Started By
sgwwt2425245f
, Mar 02 2019 04:22 PM
#2
Posted 02 March 2019 - 04:24 PM
https://github.com/n.../RemoveSignCode
Dunno if this will work.. But.
Retired User - Checks in from time to time
#10
Posted 26 March 2019 - 11:28 PM
The amount of bullshit people post here is ridiculous.
Either remove the PE headers from the loaded image at runtime using RtlZeroMemory, like this:
// Forum snippet: P/Invoke declarations, managed mirrors of the PE header structures,
// and a RemoveHeaders() routine that reads the headers found at the module base and
// then zeroes memory starting at that base address.
//
// NOTE(review): only process memory is touched here; nothing in this listing opens or
// writes a file. Overwriting the in-memory headers of a loaded image is an anti-dumping /
// anti-analysis measure. From the defender's side, typical indicators are an image-backed
// region whose first bytes are no longer "MZ", or in-memory headers that differ from the
// file on disk.
//
// NOTE(review): as posted this is an illustration rather than working code. The call
// sites in RemoveHeaders() do not match the P/Invoke signatures declared below, and
// IMAGE_OPTIONAL_HEADER32 and PE.MagicType are referenced but not defined on this page.

/// <summary>Binds to the export named "RtlZeroMemory" in Kernel32.dll; both parameters are declared as IntPtr.</summary>
[DllImport("Kernel32.dll", EntryPoint="RtlZeroMemory", SetLastError=false)]
public static extern void ZeroMemory(IntPtr dest, IntPtr size);

/// <summary>Binds to GetModuleHandle in kernel32.dll; the module name is declared as a string.</summary>
[DllImport("kernel32.dll", CharSet=CharSet.Auto)]
public static extern IntPtr GetModuleHandle(string lpModuleName);

/// <summary>Sequential-layout mirror of the DOS header found at the start of a PE image.</summary>
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_DOS_HEADER
{
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 2)]
    public char[] e_magic; // Magic number
    public UInt16 e_cblp; // Bytes on last page of file
    public UInt16 e_cp; // Pages in file
    public UInt16 e_crlc; // Relocations
    public UInt16 e_cparhdr; // Size of header in paragraphs
    public UInt16 e_minalloc; // Minimum extra paragraphs needed
    public UInt16 e_maxalloc; // Maximum extra paragraphs needed
    public UInt16 e_ss; // Initial (relative) SS value
    public UInt16 e_sp; // Initial SP value
    public UInt16 e_csum; // Checksum
    public UInt16 e_ip; // Initial IP value
    public UInt16 e_cs; // Initial (relative) CS value
    public UInt16 e_lfarlc; // File address of relocation table
    public UInt16 e_ovno; // Overlay number
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
    public UInt16[] e_res1; // Reserved words
    public UInt16 e_oemid; // OEM identifier (for e_oeminfo)
    public UInt16 e_oeminfo; // OEM information; e_oemid specific
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 10)]
    public UInt16[] e_res2; // Reserved words
    public Int32 e_lfanew; // File address of new exe header

    // The two magic characters as a string, used only by isValid below.
    private string _e_magic { get { return new string(e_magic); } }

    /// <summary>True when the magic field reads "MZ".</summary>
    public bool isValid { get { return _e_magic == "MZ"; } }
}

/// <summary>
/// Explicit-layout mirror of the NT headers: signature at offset 0, file header at 4,
/// optional header at 24 (4 signature bytes plus the 20-byte IMAGE_FILE_HEADER).
/// </summary>
[StructLayout(LayoutKind.Explicit)]
public struct IMAGE_NT_HEADERS32
{
    [FieldOffset(0)]
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
    public char[] Signature;
    [FieldOffset(4)]
    public IMAGE_FILE_HEADER FileHeader;
    // IMAGE_OPTIONAL_HEADER32 is not defined anywhere in this listing.
    [FieldOffset(24)]
    public IMAGE_OPTIONAL_HEADER32 OptionalHeader;

    // The four signature characters as a string, used only by isValid below.
    private string _Signature { get { return new string(Signature); } }

    /// <summary>
    /// True when the signature reads "PE\0\0" and the optional-header magic equals either
    /// the 32-bit or the 64-bit constant from PE.MagicType (not defined on this page).
    /// </summary>
    public bool isValid { get { return _Signature == "PE\0\0" && (OptionalHeader.Magic == PE.MagicType.IMAGE_NT_OPTIONAL_HDR32_MAGIC || OptionalHeader.Magic == PE.MagicType.IMAGE_NT_OPTIONAL_HDR64_MAGIC); } }
}

/// <summary>Sequential-layout mirror of the COFF file header (20 bytes of fixed-width fields).</summary>
[StructLayout(LayoutKind.Sequential)]
public struct IMAGE_FILE_HEADER
{
    public UInt16 Machine;
    public UInt16 NumberOfSections;
    public UInt32 TimeDateStamp;
    public UInt32 PointerToSymbolTable;
    public UInt32 NumberOfSymbols;
    public UInt16 SizeOfOptionalHeader;
    public UInt16 Characteristics;
}

/// <summary>
/// Reads the DOS header at the module base, follows e_lfanew to the NT headers, and
/// zeroes memory starting at the module base.
/// </summary>
static void RemoveHeaders()
{
    // NOTE(review): IntPtr.Zero is passed where the declaration above takes a string.
    var moduleBase = (IntPtr)GetModuleHandle(IntPtr.Zero);
    var dosHeader = new IMAGE_DOS_HEADER();
    Marshal.PtrToStructure(moduleBase, dosHeader);
    // e_lfanew is the offset from the module base to the NT headers.
    var ntHeadersPtr = (IntPtr)(moduleBase + dosHeader.e_lfanew);
    var ntHeaders = new IMAGE_NT_HEADERS32();
    Marshal.PtrToStructure(ntHeadersPtr, ntHeaders);
    // The length handed to ZeroMemory is the file header's SizeOfOptionalHeader field.
    UInt32 sizeHeaders = ntHeaders.FileHeader.SizeOfOptionalHeader;
    // NOTE(review): a UInt32 is passed where the declaration above takes an IntPtr.
    ZeroMemory(moduleBase, sizeHeaders);
}
Or use a file handle and do the same thing.