Find anti-debugger and tamper detection code
This commit is contained in:
parent
1a78c2dc8c
commit
4490c976b3
|
@ -57,11 +57,13 @@
|
||||||
<Compile Include="CommandLineParser.cs" />
|
<Compile Include="CommandLineParser.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\CliSecure\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\CliSecure\ProxyDelegateFinder.cs" />
|
<Compile Include="deobfuscators\CliSecure\ProxyDelegateFinder.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\ResourceDecrypter.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\ResourceDecrypter.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\ResourceResolver.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\ResourceResolver.cs" />
|
||||||
<Compile Include="deobfuscators\CryptoObfuscator\StringDecrypter.cs" />
|
<Compile Include="deobfuscators\CryptoObfuscator\StringDecrypter.cs" />
|
||||||
|
<Compile Include="deobfuscators\CryptoObfuscator\TamperDetection.cs" />
|
||||||
<Compile Include="deobfuscators\DeobfuscatorBase.cs" />
|
<Compile Include="deobfuscators\DeobfuscatorBase.cs" />
|
||||||
<Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
|
<Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
|
||||||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||||
|
|
75
de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
Normal file
75
de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
Normal file
|
@ -0,0 +1,75 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using Mono.Cecil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
|
class AntiDebugger {
|
||||||
|
ModuleDefinition module;
|
||||||
|
ISimpleDeobfuscator simpleDeobfuscator;
|
||||||
|
IDeobfuscator deob;
|
||||||
|
TypeDefinition antiDebuggerType;
|
||||||
|
MethodDefinition antiDebuggerMethod;
|
||||||
|
|
||||||
|
public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||||
|
this.module = module;
|
||||||
|
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||||
|
this.deob = deob;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
var mainMethod = module.EntryPoint;
|
||||||
|
if (mainMethod == null)
|
||||||
|
return;
|
||||||
|
|
||||||
|
foreach (var info in DotNetUtils.getCalledMethods(module, mainMethod)) {
|
||||||
|
var type = info.Item1;
|
||||||
|
var method = info.Item2;
|
||||||
|
|
||||||
|
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
|
||||||
|
continue;
|
||||||
|
deobfuscate(method);
|
||||||
|
if (!containsString(method, "debugger was detected"))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
antiDebuggerType = type;
|
||||||
|
antiDebuggerMethod = method;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
void deobfuscate(MethodDefinition method) {
|
||||||
|
simpleDeobfuscator.deobfuscate(method);
|
||||||
|
simpleDeobfuscator.decryptStrings(method, deob);
|
||||||
|
}
|
||||||
|
|
||||||
|
bool containsString(MethodDefinition method, string part) {
|
||||||
|
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||||
|
if (s.Contains(part))
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -25,8 +25,11 @@ using de4dot.blocks;
|
||||||
namespace de4dot.deobfuscators.CryptoObfuscator {
|
namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||||
const string DEFAULT_REGEX = @"!^[A-Z]{1,3}(?:`\d+)?$&!^c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
const string DEFAULT_REGEX = @"!^[A-Z]{1,3}(?:`\d+)?$&!^c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||||
|
BoolOption removeTamperProtection;
|
||||||
|
|
||||||
public DeobfuscatorInfo()
|
public DeobfuscatorInfo()
|
||||||
: base("co", DEFAULT_REGEX) {
|
: base("co", DEFAULT_REGEX) {
|
||||||
|
removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
internal static string ObfuscatorType {
|
internal static string ObfuscatorType {
|
||||||
|
@ -40,11 +43,13 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
public override IDeobfuscator createDeobfuscator() {
|
public override IDeobfuscator createDeobfuscator() {
|
||||||
return new Deobfuscator(new Deobfuscator.Options {
|
return new Deobfuscator(new Deobfuscator.Options {
|
||||||
