コード例 #1
        /// <summary>
        /// Builds a randomized import list: loads every <c>.dll</c> file found in <c>ImportDirectory</c>,
        /// enumerates each module's named exports, picks a random subset of modules and a random
        /// subset of functions per module, and stores in <c>ImportTable</c> the function names that
        /// also resolve via <c>LoadLibraryA</c>/<c>GetProcAddress</c> and pass <c>IsBlacklisted</c>.
        /// </summary>
        /// <remarks>
        /// NOTE(review): module and function selection is random, so the recorded import list differs
        /// from run to run; presumably that is the purpose. Confirm against the consumer of
        /// <c>ImportTable</c>, which is not visible here.
        /// NOTE(review): the native helpers (<c>LoadLibraryEx</c>, <c>LoadLibraryA</c>,
        /// <c>GetProcAddress</c>, <c>FreeLibrary</c>) are declared elsewhere and are presumably the
        /// kernel32 P/Invokes. If so, every file in <c>ImportDirectory</c> is mapped into this process,
        /// so that directory must hold trusted content only.
        /// NOTE(review): <c>XP_DLLS</c> and <c>ImportTable</c> are members that this method appends to
        /// but never clears, and the handles returned by <c>LoadLibraryEx</c> are never released here.
        /// </remarks>
        /// <returns>The number of modules that were selected (<c>SelectedModules.Count</c>).</returns>
        public unsafe int RandomizeImportTable()
        {
            // Extension match is an exact, case-sensitive comparison: "FOO.DLL" is skipped.
            string[] xp_dll_paths = Directory.GetFiles(ImportDirectory).Where(file => Path.GetExtension(file) == ".dll").ToArray();

            for (int i = 0; i < xp_dll_paths.Length; i++)
            {
                ImportDLL xp_dll = new ImportDLL();
                // ImportDLL win8_dll = new ImportDLL();

                // xp
                xp_dll.ModulePath    = xp_dll_paths[i];
                xp_dll.ModuleName    = Path.GetFileNameWithoutExtension(xp_dll.ModulePath).ToUpper();
                // Flag 0x1 is DONT_RESOLVE_DLL_REFERENCES if this wraps kernel32!LoadLibraryEx (confirm):
                // the image is mapped without running DllMain or resolving its imports.
                // NOTE(review): the returned handle is not checked; a failed load (IntPtr.Zero) is stored
                // and later passed to Marshal.PtrToStructure in the export walk below.
                xp_dll.LoadedAddress = LoadLibraryEx(xp_dll.ModulePath, IntPtr.Zero, 0x1);
                xp_dll.Functions     = new Dictionary <string, IntPtr>();
                XP_DLLS.Add(xp_dll);

                // win8
                //win8_dll.ModuleName = xp_dll.ModuleName;
                //win8_dll.ModulePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86), win8_dll.ModuleName);
                //win8_dll.LoadedAddress = LoadLibraryEx(win8_dll.ModulePath, IntPtr.Zero, 0x00000001);
                //win8_dll.Functions = new Dictionary<string, IntPtr>();
                //WIN8_DLLS.Add(win8_dll);
            }

            // walk exports to find functions to use
            // NOTE(review): the headers are read as IMAGE_NT_HEADERS32, so this assumes 32-bit images.
            // No signature or bounds validation is done on any header field or RVA read from the file,
            // and an image without an export directory (VirtualAddress == 0) is not skipped.
            foreach (ImportDLL IDLL in XP_DLLS)
            {
                IMAGE_DOS_HEADER       pIDH            = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(IDLL.LoadedAddress, typeof(IMAGE_DOS_HEADER));
                IMAGE_NT_HEADERS32     pINH            = (IMAGE_NT_HEADERS32)Marshal.PtrToStructure((IntPtr)(IDLL.LoadedAddress + pIDH.e_lfanew), typeof(IMAGE_NT_HEADERS32));
                IMAGE_DATA_DIRECTORY   ExportDirectory = pINH.OptionalHeader.ExportTable;
                IMAGE_EXPORT_DIRECTORY pIED            = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(((IntPtr)IDLL.LoadedAddress + (int)ExportDirectory.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));

                int NumberOfNamedFunctions = (int)pIED.NumberOfNames;

