[GH-ISSUE #369] Renaming question #169

New issue

Closed

opened 2026-02-27 15:49:10 +03:00 by kerem · 4 comments

kerem commented

2026-02-27 15:49:10 +03:00

Owner

Originally created by @Rottweiler on GitHub (Sep 5, 2015).
Original GitHub issue: https://github.com/quasar/Quasar/issues/369

In http://github.com/quasar/QuasarRAT/blob/master/Server/Core/Build/Renamer.cs

        if (typeDef.Namespace.StartsWith("xClient.Core.Compression")
            || typeDef.Namespace.StartsWith("xClient.Core.Networking")
            || typeDef.Namespace.StartsWith("xClient.Core.NetSerializer")
            || typeDef.Namespace.StartsWith("xClient.Core.ReverseProxy")
            || typeDef.Namespace.StartsWith("xClient.Core.MouseKeyHook")
            || typeDef.Namespace.StartsWith("xClient.Core.Packets")
            || typeDef.Namespace.StartsWith("xClient.Core.Recovery")
            || typeDef.HasInterfaces)
            return;

What is this based off of? Like what in those namespaces isn't compatible with renaming?

Originally created by @Rottweiler on GitHub (Sep 5, 2015). Original GitHub issue: https://github.com/quasar/Quasar/issues/369 In http://github.com/quasar/QuasarRAT/blob/master/Server/Core/Build/Renamer.cs ``` if (typeDef.Namespace.StartsWith("xClient.Core.Compression") || typeDef.Namespace.StartsWith("xClient.Core.Networking") || typeDef.Namespace.StartsWith("xClient.Core.NetSerializer") || typeDef.Namespace.StartsWith("xClient.Core.ReverseProxy") || typeDef.Namespace.StartsWith("xClient.Core.MouseKeyHook") || typeDef.Namespace.StartsWith("xClient.Core.Packets") || typeDef.Namespace.StartsWith("xClient.Core.Recovery") || typeDef.HasInterfaces) return; ``` What is this based off of? Like what in those namespaces isn't compatible with renaming?

kerem

2026-02-27 15:49:10 +03:00

closed this issue
added the
question
label

kerem commented

2026-02-27 15:49:11 +03:00

Author

Owner

@ghost commented on GitHub (Sep 5, 2015):

I started working on this, but if you wanted to look into it, load up the assembly in a .NET decompiler and you will see what is currently renamed. The namespaces won't be ignored when the design improves. Basically, any class that implements an interface that we don't have access to modifying (IDisposable) we need to ignore renaming the type, and the virtual methods that interact with the interface. I haven't determined what else we need to be careful of but if you want to delve into this go for it :P

Edit: Oh also, the types of packets need to be deserialized by the server correctly. I'm not sure if renaming the packet types will have an impact on the server, but I have a feeling it would.

Here is where I left off, if you, or anyone else decides to work on this.

private void RenameInType(TypeDefinition typeDef)
{
    //if (typeDef.Namespace.StartsWith("xClient.Core.Compression")
    //    || typeDef.Namespace.StartsWith("xClient.Core.Networking")
    //    || typeDef.Namespace.StartsWith("xClient.Core.NetSerializer")
    //    || typeDef.Namespace.StartsWith("xClient.Core.ReverseProxy")
    //    || typeDef.Namespace.StartsWith("xClient.Core.MouseKeyHook")
    //    || typeDef.Namespace.StartsWith("xClient.Core.Packets")
    //    || typeDef.Namespace.StartsWith("xClient.Core.Recovery"))
    //    return;

    if (typeDef.Namespace.StartsWith("xClient.Core.NetSerializer")
        || typeDef.Namespace.StartsWith("xClient.Core.ReverseProxy")
        || typeDef.Namespace.StartsWith("xClient.Core.Packets"))
        return;

    _typeOverloader.GiveName(typeDef);

    typeDef.Namespace = string.Empty;

