main
James 3 years ago
parent 51b61d400b
commit 5d46bc31dd

@ -5,6 +5,8 @@ VisualStudioVersion = 16.0.30413.136
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CodeVirtualizer", "CodeVirtualizer\CodeVirtualizer.vcxproj", "{BC5C8C97-FCB6-41A5-BFA0-56CB98491CA9}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "TestProject", "TestProject\TestProject.vcxproj", "{0949E81D-FAC5-471E-B533-CB0D9B53B346}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
@ -21,6 +23,14 @@ Global
{BC5C8C97-FCB6-41A5-BFA0-56CB98491CA9}.Release|x64.Build.0 = Release|x64
{BC5C8C97-FCB6-41A5-BFA0-56CB98491CA9}.Release|x86.ActiveCfg = Release|Win32
{BC5C8C97-FCB6-41A5-BFA0-56CB98491CA9}.Release|x86.Build.0 = Release|Win32
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Debug|x64.ActiveCfg = Debug|x64
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Debug|x64.Build.0 = Debug|x64
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Debug|x86.ActiveCfg = Debug|Win32
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Debug|x86.Build.0 = Debug|Win32
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Release|x64.ActiveCfg = Release|x64
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Release|x64.Build.0 = Release|x64
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Release|x86.ActiveCfg = Release|Win32
{0949E81D-FAC5-471E-B533-CB0D9B53B346}.Release|x86.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE

@ -7,13 +7,16 @@
;
ViSx0 proc
ViEnter PROC
MOV [RSP+8h],RCX
MOV [RSP+10h],RDX
MOV [RSP+18h],R8
MOV [RSP+20h],R9
ViSx0 endp
PUSH RAX
MOV RAX,0FFFFFFFFFFFFFFFFh
;RAX NOW POINTER TO VMDATA STRUCT
ViZx0 proc
ViZx0 endp
ViEnter ENDP
END

@ -0,0 +1,5 @@
#include "Obfuscator.h"
//Requires either being in the process address space, or relocations

@ -0,0 +1,13 @@
#ifndef __CODE_VIRTUALIZER_H
#define __CODE_VIRTUALIZER_H
#include <Windows.h>
#include "Obfuscator.h"
__declspec(dllexport) VOID CvInit();
__declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, ULONG CodeSize, PULONG OutSize, ULONG BranchCount, FLOAT MaxBranchSizePercentage);
__declspec(dllexport) VOID CvDeleteCode(PVOID Code);
#endif

@ -157,20 +157,16 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="DataLog.cpp" />
<ClCompile Include="CodeBlocks.cpp" />
<ClCompile Include="Flags.cpp" />
<ClCompile Include="Jit.cpp" />
<ClCompile Include="Jit2.cpp" />
<ClCompile Include="Junk.cpp" />
<ClCompile Include="NativeCode.cpp" />
<ClCompile Include="Main.cpp" />
<ClCompile Include="Nop.cpp" />
<ClCompile Include="ObfMisc.cpp" />
<ClCompile Include="Obfuscator.cpp" />
<ClCompile Include="OpaqueBranching.cpp" />
<ClCompile Include="RipAndInst.cpp" />
<ClCompile Include="PEFile.cpp" />
<ClCompile Include="Random.cpp" />
<ClCompile Include="RipMovInst.cpp" />
<ClCompile Include="RipOrInst.cpp" />
<ClCompile Include="RipXorInst.cpp" />
<ClCompile Include="Virtualizer.cpp" />
<ClCompile Include="VirtualMachine.cpp" />
<ClCompile Include="VmCode.cpp" />
@ -178,19 +174,12 @@
</ItemGroup>
<ItemGroup>
<ClInclude Include="Code.h" />
<ClInclude Include="DataLog.h" />
<ClInclude Include="CodeVirtualizer.h" />
<ClInclude Include="Flags.h" />
<ClInclude Include="Jit.h" />
<ClInclude Include="Jit2.h" />
<ClInclude Include="Junk.h" />
<ClInclude Include="NativeCode.h" />
<ClInclude Include="Nop.h" />
<ClInclude Include="Obfuscator.h" />
<ClInclude Include="OpaqueBranching.h" />
<ClInclude Include="RipAndInst.h" />
<ClInclude Include="RipMovInst.h" />
<ClInclude Include="RipOrInst.h" />
<ClInclude Include="RipXorInst.h" />
<ClInclude Include="PEFile.h" />
<ClInclude Include="Random.h" />
<ClInclude Include="Virtualizer.h" />
<ClInclude Include="VirtualMachine.h" />
<ClInclude Include="VmCode.h" />

