maybe something simpler before full virtualization

3 years ago · dcea33c072
parent 8122a76182
commit dcea33c072
11 changed files with 132 additions and 13 deletions
--- a/CodeVirtualizer/CodeVirtualizer.vcxproj
+++ b/CodeVirtualizer/CodeVirtualizer.vcxproj
@ -151,14 +151,18 @@
  <ItemGroup>
    <ClCompile Include="NativeCode.cpp" />
    <ClCompile Include="Main.cpp" />
    <ClCompile Include="CryptedCode.cpp" />
    <ClCompile Include="Virtualizer.cpp" />
    <ClCompile Include="VirtualMachine.cpp" />
    <ClCompile Include="VmCode.cpp" />
    <ClCompile Include="XedWrap.cpp" />
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="Code.h" />
    <ClInclude Include="NativeCode.h" />
    <ClInclude Include="CryptedCode.h" />
    <ClInclude Include="Virtualizer.h" />
    <ClInclude Include="VirtualMachine.h" />
    <ClInclude Include="VmCode.h" />
    <ClInclude Include="Windas.h" />
    <ClInclude Include="XedWrap.h" />
--- a/CodeVirtualizer/CodeVirtualizer.vcxproj.filters
+++ b/CodeVirtualizer/CodeVirtualizer.vcxproj.filters
@ -17,6 +17,12 @@
    <ClInclude Include="Virtualizer.h">
      <Filter>Virtualizer</Filter>
    </ClInclude>
    <ClInclude Include="VirtualMachine.h">
      <Filter>VirtualMachine</Filter>
    </ClInclude>
    <ClInclude Include="CryptedCode.h">
      <Filter>Obfuscator</Filter>
    </ClInclude>
  </ItemGroup>
  <ItemGroup>
    <ClCompile Include="Main.cpp" />
@ -32,6 +38,12 @@
    <ClCompile Include="Virtualizer.cpp">
      <Filter>Virtualizer</Filter>
    </ClCompile>
    <ClCompile Include="VirtualMachine.cpp">
      <Filter>VirtualMachine</Filter>
    </ClCompile>
    <ClCompile Include="CryptedCode.cpp">
      <Filter>Obfuscator</Filter>
    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <Filter Include="Xed">
@ -43,5 +55,14 @@
    <Filter Include="Virtualizer">
      <UniqueIdentifier>{f74192e7-2064-44d2-983c-fac92f468c0a}</UniqueIdentifier>
    </Filter>
    <Filter Include="Virtualizer\NewFilter1">
      <UniqueIdentifier>{65f3fdd3-b851-4e50-8a48-d1ecb4af2f91}</UniqueIdentifier>
    </Filter>
    <Filter Include="VirtualMachine">
      <UniqueIdentifier>{d784ddc8-2452-41ff-bc20-582ec03b3eb5}</UniqueIdentifier>
    </Filter>
    <Filter Include="Obfuscator">
      <UniqueIdentifier>{cc5b78db-cdf7-4b83-9652-2722cbdec89e}</UniqueIdentifier>
    </Filter>
  </ItemGroup>
 </Project>
--- a/CodeVirtualizer/CryptedCode.cpp
+++ b/CodeVirtualizer/CryptedCode.cpp
@ -0,0 +1,3 @@
 #include "CryptedCode.h"
 PNATIVE_CODE_BLOCK RxEmitXorForInstruction(PNATIVE_CODE_LINK Link);
--- a/CodeVirtualizer/CryptedCode.h
+++ b/CodeVirtualizer/CryptedCode.h
@ -0,0 +1,11 @@
 #ifndef __CRYPTED_CODE_H
 #define __CRYPTED_CODE_H
 #include "Windas.h"
 #include "XedWrap.h"
 #include "NativeCode.h"
 PNATIVE_CODE_BLOCK RxEmitXorForInstruction(PNATIVE_CODE_LINK Link);
 #endif
--- a/CodeVirtualizer/NativeCode.cpp
+++ b/CodeVirtualizer/NativeCode.cpp
@ -4,16 +4,18 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK()
 {
 	XedDecodedInstZero(&XedInst);
 	XedDecodedInstSetMode(&XedInst, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b);
-	Flags = 0;
+	Flags = 0UL;
 	Next = Prev = NULL;
-	Label = 0;
+	Block = NULL;
 	Label = 0UL;
 	RawData = NULL;
 	RawDataSize = 0UL;
 }
-_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId)
+_NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B)
 	: _NATIVE_CODE_LINK()
 {
 	Block = B;
 	Label = LabelId;
 	Flags = CODE_FLAG_IS_LABEL;
 }
@ -59,14 +61,33 @@ VOID NcConcat(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2)
 	//update the label names so that there are no conflicts between the two blocks
 }
-VOID NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
+BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
 {
 }
-VOID NcInsertBlockBfore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
+BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block)
 {
 	if (!Link || !Link->Block || !Block || !Block->Start || !Block->End)
 		return FALSE;
 	if (Block->HasRelativeJumps && Link->Block->HasRelativeJumps)
 	{
