enkomio · May 28, 2024 21:19 · AshrafBasry · May 26, 2020 · enkomio · May 29, 2020
diff --git a/Ploutus.D_rebuilder.fs b/Ploutus.D_rebuilder.fs
 open System
 open System.Linq
 open System.Reflection
 open System.Runtime.CompilerServices
 open System.Collections
 open System.Collections.Generic
 open System.Diagnostics
 open Microsoft.Diagnostics.Runtime
 open dnlib.DotNet
 open dnlib.DotNet.Emit
 open dnlib.IO

 let runAllStaticConstructor(assembly: Assembly) =
    assembly.GetTypes()
    |> Seq.iter(fun assemblyType -> 
        RuntimeHelpers.RunClassConstructor(assemblyType.TypeHandle)
    )

 let getMsilStorage(assembly: Assembly) =
    let assemblyType = assembly.GetType("yasttpQOrHx2jEkiUL.P9ZBIKXMsRMxLdTfcG")
    let storageField = assemblyType.GetField("k6dbsY0qhy",  BindingFlags.NonPublic ||| BindingFlags.Static)
    let hashTable = storageField.GetValue(null) :?> Hashtable
    hashTable.Cast<DictionaryEntry>()
    |> Seq.map(fun kv -> 
        // extract bytes array
        let bytesField = 
            kv.Value.GetType().GetFields(BindingFlags.Instance ||| BindingFlags.NonPublic)
            |> Seq.find(fun field -> field.FieldType.IsArray)
        let msilBytes = bytesField.GetValue(kv.Value) :?> Byte array        
        (kv.Key :?> Int64, msilBytes))
    |> Map.ofSeq
    
 let getAssemblyBaseAddress(assembly: Assembly) =
    let pid = Process.GetCurrentProcess().Id
    let dataTarget = DataTarget.AttachToProcess(pid, uint32 5000, AttachFlag.Passive)
    let runtime = dataTarget.ClrVersions.[0].CreateRuntime()    
    let assemblyModule = runtime.Modules |> Seq.find(fun m -> m.Name.Equals(assembly.Location))
    let baseAddress = int32 assemblyModule.ImageBase
    dataTarget.Dispose()
    baseAddress
    
 [<EntryPoint>]
 let main argv = 
    let fullPath = @"PloutusD_d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685.exe"
    let assembly = Assembly.LoadFile(fullPath)

    // run all static constructor to fill the protection dictionary containing the real MSIL bytecode
    runAllStaticConstructor(assembly)

    // retrieve the dictionary via reflection. This is higly dependant to a specific sample, the field name may change from sample to sample
    let msilStorage = getMsilStorage(assembly)     

    // get the malware base addres in order to calculate the method body address
    let baseAddress = getAssemblyBaseAddress(assembly)

    // use a modified version of dnlib in order to set the real MSIL bytecode
    let dnModule = ModuleDefMD.Load(fullPath)    
    dnModule.Types
    |> Seq.map(fun t -> t.Methods)
    |> Seq.concat
    |> Seq.filter(fun dnMethod -> dnMethod.HasBody)
    |> Seq.iter(fun dnMethod ->
        dnMethod.Body.KeepOldMaxStack <- true
            
        // skip the body header
        let offset = int32 dnMethod.Body.HeaderSize        
        let ilAddress = int32 dnMethod.RVA + baseAddress + offset
            
        if msilStorage.ContainsKey(int64 ilAddress) then
            let realMsilBytes = msilStorage.[int64 ilAddress]
            dnMethod.Body.MaxStack <- uint16 50
                
            // set the body via raw buffer. This property is not present in the real dnlib code :P
            dnMethod.Body.RawBody <- new List<Byte>(realMsilBytes)

            Console.WriteLine("Rebuit: " + dnMethod.FullName)
    )

    // finally write back the new assembly
    dnModule.Write(fullPath + "_rebuilt")
    0
	open System
	open System.Linq
	open System.Reflection
	open System.Runtime.CompilerServices
	open System.Collections
	open System.Collections.Generic
	open System.Diagnostics
	open Microsoft.Diagnostics.Runtime
	open dnlib.DotNet
	open dnlib.DotNet.Emit
	open dnlib.IO

	let runAllStaticConstructor(assembly: Assembly) =
	assembly.GetTypes()
	\|> Seq.iter(fun assemblyType ->
	RuntimeHelpers.RunClassConstructor(assemblyType.TypeHandle)
	)

	let getMsilStorage(assembly: Assembly) =
	let assemblyType = assembly.GetType("yasttpQOrHx2jEkiUL.P9ZBIKXMsRMxLdTfcG")
	let storageField = assemblyType.GetField("k6dbsY0qhy", BindingFlags.NonPublic \|\|\| BindingFlags.Static)
	let hashTable = storageField.GetValue(null) :?> Hashtable
	hashTable.Cast<DictionaryEntry>()
	\|> Seq.map(fun kv ->
	// extract bytes array
	let bytesField =
	kv.Value.GetType().GetFields(BindingFlags.Instance \|\|\| BindingFlags.NonPublic)
	\|> Seq.find(fun field -> field.FieldType.IsArray)
	let msilBytes = bytesField.GetValue(kv.Value) :?> Byte array
	(kv.Key :?> Int64, msilBytes))
	\|> Map.ofSeq

	let getAssemblyBaseAddress(assembly: Assembly) =
	let pid = Process.GetCurrentProcess().Id
	let dataTarget = DataTarget.AttachToProcess(pid, uint32 5000, AttachFlag.Passive)
	let runtime = dataTarget.ClrVersions.[0].CreateRuntime()
	let assemblyModule = runtime.Modules \|> Seq.find(fun m -> m.Name.Equals(assembly.Location))
	let baseAddress = int32 assemblyModule.ImageBase
	dataTarget.Dispose()
	baseAddress

	[<EntryPoint>]
	let main argv =
	let fullPath = @"PloutusD_d93342bd12ef44d92bf58ed2f0f88443385a0192804a5d0976352484c0d37685.exe"
	let assembly = Assembly.LoadFile(fullPath)

	// run all static constructor to fill the protection dictionary containing the real MSIL bytecode
	runAllStaticConstructor(assembly)

	// retrieve the dictionary via reflection. This is higly dependant to a specific sample, the field name may change from sample to sample
	let msilStorage = getMsilStorage(assembly)

	// get the malware base addres in order to calculate the method body address
	let baseAddress = getAssemblyBaseAddress(assembly)

	// use a modified version of dnlib in order to set the real MSIL bytecode
	let dnModule = ModuleDefMD.Load(fullPath)
	dnModule.Types
	\|> Seq.map(fun t -> t.Methods)
	\|> Seq.concat
	\|> Seq.filter(fun dnMethod -> dnMethod.HasBody)
	\|> Seq.iter(fun dnMethod ->
	dnMethod.Body.KeepOldMaxStack <- true

	// skip the body header
	let offset = int32 dnMethod.Body.HeaderSize
	let ilAddress = int32 dnMethod.RVA + baseAddress + offset

	if msilStorage.ContainsKey(int64 ilAddress) then
	let realMsilBytes = msilStorage.[int64 ilAddress]
	dnMethod.Body.MaxStack <- uint16 50

	// set the body via raw buffer. This property is not present in the real dnlib code :P
	dnMethod.Body.RawBody <- new List<Byte>(realMsilBytes)

	Console.WriteLine("Rebuit: " + dnMethod.FullName)
	)

	// finally write back the new assembly
	dnModule.Write(fullPath + "_rebuilt")
	0