static void Main(string[] args) { var asmDef = AssemblyDef.Load(args[0]); var method = asmDef.ManifestModule.EntryPoint.DeclaringType.FindMethod("Foo"); var asmResolver = new AssemblyResolver(); var modCtx = new ModuleContext(asmResolver); var ast = new ILAST(method, modCtx); Console.WriteLine("-------------------------------"); Console.WriteLine(" Standard AST"); Console.WriteLine("-------------------------------"); foreach (Element element in ast.Elements) Console.WriteLine("{0}: {1}", element.GetType().Name, element); ILAST.SimplifyElements(ast.Elements); Console.WriteLine("\n-------------------------------"); Console.WriteLine(" Simplified AST"); Console.WriteLine("-------------------------------"); foreach (Element element in ast.Elements) Console.WriteLine("{0}: {1}", element.GetType().Name, element); Console.WriteLine(asmDef); }
public IObfuscatedFile SearchDeobfuscator(string filename) { ModuleContext context = new ModuleContext(); ObfuscatedFile.Options fileOptions = new ObfuscatedFile.Options { Filename = filename }; ObfuscatedFile ofile = CreateObfuscationFile(fileOptions, context); return ofile; }
public ILAST(MethodDef method, ModuleContext modCtx) { Method = method; Method.DeclaringType.Module.Context = modCtx; Elements = new List<Element>(); ProcessMethod(); }
public dnModule(byte[] module, string fileName, ModuleContext ctx) { RawData = module; ErrorMessage = null; Name = Path.GetFileName(fileName); var creator = new dnModuleStreamCreator(module, fileName); try { Image = new PEImage(creator, ImageLayout.File, true); } catch (Exception ex) { ErrorMessage += string.Format("Error while loading PE Image:{0}{1}{0}{0}", Environment.NewLine, ex); Image = null; return; } try { MetaData = MetaDataCreator.CreateMetaData(Image); } catch (Exception ex) { ErrorMessage += string.Format("Error while loading MetaData:{0}{1}{0}{0}", Environment.NewLine, ex); MetaData = null; return; } try { ModuleDef = (ModuleDefMD)loadInternal.Invoke(null, new object[] { MetaData, new ModuleCreationOptions { TryToLoadPdbFromDisk = true, Context = ctx } }); ModuleDef.EnableTypeDefFindCache = true; } catch (Exception ex) { ErrorMessage = string.Format("Error while loading ModuleDef:{0}{1}{0}{0}", Environment.NewLine, ex); ModuleDef = null; return; } if (ModuleDef.Assembly != null) Name = ModuleDef.Assembly.Name; else Name = ModuleDef.Name; if (string.IsNullOrEmpty(Name)) Name = Path.GetFileName(fileName); }
public FileSystemPath Execute(IAssemblyFile existingAssemblyFile, string newFileName, IProgressIndicator progressIndicator) { var context = new ModuleContext(); var fileOptions = new ObfuscatedFile.Options { Filename = existingAssemblyFile.Location.FullPath, NewFilename = newFileName, }; IObfuscatedFile obfuscationFile = CreateObfuscationFile(fileOptions, context); return Deobfuscate(obfuscationFile, progressIndicator); }
public ObfuscatedFile(Options options, ModuleContext moduleContext, IAssemblyClientFactory assemblyClientFactory, MemoryStream ms) { this.assemblyClientFactory = assemblyClientFactory; this.options = options; userStringDecrypterMethods = options.StringDecrypterMethods.Count > 0; options.Filename = Utils.getFullPath(options.Filename); assemblyModule = new AssemblyModule(options.Filename, moduleContext, ms); if (options.NewFilename == null) options.NewFilename = getDefaultNewFilename(); if (string.Equals(options.Filename, options.NewFilename, StringComparison.OrdinalIgnoreCase)) throw new UserException(string.Format("filename is same as new filename! ({0})", options.Filename)); }
public ObfuscatedFile CreateObfuscationFile(ObfuscatedFile.Options fileOptions, ModuleContext moduleContext) { ObfuscatedFile ofile = new ObfuscatedFile(fileOptions, moduleContext, new NewAppDomainAssemblyClientFactory()); ofile.DeobfuscatorContext = new DeobfuscatorContext(); try { ofile.Load(CreateDeobfuscatorInfos().Select(di => di.CreateDeobfuscator()).ToList()); } catch (Exception ex) { MessageBox.Show(ex.Message); return null; } return ofile; }
public static IObfuscatedFile SearchDeobfuscator(string filename) { TheAssemblyResolver.Instance.ClearAll(); var fileOptions = new ObfuscatedFile.Options { Filename = filename }; var moduleContext = new ModuleContext(TheAssemblyResolver.Instance); var ofile = new ObfuscatedFile(fileOptions, moduleContext, new NewAppDomainAssemblyClientFactory()) { DeobfuscatorContext = new DeobfuscatorContext(), }; try { ofile.Load(CreateDeobfuscatorInfos().Select(di => di.CreateDeobfuscator()).ToList()); } catch (Exception) { return null; } return ofile; }
