Theodosius/doxygen/html/d5/d08/classtheo_1_1obf_1_1next__i...


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.9.1"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>Theodosius: theo::obf::next_inst_pass_t Class Reference</title>
<link href="../../tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="../../jquery.js"></script>
<script type="text/javascript" src="../../dynsections.js"></script>
<link href="../../search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="../../search/searchdata.js"></script>
<script type="text/javascript" src="../../search/search.js"></script>
<link href="../../doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td id="projectalign" style="padding-left: 0.5em;">
<div id="projectname">Theodosius
&#160;<span id="projectnumber">v3.0</span>
</div>
<div id="projectbrief">Jit linker, mapper, obfuscator, and mutator</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.9.1 -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
/* Page-global search controller. The inline onmouseover/onmouseout/onkeydown
   handlers on the MSearchSelectWindow div further down call methods on this
   object, so it has to exist before those handlers can fire. SearchBox is not
   defined on this page (presumably it comes from ../../search/search.js; confirm). */
var searchBox = new SearchBox("searchBox", "../../search",false,'Search','.html');
/* @license-end */
</script>
<script type="text/javascript" src="../../menudata.js"></script>
<script type="text/javascript" src="../../menu.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
/* Deferred start-up: the outer $(function() { ... }) is jQuery's DOM-ready
   shorthand. It calls initMenu with the relative site root ('../../') and then
   registers init_search() through a second ready callback. initMenu and
   init_search are defined outside this page (presumably menu.js and search.js; confirm). */
$(function() {
initMenu('../../',true,false,'search.php','Search');
$(document).ready(function() { init_search(); });
});
/* @license-end */</script>
<div id="main-nav"></div>
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div id="nav-path" class="navpath">
<ul>
<li class="navelem"><a class="el" href="../../da/de6/namespacetheo.html">theo</a></li><li class="navelem"><a class="el" href="../../d5/da8/namespacetheo_1_1obf.html">obf</a></li><li class="navelem"><a class="el" href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html">next_inst_pass_t</a></li> </ul>
</div>
</div><!-- top -->
<div class="header">
<div class="summary">
<a href="#pub-methods">Public Member Functions</a> &#124;
<a href="#pub-static-methods">Static Public Member Functions</a> &#124;
<a href="../../d4/d3c/classtheo_1_1obf_1_1next__inst__pass__t-members.html">List of all members</a> </div>
<div class="headertitle">
<div class="title">theo::obf::next_inst_pass_t Class Reference</div> </div>
</div><!--header-->
<div class="contents">
<p>This pass is used to generate transformations and jmp code to change RIP to the next instruction.
<a href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html#details">More...</a></p>
<p><code>#include &lt;<a class="el" href="../../">next_inst_pass.hpp</a>&gt;</code></p>
<div class="dynheader">
Inheritance diagram for theo::obf::next_inst_pass_t:</div>
<div class="dyncontent">
<div class="center">
<img src="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.png" usemap="#theo::obf::next_5Finst_5Fpass_5Ft_map" alt=""/>
<map id="theo::obf::next_5Finst_5Fpass_5Ft_map" name="theo::obf::next_5Finst_5Fpass_5Ft_map">
<area href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html" title="the pass_t class is a base class for all passes made. you must override the pass_t::run virtual funct..." alt="theo::obf::pass_t" shape="rect" coords="0,0,158,24"/>
</map>
</div></div>
<table class="memberdecls">
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="pub-methods"></a>
Public Member Functions</h2></td></tr>
<tr class="memitem:ae4cbba78b14c2b9da794386e4d92f40f"><td class="memItemLeft" align="right" valign="top">void&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html#ae4cbba78b14c2b9da794386e4d92f40f">run</a> (<a class="el" href="../../d9/dd5/classtheo_1_1decomp_1_1symbol__t.html">decomp::symbol_t</a> *sym)</td></tr>
<tr class="memdesc:ae4cbba78b14c2b9da794386e4d92f40f"><td class="mdescLeft">&#160;</td><td class="mdescRight">virtual method which must be implemented by the pass that inherits this class. <a href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html#ae4cbba78b14c2b9da794386e4d92f40f">More...</a><br /></td></tr>
<tr class="separator:ae4cbba78b14c2b9da794386e4d92f40f"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="inherit_header pub_methods_classtheo_1_1obf_1_1pass__t"><td colspan="2" onclick="javascript:toggleInherit('pub_methods_classtheo_1_1obf_1_1pass__t')"><img src="../../closed.png" alt="-"/>&#160;Public Member Functions inherited from <a class="el" href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html">theo::obf::pass_t</a></td></tr>
<tr class="memitem:abd4ab22cc2822b968267be7f8397d611 inherit pub_methods_classtheo_1_1obf_1_1pass__t"><td class="memItemLeft" align="right" valign="top">&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html#abd4ab22cc2822b968267be7f8397d611">pass_t</a> (<a class="el" href="../../d9/dbd/namespacetheo_1_1decomp.html#af96177687d0ad683c5897d8fa01135f9">decomp::sym_type_t</a> <a class="el" href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html#a46608a6c2dfb8ff657e44be9b50e0dfb">sym_type</a>)</td></tr>
<tr class="memdesc:abd4ab22cc2822b968267be7f8397d611 inherit pub_methods_classtheo_1_1obf_1_1pass__t"><td class="mdescLeft">&#160;</td><td class="mdescRight">the explicit constructor of the <a class="el" href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html" title="the pass_t class is a base class for all passes made. you must override the pass_t::run virtual funct...">pass_t</a> base class. <a href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html#abd4ab22cc2822b968267be7f8397d611">More...</a><br /></td></tr>
<tr class="separator:abd4ab22cc2822b968267be7f8397d611 inherit pub_methods_classtheo_1_1obf_1_1pass__t"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a46608a6c2dfb8ff657e44be9b50e0dfb inherit pub_methods_classtheo_1_1obf_1_1pass__t"><td class="memItemLeft" align="right" valign="top"><a class="el" href="../../d9/dbd/namespacetheo_1_1decomp.html#af96177687d0ad683c5897d8fa01135f9">decomp::sym_type_t</a>&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html#a46608a6c2dfb8ff657e44be9b50e0dfb">sym_type</a> ()</td></tr>
<tr class="memdesc:a46608a6c2dfb8ff657e44be9b50e0dfb inherit pub_methods_classtheo_1_1obf_1_1pass__t"><td class="mdescLeft">&#160;</td><td class="mdescRight">gets the pass's symbol type. <a href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html#a46608a6c2dfb8ff657e44be9b50e0dfb">More...</a><br /></td></tr>
<tr class="separator:a46608a6c2dfb8ff657e44be9b50e0dfb inherit pub_methods_classtheo_1_1obf_1_1pass__t"><td class="memSeparator" colspan="2">&#160;</td></tr>
</table><table class="memberdecls">
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="pub-static-methods"></a>
Static Public Member Functions</h2></td></tr>
<tr class="memitem:a964e6f5291ccba0442519f2563b3a2e9"><td class="memItemLeft" align="right" valign="top">static <a class="el" href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html">next_inst_pass_t</a> *&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html#a964e6f5291ccba0442519f2563b3a2e9">get</a> ()</td></tr>
<tr class="separator:a964e6f5291ccba0442519f2563b3a2e9"><td class="memSeparator" colspan="2">&#160;</td></tr>
</table>
<a name="details" id="details"></a><h2 class="groupheader">Detailed Description</h2>
<div class="textblock"><p>This pass is used to generate transformations and jmp code to change RIP to the next instruction. </p>
<p>Given the following code (get the PML4 address from CR3):</p>
<pre class="fragment">get_pml4:
   0:   48 c7 c0 ff 0f 00 00    mov    rax,0xfff
   7:   48 f7 d0                not    rax
   a:   0f 20 da                mov    rdx,cr3
   d:   48 21 c2                and    rdx,rax
  10:   b1 00                   mov    cl,0x0
  12:   48 d3 e2                shl    rdx,cl
  15:   48 89 d0                mov    rax,rdx
  18:   c3                      ret</pre>
<p>This pass breaks the function up so that each instruction can be placed anywhere in a linear virtual address space. It does not work on RIP-relative code; however, clang will not generate such code when compiled with "-mcmodel=large".</p>
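<p>After the pass, each instruction becomes its own stub: the encrypted address of the next instruction is pushed, transformed in place on the stack, and the closing ret transfers control to it.</p>
<pre class="fragment">get_pml4@0:
    mov rax, 0xFFF
    push [next_inst_addr_enc]
    xor [rsp], 0x3243342
    ; a random number of transformations here...
    ret
next_inst_addr_enc:
    ; encrypted address of the next instruction goes here.</pre>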
<pre class="fragment">get_pml4@7:
    not rax
    push [next_inst_addr_enc]
    xor [rsp], 0x93983498
    ; a random number of transformations here...
    ret
next_inst_addr_enc:
    ; encrypted address of the next instruction goes here.</pre>
<p>This process is repeated for each instruction in the function. The last instruction, "ret", has no code generated for it, as there is no next instruction.</p>
<p>This pass also runs only at the instruction level: Theodosius internally breaks up functions inside the ".split" section into individual instruction symbols. That process also creates a pseudo relocation, which simply tells this pass that a relocation to the next symbol is needed. The offset for these pseudo relocations is zero.</p>
</div><h2 class="groupheader">Member Function Documentation</h2>
<a id="a964e6f5291ccba0442519f2563b3a2e9"></a>
<h2 class="memtitle"><span class="permalink"><a href="#a964e6f5291ccba0442519f2563b3a2e9">&#9670;&nbsp;</a></span>get()</h2>
<div class="memitem">
<div class="memproto">
<table class="mlabels">
<tr>
<td class="mlabels-left">
<table class="memname">
<tr>
<td class="memname"><a class="el" href="../../d5/d08/classtheo_1_1obf_1_1next__inst__pass__t.html">next_inst_pass_t</a> * theo::obf::next_inst_pass_t::get </td>
<td>(</td>
<td class="paramname"></td><td>)</td>
<td></td>
</tr>
</table>
</td>
<td class="mlabels-right">
<span class="mlabels"><span class="mlabel">static</span></span> </td>
</tr>
</table>
</div><div class="memdoc">
</div>
</div>
<a id="ae4cbba78b14c2b9da794386e4d92f40f"></a>
<h2 class="memtitle"><span class="permalink"><a href="#ae4cbba78b14c2b9da794386e4d92f40f">&#9670;&nbsp;</a></span>run()</h2>
<div class="memitem">
<div class="memproto">
<table class="mlabels">
<tr>
<td class="mlabels-left">
<table class="memname">
<tr>
<td class="memname">void theo::obf::next_inst_pass_t::run </td>
<td>(</td>
<td class="paramtype"><a class="el" href="../../d9/dd5/classtheo_1_1decomp_1_1symbol__t.html">decomp::symbol_t</a> *&#160;</td>
<td class="paramname"><em>sym</em></td><td>)</td>
<td></td>
</tr>
</table>
</td>
<td class="mlabels-right">
<span class="mlabels"><span class="mlabel">virtual</span></span> </td>
</tr>
</table>
</div><div class="memdoc">
<p>virtual method which must be implemented by the pass that inherits this class. </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">sym</td><td>a symbol whose type matches m_sym_type.</td></tr>
</table>
</dd>
</dl>
<p>Implements <a class="el" href="../../d4/dad/classtheo_1_1obf_1_1pass__t.html#acfadc013ff0754d66a18baffdb1a61d1">theo::obf::pass_t</a>.</p>
</div>
</div>
<hr/>The documentation for this class was generated from the following files:<ul>
<li>include/obf/passes/<a class="el" href="../../">next_inst_pass.hpp</a></li>
<li>src/obf/passes/<a class="el" href="../../">next_inst_pass.cpp</a></li>
</ul>
</div><!-- contents -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated by&#160;<a href="https://www.doxygen.org/index.html"><img class="footer" src="../../doxygen.svg" width="104" height="31" alt="doxygen"/></a> 1.9.1
</small></address>
</body>
</html>