fixed rip moving

main
James 3 years ago
parent 6d9ce964bf
commit fa0967c2d5

@ -149,8 +149,6 @@ PNATIVE_CODE_BLOCK JitEmitPreRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
RipDelta += ((FourByte - Count) * 4); RipDelta += ((FourByte - Count) * 4);
RipDelta += Delta; RipDelta += Delta;
//Add the actual instruction //Add the actual instruction
printf("%p IS THE DATAOFFSET\n", DataOffset);
system("pause");
if (!JitEmitRipRelativeMovD(Block, RipDelta, DataOffset)) if (!JitEmitRipRelativeMovD(Block, RipDelta, DataOffset))
{ {
NcDeleteBlock(Block); NcDeleteBlock(Block);
@ -242,7 +240,7 @@ PNATIVE_CODE_BLOCK JitEmitPostRipMov(PNATIVE_CODE_LINK Link, INT32 Delta)
{ {
INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2); INT32 RipDelta = Link->RawDataSize - (FourByte * 4) - (TwoByte * 2);
RipDelta += (FourByte * DWORD_MOV_INST_LENGTH); RipDelta += (FourByte * DWORD_MOV_INST_LENGTH);
RipDelta += WORD_MOV_INST_LENGTH; RipDelta += (TwoByte * WORD_MOV_INST_LENGTH);
RipDelta += BYTE_MOV_INST_LENGTH; RipDelta += BYTE_MOV_INST_LENGTH;
RipDelta *= (-1); RipDelta *= (-1);
RipDelta += Delta; RipDelta += Delta;
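Review bot: The rewritten line `RipDelta += (TwoByte * WORD_MOV_INST_LENGTH);` now scales with TwoByte, but the following `RipDelta += BYTE_MOV_INST_LENGTH;` is still added unconditionally; if the byte-sized mov is only emitted when `Link->RawDataSize - (FourByte * 4) - (TwoByte * 2)` leaves a remainder, the delta is off by one instruction length for even-sized links — the emission code is not in the hunk, so please confirm. The two test instructions in main() (5 and 1 bytes) both leave a remainder, so a zero-remainder link is not exercised by this commit. `Link->RawDataSize` appears to be ULONG, so the subtraction is unsigned before narrowing into the `INT32`; fine for these sizes, but a comment such as `// RipDelta: signed distance from the end of the emitted movs back to Link's data (small, so ULONG->INT32 is safe)` would document the intent. JitEmitPostRipMov starts and ends outside the hunk.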

@ -37,21 +37,75 @@ UCHAR TestBuffer[] = {
}; };
ULONG TestBufferSize = sizeof(TestBuffer); ULONG TestBufferSize = sizeof(TestBuffer);
UCHAR meme1[] = { 0x31, 0xc0 }; UCHAR meme1[] = { 0xb8, 0xde, 0xc0, 0xac, 0x0e };
UCHAR meme2[] = { 0xc3 };
int main() int main()
{ {
XedTablesInit(); XedTablesInit();
srand(time(NULL)); srand(time(NULL));
PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);
NcAppendToBlock(Pre1, Return1776);
NcInsertBlockAfter(Pre1->End, Post1, 0);
Pre1->End = Post1->End;
NcInsertBlockAfter(Pre1->End, Pre2, 0);
Pre1->End = Pre2->End;
NcAppendToBlock(Pre1, RetInst);
NcInsertBlockAfter(Pre1->End, Post2, 0);
Pre1->End = Post2->End;
/*Pre->Start = Return1776;
Pre->End = Return1776;*/
for (ULONG i = 0; i < Return1776->RawDataSize; i++)
Return1776->RawData[i] = (UCHAR)rand();
for (ULONG i = 0; i < RetInst->RawDataSize; i++)
RetInst->RawData[i] = (UCHAR)rand();
/*NcDebugPrint(Pre);
NcPrintBlockCode(Pre);*/
ULONG AsmLen;
PVOID Asm = NcAssemble(Pre1, &AsmLen);
PUCHAR Tb = (PUCHAR)Asm;
for (uint32_t i = 0; i < AsmLen; i++)
{
std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
}
system("pause");
typedef ULONG64(*FnGet1776)();
FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
if (ExecBuffer)
{
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
printf("The numba was: %X\n", ExecBuffer());
NATIVE_CODE_BLOCK Block; }
//NcDebugPrint(Post);
/*NATIVE_CODE_BLOCK Block;
NcDisassemble(&Block, TestBuffer, TestBufferSize); NcDisassemble(&Block, TestBuffer, TestBufferSize);
PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1)); PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink); NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
ULONG AssembledSize; ULONG AssembledSize;
PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize); PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
if (!AssembledBlock || !AssembledSize) if (!AssembledBlock || !AssembledSize)
@ -65,6 +119,7 @@ int main()
{ {
std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' '; std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
} }
*/
//PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End); //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
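Review bot: The four `printf("The numba was: %X\n", ExecBuffer());` lines pass a ULONG64 (per `typedef ULONG64(*FnGet1776)();` above) to a `%X` conversion, which expects an unsigned int; that is undefined behaviour in C and on MSVC at best prints only the low 32 bits — use `%llX` or cast the value. The harness also never releases what it allocates: the two `new NATIVE_CODE_LINK` objects, the `Asm` buffer from NcAssemble and the executable mapping from MakeExecutableBuffer are all leaked, and the `if (ExecBuffer)` branch has no diagnostic when the mapping fails. Because `RawData` of both links is overwritten with `rand()` bytes after the Pre/Post blocks are emitted, the `XedInstruction` decoded in the `_NATIVE_CODE_LINK` constructor (other hunk in this commit) no longer matches the bytes; presumably that is the point of the test, but a comment saying so would help the next reader. `main` continues past the end of this section.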

@ -28,6 +28,8 @@ _NATIVE_CODE_LINK::_NATIVE_CODE_LINK(ULONG F, PVOID Rd, ULONG Rds)
RawData = new UCHAR[Rds]; RawData = new UCHAR[Rds];
if (Rd) if (Rd)
RtlCopyMemory(RawData, Rd, Rds); RtlCopyMemory(RawData, Rd, Rds);
XedDecode(&XedInstruction, RawData, RawDataSize);
} }
_NATIVE_CODE_LINK::~_NATIVE_CODE_LINK() _NATIVE_CODE_LINK::~_NATIVE_CODE_LINK()
@ -120,7 +122,7 @@ VOID NcUnlink(PNATIVE_CODE_LINK Link)
ULONG NcCalcBlockSize(PNATIVE_CODE_BLOCK Block) ULONG NcCalcBlockSize(PNATIVE_CODE_BLOCK Block)
{ {
ULONG TotalSize = 0; ULONG TotalSize = 0;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next; T = T->Next)
{ {
if (T->Flags & CODE_FLAG_IS_LABEL) if (T->Flags & CODE_FLAG_IS_LABEL)
continue; continue;
@ -173,7 +175,7 @@ BOOL NcInsertBlockAfter(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL F
Block->Start->Prev = Link; Block->Start->Prev = Link;
Link->Next = Block->Start; Link->Next = Block->Start;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
T->Block = Link->Block; T->Block = Link->Block;
return TRUE; return TRUE;
@ -193,7 +195,7 @@ BOOL NcInsertBlockBefore(PNATIVE_CODE_LINK Link, PNATIVE_CODE_BLOCK Block, BOOL
Block->End->Next = Link; Block->End->Next = Link;
Link->Prev = Block->End; Link->Prev = Block->End;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
T->Block = Link->Block; T->Block = Link->Block;
return TRUE; return TRUE;
@ -504,7 +506,7 @@ PVOID NcAssemble(PNATIVE_CODE_BLOCK Block, PULONG OutSize)
PUCHAR BufferOffset = Buffer; PUCHAR BufferOffset = Buffer;
for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{ {
if (T->Flags & CODE_FLAG_IS_LABEL) if (T->Flags & CODE_FLAG_IS_LABEL)
continue; continue;
@ -535,7 +537,7 @@ VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
if (!ConsoleHandle) if (!ConsoleHandle)
return; return;
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{ {
if (T->Flags & CODE_FLAG_IS_LABEL) if (T->Flags & CODE_FLAG_IS_LABEL)
{ {
@ -561,7 +563,7 @@ VOID NcDebugPrint(PNATIVE_CODE_BLOCK Block)
VOID NcPrintBlockCode(PNATIVE_CODE_BLOCK Block) VOID NcPrintBlockCode(PNATIVE_CODE_BLOCK Block)
{ {
for (PNATIVE_CODE_LINK T = Block->Start; T; T = T->Next) for (PNATIVE_CODE_LINK T = Block->Start; T && T != Block->End->Next; T = T->Next)
{ {
if (!(T->Flags & CODE_FLAG_IS_LABEL)) if (!(T->Flags & CODE_FLAG_IS_LABEL))
{ {
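Review bot: The rewritten loop header in NcCalcBlockSize, `for (PNATIVE_CODE_LINK T = Block->Start; T != Block->End->Next; T = T->Next)`, drops the `T` null guard that every other rewritten loop in this section keeps (`T && T != Block->End->Next`), so a Start chain that terminates before reaching End walks off a null pointer; make it `T && T != Block->End->Next` like NcInsertBlockAfter, NcInsertBlockBefore, NcAssemble, NcDebugPrint and NcPrintBlockCode. All six loops also dereference `Block->End` unconditionally, so an empty block with `End == NULL` faults on entry; a guard like `if (!Block->Start || !Block->End) return 0;` at the top of NcCalcBlockSize (and the equivalent early return in the others) would cover it. In the constructor hunk, `XedDecode(&XedInstruction, RawData, RawDataSize);` runs even when `Rd` is null, in which case `RawData` is a freshly `new`ed, uninitialized buffer, and nothing records whether the decode succeeded — decode only when `Rd` is non-null and keep or check the result. The enclosing functions start and end outside the hunks.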

@ -135,6 +135,7 @@ PNATIVE_CODE_BLOCK ObfGenOpaqueBranch(PNATIVE_CODE_LINK Start, PNATIVE_CODE_LINK
NcAppendToBlock(Taken, new NATIVE_CODE_LINK(JmpLabel, Taken)); NcAppendToBlock(Taken, new NATIVE_CODE_LINK(JmpLabel, Taken));
NcInsertBlockAfter(NotTaken->End, Taken, FALSE); NcInsertBlockAfter(NotTaken->End, Taken, FALSE);
NotTaken->End = Taken->End;
delete Taken; delete Taken;
return NotTaken; return NotTaken;
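Review bot: The added `NotTaken->End = Taken->End;` assumes the preceding `NcInsertBlockAfter(NotTaken->End, Taken, FALSE)` succeeded, but that function returns BOOL (see its hunk in this commit) and the result is dropped, so a failed insert leaves NotTaken->End pointing into a block that was never linked and is deleted on the next line. Guard the call, e.g. `if (!NcInsertBlockAfter(NotTaken->End, Taken, FALSE)) { delete Taken; return NULL; }` mirroring the earlier `return NULL` paths, before updating End. Whether `delete Taken` frees the links that NotTaken now claims depends on the NATIVE_CODE_BLOCK destructor, which is not in the diff — confirm it does not, otherwise End dangles. ObfGenOpaqueBranch starts outside the hunk.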




@ -607,7 +607,7 @@ pdata ENDS
; COMDAT pdata ; COMDAT pdata
pdata SEGMENT pdata SEGMENT
$pdata$?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z DD imagerel $LN29 $pdata$?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z DD imagerel $LN29
DD imagerel $LN29+1160 DD imagerel $LN29+1176
DD imagerel $unwind$?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z DD imagerel $unwind$?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z
pdata ENDS pdata ENDS
; COMDAT pdata ; COMDAT pdata
@ -4232,7 +4232,7 @@ $T12 = 808
$T13 = 840 $T13 = 840
$T14 = 872 $T14 = 872
$T15 = 904 $T15 = 904
tv214 = 920 tv216 = 920
tv204 = 920 tv204 = 920
tv189 = 920 tv189 = 920
tv171 = 920 tv171 = 920
@ -4297,7 +4297,7 @@ $LN3@ObfGenOpaq:
; 91 : return NULL; ; 91 : return NULL;
00086 33 c0 xor eax, eax 00086 33 c0 xor eax, eax
00088 e9 cc 03 00 00 jmp $LN1@ObfGenOpaq 00088 e9 dc 03 00 00 jmp $LN1@ObfGenOpaq
$LN2@ObfGenOpaq: $LN2@ObfGenOpaq:
; 92 : ; 92 :
@ -4319,7 +4319,7 @@ $LN2@ObfGenOpaq:
; 96 : return NULL; ; 96 : return NULL;
000ab 33 c0 xor eax, eax 000ab 33 c0 xor eax, eax
000ad e9 a7 03 00 00 jmp $LN1@ObfGenOpaq 000ad e9 b7 03 00 00 jmp $LN1@ObfGenOpaq
$LN4@ObfGenOpaq: $LN4@ObfGenOpaq:
; 97 : } ; 97 : }
@ -4367,7 +4367,7 @@ $LN10@ObfGenOpaq:
; 103 : return NULL; ; 103 : return NULL;
00113 33 c0 xor eax, eax 00113 33 c0 xor eax, eax
00115 e9 3f 03 00 00 jmp $LN1@ObfGenOpaq 00115 e9 4f 03 00 00 jmp $LN1@ObfGenOpaq
$LN5@ObfGenOpaq: $LN5@ObfGenOpaq:
; 104 : } ; 104 : }
@ -4486,7 +4486,7 @@ $LN14@ObfGenOpaq:
; 118 : return NULL; ; 118 : return NULL;
00234 33 c0 xor eax, eax 00234 33 c0 xor eax, eax
00236 e9 1e 02 00 00 jmp $LN1@ObfGenOpaq 00236 e9 2e 02 00 00 jmp $LN1@ObfGenOpaq
$LN6@ObfGenOpaq: $LN6@ObfGenOpaq:
; 119 : } ; 119 : }
@ -4583,7 +4583,7 @@ $LN20@ObfGenOpaq:
; 128 : return NULL; ; 128 : return NULL;
00320 33 c0 xor eax, eax 00320 33 c0 xor eax, eax
00322 e9 32 01 00 00 jmp $LN1@ObfGenOpaq 00322 e9 42 01 00 00 jmp $LN1@ObfGenOpaq
$LN7@ObfGenOpaq: $LN7@ObfGenOpaq:
; 129 : } ; 129 : }
@ -4674,50 +4674,57 @@ $LN24@ObfGenOpaq:
00412 48 8b 48 08 mov rcx, QWORD PTR [rax+8] 00412 48 8b 48 08 mov rcx, QWORD PTR [rax+8]
00416 e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter 00416 e8 00 00 00 00 call ?NcInsertBlockAfter@@YAHPEAU_NATIVE_CODE_LINK@@PEAU_NATIVE_CODE_BLOCK@@H@Z ; NcInsertBlockAfter
; 138 : ; 138 : NotTaken->End = Taken->End;
; 139 : delete Taken;
0041b 48 8b 45 08 mov rax, QWORD PTR NotTaken$[rbp]
0041f 48 8b 4d 28 mov rcx, QWORD PTR Taken$[rbp]
00423 48 8b 49 08 mov rcx, QWORD PTR [rcx+8]
00427 48 89 48 08 mov QWORD PTR [rax+8], rcx
; 139 :
; 140 : delete Taken;
0041b 48 8b 45 28 mov rax, QWORD PTR Taken$[rbp] 0042b 48 8b 45 28 mov rax, QWORD PTR Taken$[rbp]
0041f 48 89 85 88 03 0042f 48 89 85 88 03
00 00 mov QWORD PTR $T15[rbp], rax 00 00 mov QWORD PTR $T15[rbp], rax
00426 48 83 bd 88 03 00436 48 83 bd 88 03
00 00 00 cmp QWORD PTR $T15[rbp], 0 00 00 00 cmp QWORD PTR $T15[rbp], 0
0042e 74 1a je SHORT $LN25@ObfGenOpaq 0043e 74 1a je SHORT $LN25@ObfGenOpaq
00430 ba 01 00 00 00 mov edx, 1 00440 ba 01 00 00 00 mov edx, 1
00435 48 8b 8d 88 03 00445 48 8b 8d 88 03
00 00 mov rcx, QWORD PTR $T15[rbp] 00 00 mov rcx, QWORD PTR $T15[rbp]
0043c e8 00 00 00 00 call ??_G_NATIVE_CODE_BLOCK@@QEAAPEAXI@Z 0044c e8 00 00 00 00 call ??_G_NATIVE_CODE_BLOCK@@QEAAPEAXI@Z
00441 48 89 85 98 03 00451 48 89 85 98 03
00 00 mov QWORD PTR tv214[rbp], rax 00 00 mov QWORD PTR tv216[rbp], rax
00448 eb 0b jmp SHORT $LN26@ObfGenOpaq 00458 eb 0b jmp SHORT $LN26@ObfGenOpaq
$LN25@ObfGenOpaq: $LN25@ObfGenOpaq:
0044a 48 c7 85 98 03 0045a 48 c7 85 98 03
00 00 00 00 00 00 00 00 00 00
00 mov QWORD PTR tv214[rbp], 0 00 mov QWORD PTR tv216[rbp], 0
$LN26@ObfGenOpaq: $LN26@ObfGenOpaq:
; 140 : return NotTaken; ; 141 : return NotTaken;
00455 48 8b 45 08 mov rax, QWORD PTR NotTaken$[rbp] 00465 48 8b 45 08 mov rax, QWORD PTR NotTaken$[rbp]
$LN1@ObfGenOpaq: $LN1@ObfGenOpaq:
; 141 : } ; 142 : }
00459 48 8b f8 mov rdi, rax 00469 48 8b f8 mov rdi, rax
0045c 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32] 0046c 48 8d 4d e0 lea rcx, QWORD PTR [rbp-32]
00460 48 8d 15 00 00 00470 48 8d 15 00 00
00 00 lea rdx, OFFSET FLAT:?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z$rtcFrameData 00 00 lea rdx, OFFSET FLAT:?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z$rtcFrameData
00467 e8 00 00 00 00 call _RTC_CheckStackVars 00477 e8 00 00 00 00 call _RTC_CheckStackVars
0046c 48 8b c7 mov rax, rdi 0047c 48 8b c7 mov rax, rdi
0046f 48 8b 8d a0 03 0047f 48 8b 8d a0 03
00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp] 00 00 mov rcx, QWORD PTR __$ArrayPad$[rbp]
00476 48 33 cd xor rcx, rbp 00486 48 33 cd xor rcx, rbp
00479 e8 00 00 00 00 call __security_check_cookie 00489 e8 00 00 00 00 call __security_check_cookie
0047e 48 8d a5 b8 03 0048e 48 8d a5 b8 03
00 00 lea rsp, QWORD PTR [rbp+952] 00 00 lea rsp, QWORD PTR [rbp+952]
00485 5f pop rdi 00495 5f pop rdi
00486 5d pop rbp 00496 5d pop rbp
00487 c3 ret 0 00497 c3 ret 0
?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z ENDP ; ObfGenOpaqueBranch ?ObfGenOpaqueBranch@@YAPEAU_NATIVE_CODE_BLOCK@@PEAU_NATIVE_CODE_LINK@@0@Z ENDP ; ObfGenOpaqueBranch
_TEXT ENDS _TEXT ENDS
; COMDAT text$x ; COMDAT text$x
@ -4739,7 +4746,7 @@ $T12 = 808
$T13 = 840 $T13 = 840
$T14 = 872 $T14 = 872
$T15 = 904 $T15 = 904
tv214 = 920 tv216 = 920
tv204 = 920 tv204 = 920
tv189 = 920 tv189 = 920
tv171 = 920 tv171 = 920
@ -4789,7 +4796,7 @@ $T12 = 808
$T13 = 840 $T13 = 840
$T14 = 872 $T14 = 872
$T15 = 904 $T15 = 904
tv214 = 920 tv216 = 920
tv204 = 920 tv204 = 920
tv189 = 920 tv189 = 920
tv171 = 920 tv171 = 920
@ -4840,7 +4847,7 @@ $T12 = 808
$T13 = 840 $T13 = 840
$T14 = 872 $T14 = 872
$T15 = 904 $T15 = 904
tv214 = 920 tv216 = 920
tv204 = 920 tv204 = 920
tv189 = 920 tv189 = 920
tv171 = 920 tv171 = 920
@ -4891,7 +4898,7 @@ $T12 = 808
$T13 = 840 $T13 = 840
$T14 = 872 $T14 = 872
$T15 = 904 $T15 = 904
tv214 = 920 tv216 = 920
tv204 = 920 tv204 = 920
tv189 = 920 tv189 = 920
tv171 = 920 tv171 = 920
