You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
210 lines
16 KiB
210 lines
16 KiB
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
|
|
<html xmlns="http://www.w3.org/1999/xhtml">
|
|
<head>
|
|
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
|
|
<meta http-equiv="X-UA-Compatible" content="IE=11"/>
|
|
<meta name="generator" content="Doxygen 1.9.3"/>
|
|
<meta name="viewport" content="width=device-width, initial-scale=1"/>
|
|
<title>Theodosius: Theodosius - Jit linker, Mapper, Mutator, and Obfuscator</title>
|
|
<link href="tabs.css" rel="stylesheet" type="text/css"/>
|
|
<script type="text/javascript" src="jquery.js"></script>
|
|
<script type="text/javascript" src="dynsections.js"></script>
|
|
<link href="search/search.css" rel="stylesheet" type="text/css"/>
|
|
<script type="text/javascript" src="search/searchdata.js"></script>
|
|
<script type="text/javascript" src="search/search.js"></script>
|
|
<link href="doxygen.css" rel="stylesheet" type="text/css" />
|
|
</head>
|
|
<body>
|
|
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
|
|
<div id="titlearea">
|
|
<table cellspacing="0" cellpadding="0">
|
|
<tbody>
|
|
<tr id="projectrow">
|
|
<td id="projectlogo"><img alt="Logo" src="icon.png"/></td>
|
|
<td id="projectalign">
|
|
<div id="projectname">Theodosius<span id="projectnumber"> v3.0</span>
|
|
</div>
|
|
<div id="projectbrief">Jit linker, symbol mapper, and obfuscator</div>
|
|
</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
<!-- end header part -->
|
|
<!-- Generated by Doxygen 1.9.3 -->
|
|
<script type="text/javascript">
|
|
/* @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT */
|
|
var searchBox = new SearchBox("searchBox", "search",'Search','.html');
|
|
/* @license-end */
|
|
</script>
|
|
<script type="text/javascript" src="menudata.js"></script>
|
|
<script type="text/javascript" src="menu.js"></script>
|
|
<script type="text/javascript">
|
|
/* @license magnet:?xt=urn:btih:d3d9a9a6595521f9666a5e94cc830dab83b65699&dn=expat.txt MIT */
|
|
$(function() {
|
|
initMenu('',true,false,'search.php','Search');
|
|
$(document).ready(function() { init_search(); });
|
|
});
|
|
/* @license-end */
|
|
</script>
|
|
<div id="main-nav"></div>
|
|
</div><!-- top -->
|
|
<!-- window showing the filter options -->
|
|
<div id="MSearchSelectWindow"
|
|
onmouseover="return searchBox.OnSearchSelectShow()"
|
|
onmouseout="return searchBox.OnSearchSelectHide()"
|
|
onkeydown="return searchBox.OnSearchSelectKey(event)">
|
|
</div>
|
|
|
|
<!-- iframe showing the search results (closed by default) -->
|
|
<div id="MSearchResultsWindow">
|
|
<iframe src="javascript:void(0)" frameborder="0"
|
|
name="MSearchResults" id="MSearchResults">
|
|
</iframe>
|
|
</div>
|
|
|
|
<div><div class="header">
|
|
<div class="headertitle"><div class="title">Theodosius - Jit linker, Mapper, Mutator, and Obfuscator </div></div>
|
|
</div><!--header-->
|
|
<div class="contents">
|
|
<div class="textblock"><p ><a class="anchor" id="md_README"></a> Theodosius (Theo for short) is a jit linker created for obfuscation. The project is extremely modular in design and supports both kernel and usermode projects. Theo works with static libraries rather than completely compiled binaries. This allows it to easily position, obfuscate, and scatter symbols anywhere as the project takes the place of the linker.</p>
|
|
<h2><a class="anchor" id="autotoc_md1"></a>
|
|
Table Of Contents</h2>
|
|
