improved reassembly speed

can now preemptively promote jmps to 32 bit so reassembly is faster
main
James 3 years ago
parent 9b2a12bd12
commit 51b61d400b

@ -1,21 +1,19 @@
.CODE
;Machine structure
;REGISTER = Register file(32 8 byte registers)
;REGISTER = Instruction Pointer
;REGISTER = Handler Table
;
RetNum PROC
XOR EAX,EAX
ContinueLoop:
ADD RAX,1
SUB RCX,1
ADD RCX,1
ADD RAX,2
SUB RAX,2
SUB RCX,1
JNZ ContinueLoop
ret
RetNum ENDP
NextFunction PROC
ret
NextFunction ENDP
ViSx0 proc
ViSx0 endp
ViZx0 proc
ViZx0 endp
END

@ -9,6 +9,6 @@
#define CODE_FLAG_GROUP_END (1<<5)
#define CODE_FLAG_HAS_ASM_OP (1<<6) //Call all of the pre assembly operations
#define CODE_FLAG_IS_RIP_REL (1<<7) //Figure out how to deal with this...
#define CODE_FLAG_DOESNT_READ_FLAGS (1<<8)
#endif

@ -138,7 +138,7 @@
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<WarningLevel>Level1</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
@ -160,6 +160,7 @@
<ClCompile Include="DataLog.cpp" />
<ClCompile Include="Flags.cpp" />
<ClCompile Include="Jit.cpp" />
<ClCompile Include="Jit2.cpp" />
<ClCompile Include="Junk.cpp" />
<ClCompile Include="NativeCode.cpp" />
<ClCompile Include="Main.cpp" />
@ -180,6 +181,7 @@
<ClInclude Include="DataLog.h" />
<ClInclude Include="Flags.h" />
<ClInclude Include="Jit.h" />
<ClInclude Include="Jit2.h" />
<ClInclude Include="Junk.h" />
<ClInclude Include="NativeCode.h" />
<ClInclude Include="Nop.h" />
@ -192,6 +194,7 @@
<ClInclude Include="Virtualizer.h" />
<ClInclude Include="VirtualMachine.h" />
<ClInclude Include="VmCode.h" />
<ClInclude Include="VMDefs.h" />
<ClInclude Include="Windas.h" />
<ClInclude Include="XedWrap.h" />
</ItemGroup>

@ -17,9 +17,6 @@
<ClInclude Include="Virtualizer.h">
<Filter>Virtualizer</Filter>
</ClInclude>
<ClInclude Include="VirtualMachine.h">
<Filter>VirtualMachine</Filter>
</ClInclude>
<ClInclude Include="RipXorInst.h">
<Filter>Obfuscator\Jit\RipXorInst</Filter>
</ClInclude>
@ -53,6 +50,15 @@
<ClInclude Include="Flags.h">
<Filter>Obfuscator\Flags</Filter>
</ClInclude>
<ClInclude Include="VirtualMachine.h">
<Filter>Virtualizer\VM</Filter>
</ClInclude>
<ClInclude Include="VMDefs.h">
<Filter>Virtualizer\VM</Filter>
</ClInclude>
<ClInclude Include="Jit2.h">
<Filter>Obfuscator\Jit</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Main.cpp" />
@ -68,9 +74,6 @@
<ClCompile Include="Virtualizer.cpp">
<Filter>Virtualizer</Filter>
</ClCompile>
<ClCompile Include="VirtualMachine.cpp">
<Filter>VirtualMachine</Filter>
</ClCompile>
<ClCompile Include="RipXorInst.cpp">
<Filter>Obfuscator\Jit\RipXorInst</Filter>
</ClCompile>
@ -104,6 +107,12 @@
<ClCompile Include="Flags.cpp">
<Filter>Obfuscator\Flags</Filter>
</ClCompile>
<ClCompile Include="VirtualMachine.cpp">
<Filter>Virtualizer\VM</Filter>
</ClCompile>
<ClCompile Include="Jit2.cpp">
<Filter>Obfuscator\Jit</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<Filter Include="Xed">
@ -115,9 +124,6 @@
<Filter Include="Virtualizer">
<UniqueIdentifier>{f74192e7-2064-44d2-983c-fac92f468c0a}</UniqueIdentifier>
</Filter>
<Filter Include="VirtualMachine">
<UniqueIdentifier>{d784ddc8-2452-41ff-bc20-582ec03b3eb5}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator">
<UniqueIdentifier>{cc5b78db-cdf7-4b83-9652-2722cbdec89e}</UniqueIdentifier>
</Filter>
@ -154,8 +160,13 @@
<Filter Include="Obfuscator\Flags">
<UniqueIdentifier>{296c0b55-edbb-45ab-b946-ec83e5441678}</UniqueIdentifier>
</Filter>
<Filter Include="Virtualizer\VM">
<UniqueIdentifier>{28de0895-3bf5-45ef-8293-92032c466572}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<MASM Include="Assembly.asm" />
<MASM Include="Assembly.asm">
<Filter>Virtualizer</Filter>
</MASM>
</ItemGroup>
</Project>

