/// <summary>
/// Fingerprints the initialization method of the obfuscator's assembly-resolver
/// stub. On a match the method, its declaring type and the resolve handler are
/// stored in <c>initMethod</c>, <c>resolverType</c> and <c>handlerMethod</c>.
/// </summary>
/// <param name="method">Candidate initialization method (must not be null).</param>
/// <returns>
/// true when every check passes and the fields were assigned; false otherwise.
/// A false result means "not recognised by this fingerprint", not that the
/// binary has no resolver stub — newer obfuscator builds may rename or drop the
/// P/Invoke or the delimiter constants this check relies on.
/// </returns>
bool CheckInitMethod(MethodDef method) {
	var declaringType = method.DeclaringType;
	int nestedCount = declaringType.NestedTypes.Count;

	// The resolver type carries a small, bounded set of nested helper types.
	if (nestedCount < 2 || nestedCount > 6)
		return false;

	// The stub P/Invokes kernel32!MoveFileEx; without that import this is not it.
	if (DotNetUtils.GetPInvokeMethod(declaringType, "kernel32", "MoveFileEx") == null)
		return false;

	var handler = DeobUtils.GetResolveMethod(method);
	if (handler == null)
		return false;

	// Both delimiter characters must occur as integer constants in the handler
	// body (the char literals convert to their code points, 44 and 124).
	if (!DeobUtils.HasInteger(handler, ',') || !DeobUtils.HasInteger(handler, '|'))
		return false;

	initMethod = method;
	resolverType = declaringType;
	handlerMethod = handler;
	return true;
}
/// <summary>
/// Scans the module for the type hosting the obfuscator runtime: a type that
/// P/Invokes kernel32!CloseHandle and in which both an <see cref="AssemblyResolver"/>
/// and a <see cref="MemoryPatcher"/> are detected. The first matching type wins;
/// both detectors are stored in <c>assemblyResolver</c>/<c>memoryPatcher</c> and
/// the scan stops. If nothing matches, both fields are left untouched.
/// </summary>
void Find() {
	var cflow = new CflowDeobfuscator(new MethodCallInliner(true));

	foreach (var candidate in module.Types) {
		// Cheap import-table pre-filter before running the heavier detectors.
		if (DotNetUtils.GetPInvokeMethod(candidate, "kernel32", "CloseHandle") == null)
			continue;

		// The resolver is probed first; the patcher is only constructed (and its
		// control-flow deobfuscation only run) when the resolver was found.
		var resolverCandidate = new AssemblyResolver(candidate, cflow);
		if (!resolverCandidate.Detected)
			continue;

		var patcherCandidate = new MemoryPatcher(candidate, cflow);
		if (!patcherCandidate.Detected)
			continue;

		// Both components must live on the same type.
		assemblyResolver = resolverCandidate;
		memoryPatcher = patcherCandidate;
		return;
	}
}
/// <summary>
/// Fingerprints the "desktop" runtime-check type by the shape of one of its
/// static parameterless methods and the P/Invokes on its declaring type.
/// </summary>
/// <param name="method">Candidate method; its declaring type is inspected.</param>
/// <returns>
/// true for either of two layouts: (a) the type imports
/// mscoree!StrongNameSignatureVerificationEx, or imports all of
/// kernel32.dll!SetLastError/CloseHandle/OpenProcess; (b) the type imports
/// mscoree!CLRCreateInstance and has exactly three nested types, all interfaces.
/// false otherwise.
/// </returns>
bool FindDesktop(MethodDef method) {
	var type = method.DeclaringType;

	// Must be a static void method taking no arguments.
	if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
		return false;

	int methodCount = type.Methods.Count;
	if (methodCount < 3 || methodCount > 31)
		return false;

	// Layout (a): a strong-name verification import alone is sufficient ...
	if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null)
		return true;
	// ... as is the trio of process-handle APIs (note the "kernel32.dll" spelling
	// here, unlike the bare "kernel32" used by other fingerprints in this file).
	if (DotNetUtils.GetPInvokeMethod(type, "kernel32.dll", "SetLastError") != null
		&& DotNetUtils.GetPInvokeMethod(type, "kernel32.dll", "CloseHandle") != null
		&& DotNetUtils.GetPInvokeMethod(type, "kernel32.dll", "OpenProcess") != null)
		return true;

	// Layout (b): CLRCreateInstance plus exactly three nested interface types.
	if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "CLRCreateInstance") == null)
		return false;
	var nested = type.NestedTypes;
	if (nested.Count != 3)
		return false;
	foreach (var nestedType in nested) {
		if (!nestedType.IsInterface)
			return false;
	}
	return true;
}
/// <summary>
/// Looks through the methods called by <paramref name="methodToCheck"/> for the
/// obfuscator's anti-debugger routine: a static parameterless void method whose
/// type P/Invokes kernel32!LoadLibrary and kernel32!GetProcAddress and whose
/// (deobfuscated) body contains one of the known debugger-detected messages.
/// On success <c>antiDebuggerType</c> and <c>antiDebuggerMethod</c> are set.
/// </summary>
/// <param name="methodToCheck">Method whose callees are scanned; null yields false.</param>
/// <returns>true if a matching callee was found and recorded; false otherwise.</returns>
/// <remarks>
/// Each candidate is deobfuscated in place before its strings are inspected, so
/// calling this has side effects on candidate method bodies even when it returns false.
/// </remarks>
bool Find(MethodDef methodToCheck) {
	if (methodToCheck == null)
		return false;

	// Message fragments emitted by the various anti-debugger versions; any one is enough.
	string[] debuggerMessages = {
		"debugger is activ",
		"debugger is running",
		"Debugger detected",
		"Debugger was detected",
		"{0} was detected",
		"run under",
		"run with",
		"started under",
		"{0} detected",
		"{0} found",
	};

	foreach (var callee in DotNetUtils.GetCalledMethods(module, methodToCheck)) {
		var owner = callee.DeclaringType;
		if (!callee.IsStatic || !DotNetUtils.IsMethod(callee, "System.Void", "()"))
			continue;
		if (DotNetUtils.GetPInvokeMethod(owner, "kernel32", "LoadLibrary") == null)
			continue;
		if (DotNetUtils.GetPInvokeMethod(owner, "kernel32", "GetProcAddress") == null)
			continue;

		// Strings are only visible once the body has been deobfuscated.
		Deobfuscate(callee);

		bool hasMessage = false;
		foreach (var fragment in debuggerMessages) {
			if (ContainsString(callee, fragment)) {
				hasMessage = true;
				break;
			}
		}
		if (!hasMessage)
			continue;

		antiDebuggerType = owner;
		antiDebuggerMethod = callee;
		return true;
	}
	return false;
}
/// <summary>
/// Checks whether <paramref name="type"/> declares a P/Invoke named
/// <paramref name="name"/> with the native signature
/// <c>void|int32 f(native int)</c>, i.e. a single IntPtr-sized parameter and a
/// void or Int32 return.
/// </summary>
/// <param name="type">Type whose P/Invoke methods are searched.</param>
/// <param name="name">Name of the P/Invoke to look for.</param>
/// <returns>true when such a P/Invoke exists with that exact shape; false otherwise.</returns>
static bool HasInitializeMethod(TypeDef type, string name) {
	var pinvoke = DotNetUtils.GetPInvokeMethod(type, name);
	if (pinvoke == null)
		return false;

	var sig = pinvoke.MethodSig;

	// Exactly one parameter, and it must be a native int (ElementType.I).
	if (sig.Params.Count != 1 || sig.Params[0].GetElementType() != ElementType.I)
		return false;

	// Return type is either void or int32.
	var returnKind = sig.RetType.GetElementType();
	return returnKind == ElementType.Void || returnKind == ElementType.I4;
}
/// <summary>
/// Fingerprints the Confuser v1.4 r58564 anti-tamper init method. Requires a
/// VirtualProtect P/Invoke on <paramref name="type"/>, a call to
/// Marshal.GetHINSTANCE(Module), exactly three VirtualProtect calls, and the
/// integer constants 224, 240 and 267 in the method body. On a match
/// <c>version</c> is set to <see cref="ConfuserVersion.v14_r58564"/>.
/// </summary>
/// <param name="type">Type that should declare the VirtualProtect P/Invoke.</param>
/// <param name="initMethod">Init method whose calls and constants are inspected.</param>
/// <returns>true on a match (and <c>version</c> assigned); false otherwise.</returns>
bool CheckType_v14_r58564(TypeDef type, MethodDef initMethod) {
	var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
	if (virtualProtect == null)
		return false;

	const string getHInstance = "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)";
	if (!DotNetUtils.CallsMethod(initMethod, getHInstance))
		return false;

	if (ConfuserUtils.CountCalls(initMethod, virtualProtect) != 3)
		return false;

	// NOTE(review): 224/240 equal the 32-/64-bit PE optional-header sizes and
	// 267 (0x10B) the PE32 magic, which together with GetHINSTANCE suggests the
	// stub walks its own PE header in memory — not confirmed from this code alone.
	int[] requiredConstants = { 224, 240, 267 };
	foreach (var constant in requiredConstants) {
		if (!DeobUtils.HasInteger(initMethod, constant))
			return false;
	}

	version = ConfuserVersion.v14_r58564;
	return true;
}
/// <summary>
/// Fingerprints the "desktop" runtime-check type from one of its static
/// parameterless methods and the P/Invokes on its declaring type.
/// </summary>
/// <param name="method">Candidate method; its declaring type is inspected.</param>
/// <returns>
/// true when the type has 3..31 methods and either imports
/// mscoree!StrongNameSignatureVerificationEx, or imports mscoree!CLRCreateInstance
/// and has exactly three nested types that are all interfaces; false otherwise.
/// </returns>
bool FindDesktop(MethodDef method) {
	var type = method.DeclaringType;

	// Must be a static void method taking no arguments.
	if (!method.IsStatic || !DotNetUtils.IsMethod(method, "System.Void", "()"))
		return false;

	int methodCount = type.Methods.Count;
	if (methodCount < 3 || methodCount > 31)
		return false;

	// Variant A: the strong-name verification import alone is accepted.
	if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") != null)
		return true;

	// Variant B: CLRCreateInstance plus exactly three nested interface types.
	if (DotNetUtils.GetPInvokeMethod(type, "mscoree", "CLRCreateInstance") == null)
		return false;
	var nested = type.NestedTypes;
	if (nested.Count != 3)
		return false;
	foreach (var nestedType in nested) {
		if (!nestedType.IsInterface)
			return false;
	}
	return true;
}
/// <summary>
/// Fingerprints the obfuscator's "memory manager" type by its field layout and
/// imports: exactly two fields that are either of the type itself or System.Int64
/// (delegate-typed fields are ignored, anything else disqualifies), plus a
/// P/Invoke to kernel32!SetProcessWorkingSetSize.
/// </summary>
/// <param name="type">Type to inspect.</param>
/// <param name="method">Unused; kept for signature compatibility with callers.</param>
/// <returns>true when the layout and the import match; false otherwise.</returns>
bool CheckMemoryManagerType(TypeDef type, MethodDef method) {
	int matchingFields = 0;
	foreach (var field in type.Fields) {
		var fieldType = field.FieldType;

		// Self-typed and Int64 fields are the ones we count.
		if (new SigComparer().Equals(fieldType, type) || fieldType.FullName == "System.Int64") {
			matchingFields++;
			continue;
		}

		// Delegate fields are tolerated; any other field type is a mismatch.
		if (!DotNetUtils.DerivesFromDelegate(DotNetUtils.GetType(module, fieldType)))
			return false;
	}

	if (matchingFields != 2)
		return false;

	return DotNetUtils.GetPInvokeMethod(type, "kernel32", "SetProcessWorkingSetSize") != null;
}
/// <summary>
/// Validates a candidate runtime init method (static, with a body, signature
/// <c>void (bool, bool)</c>) and classifies the obfuscator version from the
/// strings and imports it carries.
/// </summary>
/// <param name="initMethod">Candidate init method; null yields false.</param>
/// <param name="obfuscatorVersionTmp">
/// Receives the detected version, or <see cref="ObfuscatorVersion.Unknown"/> when
/// the method is rejected.
/// </param>
/// <returns>true when the method matched one of the known layouts; false otherwise.</returns>
bool CheckInitMethod(MethodDef initMethod, out ObfuscatorVersion obfuscatorVersionTmp) {
	obfuscatorVersionTmp = ObfuscatorVersion.Unknown;

	if (initMethod == null || initMethod.Body == null || !initMethod.IsStatic)
		return false;
	if (!DotNetUtils.IsMethod(initMethod, "System.Void", "(System.Boolean,System.Boolean)"))
		return false;

	var declaringType = initMethod.DeclaringType;

	// v4.x carries the "E_FullTrust" string; 4.1 additionally P/Invokes user32!CallWindowProcW.
	if (HasCodeString(initMethod, "E_FullTrust")) {
		bool callsWindowProc = DotNetUtils.GetPInvokeMethod(declaringType, "user32", "CallWindowProcW") != null;
		obfuscatorVersionTmp = callsWindowProc ? ObfuscatorVersion.V4_1 : ObfuscatorVersion.V4_0;
		return true;
	}

	// v3 used a different full-trust message.
	if (HasCodeString(initMethod, "Full Trust Required")) {
		obfuscatorVersionTmp = ObfuscatorVersion.V3;
		return true;
	}

	// v5.0 has no marker string; it is recognised by nested types plus a field-type profile.
	if (declaringType.HasNestedTypes && new FieldTypes(declaringType).All(fieldTypesV5)) {
		obfuscatorVersionTmp = ObfuscatorVersion.V5_0;
		return true;
	}

	return false;
}
/// <summary>
/// Fingerprints a Confuser anti-tamper/decrypter type and pins the exact build
/// in <c>version</c>. Requirements: exactly three methods, a kernel32!VirtualProtect
/// P/Invoke, the "Broken file" string in <paramref name="initMethod"/>, and a
/// decrypt method (stored in <c>decryptMethod</c>). The build is then derived
/// from the presence of "Module error"/"&lt;Unknown&gt;", the FileStream ctor,
/// Buffer.BlockCopy call counts, Object.GetHashCode and Rijndael.Create.
/// </summary>
/// <param name="type">Candidate type; null yields false.</param>
/// <param name="initMethod">The type's init method.</param>
/// <returns>true when recognised (with <c>version</c> and <c>decryptMethod</c> set); false otherwise.</returns>
/// <remarks>
/// <c>decryptMethod</c> is assigned before the version is known, so it may be
/// non-null even when this returns false later in the chain.
/// </remarks>
protected override bool CheckType(TypeDef type, MethodDef initMethod) {
	if (type == null || type.Methods.Count != 3)
		return false;

	var virtProtect = DotNetUtils.GetPInvokeMethod(type, "kernel32", "VirtualProtect");
	if (virtProtect == null)
		return false;
	if (!DotNetUtils.HasString(initMethod, "Broken file"))
		return false;

	decryptMethod = FindDecryptMethod(type);
	if (decryptMethod == null)
		return false;

	const string fileStreamCtor = "System.Void System.IO.FileStream::.ctor(System.String,System.IO.FileMode,System.IO.FileAccess,System.IO.FileShare)";
	const string blockCopy = "System.Void System.Buffer::BlockCopy(System.Array,System.Int32,System.Array,System.Int32,System.Int32)";
	bool opensFileStream = DotNetUtils.CallsMethod(initMethod, fileStreamCtor);

	// Oldest build: no "Module error" message yet.
	if (!DotNetUtils.HasString(initMethod, "Module error")) {
		version = ConfuserVersion.v14_r57884;
		return true;
	}

	// Private VirtualProtect + FileStream: distinguished by Buffer.BlockCopy call count.
	if (virtProtect.IsPrivate && opensFileStream) {
		int blockCopyCalls = ConfuserUtils.CountCalls(initMethod, blockCopy);
		if (blockCopyCalls <= 1)
			version = ConfuserVersion.v14_r58564;
		else if (blockCopyCalls == 2)
			version = ConfuserVersion.v14_r58852;
		else if (blockCopyCalls == 4)
			version = ConfuserVersion.v15_r59014;
		else
			return false;
		return true;
	}

	if (opensFileStream) {
		version = ConfuserVersion.v14_r58004;
		return true;
	}

	if (DotNetUtils.CallsMethod(initMethod, "System.Int32 System.Object::GetHashCode()")) {
		version = DotNetUtils.HasString(initMethod, "<Unknown>")
			? ConfuserVersion.v17_r72989
			: ConfuserVersion.v16_r71742;
		return true;
	}

	if (DotNetUtils.CallsMethod(decryptMethod, "System.Security.Cryptography.Rijndael System.Security.Cryptography.Rijndael::Create()")) {
		version = ConfuserVersion.v17_r73605;
		return true;
	}

	version = DotNetUtils.HasString(initMethod, "<Unknown>")
		? ConfuserVersion.v18_r75288
		: ConfuserVersion.v19_r75725;
	return true;
}
/// <summary>
/// Fingerprints the Confuser v1.4 r58852 family of anti-tamper init methods and
/// pins the exact build in <c>version</c>. Requires a VirtualProtect P/Invoke,
/// a Marshal.GetHINSTANCE(Module) call, 14 or 16 VirtualProtect calls and five
/// specific integer constants; the build is then chosen from the constant 0x18,
/// the VirtualProtect count, the number of <c>localloc</c> opcodes, the
/// "&lt;Unknown&gt;" string and <c>IsRev75725</c>.
/// </summary>
/// <param name="type">Type that should declare the VirtualProtect P/Invoke.</param>
/// <param name="initMethod">Init method whose calls, constants and opcodes are inspected.</param>
/// <returns>true on a match (with <c>version</c> set); false otherwise.</returns>
bool CheckType_v14_r58852(TypeDef type, MethodDef initMethod) {
	var virtualProtect = DotNetUtils.GetPInvokeMethod(type, "VirtualProtect");
	if (virtualProtect == null)
		return false;

	const string getHInstance = "System.IntPtr System.Runtime.InteropServices.Marshal::GetHINSTANCE(System.Reflection.Module)";
	if (!DotNetUtils.CallsMethod(initMethod, getHInstance))
		return false;

	int protectCalls = ConfuserUtils.CountCalls(initMethod, virtualProtect);
	if (protectCalls != 14 && protectCalls != 16)
		return false;

	// The four 32-bit constants are little-endian ASCII: "ntdl", "l.dl", "NtCo",
	// "ntin" — i.e. "ntdll.dll" and "NtContinue" assembled from immediates rather
	// than stored as string literals. 0x3C is presumably the e_lfanew offset of the
	// DOS header (fits the GetHINSTANCE usage) — not confirmed from this code alone.
	int[] requiredConstants = { 0x3C, 0x6c64746e, 0x6c642e6c, 0x6f43744e, 0x6e69746e };
	foreach (var constant in requiredConstants) {
		if (!DeobUtils.HasInteger(initMethod, constant))
			return false;
	}

	int locallocs = ConfuserUtils.CountOpCode(initMethod, Code.Localloc);

	if (DeobUtils.HasInteger(initMethod, 0x18)) {
		version = ConfuserVersion.v14_r58852;
		return true;
	}
	if (protectCalls == 16) {
		version = ConfuserVersion.v16_r69339;
		return true;
	}

	// protectCalls == 14 from here on; the localloc count separates the builds.
	if (locallocs == 2) {
		version = ConfuserVersion.v17_r74708;
		return true;
	}
	if (locallocs != 1)
		return false;

	if (DotNetUtils.HasString(initMethod, "<Unknown>"))
		version = ConfuserVersion.v18_r75257;
	else if (IsRev75725(initMethod))
		version = ConfuserVersion.v19_r75725;
	else
		version = ConfuserVersion.v19_r76186;
	return true;
}
/// <summary>
/// Fingerprints the "safe" profile of Confuser's anti-debug component and pins
/// the build in <c>version</c>. Two layouts exist: the oldest places the code in
/// the &lt;Module&gt; type; later ones use a dedicated type that P/Invokes
/// ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and
/// kernel32!CloseHandle, spawns a Thread(ParameterizedThreadStart) from the
/// init method and calls Environment.FailFast exactly twice from the anti-debug
/// method.
/// </summary>
/// <param name="type">Candidate type hosting the anti-debug code.</param>
/// <param name="initMethod">The type's init method.</param>
/// <returns>true when recognised (with <c>version</c> set); false otherwise.</returns>
/// <remarks>
/// In the "safe" profile the anti-debug method itself makes no direct call to
/// NtQueryInformationProcess (the count must be 0); the "normal" profile differs here.
/// </remarks>
bool CheckMethod_safe(TypeDef type, MethodDef initMethod) {
	// Oldest layout: the anti-debug code lives directly in <Module>.
	if (type == DotNetUtils.GetModuleType(module)) {
		if (!DotNetUtils.HasString(initMethod, "Debugger detected (Managed)") || !CheckProfilerStrings1(initMethod))
			return false;
		version = ConfuserVersion.v14_r57588_safe;
		return true;
	}

	var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
	if (ntQueryInformationProcess == null)
		return false;
	if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
		return false;
	if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
		return false;

	var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
	if (antiDebugMethod == null)
		return false;

	// Either spelling of the message marks the builds that still had one.
	bool hasDebuggerStrings =
		DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)") ||
		DotNetUtils.HasString(antiDebugMethod, "Debugger is detected (Managed)");

	const string paramThreadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";
	if (!DotNetUtils.CallsMethod(initMethod, paramThreadCtor))
		return false;
	if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
		return false;
	if (!CheckProfilerStrings1(initMethod) && !CheckProfilerStrings2(initMethod))
		return false;
	if (ConfuserUtils.CountCalls(antiDebugMethod, "System.Void System.Environment::FailFast(System.String)") != 2)
		return false;

	// Newest build dropped the debugger message entirely.
	if (!hasDebuggerStrings) {
		version = ConfuserVersion.v19_r78363_safe;
		return true;
	}

	if (!DotNetUtils.CallsMethod(antiDebugMethod, paramThreadCtor))
		version = ConfuserVersion.v16_r61954_safe;
	else if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
		version = ConfuserVersion.v17_r73822_safe;
	else if (CheckProfilerStrings1(initMethod))
		version = ConfuserVersion.v17_r74021_safe;
	else
		version = ConfuserVersion.v19_r76119_safe;
	return true;
}
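/// <summary>
/// Fingerprints the "normal" profile of Confuser's anti-debug component and pins
/// the build in <c>version</c>. The type must P/Invoke
/// ntdll!NtQueryInformationProcess, ntdll!NtSetInformationProcess and
/// kernel32!CloseHandle and expose an anti-debug method. Builds are then told
/// apart by how the init method starts its watchdog thread
/// (Thread(ParameterizedThreadStart) vs. a raw ThreadStart delegate), the number
/// of Environment.FailFast calls (6 or 8), the number of direct
/// NtQueryInformationProcess calls, an IsDebuggerPresent import and the
/// "Debugger detected (Managed)" message.
/// </summary>
/// <param name="type">Candidate type hosting the anti-debug code.</param>
/// <param name="initMethod">The type's init method.</param>
/// <returns>true when recognised (with <c>version</c> set); false otherwise.</returns>
/// <remarks>
/// Fix: the <c>ThreadStart::.ctor</c> method-reference literal was split across a
/// line break in the source, which is not a valid C# string literal and can never
/// match the single-line full name dnlib produces. It is now one literal.
/// </remarks>
bool CheckMethod_normal(TypeDef type, MethodDef initMethod) {
	var ntQueryInformationProcess = DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtQueryInformationProcess");
	if (ntQueryInformationProcess == null)
		return false;
	if (DotNetUtils.GetPInvokeMethod(type, "ntdll", "NtSetInformationProcess") == null)
		return false;
	if (DotNetUtils.GetPInvokeMethod(type, "kernel32", "CloseHandle") == null)
		return false;

	var antiDebugMethod = GetAntiDebugMethod(type, initMethod);
	if (antiDebugMethod == null)
		return false;

	bool hasDebuggerStrings = DotNetUtils.HasString(antiDebugMethod, "Debugger detected (Managed)");

	const string paramThreadCtor = "System.Void System.Threading.Thread::.ctor(System.Threading.ParameterizedThreadStart)";
	const string threadStartCtor = "System.Void System.Threading.ThreadStart::.ctor(System.Object,System.IntPtr)";
	const string failFast = "System.Void System.Environment::FailFast(System.String)";
	const string enterDebugMode = "System.Void System.Diagnostics.Process::EnterDebugMode()";

	// Newer layouts (v1.6+): the init method spawns a Thread(ParameterizedThreadStart).
	if (DotNetUtils.CallsMethod(initMethod, paramThreadCtor)) {
		int failFastCalls = ConfuserUtils.CountCalls(antiDebugMethod, failFast);
		if (failFastCalls != 6 && failFastCalls != 8)
			return false;
		if (!CheckProfilerStrings1(initMethod))
			return false;

		// v1.6: the anti-debug method does not itself create a thread, and it
		// queries the process twice directly.
		if (!DotNetUtils.CallsMethod(antiDebugMethod, paramThreadCtor)) {
			if (!hasDebuggerStrings)
				return false;
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
				return false;
			version = ConfuserVersion.v16_r61954_normal;
			return true;
		}

		if (failFastCalls == 8) {
			if (!hasDebuggerStrings)
				return false;
			if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 2)
				return false;
			version = ConfuserVersion.v17_r73822_normal;
			return true;
		}

		// failFastCalls == 6: IsDebuggerPresent import required and no direct
		// NtQueryInformationProcess calls; the message string separates the builds.
		if (DotNetUtils.GetPInvokeMethod(type, "IsDebuggerPresent") == null)
			return false;
		if (ConfuserUtils.CountCalls(antiDebugMethod, ntQueryInformationProcess) != 0)
			return false;
		version = hasDebuggerStrings
			? ConfuserVersion.v17_r74021_normal
			: ConfuserVersion.v19_r78363_normal;
		return true;
	}

	// Older layouts (v1.4): both require the message, Process.EnterDebugMode in
	// the init method and the profiler strings in the anti-debug method; they
	// differ only in whether a ThreadStart delegate is constructed.
	bool usesThreadStartDelegate = DotNetUtils.CallsMethod(initMethod, threadStartCtor);
	if (!hasDebuggerStrings)
		return false;
	if (!DotNetUtils.CallsMethod(initMethod, enterDebugMode))
		return false;
	if (!CheckProfilerStrings1(antiDebugMethod))
		return false;
	version = usesThreadStartDelegate
		? ConfuserVersion.v14_r60785_normal
		: ConfuserVersion.v14_r57588_normal;
	return true;
}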