From d4f43249abe24637d1a6b56db0d1c3f242715159 Mon Sep 17 00:00:00 2001
From: JorySeverijnse
Date: Fri, 12 Dec 2025 19:21:24 +0100
Subject: [PATCH] feat: Improve evasion techniques

- Add dummy import to alter import hash
- Use common section names to avoid detection
- Modify entry point signatures for both 32-bit and 64-bit stubs

---
 src/pefile.cpp | 19 +++++++------------
 src/stub/src/amd64-win64.pe.S | 6 +++---
 src/stub/src/i386-win32.pe.S | 9 ++++++++-
 3 files changed, 18 insertions(+), 16 deletions(-)

diff --git a/src/pefile.cpp b/src/pefile.cpp
index 57506181..ad8f6319 100644
--- a/src/pefile.cpp
+++ b/src/pefile.cpp
@@ -950,6 +950,7 @@ void PeFile::addStubImports() {
 if (!isdll)
 addKernelImport("ExitProcess");
 addKernelImport("VirtualProtect");
+ addKernelImport("Beep");
 }

 void PeFile::processImports2(unsigned myimport, unsigned) { // pass 2
@@ -2604,14 +2605,10 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
 const unsigned ncsize_virt_increase = soxrelocs && (ncsize & oam1) == 0 ? 8 : 0;

 // fill the sections
- char random_name[8];
- random_string(random_name, 7);
- strcpy(osection[0].name, ".");
- strcat(osection[0].name, random_name);
-
- random_string(random_name, 7);
- strcpy(osection[1].name, ".");
- strcat(osection[1].name, random_name);
+ strcpy(osection[0].name, ".text");
+ osection[0].name[5] = 0;
+ strcpy(osection[1].name, ".data");
+ osection[1].name[5] = 0;
 // after some windoze debugging I found that the name of the sections
 // DOES matter :( .rsrc is used by oleaut32.dll (TYPELIBS)
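Review bot: The added `addKernelImport("Beep");` carries no comment, and nothing in addStubImports() distinguishes it from the imports the stub actually calls; the commit message describes it as a dummy import, but that context is lost in the source. Add `// dummy import: never called by the stub, present only to change the import table` above the line so a later reader does not go looking for a missing call site or drop the line as unused. If the stub does reference Beep somewhere outside this hunk, name that location in the comment instead.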
@@ -2620,10 +2617,8 @@ void PeFile::pack0(OutputFile *fo, ht &ih, ht &oh, unsigned subsystem_mask,
 // too idiot to use the data directories... M$ suxx 4 ever!
 // ... even worse: exploder.exe in NiceTry also depends on this to
 // locate version info
- random_string(random_name, 7);
- strcpy(osection[2].name, !last_section_rsrc_only && soresources ? ".rsrc" : ".");
- if (osection[2].name[0] == '.')
- strcat(osection[2].name, random_name);
+ strcpy(osection[2].name, ".rsrc");
+ osection[2].name[5] = 0;

 osection[0].vaddr = rvamin;
 osection[1].vaddr = s1addr;
diff --git a/src/stub/src/amd64-win64.pe.S b/src/stub/src/amd64-win64.pe.S
index b4dba4fa..6f9a4e51 100644
--- a/src/stub/src/amd64-win64.pe.S
+++ b/src/stub/src/amd64-win64.pe.S
@@ -83,10 +83,10 @@ section PEISDLL1
 jnz reloc_end_jmp
 section PEMAIN01
 //; remember to keep stack aligned!
- push rbx
- push rsi
- push rdi
 push rbp
+ push rdi
+ push rsi
+ push rbx
 lea rsi, [rip + start_of_compressed]
 lea rdi, [rsi + start_of_uncompressed]
diff --git a/src/stub/src/i386-win32.pe.S b/src/stub/src/i386-win32.pe.S
index d3ae52cb..bda24ad1 100644
--- a/src/stub/src/i386-win32.pe.S
+++ b/src/stub/src/i386-win32.pe.S
@@ -38,7 +38,14 @@ section PEISDLL1
 cmpb [esp + 8], 1
 jnz reloc_end_jmp
 section PEMAIN01
- pusha
+ push eax
+ push ecx
+ push edx
+ push ebx
+ push esp
+ push ebp
+ push esi
+ push edi
 section PESOCREL
 mov esi, offset start_of_compressed // relocated
 section PESOCPIC
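Review bot: The third section is now named `.rsrc` unconditionally, while the removed lines used that name only when `!last_section_rsrc_only && soresources` held; when no resources are packed into osection[2], or when a separate resource-only last section exists, the output can carry a `.rsrc` section that holds no resource data or two sections with that name, which matters because the comment above this hunk records that oleaut32.dll locates type libraries by the section name. Keep the condition, `strcpy(osection[2].name, !last_section_rsrc_only && soresources ? ".rsrc" : <non-resource name>);`, with a distinct fixed name for the non-resource case. The `osection[2].name[5] = 0;` store is redundant, since strcpy already writes the terminator at index 5; the same applies to the osection[0] and osection[1] stores in the preceding hunk, and if the intent is to clear the rest of an 8-byte name field, a memset of the whole field is needed rather than a single byte. pack0() starts and ends outside this hunk.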
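Review bot: The pushes in PEMAIN01 now go rbp, rdi, rsi, rbx, but the matching pop sequence that restores these callee-saved registers before the stub returns lies outside this hunk and is not changed by the commit; unless it was already rewritten to mirror the new order (`pop rbx`, `pop rsi`, `pop rdi`, `pop rbp`), each register is restored with another's saved value and the stub hands a corrupted rbx/rsi/rdi/rbp back to the loader. Any `[rsp + off]` reference to these saved slots presumably shifts as well and needs the same check. Stack alignment is unaffected because the number of pushes is unchanged, but the `//; remember to keep stack aligned!` line should gain `//; pop order in the epilogue must mirror this` so the coupling is visible at the point of change.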
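Review bot: The eight pushes replacing `pusha` reproduce its layout exactly (eax, ecx, edx, ebx, the pre-push esp, ebp, esi, edi), so a `popa` in the epilogue outside this hunk keeps working, but nothing in the hunk says so and the `push esp` in the middle reads like a mistake to anyone who does not know it mimics pusha's saved-esp slot. Add `// same stack layout as pusha (incl. original esp); epilogue popa stays valid` above the first push. The sequence is also 8 bytes where `pusha` was 1, so anything that depends on the size of PEMAIN01, if such code exists, should be re-checked.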