fixed some JCC issues... added new reloc type..

DemoDrv/DemoDrv.vcxproj

@@ -50,12 +50,15 @@
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
     <EnableInf2cat>false</EnableInf2cat>
+    <IncludePath>$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)</IncludePath>
+    <ExecutablePath>$(LLVMInstallDir)\bin;$(ExecutablePath);</ExecutablePath>
   </PropertyGroup>
   <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
     <DebuggerFlavor>DbgengKernelDebugger</DebuggerFlavor>
     <EnableInf2cat>false</EnableInf2cat>
     <IntDir>$(SolutionDir)$(Platform)\$(Configuration)\</IntDir>
     <IncludePath>$(IncludePath);$(KMDF_INC_PATH)$(KMDF_VER_PATH)</IncludePath>
+    <ExecutablePath>$(LLVMInstallDir)\bin;$(ExecutablePath);</ExecutablePath>
   </PropertyGroup>
   <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
     <ClCompile>
@@ -99,6 +102,7 @@
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="Theodosius.h" />
+    <ClInclude Include="Types.h" />
   </ItemGroup>
   <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
   <ImportGroup Label="ExtensionTargets">

DemoDrv/DemoDrv.vcxproj.filters

@@ -18,5 +18,8 @@
     <ClInclude Include="Theodosius.h">
       <Filter>Header Files</Filter>
     </ClInclude>
+    <ClInclude Include="Types.h">
+      <Filter>Header Files</Filter>
+    </ClInclude>
   </ItemGroup>
 </Project>

DemoDrv/DriverEntry.cpp

@@ -1,8 +1,36 @@
 #include "Theodosius.h"
+#include "Types.h"
 
-MutateRoutine extern "C" void drv_entry()
+// this routine is not obfuscated...
+void PrintCR3()
+{
+	ULONG_PTR Cr3Value =
+		*reinterpret_cast<ULONG_PTR*>(
+			IoGetCurrentProcess() + CR3_OFFSET);
+
+	DbgPrint("> Current CR3 = 0x%p\n", Cr3Value);
+}
+
+ObfuscateRoutine void LoopDemo()
+{
+	// JCC's work! :)
+	for (auto idx = 0u; idx < 10; ++idx)
+		DbgPrint("> Loop Demo: %d\n", idx);
+}
+
+// entry point must be named "DrvEntry" for this example...
+MutateRoutine extern "C" void DrvEntry()
 {
 	DbgPrint("> Hello World!\n");
+
+	// non-exported symbols being resolved by jit linker...
 	DbgPrint("> PiDDBCacheTable = 0x%p\n", &PiDDBCacheTable);
 	DbgPrint("> win32kfull!NtUserRegisterShellPTPListener = 0x%p\n", &NtUserRegisterShellPTPListener);
+
+	// example of referencing itself...
+	DbgPrint("> DrvEntry = 0x%p\n", &DrvEntry);
+
+	// example of calling other obfuscated/non obfuscated routines...
+	PrintCR3();
+	LoopDemo();
 }

DemoDrv/Theodosius.h

@@ -1,11 +1,3 @@
 #pragma once
-#include <intrin.h>
 #define ObfuscateRoutine __declspec(code_seg(".theo"), noinline)
 #define MutateRoutine __declspec(code_seg(".theo1"), noinline)
-
-// win32kfull.sys export example...
-extern "C" void NtUserRegisterShellPTPListener();
-extern "C" void* PiDDBCacheTable;
-
-extern "C" unsigned long DbgPrint(const char* format, ...);
-extern "C" unsigned long long IoGetCurrentProcess();

DemoDrv/Types.h

@@ -0,0 +1,24 @@
+#pragma once
+#define NT_SUCCESS(x) ((x) >= 0)
+#define STATUS_INFO_LENGTH_MISMATCH 0xc0000004
+#define CR3_OFFSET 0x28
+
+using NTSTATUS = unsigned long;
+using PVOID = void*;
+
+using HANDLE = unsigned long;
+using UCHAR = unsigned char;
+using USHORT = unsigned short;
+using ULONG = unsigned long;
+using PULONG = unsigned long*;
+typedef unsigned long long ULONG_PTR;
+
+// this is a demo of resolving non-exported symbols...
+// win32kfull.sys export example...
+extern "C" void NtUserRegisterShellPTPListener();
+extern "C" void* PiDDBCacheTable;
+
+extern "C" unsigned char* IoGetCurrentProcess();
+extern "C" unsigned long DbgPrint(const char* format, ...);
+extern "C" PVOID ExAllocatePool(ULONG, ULONG);
+extern "C" void ExFreePool(PVOID);

