author | Toni Uhlig <matzeton@googlemail.com> | 2019-04-11 13:25:03 +0200 |
---|---|---|
committer | Toni Uhlig <matzeton@googlemail.com> | 2019-04-11 13:25:03 +0200 |
commit | ebfb487ee1ca70ca9fbc29b18df0d0aa0d753e83 (patch) | |
tree | 910542a0c35b68c490a4114c736c25058fc9330d | |
parent | bdd60b3cb093d995e00126507824a460de984b3f (diff) |
function crypter template
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
-rw-r--r-- | .gitignore | 2 | ||||
-rw-r--r-- | Makefile | 10 | ||||
-rw-r--r-- | funccrypt.c | 100 |
3 files changed, 110 insertions, 2 deletions
@@ -8,6 +8,8 @@ sc-test sc-test_x64 funcjmp_simple_x86 funcjmp_ext_x86 +funccrypt +funccrypt_x64 exec_crypter exec_crypter_x64 exec_payload @@ -34,7 +34,7 @@ SOURCES = $(wildcard *.c) TARGETS = $(patsubst %.c,%,$(SOURCES)) ifeq ($(LBITS),64) -all: $(TARGETS) exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64 shellcode crypter +all: $(TARGETS) exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64 funccrypt_x64 shellcode crypter else all: $(TARGETS) shellcode crypter endif @@ -69,6 +69,12 @@ exec_crypter_x64: exec_payload_x64_bin.o exec_crypter.c $(CC) $(ECFLAGS) -m64 -D_NOTASKID=1 -o $@.o -c exec_crypter.c $(CC) $(ECFLAGS) -m64 -D_NOTASKID=1 -o $@ exec_payload_x64_bin.o exec_crypter_x64.o +funccrypt: funccrypt.c + $(CC) $(ECFLAGS) -o $@ $< + +funccrypt_x64: funccrypt.c + $(CC) $(ECFLAGS) -m64 -o $@ $< + debug: $(MAKE) -C . CFLAGS="-g" @@ -91,7 +97,7 @@ clean: ifneq ($(SF),) $(RM) -f $(patsubst %,%$(SF),$(TARGETS)) endif - $(RM) -f exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64 + $(RM) -f exec_payload_x64 exec_crypter_x64 overflow_x64 overflow_tcp_x64 sc-test_x64 funccrypt_x64 ifneq ($(SF),) $(RM) -f exec_payload_x64$(SF) exec_crypter_x64$(SF) overflow_x64$(SF) overflow_tcp_x64$(SF) sc-test_x64$(SF) endif diff --git a/funccrypt.c b/funccrypt.c new file mode 100644 index 0000000..7ab37ca --- /dev/null +++ b/funccrypt.c 
@@ -0,0 +1,100 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+
+#define CRYPT_PROLOGUE \
+ { \
+ asm volatile goto("jmp %l0 \n" \
+ : : : : cr_prologue); \
+ asm volatile( \
+ ".byte 0xDE, 0xC0, 0xDE, 0xC0; \n" \
+ ); \
+ } \
+ cr_prologue: {
+#define CRYPT_EPILOGUE \
+ } { \
+ asm volatile goto("jmp %l0 \n" \
+ : : : : cr_epilogue); \
+ asm volatile( \
+ ".byte 0xFE, 0xCA, 0xFE, 0xCA; \n" \
+ ); \
+ } \
+ cr_epilogue: \
+ asm volatile("nop; \n");
+
+typedef enum crypt_return {
+ CRET_ERROR, CRET_PROLOGUE, CRET_EPILOGUE
+} crypt_return;
+
+
+static int crypted_fn(int arg0, char *arg1, void *arg2)
+{
+ CRYPT_PROLOGUE
+ printf("I'm decrypted ..\n");
+ for (int i = 0; i < 32; ++i)
+ printf("%d ", i);
+ puts("");
+ CRYPT_EPILOGUE
+
+ return 0x66;
+}
+
+static void crypted_fn2(void)
+{
+ CRYPT_PROLOGUE
+ printf("Another decrypted fn..\n");
+ CRYPT_EPILOGUE
+}
+
+static crypt_return crypt_func(void *fn_start)
+{
+ enum crypt_return cret = CRET_ERROR;
+ uint8_t *fnbuf = (uint8_t *) fn_start;
+ const uint32_t prologue_marker = 0xC0DEC0DE;
+ const uint32_t epilogue_marker = 0xCAFECAFE;
+
+ printf("Fn: %p\n", fnbuf);
+ for (int i = 0; i < 0x100; ++i) {
+ if (cret == CRET_ERROR &&
+ *(uint32_t *) &fnbuf[i] == prologue_marker)
+ {
+ printf("Prologue Marker: %p\n", &fnbuf[i]);
+ cret = CRET_PROLOGUE;
+ } else
+ if (cret == CRET_PROLOGUE &&
+ *(uint32_t *) &fnbuf[i] == epilogue_marker)
+ {
+ printf("Epilogue Marker: %p\n", &fnbuf[i]);
+ cret = CRET_EPILOGUE;
+ break;
+ }
+ }
+
+ return cret;
+}
+
+static void printHexBuf(uint8_t *buf, size_t siz, size_t chars_per_line)
+{
+ for (int i = 0; i < siz; ++i) {
+ printf("%02X ", buf[i]);
+ if ((i+1) % chars_per_line == 0)
+ printf("\n");
+ }
+ printf("\n");
+}
+
+int main(void)
+{
+ printf("crypted_fn:\n");
+ printHexBuf((uint8_t *)crypted_fn, 32, 16);
+ printf("crypted_fn2:\n");
+ printHexBuf((uint8_t *)crypted_fn2, 32, 16);
+
+ printf("crypt_func:\n");
+ crypt_func((void *)crypted_fn);
+ crypt_func((void *)crypted_fn2);
+
+ printf("\noutput:\n");
+ printf("crypted_fn: 0x%X\n", crypted_fn(0, NULL, NULL));
+ crypted_fn2();
+} |
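Review bot: The marker scan in `crypt_func` evaluates `*(uint32_t *) &fnbuf[i]` for every i below 0x100, so it reads up to 0x103 bytes from the function start regardless of how long the function really is; for a short function such as `crypted_fn2` that walks into whatever follows it in `.text`, and for a function near the end of the section it can read off the mapping. The cast is also a misaligned, strict-aliasing type pun on `uint8_t` storage, which is undefined behaviour even where x86 tolerates the misalignment — load the word with `memcpy` (needs `<string.h>`) and bound the loop with `i + sizeof(uint32_t) <= 0x100` so the last load stays inside the scanned window. `main` then discards the return value of both `crypt_func` calls, so a scan that finds the prologue but never the epilogue (`CRET_PROLOGUE`) looks exactly like success; check `if (crypt_func((void *)crypted_fn) != CRET_EPILOGUE)` before relying on the marker positions. The `.byte 0xDE, 0xC0, 0xDE, 0xC0` sequence equals `0xC0DEC0DE` only when read little-endian, which holds for the x86 targets this Makefile builds but deserves a comment next to the marker constants, e.g. `/* markers are emitted byte-wise in the asm blocks; compare little-endian (x86 only) */`.
```c
static crypt_return crypt_func(void *fn_start)
{
    /* … unchanged: cret/fnbuf/marker locals and the "Fn:" print … */
    for (size_t i = 0; i + sizeof(uint32_t) <= 0x100; ++i) {
        uint32_t word;
        memcpy(&word, &fnbuf[i], sizeof word); /* unaligned-safe, no aliasing UB */
        if (cret == CRET_ERROR && word == prologue_marker) {
            /* … unchanged: prologue print and state change … */
        } else if (cret == CRET_PROLOGUE && word == epilogue_marker) {
            /* … unchanged: epilogue print, state change, break … */
        }
    }
    /* … unchanged: return cret … */
}
```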