Encrypt payload of DLL

DirtyBunny
floppy disk
User
Registered: 21.09.2025
Messages: 1
Reactions: 0
I have a program that decrypts encrypted DLLs and can execute exported functions. The DLL cannot be run if its code is simply copied; all imports and relocations need to be saved and inserted after decrypting.
My encrypting program:
1. Parses DLL headers
2. Parses exports, finds the specified export and sets it as the entry point
3. Parses imports, saves library names and function names/ordinals
4. Parses relocations, saves the address of each relocation location and its address value
5. Packs the whole DLL as a byte array and adds the saved imports and relocations
6. Encrypts this payload and outputs it as a char string
My decrypting program:
1. Decrypts the payload stored as a constant value
2. Unpacks the payload, reads imports and relocations
3. Allocates memory for the payload
4. Loads import functions with LoadLibraryA() and GetProcAddress()
5. Inserts the addresses of the loaded functions in place of the import thunks
6. Replaces all relocations with addresses within the allocated memory
7. Casts the saved entry point to the export function typedef and executes it
But this is not enough, and some DLLs crash with access violation, breakpoint execution, stack corruption, etc. How do I get the correct payload for the morph engine?