@ -17,47 +17,24 @@
<ClInclude Include="Virtualizer.h">
<Filter>Virtualizer</Filter>
</ClInclude>
<ClInclude Include="RipXorInst.h">
<Filter>Obfuscator\Jit\RipXorInst</Filter>
</ClInclude>
<ClInclude Include="RipMovInst.h">
<Filter>Obfuscator\Jit\RipMovInst</Filter>
</ClInclude>
<ClInclude Include="Obfuscator.h">
<Filter>Obfuscator</Filter>
</ClInclude>
<ClInclude Include="Nop.h">
<Filter>Obfuscator\Nop</Filter>
</ClInclude>
<ClInclude Include="Junk.h">
<Filter>Obfuscator\Branching\Junk</Filter>
</ClInclude>
<ClInclude Include="OpaqueBranching.h">
<Filter>Obfuscator\Branching\OpaqueBranching</Filter>
</ClInclude>
<ClInclude Include="Jit.h">
<Filter>Obfuscator\Jit</Filter>
</ClInclude>
<ClInclude Include="RipAndInst.h">
<Filter>Obfuscator\Jit\RipAndInst</Filter>
</ClInclude>
<ClInclude Include="RipOrInst.h">
<Filter>Obfuscator\Jit\RipOrInst</Filter>
</ClInclude>
<ClInclude Include="DataLog.h">
<Filter>DataLog</Filter>
</ClInclude>
<ClInclude Include="Flags.h">
<Filter>Obfuscator\Flags</Filter>
</ClInclude>
<ClInclude Include="VirtualMachine.h">
<Filter>Virtualizer\VM</Filter>
</ClInclude>
<ClInclude Include="VMDefs.h">
<Filter>Virtualizer\VM</Filter>
</ClInclude>
<ClInclude Include="Jit2.h">
<Filter>Obfuscator\Jit</Filter>
<ClInclude Include="Random.h">
<Filter>Random</Filter>
</ClInclude>
<ClInclude Include="CodeVirtualizer.h" />
<ClInclude Include="Flags.h">
<Filter>Code</Filter>
</ClInclude>
<ClInclude Include="PEFile.h">
<Filter>File</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
@ -74,44 +51,32 @@
<ClCompile Include="Virtualizer.cpp">
<Filter>Virtualizer</Filter>
</ClCompile>
<ClCompile Include="RipXorInst.cpp">
<Filter>Obfuscator\Jit\RipXorInst</Filter>
</ClCompile>
<ClCompile Include="RipMovInst.cpp">
<Filter>Obfuscator\Jit\RipMovInst</Filter>
</ClCompile>
<ClCompile Include="Obfuscator.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
<ClCompile Include="Nop.cpp">
<Filter>Obfuscator\Nop</Filter>
</ClCompile>
<ClCompile Include="Junk.cpp">
<Filter>Obfuscator\Branching\Junk</Filter>
</ClCompile>
<ClCompile Include="OpaqueBranching.cpp">
<Filter>Obfuscator\Branching\OpaqueBranching</Filter>
<ClCompile Include="VirtualMachine.cpp">
<Filter>Virtualizer\VM</Filter>
</ClCompile>
<ClCompile Include="Jit.cpp">
<Filter>Obfuscator\Jit</Filter>
<ClCompile Include="Random.cpp">
<Filter>Random</Filter>
</ClCompile>
<ClCompile Include="RipAndInst.cpp">
<Filter>Obfuscator\Jit\RipAndInst</Filter>
<ClCompile Include="RipMovInst.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
<ClCompile Include="RipOrInst.cpp">
<Filter>Obfuscator\Jit\RipOrInst</Filter>
<ClCompile Include="OpaqueBranching.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
<ClCompile Include="DataLog.cpp">
<Filter>DataLog</Filter>
<ClCompile Include="ObfMisc.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
<ClCompile Include="Flags.cpp">
<Filter>Obfuscator\Flags</Filter>
<Filter>Code</Filter>
</ClCompile>
<ClCompile Include="VirtualMachine.cpp">
<Filter>Virtualizer\VM</Filter>
<ClCompile Include="PEFile.cpp">
<Filter>File</Filter>
</ClCompile>
<ClCompile Include="Jit2.cpp">
<Filter>Obfuscator\Jit</Filter>
<ClCompile Include="CodeBlocks.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
@ -127,42 +92,15 @@
<Filter Include="Obfuscator">
<UniqueIdentifier>{cc5b78db-cdf7-4b83-9652-2722cbdec89e}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Nop">
<UniqueIdentifier>{4b1bac75-b456-46a5-ad8b-453ffef9eef9}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Branching">
<UniqueIdentifier>{3e2b0e35-a45c-42c4-9a63-df17442bd6eb}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit">
<UniqueIdentifier>{53f6966d-c6e0-422a-9e72-e94a5bab8958}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipAndInst">
<UniqueIdentifier>{a15ab2ae-ba21-4f72-b110-ed3012cfefde}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipOrInst">
<UniqueIdentifier>{aa4e6b0f-dd50-41e7-bc46-5dc8a6b44a62}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipMovInst">
<UniqueIdentifier>{7040cc27-0179-47d5-9908-962d224b8c6e}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Jit\RipXorInst">
<UniqueIdentifier>{51b7ca69-a7e9-4634-9eb2-d70f211fe2d2}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Branching\Junk">
<UniqueIdentifier>{a280c509-ba7e-4660-93fb-459ffe274a17}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Branching\OpaqueBranching">
<UniqueIdentifier>{9b60f523-bf84-4740-9ee6-b8f34a317078}</UniqueIdentifier>
</Filter>
<Filter Include="DataLog">
<UniqueIdentifier>{b4404de7-66a7-4dac-b993-58db5b5b2989}</UniqueIdentifier>
</Filter>
<Filter Include="Obfuscator\Flags">
<UniqueIdentifier>{296c0b55-edbb-45ab-b946-ec83e5441678}</UniqueIdentifier>
</Filter>
<Filter Include="Virtualizer\VM">
<UniqueIdentifier>{28de0895-3bf5-45ef-8293-92032c466572}</UniqueIdentifier>
</Filter>
<Filter Include="Random">
<UniqueIdentifier>{5e10e90f-db2d-4a93-b2c4-70dbe085cdf9}</UniqueIdentifier>
</Filter>
<Filter Include="File">
<UniqueIdentifier>{86aae053-7113-4aef-b35f-ec023f771992}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<MASM Include="Assembly.asm">

@ -1 +0,0 @@
#include "DataLog.h"

@ -1,7 +0,0 @@
#ifndef __DATALOG_H
#define __DATALOG_H
#endif

@ -45,7 +45,7 @@ BOOL FlgAreFlagsClobbered(PNATIVE_CODE_LINK Inst, PNATIVE_CODE_LINK Stop)
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(InstFlags);
CONST XED_FLAG_SET* FlagsUndefined = XedSimpleFlagGetUndefinedFlagSet(InstFlags);
Ledger.flat &= ~(Ledger.flat & (FlagsWritten->flat | FlagsUndefined->flat));
Ledger.flat &= ~(FlagsWritten->flat | FlagsUndefined->flat);
}
return TRUE;
}

@ -1,8 +1,6 @@
#ifndef __FLAGS_H
#define __FLAGS_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
PNATIVE_CODE_LINK FlgEmitPushfqInst();

