#include "Theodosius.h"
// C++17 (c++1z) inline-variable test: a namespace-scope variable defined with
// `inline`, initialised to 10. Nothing else in this listing reads it.
inline int a{10};
// this routine is not obfuscated...
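// Demo routine: reads a pointer-sized value at CR3_OFFSET from whatever
// IoGetCurrentProcess() returns and prints it, followed by the addresses of
// PiDDBCacheTable, NtUserRegisterShellPTPListener and PrintCR3 itself.
//
// NOTE(review): the comment preceding this routine says it is not obfuscated,
// yet the definition is wrapped in THEO_OBFUSCATE - confirm which is intended.
// NOTE(review): CR3_OFFSET is not defined in this file (presumably in
// Theodosius.h). A fixed offset into a process structure is build-specific;
// on a build where the layout differs this read returns unrelated data, so
// the value should be confirmed against the target build before it is trusted.
// NOTE(review): every line below writes a raw address to the debug log. These
// are presumably kernel-mode addresses, and anything able to read debug output
// learns them, which weakens KASLR - keep this output to test builds.
THEO_OBFUSCATE(void PrintCR3()
{
    // NOTE(review): if IoGetCurrentProcess() is declared as returning a typed
    // pointer, `+ CR3_OFFSET` scales by the pointee size rather than adding
    // bytes; confirm the declared return type in Theodosius.h.
    const ULONG_PTR directoryBase =
        *reinterpret_cast<ULONG_PTR*>(IoGetCurrentProcess() + CR3_OFFSET);

    // %p expects a pointer argument, so the integer is converted explicitly
    // instead of being passed through the varargs list as an integer.
    DbgPrint("> Current CR3 = 0x%p\n", reinterpret_cast<void*>(directoryBase));

    // non-exported symbols being resolved by jit linker...
    DbgPrint("> PiDDBCacheTable = 0x%p\n", &PiDDBCacheTable);
    DbgPrint("> win32kfull!NtUserRegisterShellPTPListener = 0x%p\n", &NtUserRegisterShellPTPListener);

    // example of referencing itself...
    DbgPrint("> PrintCR3 = 0x%p\n", &PrintCR3);
})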
// Demo loop: stores each index from 0 to 9 into *result in turn, so the
// pointee holds 9 when the routine returns.
//
// result: destination written on every iteration. It is dereferenced without
//         a null check, so the caller must pass a valid pointer.
THEO_OBFUSCATE(LLVM_BCF void LoopDemo(unsigned* result)
{
    auto counter = 0u;

    // The loop condition is what yields the conditional jumps (JCCs) that this
    // demo is meant to show working.
    while (counter < 10)
    {
        // Writing through the pointer shows that the address of a variable on
        // the caller's stack works.
        *result = counter;
        ++counter;
    }
})
// Demo entry point: calls PrintCR3(), then runs LoopDemo() against a local
// variable. Declared extern "C" and wrapped in THEO_MUTATE with the LLVM_BCF
// and LLVM_SUB markers.
//
// NOTE(review): this takes no arguments and returns nothing, unlike a standard
// DriverEntry(PDRIVER_OBJECT, PUNICODE_STRING) returning NTSTATUS - presumably
// it is invoked directly by the Theodosius loader; confirm against the loader.
THEO_MUTATE(LLVM_BCF LLVM_SUB extern "C" void DrvEntry()
{
    // Stack slot handed to LoopDemo; its final value is not read afterwards.
    unsigned loopOutput = 0u;

    // example of calling other obfuscated/non obfuscated routines...
    PrintCR3();
    LoopDemo(&loopOutput);
})