maybe something simpler before full virtualization

3 years ago · dcea33c072
parent 8122a76182
commit dcea33c072
11 changed files with 132 additions and 13 deletions
--- a/CodeVirtualizer/CodeVirtualizer.vcxproj
+++ b/CodeVirtualizer/CodeVirtualizer.vcxproj
@ -151,14 +151,18 @@
  <ItemGroup>
    <ClCompile Include="NativeCode.cpp" />
    <ClCompile Include="Main.cpp" />
+    <ClCompile Include="CryptedCode.cpp" />
    <ClCompile Include="Virtualizer.cpp" />
+    <ClCompile Include="VirtualMachine.cpp" />
    <ClCompile Include="VmCode.cpp" />
    <ClCompile Include="XedWrap.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Code.h" />
    <ClInclude Include="NativeCode.h" />
+    <ClInclude Include="CryptedCode.h" />
    <ClInclude Include="Virtualizer.h" />
+    <ClInclude Include="VirtualMachine.h" />
    <ClInclude Include="VmCode.h" />
    <ClInclude Include="Windas.h" />
    <ClInclude Include="XedWrap.h" />
--- a/CodeVirtualizer/CodeVirtualizer.vcxproj.filters
+++ b/CodeVirtualizer/CodeVirtualizer.vcxproj.filters
@ -17,6 +17,12 @@
    <ClInclude Include="Virtualizer.h">
      <Filter>Virtualizer</Filter>
    </ClInclude>
+    <ClInclude Include="VirtualMachine.h">
+      <Filter>VirtualMachine</Filter>
+    </ClInclude>
+    <ClInclude Include="CryptedCode.h">
+      <Filter>Obfuscator</Filter>
+    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="Main.cpp" />
@ -32,6 +38,12 @@
    <ClCompile Include="Virtualizer.cpp">
      <Filter>Virtualizer</Filter>
    </ClCompile>
+    <ClCompile Include="VirtualMachine.cpp">
+      <Filter>VirtualMachine</Filter>
+    </ClCompile>
+    <ClCompile Include="CryptedCode.cpp">
+      <Filter>Obfuscator</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <Filter Include="Xed">
@ -43,5 +55,14 @@
    <Filter Include="Virtualizer">
      <UniqueIdentifier>{f74192e7-2064-44d2-983c-fac92f468c0a}</UniqueIdentifier>
    </Filter>
+    <Filter Include="Virtualizer\NewFilter1">
+      <UniqueIdentifier>{65f3fdd3-b851-4e50-8a48-d1ecb4af2f91}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="VirtualMachine">
+      <UniqueIdentifier>{d784ddc8-2452-41ff-bc20-582ec03b3eb5}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="Obfuscator">
+      <UniqueIdentifier>{cc5b78db-cdf7-4b83-9652-2722cbdec89e}</UniqueIdentifier>
+    </Filter>
  </ItemGroup>
 </Project>
--- a/CodeVirtualizer/CryptedCode.cpp
+++ b/CodeVirtualizer/CryptedCode.cpp
@ -0,0 +1,3 @@
+#include "CryptedCode.h"
+
+PNATIVE_CODE_BLOCK RxEmitXorForInstruction(PNATIVE_CODE_LINK Link);
--- a/CodeVirtualizer/CryptedCode.h
+++ b/CodeVirtualizer/CryptedCode.h
@ -0,0 +1,11 @@
+#ifndef __CRYPTED_CODE_H
+#define __CRYPTED_CODE_H
+
+#include "Windas.h"
+#include "XedWrap.h"
+#include "NativeCode.h"
+
+PNATIVE_CODE_BLOCK RxEmitXorForInstruction(PNATIVE_CODE_LINK Link);
+
+
+#endif
--- a/CodeVirtualizer/NativeCode.cpp
+++ b/CodeVirtualizer/NativeCode.cpp
@ -4,16 +4,18 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK()
 {
 	XedDecodedInstZero(&XedInst);
 	XedDecodedInstSetMode(&XedInst, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
-	Flags = 0;
+	Flags = 0UL;
 	Next = Prev = NULL;
-	Label = 0;
+	Block = NULL;
+	Label = 0UL;
 	RawData = NULL;
 	RawDataSize = 0UL;
 }

-_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId)
+_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B)
 	: _NATIVE_CODE_LINK()
 {
+	Block = B;
 	Label = LabelId;
 	Flags = CODE_FLAG_IS_LABEL;
 }
@ -59,14 +61,33 @@ VOID NcConcat(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2)
 	//update the label names so that there are no conflicts between the two blocks
 }

-VOID NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
+BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
 {

 }

-VOID NcInsertBlockBfore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
+BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
 {
+	if (!Link || !Link->Block || !Block || !Block->Start || !Block->End)
+		return FALSE;