@ -1,358 +0,0 @@
#include "Jit.h"
#include "Flags.h"
#include "RipXorInst.h"
#include "RipAndInst.h"
#include "RipOrInst.h"
#include "RipMovInst.h"
BOOL JitMutateInstForXor(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_BITWISE_DATA JitData)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
while (FourByte)
{
*(PULONG)ToMutate ^= JitData->Data[2 - FourByte];
ToMutate += 4;
FourByte--;
}
if (TwoByte)
{
*(PUSHORT)ToMutate ^= (USHORT)JitData->Data[3];
ToMutate += 2;
}
if (OneByte)
*(PUCHAR)ToMutate ^= (UCHAR)JitData->Data[3];
return TRUE;
}
VOID JitMutateInstForOr(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData)
{
}
VOID JitMutateInstForAnd(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData)
{
}
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
PUCHAR DataOffset = Link->RawData;
ULONG Count = FourByte;
while (Count)
{
//Account for remaining MOVs
INT32 RipDelta = (((Count - 1) * DWORD_MOV_INST_LENGTH) + (TwoByte * WORD_MOV_INST_LENGTH) + (OneByte * BYTE_MOV_INST_LENGTH));
//Account for already MOVd instructions
RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta;
//Add the actual instruction
if (!JitEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 4;
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_MOV_INST_LENGTH);
RipDelta += (FourByte * 4);
RipDelta += Delta;
if (!JitEmitRipRelativeMovW(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 2;
}
if (OneByte)
{
INT32 RipDelta = 0;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += Delta;
if (!JitEmitRipRelativeMovB(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
ULONG ZeroValue = 0;
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
RipDelta += (FourByte - (Count - 1)) * DWORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
ZeroValue = rand();
if (!JitEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
ZeroValue = rand();
if (!JitEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += (TwoByte * WORD_MOV_INST_LENGTH);
RipDelta += BYTE_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
ZeroValue = rand();
if (!JitEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
INLINE BOOL JitiEmitWrapperD(ULONG OpType, PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
switch (OpType)
{
case JIT_BITWISE_XOR: return JitEmitRipRelativeXorD(Block, RipDelta, Value);
case JIT_BITWISE_AND: return JitEmitRipRelativeAndD(Block, RipDelta, Value);
case JIT_BITWISE_OR: return JitEmitRipRelativeOrD(Block, RipDelta, Value);
}
}
INLINE BOOL JitiEmitWrapperW(ULONG OpType, PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
switch (OpType)
{
case JIT_BITWISE_XOR: return JitEmitRipRelativeXorW(Block, RipDelta, Value);
case JIT_BITWISE_AND: return JitEmitRipRelativeAndW(Block, RipDelta, Value);
case JIT_BITWISE_OR: return JitEmitRipRelativeOrW(Block, RipDelta, Value);
}
}
INLINE BOOL JitiEmitWrapperB(ULONG OpType, PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
switch (OpType)
{
case JIT_BITWISE_XOR: return JitEmitRipRelativeXorB(Block, RipDelta, Value);
case JIT_BITWISE_AND: return JitEmitRipRelativeAndB(Block, RipDelta, Value);
case JIT_BITWISE_OR: return JitEmitRipRelativeOrB(Block, RipDelta, Value);
}
}
PNATIVE_CODE_BLOCK JitEmitPreRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
if (SaveFlags)
{
PNATIVE_CODE_LINK PushF = FlgEmitPushfqInst();
PushF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PushF);
}
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = (((Count - 1) * DWORD_RIP_INST_LENGTH) + (TwoByte * WORD_RIP_INST_LENGTH) + (OneByte * BYTE_RIP_INST_LENGTH));
if (SaveFlags)
RipDelta += 1;
RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta;
if (!JitiEmitWrapperD(OpType, Block, RipDelta, JitData->Data[FourByte - Count]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_RIP_INST_LENGTH);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * 4);
RipDelta += Delta;
if (!JitiEmitWrapperW(OpType, Block, RipDelta, JitData->Data[3]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = 0;
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += Delta;
if (!JitiEmitWrapperB(OpType, Block, RipDelta, JitData->Data[4]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (SaveFlags)
{
PNATIVE_CODE_LINK PopF = FlgEmitPopfqInst();
PopF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PopF);
}
return Block;
}
PNATIVE_CODE_BLOCK JitEmitPostRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
if (SaveFlags)
{
PNATIVE_CODE_LINK PushF = FlgEmitPushfqInst();
PushF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PushF);
}
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte - (Count - 1)) * DWORD_RIP_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitiEmitWrapperD(OpType, Block, RipDelta, JitData->Data[FourByte - Count]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * DWORD_RIP_INST_LENGTH);
RipDelta += WORD_RIP_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitiEmitWrapperW(OpType, Block, RipDelta, JitData->Data[3]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * DWORD_RIP_INST_LENGTH);
RipDelta += WORD_RIP_INST_LENGTH;
RipDelta += BYTE_RIP_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitiEmitWrapperB(OpType, Block, RipDelta, JitData->Data[4]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (SaveFlags)
{
PNATIVE_CODE_LINK PopF = FlgEmitPopfqInst();
PopF->Flags |= CODE_FLAG_DO_NOT_DIVIDE;
NcAppendToBlock(Block, PopF);
}
return Block;
}

@ -1,39 +0,0 @@
#ifndef __JIT_H
#define __JIT_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#define DWORD_RIP_INST_LENGTH 10
#define WORD_RIP_INST_LENGTH 9
#define BYTE_RIP_INST_LENGTH 7
#define DWORD_MOV_INST_LENGTH 10
#define WORD_MOV_INST_LENGTH 9
#define BYTE_MOV_INST_LENGTH 7
#define JIT_BITWISE_XOR 0
#define JIT_BITWISE_AND 1
#define JIT_BITWISE_OR 2
typedef struct _JIT_BITWISE_DATA
{
ULONG Data[5];
}JIT_BITWISE_DATA, *PJIT_BITWISE_DATA;
BOOL JitMutateInstForXor(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_BITWISE_DATA JitData);
VOID JitMutateInstForOr(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData);
VOID JitMutateInstForAnd(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData);
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPreRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags = TRUE, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags = TRUE, INT32 Delta = 0);
#endif

@ -1,50 +0,0 @@
#include "Jit2.h"
PNATIVE_CODE_LINK JitEmitDwordOp();
BOOL JitMutateInstruction(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_MUTATE_DATA JitData)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
switch (JitData->Operation)
{
case JIT_XOR:
{
break;
}
case JIT_OR:
{
break;
}
case JIT_AND:
{
break;
}
case JIT_MOV:
{
for (ULONG i = 0; i < Link->RawDataSize; i++)
ToMutate[i] = (rand() % 255);
break;
}
}
return TRUE;
}
PNATIVE_CODE_BLOCK JitEmitPreOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags, INT32 Delta)
{
return NULL;
}
PNATIVE_CODE_BLOCK JitEmitPostOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags, INT32 Delta)
{
return NULL;
}

@ -1,28 +0,0 @@
#ifndef __JIT2_H
#define __JIT2_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#define JIT_XOR 0
#define JIT_OR 1
#define JIT_AND 2
#define JIT_MOV 3
typedef struct _JIT_MUTATE_DATA
{
ULONG Part1[3];
USHORT Part2;
UCHAR Part3;
UCHAR Operation;
}JIT_MUTATE_DATA, *PJIT_MUTATE_DATA;
BOOL JitMutateInstruction(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PJIT_MUTATE_DATA JitData);
PNATIVE_CODE_BLOCK JitEmitPreOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags = FALSE, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostOp(PNATIVE_CODE_LINK Link, PJIT_MUTATE_DATA Data, UCHAR OpType, BOOL SaveFlags = FALSE, INT32 Delta = 0);
#endif

@ -1 +0,0 @@
#include "Junk.h"

@ -1,9 +0,0 @@
#ifndef __JUNK_CODE_H
#define __JUNK_CODE_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#endif