public Options() { ModuleContext = new ModuleContext(TheAssemblyResolver.Instance); DeobfuscatorInfos = new List<IDeobfuscatorInfo>(); Files = new List<IObfuscatedFile>(); SearchDirs = new List<SearchDir>(); DefaultStringDecrypterMethods = new List<string>(); RenamerFlags = RenamerFlags.RenameNamespaces | RenamerFlags.RenameTypes | RenamerFlags.RenameProperties | RenamerFlags.RenameEvents | RenamerFlags.RenameFields | RenamerFlags.RenameMethods | RenamerFlags.RenameMethodArgs | RenamerFlags.RenameGenericParams | RenamerFlags.RestorePropertiesFromNames | RenamerFlags.RestoreEventsFromNames | RenamerFlags.RestoreProperties | RenamerFlags.RestoreEvents; RenameSymbols = true; ControlFlowDeobfuscation = true; }
/// <summary> /// Finds an assembly that exactly matches the requested assembly /// </summary> /// <param name="assembly">Assembly to find</param> /// <param name="paths">Search paths or <c>null</c> if none</param> /// <param name="moduleContext">Module context</param> /// <returns>An <see cref="AssemblyDef"/> instance or <c>null</c> if an exact match /// couldn't be found.</returns> AssemblyDef FindExactAssembly(IAssembly assembly, IEnumerable <string> paths, ModuleContext moduleContext) { if (paths == null) { return(null); } var asmComparer = AssemblyNameComparer.CompareAll; foreach (var path in paths.GetSafeEnumerable()) { ModuleDefMD mod = null; try { mod = ModuleDefMD.Load(path, moduleContext); var asm = mod.Assembly; if (!asm.HasPublicKey && asm.Name == "mscorlib") { asm.PublicKey = new PublicKey(new byte[] { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }); } if (asm != null && asmComparer.Equals(assembly, asm)) { mod = null; return(asm); } } catch { } finally { if (mod != null) { mod.Dispose(); } } } return(null); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance /// </summary> /// <param name="peImage">PE image</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(IPEImage peImage, ModuleContext context) { return Load(MetaDataCreator.Load(peImage), new ModuleCreationOptions(context)); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a stream /// </summary> /// <remarks>This will read all bytes from the stream and call <see cref="Load(byte[],ModuleContext)"/>. /// It's better to use one of the other Load() methods.</remarks> /// <param name="stream">The stream (owned by caller)</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> /// <exception cref="ArgumentNullException">If <paramref name="stream"/> is <c>null</c></exception> public static ModuleDefMD Load(Stream stream, ModuleContext context) { return Load(stream, new ModuleCreationOptions(context)); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a reflection module /// </summary> /// <param name="mod">An existing reflection module</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(System.Reflection.Module mod, ModuleContext context) { return Load(mod, new ModuleCreationOptions(context), GetImageLayout(mod)); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a byte[] /// </summary> /// <param name="data">Contents of a .NET module/assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(byte[] data, ModuleContext context) { return Load(data, new ModuleCreationOptions(context)); }
/// <summary> /// Constructor /// </summary> /// <param name="defaultModuleContext">Module context for all resolved assemblies</param> public AssemblyResolver(ModuleContext defaultModuleContext) : this(defaultModuleContext, true) { }
AssemblyDef FindClosestAssembly(IAssembly assembly, AssemblyDef closest, IEnumerable <string> paths, ModuleContext moduleContext) { if (paths == null) { return(closest); } var asmComparer = new AssemblyNameComparer(AssemblyNameComparerFlags.All); foreach (var path in paths.GetSafeEnumerable()) { ModuleDefMD mod = null; try { mod = ModuleDefMD.Load(path, moduleContext); var asm = mod.Assembly; if (asm != null && asmComparer.CompareClosest(assembly, closest, asm) == 1) { if (!IsCached(closest) && closest != null) { var closeMod = closest.ManifestModule; if (closeMod != null) { closeMod.Dispose(); } } closest = asm; mod = null; } } catch { } finally { if (mod != null) { mod.Dispose(); } } } return(closest); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a stream /// </summary> /// <remarks>This will read all bytes from the stream and call <see cref="Load(byte[],ModuleContext)"/>. /// It's better to use one of the other Load() methods.