diff options
| author | Toni Uhlig <matzeton@googlemail.com> | 2023-12-23 14:38:40 +0100 |
|---|---|---|
| committer | Toni Uhlig <matzeton@googlemail.com> | 2023-12-23 14:38:40 +0100 |
| commit | 45c5c880c7be81b186a033253075c951553f9e30 (patch) | |
| tree | c13af44fc9ca4267835f64e81b85a01b0533f3f1 /CRT | |
| parent | 5dcb460cc71c808d83484df580d2a8c50d4760a1 (diff) | |
Added basic CXX string obfuscation via constexpr.
* obfuscate functions names retrieved via MmGetSystemRoutineAddress
* add two new static libs: libcnative (C-only) and libcxxnative (CXX-only)
Signed-off-by: Toni Uhlig <matzeton@googlemail.com>
Diffstat (limited to 'CRT')
| -rwxr-xr-x | CRT/gen_wrapper.sh | 23 | ||||
| -rw-r--r-- | CRT/kcrt.c | 1 | ||||
| -rw-r--r-- | CRT/ntdll_zw_functions.c | 100 | ||||
| -rw-r--r-- | CRT/obfuscate.hpp | 163 |
4 files changed, 276 insertions, 11 deletions
diff --git a/CRT/gen_wrapper.sh b/CRT/gen_wrapper.sh index d383d56..4e26162 100755 --- a/CRT/gen_wrapper.sh +++ b/CRT/gen_wrapper.sh @@ -57,11 +57,19 @@ while read -r line; do STATICS="${STATICS}\nstatic ${fnname}_t _${fnname} = NULL;" INITS=$(cat <<EOF ${INITS} +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"${fnname}")); +#else RtlInitUnicodeString(&fnName, L"${fnname}"); - _${fnname} = MmGetSystemRoutineAddress(&fnName); +#endif + _${fnname} = (${fnname}_t)MmGetSystemRoutineAddress(&fnName); if (_${fnname} == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\\\n"), skCrypt("System routine ${fnname} not found.")); +#else DbgPrint("%s\\\n", "System routine ${fnname} not found."); +#endif retval++; } EOF @@ -110,6 +118,12 @@ cat <<EOF /* This file was auto generated by $(basename ${0}) */ #include <ntddk.h> +#ifdef __cplusplus +#define _KERNEL_MODE 1 +#include "obfuscate.hpp" + +extern "C" { +#endif EOF echo "${TYPEDEFS}" echo "${STATICS}" @@ -127,3 +141,10 @@ cat <<EOF } EOF echo "${WRAPPERS}" + +cat <<EOF + +#ifdef __cplusplus +}; +#endif +EOF @@ -280,7 +280,6 @@ NTSTATUS __cdecl _CRT_DriverEntry(struct _DRIVER_OBJECT * DriverObject, PUNICODE int zw_retval = ntdll_zw_functions(); if (zw_retval != 0) { - DbgPrint("ERROR: Missing %d required system routines.\n", zw_retval); return STATUS_NOT_IMPLEMENTED; } diff --git a/CRT/ntdll_zw_functions.c b/CRT/ntdll_zw_functions.c index f01da2c..3cd6fde 100644 --- a/CRT/ntdll_zw_functions.c +++ b/CRT/ntdll_zw_functions.c @@ -1,6 +1,12 @@ /* This file was auto generated by gen_wrapper.sh */ #include <ntddk.h> +#ifdef __cplusplus +#define _KERNEL_MODE 1 +#include "obfuscate.hpp" + +extern "C" { +#endif typedef NTSTATUS NTAPI (*ObOpenObjectByPointer_t) (_In_ PVOID obj, _In_ ULONG HandleAttributes, _In_ PACCESS_STATE PassedAccessState, _In_ ACCESS_MASK DesiredAccess, _In_ POBJECT_TYPE objType, _In_ KPROCESSOR_MODE AccessMode, _Out_ PHANDLE Handle); typedef NTSTATUS NTAPI (*MmCopyMemory_t) (_In_ PVOID TargetAddress, _In_ PVOID SourceAddress, _In_ SIZE_T NumberOfBytes, _In_ ULONG Flags, _Out_ PSIZE_T NumberOfBytesTransferred); @@ -27,67 +33,139 @@ int __cdecl ntdll_zw_functions (void) int retval = 0; UNICODE_STRING