/// <summary>
/// Expands the placeholder markers in <c>tls_callback.inc</c> with generated filler,
/// stores the resulting TLS callback size in <paramref name="JCI"/>, and writes
/// <c>payload_address.inc</c>.
/// </summary>
/// <param name="PE">Supplies <c>PeDirectory.IncludeDirectory</c> and is passed to <c>PEFactory.ComputeArbitrarySize</c>.</param>
/// <param name="JCI">
/// Receives <c>SIZE_TLS_CALLBACK</c>. The pre-EP, EP and post-EP sizes are only read here,
/// so they must already hold their final values when this method runs.
/// </param>
/// <param name="Multiplier">Scales the bounds passed to <c>Rand.Next</c> for the number of generated functions.</param>
/// <remarks>
/// A line containing <c>;[JUNK_NO_PRESERVE]</c> is replaced entirely, so that marker does not
/// survive in the rewritten include file. A line containing <c>;[JUNK_FUNCS]</c> is kept and
/// generated text is appended to it. Lengths and counts come from <c>Rand</c> on every call, so
/// the size of the callback and the value written to <c>payload_address.inc</c> are not expected
/// to be stable between runs; analysis that relies on fixed offsets into this region should
/// account for that.
/// </remarks>
public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string callbackPath = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");

    // The value is overwritten after the rewrite; the call is kept because the helper's
    // side effects are not visible from this block.
    int callbackSize = PEFactory.ComputeArbitrarySize(callbackPath, PE);

    // Running total of replaced filler bytes; nothing in this method reads it back.
    int fillerBytes = 0;

    string[] lines = callbackPath.ReadLines();
    for (int row = 0; row < lines.Length; row++)
    {
        if (lines[row].Contains(";[JUNK_NO_PRESERVE]"))
        {
            int fillerLength = Rand.Next(0x100, 0x200);
            byte[] filler = GenerateLogicalTrash(fillerLength, 0, 0, 0, 0);
            fillerBytes += filler.Length;
            lines[row] = filler.ToASMBuffer();
            filler = new byte[0];
            GC.Collect();
        }

        // Tested against the line as it stands now, i.e. after any replacement above.
        if (!lines[row].Contains(";[JUNK_FUNCS]"))
        {
            continue;
        }

        int routineCount = Rand.Next(3 * Multiplier, 5 * Multiplier);
        for (int n = 0; n < routineCount; n++)
        {
            int routineLength = Rand.Next(0x100, 0x120);
            byte[] routine = GenerateLogicalFunction(routineLength, 0, 1, IMAGE_BASE + 0x1000, 0x1000);
            lines[row] = lines[row] + Environment.NewLine + routine.ToASMBuffer() + Environment.NewLine;
        }
    }

    if (File.Exists(callbackPath))
    {
        File.Delete(callbackPath);
    }
    callbackPath.WriteLines(lines);

    // Re-measure the rewritten include; the extra 3 accounts for the prologue (per the original comment).
    callbackSize = PEFactory.ComputeArbitrarySize(callbackPath, PE);
    JCI.SIZE_TLS_CALLBACK = callbackSize + 3;

