main
James 3 years ago
parent 5d46bc31dd
commit 28a54b454c

@ -164,9 +164,11 @@
<ClCompile Include="ObfMisc.cpp" /> <ClCompile Include="ObfMisc.cpp" />
<ClCompile Include="Obfuscator.cpp" /> <ClCompile Include="Obfuscator.cpp" />
<ClCompile Include="OpaqueBranching.cpp" /> <ClCompile Include="OpaqueBranching.cpp" />
<ClCompile Include="Pattern.cpp" />
<ClCompile Include="PEFile.cpp" /> <ClCompile Include="PEFile.cpp" />
<ClCompile Include="Random.cpp" /> <ClCompile Include="Random.cpp" />
<ClCompile Include="RipMovInst.cpp" /> <ClCompile Include="RipMovInst.cpp" />
<ClCompile Include="Symbos.cpp" />
<ClCompile Include="Virtualizer.cpp" /> <ClCompile Include="Virtualizer.cpp" />
<ClCompile Include="VirtualMachine.cpp" /> <ClCompile Include="VirtualMachine.cpp" />
<ClCompile Include="VmCode.cpp" /> <ClCompile Include="VmCode.cpp" />
@ -180,6 +182,7 @@
<ClInclude Include="Obfuscator.h" /> <ClInclude Include="Obfuscator.h" />
<ClInclude Include="PEFile.h" /> <ClInclude Include="PEFile.h" />
<ClInclude Include="Random.h" /> <ClInclude Include="Random.h" />
<ClInclude Include="Symbos.h" />
<ClInclude Include="Virtualizer.h" /> <ClInclude Include="Virtualizer.h" />
<ClInclude Include="VirtualMachine.h" /> <ClInclude Include="VirtualMachine.h" />
<ClInclude Include="VmCode.h" /> <ClInclude Include="VmCode.h" />
@ -188,7 +191,7 @@
<ClInclude Include="XedWrap.h" /> <ClInclude Include="XedWrap.h" />
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<MASM Include="Assembly.asm" /> <MASM Include="VMAssembly.asm" />
</ItemGroup> </ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" /> <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets"> <ImportGroup Label="ExtensionTargets">

@ -34,7 +34,10 @@
<Filter>Code</Filter> <Filter>Code</Filter>
</ClInclude> </ClInclude>
<ClInclude Include="PEFile.h"> <ClInclude Include="PEFile.h">
<Filter>File</Filter> <Filter>File\PEFile</Filter>
</ClInclude>
<ClInclude Include="Symbos.h">
<Filter>File\Symbols</Filter>
</ClInclude> </ClInclude>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
@ -72,10 +75,16 @@
<ClCompile Include="Flags.cpp"> <ClCompile Include="Flags.cpp">
<Filter>Code</Filter> <Filter>Code</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="CodeBlocks.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
<ClCompile Include="PEFile.cpp"> <ClCompile Include="PEFile.cpp">
<Filter>File</Filter> <Filter>File\PEFile</Filter>
</ClCompile> </ClCompile>
<ClCompile Include="CodeBlocks.cpp"> <ClCompile Include="Symbos.cpp">
<Filter>File\Symbols</Filter>
</ClCompile>
<ClCompile Include="Pattern.cpp">
<Filter>Obfuscator</Filter> <Filter>Obfuscator</Filter>
</ClCompile> </ClCompile>
</ItemGroup> </ItemGroup>
@ -101,9 +110,15 @@
<Filter Include="File"> <Filter Include="File">
<UniqueIdentifier>{86aae053-7113-4aef-b35f-ec023f771992}</UniqueIdentifier> <UniqueIdentifier>{86aae053-7113-4aef-b35f-ec023f771992}</UniqueIdentifier>
</Filter> </Filter>
<Filter Include="File\PEFile">
<UniqueIdentifier>{4e56113a-4855-4589-a0b0-d847c4f8125f}</UniqueIdentifier>
</Filter>
<Filter Include="File\Symbols">
<UniqueIdentifier>{0f4f6f9c-f554-46cc-8a9b-856dde106e37}</UniqueIdentifier>
</Filter>
</ItemGroup> </ItemGroup>
<ItemGroup> <ItemGroup>
<MASM Include="Assembly.asm"> <MASM Include="VMAssembly.asm">
<Filter>Virtualizer</Filter> <Filter>Virtualizer</Filter>
</MASM> </MASM>
</ItemGroup> </ItemGroup>

@ -29,7 +29,7 @@ BOOL FlgAreFlagsClobbered(PNATIVE_CODE_LINK Inst, PNATIVE_CODE_LINK Stop)
for (PNATIVE_CODE_LINK T = Inst->Next; T && T != Stop; T = T->Next) for (PNATIVE_CODE_LINK T = Inst->Next; T && T != Stop; T = T->Next)
{ {
if (T->Flags & CODE_FLAG_IS_LABEL) if (!XedDecodedInstUsesRflags(&T->XedInstruction) || T->Flags & CODE_FLAG_IS_LABEL)
continue; continue;
CONST XED_SIMPLE_FLAG* InstFlags = XedDecodedInstGetRflagsInfo(&T->XedInstruction); CONST XED_SIMPLE_FLAG* InstFlags = XedDecodedInstGetRflagsInfo(&T->XedInstruction);
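Review bot: The new `continue` condition queries `XedDecodedInstUsesRflags(&T->XedInstruction)` before it tests `CODE_FLAG_IS_LABEL`, whereas the old line skipped label links before touching `XedInstruction` at all; if label links do not carry a decoded instruction (which the old ordering suggests, though the link type is outside this hunk), the XED call now inspects that member on every label. Swapping the operands restores the old guarantee and also makes the precedence explicit: `if ((T->Flags & CODE_FLAG_IS_LABEL) || !XedDecodedInstUsesRflags(&T->XedInstruction))`. FlgAreFlagsClobbered begins and ends outside the hunk.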

@ -187,20 +187,76 @@ UCHAR IsEvenCode[]{
int main() int main()
{ {
CvInit(); XedTablesInit();
srand(time(NULL));
UCHAR TestCode[] = { 0x48, 0x8B, 0x84, 0xD1, 0xF0, 0x06, 0x00, 0x00 }; // { 0x48, 0x89, 0xC8 };
XED_DECODED_INST DecodedInst;
XedDecodedInstZero(&DecodedInst);
XedDecodedInstSetMode(&DecodedInst, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
XED_ERROR_ENUM Err = XedDecode(&DecodedInst, TestCode, sizeof(TestCode));
if (Err != XED_ERROR_NONE)
{
printf("Failed to decode.\n");
system("pause");
return -1;
}
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&DecodedInst);
printf("IClass: %s\n", XedIClassEnumToString(IClass));
CONST xed_inst_t* Inst = XedDecodedInstInst(&DecodedInst);
ULONG OperandCount = XedDecodedInstNumOperands(&DecodedInst);
for (ULONG i = 0; i < OperandCount; i++)
{
CONST xed_operand_t* Operand = XedInstOperand(Inst, i);
xed_operand_enum_t OperandName = XedOperandName(Operand);
printf("Operand Name: %s\n", XedOperandEnumToString(OperandName));
if (XedOperandIsRegister(OperandName))
{
xed_reg_enum_t RegEnum = XedDecodedInstGetReg(&DecodedInst, OperandName);
printf("Reg: %s\n", XedRegEnumToString(RegEnum));
}
if (OperandName == XED_OPERAND_MEM0 || OperandName == XED_OPERAND_MEM1)
{
ULONG MemOpIndex = OperandName - XED_OPERAND_MEM0;
printf("MemOpIdx: %u\n", MemOpIndex);
printf("Base Reg: %s\n", XedRegEnumToString(XedDecodedInstGetBaseReg(&DecodedInst, MemOpIndex)));
printf("Index Reg: %s\n", XedRegEnumToString(XedDecodedInstGetIndexReg(&DecodedInst, MemOpIndex)));
printf("Scale: %u\n", xed_decoded_inst_get_scale(&DecodedInst, MemOpIndex));
printf("Disp: %llu\n", xed_decoded_inst_get_memory_displacement(&DecodedInst, MemOpIndex));
}
}
//ULONG Delta = (*((PULONG)((PUCHAR)TestShelcode + 1))) + 5;
//printf("Delta: %X\n", Delta);
PVOID ActualFunction = TestShelcode; // (PVOID)((ULONG64)TestShelcode + Delta);
printf("%llu %llu %llu %llu\n", TestShelcode(1, 2, 3, 4), TestShelcode(20, 20, 20, 4), TestShelcode(50, 50, 50, 0), Nextfunction(12));
system("pause");
PUCHAR MemeBlock = new UCHAR[110];
memcpy(MemeBlock, ActualFunction, 110);
PrintByteArr(MemeBlock, 110); //xed_operand_values_t* Operands = xed_decoded_inst_operands(&DecodedInst);
//printf("Operand Count %u\n", OperandCount);
//printf("%s\n", xed_reg_enum_t2str(xed_operand_values_get_base_reg(Operands, 0)));
////printf("%s\n", xed_reg_enum_t2str(xed_operand_values_get_base_reg(Operands, 1)));
//printf("%u is length.\n", xed_operand_values_get_memory_displacement_length(Operands));
//printf("%u memop count\n", xed_operand_values_number_of_memory_operands(Operands));
//printf("");
system("pause"); system("pause");
}
//CvInit();
////ULONG Delta = (*((PULONG)((PUCHAR)TestShelcode + 1))) + 5;
////printf("Delta: %X\n", Delta);
//PVOID ActualFunction = TestShelcode; // (PVOID)((ULONG64)TestShelcode + Delta);
//printf("%llu %llu %llu %llu\n", TestShelcode(1, 2, 3, 4), TestShelcode(20, 20, 20, 4), TestShelcode(50, 50, 50, 0), Nextfunction(12));
//system("pause");
//PUCHAR MemeBlock = new UCHAR[110];
//memcpy(MemeBlock, ActualFunction, 110);
//PrintByteArr(MemeBlock, 110);
//system("pause");
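Review bot: The memory-operand dump prints the displacement with `%llu`, but XED's `xed_decoded_inst_get_memory_displacement` returns a signed `xed_int64_t`, so any negative displacement (e.g. a `[rbp-8]` style operand) is printed as a huge unsigned value; `printf("Disp: %lld\n", (long long)xed_decoded_inst_get_memory_displacement(&DecodedInst, MemOpIndex));` matches the type. The same loop calls `xed_decoded_inst_get_scale` and `xed_decoded_inst_get_memory_displacement` directly while every neighbouring call goes through the XedWrap.h macros this commit adds (`XedDecodedInstGetBaseReg`, `XedDecodedInstGetIndexReg`); adding the two missing wrappers would keep the file to one naming scheme. The commented-out copy of the old shellcode test at the end of the hunk is dead code that version control already preserves. `main` continues past the end of the hunk.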
@ -240,7 +296,7 @@ int main()
//PutToFile(Asm, AsmSize); //PutToFile(Asm, AsmSize);
//system("pause"); //system("pause");
ULONG AsmSize; /*ULONG AsmSize;
PVOID Asm = CvDriverFunctionObfuscate(MemeBlock, 110, &AsmSize, 5, 0.5); PVOID Asm = CvDriverFunctionObfuscate(MemeBlock, 110, &AsmSize, 5, 0.5);
if (!Asm) if (!Asm)
{ {
@ -259,7 +315,7 @@ int main()
printf("Failed to make buffer\n"); printf("Failed to make buffer\n");
return 1; return 1;
} }
printf("%llu %llu %llu %llu\n", ((FnTestShelcode)Exec)(1, 2, 3, 4), ((FnTestShelcode)Exec)(20, 20, 20, 4), ((FnTestShelcode)Exec)(50, 50, 50, 0), Nextfunction(12)); printf("%llu %llu %llu %llu\n", ((FnTestShelcode)Exec)(1, 2, 3, 4), ((FnTestShelcode)Exec)(20, 20, 20, 4), ((FnTestShelcode)Exec)(50, 50, 50, 0), Nextfunction(12));*/
@ -390,6 +446,5 @@ int main()
NcPrintBlockCode(NewBlock); NcPrintBlockCode(NewBlock);
} }
system("pause");*/ system("pause");*/
}

@ -98,4 +98,6 @@ ULONG ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, ULONG MutateChance, BOOL M
T = RealNext; T = RealNext;
} }
return MutatedInstructions; return MutatedInstructions;
} }

@ -7,12 +7,11 @@
#include "NativeCode.h" #include "NativeCode.h"
#include "Random.h" #include "Random.h"
//Jit
#define DWORD_MOV_INST_LENGTH 10 #define DWORD_MOV_INST_LENGTH 10
#define WORD_MOV_INST_LENGTH 9 #define WORD_MOV_INST_LENGTH 9
#define BYTE_MOV_INST_LENGTH 7 #define BYTE_MOV_INST_LENGTH 7
//Jit
BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data); BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL JitEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data); BOOL JitEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
@ -47,4 +46,6 @@ BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Ta
#endif #endif

@ -1,40 +1,23 @@
#include "PEFile.h" #include "PEFile.h"
VOID FiLoadFile(PPE_FILE File, PVOID RawData, ULONG RawDataSize) //VOID FiLoadFile(PPE_FILE File, PVOID RawData, ULONG RawDataSize)
{ //{
File->RawData = RawData; // File->RawData = RawData;
File->RawDataSize = RawDataSize; // File->RawDataSize = RawDataSize;
File->Flags = NULL; // File->Flags = NULL;
//
File->DosHeader = (PIMAGE_DOS_HEADER)File->RawData; // File->DosHeader = (PIMAGE_DOS_HEADER)File->RawData;
if (File->DosHeader->e_magic != IMAGE_DOS_SIGNATURE) // if (File->DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
return; // return;
//
File->NtHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)File + File->DosHeader->e_lfanew); // File->NtHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)File + File->DosHeader->e_lfanew);
if (File->NtHeaders->Signature != IMAGE_NT_SIGNATURE) // if (File->NtHeaders->Signature != IMAGE_NT_SIGNATURE)
return; // return;
//
File->FileHeader = &(File->NtHeaders->FileHeader); // File->FileHeader = &(File->NtHeaders->FileHeader);
File->SectionHeaders = (PIMAGE_SECTION_HEADER)((PUCHAR)File->FileHeader + sizeof(IMAGE_FILE_HEADER) + File->FileHeader->SizeOfOptionalHeader); // File->SectionHeaders = (PIMAGE_SECTION_HEADER)((PUCHAR)File->FileHeader + sizeof(IMAGE_FILE_HEADER) + File->FileHeader->SizeOfOptionalHeader);
//
File->Flags |= PEFI_IS_LOADED; // File->Flags |= PEFI_IS_LOADED;
} //}
VOID FiWriteFile(PPE_FILE File, STDSTRING CONST& Path)
{
//xD
}
VOID FILoadSymbols(PPE_FILE File, PVOID PdbFileData)
{
}
VOID FiDestroy(PPE_FILE File)
{
}
BOOL FiGood(PPE_FILE File)
{
return (File->Flags & PEFI_IS_LOADED);
}
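Review bot: The commented-out FiLoadFile body at the top of the hunk preserves two defects that return with it if it is ever uncommented: `File->NtHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)File + File->DosHeader->e_lfanew);` offsets from the PE_FILE struct itself rather than from `File->RawData`, and neither `e_lfanew` nor the computed section-header offset is checked against `RawDataSize` before the headers are dereferenced. Since the matching declarations are removed from PEFile.h in this commit, deleting the block is cleaner than keeping it as a comment; if it stays, a line such as `// TODO: when revived, base on File->RawData and bounds-check e_lfanew and the section table against RawDataSize` above it records what must change.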

@ -3,34 +3,4 @@
#include "Windas.h" #include "Windas.h"
#define PEFI_IS_LOADED (1<<0)
#define PEFI_SYMBOLS_LOADED (1<<1)
typedef struct _PEFI_SECTION
{
PVOID RawData;
ULONG RawDataSize;
}PEFI_SECTION, *PPEFI_SECTION;
typedef struct _PE_FILE
{
PVOID RawData;
ULONG RawDataSize;
ULONG Flags;
PIMAGE_DOS_HEADER DosHeader;
PIMAGE_NT_HEADERS NtHeaders;
PIMAGE_FILE_HEADER FileHeader;
PIMAGE_SECTION_HEADER SectionHeaders;
STDVECTOR<UCHAR> SymbolData;
}PE_FILE, *PPE_FILE;
VOID FiLoadFile(PPE_FILE File, PVOID RawData, ULONG RawDataSize);
VOID FiWriteFile(PPE_FILE File, STDSTRING CONST& Path);
VOID FILoadSymbols(PPE_FILE File, PVOID PdbFileData);
VOID FiDestroy(PPE_FILE File);
BOOL FiGood(PPE_FILE File);
#endif #endif

@ -0,0 +1 @@
#include "Obfuscator.h"

@ -0,0 +1,4 @@
#ifndef __SYMBOLS_H
#define __SYMBOLS_H
#endif
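Review bot: The include guard `__SYMBOLS_H` starts with a double underscore, and identifiers of that form are reserved for the implementation in both C and C++, so it can collide with compiler or library macros. `#ifndef SYMBOLS_H` / `#define SYMBOLS_H` (matching the project's `#ifndef`/`#endif` convention seen in the other headers) avoids the reserved namespace.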

@ -2,7 +2,12 @@
BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link) BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
{ {
return TRUE;
switch (XedDecodedInstGetIClass(&Link->XedInstruction))
{
case XED_ICLASS_MOV: return TRUE;
}
return FALSE;
} }
BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block) BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block)
{ {
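Review bot: The new `switch` in ViCanHandleInst has a single `case` and no `default`, which draws an unhandled-enumerator warning on an enum switch under common warning levels and reads as an unfinished dispatch. Either add `default: break;` before the closing brace so the intent (anything not listed is rejected) is explicit, or, while only MOV is supported, state it directly: `return XedDecodedInstGetIClass(&Link->XedInstruction) == XED_ICLASS_MOV;`. A comment such as `// Whitelist of instruction classes the virtualizer can lift; extend as handlers are added` above the switch would also explain why the function went from unconditional TRUE to a whitelist.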

@ -23,7 +23,8 @@
* Jit -> Jit related function * Jit -> Jit related function
* Xed -> Xed macro wrapper * Xed -> Xed macro wrapper
* Vm -> Virtual Machine function * Vm -> Virtual Machine function
* Fi -> File stuff used to dissasemble PE files * Fi -> File related things
* Sff -> shellcode file format
*/ */

@ -11,11 +11,13 @@ extern "C"
#define XED_DECODED_INST xed_decoded_inst_t #define XED_DECODED_INST xed_decoded_inst_t
#define XED_INST xed_inst_t #define XED_INST xed_inst_t
#define XED_OPERAND xed_operand_t #define XED_OPERAND xed_operand_t
#define XED_OPERAND_ENUM xed_operand_enum_t
#define XED_SIMPLE_FLAG xed_simple_flag_t #define XED_SIMPLE_FLAG xed_simple_flag_t
#define XED_FLAG_SET xed_flag_set_t #define XED_FLAG_SET xed_flag_set_t
#define XED_STATE xed_state_t #define XED_STATE xed_state_t
#define XED_ENCODER_INSTRUCTION xed_encoder_instruction_t #define XED_ENCODER_INSTRUCTION xed_encoder_instruction_t
#define XED_ENCODER_REQUEST xed_encoder_request_t #define XED_ENCODER_REQUEST xed_encoder_request_t
#define XED_REG_ENUM xed_reg_enum_t
#define XED_OPERAND_TYPE_ENUM xed_operand_type_enum_t #define XED_OPERAND_TYPE_ENUM xed_operand_type_enum_t
#define XED_ERROR_ENUM xed_error_enum_t #define XED_ERROR_ENUM xed_error_enum_t
@ -36,15 +38,37 @@ extern "C"
#define XedDecodedInstInst xed_decoded_inst_inst #define XedDecodedInstInst xed_decoded_inst_inst
#define XedDecodedInstNumOperands xed_decoded_inst_noperands #define XedDecodedInstNumOperands xed_decoded_inst_noperands
#define XedDecodedInstGetIClass xed_decoded_inst_get_iclass #define XedDecodedInstGetIClass xed_decoded_inst_get_iclass
#define XedDecodedInstUsesRflags xed_decoded_inst_uses_rflags
#define XedDecodedInstGetRflagsInfo xed_decoded_inst_get_rflags_info #define XedDecodedInstGetRflagsInfo xed_decoded_inst_get_rflags_info
#define XedDecodedInstGetReg xed_decoded_inst_get_reg
#define XedDecodedInstGetSegReg xed_decoded_inst_get_seg_reg
#define XedDecodedInstGetBaseReg xed_decoded_inst_get_base_reg
#define XedDecodedInstGetIndexReg xed_decoded_inst_get_index_reg
#define XedInstOperand xed_inst_operand
#define XedInstOperand xed_inst_operand
#define XedOperandType xed_operand_type #define XedOperandType xed_operand_type
#define XedOperandName xed_operand_name
#define XedOperandIsRegister xed_operand_is_register
#define XedOperandWidth xed_operand_width
#define XedOperandWidthBits xed_operand_width_bits
#define XedOperandIsMemoryAddressingRegister xed_operand_is_memory_addressing_register
#define XedOperandReadWriteAction xed_operand_rw
#define XedOperandRead xed_operand_read
#define XedOperandReadOnly xed_operand_read_only
#define XedOperandWritten xed_operand_written
#define XedOperandWrittenOnly xed_operand_written_only
#define XedOperandReadAndWritten xed_operand_read_and_written
#define XedOperandConditionalRead xed_operand_conditional_read
#define XedOperandConditionalWrite xed_operand_conditional_write
#define XedIClassEnumToString xed_iclass_enum_t2str #define XedIClassEnumToString xed_iclass_enum_t2str
#define XedErrorEnumToString xed_error_enum_t2str #define XedErrorEnumToString xed_error_enum_t2str
#define XedCategoryEnumToString xed_category_enum_t2str #define XedCategoryEnumToString xed_category_enum_t2str
#define XedOperandEnumToString xed_operand_enum_t2str
#define XedRegEnumToString xed_reg_enum_t2str
#define XedSimpleFlagGetReadFlagSet xed_simple_flag_get_read_flag_set #define XedSimpleFlagGetReadFlagSet xed_simple_flag_get_read_flag_set
#define XedSimpleFlagGetWrittenFlagSet xed_simple_flag_get_written_flag_set #define XedSimpleFlagGetWrittenFlagSet xed_simple_flag_get_written_flag_set
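Review bot: `#define XedInstOperand xed_inst_operand` is added twice in this hunk on consecutive lines; an identical redefinition is permitted by the preprocessor so it compiles silently, but the duplicate should be dropped before someone edits one copy and not the other. The macro block also has no wrapper for `xed_decoded_inst_get_scale` or `xed_decoded_inst_get_memory_displacement`, which the new test code in this commit calls by their raw names; `#define XedDecodedInstGetScale xed_decoded_inst_get_scale` and `#define XedDecodedInstGetMemoryDisplacement xed_decoded_inst_get_memory_displacement` next to `XedDecodedInstGetIndexReg` would complete the set.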
