Remove anti debugger type
This commit is contained in:
parent
38d94819ee
commit
4840a117cf
|
@ -67,6 +67,7 @@
|
||||||
<Compile Include="deobfuscators\Babel_NET\MemberReferenceConverter.cs" />
|
<Compile Include="deobfuscators\Babel_NET\MemberReferenceConverter.cs" />
|
||||||
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
<Compile Include="deobfuscators\Babel_NET\MethodBodyReader.cs" />
|
||||||
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
<Compile Include="deobfuscators\Babel_NET\MethodReferenceReader.cs" />
|
||||||
|
<Compile Include="deobfuscators\Confuser\AntiDebugger.cs" />
|
||||||
<Compile Include="deobfuscators\Confuser\ConfuserUtils.cs" />
|
<Compile Include="deobfuscators\Confuser\ConfuserUtils.cs" />
|
||||||
<Compile Include="deobfuscators\Confuser\ConstantsFolder.cs" />
|
<Compile Include="deobfuscators\Confuser\ConstantsFolder.cs" />
|
||||||
<Compile Include="deobfuscators\Confuser\Deobfuscator.cs" />
|
<Compile Include="deobfuscators\Confuser\Deobfuscator.cs" />
|
||||||
|
|
94
de4dot.code/deobfuscators/Confuser/AntiDebugger.cs
Normal file
94
de4dot.code/deobfuscators/Confuser/AntiDebugger.cs
Normal file
|
@ -0,0 +1,94 @@
|
||||||
|
/*
|
||||||
|
Copyright (C) 2011-2012 de4dot@gmail.com
|
||||||
|
|
||||||
|
This file is part of de4dot.
|
||||||
|
|
||||||
|
de4dot is free software: you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation, either version 3 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
de4dot is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License
|
||||||
|
along with de4dot. If not, see <http://www.gnu.org/licenses/>.
|
||||||
|
*/
|
||||||
|
|
||||||
|
using Mono.Cecil;
|
||||||
|
using Mono.Cecil.Cil;
|
||||||
|
using de4dot.blocks;
|
||||||
|
|
||||||
|
namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
class AntiDebugger {
|
||||||
|
ModuleDefinition module;
|
||||||
|
MethodDefinition initMethod;
|
||||||
|
|
||||||
|
public MethodDefinition InitMethod {
|
||||||
|
get { return initMethod; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public TypeDefinition Type {
|
||||||
|
get { return initMethod != null ? initMethod.DeclaringType : null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public bool Detected {
|
||||||
|
get { return initMethod != null; }
|
||||||
|
}
|
||||||
|
|
||||||
|
public AntiDebugger(ModuleDefinition module) {
|
||||||
|
this.module = module;
|
||||||
|
}
|
||||||
|
|
||||||
|
public void find() {
|
||||||
|
if (checkMethod(DotNetUtils.getModuleTypeCctor(module)))
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
bool checkMethod(MethodDefinition method) {
|
||||||
|
if (method == null || method.Body == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
foreach (var instr in method.Body.Instructions) {
|
||||||
|
if (instr.OpCode.Code != Code.Call)
|
||||||
|
continue;
|
||||||
|
var calledMethod = instr.Operand as MethodDefinition;
|
||||||
|
if (calledMethod == null)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (checkInitMethod(calledMethod)) {
|
||||||
|
initMethod = calledMethod;
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
static bool checkInitMethod(MethodDefinition method) {
|
||||||
|
if (method == null || method.Body == null || !method.IsStatic)
|
||||||
|
return false;
|
||||||
|
if (!DotNetUtils.isMethod(method, "System.Void", "()"))
|
||||||
|
return false;
|
||||||
|
if (!DotNetUtils.hasString(method, "COR_ENABLE_PROFILING"))
|
||||||
|
return false;
|
||||||
|
if (!DotNetUtils.hasString(method, "COR_PROFILER"))
|
||||||
|
return false;
|
||||||
|
if (!DotNetUtils.hasString(method, "Profiler detected"))
|
||||||
|
return false;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "ntdll", "NtQueryInformationProcess") == null)
|
||||||
|
return false;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "ntdll", "NtSetInformationProcess") == null)
|
||||||
|
return false;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "kernel32", "CloseHandle") == null)
|
||||||
|
return false;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "kernel32", "IsDebuggerPresent") == null)
|
||||||
|
return false;
|
||||||
|
if (DotNetUtils.getPInvokeMethod(method.DeclaringType, "kernel32", "OutputDebugString") == null)
|
||||||
|
return false;
|
||||||
|
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
|
@ -29,9 +29,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
