public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
string TlsCallbackInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");
int sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
int size_junk_added = 0;
string[] tls = TlsCallbackInc.ReadLines();
for (int i = 0; i < tls.Length; i++)
{
if (tls[i].Contains(";[JUNK_NO_PRESERVE]"))
{
int len_trash = Rand.Next(0x100, 0x200);
byte[] trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
size_junk_added += trash_buffer.Length;
tls[i] = trash_buffer.ToASMBuffer();
trash_buffer = new byte[0];
GC.Collect();
}
if (tls[i].Contains(";[JUNK_FUNCS]"))
{
int xx = Rand.Next(3 * Multiplier, 5 * Multiplier);
for (int jj = 0; jj < xx; jj++)
{
int func_len = Rand.Next(0x100, 0x120);
byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x1000);
tls[i] = string.Concat(tls[i], Environment.NewLine, func_buffer.ToASMBuffer(), Environment.NewLine);
}
}
}
if (File.Exists(TlsCallbackInc))
{
File.Delete(TlsCallbackInc);
}
TlsCallbackInc.WriteLines(tls);
sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
JCI.SIZE_TLS_CALLBACK = sizeOfTLS + 3; // prologue;
string AddrPayloadInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
string Format = "PAYLOAD_ADDRESS EQU 0x{0}";
Format = string.Format(Format, (JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS).ToString("X8"));
File.WriteAllText(AddrPayloadInc, Format);
GC.Collect();
}
public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
string TxtSect = PE.PeDirectory.TextSectionPath.ReadText();
int size_pre_ep = 0;
int size_ep = 0;
int size_post_ep = 0;
int pre_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
int post_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
// pre - ep
for (int i = 0; i < pre_ep_func_cnt; i++)
{
int index_of = TxtSect.IndexOf(";[PRE_EP_FUNCTIONS]");
if (index_of > -1)
{
int func_len = Rand.Next(0x120, 0x200);
byte[] func_buffer;
if (Rand.NextDouble() >= 0.5)
func_buffer = new DataConstructor().GenData(func_len, func_len);
else
func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
// GenerateLogicalFunction(func_len, 0, 0, 0, 0);//GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
// Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));
// pad entropy with zeros after func
//int pad_len = Rand.Next(0x10, 0x25);
//Array.Resize(ref func_buffer, func_buffer.Length + pad_len);
TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
size_pre_ep += func_buffer.Length;
}
}
JCI.SIZE_PRE_EP_FUNCTIONS = size_pre_ep;
// ep -
{
int index_of = TxtSect.IndexOf(";[EP_FUNCTION]");
if (index_of > -1)
{
int func_len = Rand.Next(0x120, 0x140); // const
byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
// pad entropy with zeros after func
//int pad_len = Rand.Next(0x10, 0x25);
//Array.Resize(ref func_buffer, func_buffer.Length + pad_len);
TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
size_ep += func_buffer.Length;
}
}
JCI.SIZE_EP_FUNCTION = size_ep;
//// post - ep
for (int i = 0; i < post_ep_func_cnt; i++)
{
int index_of = TxtSect.IndexOf(";[POST_EP_FUNCTIONS]");
if (index_of > -1)
{
int func_len = Rand.Next(0x120, 0x200);
byte[] func_buffer;
if (Rand.NextDouble() >= 0.5)
func_buffer = new DataConstructor().GenData(func_len, func_len);
else
func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
// Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));
// pad entropy with zeros after func
//int pad_len = Rand.Next(0x10, 0x25);
//Array.Resize(ref func_buffer, func_buffer.Length + pad_len);
TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
size_post_ep += func_buffer.Length;
}
}
JCI.SIZE_POST_EP_FUNCTIONS = size_post_ep;
// PAD ENTROPY
//int size_of_entropy_pad = 0x200; ;// ALIGN_UP(Rand.Next(0x200, 0x1000), (int)PE.NtHeader.OptionalHeader.FileAlignment);
//byte[] zero_fill = new byte[0x1000];
//string path_inc = Path.Combine(PE.PeDirectory.IncludeDirectory, "zerofill.bin");
//path_inc.WriteFile(zero_fill);
// JCI.SIZE_ENTROPY_PAD = (size_of_entropy_pad * 2);
if (File.Exists(PE.PeDirectory.TextSectionPath))
File.Delete(PE.PeDirectory.TextSectionPath);
PE.PeDirectory.TextSectionPath.WriteText(TxtSect, StringEncoding.ASCII);
GC.Collect();
}
public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
string TlsCallbackInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");
int sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
int size_junk_added = 0;
string[] tls = TlsCallbackInc.ReadLines();
for (int i = 0; i < tls.Length; i++)
{
if (tls[i].Contains(";[JUNK_NO_PRESERVE]"))
{
int len_trash = Rand.Next(0x100, 0x200);
byte[] trash_buffer = GenerateLogicalTrash(len_trash, 0, 0, 0, 0);
size_junk_added += trash_buffer.Length;
tls[i] = trash_buffer.ToASMBuffer();
trash_buffer = new byte[0];
GC.Collect();
}
if (tls[i].Contains(";[JUNK_FUNCS]"))
{
int xx = Rand.Next(3 * Multiplier, 5 * Multiplier);
for (int jj = 0; jj < xx; jj++)
{
int func_len = Rand.Next(0x100, 0x120);
byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x1000);
tls[i] = string.Concat(tls[i], Environment.NewLine, func_buffer.ToASMBuffer(), Environment.NewLine);
}
}
}
if (File.Exists(TlsCallbackInc))
File.Delete(TlsCallbackInc);
TlsCallbackInc.WriteLines(tls);
sizeOfTLS = PEFactory.ComputeArbitrarySize(TlsCallbackInc, PE);
JCI.SIZE_TLS_CALLBACK = sizeOfTLS + 3; // prologue;
string AddrPayloadInc = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
string Format = "PAYLOAD_ADDRESS EQU 0x{0}";
Format = string.Format(Format, (JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS).ToString("X8"));
File.WriteAllText(AddrPayloadInc, Format);
GC.Collect();
}
public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
string TxtSect = PE.PeDirectory.TextSectionPath.ReadText();
int size_pre_ep = 0;
int size_ep = 0;
int size_post_ep = 0;
int pre_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
int post_ep_func_cnt = Rand.Next(5 * Multiplier, 10 * Multiplier);
// pre - ep
for (int i = 0; i < pre_ep_func_cnt; i++)
{
int index_of = TxtSect.IndexOf(";[PRE_EP_FUNCTIONS]");
if (index_of > -1)
{
int func_len = Rand.Next(0x120, 0x200);
byte[] func_buffer;
if (Rand.NextDouble() >= 0.5)
{
func_buffer = new DataConstructor().GenData(func_len, func_len);
}
else
{
func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
}
// GenerateLogicalFunction(func_len, 0, 0, 0, 0);//GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
// Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));
// pad entropy with zeros after func
//int pad_len = Rand.Next(0x10, 0x25);
//Array.Resize(ref func_buffer, func_buffer.Length + pad_len);
TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
size_pre_ep += func_buffer.Length;
}
}
JCI.SIZE_PRE_EP_FUNCTIONS = size_pre_ep;
// ep -
{
int index_of = TxtSect.IndexOf(";[EP_FUNCTION]");
if (index_of > -1)
{
int func_len = Rand.Next(0x120, 0x140); // const
byte[] func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
// pad entropy with zeros after func
//int pad_len = Rand.Next(0x10, 0x25);
//Array.Resize(ref func_buffer, func_buffer.Length + pad_len);
TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
size_ep += func_buffer.Length;
}
}
JCI.SIZE_EP_FUNCTION = size_ep;
//// post - ep
for (int i = 0; i < post_ep_func_cnt; i++)
{
int index_of = TxtSect.IndexOf(";[POST_EP_FUNCTIONS]");
if (index_of > -1)
{
int func_len = Rand.Next(0x120, 0x200);
byte[] func_buffer;
if (Rand.NextDouble() >= 0.5)
{
func_buffer = new DataConstructor().GenData(func_len, func_len);
}
else
{
func_buffer = GenerateLogicalFunction(func_len, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
}
// Console.WriteLine("Entropy Func: {0}", calc_entropy(func_buffer));
// pad entropy with zeros after func
//int pad_len = Rand.Next(0x10, 0x25);
//Array.Resize(ref func_buffer, func_buffer.Length + pad_len);
TxtSect = TxtSect.Insert(index_of, func_buffer.ToASMBuffer() + Environment.NewLine);
size_post_ep += func_buffer.Length;
}
}
JCI.SIZE_POST_EP_FUNCTIONS = size_post_ep;
// PAD ENTROPY
//int size_of_entropy_pad = 0x200; ;// ALIGN_UP(Rand.Next(0x200, 0x1000), (int)PE.NtHeader.OptionalHeader.FileAlignment);
//byte[] zero_fill = new byte[0x1000];
//string path_inc = Path.Combine(PE.PeDirectory.IncludeDirectory, "zerofill.bin");
//path_inc.WriteFile(zero_fill);
// JCI.SIZE_ENTROPY_PAD = (size_of_entropy_pad * 2);
if (File.Exists(PE.PeDirectory.TextSectionPath))
{
File.Delete(PE.PeDirectory.TextSectionPath);
}
PE.PeDirectory.TextSectionPath.WriteText(TxtSect, StringEncoding.ASCII);
GC.Collect();
}