<ul>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#theodosius-jit-linker-mapper-mutator-and-obfuscator">Theodosius - Jit linker, Mapper, Mutator, and Obfuscator</a><ul>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#credit-and-dependencies">Credit And Dependencies</a></li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#linking-dynamic-and-static">Linking - Dynamic And Static</a><ul>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#what-is-a-linker">What Is A Linker</a></li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#object-files">Object Files</a></li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#static-linking">Static Linking</a></li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#dynamic-linking">Dynamic Linking</a></li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#usage-using-theodosius">Usage - Using Theodosius</a><ul>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#integrating-clang">Integrating Clang</a><ul>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#requirements">Requirements</a> <br />
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#rip-relative-addressing">RIP Relative Addressing</a></li>
|
|
<li><a href="https://githacks.org/_xeroxz/theodosius#bsd-3-clause-license">License - BSD 3-Clause</a></li>
|
|
</ul>
|
|
<h2><a class="anchor" id="autotoc_md2"></a>
|
|
Credit And Dependencies</h2>
|
|
<ul>
|
|
<li><a href="https://github.com/btbd">BTBD</a> - Huge thanks for providing suggestions and bouncing ideas back and forth.<ul>
|
|
<li><a href="https://github.com/btbd/smap">SMAP</a> - scatter mapper, this project is heavily influenced by SMAP.</li>
|
|
</ul>
|
|
</li>
|
|
<li><a href="https://github.com/intelxed/xed">XED</a></li>
|
|
<li><a href="https://github.com/gabime/spdlog">spdlog</a></li>
|
|
<li><a href="https://github.com/can1357/linux-pe">linux-pe</a></li>
|
|
<li><a href="https://github.com/build-cpp/cmkr">cmkr</a></li>
|
|
</ul>
|
|
<h2><a class="anchor" id="autotoc_md3"></a>
|
|
Building</h2>
|
|
<p >Download and install cmake on your system, then execute the following command in the root dir of this project:</p>
|
|
<ul>
|
|
<li><code>cmake -B build</code></li>
|
|
</ul>
|
|
<p >Then navigate into <code>dependencies/xed/</code> and run <code>python3 mfile.py</code>. Building XED can be tricky on windows, I suggest you use the visual studios console since it has env vars to everything needed to build XED. linux seems to build it just fine...</p>
|
|
<h1><a class="anchor" id="autotoc_md4"></a>
|
|
Linking - Dynamic And Static</h1>
|
|
<h3><a class="anchor" id="autotoc_md5"></a>
|
|
What Is A Linker</h3>
|
|
<p >A linker is a program which takes object files produces by a compiler and generates a final executable native to the operating system. A linker interfaces with not only object files but also static libraries, "lib" files. What is a "lib" file? Well a lib file is just an archive of obj's. You can invision it as a zip/rar without any compression, just concatination of said object files.</p>
|
|
<p >Theo is a jit linker, which means it will link objs together and map them into memory all at once. For usability however, instead of handling object files, Theo can parse entire lib files and extract the objects out of the lib.</p>
|
|
<h3><a class="anchor" id="autotoc_md6"></a>
|
|
Object Files</h3>
|
|
<p >If you define a c++ file called "main.cpp" the compiler will generate an object file by the name of "main.obj". When you refer to data or code defined in another c/c++ file, the linker uses a symbol table to resolve the address of said code/data. In this situation I am the linker and I resolve all of your symbols :).</p>
|
|
<h3><a class="anchor" id="autotoc_md7"></a>
|
|
Static Linking</h3>
|
|
<p >Static linking is when the linker links entire routines not created by you, into your code. Say <code>memcpy</code> (if its not inlined), will be staticlly linked with the CRT. Static linking also allows for your code to be more independant as all the code you need you bring with you. However, with Theo, you cannot link static libraries which are not compiled with <code>mcmodel=large</code>. Theo supports actual static linking, in other words, using multiple static libraries at the same time.</p>
