Iizerd
/
Code_Virtualizer
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

started vm

Browse Source
main
James 3 years ago
parent ff37bc98d5
commit c610fd02d8
25 changed files with 616 additions and 225 deletions
Show Stats Download Patch File Download Diff File

2
CodeVirtualizer/CodeVirtualizer.h
Unescape View File

@ -6,7 +6,7 @@
__declspec(dllexport) VOID CvInit();
__declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, ULONG CodeSize, PULONG OutSize, ULONG BranchCount, FLOAT MaxBranchSizePercentage);
__declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, UINT CodeSize, PUINT OutSize, UINT BranchCount, FLOAT MaxBranchSizePercentage);
__declspec(dllexport) VOID CvDeleteCode(PVOID Code);

2
CodeVirtualizer/CodeVirtualizer.vcxproj
Unescape View File

@ -172,6 +172,7 @@
<ClCompile Include="Virtualizer.cpp" />
<ClCompile Include="VirtualMachine.cpp" />
<ClCompile Include="VmCode.cpp" />
<ClCompile Include="VirtualInstructionEmitter.cpp" />
<ClCompile Include="XedWrap.cpp" />
</ItemGroup>
<ItemGroup>
@ -187,6 +188,7 @@
<ClInclude Include="VirtualMachine.h" />
<ClInclude Include="VmCode.h" />
<ClInclude Include="VMDefs.h" />
<ClInclude Include="VirtualInstructionEmitter.h" />
<ClInclude Include="Windas.h" />
<ClInclude Include="XedWrap.h" />
</ItemGroup>

6
CodeVirtualizer/CodeVirtualizer.vcxproj.filters
Unescape View File

@ -39,6 +39,9 @@
<ClInclude Include="Symbos.h">
<Filter>File\Symbols</Filter>
</ClInclude>
<ClInclude Include="VirtualInstructionEmitter.h">
<Filter>Virtualizer\VM</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ClCompile Include="Main.cpp" />
@ -87,6 +90,9 @@
<ClCompile Include="Pattern.cpp">
<Filter>Obfuscator</Filter>
</ClCompile>
<ClCompile Include="VirtualInstructionEmitter.cpp">
<Filter>Virtualizer\VM</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<Filter Include="Xed">