@ -33,10 +33,14 @@ BOOL FlgAreFlagsClobbered(PNATIVE_CODE_LINK Inst, PNATIVE_CODE_LINK Stop)
continue;
CONST XED_SIMPLE_FLAG* InstFlags = XedDecodedInstGetRflagsInfo(&T->XedInstruction);
CONST XED_FLAG_SET* FlagsRead = XedSimpleFlagGetReadFlagSet(InstFlags);
if (FlagsRead->flat & Ledger.flat)
return FALSE;
if (!(T->Flags & CODE_FLAG_DOESNT_READ_FLAGS))
{
CONST XED_FLAG_SET* FlagsRead = XedSimpleFlagGetReadFlagSet(InstFlags);
if (FlagsRead->flat & Ledger.flat)
return FALSE;
}
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(InstFlags);
CONST XED_FLAG_SET* FlagsUndefined = XedSimpleFlagGetUndefinedFlagSet(InstFlags);

@ -6,102 +6,29 @@
#include "RipMovInst.h"
BOOL JitCheckFlagCollisions(CONST XED_FLAG_SET* FlagsRead, XED_FLAG_SET Ledger)
{
return ((FlagsRead->s.zf && FlagsRead->s.zf == Ledger.s.zf) ||
(FlagsRead->s.sf && FlagsRead->s.sf == Ledger.s.sf) ||
(FlagsRead->s.pf && FlagsRead->s.pf == Ledger.s.pf) ||
(FlagsRead->s.of && FlagsRead->s.of == Ledger.s.of) ||
(FlagsRead->s.cf && FlagsRead->s.cf == Ledger.s.cf) ||
(FlagsRead->s.af && FlagsRead->s.af == Ledger.s.af)
);
}
VOID JitUpdateConFlagsLedger(CONST XED_FLAG_SET* FlagsWritten, XED_FLAG_SET* Ledger)
{
if (FlagsWritten->s.zf)
Ledger->s.zf = FALSE;
if (FlagsWritten->s.sf)
Ledger->s.sf = FALSE;
if (FlagsWritten->s.pf)
Ledger->s.pf = FALSE;
if (FlagsWritten->s.of)
Ledger->s.of = FALSE;
if (FlagsWritten->s.cf)
Ledger->s.cf = FALSE;
if (FlagsWritten->s.af)
Ledger->s.af = FALSE;
}
BOOL JitDoesInstOverriteConditionFlags(PNATIVE_CODE_LINK Link)
{
CONST XED_SIMPLE_FLAG* SimpleFlags = XedDecodedInstGetRflagsInfo(&Link->XedInstruction);
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(SimpleFlags);
CONST XED_FLAG_SET* FlagsUndefined = XedSimpleFlagGetUndefinedFlagSet(SimpleFlags);
return (FlagsWritten->s.zf &&
FlagsWritten->s.sf &&
FlagsWritten->s.pf &&
FlagsWritten->s.of &&
FlagsWritten->s.cf &&
FlagsUndefined->s.af
);
}
BOOL JitAreFlagsClobberedBeforeUse(PNATIVE_CODE_LINK Link)
{
XED_FLAG_SET Ledger;
Ledger.s.zf = TRUE;
Ledger.s.sf = TRUE;
Ledger.s.pf = TRUE;
Ledger.s.of = TRUE;
Ledger.s.cf = TRUE;
Ledger.s.af = TRUE;
for (PNATIVE_CODE_LINK T = Link->Next; T; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
CONST XED_SIMPLE_FLAG* SimpleFlags = XedDecodedInstGetRflagsInfo(&T->XedInstruction);
CONST XED_FLAG_SET* FlagsRead = XedSimpleFlagGetReadFlagSet(SimpleFlags);
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(SimpleFlags);
if (JitCheckFlagCollisions(FlagsRead, Ledger))
return FALSE;
JitUpdateConFlagsLedger(FlagsWritten, &Ledger);
if (Ledger.flat == 0)
return TRUE;
}
return FALSE;
}
VOID JitMutateInstForXor(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData)
BOOL JitMutateInstForXor(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_BITWISE_DATA JitData)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PUCHAR Buffer = Link->RawData;
while (FourByte)
{
*(PULONG)Buffer ^= JitData->Data[2 - FourByte];
Buffer += 4;
*(PULONG)ToMutate ^= JitData->Data[2 - FourByte];
ToMutate += 4;
FourByte--;
}
if (TwoByte)
{
*(PUSHORT)Buffer ^= (USHORT)JitData->Data[3];
Buffer += 2;
*(PUSHORT)ToMutate ^= (USHORT)JitData->Data[3];
ToMutate += 2;
}
if (OneByte)
*(PUCHAR)Buffer ^= (UCHAR)JitData->Data[3];
*(PUCHAR)ToMutate ^= (UCHAR)JitData->Data[3];
return TRUE;
}
VOID JitMutateInstForOr(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData)
@ -287,7 +214,11 @@ PNATIVE_CODE_BLOCK JitEmitPreRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_D
return NULL;
if (SaveFlags)
NcAppendToBlock(Block, FlgEmitPushfqInst());
{
PNATIVE_CODE_LINK PushF = FlgEmitPushfqInst();
PushF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PushF);
}
ULONG Count = FourByte;
while (Count)
@ -337,7 +268,11 @@ PNATIVE_CODE_BLOCK JitEmitPreRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_D
}
if (SaveFlags)
NcAppendToBlock(Block, FlgEmitPopfqInst());
{
PNATIVE_CODE_LINK PopF = FlgEmitPopfqInst();
PopF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PopF);
}
return Block;
}
@ -353,7 +288,11 @@ PNATIVE_CODE_BLOCK JitEmitPostRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_
return NULL;
if (SaveFlags)
NcAppendToBlock(Block, FlgEmitPushfqInst());
{
PNATIVE_CODE_LINK PushF = FlgEmitPushfqInst();
PushF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PushF);
}
ULONG Count = FourByte;
while (Count)
@ -409,7 +348,11 @@ PNATIVE_CODE_BLOCK JitEmitPostRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_
}
if (SaveFlags)
NcAppendToBlock(Block, FlgEmitPopfqInst());
{
PNATIVE_CODE_LINK PopF = FlgEmitPopfqInst();
PopF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PopF);
}
return Block;
}