                // Only lpAddressOfNames is used below; the other two pointers are computed but never read.
                // (In the PE format the name-ordinal table holds 16-bit entries, so uint* would be the
                // wrong element type if it were ever dereferenced.)
                uint *lpAddressOfNames        = (uint *)(IDLL.LoadedAddress + (int)pIED.AddressOfNames);
                uint *lpAddressOfFunctions    = (uint *)(IDLL.LoadedAddress + (int)pIED.AddressOfFunctions);
                uint *lpAddressOfNameOrdinals = (uint *)(IDLL.LoadedAddress + (int)pIED.AddressOfNameOrdinals);

                for (int i = 0; i < NumberOfNamedFunctions; i++)
                {
                    // Each name-table entry is an RVA to an ANSI string holding the export name.
                    uint   lpFuncNameRVA = lpAddressOfNames[i];
                    char * szFuncName    = (char *)(IDLL.LoadedAddress + (int)lpFuncNameRVA);
                    string FuncName      = Marshal.PtrToStringAnsi((IntPtr)szFuncName);

                    // Dictionary.Add throws ArgumentException on a repeated name and
                    // ArgumentNullException if FuncName is null.
                    IDLL.Functions.Add(FuncName, GetProcAddress(IDLL.LoadedAddress, FuncName));
                }
            }

            // generate random amount of modules of which to select the functions from
            // If Rand is a System.Random, the upper bound is exclusive, so this yields 2 or 3.
            int ModuleCount = Rand.Next(2, 4);

            List <ImportDLL> AllModules      = new List <ImportDLL>();
            List <ImportDLL> SelectedModules = new List <ImportDLL>();

            foreach (ImportDLL IDLL in XP_DLLS)
            {
                AllModules.Add(IDLL);
            }

            // Base modules
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "KERNEL32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "USER32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "GDI32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "OLEAUT32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "MSVCRT").First());
            // Randomize modules
            // Shuffle by sorting on a random key, then keep the first ModuleCount entries
            // (fewer if XP_DLLS holds fewer modules).
            SelectedModules.AddRange(AllModules.OrderBy(x => Rand.Next()).Take(ModuleCount).ToList());

            // Remove any overlapping modules
            // With the base-module lines above commented out, this only matters if XP_DLLS itself
            // contains equal entries; the second statement reshuffles the result.
            SelectedModules = SelectedModules.Distinct().ToList();
            SelectedModules = SelectedModules.OrderBy(x => Rand.Next()).ToList();

            // ensure compatibility of each imported module function
            foreach (ImportDLL IDLL in SelectedModules)
            {
                int NumberOfFunctions = Rand.Next(60, 90); // IDLL.Functions.Count; // Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 12);

                //if (NumberOfFunctions < 50)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 4, IDLL.Functions.Count / 2);
                //else if (NumberOfFunctions > 50 && NumberOfFunctions < 100)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);
                //else if (NumberOfFunctions > 100 && NumberOfFunctions < 200)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 12, IDLL.Functions.Count / 4);
                //else if (NumberOfFunctions > 200 && NumberOfFunctions < 400)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 8);
                //else if (NumberOfFunctions > 400)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);

                //if (NumberOfFunctions == 0)
                //    NumberOfFunctions += 1;

                // Take() caps the selection at the number of exports the module actually has.
                var           SelectedFunctions = IDLL.Functions.OrderBy(x => Rand.Next()).Take(NumberOfFunctions);
                List <string> CheckedFunctions  = new List <string>();

                foreach (var Function in SelectedFunctions)
                {
                    // The module is loaded by bare name here, not by ModulePath, so the loader's search
                    // order decides which copy is used (presumably the host system's DLL — confirm).
                    // NOTE(review): unlike the 0x1 load above, this is a normal load; the handle is not
                    // checked for IntPtr.Zero, and the load/free pair is repeated for every function
                    // although the module does not change inside this loop.
                    IntPtr hCorrespondingLib = LoadLibraryA(IDLL.ModuleName);
                    IntPtr pFuncCheck        = GetProcAddress(hCorrespondingLib, Function.Key);

                    // `null != pFuncCheck` is always true for the IntPtr value type; the effective tests
                    // are the IntPtr.Zero comparison and the IsBlacklisted filter.
                    if (null != pFuncCheck && pFuncCheck != IntPtr.Zero && !IsBlacklisted(Function.Key))
                    {
                        CheckedFunctions.Add(Function.Key);
                    }
                    else
                    {
                        Console.WriteLine("bad function {0}", Function.Key);
                    }