+	if (Block->HasRelativeJumps && Link->Block->HasRelativeJumps)
+	{
+		//TODO: increment all labels inside of the block being added
+		return FALSE;
+	}
+	else
+	{
+		if (Link->Prev)
+			Link->Prev->Next = Block->Start;
+		Block->Start->Prev = Link->Prev;
+
+		Block->End->Next = Link;
+		Link->Prev = Block->End;
+		return TRUE;
+	}
+
+	return FALSE;
 }

 BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
@ -111,10 +132,11 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
 		}
 		else
 		{
-			NcInsertLinkBefore(JmpPos, new NATIVE_CODE_LINK(CurrentLabelId));
+			NcInsertLinkBefore(JmpPos, new NATIVE_CODE_LINK(CurrentLabelId, Block));
 			T->Label = CurrentLabelId;
 			++CurrentLabelId;
 		}
+		Block->HasRelativeJumps = TRUE;
 		T->Flags |= CODE_FLAG_IS_REL_JMP;
 	}
 	return TRUE;
@ -181,7 +203,7 @@ BOOL NcFromBuffer(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
 			delete Link;
 			return FALSE;
 		}
-
+		Link->Block = Block;
 		Link->Prev = Block->End;
 		Block->End->Next = Link;
 		Block->End = Link;
@ -236,4 +258,5 @@ VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
 			}
 		}
 	}
-}
+}
+
--- a/CodeVirtualizer/NativeCode.h
+++ b/CodeVirtualizer/NativeCode.h
@ -5,24 +5,27 @@
 #include "XedWrap.h"
 #include "Code.h"

+struct _NATIVE_CODE_BLOCK;
+
 typedef struct _NATIVE_CODE_LINK
 {
 	_NATIVE_CODE_LINK*	Next;
 	_NATIVE_CODE_LINK*	Prev;
-
+	_NATIVE_CODE_BLOCK* Block;
 	ULONG				Flags;
 	ULONG				Label;
 	PUCHAR				RawData;
 	ULONG				RawDataSize;
 	XED_DECODED_INST	XedInst;
 	_NATIVE_CODE_LINK();
-	_NATIVE_CODE_LINK(ULONG LabelId);
+	_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B);
 }NATIVE_CODE_LINK, *PNATIVE_CODE_LINK;

 typedef struct _NATIVE_CODE_BLOCK
 {
 	PNATIVE_CODE_LINK Start;
 	PNATIVE_CODE_LINK End;
+	BOOL HasRelativeJumps;
 }NATIVE_CODE_BLOCK, *PNATIVE_CODE_BLOCK;

 VOID NcInsertLinkAfter(PNATIVE_CODE_LINK Link1, PNATIVE_CODE_LINK Link2);
@ -33,9 +36,9 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link);

 VOID NcConcat(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2);

-VOID NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);
+BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);

-VOID NcInsertBlockBfore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);
+BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);

 BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block);

@ -48,4 +51,5 @@ VOID NcDelete(PNATIVE_CODE_BLOCK Block);
 VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block);


+
 #endif
--- a/CodeVirtualizer/VirtualMachine.cpp
+++ b/CodeVirtualizer/VirtualMachine.cpp
@ -0,0 +1,11 @@
+#include "VirtualMachine.h"
+
+
+PUCHAR VmEmitVmEnter(PULONG Size)
+{
+	return NULL;
+}
+PUCHAR VmEmitVmExit(PULONG Size)
+{
+	return NULL;
+}
--- a/CodeVirtualizer/VirtualMachine.h
+++ b/CodeVirtualizer/VirtualMachine.h
@ -0,0 +1,21 @@
+#ifndef __VIRTUAL_MACHINE_H
+#define __VIRTUAL_MACHINE_H
+
+#include "Windas.h"
+#include "XedWrap.h"
+
+typedef struct _VM_DATA
+{
+	PVOID RegisterFile[32];
+}VM_DATA, *PVM_DATA;
+
+/*
+* VmEnter:
+* Move all x86 8 byte registers into storage inside of VM_DATA structure.
+* Move address of VM_DATA structure into rcx
+* Move virtual instruction pointer into rdx
+*/
+PUCHAR VmEmitVmEnter(PULONG Size);
+PUCHAR VmEmitVmExit(PULONG Size);
+
+#endif
--- a/CodeVirtualizer/Virtualizer.cpp
+++ b/CodeVirtualizer/Virtualizer.cpp
@ -1 +1,15 @@
-#include "Virtualizer.h"
+#include "Virtualizer.h"
+
+BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
+{
+	return TRUE;
+}
+BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block)
+{
+	for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
+	{
+		if (!ViCanHandleInst(T))
+			return FALSE;
+	}
+	return TRUE;
+}
--- a/CodeVirtualizer/Virtualizer.h
+++ b/CodeVirtualizer/Virtualizer.h
@ -6,6 +6,13 @@
 #include "NativeCode.h"


+/*
+* 
+* 
+* 
+*/
+
 BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link);
+BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block);

 #endif
--- a/x64/Debug/CodeVirtualizer.ilk
+++ b/x64/Debug/CodeVirtualizer.ilk