@ -22,15 +22,7 @@ typedef struct _JIT_BITWISE_DATA
ULONG Data[5];
}JIT_BITWISE_DATA, *PJIT_BITWISE_DATA;
BOOL JitCheckFlagCollisions(CONST XED_FLAG_SET* FlagsRead, XED_FLAG_SET Ledger);
VOID JitUpdateConFlagsLedger(CONST XED_FLAG_SET* FlagsWritten, XED_FLAG_SET* Ledger);
BOOL JitDoesInstOverriteConditionFlags(PNATIVE_CODE_LINK Link);
BOOL JitAreFlagsClobberedBeforeUse(PNATIVE_CODE_LINK Link);
VOID JitMutateInstForXor(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData);
BOOL JitMutateInstForXor(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_BITWISE_DATA JitData);
VOID JitMutateInstForOr(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData);

@ -0,0 +1,50 @@
#include "Jit2.h"
PNATIVE_CODE_LINK JitEmitDwordOp();
BOOL JitMutateInstruction(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_MUTATE_DATA JitData)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
switch (JitData->Operation)
{
case JIT_XOR:
{
break;
}
case JIT_OR:
{
break;
}
case JIT_AND:
{
break;
}
case JIT_MOV:
{
for (ULONG i = 0; i < Link->RawDataSize; i++)
ToMutate[i] = (rand() % 255);
break;
}
}
return TRUE;
}
PNATIVE_CODE_BLOCK JitEmitPreOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags, INT32 Delta)
{
return NULL;
}
PNATIVE_CODE_BLOCK JitEmitPostOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags, INT32 Delta)
{
return NULL;
}

@ -0,0 +1,28 @@
#ifndef __JIT2_H
#define __JIT2_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#define JIT_XOR 0
#define JIT_OR 1
#define JIT_AND 2
#define JIT_MOV 3
typedef struct _JIT_MUTATE_DATA
{
ULONG Part1[3];
USHORT Part2;
UCHAR Part3;
UCHAR Operation;
}JIT_MUTATE_DATA, *PJIT_MUTATE_DATA;
BOOL JitMutateInstruction(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_MUTATE_DATA JitData);
PNATIVE_CODE_BLOCK JitEmitPreOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags = FALSE, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags = FALSE, INT32 Delta = 0);
#endif