                    FreeLibrary(hCorrespondingLib);
                }

                // Recorded even when CheckedFunctions is empty.
                // NOTE(review): if ImportTable is a Dictionary, a module name already present from an
                // earlier call makes Add throw — confirm the member's type and lifetime.
                ImportTable.Add(IDLL.ModuleName, CheckedFunctions);
            }

            return(SelectedModules.Count);
        }
コード例 #2
        /// <summary>
        /// Builds a randomized import list: loads every <c>.dll</c> file found in <c>ImportDirectory</c>,
        /// enumerates each module's named exports, picks a random subset of modules and a random
        /// subset of functions per module, and stores in <c>ImportTable</c> the function names that
        /// also resolve via <c>LoadLibraryA</c>/<c>GetProcAddress</c> and pass <c>IsBlacklisted</c>.
        /// </summary>
        /// <remarks>
        /// NOTE(review): module and function selection is random, so the recorded import list differs
        /// from run to run; presumably that is the purpose. Confirm against the consumer of
        /// <c>ImportTable</c>, which is not visible here.
        /// NOTE(review): the native helpers (<c>LoadLibraryEx</c>, <c>LoadLibraryA</c>,
        /// <c>GetProcAddress</c>, <c>FreeLibrary</c>) are declared elsewhere and are presumably the
        /// kernel32 P/Invokes. If so, every file in <c>ImportDirectory</c> is mapped into this process,
        /// so that directory must hold trusted content only.
        /// NOTE(review): <c>XP_DLLS</c> and <c>ImportTable</c> are members that this method appends to
        /// but never clears, and the handles returned by <c>LoadLibraryEx</c> are never released here.
        /// </remarks>
        /// <returns>The number of modules that were selected (<c>SelectedModules.Count</c>).</returns>
        public unsafe int RandomizeImportTable()
        {
            // Extension match is an exact, case-sensitive comparison: "FOO.DLL" is skipped.
            string[] xp_dll_paths = Directory.GetFiles(ImportDirectory).Where(file => Path.GetExtension(file) == ".dll").ToArray();

            for (int i = 0; i < xp_dll_paths.Length; i++)
            {
                ImportDLL xp_dll = new ImportDLL();
                // ImportDLL win8_dll = new ImportDLL();

                // xp
                xp_dll.ModulePath = xp_dll_paths[i];
                xp_dll.ModuleName = Path.GetFileNameWithoutExtension(xp_dll.ModulePath).ToUpper();
                // Flag 0x1 is DONT_RESOLVE_DLL_REFERENCES if this wraps kernel32!LoadLibraryEx (confirm):
                // the image is mapped without running DllMain or resolving its imports.
                // NOTE(review): the returned handle is not checked; a failed load (IntPtr.Zero) is stored
                // and later passed to Marshal.PtrToStructure in the export walk below.
                xp_dll.LoadedAddress = LoadLibraryEx(xp_dll.ModulePath, IntPtr.Zero, 0x1);
                xp_dll.Functions = new Dictionary<string, IntPtr>();
                XP_DLLS.Add(xp_dll);

                // win8
                //win8_dll.ModuleName = xp_dll.ModuleName;
                //win8_dll.ModulePath = Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.SystemX86), win8_dll.ModuleName);
                //win8_dll.LoadedAddress = LoadLibraryEx(win8_dll.ModulePath, IntPtr.Zero, 0x00000001);
                //win8_dll.Functions = new Dictionary<string, IntPtr>();
                //WIN8_DLLS.Add(win8_dll);
            }

            // walk exports to find functions to use
            // NOTE(review): the headers are read as IMAGE_NT_HEADERS32, so this assumes 32-bit images.
            // No signature or bounds validation is done on any header field or RVA read from the file,
            // and an image without an export directory (VirtualAddress == 0) is not skipped.
            foreach (ImportDLL IDLL in XP_DLLS)
            {
                IMAGE_DOS_HEADER pIDH = (IMAGE_DOS_HEADER)Marshal.PtrToStructure(IDLL.LoadedAddress, typeof(IMAGE_DOS_HEADER));
                IMAGE_NT_HEADERS32 pINH = (IMAGE_NT_HEADERS32)Marshal.PtrToStructure((IntPtr)(IDLL.LoadedAddress + pIDH.e_lfanew), typeof(IMAGE_NT_HEADERS32));
                IMAGE_DATA_DIRECTORY ExportDirectory = pINH.OptionalHeader.ExportTable;
                IMAGE_EXPORT_DIRECTORY pIED = (IMAGE_EXPORT_DIRECTORY)Marshal.PtrToStructure(((IntPtr)IDLL.LoadedAddress + (int)ExportDirectory.VirtualAddress), typeof(IMAGE_EXPORT_DIRECTORY));

                int NumberOfNamedFunctions = (int)pIED.NumberOfNames;

