\hypertarget{classtheo_1_1obf_1_1next__inst__pass__t}{}\doxysection{theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t Class Reference}
|
|
\label{classtheo_1_1obf_1_1next__inst__pass__t}\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
|
|
|
|
|
|
This pass is used to generate transformations and jmp code to change RIP to the next instruction.
|
|
|
|
|
|
|
|
|
|
{\ttfamily \#include $<$next\+\_\+inst\+\_\+pass.\+hpp$>$}
|
|
|
|
Inheritance diagram for theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+:\begin{figure}[H]
|
|
\begin{center}
|
|
\leavevmode
|
|
\includegraphics[height=2.000000cm]{d5/d08/classtheo_1_1obf_1_1next__inst__pass__t}
|
|
\end{center}
|
|
\end{figure}
|
|
\doxysubsection*{Public Member Functions}
|
|
\begin{DoxyCompactItemize}
|
|
\item
|
|
void \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}{run}} (\mbox{\hyperlink{classtheo_1_1decomp_1_1symbol__t}{decomp\+::symbol\+\_\+t}} $\ast$sym)
|
|
\begin{DoxyCompactList}\small\item\em virtual method which must be implemented by the pass that inherits this class. \end{DoxyCompactList}\end{DoxyCompactItemize}
|
|
\doxysubsection*{Static Public Member Functions}
|
|
\begin{DoxyCompactItemize}
|
|
\item
|
|
static \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t}{next\+\_\+inst\+\_\+pass\+\_\+t}} $\ast$ \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t_a964e6f5291ccba0442519f2563b3a2e9}{get}} ()
|
|
\end{DoxyCompactItemize}
|
|
|
|
|
|
\doxysubsection{Detailed Description}
|
|
This pass is used to generate transformations and jmp code to change RIP to the next instruction.
|
|
|
|
Given the following code (get the PML4 address from CR3)\+:
|
|
|
|
get\+\_\+pml4\+:
 0\+:  48 c7 c0 ff 0f 00 00    mov rax,0xfff
 7\+:  48 f7 d0                not rax
 a\+:  0f 20 da                mov rdx,cr3
 d\+:  48 21 c2                and rdx,rax
 10\+: b1 00                   mov cl,0x0
 12\+: 48 d3 e2                shl rdx,cl
 15\+: 48 89 d0                mov rax,rdx
 18\+: c3                      ret
|
|
|
|
This pass breaks up each instruction so that it can be placed anywhere in a linear virtual address space. This pass will not work on RIP-relative code; however, clang will not generate such code when compiled with \char`\"{}-\/mcmodel=large\char`\"{}.
|
|
|
|
get\+\_\+pml4@0\+:
    mov rax, 0x\+FFF
    push \mbox{[}next\+\_\+inst\+\_\+addr\+\_\+enc\mbox{]}
    xor \mbox{[}rsp\mbox{]}, 0x3243342
    ; a random number of transformations here...
    ret
next\+\_\+inst\+\_\+addr\+\_\+enc\+: ; encrypted address of the next instruction goes here.
|
|
|
|
get\+\_\+pml4@7\+:
    not rax
    push \mbox{[}next\+\_\+inst\+\_\+addr\+\_\+enc\mbox{]}
    xor \mbox{[}rsp\mbox{]}, 0x93983498
    ; a random number of transformations here...
    ret
next\+\_\+inst\+\_\+addr\+\_\+enc\+: ; encrypted address of the next instruction goes here.
|
|
|
|
This process is repeated for each instruction in the function. The last instruction, \char`\"{}ret\char`\"{}, has no code generated for it, as there is no next instruction.
|
|
|
|
This pass also only runs at the instruction level: theodosius internally breaks up functions inside the \char`\"{}.\+split\char`\"{} section into individual instruction symbols. This process also creates a pseudo relocation, which simply tells this pass that there needs to be a relocation to the next symbol. The offset of these pseudo relocations is zero.