@ -20,8 +20,12 @@ PVOID MakeExecutableBuffer(PVOID Buffer, ULONG BufferSize)
{
PVOID ExecBuffer = VirtualAlloc(nullptr, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!ExecBuffer)
{
printf("allocate failed.\n");
return NULL;
}
RtlCopyMemory(ExecBuffer, Buffer, BufferSize);
return ExecBuffer;
}
VOID PutToFile(PVOID Buffer, ULONG BufferSize)
@ -34,6 +38,28 @@ VOID PutToFile(PVOID Buffer, ULONG BufferSize)
fout.close();
}
ULONG64 TestShelcode(ULONG64 v1, ULONG64 v2, ULONG64 v3, ULONG64 v4)
{
if (v4 == 0)
v4 = 2;
ULONG64 Value = 1;
for (int i = 1; i <= v1; i++)
{
Value *= i;
Value += v3;
Value /= v4;
for (int i = 1; i <= v4; i++)
Value += v2 = i;
}
return Value;
}
ULONG64 Nextfunction(ULONG64 v1)
{
return v1 + 1;
}
UCHAR TestBuffer[] = {
0x48, 0x33, 0xC0,
0x48, 0x33, 0xC0,
@ -85,39 +111,59 @@ UCHAR RetNumCode[] = {
, 0xC3
};
UCHAR IsEvenCode[]{
0xF6, 0xC1, 0x01,
0x75, 0x05,
0x66, 0xB8, 0x01, 0x00,
0xC3,
0x33, 0xC0,
0xC3,
};
EXTERN_C ULONG64 RetNum(ULONG64 Num);
//EXTERN_C ULONG64 RetNum(ULONG64 Num);
//EXTERN_C BOOL IsEven(ULONG64 Num);
int main()
{
XedTablesInit();
srand(time(NULL));
//ULONG Delta = (*((PULONG)((PUCHAR)TestShelcode + 1))) + 5;
//printf("Delta: %X\n", Delta);
PVOID ActualFunction = TestShelcode; // (PVOID)((ULONG64)TestShelcode + Delta);
//system("pause");
printf("%llu %llu %llu %llu\n", TestShelcode(1, 2, 3, 4), TestShelcode(20, 20, 20, 4), TestShelcode(50, 50, 50, 0), Nextfunction(12));
system("pause");
PUCHAR MemeBlock = new UCHAR[110];
memcpy(MemeBlock, ActualFunction, 110);
PrintByteArr(MemeBlock, 110);
system("pause");
NATIVE_CODE_BLOCK RetNumBlock;
NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));
//NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));
NcDisassemble(&RetNumBlock, MemeBlock, 110);
if (!NcPromoteAllRelJmpTo32(&RetNumBlock))
{
printf("failed to promote all jmps.\n");
}
OPBR_SETS Obf;
Obf.Flags = 0;
Obf.ParentBlock = &RetNumBlock;
Obf.Divisor = 1.3F;
Obf.MaxDepth = 10;
Obf.MinBranchSize = 1;
Obf.ChanceForBranch = 50;
Obf.MinBranchSize = 5;
Obf.ChanceForBranch = 100;
Obf.MinDepthForBranch = 0;
ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
INSTMUT_SETS Obf2;
Obf2.MutateChance = 100;
ObfMutateInstructions(&Obf2, &RetNumBlock);
Obf.MinBranchSize = 27;
ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
/*Obf.MinBranchSize = 27;
Obf.MinBranchSize = 100;
printf("Size = %u\n", NcCountInstructions(&RetNumBlock, TRUE));
ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
Obf.MinBranchSize = 27;
ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);*/
//NcDebugPrint(&RetNumBlock);
printf("Assembling %u %u", NcCountInstructions(&RetNumBlock), NcCalcBlockSizeInBytes(&RetNumBlock));
ULONG AsmSize;
PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
if (!Asm)
@ -129,11 +175,24 @@ int main()
PutToFile(Asm, AsmSize);
system("pause");
PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
typedef ULONG64(*FnTestShelcode)(ULONG64, ULONG64, ULONG64, ULONG64);
PVOID Exec = NULL;
Exec = MakeExecutableBuffer(Asm, AsmSize);
if (!Exec)
{
printf("Failed to make buffer\n");
return 1;
}
printf("%llu %llu %llu %llu\n", ((FnTestShelcode)Exec)(1, 2, 3, 4), ((FnTestShelcode)Exec)(20, 20, 20, 4), ((FnTestShelcode)Exec)(50, 50, 50, 0), Nextfunction(12));
/*PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
typedef ULONG64(*FnRetNum)(ULONG Num);
printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), RetNum(1776));
printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), ((FnRetNum)Exec)(1776));
NcDeleteBlock(&RetNumBlock);
system("pause");
system("pause");*/
/*NATIVE_CODE_BLOCK Block;

