diff --git a/ShellcodeObfuscator/Obfuscator.cpp b/ShellcodeObfuscator/Obfuscator.cpp
index d94ff22..28b51b0 100644
--- a/ShellcodeObfuscator/Obfuscator.cpp
+++ b/ShellcodeObfuscator/Obfuscator.cpp
@@ -71,88 +71,115 @@ bool obf_init_from_buffer(pobfuscator_t obf, void* buffer, int buffer_size) } } -bool obf_create_groups(pobfuscator_t obf, int group_size) +bool obf_create_groups(pobfuscator_t obf, int32_t group_size) { - //remake cuz this shit broke as fuck - - - //obf->groups.clear(); - - ///*if (group_size < 24) - // return false;*/ - - //int cur_group_id = 0, cur_size_in_bytes = 0; - //pcode_link_t start = obf->code_start->next; - //for (pcode_link_t t = obf->code_start->next; t;) - //{ - // pcode_link_t real_next = t->next; - // if (!(t->flags & CLFLAG_IS_GAGET) && !(t->flags & CLFLAG_IS_LABEL)) - // { - // if (cur_size_in_bytes + t->raw_data_size /*+ END_OF_GROUP_GAGT_SIZE*/ > group_size) - // { - // std::string group_label_name = "Group"; - // group_label_name.append(std::to_string(cur_group_id + 1)); - // pcode_link_t lab = new code_link_t; - // lab->flags = CLFLAG_IS_LABEL; - // lab->label_name = group_label_name; - // lab->group = cur_group_id; - - // pcode_link_t gadget = new code_link_t; - // gadget->flags = 0; - // gadget->label_name = ""; - // gadget->raw_data = new unsigned char[6]; - // gadget->raw_data_size = 6; - // gadget->group = cur_group_id; - // unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 }; - // memcpy(gadget->raw_data, gadget_data, 6); - - // pcode_link_t abs_addr = new code_link_t; - // abs_addr->flags = CLFLAG_IS_ABS_ADDR; - // abs_addr->label_name = group_label_name; - // abs_addr->raw_data = new unsigned char[8]; - // abs_addr->raw_data_size = 8; - // abs_addr->group = cur_group_id; - - // t->prev->next = gadget; - // gadget->next = abs_addr; - // abs_addr->next = lab; - // lab->next = t;// real_next; - - // gadget->prev = t->prev; - // abs_addr->prev = gadget; - // lab->prev = abs_addr; - // t->prev = lab; - - // - - // printf("creating group %d\n", cur_group_id); - // obf->groups.emplace_back(); - // obf->groups.back().size_in_bytes = cur_size_in_bytes + END_OF_GROUP_GAGT_SIZE; - // obf->groups.back().start 
= start; - // obf->groups.back().base_address = cur_group_id; - // cur_size_in_bytes = 0; - // cur_group_id++; - // start = t; - // } - // } - - // cur_size_in_bytes += t->raw_data_size; - // t->group = cur_group_id; - // t = real_next; - //} - - //obf->groups.emplace_back(); - //obf->groups.back().size_in_bytes = cur_size_in_bytes + 16; - //obf->groups.back().start = start; - //obf->groups.back().base_address = cur_group_id; - - //return true; + int cur_group_id = 0; + int cur_offset = 0; + + //assign instructions to groups + for (pcode_link_t t = obf->code_start->next; t; t = t->next) + { + if (!(t->flags & CLFLAG_IS_LABEL)) + { + if (!(t->flags & CLFLAG_IS_GAGET)) + { + if (cur_offset + t->raw_data_size > group_size) + { + ++cur_group_id; + cur_offset = 0; + } + } + cur_offset += t->raw_data_size; + t->group = cur_group_id; + } + } + + //assign labels to their proper groups + for (pcode_link_t t = obf->code_start->next; t; t = t->next) + { + if (t->flags & CLFLAG_IS_LABEL) + { + pcode_link_t t2 = t; + while (t2 && (t2->flags & CLFLAG_IS_LABEL)) { t2 = t2->next; } + if (t2) t->group = t2->group; + } + } + + //create group descriptors + obf->groups.clear(); + pcode_link_t start = obf->code_start->next; + cur_offset = 0; + pcode_link_t prev_meme = nullptr; + for (pcode_link_t t = obf->code_start->next; t; t = t->next) + { + if (start->group != t->group) + { + obf->groups.emplace_back(0, start, t->prev, cur_offset); + cur_offset = 0; + start = t; + } + cur_offset += t->raw_data_size; + prev_meme = t; + } + if (!prev_meme) + return false; + obf->groups.emplace_back(0, start, prev_meme, cur_offset); + + //append jumps to next group onto end + for (uint32_t i = 0; i < obf->groups.size() - 1; i++) + { + pcode_group_t cur_group = &obf->groups[i]; + pcode_group_t next_group = &obf->groups[i+1]; + + //add jump gadget to end of current group + pcode_link_t gadget = new code_link_t; + gadget->flags = CLFLAG_IS_GAGET; + gadget->label_name = ""; + gadget->raw_data = new 
unsigned char[6]; + gadget->raw_data_size = 6; + gadget->group = i; + unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 }; + memcpy(gadget->raw_data, gadget_data, 6); + + pcode_link_t abs_addr = new code_link_t; + abs_addr->flags = (CLFLAG_IS_GAGET | CLFLAG_IS_ABS_ADDR); + abs_addr->label_name = std::string("Group") + std::to_string(i + 1); + abs_addr->raw_data = new unsigned char[8]; + abs_addr->raw_data_size = 8; + abs_addr->group = i; + + pcode_link_t real_next = cur_group->end->next; + cur_group->end->next = gadget; + gadget->next = abs_addr; + abs_addr->next = real_next; + + real_next->prev = abs_addr; + abs_addr->prev = gadget; + gadget->prev = cur_group->end; + + cur_group->end = abs_addr; + + //add label to beginning of next group + pcode_link_t next_group_label = new code_link_t; + next_group_label->flags = CLFLAG_IS_LABEL; + next_group_label->label_name = std::string("Group") + std::to_string(i + 1); + next_group_label->group = i + 1; + + pcode_link_t real_prev = next_group->start->prev; + next_group->start->prev = next_group_label; + real_prev->next = next_group_label; + next_group_label->next = next_group->start; + next_group_label->prev = real_prev; + next_group->start = next_group_label; + } + + return true; } void obf_replace_rel_jmps(pobfuscator_t obf) { // original_jump -------------------------. - // jmp 0x10(0xEB, 0x10) ------------------ | -----. + // jmp 0x0E(0xEB, 0x0E) ------------------ | -----. // jmp qword ptr[rip] <----------------' | // address here(8 bytes) | // not taken branch code <-----------------------' @@ -204,7 +231,7 @@ void obf_replace_rel_jmps(pobfuscator_t obf) } } -bool obf_replace_abs_jmps(pobfuscator_t obf) +bool obf_resolve_abs_addresses(pobfuscator_t obf) { for (pcode_link_t t = obf->code_start->next; t; t = t->next) { 
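Review bot: The label link created in the last loop of obf_create_groups (`next_group_label = new code_link_t`) never sets `raw_data` or `raw_data_size`, and `_code_link_t` carries no default member initializers (see the Obfuscator.h hunk), so those fields are indeterminate; the descriptor loop above does `cur_offset += t->raw_data_size` for every link including labels, so a second call on the same list, or any other reader of the field, would consume garbage. Add `next_group_label->raw_data = nullptr;` and `next_group_label->raw_data_size = 0;` next to the other field assignments (or give the struct default initializers). The split test `cur_offset + t->raw_data_size > group_size` mixes `unsigned int` with `int32_t` (the committed build log reports C4018 at this line), so a negative `group_size` silently converts and never splits; a guard `if (group_size <= 0) return false;` at the top of the function closes that. `real_next->prev = abs_addr;` also dereferences without a null check, which appears to hold only because the descriptors are built contiguously so `cur_group->end->next` is non-null for every `i < size() - 1`; a `if (!real_next) return false;` would make that assumption explicit. Note that each descriptor's `size_in_bytes` is computed before the 6+8 byte gadget pair is appended and is not updated afterwards, so it presumably undercounts unless `obf_get_group_size` recomputes from the links — worth confirming.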
@@ -273,7 +300,6 @@ bool obf_gen_all_labels(pobfuscator_t obf) bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta) { - obf->current_label_id++; pcode_link_t temp; //when going positive, counting starts at NEXT instruction(excluding size of jmp) //when negative, counting INCLUDES the size of the jmp instructrion @@ -316,7 +342,7 @@ bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta) //couldnt find label, adding new one pcode_link_t new_label = new code_link_t; new_label->flags = CLFLAG_IS_LABEL; - new_label->label_name = std::to_string(obf->current_label_id); + new_label->label_name = std::to_string(++obf->current_label_id); jmp->label_name = new_label->label_name; new_label->next = temp; @@ -328,22 +354,41 @@ bool obf_gen_label(pobfuscator_t obf, pcode_link_t jmp, int32_t delta) return true; } +#include + void obf_dbg_print_code(pobfuscator_t obf) { + HANDLE StdHandle = GetStdHandle(STD_OUTPUT_HANDLE); + if (!StdHandle) + return; + + + for (pcode_link_t t = obf->code_start->next; t; t = t->next) { + if (t->group % 2) + SetConsoleTextAttribute(StdHandle, 12); + else + SetConsoleTextAttribute(StdHandle, 14); + if (t->flags & CLFLAG_IS_REL_JUMP) { - printf("\tJump to: %s ", t->label_name.data()); + printf("\tRel jmp to: %s\t\t", t->label_name.data()); } else if (t->flags & CLFLAG_IS_LABEL) { - printf("Label: %s ", t->label_name.data()); + //SetConsoleTextAttribute(StdHandle, 13); + printf("Label: %s \n", t->label_name.data()); + } + else if (t->flags & CLFLAG_IS_ABS_ADDR) + { + printf("\tAbs jmp to: %s\t", t->label_name.data()); } else { - printf("\tRegular Instruction. "); + printf("\tInstruction: \t\t"); } + if (!(t->flags & CLFLAG_IS_LABEL)) { obf_print_byte_array(t->raw_data, t->raw_data_size); diff --git a/ShellcodeObfuscator/Obfuscator.h b/ShellcodeObfuscator/Obfuscator.h index a634775..93f67fc 100644 --- a/ShellcodeObfuscator/Obfuscator.h +++ b/ShellcodeObfuscator/Obfuscator.h 
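Review bot: In obf_dbg_print_code the guard `if (!StdHandle) return;` misses the failure value of GetStdHandle, which is INVALID_HANDLE_VALUE rather than NULL; check both, `if (!StdHandle || StdHandle == INVALID_HANDLE_VALUE) return;`. The function also changes the console colour with SetConsoleTextAttribute on every link and, as far as the hunk shows, never restores the original attributes (the function body continues past the hunk end, so this may be handled there; if not, capture them once with GetConsoleScreenBufferInfo and restore before returning). The new `#include` directive (its target was lost in rendering) sits between two function definitions; it belongs with the other includes at the top of Obfuscator.cpp. The two `obf_gen_label` hunks above are consistent with each other and need no change.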
@@ -19,34 +19,37 @@ extern "C" typedef struct _code_link_t { - _code_link_t* next; - _code_link_t* prev; + _code_link_t* next; + _code_link_t* prev; - uint32_t flags; - int group; - std::string label_name; + uint32_t flags; + int32_t group; + std::string label_name; xed_decoded_inst_t instruction; unsigned char* raw_data; - unsigned int raw_data_size; + unsigned int raw_data_size; }code_link_t, * pcode_link_t; typedef struct _code_group_t { - uint64_t base_address; + uint64_t base_address; pcode_link_t start; - int size_in_bytes; + pcode_link_t end; + int32_t size_in_bytes; + _code_group_t(uint64_t ba = 0, pcode_link_t s = nullptr, pcode_link_t e = nullptr, int32_t si = 0) + : base_address(ba), start(s), end(e), size_in_bytes(si) {}; }code_group_t, *pcode_group_t; typedef struct _obfuscator_t { - pcode_link_t code_start; - pcode_link_t code_end; - std::vector groups; - int group_size; - int current_label_id; - xed_machine_mode_enum_t machine_mode; - xed_address_width_enum_t addr_width; + pcode_link_t code_start; + pcode_link_t code_end; + std::vector groups; + int32_t group_size; + int32_t current_label_id; + xed_machine_mode_enum_t machine_mode; + xed_address_width_enum_t addr_width; }obfuscator_t, *pobfuscator_t; typedef void* (*FnAllocateMem)(unsigned long size); @@ -58,13 +61,13 @@ void obf_one_time_please(); bool obf_init_from_buffer(pobfuscator_t obf, void* buffer, int buffer_size); //creates the groups of instructions based on number of bytes -bool obf_create_groups(pobfuscator_t obf, int group_size); +bool obf_create_groups(pobfuscator_t obf, int32_t group_size); //replaces all relative jumps with the abs jump gadget void obf_replace_rel_jmps(pobfuscator_t obf); //replaces address in the abs jmp stub with the right address of the given label. -bool obf_replace_abs_jmps(pobfuscator_t obf); +bool obf_resolve_abs_addresses(pobfuscator_t obf); //return number of bytes needed to store given group size_t obf_get_group_size(pobfuscator_t obf, int group_id); 
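Review bot: The new `_code_group_t` constructor is callable with a single `uint64_t` because every parameter is defaulted, so it silently acts as an implicit conversion from an integer; mark it `explicit` and drop the stray `;` after its empty body, `explicit _code_group_t(uint64_t ba = 0, pcode_link_t s = nullptr, pcode_link_t e = nullptr, int32_t si = 0) : base_address(ba), start(s), end(e), size_in_bytes(si) {}`. Since `_code_link_t` in the same hunk is only ever created via `new code_link_t` in the .cpp, default member initializers (`= nullptr` for the pointers, `= 0` for `flags`, `group` and `raw_data_size`) would match the style just introduced for `_code_group_t` and remove the indeterminate-field risk. The `std::vector groups` member appears to have lost its template argument in rendering, so it is not reviewed here.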
diff --git a/ShellcodeObfuscator/main.cpp b/ShellcodeObfuscator/main.cpp index d29abc0..ff3e76f 100644 --- a/ShellcodeObfuscator/main.cpp +++ b/ShellcodeObfuscator/main.cpp @@ -18,21 +18,23 @@ int main(int argc, char** argv) { - unsigned char buffer[] = { 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0xEB, 0x08, 0x48, 0x33, 0xC0, 0x7E, 0x03, 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0 };//{ 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0xEB, 0xFB, 0x48, 0x33, 0xC0, 0x7E, 0xF6, 0xC3 }; + unsigned char buffer[] = { 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0xEB, 0x08, 0x48, 0x33, 0xC0, 0x7E, 0x03, 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0xEB, 0x08, 0x48, 0x33, 0xC0, 0x7E, 0x03, 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0 };//{ 0x48, 0x33, 0xC0, 0x48, 0x33, 0xC0, 0xEB, 0xFB, 0x48, 0x33, 0xC0, 0x7E, 0xF6, 0xC3 }; unsigned int buffer_size = sizeof(buffer); obfuscator_t obf; obf_one_time_please(); obf_init_from_buffer(&obf, buffer, buffer_size); obf_gen_all_labels(&obf); + obf_replace_rel_jmps(&obf); - obf_dbg_print_code(&obf); + obf_create_groups(&obf, 10); + obf_resolve_abs_addresses(&obf); printf("\n\n"); - obf_replace_rel_jmps(&obf); obf_dbg_print_code(&obf); - - /*obf_create_groups(&obf, 10); - for (int i = 0; i < obf.groups.size(); i++) + printf("%u is num of groups.\n", obf.groups.size()); + + + /*for (int i = 0; i < obf.groups.size(); i++) { printf("\nprinting group %d \n", i); obf_dbg_print_group(&obf, i); diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.command.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.command.1.tlog index f89d5ac..168cb3b 100644 Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.command.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.command.1.tlog differ 
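Review bot: `printf("%u is num of groups.\n", obf.groups.size());` passes a `size_t` to `%u`, which is undefined behaviour on this x64 build where the two types differ in width; use `%zu`. The new calls `obf_create_groups(&obf, 10);` and `obf_resolve_abs_addresses(&obf);` both return `bool` and the results are discarded, so a failed grouping or an unresolved label is printed as if it succeeded; check them, e.g. `if (!obf_create_groups(&obf, 10) || !obf_resolve_abs_addresses(&obf)) return 1;`. The same applies to the pre-existing `obf_init_from_buffer` call in the context lines, which the build log in this commit flags as not returning on all paths.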
diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog
index faf595d..d2ba163 100644
Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.read.1.tlog differ
diff --git a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog
index b2da6df..a63b80d 100644
Binary files a/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog and b/ShellcodeObfuscator/x64/Debug/Shellcod.ad60371b.tlog/CL.write.1.tlog differ
diff --git a/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.Build.CppClean.log b/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.Build.CppClean.log
index f06ac1d..7af31cf 100644
--- a/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.Build.CppClean.log
+++ b/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.Build.CppClean.log
@@ -1,12 +1,11 @@ -c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.pdb -c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.idb -c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\main.obj -c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj -c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.exe -c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.ilk -c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.pdb +c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\vc142.pdb c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\vc142.idb +c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\main.obj +c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj +c:\$fanta\shellcode-obfuscator\x64\debug\shellcodeobfuscator.exe c:\$fanta\shellcode-obfuscator\x64\debug\shellcodeobfuscator.ilk +c:\$fanta\shellcode-obfuscator\x64\debug\shellcodeobfuscator.pdb +c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\obfuscator.new.obj.enc c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog diff --git a/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log b/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log index d058111..102143b 100644 --- a/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log +++ b/ShellcodeObfuscator/x64/Debug/ShellcodeObfuscator.log 
@@ -1,2 +1,6 @@ - main.cpp + Obfuscator.cpp +C:\$Fanta\shellcode-obfuscator\ShellcodeObfuscator\Obfuscator.cpp(86,39): warning C4018: '>': signed/unsigned mismatch +C:\$Fanta\shellcode-obfuscator\ShellcodeObfuscator\Obfuscator.cpp(418,20): warning C4018: '<': signed/unsigned mismatch +C:\$Fanta\shellcode-obfuscator\ShellcodeObfuscator\Obfuscator.cpp(280): warning C4715: 'obf_get_group_size': not all control paths return a value +C:\$Fanta\shellcode-obfuscator\ShellcodeObfuscator\Obfuscator.cpp(72): warning C4715: 'obf_init_from_buffer': not all control paths return a value ShellcodeObfuscator.vcxproj -> C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe diff --git a/ShellcodeObfuscator/x64/Debug/vc142.idb b/ShellcodeObfuscator/x64/Debug/vc142.idb index 0eb5cb9..233c73e 100644 Binary files a/ShellcodeObfuscator/x64/Debug/vc142.idb and b/ShellcodeObfuscator/x64/Debug/vc142.idb differ diff --git a/x64/Debug/ShellcodeObfuscator.ilk b/x64/Debug/ShellcodeObfuscator.ilk index 6e5ef5d..3189767 100644 Binary files a/x64/Debug/ShellcodeObfuscator.ilk and b/x64/Debug/ShellcodeObfuscator.ilk differ