Find anti-debugger and tamper detection code
This commit is contained in:
parent
1a78c2dc8c
commit
4490c976b3
|
@ -57,11 +57,13 @@
|
|||
<Compile Include="CommandLineParser.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\CliSecure\ProxyDelegateFinder.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\AntiDebugger.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\AssemblyResolver.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\Deobfuscator.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ResourceDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\ResourceResolver.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\StringDecrypter.cs" />
|
||||
<Compile Include="deobfuscators\CryptoObfuscator\TamperDetection.cs" />
|
||||
<Compile Include="deobfuscators\DeobfuscatorBase.cs" />
|
||||
<Compile Include="deobfuscators\DeobfuscatorInfoBase.cs" />
|
||||
<Compile Include="deobfuscators\DeobUtils.cs" />
|
||||
|
|
75
de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
Normal file
75
de4dot.code/deobfuscators/CryptoObfuscator/AntiDebugger.cs
Normal file
|
@ -0,0 +1,75 @@
|
|||
/*
|
||||
Copyright (C) 2011 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using Mono.Cecil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||
class AntiDebugger {
|
||||
ModuleDefinition module;
|
||||
ISimpleDeobfuscator simpleDeobfuscator;
|
||||
IDeobfuscator deob;
|
||||
TypeDefinition antiDebuggerType;
|
||||
MethodDefinition antiDebuggerMethod;
|
||||
|
||||
public AntiDebugger(ModuleDefinition module, ISimpleDeobfuscator simpleDeobfuscator, IDeobfuscator deob) {
|
||||
this.module = module;
|
||||
this.simpleDeobfuscator = simpleDeobfuscator;
|
||||
this.deob = deob;
|
||||
}
|
||||
|
||||
public void find() {
|
||||
var mainMethod = module.EntryPoint;
|
||||
if (mainMethod == null)
|
||||
return;
|
||||
|
||||
foreach (var info in DotNetUtils.getCalledMethods(module, mainMethod)) {
|
||||
var type = info.Item1;
|
||||
var method = info.Item2;
|
||||
|
||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "LoadLibrary") == null)
|
||||
continue;
|
||||
if (DotNetUtils.getPInvokeMethod(type, "kernel32", "GetProcAddress") == null)
|
||||
continue;
|
||||
deobfuscate(method);
|
||||
if (!containsString(method, "debugger was detected"))
|
||||
continue;
|
||||
|
||||
antiDebuggerType = type;
|
||||
antiDebuggerMethod = method;
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
void deobfuscate(MethodDefinition method) {
|
||||
simpleDeobfuscator.deobfuscate(method);
|
||||
simpleDeobfuscator.decryptStrings(method, deob);
|
||||
}
|
||||
|
||||
bool containsString(MethodDefinition method, string part) {
|
||||
foreach (var s in DotNetUtils.getCodeStrings(method)) {
|
||||
if (s.Contains(part))
|
||||
return true;
|
||||
}
|
||||
return false;
|
||||
}
|
||||
}
|
||||
}
|
|
@ -25,8 +25,11 @@ using de4dot.blocks;
|
|||
namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||
class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||
const string DEFAULT_REGEX = @"!^[A-Z]{1,3}(?:`\d+)?$&!^c[0-9a-f]{32}(?:`\d+)?$&" + DeobfuscatorBase.DEFAULT_VALID_NAME_REGEX;
|
||||
BoolOption removeTamperProtection;
|
||||
|
||||
public DeobfuscatorInfo()
|
||||
: base("co", DEFAULT_REGEX) {
|
||||
removeTamperProtection = new BoolOption(null, makeArgName("tamper"), "Remove tamper protection code", true);
|
||||
}
|
||||
|
||||
internal static string ObfuscatorType {
|
||||
|
@ -40,11 +43,13 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
|||
public override IDeobfuscator createDeobfuscator() {
|
||||
return new Deobfuscator(new Deobfuscator.Options {