@ -253,6 +253,7 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
INT32 BranchDisplacement = XedDecodedInstGetBranchDisplacement(&T->XedInstruction);
PNATIVE_CODE_LINK JmpPos = NcValidateJmp(T, BranchDisplacement);
printf("Ended.\n");
if (!JmpPos)
{
printf("Failed to validate jump. Type: %s, Displacement: %d\n", XedCategoryEnumToString(Category), BranchDisplacement);
@ -277,15 +278,15 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Jmp, INT32 Delta)
{
printf("Started.\n");
PNATIVE_CODE_LINK T;
if (Delta > 0)
{
T = Jmp->Next;
while (Delta > 0 && T)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
Delta -= XedDecodedInstGetLength(&T->XedInstruction);
if (!(T->Flags & CODE_FLAG_IS_LABEL))
Delta -= XedDecodedInstGetLength(&T->XedInstruction);
T = T->Next;
}
if (Delta != 0 || !T)
@ -299,11 +300,12 @@ PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Jmp, INT32 Delta)
T = Jmp;
while (T)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
Delta += XedDecodedInstGetLength(&T->XedInstruction);
if (Delta >= 0)
break;
if (!(T->Flags & CODE_FLAG_IS_LABEL))
{
Delta += XedDecodedInstGetLength(&T->XedInstruction);
if (Delta >= 0)
break;
}
T = T->Prev;
}
if (Delta != 0 || !T)
@ -312,7 +314,7 @@ PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Jmp, INT32 Delta)
T = T->Next;
return T;
}
return Jmp;
return Jmp->Next;
}
PNATIVE_CODE_LINK NcDeepCopyLink(PNATIVE_CODE_LINK Link)
@ -373,6 +375,58 @@ BOOL NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_BLOCK BlockCopy)
return NcDeepCopyPartialBlock(Block->Start, Block->End, BlockCopy);
}
BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link)
{
ULONG OldSize = Link->RawDataSize;
if (XedDecodedInstGetBranchDisplacementWidth(&Link->XedInstruction) == 32)
return TRUE;
XED_STATE MachineState;
MachineState.mmode = XED_MACHINE_MODE_LONG_64;
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
UCHAR EncodeBuffer[15];
UINT ReturnedSize;
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&Link->XedInstruction);
//Do the encoding
XedInst1(&EncoderInstruction, MachineState, IClass, 32, XedRelBr(0, 32));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
return FALSE;
XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize);
if (XED_ERROR_NONE != Err)
return FALSE;
//fixup T->RawData
delete[] Link->RawData;
Link->RawDataSize = ReturnedSize;
Link->RawData = new UCHAR[ReturnedSize];
RtlCopyMemory(Link->RawData, EncodeBuffer, ReturnedSize);
//Decode instruction so its proper and all that
XedDecodedInstZeroSetMode(&Link->XedInstruction, &MachineState);
if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize))
return FALSE;
return TRUE;
}
BOOL NcPromoteAllRelJmpTo32(PNATIVE_CODE_BLOCK Block)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_REL_JMP)
{
if (!NcPromoteRelJmpTo32(T))
return FALSE;
}
}
return TRUE;
}
BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut)
{
INT32 Delta = 0;
@ -426,19 +480,6 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
if (DispWidth == 32)
return FALSE;
////Grow displacement width to required size
//DispWidth *= 2;
////Check again
//if (log2(abs(BranchDisp)) + 1 > DispWidth)
//{
// if (DispWidth == 32)
// return FALSE;
// //Grow once more if not already at 32
// DispWidth *= 2;
//}
DispWidth = 32;
//Encode new instruction
@ -548,6 +589,7 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
Op.first(T, BufferOffset, Op.second);
}
BufferOffset += T->RawDataSize;
}
return Buffer;

@ -20,7 +20,7 @@ typedef struct _NATIVE_CODE_LINK
PUCHAR RawData;
ULONG RawDataSize;
XED_DECODED_INST XedInstruction;
STDVECTOR<STDPAIR<FN_INST_ASM_OP, PVOID>> AsmOperations;
STDVECTOR<STDPAIR<FN_INST_ASM_OP, PVOID>> AsmOperations;
_NATIVE_CODE_LINK();
_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B);
_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds, BOOL Decode = FALSE);
@ -69,6 +69,10 @@ BOOL NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNAT
BOOL NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_BLOCK BlockCopy);
BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link);
BOOL NcPromoteAllRelJmpTo32(PNATIVE_CODE_BLOCK Block);
BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut);
BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block);