    // PAYLOAD_ADDRESS is the sum of the four recorded region sizes, written as 8 hex digits.
    string addressPath = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
    var regionTotal = JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS;
    string directive = string.Format("PAYLOAD_ADDRESS EQU 0x{0}", regionTotal.ToString("X8"));
    File.WriteAllText(addressPath, directive);
    GC.Collect();
}
/// <summary>
/// Inserts generated blocks in front of the <c>;[PRE_EP_FUNCTIONS]</c>, <c>;[EP_FUNCTION]</c>
/// and <c>;[POST_EP_FUNCTIONS]</c> markers of the text-section source and records the number
/// of bytes added for each region in <paramref name="JCI"/>.
/// </summary>
/// <param name="PE">Supplies <c>PeDirectory.TextSectionPath</c>, the file that is read and rewritten.</param>
/// <param name="JCI">Receives <c>SIZE_PRE_EP_FUNCTIONS</c>, <c>SIZE_EP_FUNCTION</c> and <c>SIZE_POST_EP_FUNCTIONS</c>.</param>
/// <param name="Multiplier">Scales the bounds passed to <c>Rand.Next</c> for the pre-EP and post-EP block counts.</param>
/// <remarks>
/// Content is inserted at the marker's index, so each marker stays in the text after the
/// inserted block. A region whose marker is absent is left untouched and its recorded size is 0.
/// Block counts, block lengths and the choice between <c>DataConstructor.GenData</c> and
/// <c>GenerateLogicalFunction</c> are all drawn from <c>Rand</c>, so the layout of the rewritten
/// section is not expected to repeat between runs. A zero-padding step present in earlier
/// revisions as commented-out code is not executed.
/// </remarks>
public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string section = PE.PeDirectory.TextSectionPath.ReadText();

    // Both counts are drawn before any block is generated, pre-EP first.
    int preCount = Rand.Next(5 * Multiplier, 10 * Multiplier);
    int postCount = Rand.Next(5 * Multiplier, 10 * Multiplier);

    // Region before the entry point.
    int preBytes = 0;
    for (int n = 0; n < preCount; n++)
    {
        int at = section.IndexOf(";[PRE_EP_FUNCTIONS]");
        if (at < 0)
        {
            continue;
        }

        int length = Rand.Next(0x120, 0x200);
        byte[] body;
        if (Rand.NextDouble() < 0.5)
        {
            body = GenerateLogicalFunction(length, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
        }
        else
        {
            body = new DataConstructor().GenData(length, length);
        }

        section = section.Insert(at, body.ToASMBuffer() + Environment.NewLine);
        preBytes += body.Length;
    }
    JCI.SIZE_PRE_EP_FUNCTIONS = preBytes;

    // Entry-point region: at most one block, always from GenerateLogicalFunction.
    int epBytes = 0;
    int epAt = section.IndexOf(";[EP_FUNCTION]");
    if (epAt > -1)
    {
        int epLength = Rand.Next(0x120, 0x140);
        byte[] epBody = GenerateLogicalFunction(epLength, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
        section = section.Insert(epAt, epBody.ToASMBuffer() + Environment.NewLine);
        epBytes += epBody.Length;
    }
    JCI.SIZE_EP_FUNCTION = epBytes;

    // Region after the entry point; same procedure as the pre-EP region.
    int postBytes = 0;
    for (int n = 0; n < postCount; n++)
    {
        int at = section.IndexOf(";[POST_EP_FUNCTIONS]");
        if (at < 0)
        {
            continue;
        }

        int length = Rand.Next(0x120, 0x200);
        byte[] body;
        if (Rand.NextDouble() < 0.5)
        {
            body = GenerateLogicalFunction(length, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
        }
        else
        {
            body = new DataConstructor().GenData(length, length);
        }

        section = section.Insert(at, body.ToASMBuffer() + Environment.NewLine);
        postBytes += body.Length;
    }
    JCI.SIZE_POST_EP_FUNCTIONS = postBytes;