</remarks> /// <param name="stream">The stream (owned by caller)</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> /// <exception cref="ArgumentNullException">If <paramref name="stream"/> is <c>null</c></exception> public static ModuleDefMD Load(Stream stream, ModuleContext context) { if (stream == null) throw new ArgumentNullException("stream"); if (stream.Length > int.MaxValue) throw new ArgumentException("Stream is too big"); var data = new byte[(int)stream.Length]; stream.Position = 0; if (stream.Read(data, 0, data.Length) != data.Length) throw new IOException("Could not read all bytes from the stream"); return Load(data, context); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a <see cref="DotNetFile"/> /// </summary> /// <param name="dnFile">The loaded .NET file</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance that now owns <paramref name="dnFile"/></returns> public static ModuleDefMD Load(DotNetFile dnFile, ModuleContext context) { return new ModuleDefMD(dnFile, context); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a reflection module /// </summary> /// <param name="mod">An existing reflection module</param> /// <param name="context">Module context or <c>null</c></param> /// <param name="imageLayout">Image layout of the module in memory</param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(System.Reflection.Module mod, ModuleContext context, ImageLayout imageLayout) { IntPtr addr = Marshal.GetHINSTANCE(mod); if (addr == new IntPtr(-1)) throw new InvalidOperationException(string.Format("Module {0} has no HINSTANCE", mod)); return Load(addr, context, imageLayout); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a memory location /// </summary> /// <param name="addr">Address of a .NET module/assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <param name="imageLayout">Image layout of the file in memory</param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(IntPtr addr, ModuleContext context, ImageLayout imageLayout) { DotNetFile dnFile = null; try { return Load(dnFile = DotNetFile.Load(addr, imageLayout), context); } catch { if (dnFile != null) dnFile.Dispose(); throw; } }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a reflection module /// </summary> /// <param name="mod">An existing reflection module</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(System.Reflection.Module mod, ModuleContext context) { return Load(mod, context, GetImageLayout(mod)); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a byte[] /// </summary> /// <param name="data">Contents of a .NET module/assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(byte[] data, ModuleContext context) { DotNetFile dnFile = null; try { return Load(dnFile = DotNetFile.Load(data), context); } catch { if (dnFile != null) dnFile.Dispose(); throw; } }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a file /// </summary> /// <param name="fileName">File name of an existing .NET module/assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(string fileName, ModuleContext context) { DotNetFile dnFile = null; try { return Load(dnFile = DotNetFile.Load(fileName), context); } catch { if (dnFile != null) dnFile.Dispose(); throw; } }
public AssemblyModule(string filename, ModuleContext moduleContext) { this.filename = Utils.GetFullPath(filename); this.moduleContext = moduleContext; }
/// <summary> /// Constructor /// </summary> /// <param name="dnFile">The loaded .NET file</param> /// <param name="context">Module context or <c>null</c></param> /// <exception cref="ArgumentNullException">If <paramref name="dnFile"/> is <c>null</c></exception> ModuleDefMD(DotNetFile dnFile, ModuleContext context) : base(null, 1) { #if DEBUG if (dnFile == null) throw new ArgumentNullException("dnFile"); #endif this.dnFile = dnFile; this.context = context; Initialize(); this.Kind = GetKind(); this.Characteristics = MetaData.PEImage.ImageNTHeaders.FileHeader.Characteristics; this.DllCharacteristics = MetaData.PEImage.ImageNTHeaders.OptionalHeader.DllCharacteristics; this.RuntimeVersion = MetaData.VersionString; this.Machine = MetaData.PEImage.ImageNTHeaders.FileHeader.Machine; this.Cor20HeaderFlags = MetaData.ImageCor20Header.Flags; this.Cor20HeaderRuntimeVersion = (uint)(MetaData.ImageCor20Header.MajorRuntimeVersion << 16) | MetaData.ImageCor20Header.MinorRuntimeVersion; this.TablesHeaderVersion = MetaData.TablesStream.Version; }
