diff --git a/CodeVirtualizer/RipMovInst.cpp b/CodeVirtualizer/RipMovInst.cpp
index 89f2dbc..7e7e439 100644
--- a/CodeVirtualizer/RipMovInst.cpp
+++ b/CodeVirtualizer/RipMovInst.cpp
@@ -82,7 +82,7 @@ BOOL ObfEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Dat return TRUE; } -PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link) +PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst) { ULONG FourByte = Link->RawDataSize / 4; ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@@ -99,6 +99,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link) INT32 RipDelta = (((Count - 1) * DWORD_MOV_INST_LENGTH) + (TwoByte * WORD_MOV_INST_LENGTH) + (OneByte * BYTE_MOV_INST_LENGTH)); //Account for already MOVd instructions RipDelta += ((FourByte - Count) * 4); + RipDelta += DeltaToInst; //Add the actual instruction if (!ObfEmitRipRelativeMovD(Block, RipDelta, DataOffset)) {
@@ -114,6 +115,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link) { INT32 RipDelta = (OneByte * BYTE_MOV_INST_LENGTH); RipDelta += (FourByte * 4); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeMovW(Block, RipDelta, DataOffset)) { NcDelete(Block);
@@ -127,6 +129,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link) { INT32 RipDelta = 0; RipDelta += (FourByte * 4) + (TwoByte * 2); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeMovB(Block, RipDelta, DataOffset)) { NcDelete(Block);
@@ -144,7 +147,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link) return Block; } -PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link) +PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst) { ULONG FourByte = Link->RawDataSize / 4; ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
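Review bot: The new `DeltaToInst` parameter of `ObfEmitPreMovForInst` is folded into every RIP-relative displacement the function emits, but nothing states its unit or sign, so a caller cannot tell whether to pass the byte distance from the end of the emitted block to the instruction or some other offset. A one-line comment on the definition would settle it, e.g. `// DeltaToInst: signed byte distance between the end of the emitted block and the instruction it targets; added to each RIP-relative displacement` — reword if the intended convention differs, since this is inferred from how the value is used. The same comment is missing from `ObfEmitPostMovForInst` and from the Pre/Post Xor variants in RipXorInst.cpp. Only the signature and the first two locals of `ObfEmitPreMovForInst` are in this hunk; the body continues outside it.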
@@ -160,6 +163,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link) INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4); RipDelta += (FourByte - (Count - 1)) * DWORD_MOV_INST_LENGTH; RipDelta *= (-1); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeMovD(Block, RipDelta, (PUCHAR)&ZeroValue)) { NcDelete(Block);
@@ -175,7 +179,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link) RipDelta += (FourByte * DWORD_MOV_INST_LENGTH); RipDelta += WORD_MOV_INST_LENGTH; RipDelta *= (-1); - + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeMovW(Block, RipDelta, (PUCHAR)&ZeroValue)) { NcDelete(Block);
@@ -191,6 +195,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link) RipDelta += WORD_MOV_INST_LENGTH; RipDelta += BYTE_MOV_INST_LENGTH; RipDelta *= (-1); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeMovB(Block, RipDelta, (PUCHAR)&ZeroValue)) { NcDelete(Block);
@@ -206,4 +211,5 @@ PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link) delete StartLink; return Block;
-}
\ No newline at end of file
+}
+
diff --git a/CodeVirtualizer/RipMovInst.h b/CodeVirtualizer/RipMovInst.h
index eb7bb2c..12c1bc8 100644
--- a/CodeVirtualizer/RipMovInst.h
+++ b/CodeVirtualizer/RipMovInst.h
@@ -23,9 +23,9 @@ BOOL ObfEmitRipRelativeMovW(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Dat BOOL ObfEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Data);
-PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link);
+PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst);
-PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link);
+PNATIVE_CODE_BLOCK ObfEmitPostMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst);
diff --git a/CodeVirtualizer/RipXorInst.cpp b/CodeVirtualizer/RipXorInst.cpp
index 6a9f360..0a0ef5a 100644
--- a/CodeVirtualizer/RipXorInst.cpp
+++ b/CodeVirtualizer/RipXorInst.cpp
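Review bot: In the post-instruction emitter the new `RipDelta += DeltaToInst;` is placed after `RipDelta *= (-1);`, so a positive value shortens the backward displacement (it moves the target toward the emitted block), whereas in the Pre variants the same value lengthens a positive forward displacement. If the caller is meant to pass the same byte distance to both, the Post variants should presumably use `RipDelta -= DeltaToInst;` here and in the @@ -175 and @@ -191 hunks of RipMovInst.cpp and the @@ -256, @@ -273 and @@ -291 hunks of RipXorInst.cpp; if the caller is instead expected to negate the value for the Post variants, that convention needs a comment on the declaration, because nothing in the code enforces it. Either way a mis-signed displacement writes or reads bytes at the wrong address at run time, which no compile-time check will catch. The `ObfEmitPostMovForInst` body starts before and continues after this hunk.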
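Review bot: `DeltaToInst` has no default value on the two RipMovInst.h declarations, while the matching declarations in RipXorInst.h (the @@ -35 hunk) give it `= 0`, so any existing caller of the Mov emitters stops compiling and any existing caller of the Xor emitters silently keeps a zero displacement. Use one convention for all four: either `PNATIVE_CODE_BLOCK ObfEmitPreMovForInst(PNATIVE_CODE_LINK Link, INT32 DeltaToInst = 0);` and the same for `ObfEmitPostMovForInst`, or drop the defaults from RipXorInst.h so every call site states the displacement explicitly. The second option is the safer one here, since a forgotten displacement does not fail loudly; it just produces an emitted block that addresses the wrong bytes.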
@@ -150,7 +150,7 @@ VOID ObfXorInstBytes(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData) } -PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags) +PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst) { ULONG FourByte = Link->RawDataSize / 4; ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@@ -177,6 +177,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X RipDelta += 1; //Account for already XORd instructions RipDelta += ((FourByte - Count) * 4); + RipDelta += DeltaToInst; //Add the actual instruction if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte-Count])) {
@@ -193,6 +194,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X if (SaveFlags) RipDelta += 1; RipDelta += (FourByte * 4); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3])) { NcDelete(Block);
@@ -207,6 +209,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X if (SaveFlags) RipDelta += 1; RipDelta += (FourByte * 4) + (TwoByte * 2); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4])) { NcDelete(Block);
@@ -231,7 +234,7 @@ PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA X return Block; } -PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags) +PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst) { ULONG FourByte = Link->RawDataSize / 4; ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
@@ -256,6 +259,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA RipDelta += 1; RipDelta += (FourByte - (Count - 1)) * DWORD_XOR_INST_LENGTH; RipDelta *= (-1); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeXorD(Block, RipDelta, XorData->Data[FourByte - Count])) { NcDelete(Block);
@@ -273,7 +277,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA RipDelta += (FourByte * DWORD_XOR_INST_LENGTH); RipDelta += WORD_XOR_INST_LENGTH; RipDelta *= (-1); - + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeXorW(Block, RipDelta, XorData->Data[3])) { NcDelete(Block);
@@ -291,6 +295,7 @@ PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA RipDelta += WORD_XOR_INST_LENGTH; RipDelta += BYTE_XOR_INST_LENGTH; RipDelta *= (-1); + RipDelta += DeltaToInst; if (!ObfEmitRipRelativeXorB(Block, RipDelta, XorData->Data[4])) { NcDelete(Block);
diff --git a/CodeVirtualizer/RipXorInst.h b/CodeVirtualizer/RipXorInst.h
index dbc72ff..1337a14 100644
--- a/CodeVirtualizer/RipXorInst.h
+++ b/CodeVirtualizer/RipXorInst.h
@@ -35,9 +35,11 @@ BOOL ObfEmitRipRelativeXorB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, ULONG Valu VOID ObfXorInstBytes(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData);
-PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags);
+PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst
+
+ = 0);
-PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags);
+PNATIVE_CODE_BLOCK ObfEmitPostXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst = 0);
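Review bot: The added `ObfEmitPreXorForInst` declaration in RipXorInst.h appears to be split across three lines — `INT32 DeltaToInst`, an empty line, then `= 0);` — which is legal but reads like a truncated prototype and differs from the `ObfEmitPostXorForInst` declaration right below it. Keep the default on the parameter's line: `PNATIVE_CODE_BLOCK ObfEmitPreXorForInst(PNATIVE_CODE_LINK Link, PXOR_INST_DATA XorData, BOOL SaveFlags, INT32 DeltaToInst = 0);`. While touching the header, a short comment stating what `DeltaToInst` measures and in which direction would save the next reader from reconstructing it from the `RipDelta` arithmetic in the .cpp.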