@ -7,6 +7,68 @@
#include "XedWrap.h"
#include "NativeCode.h"
#include "Obfuscator.h"
#include "Random.h"
__declspec(dllexport) VOID CvInit()
{
XedTablesInit();
srand(time(NULL));
}
__declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, ULONG CodeSize, PULONG OutSize, ULONG BranchCount, FLOAT MaxBranchSizePercentage)
{
//trip 0xCC alignment at end of code
while (((PUCHAR)Code)[CodeSize - 1] == 0xCC)
{
//printf("%X", ((PUCHAR)Code)[CodeSize - 1]);
--CodeSize;
}
NATIVE_CODE_BLOCK CodeBlock;
if (!NcDisassemble(&CodeBlock, Code, CodeSize))
{
return NULL;
}
//printf("Dissasembled.\n");
if (!NcPromoteAllRelJmpTo32(&CodeBlock))
{
return NULL;
}
//printf("Jmps Fixed.\n");
/*OPBR_SETS Obf;
Obf.Flags = 0;
Obf.ParentBlock = &CodeBlock;
Obf.MinBranchLength = InstructionCount / 5 ;
Obf.BranchLengthChangeAmount = 4;
Obf.SpaceBetweenBranches = 10;
Obf.BranchLengthChangeAmount = 4;
Obf.BranchImmediately = FALSE;
Obf.RandomizeBranchChangeAmount = TRUE;
Obf.RandomizeSpaceBetweenBranches = TRUE;
Obf.BranchRemainingInstructions = TRUE;
Obf.BranchChance = 75;
ULONG BranchesMade = */
while (BranchCount)
{
ObfGenOpaqueBranch(&CodeBlock, RndGetRandomFloat(0.F, MaxBranchSizePercentage));
BranchCount--;
}
//if (MutSettings)
// ObfMutateInstructions(MutSettings, &CodeBlock);
return NcAssembleEx(&CodeBlock, OutSize);
}
__declspec(dllexport) VOID CvDeleteCode(PVOID Code)
{
if (Code)
delete[] Code;
}
VOID PrintByteArr(PVOID Buff, ULONG BufSize)
{
@ -125,8 +187,8 @@ UCHAR IsEvenCode[]{
int main()
{
XedTablesInit();
srand(time(NULL));
CvInit();
//ULONG Delta = (*((PULONG)((PUCHAR)TestShelcode + 1))) + 5;
//printf("Delta: %X\n", Delta);
PVOID ActualFunction = TestShelcode; // (PVOID)((ULONG64)TestShelcode + Delta);
@ -140,40 +202,54 @@ int main()
PrintByteArr(MemeBlock, 110);
system("pause");
NATIVE_CODE_BLOCK RetNumBlock;
//NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));
NcDisassemble(&RetNumBlock, MemeBlock, 110);
if (!NcPromoteAllRelJmpTo32(&RetNumBlock))
{
printf("failed to promote all jmps.\n");
}
OPBR_SETS Obf;
Obf.Flags = 0;
Obf.ParentBlock = &RetNumBlock;
Obf.Divisor = 1.3F;
Obf.MaxDepth = 10;
Obf.MinBranchSize = 5;
Obf.ChanceForBranch = 100;
Obf.MinDepthForBranch = 0;
ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
INSTMUT_SETS Obf2;
Obf2.MutateChance = 100;
ObfMutateInstructions(&Obf2, &RetNumBlock);
Obf.MinBranchSize = 100;
printf("Size = %u\n", NcCountInstructions(&RetNumBlock, TRUE));
ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
printf("Assembling %u %u", NcCountInstructions(&RetNumBlock), NcCalcBlockSizeInBytes(&RetNumBlock));
//NATIVE_CODE_BLOCK RetNumBlock;
////NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));
//NcDisassemble(&RetNumBlock, MemeBlock, 110);
//if (!NcPromoteAllRelJmpTo32(&RetNumBlock))
//{
// printf("failed to promote all jmps.\n");
//}
//OPBR_SETS Obf;
//Obf.Flags = 0;
//Obf.ParentBlock = &RetNumBlock;
//Obf.Divisor = 1.7F;
//Obf.MaxDepth = 10;
//Obf.MinBranchSize = 5;
//Obf.ChanceForBranch = 80;
//Obf.MinDepthForBranch = 0;
//ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
//INSTMUT_SETS Obf2;
//Obf2.MutateChance = 100;
////ObfMutateInstructions(&Obf2, &RetNumBlock);
//Obf.MinBranchSize = 40;
//printf("Size = %u\n", NcCountInstructions(&RetNumBlock, TRUE));
//Obf.ChanceForBranch = 100;
//ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
//printf("Assembling %u %u", NcCountInstructions(&RetNumBlock), NcCalcBlockSizeInBytes(&RetNumBlock));
//ULONG AsmSize;
//PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
//if (!Asm)
//{
// printf("failed to assemble\n");
// system("pause");
// return 1;
//}
//PutToFile(Asm, AsmSize);
//system("pause");
ULONG AsmSize;
PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
PVOID Asm = CvDriverFunctionObfuscate(MemeBlock, 110, &AsmSize, 5, 0.5);
if (!Asm)
{
printf("failed to assemble\n");
printf("failed to obfuscate ngiga\n");
system("pause");
return 1;
return 2;
}
PutToFile(Asm, AsmSize);
system("pause");
typedef ULONG64(*FnTestShelcode)(ULONG64, ULONG64, ULONG64, ULONG64);
PVOID Exec = NULL;
@ -316,3 +392,4 @@ int main()
system("pause");*/
}

