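// Test harness for the native-code obfuscator: disassembles a small
// hand-assembled routine, runs obfuscation passes over it, re-assembles the
// result, executes it, and prints its return value next to the reference
// implementation's.

// Standard headers for the std:: and C runtime names used in this file.
// NOTE(review): the Win32 types and APIs used below (PVOID, ULONG,
// VirtualAlloc, ...) are presumably pulled in through Windas.h - confirm.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <ctime>
#include <fstream>
#include <iomanip>
#include <iostream>

#include "Windas.h"
#include "XedWrap.h"
#include "NativeCode.h"
#include "Obfuscator.h"

// Prints BufSize bytes starting at Buff to stdout as space-separated,
// zero-padded two-digit hex values.
VOID PrintByteArr(PVOID Buff, ULONG BufSize)
{
    if (!Buff)
        return;

    // std::hex and the fill character are sticky on the stream, so remember
    // the caller's formatting and put it back afterwards.
    const std::ios_base::fmtflags SavedFlags = std::cout.flags();
    const char SavedFill = std::cout.fill();

    const UCHAR* Bytes = static_cast<const UCHAR*>(Buff);
    for (ULONG i = 0; i < BufSize; i++)
        std::cout << std::hex << std::setw(2) << std::setfill('0') << static_cast<int>(Bytes[i]) << ' ';

    std::cout.flags(SavedFlags);
    std::cout.fill(SavedFill);
}

// Copies BufferSize bytes from Buffer into freshly allocated executable
// memory and returns the new allocation, or NULL on failure.
// The caller owns the result and releases it with VirtualFree(p, 0, MEM_RELEASE).
PVOID MakeExecutableBuffer(PVOID Buffer, ULONG BufferSize)
{
    if (!Buffer || !BufferSize)
        return NULL;

    // NOTE(review): the region is mapped writable AND executable, so any memory
    // write primitive in this process becomes code execution. The disabled
    // JitEmitPreRipMov/JitEmitPostRipMov experiments in main() suggest the
    // emitted code may patch itself at run time, which would need RWX - confirm.
    // If it does not, allocate PAGE_READWRITE, copy, then VirtualProtect the
    // region to PAGE_EXECUTE_READ before calling into it.
    PVOID ExecBuffer = VirtualAlloc(nullptr, BufferSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (!ExecBuffer)
        return NULL;

    RtlCopyMemory(ExecBuffer, Buffer, BufferSize);

    // Documented requirement after writing code into memory; a no-op cost on x86.
    FlushInstructionCache(GetCurrentProcess(), ExecBuffer, BufferSize);

    // The original fell off the end of this non-void function without returning
    // the allocation, which is undefined behaviour.
    return ExecBuffer;
}

// Dumps BufferSize bytes from Buffer to a binary file for offline inspection.
// Both fout.open() calls are commented out, so as written no file is opened
// and nothing is written; re-enable one with a path valid on your machine.
VOID PutToFile(PVOID Buffer, ULONG BufferSize)
{
    std::ofstream fout;
    // fout.open("C:\\Users\\James\\Desktop\\fantern\\Test.m", std::ios::binary | std::ios::out);
    //fout.open("C:\\Users\\Iizerd\\Desktop\\Leeg Hake\\Test.m", std::ios::binary | std::ios::out);

    // Writing to a stream that was never opened only sets failbit; say so
    // instead of failing silently.
    if (!fout.is_open())
    {
        fprintf(stderr, "PutToFile: no output file is open, skipping dump.\n");
        return;
    }

    fout.write(static_cast<const char*>(Buffer), BufferSize);
    fout.close();
}

// Disassembler test input; only referenced by the disabled experiments in main().
// The two-byte branch instructions were left commented out by the author.
UCHAR TestBuffer[] = {
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    //0xEB, 0x0E,
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    //0x7E, 0x06,
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    0x48, 0x33, 0xC0,                                           // xor rax, rax
    //0xEB, 0xF8,
    0x50,                                                       // push rax
    0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, // mov rax, imm64
    0x48, 0x87, 0x04, 0x24,                                     // xchg [rsp], rax
    0xC3,                                                       // ret
};
ULONG TestBufferSize = sizeof(TestBuffer);

// xor eax, eax followed by a run of "add eax, 1" and a ret; only referenced by
// the disabled experiments in main().
UCHAR meme1[] = {
    0x31, 0xc0,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0x83, 0xc0, 0x01,
    0xc3,
};

// The routine under test. It loops RCX times, adding 1 to RAX on every
// iteration, so for Num >= 1 it returns Num. The counter is the full 64-bit
// RCX, so the caller must pass a 64-bit argument.
UCHAR RetNumCode[] = {
    0x33, 0xC0,             // xor eax, eax
    0x48, 0x83, 0xC0, 0x01, // loop: add rax, 1
    0x48, 0x83, 0xE9, 0x01, // sub rcx, 1
    0x48, 0x83, 0xC1, 0x01, // add rcx, 1
    0x48, 0x83, 0xC0, 0x02, // add rax, 2
    0x48, 0x83, 0xE8, 0x02, // sub rax, 2
    0x48, 0x83, 0xE9, 0x01, // sub rcx, 1
    0x75, 0xE6,             // jnz loop
    0xC3                    // ret
};

// Reference implementation, declared here and defined outside this file.
EXTERN_C ULONG64 RetNum(ULONG64 Num);

// Runs the obfuscation passes over RetNumCode, executes the re-assembled code
// and prints its result beside RetNum's so the two can be compared.
// Returns 0 on success, 1 if assembling or the executable allocation fails.
int main()
{
    XedTablesInit();
    srand(static_cast<unsigned int>(time(NULL)));
    system("pause");

    NATIVE_CODE_BLOCK RetNumBlock;
    NcDisassemble(&RetNumBlock, RetNumCode, sizeof(RetNumCode));

    // First pass: every instruction is eligible for mutation and for an opaque branch.
    OBFUSCATOR Obf;
    Obf.Flags = 0;
    Obf.MinSizeForOpaqueBranch = 1;
    Obf.InstructionMutateChance = 100;
    Obf.OpaqueBranchChance = 100;
    Obf.MinDepthForRandomOpaqueBranch = 0;
    Obf.GlobalBlock = &RetNumBlock;
    Obf.BlockDivisionFactor = 2;
    Obf.MaxDepth = 800000;
    ObfObfuscate1(&Obf, &RetNumBlock);

    // Later passes: mutation off, opaque branches only, with a growing minimum size.
    Obf.MinSizeForOpaqueBranch = 5;
    Obf.InstructionMutateChance = 0;
    Obf.OpaqueBranchChance = 100;
    ObfObfuscate1(&Obf, &RetNumBlock, 0);

    Obf.MinSizeForOpaqueBranch = 50;
    ObfObfuscate1(&Obf, &RetNumBlock, 0);
    printf("Finished second pas.\n");

    //Obf.MinSizeForOpaqueBranch = 200;
    //ObfObfuscate1(&Obf, &RetNumBlock);
    //Obf.MinSizeForOpaqueBranch = 30;
    //ObfObfuscate(&Obf, &RetNumBlock);

    NcDebugPrint(&RetNumBlock);

    ULONG AsmSize;
    PVOID Asm = NcAssemble(&RetNumBlock, &AsmSize);
    if (!Asm)
    {
        printf("failed to assemble\n");
        system("pause");
        return 1;
    }
    // NOTE(review): Asm is never released here; how NcAssemble allocates it is
    // not visible in this file.
    PutToFile(Asm, AsmSize);
    system("pause");

    PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
    if (!Exec)
    {
        // Calling through a null pointer would crash; stop cleanly instead.
        printf("failed to allocate executable buffer\n");
        system("pause");
        return 1;
    }

    // The parameter is ULONG64 to match RetNum and the 64-bit RCX counter in
    // RetNumCode; with a 32-bit parameter the upper half of RCX is not
    // guaranteed to be zero at the call.
    typedef ULONG64(*FnRetNum)(ULONG64 Num);
    const ULONG64 Obfuscated = reinterpret_cast<FnRetNum>(Exec)(1776);
    const ULONG64 Original = RetNum(1776);
    printf("\n\nSize: %u Obfuscated: %llu Original: %llu\n\n", NcCountInstructions(&RetNumBlock), Obfuscated, Original);

    VirtualFree(Exec, 0, MEM_RELEASE);
    NcDeleteBlock(&RetNumBlock);
    system("pause");

    // ---- Disabled experiments kept by the author ----

    /*NATIVE_CODE_BLOCK Block;
    NcDisassemble(&Block, meme1, sizeof(meme1));
    OBFUSCATOR Obf;
    Obf.Flags = 0;
    Obf.MinSizeForOpaqueBranch = 12;
    Obf.GlobalBlock = &Block;
    ObfObfuscate(&Obf, &Block);
    Obf.MinSizeForOpaqueBranch = 4;
    ObfObfuscate(&Obf, &Block);
    NcDebugPrint(&Block);
    ULONG ByteSize = NcCalcBlockSizeInBytes(&Block);
    ULONG InstSize = NcCountInstructions(&Block);
    printf("Bytes: %u, Insts: %u, FlagsMeme: %u.\n", ByteSize, InstSize, Obf.Flags);
    ULONG AsmSize;
    PVOID Asm = NcAssemble(&Block, &AsmSize);
    PVOID Exec = MakeExecutableBuffer(Asm, AsmSize);
    typedef ULONG(*FnGetFour)();
    printf("numba is: %u size is %u\n\n", ((FnGetFour)Exec)(), AsmSize);
    PutToFile(Asm, AsmSize);*/

    //PNATIVE_CODE_LINK Return1776 = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
    //PNATIVE_CODE_LINK RetInst = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme2, sizeof(meme2));
    //PNATIVE_CODE_BLOCK Pre1 = JitEmitPreRipMov(Return1776);
    //PNATIVE_CODE_BLOCK Post1 = JitEmitPostRipMov(Return1776);
    //PNATIVE_CODE_BLOCK Pre2 = JitEmitPreRipMov(RetInst);
    //PNATIVE_CODE_BLOCK Post2 = JitEmitPostRipMov(RetInst);

    //NcAppendToBlock(Pre1, Return1776);
    //NcInsertBlockAfter(Pre1->End, Post1, 0);
    //Pre1->End = Post1->End;
    //NcInsertBlockAfter(Pre1->End, Pre2, 0);
    //Pre1->End = Pre2->End;
    //NcAppendToBlock(Pre1, RetInst);
    //NcInsertBlockAfter(Pre1->End, Post2, 0);
    //Pre1->End = Post2->End;

    ///*Pre->Start = Return1776;
    //Pre->End = Return1776;*/
    //for (ULONG i = 0; i < Return1776->RawDataSize; i++)
    //    Return1776->RawData[i] = (UCHAR)rand();
    //for (ULONG i = 0; i < RetInst->RawDataSize; i++)
    //    RetInst->RawData[i] = (UCHAR)rand();

    //ULONG AsmLen;
    //PVOID Asm = NcAssemble(Pre1, &AsmLen);
    //PUCHAR Tb = (PUCHAR)Asm;
    //for (uint32_t i = 0; i < AsmLen; i++)
    //{
    //    std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
    //}
    //system("pause");
    //typedef ULONG64(*FnGet1776)();
    //FnGet1776 ExecBuffer = (FnGet1776)MakeExecutableBuffer(Asm, AsmLen);
    //if (ExecBuffer)
    //{
    //    printf("The numba was: %X\n", ExecBuffer());
    //    printf("The numba was: %X\n", ExecBuffer());
    //    printf("The numba was: %X\n", ExecBuffer());
    //    printf("The numba was: %X\n", ExecBuffer());
    //}

    //NcDebugPrint(Post);

    /*NATIVE_CODE_BLOCK Block;
    NcDisassemble(&Block, TestBuffer, TestBufferSize);
    PNATIVE_CODE_LINK NewLink = new NATIVE_CODE_LINK(CODE_FLAG_IS_INST, meme1, sizeof(meme1));
    NcInsertLinkBefore(Block.End->Prev->Prev->Prev->Prev, NewLink);
    ULONG AssembledSize;
    PVOID AssembledBlock = NcAssemble(&Block, &AssembledSize);
    if (!AssembledBlock || !AssembledSize)
    {
        printf("Something failed.\n");
        system("pause");
        return -1;
    }
    PUCHAR Tb = (PUCHAR)AssembledBlock;
    for (uint32_t i = 0; i < AssembledSize; i++)
    {
        std::cout << std::hex << std::setw(2) << std::setfill('0') << (int)Tb[i] << ' ';
    }
    */

    //PNATIVE_CODE_BLOCK OpaqueBranch = ObfGenOpaqueBranch(Block.Start, Block.End);
    //NcDebugPrint(OpaqueBranch);

    /*NATIVE_CODE_LINK T;
    T.RawDataSize = 10;
    T.RawData = new UCHAR[10];
    memset(T.RawData, 0xAA, 10);
    JIT_BITWISE_DATA Data;
    RtlSecureZeroMemory(&Data, sizeof(JIT_BITWISE_DATA));
    PNATIVE_CODE_BLOCK NewBlock = JitEmitPreRipMov(&T);
    if (NewBlock)
    {
        printf("\n");
        NcDebugPrint(NewBlock);
        printf("\n");
        NcPrintBlockCode(NewBlock);
    }
    system("pause");*/

    return 0;
}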