Update README.md

2.0
_xeroxz 4 years ago
parent 500fb51007
commit f5652f5f4f

@ -57,39 +57,34 @@ This c++ function, compiled by clang-cl with `mcmodel=large`, will generate a ro
0x53: ?UsermodeNoObfuscation@@YAXXZ endp
```
# Obfuscation
The usage of the word obfuscation in this project is use to define any changes made to code, this includes code flow. `obfuscation::obfuscate`, a base class, which is inherited and expanded upon by `obfuscation::mutation`, obfuscates code flow by inserting `JMP [RIP+0x0]` instructions after every single instruction. This allows for a routine to be broken up into unique allocations of memory and thus provides more canvas room for creative ideas.
As you can see from the code above, (sorry for the terrible syntax highlighting), references to strings and calls to functions are done by first loading the address of the symbol into a register and then interfacing with the symbol.
### Obfuscation - Base Class
```nasm
0x2D: 48 B8 A0 01 00 00 00 00 00 00 mov rax, offset MessageBoxA
; ...
0x3D: FF D0 call rax ; MessageBoxA
```
The base class, as described in the above section, contains a handful of util routines and a single explicit constructor which is the corner stone of the class. The constructor fixes JCC relative virtual addresses so that if the condition is met, instead of jumping instruction pointer relativitly, it will jump to an addition jmp (`JMP [RIP+0x0]`). LEA, nor CALL are rip relative, even for symbols defined inside of the routine in which the instruction is compiled into. In other words JCC instructions are the only instruction pointer relative instructions that are generated.
Each of these instructions can be anywhere in virtual memory and it would not effect code execution one bit. However this is not the case with routines which have conditional branches. Take the following c++ code for example.
```cpp
reloc_t inline_jmp_reloc
ObfuscateRoutine
void LoopDemo()
{
reloc_type::next_instruction_addr,
JMP_RIP_ADDR_IDX
};
for (auto idx = 0u; idx < 10; ++idx)
DbgPrint("> Loop Demo: %d\n", idx);
}
```
reloc_t inline_jmp_branch
{
reloc_type::jcc,
JMP_RIP_ADDR_IDX,
*reinterpret_cast<std::int32_t*>(rva_fix_addr)
};
This c++ function, compiled by clang-cl with `mcmodel=large`, will generate a routine with the following instructions:
# Obfuscation
std::printf("> fixing JCC rva...\n");
std::printf("> new rva = 0x%x\n", JMP_RIP_SIZE);
std::printf("> old rva = 0x%x\n", *reinterpret_cast<std::int32_t*>(rva_fix_addr));
The usage of the word obfuscation in this project is use to define any changes made to code, this includes code flow. `obfuscation::obfuscate`, a base class, which is inherited and expanded upon by `obfuscation::mutation`, obfuscates code flow by inserting `JMP [RIP+0x0]` instructions after every single instruction. This allows for a routine to be broken up into unique allocations of memory and thus provides more canvas room for creative ideas.
// when you inherit obfuscate please be mindful of JCC rvas...
*reinterpret_cast<std::int32_t*>(rva_fix_addr) = JMP_RIP_SIZE;
### Obfuscation - Base Class
gadget_stack.push_back({ instruction.second, {} });
gadget_stack.push_back({ jmp_rip, inline_jmp_reloc });
gadget_stack.push_back({ jmp_rip, inline_jmp_branch });
```
The base class, as described in the above section, contains a handful of util routines and a single explicit constructor which is the corner stone of the class. The constructor fixes JCC relative virtual addresses so that if the condition is met, instead of jumping instruction pointer relativitly, it will jump to an addition jmp (`JMP [RIP+0x0]`). LEA, nor CALL are rip relative, even for symbols defined inside of the routine in which the instruction is compiled into. In other words JCC instructions are the only instruction pointer relative instructions that are generated.
### Mutation - Inherts Obfuscation

Loading…
Cancel
Save