From b897ded79c07a5ce347a7d3232f552d2818da24e Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 8 Mar 2021 20:00:14 +0000 Subject: [PATCH] Update README.md --- README.md | 47 ++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 46 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 78a6d7c..6d6f41f 100644 --- a/README.md +++ b/README.md 
@@ -582,9 +582,54 @@ Once compiled the assembly will look like this. Note that each reference to symb 0X13F: DrvEntry endp ``` -Theo calculates the size of each symbol by subtracting the address of the next symbol (in the same section), from the address of the symbol itself. If the symbol is the last one in a section, the distance between the start of the symbol and the end of the section is used. Now lets take a look at what happens when we link/map this routine. +Theo calculates the size of each symbol by subtracting the address of the next symbol (in the same section), from the address of the symbol itself. If the symbol is the last one in a section, the distance between the start of the symbol and the end of the section is used. Now lets take a look at what happens when we link/map this routine. Theo starts by allocating space for all non-obfuscated symbols. +``` +[+] allocating space for symbols... + > ??_C@_0BG@GFEIGDHO@?$DO?5Current?5CR3?5?$DN?50x?$CFp?6?$AA@ allocated at = 0xFFFF998BC5361FB0, size = 22 + > ??_C@_0BB@HGKDPLMC@?$DO?5Loop?5Demo?3?5?$CFd?6?$AA@ allocated at = 0xFFFF998BC5364FA0, size = 17 + > ??_C@_0BA@LBLNBFIC@?$DO?5Hello?5World?$CB?6?$AA@ allocated at = 0xFFFF998BC5365FA0, size = 16 + > ??_C@_0BK@PLIIADON@?$DO?5PiDDBCacheTable?5?$DN?50x?$CFp?6?$AA@ allocated at = 0xFFFF998BC5366EA0, size = 26 + > ??_C@_0DE@FLODGMCP@?$DO?5win32kfull?$CBNtUserRegisterShell@ allocated at = 0xFFFF998BC5366EE0, size = 52 + > ??_C@_0BD@JGNLDBEI@?$DO?5DrvEntry?5?$DN?50x?$CFp?6?$AA@ allocated at = 0xFFFF998BC5366F40, size = 19 + > ?PrintCR3@@YAXXZ allocated at = 0xFFFF998BC5366F80, size = 58 +``` + +As you can see, each string gets its own pool, each global variable does too, and every non-obfuscated routine is mapped into its own pool. The memory however, has not been copied yet since there are relocations that need to happen before they are copied into memory (in PrintCr3). + +The next thing Theo does is allocate space for obfuscated routines. 
In the `DemoDrv`, there is a demo for each type of obfuscation (just mutation and control flow obfuscation for now). + +``` +[+] allocating space for obfuscated symbols... + > ?LoopDemo@@YAXXZ allocated = 0xFFFF998BC5369DA0, size = 18 + > ?LoopDemo@@YAXXZ@4 allocated = 0xFFFF998BC5369DE0, size = 22 + > ?LoopDemo@@YAXXZ@12 allocated = 0xFFFF998BC5369E20, size = 19 + > fixing JCC rva... + > new rva = 0xe + > old rva = 0x2a + > ?LoopDemo@@YAXXZ@17 allocated = 0xFFFF998BC5369E60, size = 34 + > ?LoopDemo@@YAXXZ@23 allocated = 0xFFFF998BC5369EB0, size = 18 + > ?LoopDemo@@YAXXZ@27 allocated = 0xFFFF998BC5369EF0, size = 24 + > ?LoopDemo@@YAXXZ@37 allocated = 0xFFFF998BC5369F30, size = 24 + > ?LoopDemo@@YAXXZ@47 allocated = 0xFFFF998BC5369F70, size = 16 + > ?LoopDemo@@YAXXZ@49 allocated = 0xFFFF998BC5369FA0, size = 18 + > ?LoopDemo@@YAXXZ@53 allocated = 0xFFFF998BC5368BA0, size = 17 + > ?LoopDemo@@YAXXZ@56 allocated = 0xFFFF998BC5368BE0, size = 18 + > ?LoopDemo@@YAXXZ@60 allocated = 0xFFFF998BC5368C20, size = 14 + > ?LoopDemo@@YAXXZ@65 allocated = 0xFFFF998BC5368C50, size = 18 + > ?LoopDemo@@YAXXZ@69 allocated = 0xFFFF998BC5368C90, size = 15 +``` + +As you can see, Theo uses Zydis to go over all routines marked for obfuscation and generates new symbols for each instruction inside of the routine. The symbol goes by `[RoutineName]@[Instruction Offset]`. Note that JCC's are indeed rip relative, these need to be fixed. + +``` +> fixing JCC rva... + > new rva = 0xe + > old rva = 0x2a +> ?LoopDemo@@YAXXZ@17 allocated = 0xFFFF998BC5369E60, size = 34 +``` +Note that in DemoDrv there is a function called "LoopDemo" which is obfuscated. Instead of the JCC instruction branching to the conditional code, it instead branches to an inline jmp. If it doesnt branch, then it simply jumps to the next instruction like normal. ### Usermode Example
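Review bot: The size calculation sentence in the first `+` line of this hunk has the subtraction reversed: "subtracting the address of the next symbol ... from the address of the symbol itself" yields a negative size; it should read "subtracting the address of the symbol from the address of the next symbol (in the same section)". Since the same sentence was already wrong in the removed `-` line, this is the chance to fix it while the paragraph is being rewritten. While editing that paragraph, also consider stating that a size derived from the distance to the next symbol (or to the section end) includes any alignment padding after the symbol, so the pool sizes shown in the log are upper bounds rather than exact symbol lengths. Minor nits in the added prose: "Now lets take a look" should be "Now let's take a look", "JCC's are indeed rip relative" should be "JCCs are indeed RIP-relative", "If it doesnt branch" should be "If it doesn't branch", and "(in PrintCr3)" does not match the `?PrintCR3@@YAXXZ` symbol shown in the log above it. The two log excerpts are also inconsistent with each other ("allocated at =" for non-obfuscated symbols versus "allocated =" for obfuscated ones); if Theo really prints both forms, fine, otherwise align them so the README matches the tool's output. Finally, the closing text runs "like normal. ### Usermode Example" together; a blank line before the `### Usermode Example` heading is needed for it to render as a heading.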