added page protections to theo::malloc_t....

3 years ago · 4ea2ba046b
parent dd0ec1946b
commit 4ea2ba046b
23 changed files with 64 additions and 50 deletions
--- a/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj
+++ b/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj
@ -85,7 +85,6 @@
  </ItemGroup>
  <ItemGroup>
    <None Include="..\..\misc\natvis\imgui.natvis" />
-    <None Include="..\README.txt" />
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
--- a/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj.filters
+++ b/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj.filters
@ -55,7 +55,6 @@
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
-    <None Include="..\README.txt" />
    <None Include="..\..\misc\natvis\imgui.natvis">
      <Filter>sources</Filter>
    </None>
--- a/demos/Theodosius-Client/client.cpp
+++ b/demos/Theodosius-Client/client.cpp
@ -33,7 +33,7 @@ namespace theo
 			{
 				case theo::theo_packet_type::alloc_memory:
 				{
-					packet.alloc.addr = alloc(packet.alloc.alloc_size);
+					packet.alloc.addr = alloc(packet.alloc.alloc_size, packet.alloc.prot);
 					break;
 				}
 				case theo::theo_packet_type::copy_memory:
--- a/demos/Theodosius-Client/client.hpp
+++ b/demos/Theodosius-Client/client.hpp
@ -45,6 +45,7 @@ namespace theo
 			{
 				void* addr;
 				std::size_t alloc_size;
+				std::uint32_t prot;
 			} alloc;

 			struct
@ -64,7 +65,7 @@ namespace theo
 	} theo_data, * ptheo_data;
 #pragma pack(pop)

-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t, std::uint32_t)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;
--- a/demos/Theodosius-Client/main.cpp
+++ b/demos/Theodosius-Client/main.cpp
@ -155,16 +155,18 @@ int __cdecl main(int argc, char** argv)
 				return -1;
 			}

-			theo::malloc_t _alloc = [&](std::size_t size) -> void*
+			theo::malloc_t _alloc = 
+				[&](std::size_t size, std::uint32_t prot) -> void*
 			{
-				const auto result = VirtualAllocEx
-				(
-					phandle,
-					nullptr,
-					size,
-					MEM_COMMIT | MEM_RESERVE,
-					PAGE_EXECUTE_READWRITE
-				);
+				const auto result = 
+					VirtualAllocEx
+					(
+						phandle,
+						nullptr,
+						size,
+						MEM_COMMIT | MEM_RESERVE,
+						prot
+					);

 				if (!result)
 				{
@ -361,7 +363,9 @@ int __cdecl main(int argc, char** argv)
 					};

 					vdm::msrexec_ctx msrexec(_write_msr);
-					theo::malloc_t _kalloc = [&](std::size_t size) -> void*
+
+					theo::malloc_t _kalloc = 
+						[&](std::size_t size, std::uint32_t prot) -> void*
 					{
 						void* alloc_base;
 						msrexec.exec
@ -453,7 +457,9 @@ int __cdecl main(int argc, char** argv)

 					// use VDM to syscall into ExAllocatePool...
 					vdm::vdm_ctx vdm(_read_phys, _write_phys);
-					theo::malloc_t _kalloc = [&](std::size_t size) -> void*
+
+					theo::malloc_t _kalloc = 
+						[&](std::size_t size, std::uint32_t prot) -> void*
 					{
 						using ex_alloc_pool_t =
 							void* (*)(std::uint32_t, std::uint32_t);
--- a/demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp
+++ b/demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp
@ -86,7 +86,9 @@ int main(int argc, char** argv)
 	};

 	vdm::msrexec_ctx msrexec(_write_msr);
-	theo::malloc_t _kalloc = [&](std::size_t size) -> void*
+
+	theo::malloc_t _kalloc = 
+		[&](std::size_t size, std::uint32_t prot) -> void*
 	{
 		void* alloc_base;
 		msrexec.exec
--- a/demos/Theodosius-Kernel/Theodosius-MSREXEC/theo.h
+++ b/demos/Theodosius-Kernel/Theodosius-MSREXEC/theo.h
@ -2,6 +2,7 @@
 #include <Windows.h>
 #include <string>
 #include <vector>
+#include <functional>
 #include <map>