Theodosius/hmdm_ctx.cpp

@@ -47,7 +47,7 @@ namespace theo
 		}
 
 		std::printf("[+] linking complete...\n");
-		return mapped_symbols["drv_entry"];
+		return mapped_symbols["DrvEntry"];
 	}
 
 	bool hmm_ctx::map_symbols(std::vector<lnk::obj_buffer_t>& objs)
@@ -143,8 +143,8 @@ namespace theo
 					continue;
 				
 				std::printf("	> mapping obfuscated routine %s into memory...\n", symbol.symbol_name.c_str());
+				std::int32_t instruc_offset = 0u;
 
-				unsigned instruc_offset = 0u;
 				while (true) // TODO: this is bad code... dont do this!
 				{
 					auto symbol_name = symbol.symbol_name;
@@ -176,9 +176,16 @@ namespace theo
 
 						switch (reloc.type)
 						{
-							case obfuscation::reloc_type::none:
+							case obfuscation::reloc_type::jcc:
-								break;
+							{
+								const auto next_instruc_symbol =
+									std::string(symbol.symbol_name).append("@")
+										.append(std::to_string(instruc_offset + instruc_len + reloc.rva));
 
+								*reinterpret_cast<std::uintptr_t*>(fix_reloc_addr) =
+									mapped_symbols[next_instruc_symbol];
+								break;
+							}
 							case obfuscation::reloc_type::next_instruction_addr:
 							{
 								const auto next_instruc_symbol =
@@ -190,6 +197,10 @@ namespace theo
 
 								break; // we resolved our own relocation...
 							}
+							case obfuscation::reloc_type::none:
+							{
+								break;
+							}
 							default: 
 							{
 								// check this instruction to see if it needs any relocs...

Theodosius/main.cpp

@@ -180,18 +180,8 @@ int main(int argc, char** argv)
 						reinterpret_cast<const char*>(
 							drv_info->OffsetToFileName + drv_info->FullPathName);
 
-					__try
-					{
-						const auto temp_result =
-							utils::kmodule::get_export(drv_name, symbol_name);
-
-						if (!temp_result)
-							return true;
-
 					// false if we found the symbol...
-						return (!(result = temp_result));
+					return (!(result = utils::kmodule::get_export(drv_name, symbol_name)));
-					}
-					__except (EXCEPTION_EXECUTE_HANDLER) { return true; }
 				}
 			);
 		}

Theodosius/obfuscation/obfuscation.cpp

@@ -7,8 +7,11 @@ namespace obfuscation
 		:
 		instruction(info)
 	{
-		switch (instruction.first.mnemonic)
+		// idk what i did to zydis but + 1 fixed it?
+		// this is brutal... TODO: figure out tf is going on here...
+		switch (instruction.first.mnemonic + 1)
 		{
+		case ZYDIS_MNEMONIC_JLE:
 		case ZYDIS_MNEMONIC_JB:
 		case ZYDIS_MNEMONIC_JBE:
 		case ZYDIS_MNEMONIC_JCXZ:
@@ -16,7 +19,6 @@ namespace obfuscation
 		case ZYDIS_MNEMONIC_JKNZD:
 		case ZYDIS_MNEMONIC_JKZD:
 		case ZYDIS_MNEMONIC_JL:
-		case ZYDIS_MNEMONIC_JLE:
 		case ZYDIS_MNEMONIC_JNB:
 		case ZYDIS_MNEMONIC_JNBE:
 		case ZYDIS_MNEMONIC_JNL:
@@ -31,38 +33,53 @@ namespace obfuscation
 		case ZYDIS_MNEMONIC_JS:
 		case ZYDIS_MNEMONIC_JZ:
 		{
-			reloc_t inline_jmp_reloc
-			{
-				JMP_RIP_ADDR_IDX,
-				reloc_type::next_instruction_addr
-			};
-
 			const auto rva_fix_offset = instruction.first.length -
 				(instruction.first.operands[0].size / 8);
 
 			const auto rva_fix_addr =
 				instruction.second.data() + rva_fix_offset;
 