137
CodeVirtualizer/Main.cpp
Unescape View File

@ -9,13 +9,15 @@
#include "Obfuscator.h"
#include "Random.h"
#include "VirtualMachine.h"
__declspec(dllexport) VOID CvInit()
{
XedTablesInit();
srand(time(NULL));
}
__declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, ULONG CodeSize, PULONG OutSize, ULONG BranchCount, FLOAT MaxBranchSizePercentage)
__declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, UINT CodeSize, PUINT OutSize, UINT BranchCount, FLOAT MaxBranchSizePercentage)
{
//trip 0xCC alignment at end of code
while (((PUCHAR)Code)[CodeSize - 1] == 0xCC)
@ -49,7 +51,7 @@ __declspec(dllexport) PVOID CvDriverFunctionObfuscate(PVOID Code, ULONG CodeSize
Obf.RandomizeSpaceBetweenBranches = TRUE;
Obf.BranchRemainingInstructions = TRUE;
Obf.BranchChance = 75;
ULONG BranchesMade = */
UINT BranchesMade = */
while (BranchCount)
{
@ -70,7 +72,7 @@ __declspec(dllexport) VOID CvDeleteCode(PVOID Code)
}
VOID PrintByteArr(PVOID Buff, ULONG BufSize)
VOID PrintByteArr(PVOID Buff, UINT BufSize)
{
for (uint32_t i = 0; i < BufSize; i++)
{
@ -78,7 +80,7 @@ VOID PrintByteArr(PVOID Buff, ULONG BufSize)
}
}
PVOID MakeExecutableBuffer(PVOID Buffer, ULONG BufferSize)
PVOID MakeExecutableBuffer(PVOID Buffer, UINT BufferSize)
{
PVOID ExecBuffer = VirtualAlloc(nullptr, BufferSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!ExecBuffer)
@ -90,7 +92,7 @@ PVOID MakeExecutableBuffer(PVOID Buffer, ULONG BufferSize)
return ExecBuffer;
}
VOID PutToFile(PVOID Buffer, ULONG BufferSize)
VOID PutToFile(PVOID Buffer, UINT BufferSize)
{
std::ofstream fout;
//
@ -100,12 +102,12 @@ VOID PutToFile(PVOID Buffer, ULONG BufferSize)
fout.close();
}
ULONG64 TestShelcode(ULONG64 v1, ULONG64 v2, ULONG64 v3, ULONG64 v4)
UINT64 TestShelcode(UINT64 v1, UINT64 v2, UINT64 v3, UINT64 v4)
{
if (v4 == 0)
v4 = 2;
ULONG64 Value = 1;
UINT64 Value = 1;
for (int i = 1; i <= v1; i++)
{
Value *= i;
@ -117,7 +119,7 @@ ULONG64 TestShelcode(ULONG64 v1, ULONG64 v2, ULONG64 v3, ULONG64 v4)
return Value;
}
ULONG64 Nextfunction(ULONG64 v1)
UINT64 Nextfunction(UINT64 v1)
{
return v1 + 1;
}
@ -139,7 +141,7 @@ UCHAR TestBuffer[] = {
0x48, 0x87, 0x04, 0x24,
0xC3,
};
ULONG TestBufferSize = sizeof(TestBuffer);
UINT TestBufferSize = sizeof(TestBuffer);
UCHAR meme1[] = {
0x31, 0xc0,
@ -182,56 +184,69 @@ UCHAR IsEvenCode[]{
0xC3,
};
//EXTERN_C ULONG64 RetNum(ULONG64 Num);
//EXTERN_C BOOL IsEven(ULONG64 Num);
//EXTERN_C UINT64 RetNum(UINT64 Num);
//EXTERN_C BOOL IsEven(UINT64 Num);
int main()
{
XedGlobalInit();
srand(time(NULL));
UCHAR TestCode[] = { 0x48, 0x8B, 0x84, 0xD1, 0xF0, 0x06, 0x00, 0x00 }; // { 0x48, 0x89, 0xC8 };
XED_DECODED_INST DecodedInst;
XedDecodedInstZeroSetMode(&DecodedInst, &XedGlobalMachineState);
//XedDecodedInstZero(&DecodedInst);
//XedDecodedInstSetMode(&DecodedInst, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
XED_ERROR_ENUM Err = XedDecode(&DecodedInst, TestCode, sizeof(TestCode));
if (Err != XED_ERROR_NONE)
UINT OutSize = 0;
PUCHAR Output = VmHandlerIRegLoadMem_BISO(VM_IREG_2, VM_OPSIZE_2, &OutSize); // VmHandlerPrologue(8, &OutSize);
if (Output && OutSize)
{
printf("Failed to decode.\n");
system("pause");
return -1;
PrintByteArr(Output, OutSize);
}
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&DecodedInst);
printf("IClass: %s\n", XedIClassEnumToString(IClass));
printf("\n");
CONST xed_inst_t* Inst = XedDecodedInstInst(&DecodedInst);
ULONG OperandCount = XedDecodedInstNumOperands(&DecodedInst);
for (ULONG i = 0; i < OperandCount; i++)
for (UINT i = 0; i < VM_IREG_COUNT; i++)
{
CONST xed_operand_t* Operand = XedInstOperand(Inst, i);
xed_operand_enum_t OperandName = XedOperandName(Operand);
printf("Operand Name: %s\n", XedOperandEnumToString(OperandName));
if (XedOperandIsRegister(OperandName))
{
xed_reg_enum_t RegEnum = XedDecodedInstGetReg(&DecodedInst, OperandName);
printf("Reg: %s\n", XedRegEnumToString(RegEnum));
}
if (OperandName == XED_OPERAND_MEM0 || OperandName == XED_OPERAND_MEM1)
{
ULONG MemOpIndex = OperandName - XED_OPERAND_MEM0;
printf("MemOpIdx: %u\n", MemOpIndex);
printf("Base Reg: %s\n", XedRegEnumToString(XedDecodedInstGetBaseReg(&DecodedInst, MemOpIndex)));
printf("Index Reg: %s\n", XedRegEnumToString(XedDecodedInstGetIndexReg(&DecodedInst, MemOpIndex)));
printf("Scale: %u\n", xed_decoded_inst_get_scale(&DecodedInst, MemOpIndex));
printf("Disp: %llu\n", xed_decoded_inst_get_memory_displacement(&DecodedInst, MemOpIndex));
}
printf("IReg: %u, %s %s %s %s\n", i, XedRegEnumToString(VmIRegToXReg((VM_IREG_ENUM)i, VM_OPSIZE_1)), XedRegEnumToString(VmIRegToXReg((VM_IREG_ENUM)i, VM_OPSIZE_2)), XedRegEnumToString(VmIRegToXReg((VM_IREG_ENUM)i, VM_OPSIZE_4)), XedRegEnumToString(VmIRegToXReg((VM_IREG_ENUM)i, VM_OPSIZE_8)));
}
printf("Reg2: %s %s %s %s\n", XedRegEnumToString(VmGetRegOfSize(XED_REG_R15, VM_OPSIZE_1)), XedRegEnumToString(VmGetRegOfSize(XED_REG_R15, VM_OPSIZE_2)), XedRegEnumToString(VmGetRegOfSize(XED_REG_R15, VM_OPSIZE_4)), XedRegEnumToString(VmGetRegOfSize(XED_REG_R15, VM_OPSIZE_8)));
//UCHAR TestCode[] = { 0x48, 0x8B, 0x84, 0xD1, 0xF0, 0x06, 0x00, 0x00 }; // { 0x48, 0x89, 0xC8 };
//XED_DECODED_INST DecodedInst;
//XedDecodedInstZeroSetMode(&DecodedInst, &XedGlobalMachineState);
//XED_ERROR_ENUM Err = XedDecode(&DecodedInst, TestCode, sizeof(TestCode));
//if (Err != XED_ERROR_NONE)
//{
// printf("Failed to decode.\n");
// system("pause");
// return -1;
//}
//XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&DecodedInst);
//printf("IClass: %s\n", XedIClassEnumToString(IClass));
//
//CONST xed_inst_t* Inst = XedDecodedInstInst(&DecodedInst);
//UINT OperandCount = XedDecodedInstNumOperands(&DecodedInst);
//for (UINT i = 0; i < OperandCount; i++)
//{
// CONST xed_operand_t* Operand = XedInstOperand(Inst, i);
// xed_operand_enum_t OperandName = XedOperandName(Operand);
// printf("Operand Name: %s\n", XedOperandEnumToString(OperandName));
// if (XedOperandIsRegister(OperandName))
// {
// xed_reg_enum_t RegEnum = XedDecodedInstGetReg(&DecodedInst, OperandName);
// printf("Reg: %s\n", XedRegEnumToString(RegEnum));
// }
// if (OperandName == XED_OPERAND_MEM0 || OperandName == XED_OPERAND_MEM1)
// {
// UINT MemOpIndex = OperandName - XED_OPERAND_MEM0;
// printf("MemOpIdx: %u\n", MemOpIndex);
// printf("Base Reg: %s\n", XedRegEnumToString(XedDecodedInstGetBaseReg(&DecodedInst, MemOpIndex)));
// printf("Index Reg: %s\n", XedRegEnumToString(XedDecodedInstGetIndexReg(&DecodedInst, MemOpIndex)));
// printf("Scale: %u\n", XedDecodedInstGetScale(&DecodedInst, MemOpIndex));
// printf("Disp: %llu\n", XedDecodedInstGetMemoryDisplacement(&DecodedInst, MemOpIndex));
// }
//}
//xed_operand_values_t* Operands = xed_decoded_inst_operands(&DecodedInst);
//printf("Operand Count %u\n", OperandCount);
@ -246,9 +261,9 @@ int main()
//CvInit();
////ULONG Delta = (*((PULONG)((PUCHAR)TestShelcode + 1))) + 5;
////UINT Delta = (*((PUINT)((PUCHAR)TestShelcode + 1))) + 5;
////printf("Delta: %X\n", Delta);
//PVOID ActualFunction = TestShelcode; // (PVOID)((ULONG64)TestShelcode + Delta);
//PVOID ActualFunction = TestShelcode; // (PVOID)((UINT64)TestShelcode + Delta);
//printf("%llu %llu %llu %llu\n", TestShelcode(1, 2, 3, 4), TestShelcode(20, 20, 20, 4), TestShelcode(50, 50, 50, 0), Nextfunction(12));
//system("pause");
@ -286,7 +301,7 @@ int main()
//ObfGenerateOpaqueBranches(&Obf, &RetNumBlock);
//printf("Assembling %u %u", NcCountInstructions(&RetNumBlock), NcCalcBlockSizeInBytes(&RetNumBlock));
//ULONG AsmSize;
//UINT AsmSize;
//PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
//if (!Asm)
//{
@ -297,7 +312,7 @@ int main()
//PutToFile(Asm, AsmSize);
//system("pause");
/*ULONG AsmSize;
/*UINT AsmSize;
PVOID Asm = CvDriverFunctionObfuscate(MemeBlock, 110, &AsmSize, 5, 0.5);
if (!Asm)
{
@ -308,7 +323,7 @@ int main()
PutToFile(Asm, AsmSize);
typedef ULONG64(*FnTestShelcode)(ULONG64, ULONG64, ULONG64, ULONG64);
typedef UINT64(*FnTestShelcode)(UINT64, UINT64, UINT64, UINT64);
PVOID Exec = NULL;
Exec = MakeExecutableBuffer(Asm, AsmSize);
if (!Exec)
@ -321,7 +336,7 @@ int main()
/*PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
typedef ULONG64(*FnRetNum)(ULONG Num);
typedef UINT64(*FnRetNum)(UINT Num);
printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), ((FnRetNum)Exec)(1776), ((FnRetNum)Exec)(1776));
NcDeleteBlock(&RetNumBlock);
@ -339,15 +354,15 @@ int main()
ObfObfuscate(&Obf, &Block);
NcDebugPrint(&Block);
ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
ULONG InstSize = NcCountInstructions(&Block);
UINT ByteSize = NcCalcBlockSizeInBytes(&Block);
UINT InstSize = NcCountInstructions(&Block);
printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
ULONG AsmSize;
UINT AsmSize;
PVOID Asm = NcAssemble(&Block, &AsmSize);
PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
typedef ULONG(*FnGetFour)();
typedef UINT(*FnGetFour)();
printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
PutToFile(Asm, AsmSize);*/
@ -371,14 +386,14 @@ int main()
///*Pre->Start = Return1776;
//Pre->End = Return1776;*/
//for (ULONG i = 0; i < Return1776->RawDataSize; i++)
//for (UINT i = 0; i < Return1776->RawDataSize; i++)
// Return1776->RawData[i] = (UCHAR)rand();
//for (ULONG i = 0; i < RetInst->RawDataSize; i++)
//for (UINT i = 0; i < RetInst->RawDataSize; i++)
// RetInst->RawData[i] = (UCHAR)rand();
//ULONG AsmLen;
//UINT AsmLen;
//PVOID Asm = NcAssemble(Pre1, &AsmLen);
//PUCHAR Tb = (PUCHAR)Asm;
//for (uint32_t i = 0; i < AsmLen; i++)
@ -388,7 +403,7 @@ int main()
//system("pause");
//typedef ULONG64(*FnGet1776)();
//typedef UINT64(*FnGet1776)();
//FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
//if (ExecBuffer)
//{
@ -411,7 +426,7 @@ int main()
PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
ULONG AssembledSize;
UINT AssembledSize;
PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
if (!AssembledBlock || !AssembledSize)
{