 namespace obfuscation{ class obfuscate; }
@ -9,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector<std::uint8_t>; }

 namespace theo
 {
-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t bytes, std::uint32_t prot)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;
@ -22,8 +23,8 @@ namespace theo
 		auto map_objs(std::vector<lnk::obj_buffer_t>& objs) -> bool;
 		auto get_symbol(std::string symbol_name) -> std::uintptr_t;

-		malloc_t kalloc;
-		memcpy_t kmemcpy;
+		malloc_t alloc;
+		memcpy_t mcopy;
 		resolve_symbol_t resolve_symbol;
 	private:
 		bool map_symbols(std::vector<lnk::obj_buffer_t>& objs);
--- a/demos/Theodosius-Kernel/Theodosius-VDM/main.cpp
+++ b/demos/Theodosius-Kernel/Theodosius-VDM/main.cpp
@ -95,7 +95,8 @@ int main(int argc, char** argv)

 	// use VDM to syscall into ExAllocatePool...
 	vdm::vdm_ctx vdm(_read_phys, _write_phys);
-	theo::malloc_t _kalloc = [&](std::size_t size) -> void*
+	theo::malloc_t _kalloc = 
+		[&](std::size_t size, std::uint32_t prot) -> void*
 	{
 		using ex_alloc_pool_t =
 			void* (*)(std::uint32_t, std::uint32_t);
--- a/demos/Theodosius-Kernel/Theodosius-VDM/theo.h
+++ b/demos/Theodosius-Kernel/Theodosius-VDM/theo.h
@ -10,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector<std::uint8_t>; }

 namespace theo
 {
-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t bytes, std::uint32_t prot)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;
--- a/demos/Theodosius-Server/client.cpp
+++ b/demos/Theodosius-Server/client.cpp
@ -63,13 +63,14 @@ namespace theo
 		return dest;
 	}

-	void* client::wrapper_alloc(std::size_t size) const
+	void* client::wrapper_alloc(std::size_t size, std::uint32_t prot) const
 	{
 		theo_data* packet = new theo_data;
 		memset(packet, NULL, sizeof theo_data);

 		packet->type = theo_packet_type::alloc_memory;
 		packet->alloc.alloc_size = size;
+		packet->alloc.prot = prot;

 		if (send(client_socket, reinterpret_cast<char*>(packet), 
 			sizeof theo_data, NULL) == SOCKET_ERROR)
@ -147,8 +148,8 @@ namespace theo
 			{
 				case theo_packet_type::init:
 				{
-					theo::malloc_t alloc = [&](std::size_t size) -> void*
-					{ return this->wrapper_alloc(size); };
+					theo::malloc_t alloc = [&](std::size_t size, std::uint32_t prot) -> void*
+					{ return this->wrapper_alloc(size, prot); };

 					theo::memcpy_t mcopy = 
 						[&](void* dest, const void* src, std::size_t size) -> void*
--- a/demos/Theodosius-Server/client.hpp
+++ b/demos/Theodosius-Server/client.hpp
@ -44,6 +44,7 @@ namespace theo
 			{
 				void* addr;
 				std::size_t alloc_size;
+				std::uint32_t prot;
 			} alloc;

 			struct
@ -72,7 +73,7 @@ namespace theo
 	private:
 		void handler() const;
 		void* wrapper_memcpy(void* dest, const void* src, std::size_t size) const;
-		void* wrapper_alloc(std::size_t size) const;
+		void* wrapper_alloc(std::size_t size, std::uint32_t prot) const;
 		std::uintptr_t wrapper_resolve_symbol(const char* symbol_name) const;

 		const SOCKET client_socket;
--- a/demos/Theodosius-Server/main.cpp
+++ b/demos/Theodosius-Server/main.cpp
@ -95,6 +95,7 @@ int __cdecl main(int argc, char** argv)

 		sockaddr socket_info;
 		int socket_info_len = sizeof socket_info;
+
 		const auto psocket_info = 
 			reinterpret_cast<sockaddr_in*>(&socket_info);

