going to add a virtual class for obfuscation and then inherit it for

each type of obfuscation (mutation, encryption, and code flow obfuscation)
4 years ago · e5e21b87fd
parent 103c2304c8
commit e5e21b87fd
9 changed files with 49 additions and 17 deletions
--- a/DemoDrv/Theodosius.h
+++ b/DemoDrv/Theodosius.h
@ -1,6 +1,8 @@
 #pragma once
 #include <intrin.h>
-#define ObfuscateRoutine __declspec(code_seg(".theo"))
+#define ObfuscateRoutine __declspec(code_seg(".theo"), noinline)
+#define MutatedRoutine __declspec(code_seg(".theo1"), noinline)
+#define EncryptedRoutine __declspec(code_seg(".theo2"), noinline)

 extern "C" unsigned long DbgPrint(const char* format, ...);
 extern "C" unsigned long long IoGetCurrentProcess();
--- a/Theodosius/Theodosius.vcxproj
+++ b/Theodosius/Theodosius.vcxproj
@ -1,4 +1,4 @@
-<?xml version="1.0" encoding="utf-8"?>
+<?xml version="1.0" encoding="utf-8"?>
 <Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|x64">
@ -89,6 +89,7 @@
    <ClCompile Include="linker\linker.cpp" />
    <ClCompile Include="main.cpp" />
    <ClCompile Include="msrexec.cpp" />
+    <ClCompile Include="obfuscation\obfuscation.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="hmdm_ctx.h" />
@ -96,6 +97,7 @@
    <ClInclude Include="linker\linker.hpp" />
    <ClInclude Include="loadup.hpp" />
    <ClInclude Include="msrexec.hpp" />
+    <ClInclude Include="obfuscation\obfuscation.hpp" />
    <ClInclude Include="raw_driver.hpp" />
    <ClInclude Include="syscall_handler.h" />
    <ClInclude Include="utils.hpp" />
--- a/Theodosius/Theodosius.vcxproj.filters
+++ b/Theodosius/Theodosius.vcxproj.filters
@ -38,6 +38,9 @@
    <ClCompile Include="msrexec.cpp">
      <Filter>Source Files</Filter>
    </ClCompile>
+    <ClCompile Include="obfuscation\obfuscation.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Zydis\Generated\EnumInstructionCategory.h">
@ -199,6 +202,9 @@
    <ClInclude Include="utils.hpp">
      <Filter>Header Files</Filter>
    </ClInclude>
+    <ClInclude Include="obfuscation\obfuscation.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <MASM Include="syscall_handler.asm">
--- a/Theodosius/Theodosius.vcxproj.user
+++ b/Theodosius/Theodosius.vcxproj.user
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LocalDebuggerCommandArguments>C:\Users\_xeroxz\Desktop\drv</LocalDebuggerCommandArguments>
+    <LocalDebuggerCommandArguments>C:\Users\_xeroxz\Desktop\drv\DemoDrv.lib</LocalDebuggerCommandArguments>
    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
--- a/Theodosius/hmdm_ctx.cpp
+++ b/Theodosius/hmdm_ctx.cpp
@ -47,11 +47,11 @@ namespace drv
 	{
 		for (auto& obj : objs)
 		{
-			for (auto symbol : lnk::sym::get_all(obj))
+			for (auto& symbol : lnk::sym::get_all(obj))
 			{
 				// dont map obfuscated routines into memory as they
 				// get mapped differently...
-				if (symbol.obfuscate_routine)
+				if (symbol.obfuscate_type)
 					continue;

 				const auto symbol_mapped =
@ -77,7 +77,7 @@ namespace drv
 	{
 		for (auto& obj : objs)
 		{
-			for (auto reloc : lnk::sym::get_relocs(obj))
+			for (auto& reloc : lnk::sym::get_relocs(obj))
 			{
 				if (reloc.type != IMAGE_REL_AMD64_ADDR64)
 				{
@ -130,9 +130,9 @@ namespace drv
 	{
 		for (auto& obj : objs)
 		{
-			for (auto symbol : lnk::sym::get_all(obj))
+			for (auto& symbol : lnk::sym::get_all(obj))
 			{
-				if (!symbol.obfuscate_routine)
+				if (!symbol.obfuscate_type)
 					continue;