                // Only lpAddressOfNames is used below; the other two pointers are computed but never read.
                // (In the PE format the name-ordinal table holds 16-bit entries, so uint* would be the
                // wrong element type if it were ever dereferenced.)
                uint* lpAddressOfNames = (uint*)(IDLL.LoadedAddress + (int)pIED.AddressOfNames);
                uint* lpAddressOfFunctions = (uint*)(IDLL.LoadedAddress + (int)pIED.AddressOfFunctions);
                uint* lpAddressOfNameOrdinals = (uint*)(IDLL.LoadedAddress + (int)pIED.AddressOfNameOrdinals);

                for (int i = 0; i < NumberOfNamedFunctions; i++)
                {
                    // Each name-table entry is an RVA to an ANSI string holding the export name.
                    uint lpFuncNameRVA = lpAddressOfNames[i];
                    char* szFuncName = (char*)(IDLL.LoadedAddress + (int)lpFuncNameRVA);
                    string FuncName = Marshal.PtrToStringAnsi((IntPtr)szFuncName);

                    // Dictionary.Add throws ArgumentException on a repeated name and
                    // ArgumentNullException if FuncName is null.
                    IDLL.Functions.Add(FuncName, GetProcAddress(IDLL.LoadedAddress, FuncName));
                }
            }

            // generate random amount of modules of which to select the functions from
            // If Rand is a System.Random, the upper bound is exclusive, so this yields 2 or 3.
            int ModuleCount = Rand.Next(2, 4);

            List<ImportDLL> AllModules = new List<ImportDLL>();
            List<ImportDLL> SelectedModules = new List<ImportDLL>();

            foreach (ImportDLL IDLL in XP_DLLS)
                AllModules.Add(IDLL);

            // Base modules
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "KERNEL32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "USER32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "GDI32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "OLEAUT32").First());
            //SelectedModules.Add(XP_DLLS.Where(DLL => DLL.ModuleName == "MSVCRT").First());
            // Randomize modules
            // Shuffle by sorting on a random key, then keep the first ModuleCount entries
            // (fewer if XP_DLLS holds fewer modules).
            SelectedModules.AddRange(AllModules.OrderBy(x => Rand.Next()).Take(ModuleCount).ToList());

            // Remove any overlapping modules
            // With the base-module lines above commented out, this only matters if XP_DLLS itself
            // contains equal entries; the second statement reshuffles the result.
            SelectedModules = SelectedModules.Distinct().ToList();
            SelectedModules = SelectedModules.OrderBy(x => Rand.Next()).ToList();

            // ensure compatibility of each imported module function
            foreach (ImportDLL IDLL in SelectedModules)
            {
                int NumberOfFunctions = Rand.Next(60, 90); // IDLL.Functions.Count; // Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 12);

                //if (NumberOfFunctions < 50)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 4, IDLL.Functions.Count / 2);
                //else if (NumberOfFunctions > 50 && NumberOfFunctions < 100)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);
                //else if (NumberOfFunctions > 100 && NumberOfFunctions < 200)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 12, IDLL.Functions.Count / 4);
                //else if (NumberOfFunctions > 200 && NumberOfFunctions < 400)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 16, IDLL.Functions.Count / 8);
                //else if (NumberOfFunctions > 400)
                //    NumberOfFunctions = Rand.Next(IDLL.Functions.Count / 8, IDLL.Functions.Count / 4);

                //if (NumberOfFunctions == 0)
                //    NumberOfFunctions += 1;

                // Take() caps the selection at the number of exports the module actually has.
                var SelectedFunctions = IDLL.Functions.OrderBy(x => Rand.Next()).Take(NumberOfFunctions);
                List<string> CheckedFunctions = new List<string>();

                foreach (var Function in SelectedFunctions)
                {
                    // The module is loaded by bare name here, not by ModulePath, so the loader's search
                    // order decides which copy is used (presumably the host system's DLL — confirm).
                    // NOTE(review): unlike the 0x1 load above, this is a normal load; the handle is not
                    // checked for IntPtr.Zero, and the load/free pair is repeated for every function
                    // although the module does not change inside this loop.
                    IntPtr hCorrespondingLib = LoadLibraryA(IDLL.ModuleName);
                    IntPtr pFuncCheck = GetProcAddress(hCorrespondingLib, Function.Key);

                    // `null != pFuncCheck` is always true for the IntPtr value type; the effective tests
                    // are the IntPtr.Zero comparison and the IsBlacklisted filter.
                    if (null != pFuncCheck && pFuncCheck != IntPtr.Zero && !IsBlacklisted(Function.Key))
                        CheckedFunctions.Add(Function.Key);
                    else
                        Console.WriteLine("bad function {0}", Function.Key);

                    FreeLibrary(hCorrespondingLib);
                }

                // Recorded even when CheckedFunctions is empty.
                // NOTE(review): if ImportTable is a Dictionary, a module name already present from an
                // earlier call makes Add throw — confirm the member's type and lifetime.
                ImportTable.Add(IDLL.ModuleName, CheckedFunctions);
            }

            return SelectedModules.Count;
        }