reformat jit

James 3 years ago
parent f7b351fdb7
commit 71da702d2f

@ -1,9 +1,10 @@
#ifndef __CODE_H
#define __CODE_H
#define CODE_FLAG_IS_LABEL (1<<0)
#define CODE_FLAG_IS_REL_JMP (1<<1)
#define CODE_FLAG_IS_INST (1<<2)
#define CODE_FLAG_DO_NOT_DIVIDE (1<<3)
#define CODE_FLAG_IS_LABEL (1<<0)
#define CODE_FLAG_IS_REL_JMP (1<<1)
#define CODE_FLAG_IS_INST (1<<2)
#define CODE_FLAG_DO_NOT_DIVIDE (1<<3)
#define CODE_FLAG_IS_OBFUSCATED (1<<4)
#endif

@ -56,6 +56,7 @@
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
</ImportGroup>
<ImportGroup Label="Shared">
</ImportGroup>
@ -120,6 +121,7 @@
<ConformanceMode>true</ConformanceMode>
<LanguageStandard>stdcpp17</LanguageStandard>
<AdditionalIncludeDirectories>C:\%24Fanta\IntelXED\build\obj\wkit\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AssemblerOutput>All</AssemblerOutput>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
@ -127,6 +129,12 @@
<AdditionalLibraryDirectories>C:\%24Fanta\IntelXED\build\obj\wkit\lib;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>xed.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
<MASM>
<EnableAssemblyGeneratedCodeListing>true</EnableAssemblyGeneratedCodeListing>
</MASM>
<MASM>
<AssembledCodeListingFile>$(IntDir)\%(filename).lst</AssembledCodeListingFile>
</MASM>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -149,13 +157,16 @@
</Link>
</ItemDefinitionGroup>
<ItemGroup>
<ClCompile Include="Jit.cpp" />
<ClCompile Include="Junk.cpp" />
<ClCompile Include="NativeCode.cpp" />
<ClCompile Include="Main.cpp" />
<ClCompile Include="Nop.cpp" />
<ClCompile Include="Obfuscator.cpp" />
<ClCompile Include="OpaqueBranching.cpp" />
<ClCompile Include="RipAndInst.cpp" />
<ClCompile Include="RipMovInst.cpp" />
<ClCompile Include="RipOrInst.cpp" />
<ClCompile Include="RipXorInst.cpp" />
<ClCompile Include="Virtualizer.cpp" />
<ClCompile Include="VirtualMachine.cpp" />
@ -164,12 +175,15 @@
</ItemGroup>
<ItemGroup>
<ClInclude Include="Code.h" />
<ClInclude Include="Jit.h" />
<ClInclude Include="Junk.h" />
<ClInclude Include="NativeCode.h" />
<ClInclude Include="Nop.h" />
<ClInclude Include="Obfuscator.h" />
<ClInclude Include="OpaqueBranching.h" />
<ClInclude Include="RipAndInst.h" />
<ClInclude Include="RipMovInst.h" />
<ClInclude Include="RipOrInst.h" />
<ClInclude Include="RipXorInst.h" />
<ClInclude Include="Virtualizer.h" />
<ClInclude Include="VirtualMachine.h" />
@ -177,7 +191,11 @@
<ClInclude Include="Windas.h" />
<ClInclude Include="XedWrap.h" />
</ItemGroup>
<ItemGroup>
<MASM Include="Assembly.asm" />
</ItemGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
<ImportGroup Label="ExtensionTargets">
<Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
</ImportGroup>
</Project>

@ -38,6 +38,15 @@
<ClInclude Include="OpaqueBranching.h">
<Filter>Obfuscator\Branching\OpaqueBranching</Filter>
</ClInclude>
<ClInclude Include="Jit.h">
<Filter>Obfuscator\Jit</Filter>
</ClInclude>
<ClInclude Include="RipAndInst.h">
<Filter>Obfuscator\Jit\RipAndInst</Filter>
</ClInclude>
<ClInclude Include="RipOrInst.h">
<Filter>Obfuscator\Jit\RipOrInst</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Main.cpp" />
@ -74,6 +83,15 @@
<ClCompile Include="OpaqueBranching.cpp">
<Filter>Obfuscator\Branching\OpaqueBranching</Filter>
</ClCompile>
<ClCompile Include="Jit.cpp">
<Filter>Obfuscator\Jit</Filter>
</ClCompile>
<ClCompile Include="RipAndInst.cpp">
<Filter>Obfuscator\Jit\RipAndInst</Filter>
</ClCompile>
<ClCompile Include="RipOrInst.cpp">
<Filter>Obfuscator\Jit\RipOrInst</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<Filter Include="Xed">
@ -119,4 +137,7 @@
<UniqueIdentifier>{9b60f523-bf84-4740-9ee6-b8f34a317078}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<MASM Include="Assembly.asm" />
</ItemGroup>
</Project>

@ -0,0 +1,446 @@
#include "Jit.h"
#include "RipXorInst.h"
#include "RipAndInst.h"
#include "RipOrInst.h"
#include "RipMovInst.h"
BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block)
{
UCHAR RawData[] = { 0x9C };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1);
XedDecode(&Link->XedInstruction, Link->RawData, 1);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitPopfqInst(PNATIVE_CODE_BLOCK Block)
{
UCHAR RawData[] = { 0x9D };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1);
XedDecode(&Link->XedInstruction, Link->RawData, 1);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitCheckFlagCollisions(CONST XED_FLAG_SET* FlagsRead, XED_FLAG_SET Ledger)
{
return ((FlagsRead->s.zf && FlagsRead->s.zf == Ledger.s.zf) ||
(FlagsRead->s.sf && FlagsRead->s.sf == Ledger.s.sf) ||
(FlagsRead->s.pf && FlagsRead->s.pf == Ledger.s.pf) ||
(FlagsRead->s.of && FlagsRead->s.of == Ledger.s.of) ||
(FlagsRead->s.cf && FlagsRead->s.cf == Ledger.s.cf) ||
(FlagsRead->s.af && FlagsRead->s.af == Ledger.s.af)
);
}
VOID JitUpdateConFlagsLedger(CONST XED_FLAG_SET* FlagsWritten, XED_FLAG_SET* Ledger)
{
if (FlagsWritten->s.zf)
Ledger->s.zf = FALSE;
if (FlagsWritten->s.sf)
Ledger->s.sf = FALSE;
if (FlagsWritten->s.pf)
Ledger->s.pf = FALSE;
if (FlagsWritten->s.of)
Ledger->s.of = FALSE;
if (FlagsWritten->s.cf)
Ledger->s.cf = FALSE;
if (FlagsWritten->s.af)
Ledger->s.af = FALSE;
}
BOOL JitDoesInstOverriteConditionFlags(PNATIVE_CODE_LINK Link)
{
CONST XED_SIMPLE_FLAG* SimpleFlags = XedDecodedInstGetRflagsInfo(&Link->XedInstruction);
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(SimpleFlags);
CONST XED_FLAG_SET* FlagsUndefined = XedSimpleFlagGetUndefinedFlagSet(SimpleFlags);
return (FlagsWritten->s.zf &&
FlagsWritten->s.sf &&
FlagsWritten->s.pf &&
FlagsWritten->s.of &&
FlagsWritten->s.cf &&
FlagsUndefined->s.af
);
}
BOOL JitAreFlagsClobberedBeforeUse(PNATIVE_CODE_LINK Link)
{
XED_FLAG_SET Ledger;
Ledger.s.zf = TRUE;
Ledger.s.sf = TRUE;
Ledger.s.pf = TRUE;
Ledger.s.of = TRUE;
Ledger.s.cf = TRUE;
Ledger.s.af = TRUE;
for (PNATIVE_CODE_LINK T = Link->Next; T; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
CONST XED_SIMPLE_FLAG* SimpleFlags = XedDecodedInstGetRflagsInfo(&T->XedInstruction);
CONST XED_FLAG_SET* FlagsRead = XedSimpleFlagGetReadFlagSet(SimpleFlags);
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(SimpleFlags);
if (JitCheckFlagCollisions(FlagsRead, Ledger))
return FALSE;
JitUpdateConFlagsLedger(FlagsWritten, &Ledger);
if (Ledger.flat == 0)
return TRUE;
}
return FALSE;
}
VOID JitMutateInstForXor(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PUCHAR Buffer = Link->RawData;
while (FourByte)
{
*(PULONG)Buffer ^= JitData->Data[2 - FourByte];
Buffer += 4;
FourByte--;
}
if (TwoByte)
{
*(PUSHORT)Buffer ^= (USHORT)JitData->Data[3];
Buffer += 2;
}
if (OneByte)
*(PUCHAR)Buffer ^= (UCHAR)JitData->Data[3];
}
VOID JitMutateInstForOr(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA XorData)
{
}
VOID JitMutateInstForAnd(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA XorData)
{
}
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
PUCHAR DataOffset = Link->RawData;
ULONG Count = FourByte;
while (Count)
{
//Account for remaining MOVs
INT32 RipDelta = (((Count - 1) * DWORD_MOV_INST_LENGTH) + (TwoByte * WORD_MOV_INST_LENGTH) + (OneByte * BYTE_MOV_INST_LENGTH));
//Account for already MOVd instructions
RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta;
//Add the actual instruction
printf("%p IS THE DATAOFFSET\n", DataOffset);
system("pause");
if (!JitEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 4;
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_MOV_INST_LENGTH);
RipDelta += (FourByte * 4);
RipDelta += Delta;
if (!JitEmitRipRelativeMovW(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 2;
}
if (OneByte)
{
INT32 RipDelta = 0;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += Delta;
if (!JitEmitRipRelativeMovB(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
ULONG ZeroValue = 0;
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
RipDelta += (FourByte - (Count - 1)) * DWORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta += BYTE_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
BOOL JitiEmitWrapperD(ULONG OpType, PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
switch (OpType)
{
case JIT_BITWISE_XOR: return JitEmitRipRelativeXorD(Block, RipDelta, Value);
case JIT_BITWISE_AND: return JitEmitRipRelativeAndD(Block, RipDelta, Value);
case JIT_BITWISE_OR: return JitEmitRipRelativeOrD(Block, RipDelta, Value);
}
}
BOOL JitiEmitWrapperW(ULONG OpType, PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
switch (OpType)
{
case JIT_BITWISE_XOR: return JitEmitRipRelativeXorW(Block, RipDelta, Value);
case JIT_BITWISE_AND: return JitEmitRipRelativeAndW(Block, RipDelta, Value);
case JIT_BITWISE_OR: return JitEmitRipRelativeOrW(Block, RipDelta, Value);
}
}
BOOL JitiEmitWrapperB(ULONG OpType, PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
switch (OpType)
{
case JIT_BITWISE_XOR: return JitEmitRipRelativeXorB(Block, RipDelta, Value);
case JIT_BITWISE_AND: return JitEmitRipRelativeAndB(Block, RipDelta, Value);
case JIT_BITWISE_OR: return JitEmitRipRelativeOrB(Block, RipDelta, Value);
}
}
PNATIVE_CODE_BLOCK JitEmitPreRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
if (SaveFlags && !JitEmitPushfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = (((Count - 1) * DWORD_RIP_INST_LENGTH) + (TwoByte * WORD_RIP_INST_LENGTH) + (OneByte * BYTE_RIP_INST_LENGTH));
if (SaveFlags)
RipDelta += 1;
RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta;
if (!JitiEmitWrapperD(OpType, Block, RipDelta, JitData->Data[FourByte - Count]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_RIP_INST_LENGTH);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * 4);
RipDelta += Delta;
if (!JitiEmitWrapperW(OpType, Block, RipDelta, JitData->Data[3]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = 0;
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += Delta;
if (!JitiEmitWrapperB(OpType, Block, RipDelta, JitData->Data[4]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (SaveFlags && !JitEmitPopfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
return Block;
}
PNATIVE_CODE_BLOCK JitEmitPostRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
if (SaveFlags && !JitEmitPushfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte - (Count - 1)) * DWORD_RIP_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitiEmitWrapperD(OpType, Block, RipDelta, JitData->Data[FourByte - Count]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * DWORD_RIP_INST_LENGTH);
RipDelta += WORD_RIP_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitiEmitWrapperW(OpType, Block, RipDelta, JitData->Data[3]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * DWORD_RIP_INST_LENGTH);
RipDelta += WORD_RIP_INST_LENGTH;
RipDelta += BYTE_RIP_INST_LENGTH;
RipDelta *= (-1);
RipDelta += Delta;
if (!JitiEmitWrapperB(OpType, Block, RipDelta, JitData->Data[4]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (SaveFlags && !JitEmitPopfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
return Block;
}
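Review bot: JitiEmitWrapperD, JitiEmitWrapperW and JitiEmitWrapperB have no `default:` case, so any OpType other than the three JIT_BITWISE_* values falls off the end of a BOOL-returning function, which is undefined behaviour; add `default: return FALSE;` to each switch. In JitAreFlagsClobberedBeforeUse, Ledger is declared uninitialised and only six bitfields are assigned, yet the exit test reads the whole `Ledger.flat`, so the untouched bits are indeterminate and the "all flags clobbered" return may never be reached; write `Ledger.flat = 0;` before the bitfield assignments. JitMutateInstForXor keys the dwords with `Data[2 - FourByte]` and the trailing byte with `Data[3]`, whereas JitEmitPreRipBitwiseOp and JitEmitPostRipBitwiseOp emit `Data[FourByte - Count]` and `Data[4]`: for a single-dword instruction the mutation uses Data[1] where the emitter used Data[0], for three dwords `2 - 3` wraps the ULONG index out of bounds, and the byte keys differ, so the build-time and run-time XORs presumably do not cancel; index the mutation with a counter running up from 0 and use `Data[4]` for the byte. JitEmitPreRipMov still carries the debugging `printf("%p IS THE DATAOFFSET\n", DataOffset); system("pause");` inside its loop, which blocks the process on every dword and should be removed. JitMutateInstForOr and JitMutateInstForAnd are empty bodies, so selecting JIT_BITWISE_OR/AND emits runtime instructions with no matching mutation; if they are placeholders, mark them `// TODO: not implemented` so the gap is visible.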

@ -0,0 +1,51 @@
#ifndef __JIT_H
#define __JIT_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#define DWORD_RIP_INST_LENGTH 10
#define WORD_RIP_INST_LENGTH 9
#define BYTE_RIP_INST_LENGTH 7
#define DWORD_MOV_INST_LENGTH 10
#define WORD_MOV_INST_LENGTH 9
#define BYTE_MOV_INST_LENGTH 7
#define JIT_BITWISE_XOR 0
#define JIT_BITWISE_AND 1
#define JIT_BITWISE_OR 2
typedef struct _JIT_BITWISE_DATA
{
ULONG Data[5];
}JIT_BITWISE_DATA, *PJIT_BITWISE_DATA;
BOOL JitEmitPushfqInst(PNATIVE_CODE_BLOCK Block);
BOOL JitEmitPopfqInst(PNATIVE_CODE_BLOCK Block);
BOOL JitCheckFlagCollisions(CONST XED_FLAG_SET* FlagsRead, XED_FLAG_SET Ledger);
VOID JitUpdateConFlagsLedger(CONST XED_FLAG_SET* FlagsWritten, XED_FLAG_SET* Ledger);
BOOL JitDoesInstOverriteConditionFlags(PNATIVE_CODE_LINK Link);
BOOL JitAreFlagsClobberedBeforeUse(PNATIVE_CODE_LINK Link);
VOID JitMutateInstForXor(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA XorData);
VOID JitMutateInstForOr(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA XorData);
VOID JitMutateInstForAnd(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA XorData);
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPreRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags = TRUE, INT32 Delta = 0);
PNATIVE_CODE_BLOCK JitEmitPostRipBitwiseOp(PNATIVE_CODE_LINK Link, PJIT_BITWISE_DATA JitData, ULONG OpType, BOOL SaveFlags = TRUE, INT32 Delta = 0);
#endif
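Review bot: The include guard `__JIT_H` (and `__RIP_AND_INST_H`, `__RIP_OR_INST_H` in the sibling headers added by this commit) starts with a double underscore, which C and C++ reserve for the implementation; use `JIT_H` or `JIT_H_` instead. The six *_INST_LENGTH constants carry identical values for the RIP and MOV families with nothing saying what they measure or what they must stay in sync with; a comment such as `// byte length of the RawData arrays built by JitEmitRipRelative{Xor,And,Or,Mov}{D,W,B}; keep in sync with Rip*Inst.cpp` would make the RipDelta arithmetic in Jit.cpp checkable against the emitters. JIT_BITWISE_XOR/AND/OR are the whole domain of the OpType parameter and would read better as an enum, since the compiler can then warn when a switch over them is incomplete.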

@ -7,8 +7,9 @@
#include "RipXorInst.h"
#include "RipMovInst.h"
#include "OpaqueBranching.h"
#include "Jit.h"
UCHAR TestBuffer[]{
UCHAR TestBuffer[] = {
0x48, 0x33, 0xC0,
0x48, 0x33, 0xC0,
0xEB, 0x0E,
@ -30,32 +31,31 @@ ULONG TestBufferSize = sizeof(TestBuffer);
int main()
{
XedTablesInit();
srand(time(NULL));
/*srand(time(NULL));
NATIVE_CODE_BLOCK Block;
NcDisassemble(&Block, TestBuffer, TestBufferSize);
PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
NcDebugPrint(OpaqueBranch);
system("pause");
system("pause");*/
/*NATIVE_CODE_LINK T;
NATIVE_CODE_LINK T;
T.RawDataSize = 10;
T.RawData = new UCHAR[10];
memset(T.RawData, 0xAA, 10);
XOR_INST_DATA Data;
RtlSecureZeroMemory(&Data, sizeof(XOR_INST_DATA));
PNATIVE_CODE_BLOCK NewBlock = ObfEmitPreMovForInst(&T);
JIT_BITWISE_DATA Data;
RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA));
PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T);
if (NewBlock)
{
printf("\n");
NcDebugPrint(NewBlock);
printf("\n");
NcPrintBlockCode(NewBlock);
}*/
//PNATIVE_CODE_LINK temp = new NATIVE_CODE_LINK("Hello");
}
system("pause");
}
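Review bot: The test path in main() allocates `T.RawData = new UCHAR[10]` and the block returned by JitEmitPreRipMov, and neither is released before the trailing `system("pause")`; unless NATIVE_CODE_LINK's destructor owns RawData (not visible here), add `NcDeleteBlock(NewBlock); delete NewBlock;` inside the `if (NewBlock)` branch and `delete[] T.RawData;` after it. The `system("pause")` at exit and the large commented-out block above it read as scratch debugging; guarding them with a build-time `#ifdef` or removing them keeps the shell call out of the default build.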

@ -383,7 +383,10 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block)
VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block)
{
for (PNATIVE_CODE_LINK T = Block->Start; T;)
if (!Block->Start || !Block->End)
return;
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next;)
{
PNATIVE_CODE_LINK Next = T->Next;
delete T;
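Review bot: The new loop condition `T != Block->End->Next` is re-evaluated after each link is deleted, so on the iteration that deletes `Block->End` the following test dereferences the freed End link — a use-after-free — unless the part of the body outside this hunk resets Block->End first. Capture the sentinel once before the loop, `PNATIVE_CODE_LINK Stop = Block->End->Next;`, iterate with `for (PNATIVE_CODE_LINK T = Block->Start; T != Stop;)`, and clear `Block->Start = Block->End = NULL;` after it so a second NcDeleteBlock on the same block is a no-op via the new guard. NcDeleteBlock's body continues past the end of the hunk.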

@ -0,0 +1,38 @@
#include "RipAndInst.h"
BOOL JitEmitRipRelativeAndD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x81, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PULONG)&Link->RawData[6] = Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeAndW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x66, 0x83, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
*(PUSHORT)&Link->RawData[7] = (USHORT)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeAndB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x80, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
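Review bot: JitEmitRipRelativeAndW encodes the word form as `0x66, 0x83, 0x25, …`, but opcode 0x83 is the group-1 form with an 8-bit sign-extended immediate, so the instruction is 8 bytes long and the USHORT written at offset 7 spills its high byte into what the decoder will treat as the start of the next instruction; the 16-bit-immediate form is opcode 0x81, i.e. `UCHAR RawData[] = { 0x66, 0x81, 0x25, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };`, which is also the 9-byte length WORD_RIP_INST_LENGTH assumes and what JitEmitRipRelativeXorW already uses. JitEmitRipRelativeOrW in RipOrInst.cpp has the same 0x83/0x0D encoding and needs the same change. The result of XedDecode is discarded in all three emitters, so a rejected encoding such as this one is appended to the block silently and the function still returns TRUE; if XedDecode surfaces the decoder's error, check it, delete the link and return FALSE. The `*(PINT32)&Link->RawData[2] = RipDelta;` stores are unaligned type-punned writes; `memcpy(&Link->RawData[2], &RipDelta, sizeof RipDelta);` is the portable form and compiles to the same store.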

@ -0,0 +1,16 @@
#ifndef __RIP_AND_INST_H
#define __RIP_AND_INST_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
BOOL JitEmitRipRelativeAndD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeAndW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeAndB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#endif

@ -1,173 +1,38 @@
#include "RipMovInst.h"
BOOL ObfEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
{
UCHAR RawData[] = { 0xC7, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[DWORD_MOV_INST_RIP_OFFSET] = RipDelta;
memcpy(&Link->RawData[DWORD_MOV_INST_MOV_OFFSET], Data, 4);
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
memcpy(&Link->RawData[6], Data, 4);
printf("%p memes\n", Link);
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL ObfEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
BOOL JitEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
{
UCHAR RawData[] = { 0x66, 0xC7, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[WORD_MOV_INST_RIP_OFFSET] = RipDelta;
memcpy(&Link->RawData[WORD_MOV_INST_MOV_OFFSET], Data, 2);
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
memcpy(&Link->RawData[7], Data, 2);
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL ObfEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
BOOL JitEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data)
{
UCHAR RawData[] = { 0xC6, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[BYTE_MOV_INST_RIP_OFFSET] = RipDelta;
Link->RawData[BYTE_MOV_INST_MOV_OFFSET] = *Data;
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
Link->RawData[6] = *Data;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
PUCHAR DataOffset = Link->RawData;
ULONG Count = FourByte;
while (Count)
{
//Account for remaining MOVs
INT32 RipDelta = (((Count - 1) * DWORD_MOV_INST_LENGTH) + (TwoByte * WORD_MOV_INST_LENGTH) + (OneByte * BYTE_MOV_INST_LENGTH));
//Account for already MOVd instructions
RipDelta += ((FourByte - Count) * 4);
RipDelta += DeltaToInst;
//Add the actual instruction
printf("%p IS THE DATAOFFSET\n", DataOffset);
system("pause");
if (!ObfEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 4;
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_MOV_INST_LENGTH);
RipDelta += (FourByte * 4);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovW(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
DataOffset += 2;
}
if (OneByte)
{
INT32 RipDelta = 0;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovB(Block, RipDelta, DataOffset))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
ULONG ZeroValue = 0;
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
RipDelta += (FourByte - (Count - 1)) * DWORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH;
RipDelta += BYTE_MOV_INST_LENGTH;
RipDelta *= (-1);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
PNATIVE_CODE_LINK StartLink = Block->Start;
Block->Start = Block->Start->Next;
if (Block->Start)
Block->Start->Prev = NULL;
delete StartLink;
return Block;
}
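Review bot: JitEmitRipRelativeMovD still contains the debugging line `printf("%p memes\n", Link);` between the memcpy and XedDecode, which prints a heap address to stdout on every emitted dword MOV; remove it. The three emitters now hard-code the displacement and immediate offsets (2/6, 3/7, 2/6) after the named *_OFFSET macros were dropped from RipMovInst.h; a one-line comment per function, e.g. `// C7 05 disp32 imm32: RIP-relative MOV dword, disp at [2], imm at [6]`, keeps the layout readable without the macros. None of the three checks XedDecode's result before appending the link, so an emitter returns TRUE even when the bytes do not decode; if XedDecode surfaces the decoder's error, return FALSE there after deleting the link.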

@ -5,28 +5,11 @@
#include "XedWrap.h"
#include "NativeCode.h"
#define DWORD_MOV_INST_LENGTH 10
#define DWORD_MOV_INST_RIP_OFFSET 2
#define DWORD_MOV_INST_MOV_OFFSET 6
BOOL JitEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
#define WORD_MOV_INST_LENGTH 9
#define WORD_MOV_INST_RIP_OFFSET 3
#define WORD_MOV_INST_MOV_OFFSET 7
#define BYTE_MOV_INST_LENGTH 7
#define BYTE_MOV_INST_RIP_OFFSET 2
#define BYTE_MOV_INST_MOV_OFFSET 6
BOOL ObfEmitRipRelativeMovD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL ObfEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL ObfEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst = 0);
PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst = 0);
BOOL JitEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
BOOL JitEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
#endif

@ -0,0 +1,38 @@
#include "RipOrInst.h"
BOOL JitEmitRipRelativeOrD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x81, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PULONG)&Link->RawData[6] = Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeOrW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x66, 0x83, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
*(PUSHORT)&Link->RawData[7] = (USHORT)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL JitEmitRipRelativeOrB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x80, 0x0D, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}

@ -0,0 +1,16 @@
#ifndef __RIP_OR_INST_H
#define __RIP_OR_INST_H
#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
BOOL JitEmitRipRelativeOrD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeOrW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL JitEmitRipRelativeOrB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#endif

@ -1,311 +1,38 @@
#include "RipXorInst.h"
BOOL ObfEmitPushfqInst(PNATIVE_CODE_BLOCK Block)
{
UCHAR RawData[] = { 0x9C };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1);
XedDecode(&Link->XedInstruction, Link->RawData, 1);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL ObfEmitPopfqInst(PNATIVE_CODE_BLOCK Block)
{
UCHAR RawData[] = { 0x9D };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, 1);
XedDecode(&Link->XedInstruction, Link->RawData, 1);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL ObfEmitRipRelativeXorD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
BOOL JitEmitRipRelativeXorD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x81, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[DWORD_XOR_INST_RIP_OFFSET] = RipDelta;
*(PULONG)&Link->RawData[DWORD_XOR_INST_XOR_OFFSET] = Value;
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PULONG)&Link->RawData[6] = Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL ObfEmitRipRelativeXorW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
BOOL JitEmitRipRelativeXorW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x66, 0x81, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[WORD_XOR_INST_RIP_OFFSET] = RipDelta;
*(PUSHORT)&Link->RawData[WORD_XOR_INST_XOR_OFFSET] = (USHORT)Value;
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[3] = RipDelta;
*(PUSHORT)&Link->RawData[7] = (USHORT)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
BOOL ObfEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
BOOL JitEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value)
{
UCHAR RawData[] = { 0x80, 0x35, 0x00, 0x00, 0x00, 0x00, 0x00 };
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[BYTE_XOR_INST_RIP_OFFSET] = RipDelta;
*(PUCHAR)&Link->RawData[BYTE_XOR_INST_XOR_OFFSET] = (UCHAR)Value;
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST | CODE_FLAG_DO_NOT_DIVIDE, RawData, sizeof(RawData));
*(PINT32)&Link->RawData[2] = RipDelta;
*(PUCHAR)&Link->RawData[6] = (UCHAR)Value;
XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize);
NcAppendToBlock(Block, Link);
return TRUE;
}
VOID ObfXorInstBytes(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PUCHAR Buffer = Link->RawData;
while (FourByte)
{
*(PULONG)Buffer ^= XorData->Data[2 - FourByte];
Buffer += 4;
FourByte--;
}
if (TwoByte)
{
*(PUSHORT)Buffer ^= (USHORT)XorData->Data[3];
Buffer += 2;
}
if (OneByte)
*(PUCHAR)Buffer ^= (UCHAR)XorData->Data[3];
}
BOOL ObfiCheckXorFlagCollisions(CONST XED_FLAG_SET* FlagsRead, XED_FLAG_SET Ledger)
{
return ((FlagsRead->s.zf && FlagsRead->s.zf == Ledger.s.zf) ||
(FlagsRead->s.sf && FlagsRead->s.sf == Ledger.s.sf) ||
(FlagsRead->s.pf && FlagsRead->s.pf == Ledger.s.pf) ||
(FlagsRead->s.of && FlagsRead->s.of == Ledger.s.of) ||
(FlagsRead->s.cf && FlagsRead->s.cf == Ledger.s.cf) ||
(FlagsRead->s.af && FlagsRead->s.af == Ledger.s.af)
);
}
VOID ObfiUpdateXorLedger(CONST XED_FLAG_SET* FlagsWritten, XED_FLAG_SET* Ledger)
{
if (FlagsWritten->s.zf)
Ledger->s.zf = FALSE;
if (FlagsWritten->s.sf)
Ledger->s.sf = FALSE;
if (FlagsWritten->s.pf)
Ledger->s.pf = FALSE;
if (FlagsWritten->s.of)
Ledger->s.of = FALSE;
if (FlagsWritten->s.cf)
Ledger->s.cf = FALSE;
if (FlagsWritten->s.af)
Ledger->s.af = FALSE;
}
BOOL ObfDoesInstWriteToAllXorFlags(PNATIVE_CODE_LINK Link)
{
CONST XED_SIMPLE_FLAG* SimpleFlags = XedDecodedInstGetRflagsInfo(&Link->XedInstruction);
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(SimpleFlags);
CONST XED_FLAG_SET* FlagsUndefined = XedSimpleFlagGetUndefinedFlagSet(SimpleFlags);
return (FlagsWritten->s.zf &&
FlagsWritten->s.sf &&
FlagsWritten->s.pf &&
FlagsWritten->s.of &&
FlagsWritten->s.cf &&
FlagsUndefined->s.af
);
}
BOOL ObfAreXorFlagsClobberedBeforeUse(PNATIVE_CODE_LINK Link)
{
XED_FLAG_SET Ledger;
Ledger.s.zf = TRUE;
Ledger.s.sf = TRUE;
Ledger.s.pf = TRUE;
Ledger.s.of = TRUE;
Ledger.s.cf = TRUE;
Ledger.s.af = TRUE;
for (PNATIVE_CODE_LINK T = Link->Next; T; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
CONST XED_SIMPLE_FLAG* SimpleFlags = XedDecodedInstGetRflagsInfo(&T->XedInstruction);
CONST XED_FLAG_SET* FlagsRead = XedSimpleFlagGetReadFlagSet(SimpleFlags);
CONST XED_FLAG_SET* FlagsWritten = XedSimpleFlagGetWrittenFlagSet(SimpleFlags);
if (ObfiCheckXorFlagCollisions(FlagsRead, Ledger))
return FALSE;
ObfiUpdateXorLedger(FlagsWritten, &Ledger);
if (Ledger.flat == 0)
return TRUE;
}
return FALSE;
}
PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
if (SaveFlags && !ObfEmitPushfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
ULONG Count = FourByte;
while (Count)
{
//Account for remaining XORs
INT32 RipDelta = (((Count - 1) * DWORD_XOR_INST_LENGTH) + (TwoByte * WORD_XOR_INST_LENGTH) + (OneByte * BYTE_XOR_INST_LENGTH));
//Account for POPFQ
if (SaveFlags)
RipDelta += 1;
//Account for already XORd instructions
RipDelta += ((FourByte - Count) * 4);
RipDelta += DeltaToInst;
//Add the actual instruction
if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte-Count]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = (OneByte * BYTE_XOR_INST_LENGTH);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * 4);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = 0;
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * 4) + (TwoByte * 2);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (SaveFlags && !ObfEmitPopfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
return Block;
}
PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
if (!Block)
return NULL;
if (SaveFlags && !ObfEmitPushfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
ULONG Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte - (Count - 1)) * DWORD_XOR_INST_LENGTH;
RipDelta *= (-1);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte - Count]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
--Count;
}
if (TwoByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * DWORD_XOR_INST_LENGTH);
RipDelta += WORD_XOR_INST_LENGTH;
RipDelta *= (-1);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (OneByte)
{
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
if (SaveFlags)
RipDelta += 1;
RipDelta += (FourByte * DWORD_XOR_INST_LENGTH);
RipDelta += WORD_XOR_INST_LENGTH;
RipDelta += BYTE_XOR_INST_LENGTH;
RipDelta *= (-1);
RipDelta += DeltaToInst;
if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4]))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
}
if (SaveFlags && !ObfEmitPopfqInst(Block))
{
NcDeleteBlock(Block);
delete Block;
return NULL;
}
return Block;
}

@ -5,45 +5,11 @@
#include "XedWrap.h"
#include "NativeCode.h"
#define DWORD_XOR_INST_LENGTH 10
#define DWORD_XOR_INST_RIP_OFFSET 2
#define DWORD_XOR_INST_XOR_OFFSET 6
BOOL JitEmitRipRelativeXorD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#define WORD_XOR_INST_LENGTH 9
#define WORD_XOR_INST_RIP_OFFSET 3
#define WORD_XOR_INST_XOR_OFFSET 7
BOOL JitEmitRipRelativeXorW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
#define BYTE_XOR_INST_LENGTH 7
#define BYTE_XOR_INST_RIP_OFFSET 2
#define BYTE_XOR_INST_XOR_OFFSET 6
typedef struct _XOR_INST_DATA
{
ULONG Data[5];
}XOR_INST_DATA, *PXOR_INST_DATA;
BOOL ObfEmitPushfqInst(PNATIVE_CODE_BLOCK Block);
BOOL ObfEmitPopfqInst(PNATIVE_CODE_BLOCK Block);
BOOL ObfEmitRipRelativeXorD(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL ObfEmitRipRelativeXorW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
BOOL ObfEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
VOID ObfXorInstBytes(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData);
//Used to see if the PreXor needs to save the flags.
//If all flags are written to by the XORs are also written to by the target inst theres no point in saving flags
BOOL ObfDoesInstWriteToAllXorFlags(PNATIVE_CODE_LINK Link);
BOOL ObfAreXorFlagsClobberedBeforeUse(PNATIVE_CODE_LINK Link);
PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst = 0);
PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst = 0);
BOOL JitEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Value);
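Review bot: The length and field-offset constants from `#define DWORD_XOR_INST_LENGTH 10` down to `#define BYTE_XOR_INST_XOR_OFFSET 6` are bare numbers with no comment tying them to the byte encodings that `JitEmitRipRelativeXorD/W/B` produce, yet the RIP-delta arithmetic in the callers that consume them is only correct while both agree exactly, and a mismatch would silently patch the displacement or immediate at the wrong byte with no diagnostic. A short comment on each group would record that contract, e.g. `// Encoded size of the dword RIP-relative XOR emitted by JitEmitRipRelativeXorD and the byte offsets of its disp32 and imm fields; keep in sync with the emitter.` Because the emitter bodies are outside this hunk, I would also have each emitter verify that the number of bytes it appended equals the corresponding `*_XOR_INST_LENGTH` and report failure instead of returning a mis-sized instruction. Which of these definitions survive on the new side is not fully recoverable from the rendered view, so the comment applies to whichever remain.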

@ -17,7 +17,7 @@
* Nc -> Native Code function
* Vc -> Virtual Code function
* Obf -> Obfuscator function
* Obfi -> Internal obfuscator function
* Jit -> Jit related function
* Xed -> Xed macro wrapper
* Vm -> Virtual Machine function
*/

@ -0,0 +1,15 @@
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/11/21 20:38:55
Assembly.asm Page 1 - 1
00000000 .CODE
END
Microsoft (R) Macro Assembler (x64) Version 14.27.29111.0 10/11/21 20:38:55
Assembly.asm Symbols 2 - 1
0 Warnings
0 Errors


@ -0,0 +1,8 @@
; Listing generated by Microsoft (R) Optimizing Compiler Version 19.27.29111.0
include listing.inc
INCLUDELIB MSVCRTD
INCLUDELIB OLDNAMES
END