private IObfuscatedFile UpdateObfuscationFileWithOptions(De4dotWrapper de4Dot, string location, string newFile) { ObfuscatedFile.Options options = new ObfuscatedFile.Options(); options.ControlFlowDeobfuscation = this.EnableControlFlowDeobfuscation; options.NewFilename = newFile; options.KeepObfuscatorTypes = this.KeepObfuscatorClasses; options.Filename = location; var context = new ModuleContext(); ObfuscatedFile result = de4Dot.CreateObfuscationFile(options, context); return result; }
/// <summary> /// Creates an <see cref="AssemblyDef"/> instance from a file /// </summary> /// <param name="fileName">File name of an existing .NET assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="AssemblyDef"/> instance</returns> /// <exception cref="ArgumentNullException">If <paramref name="fileName"/> is <c>null</c></exception> /// <exception cref="BadImageFormatException">If it's not a .NET assembly (eg. not a .NET file or only a .NET module)</exception> public static AssemblyDef Load(string fileName, ModuleContext context) { return Load(fileName, new ModuleCreationOptions(context)); }
/// <summary> /// Finds an assembly that exactly matches the requested assembly /// </summary> /// <param name="assembly">Assembly name to find</param> /// <param name="paths">Search paths or <c>null</c> if none</param> /// <param name="moduleContext">Module context</param> /// <returns>An <see cref="AssemblyDef"/> instance or <c>null</c> if an exact match /// couldn't be found.</returns> AssemblyDef FindExactAssembly(IAssembly assembly, IEnumerable <string> paths, ModuleContext moduleContext) { if (paths == null) { return(null); } var asmComparer = new AssemblyNameComparer(AssemblyNameComparerFlags.All); foreach (var path in paths.GetSafeEnumerable()) { ModuleDefMD mod = null; try { mod = ModuleDefMD.Load(path, moduleContext); var asm = mod.Assembly; if (asm != null && asmComparer.Equals(assembly, asm)) { mod = null; return(asm); } } catch { } finally { if (mod != null) { mod.Dispose(); } } } return(null); }
/// <summary> /// Creates an <see cref="AssemblyDef"/> instance from a memory location /// </summary> /// <param name="addr">Address of a .NET assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="AssemblyDef"/> instance</returns> /// <exception cref="ArgumentNullException">If <paramref name="addr"/> is <c>null</c></exception> /// <exception cref="BadImageFormatException">If it's not a .NET assembly (eg. not a .NET file or only a .NET module)</exception> public static AssemblyDef Load(IntPtr addr, ModuleContext context) { return Load(addr, new ModuleCreationOptions(context)); }
/// <summary> /// Constructor /// </summary> /// <param name="context">Module context</param> public ModuleCreationOptions(ModuleContext context) { this.Context = context; }
/// <summary> /// Constructor /// </summary> /// <param name="context">Module context</param> public ModuleCreationOptions(ModuleContext context) => Context = context;
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a file /// </summary> /// <param name="fileName">File name of an existing .NET module/assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(string fileName, ModuleContext context) { return Load(fileName, new ModuleCreationOptions(context)); }
/// <summary> /// Finds an assembly that exactly matches the requested assembly /// </summary> /// <param name="assembly">Assembly name to find</param> /// <param name="paths">Search paths or <c>null</c> if none</param> /// <param name="moduleContext">Module context</param> /// <returns>An <see cref="AssemblyDef"/> instance or <c>null</c> if an exact match /// couldn't be found.</returns> AssemblyDef FindExactAssembly(AssemblyNameInfo assembly, IEnumerable<string> paths, ModuleContext moduleContext) { if (paths == null) return null; var asmComparer = new AssemblyNameComparer(AssemblyNameComparerFlags.All); foreach (var path in paths) { ModuleDefMD mod = null; try { mod = ModuleDefMD.Load(path, moduleContext); var asm = mod.Assembly; if (asm != null && asmComparer.Equals(assembly, new AssemblyNameInfo(asm))) { mod = null; return asm; } } catch { } finally { if (mod != null) mod.Dispose(); } } return null; }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a reflection module /// </summary> /// <param name="mod">An existing reflection module</param> /// <param name="context">Module context or <c>null</c></param> /// <param name="imageLayout">Image layout of the module in memory</param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(System.Reflection.Module mod, ModuleContext context, ImageLayout imageLayout) { return Load(mod, new ModuleCreationOptions(context), imageLayout); }