63
CodeVirtualizer/NativeCode.cpp
Unescape View File

@ -3,8 +3,7 @@
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK()
{
XedDecodedInstZero(&XedInstruction);
XedDecodedInstSetMode(&XedInstruction, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
XedDecodedInstZeroSetMode(&XedInstruction, &XedGlobalMachineState);
Flags = 0UL;
Next = Prev = NULL;
Block = NULL;
@ -14,7 +13,7 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK()
AsmOperations.clear();
}
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B)
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(UINT LabelId, _NATIVE_CODE_BLOCK* B)
: _NATIVE_CODE_LINK()
{
Block = B;
@ -22,7 +21,7 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B)
Flags = CODE_FLAG_IS_LABEL;
}
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds, BOOL Decode)
_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(UINT F, PVOID Rd, UINT Rds, BOOL Decode)
: _NATIVE_CODE_LINK()
{
Flags = F;
@ -129,9 +128,9 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link)
}
}
ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne)
UINT NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne)
{
ULONG InstructionCount = 0;
UINT InstructionCount = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
@ -143,9 +142,9 @@ ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne)
return InstructionCount;
}
ULONG NcCalcBlockSizeInBytes(PNATIVE_CODE_BLOCK Block)
UINT NcCalcBlockSizeInBytes(PNATIVE_CODE_BLOCK Block)
{
ULONG TotalSize = 0;
UINT TotalSize = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (T->Flags & CODE_FLAG_IS_LABEL)
@ -155,16 +154,16 @@ ULONG NcCalcBlockSizeInBytes(PNATIVE_CODE_BLOCK Block)
return TotalSize;
}
ULONG NcGenUnusedLabelId(PNATIVE_CODE_BLOCK Block)
UINT NcGenUnusedLabelId(PNATIVE_CODE_BLOCK Block)
{
ULONG ReturnLabelId = rand();
UINT ReturnLabelId = rand();
while (StdFind(Block->LabelIds.begin(), Block->LabelIds.end(), ReturnLabelId) != Block->LabelIds.end())
ReturnLabelId = rand();
Block->LabelIds.push_back(ReturnLabelId);
return ReturnLabelId;
}
VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block, ULONG Original, ULONG New)
VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block, UINT Original, UINT New)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
@ -256,7 +255,7 @@ BOOL NcInsertBlockStartToEnd(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNA
BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
{
ULONG CurrentLabelId = 0;
UINT CurrentLabelId = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
{
if (!(T->Flags & CODE_FLAG_IS_INST))
@ -266,7 +265,7 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
if (Category != XED_CATEGORY_COND_BR && Category != XED_CATEGORY_UNCOND_BR)
continue;
ULONG OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
UINT OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
if (OperandCount < 1)
continue;
@ -382,7 +381,7 @@ BOOL NcDeepCopyPartialBlock(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNAT
Block->LabelIds.clear();
Block->Start = Block->End = NULL;
for (ULONG L : Start->Block->LabelIds)
for (UINT L : Start->Block->LabelIds)
Block->LabelIds.push_back(L);
for (PNATIVE_CODE_LINK CurLink = Start; CurLink && CurLink != End->Next; CurLink = CurLink->Next)
@ -409,17 +408,14 @@ BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link)
if (XedDecodedInstGetBranchDisplacementWidth(&Link->XedInstruction) == 32)
return TRUE;
XED_STATE MachineState;
MachineState.mmode = XED_MACHINE_MODE_LONG_64;
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
UCHAR EncodeBuffer[15];
UINT ReturnedSize;
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&Link->XedInstruction);
XedInst1(&EncoderInstruction, MachineState, IClass, 32, XedRelBr(0, 32));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
XedInst1(&EncoderInstruction, XedGlobalMachineState, IClass, 32, XedRelBr(0, 32));
XedEncoderRequestZeroSetMode(&EncoderRequest, &XedGlobalMachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
return FALSE;
@ -432,7 +428,7 @@ BOOL NcPromoteRelJmpTo32(PNATIVE_CODE_LINK Link)
Link->RawData = new UCHAR[ReturnedSize];
RtlCopyMemory(Link->RawData, EncodeBuffer, ReturnedSize);
XedDecodedInstZeroSetMode(&Link->XedInstruction, &MachineState);
XedDecodedInstZeroSetMode(&Link->XedInstruction, &XedGlobalMachineState);
if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize))
return FALSE;
@ -536,7 +532,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
if (!NcGetDeltaToLabel(T, &BranchDisp))
return FALSE;
ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction);
UINT DispWidth = XedDecodedInstGetBranchDisplacementWidthBits(&T->XedInstruction);
if (log2(abs(BranchDisp)) + 1 > DispWidth)
{
//duh oh
@ -545,10 +541,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
DispWidth = 32;
//Encode new instruction
XED_STATE MachineState;
MachineState.mmode = XED_MACHINE_MODE_LONG_64;
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
//Encode new instruction
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
UCHAR EncodeBuffer[15];
@ -556,8 +549,8 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&T->XedInstruction);
//Do the encoding
XedInst1(&EncoderInstruction, MachineState, IClass, DispWidth, XedRelBr(0, DispWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
XedInst1(&EncoderInstruction, XedGlobalMachineState, IClass, DispWidth, XedRelBr(0, DispWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &XedGlobalMachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
return FALSE;
XED_ERROR_ENUM Err = XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize);
@ -571,7 +564,7 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block)
RtlCopyMemory(T->RawData, EncodeBuffer, ReturnedSize);
//Decode instruction so its proper and all that
XedDecodedInstZeroSetMode(&T->XedInstruction, &MachineState);
XedDecodedInstZeroSetMode(&T->XedInstruction, &XedGlobalMachineState);
if (XED_ERROR_NONE != XedDecode(&T->XedInstruction, T->RawData, T->RawDataSize))
return FALSE;
@ -604,7 +597,7 @@ BOOL NcHasIllegalInstructions(PNATIVE_CODE_BLOCK Block)
if (T->Flags & CODE_FLAG_IS_LABEL)
continue;
ULONG OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
UINT OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
if (OperandCount == 0)
continue;
@ -613,16 +606,16 @@ BOOL NcHasIllegalInstructions(PNATIVE_CODE_BLOCK Block)
return FALSE;
}
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, UINT BufferSize)
{
PUCHAR Buf = (PUCHAR)Buffer;
ULONG Offset = 0;
UINT Offset = 0;
while (Offset < BufferSize)
{
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK;
Link->Flags = CODE_FLAG_IS_INST;
ULONG PossibleSize = min(15, BufferSize - Offset);
UINT PossibleSize = min(15, BufferSize - Offset);
XED_ERROR_ENUM DecodeError = XedDecode(&Link->XedInstruction, (Buf + Offset), PossibleSize);
if (DecodeError != XED_ERROR_NONE)
{
@ -645,7 +638,7 @@ BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
return TRUE;
}
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PUINT OutSize)
{
if (!NcFixRelJmps(Block))
return NULL;
@ -676,7 +669,7 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
}
//assumes all jmps already promoted to 32 bit branch displacement size
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PUINT OutSize)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
@ -686,7 +679,7 @@ PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
if (!NcGetDeltaToRandomLabel(T, &BranchDisp))
return FALSE;
ULONG DispWidth = XedDecodedInstGetBranchDisplacementWidth(&T->XedInstruction);
UINT DispWidth = XedDecodedInstGetBranchDisplacementWidth(&T->XedInstruction);
switch (DispWidth)
{
case 1: *(PINT8)&T->RawData[T->RawDataSize - DispWidth] = (INT8)BranchDisp; break;