@ -14,7 +14,7 @@ VOID ObfGenerateOpaqueBranches(POPBR_SETS Obf, PNATIVE_CODE_BLOCK Block, ULONG D
return;
ULONG InstructionCount = NcCountInstructions(Block, TRUE);
if (InstructionCount > Obf->MinBranchSize)
if (InstructionCount >= Obf->MinBranchSize)
{
ULONG TargetCount = (ULONG)((FLOAT)InstructionCount / Obf->Divisor);
ULONG CurrentCount = 0;
@ -94,6 +94,7 @@ VOID ObfMutateInstructions(PINSTMUT_SETS Obf, PNATIVE_CODE_BLOCK Block)
{
PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T);
PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T);
PreOp->Start->Flags |= CODE_FLAG_GROUP_START;
PostOp->End->Flags |= CODE_FLAG_GROUP_END;
T->Flags |= CODE_FLAG_DO_NOT_DIVIDE;

@ -141,3 +141,4 @@ BOOL ObfInsertOpaqueBranchBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End,
}
return TRUE;
}

@ -0,0 +1,18 @@
#ifndef __VMDEFS_H
#define __VMDEFS_H
enum VM_ICLASS_ENUM : UCHAR
{
VM_ICLASS_ENTER,
VM_ICLASS_EXIT,
VM_ICLASS_MOV,
VM_ICLASS_SX,
VM_ICLASS_ZX,
VM_ICLASS_ADD,
VM_ICLASS_SUB,
VM_ICLASS_MUL,
VM_ICLASS_DIV,
};
#endif

@ -3,12 +3,18 @@
#include "Windas.h"
#include "XedWrap.h"
#include "VMDefs.h"
typedef struct _VM_DATA
{
PVOID RegisterFile[32];
}VM_DATA, *PVM_DATA;
typedef struct _VM_EMITTER
{
}VM_EMITTER, *PVM_EMITTER;
/*
* VmEnter:
* Move all x86 8 byte registers into storage inside of VM_DATA structure.
@ -18,4 +24,9 @@ typedef struct _VM_DATA
PUCHAR VmEmitVmEnter(PULONG Size);
PUCHAR VmEmitVmExit(PULONG Size);
PUCHAR VmEmitMove();
PUCHAR VmEmitSignExtend(PVM_EMITTER Emitter, UCHAR StartSize, UCHAR FinalSize, PULONG Size);
PUCHAR VmEmitZeroExtend(PVM_EMITTER Emitter, UCHAR StartSize, UCHAR FinalSize, PULONG Size);
#endif

@ -6,6 +6,7 @@
#include <vector>
#include <iostream>
#include <iomanip>
#include <algorithm>
#define INLINE inline
#define STDSTRING std::string

@ -1,47 +1,38 @@
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/26/21 20:35:01
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/30/21 17:19:32
Assembly.asm Page 1 - 1
00000000 .CODE
;Machine structure
;REGISTER = Register file(32 8 byte registers)
;REGISTER = Instruction Pointer
;REGISTER = Handler Table
;
00000000 RetNum PROC
00000000 33 C0 XOR EAX,EAX
00000002 ContinueLoop:
00000002 48/ 83 C0 01 ADD RAX,1
00000006 48/ 83 E9 01 SUB RCX,1
0000000A 48/ 83 C1 01 ADD RCX,1
0000000E 48/ 83 C0 02 ADD RAX,2
00000012 48/ 83 E8 02 SUB RAX,2
00000016 48/ 83 E9 01 SUB RCX,1
0000001A 75 E6 JNZ ContinueLoop
0000001C C3 ret
0000001D RetNum ENDP
0000001D NextFunction PROC
0000001D C3 ret
0000001E NextFunction ENDP
00000000 ViSx0 proc
END
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/26/21 20:35:01
Assembly.asm Symbols 2 - 1
00000000 ViSx0 endp
00000000 ViZx0 proc
00000000 ViZx0 endp
Procedures, parameters, and locals:
END
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/30/21 17:19:32
Assembly.asm Symbols 2 - 1
N a m e Type Value Attr
NextFunction . . . . . . . . . . P 0000001D _TEXT Length= 00000001 Public
RetNum . . . . . . . . . . . . . P 00000000 _TEXT Length= 0000001D Public
ContinueLoop . . . . . . . . . L 00000002 _TEXT
Symbols:
Procedures, parameters, and locals:
N a m e Type Value Attr
ViSx0 . . . . . . . . . . . . . P 00000000 _TEXT Length= 00000000 Public
ViZx0 . . . . . . . . . . . . . P 00000000 _TEXT Length= 00000000 Public
0 Warnings
0 Errors

