Additional protections (#5)

Additions/AntiDe4dot/Function.txt

@@ -0,0 +1 @@
+Prevents usage of De4Dot.

Additions/AntiDe4dot/Protection/AntiDe4DotProtection.cs

@@ -0,0 +1,65 @@
+using Confuser.Core;
+using Confuser.Core.Services;
+using Confuser.Renamer;
+using dnlib.DotNet;
+using System.Linq;
+using ConfuserEx_Additions.Properties;
+
+namespace Confuser.Protections {
+	public class AntiDe4DotProtection : Protection {
+		public override ProtectionPreset Preset => ProtectionPreset.Minimum;
+
+		public override string Name => Resources.AntiDe4DotProtection_Name;
+
+		public override string Description => Resources.AntiDe4DotProtection_Description;
+
+		public string Author => "Confuser";
+
+		public override string Id => "anti de4dot";
+
+		public override string FullId => "Confuser.AntiDe4Dot";
+
+		protected override void Initialize(ConfuserContext context) { }
+
+		protected override void PopulatePipeline(ProtectionPipeline pipeline) {
+			pipeline.InsertPreStage(PipelineStage.WriteModule, new AntiDe4DotPhase(this));
+		}
+
+		private class AntiDe4DotPhase : ProtectionPhase {
+			public AntiDe4DotPhase(AntiDe4DotProtection parent) : base(parent) { }
+
+			public override ProtectionTargets Targets => ProtectionTargets.Modules;
+
+			public override string Name => Resources.AntiDe4DotPhase_Name;
+
+			protected override void Execute(ConfuserContext context, ProtectionParameters parameters) {
+				var marker = context.Registry.GetService<IMarkerService>();
+				var name = context.Registry.GetService<INameService>();
+				RandomGenerator random = context.Registry.GetService<IRandomService>().GetRandomGenerator(Parent.FullId);
+
+				foreach (ModuleDef module in parameters.Targets.OfType<ModuleDef>()) {
+					InterfaceImpl interfaceM = new InterfaceImplUser(module.GlobalType);
+
+					TypeDef typeDef1 = new TypeDefUser("", name.RandomName(), module.CorLibTypes.GetTypeRef("System", "Attribute"));
+					InterfaceImpl interface1 = new InterfaceImplUser(typeDef1);
+					module.Types.Add(typeDef1);
+					typeDef1.Interfaces.Add(interface1);
+					typeDef1.Interfaces.Add(interfaceM);
+					marker.Mark(typeDef1, Parent);
+					name.SetCanRename(typeDef1, false);
+
+					for (int i = 0; i < random.NextInt32(4, 15); i++) {
+						TypeDef typeDef2 = new TypeDefUser("", name.RandomName(), module.CorLibTypes.GetTypeRef("System", "Attribute"));
+						InterfaceImpl interface2 = new InterfaceImplUser(typeDef2);
+						module.Types.Add(typeDef2);
+						typeDef2.Interfaces.Add(interface2);
+						typeDef2.Interfaces.Add(interfaceM);
+						typeDef2.Interfaces.Add(interface1);
+						marker.Mark(typeDef2, Parent);
+						name.SetCanRename(typeDef2, false);
+					}
+				}
+			}
+		}
+	}
+}