26
CodeVirtualizer/NativeCode.h
Unescape View File

@ -15,15 +15,15 @@ typedef struct _NATIVE_CODE_LINK
_NATIVE_CODE_LINK* Next;
_NATIVE_CODE_LINK* Prev;
_NATIVE_CODE_BLOCK* Block;
ULONG Flags;
ULONG Label;
UINT Flags;
UINT Label;
PUCHAR RawData;
ULONG RawDataSize;
UINT RawDataSize;
XED_DECODED_INST XedInstruction;
STDVECTOR<STDPAIR<FN_INST_ASM_OP, PVOID>> AsmOperations;
_NATIVE_CODE_LINK();
_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B);
_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds, BOOL Decode = FALSE);
_NATIVE_CODE_LINK(UINT LabelId, _NATIVE_CODE_BLOCK* B);
_NATIVE_CODE_LINK(UINT F, PVOID Rd, UINT Rds, BOOL Decode = FALSE);
~_NATIVE_CODE_LINK();
}NATIVE_CODE_LINK, *PNATIVE_CODE_LINK;
@ -31,7 +31,7 @@ typedef struct _NATIVE_CODE_BLOCK
{
PNATIVE_CODE_LINK Start;
PNATIVE_CODE_LINK End;
STDVECTOR<ULONG> LabelIds;
STDVECTOR<UINT> LabelIds;
_NATIVE_CODE_BLOCK();
}NATIVE_CODE_BLOCK, *PNATIVE_CODE_BLOCK;
@ -45,13 +45,13 @@ VOID NcInsertLinkBefore(PNATIVE_CODE_LINK Link1, PNATIVE_CODE_LINK Link2);
VOID NcUnlink(PNATIVE_CODE_LINK Link);
ULONG NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne = FALSE);
UINT NcCountInstructions(PNATIVE_CODE_BLOCK Block, BOOL CountCombinedAsOne = FALSE);
ULONG NcCalcBlockSizeInBytes(PNATIVE_CODE_BLOCK Block);
UINT NcCalcBlockSizeInBytes(PNATIVE_CODE_BLOCK Block);
VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block1, ULONG Original, ULONG New);
VOID NcChangeLabelId(PNATIVE_CODE_BLOCK Block1, UINT Original, UINT New);
ULONG NcGenUnusedLabelId(PNATIVE_CODE_BLOCK Block);
UINT NcGenUnusedLabelId(PNATIVE_CODE_BLOCK Block);
VOID NcFixLabelsForBlocks(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2);
@ -83,11 +83,11 @@ BOOL NcFixRelJmps(PNATIVE_CODE_BLOCK Block);
BOOL NcHasIllegalInstructions(PNATIVE_CODE_BLOCK Block);
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize);
BOOL NcDisassemble(PNATIVE_CODE_BLOCK Block, PVOID Buffer, UINT BufferSize);
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize);
PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PUINT OutSize);
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PULONG OutSize);
PVOID NcAssembleEx(PNATIVE_CODE_BLOCK Block, PUINT OutSize);
VOID NcDeleteBlock(PNATIVE_CODE_BLOCK Block);

12
CodeVirtualizer/Obfuscator.cpp
Unescape View File

@ -3,16 +3,16 @@
BOOL ObfiRandomizeInstruction(PNATIVE_CODE_LINK Link, PUCHAR ToMutate, PVOID Context)
{
for (ULONG i = 0; i < Link->RawDataSize; i++)
for (UINT i = 0; i < Link->RawDataSize; i++)
ToMutate[i] = RndGetRandomInt(0, 255);
return TRUE;
}
VOID ObfGenOpaqueBranch(PNATIVE_CODE_BLOCK Block, FLOAT BranchSizePercentage)
{
ULONG BlockSize = NcCountInstructions(Block, TRUE);
ULONG BranchSize = (FLOAT)BlockSize * BranchSizePercentage;
ULONG BranchStartPos = RndGetRandomInt(0, BlockSize - 1 - BranchSize);
UINT BlockSize = NcCountInstructions(Block, TRUE);
UINT BranchSize = (FLOAT)BlockSize * BranchSizePercentage;
UINT BranchStartPos = RndGetRandomInt(0, BlockSize - 1 - BranchSize);
PNATIVE_CODE_LINK BranchStart = BranchStartPos ? NULL : Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
@ -46,9 +46,9 @@ VOID ObfGenOpaqueBranch(PNATIVE_CODE_BLOCK Block, FLOAT BranchSizePercentage)
}
}
ULONG ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, ULONG MutateChance, BOOL MutateFirst, BOOL MutateOnlyFirst)
UINT ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, UINT MutateChance, BOOL MutateFirst, BOOL MutateOnlyFirst)
{
ULONG MutatedInstructions = 0;
UINT MutatedInstructions = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next;)
{
if ((T->Flags & CODE_FLAG_IS_LABEL) || (T->Flags & CODE_FLAG_DO_NOT_DIVIDE) || (T->Flags & CODE_FLAG_IS_REL_JMP))

8
CodeVirtualizer/Obfuscator.h
Unescape View File

@ -27,22 +27,22 @@ PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta = 0);
VOID ObfGenOpaqueBranch(PNATIVE_CODE_BLOCK Block, FLOAT BranchSizePercentage);
ULONG ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, ULONG MutateChance, BOOL MutateFirst, BOOL MutateOnlyFirst);
UINT ObfMutateInstructions(PNATIVE_CODE_BLOCK Block, UINT MutateChance, BOOL MutateFirst, BOOL MutateOnlyFirst);
XED_ICLASS_ENUM ObfGetRandomJccClass();
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenRandomJcc(UINT LabelId, UINT DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenJmpToLabel(UINT LabelId, UINT DisplacementSize = 32);
BOOL ObfCreateOpaqueBranches(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken);
//Combines the two branches into one block that can easily be patched into the code
//Resulting block is put into NotTaken
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, ULONG JccLabel, ULONG JmpLabel);
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, UINT JccLabel, UINT JmpLabel);