|
|
<h3><a class="anchor" id="autotoc_md8"></a>
|
|
Dynamic Linking</h3>
|
|
<p >Dynamic linking is when external symbols are resolved at runtime. This is done by imports and exports in DLL's (dynamiclly linked libraries). Theo supports "dynamic linking", or in better terms, linking against exported routines. You can see examples of this inside of both usermode and kernelmode examples.</p>
|
|
<h1><a class="anchor" id="autotoc_md9"></a>
|
|
Usage - Using Theodosius</h1>
|
|
<h2><a class="anchor" id="autotoc_md10"></a>
|
|
Integrating Clang</h2>
|
|
<p >For integration with visual studios please open install <a href="https://marketplace.visualstudio.com/items?itemName=MarekAniola.mangh-llvm2019">llvm2019</a> extension, or <a href="https://marketplace.visualstudio.com/items?itemName=LLVMExtensions.llvm-toolchain">llvm2017</a> extension. Once installed, create or open a visual studio project which you want to use with LLVM-Obfuscator and Theo. Open <em><b>Properties</b></em> --> <em><b>Configuration Properties</b></em> —> <em><b>General</b></em>, then set <em><b>Platform Toolset</b></em> to <em><b>LLVM</b></em>.</p>
|
|
<p >Once LLVM is selected, under the <em><b>LLVM</b></em> tab change the clang-cl location to the place where you extracted <a href="https://githacks.org/_xeroxz/theodosius/-/blob/cc9496ccceba3d1f0916859ddb2583be9362c908/resources/clang-cl.rar">clang-cl.rar</a>. Finally under <em><b>Additional Compiler Options</b></em> (same LLVM tab), set the following: <code>-Xclang -std=c++1z -Xclang -mcode-model -Xclang large -Xclang -fno-jump-tables -mllvm -split -mllvm -split_num=4 -mllvm -sub_loop=4</code>.</p>
|
|
<p >Please refer to the <a href="https://github.com/obfuscator-llvm/obfuscator/wiki">LLVM-Obfuscator Wiki</a> for more information on commandline arguments.</p>
|
|
<h4><a class="anchor" id="autotoc_md11"></a>
|
|
Requirements</h4>
|
|
<ul>
|
|
<li>No SEH support, do not add <code>__try/__except</code> in your code.</li>
|
|
<li>No CFG (control flow guard) support. Please disable this in C/C++ —> Code Generation —> Control Flow Guard</li>
|
|
<li>No Stack Security Check Support. Please disablel this in C/C++ —> Code Generation —> Security Check (/GS-)</li>
|
|
<li>Your project must be set to produce a .lib file.</li>
|
|
<li>Your project must not link with other static libraries which are not compiled with <code>-Xclang -mcmodel-large</code>.</li>
|
|
<li>Project must be compiled with the following flags<ul>
|
|
<li><code>-Xclang -mcmodel=large</code>, removes RIP relative addressing besides JCC's.</li>
|
|
<li><code>-Xclang -fno-jump-tables</code>, removes jump tables created by switch cases.</li>
|
|
<li><code>/Zc:threadSafeInit-</code>, static will not use TLS (thread local storage).</li>
|
|
</ul>
|
|
</li>
|
|
</ul>
|
|
<h2><a class="anchor" id="autotoc_md12"></a>
|
|
RIP Relative Addressing</h2>
|
|
<p >In order to allow for a routine to be scattered throughout a 64bit address space, RIP relative addressing must not be used. In order to facilitate this, a very special version of clang-cl is used which can use <code>mcmodel=large</code>. This will generate instructions which do not use RIP relative addressing when referencing symbols outside of the routine in which the instruction itself resides. The only exception to this is JCC instructions, (besides call) also known as branching instructions. Take this c++ code for an example:</p>
|
|
<div class="fragment"><div class="line">ObfuscateRoutine </div>
|
|
<div class="line"><span class="keyword">extern</span> <span class="stringliteral">"C"</span> <span class="keywordtype">int</span> ModuleEntry()</div>
