Update code to handle unpacked native images
This commit is contained in:
parent
26f4afeff3
commit
28ec2485fc
|
@ -33,8 +33,24 @@ namespace de4dot {
|
||||||
this.filename = Utils.getFullPath(filename);
|
this.filename = Utils.getFullPath(filename);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ReaderParameters getReaderParameters() {
|
||||||
|
return new ReaderParameters(ReadingMode.Deferred) {
|
||||||
|
AssemblyResolver = AssemblyResolver.Instance
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
public ModuleDefinition load() {
|
public ModuleDefinition load() {
|
||||||
readFile();
|
return setModule(ModuleDefinition.ReadModule(filename, getReaderParameters()));
|
||||||
|
}
|
||||||
|
|
||||||
|
public ModuleDefinition load(byte[] fileData) {
|
||||||
|
return setModule(ModuleDefinition.ReadModule(new MemoryStream(fileData), getReaderParameters()));
|
||||||
|
}
|
||||||
|
|
||||||
|
ModuleDefinition setModule(ModuleDefinition newModule) {
|
||||||
|
module = newModule;
|
||||||
|
AssemblyResolver.Instance.addModule(module);
|
||||||
|
module.FullyQualifiedName = filename;
|
||||||
return module;
|
return module;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -47,25 +63,9 @@ namespace de4dot {
|
||||||
}
|
}
|
||||||
|
|
||||||
public ModuleDefinition reload(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
public ModuleDefinition reload(byte[] newModuleData, Dictionary<uint, DumpedMethod> dumpedMethods) {
|
||||||
var oldModuleName = module.FullyQualifiedName;
|
AssemblyResolver.Instance.removeModule(module);
|
||||||
var assemblyResolver = AssemblyResolver.Instance;
|
|
||||||
assemblyResolver.removeModule(module);
|
|
||||||
DotNetUtils.typeCaches.invalidate(module);
|
DotNetUtils.typeCaches.invalidate(module);
|
||||||
|
return setModule(ModuleDefinition.ReadModule(new MemoryStream(newModuleData), getReaderParameters(), dumpedMethods));
|
||||||
var readerParameters = new ReaderParameters(ReadingMode.Deferred);
|
|
||||||
readerParameters.AssemblyResolver = assemblyResolver;
|
|
||||||
module = ModuleDefinition.ReadModule(new MemoryStream(newModuleData), readerParameters, dumpedMethods);
|
|
||||||
assemblyResolver.addModule(module);
|
|
||||||
module.FullyQualifiedName = oldModuleName;
|
|
||||||
return module;
|
|
||||||
}
|
|
||||||
|
|
||||||
void readFile() {
|
|
||||||
var assemblyResolver = AssemblyResolver.Instance;
|
|
||||||
var readerParameters = new ReaderParameters(ReadingMode.Deferred);
|
|
||||||
readerParameters.AssemblyResolver = assemblyResolver;
|
|
||||||
module = ModuleDefinition.ReadModule(filename, readerParameters);
|
|
||||||
assemblyResolver.addModule(module);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string ToString() {
|
public override string ToString() {
|
||||||
|
|
|
@ -30,6 +30,7 @@ using de4dot.blocks;
|
||||||
using de4dot.blocks.cflow;
|
using de4dot.blocks.cflow;
|
||||||
using de4dot.AssemblyClient;
|
using de4dot.AssemblyClient;
|
||||||
using de4dot.renamer;
|
using de4dot.renamer;
|
||||||
|
using de4dot.PE;
|
||||||
|
|
||||||
namespace de4dot {
|
namespace de4dot {
|
||||||
class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile {
|
class ObfuscatedFile : IObfuscatedFile, IDeobfuscatedFile {
|
||||||
|
@ -151,7 +152,7 @@ namespace de4dot {
|
||||||
}
|
}
|
||||||
|
|
||||||
public void load(IEnumerable<IDeobfuscator> deobfuscators) {
|
public void load(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||||
module = assemblyModule.load();
|
loadModule(deobfuscators);
|
||||||
AssemblyResolver.Instance.addSearchDirectory(Utils.getDirName(Filename));
|
AssemblyResolver.Instance.addSearchDirectory(Utils.getDirName(Filename));
|
||||||
AssemblyResolver.Instance.addSearchDirectory(Utils.getDirName(NewFilename));
|
AssemblyResolver.Instance.addSearchDirectory(Utils.getDirName(NewFilename));
|
||||||
|
|
||||||
|
@ -163,6 +164,36 @@ namespace de4dot {
|
||||||
initializeDeobfuscator();
|
initializeDeobfuscator();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void loadModule(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||||