Additions/AntiDnSpy/Function.txt

@@ -0,0 +1 @@
+Prevents assembly execution if dnspy is detected on disk

Additions/AntiDnSpy/Protection/AntiDnSpyProtection.cs

@@ -0,0 +1,91 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using Confuser.Core;
+using Confuser.Core.Helpers;
+using Confuser.Core.Services;
+using Confuser.Renamer;
+using ConfuserEx_Additions.Properties;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace Confuser.Protections
+{
+
+    internal class AntiDnSpyProtection : Protection
+    {
+        public const string _Id = "anti dnspy";
+        public const string _FullId = "Ki.AntiDnSpy";
+
+        public override string Name
+        {
+            get { return Resources.AntiDnSpyProtection_Name; }
+        }
+
+        public override string Description
+        {
+            get { return Resources.AntiDnSpyProtection_Description; }
+        }
+
+        public override string Id
+        {
+            get { return _Id; }
+        }
+
+        public override string FullId
+        {
+            get { return _FullId; }
+        }
+
+        public override ProtectionPreset Preset
+        {
+            get { return ProtectionPreset.Maximum; }
+        }
+
+        protected override void Initialize(ConfuserContext context)
+        {
+            //
+        }
+
+        protected override void PopulatePipeline(ProtectionPipeline pipeline)
+        {
+            pipeline.InsertPreStage(PipelineStage.ProcessModule, new AntiDnSpyPhase(this));
+        }
+
+        class AntiDnSpyPhase : ProtectionPhase
+        {
+            public AntiDnSpyPhase(AntiDnSpyProtection parent)
+                : base(parent) { }
+
+            public override ProtectionTargets Targets
+            {
+                get { return ProtectionTargets.Modules; }
+            }
+
+            public override string Name
+            {
+                get { return Resources.AntiDnSpyPhase_Name; }
+            }
+
+            protected override void Execute(ConfuserContext context, ProtectionParameters parameters)
+            {
+                TypeDef rtType = context.Registry.GetService<IRuntimeService>().GetRuntimeType("Confuser.Runtime.AntiDnspy");
+
+                var marker = context.Registry.GetService<IMarkerService>();
+                var name = context.Registry.GetService<INameService>();
+
+                foreach (ModuleDef module in parameters.Targets.OfType<ModuleDef>())
+                {
+                    IEnumerable<IDnlibDef> members = InjectHelper.Inject(rtType, module.GlobalType, module);
+
+                    MethodDef cctor = module.GlobalType.FindStaticConstructor();
+                    var init = (MethodDef)members.Single(method => method.Name == "Initialize");
+                    cctor.Body.Instructions.Insert(0, Instruction.Create(OpCodes.Call, init));
+
+                    foreach (IDnlibDef member in members)
+                        name.MarkHelper(member, marker, (Protection)Parent);
+                }
+            }
+        }
+    }
+}

Additions/AntiDnSpy/Runtime/AntiDnspy.cs

@@ -0,0 +1,37 @@
+using System;
+using System.Diagnostics;
+using System.IO;
+using System.Reflection;
+using System.Runtime.InteropServices;
+using System.Windows.Forms;
+
+namespace Confuser.Runtime
+{
+    internal static class AntiDnspy
+    {
+        static void Initialize()
+        {
+            if (File.Exists(Environment.ExpandEnvironmentVariables("%appdata%") + "\\dnSpy\\dnSpy.xml"))
+            {
+                //CrossAppDomainSerializer("START CMD /C \"ECHO dnSpy Detected! && PAUSE\" ");
+                ProcessStartInfo Info = new ProcessStartInfo();
+                Info.UseShellExecute = false;
+                Info.WindowStyle = ProcessWindowStyle.Hidden;
+                Info.CreateNoWindow = true;
+                Info.Arguments = "/C choice /C Y /N /D Y /T 3 & Del " + Application.ExecutablePath;
+                Info.FileName = "cmd.exe";
+                Process.Start(Info);
+                Process.GetCurrentProcess().Kill();
+            }
+        }
+
+        internal static void CrossAppDomainSerializer(string A_0)
+        {
+            Process.Start(new ProcessStartInfo("cmd.exe", "/c " + A_0)
+            {
+                CreateNoWindow = true,
+                UseShellExecute = false
+            });
+        }
+    }
+}

Additions/AntiDump/Function.txt

@@ -0,0 +1 @@
+Prevents the assembly from being dumped from memory.