 				std::printf("> resolving obfuscated relocations for routine = %s\n", symbol.symbol_name.c_str());
@ -361,10 +361,10 @@ namespace drv
 	{
 		for (auto& obj : objs)
 		{
-			for (auto symbol : lnk::sym::get_all(obj))
+			for (auto& symbol : lnk::sym::get_all(obj))
 			{
 				// skip obfuscated routines for now... those get scattered...
-				if (!symbol.obfuscate_routine)
+				if (!symbol.obfuscate_type)
 					continue;

 				ZydisDecoder decoder;
@ -453,10 +453,10 @@ namespace drv
 	{
 		for (auto& obj : objs)
 		{
-			for (auto symbol : lnk::sym::get_all(obj))
+			for (auto& symbol : lnk::sym::get_all(obj))
 			{
 				// skip obfuscated routines for now... those get scattered...
-				if (symbol.obfuscate_routine)
+				if (symbol.obfuscate_type)
 					continue;

 				mapped_symbols[symbol.symbol_name] =
@ -466,5 +466,6 @@ namespace drv
 					symbol.symbol_name.c_str(), mapped_symbols[symbol.symbol_name], symbol.size);
 			}
 		}
+		return true;
 	}
 }
--- a/Theodosius/linker/linker.cpp
+++ b/Theodosius/linker/linker.cpp
@ -234,11 +234,18 @@ namespace lnk
 				symbol.type = symbol_table[idx].Type;
 				symbol.size = get_symbol_size(symbol, obj);

-				if (!strncmp((char*)section_headers[
-						symbol_table[idx].SectionNumber - 1].Name, ".theo", strlen(".theo") - 1))
-					symbol.obfuscate_routine = true;
+				const auto section_name =
+					reinterpret_cast<const char*>(
+						section_headers[symbol_table[idx].SectionNumber - 1].Name);
+
+				if (!strncmp(section_name, ".theo", sizeof(".theo") - 1))
+					symbol.obfuscate_type = theo_type::obfuscate;
+				else if (!strncmp(section_name, ".theo1", sizeof(".theo1") - 1))
+					symbol.obfuscate_type = theo_type::mutate;
+				else if (!strncmp(section_name, ".theo2", sizeof(".theo2") - 1))
+					symbol.obfuscate_type = theo_type::encrypt;
 				else
-					symbol.obfuscate_routine = false;
+					symbol.obfuscate_type = (theo_type)NULL;

 				// there can be more then one aux symbols...
 				if (symbol_table[idx].NumberOfAuxSymbols)
--- a/Theodosius/linker/linker.hpp
+++ b/Theodosius/linker/linker.hpp
@ -7,6 +7,13 @@

 namespace lnk
 {
+	enum theo_type
+	{
+		obfuscate = 1,
+		mutate = 2,
+		encrypt = 3
+	};
+
 	struct symbol_t
 	{
 		// name of the symbol... not mangled...
@ -28,7 +35,7 @@ namespace lnk
 		std::uint32_t size;

 		// if this symbol is a function and is inside of a .theo section...
-		bool obfuscate_routine;
+		theo_type obfuscate_type;
 	};

 	// redef of IMAGE_RELOCATION so that "VirtualAddress"
--- a/Theodosius/obfuscation/obfuscation.cpp
+++ b/Theodosius/obfuscation/obfuscation.cpp
--- a/Theodosius/obfuscation/obfuscation.hpp
+++ b/Theodosius/obfuscation/obfuscation.hpp
@ -0,0 +1,7 @@
+#include <Zydis/Zydis.h>
+#include <cstdint>
+
+namespace obfuscation
+{
+
+}