File diff suppressed because it is too large Load Diff

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H
@ -5142,7 +5143,8 @@ $LN5@ObfMutateI:
000e3 e8 00 00 00 00 call ?JitEmitPostRipMov@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@H@Z ; JitEmitPostRipMov
000e8 48 89 45 68 mov QWORD PTR PostOp$4[rbp], rax
; 97 : PreOp->Start->Flags |= CODE_FLAG_GROUP_START;
; 97 :
; 98 : PreOp->Start->Flags |= CODE_FLAG_GROUP_START;
000ec 48 8b 45 48 mov rax, QWORD PTR PreOp$3[rbp]
000f0 48 8b 00 mov rax, QWORD PTR [rax]
@ -5152,7 +5154,7 @@ $LN5@ObfMutateI:
000fd 48 8b 09 mov rcx, QWORD PTR [rcx]
00100 89 41 18 mov DWORD PTR [rcx+24], eax
; 98 : PostOp->End->Flags |= CODE_FLAG_GROUP_END;
; 99 : PostOp->End->Flags |= CODE_FLAG_GROUP_END;
00103 48 8b 45 68 mov rax, QWORD PTR PostOp$4[rbp]
00107 48 8b 40 08 mov rax, QWORD PTR [rax+8]
@ -5162,7 +5164,7 @@ $LN5@ObfMutateI:
00115 48 8b 49 08 mov rcx, QWORD PTR [rcx+8]
00119 89 41 18 mov DWORD PTR [rcx+24], eax
; 99 : T->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
; 100 : T->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
0011c 48 8b 45 08 mov rax, QWORD PTR T$1[rbp]
00120 8b 40 18 mov eax, DWORD PTR [rax+24]
@ -5170,7 +5172,7 @@ $LN5@ObfMutateI:
00126 48 8b 4d 08 mov rcx, QWORD PTR T$1[rbp]
0012a 89 41 18 mov DWORD PTR [rcx+24], eax
; 100 : T->Flags |= CODE_FLAG_HAS_ASM_OP;
; 101 : T->Flags |= CODE_FLAG_HAS_ASM_OP;
0012d 48 8b 45 08 mov rax, QWORD PTR T$1[rbp]
00131 8b 40 18 mov eax, DWORD PTR [rax+24]
@ -5178,7 +5180,7 @@ $LN5@ObfMutateI:
00137 48 8b 4d 08 mov rcx, QWORD PTR T$1[rbp]
0013b 89 41 18 mov DWORD PTR [rcx+24], eax
; 101 : T->AsmOperations.emplace_back((FN_INST_ASM_OP)ObfiRandomizeInstruction, (PVOID)NULL);
; 102 : T->AsmOperations.emplace_back((FN_INST_ASM_OP)ObfiRandomizeInstruction, (PVOID)NULL);
0013e 48 8b 45 08 mov rax, QWORD PTR T$1[rbp]
00142 48 05 f0 00 00
@ -5200,23 +5202,23 @@ $LN5@ObfMutateI:
00 00 mov rcx, QWORD PTR tv144[rbp]
0017d e8 00 00 00 00 call ??$emplace_back@P6AHPEAU_NATIVE_CODE_LINK@@PEAEPEAX@ZPEAX@?$vector@U?$pair@P6AHPEAU_NATIVE_CODE_LINK@@PEAEPEAX@ZPEAX@std@@V?$allocator@U?$pair@P6AHPEAU_NATIVE_CODE_LINK@@PEAEPEAX@ZPEAX@std@@@2@@std@@QEAA@$$QEAP6AHPEAU_NATIVE_CODE_LINK@@PEAEPEAX@Z$$QEAPEAX@Z ; std::vector<std::pair<int (__cdecl*)(_NATIVE_CODE_LINK *,unsigned char *,void *),void *>,std::allocator<std::pair<int (__cdecl*)(_NATIVE_CODE_LINK *,unsigned char *,void *),void *> > >::emplace_back<int (__cdecl*)(_NATIVE_CODE_LINK *,unsigned char *,void *),void *>
; 102 :
; 103 : NcInsertBlockBefore(T, PreOp, FALSE);
; 103 :
; 104 : NcInsertBlockBefore(T, PreOp, FALSE);
00182 45 33 c0 xor r8d, r8d
00185 48 8b 55 48 mov rdx, QWORD PTR PreOp$3[rbp]
00189 48 8b 4d 08 mov rcx, QWORD PTR T$1[rbp]
0018d e8 00 00 00 00 call ?NcInsertBlockBefore@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockBefore
; 104 : NcInsertBlockAfter(T, PostOp, FALSE);
; 105 : NcInsertBlockAfter(T, PostOp, FALSE);
00192 45 33 c0 xor r8d, r8d
00195 48 8b 55 68 mov rdx, QWORD PTR PostOp$4[rbp]
00199 48 8b 4d 08 mov rcx, QWORD PTR T$1[rbp]
