\hypertarget{classtheo_1_1obf_1_1next__inst__pass__t}{}\doxysection{theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t Class Reference}
|
|
\label{classtheo_1_1obf_1_1next__inst__pass__t}\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
|
|
|
|
|
|
This pass is used to generate transformations and jmp code to change RIP to the next instruction.
|
|
|
|
|
|
|
|
|
|
{\ttfamily \#include $<$next\+\_\+inst\+\_\+pass.\+hpp$>$}
|
|
|
|
Inheritance diagram for theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+:\begin{figure}[H]
|
|
\begin{center}
|
|
\leavevmode
|
|
\includegraphics[height=2.000000cm]{d5/d08/classtheo_1_1obf_1_1next__inst__pass__t}
|
|
\end{center}
|
|
\end{figure}
|
|
\doxysubsection*{Public Member Functions}
|
|
\begin{DoxyCompactItemize}
|
|
\item
|
|
void \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}{run}} (\mbox{\hyperlink{classtheo_1_1decomp_1_1symbol__t}{decomp\+::symbol\+\_\+t}} $\ast$sym)
|
|
\begin{DoxyCompactList}\small\item\em virtual method which must be implemented by the pass that inherits this class. \end{DoxyCompactList}\end{DoxyCompactItemize}
|
|
\doxysubsection*{Static Public Member Functions}
|
|
\begin{DoxyCompactItemize}
|
|
\item
|
|
static \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t}{next\+\_\+inst\+\_\+pass\+\_\+t}} $\ast$ \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t_a964e6f5291ccba0442519f2563b3a2e9}{get}} ()
|
|
\end{DoxyCompactItemize}
|
|
|
|
|
|
\doxysubsection{Detailed Description}
|
|
This pass is used to generate transformations and jmp code to change RIP to the next instruction.
|
|
|
|
Given the following code (which gets the PML4 address from CR3)\+:
|
|
|
|
\begin{verbatim}
get_pml4:
   0: 48 c7 c0 ff 0f 00 00    mov rax,0xfff
   7: 48 f7 d0                not rax
   a: 0f 20 da                mov rdx,cr3
   d: 48 21 c2                and rdx,rax
  10: b1 00                   mov cl,0x0
  12: 48 d3 e2                shl rdx,cl
  15: 48 89 d0                mov rax,rdx
  18: c3                      ret
\end{verbatim}
|
|
|
|
This pass breaks up each instruction so that it can be placed anywhere in a linear virtual address space. It does not work on RIP-relative code; however, clang will not generate such code when compiling with \char`\"{}-\/mcmodel=large\char`\"{}.
|
|
|
|
\begin{verbatim}
get_pml4@0:
   mov rax, 0xFFF
   push [next_inst_addr_enc]
   xor [rsp], 0x3243342
   ; a random number of transformations here...
   ret
next_inst_addr_enc:
   ; encrypted address of the next instruction goes here.
\end{verbatim}
|
|
|
|
\begin{verbatim}
get_pml4@7:
   not rax
   push [next_inst_addr_enc]
   xor [rsp], 0x93983498
   ; a random number of transformations here...
   ret
next_inst_addr_enc:
   ; encrypted address of the next instruction goes here.
\end{verbatim}
|
|
|
|
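This process is continued for each instruction in the function. The last instruction, \char`\"{}ret\char`\"{}, has no code generated for it because there is no next instruction. Note that every transfer to the next instruction is made with a {\ttfamily push}/{\ttfamily ret} pair rather than a direct jump, so these returns are not matched by a preceding call; a platform that enforces a hardware shadow stack (for example Intel CET) will fault on them.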
|
|
|
|
This pass also runs only at the instruction level\+: theodosius internally breaks up functions inside the \char`\"{}.\+split\char`\"{} section into individual instruction symbols. This process also creates a pseudo relocation, which simply tells this pass that there needs to be a relocation to the next symbol. The offset for these pseudo relocations is zero.
|
|
|
|
\doxysubsection{Member Function Documentation}
|
|
\mbox{\Hypertarget{classtheo_1_1obf_1_1next__inst__pass__t_a964e6f5291ccba0442519f2563b3a2e9}\label{classtheo_1_1obf_1_1next__inst__pass__t_a964e6f5291ccba0442519f2563b3a2e9}}
|
|
\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}!get@{get}}
|
|
\index{get@{get}!theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
|
|
\doxysubsubsection{\texorpdfstring{get()}{get()}}
|
|
{\footnotesize\ttfamily \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t}{next\+\_\+inst\+\_\+pass\+\_\+t}} $\ast$ theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+::get (\begin{DoxyParamCaption}{ }\end{DoxyParamCaption})\hspace{0.3cm}{\ttfamily [static]}}
|
|
|
|
\mbox{\Hypertarget{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}\label{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}}
|
|
\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}!run@{run}}
|
|
\index{run@{run}!theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
|
|
\doxysubsubsection{\texorpdfstring{run()}{run()}}
|
|
{\footnotesize\ttfamily void theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+::run (\begin{DoxyParamCaption}\item[{\mbox{\hyperlink{classtheo_1_1decomp_1_1symbol__t}{decomp\+::symbol\+\_\+t}} $\ast$}]{sym }\end{DoxyParamCaption})\hspace{0.3cm}{\ttfamily [virtual]}}
|
|
|
|
|
|
|
|
virtual method which must be implemented by the pass that inherits this class.
|
|
|
|
|
|
\begin{DoxyParams}{Parameters}
|
|
{\em sym} & a symbol of the same type as m\+\_\+sym\+\_\+type.\\
|
|
\hline
|
|
\end{DoxyParams}
|
|
|
|
|
|
Implements \mbox{\hyperlink{classtheo_1_1obf_1_1pass__t_acfadc013ff0754d66a18baffdb1a61d1}{theo\+::obf\+::pass\+\_\+t}}.
|
|
|
|
|
|
|
|
The documentation for this class was generated from the following files\+:\begin{DoxyCompactItemize}
|
|
\item
|
|
include/obf/passes/\mbox{\hyperlink{next__inst__pass_8hpp}{next\+\_\+inst\+\_\+pass.\+hpp}}\item
|
|
src/obf/passes/\mbox{\hyperlink{next__inst__pass_8cpp}{next\+\_\+inst\+\_\+pass.\+cpp}}\end{DoxyCompactItemize}
|