--- a/demos/Theodosius-Server/theo.h
+++ b/demos/Theodosius-Server/theo.h
@ -10,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector<std::uint8_t>; }

 namespace theo
 {
-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t bytes, std::uint32_t prot)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;
@ -23,8 +23,8 @@ namespace theo
 		auto map_objs(std::vector<lnk::obj_buffer_t>& objs) -> bool;
 		auto get_symbol(std::string symbol_name) -> std::uintptr_t;

-		malloc_t kalloc;
-		memcpy_t kmemcpy;
+		malloc_t alloc;
+		memcpy_t mcopy;
 		resolve_symbol_t resolve_symbol;
 	private:
 		bool map_symbols(std::vector<lnk::obj_buffer_t>& objs);
--- a/demos/Theodosius-Usermode/main.cpp
+++ b/demos/Theodosius-Usermode/main.cpp
@ -92,16 +92,17 @@ int main(int argc, char** argv)
 		return -1;
 	}

-	theo::malloc_t _alloc = [&](std::size_t size) -> void*
+	theo::malloc_t _alloc = [&](std::size_t size, std::uint32_t prot) -> void*
 	{
-		const auto result = VirtualAllocEx
-		(
-			phandle, 
-			nullptr, 
-			size, 
-			MEM_COMMIT | MEM_RESERVE, 
-			PAGE_EXECUTE_READWRITE
-		);
+		const auto result = 
+			VirtualAllocEx
+			(
+				phandle, 
+				nullptr, 
+				size, 
+				MEM_COMMIT | MEM_RESERVE, 
+				prot
+			);

 		if (!result)
 		{
--- a/demos/Theodosius-Usermode/theo.h
+++ b/demos/Theodosius-Usermode/theo.h
@ -5,12 +5,12 @@
 #include <functional>
 #include <map>

-namespace obfuscation { class obfuscate; }
+namespace obfuscation{ class obfuscate; }
 namespace lnk { using obj_buffer_t = std::vector<std::uint8_t>; }

 namespace theo
 {
-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t bytes, std::uint32_t prot)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;
@ -21,10 +21,10 @@ namespace theo
 	public:
 		explicit hmm_ctx(const mapper_routines_t& routines);
 		auto map_objs(std::vector<lnk::obj_buffer_t>& objs) -> bool;
-		auto get_symbol(std::string symbol_name)->std::uintptr_t;
+		auto get_symbol(std::string symbol_name) -> std::uintptr_t;

-		malloc_t kalloc;
-		memcpy_t kmemcpy;
+		malloc_t alloc;
+		memcpy_t mcopy;
 		resolve_symbol_t resolve_symbol;
 	private:
 		bool map_symbols(std::vector<lnk::obj_buffer_t>& objs);
--- a/dependencies/Zydis.rar
+++ b/dependencies/Zydis.rar
--- a/dependencies/asmjit.rar
+++ b/dependencies/asmjit.rar
--- a/dependencies/llvm-obfuscator.rar
+++ b/dependencies/llvm-obfuscator.rar
--- a/include/theo.h
+++ b/include/theo.h
@ -10,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector<std::uint8_t>; }