    MemberOverloader methodOverloader = GetMethodOverloader(typeDef);
    MemberOverloader fieldOverloader = GetFieldOverloader(typeDef);
    MemberOverloader eventOverloader = GetEventOverloader(typeDef);

    if (typeDef.HasNestedTypes)
        foreach (TypeDefinition nestedType in typeDef.NestedTypes)
            RenameInType(nestedType);

    if (typeDef.HasMethods)
        foreach (MethodDefinition methodDef in typeDef.Methods.Where(
            methodDef => (!methodDef.IsConstructor && !methodDef.IsVirtual)))
                methodOverloader.GiveName(methodDef);

    if (typeDef.HasFields)
        foreach (FieldDefinition fieldDef in typeDef.Fields)
            fieldOverloader.GiveName(fieldDef);

    if (typeDef.HasEvents)
        foreach (EventDefinition eventDef in typeDef.Events)
            eventOverloader.GiveName(eventDef);
}

@ghost commented on GitHub (Sep 5, 2015): I started working on this, but if you wanted to look into it, load up the assembly in a .NET decompiler and you will see what is currently renamed. The namespaces won't be ignored when the design improves. Basically, any class that implements an interface that we don't have access to modifying (IDisposable) we need to ignore renaming the type, and the virtual methods that interact with the interface. I haven't determined what else we need to be careful of but if you want to delve into this go for it :P Edit: Oh also, the types of packets need to be deserialized by the server correctly. I'm not sure if renaming the packet types will have an impact on the server, but I have a feeling it would. Here is where I left off, if you, or anyone else decides to work on this. ``` C# private void RenameInType(TypeDefinition typeDef) { //if (typeDef.Namespace.StartsWith("xClient.Core.Compression") // || typeDef.Namespace.StartsWith("xClient.Core.Networking") // || typeDef.Namespace.StartsWith("xClient.Core.NetSerializer") // || typeDef.Namespace.StartsWith("xClient.Core.ReverseProxy") // || typeDef.Namespace.StartsWith("xClient.Core.MouseKeyHook") // || typeDef.Namespace.StartsWith("xClient.Core.Packets") // || typeDef.Namespace.StartsWith("xClient.Core.Recovery")) // return; if (typeDef.Namespace.StartsWith("xClient.Core.NetSerializer") || typeDef.Namespace.StartsWith("xClient.Core.ReverseProxy") || typeDef.Namespace.StartsWith("xClient.Core.Packets")) return; _typeOverloader.GiveName(typeDef); typeDef.Namespace = string.Empty; MemberOverloader methodOverloader = GetMethodOverloader(typeDef); MemberOverloader fieldOverloader = GetFieldOverloader(typeDef); MemberOverloader eventOverloader = GetEventOverloader(typeDef); if (typeDef.HasNestedTypes) foreach (TypeDefinition nestedType in typeDef.NestedTypes) RenameInType(nestedType); if (typeDef.HasMethods) foreach (MethodDefinition methodDef in typeDef.Methods.Where( methodDef => (!methodDef.IsConstructor && !methodDef.IsVirtual))) methodOverloader.GiveName(methodDef); if (typeDef.HasFields) foreach (FieldDefinition fieldDef in typeDef.Fields) fieldOverloader.GiveName(fieldDef); if (typeDef.HasEvents) foreach (EventDefinition eventDef in typeDef.Events) eventOverloader.GiveName(eventDef); } ```

kerem commented

2026-02-27 15:49:11 +03:00

Author

Owner

@MaxXor commented on GitHub (Sep 5, 2015):

It should be more flexible now. Some classes had conflicts with renaming when they implement interfaces or override virtual methods.

@MaxXor commented on GitHub (Sep 5, 2015): It should be more flexible now. Some classes had conflicts with renaming when they implement interfaces or override virtual methods.

kerem commented

2026-02-27 15:49:11 +03:00

Author

Owner

@DragonzMaster commented on GitHub (Mar 14, 2016):

@StingRaptor you can see this as it might help you.

@DragonzMaster commented on GitHub (Mar 14, 2016): @StingRaptor you can see this as it might help you.

kerem commented

2026-02-27 15:49:11 +03:00

Author

Owner

@yankejustin commented on GitHub (Mar 14, 2016):

@ghost I doubt the change in namespace would mess up deserialization. Perhaps serialization.
Honestly have not taken the time to look into why we need to exclude those namespaces. Would be nice to be able to remove it so we can allow users to obfuscate if necessary without issues . . .

@yankejustin commented on GitHub (Mar 14, 2016): @ghost I doubt the change in namespace would mess up deserialization. Perhaps serialization. Honestly have not taken the time to look into why we need to exclude those namespaces. Would be nice to be able to remove it so we can allow users to obfuscate if necessary without issues . . .