    // Replace the text-section source with the expanded version.
    if (File.Exists(PE.PeDirectory.TextSectionPath))
    {
        File.Delete(PE.PeDirectory.TextSectionPath);
    }
    PE.PeDirectory.TextSectionPath.WriteText(section, StringEncoding.ASCII);
    GC.Collect();
}
/// <summary>
/// Rewrites <c>tls_callback.inc</c> by expanding its placeholder markers with generated filler,
/// then records the TLS callback size in <paramref name="JCI"/> and emits
/// <c>payload_address.inc</c>.
/// </summary>
/// <param name="PE">Provides <c>PeDirectory.IncludeDirectory</c>; also handed to <c>PEFactory.ComputeArbitrarySize</c>.</param>
/// <param name="JCI">
/// <c>SIZE_TLS_CALLBACK</c> is written. <c>SIZE_PRE_EP_FUNCTIONS</c>, <c>SIZE_EP_FUNCTION</c> and
/// <c>SIZE_POST_EP_FUNCTIONS</c> are read but never set here, so the caller has to populate them first.
/// </param>
/// <param name="Multiplier">Multiplies the lower and upper bounds given to <c>Rand.Next</c> for the generated-function count.</param>
/// <remarks>
/// The <c>;[JUNK_NO_PRESERVE]</c> line is overwritten (the marker is gone afterwards); the
/// <c>;[JUNK_FUNCS]</c> line is preserved with generated text appended. Every length and count is
/// taken from <c>Rand</c>, so neither the callback size nor the emitted <c>PAYLOAD_ADDRESS</c>
/// value should be treated as constant across runs.
/// </remarks>
public void WriteLogicalTrashToTLSCallback(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string includePath = Path.Combine(PE.PeDirectory.IncludeDirectory, "tls_callback.inc");

    // Initial measurement is discarded later; kept in case the helper has side effects
    // that cannot be seen from this block.
    int measuredSize = PEFactory.ComputeArbitrarySize(includePath, PE);

    // Accumulated length of replacement filler; not consumed anywhere in this method.
    int replacedBytes = 0;

    string[] source = includePath.ReadLines();
    for (int idx = 0; idx < source.Length; idx++)
    {
        bool replaceLine = source[idx].Contains(";[JUNK_NO_PRESERVE]");
        if (replaceLine)
        {
            int size = Rand.Next(0x100, 0x200);
            byte[] generated = GenerateLogicalTrash(size, 0, 0, 0, 0);
            replacedBytes += generated.Length;
            source[idx] = generated.ToASMBuffer();
            generated = new byte[0];
            GC.Collect();
        }

        // Checked after the replacement above, so it sees the current content of the line.
        bool appendFunctions = source[idx].Contains(";[JUNK_FUNCS]");
        if (appendFunctions)
        {
            int total = Rand.Next(3 * Multiplier, 5 * Multiplier);
            for (int k = 0; k < total; k++)
            {
                int size = Rand.Next(0x100, 0x120);
                byte[] generated = GenerateLogicalFunction(size, 0, 1, IMAGE_BASE + 0x1000, 0x1000);
                source[idx] = source[idx] + Environment.NewLine + generated.ToASMBuffer() + Environment.NewLine;
            }
        }
    }

    if (File.Exists(includePath))
    {
        File.Delete(includePath);
    }
    includePath.WriteLines(source);

    // Measure the rewritten file; 3 is added for the prologue, as the original comment notes.
    measuredSize = PEFactory.ComputeArbitrarySize(includePath, PE);
    JCI.SIZE_TLS_CALLBACK = measuredSize + 3;

    // The directive value is the sum of all four recorded sizes, formatted as X8.
    string outputPath = Path.Combine(PE.PeDirectory.IncludeDirectory, "payload_address.inc");
    var summed = JCI.SIZE_PRE_EP_FUNCTIONS + JCI.SIZE_TLS_CALLBACK + JCI.SIZE_EP_FUNCTION + JCI.SIZE_POST_EP_FUNCTIONS;
    string line = string.Format("PAYLOAD_ADDRESS EQU 0x{0}", summed.ToString("X8"));
    File.WriteAllText(outputPath, line);
    GC.Collect();
}
/// <summary>
/// Expands the text-section source by inserting generated blocks ahead of its
/// <c>;[PRE_EP_FUNCTIONS]</c>, <c>;[EP_FUNCTION]</c> and <c>;[POST_EP_FUNCTIONS]</c> markers,
/// and stores the byte count added per region in <paramref name="JCI"/>.
/// </summary>
/// <param name="PE">Provides <c>PeDirectory.TextSectionPath</c>, which is read, deleted if present, and rewritten.</param>
/// <param name="JCI">Its <c>SIZE_PRE_EP_FUNCTIONS</c>, <c>SIZE_EP_FUNCTION</c> and <c>SIZE_POST_EP_FUNCTIONS</c> members are assigned.</param>
/// <param name="Multiplier">Multiplies the bounds given to <c>Rand.Next</c> when the pre-EP and post-EP counts are drawn.</param>
/// <remarks>
/// Insertion happens at the marker position, which leaves the marker text in place behind the
/// new block. When a marker cannot be found nothing is generated for that region and its size
/// stays 0. Counts, lengths and the generator used for each pre/post block all depend on
/// <c>Rand</c>, so two runs are not expected to yield the same section layout. The zero-fill
/// padding logic that appears only as commented-out code in the original is not run.
/// </remarks>
public void WriteLogicalFunctionsToTextSection(xNewPE PE, ref JunkCodeInfo JCI, int Multiplier)
{
    string text = PE.PeDirectory.TextSectionPath.ReadText();

