Update README.md

2.0
_xeroxz 4 years ago
parent 0e7c1ad6ef
commit b897ded79c

@ -582,9 +582,54 @@ Once compiled the assembly will look like this. Note that each reference to symb
0X13F: DrvEntry endp
```
Theo calculates the size of each symbol by subtracting the address of the next symbol (in the same section), from the address of the symbol itself. If the symbol is the last one in a section, the distance between the start of the symbol and the end of the section is used. Now lets take a look at what happens when we link/map this routine.
Theo calculates the size of each symbol by subtracting the address of the next symbol (in the same section), from the address of the symbol itself. If the symbol is the last one in a section, the distance between the start of the symbol and the end of the section is used. Now lets take a look at what happens when we link/map this routine. Theo starts by allocating space for all non-obfuscated symbols.
```
[+] allocating space for symbols...
> ??_C@_0BG@GFEIGDHO@?$DO?5Current?5CR3?5?$DN?50x?$CFp?6?$AA@ allocated at = 0xFFFF998BC5361FB0, size = 22
> ??_C@_0BB@HGKDPLMC@?$DO?5Loop?5Demo?3?5?$CFd?6?$AA@ allocated at = 0xFFFF998BC5364FA0, size = 17
> ??_C@_0BA@LBLNBFIC@?$DO?5Hello?5World?$CB?6?$AA@ allocated at = 0xFFFF998BC5365FA0, size = 16
> ??_C@_0BK@PLIIADON@?$DO?5PiDDBCacheTable?5?$DN?50x?$CFp?6?$AA@ allocated at = 0xFFFF998BC5366EA0, size = 26
> ??_C@_0DE@FLODGMCP@?$DO?5win32kfull?$CBNtUserRegisterShell@ allocated at = 0xFFFF998BC5366EE0, size = 52
> ??_C@_0BD@JGNLDBEI@?$DO?5DrvEntry?5?$DN?50x?$CFp?6?$AA@ allocated at = 0xFFFF998BC5366F40, size = 19
> ?PrintCR3@@YAXXZ allocated at = 0xFFFF998BC5366F80, size = 58
```
As you can see, each string gets its own pool, each global variable does too, and every non-obfuscated routine is mapped into its own pool. The memory however, has not been copied yet since there are relocations that need to happen before they are copied into memory (in PrintCr3).
The next thing Theo does is allocate space for obfuscated routines. In the `DemoDrv`, there is a demo for each type of obfuscation (just mutation and control flow obfuscation for now).
```
[+] allocating space for obfuscated symbols...
> ?LoopDemo@@YAXXZ allocated = 0xFFFF998BC5369DA0, size = 18
> ?LoopDemo@@YAXXZ@4 allocated = 0xFFFF998BC5369DE0, size = 22
> ?LoopDemo@@YAXXZ@12 allocated = 0xFFFF998BC5369E20, size = 19
> fixing JCC rva...
> new rva = 0xe
> old rva = 0x2a
> ?LoopDemo@@YAXXZ@17 allocated = 0xFFFF998BC5369E60, size = 34
> ?LoopDemo@@YAXXZ@23 allocated = 0xFFFF998BC5369EB0, size = 18
> ?LoopDemo@@YAXXZ@27 allocated = 0xFFFF998BC5369EF0, size = 24
> ?LoopDemo@@YAXXZ@37 allocated = 0xFFFF998BC5369F30, size = 24
> ?LoopDemo@@YAXXZ@47 allocated = 0xFFFF998BC5369F70, size = 16
> ?LoopDemo@@YAXXZ@49 allocated = 0xFFFF998BC5369FA0, size = 18
> ?LoopDemo@@YAXXZ@53 allocated = 0xFFFF998BC5368BA0, size = 17
> ?LoopDemo@@YAXXZ@56 allocated = 0xFFFF998BC5368BE0, size = 18
> ?LoopDemo@@YAXXZ@60 allocated = 0xFFFF998BC5368C20, size = 14
> ?LoopDemo@@YAXXZ@65 allocated = 0xFFFF998BC5368C50, size = 18
> ?LoopDemo@@YAXXZ@69 allocated = 0xFFFF998BC5368C90, size = 15
```
As you can see, Theo uses Zydis to go over all routines marked for obfuscation and generates new symbols for each instruction inside of the routine. The symbol goes by `[RoutineName]@[Instruction Offset]`. Note that JCC's are indeed rip relative, these need to be fixed.
```
> fixing JCC rva...
> new rva = 0xe
> old rva = 0x2a
> ?LoopDemo@@YAXXZ@17 allocated = 0xFFFF998BC5369E60, size = 34
```
Note that in DemoDrv there is a function called "LoopDemo" which is obfuscated. Instead of the JCC instruction branching to the conditional code, it instead branches to an inline jmp. If it doesnt branch, then it simply jumps to the next instruction like normal.
### Usermode Example
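Review bot: The size rule in the rewritten paragraph is inverted: "subtracting the address of the next symbol (in the same section), from the address of the symbol itself" gives a negative number. It should say the size is the next symbol's address minus the symbol's own address (and, for the last symbol in a section, the section end minus the symbol's address). Same paragraph: "Now lets take a look" should be "let's". The lines `> fixing JCC rva...` / `> new rva = 0xe` / `> old rva = 0x2a` appear twice, once inside the full allocation listing and again as a standalone excerpt right after it; either drop them from the first listing or say the excerpt is repeated from above, otherwise a reader may think two JCC fixups happened. Also, the per-instruction sizes in the obfuscated listing (e.g. 18 bytes for `?LoopDemo@@YAXXZ`, whose next symbol is at offset `@4`, so the instruction itself is 4 bytes) are larger than the instructions they hold; one sentence saying what the extra bytes are (the trailing jmp to the next instruction symbol that the LoopDemo explanation alludes to, if that is what they are) would make the listing self-explanatory.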