20
CodeVirtualizer/OpaqueBranching.cpp
Unescape View File

@ -22,19 +22,16 @@ XED_ICLASS_ENUM ObfGetRandomJccClass()
return XED_ICLASS_JLE;
}
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementWidth)
PNATIVE_CODE_LINK ObfGenRandomJcc(UINT LabelId, UINT DisplacementWidth)
{
XED_STATE MachineState;
MachineState.mmode = XED_MACHINE_MODE_LONG_64;
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
UCHAR EncodeBuffer[15];
UINT ReturnedSize;
XedInst1(&EncoderInstruction, MachineState, ObfGetRandomJccClass(), DisplacementWidth, XedRelBr(0, DisplacementWidth));
XedInst1(&EncoderInstruction, XedGlobalMachineState, ObfGetRandomJccClass(), DisplacementWidth, XedRelBr(0, DisplacementWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
XedEncoderRequestZeroSetMode(&EncoderRequest, &XedGlobalMachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
return NULL;
@ -53,19 +50,16 @@ PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementWidth)
return Link;
}
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementWidth)
PNATIVE_CODE_LINK ObfGenJmpToLabel(UINT LabelId, UINT DisplacementWidth)
{
XED_STATE MachineState;
MachineState.mmode = XED_MACHINE_MODE_LONG_64;
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
UCHAR EncodeBuffer[15];
UINT ReturnedSize;
XedInst1(&EncoderInstruction, MachineState, XED_ICLASS_JMP, DisplacementWidth, XedRelBr(0, DisplacementWidth));
XedInst1(&EncoderInstruction, XedGlobalMachineState, XED_ICLASS_JMP, DisplacementWidth, XedRelBr(0, DisplacementWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
XedEncoderRequestZeroSetMode(&EncoderRequest, &XedGlobalMachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
return NULL;
@ -89,7 +83,7 @@ BOOL ObfCreateOpaqueBranches(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End, PNA
return (NcDeepCopyPartialBlock(Start, End, Taken) && !NcDeepCopyPartialBlock(Start, End, NotTaken));
}
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, ULONG JccLabel, ULONG JmpLabel)
BOOL ObfCombineOpaqueBranches(PNATIVE_CODE_BLOCK NotTaken, PNATIVE_CODE_BLOCK Taken, UINT JccLabel, UINT JmpLabel)
{
PNATIVE_CODE_LINK Jcc = ObfGenRandomJcc(JccLabel);
if (!Jcc)

2
CodeVirtualizer/PEFile.cpp
Unescape View File

@ -1,7 +1,7 @@
#include "PEFile.h"
//VOID FiLoadFile(PPE_FILE File, PVOID RawData, ULONG RawDataSize)
//VOID FiLoadFile(PPE_FILE File, PVOID RawData, UINT RawDataSize)
//{
// File->RawData = RawData;
// File->RawDataSize = RawDataSize;

2
CodeVirtualizer/Random.cpp
Unescape View File

@ -5,7 +5,7 @@ INT RndGetRandomInt(INT min, INT max)
{
std::random_device rd;
std::default_random_engine generator(rd());
std::uniform_int_distribution<ULONG> distribution(min, max);
std::uniform_int_distribution<UINT> distribution(min, max);
return distribution(generator);
}

18
CodeVirtualizer/RipMovInst.cpp
Unescape View File

@ -38,15 +38,15 @@ BOOL JitEmitRipRelativeMovB(PNATIVE_CODE_BLOCK Block, INT32 RipDelta, PUCHAR Dat
PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
UINT FourByte = Link->RawDataSize / 4;
UINT TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
UINT OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
PUCHAR DataOffset = Link->RawData;
ULONG Count = FourByte;
UINT Count = FourByte;
while (Count)
{
//Account for remaining MOVs
@ -103,15 +103,15 @@ PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{
ULONG FourByte = Link->RawDataSize / 4;
ULONG TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
ULONG OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
UINT FourByte = Link->RawDataSize / 4;
UINT TwoByte = (Link->RawDataSize - (FourByte * 4)) / 2;
UINT OneByte = (Link->RawDataSize - (FourByte * 4) - (TwoByte * 2));
PNATIVE_CODE_BLOCK Block = new NATIVE_CODE_BLOCK;
Block->Start = Block->End = new NATIVE_CODE_LINK;
ULONG ZeroValue = 0;
ULONG Count = FourByte;
UINT ZeroValue = 0;
UINT Count = FourByte;
while (Count)
{
INT32 RipDelta = Link->RawDataSize - ((FourByte - Count) * 4);

17
CodeVirtualizer/VMAssembly.asm
Unescape View File

@ -1,22 +1,13 @@
.CODE
;Machine structure
;REGISTER = Register file(32 8 byte registers)
;REGISTER = Instruction Pointer
;REGISTER = Handler Table
;
ViEnter PROC
MOV [RSP+8h],RCX
MOV [RSP+10h],RDX
MOV [RSP+18h],R8
MOV [RSP+20h],R9
mov [rsp+8h],rdi
mov rdi,0FFFFFFFFFFFFFFFFh
PUSH RAX
MOV RAX,0FFFFFFFFFFFFFFFFh
;RAX NOW POINTER TO VMDATA STRUCT
;store registers now
ret
ViEnter ENDP
END

123
CodeVirtualizer/VMDefs.h
Unescape View File

@ -1,18 +1,125 @@
#ifndef __VMDEFS_H
#define __VMDEFS_H
#include "Windas.h"
enum VM_ICLASS_ENUM : UCHAR
union VM_IMM
{
UINT8 u8;
UINT16 u16;
UINT32 u32;
UINT64 u64;
INT8 i8;
INT16 i16;
INT32 i32;
INT64 i64;
PVOID Raw;
};
enum VM_MEMOP_TYPE_ENUM : UCHAR
{
VM_MEMOP_B,
VM_MEMOP_BD,
VM_MEMOP_BIS,
VM_MEMOP_BISD,
VM_MEMOP_TYPE_COUNT
};
enum VM_IREG_ENUM : UCHAR
{
VM_IREG_0,
VM_IREG_1,
VM_IREG_2,
VM_IREG_COUNT,
};
enum VM_OPERAND_SIZE_ENUM : UCHAR
{
VM_OPSIZE_1,
VM_OPSIZE_2,
VM_OPSIZE_4,
VM_OPSIZE_8,
VM_OPSIZE_COUNT
};
enum VM_ICLASS_ENUM : USHORT
{
VM_ICLASS_ENTER,
VM_ICLASS_EXIT,
VM_ICLASS_MOV,
VM_ICLASS_SX,
VM_ICLASS_ZX,
VM_ICLASS_ADD,
VM_ICLASS_SUB,
VM_ICLASS_MUL,
VM_ICLASS_DIV,
//Loading from memory into internal registers
//Need to support 3 modes: [BASE], [BASE+OFFSET], [BASE+INDEX*SCALE+OFFSET]
//for 4 possible sizes(1,2,4,8)
//for 3 possible register spots(rax,rbx,rcx
//3 * 4 * 3 = 72
VM_ICLASS_LD_IREG_MEM_START,
VM_ICLASS_LD_IREG_MEM_END = VM_ICLASS_LD_IREG_MEM_START + (VM_IREG_COUNT * VM_OPSIZE_COUNT * VM_MEMOP_TYPE_COUNT) - 1,
//Storing internal registers into memory
VM_ICLASS_ST_IREG_MEM_START,
VM_ICLASS_ST_IREG_MEM_END = VM_ICLASS_ST_IREG_MEM_START + (VM_IREG_COUNT * VM_OPSIZE_COUNT * VM_MEMOP_TYPE_COUNT) - 1,
//Loading scratch registers into internal registers
VM_ICLASS_LD_IREG_REG_START,
VM_ICLASS_LD_IREG_REG_END = VM_ICLASS_LD_IREG_REG_START + (VM_IREG_COUNT * VM_OPSIZE_COUNT) - 1,
//storing internal registers into scratch registers
VM_ICLASS_ST_IREG_REG_START,
VM_ICLASS_ST_IREG_REG_END = VM_ICLASS_ST_IREG_REG_START + (VM_IREG_COUNT * VM_OPSIZE_COUNT) - 1,
//Loading Immediate Values into internal registers
VM_ICLASS_LD_IREG_IMM_START,
VM_ICLASS_LD_IREG_IMM_END = VM_ICLASS_LD_IREG_IMM_START + (VM_IREG_COUNT * VM_OPSIZE_COUNT) - 1,
VM_ICLASS_COUNT,
};
enum VM_REG_ENUM : UCHAR
{
VM_REG_0, //0-15 reserved for converted native registers.
VM_REG_1,
VM_REG_2,
VM_REG_3,
VM_REG_4,
VM_REG_5,
VM_REG_6,
VM_REG_7,
VM_REG_8,
VM_REG_9,
VM_REG_10,
VM_REG_11,
VM_REG_12,
VM_REG_13,
VM_REG_14,
VM_REG_15,
//VM_REG_16, //scratch registers
//VM_REG_17,
//VM_REG_18,
//VM_REG_19,
//VM_REG_20,
//VM_REG_21,
//VM_REG_22,
//VM_REG_23,
//VM_REG_24,
//VM_REG_25,
//VM_REG_26,
//VM_REG_27,
//VM_REG_28,
//VM_REG_29,
//VM_REG_30,
//VM_REG_31,
VM_REG_COUNT
};
typedef struct _VM_HEADER
{
PVOID RegisterFile[VM_REG_COUNT];
PVOID RegisterStorage[16];
PVOID HandlerTable[1];
UINT HandlerTableSize;
}VM_HEADER, * PVM_HEADER;
#endif