|
|
<div class="line">{</div>
|
|
<div class="line"> MessageBoxA(0, <span class="stringliteral">"Demo"</span>, <span class="stringliteral">"Hello From Obfuscated Routine!"</span>, 0);</div>
|
|
<div class="line"> UsermodeMutateDemo();</div>
|
|
<div class="line"> UsermodeNoObfuscation();</div>
|
|
<div class="line">}</div>
|
|
</div><!-- fragment --><p >This c++ function, compiled by clang-cl with <code>mcmodel=large</code>, will generate a routine with the following instructions:</p>
|
|
<div class="fragment"><div class="line">0x00: ; void UsermodeNoObfuscation(void)</div>
|
|
<div class="line">0x00: public ?UsermodeNoObfuscation@@YAXXZ</div>
|
|
<div class="line">0x00: ?UsermodeNoObfuscation@@YAXXZ proc near ; CODE XREF: ModuleEntry+42↓p</div>
|
|
<div class="line">0x00: var_4 = dword ptr -4</div>
|
|
<div class="line">0x00: 48 83 EC 28 sub rsp, 28h</div>
|
|
<div class="line">0x04: C7 44 24 24 00 00 00 00 mov [rsp+28h+var_4], 0</div>
|
|
<div class="line">0x0C: loc_C:</div>
|
|
<div class="line">0x0C: 83 7C 24 24 05 cmp [rsp+28h+var_4], 5</div>
|
|
<div class="line">0x11: 0F 83 38 00 00 00 jnb loc_4F</div>
|
|
<div class="line">0x17: 31 C0 xor eax, eax</div>
|
|
<div class="line">0x19: 48 BA 28 01 00 00 00 00 00 00 mov rdx, offset ??_C@_04DKDMNOEB@Demo?$AA@ ; "Demo"</div>
|
|
<div class="line">0x23: 49 B8 00 01 00 00 00 00 00 00 mov r8, offset ??_C@_0CD@JEJKPGNA@Hello?5... ; "Hello From Non-Obfuscated Routine!"</div>
|
|
<div class="line">0x2D: 48 B8 A0 01 00 00 00 00 00 00 mov rax, offset MessageBoxA</div>
|
|
<div class="line">0x37: 45 31 C9 xor r9d, r9d ; uType</div>
|
|
<div class="line">0x3A: 44 89 C9 mov ecx, r9d ; hWnd</div>
|
|
<div class="line">0x3D: FF D0 call rax ; MessageBoxA</div>
|
|
<div class="line">0x3F: 8B 44 24 24 mov eax, [rsp+28h+var_4]</div>
|
|
<div class="line">0x43: 83 C0 01 add eax, 1</div>
|
|
<div class="line">0x46: 89 44 24 24 mov [rsp+28h+var_4], eax</div>
|
|
<div class="line">0x4A: E9 BD FF FF FF jmp loc_C</div>
|
|
<div class="line">0x4F: loc_4F:</div>
|
|
<div class="line">0x4F: 48 83 C4 28 add rsp, 28h</div>
|
|
<div class="line">0x53: C3 retn</div>
|
|
<div class="line">0x53: ?UsermodeNoObfuscation@@YAXXZ endp</div>
|
|
</div><!-- fragment --><p >As you can see from the code above, (sorry for the terrible syntax highlighting), references to strings and calls to functions are done by first loading the address of the symbol into a register and then interfacing with the symbol.</p>
|
|
<div class="fragment"><div class="line">0x2D: 48 B8 A0 01 00 00 00 00 00 00 mov rax, offset MessageBoxA</div>
|
|
<div class="line">; ...</div>
|
|
<div class="line">0x3D: FF D0 call rax ; MessageBoxA</div>
|
|
</div><!-- fragment --><p >Each of these instructions can be anywhere in virtual memory and it would not effect code execution one bit.</p>
|
|
<h1><a class="anchor" id="autotoc_md13"></a>
|
|
BSD 3-Clause License</h1>
|
|
<p >Copyright (c) 2022, _xeroxz All rights reserved.</p>
|
|
<p >Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
|
|
<ol type="1">
|
|
<li>Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.</li>
|
|
<li>Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.</li>
|
|
<li>Neither the name of the copyright holder nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.</li>
|
|
</ol>
|
|
<p >THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. </p>
|
|
</div></div><!-- PageDoc -->
|
|
</div><!-- contents -->
|
|
<!-- start footer part -->
|
|
<hr class="footer"/><address class="footer"><small>
|
|
Generated by <a href="https://www.doxygen.org/index.html"><img class="footer" src="doxygen.svg" width="104" height="31" alt="doxygen"/></a> 1.9.3
|
|
</small></address>
|
|
</body>
|
|
</html>
|