|
|
|
|
\doxysubsection{Member Function Documentation}
|
|
\mbox{\Hypertarget{classtheo_1_1obf_1_1next__inst__pass__t_a964e6f5291ccba0442519f2563b3a2e9}\label{classtheo_1_1obf_1_1next__inst__pass__t_a964e6f5291ccba0442519f2563b3a2e9}}
|
|
\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}!get@{get}}
|
|
\index{get@{get}!theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
|
|
\doxysubsubsection{\texorpdfstring{get()}{get()}}
|
|
{\footnotesize\ttfamily \mbox{\hyperlink{classtheo_1_1obf_1_1next__inst__pass__t}{next\+\_\+inst\+\_\+pass\+\_\+t}} $\ast$ theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+::get (\begin{DoxyParamCaption}{ }\end{DoxyParamCaption})\hspace{0.3cm}{\ttfamily [static]}}
|
|
|
|
|
|
\begin{DoxyCode}{0}
|
|
\DoxyCodeLine{34 \{}
|
|
\DoxyCodeLine{35 \textcolor{keyword}{static} next\_inst\_pass\_t obj;}
|
|
\DoxyCodeLine{36 \textcolor{keywordflow}{return} \&obj;}
|
|
\DoxyCodeLine{37 \}}
|
|
|
|
\end{DoxyCode}
|
|
\mbox{\Hypertarget{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}\label{classtheo_1_1obf_1_1next__inst__pass__t_ae4cbba78b14c2b9da794386e4d92f40f}}
|
|
\index{theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}!run@{run}}
|
|
\index{run@{run}!theo::obf::next\_inst\_pass\_t@{theo::obf::next\_inst\_pass\_t}}
|
|
\doxysubsubsection{\texorpdfstring{run()}{run()}}
|
|
{\footnotesize\ttfamily void theo\+::obf\+::next\+\_\+inst\+\_\+pass\+\_\+t\+::run (\begin{DoxyParamCaption}\item[{\mbox{\hyperlink{classtheo_1_1decomp_1_1symbol__t}{decomp\+::symbol\+\_\+t}} $\ast$}]{sym }\end{DoxyParamCaption})\hspace{0.3cm}{\ttfamily [virtual]}}
|
|
|
|
|
|
|
|
virtual method which must be implemented by the pass that inherits this class.
|
|
|
|
|
|
\begin{DoxyParams}{Parameters}
|
|
{\em sym} & a symbol whose type matches m\+\_\+sym\+\_\+type.\\
|
|
\hline
|
|
\end{DoxyParams}
|
|
|
|
|
|
Implements \mbox{\hyperlink{classtheo_1_1obf_1_1pass__t_acfadc013ff0754d66a18baffdb1a61d1}{theo\+::obf\+::pass\+\_\+t}}.
|
|
|
|
|
|
\begin{DoxyCode}{0}
|
|
\DoxyCodeLine{38 \{}
|
|
\DoxyCodeLine{39 std::optional<recomp::reloc\_t*> reloc;}
|
|
\DoxyCodeLine{40 \textcolor{keywordflow}{if} (!(reloc = has\_next\_inst\_reloc(sym)).has\_value())}
|
|
\DoxyCodeLine{41 \textcolor{keywordflow}{return};}
|
|
\DoxyCodeLine{42 }
|
|
\DoxyCodeLine{43 xed\_decoded\_inst\_t inst = m\_tmp\_inst;}
|
|
\DoxyCodeLine{44 std::vector<std::uint8\_t> new\_inst\_bytes =}
|
|
\DoxyCodeLine{45 \mbox{\hyperlink{namespacetheo_1_1obf_1_1transform_a416c6c93ce55a4ab9f70592951d15704}{transform::generate}}(\&inst, reloc.value(), 3, 6);}
|
|
\DoxyCodeLine{46 }
|
|
\DoxyCodeLine{47 \textcolor{comment}{// add a push [rip+offset] and update reloc-\/>offset()...}}
|
|
\DoxyCodeLine{48 \textcolor{comment}{//}}
|
|
\DoxyCodeLine{49 std::uint32\_t inst\_len = \{\};}
|
|
\DoxyCodeLine{50 std::uint8\_t inst\_buff[XED\_MAX\_INSTRUCTION\_BYTES];}