@ -1,4 +1,5 @@
#include "NativeCode.h"
#include "Random.h"
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK()
{
@ -223,6 +224,36 @@ BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL
return TRUE;
}
BOOL NcInsertBlockStartToEnd(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NewBlock)
{
NewBlock->Start->Prev = Start->Prev;
NewBlock->End->Next = End->Next;
if (Start->Prev)
Start->Prev->Next = NewBlock->Start;
if (End->Next)
End->Next->Prev = NewBlock->End;
if (Start->Block->Start == Start)
Start->Block->Start = NewBlock->Start;
if (Start->Block->End == End)
Start->Block->End = NewBlock->End;
//Update Block for the current isntructions
for (PNATIVE_CODE_LINK T = NewBlock->Start; T && T != NewBlock->End->Next; T = T->Next)
T->Block = Start->Block;
PNATIVE_CODE_LINK EndBlock = End->Next;
for (PNATIVE_CODE_LINK T = Start; T && T != EndBlock;)
{
PNATIVE_CODE_LINK RealNext = T->Next;
delete T;
T = RealNext;
}
return TRUE;
}
BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
{
ULONG CurrentLabelId = 0;
@ -253,7 +284,6 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
INT32 BranchDisplacement = XedDecodedInstGetBranchDisplacement(&T->XedInstruction);
PNATIVE_CODE_LINK JmpPos = NcValidateJmp(T, BranchDisplacement);
printf("Ended.\n");
if (!JmpPos)
{
printf("Failed to validate jump. Type: %s, Displacement: %d\n", XedCategoryEnumToString(Category), BranchDisplacement);
@ -278,7 +308,6 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Jmp, INT32 Delta)
{
printf("Started.\n");
PNATIVE_CODE_LINK T;
if (Delta > 0)
{
@ -377,7 +406,6 @@ BOOL NcDeepCopyBlock(PNATIVE_CODE_BLOCK Block, PNATIVE_CODE_BLOCK BlockCopy)
BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link)
{
ULONG OldSize = Link->RawDataSize;
if (XedDecodedInstGetBranchDisplacementWidth(&Link->XedInstruction) == 32)
return TRUE;
@ -390,7 +418,6 @@ BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link)
UINT ReturnedSize;
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&Link->XedInstruction);
//Do the encoding
XedInst1(&EncoderInstruction, MachineState, IClass, 32, XedRelBr(0, 32));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
@ -400,13 +427,11 @@ BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link)
if (XED_ERROR_NONE != Err)
return FALSE;
//fixup T->RawData
delete[] Link->RawData;
Link->RawDataSize = ReturnedSize;
Link->RawData = new UCHAR[ReturnedSize];
RtlCopyMemory(Link->RawData, EncodeBuffer, ReturnedSize);
//Decode instruction so its proper and all that
XedDecodedInstZeroSetMode(&Link->XedInstruction, &MachineState);
if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize))
return FALSE;
@ -463,6 +488,44 @@ BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut)
return FALSE;
}
BOOL NcGetDeltaToRandomLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut)
{
std::vector<INT32> Deltas;
INT32 Delta = 0;
//First checking backwards because I feel like thats the direction most jmps are in
for (PNATIVE_CODE_LINK T = Link; T; T = T->Prev)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
{
if (T->Label == Link->Label)
{
Deltas.push_back(Delta);
}
continue;
}
Delta -= T->RawDataSize;
}
//Now check forwards
Delta = 0;
for (PNATIVE_CODE_LINK T = Link->Next; T; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
{
if (T->Label == Link->Label)
{
Deltas.push_back(Delta);
}
continue;
}
Delta += T->RawDataSize;
}
if (Deltas.size() == 0)
return FALSE;
*DeltaOut = Deltas[RndGetRandomInt(0, Deltas.size() - 1)];
return TRUE;
}
BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
@ -533,6 +596,23 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
return TRUE;
}
BOOL NcHasIllegalInstructions(PNATIVE_CODE_BLOCK Block)
{
//Iterate through and check for rip relative instructions
/*for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
ULONG OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
if (OperandCount == 0)
continue;
}*/
return FALSE;
}
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
{
PUCHAR Buf = (PUCHAR)Buffer;
@ -572,7 +652,7 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
*OutSize = NcCalcBlockSizeInBytes(Block);
PUCHAR Buffer = (PUCHAR)malloc(*OutSize);
PUCHAR Buffer = new UCHAR[*OutSize]; // (PUCHAR)malloc(*OutSize);
if (!Buffer)
return NULL;
@ -595,9 +675,52 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
return Buffer;
}
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize, BOOL ChooseRandomDuplicateLabel)
//assumes all jmps already promoted to 32 bit branch displacement size
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
if (T->Flags & CODE_FLAG_IS_REL_JMP)
{
INT32 BranchDisp = 0;
if (!NcGetDeltaToRandomLabel(T, &BranchDisp))
return FALSE;
ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidth(&T->XedInstruction);
switch (DispWidth)
{
case 1: *(PINT8)&T->RawData[T->RawDataSize - DispWidth] = (INT8)BranchDisp; break;
case 2: *(PINT16)&T->RawData[T->RawDataSize - DispWidth] = (INT16)BranchDisp; break;
case 4: *(PINT32)&T->RawData[T->RawDataSize - DispWidth] = (INT32)BranchDisp; break;
}
}
T = T->Next;
}
*OutSize = NcCalcBlockSizeInBytes(Block);
PUCHAR Buffer = new UCHAR[*OutSize];
if (!Buffer)
return NULL;
PUCHAR BufferOffset = Buffer;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
RtlCopyMemory(BufferOffset, T->RawData, T->RawDataSize);
if (T->Flags & CODE_FLAG_HAS_ASM_OP)
{
for (STDPAIR<FN_INST_ASM_OP, PVOID> CONST& Op : T->AsmOperations)
Op.first(T, BufferOffset, Op.second);
}
BufferOffset += T->RawDataSize;
}
return Buffer;
}
VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block)

@ -59,6 +59,8 @@ BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL F
BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL FixLabels = TRUE);
BOOL NcInsertBlockStartToEnd(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NewBlock);
BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block);
PNATIVE_CODE_LINK NcValidateJmp(PNATIVE_CODE_LINK Link, INT32 Delta);
@ -75,13 +77,17 @@ BOOL NcPromoteAllRelJmpTo32(PNATIVE_CODE_BLOCK Block);
BOOL NcGetDeltaToLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut);
BOOL NcGetDeltaToRandomLabel(PNATIVE_CODE_LINK Link, PINT32 DeltaOut);
BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block);
BOOL NcHasIllegalInstructions(PNATIVE_CODE_BLOCK Block);
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize);
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize);
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize, BOOL ChooseRandomDuplicateLabel);
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize);
VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block);

@ -1,21 +0,0 @@
#include "Nop.h"
PNATIVE_CODE_LINK NcEmitNop()
{
UCHAR RawData[] = { 0x90 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1, TRUE);
//XedDecode(&Link->XedInstruction, Link->RawData, 1);
return Link;
}
BOOL NcEmitNopGroup(ULONG Count, PNATIVE_CODE_BLOCK Block)
{
if (Count < 1)
return FALSE;
while (Count)
{
NcAppendToBlock(Block, NcEmitNop());
Count--;
}
return TRUE;
}

@ -1,12 +0,0 @@
#ifndef __NOP_H
#define __NOP_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
PNATIVE_CODE_LINK NcEmitNop();
BOOL NcEmitNopGroup(ULONG Count, PNATIVE_CODE_BLOCK Block);
#endif

@ -0,0 +1 @@
#include "Obfuscator.h"

