[Translation] ConfuserEx Protection Options
Posted: 2020-1-1 21:41
Anti Debug Protection
ID: anti debug
Preset: Minimum
This protection prevents the assembly from being debugged or profiled.
Parameters
mode: This parameter defines which anti-debug engine is used. Supported values are:
· safe: ConfuserEx would detect the debugger/profiler using managed APIs.
· win32: ConfuserEx would detect the debugger/profiler using unmanaged WinAPI. (Incompatible with operating systems other than Windows)
· antinet: ConfuserEx would detect the debugger/profiler using antinet by 0xd4d. (Produces unverifiable modules, incompatible with Mono)
Default is safe.
Anti Dump Protection
ID: anti dump
Preset: Maximum
This protection prevents the assembly from being dumped from memory.
This protection produces unverifiable modules.
This protection is incompatible with operating systems other than Windows due to its use of WinAPI.
Parameters
This protection has no parameters.
Anti IL Dasm Protection
ID: anti ildasm
Preset: Minimum
This protection marks the module with an attribute that discourages ILDasm from disassembling it.
Note that this attribute, SuppressIldasmAttribute, can be circumvented quite easily and is generally not respected by modern decompilers. This protection is just here for... completeness. :P
Parameters
This protection has no parameters.
Anti Tamper Protection
ID: anti tamper
Preset: Maximum
This protection ensures the integrity of the application.
This protection encrypts the methods with the checksum of the whole module, to ensure that the module will load only if no modification has been made to it.
This protection produces unverifiable modules.
This protection is incompatible with operating systems other than Windows due to its use of WinAPI.
Parameters
mode: This parameter defines the way ConfuserEx decrypts the methods. Supported values are:
· normal: ConfuserEx would validate the checksum and decrypt the methods at the start of the application.
· jit: ConfuserEx would validate the checksum at the start of the application, and decrypt each method right before it is compiled, using JIT hooks. (Incompatible with Mono, and potentially with future versions of .NET Framework. Use with care.)
Default is normal.
key: This parameter defines the way ConfuserEx derives the decryption key. Supported values are:
· normal: ConfuserEx would use static algorithms with random parameters to derive the decryption key.
· dynamic: ConfuserEx would use dynamically generated algorithms to derive the decryption key.
Default is normal.
Constants Protection
ID: constants
Preset: Normal
This protection encodes and compresses constants (numbers, strings, and initializers) in the code.
Parameters
mode: This parameter defines the way ConfuserEx encodes the constants. Supported values are:
· normal: ConfuserEx would use static algorithms with random parameters to encode the constants.
· dynamic: ConfuserEx would use dynamically generated algorithms to encode the constants.
· x86: ConfuserEx would use dynamically generated native x86 expressions to encode the constants. (Produces unverifiable modules)
Default is normal.
decoderCount: This parameter is an integer value defining how many constant decoders ConfuserEx would generate. Default is 5.
Since each decoder has slight differences, more decoders would make manual decoding of constants by attackers more annoying, but the resulting file size would increase.
elements: This parameter defines what types of constants would be encoded. Possible values are a combination of:
· S: String constants (excluding primitive constants)
· N: Numeric constants (excluding primitive constants)
· P: Primitive constants (empty strings and commonly used numbers, e.g. 0, -1, 1, 2, etc.)
· I: Array initializers (those using RuntimeHelpers.InitializeArray)
The value is case-insensitive. For example, a value of "SI" indicates that non-empty strings and initializers should be encoded. Default is "SI".
cfg: This parameter is a boolean value indicating whether decoding of constants is based on a control-flow-dependent state variable. Default is false.
Enabling it would greatly enhance the strength of the protection, but runtime performance may be affected.
Control Flow Protection
ID: ctrl flow
Preset: Normal
This protection mangles the code in the methods so that decompilers cannot decompile the methods.
Parameters
type: This parameter defines how ConfuserEx mangles the method code. Supported values are:
· switch: ConfuserEx would insert a switch-based state machine to reorder the code.
· jump: ConfuserEx would insert jumps in methods to produce traditional spaghetti code. (Produces unverifiable modules)
Default is switch.
predicate: This parameter defines how ConfuserEx stores the state variable if type is set to switch. Supported values are:
· normal: ConfuserEx would use the state variable directly.
· expression: ConfuserEx would encode the state variable using dynamically generated expressions.
· x86: ConfuserEx would encode the state variable using dynamically generated native x86 expressions. (Produces unverifiable modules)
Default is normal.
intensity: This parameter is an integer value from 0 to 100 that indicates how large each split code block is. Default is 60.
depth: This parameter defines how deep the generated expression is if predicate is set to expression or x86. Default is 4.
junk: This parameter is a boolean value indicating whether junk code would be inserted. Default is false. (Produces unverifiable modules)
Invalid Metadata Protection
ID: invalid metadata
Preset: Maximum
This protection adds invalid metadata to modules to prevent disassemblers/decompilers from opening them.
This protection produces unverifiable modules.
This protection may not be compatible with Mono.
Parameters
This protection has no parameters.
Name Protection
ID: rename
Preset: Minimum
This protection obfuscates the symbols' names so that the decompiled source code can neither be compiled nor read.
Parameters
mode: This parameter defines the way ConfuserEx renames symbols. Supported values are:
· empty: ConfuserEx would rename all symbols to an empty string. Expect many problems when using this mode.
· unicode: ConfuserEx would rename symbols to unreadable Unicode characters. Reflection may not work in this mode.
· ascii: ConfuserEx would rename symbols to readable ASCII characters. Reflection may not work in this mode.
· letters: ConfuserEx would rename symbols to English letters.
· decodable: ConfuserEx would rename symbols to a decodable string. The obfuscated name mapping would be saved to the file "symbols.map" in the output folder.
· sequential: ConfuserEx would rename symbols to a sequential string. The obfuscated name mapping would be saved to the file "symbols.map" in the output folder.
· reversible: ConfuserEx would encrypt the symbols. The obfuscated names could be decoded by providing the password used in obfuscation.
· debug: ConfuserEx would add an underscore before the symbols. Not intended for production use.
Default is unicode.
Other parameters:
password: This parameter is a string value indicating the password ConfuserEx should use to encrypt the symbol names when reversible mode is used. Only effective on modules. Default is null.
renameArgs: This parameter is a boolean value indicating whether ConfuserEx should remove the names of methods' parameters. Default is true.
renEnum: This parameter is a boolean value indicating whether ConfuserEx should change the names of enum values. Default is false.
flatten: This parameter is a boolean value indicating whether ConfuserEx should flatten the types by removing the namespaces. Default is true.
forceRen: This parameter is a boolean value indicating whether ConfuserEx should rename the symbols even if the analyzer shows that they should not be renamed. Default is false.
renPublic: This parameter is a boolean value indicating whether ConfuserEx should rename the symbols even if the item is visible outside the assembly. Default is false.
renPdb: This parameter is a boolean value indicating whether ConfuserEx should rename the variable names and the file names in the PDB. Default is false.
renXaml: This parameter is a boolean value indicating whether ConfuserEx should rename the XAML file name. Default is true.
Usage in CLI
<protection id="rename">
  <argument name="mode" value="unicode" />
  <argument name="renEnum" value="true" />
</protection>
Reference Proxy Protection
ID: ref proxy
Preset: Normal
This protection encodes and hides references to types/methods/fields.
Parameters
mode: This parameter defines the way ConfuserEx hides the references. Supported values are:
· mild: ConfuserEx would add an indirection method as proxy.
· strong: ConfuserEx would add a dynamic method delegate as proxy.
· ftn: ConfuserEx would use a function pointer as proxy. Not implemented yet.
Default is mild.
encoding: This parameter defines the way ConfuserEx encodes the method references. Supported values are:
· normal: ConfuserEx would use static algorithms with random parameters to encode the references.
· expression: ConfuserEx would use dynamically generated expressions to encode the references.
· x86: ConfuserEx would use dynamically generated native x86 expressions to encode the references. (Produces unverifiable modules)
Default is normal.
internal: This parameter is a boolean value indicating whether ConfuserEx should also hide internal references. Default is false.
typeErasure: This parameter is a boolean value indicating whether ConfuserEx should hide the types of method parameters. Default is false.
depth: This parameter defines how deep the generated expression is if encoding is set to expression or x86. Default is 3.
initCount: This parameter defines how many delegate initializers should be added if mode is set to strong. Default is 16.
Resources Protection
This protection encodes and compresses the embedded resources.
Parameters
mode: This parameter defines the way ConfuserEx encodes the resources. Supported values are:
· normal: ConfuserEx would use static algorithms with random parameters to encode the resources.
· dynamic: ConfuserEx would use dynamically generated algorithms to encode the resources.
Default is normal.
Packers
Packers in ConfuserEx have a unique identifier and are used to post-process the output as a whole.
Packers may have parameters for different behaviors. Currently, ConfuserEx has the following built-in packers:
Compressor
ID: compressor
This packer reduces the size of the output using the LZMA compression algorithm. Only one executable module may be in the project and it would be used as the main entry module.
Parameters
key: This parameter defines the way ConfuserEx derives the decryption key. Supported values are:
· normal: ConfuserEx would use static algorithms with random parameters to derive the decryption key.
· dynamic: ConfuserEx would use dynamically generated algorithms to derive the decryption key.
Default is normal.
compat: This parameter is a boolean value indicating whether ConfuserEx should use a compatibility mode that works with Mono. Default is false.
Example:
<packer id="compressor">
  <!-- Replace MODULE_NAME with the name of the main executable module. -->
  <argument name="main" value="MODULE_NAME"/>
  <argument name="key" value="normal"/>
</packer>
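An added example, not part of the original post or of ConfuserEx: a small Python check that reads the `<protection>` elements of a project file and reports the compatibility caveats this reference lists (unverifiable modules, Windows-only, Mono). The `<rule>` wrapper element, the sample settings and the function names are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Caveats as stated in the option reference above.
UNVERIFIABLE = "produces unverifiable modules"
WINDOWS_ONLY = "Windows only (uses WinAPI)"
NO_MONO = "incompatible with Mono"

# (protection id, argument, value) -> caveats; (id, None, None) = the protection itself.
CAVEATS = {
    ("anti debug", "mode", "win32"): [WINDOWS_ONLY],
    ("anti debug", "mode", "antinet"): [UNVERIFIABLE, NO_MONO],
    ("anti dump", None, None): [UNVERIFIABLE, WINDOWS_ONLY],
    ("anti tamper", None, None): [UNVERIFIABLE, WINDOWS_ONLY],
    ("anti tamper", "mode", "jit"): [NO_MONO],
    ("constants", "mode", "x86"): [UNVERIFIABLE],
    ("ctrl flow", "type", "jump"): [UNVERIFIABLE],
    ("ctrl flow", "predicate", "x86"): [UNVERIFIABLE],
    ("ctrl flow", "junk", "true"): [UNVERIFIABLE],
    ("invalid metadata", None, None): [UNVERIFIABLE, "may not be compatible with Mono"],
    ("ref proxy", "encoding", "x86"): [UNVERIFIABLE],
}

def local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an XML namespace prefix if present

def audit(xml_text):
    """Return (setting, caveat) pairs for every flagged protection setting."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if local(el.tag) != "protection":
            continue
        pid = (el.get("id") or "").strip().lower()
        keys = [(pid, None, None)]
        for arg in el:
            if local(arg.tag) == "argument":
                keys.append((pid, arg.get("name"), (arg.get("value") or "").strip().lower()))
        for key in keys:
            label = pid if key[1] is None else f"{pid}: {key[1]}={key[2]}"
            findings += [(label, c) for c in CAVEATS.get(key, [])]
    return findings

# Constructed sample; the <rule> wrapper is an assumption about the project file.
SAMPLE = """<rule>
  <protection id="anti debug"><argument name="mode" value="antinet" /></protection>
  <protection id="ctrl flow"><argument name="predicate" value="x86" /></protection>
  <protection id="rename"><argument name="mode" value="unicode" /></protection>
  <protection id="anti tamper"><argument name="mode" value="jit" /></protection>
</rule>"""

if __name__ == "__main__":
    for setting, caveat in audit(SAMPLE):
        print(f"{setting}: {caveat}")
```

Settings left at their defaults are not flagged, since every default listed above is the value without a caveat; a protection such as anti tamper is flagged whenever it is enabled.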