    // Draw order matters for the random sequence: pre-EP count, then post-EP count.
    int blocksBefore = Rand.Next(5 * Multiplier, 10 * Multiplier);
    int blocksAfter = Rand.Next(5 * Multiplier, 10 * Multiplier);

    // Blocks placed ahead of the entry point.
    int bytesBefore = 0;
    for (int pass = 0; pass < blocksBefore; pass++)
    {
        int markerPos = text.IndexOf(";[PRE_EP_FUNCTIONS]");
        if (markerPos < 0)
        {
            continue;
        }

        int blockLen = Rand.Next(0x120, 0x200);
        bool useDataBlock = Rand.NextDouble() >= 0.5;
        byte[] block;
        if (useDataBlock)
        {
            block = new DataConstructor().GenData(blockLen, blockLen);
        }
        else
        {
            block = GenerateLogicalFunction(blockLen, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
        }

        text = text.Insert(markerPos, block.ToASMBuffer() + Environment.NewLine);
        bytesBefore += block.Length;
    }
    JCI.SIZE_PRE_EP_FUNCTIONS = bytesBefore;

    // Single block for the entry point itself.
    int bytesEntry = 0;
    int entryPos = text.IndexOf(";[EP_FUNCTION]");
    if (entryPos > -1)
    {
        int entryLen = Rand.Next(0x120, 0x140);
        byte[] entryBlock = GenerateLogicalFunction(entryLen, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
        text = text.Insert(entryPos, entryBlock.ToASMBuffer() + Environment.NewLine);
        bytesEntry += entryBlock.Length;
    }
    JCI.SIZE_EP_FUNCTION = bytesEntry;

    // Blocks placed after the entry point, generated the same way as the leading ones.
    int bytesAfter = 0;
    for (int pass = 0; pass < blocksAfter; pass++)
    {
        int markerPos = text.IndexOf(";[POST_EP_FUNCTIONS]");
        if (markerPos < 0)
        {
            continue;
        }

        int blockLen = Rand.Next(0x120, 0x200);
        bool useDataBlock = Rand.NextDouble() >= 0.5;
        byte[] block;
        if (useDataBlock)
        {
            block = new DataConstructor().GenData(blockLen, blockLen);
        }
        else
        {
            block = GenerateLogicalFunction(blockLen, 0, 1, IMAGE_BASE + 0x1000, 0x100000);
        }

        text = text.Insert(markerPos, block.ToASMBuffer() + Environment.NewLine);
        bytesAfter += block.Length;
    }
    JCI.SIZE_POST_EP_FUNCTIONS = bytesAfter;

    // Write the expanded source back over the original file.
    if (File.Exists(PE.PeDirectory.TextSectionPath))
    {
        File.Delete(PE.PeDirectory.TextSectionPath);
    }
    PE.PeDirectory.TextSectionPath.WriteText(text, StringEncoding.ASCII);
    GC.Collect();
}