@ -4,21 +4,16 @@
BOOL ObfiRandomizeInstruction(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PVOID Context)
{
for (ULONG i = 0; i < Link->RawDataSize; i++)
ToMutate[i] = (rand() % 255);
ToMutate[i] = RndGetRandomInt(0, 255);
return TRUE;
}
VOID ObfGenerateOpaqueBranches(POPBR_SETS Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth)
VOID ObfGenOpaqueBranch(PNATIVE_CODE_BLOCK Block, FLOAT BranchSizePercentage)
{
if (Depth > Obf->MaxDepth)
return;
ULONG InstructionCount = NcCountInstructions(Block, TRUE);
if (InstructionCount >= Obf->MinBranchSize)
{
ULONG TargetCount = (ULONG)((FLOAT)InstructionCount / Obf->Divisor);
ULONG CurrentCount = 0;
PNATIVE_CODE_LINK NewBlockStart = Block->Start;
ULONG BlockSize = NcCountInstructions(Block, TRUE);
ULONG BranchSize = (FLOAT)BlockSize * BranchSizePercentage;
ULONG BranchStartPos = RndGetRandomInt(0, BlockSize - 1 - BranchSize);
PNATIVE_CODE_LINK BranchStart = BranchStartPos ? NULL : Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
if (T->Flags & CODE_FLAG_IS_LABEL || (T->Flags & CODE_FLAG_DO_NOT_DIVIDE && !(T->Flags & CODE_FLAG_GROUP_END)))
@ -27,59 +22,33 @@ VOID ObfGenerateOpaqueBranches(POPBR_SETS Obf, PNATIVE_CODE_BLOCK Block, ULONG D
continue;
}
if (++CurrentCount >= TargetCount)
{
if (Depth >= Obf->MinDepthForBranch && (rand() % 100) <= Obf->ChanceForBranch && CurrentCount >= Obf->MinBranchSize)
if (BranchStartPos)
{
NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, T, &NotTaken, &Taken);
ObfGenerateOpaqueBranches(Obf, &NotTaken, Depth + 1);
ObfGenerateOpaqueBranches(Obf, &Taken, Depth + 1);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->ParentBlock), NcGenUnusedLabelId(Obf->ParentBlock));
ObfInsertOpaqueBranchBlock(NewBlockStart, T, &NotTaken);
T = NotTaken.End;
--BranchStartPos;
if (BranchStartPos == 0)
BranchStart = T;
T = T->Next;
continue;
}
else
{
NATIVE_CODE_BLOCK TempBlock;
if (NcDeepCopyPartialBlock(NewBlockStart, T, &TempBlock))
if (BranchSize)
{
ObfGenerateOpaqueBranches(Obf, &TempBlock, Depth + 1);
ObfInsertOpaqueBranchBlock(NewBlockStart, T, &TempBlock);
}
T = TempBlock.End;
}
NewBlockStart = T->Next;
CurrentCount = 0;
}
--BranchSize;
T = T->Next;
continue;
}
if (NewBlockStart) //Deal with remaining instructions in the block
{
if (Depth >= Obf->MinDepthForBranch && (rand() % 100) <= Obf->ChanceForBranch && CurrentCount >= Obf->MinBranchSize)
{
NATIVE_CODE_BLOCK NotTaken, Taken;
ObfCreateOpaqueBranches(NewBlockStart, Block->End, &NotTaken, &Taken);
ObfGenerateOpaqueBranches(Obf, &NotTaken, Depth + 1);
ObfGenerateOpaqueBranches(Obf, &Taken, Depth + 1);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Obf->ParentBlock), NcGenUnusedLabelId(Obf->ParentBlock));
ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &NotTaken);
}
else
{
NATIVE_CODE_BLOCK TempBlock;
if (NcDeepCopyPartialBlock(NewBlockStart, Block->End, &TempBlock))
{
ObfGenerateOpaqueBranches(Obf, &TempBlock, Depth + 1);
ObfInsertOpaqueBranchBlock(NewBlockStart, Block->End, &TempBlock);
}
}
}
ObfCreateOpaqueBranches(BranchStart, T, &NotTaken, &Taken);
ObfCombineOpaqueBranches(&NotTaken, &Taken, NcGenUnusedLabelId(Block), NcGenUnusedLabelId(Block));
NcInsertBlockStartToEnd(BranchStart, T, &NotTaken);
return;
}
}
VOID ObfMutateInstructions(PINSTMUT_SETS Obf, PNATIVE_CODE_BLOCK Block)
ULONG ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, ULONG MutateChance, BOOL MutateFirst, BOOL MutateOnlyFirst)
{
ULONG MutatedInstructions = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
if ((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) || (T->Flags & CODE_FLAG_IS_REL_JMP))
@ -90,8 +59,10 @@ VOID ObfMutateInstructions(PINSTMUT_SETS Obf, PNATIVE_CODE_BLOCK Block)
PNATIVE_CODE_LINK RealNext = T->Next;
if ((rand() % 100) <= Obf->MutateChance)
if (RndGetRandomInt(0, 100) <= MutateChance || MutateFirst)
{
MutateFirst = FALSE;
PNATIVE_CODE_BLOCK PreOp = JitEmitPreRipMov(T);
PNATIVE_CODE_BLOCK PostOp = JitEmitPostRipMov(T);
@ -116,8 +87,15 @@ VOID ObfMutateInstructions(PINSTMUT_SETS Obf, PNATIVE_CODE_BLOCK Block)
delete PreOp;
delete PostOp;
MutatedInstructions++;
if (MutateOnlyFirst)
return MutatedInstructions;
}
T = RealNext;
}
return MutatedInstructions;
}

@ -5,33 +5,46 @@
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#include "Jit.h"
#include "OpaqueBranching.h"
#define OBF_ATTRIBUTE_JIT (1<<0)
#define OBF_ATTRIBUTE_OPAQUE_BRANCHES (1<<1)
#define OBF_ATTRIBUTE_RANDOMIZE_DIVISOR (1<<2)
typedef struct _OPBR_SETS
{
ULONG MaxDepth;
ULONG MinBranchSize;
FLOAT Divisor;
ULONG Flags;
ULONG MinDepthForBranch;
ULONG ChanceForBranch;
PNATIVE_CODE_BLOCK ParentBlock;
}OPBR_SETS, *POPBR_SETS;
typedef struct _INSTMUT_SETS
{
ULONG MutateStart;
ULONG MutateChance;
}INSTMUT_SETS, *PINSTMUT_SETS;
//Recursive obfuscation routine using opaque branches and jit
VOID ObfGenerateOpaqueBranches(POPBR_SETS Obf, PNATIVE_CODE_BLOCK Block, ULONG Depth = 0);
VOID ObfMutateInstructions(PINSTMUT_SETS Obf, PNATIVE_CODE_BLOCK Block);
#include "Random.h"
#define DWORD_MOV_INST_LENGTH 10
#define WORD_MOV_INST_LENGTH 9
#define BYTE_MOV_INST_LENGTH 7
//Jit
BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL JitEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL JitEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
VOID ObfGenOpaqueBranch(PNATIVE_CODE_BLOCK Block, FLOAT BranchSizePercentage);
ULONG ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, ULONG MutateChance, BOOL MutateFirst, BOOL MutateOnlyFirst);
XED_ICLASS_ENUM ObfGetRandomJccClass();
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementSize = 32);
BOOL ObfCreateOpaqueBranches(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken);
//Combines the two branches into one block that can easily be patched into the code
//Resulting block is put into NotTaken
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, ULONG JccLabel, ULONG JmpLabel);
#endif