26
CodeVirtualizer/VirtualInstructionEmitter.cpp
Unescape View File

@ -0,0 +1,26 @@
#include "VirtualInstructionEmitter.h"
PVM_CODE_LINK VmEmitterIRegLoadMem_B(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Base)
{
}
PVM_CODE_LINK VmEmitterIRegLoadMem_BO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Base, VM_IMM Offset)
{
}
PVM_CODE_LINK VmEmitterIRegLoadMem_BISO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Base, VM_REG_ENUM Index, VM_OPERAND_SIZE_ENUM Scale, VM_IMM Offset)
{
}
PVM_CODE_LINK VmEmitterIRegLoadReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Reg)
{
}
PVM_CODE_LINK VmEmitterIRegStoreReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Reg)
{
}
PVM_CODE_LINK VmEmitterIRegLoadImm(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_IMM Immediate)
{
}

15
CodeVirtualizer/VirtualInstructionEmitter.h
Unescape View File

@ -0,0 +1,15 @@
#ifndef __VM_INST_EMITTER_H
#define __VM_INST_EMITTER_H
#include "VmCode.h"
#include "VMDefs.h"
PVM_CODE_LINK VmEmitterIRegLoadMem_B(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Base);
PVM_CODE_LINK VmEmitterIRegLoadMem_BO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Base, VM_IMM Offset);
PVM_CODE_LINK VmEmitterIRegLoadMem_BISO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Base, VM_REG_ENUM Index, VM_OPERAND_SIZE_ENUM Scale, VM_IMM Offset);
PVM_CODE_LINK VmEmitterIRegLoadReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Reg);
PVM_CODE_LINK VmEmitterIRegStoreReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_REG_ENUM Reg);
PVM_CODE_LINK VmEmitterIRegLoadImm(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, VM_IMM Immediate);
#endif