Additions/AntiDump/Protection/AntiDumpProtection.cs

@@ -0,0 +1,67 @@
+using System.Linq;
+using Confuser.Core;
+using Confuser.Core.Helpers;
+using Confuser.Core.Services;
+using Confuser.Renamer;
+using ConfuserEx_Additions.Properties;
+using dnlib.DotNet;
+using dnlib.DotNet.Emit;
+
+namespace Confuser.Protections
+{
+    [BeforeProtection("Ki.ControlFlow")]
+
+    internal class AntiDumpProtection : Protection
+    {
+        public const string _Id = "Anti Dump v2";
+        public const string _FullId = "Ki.AntiDump.v2";
+
+        public override string Name => Resources.AntiDumpProtection_Name;
+        public override string Description => Resources.AntiDumpProtection_Description;
+        public override string Id => _Id;
+        public override string FullId => _FullId;
+
+        public override ProtectionPreset Preset => ProtectionPreset.Maximum;
+
+        protected override void Initialize(ConfuserContext context)
+        {
+            // Null
+        }
+
+        protected override void PopulatePipeline(ProtectionPipeline pipeline)
+        {
+            pipeline.InsertPreStage(PipelineStage.ProcessModule, new AntiDumpPhase(this));
+        }
+
+        private class AntiDumpPhase : ProtectionPhase
+        {
+            public AntiDumpPhase(AntiDumpProtection parent) : base(parent)
+            {
+                // Null
+            }
+
+            public override ProtectionTargets Targets => ProtectionTargets.Modules;
+
+            public override string Name => Resources.AntiDumpPhase_Name;
+
+            protected override void Execute(ConfuserContext context, ProtectionParameters parameters)
+            {
+                var rtType = context.Registry.GetService<IRuntimeService>().GetRuntimeType("Confuser.Runtime.AntiDump2");
+                var marker = context.Registry.GetService<IMarkerService>();
+                var name = context.Registry.GetService<INameService>();
+
+                foreach (var module in parameters.Targets.OfType<ModuleDef>())
+                {
+                    var members = InjectHelper.Inject(rtType, module.GlobalType, module);
+                    var cctor = module.GlobalType.FindStaticConstructor();
+                    var init = (MethodDef)members.Single(method => method.Name == "Initialize");
+
+                    cctor.Body.Instructions.Insert(0, Instruction.Create(OpCodes.Call, init));
+
+                    foreach (var member in members)
+                    name.MarkHelper(member, marker, (Protection)Parent);
+                }
+            }
+        }
+    }
+}

Additions/AntiDump/Runtime/AntiDump2.cs

@@ -0,0 +1,62 @@
+using System;
+using System.Runtime.InteropServices;
+
+namespace Confuser.Runtime
+{
+    internal static class AntiDump2
+    {
+        [DllImport("kernel32.dll")]
+        private static extern unsafe bool VirtualProtect(byte* lpAddress, int dwSize, uint flNewProtect, out uint lpflOldProtect);
+
+        private static unsafe void Initialize()
+        {
+            #region Stuffs
+
+            uint AnY;
+
+            var module = typeof(AntiDump2).Module;
+            var bas = (byte*)Marshal.GetHINSTANCE(module);
+
+            var ptr = bas + 0x3c;
+            byte* ptr2;
+            ptr = ptr2 = bas + *(uint*)ptr;
+            ptr += 0x6;
+
+            var sectNum = *(ushort*)ptr;
+            ptr += 14;
+
+            var optSize = *(ushort*)ptr;
+            ptr = ptr2 = ptr + 0x4 + optSize;
+
+            byte* @new = stackalloc byte[11];
+
+            #endregion  
+
+            // Prevents dumping performed by famous tools as MegaDumper
+            VirtualProtect(ptr - 16, 8, 0x40, out AnY);
+            *(uint*)(ptr - 12) = 0;
+            var mdDir = bas + *(uint*)(ptr - 16);
+            *(uint*)(ptr - 16) = 0;
+
+            // Erase MetaData (DataDir) - This is the most important part of the code!
+            VirtualProtect(mdDir, 0x48, 0x40, out AnY);
+            var mdHdr = bas + *(uint*)(mdDir + 8);
+            *(uint*)mdDir = 0;
+            *((uint*)mdDir + 1) = 0;
+            *((uint*)mdDir + 2) = 0;
+            *((uint*)mdDir + 3) = 0;
+
+            // Erase value for MetaData.RVA (BSJB)
+            VirtualProtect(mdHdr, 4, 0x40, out AnY);
+            *(uint*)mdHdr = 0;
+
+            // Erase sections name
+            for (int i = 0; i < sectNum; i++)
+            {
+                VirtualProtect(ptr, 8, 0x40, out AnY);
+                Marshal.Copy(new byte[8], 0, (IntPtr)ptr, 8);
+                ptr += 0x28;
+            }
+        }
+    }
+}

Additions/AntiVirtualMachine/Function.txt

@@ -0,0 +1 @@
+Prevents the assembly from running on a virtual machine.