|
||||
ValidNameRegex = validNameRegex.get(),
|
||||
RemoveTamperProtection = removeTamperProtection.get(),
|
||||
});
|
||||
}
|
||||
|
||||
protected override IEnumerable<Option> getOptionsInternal() {
|
||||
return new List<Option>() {
|
||||
removeTamperProtection,
|
||||
};
|
||||
}
|
||||
}
|
||||
|
@ -59,8 +64,11 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
|||
ResourceResolver resourceResolver;
|
||||
AssemblyResolver assemblyResolver;
|
||||
StringDecrypter stringDecrypter;
|
||||
TamperDetection tamperDetection;
|
||||
AntiDebugger antiDebugger;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
public bool RemoveTamperProtection { get; set; }
|
||||
}
|
||||
|
||||
public override string Type {
|
||||
|
@ -91,6 +99,8 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
|||
val += 10;
|
||||
if (stringDecrypter.Detected)
|
||||
val += 10;
|
||||
if (tamperDetection.Detected)
|
||||
val += 10;
|
||||
|
||||
return val;
|
||||
}
|
||||
|
@ -107,7 +117,9 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
|||
foundObfuscatedSymbols = true;
|
||||
|
||||
stringDecrypter = new StringDecrypter(module);
|
||||
stringDecrypter.detect();
|
||||
stringDecrypter.find();
|
||||
tamperDetection = new TamperDetection(module);
|
||||
tamperDetection.find();
|
||||
}
|
||||
|
||||
void initializeVersion(TypeDefinition attr) {
|
||||
|
@ -153,8 +165,12 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
|||
staticStringDecrypter.add(stringDecrypter.StringDecrypterMethod, (method, args) => {
|
||||
return stringDecrypter.decrypt((int)args[0]);
|
||||
});
|
||||
DeobfuscatedFile.stringDecryptersAdded();
|
||||
}
|
||||
|
||||
antiDebugger = new AntiDebugger(module, DeobfuscatedFile, this);
|
||||
antiDebugger.find();
|
||||
|
||||
dumpEmbeddedAssemblies();
|
||||
}
|
||||
|
||||
|
|
|
@ -45,7 +45,7 @@ namespace de4dot.deobfuscators.CryptoObfuscator {
|
|||
this.module = module;
|
||||
}
|
||||
|
||||
public void detect() {
|
||||
public void find() {
|
||||
TypeDefinition type;
|
||||
MethodDefinition method;
|
||||
if (!findStringDecrypterType(out type, out method))
|
||||
|
|
|
@ -0,0 +1,59 @@
|
|||
/*
|
||||
Copyright (C) 2011 de4dot@gmail.com
|
||||
|
||||
This file is part of de4dot.
|
||||
|
||||
de4dot is free software: you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation, either version 3 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
de4dot is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||
*/
|
||||
|
||||
using Mono.Cecil;
|
||||
using de4dot.blocks;
|
||||
|
||||
namespace de4dot.deobfuscators.CryptoObfuscator {
|
||||
class TamperDetection {
|
||||
ModuleDefinition module;
|
||||
TypeDefinition tamperType;
|
||||
MethodDefinition tamperMethod;
|
||||
|
||||
public bool Detected {
|
||||
get { return tamperMethod != null; }
|
||||
}
|
||||
|
||||
public TamperDetection(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public void find() {
|
||||
var mainMethod = module.EntryPoint;
|
||||
if (mainMethod == null)
|
||||
return;
|
||||
|
||||
foreach (var info in DotNetUtils.getCalledMethods(module, mainMethod)) {
|
||||
var type = info.Item1;
|
||||
var method = info.Item2;
|
||||
|
||||
if (!method.IsStatic || !DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||
continue;
|
||||
if (type.Methods.Count != 3)
|
||||
continue;
|
||||
if (DotNetUtils.getPInvokeMethod(type, "mscoree", "StrongNameSignatureVerificationEx") == null)
|
||||
continue;
|
||||
|
||||
tamperType = type;
|
||||
tamperMethod = method;
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
Loading…
Reference in New Issue
Block a user