optional delta

3 years ago · 9368f5288a
parent 56744c559a
commit 9368f5288a
4 changed files with 24 additions and 11 deletions
--- a/CodeVirtualizer/RipMovInst.cpp
+++ b/CodeVirtualizer/RipMovInst.cpp
@ -82,7 +82,7 @@ BOOL ObfEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Dat
 	return TRUE;
 }

-PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link)
+PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst)
 {
 	ULONG FourByte = Link->RawDataSize / 4;
 	ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@ -99,6 +99,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link)
 		INT32 RipDelta = (((Count - 1) * DWORD_MOV_INST_LENGTH) + (TwoByte * WORD_MOV_INST_LENGTH) + (OneByte * BYTE_MOV_INST_LENGTH));
 		//Account for already MOVd instructions
 		RipDelta += ((FourByte - Count) * 4);
+		RipDelta += DeltaToInst;
 		//Add the actual instruction
 		if (!ObfEmitRipRelativeMovD(Block, RipDelta, DataOffset))
 		{
@ -114,6 +115,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link)
 	{
 		INT32 RipDelta = (OneByte * BYTE_MOV_INST_LENGTH);
 		RipDelta += (FourByte * 4);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeMovW(Block, RipDelta, DataOffset))
 		{
 			NcDelete(Block);
@ -127,6 +129,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link)
 	{
 		INT32 RipDelta = 0;
 		RipDelta += (FourByte * 4) + (TwoByte * 2);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeMovB(Block, RipDelta, DataOffset))
 		{
 			NcDelete(Block);
@ -144,7 +147,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link)
 	return Block;
 }

-PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link)
+PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst)
 {
 	ULONG FourByte = Link->RawDataSize / 4;
 	ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@ -160,6 +163,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link)
 		INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);
 		RipDelta += (FourByte - (Count - 1)) * DWORD_MOV_INST_LENGTH;
 		RipDelta *= (-1);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue))
 		{
 			NcDelete(Block);
@ -175,7 +179,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link)
 		RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
 		RipDelta += WORD_MOV_INST_LENGTH;
 		RipDelta *= (-1);
-
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue))
 		{
 			NcDelete(Block);
@ -191,6 +195,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link)
 		RipDelta += WORD_MOV_INST_LENGTH;
 		RipDelta += BYTE_MOV_INST_LENGTH;
 		RipDelta *= (-1);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue))
 		{
 			NcDelete(Block);
@ -206,4 +211,5 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link)
 	delete StartLink;

 	return Block;
-}
+}
+
--- a/CodeVirtualizer/RipMovInst.h
+++ b/CodeVirtualizer/RipMovInst.h
@ -23,9 +23,9 @@ BOOL ObfEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Dat

 BOOL ObfEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);

-PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link);
+PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst);

-PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link);
+PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst);



--- a/CodeVirtualizer/RipXorInst.cpp
+++ b/CodeVirtualizer/RipXorInst.cpp
@ -150,7 +150,7 @@ VOID ObfXorInstBytes(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData)

 }

-PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags)
+PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst)
 {
 	ULONG FourByte = Link->RawDataSize / 4;
 	ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@ -177,6 +177,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
 			RipDelta += 1;
 		//Account for already XORd instructions
 		RipDelta += ((FourByte - Count) * 4);
+		RipDelta += DeltaToInst;
 		//Add the actual instruction
 		if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte-Count]))
 		{
@ -193,6 +194,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
 		if (SaveFlags)
 			RipDelta += 1;
 		RipDelta += (FourByte * 4);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3]))
 		{
 			NcDelete(Block);
@ -207,6 +209,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
 		if (SaveFlags)
 			RipDelta += 1;
 		RipDelta += (FourByte * 4) + (TwoByte * 2);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4]))
 		{
 			NcDelete(Block);
@ -231,7 +234,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X
 	return Block;
 }

-PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags)
+PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst)
 {
 	ULONG FourByte = Link->RawDataSize / 4;
 	ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@ -256,6 +259,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
 			RipDelta += 1;
 		RipDelta += (FourByte - (Count - 1)) * DWORD_XOR_INST_LENGTH;
 		RipDelta *= (-1);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte - Count]))
 		{
 			NcDelete(Block);
@ -273,7 +277,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
 		RipDelta += (FourByte * DWORD_XOR_INST_LENGTH);
 		RipDelta += WORD_XOR_INST_LENGTH;
 		RipDelta *= (-1);
-
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3]))
 		{
 			NcDelete(Block);
@ -291,6 +295,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA
 		RipDelta += WORD_XOR_INST_LENGTH;
 		RipDelta += BYTE_XOR_INST_LENGTH;
 		RipDelta *= (-1);
+		RipDelta += DeltaToInst;
 		if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4]))
 		{
 			NcDelete(Block);
--- a/CodeVirtualizer/RipXorInst.h
+++ b/CodeVirtualizer/RipXorInst.h
@ -35,9 +35,11 @@ BOOL ObfEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Valu

 VOID ObfXorInstBytes(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData);

-PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags);
+PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst
+	
+	= 0);

-PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags);
+PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst = 0);