193
CodeVirtualizer/VirtualMachine.cpp
Unescape View File

@ -1,11 +1,196 @@
#include "VirtualMachine.h"
PUCHAR VmEmitVmEnter(PULONG Size)
XED_REG_ENUM VmOperandSizeToRegEnumBase(VM_OPERAND_SIZE_ENUM OperandSize)
{
return NULL;
switch (OperandSize)
{
case VM_OPSIZE_1: return XED_REG_GPR8_FIRST;
case VM_OPSIZE_2: return XED_REG_GPR16_FIRST;
case VM_OPSIZE_4: return XED_REG_GPR32_FIRST;
case VM_OPSIZE_8: return XED_REG_GPR64_FIRST;
}
return XED_REG_INVALID;
}
PUCHAR VmEmitVmExit(PULONG Size)
XED_REG_ENUM VmGetRegOfSize(XED_REG_ENUM Reg, VM_OPERAND_SIZE_ENUM OperandSize)
{
if (Reg >= XED_REG_GPR8_FIRST && Reg <= XED_REG_GPR8_LAST)
{
return (XED_REG_ENUM)(VmOperandSizeToRegEnumBase(OperandSize) + (Reg - XED_REG_GPR8_FIRST));
}
else if (Reg >= XED_REG_GPR16_FIRST && Reg <= XED_REG_GPR16_LAST)
{
return (XED_REG_ENUM)(VmOperandSizeToRegEnumBase(OperandSize) + (Reg - XED_REG_GPR16_FIRST));
}
if (Reg >= XED_REG_GPR32_FIRST && Reg <= XED_REG_GPR32_LAST)
{
return (XED_REG_ENUM)(VmOperandSizeToRegEnumBase(OperandSize) + (Reg - XED_REG_GPR32_FIRST));
}
else if (Reg >= XED_REG_GPR64_FIRST && Reg <= XED_REG_GPR64_LAST)
{
return (XED_REG_ENUM)(VmOperandSizeToRegEnumBase(OperandSize) + (Reg - XED_REG_GPR64_FIRST));
}
return XED_REG_INVALID;
}
XED_REG_ENUM VmIRegToXReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize)
{
switch (IReg)
{
case VM_IREG_0: return VmGetRegOfSize(XED_REG_RAX, OperandSize);
case VM_IREG_1: return VmGetRegOfSize(XED_REG_RBX, OperandSize);
case VM_IREG_2: return VmGetRegOfSize(XED_REG_RCX, OperandSize);
}
return XED_REG_INVALID;
//Less portable version.
/*if (OperandSize == VM_OPSIZE_1)
{
return (XED_REG_ENUM)(XED_REG_AL + IReg);
}
return (XED_REG_ENUM)(XED_REG_AX + (16 * (OperandSize - 1)) + IReg);*/
}
PUCHAR VmHandlerPrologue(UINT InstructionSize, PUINT OutSize, XED_REG_ENUM Vip, XED_REG_ENUM HandlerTableReg)
{
// add rdx, InstructionSize + Prologue Size
// movzx r8,byte ptr[rdx]
// jmp qword ptr[rsi+r8*8h]
XED_ENCODER_INSTRUCTION InstList[3];
InstructionSize += VM_HANDLER_PROLOGUE_SIZE;
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
XedInst1(&InstList[2], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
PUCHAR Ret = XedEncodeInstructions(InstList, 3, OutSize);
if (*OutSize == VM_HANDLER_PROLOGUE_SIZE)
return Ret;
delete[] Ret;
InstructionSize -= VM_HANDLER_PROLOGUE_SIZE;
InstructionSize += *OutSize;
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
XedInst1(&InstList[2], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
return XedEncodeInstructions(InstList, 3, OutSize);
}
PUCHAR VmHandlerIRegLoadMem_B(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
/*
* movzx r8,byte ptr[rdx+2]
* mov r8, qword ptr[rbp+r8*8]
* mov (ireg), (size) ptr[r8]
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[3];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0,0), 64));
XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemB(XED_REG_R8, OpSizeBits));
return XedEncodeInstructions(InstList, 3, OutSize);
}
PUCHAR VmHandlerIRegLoadMem_BO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
return NULL;
/*
* movzx r8,byte ptr[rdx+2]
* mov r8, qword ptr[rbp+r8*8]
* mov r9, dword ptr[rdx+3]
* mov (ireg), (size) ptr[r8+r9]
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[4];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSXD, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 32));
XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R9, 1, XedDisp(0, 0), OpSizeBits));
return XedEncodeInstructions(InstList, 4, OutSize);
}
PUCHAR VmHandlerIRegLoadMem_BIS(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
/*
* movzx r8,byte ptr[rdx+2]
* mov r8, qword ptr[rbp+r8*8]
* movzx r9, byte ptr[rdx+3]
* mov r9, qword ptr[rbp+r9*8]
* movzx r10, byte ptr[rdx+4] ;load scale value(unsigned)
* imul r9,r10
* mov (ireg), (size) ptr[r8+r9]
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[7];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 8));
XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R9), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
XedInst2(&InstList[4], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(4, 8), 8));
XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R9), XedReg(XED_REG_R10));
XedInst2(&InstList[6], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R9, 1, XedDisp(0, 0), OpSizeBits));
return XedEncodeInstructions(InstList, 7, OutSize);
}
PUCHAR VmHandlerIRegLoadMem_BISO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
/*
* movzx r8, byte ptr[rdx+2]
* mov r8, qword ptr[rbp+r8*8]
* movzx r9, byte ptr[rdx+3]
* mov r9, qword ptr[rbp+r9*8]
* movzx r10, byte ptr[rdx+4] ;load scale value(unsigned)
* imul r9, r10
* movsxd r10, dword ptr[rdx+5] ;load immediate displacement
* add r9, r10 ;add immediate displacement
* mov (ireg), (size) ptr[r8+r9]
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[9];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 8));
XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R9), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
XedInst2(&InstList[4], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(4, 8), 8));
XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R9), XedReg(XED_REG_R10));
XedInst2(&InstList[6], XedGlobalMachineState, XED_ICLASS_MOVSXD, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(5, 8), 32));
XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(XED_REG_R9), XedReg(XED_REG_R10));
XedInst2(&InstList[8], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R9, 1, XedDisp(0, 0), OpSizeBits));
return XedEncodeInstructions(InstList, 9, OutSize);
}
PUCHAR VmHandlerIRegLoadReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
/*
* movzx r8,byte ptr[rdx+2]
* mov (ireg), (size) ptr[rbp+r8*8]
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[2];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), OpSizeBits));
return XedEncodeInstructions(InstList, 2, OutSize);
}
PUCHAR VmHandlerIRegStoreReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
/*
* movzx r8,byte ptr[rdx+2]
* mov (size) ptr[rbp+r8*8], (ireg)
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[2];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
return XedEncodeInstructions(InstList, 2, OutSize);
}
PUCHAR VmHandlerIRegLoadImm(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize)
{
/*
* mov (ireg), size ptr[rdx+2]
*/
UINT OpSizeBits = VmOpSizeToBits(OperandSize);
XED_ENCODER_INSTRUCTION InstList[1];
XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBD(XED_REG_RDX, XedDisp(2, 8), OpSizeBits));
return XedEncodeInstructions(InstList, 1, OutSize);
}

48
CodeVirtualizer/VirtualMachine.h
Unescape View File

@ -4,29 +4,43 @@
#include "Windas.h"
#include "XedWrap.h"
#include "VMDefs.h"
#include "NativeCode.h"
#include "VmCode.h"
typedef struct _VM_DATA
{
PVOID RegisterFile[32];
}VM_DATA, *PVM_DATA;
#define VmIRegLoadMemDefaultCode(IReg, OpSize, MemOpType) (VM_ICLASS_LD_IREG_MEM_START + (VM_OPSIZE_COUNT * VM_MEMOP_TYPE_COUNT * (IReg)) + (VM_MEMOP_TYPE_COUNT * (OpSize)) + (MemOpType))
#define VmIRegStoreMemDefaultCode(IReg, OpSize, MemOpType) (VM_ICLASS_ST_IREG_MEM_START + (VM_OPSIZE_COUNT * VM_MEMOP_TYPE_COUNT * (IReg)) + (VM_MEMOP_TYPE_COUNT * (OpSize)) + (MemOpType))
#define VmIRegLoadRegDefaultCode(IReg, OpSize) (VM_ICLASS_LD_IREG_REG_START + (VM_OPSIZE_COUNT * (IReg)) + (OpSize))
#define VmIRegStoreRegDefaultCode(IReg, OpSize) (VM_ICLASS_ST_IREG_REG_START + (VM_OPSIZE_COUNT * (IReg)) + (OpSize))
#define VmIRegLoadImmDefaultCode(IReg, OpSize) (VM_ICLASS_LD_IREG_IMM_START + (VM_OPSIZE_COUNT * (IReg)) + (OpSize))
typedef struct _VM_EMITTER
{
}VM_EMITTER, *PVM_EMITTER;
#define VmOpSizeToBytes(OpSize) (pow(2, (UCHAR)OpSize))
#define VmOpSizeToBits(OpSize) (VmOpSizeToBytes(OpSize) * 8)
/*
* VmEnter:
* Move all x86 8 byte registers into storage inside of VM_DATA structure.
* Move address of VM_DATA structure into rcx
* Move virtual instruction pointer into rdx
* Vm Structure:
* RDI = VM_HEADER
* RSI = Handler Table
* RDX = Vm Instruction Pointer
* RBP = Vm Register file
* RAX = IREG0
* RBX = IREG1
* RCX = IREG2
*
* R8 = Not ever saved. Uses ATM: HandlerJmp,
*/
PUCHAR VmEmitVmEnter(PULONG Size);
PUCHAR VmEmitVmExit(PULONG Size);
XED_REG_ENUM VmOperandSizeToRegEnumBase(VM_OPERAND_SIZE_ENUM OperandSize);
XED_REG_ENUM VmGetRegOfSize(XED_REG_ENUM Reg, VM_OPERAND_SIZE_ENUM OperandSize);
XED_REG_ENUM VmIRegToXReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize);
PUCHAR VmEmitMove();
PUCHAR VmEmitSignExtend(PVM_EMITTER Emitter, UCHAR StartSize, UCHAR FinalSize, PULONG Size);
PUCHAR VmEmitZeroExtend(PVM_EMITTER Emitter, UCHAR StartSize, UCHAR FinalSize, PULONG Size);
#define VM_HANDLER_PROLOGUE_SIZE 15
PUCHAR VmHandlerPrologue(UINT InstructionSize, PUINT OutSize, XED_REG_ENUM Vip = XED_REG_RDX, XED_REG_ENUM HandlerTableReg = XED_REG_RSI);
PUCHAR VmHandlerIRegLoadMem_B(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
PUCHAR VmHandlerIRegLoadMem_BO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
PUCHAR VmHandlerIRegLoadMem_BIS(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
PUCHAR VmHandlerIRegLoadMem_BISO(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
PUCHAR VmHandlerIRegLoadReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
PUCHAR VmHandlerIRegStoreReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
PUCHAR VmHandlerIRegLoadImm(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, PUINT OutSize);
#endif

