forked from IDontCode/Theodosius
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
167 lines
6.0 KiB
167 lines
6.0 KiB
// Copyright (c) 2022, _xeroxz
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are met:
|
|
//
|
|
// 1. Redistributions of source code must retain the above copyright notice,
|
|
// this list of conditions and the following disclaimer.
|
|
//
|
|
// 2. Redistributions in binary form must reproduce the above copyright notice,
|
|
// this list of conditions and the following disclaimer in the documentation
|
|
// and/or other materials provided with the distribution.
|
|
//
|
|
// 3. Neither the name of the copyright holder nor the names of its
|
|
// contributors may be used to endorse or promote products derived from
|
|
// this software without specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
// AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
// IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
// ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
|
|
// LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
// SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
// INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
// CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
// ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
// POSSIBILITY OF SUCH DAMAGE.
|
|
//
|
|
|
|
#pragma once
|
|
#include <spdlog/spdlog.h>
|
|
#include <bit>
|
|
#include <bitset>
|
|
#include <functional>
|
|
#include <map>
|
|
#include <random>
|
|
|
|
#define XED_ENCODER
|
|
extern "C" {
|
|
#include <xed-decode.h>
|
|
#include <xed-interface.h>
|
|
}
|
|
|
|
/// <summary>
|
|
/// this namespace encompasses the code for transforming relocations.
|
|
/// </summary>
|
|
namespace theo::obf::transform {
|
|
|
|
/// <summary>
|
|
/// lambda function which takes in a 64bit value (relocation address) and a
|
|
/// 32bit value (random value used in transformation).
|
|
/// </summary>
|
|
using transform_t = std::function<std::size_t(std::size_t, std::uint32_t)>;
|
|
|
|
/// <summary>
|
|
/// operation_t is the base class for all types of transformations. classes that
|
|
/// inherit this class are singleton and simply call the super constructor
|
|
/// (operation_t::operation_t).
|
|
/// </summary>
|
|
class operation_t {
|
|
public:
|
|
/// <summary>
|
|
/// explicit constructor for operation_t
|
|
/// </summary>
|
|
/// <param name="op">lambda function when executed applies
|
|
/// transformations.</param> <param name="type">type of transformation, such
|
|
/// as XOR, ADD, SUB, etc...</param>
|
|
explicit operation_t(transform_t op, xed_iclass_enum_t type)
|
|
: m_transform(op), m_type(type) {}
|
|
|
|
/// <summary>
|
|
/// generates a native transform instruction given an existing instruction. it
|
|
/// works like so:
|
|
///
|
|
/// mov rax, &MessageBoxA ; original instruction with relocation
|
|
///
|
|
/// ; this function takes the first operand and out of the original
|
|
/// ; instruction and uses it to generate a transformation.
|
|
///
|
|
/// xor rax, 0x39280928 ; this would be an example output for the xor
|
|
/// ;operation.
|
|
///
|
|
/// </summary>
|
|
/// <param name="inst">instruction with a relocation to generate a
|
|
/// transformation for.</param> <param name="imm">random 32bit number used in
|
|
/// the generate transform.</param> <returns>returns the bytes of the native
|
|
/// instruction that was encoded.</returns>
|
|
std::vector<std::uint8_t> native(const xed_decoded_inst_t* inst,
|
|
std::uint32_t imm) {
|
|
std::uint32_t inst_len = {};
|
|
std::uint8_t inst_buff[XED_MAX_INSTRUCTION_BYTES];
|
|
|
|
xed_error_enum_t err;
|
|
xed_encoder_request_init_from_decode((xed_decoded_inst_s*)inst);
|
|
xed_encoder_request_t* req = (xed_encoder_request_t*)inst;
|
|
|
|
switch (m_type) {
|
|
case XED_ICLASS_ROR:
|
|
case XED_ICLASS_ROL:
|
|
xed_encoder_request_set_uimm0(req, imm, 1);
|
|
break;
|
|
default:
|
|
xed_encoder_request_set_uimm0(req, imm, 4);
|
|
break;
|
|
}
|
|
|
|
xed_encoder_request_set_iclass(req, m_type);
|
|
xed_encoder_request_set_operand_order(req, 1, XED_OPERAND_IMM0);
|
|
|
|
if ((err = xed_encode(req, inst_buff, sizeof(inst_buff), &inst_len)) !=
|
|
XED_ERROR_NONE) {
|
|
spdlog::error("failed to encode instruction... reason: {}",
|
|
xed_error_enum_t2str(err));
|
|
|
|
assert(err == XED_ERROR_NONE);
|
|
}
|
|
|
|
return std::vector<std::uint8_t>(inst_buff, inst_buff + inst_len);
|
|
}
|
|
|
|
/// <summary>
|
|
/// gets the inverse operation of the current operation.
|
|
/// </summary>
|
|
/// <returns>the inverse operation of the current operation.</returns>
|
|
xed_iclass_enum_t inverse() { return m_inverse_op[m_type]; }
|
|
|
|
/// <summary>
|
|
/// gets a pointer to the lambda function which contains the transform logic.
|
|
/// </summary>
|
|
/// <returns>a pointer to the lambda function which contains the transform
|
|
/// logic.</returns>
|
|
transform_t* get_transform() { return &m_transform; }
|
|
|
|
/// <summary>
|
|
/// gets the operation type. such as XED_ICLASS_ADD, XED_ICLASS_SUB, etc...
|
|
/// </summary>
|
|
/// <returns>the operation type. such as XED_ICLASS_ADD, XED_ICLASS_SUB,
|
|
/// etc...</returns>
|
|
xed_iclass_enum_t type() { return m_type; }
|
|
|
|
/// <summary>
|
|
/// generate a random number in a range.
|
|
/// </summary>
|
|
/// <param name="lowest">lowest value of the range.</param>
|
|
/// <param name="largest">highest value of the range.</param>
|
|
/// <returns>a random value in a range.</returns>
|
|
static std::size_t random(std::size_t lowest, std::size_t largest) {
|
|
std::random_device rd;
|
|
std::mt19937 gen(rd());
|
|
std::uniform_int_distribution<std::size_t> distr(lowest, largest);
|
|
return distr(gen);
|
|
}
|
|
|
|
private:
|
|
transform_t m_transform;
|
|
xed_iclass_enum_t m_type;
|
|
|
|
std::map<xed_iclass_enum_t, xed_iclass_enum_t> m_inverse_op = {
|
|
{XED_ICLASS_ADD, XED_ICLASS_SUB},
|
|
{XED_ICLASS_SUB, XED_ICLASS_ADD},
|
|
{XED_ICLASS_ROL, XED_ICLASS_ROR},
|
|
{XED_ICLASS_ROR, XED_ICLASS_ROL},
|
|
{XED_ICLASS_XOR, XED_ICLASS_XOR}};
|
|
};
|
|
|
|
} // namespace theo::obf::transform
|