
fix: address all Son of Anubhav review findings #1

Merged: mranv merged 5 commits into master from fix/son-of-anubhav-review on Apr 30, 2026

Conversation

@mranv (Owner) commented Apr 30, 2026

Summary

Full remediation of all findings from the Son of Anubhav code review across 5 commits.

| Severity | Finding | Fix |
| --- | --- | --- |
| Critical | SIZE_T overflow before HeapAlloc in MutationEngine.c | Overflow guard added before buffer allocation |
| High | Cargo-cult no-op HeapFree(NULL) in error path | Deleted |
| High | FindCleanTrampoline returned first 0F 05 C3 without RUNTIME_FUNCTION validation | Gadget now verified inside a valid RUNTIME_FUNCTION entry (consistent with FindJmpRbxGadget) |
| High | O(n²) bubble sort for SSN table in Syscalls.c | Replaced with insertion sort — O(n) on nearly-sorted ntdll exports |
| High | DJB2_SEED could be 0, producing degenerate hash distribution | Range changed from [0,254] to [1,254] matching XOR_SEED convention |
| High | --preset RANDOM allowed duplicate DLL indices | Deduplication loop added; all three indices guaranteed unique |
| Medium | EVASION_FLAG_UNHOOK misnamed (loader feature, not evasion check) | Renamed to OPSEC_FLAG_UNHOOK across OpsecFlags.h, Stub.cpp, Builder.cpp |
| Medium | No junk inserted before first setup block — predictable offset-0 anchor | Removed if (i > 0) guard; all four blocks now receive leading junk/NOP |
| Medium | MutationEngine.c used stdlib rand()/srand() while rest of codebase uses XORshift | Replaced with local mut_rand()/mut_srand() XORshift; stdlib.h dependency removed |
| Medium | Polish comment /* Mapuj czyste kopie */ ("Map clean copies") in English codebase | Translated to English |

Commits

  • 081a220 fix(MutationEngine): overflow guard, drop no-op HeapFree, add leading junk entropy
  • dd6a8db fix(ApiHashing,Unhooker): DJB2_SEED non-zero range, translate Polish comment
  • 84bf6ab fix(Syscalls): insertion sort for SSN table, RUNTIME_FUNCTION guard on trampoline
  • fb94438 fix(OpsecFlags,Builder): rename EVASION_FLAG_UNHOOK→OPSEC_FLAG_UNHOOK, unique RANDOM preset indices
  • b964bb2 fix(MutationEngine): replace stdlib rand()/srand() with local XORshift PRNG

Test plan

  • Build Stub project (MSVC) — no new warnings or errors
  • Build Builder project (MSVC) — no new warnings or errors
  • Run Builder.exe payload.exe out.exe --preset RANDOM multiple times — verify no duplicate DLL indices in output log
  • Run Builder.exe payload.exe out.exe --unhook — verify flag accepted, stub behaves correctly
  • Verify mutated stub executes payload correctly end-to-end

Summary by CodeRabbit

Release Notes

  • New Features

    • --preset RANDOM now ensures generated values are uniquely distributed.
    • Enhanced syscall discovery to avoid problematic regions using PE metadata validation.
  • Bug Fixes

    • Fixed hash seed calculation to prevent zero values.
    • Added buffer overflow protection during payload processing.
  • Refactor

    • Improved random number generation mechanism across modules.
    • Optimized syscall entry sorting algorithm for better efficiency.
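Worked example for the Critical finding (the SIZE_T overflow ahead of HeapAlloc). This is an added illustration by the editor, not code from this repository: the output layout (a 64-byte header, four setup blocks each capped at max_junk bytes, then the payload) and every function name are assumptions, and calloc stands in for HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, …) so it builds off Windows. Each multiply and add that feeds the allocation size is checked against SIZE_MAX before it is performed, and allocation happens only after the total is known to be sane; the unguarded arithmetic is kept alongside so the wrap is visible.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed output layout for this example (not the project's real layout):
 * a fixed header, SETUP_BLOCKS setup blocks each padded with at most
 * max_junk bytes of junk/NOP, then the payload itself. */
#define STUB_HEADER_SIZE 64u
#define SETUP_BLOCKS     4u

/* Size the output buffer, refusing if any step would wrap size_t.
 * Each multiply/add is checked against SIZE_MAX before it is performed,
 * so a hostile or corrupt payload_len can never yield a small total. */
static bool compute_stub_size(size_t payload_len, size_t max_junk, size_t *out)
{
    size_t junk_total, total;

    if (out == NULL)
        return false;
    if (max_junk > SIZE_MAX / SETUP_BLOCKS)          /* SETUP_BLOCKS * max_junk */
        return false;
    junk_total = (size_t)SETUP_BLOCKS * max_junk;
    if (junk_total > SIZE_MAX - STUB_HEADER_SIZE)    /* header + junk */
        return false;
    total = STUB_HEADER_SIZE + junk_total;
    if (payload_len > SIZE_MAX - total)              /* + payload */
        return false;
    *out = total + payload_len;
    return true;
}

/* Convenience for callers and tests: the checked size, or 0 on overflow
 * (0 is never a valid total because the header is always present). */
static size_t checked_stub_size(size_t payload_len, size_t max_junk)
{
    size_t total = 0;
    return compute_stub_size(payload_len, max_junk, &total) ? total : 0;
}

/* The unguarded arithmetic the Critical finding describes. With payload_len
 * near SIZE_MAX the sum wraps, the allocation "succeeds" with a tiny buffer,
 * and the subsequent copy of the payload writes past its end. */
static size_t unchecked_stub_size(size_t payload_len, size_t max_junk)
{
    return STUB_HEADER_SIZE + SETUP_BLOCKS * max_junk + payload_len; /* may wrap */
}

/* Allocate only after the size has been validated. calloc stands in for
 * HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, total) so this builds on any
 * platform. Nothing has been acquired when the checks fail, so the failure
 * path frees nothing (no free(NULL) / HeapFree(NULL) no-op). */
static uint8_t *alloc_stub_buffer(const uint8_t *payload, size_t payload_len,
                                  size_t max_junk, size_t *out_len)
{
    size_t total;
    uint8_t *buf;

    if (!compute_stub_size(payload_len, max_junk, &total))
        return NULL;
    buf = (uint8_t *)calloc(1, total);
    if (buf == NULL)
        return NULL;
    /* payload lands after the header and the fully padded setup region */
    memcpy(buf + (total - payload_len), payload, payload_len);
    if (out_len != NULL)
        *out_len = total;
    return buf;
}

/* Round trip: build a buffer from a constructed payload and confirm the
 * payload bytes sit at the tail. Returns true on success. */
static bool demo_roundtrip(void)
{
    const uint8_t payload[] = { 'A', 'B', 'C' };   /* constructed sample */
    size_t total = 0;
    uint8_t *buf = alloc_stub_buffer(payload, sizeof payload, 16, &total);
    bool ok = buf != NULL && total == checked_stub_size(sizeof payload, 16)
              && memcmp(buf + total - sizeof payload, payload, sizeof payload) == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("checked:   %zu\n", checked_stub_size(100, 16));
    printf("overflow:  %zu (0 = refused)\n", checked_stub_size(SIZE_MAX - 10, 16));
    printf("unchecked: %zu (wrapped)\n", unchecked_stub_size(SIZE_MAX - 10, 0));
    return demo_roundtrip() ? 0 : 1;
}
```

The check order matters: the product is guarded before the sums, and each guard compares the operand still to be added against the headroom left, rather than testing the result afterwards, since signed-style "did it go negative" tests do not exist for size_t.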

…t PRNG

Removes the stdlib.h dependency from MutationEngine.c and makes the
PRNG consistent with the XORshift pattern used in Crypto.c and Common.c.
Two independent PRNG states (stdlib rand + XORshift) in the same Builder
process now unified under one approach.
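An added example (the editor's, not the project's mut_rand()/mut_srand(), which are known here only from the PR description) of the two randomness points the findings raise together: a local xorshift32 generator and a collision-free draw of three DLL indices out of ten. The caveat a practitioner wants is that xorshift maps state 0 to state 0 forever, so a zero seed freezes the generator, the same degenerate case the DJB2_SEED range change avoids; the fallback constant, the rejection-sampling draw, and all names are assumptions for illustration. The selector is written for a general k-of-pool rather than the fixed three indices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* xorshift32 (Marsaglia). The state must never be 0: every shift/xor step
 * maps 0 to 0, so a zero seed freezes the generator. That is the same
 * degenerate case the DJB2_SEED finding closed by moving the seed range to
 * [1,254], and a local PRNG replacing rand()/srand() needs the same guard. */
static uint32_t g_xs_state = 2463534242u;

static uint32_t xorshift32_step(uint32_t x)
{
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    return x;
}

/* Seed with a non-zero fallback. Names are this example's own. */
static void demo_srand(uint32_t seed)
{
    g_xs_state = seed ? seed : 0x9E3779B9u;  /* assumed fallback constant */
}

static uint32_t demo_rand(void)
{
    g_xs_state = xorshift32_step(g_xs_state);
    return g_xs_state;
}

/* Uniform draw in [0, n) by rejection: a raw demo_rand() % n favours the low
 * residues whenever n does not divide 2^32. Requires n > 0. */
static uint32_t rand_below(uint32_t n)
{
    uint32_t limit = UINT32_MAX - (UINT32_MAX % n);
    uint32_t r;
    do {
        r = demo_rand();
    } while (r >= limit);
    return r % n;
}

/* Draw k distinct indices from [0, pool), redrawing on collision. Returns
 * false when k > pool, which would otherwise spin forever. */
static bool pick_unique_indices(uint32_t pool, size_t k, uint32_t *out)
{
    if (k > pool || (k > 0 && out == NULL))
        return false;
    for (size_t i = 0; i < k; i++) {
        uint32_t cand;
        bool dup;
        do {
            cand = rand_below(pool);
            dup = false;
            for (size_t j = 0; j < i; j++)
                if (out[j] == cand) { dup = true; break; }
        } while (dup);
        out[i] = cand;
    }
    return true;
}

static bool all_distinct(const uint32_t *v, size_t k)
{
    for (size_t i = 0; i < k; i++)
        for (size_t j = i + 1; j < k; j++)
            if (v[i] == v[j]) return false;
    return true;
}

/* A zero seed must not produce a stuck generator. */
static bool demo_zero_seed_rescued(void)
{
    demo_srand(0);
    return demo_rand() != 0;
}

/* Repeat the "three DLL indices out of ten" selection `rounds` times with
 * the given seed; true if every draw was collision-free and in range. */
static bool demo_random_preset(uint32_t seed, int rounds)
{
    uint32_t idx[3];
    demo_srand(seed);
    for (int r = 0; r < rounds; r++) {
        if (!pick_unique_indices(10, 3, idx) || !all_distinct(idx, 3))
            return false;
        for (size_t i = 0; i < 3; i++)
            if (idx[i] >= 10) return false;
    }
    return true;
}

int main(void)
{
    uint32_t idx[3];
    printf("xorshift32(0) = %u (stuck)\n", xorshift32_step(0));
    printf("seed 0 rescued: %s\n", demo_zero_seed_rescued() ? "yes" : "no");
    pick_unique_indices(10, 3, idx);
    printf("indices: %u %u %u\n", idx[0], idx[1], idx[2]);
    return demo_random_preset(7, 1000) ? 0 : 1;
}
```

Because xorshift32 is a bijection on the non-zero states, any non-zero seed gives the full 2^32-1 period; the only way to lose that is the zero state, which is why the guard lives in the seeding routine rather than in the draw.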
@coderabbitai (Bot) commented Apr 30, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 680ce18 and b964bb2.

📒 Files selected for processing (7)
  • Builder/Builder.cpp
  • Engine/MutationEngine.c
  • Engine/OpsecFlags.h
  • Stub/ApiHashing.cpp
  • Stub/Stub.cpp
  • Stub/Syscalls.c
  • Stub/Unhooker.c

Walkthrough

These changes improve OPSEC mechanisms and code entropy through flag standardization, randomization hardening, and syscall validation enhancements. The flag EVASION_FLAG_UNHOOK is renamed to OPSEC_FLAG_UNHOOK throughout, the mutation engine implements a local XORshift PRNG, DLL index randomization enforces uniqueness, and syscall location validation now integrates PE exception directory inspection.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| OPSEC Flag Standardization: Engine/OpsecFlags.h, Stub/Stub.cpp, Stub/Unhooker.c | Renames security flag from EVASION_FLAG_UNHOOK to OPSEC_FLAG_UNHOOK, updates conditional references and related documentation to clarify KnownDlls registry mapping. |
| Builder Configuration & Randomization: Builder/Builder.cpp | Enforces uniqueness of randomly-generated DLL indices using modulo-10 collision correction. Updates --unhook CLI flag binding to set OPSEC_FLAG_UNHOOK instead of EVASION_FLAG_UNHOOK. |
| Mutation Engine & Entropy Hardening: Engine/MutationEngine.c, Stub/ApiHashing.cpp | Replaces rand()/srand() with deterministic local XORshift PRNG implementation. Unconditionally inserts junk/NOP before every setup block. Adds payload length overflow check. Recalculates compile-time DJB2 seed to avoid zero initialization. |
| Syscall Resolution Robustness: Stub/Syscalls.c | Refactors syscall SSN assignment sorting from bubble-sort to insertion-sort. Enhances FindCleanTrampoline to validate candidate locations against PE exception directory RUNTIME_FUNCTION entries before acceptance, with fallback to original behavior if table unavailable. |

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~22 minutes


Pre-merge checks | ✅ 3 | ❌ 2

Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 64.29% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'fix: address all Son of Anubhav review findings' is generic and vague, using a catch-all phrase that does not convey the specific nature of the changes without reading the full PR description. | Consider a more specific title that highlights a primary change, such as 'fix: enforce DLL index uniqueness and replace stdlib PRNG with XORshift' or 'fix: add DJB2 seed validation, syscall trampoline guard, and flag renaming'. |

Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

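Worked example for the Syscalls.c change (bubble sort replaced by insertion sort for the SSN table). This is the editor's added illustration, not the project's Syscalls.c: the entry layout, the rank-based SSN assignment after sorting by address, and all names are assumptions, and the table is a constructed sample with fake addresses spaced 32 bytes apart, not real ntdll exports. The sort returns its shift count so the cost claim is observable: one adjacent swap in an otherwise ordered table costs a single shift, a fully reversed table costs n(n-1)/2.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One candidate syscall stub as collected from an export walk: the hashed
 * export name and the stub's address. Field names are this example's own. */
typedef struct {
    uint32_t  name_hash;
    uintptr_t address;
    uint32_t  ssn;
} SyscallEntry;

/* Insertion sort by address. Returns the number of element shifts, which
 * makes the cost visible: one shift per out-of-place pair, so a nearly
 * sorted table costs O(n) while a reversed one costs n(n-1)/2. */
static size_t sort_by_address(SyscallEntry *tbl, size_t n)
{
    size_t shifts = 0;
    for (size_t i = 1; i < n; i++) {
        SyscallEntry key = tbl[i];
        size_t j = i;
        while (j > 0 && tbl[j - 1].address > key.address) {
            tbl[j] = tbl[j - 1];
            j--;
            shifts++;
        }
        tbl[j] = key;
    }
    return shifts;
}

/* Rank-based SSN assignment: once stubs are in address order, the k-th stub
 * gets SSN k. This assumes the stubs are laid out in SSN order, which is the
 * premise of sorting them at all; the example does not verify that premise. */
static void assign_ssn_by_rank(SyscallEntry *tbl, size_t n)
{
    for (size_t i = 0; i < n; i++)
        tbl[i].ssn = (uint32_t)i;
}

static bool is_strictly_ascending(const SyscallEntry *tbl, size_t n)
{
    for (size_t i = 1; i < n; i++)
        if (tbl[i - 1].address >= tbl[i].address)
            return false;
    return true;
}

#define SAMPLE_N 8

/* Constructed sample: 8 stubs spaced 32 bytes apart from a fake base. The
 * hashes are arbitrary tags so an entry can be looked up afterwards. */
static void build_sample(SyscallEntry *tbl)
{
    for (size_t i = 0; i < SAMPLE_N; i++) {
        tbl[i].name_hash = 0xA0u + (uint32_t)i;
        tbl[i].address   = 0x1000u + 32u * i;
        tbl[i].ssn       = 0xFFFFFFFFu;  /* unassigned */
    }
}

static void reverse_table(SyscallEntry *tbl, size_t n)
{
    for (size_t i = 0; i < n / 2; i++) {
        SyscallEntry t = tbl[i];
        tbl[i] = tbl[n - 1 - i];
        tbl[n - 1 - i] = t;
    }
}

/* Nearly sorted input, as an export walk tends to hand back: one adjacent
 * pair swapped. Returns the shift count, or (size_t)-1 if the result is
 * not sorted (expected: 1). */
static size_t demo_nearly_sorted(void)
{
    SyscallEntry tbl[SAMPLE_N], tmp;
    build_sample(tbl);
    tmp = tbl[2]; tbl[2] = tbl[3]; tbl[3] = tmp;
    size_t shifts = sort_by_address(tbl, SAMPLE_N);
    assign_ssn_by_rank(tbl, SAMPLE_N);
    return is_strictly_ascending(tbl, SAMPLE_N) ? shifts : (size_t)-1;
}

/* Worst case: fully reversed input. Expected shift count: 8*7/2 = 28. */
static size_t demo_reversed(void)
{
    SyscallEntry tbl[SAMPLE_N];
    build_sample(tbl);
    reverse_table(tbl, SAMPLE_N);
    size_t shifts = sort_by_address(tbl, SAMPLE_N);
    assign_ssn_by_rank(tbl, SAMPLE_N);
    return is_strictly_ascending(tbl, SAMPLE_N) ? shifts : (size_t)-1;
}

/* SSN assigned to a hash after sorting the reversed sample; 0xFFFFFFFF if
 * the hash is absent. The order of the input must not affect the answer. */
static uint32_t ssn_for_hash(uint32_t hash)
{
    SyscallEntry tbl[SAMPLE_N];
    build_sample(tbl);
    reverse_table(tbl, SAMPLE_N);
    sort_by_address(tbl, SAMPLE_N);
    assign_ssn_by_rank(tbl, SAMPLE_N);
    for (size_t i = 0; i < SAMPLE_N; i++)
        if (tbl[i].name_hash == hash) return tbl[i].ssn;
    return 0xFFFFFFFFu;
}

int main(void)
{
    printf("nearly sorted: %zu shifts\n", demo_nearly_sorted());
    printf("reversed:      %zu shifts\n", demo_reversed());
    printf("SSN for hash 0xA5: %u\n", ssn_for_hash(0xA5u));
    return 0;
}
```

The strictly-ascending check doubles as a duplicate detector: two entries resolving to the same stub address would collapse onto one rank and silently shift every later SSN, so a real resolver should reject that case rather than sort past it.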

mranv merged commit e8f72dc into master on Apr 30, 2026 (1 check passed).
mranv deleted the fix/son-of-anubhav-review branch on April 30, 2026 at 22:40.