diff --git a/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj b/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj
index 115877c..f202e4d 100644
--- a/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj
+++ b/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj
@@ -85,7 +85,6 @@ -
diff --git a/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj.filters b/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj.filters
index 50e3ed5..72b4511 100644
--- a/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj.filters
+++ b/demos/DemoImGui/examples/example_win32_directx11/example_win32_directx11.vcxproj.filters
@@ -55,7 +55,6 @@ - sources
diff --git a/demos/Theodosius-Client/client.cpp b/demos/Theodosius-Client/client.cpp
index 61ae330..2748622 100644
--- a/demos/Theodosius-Client/client.cpp
+++ b/demos/Theodosius-Client/client.cpp
@@ -33,7 +33,7 @@ namespace theo { case theo::theo_packet_type::alloc_memory: { - packet.alloc.addr = alloc(packet.alloc.alloc_size); + packet.alloc.addr = alloc(packet.alloc.alloc_size, packet.alloc.prot); break; } case theo::theo_packet_type::copy_memory:
diff --git a/demos/Theodosius-Client/client.hpp b/demos/Theodosius-Client/client.hpp
index 3332703..7057aed 100644
--- a/demos/Theodosius-Client/client.hpp
+++ b/demos/Theodosius-Client/client.hpp
@@ -45,6 +45,7 @@ namespace theo { void* addr; std::size_t alloc_size; + std::uint32_t prot; } alloc; struct
@@ -64,7 +65,7 @@ namespace theo } theo_data, * ptheo_data; #pragma pack(pop) - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;
diff --git a/demos/Theodosius-Client/main.cpp b/demos/Theodosius-Client/main.cpp
index 6aa6e86..9f41fe6 100644
--- a/demos/Theodosius-Client/main.cpp
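Review bot: In demos/Theodosius-Client/client.cpp (hunk @@ -33,7 +33,7) `packet.alloc.prot` is read from the received packet and handed to `alloc` with no check, so whatever value the peer sends becomes the page protection of the new allocation. The mapper in this commit only ever requests `PAGE_READWRITE` and `PAGE_EXECUTE_READWRITE`, so the handler can refuse anything else before allocating, e.g. `if (packet.alloc.prot != PAGE_READWRITE && packet.alloc.prot != PAGE_EXECUTE_READWRITE) { packet.alloc.addr = nullptr; break; }`. `packet.alloc.alloc_size` is forwarded the same way and would benefit from an upper bound. The enclosing switch starts and ends outside the hunk.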
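Review bot: The `prot` field added in demos/Theodosius-Client/client.hpp (hunk @@ -45,6 +45,7) changes the size of the `theo_data` wire struct, and nothing visible documents what the field carries or ties this copy of the struct to the one in demos/Theodosius-Server/client.hpp. Add a comment on the field such as `// Win32 PAGE_* protection requested for this allocation`, and consider `static_assert(sizeof(theo_data) == EXPECTED_WIRE_SIZE, "theo_data wire layout changed");` (placeholder constant) in both headers so a mismatched build fails at compile time rather than desynchronising the stream. `void* addr` and `std::size_t alloc_size` beside it are pointer-width dependent, so both ends presumably have to be built for the same architecture, which is worth stating in the same comment. The struct begins and ends outside the hunk.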
+++ b/demos/Theodosius-Client/main.cpp
@@ -155,16 +155,18 @@ int __cdecl main(int argc, char** argv) return -1; } - theo::malloc_t _alloc = [&](std::size_t size) -> void* + theo::malloc_t _alloc = + [&](std::size_t size, std::uint32_t prot) -> void* { - const auto result = VirtualAllocEx - ( - phandle, - nullptr, - size, - MEM_COMMIT | MEM_RESERVE, - PAGE_EXECUTE_READWRITE - ); + const auto result = + VirtualAllocEx + ( + phandle, + nullptr, + size, + MEM_COMMIT | MEM_RESERVE, + prot + ); if (!result) {
@@ -361,7 +363,9 @@ int __cdecl main(int argc, char** argv) }; vdm::msrexec_ctx msrexec(_write_msr); - theo::malloc_t _kalloc = [&](std::size_t size) -> void* + + theo::malloc_t _kalloc = + [&](std::size_t size, std::uint32_t prot) -> void* { void* alloc_base; msrexec.exec
@@ -453,7 +457,9 @@ int __cdecl main(int argc, char** argv) // use VDM to syscall into ExAllocatePool... vdm::vdm_ctx vdm(_read_phys, _write_phys); - theo::malloc_t _kalloc = [&](std::size_t size) -> void* + + theo::malloc_t _kalloc = + [&](std::size_t size, std::uint32_t prot) -> void* { using ex_alloc_pool_t = void* (*)(std::uint32_t, std::uint32_t);
diff --git a/demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp b/demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp
index 4347b71..12d1fec 100644
--- a/demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp
+++ b/demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp
@@ -86,7 +86,9 @@ int main(int argc, char** argv) }; vdm::msrexec_ctx msrexec(_write_msr); - theo::malloc_t _kalloc = [&](std::size_t size) -> void* + + theo::malloc_t _kalloc = + [&](std::size_t size, std::uint32_t prot) -> void* { void* alloc_base; msrexec.exec
diff --git a/demos/Theodosius-Kernel/Theodosius-MSREXEC/theo.h b/demos/Theodosius-Kernel/Theodosius-MSREXEC/theo.h
index 2cef67f..3615438 100644
--- a/demos/Theodosius-Kernel/Theodosius-MSREXEC/theo.h
+++ b/demos/Theodosius-Kernel/Theodosius-MSREXEC/theo.h
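Review bot: The `_kalloc` lambda in demos/Theodosius-Client/main.cpp (hunk @@ -361,7 +363,9) now accepts `prot`, but none of the visible lines use it, so a request for `PAGE_READWRITE` presumably receives the same kind of memory as a request for an executable page. If that is intended, state it at the lambda, e.g. `// prot is ignored here: the pool allocation takes no Win32 page protection`, and mark the parameter `[[maybe_unused]]` so the difference from the `VirtualAllocEx` path is explicit to the next reader. The same applies to the `_kalloc` lambdas at @@ -453,7 +457,9 in this file, at @@ -86,7 +86,9 in demos/Theodosius-Kernel/Theodosius-MSREXEC/main.cpp and at @@ -95,7 +95,8 in demos/Theodosius-Kernel/Theodosius-VDM/main.cpp. All four lambda bodies continue outside their hunks.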
@@ -2,6 +2,7 @@ #include #include #include +#include #include namespace obfuscation{ class obfuscate; }
@@ -9,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector; } namespace theo { - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;
@@ -22,8 +23,8 @@ namespace theo auto map_objs(std::vector& objs) -> bool; auto get_symbol(std::string symbol_name) -> std::uintptr_t; - malloc_t kalloc; - memcpy_t kmemcpy; + malloc_t alloc; + memcpy_t mcopy; resolve_symbol_t resolve_symbol; private: bool map_symbols(std::vector& objs);
diff --git a/demos/Theodosius-Kernel/Theodosius-VDM/main.cpp b/demos/Theodosius-Kernel/Theodosius-VDM/main.cpp
index 003efe7..ec1d272 100644
--- a/demos/Theodosius-Kernel/Theodosius-VDM/main.cpp
+++ b/demos/Theodosius-Kernel/Theodosius-VDM/main.cpp
@@ -95,7 +95,8 @@ int main(int argc, char** argv) // use VDM to syscall into ExAllocatePool... vdm::vdm_ctx vdm(_read_phys, _write_phys); - theo::malloc_t _kalloc = [&](std::size_t size) -> void* + theo::malloc_t _kalloc = + [&](std::size_t size, std::uint32_t prot) -> void* { using ex_alloc_pool_t = void* (*)(std::uint32_t, std::uint32_t);
diff --git a/demos/Theodosius-Kernel/Theodosius-VDM/theo.h b/demos/Theodosius-Kernel/Theodosius-VDM/theo.h
index 51b1206..3615438 100644
--- a/demos/Theodosius-Kernel/Theodosius-VDM/theo.h
+++ b/demos/Theodosius-Kernel/Theodosius-VDM/theo.h
@@ -10,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector; } namespace theo { - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;
diff --git a/demos/Theodosius-Server/client.cpp b/demos/Theodosius-Server/client.cpp
index e946550..6266832 100644
--- a/demos/Theodosius-Server/client.cpp
+++ b/demos/Theodosius-Server/client.cpp
@@ -63,13 +63,14 @@ namespace theo return dest; } - void* client::wrapper_alloc(std::size_t size) const + void* client::wrapper_alloc(std::size_t size, std::uint32_t prot) const { theo_data* packet = new theo_data; memset(packet, NULL, sizeof theo_data); packet->type = theo_packet_type::alloc_memory; packet->alloc.alloc_size = size; + packet->alloc.prot = prot; if (send(client_socket, reinterpret_cast(packet), sizeof theo_data, NULL) == SOCKET_ERROR)
@@ -147,8 +148,8 @@ namespace theo { case theo_packet_type::init: { - theo::malloc_t alloc = [&](std::size_t size) -> void* - { return this->wrapper_alloc(size); }; + theo::malloc_t alloc = [&](std::size_t size, std::uint32_t prot) -> void* + { return this->wrapper_alloc(size, prot); }; theo::memcpy_t mcopy = [&](void* dest, const void* src, std::size_t size) -> void*
diff --git a/demos/Theodosius-Server/client.hpp b/demos/Theodosius-Server/client.hpp
index ab46c9d..73fb7cd 100644
--- a/demos/Theodosius-Server/client.hpp
+++ b/demos/Theodosius-Server/client.hpp
@@ -44,6 +44,7 @@ namespace theo { void* addr; std::size_t alloc_size; + std::uint32_t prot; } alloc; struct
@@ -72,7 +73,7 @@ namespace theo private: void handler() const; void* wrapper_memcpy(void* dest, const void* src, std::size_t size) const; - void* wrapper_alloc(std::size_t size) const; + void* wrapper_alloc(std::size_t size, std::uint32_t prot) const; std::uintptr_t wrapper_resolve_symbol(const char* symbol_name) const; const SOCKET client_socket;
diff --git a/demos/Theodosius-Server/main.cpp b/demos/Theodosius-Server/main.cpp
index 19e3742..7aa1577 100644
--- a/demos/Theodosius-Server/main.cpp
+++ b/demos/Theodosius-Server/main.cpp
@@ -95,6 +95,7 @@ int __cdecl main(int argc, char** argv) sockaddr socket_info; int socket_info_len = sizeof socket_info; + const auto psocket_info = reinterpret_cast(&socket_info);
diff --git a/demos/Theodosius-Server/theo.h b/demos/Theodosius-Server/theo.h
index cb37658..3615438 100644
--- a/demos/Theodosius-Server/theo.h
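Review bot: `wrapper_alloc` in demos/Theodosius-Server/client.cpp (hunk @@ -63,13 +63,14) builds the request in a heap object, `new theo_data`, so the `SOCKET_ERROR` branch and every other exit, all of which lie outside the hunk, must remember to free it. A value-initialised stack object, `theo_data packet{};`, removes both the ownership question and the separate `memset`, with `&packet` passed to `send`. `NULL` is used as the `memset` fill byte and as the `send` flags argument; writing `0` states the intent without relying on the macro converting to an integer.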
+++ b/demos/Theodosius-Server/theo.h
@@ -10,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector; } namespace theo { - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;
@@ -23,8 +23,8 @@ namespace theo auto map_objs(std::vector& objs) -> bool; auto get_symbol(std::string symbol_name) -> std::uintptr_t; - malloc_t kalloc; - memcpy_t kmemcpy; + malloc_t alloc; + memcpy_t mcopy; resolve_symbol_t resolve_symbol; private: bool map_symbols(std::vector& objs);
diff --git a/demos/Theodosius-Usermode/main.cpp b/demos/Theodosius-Usermode/main.cpp
index 2edaa7d..22a53bb 100644
--- a/demos/Theodosius-Usermode/main.cpp
+++ b/demos/Theodosius-Usermode/main.cpp
@@ -92,16 +92,17 @@ int main(int argc, char** argv) return -1; } - theo::malloc_t _alloc = [&](std::size_t size) -> void* + theo::malloc_t _alloc = [&](std::size_t size, std::uint32_t prot) -> void* { - const auto result = VirtualAllocEx - ( - phandle, - nullptr, - size, - MEM_COMMIT | MEM_RESERVE, - PAGE_EXECUTE_READWRITE - ); + const auto result = + VirtualAllocEx + ( + phandle, + nullptr, + size, + MEM_COMMIT | MEM_RESERVE, + prot + ); if (!result) {
diff --git a/demos/Theodosius-Usermode/theo.h b/demos/Theodosius-Usermode/theo.h
index 3c2d2fe..3615438 100644
--- a/demos/Theodosius-Usermode/theo.h
+++ b/demos/Theodosius-Usermode/theo.h
@@ -5,12 +5,12 @@ #include #include -namespace obfuscation { class obfuscate; } +namespace obfuscation{ class obfuscate; } namespace lnk { using obj_buffer_t = std::vector; } namespace theo { - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;
@@ -21,10 +21,10 @@ namespace theo public: explicit hmm_ctx(const mapper_routines_t& routines); auto map_objs(std::vector& objs) -> bool; - auto get_symbol(std::string symbol_name)->std::uintptr_t; + auto get_symbol(std::string symbol_name) -> std::uintptr_t; - malloc_t kalloc; - memcpy_t kmemcpy; + malloc_t alloc; + memcpy_t mcopy; resolve_symbol_t resolve_symbol; private: bool map_symbols(std::vector& objs);
diff --git a/dependencies/Zydis.rar b/dependencies/Zydis.rar
deleted file mode 100644
index 8b1679e..0000000
Binary files a/dependencies/Zydis.rar and /dev/null differ
diff --git a/dependencies/asmjit.rar b/dependencies/asmjit.rar
deleted file mode 100644
index 01bd74e..0000000
Binary files a/dependencies/asmjit.rar and /dev/null differ
diff --git a/dependencies/llvm-obfuscator.rar b/dependencies/dependencies.rar
similarity index 97%
rename from dependencies/llvm-obfuscator.rar
rename to dependencies/dependencies.rar
index b8cf1e8..496ed25 100644
Binary files a/dependencies/llvm-obfuscator.rar and b/dependencies/dependencies.rar differ
diff --git a/include/theo.h b/include/theo.h
index 51b1206..3615438 100644
--- a/include/theo.h
+++ b/include/theo.h
@@ -10,7 +10,7 @@ namespace lnk { using obj_buffer_t = std::vector; } namespace theo { - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;
diff --git a/unknown.png b/resources/imgs/unknown.png
similarity index 100%
rename from unknown.png
rename to resources/imgs/unknown.png
diff --git a/resources/clang-cl.rar b/resources/llvm-obfuscator-compiled.rar
similarity index 100%
rename from resources/clang-cl.rar
rename to resources/llvm-obfuscator-compiled.rar
diff --git a/src/Theodosius/theo.cpp b/src/Theodosius/theo.cpp
index b8044f7..a935677 100644
--- a/src/Theodosius/theo.cpp
+++ b/src/Theodosius/theo.cpp
@@ -213,8 +213,9 @@ namespace theo // these symbols are generated by llvm-obfuscator as "x" and "y"... else if (reloc.raw_symbol.StorageClass == IMAGE_SYM_CLASS_EXTERNAL && reloc.raw_symbol.Value) { - const auto zero_me = alloc(reloc.raw_symbol.Value); + const auto zero_me = alloc(reloc.raw_symbol.Value, PAGE_READWRITE); const auto zero_size = malloc(reloc.raw_symbol.Value); + memset(zero_size, NULL, reloc.raw_symbol.Value); mcopy(zero_me, zero_size, reloc.raw_symbol.Value); free(zero_size);
@@ -383,7 +384,7 @@ namespace theo // these symbols are generated by llvm-obfuscator as "x" and "y"... else if (reloc.raw_symbol.StorageClass == IMAGE_SYM_CLASS_EXTERNAL && reloc.raw_symbol.Value) { - const auto zero_me = alloc(reloc.raw_symbol.Value); + const auto zero_me = alloc(reloc.raw_symbol.Value, PAGE_READWRITE); const auto zero_size = malloc(reloc.raw_symbol.Value); memset(zero_size, NULL, reloc.raw_symbol.Value); mcopy(zero_me, zero_size, reloc.raw_symbol.Value);
@@ -527,7 +528,7 @@ namespace theo mapped_symbols[new_symbol] = reinterpret_cast( - alloc(new_gadget->get_size())); + alloc(new_gadget->get_size(), PAGE_EXECUTE_READWRITE)); obfuscated_gadgets[mapped_symbols[new_symbol]] = new_gadget; DBG_PRINT("\t\t> %s allocated = 0x%p, size = %d\n", new_symbol.c_str(),
@@ -565,7 +566,7 @@ namespace theo if (symbol.type == IMAGE_SYM_FUNCTION) { mapped_symbols[symbol.symbol_name] = - reinterpret_cast(alloc(symbol.size)); + reinterpret_cast(alloc(symbol.size, PAGE_EXECUTE_READWRITE)); DBG_PRINT("\t> %s allocated at = 0x%p, size = %d\n", symbol.symbol_name.c_str(), mapped_symbols[symbol.symbol_name], symbol.size);
@@ -584,7 +585,7 @@ namespace theo { mapped_symbols[data_section_sym] = reinterpret_cast(alloc( - section_headers[symbol.section_number - 1].SizeOfRawData)); + section_headers[symbol.section_number - 1].SizeOfRawData, PAGE_READWRITE)); DBG_PRINT("\t> section %s allocated at = 0x%p, size = %d\n", data_section_sym.c_str(),
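Review bot: In src/Theodosius/theo.cpp (hunk @@ -213,8 +213,9) the added `memset(zero_size, NULL, reloc.raw_symbol.Value)` writes through the result of `malloc` without checking it, and `zero_me` from `alloc` is passed to `mcopy` unchecked as well, while the size is taken directly from the object file's symbol record. A zero-initialised vector gives the same buffer without the manual `malloc`/`memset`/`free`: `std::vector<std::uint8_t> zeros(reloc.raw_symbol.Value);` followed by `mcopy(zero_me, zeros.data(), zeros.size());`, guarded by `if (!zero_me)` taking whatever failure path the enclosing function uses. The block at @@ -383,7 +384,7 has the same shape and needs the same treatment. The enclosing function starts and ends outside both hunks.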
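Review bot: `section_headers[symbol.section_number - 1]` in src/Theodosius/theo.cpp (hunk @@ -584,7 +585,7) is indexed with a value read from the object file, and no bounds check is visible in the hunk. A symbol record whose section number is zero or negative, or larger than the number of sections, would read outside the header array before the size is passed to `alloc`. If this is not already guarded above the hunk, check `symbol.section_number >= 1` and compare it with the section count before indexing. The surrounding loop starts and ends outside the hunk.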
@@ -638,7 +639,7 @@ namespace theo { mapped_symbols[data_section_sym] = reinterpret_cast(alloc( - section_headers[idx].SizeOfRawData)); + section_headers[idx].SizeOfRawData, PAGE_READWRITE)); DBG_PRINT("\t> section %s allocated at = 0x%p, size = %d\n", data_section_sym.c_str(),
diff --git a/src/Theodosius/theo.h b/src/Theodosius/theo.h
index 28c70c7..f38adf2 100644
--- a/src/Theodosius/theo.h
+++ b/src/Theodosius/theo.h
@@ -16,7 +16,7 @@ #pragma comment(lib, "Dbghelp.lib") namespace theo { - using malloc_t = std::function; + using malloc_t = std::function; using memcpy_t = std::function; using resolve_symbol_t = std::function;