|
|
\DoxyCodeLine{51 }
|
|
\DoxyCodeLine{52 xed\_error\_enum\_t err;}
|
|
\DoxyCodeLine{53 xed\_encoder\_request\_t req;}
|
|
\DoxyCodeLine{54 xed\_state\_t istate\{XED\_MACHINE\_MODE\_LONG\_64, XED\_ADDRESS\_WIDTH\_64b\};}
|
|
\DoxyCodeLine{55 }
|
|
\DoxyCodeLine{56 xed\_encoder\_request\_zero\_set\_mode(\&req, \&istate);}
|
|
\DoxyCodeLine{57 xed\_encoder\_request\_set\_effective\_operand\_width(\&req, 64);}
|
|
\DoxyCodeLine{58 xed\_encoder\_request\_set\_iclass(\&req, XED\_ICLASS\_PUSH);}
|
|
\DoxyCodeLine{59 }
|
|
\DoxyCodeLine{60 xed\_encoder\_request\_set\_mem0(\&req);}
|
|
\DoxyCodeLine{61 xed\_encoder\_request\_set\_operand\_order(\&req, 0, XED\_OPERAND\_MEM0);}
|
|
\DoxyCodeLine{62 }
|
|
\DoxyCodeLine{63 xed\_encoder\_request\_set\_base0(\&req, XED\_REG\_RIP);}
|
|
\DoxyCodeLine{64 xed\_encoder\_request\_set\_seg0(\&req, XED\_REG\_INVALID);}
|
|
\DoxyCodeLine{65 xed\_encoder\_request\_set\_index(\&req, XED\_REG\_INVALID);}
|
|
\DoxyCodeLine{66 xed\_encoder\_request\_set\_scale(\&req, 0);}
|
|
\DoxyCodeLine{67 }
|
|
\DoxyCodeLine{68 xed\_encoder\_request\_set\_memory\_operand\_length(\&req, 8);}
|
|
\DoxyCodeLine{69 xed\_encoder\_request\_set\_memory\_displacement(\&req, new\_inst\_bytes.size() + 1,}
|
|
\DoxyCodeLine{70 1);}
|
|
\DoxyCodeLine{71 }
|
|
\DoxyCodeLine{72 \textcolor{keywordflow}{if} ((err = xed\_encode(\&req, inst\_buff, \textcolor{keyword}{sizeof}(inst\_buff), \&inst\_len)) !=}
|
|
\DoxyCodeLine{73 XED\_ERROR\_NONE) \{}
|
|
\DoxyCodeLine{74 spdlog::info(\textcolor{stringliteral}{"{}failed to encode instruction... reason: \{\}"{}},}
|
|
\DoxyCodeLine{75 xed\_error\_enum\_t2str(err));}
|
|
\DoxyCodeLine{76 }
|
|
\DoxyCodeLine{77 assert(err == XED\_ERROR\_NONE);}
|
|
\DoxyCodeLine{78 \}}
|
|
\DoxyCodeLine{79 }
|
|
\DoxyCodeLine{80 new\_inst\_bytes.insert(new\_inst\_bytes.begin(), inst\_buff,}
|
|
\DoxyCodeLine{81 inst\_buff + inst\_len);}
|
|
\DoxyCodeLine{82 }
|
|
\DoxyCodeLine{83 \textcolor{comment}{// put a return instruction at the end of the decrypt instructions...}}
|
|
\DoxyCodeLine{84 \textcolor{comment}{//}}
|
|
\DoxyCodeLine{85 new\_inst\_bytes.push\_back(0xC3);}
|
|
\DoxyCodeLine{86 }
|
|
\DoxyCodeLine{87 sym-\/>data().insert(sym-\/>data().end(), new\_inst\_bytes.begin(),}
|
|
\DoxyCodeLine{88 new\_inst\_bytes.end());}
|
|
\DoxyCodeLine{89 }
|
|
\DoxyCodeLine{90 reloc.value()-\/>offset(sym-\/>data().size());}
|
|
\DoxyCodeLine{91 sym-\/>data().resize(sym-\/>data().size() + 8);}
|
|
\DoxyCodeLine{92 \}}
|
|
|
|
\end{DoxyCode}
|
|
|
|
|
|
The documentation for this class was generated from the following files\+:\begin{DoxyCompactItemize}
|
|
\item
|
|
include/obf/passes/\mbox{\hyperlink{next__inst__pass_8hpp}{next\+\_\+inst\+\_\+pass.\+hpp}}\item
|
|
src/obf/passes/\mbox{\hyperlink{next__inst__pass_8cpp}{next\+\_\+inst\+\_\+pass.\+cpp}}\end{DoxyCompactItemize}
|