 		//TODO: increment all labels inside of the block being added
 		return FALSE;
 	}
 	else
 	{
 		if (Link->Prev)
 			Link->Prev->Next = Block->Start;
 		Block->Start->Prev = Link->Prev;
 		Block->End->Next = Link;
 		Link->Prev = Block->End;
 		return TRUE;
 	}
 	return FALSE;
 }
 BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
@ -111,10 +132,11 @@ BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block)
 		}
 		else
 		{
-			NcInsertLinkBefore(JmpPos, new NATIVE_CODE_LINK(CurrentLabelId));
+			NcInsertLinkBefore(JmpPos, new NATIVE_CODE_LINK(CurrentLabelId, Block));
 			T->Label = CurrentLabelId;
 			++CurrentLabelId;
 		}
 		Block->HasRelativeJumps = TRUE;
 		T->Flags |= CODE_FLAG_IS_REL_JMP;
 	}
 	return TRUE;
@ -181,7 +203,7 @@ BOOL NcFromBuffer(PNATIVE_CODE_BLOCK Block, PVOID Buffer, ULONG BufferSize)
 			delete Link;
 			return FALSE;
 		}
-
+		Link->Block = Block;
 		Link->Prev = Block->End;
 		Block->End->Next = Link;
 		Block->End = Link;
@ -236,4 +258,5 @@ VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
 			}
 		}
 	}
-}
+}
--- a/CodeVirtualizer/NativeCode.h
+++ b/CodeVirtualizer/NativeCode.h
@ -5,24 +5,27 @@
 #include "XedWrap.h"
 #include "Code.h"
 struct _NATIVE_CODE_BLOCK;
 typedef struct _NATIVE_CODE_LINK
 {
 	_NATIVE_CODE_LINK*	Next;
 	_NATIVE_CODE_LINK*	Prev;
-
+	_NATIVE_CODE_BLOCK* Block;
 	ULONG				Flags;
 	ULONG				Label;
 	PUCHAR				RawData;
 	ULONG				RawDataSize;
 	XED_DECODED_INST	XedInst;
 	_NATIVE_CODE_LINK();
-	_NATIVE_CODE_LINK(ULONG LabelId);
+	_NATIVE_CODE_LINK(ULONG LabelId, _NATIVE_CODE_BLOCK* B);
 }NATIVE_CODE_LINK, *PNATIVE_CODE_LINK;
 typedef struct _NATIVE_CODE_BLOCK
 {
 	PNATIVE_CODE_LINK Start;
 	PNATIVE_CODE_LINK End;
 	BOOL HasRelativeJumps;
 }NATIVE_CODE_BLOCK, *PNATIVE_CODE_BLOCK;
 VOID NcInsertLinkAfter(PNATIVE_CODE_LINK Link1, PNATIVE_CODE_LINK Link2);
@ -33,9 +36,9 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link);
 VOID NcConcat(PNATIVE_CODE_BLOCK Block1, PNATIVE_CODE_BLOCK Block2);
-VOID NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);
+BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);
-VOID NcInsertBlockBfore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);
+BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block);
 BOOL NcCreateLabels(PNATIVE_CODE_BLOCK Block);
@ -48,4 +51,5 @@ VOID NcDelete(PNATIVE_CODE_BLOCK Block);
 VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block);
 #endif
--- a/CodeVirtualizer/VirtualMachine.cpp
+++ b/CodeVirtualizer/VirtualMachine.cpp
@ -0,0 +1,11 @@
 #include "VirtualMachine.h"
 PUCHAR VmEmitVmEnter(PULONG Size)
 {
 	return NULL;
 }
 PUCHAR VmEmitVmExit(PULONG Size)
 {
 	return NULL;
 }
--- a/CodeVirtualizer/VirtualMachine.h
+++ b/CodeVirtualizer/VirtualMachine.h
@ -0,0 +1,21 @@
 #ifndef __VIRTUAL_MACHINE_H
 #define __VIRTUAL_MACHINE_H
 #include "Windas.h"
 #include "XedWrap.h"
 typedef struct _VM_DATA
 {
 	PVOID RegisterFile[32];
 }VM_DATA, *PVM_DATA;
 /*
 * VmEnter:
 * Move all x86 8 byte registers into storage inside of VM_DATA structure.
 * Move address of VM_DATA structure into rcx
 * Move virtual instruction pointer into rdx
 */
 PUCHAR VmEmitVmEnter(PULONG Size);
 PUCHAR VmEmitVmExit(PULONG Size);
 #endif
--- a/CodeVirtualizer/Virtualizer.cpp
+++ b/CodeVirtualizer/Virtualizer.cpp
@ -1 +1,15 @@
-#include "Virtualizer.h"
+#include "Virtualizer.h"
 BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
 {
 	return TRUE;
 }
 BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block)
 {
 	for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next)
 	{
 		if (!ViCanHandleInst(T))
 			return FALSE;
 	}
 	return TRUE;
 }
--- a/CodeVirtualizer/Virtualizer.h
+++ b/CodeVirtualizer/Virtualizer.h
@ -6,6 +6,13 @@
 #include "NativeCode.h"
 /*
 * 
 * 
 * 
 */
 BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link);
 BOOL ViValidateNativeCodeBlock(PNATIVE_CODE_BLOCK Block);
 #endif
--- a/x64/Debug/CodeVirtualizer.ilk
+++ b/x64/Debug/CodeVirtualizer.ilk
		`@ -0,0 +1,3 @@`
							`#include "CryptedCode.h"`

							`PNATIVE_CODE_BLOCK RxEmitXorForInstruction(PNATIVE_CODE_LINK Link);`