going to add a virtual class for obfuscation and then inherit it for

each type of obfuscation (mutation, encryption, and code flow
obfuscation)
2.0
_xeroxz 4 years ago
parent 103c2304c8
commit e5e21b87fd

@ -1,6 +1,8 @@
#pragma once
#include <intrin.h>
#define ObfuscateRoutine __declspec(code_seg(".theo"))
#define ObfuscateRoutine __declspec(code_seg(".theo"), noinline)
#define MutatedRoutine __declspec(code_seg(".theo1"), noinline)
#define EncryptedRoutine __declspec(code_seg(".theo2"), noinline)
extern "C" unsigned long DbgPrint(const char* format, ...);
extern "C" unsigned long long IoGetCurrentProcess();

@ -1,4 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|x64">
@ -89,6 +89,7 @@
<ClCompile Include="linker\linker.cpp" />
<ClCompile Include="main.cpp" />
<ClCompile Include="msrexec.cpp" />
<ClCompile Include="obfuscation\obfuscation.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="hmdm_ctx.h" />
@ -96,6 +97,7 @@
<ClInclude Include="linker\linker.hpp" />
<ClInclude Include="loadup.hpp" />
<ClInclude Include="msrexec.hpp" />
<ClInclude Include="obfuscation\obfuscation.hpp" />
<ClInclude Include="raw_driver.hpp" />
<ClInclude Include="syscall_handler.h" />
<ClInclude Include="utils.hpp" />

@ -38,6 +38,9 @@
<ClCompile Include="msrexec.cpp">
<Filter>Source Files</Filter>
</ClCompile>
<ClCompile Include="obfuscation\obfuscation.cpp">
<Filter>Source Files</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="Zydis\Generated\EnumInstructionCategory.h">
@ -199,6 +202,9 @@
<ClInclude Include="utils.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="obfuscation\obfuscation.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="syscall_handler.asm">

@ -1,7 +1,7 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LocalDebuggerCommandArguments>C:\Users\_xeroxz\Desktop\drv</LocalDebuggerCommandArguments>
<LocalDebuggerCommandArguments>C:\Users\_xeroxz\Desktop\drv\DemoDrv.lib</LocalDebuggerCommandArguments>
<DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">

@ -47,11 +47,11 @@ namespace drv
{
for (auto& obj : objs)
{
for (auto symbol : lnk::sym::get_all(obj))
for (auto& symbol : lnk::sym::get_all(obj))
{
// dont map obfuscated routines into memory as they
// get mapped differently...
if (symbol.obfuscate_routine)
if (symbol.obfuscate_type)
continue;
const auto symbol_mapped =
@ -77,7 +77,7 @@ namespace drv
{
for (auto& obj : objs)
{
for (auto reloc : lnk::sym::get_relocs(obj))
for (auto& reloc : lnk::sym::get_relocs(obj))
{
if (reloc.type != IMAGE_REL_AMD64_ADDR64)
{
@ -130,9 +130,9 @@ namespace drv
{
for (auto& obj : objs)
{
for (auto symbol : lnk::sym::get_all(obj))
for (auto& symbol : lnk::sym::get_all(obj))
{
if (!symbol.obfuscate_routine)
if (!symbol.obfuscate_type)
continue;
std::printf("> resolving obfuscated relocations for routine = %s\n", symbol.symbol_name.c_str());
@ -361,10 +361,10 @@ namespace drv
{
for (auto& obj : objs)
{
for (auto symbol : lnk::sym::get_all(obj))
for (auto& symbol : lnk::sym::get_all(obj))
{
// skip obfuscated routines for now... those get scattered...
if (!symbol.obfuscate_routine)
if (!symbol.obfuscate_type)
continue;
ZydisDecoder decoder;
@ -453,10 +453,10 @@ namespace drv
{
for (auto& obj : objs)
{
for (auto symbol : lnk::sym::get_all(obj))
for (auto& symbol : lnk::sym::get_all(obj))
{
// skip obfuscated routines for now... those get scattered...
if (symbol.obfuscate_routine)
if (symbol.obfuscate_type)
continue;
mapped_symbols[symbol.symbol_name] =
@ -466,5 +466,6 @@ namespace drv
symbol.symbol_name.c_str(), mapped_symbols[symbol.symbol_name], symbol.size);
}
}
return true;
}
}
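Review bot: The comment kept in the `@ -361` hunk, `// skip obfuscated routines for now... those get scattered...`, says the opposite of the condition under it, because `if (!symbol.obfuscate_type) continue;` skips the routines that are not in a `.theo*` section. It appears to have been copied from the mapping loop, where the test is not negated, and could read `// only routines placed in a .theo* section are handled in this pass`. The loops that now bind `auto& symbol` and `auto& reloc` do not modify the element in the visible lines, so `const auto&` would state that intent. The loop bodies continue outside these hunks.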

@ -234,11 +234,18 @@ namespace lnk
symbol.type = symbol_table[idx].Type;
symbol.size = get_symbol_size(symbol, obj);
if (!strncmp((char*)section_headers[
symbol_table[idx].SectionNumber - 1].Name, ".theo", strlen(".theo") - 1))
symbol.obfuscate_routine = true;
const auto section_name =
reinterpret_cast<const char*>(
section_headers[symbol_table[idx].SectionNumber - 1].Name);
if (!strncmp(section_name, ".theo", sizeof(".theo") - 1))
symbol.obfuscate_type = theo_type::obfuscate;
else if (!strncmp(section_name, ".theo1", sizeof(".theo1") - 1))
symbol.obfuscate_type = theo_type::mutate;
else if (!strncmp(section_name, ".theo2", sizeof(".theo2") - 1))
symbol.obfuscate_type = theo_type::encrypt;
else
symbol.obfuscate_routine = false;
symbol.obfuscate_type = (theo_type)NULL;
// there can be more then one aux symbols...
if (symbol_table[idx].NumberOfAuxSymbols)
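Review bot: The `.theo1` and `.theo2` branches are unreachable, because the first test compares only the five characters of `.theo`, which is a prefix of both longer names. Every routine marked `MutatedRoutine` or `EncryptedRoutine` is therefore classified as `theo_type::obfuscate`. Testing the longer names first fixes this, i.e. `if (!strncmp(section_name, ".theo1", sizeof(".theo1") - 1))` and the `.theo2` test ahead of the plain `.theo` one. Separately, `SectionNumber - 1` is used as an index with no range check in the visible lines, and COFF symbols that are undefined, absolute or debug carry a section number of 0 or below, so the lookup would read before `section_headers`. Checking `symbol_table[idx].SectionNumber > 0` before the lookup would keep it in bounds, unless a guard already exists in the part of the function outside this hunk.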

@ -7,6 +7,13 @@
namespace lnk
{
enum theo_type
{
obfuscate = 1,
mutate = 2,
encrypt = 3
};
struct symbol_t
{
// name of the symbol... not mangled...
@ -28,7 +35,7 @@ namespace lnk
std::uint32_t size;
// if this symbol is a function and is inside of a .theo section...
bool obfuscate_routine;
theo_type obfuscate_type;
};
// redef of IMAGE_RELOCATION so that "VirtualAddress"
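Review bot: `theo_type` has no enumerator for "not obfuscated", so the linker falls back to `(theo_type)NULL` and callers test `if (symbol.obfuscate_type)` through the implicit enum-to-integer conversion. Adding `none = 0` as the first enumerator and assigning `theo_type::none` in the fallback branch would give that state a name without changing the truthiness checks. The comment above the member still describes the old boolean flag and could read `// which .theo* section this symbol was placed in, or none`. `symbol_t` continues outside the hunk.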

@ -0,0 +1,7 @@
#include <Zydis/Zydis.h>
#include <cstdint>
namespace obfuscation
{
}