0019d e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter
; 105 :
; 106 : if (T == Block->End)
; 106 :
; 107 : if (T == Block->End)
001a2 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5224,7 +5226,7 @@ $LN5@ObfMutateI:
001ad 48 39 45 08 cmp QWORD PTR T$1[rbp], rax
001b1 75 13 jne SHORT $LN8@ObfMutateI
; 107 : Block->End = PostOp->End;
; 108 : Block->End = PostOp->End;
001b3 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5233,7 +5235,7 @@ $LN5@ObfMutateI:
001c2 48 89 48 08 mov QWORD PTR [rax+8], rcx
$LN8@ObfMutateI:
; 108 : if (T == Block->Start)
; 109 : if (T == Block->Start)
001c6 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5241,7 +5243,7 @@ $LN8@ObfMutateI:
001d0 48 39 45 08 cmp QWORD PTR T$1[rbp], rax
001d4 75 11 jne SHORT $LN9@ObfMutateI
; 109 : Block->Start = PreOp->Start;
; 110 : Block->Start = PreOp->Start;
001d6 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5250,8 +5252,8 @@ $LN8@ObfMutateI:
001e4 48 89 08 mov QWORD PTR [rax], rcx
$LN9@ObfMutateI:
; 110 :
; 111 : if (Block->Start == T)
; 111 :
; 112 : if (Block->Start == T)
001e7 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5259,7 +5261,7 @@ $LN9@ObfMutateI:
001f2 48 39 08 cmp QWORD PTR [rax], rcx
001f5 75 11 jne SHORT $LN10@ObfMutateI
; 112 : Block->Start = PreOp->Start;
; 113 : Block->Start = PreOp->Start;
001f7 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5268,7 +5270,7 @@ $LN9@ObfMutateI:
00205 48 89 08 mov QWORD PTR [rax], rcx
$LN10@ObfMutateI:
; 113 : if (Block->End == T)
; 114 : if (Block->End == T)
00208 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5276,7 +5278,7 @@ $LN10@ObfMutateI:
00213 48 39 48 08 cmp QWORD PTR [rax+8], rcx
00217 75 13 jne SHORT $LN11@ObfMutateI
; 114 : Block->End = PostOp->End;
; 115 : Block->End = PostOp->End;
00219 48 8b 85 e8 01
00 00 mov rax, QWORD PTR Block$[rbp]
@ -5285,8 +5287,8 @@ $LN10@ObfMutateI:
00228 48 89 48 08 mov QWORD PTR [rax+8], rcx
$LN11@ObfMutateI:
; 115 :
; 116 : delete PreOp;
; 116 :
; 117 : delete PreOp;
0022c 48 8b 45 48 mov rax, QWORD PTR PreOp$3[rbp]
00230 48 89 85 88 01
@ -5307,7 +5309,7 @@ $LN13@ObfMutateI:
00 mov QWORD PTR tv170[rbp], 0
$LN14@ObfMutateI:
; 117 : delete PostOp;
; 118 : delete PostOp;
00266 48 8b 45 68 mov rax, QWORD PTR PostOp$4[rbp]
0026a 48 89 85 a8 01
@ -5329,19 +5331,19 @@ $LN15@ObfMutateI:
$LN16@ObfMutateI:
$LN7@ObfMutateI:
; 118 : }
; 119 :
; 120 : T = RealNext;
; 119 : }
; 120 :
; 121 : T = RealNext;
002a0 48 8b 45 28 mov rax, QWORD PTR RealNext$2[rbp]
002a4 48 89 45 08 mov QWORD PTR T$1[rbp], rax
; 121 : }
; 122 : }
002a8 e9 9c fd ff ff jmp $LN2@ObfMutateI
$LN3@ObfMutateI:
; 122 : }
; 123 : }
002ad 48 8d a5 c8 01
00 00 lea rsp, QWORD PTR [rbp+456]

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__FA675702_VmCode@h DB 01H
__B456BB99_VmCode@cpp DB 01H
__7EA464AF_istream DB 01H

@ -64,6 +64,7 @@ __165C22CB_ios DB 01H
__BB81F87E_xlocmon DB 01H
__A0B61CF9_time@h DB 01H
__886F7F70_xloctime DB 01H
__0ED96A82_algorithm DB 01H
__296E625F_xed-util@h DB 01H
__642E1CAE_xed-iform-map@h DB 01H
__5ABB6AAF_xed-inst@h DB 01H

Loading…
Cancel
Save