+			reloc_t inline_jmp_reloc
+			{
+				reloc_type::next_instruction_addr,
+				JMP_RIP_ADDR_IDX
+			};
+
+			reloc_t inline_jmp_branch
+			{
+				reloc_type::jcc,
+				JMP_RIP_ADDR_IDX,
+				*reinterpret_cast<std::int32_t*>(rva_fix_addr)
+			};
+
 			std::printf("			> fixing JCC rva...\n");
 			std::printf("				> new rva = 0x%x\n", JMP_RIP_SIZE);
 			std::printf("				> old rva = 0x%x\n",
-				*reinterpret_cast<std::uint32_t*>(rva_fix_addr));
+				*reinterpret_cast<std::int32_t*>(rva_fix_addr));
 
 			// when you inherit obfuscate please be mindful of JCC rvas...
-			*reinterpret_cast<std::uint32_t*>(rva_fix_addr) = JMP_RIP_SIZE;
+			*reinterpret_cast<std::int32_t*>(rva_fix_addr) = JMP_RIP_SIZE;
 
 			gadget_stack.push_back({ instruction.second, {} });
 			gadget_stack.push_back({ jmp_rip, inline_jmp_reloc });
-			gadget_stack.push_back({ jmp_rip, inline_jmp_reloc });
+			gadget_stack.push_back({ jmp_rip, inline_jmp_branch });
 			break;
 		}
 		case ZYDIS_MNEMONIC_JMP:
 		{
+			const auto rva_fix_offset = instruction.first.length -
+				(instruction.first.operands[0].size / 8);
+
+			const auto rva_fix_addr =
+				instruction.second.data() + rva_fix_offset;
+
 			reloc_t inline_jmp_reloc
 			{
+				reloc_type::jcc,
 				JMP_RIP_ADDR_IDX,
-				reloc_type::next_instruction_addr 
+				*reinterpret_cast<std::int32_t*>(rva_fix_addr)
 			};
+
 			gadget_stack.push_back({ jmp_rip, inline_jmp_reloc });
 			break;
 		}
@@ -75,8 +92,8 @@ namespace obfuscation
 		{
 			reloc_t inline_jmp_reloc
 			{
-				JMP_RIP_ADDR_IDX,
+				reloc_type::next_instruction_addr,
-				reloc_type::next_instruction_addr
+				JMP_RIP_ADDR_IDX
 			};
 
 			gadget_stack.push_back({ instruction.second, {} });
@@ -157,6 +174,6 @@ namespace obfuscation
 		// instruction gets executed...
 		gadget_stack.insert(
 			gadget_stack.begin(), 
-				{ std::move(stack_palindrome), {NULL, reloc_type::none} });
+				{ std::move(stack_palindrome), {reloc_type::none, NULL, NULL } });
 	}
 }

Theodosius/obfuscation/obfuscation.hpp

@@ -22,13 +22,15 @@ namespace obfuscation
 	enum class reloc_type
 	{
 		none = -1,
-		next_instruction_addr = 1
+		jcc = 1,
+		next_instruction_addr = 2
 	};
 
 	struct reloc_t
 	{
-		std::uint32_t offset;
 		reloc_type type;
+		std::uint32_t offset;
+		std::int32_t rva;
 	};
 
 	using instruction_info_t = std::pair<ZydisDecodedInstruction, std::vector<std::uint8_t>>;

Theodosius/utils.hpp

@@ -284,6 +284,13 @@ namespace utils
 							DONT_RESOLVE_DLL_REFERENCES
 						);
 
+					if (!module_base)
+					{
+						// free the RTL_PROCESS_MODULES buffer...
+						VirtualFree(buffer, NULL, MEM_RELEASE);
+						return NULL;
+					}
+
 					const auto image_base =
 						reinterpret_cast<std::uintptr_t>(
 							modules->Modules[idx].ImageBase);