|
try {
|
||||||
|
module = assemblyModule.load();
|
||||||
|
}
|
||||||
|
catch (BadImageFormatException) {
|
||||||
|
if (!unpackNativeImage(deobfuscators))
|
||||||
|
throw new BadImageFormatException();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
bool unpackNativeImage(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||||
|
var peImage = new PeImage(Utils.readFile(Filename));
|
||||||
|
|
||||||
|
foreach (var deob in deobfuscators) {
|
||||||
|
try {
|
||||||
|
var unpackedData = deob.unpackNativeFile(peImage);
|
||||||
|
if (unpackedData == null)
|
||||||
|
continue;
|
||||||
|
module = assemblyModule.load(unpackedData);
|
||||||
|
this.deob = deob;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
catch {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
void initializeDeobfuscator() {
|
void initializeDeobfuscator() {
|
||||||
if (options.StringDecrypterType == DecrypterType.Default)
|
if (options.StringDecrypterType == DecrypterType.Default)
|
||||||
options.StringDecrypterType = deob.DefaultDecrypterType;
|
options.StringDecrypterType = deob.DefaultDecrypterType;
|
||||||
|
@ -199,6 +230,15 @@ namespace de4dot {
|
||||||
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
|
if (!options.ControlFlowDeobfuscation || options.StringDecrypterType == DecrypterType.None)
|
||||||
savedMethodBodies = new SavedMethodBodies();
|
savedMethodBodies = new SavedMethodBodies();
|
||||||
|
|
||||||
|
// It's not null if it unpacked a native file
|
||||||
|
if (this.deob != null) {
|
||||||
|
deob.init(module);
|
||||||
|
deob.DeobfuscatedFile = this;
|
||||||
|
deob.earlyDetect();
|
||||||
|
deob.detect();
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
foreach (var deob in deobfuscators) {
|
foreach (var deob in deobfuscators) {
|
||||||
deob.init(module);
|
deob.init(module);
|
||||||
deob.DeobfuscatedFile = this;
|
deob.DeobfuscatedFile = this;
|
||||||
|
|
|
@ -23,6 +23,7 @@ using Mono.Cecil;
|
||||||
using Mono.Cecil.Cil;
|
using Mono.Cecil.Cil;
|
||||||
using Mono.MyStuff;
|
using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
|
using de4dot.PE;
|
||||||
|
|
||||||
namespace de4dot.deobfuscators {
|
namespace de4dot.deobfuscators {
|
||||||
abstract class DeobfuscatorBase : IDeobfuscator, IWriterListener {
|
abstract class DeobfuscatorBase : IDeobfuscator, IWriterListener {
|
||||||
|
@ -83,6 +84,10 @@ namespace de4dot.deobfuscators {
|
||||||
DefaultDecrypterType = DecrypterType.Static;
|
DefaultDecrypterType = DecrypterType.Static;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public virtual byte[] unpackNativeFile(PeImage peImage) {
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
|
||||||
public virtual void init(ModuleDefinition module) {
|
public virtual void init(ModuleDefinition module) {
|
||||||
setModule(module);
|
setModule(module);
|
||||||
}
|
}
|
||||||
|
|
|
@ -23,6 +23,7 @@ using Mono.Cecil;
|
||||||
using Mono.MyStuff;
|
using Mono.MyStuff;
|
||||||
using de4dot.blocks;
|
using de4dot.blocks;
|
||||||
using de4dot.renamer;
|
using de4dot.renamer;
|
||||||
|
using de4dot.PE;
|
||||||
|
|
||||||
namespace de4dot.deobfuscators {
|
namespace de4dot.deobfuscators {
|
||||||
interface IDeobfuscatorOptions {
|
interface IDeobfuscatorOptions {
|
||||||
|
@ -66,6 +67,9 @@ namespace de4dot.deobfuscators {
|
||||||
// Return true if methods can be inlined
|
// Return true if methods can be inlined
|
||||||
bool CanInlineMethods { get; }
|
bool CanInlineMethods { get; }
|
||||||
|
|
||||||
|
// Returns null or the unpacked .NET PE file
|
||||||
|
byte[] unpackNativeFile(PeImage peImage);
|
||||||
|
|
||||||
void init(ModuleDefinition module);
|
void init(ModuleDefinition module);
|
||||||
|
|
||||||
// Same as detect() but may be used by deobfuscators to detect obfuscator that decrypt
|
// Same as detect() but may be used by deobfuscators to detect obfuscator that decrypt
|
||||||
|
|
Loading…
Reference in New Issue
Block a user