Add earlyDetect() method to IDeobfuscator
parent
d305faae09
commit
5fbda45d6d
|
@ -189,7 +189,6 @@ namespace de4dot {
|
|||
}
|
||||
|
||||
void detectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||
IList<MemberReference> memberReferences = new List<MemberReference>(module.GetMemberReferences());
|
||||
|
||||
// The deobfuscators may call methods to deobfuscate control flow and decrypt
|
||||
// strings (statically) in order to detect the obfuscator.
|
||||
|
@ -197,8 +196,8 @@ namespace de4dot {
|
|||
savedMethodBodies = new SavedMethodBodies();
|
||||
|
||||
foreach (var deob in deobfuscators) {
|
||||
deob.init(module);
|
||||
deob.DeobfuscatedFile = this;
|
||||
deob.init(module, memberReferences);
|
||||
}
|
||||
|
||||
if (options.ForcedObfuscatorType != null) {
|
||||
|
@ -209,17 +208,37 @@ namespace de4dot {
|
|||
}
|
||||
}
|
||||
}
|
||||
else {
|
||||
else
|
||||
this.deob = earlyDetectObfuscator(deobfuscators) ?? detectObfuscator2(deobfuscators);
|
||||
}
|
||||
|
||||
IDeobfuscator earlyDetectObfuscator(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||
IDeobfuscator detected = null;
|
||||
int detectVal = 0;
|
||||
foreach (var deob in deobfuscators) {
|
||||
int val = deob.earlyDetect();
|
||||
if (val > 0)
|
||||
Log.v("{0,3}: {1}", val, deob.Type);
|
||||
if (val > detectVal) {
|
||||
detectVal = val;
|
||||
detected = deob;
|
||||
}
|
||||
}
|
||||
return detected;
|
||||
}
|
||||
|
||||
IDeobfuscator detectObfuscator2(IEnumerable<IDeobfuscator> deobfuscators) {
|
||||
IDeobfuscator detected = null;
|
||||
int detectVal = 0;
|
||||
foreach (var deob in deobfuscators) {
|
||||
int val = deob.detect();
|
||||
Log.v("{0,3}: {1}", val, deob.Type);
|
||||
if (val > detectVal) {
|
||||
detectVal = val;
|
||||
this.deob = deob;
|
||||
}
|
||||
detected = deob;
|
||||
}
|
||||
}
|
||||
return detected;
|
||||
}
|
||||
|
||||
public void save() {
|
||||
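Review bot: In `detectObfuscator`, `earlyDetectObfuscator(deobfuscators) ?? detectObfuscator2(deobfuscators)` lets any deobfuscator that returns a positive `earlyDetect()` suppress `detect()` for all the others, and nothing in the log records that the full pass was skipped. When an assembly is misclassified, the verbose output then shows one early score with no hint of why the other scores are missing. I would log the decision before returning from `earlyDetectObfuscator`, e.g. `if (detected != null) Log.v("Early detection picked {0}; detect() pass skipped", detected.Type);`. Separately, `detectObfuscator2` returns null when no `detect()` value is above 0 and that result is assigned to `this.deob` unchecked; whether later code tolerates a null `deob` is not visible in these hunks.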
|
|
|
@ -100,9 +100,8 @@ namespace de4dot.deobfuscators.CliSecure {
|
|||
this.options = options;
|
||||
}
|
||||
|
||||
public override void init(ModuleDefinition module, IList<MemberReference> memberReferences) {
|
||||
base.init(module, memberReferences);
|
||||
proxyDelegateFinder = new ProxyDelegateFinder(module, memberReferences);
|
||||
public override void init(ModuleDefinition module) {
|
||||
base.init(module);
|
||||
}
|
||||
|
||||
public override int detect() {
|
||||
|
@ -121,6 +120,7 @@ namespace de4dot.deobfuscators.CliSecure {
|
|||
}
|
||||
|
||||
protected override void scanForObfuscatorInternal() {
|
||||
proxyDelegateFinder = new ProxyDelegateFinder(module);
|
||||
findCliSecureAttribute();
|
||||
findCliSecureRtType();
|
||||
findStringDecryptBuffer();
|
||||
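Review bot: `proxyDelegateFinder` is no longer assigned in `init()` and is only created in `scanForObfuscatorInternal()`, so it stays null on any deobfuscator for which the scan never runs. Whether that can happen is not visible here, but the `options.ForcedObfuscatorType != null` branch (body not shown) and the new early-detection path in `detectObfuscator` are the places to check, since neither visibly calls `detect()` on every deobfuscator. A comment on the field such as `// Created in scanForObfuscatorInternal(); null until the scan has run.` would make the dependency explicit. The SmartAssembly deobfuscator's `init()` and `scanForObfuscatorInternal()` hunks make the same move and need the same check.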
|
|
|
@ -23,8 +23,8 @@ using Mono.Cecil;
|
|||
|
||||
namespace de4dot.deobfuscators.CliSecure {
|
||||
class ProxyDelegateFinder : ProxyDelegateFinderBase {
|
||||
public ProxyDelegateFinder(ModuleDefinition module, IList<MemberReference> memberReferences)
|
||||
: base(module, memberReferences) {
|
||||
public ProxyDelegateFinder(ModuleDefinition module)
|
||||
: base(module) {
|
||||
}
|
||||
|
||||
protected override void getCallInfo(FieldDefinition field, out int methodIndex, out bool isVirtual) {
|
||||
|
|
|
@ -81,10 +81,14 @@ namespace de4dot.deobfuscators {
|
|||
DefaultDecrypterType = DecrypterType.Static;
|
||||
}
|
||||
|
||||
public virtual void init(ModuleDefinition module, IList<MemberReference> memberReferences) {
|
||||
public virtual void init(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
}
|
||||
|
||||
public virtual int earlyDetect() {
|
||||
return 0;
|
||||
}
|
||||
|
||||
protected void scanForObfuscator() {
|
||||
if (scanForObfuscatorCalled)
|
||||
return;
|
||||
|
|
|
@ -52,10 +52,15 @@ namespace de4dot.deobfuscators {
|
|||
StringFeatures StringFeatures { get; }
|
||||
DecrypterType DefaultDecrypterType { get; }
|
||||
|
||||
// This is non-null only in init(), detect() and deobfuscateBegin().
|
||||
// This is non-null only in detect() and deobfuscateBegin().
|
||||
IDeobfuscatedFile DeobfuscatedFile { get; set; }
|
||||
|
||||
void init(ModuleDefinition module, IList<MemberReference> memberReferences);
|
||||
void init(ModuleDefinition module);
|
||||
|
||||
// Same as detect() but may be used by deobfuscators to detect obfuscator that decrypt
|
||||
// metadata at runtime. Code in detect() assume they can access everything. 0 should be
|
||||
// returned if not detected.
|
||||
int earlyDetect();
|
||||
|
||||
// Returns 0 if it's not detected, or > 0 if detected (higher value => more likely true)
|
||||
int detect();
|
||||
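Review bot: The updated `DeobfuscatedFile` comment says the property is non-null only in `detect()` and `deobfuscateBegin()`, but `detectObfuscator` assigns it right after `init(module)` and before `earlyDetect()` is called, so it appears to be set during `earlyDetect()` as well unless it is cleared somewhere outside this page. The `earlyDetect()` comment should also state what a positive value does to the caller's flow, since implementers will otherwise treat it as a cheap preview of `detect()`. Suggested wording: `// This is non-null only in earlyDetect(), detect() and deobfuscateBegin().` and, on `earlyDetect()`, `// A value > 0 is used instead of running detect().`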
|
|
|
@ -54,9 +54,9 @@ namespace de4dot.deobfuscators {
|
|||
get { return delegateCreatorMethod != null; }
|
||||
}
|
||||
|
||||
public ProxyDelegateFinderBase(ModuleDefinition module, IList<MemberReference> memberReferences) {
|
||||
public ProxyDelegateFinderBase(ModuleDefinition module) {
|
||||
this.module = module;
|
||||
this.memberReferences = memberReferences;
|
||||
this.memberReferences = new List<MemberReference>(module.GetMemberReferences());
|
||||
}
|
||||
|
||||
public void setDelegateCreatorMethod(MethodDefinition delegateCreatorMethod) {
|
||||
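Review bot: The constructor now builds its own `new List<MemberReference>(module.GetMemberReferences())`, so each finder holds a private snapshot taken at construction rather than the single list `detectObfuscator` used to pass in. Member references added to the module after that point will not appear in `memberReferences`; whether anything adds them between construction and use is not visible here. A one-line comment on the assignment, `// Snapshot at construction time; later changes to the module are not reflected.`, would record that.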
|
|
|
@ -106,9 +106,8 @@ namespace de4dot.deobfuscators.SmartAssembly {
|
|||
StringFeatures = StringFeatures.AllowStaticDecryption;
|
||||
}
|
||||
|
||||
public override void init(ModuleDefinition module, IList<MemberReference> memberReferences) {
|
||||
base.init(module, memberReferences);
|
||||
proxyDelegateFinder = new ProxyDelegateFinder(module, memberReferences);
|
||||
public override void init(ModuleDefinition module) {
|
||||
base.init(module);
|
||||
automatedErrorReportingFinder = new AutomatedErrorReportingFinder(module);
|
||||
tamperProtectionRemover = new TamperProtectionRemover(module);
|
||||
}
|
||||
|
@ -134,6 +133,7 @@ namespace de4dot.deobfuscators.SmartAssembly {
|
|||
}
|
||||
|
||||
protected override void scanForObfuscatorInternal() {
|
||||
proxyDelegateFinder = new ProxyDelegateFinder(module);
|
||||
findSmartAssemblyAttributes();
|
||||
findAutomatedErrorReportingType();
|
||||
memoryManagerInfo = new MemoryManagerInfo(module);
|
||||
|
|
|
@ -40,8 +40,8 @@ namespace de4dot.deobfuscators.SmartAssembly {
|
|||
specialCharsDict[specialChars[i]] = i;
|
||||
}
|
||||
|
||||
public ProxyDelegateFinder(ModuleDefinition module, IList<MemberReference> memberReferences)
|
||||
: base(module, memberReferences) {
|
||||
public ProxyDelegateFinder(ModuleDefinition module)
|
||||
: base(module) {
|
||||
}
|
||||
|
||||
protected override void getCallInfo(FieldDefinition field, out int methodIndex, out bool isVirtual) {
|
||||
|
|
|
@ -42,7 +42,7 @@ namespace de4dot.deobfuscators.Unknown {
|
|||
}
|
||||
|
||||
class Deobfuscator : DeobfuscatorBase {
|
||||
string obfuscatorName = "Unknown Obfuscator";
|
||||
string obfuscatorName;
|
||||
|
||||
internal class Options : OptionsBase {
|
||||
}
|
||||
|
@ -52,22 +52,34 @@ namespace de4dot.deobfuscators.Unknown {
|
|||
}
|
||||
|
||||
public override string Name {
|
||||
get { return obfuscatorName; }
|
||||
get { return obfuscatorName ?? "Unknown Obfuscator"; }
|
||||
}
|
||||
|
||||
public Deobfuscator(Options options)
|
||||
: base(options) {
|
||||
}
|
||||
|
||||
public override int detect() {
|
||||
scanForObfuscator();
|
||||
return 1;
|
||||
void setName(string name) {
|
||||
if (obfuscatorName == null && name != null)
|
||||
obfuscatorName = name;
|
||||
}
|
||||
|
||||
protected override void scanForObfuscatorInternal() {
|
||||
var name = scanTypes();
|
||||
if (name != null)
|
||||
obfuscatorName = name;
|
||||
public override int earlyDetect() {
|
||||
setName(earlyScanTypes());
|
||||
return obfuscatorName != null ? 1 : 0;
|
||||
}
|
||||
|
||||
string earlyScanTypes() {
|
||||
foreach (var type in module.Types) {
|
||||
if (type.FullName == "ConfusedByAttribute")
|
||||
return "Confuser";
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
public override int detect() {
|
||||
setName(scanTypes());
|
||||
return 1;
|
||||
}
|
||||
|
||||
string scanTypes() {
|
||||
|
@ -96,8 +108,6 @@ namespace de4dot.deobfuscators.Unknown {
|
|||
return "Spices.Net Obfuscator";
|
||||
if (type.FullName == "YanoAttribute")
|
||||
return "Yano Obfuscator";
|
||||
if (type.FullName == "ConfusedByAttribute")
|
||||
return "Confuser";
|
||||
}
|
||||
return checkCryptoObfuscator();
|
||||
}
|
||||
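Review bot: `earlyScanTypes()` reports "Confuser" on the strength of one type name, `ConfusedByAttribute`, and that name is whatever the producer of the input assembly chose to put there. Because `earlyDetect()` then returns 1 and a positive early score is used in place of the `detect()` pass, this single string comparison decides the classification, and an assembly that merely contains a type with that name is treated the same as a protected one. The comparison was also taken out of `scanTypes()`, so `detect()` on its own no longer sets the name for this marker. I would record the limitation next to the comparison, `// Name-only match; the type name is input-controlled and a hit replaces detect().`, and keep the comparison in `scanTypes()` too if any path calls `detect()` without `earlyDetect()`.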
|
|