zydis these nutz in ur mouth

master
James 3 years ago
parent 7efc4bacd0
commit 77c11fa473

@ -73,106 +73,97 @@ bool obf_init_from_buffer(pobfuscator_t obf, void* buffer, int buffer_size)
bool obf_create_groups(pobfuscator_t obf, int group_size) bool obf_create_groups(pobfuscator_t obf, int group_size)
{ {
//remake cuz this shit broke as fuck
obf->groups.clear();
if (group_size < 24) //obf->groups.clear();
return false;
///*if (group_size < 24)
int cur_group_id = 0, cur_size_in_bytes = 0; // return false;*/
pcode_link_t start = obf->code_start->next;
for (pcode_link_t t = obf->code_start->next; t; t = t->next) //int cur_group_id = 0, cur_size_in_bytes = 0;
{ //pcode_link_t start = obf->code_start->next;
if (!(t->flags & CLFLAG_IS_GAGET)) //for (pcode_link_t t = obf->code_start->next; t;)
{ //{
if (cur_size_in_bytes + t->raw_data_size + 16 > group_size) // pcode_link_t real_next = t->next;
{ // if (!(t->flags & CLFLAG_IS_GAGET) && !(t->flags & CLFLAG_IS_LABEL))
// {
pcode_link_t push_rax = new code_link_t; // if (cur_size_in_bytes + t->raw_data_size /*+ END_OF_GROUP_GAGT_SIZE*/ > group_size)
push_rax->flags = 0; // {
push_rax->label_name = ""; // std::string group_label_name = "Group";
push_rax->raw_data = new unsigned char[1]; // group_label_name.append(std::to_string(cur_group_id + 1));
push_rax->raw_data_size = 1; // pcode_link_t lab = new code_link_t;
push_rax->group = cur_group_id; // lab->flags = CLFLAG_IS_LABEL;
*(unsigned char*)push_rax->raw_data = 0x50; // lab->label_name = group_label_name;
push_rax->label_name = ""; // lab->group = cur_group_id;
pcode_link_t mov_address = new code_link_t; // pcode_link_t gadget = new code_link_t;
mov_address->flags = CLFLAG_IS_GROUP_JMP; // gadget->flags = 0;
mov_address->label_name = t->label_name; // gadget->label_name = "";
mov_address->raw_data = new unsigned char[10]; // gadget->raw_data = new unsigned char[6];
mov_address->raw_data_size = 10; // gadget->raw_data_size = 6;
mov_address->group = cur_group_id; // gadget->group = cur_group_id;
unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F }; // unsigned char gadget_data[] = { 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
memcpy(mov_address->raw_data, mov_address_data, 10); // memcpy(gadget->raw_data, gadget_data, 6);
pcode_link_t xchg_rax_rsp = new code_link_t; // pcode_link_t abs_addr = new code_link_t;
xchg_rax_rsp->flags = 0; // abs_addr->flags = CLFLAG_IS_ABS_ADDR;
xchg_rax_rsp->label_name = ""; // abs_addr->label_name = group_label_name;
xchg_rax_rsp->raw_data = new unsigned char[4]; // abs_addr->raw_data = new unsigned char[8];
xchg_rax_rsp->raw_data_size = 4; // abs_addr->raw_data_size = 8;
xchg_rax_rsp->group = cur_group_id; // abs_addr->group = cur_group_id;
unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4); // t->prev->next = gadget;
// gadget->next = abs_addr;
pcode_link_t ret = new code_link_t; // abs_addr->next = lab;
ret->flags = 0; // lab->next = t;// real_next;
ret->label_name = "";
ret->raw_data = new unsigned char[1]; // gadget->prev = t->prev;
ret->raw_data_size = 1; // abs_addr->prev = gadget;
ret->group = cur_group_id; // lab->prev = abs_addr;
*(unsigned char*)ret->raw_data = 0xC3; // t->prev = lab;
t->prev->next = push_rax; //
push_rax->next = mov_address;
mov_address->next = xchg_rax_rsp; // printf("creating group %d\n", cur_group_id);
xchg_rax_rsp->next = ret; // obf->groups.emplace_back();
ret->next = t; // obf->groups.back().size_in_bytes = cur_size_in_bytes + END_OF_GROUP_GAGT_SIZE;
// obf->groups.back().start = start;
ret->prev = xchg_rax_rsp; // obf->groups.back().base_address = cur_group_id;
xchg_rax_rsp->prev = mov_address; // cur_size_in_bytes = 0;
mov_address->prev = push_rax; // cur_group_id++;
push_rax->prev = t->prev; // start = t;
t->prev = ret; // }
// }
printf("creating group %d\n", cur_group_id);
obf->groups.emplace_back(); // cur_size_in_bytes += t->raw_data_size;
obf->groups.back().size_in_bytes = cur_size_in_bytes + 16; // t->group = cur_group_id;
obf->groups.back().start = start; // t = real_next;
cur_size_in_bytes = 0; //}
cur_group_id++;
start = t; //obf->groups.emplace_back();
} //obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
} //obf->groups.back().start = start;
//obf->groups.back().base_address = cur_group_id;
cur_size_in_bytes += t->raw_data_size;
t->group = cur_group_id; //return true;
}
obf->groups.emplace_back();
obf->groups.back().size_in_bytes = cur_size_in_bytes + 16;
obf->groups.back().start = start;
return true;
} }
void obf_replace_rel_jmps(pobfuscator_t obf) void obf_replace_rel_jmps(pobfuscator_t obf)
{ // original_jump -------------------------. { // original_jump -------------------------.
// jmp 0x10 0xEB, 0x10 | // jmp 0x10(0xEB, 0x10) ------------------ | -----.
// push rax 0x50, <----' // jmp qword ptr[rip] <----------------' |
// mov rax,abs_address 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F, // address here(8 bytes) |
// xchg rax,[rsp] 0x48, 0x87, 0x04, 0x24, // not taken branch code <-----------------------'
// ret 0xC3
for (pcode_link_t t = obf->code_start->next; t;) for (pcode_link_t t = obf->code_start->next; t;)
{ {
pcode_link_t real_next = t->next;
if (t->flags & CLFLAG_IS_REL_JUMP) if (t->flags & CLFLAG_IS_REL_JUMP)
{ {
pcode_link_t real_next = t->next;
unsigned int inst_len = xed_decoded_inst_get_length(&t->instruction);
unsigned int jmp_delta_width = xed_decoded_inst_get_branch_displacement_width(&t->instruction); unsigned int jmp_delta_width = xed_decoded_inst_get_branch_displacement_width(&t->instruction);
unsigned int opcode_size = inst_len - jmp_delta_width; unsigned int opcode_size = t->raw_data_size - jmp_delta_width;
switch (jmp_delta_width) switch (jmp_delta_width)
{ {
@ -185,72 +176,37 @@ void obf_replace_rel_jmps(pobfuscator_t obf)
} }
t->flags = CLFLAG_IS_GAGET; t->flags = CLFLAG_IS_GAGET;
pcode_link_t jmp_around_gagt = new code_link_t; pcode_link_t gadget = new code_link_t;
jmp_around_gagt->flags = CLFLAG_IS_GAGET; gadget->flags = CLFLAG_IS_GAGET;
jmp_around_gagt->label_name = ""; gadget->label_name = "";
jmp_around_gagt->raw_data = new unsigned char[2]; gadget->raw_data = new unsigned char[8];
jmp_around_gagt->raw_data_size = 2; gadget->raw_data_size = 8;
unsigned char jmp_around_gagt_data[] = { 0xEB, 0x10 }; unsigned char gadget_data[] = { 0xEB, 0x0E, 0xFF, 0x25, 0x00, 0x00, 0x00, 0x00 };
memcpy(jmp_around_gagt->raw_data, jmp_around_gagt_data, 2); memcpy(gadget->raw_data, gadget_data, 8);
pcode_link_t abs_addr = new code_link_t;
pcode_link_t push_rax = new code_link_t; abs_addr->flags = (CLFLAG_IS_GAGET | CLFLAG_IS_ABS_ADDR);
push_rax->flags = CLFLAG_IS_GAGET; abs_addr->label_name = t->label_name;
push_rax->label_name = ""; t->label_name = "";
push_rax->raw_data = new unsigned char[1]; abs_addr->raw_data = new unsigned char[8];
push_rax->raw_data_size = 1; abs_addr->raw_data_size = 8;
*(unsigned char*)push_rax->raw_data = 0x50;
push_rax->label_name = ""; t->next = gadget;
gadget->next = abs_addr;
abs_addr->next = real_next;
pcode_link_t mov_address = new code_link_t;
mov_address->flags = (CLFLAG_IS_ABS_ADDR | CLFLAG_IS_GAGET); if (real_next) real_next->prev = abs_addr;
mov_address->label_name = t->label_name; abs_addr->prev = gadget;
mov_address->raw_data = new unsigned char[10]; gadget->prev = t;
mov_address->raw_data_size = 10;
unsigned char mov_address_data[] = { 0x48, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x0F };
memcpy(mov_address->raw_data, mov_address_data, 10);
pcode_link_t xchg_rax_rsp = new code_link_t;
xchg_rax_rsp->flags = CLFLAG_IS_GAGET;
xchg_rax_rsp->label_name = "";
xchg_rax_rsp->raw_data = new unsigned char[4];
xchg_rax_rsp->raw_data_size = 4;
unsigned char xchg_rax_rsp_data[] = { 0x48, 0x87, 0x04, 0x24 };
memcpy(xchg_rax_rsp->raw_data, xchg_rax_rsp_data, 4);
pcode_link_t ret = new code_link_t;
ret->flags = CLFLAG_IS_GAGET;
ret->label_name = "";
ret->raw_data = new unsigned char[1];
ret->raw_data_size = 1;
*(unsigned char*)ret->raw_data = 0xC3;
t->next = jmp_around_gagt;
jmp_around_gagt->next = push_rax;
push_rax->next = mov_address;
mov_address->next = xchg_rax_rsp;
xchg_rax_rsp->next = ret;
ret->next = real_next;
real_next->prev = ret;
ret->prev = xchg_rax_rsp;
xchg_rax_rsp->prev = mov_address;
mov_address->prev = push_rax;
push_rax->prev = jmp_around_gagt;
jmp_around_gagt->prev = t;
t = real_next;
continue;
} }
t = t->next; t = real_next;
} }
} }
bool obf_replace_abs_jmps(pobfuscator_t obf) bool obf_replace_abs_jmps(pobfuscator_t obf)
{ {
for (pcode_link_t t = obf->code_start->next; t;) for (pcode_link_t t = obf->code_start->next; t; t = t->next)
{ {
if (t->flags & CLFLAG_IS_ABS_ADDR) if (t->flags & CLFLAG_IS_ABS_ADDR)
{ {
@ -270,7 +226,6 @@ bool obf_replace_abs_jmps(pobfuscator_t obf)
} }
} }
return false; return false;
continue;
have_label_found: have_label_found:
uint64_t addr = obf->groups[temp->group].base_address; uint64_t addr = obf->groups[temp->group].base_address;
@ -280,9 +235,12 @@ bool obf_replace_abs_jmps(pobfuscator_t obf)
{ {
break; break;
} }
addr += temp->raw_data_size; if (!(temp2->flags & CLFLAG_IS_LABEL))
{
addr += temp2->raw_data_size;
}
} }
*(uint64_t*)((unsigned char*)t->raw_data + 2) = addr; *(uint64_t*)((unsigned char*)t->raw_data) = addr;
} }
} }
return true; return true;
@ -374,22 +332,22 @@ void obf_dbg_print_code(pobfuscator_t obf)
{ {
for (pcode_link_t t = obf->code_start->next; t; t = t->next) for (pcode_link_t t = obf->code_start->next; t; t = t->next)
{ {
if (!(t->flags & CLFLAG_IS_LABEL)) if (t->flags & CLFLAG_IS_REL_JUMP)
{
obf_print_byte_array(t->raw_data, t->raw_data_size);
}
/*if (t->flags & CLFLAG_IS_REL_JUMP)
{ {
printf("\tJump to: %s\n", t->label_name.data()); printf("\tJump to: %s ", t->label_name.data());
} }
else if (t->flags & CLFLAG_IS_LABEL) else if (t->flags & CLFLAG_IS_LABEL)
{ {
printf("Label: %s\n", t->label_name.data()); printf("Label: %s ", t->label_name.data());
} }
else else
{ {
printf("\tRegular Instruction.\n"); printf("\tRegular Instruction. ");
}*/ }
if (!(t->flags & CLFLAG_IS_LABEL))
{
obf_print_byte_array(t->raw_data, t->raw_data_size);
}
} }
} }
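Review bot: The new column of obf_create_groups (L11–L80, body now entirely comments) is a `bool` function that falls off its closing brace without a return, which is undefined behaviour in C++ and the same C4715 the old build log already flagged for other functions; at minimum it should read `obf->groups.clear(); return false; // grouping disabled until the rework lands`. That also leaves `obf->groups` empty, yet obf_replace_abs_jmps still indexes `obf->groups[temp->group].base_address` unchecked (L175), which is out-of-bounds on an empty vector; guard it with `if (temp->group >= obf->groups.size()) return false;` before the lookup. The 8-byte abs_addr node created in obf_replace_rel_jmps (L119) is allocated with `new unsigned char[8]` and never written, so if obf_replace_abs_jmps does not run (neither column of the visible main hunk calls it) the `jmp qword ptr [rip]` gadget dispatches through indeterminate bytes — zero-fill it with `new unsigned char[8]()` so a missed patch faults instead of jumping anywhere. Which column each line belongs to is inferred from the side-by-side rendering.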

@ -13,7 +13,9 @@ extern "C"
#define CLFLAG_IS_REL_JUMP (1<<1) #define CLFLAG_IS_REL_JUMP (1<<1)
#define CLFLAG_IS_ABS_ADDR (1<<2) #define CLFLAG_IS_ABS_ADDR (1<<2)
#define CLFLAG_IS_GAGET (1<<3) #define CLFLAG_IS_GAGET (1<<3)
#define CLFLAG_IS_GROUP_JMP (1<<4)
#define ABS_JUMP_GAGT_SIZE 16
#define END_OF_GROUP_GAGT_SIZE 14
typedef struct _code_link_t typedef struct _code_link_t
{ {
@ -47,6 +49,8 @@ typedef struct _obfuscator_t
xed_address_width_enum_t addr_width; xed_address_width_enum_t addr_width;
}obfuscator_t, *pobfuscator_t; }obfuscator_t, *pobfuscator_t;
typedef void* (*FnAllocateMem)(unsigned long size);
//snickers //snickers
void obf_one_time_please(); void obf_one_time_please();
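Review bot: The new `FnAllocateMem` typedef takes its size as `unsigned long`, which is 32-bit on the x64 MSVC toolchain this project builds with (`Debug|x64`, `PlatformToolSet=v142` in the props change), so a `size_t` passed by a caller is silently truncated; prefer `typedef void* (*FnAllocateMem)(size_t size);`. It is not referenced anywhere in the visible diff, so a one-line comment on its intended use (presumably a caller-supplied allocator for the emitted code) would help the next reader. The gadget-size macros would also read better with the derivation that the gadget bytes in obf_replace_rel_jmps establish: `#define ABS_JUMP_GAGT_SIZE 16 // jmp short +0x0E (2) + jmp qword ptr [rip] (6) + 8-byte target` and `#define END_OF_GROUP_GAGT_SIZE 14 // jmp qword ptr [rip] (6) + 8-byte target`, and obf_replace_rel_jmps should size its buffers from them instead of the literal 8 and 0x0E. Which column the size macros fall in is inferred from the rendering.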

@ -25,13 +25,17 @@ int main(int argc, char** argv)
obf_one_time_please(); obf_one_time_please();
obf_init_from_buffer(&obf, buffer, buffer_size); obf_init_from_buffer(&obf, buffer, buffer_size);
obf_gen_all_labels(&obf); obf_gen_all_labels(&obf);
//obf_replace_rel_jmps(&obf);
obf_dbg_print_code(&obf);
printf("\n\n");
obf_replace_rel_jmps(&obf);
obf_dbg_print_code(&obf); obf_dbg_print_code(&obf);
obf_create_groups(&obf, 28);
/*obf_create_groups(&obf, 10);
for (int i = 0; i < obf.groups.size(); i++) for (int i = 0; i < obf.groups.size(); i++)
{ {
printf("printing group %d \n", i); printf("\nprinting group %d \n", i);
obf_dbg_print_group(&obf, i); obf_dbg_print_group(&obf, i);
} }*/
system("pause"); system("pause");
} }
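Review bot: The bool results of `obf_init_from_buffer` and the newly added `obf_create_groups(&obf, 28)` call are discarded, so a failed init or grouping goes unnoticed and the later passes run on an incomplete code list; check them, e.g. `if (!obf_create_groups(&obf, 28)) { fprintf(stderr, "grouping failed\n"); return 1; }`. This matters more in this commit because obf_create_groups's body is emptied on the new side of the Obfuscator.cpp hunk, so the value being ignored is not even set. main's body starts before this hunk.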

@ -1,2 +1,2 @@
PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0: PlatformToolSet=v142:VCToolArchitecture=Native32Bit:VCToolsVersion=14.27.29110:TargetPlatformVersion=10.0.19041.0:VcpkgTriplet=x64-windows:
Debug|x64|C:\$Fanta\ShellcodeObfuscator\| Debug|x64|C:\$Fanta\shellcode-obfuscator\|

@ -1,21 +1,15 @@
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.pdb c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.pdb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.idb c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\vc142.idb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\main.obj c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\main.obj
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\obfuscator.obj
c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.exe
c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.ilk
c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.pdb c:\$fanta\shellcodeobfuscator\x64\debug\shellcodeobfuscator.pdb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\vc142.idb
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog c:\$fanta\shellcode-obfuscator\x64\debug\shellcodeobfuscator.ilk
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.command.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-cvtres.read.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-cvtres.write.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\cl.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-rc.read.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.command.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link-rc.write.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-cvtres.read.1.tlog c:\$fanta\shellcode-obfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-cvtres.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-rc.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328-rc.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.1328.write.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.command.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.read.1.tlog
c:\$fanta\shellcodeobfuscator\shellcodeobfuscator\x64\debug\shellcod.ad60371b.tlog\link.write.1.tlog

@ -1,6 +1,6 @@
<?xml version="1.0" encoding="utf-8"?> <?xml version="1.0" encoding="utf-8"?>
<Project> <Project>
<ProjectOutputs>C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe</ProjectOutputs> <ProjectOutputs>C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe</ProjectOutputs>
<ContentFiles></ContentFiles> <ContentFiles></ContentFiles>
<SatelliteDlls></SatelliteDlls> <SatelliteDlls></SatelliteDlls>
<NonRecipeFileRefs></NonRecipeFileRefs> <NonRecipeFileRefs></NonRecipeFileRefs>

@ -1,8 +1,2 @@
 Obfuscator.cpp  main.cpp
C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(353,20): warning C4018: '<': signed/unsigned mismatch ShellcodeObfuscator.vcxproj -> C:\$Fanta\shellcode-obfuscator\x64\Debug\ShellcodeObfuscator.exe
main.cpp
Generating Code...
C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(246): warning C4715: 'obf_get_group_size': not all control paths return a value
C:\$Fanta\ShellcodeObfuscator\ShellcodeObfuscator\Obfuscator.cpp(72): warning C4715: 'obf_init_from_buffer': not all control paths return a value
LINK : warning LNK4098: defaultlib 'LIBCMT' conflicts with use of other libs; use /NODEFAULTLIB:library
ShellcodeObfuscator.vcxproj -> C:\$Fanta\ShellcodeObfuscator\x64\Debug\ShellcodeObfuscator.exe

Binary file not shown.