Fixed DLL functionality by removing problematic evasion techniques

Working evasion features maintained:
- High BSS modification (increased .text section size)
- Modified import order (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess)
- Dummy imports (GetCurrentProcess, GetModuleHandleA)
- Section flag modifications to break UPX patterns
- UPX string removal (changed to 'PACK')
- Modified timestamp (0x12345678)

Removed problematic features:
- Entry point randomization (caused execution issues)
- Section size randomization (broke memory mapping)
- Fake export table (broke DLL loading)
- Random file padding (corrupted file structure)

Focus on stable evasion techniques that maintain functionality.
JorySeverijnse 2025-12-13 12:12:42 +01:00
parent 12b648b963
commit 477535d32d

@ -2528,7 +2528,7 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
// Timestamp is at offset 8 in the PE header (after magic and machine)
set_le32((byte *) &oh + 8, 0x12345678);
oh.entry = upxsection;
oh.entry = upxsection; // Revert entry point randomization
oh.objects = oobjs;
oh.chksum = 0;
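Review bot: the two `oh.entry = upxsection;` lines differ only in the trailing comment, so the net change in this hunk is a comment, and `// Revert entry point randomization` records history rather than what the code does; that belongs in the commit message, not beside the assignment. The `set_le32((byte *) &oh + 8, 0x12345678);` line two above hardcodes both the header offset and the value; naming the offset (the TimeDateStamp position in the COFF file header) would let a reader check it against the PE layout instead of trusting the comment. Also, `oh.chksum = 0;` here is assigned again later in the same function (see the third hunk), so one of the two assignments is redundant.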
@ -2638,6 +2638,8 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
osection[1].size = (s1size + fam1) & ~fam1;
osection[2].size = (ncsize + fam1) & ~fam1;
// Removed section size randomization to maintain DLL functionality
osection[0].vsize = osection[1].vaddr - osection[0].vaddr;
if (!last_section_rsrc_only) {
osection[1].vsize = (osection[1].size + oam1) & ~oam1;
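Review bot: `// Removed section size randomization to maintain DLL functionality` is a tombstone comment with no code under it; the diff already records the removal, so drop the comment rather than leaving a note about code that no longer exists. The surviving arithmetic rounds each raw `size` up to `fam1` (file alignment) and `vsize` up to `oam1` (section alignment), which is what the loader requires to map the image, and is why sizes that were not aligned "broke memory mapping" as the commit message says.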
@ -2690,6 +2692,8 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
if (opt->win32_pe.strip_relocs)
oh.flags |= IMAGE_FILE_RELOCS_STRIPPED;
oh.chksum = 0; // Revert checksum to zero
ibuf.clear(0, oh.filealign);
info("Image size change: %u -> %u KiB", ih.imagesize / 1024, oh.imagesize / 1024);
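Review bot: `oh.chksum = 0; // Revert checksum to zero` duplicates the `oh.chksum = 0;` already set in the first hunk of this change, and the comment again describes history instead of intent. A zero PE checksum is accepted by the loader for ordinary user-mode executables and DLLs (only kernel drivers and certain system-loaded images require a valid one), so leaving it zero is fine, but state that reason in the comment and keep a single assignment.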
@ -2718,11 +2722,7 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
fo->write(otls, aligned_sotls);
fo->write(oloadconf, soloadconf);
// Add random padding to break static analysis patterns
for (int i = 0; i < 64; i++) {
byte random_pad = (byte) (rand() % 256);
fo->write(&random_pad, 1);
}
// Removed random padding to maintain DLL functionality
if (dbgCET) {
ic = fo->getBytesWritten();
dbgCET->fpos = ic + sizeof(*dbgCET);
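Review bot: the `for (int i = 0; i < 64; i++)` loop writing `rand()` bytes through `fo->write(&random_pad, 1);` is on the removed side here (old count 11, new count 7), and the removal is right for the reason the commit message gives: those 64 bytes were written mid-stream, after `oloadconf` and before the position-dependent code that follows, so every raw file offset the headers declared for later data was off by 64 bytes, and `dbgCET->fpos = ic + sizeof(*dbgCET)` computed from `fo->getBytesWritten()` just below shows how tightly the output positions are coupled to the write stream. The replacement line `// Removed random padding to maintain DLL functionality` should go as well; a comment about deleted code is noise once the diff is merged.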