From e5e21b87fd2e6e936b3ace90fa11597f1227c856 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sat, 6 Mar 2021 12:30:26 -0800 Subject: [PATCH] going to add a virtual class for obfuscation and then inherit it for each type of obfuscation (mutation, encryption, and code flow obfuscation) --- DemoDrv/Theodosius.h | 4 +++- Theodosius/Theodosius.vcxproj | 4 +++- Theodosius/Theodosius.vcxproj.filters | 6 ++++++ Theodosius/Theodosius.vcxproj.user | 2 +- Theodosius/hmdm_ctx.cpp | 19 ++++++++++--------- Theodosius/linker/linker.cpp | 15 +++++++++++---- Theodosius/linker/linker.hpp | 9 ++++++++- Theodosius/obfuscation/obfuscation.cpp | 0 Theodosius/obfuscation/obfuscation.hpp | 7 +++++++ 9 files changed, 49 insertions(+), 17 deletions(-) create mode 100644 Theodosius/obfuscation/obfuscation.cpp create mode 100644 Theodosius/obfuscation/obfuscation.hpp diff --git a/DemoDrv/Theodosius.h b/DemoDrv/Theodosius.h index 37fba52..accc39a 100644 --- a/DemoDrv/Theodosius.h +++ b/DemoDrv/Theodosius.h @@ -1,6 +1,8 @@ #pragma once #include -#define ObfuscateRoutine __declspec(code_seg(".theo")) +#define ObfuscateRoutine __declspec(code_seg(".theo"), noinline) +#define MutatedRoutine __declspec(code_seg(".theo1"), noinline) +#define EncryptedRoutine __declspec(code_seg(".theo2"), noinline) extern "C" unsigned long DbgPrint(const char* format, ...); extern "C" unsigned long long IoGetCurrentProcess(); diff --git a/Theodosius/Theodosius.vcxproj b/Theodosius/Theodosius.vcxproj index deffcd7..8cea400 100644 --- a/Theodosius/Theodosius.vcxproj +++ b/Theodosius/Theodosius.vcxproj @@ -1,4 +1,4 @@ - + @@ -89,6 +89,7 @@ + @@ -96,6 +97,7 @@ + diff --git a/Theodosius/Theodosius.vcxproj.filters b/Theodosius/Theodosius.vcxproj.filters index 1c2f283..fcffd97 100644 --- a/Theodosius/Theodosius.vcxproj.filters +++ b/Theodosius/Theodosius.vcxproj.filters @@ -38,6 +38,9 @@ Source Files + + Source Files + @@ -199,6 +202,9 @@ Header Files + + Header Files + 
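Review bot: The three `code_seg` macros in DemoDrv/Theodosius.h carry no comment saying why `noinline` was added next to the section name, and the header is the only place a driver author will look for that. Marking the routine `noinline` is what keeps its body inside the named section; an inlined copy in a caller outside `.theo*` would presumably escape the section-name classification done in linker.cpp and be mapped like ordinary code. Suggest a comment above the group such as `// Routines in .theo/.theo1/.theo2 are classified by section name in linker.cpp; noinline keeps the body inside the section so no inlined copy ends up in ordinary code.` The remaining hunks on this line (vcxproj, filters) are project-file changes.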
diff --git a/Theodosius/Theodosius.vcxproj.user b/Theodosius/Theodosius.vcxproj.user index ca6bd57..cfba79c 100644 --- a/Theodosius/Theodosius.vcxproj.user +++ b/Theodosius/Theodosius.vcxproj.user @@ -1,7 +1,7 @@  - C:\Users\_xeroxz\Desktop\drv + C:\Users\_xeroxz\Desktop\drv\DemoDrv.lib WindowsLocalDebugger diff --git a/Theodosius/hmdm_ctx.cpp b/Theodosius/hmdm_ctx.cpp index 75f6271..f7ebaa6 100644 --- a/Theodosius/hmdm_ctx.cpp +++ b/Theodosius/hmdm_ctx.cpp @@ -47,11 +47,11 @@ namespace drv { for (auto& obj : objs) { - for (auto symbol : lnk::sym::get_all(obj)) + for (auto& symbol : lnk::sym::get_all(obj)) { // dont map obfuscated routines into memory as they // get mapped differently... - if (symbol.obfuscate_routine) + if (symbol.obfuscate_type) continue; const auto symbol_mapped = @@ -77,7 +77,7 @@ namespace drv { for (auto& obj : objs) { - for (auto reloc : lnk::sym::get_relocs(obj)) + for (auto& reloc : lnk::sym::get_relocs(obj)) { if (reloc.type != IMAGE_REL_AMD64_ADDR64) { @@ -130,9 +130,9 @@ namespace drv { for (auto& obj : objs) { - for (auto symbol : lnk::sym::get_all(obj)) + for (auto& symbol : lnk::sym::get_all(obj)) { - if (!symbol.obfuscate_routine) + if (!symbol.obfuscate_type) continue; std::printf("> resolving obfuscated relocations for routine = %s\n", symbol.symbol_name.c_str()); @@ -361,10 +361,10 @@ namespace drv { for (auto& obj : objs) { - for (auto symbol : lnk::sym::get_all(obj)) + for (auto& symbol : lnk::sym::get_all(obj)) { // skip obfuscated routines for now... those get scattered... - if (!symbol.obfuscate_routine) + if (!symbol.obfuscate_type) continue; ZydisDecoder decoder; @@ -453,10 +453,10 @@ namespace drv { for (auto& obj : objs) { - for (auto symbol : lnk::sym::get_all(obj)) + for (auto& symbol : lnk::sym::get_all(obj)) { // skip obfuscated routines for now... those get scattered... - if (symbol.obfuscate_routine) + if (symbol.obfuscate_type) continue; mapped_symbols[symbol.symbol_name] = 
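Review bot: `if (symbol.obfuscate_type)` in the @@ -47 hunk of hmdm_ctx.cpp, and its negated form in @@ -130, @@ -361 and @@ -453, tests an enum for truthiness; that only works because linker.cpp stores the unnamed zero `(theo_type)NULL` for ordinary symbols, and nothing in `theo_type` documents that zero means "not in a .theo section". These loops also now skip or select mutated and encrypted routines together with plain obfuscated ones, which differs from the old `obfuscate_routine` flag and deserves a comment at each site if intended. Giving the enum an explicit zero enumerator (say `none = 0`) and writing e.g. `if (symbol.obfuscate_type != lnk::theo_type::none) continue;` makes both points explicit at the call sites. The enclosing functions begin and end outside these hunks.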
@@ -466,5 +466,6 @@ namespace drv symbol.symbol_name.c_str(), mapped_symbols[symbol.symbol_name], symbol.size); } } + return true; } } \ No newline at end of file diff --git a/Theodosius/linker/linker.cpp b/Theodosius/linker/linker.cpp index b05f5e4..bb917a0 100644 --- a/Theodosius/linker/linker.cpp +++ b/Theodosius/linker/linker.cpp @@ -234,11 +234,18 @@ namespace lnk symbol.type = symbol_table[idx].Type; symbol.size = get_symbol_size(symbol, obj); - if (!strncmp((char*)section_headers[ - symbol_table[idx].SectionNumber - 1].Name, ".theo", strlen(".theo") - 1)) - symbol.obfuscate_routine = true; + const auto section_name = + reinterpret_cast( + section_headers[symbol_table[idx].SectionNumber - 1].Name); + + if (!strncmp(section_name, ".theo", sizeof(".theo") - 1)) + symbol.obfuscate_type = theo_type::obfuscate; + else if (!strncmp(section_name, ".theo1", sizeof(".theo1") - 1)) + symbol.obfuscate_type = theo_type::mutate; + else if (!strncmp(section_name, ".theo2", sizeof(".theo2") - 1)) + symbol.obfuscate_type = theo_type::encrypt; else - symbol.obfuscate_routine = false; + symbol.obfuscate_type = (theo_type)NULL; // there can be more then one aux symbols... if (symbol_table[idx].NumberOfAuxSymbols) diff --git a/Theodosius/linker/linker.hpp b/Theodosius/linker/linker.hpp index 90eeedd..a52c67c 100644 --- a/Theodosius/linker/linker.hpp +++ b/Theodosius/linker/linker.hpp @@ -7,6 +7,13 @@ namespace lnk { + enum theo_type + { + obfuscate = 1, + mutate = 2, + encrypt = 3 + }; + struct symbol_t { // name of the symbol... not mangled... @@ -28,7 +35,7 @@ namespace lnk std::uint32_t size; // if this symbol is a function and is inside of a .theo section... - bool obfuscate_routine; + theo_type obfuscate_type; }; // redef of IMAGE_RELOCATION so that "VirtualAddress" diff --git a/Theodosius/obfuscation/obfuscation.cpp b/Theodosius/obfuscation/obfuscation.cpp new file mode 100644 index 0000000..e69de29 
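Review bot: The section-name classification in the @@ -234 hunk of linker.cpp can never yield `mutate` or `encrypt`: `strncmp(section_name, ".theo", sizeof(".theo") - 1)` compares only the first five characters, so `.theo1` and `.theo2` also match the first branch and the two `else if` arms are dead code. Test the longer names first, i.e. move the `.theo1` and `.theo2` comparisons above `if (!strncmp(section_name, ".theo", sizeof(".theo") - 1))`, or better compare the full 8-byte `Name` field, since COFF section names are not NUL-terminated and a prefix test would also accept any other section starting with `.theo`. The fallback `symbol.obfuscate_type = (theo_type)NULL;` is a C-style cast to a value the enum does not name; add a zero enumerator to `theo_type` in the linker.hpp hunk on this line and assign that instead. Separately, `section_headers[symbol_table[idx].SectionNumber - 1]` is indexed without a range check, and COFF symbols whose `SectionNumber` is 0 (undefined), -1 (absolute) or -2 (debug) would read before the start of the table; guard with `SectionNumber <= 0` (and against the file header's section count, which is not visible here) before the lookup and classify such symbols as not obfuscated.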
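Review bot: The comment kept above `theo_type obfuscate_type;` in the @@ -28 hunk of linker.hpp, "if this symbol is a function and is inside of a .theo section...", is now stale: the field is no longer a yes/no answer but identifies one of three sections, and its zero state is unnamed. Suggest replacing it with `// which .theo* section (if any) this function symbol lives in; zero means none` and, as a matter of style, declaring `theo_type` with an explicit underlying type so its storage in `symbol_t` is fixed. The `struct symbol_t` definition itself begins and ends outside the hunks on this line.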
diff --git a/Theodosius/obfuscation/obfuscation.hpp b/Theodosius/obfuscation/obfuscation.hpp
new file mode 100644
index 0000000..05e9075
--- /dev/null
+++ b/Theodosius/obfuscation/obfuscation.hpp
@@ -0,0 +1,7 @@
+#include
+#include
+
+namespace obfuscation
+{
+
+}
\ No newline at end of file
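Review bot: The new obfuscation.hpp has no include guard: `DemoDrv/Theodosius.h` in this same patch opens with `#pragma once`, and this header should too, since it is meant to be included from several translation units once the per-type classes are added. The targets of the two `#include` lines are not legible on this page, so I cannot tell whether an empty namespace needs them. If the virtual base class described in the commit message lands here, it will need a `virtual` destructor (or a protected non-virtual one) so that deleting through a base pointer is well-defined.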