public class DeobfuscatorInfo : DeobfuscatorInfoBase {
|
||||||
public const string THE_NAME = "Confuser";
|
public const string THE_NAME = "Confuser";
|
||||||
public const string THE_TYPE = "cn";
|
public const string THE_TYPE = "cn";
|
||||||
|
BoolOption removeAntiDebug;
|
||||||
|
|
||||||
public DeobfuscatorInfo()
|
public DeobfuscatorInfo()
|
||||||
: base() {
|
: base() {
|
||||||
|
removeAntiDebug = new BoolOption(null, makeArgName("antidb"), "Remove anti debug code", true);
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Name {
|
public override string Name {
|
||||||
|
@ -45,11 +47,13 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
public override IDeobfuscator createDeobfuscator() {
|
public override IDeobfuscator createDeobfuscator() {
|
||||||
return new Deobfuscator(new Deobfuscator.Options {
|
return new Deobfuscator(new Deobfuscator.Options {
|
||||||
ValidNameRegex = validNameRegex.get(),
|
ValidNameRegex = validNameRegex.get(),
|
||||||
|
RemoveAntiDebug = removeAntiDebug.get(),
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
protected override IEnumerable<Option> getOptionsInternal() {
|
protected override IEnumerable<Option> getOptionsInternal() {
|
||||||
return new List<Option>() {
|
return new List<Option>() {
|
||||||
|
removeAntiDebug,
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -60,8 +64,10 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
|
|
||||||
JitMethodsDecrypter jitMethodsDecrypter;
|
JitMethodsDecrypter jitMethodsDecrypter;
|
||||||
ProxyCallFixer proxyCallFixer;
|
ProxyCallFixer proxyCallFixer;
|
||||||
|
AntiDebugger antiDebugger;
|
||||||
|
|
||||||
internal class Options : OptionsBase {
|
internal class Options : OptionsBase {
|
||||||
|
public bool RemoveAntiDebug { get; set; }
|
||||||
}
|
}
|
||||||
|
|
||||||
public override string Type {
|
public override string Type {
|
||||||
|
@ -93,7 +99,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
int val = 0;
|
int val = 0;
|
||||||
|
|
||||||
int sum = toInt32(jitMethodsDecrypter.Detected) +
|
int sum = toInt32(jitMethodsDecrypter.Detected) +
|
||||||
toInt32(proxyCallFixer != null ? proxyCallFixer.Detected : false);
|
toInt32(proxyCallFixer != null ? proxyCallFixer.Detected : false) +
|
||||||
|
toInt32(antiDebugger != null ? antiDebugger.Detected : false);
|
||||||
if (sum > 0)
|
if (sum > 0)
|
||||||
val += 100 + 10 * (sum - 1);
|
val += 100 + 10 * (sum - 1);
|
||||||
|
|
||||||
|
@ -111,6 +118,8 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
void initTheRest() {
|
void initTheRest() {
|
||||||
proxyCallFixer = new ProxyCallFixer(module, getFileData(), DeobfuscatedFile);
|
proxyCallFixer = new ProxyCallFixer(module, getFileData(), DeobfuscatedFile);
|
||||||
proxyCallFixer.findDelegateCreator();
|
proxyCallFixer.findDelegateCreator();
|
||||||
|
antiDebugger = new AntiDebugger(module);
|
||||||
|
antiDebugger.find();
|
||||||
}
|
}
|
||||||
|
|
||||||
byte[] getFileData() {
|
byte[] getFileData() {
|
||||||
|
@ -141,10 +150,10 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
public override IDeobfuscator moduleReloaded(ModuleDefinition module) {
|
||||||
var newOne = new Deobfuscator(options);
|
var newOne = new Deobfuscator(options);
|
||||||
newOne.DeobfuscatedFile = DeobfuscatedFile;
|
newOne.DeobfuscatedFile = DeobfuscatedFile;
|
||||||
|
newOne.ModuleBytes = ModuleBytes;
|
||||||
newOne.setModule(module);
|
newOne.setModule(module);
|
||||||
newOne.jitMethodsDecrypter = new JitMethodsDecrypter(module, jitMethodsDecrypter);
|
newOne.jitMethodsDecrypter = new JitMethodsDecrypter(module, jitMethodsDecrypter);
|
||||||
newOne.initTheRest();
|
newOne.initTheRest();
|
||||||
newOne.ModuleBytes = ModuleBytes;
|
|
||||||
return newOne;
|
return newOne;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -156,6 +165,11 @@ namespace de4dot.code.deobfuscators.Confuser {
|
||||||
addTypeToBeRemoved(jitMethodsDecrypter.Type, "Method decrypter (JIT) type");
|
addTypeToBeRemoved(jitMethodsDecrypter.Type, "Method decrypter (JIT) type");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (options.RemoveAntiDebug) {
|
||||||
|
addModuleCctorInitCallToBeRemoved(antiDebugger.InitMethod);
|
||||||
|
addTypeToBeRemoved(antiDebugger.Type, "Anti debugger type");
|
||||||
|
}
|
||||||
|
|
||||||
proxyCallFixer.find();
|
proxyCallFixer.find();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue
Block a user