 namespace theo
 {
-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t bytes, std::uint32_t prot)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;
--- a/resources/imgs/unknown.png
+++ b/resources/imgs/unknown.png
--- a/resources/llvm-obfuscator-compiled.rar
+++ b/resources/llvm-obfuscator-compiled.rar
--- a/src/Theodosius/theo.cpp
+++ b/src/Theodosius/theo.cpp
@ -213,8 +213,9 @@ namespace theo
 				// these symbols are generated by llvm-obfuscator as "x" and "y"... 
 				else if (reloc.raw_symbol.StorageClass == IMAGE_SYM_CLASS_EXTERNAL && reloc.raw_symbol.Value)
 				{
-					const auto zero_me = alloc(reloc.raw_symbol.Value);
+					const auto zero_me = alloc(reloc.raw_symbol.Value, PAGE_READWRITE);
 					const auto zero_size = malloc(reloc.raw_symbol.Value);
+
 					memset(zero_size, NULL, reloc.raw_symbol.Value);
 					mcopy(zero_me, zero_size, reloc.raw_symbol.Value);
 					free(zero_size);
@ -383,7 +384,7 @@ namespace theo
 										// these symbols are generated by llvm-obfuscator as "x" and "y"... 
 										else if (reloc.raw_symbol.StorageClass == IMAGE_SYM_CLASS_EXTERNAL && reloc.raw_symbol.Value)
 										{
-											const auto zero_me = alloc(reloc.raw_symbol.Value);
+											const auto zero_me = alloc(reloc.raw_symbol.Value, PAGE_READWRITE);
 											const auto zero_size = malloc(reloc.raw_symbol.Value);
 											memset(zero_size, NULL, reloc.raw_symbol.Value);
 											mcopy(zero_me, zero_size, reloc.raw_symbol.Value);
@ -527,7 +528,7 @@ namespace theo

 					mapped_symbols[new_symbol] =
 						reinterpret_cast<std::uintptr_t>(
-							alloc(new_gadget->get_size()));
+							alloc(new_gadget->get_size(), PAGE_EXECUTE_READWRITE));

 					obfuscated_gadgets[mapped_symbols[new_symbol]] = new_gadget;
 					DBG_PRINT("\t\t> %s allocated = 0x%p, size = %d\n", new_symbol.c_str(),
@ -565,7 +566,7 @@ namespace theo
 				if (symbol.type == IMAGE_SYM_FUNCTION)
 				{
 					mapped_symbols[symbol.symbol_name] =
-						reinterpret_cast<std::uintptr_t>(alloc(symbol.size));
+						reinterpret_cast<std::uintptr_t>(alloc(symbol.size, PAGE_EXECUTE_READWRITE));

 					DBG_PRINT("\t> %s allocated at = 0x%p, size = %d\n",
 						symbol.symbol_name.c_str(), mapped_symbols[symbol.symbol_name], symbol.size);
@ -584,7 +585,7 @@ namespace theo
 					{
 						mapped_symbols[data_section_sym] =
 							reinterpret_cast<std::uintptr_t>(alloc(
-								section_headers[symbol.section_number - 1].SizeOfRawData));
+								section_headers[symbol.section_number - 1].SizeOfRawData, PAGE_READWRITE));

 						DBG_PRINT("\t> section %s allocated at = 0x%p, size = %d\n",
 							data_section_sym.c_str(),
@ -638,7 +639,7 @@ namespace theo
 				{
 					mapped_symbols[data_section_sym] =
 						reinterpret_cast<std::uintptr_t>(alloc(
-							section_headers[idx].SizeOfRawData));
+							section_headers[idx].SizeOfRawData, PAGE_READWRITE));

 					DBG_PRINT("\t> section %s allocated at = 0x%p, size = %d\n",
 						data_section_sym.c_str(),
--- a/src/Theodosius/theo.h
+++ b/src/Theodosius/theo.h
@ -16,7 +16,7 @@
 #pragma comment(lib, "Dbghelp.lib")
 namespace theo
 {
-	using malloc_t = std::function<decltype(malloc)>;
+	using malloc_t = std::function<void*(std::size_t bytes, std::uint32_t prot)>;
 	using memcpy_t = std::function<decltype(memcpy)>;

 	using resolve_symbol_t = std::function<std::uintptr_t(const char*)>;