@ -1,8 +1,8 @@
#include "OpaqueBranching.h"
#include "Obfuscator.h"
XED_ICLASS_ENUM ObfGetRandomJccClass()
{
switch (rand() % 14)
switch (RndGetRandomInt(0, 14))
{
case 0: return XED_ICLASS_JL;
case 1: return XED_ICLASS_JLE;
@ -112,33 +112,3 @@ BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Ta
return TRUE;
}
BOOL ObfInsertOpaqueBranchBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK OpaqueBranchBlock)
{
OpaqueBranchBlock->Start->Prev = Start->Prev;
OpaqueBranchBlock->End->Next = End->Next;
if (Start->Prev)
Start->Prev->Next = OpaqueBranchBlock->Start;
if (End->Next)
End->Next->Prev = OpaqueBranchBlock->End;
if (Start->Block->Start == Start)
Start->Block->Start = OpaqueBranchBlock->Start;
if (Start->Block->End == End)
Start->Block->End = OpaqueBranchBlock->End;
//Update group for the current isntructions
for (PNATIVE_CODE_LINK T = OpaqueBranchBlock->Start; T && T != OpaqueBranchBlock->End->Next; T = T->Next)
T->Block = Start->Block;
PNATIVE_CODE_LINK EndBlock = End->Next;
for (PNATIVE_CODE_LINK T = Start; T && T != EndBlock;)
{
PNATIVE_CODE_LINK RealNext = T->Next;
delete T;
T = RealNext;
}
return TRUE;
}

@ -5,19 +5,5 @@
#include "XedWrap.h"
#include "NativeCode.h"
XED_ICLASS_ENUM ObfGetRandomJccClass();
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementSize = 32);
BOOL ObfCreateOpaqueBranches(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken);
//Combines the two branches into one block that can easily be patched into the code
//Resulting block is put into NotTaken
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, ULONG JccLabel, ULONG JmpLabel);
BOOL ObfInsertOpaqueBranchBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK OpaqueBranchBlock);
#endif

@ -0,0 +1,40 @@
#include "PEFile.h"
VOID FiLoadFile(PPE_FILE File, PVOID RawData, ULONG RawDataSize)
{
File->RawData = RawData;
File->RawDataSize = RawDataSize;
File->Flags = NULL;
File->DosHeader = (PIMAGE_DOS_HEADER)File->RawData;
if (File->DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
return;
File->NtHeaders = (PIMAGE_NT_HEADERS)((PUCHAR)File + File->DosHeader->e_lfanew);
if (File->NtHeaders->Signature != IMAGE_NT_SIGNATURE)
return;
File->FileHeader = &(File->NtHeaders->FileHeader);
File->SectionHeaders = (PIMAGE_SECTION_HEADER)((PUCHAR)File->FileHeader + sizeof(IMAGE_FILE_HEADER) + File->FileHeader->SizeOfOptionalHeader);
File->Flags |= PEFI_IS_LOADED;
}
VOID FiWriteFile(PPE_FILE File, STDSTRING CONST& Path)
{
//xD
}
VOID FILoadSymbols(PPE_FILE File, PVOID PdbFileData)
{
}
VOID FiDestroy(PPE_FILE File)
{
}
BOOL FiGood(PPE_FILE File)
{
return (File->Flags & PEFI_IS_LOADED);
}

@ -0,0 +1,36 @@
#ifndef __PEFILE_H
#define __PEFILE_H
#include "Windas.h"
#define PEFI_IS_LOADED (1<<0)
#define PEFI_SYMBOLS_LOADED (1<<1)
typedef struct _PEFI_SECTION
{
PVOID RawData;
ULONG RawDataSize;
}PEFI_SECTION, *PPEFI_SECTION;
typedef struct _PE_FILE
{
PVOID RawData;
ULONG RawDataSize;
ULONG Flags;
PIMAGE_DOS_HEADER DosHeader;
PIMAGE_NT_HEADERS NtHeaders;
PIMAGE_FILE_HEADER FileHeader;
PIMAGE_SECTION_HEADER SectionHeaders;
STDVECTOR<UCHAR> SymbolData;
}PE_FILE, *PPE_FILE;
VOID FiLoadFile(PPE_FILE File, PVOID RawData, ULONG RawDataSize);
VOID FiWriteFile(PPE_FILE File, STDSTRING CONST& Path);
VOID FILoadSymbols(PPE_FILE File, PVOID PdbFileData);
VOID FiDestroy(PPE_FILE File);
BOOL FiGood(PPE_FILE File);
#endif

@ -0,0 +1,18 @@
#include "Random.h"
INT RndGetRandomInt(INT min, INT max)
{
std::random_device rd;
std::default_random_engine generator(rd());
std::uniform_int_distribution<ULONG> distribution(min, max);
return distribution(generator);
}
FLOAT RndGetRandomFloat(FLOAT min, FLOAT max)
{
std::random_device Random;
std::mt19937 RandomGenerator(Random());
std::uniform_real<FLOAT> RandomDistribute(min, max);
return RandomDistribute(RandomGenerator);
}

@ -0,0 +1,12 @@
#ifndef __RANDOM_H
#define __RANDOM_H
#include "Windas.h"
INT RndGetRandomInt(INT min, INT max);
FLOAT RndGetRandomFloat(FLOAT min, FLOAT max);
#endif

@ -1,38 +0,0 @@
#include "RipAndInst.h"
BOOL JitEmitRipRelativeAndD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x81, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PULONG)&Link->RawData[6] = Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeAndW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x66, 0x83, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
*(PUSHORT)&Link->RawData[7] = (USHORT)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeAndB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x80, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}

@ -1,16 +0,0 @@
#ifndef __RIP_AND_INST_H
#define __RIP_AND_INST_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
BOOL JitEmitRipRelativeAndD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeAndW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeAndB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#endif