24
CodeVirtualizer/Virtualizer.cpp
Unescape View File

@ -2,29 +2,31 @@
BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
{
switch (XedDecodedInstGetIClass(&Link->XedInstruction))
{
case XED_ICLASS_MOV: return TRUE;
}
return FALSE;
}
BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block)
BOOL ViValidateNativeCodeBlock(PVIRTUALIZER Vm, PNATIVE_CODE_BLOCK Block)
{
for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{
if (!ViCanHandleInst(T))
return FALSE;
}
return TRUE;
}
BOOL VmEmitEnter(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block)
{
}
//Cant handle RIP relative instructions.
CONST XED_INST* Inst = XedDecodedInstInst(&T->XedInstruction);
UINT OperandCount = XedDecodedInstNumOperands(&T->XedInstruction);
for (UINT i = 0; i < OperandCount; i++)
{
XED_OPERAND_ENUM OperandName = XedOperandName(XedInstOperand(Inst, i));
BOOL VmEmitExit(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block)
{
if ((OperandName == XED_OPERAND_MEM0 || OperandName == XED_OPERAND_MEM1)
&& XedDecodedInstGetBaseReg(&T->XedInstruction, OperandName - XED_OPERAND_MEM0) == XED_REG_RIP)
return FALSE;
}
}
return TRUE;
}

27
CodeVirtualizer/Virtualizer.h
Unescape View File

@ -4,7 +4,7 @@
#include "Code.h"
#include "VmCode.h"
#include "NativeCode.h"
#include "VMDefs.h"
/*
* Structure:
@ -13,26 +13,17 @@
* - Two byte opcode
* -
*
*
* LOC register(Frame pointer):
* - A register for which all local variables are addressed from
* - Specific instructions for quick access of stuff around this ptr
* - Example Frame:
* - [Previous function variables
* - [Return Address
* - [Previous Functions LOC
* - LOC->[Empty Stack Space
*
*
* -VmEnter will essentially "call into" the vm and will be created using a function to rearrange and push arguments based on the arguments passed to said function.
* Replace the code of the original code with random bytes and somewhere within it put the entry into the vm
* Put the address of the virtual function code into rax, then jmp to vmenter.
*/
typedef struct _VIRTUALIZER
{
UCHAR DefaultInstructions[VM_ICLASS_COUNT];
PNATIVE_CODE_BLOCK Block;
}VIRTUALIZER, *PVIRTUALIZER;
BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link);
BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block);
BOOL VmEmitEnter(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block);
BOOL VmEmitExit(ULONG ArgumentCount, PNATIVE_CODE_BLOCK Block);
BOOL ViValidateNativeCodeBlock(PVIRTUALIZER Vm, PNATIVE_CODE_BLOCK Block);
#endif

8
CodeVirtualizer/VmCode.cpp
Unescape View File

@ -5,11 +5,13 @@ _VM_CODE_LINK::_VM_CODE_LINK()
Flags = 0;
Next = Prev = NULL;
Label = 0;
RawData = NULL;
RawDataSize = 0UL;
InstData = NULL;
InstDataSize = 0UL;
PrologueData = NULL;
PrologueDataSize = 0UL;
}
_VM_CODE_LINK::_VM_CODE_LINK(ULONG LabelId)
_VM_CODE_LINK::_VM_CODE_LINK(UINT LabelId)
: _VM_CODE_LINK()
{
Label = LabelId;

14
CodeVirtualizer/VmCode.h
Unescape View File

@ -9,13 +9,17 @@ typedef struct _VM_CODE_LINK
_VM_CODE_LINK* Next;
_VM_CODE_LINK* Prev;
ULONG Flags;
ULONG Label;
PUCHAR RawData;
ULONG RawDataSize;
UINT Flags;
UINT Label;
PUCHAR InstData;
UINT InstDataSize;
PUCHAR PrologueData;
PUCHAR PrologueDataSize;
_VM_CODE_LINK();
_VM_CODE_LINK(ULONG LabelId);
_VM_CODE_LINK(UINT LabelId);
}VM_CODE_LINK, *PVM_CODE_LINK;
typedef struct _VM_CODE_BLOCK

1
CodeVirtualizer/Windas.h
Unescape View File

@ -8,6 +8,7 @@
#include <iomanip>
#include <algorithm>
#include <random>
#include <cmath>
#define INLINE inline
#define STDSTRING std::string

37
CodeVirtualizer/XedWrap.cpp
Unescape View File

@ -1,9 +1,44 @@
#include "XedWrap.h"
VOID XedInit()
VOID XedGlobalInit()
{
XedTablesInit();
XedGlobalMachineState;
XedGlobalMachineState.mmode = XED_MACHINE_MODE_LONG_64;
XedGlobalMachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
}
PUCHAR XedEncodeInstructions(XED_ENCODER_INSTRUCTION* InstList, UINT InstCount, PUINT OutSize)
{
XED_ENCODER_REQUEST EncoderRequest;
UINT ReturnedSize = 0;
UINT TotalSize = 0;
XED_ERROR_ENUM Err = XED_ERROR_NONE;
*OutSize = 0;
PUCHAR EncodeBuffer = new UCHAR[InstCount * 15];
if (!EncodeBuffer)
return NULL;
for (UINT i = 0; i < InstCount; i++)
{
XedEncoderRequestZeroSetMode(&EncoderRequest, &XedGlobalMachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &InstList[i]) || XED_ERROR_NONE != (Err = XedEncode(&EncoderRequest, &EncodeBuffer[TotalSize], 15, &ReturnedSize)))
{
printf("Error encoding instruction: %u, %s\n", i, XedErrorEnumToString(Err));
return NULL;
}
TotalSize += ReturnedSize;
}
PUCHAR RetBuffer = new UCHAR[TotalSize];
if (!RetBuffer)
{
delete[] EncodeBuffer;
return NULL;
}
RtlCopyMemory(RetBuffer, EncodeBuffer, TotalSize);
*OutSize = TotalSize;
return RetBuffer;
}

10
CodeVirtualizer/XedWrap.h
Unescape View File

@ -44,6 +44,8 @@ extern "C"
#define XedDecodedInstGetSegReg xed_decoded_inst_get_seg_reg
#define XedDecodedInstGetBaseReg xed_decoded_inst_get_base_reg
#define XedDecodedInstGetIndexReg xed_decoded_inst_get_index_reg
#define XedDecodedInstGetScale xed_decoded_inst_get_scale
#define XedDecodedInstGetMemoryDisplacement xed_decoded_inst_get_memory_displacement
#define XedInstOperand xed_inst_operand
@ -89,9 +91,15 @@ extern "C"
#define XedRelBr xed_relbr
#define XedReg xed_reg
#define XedDisp xed_disp
#define XedMemB xed_mem_b
#define XedMemBD xed_mem_bd
#define XedMemBISD xed_mem_bisd
#define XedSimm0 xed_simm0
#define XedImm0 xed_imm0
inline XED_STATE XedGlobalMachineState;
VOID XedInit();
VOID XedGlobalInit();
PUCHAR XedEncodeInstructions(XED_ENCODER_INSTRUCTION* InstList, UINT InstCount, PUINT OutSize);
#endif
Write Preview
Loading…
Cancel
Save