/*
Copyright (C) 2011-2013 de4dot@gmail.com
This file is part of de4dot.
de4dot is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
de4dot is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
*/
using System;
using System.Collections.Generic;
using dnlib.PE;
using dnlib.DotNet;
using dnlib.DotNet.Writer;
using de4dot.blocks;
using de4dot.blocks.cflow;
using de4dot.code.renamer;
namespace de4dot.code.deobfuscators {
// Read-only option set that an IDeobfuscator hands out through its TheOptions
// property.
public interface IDeobfuscatorOptions {
	// Getter-only renaming switch.
	// NOTE(review): judging by the name, it decides whether resource names that are
	// referenced from code get renamed as well; confirm against the renamer.
	bool RenameResourcesInCode { get; }
}
// Selects a decrypter strategy; IDeobfuscator.DefaultDecrypterType reports the one a
// deobfuscator prefers. The numeric values are spelled out so that the declaration
// order (which fixed them implicitly before) cannot be changed by accident.
//
// NOTE(review): Delegate presumably decrypts by calling the analysed assembly's own
// decrypter methods, and Emulate by interpreting them; confirm in the decrypter
// implementation. If Delegate does invoke target code, running it on an untrusted
// sample executes that sample inside the analysis process, so such runs belong in an
// isolated, disposable VM.
public enum DecrypterType {
	Default  = 0,
	None     = 1,
	Static   = 2,
	Delegate = 3,
	Emulate  = 4,
}
// Bit flags a deobfuscator reports through IDeobfuscator.StringFeatures to say which
// string-decryption modes it permits. There is no zero-valued member, so a value of 0
// means that no mode is allowed.
//
// NOTE(review): AllowDynamicDecryption presumably gates the decrypter types that run
// or emulate code taken from the analysed file; confirm where the flag is checked,
// because that check is what keeps a static-only deobfuscator from executing target
// code.
[Flags]
public enum StringFeatures {
	AllowNoDecryption      = 1 << 0,
	AllowStaticDecryption  = 1 << 1,
	AllowDynamicDecryption = 1 << 2,

	// Union of the three individual flags (numeric value 7).
	AllowAll = AllowDynamicDecryption | AllowStaticDecryption | AllowNoDecryption,
}
// Bit flags a deobfuscator reports through IDeobfuscator.RenamingOptions.
// NOTE(review): the member names suggest that the first drops a namespace holding a
// single type and the second renames resource keys; the behaviour itself lives in
// the renamer and is not visible here.
[Flags]
public enum RenamingOptions {
	RemoveNamespaceIfOneType = 1 << 0,
	RenameResourceKeys       = 1 << 1,
}
// Contract for one obfuscator-specific deobfuscator. It is also an INameChecker and
// is disposable.
//
// NOTE(review): the PE image, module and Blocks passed to these methods come from
// the file under analysis. For a deobfuscator that file is typically protected and
// possibly hostile, so implementations should treat every size, offset and token
// read from it as untrusted input.
public interface IDeobfuscator : INameChecker, IDisposable {
	// Identification strings. NOTE(review): Type and TypeLong look like a short and
	// a long form of the same identifier; confirm with an implementation.
	string Type { get; }
	string TypeLong { get; }
	string Name { get; }

	// Options of this deobfuscator (getter only).
	IDeobfuscatorOptions TheOptions { get; }

	// Settable by the caller.
	IOperations Operations { get; set; }

	// NOTE(review): MetaDataFlags presumably comes from dnlib.DotNet.Writer, which
	// this file imports, and would then apply when the module is written; confirm.
	MetaDataFlags MetaDataFlags { get; }

	// String-decryption modes this deobfuscator permits.
	StringFeatures StringFeatures { get; }

	// Renaming behaviour this deobfuscator asks for.
	RenamingOptions RenamingOptions { get; }

	// Decrypter strategy to use when none has been chosen explicitly.
	DecrypterType DefaultDecrypterType { get; }

	IEnumerable<IBlocksDeobfuscator> BlocksDeobfuscators { get; }

	// Non-null only during detect() and deobfuscateBegin(); do not read it from any
	// other method.
	IDeobfuscatedFile DeobfuscatedFile { get; set; }

	// Returns the unpacked .NET PE file, or null. Callers have to check for null
	// before they use the result.
	byte[] unpackNativeFile(IPEImage peImage);

	void init(ModuleDefMD module);

	// Detection score: 0 when the obfuscator is not detected, greater than 0 when it
	// is, and a higher value means a more likely match. This method is always called.
	int detect();

	// When the obfuscator has encrypted parts of the file, this method should hand
	// back the decrypted file. Returns true if the ref arguments have been
	// initialized, false otherwise.
	// NOTE(review): the meaning of count is not documented in this file.
	bool getDecryptedModule(
		int count,
		ref byte[] newFileData,
		ref DumpedMethods dumpedMethods);

	// Called after the module has been reloaded, and only if getDecryptedModule()
	// succeeded. The earlier wording of this comment was "!= null", which predates
	// the bool return type. Should return a new IDeobfuscator with the same options
	// and the new module.
	IDeobfuscator moduleReloaded(ModuleDefMD module);

	// Called before all other deobfuscation methods.
	void deobfuscateBegin();

	// Called before the code is deobfuscated.
	void deobfuscateMethodBegin(Blocks blocks);

	// Returns true if control flow should be deobfuscated again.
	bool deobfuscateOther(Blocks blocks);

	// Called after deobfuscateMethodBegin() but before deobfuscateMethodEnd().
	void deobfuscateStrings(Blocks blocks);

	// Called after the code has been deobfuscated.
	void deobfuscateMethodEnd(Blocks blocks);

	// Called after all deobfuscation methods.
	void deobfuscateEnd();

	// Returns all string decrypter method tokens.
	// NOTE(review): if the caller later invokes these methods for dynamic string
	// decryption, code from the analysed assembly runs in the analysis process;
	// confirm at the call site and keep such runs isolated.
	IEnumerable<int> getStringDecrypterMethods();
}
}