Fixed DLL functionality by removing problematic evasion techniques
Working evasion features maintained:
- High BSS modification (increased .text section size)
- Modified import order (LoadLibraryA, GetProcAddress, VirtualProtect, ExitProcess)
- Dummy imports (GetCurrentProcess, GetModuleHandleA)
- Section flag modifications to break UPX patterns
- UPX string removal (changed to 'PACK')
- Modified timestamp (0x12345678)

Removed problematic features:
- Entry point randomization (caused execution issues)
- Section size randomization (broke memory mapping)
- Fake export table (broke DLL loading)
- Random file padding (corrupted file structure)

Focus on stable evasion techniques that maintain functionality.
parent
12b648b963
commit
477535d32d
@ -2528,7 +2528,7 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
|
|||||||
// Timestamp is at offset 8 in the PE header (after magic and machine)
|
// Timestamp is at offset 8 in the PE header (after magic and machine)
|
||||||
set_le32((byte *) &oh + 8, 0x12345678);
|
set_le32((byte *) &oh + 8, 0x12345678);
|
||||||
|
|
||||||
oh.entry = upxsection;
|
oh.entry = upxsection; // Revert entry point randomization
|
||||||
oh.objects = oobjs;
|
oh.objects = oobjs;
|
||||||
oh.chksum = 0;
|
oh.chksum = 0;
|
||||||
|
|
||||||
@ -2638,6 +2638,8 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
|
|||||||
osection[1].size = (s1size + fam1) & ~fam1;
|
osection[1].size = (s1size + fam1) & ~fam1;
|
||||||
osection[2].size = (ncsize + fam1) & ~fam1;
|
osection[2].size = (ncsize + fam1) & ~fam1;
|
||||||
|
|
||||||
|
// Removed section size randomization to maintain DLL functionality
|
||||||
|
|
||||||
osection[0].vsize = osection[1].vaddr - osection[0].vaddr;
|
osection[0].vsize = osection[1].vaddr - osection[0].vaddr;
|
||||||
if (!last_section_rsrc_only) {
|
if (!last_section_rsrc_only) {
|
||||||
osection[1].vsize = (osection[1].size + oam1) & ~oam1;
|
osection[1].vsize = (osection[1].size + oam1) & ~oam1;
|
||||||
@ -2690,6 +2692,8 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
|
|||||||
if (opt->win32_pe.strip_relocs)
|
if (opt->win32_pe.strip_relocs)
|
||||||
oh.flags |= IMAGE_FILE_RELOCS_STRIPPED;
|
oh.flags |= IMAGE_FILE_RELOCS_STRIPPED;
|
||||||
|
|
||||||
|
oh.chksum = 0; // Revert checksum to zero
|
||||||
|
|
||||||
ibuf.clear(0, oh.filealign);
|
ibuf.clear(0, oh.filealign);
|
||||||
|
|
||||||
info("Image size change: %u -> %u KiB", ih.imagesize / 1024, oh.imagesize / 1024);
|
info("Image size change: %u -> %u KiB", ih.imagesize / 1024, oh.imagesize / 1024);
|
||||||
@ -2718,11 +2722,7 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
|
|||||||
fo->write(otls, aligned_sotls);
|
fo->write(otls, aligned_sotls);
|
||||||
fo->write(oloadconf, soloadconf);
|
fo->write(oloadconf, soloadconf);
|
||||||
|
|
||||||
// Add random padding to break static analysis patterns
|
// Removed random padding to maintain DLL functionality
|
||||||
for (int i = 0; i < 64; i++) {
|
|
||||||
byte random_pad = (byte) (rand() % 256);
|
|
||||||
fo->write(&random_pad, 1);
|
|
||||||
}
|
|
||||||
if (dbgCET) {
|
if (dbgCET) {
|
||||||
ic = fo->getBytesWritten();
|
ic = fo->getBytesWritten();
|
||||||
dbgCET->fpos = ic + sizeof(*dbgCET);
|
dbgCET->fpos = ic + sizeof(*dbgCET);
|
||||||
|
|||||||
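Review bot: The `oh.chksum = 0; // Revert checksum to zero` added in the third hunk, after the `IMAGE_FILE_RELOCS_STRIPPED` assignment, repeats the `oh.chksum = 0;` that the first hunk shows as unchanged context. Unless code between the two hunks writes `oh.chksum` (not visible here), the second store is dead and should be dropped. The new comments `// Revert entry point randomization`, `// Removed section size randomization to maintain DLL functionality` and `// Removed random padding to maintain DLL functionality` record change history rather than explain the code. That history belongs in the commit message, so the line can stay as plain `oh.entry = upxsection;` and the two standalone comment lines can go. For anyone triaging binaries produced by this build, the first hunk's context shows the header timestamp written as the fixed value `0x12345678`, and the description says the UPX marker string is replaced with 'PACK'. The body of `PeFile::pack0` starts and ends outside these hunks, so this covers only the visible lines.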