ValidNameRegex = validNameRegex.get(),
|
ValidNameRegex = validNameRegex.get(),
|
||||||
|
RemoveTamperProtection = removeTamperProtection.get(),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override IEnumerable<Option> getOptionsInternal() {
|
protected override IEnumerable<Option> getOptionsInternal() {
|
||||||
return new List<Option>() {
|
return new List<Option>() {
|
||||||
|
removeTamperProtection,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -59,8 +64,11 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
ResourceResolver resourceResolver;
|
ResourceResolver resourceResolver;
|
||||||
AssemblyResolver assemblyResolver;
|
AssemblyResolver assemblyResolver;
|
||||||
StringDecrypter stringDecrypter;
|
StringDecrypter stringDecrypter;
|
||||||
|
TamperDetection tamperDetection;
|
||||||
|
AntiDebugger antiDebugger;
|
||||||
|
|
||||||
internal class Options : OptionsBase {
|
internal class Options : OptionsBase {
|
||||||
|
public bool RemoveTamperProtection { get; set; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Type {
|
public override string Type {
|
||||||
|
@ -91,6 +99,8 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
val += 10;
|
val += 10;
|
||||||
if (stringDecrypter.Detected)
|
if (stringDecrypter.Detected)
|
||||||
val += 10;
|
val += 10;
|
||||||
|
if (tamperDetection.Detected)
|
||||||
|
val += 10;
|
||||||
|
|
||||||
return val;
|
return val;
|
||||||
}
|
}
|
||||||
|
@ -107,7 +117,9 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
foundObfuscatedSymbols = true;
|
foundObfuscatedSymbols = true;
|
||||||
|
|
||||||
stringDecrypter = new StringDecrypter(module);
|
stringDecrypter = new StringDecrypter(module);
|
||||||
stringDecrypter.detect();
|
stringDecrypter.find();
|
||||||
|
tamperDetection = new TamperDetection(module);
|
||||||
|
tamperDetection.find();
|
||||||
}
|
}
|
||||||
|
|
||||||
void initializeVersion(TypeDefinition attr) {
|
void initializeVersion(TypeDefinition attr) {
|
||||||
|
@ -153,8 +165,12 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
staticStringDecrypter.add(stringDecrypter.StringDecrypterMethod, (method, args) => {
|
staticStringDecrypter.add(stringDecrypter.StringDecrypterMethod, (method, args) => {
|
||||||
return stringDecrypter.decrypt((int)args[0]);
|
return stringDecrypter.decrypt((int)args[0]);
|
||||||
});
|
});
|
||||||
|
DeobfuscatedFile.stringDecryptersAdded();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||||
|
antiDebugger.find();
|
||||||
|
|
||||||
dumpEmbeddedAssemblies();
|
dumpEmbeddedAssemblies();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -45,7 +45,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
this.module = module;
|
this.module = module;
|
||||||
}
|
}
|
||||||
|
|
||||||
public void detect() {
|
public void find() {
|
||||||
TypeDefinition type;
|
TypeDefinition type;
|
||||||
MethodDefinition method;
|
MethodDefinition method;
|
||||||
if (!findStringDecrypterType(out type, out method))
|
if (!findStringDecrypterType(out type, out method))
|
||||||
|
|
|
@ -0,0 +1,59 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using Mono.Cecil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||||
|
class TamperDetection {
|
||||||
|
ModuleDefinition module;
|
||||||
|
TypeDefinition tamperType;
|
||||||
|
MethodDefinition tamperMethod;
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return tamperMethod != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public TamperDetection(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
var mainMethod = module.EntryPoint;
|
||||||
|
if (mainMethod == null)
|
||||||
|
return;
|
||||||
|
|
||||||
|
foreach (var info in DotNetUtils.getCalledMethods(module, mainMethod)) {
|
||||||
|
var type = info.Item1;
|
||||||
|
var method = info.Item2;
|
||||||
|
|
||||||
|
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
|
continue;
|
||||||
|
if (type.Methods.Count != 3)
|
||||||
|
continue;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
tamperType = type;
|
||||||
|
tamperMethod = method;
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user