\hypertarget{classtheo_1_1obf_1_1next__inst__pass__t}{}\doxysection{theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t Class Reference}
\label{classtheo_1_1obf_1_1next__inst__pass__t}\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}


This pass is used to generate transformations and jmp code to change RIP to the next instruction.  




{\ttfamily \#include $<$next\+\_\+inst\+\_\+pass.\+hpp$>$}



Inheritance diagram for theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+:
% FIG 0


Collaboration diagram for theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+:
% FIG 1
\doxysubsection*{Public Member Functions}
\begin{DoxyCompactItemize}
\item 
void \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}{run}} (\mbox{\hyperlink{classtheo_1_1decomp_1_1symbol__t}{decomp\+::symbol\+\_\+t}} $\ast$sym)
\begin{DoxyCompactList}\small\item\em virtual method which must be implimented by the pass that inherits this class. \end{DoxyCompactList}\end{DoxyCompactItemize}
\doxysubsection*{Static Public Member Functions}
\begin{DoxyCompactItemize}
\item 
static \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t}{next\+\_\+inst\+\_\+pass\+\_\+t}} $\ast$ \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t_a267f1fee5cbe3d7bc6d173af499a6f9d}{get}} ()
\end{DoxyCompactItemize}


\doxysubsection{Detailed Description}
This pass is used to generate transformations and jmp code to change RIP to the next instruction. 

given the following code (get pml4 address from cr3)\+:

get\+\_\+pml4\+: 0\+: 48 c7 c0 ff 0f 00 00 mov rax,0xfff 7\+: 48 f7 d0 not rax a\+: 0f 20 da mov rdx,cr3 d\+: 48 21 c2 and rdx,rax 10\+: b1 00 mov cl,0x0 12\+: 48 d3 e2 shl rdx,cl 15\+: 48 89 d0 mov rax,rdx 18\+: c3 ret

this pass will break up each instruction so that it can be anywhere in a linear virtual address space. this pass will not work on rip relative code, however clang will not generate such code when compiled with \char`\"{}-\/mcmodel=large\char`\"{}

get\+\_\+pml4@0\+: mov rax, 0x\+FFF push \mbox{[}next\+\_\+inst\+\_\+addr\+\_\+enc\mbox{]} xor \mbox{[}rsp\mbox{]}, 0x3243342 ; a random number of transformations here... ret next\+\_\+inst\+\_\+addr\+\_\+enc\+: ; encrypted address of the next instruction goes here.

get\+\_\+pml4@7\+: not rax push \mbox{[}next\+\_\+inst\+\_\+addr\+\_\+enc\mbox{]} xor \mbox{[}rsp\mbox{]}, 0x93983498 ; a random number of transformations here... ret next\+\_\+inst\+\_\+addr\+\_\+enc\+: ; encrypted address of the next instruction goes here.

this process is continued for each instruction in the function. the last instruction \char`\"{}ret\char`\"{} will have no code generated for it as there is no next instruction.

this pass also only runs at the instruction level, theodosius internally breaks up functions inside of the \char`\"{}.\+split\char`\"{} section into individual instruction symbols. this process also creates a psuedo relocation which simply tells this pass that there needs to be a relocation to the next symbol. the offset for these psuedo relocations is zero.

Definition at line 85 of file next\+\_\+inst\+\_\+pass.\+hpp.



\doxysubsection{Member Function Documentation}
\mbox{\Hypertarget{classtheo_1_1obf_1_1next__inst__pass__t_a267f1fee5cbe3d7bc6d173af499a6f9d}\label{classtheo_1_1obf_1_1next__inst__pass__t_a267f1fee5cbe3d7bc6d173af499a6f9d}} 
\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}!get@{get}}
\index{get@{get}!theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
\doxysubsubsection{\texorpdfstring{get()}{get()}}
{\footnotesize\ttfamily static \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t}{next\+\_\+inst\+\_\+pass\+\_\+t}}$\ast$ theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+::get (\begin{DoxyParamCaption}{ }\end{DoxyParamCaption})\hspace{0.3cm}{\ttfamily [static]}}

\mbox{\Hypertarget{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}\label{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}} 
\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}!run@{run}}
\index{run@{run}!theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
\doxysubsubsection{\texorpdfstring{run()}{run()}}
{\footnotesize\ttfamily void theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+::run (\begin{DoxyParamCaption}\item[{\mbox{\hyperlink{classtheo_1_1decomp_1_1symbol__t}{decomp\+::symbol\+\_\+t}} $\ast$}]{sym }\end{DoxyParamCaption})\hspace{0.3cm}{\ttfamily [virtual]}}



virtual method which must be implimented by the pass that inherits this class. 


\begin{DoxyParams}{Parameters}
{\em sym} & a symbol of the same type of m\+\_\+sym\+\_\+type.\\
\hline
\end{DoxyParams}


Implements \mbox{\hyperlink{classtheo_1_1obf_1_1pass__t_acfadc013ff0754d66a18baffdb1a61d1}{theo\+::obf\+::pass\+\_\+t}}.



The documentation for this class was generated from the following file\+:\begin{DoxyCompactItemize}
\item 
include/obf/passes/\mbox{\hyperlink{next__inst__pass_8hpp}{next\+\_\+inst\+\_\+pass.\+hpp}}\end{DoxyCompactItemize}