opaque branching done

main
James 3 years ago
parent c1db74be04
commit f7b351fdb7

@ -6,6 +6,7 @@
#include "NativeCode.h"
#include "RipXorInst.h"
#include "RipMovInst.h"
#include "OpaqueBranching.h"
UCHAR TestBuffer[]{
0x48, 0x33, 0xC0,
@ -29,53 +30,18 @@ ULONG TestBufferSize = sizeof(TestBuffer);
int main()
{
XedTablesInit();
xed_state_t state;
state.mmode = XED_MACHINE_MODE_LONG_64;
state.stack_addr_width = XED_ADDRESS_WIDTH_64b;
srand(time(NULL));
xed_encoder_instruction_t inst;
//xed_inst2(&inst, state, XED_ICLASS_ADD, 0, xed_reg(XED_REG_EAX),
// xed_mem_bd(XED_REG_EDX, xed_disp(0x11223344, 32), 32));
xed_inst1(&inst, state, XED_ICLASS_JLE, 32, xed_relbr(0x1776, 32));
xed_encoder_request_t request;
xed_encoder_request_zero_set_mode(&request, &state);
if (!xed_convert_to_encoder_request(&request, &inst))
{
printf("failed to convert instruction.\n");
system("pause");
return -1;
}
unsigned char storage[15];
unsigned int len;
xed_error_enum_t err = xed_encode(&request, storage, 15, &len);
if (err != XED_ERROR_NONE)
{
printf("XedEncode failed with error %s\n", XedErrorEnumToString(err));
NATIVE_CODE_BLOCK Block;
NcDisassemble(&Block, TestBuffer, TestBufferSize);
PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
NcDebugPrint(OpaqueBranch);
system("pause");
return FALSE;
}
printf("len: %u\n", len);
for (int i = 0; i < len; i++)
{
std::cout << std::setw(2) << std::setfill('0') << std::hex << (INT)storage[i] << ' ';
}
std::cout << '\n';
return -1;
NATIVE_CODE_BLOCK Block;
XedTablesInit();
NcDisassemble(&Block, TestBuffer, TestBufferSize);
NcDebugPrint(&Block);
NATIVE_CODE_LINK T;
/*NATIVE_CODE_LINK T;
T.RawDataSize = 10;
T.RawData = new UCHAR[10];
memset(T.RawData, 0xAA, 10);
@ -88,7 +54,7 @@ int main()
NcDebugPrint(NewBlock);
printf("\n");
NcPrintBlockCode(NewBlock);
}
}*/
//PNATIVE_CODE_LINK temp = new NATIVE_CODE_LINK("Hello");
system("pause");

@ -4,10 +4,23 @@ XED_ICLASS_ENUM ObfGetRandomJccClass()
{
switch (rand() % 15)
{
default:
return XED_ICLASS_JLE;
case 0: return XED_ICLASS_JL;
case 1: return XED_ICLASS_JLE;
case 2: return XED_ICLASS_JNB;
case 3: return XED_ICLASS_JNBE;
case 4: return XED_ICLASS_JNL;
case 5: return XED_ICLASS_JNLE;
case 6: return XED_ICLASS_JNO;
case 7: return XED_ICLASS_JNP;
case 8: return XED_ICLASS_JNS;
case 9: return XED_ICLASS_JNZ;
case 10: return XED_ICLASS_JO;
case 11: return XED_ICLASS_JP;
case 12: return XED_ICLASS_JRCXZ;
case 13: return XED_ICLASS_JS;
case 14: return XED_ICLASS_JZ;
}
return XED_ICLASS_JLE;
}
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementWidth)
@ -17,11 +30,10 @@ PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementWidth)
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
ULONG DispWidth = ((rand() % 2) ? 16 : 32);
UCHAR EncodeBuffer[15];
UINT ReturnedSize;
XedInst1(&EncoderInstruction, MachineState, ObfGetRandomJccClass(), DispWidth, XedRelBr(0, DispWidth));
XedInst1(&EncoderInstruction, MachineState, ObfGetRandomJccClass(), DisplacementWidth, XedRelBr(0, DisplacementWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
@ -37,16 +49,43 @@ PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementWidth)
return NULL;
}
Link->Label = LabelId;
Link->Flags = (CODE_FLAG_IS_INST | CODE_FLAG_IS_REL_JMP);
return Link;
}
PNATIVE_CODE_LINK ObfGenJmpForOpaqueBranch(ULONG LabelId, ULONG DisplacementWidth)
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementWidth)
{
XED_STATE MachineState;
MachineState.mmode = XED_MACHINE_MODE_LONG_64;
MachineState.stack_addr_width = XED_ADDRESS_WIDTH_64b;
XED_ENCODER_INSTRUCTION EncoderInstruction;
XED_ENCODER_REQUEST EncoderRequest;
UCHAR EncodeBuffer[15];
UINT ReturnedSize;
XedInst1(&EncoderInstruction, MachineState, XED_ICLASS_JMP, DisplacementWidth, XedRelBr(0, DisplacementWidth));
XedEncoderRequestZeroSetMode(&EncoderRequest, &MachineState);
if (!XedConvertToEncoderRequest(&EncoderRequest, &EncoderInstruction))
return NULL;
if (XED_ERROR_NONE != XedEncode(&EncoderRequest, EncodeBuffer, 15, &ReturnedSize))
return NULL;
PNATIVE_CODE_LINK Link = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, EncodeBuffer, ReturnedSize);
if (XED_ERROR_NONE != XedDecode(&Link->XedInstruction, Link->RawData, Link->RawDataSize))
{
delete Link;
return NULL;
}
Link->Label = LabelId;
Link->Flags = (CODE_FLAG_IS_INST | CODE_FLAG_IS_REL_JMP);
return Link;
}
PNATIVE_CODE_BLOCK ObfGenerateOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End)
PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End)
{
if (!Start || !End || !Start->Block || Start->Block != End->Block)
return NULL;
@ -78,7 +117,7 @@ PNATIVE_CODE_BLOCK ObfGenerateOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE
delete NotTaken;
return NULL;
}
PNATIVE_CODE_LINK Jmp = ObfGenJmpForOpaqueBranch(JmpLabel);
PNATIVE_CODE_LINK Jmp = ObfGenJmpToLabel(JmpLabel);
if (!Jmp)
{
delete Jcc;

@ -7,11 +7,11 @@
XED_ICLASS_ENUM ObfGetRandomJccClass();
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementSize = 4);
PNATIVE_CODE_LINK ObfGenRandomJcc(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_LINK ObfGenJmpForOpaqueBranch(ULONG LabelId, ULONG DisplacementSize = 4);
PNATIVE_CODE_LINK ObfGenJmpToLabel(ULONG LabelId, ULONG DisplacementSize = 32);
PNATIVE_CODE_BLOCK ObfGenerateOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End);
PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK End);

Binary file not shown.
Loading…
Cancel
Save