcAddress(IDLL.LoadedAddress, FuncName));
        }
    }
    // generate random amount of modules of which to select the functions from
    // (assuming Rand is a System.Random, the upper bound is exclusive: 2 or 3 modules)
    int ModuleCount = Rand.Next(2, 4);
    List<ImportDLL> AllModules = new List<ImportDLL>();
    List<ImportDLL> SelectedModules = new List<ImportDLL>();
    // Working copy of XP_DLLS.
    foreach (ImportDLL IDLL in XP_DLLS)
        AllModules.Add(IDLL);
    // Base modules (disabled by the author)
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "KERNEL32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "USER32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "GDI32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "OLEAUT32").First());
    //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "MSVCRT").First());
    // Randomize modules: shuffle by random sort key and keep the first ModuleCount entries.
    // Take yields fewer when XP_DLLS holds fewer than ModuleCount modules.
    SelectedModules.AddRange(AllModules.OrderBy(x => Rand.Next()).Take(ModuleCount).ToList());
    // Remove any overlapping modules
    // (Distinct uses ImportDLL's equality — reference equality unless the type overrides Equals/GetHashCode; not visible here.)
    SelectedModules = SelectedModules.Distinct().ToList();
    SelectedModules = SelectedModules.OrderBy(x => Rand.Next()).ToList();
    // ensure compatability of each imported module function
    foreach (ImportDLL IDLL in SelectedModules)
    {
        // 60..89 candidate names per module; Take below caps this at the module's export count.
        int NumberOfFunctions = Rand.Next(60, 90); // IDLL.Functions.Count; // Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 12);
        //if (NumberOfFunctions < 50)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 4, IDLL.Functions.Count / 2);
        //else if (NumberOfFunctions > 50 && NumberOfFunctions < 100)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);
        //else if (NumberOfFunctions > 100 && NumberOfFunctions < 200)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 12, IDLL.Functions.Count / 4);
        //else if (NumberOfFunctions > 200 && NumberOfFunctions < 400)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 8);
        //else if (NumberOfFunctions > 400)
        //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);
        //if (NumberOfFunctions == 0)
        //    NumberOfFunctions += 1;
        var SelectedFunctions = IDLL.Functions.OrderBy(x => Rand.Next()).Take(NumberOfFunctions);
        List<string> CheckedFunctions = new List<string>();
        foreach (var Function in SelectedFunctions)
        {
            // LoadLibraryA by bare module name goes through the normal DLL search order, i.e. a copy of
            // the module other than the file in ImportDirectory. It is loaded and freed once per candidate
            // name (could be hoisted out of the loop), and a zero handle is not checked before GetProcAddress.
            IntPtr hCorrespondingLib = LoadLibraryA(IDLL.ModuleName);
            IntPtr pFuncCheck = GetProcAddress(hCorrespondingLib, Function.Key);
            // `null != pFuncCheck` is always true for the IntPtr struct; the effective test is
            // "resolves to a non-zero address and is not blacklisted".
            if (null != pFuncCheck && pFuncCheck != IntPtr.Zero && !IsBlacklisted(Function.Key))
                CheckedFunctions.Add(Function.Key);
            else
                // Unresolvable or blacklisted names are dropped with a console message.
                Console.WriteLine("bad function {0}", Function.Key);
            FreeLibrary(hCorrespondingLib);
        }
        // Throws if ModuleName is already a key (e.g. on a second call to this method).
        ImportTable.Add(IDLL.ModuleName, CheckedFunctions);
    }
    return SelectedModules.Count;
}