@ -1,4 +1,4 @@
#include "RipMovInst.h"
#include "Obfuscator.h"
BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
{
@ -35,3 +35,137 @@ BOOL JitEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Dat
NcAppendToBlock(Block, Link);
return TRUE;
}
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
PUCHAR DataOffset = Link->RawData;
ULONG Count = FourByte;
while (Count)
{
//Account for remaining MOVs
INT32 RipDelta = (((Count - 1) * DWORD_MOV_INST_LENGTH) + (TwoByte * WORD_MOV_INST_LENGTH) + (OneByte * BYTE_MOV_INST_LENGTH));
//Account for already MOVd instructions
RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta;
//Add the actual instruction
if (!JitEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 4;
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_MOV_INST_LENGTH);
RipDelta += (FourByte * 4);
RipDelta += Delta;
if (!JitEmitRipRelativeMovW(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 2;
}
if (OneByte)
{
INT32 RipDelta = 0;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += Delta;
if (!JitEmitRipRelativeMovB(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
ULONG ZeroValue = 0;
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
RipDelta += (FourByte - (Count - 1)) * DWORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
ZeroValue = rand();
if (!JitEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
ZeroValue = rand();
if (!JitEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += (TwoByte * WORD_MOV_INST_LENGTH);
RipDelta += BYTE_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
ZeroValue = rand();
if (!JitEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}

@ -1,15 +0,0 @@
#ifndef __RIP_MOV_INST_H
#define __RIP_MOV_INST_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL JitEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL JitEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
#endif

@ -1,38 +0,0 @@
#include "RipOrInst.h"
BOOL JitEmitRipRelativeOrD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x81, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PULONG)&Link->RawData[6] = Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeOrW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x66, 0x83, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
*(PUSHORT)&Link->RawData[7] = (USHORT)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeOrB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x80, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}

@ -1,16 +0,0 @@
#ifndef __RIP_OR_INST_H
#define __RIP_OR_INST_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
BOOL JitEmitRipRelativeOrD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeOrW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeOrB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#endif

@ -1,38 +0,0 @@
#include "RipXorInst.h"
BOOL JitEmitRipRelativeXorD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x81, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PULONG)&Link->RawData[6] = Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeXorW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x66, 0x81, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
*(PUSHORT)&Link->RawData[7] = (USHORT)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x80, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}

@ -1,16 +0,0 @@
#ifndef __RIP_XOR_INST_H
#define __RIP_XOR_INST_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
BOOL JitEmitRipRelativeXorD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeXorW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#endif

@ -13,3 +13,13 @@ BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block)
}
return TRUE;
}
BOOL VmEmitEnter(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block)
{
}
BOOL VmEmitExit(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block)
{
}

@ -7,12 +7,32 @@
/*
* Structure:
*
* Instructions:
* - Two byte opcode
* -
*
*
* LOC register(Frame pointer):
* - A register for which all local variables are addressed from
* - Specific instructions for quick access of stuff around this ptr
* - Example Frame:
* - [Previous function variables
* - [Return Address
* - [Previous Functions LOC
* - LOC->[Empty Stack Space
*
*
* -VmEnter will essentially "call into" the vm and will be created using a function to rearrange and push arguments based on the arguments passed to said function.
*/
BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link);
BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block);
BOOL VmEmitEnter(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block);
BOOL VmEmitExit(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block);
#endif

@ -7,6 +7,7 @@
#include <iostream>
#include <iomanip>
#include <algorithm>
#include <random>
#define INLINE inline
#define STDSTRING std::string
@ -22,6 +23,7 @@
* Jit -> Jit related function
* Xed -> Xed macro wrapper
* Vm -> Virtual Machine function
* Fi -> File stuff used to dissasemble PE files
*/

@ -2,24 +2,8 @@
virtualize x86_64
# Ideas:
- Handle inputted buffers only for now, no nonsense with files yet.
- Output buffers containing the vm(with required instructions), vm handler table(offsets to insturctions in vm buffer), and one containing the x86 code(with the vm code right along side it(this means fixing up all relative jumps and rip relative instructions.. ugh >:| ))
- I want the vm code to be embedded right alongside the x86, so you see like
```
x86 instruction
x86 instruction
vmenter(which jumps to some place based on the handler table)
vm opcode (vm opcode and bytecode which looks like jibberish)
vm opcode
vm opcode
vm exits back to here ---.
x86 instruction <----`
x86 instruction
```
# Todo:
- Setup some il rope like structure to contain all x86 instructions
- Functions to find groups of x86 instructions that i can handle/convert into my vm.(the larger the group the better)
- Learn file structure, what are reallocations and how do imports work?!?
# Obfuscator
- Opaque Branching
- Just in time instruction Mutation with RIP relative bitwise operating and moving
- Junk: Both garbage with jmps to jump around it, and code that does something, then undos what it did.
-

@ -0,0 +1,7 @@
#include <Windows.h>
int main()
{
}

@ -0,0 +1,150 @@
<?xml version="1.0" encoding="utf-8"?>
<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup Label="ProjectConfigurations">
<ProjectConfiguration Include="Debug|Win32">
<Configuration>Debug</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|Win32">
<Configuration>Release</Configuration>
<Platform>Win32</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Debug|x64">
<Configuration>Debug</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
<ProjectConfiguration Include="Release|x64">
<Configuration>Release</Configuration>
<Platform>x64</Platform>
</ProjectConfiguration>
</ItemGroup>
<PropertyGroup Label="Globals">
<VCProjectVersion>16.0</VCProjectVersion>
<Keyword>Win32Proj</Keyword>
<ProjectGuid>{0949e81d-fac5-471e-b533-cb0d9b53b346}</ProjectGuid>
<RootNamespace>TestProject</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>true</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>Unicode</CharacterSet>
<SpectreMitigation>false</SpectreMitigation>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
</ImportGroup>
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<LinkIncremental>true</LinkIncremental>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>true</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
<WarningLevel>Level3</WarningLevel>
<FunctionLevelLinking>true</FunctionLevelLinking>
<IntrinsicFunctions>false</IntrinsicFunctions>
<SDLCheck>true</SDLCheck>
<PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
<ConformanceMode>true</ConformanceMode>
<Optimization>Disabled</Optimization>
<WholeProgramOptimization>false</WholeProgramOptimization>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<GenerateDebugInformation>true</GenerateDebugInformation>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="Main.cpp" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
</ImportGroup>
</Project>

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<ClCompile Include="Main.cpp" />
</ItemGroup>
</Project>

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="utf-8"?>
<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup />
</Project>
Loading…
Cancel
Save