/// <summary> /// Creates a <see cref="ModuleDefMD"/> instance from a memory location /// </summary> /// <param name="addr">Address of a .NET module/assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <param name="imageLayout">Image layout of the file in memory</param> /// <returns>A new <see cref="ModuleDefMD"/> instance</returns> public static ModuleDefMD Load(IntPtr addr, ModuleContext context, ImageLayout imageLayout) { return Load(MetaDataCreator.Load(addr, imageLayout), new ModuleCreationOptions(context)); }
/// <summary> /// Constructor /// </summary> /// <param name="defaultModuleContext">Module context for all resolved assemblies</param> /// <param name="addOtherSearchPaths">If <c>true</c>, add other common assembly search /// paths, not just the module search paths and the GAC.</param> public AssemblyResolver(ModuleContext defaultModuleContext, bool addOtherSearchPaths) { this.defaultModuleContext = defaultModuleContext; if (addOtherSearchPaths) AddOtherSearchPaths(postSearchPaths); }
static List<AssemblyDef> LoadAssemblies(string target) { AssemblyResolver asmResolver = new AssemblyResolver(); ModuleContext modCtx = new ModuleContext(asmResolver); asmResolver.DefaultModuleContext = modCtx; asmResolver.EnableTypeDefCache = true; var directory = Path.GetFullPath(Path.GetDirectoryName(target)); asmResolver.PreSearchPaths.Add(directory); List<AssemblyDef> assemblies = new List<AssemblyDef>(); foreach (var asm in Directory.GetFiles(directory, "*.*") .Where(f=>Path.GetExtension(f.ToLower()) == ".exe" || Path.GetExtension(f.ToLower())==".dll")) { try { var def = AssemblyDef.Load(asm); def.Modules[0].Context = modCtx; asmResolver.AddToCache(def); assemblies.Add(def); } catch { //Ignore } } return assemblies; }
/// <summary> /// Constructor /// </summary> /// <param name="context">Module context</param> public ModuleCreationOptions(ModuleContext context) { this.Context = context; this.PdbImplementation = PdbImplType.Default; this.TryToLoadPdbFromDisk = true; }
/// <summary> /// Creates an <see cref="AssemblyDef"/> instance from a byte[] /// </summary> /// <param name="data">Contents of a .NET assembly</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="AssemblyDef"/> instance</returns> /// <exception cref="ArgumentNullException">If <paramref name="data"/> is <c>null</c></exception> /// <exception cref="BadImageFormatException">If it's not a .NET assembly (eg. not a .NET file or only a .NET module)</exception> public static AssemblyDef Load(byte[] data, ModuleContext context) { return Load(data, new ModuleCreationOptions(context)); }
/// <summary> /// Constructor /// </summary> /// <param name="context">Module context</param> public ModuleCreationOptions(ModuleContext context) { this.Context = context; this.PdbImplementation = PdbImplType.Default; }
/// <summary> /// Creates an <see cref="AssemblyDef"/> instance from a stream /// </summary> /// <remarks>This will read all bytes from the stream and call <see cref="Load(byte[],ModuleContext)"/>. /// It's better to use one of the other Load() methods.</remarks> /// <param name="stream">The stream</param> /// <param name="context">Module context or <c>null</c></param> /// <returns>A new <see cref="AssemblyDef"/> instance</returns> /// <exception cref="ArgumentNullException">If <paramref name="stream"/> is <c>null</c></exception> /// <exception cref="BadImageFormatException">If it's not a .NET assembly (eg. not a .NET file or only a .NET module)</exception> public static AssemblyDef Load(Stream stream, ModuleContext context) { return Load(stream, new ModuleCreationOptions(context)); }
AssemblyDef FindClosestAssembly(AssemblyNameInfo assembly, AssemblyDef closest, IEnumerable<string> paths, ModuleContext moduleContext) { if (paths == null) return closest; var asmComparer = new AssemblyNameComparer(AssemblyNameComparerFlags.All); foreach (var path in paths) { ModuleDefMD mod = null; try { mod = ModuleDefMD.Load(path, moduleContext); var asm = mod.Assembly; if (asm != null && asmComparer.CompareClosest(assembly, new AssemblyNameInfo(closest), new AssemblyNameInfo(asm)) == 1) { if (!IsCached(closest) && closest != null && closest.ManifestModule != null) closest.ManifestModule.Dispose(); closest = asm; mod = null; } } catch { } finally { if (mod != null) mod.Dispose(); } } return closest; }