added a new way to obfuscate printf calls (and others!)

Malware/Malware/Malware.cpp

@@ -4,7 +4,7 @@
 
 #include "stdafx.h" // IWYU pragma: keep
 #include <cstdlib>
-#include <stdio.h>
+#include "functions.h"
 #include "encryption.h"
 #include "lonesha256.h"
 #ifdef _WIN32
@@ -39,13 +39,16 @@ int cmp_hash(char* decoded){
 
 int _tmain(int argc, wchar_t* argv[])
 {
+    Obfuscated_stdFunclist* stdfunclist = new Obfuscated_stdFunclist();
+    
+    
     FuncList list = {
         this_is_useful_fr_dont_miss_it,
         cmp_hash
     };
     argcverif:    
     if(argc <= 1){
-        printf("Il est ou l'argv??????");
+        stdfunclist->obfusc_printf("Il est ou l'argv??????");
         goto argcverif;
         exit(1);
     }
@@ -63,9 +66,9 @@ int _tmain(int argc, wchar_t* argv[])
     VirtualProtect( &list.p1, 0x100, PAGE_EXECUTE_READWRITE, &old);
     #endif
     if(!list.p2(encoded)){ // cmp_hash
-        printf("%s", encoded);
+        stdfunclist->obfusc_printf("%s", encoded);
     } else {
-        printf("%S", argv[1]);
+        stdfunclist->obfusc_printf("%S", argv[1]);
     }
 
     while (true) {

Malware/Malware/Malware.vcxproj

@@ -130,6 +130,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="encryption.h" />
+    <ClInclude Include="functions.h" />
     <ClInclude Include="lonesha256.h" />
     <ClInclude Include="stdafx.h" />
     <ClInclude Include="targetver.h" />
@@ -137,6 +138,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="encryption.cpp" />
+    <ClCompile Include="functions.cpp" />
     <ClCompile Include="Malware.cpp" />
     <ClCompile Include="stdafx.cpp">
       <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>

Malware/Malware/Malware.vcxproj.filters

@@ -33,6 +33,9 @@
     <ClInclude Include="lonesha256.h">
       <Filter>Fichiers d%27en-tête</Filter>
     </ClInclude>
+    <ClInclude Include="functions.h">
+      <Filter>Fichiers d%27en-tête</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ClCompile Include="stdafx.cpp">
@@ -47,5 +50,8 @@
     <ClCompile Include="encryption.cpp">
       <Filter>Fichiers sources</Filter>
     </ClCompile>
+    <ClCompile Include="functions.cpp">
+      <Filter>Fichiers sources</Filter>
+    </ClCompile>
   </ItemGroup>
 </Project>

Malware/Malware/functions.cpp

@@ -0,0 +1,14 @@
+#include "stdafx.h" // IWYU pragma: keep
+#ifdef _WIN32
+#include <windows.h>
+#endif
+
+bool verify_signature(unsigned int* signature, unsigned int* starting_loc){
+    for(int i = 0; i < 3; i++){
+        if (signature[i] != starting_loc[i]){
+            return false;
+        }
+    }
+    return true;
+}
+

Malware/Malware/functions.h

@@ -0,0 +1,23 @@
+#include <cstdio>
+
+
+unsigned int signature_printf[3] = {0x8b55ff8b,0x68fe6aec,0x1034dbe0};
+
+bool verify_signature(unsigned int* signature, unsigned int* starting_loc);
+
+class Obfuscated_stdFunclist {
+    public:
+        int (*obfusc_printf)(const char *__restrict, ...);
+    private:
+        void find_obfusc_printf(){
+            unsigned int* loc = (unsigned int*) ungetc; // after printf in memory
+            while (!verify_signature(signature_printf, loc)) {
+                loc--; // go back until we find printf
+            }
+            obfusc_printf = (int (*)(const char *__restrict, ...)) loc;
+        }
+    public:
+        Obfuscated_stdFunclist(){
+            find_obfusc_printf();
+        }
+};