#include "NativeCode.h"
// Default-construct an empty link: no flags, no label, no neighbours, no owning
// block and no raw bytes; the XED decoder state is reset and put into 64-bit
// long mode with 64-bit addressing.
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK()
{
    Flags = 0UL;
    Label = 0UL;
    Block = NULL;
    Prev = NULL;
    Next = NULL;
    RawData = NULL;
    RawDataSize = 0UL;
    // Zero the decoded-instruction state before selecting the decode mode.
    XedDecodedInstZero(&XedInstruction);
    XedDecodedInstSetMode(&XedInstruction, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
}
// Construct a label link carrying LabelId that belongs to block B.
// Delegates to the default constructor for the decoder/raw-data reset.
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B)
    : _NATIVE_CODE_LINK()
{
    Flags = CODE_FLAG_IS_LABEL;
    Label = LabelId;
    Block = B;
}
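// Construct a link with flags F owning a private copy of Rds raw bytes.
// Rd may be NULL, in which case the buffer is allocated but not filled.
// The buffer is released by the destructor with delete[].
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds)
    : _NATIVE_CODE_LINK()
{
    Flags = F;
    RawDataSize = Rds;
    // Value-initialise so the buffer holds defined (zero) bytes when no source
    // is supplied; previously a NULL Rd left Rds uninitialised bytes behind.
    RawData = new UCHAR[Rds]();
    if (Rd)
        memcpy(RawData, Rd, Rds);
}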
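// Release the raw byte buffer. RawData is always allocated with new[] (raw-data
// constructor and NcDisassemble), so it must be freed with delete[] — plain
// delete on an array is undefined behaviour. delete[] on NULL is a no-op.
_NATIVE_CODE_LINK::~_NATIVE_CODE_LINK()
{
    delete[] RawData;
}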
// Construct an empty block: no links and no label ids.
_NATIVE_CODE_BLOCK::_NATIVE_CODE_BLOCK()
{
    Start = NULL;
    End = NULL;
    LabelIds.clear();
}
// Append Link as the new tail of Block (no-op for a NULL Link).
// Link's owner becomes Block; an empty block gets Link as both Start and End.
VOID NcAppendToBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_LINK Link)
{
    if (!Link)
        return;
    PNATIVE_CODE_LINK const OldEnd = Block->End;
    Link->Block = Block;
    Link->Prev = OldEnd;
    Link->Next = NULL;
    const bool WasEmpty = (OldEnd == NULL) || (Block->Start == NULL);
    if (WasEmpty)
    {
        Block->Start = Link;
        Block->End = Link;
        return;
    }
    OldEnd->Next = Link;
    Block->End = Link;
}
// Prepend Link as the new head of Block (no-op for a NULL Link).
// Link's owner becomes Block; an empty block gets Link as both Start and End.
VOID NcPrependToBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_LINK Link)
{
    if (!Link)
        return;
    PNATIVE_CODE_LINK const OldStart = Block->Start;
    Link->Block = Block;
    Link->Next = OldStart;
    Link->Prev = NULL;
    const bool WasEmpty = (Block->End == NULL) || (OldStart == NULL);
    if (WasEmpty)
    {
        Block->Start = Link;
        Block->End = Link;
        return;
    }
    OldStart->Prev = Link;
    Block->Start = Link;
}
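// Insert Link2 directly after Link1 (no-op when either is NULL).
// Link2 adopts Link1's owning block. If Link1 was the tail of its block, the
// block's End is moved to Link2; previously the block kept pointing at Link1
// and a later NcAppendToBlock would have orphaned Link2.
VOID NcInsertLinkAfter(PNATIVE_CODE_LINK Link1, PNATIVE_CODE_LINK Link2)
{
    if (!Link1 || !Link2)
        return;
    if (Link1->Block)
        Link2->Block = Link1->Block;
    Link2->Prev = Link1;
    Link2->Next = Link1->Next;
    Link1->Next = Link2;
    if (Link2->Next)
        Link2->Next->Prev = Link2;
    else if (Link1->Block && Link1->Block->End == Link1)
        Link1->Block->End = Link2;
}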
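// Insert Link2 directly before Link1 (no-op when either is NULL).
// Link2 adopts Link1's owning block. If Link1 was the head of its block, the
// block's Start is moved to Link2; previously a link inserted in front of the
// head was unreachable when walking from Block->Start (and was never freed).
VOID NcInsertLinkBefore(PNATIVE_CODE_LINK Link1, PNATIVE_CODE_LINK Link2)
{
    if (!Link1 || !Link2)
        return;
    if (Link1->Block)
        Link2->Block = Link1->Block;
    Link2->Next = Link1;
    Link2->Prev = Link1->Prev;
    Link1->Prev = Link2;
    if (Link2->Prev)
        Link2->Prev->Next = Link2;
    else if (Link1->Block && Link1->Block->Start == Link1)
        Link1->Block->Start = Link2;
}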
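// Detach Link from its neighbours (no-op for NULL). Link's own Prev/Next/Block
// are left as they were. If Link was the head or tail of its block, the block's
// Start/End are moved to the neighbour; previously they kept pointing at the
// detached link.
VOID NcUnlink(PNATIVE_CODE_LINK Link)
{
    if (!Link)
        return;
    if (Link->Next)
        Link->Next->Prev = Link->Prev;
    if (Link->Prev)
        Link->Prev->Next = Link->Next;
    if (Link->Block)
    {
        if (Link->Block->Start == Link)
            Link->Block->Start = Link->Next;
        if (Link->Block->End == Link)
            Link->Block->End = Link->Prev;
    }
}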
// Sum the raw byte sizes of every non-label link in Block.
// Labels occupy no bytes and are excluded.
ULONG NcCalcBlockSize(PNATIVE_CODE_BLOCK Block)
{
    ULONG Total = 0;
    PNATIVE_CODE_LINK Cur = Block->Start;
    while (Cur)
    {
        const bool IsLabel = (Cur->Flags & CODE_FLAG_IS_LABEL) != 0;
        if (!IsLabel)
            Total += Cur->RawDataSize;
        Cur = Cur->Next;
    }
    return Total;
}
// Pick a label id not present in Block->LabelIds.
// Ids are drawn from rand() (no srand() call is visible in this file) and only
// serve as uniqueness tokens; the caller is responsible for recording the
// returned id in the block's list.
ULONG NcGenUnusedLabelId(PNATIVE_CODE_BLOCK Block)
{
    ULONG Candidate;
    do
    {
        Candidate = rand();
    } while (StdFind(Block->LabelIds.begin(), Block->LabelIds.end(), Candidate) != Block->LabelIds.end());
    return Candidate;
}
// Rename label id Original to New on every label link and every relative-jump
// link in Block. Other links are untouched; Block->LabelIds is not updated.
VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block, ULONG Original, ULONG New)
{
    const ULONG LabelOrJmpMask = CODE_FLAG_IS_LABEL | CODE_FLAG_IS_REL_JMP;
    for (PNATIVE_CODE_LINK Cur = Block->Start; Cur; Cur = Cur->Next)
    {
        if (!(Cur->Flags & LabelOrJmpMask))
            continue;
        if (Cur->Label == Original)
            Cur->Label = New;
    }
}
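// Rename every label in Block2 whose id is already used by Block1, so the two
// blocks can be spliced together without ambiguous jump targets.
// Each replacement id is recorded in Block1->LabelIds, and Block2->LabelIds is
// updated in step with its links.
VOID NcFixLabelsForBlocks(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2)
{
    for (PNATIVE_CODE_LINK T = Block2->Start; T; T = T->Next)
    {
        if (!(T->Flags & CODE_FLAG_IS_LABEL))
            continue;
        const ULONG OldId = T->Label;
        if (StdFind(Block1->LabelIds.begin(), Block1->LabelIds.end(), OldId) == Block1->LabelIds.end())
            continue;
        // The replacement must be free in BOTH blocks: NcGenUnusedLabelId only
        // checks Block1, so an id unused there could still name a different
        // label in Block2 and merge two distinct targets.
        ULONG Lid;
        do
        {
            Lid = NcGenUnusedLabelId(Block1);
        } while (StdFind(Block2->LabelIds.begin(), Block2->LabelIds.end(), Lid) != Block2->LabelIds.end());
        NcChangeLabelId(Block2, OldId, Lid);
        for (ULONG& Id : Block2->LabelIds)
        {
            if (Id == OldId)
                Id = Lid;
        }
        Block1->LabelIds.push_back(Lid);
    }
}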
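// Splice every link of Block into Link's chain directly after Link.
// Returns FALSE when Link has no owning block, Block is missing or empty, or
// Block is the chain Link already lives in. With FixLabels set, label ids of
// Block that clash with Link->Block's are renamed first. Afterwards the links
// are owned by Link->Block; Block's own Start/End are left as they were, so the
// caller must not NcDeleteBlock(Block) or the links are freed twice.
BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL FixLabels)
{
    if (!Link || !Link->Block || !Block || !Block->Start || !Block->End || Link->Block == Block)
        return FALSE;
    PNATIVE_CODE_BLOCK const Target = Link->Block;
    if (FixLabels && Block->LabelIds.size() && Target->LabelIds.size())
        NcFixLabelsForBlocks(Target, Block);
    PNATIVE_CODE_LINK const After = Link->Next;
    if (After)
        After->Prev = Block->End;
    else if (Target->End == Link)
        Target->End = Block->End;  // Link was the tail: the spliced run is the new tail
    Block->End->Next = After;
    Block->Start->Prev = Link;
    Link->Next = Block->Start;
    // Re-own only the spliced run; the rest of the chain already belongs to Target.
    for (PNATIVE_CODE_LINK T = Block->Start; T != After; T = T->Next)
        T->Block = Target;
    return TRUE;
}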
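// Splice every link of Block into Link's chain directly before Link.
// Returns FALSE when Link has no owning block, Block is missing or empty, or
// Block is the chain Link already lives in (same guard as NcInsertBlockAfter;
// splicing a chain into itself corrupts both ends). With FixLabels set, label
// ids of Block that clash with Link->Block's are renamed first. Afterwards the
// links are owned by Link->Block; Block's own Start/End are left as they were,
// so the caller must not NcDeleteBlock(Block) or the links are freed twice.
BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL FixLabels)
{
    if (!Link || !Link->Block || !Block || !Block->Start || !Block->End || Link->Block == Block)
        return FALSE;
    PNATIVE_CODE_BLOCK const Target = Link->Block;
    if (FixLabels && Block->LabelIds.size() && Target->LabelIds.size())
        NcFixLabelsForBlocks(Target, Block);
    PNATIVE_CODE_LINK const Before = Link->Prev;
    if (Before)
        Before->Next = Block->Start;
    else if (Target->Start == Link)
        Target->Start = Block->Start;  // Link was the head: the spliced run is the new head
    Block->Start->Prev = Before;
    Block->End->Next = Link;
    Link->Prev = Block->End;
    // Re-own only the spliced run; Link and everything after it already belong to Target.
    for (PNATIVE_CODE_LINK T = Block->Start; T != Link; T = T->Next)
        T->Block = Target;
    return TRUE;
}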
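// Turn every immediate relative branch in Block into a labelled jump.
// For each conditional/unconditional branch with an immediate first operand the
// target link is resolved via NcValidateJmp; a label link is inserted in front
// of the target unless one is already there, the branch's Label is set to the
// label id and CODE_FLAG_IS_REL_JMP is added to its flags.
// Returns FALSE (block left partially processed) when a branch displacement
// cannot be resolved to a link inside the block.
BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
{
    // Continue numbering after any id the block already owns (a block built by
    // NcDeepCopyPartialBlock inherits its source's ids); restarting at 0 could
    // hand out an id that is already in use.
    ULONG CurrentLabelId = 0;
    for (ULONG Existing : Block->LabelIds)
    {
        if (Existing >= CurrentLabelId)
            CurrentLabelId = Existing + 1;
    }
    for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
    {
        if (!(T->Flags & CODE_FLAG_IS_INST))
            continue;
        XED_CATEGORY_ENUM Category = XedDecodedInstGetCategory(&T->XedInstruction);
        if (Category != XED_CATEGORY_COND_BR && Category != XED_CATEGORY_UNCOND_BR)
            continue;
        ULONG OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
        if (OperandCount < 1)
            continue;
        CONST XED_INST* Inst = XedDecodedInstInst(&T->XedInstruction);
        if (!Inst)
            continue;
        CONST XED_OPERAND* Operand = XedInstOperand(Inst, 0);
        if (!Operand)
            continue;
        // Only immediate (rel8/rel32-style) branches can be labelled; indirect
        // branches keep their original encoding.
        XED_OPERAND_TYPE_ENUM OperandType = XedOperandType(Operand);
        if (OperandType != XED_OPERAND_TYPE_IMM && OperandType != XED_OPERAND_TYPE_IMM_CONST)
            continue;
        INT32 BranchDisplacement = XedDecodedInstGetBranchDisplacement(&T->XedInstruction);
        PNATIVE_CODE_LINK JmpPos = NcValidateJmp(T, BranchDisplacement);
        if (!JmpPos)
        {
            printf("Failed to validate jump. Type: %s, Displacement: %d\n", XedCategoryEnumToString(Category), BranchDisplacement);
            return FALSE;
        }
        if (JmpPos->Prev && (JmpPos->Prev->Flags & CODE_FLAG_IS_LABEL))
        {
            // Reuse the label already sitting in front of the target.
            T->Label = JmpPos->Prev->Label;
        }
        else
        {
            PNATIVE_CODE_LINK LabelLink = new NATIVE_CODE_LINK(CurrentLabelId, Block);
            // A label in front of the block's first link must become the new
            // head; plain neighbour rewiring would leave it unreachable from
            // Block->Start (and never freed).
            if (JmpPos == Block->Start)
                NcPrependToBlock(Block, LabelLink);
            else
                NcInsertLinkBefore(JmpPos, LabelLink);
            Block->LabelIds.push_back(CurrentLabelId);
            T->Label = CurrentLabelId;
            ++CurrentLabelId;
        }
        T->Flags |= CODE_FLAG_IS_REL_JMP;
    }
    return TRUE;
}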
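// Resolve the link a relative branch lands on.
// Jmp is the branch link and Delta its displacement, measured from the end of
// the branch instruction (the forward walk below starts at Jmp->Next for that
// reason, and a zero displacement is handled the same way — it targets the
// instruction after the branch, not the branch itself). Labels occupy no bytes
// and are skipped while counting. Returns the first non-label link at the
// target, or NULL when the displacement does not land exactly on an instruction
// boundary inside the chain (or runs off either end).
PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Jmp, INT32 Delta)
{
    if (!Jmp)
        return NULL;
    PNATIVE_CODE_LINK T;
    if (Delta >= 0)
    {
        // Forward walk: consume instruction lengths until Delta is used up.
        // T is advanced on every iteration — the original skipped labels with a
        // bare `continue` that never moved T and therefore looped forever.
        T = Jmp->Next;
        while (Delta > 0 && T)
        {
            if (!(T->Flags & CODE_FLAG_IS_LABEL))
                Delta -= XedDecodedInstGetLength(&T->XedInstruction);
            T = T->Next;
        }
        if (Delta != 0 || !T)
            return NULL;
    }
    else
    {
        // Backward walk: start at the branch itself (its own length is part of
        // the distance) and add lengths toward the head until Delta reaches 0.
        T = Jmp;
        while (T)
        {
            if (!(T->Flags & CODE_FLAG_IS_LABEL))
            {
                Delta += XedDecodedInstGetLength(&T->XedInstruction);
                if (Delta >= 0)
                    break;
            }
            T = T->Prev;
        }
        if (Delta != 0 || !T)
            return NULL;
    }
    // Step over any labels so the caller gets the instruction at the target.
    while (T && (T->Flags & CODE_FLAG_IS_LABEL))
        T = T->Next;
    return T;
}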
// Produce an independent copy of Link with no owning block.
// A label link is recreated from its id alone. Any other link gets its flags,
// label and a private copy of its raw bytes, which are re-decoded with XED;
// if decoding fails the copy is destroyed, a diagnostic is printed and NULL
// is returned.
PNATIVE_CODE_LINK NcDeepCopyLink(PNATIVE_CODE_LINK Link)
{
    const bool IsLabel = (Link->Flags & CODE_FLAG_IS_LABEL) != 0;
    if (IsLabel)
        return new NATIVE_CODE_LINK(Link->Label, NULL);
    PNATIVE_CODE_LINK Copy = new NATIVE_CODE_LINK(Link->Flags, Link->RawData, Link->RawDataSize);
    Copy->Label = Link->Label;
    const XED_ERROR_ENUM Err = XedDecode(&Copy->XedInstruction, Link->RawData, Link->RawDataSize);
    if (Err == XED_ERROR_NONE)
        return Copy;
    printf("XedDecode failed in NcDeepCopyLink: %s\n", XedErrorEnumToString(Err));
    delete Copy;
    return NULL;
}
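// Deep-copy the inclusive run of links Start..End into a newly allocated block.
// Both links must be non-NULL and belong to the same block, and End must be
// reachable from Start by following Next. The new block inherits the source
// block's label-id list. Returns NULL on invalid arguments, when a link fails
// to copy, or when the walk from Start reaches the end of the chain without
// meeting End (the original ran off the chain and dereferenced NULL there);
// in the failure cases the partial copy is released.
PNATIVE_CODE_BLOCK NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End)
{
    if (!Start || !End || !Start->Block || Start->Block != End->Block)
        return NULL;
    PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
    Block->LabelIds = Start->Block->LabelIds;
    bool ReachedEnd = false;
    for (PNATIVE_CODE_LINK Cur = Start; Cur && !ReachedEnd; Cur = Cur->Next)
    {
        PNATIVE_CODE_LINK Copy = NcDeepCopyLink(Cur);
        if (!Copy)
        {
            NcDeleteBlock(Block);
            delete Block;
            return NULL;
        }
        NcAppendToBlock(Block, Copy);
        ReachedEnd = (Cur == End);
    }
    if (!ReachedEnd)
    {
        NcDeleteBlock(Block);
        delete Block;
        return NULL;
    }
    return Block;
}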
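// Deep-copy an entire block. Returns NULL for a NULL or empty Block (an empty
// block has no Start link, which NcDeepCopyPartialBlock rejects).
PNATIVE_CODE_BLOCK NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block)
{
    if (!Block)
        return NULL;
    return NcDeepCopyPartialBlock(Block->Start, Block->End);
}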
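// Decode BufferSize bytes at Buffer into instruction links appended to Block,
// then label the relative branches with NcCreateLabels.
// Each instruction is decoded from at most 15 bytes (the x86 maximum) and its
// encoded bytes are copied into a private buffer on the link. Returns FALSE on
// a decode failure, on an implausible decoded length, or when labelling fails;
// in every failure case the block's links are released with NcDeleteBlock.
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
{
    if (!Block || (!Buffer && BufferSize))
        return FALSE;
    PUCHAR Buf = (PUCHAR)Buffer;
    ULONG Offset = 0;
    while (Offset < BufferSize)
    {
        const ULONG Remaining = BufferSize - Offset;
        // Written out rather than via min() to sidestep the Windows macro.
        const ULONG PossibleSize = (Remaining < 15UL) ? Remaining : 15UL;
        PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK;
        Link->Flags = CODE_FLAG_IS_INST;
        XED_ERROR_ENUM DecodeError = XedDecode(&Link->XedInstruction, Buf + Offset, PossibleSize);
        if (DecodeError != XED_ERROR_NONE)
        {
            printf("XedDecode failed with error %s\n", XedErrorEnumToString(DecodeError));
            delete Link;
            NcDeleteBlock(Block);
            return FALSE;
        }
        const ULONG Length = XedDecodedInstGetLength(&Link->XedInstruction);
        // The input is untrusted bytes: never copy more than was offered to the
        // decoder, so a surprising length cannot read past the caller's buffer.
        if (Length == 0 || Length > PossibleSize)
        {
            printf("XedDecode returned an invalid length %u at offset %u\n", Length, Offset);
            delete Link;
            NcDeleteBlock(Block);
            return FALSE;
        }
        Link->RawDataSize = Length;
        Link->RawData = new UCHAR[Length];
        memcpy(Link->RawData, Buf + Offset, Length);
        NcAppendToBlock(Block, Link);
        Offset += Length;
    }
    // A branch that cannot be resolved leaves the block unusable for
    // re-assembly; report it instead of returning TRUE with partial labels.
    if (!NcCreateLabels(Block))
    {
        NcDeleteBlock(Block);
        return FALSE;
    }
    return TRUE;
}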
// Assemble Block back into a contiguous byte buffer.
// Not implemented yet: always returns NULL and does not touch Block.
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block)
{
    (VOID)Block;
    //TODO: handle post assembly editing for Jit obfuscation types(maybe a vector of post assembly processing traits inside of NATIVE_CODE_LINK)
    return NULL;
}
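// Free every link owned by Block and reset it to the empty state.
// The block object itself is not freed (callers delete it separately).
// Start/End are cleared and the label-id list emptied so a later
// NcAppendToBlock or NcDeleteBlock on the same block does not touch freed
// memory; previously both pointers kept referring to deleted links.
VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block)
{
    if (!Block)
        return;
    PNATIVE_CODE_LINK T = Block->Start;
    while (T)
    {
        PNATIVE_CODE_LINK Next = T->Next;
        delete T;
        T = Next;
    }
    Block->Start = NULL;
    Block->End = NULL;
    Block->LabelIds.clear();
}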
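// Print one line per link to the console: labels and relative jumps in yellow
// (green|red), other instructions in cyan (green|blue).
// The console's previous text attributes are restored on exit; the original
// left the console in whatever colour the last line used.
VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
{
    HANDLE ConsoleHandle = GetStdHandle(STD_OUTPUT_HANDLE);
    // GetStdHandle reports failure as INVALID_HANDLE_VALUE and NULL when no
    // standard output is attached; neither is usable.
    if (!Block || !ConsoleHandle || ConsoleHandle == INVALID_HANDLE_VALUE)
        return;
    CONSOLE_SCREEN_BUFFER_INFO Info;
    const BOOL HaveInfo = GetConsoleScreenBufferInfo(ConsoleHandle, &Info);
    for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
    {
        if (T->Flags & CODE_FLAG_IS_LABEL)
        {
            SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_RED);
            printf("Label: %u\n", T->Label);
            continue;
        }
        XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&T->XedInstruction);
        if (T->Flags & CODE_FLAG_IS_REL_JMP)
        {
            SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_RED);
            printf("%s: %u\n", XedIClassEnumToString(IClass), T->Label);
        }
        else
        {
            SetConsoleTextAttribute(ConsoleHandle, FOREGROUND_GREEN | FOREGROUND_BLUE);
            printf("%s\n", XedIClassEnumToString(IClass));
        }
    }
    if (HaveInfo)
        SetConsoleTextAttribute(ConsoleHandle, Info.wAttributes);
}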
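// Dump the raw bytes of every non-label link to std::cout as space-separated,
// zero-padded two-digit hex values (no trailing newline).
// Stream formatting is restored afterwards: std::hex and std::setfill are
// sticky and previously leaked into whatever the caller printed next.
VOID NcPrintBlockCode(PNATIVE_CODE_BLOCK Block)
{
    if (!Block)
        return;
    const std::ios::fmtflags SavedFlags = std::cout.flags();
    const char SavedFill = std::cout.fill();
    for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
    {
        if (T->Flags & CODE_FLAG_IS_LABEL)
            continue;
        for (ULONG i = 0; i < T->RawDataSize; ++i)
        {
            std::cout << std::hex << std::setw(2) << std::setfill('0')
                      << static_cast<unsigned int>(T->RawData[i]) << ' ';
        }
    }
    std::cout.flags(SavedFlags);
    std::cout.fill(SavedFill);
}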