fnName; +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ObOpenObjectByPointer")); +#else RtlInitUnicodeString(&fnName, L"ObOpenObjectByPointer"); - _ObOpenObjectByPointer = MmGetSystemRoutineAddress(&fnName); +#endif + _ObOpenObjectByPointer = (ObOpenObjectByPointer_t)MmGetSystemRoutineAddress(&fnName); if (_ObOpenObjectByPointer == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ObOpenObjectByPointer not found.")); +#else DbgPrint("%s\n", "System routine ObOpenObjectByPointer not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"MmCopyMemory")); +#else RtlInitUnicodeString(&fnName, L"MmCopyMemory"); - _MmCopyMemory = MmGetSystemRoutineAddress(&fnName); +#endif + _MmCopyMemory = (MmCopyMemory_t)MmGetSystemRoutineAddress(&fnName); if (_MmCopyMemory == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmCopyMemory not found.")); +#else DbgPrint("%s\n", "System routine MmCopyMemory not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"MmCopyVirtualMemory")); +#else RtlInitUnicodeString(&fnName, L"MmCopyVirtualMemory"); - _MmCopyVirtualMemory = MmGetSystemRoutineAddress(&fnName); +#endif + _MmCopyVirtualMemory = (MmCopyVirtualMemory_t)MmGetSystemRoutineAddress(&fnName); if (_MmCopyVirtualMemory == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine MmCopyVirtualMemory not found.")); +#else DbgPrint("%s\n", "System routine MmCopyVirtualMemory not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"RtlLookupFunctionEntry")); +#else RtlInitUnicodeString(&fnName, L"RtlLookupFunctionEntry"); - _RtlLookupFunctionEntry = MmGetSystemRoutineAddress(&fnName); +#endif + _RtlLookupFunctionEntry = (RtlLookupFunctionEntry_t)MmGetSystemRoutineAddress(&fnName); if (_RtlLookupFunctionEntry == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine RtlLookupFunctionEntry not found.")); +#else DbgPrint("%s\n", "System routine RtlLookupFunctionEntry not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwTraceControl")); +#else RtlInitUnicodeString(&fnName, L"ZwTraceControl"); - _ZwTraceControl = MmGetSystemRoutineAddress(&fnName); +#endif + _ZwTraceControl = (ZwTraceControl_t)MmGetSystemRoutineAddress(&fnName); if (_ZwTraceControl == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwTraceControl not found.")); +#else DbgPrint("%s\n", "System routine ZwTraceControl not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwTraceEvent")); +#else RtlInitUnicodeString(&fnName, L"ZwTraceEvent"); - _ZwTraceEvent = MmGetSystemRoutineAddress(&fnName); +#endif + _ZwTraceEvent = (ZwTraceEvent_t)MmGetSystemRoutineAddress(&fnName); if (_ZwTraceEvent == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwTraceEvent not found.")); +#else DbgPrint("%s\n", "System routine ZwTraceEvent not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwQueryVirtualMemory")); +#else RtlInitUnicodeString(&fnName, L"ZwQueryVirtualMemory"); - _ZwQueryVirtualMemory = MmGetSystemRoutineAddress(&fnName); +#endif + _ZwQueryVirtualMemory = (ZwQueryVirtualMemory_t)MmGetSystemRoutineAddress(&fnName); if (_ZwQueryVirtualMemory == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwQueryVirtualMemory not found.")); +#else DbgPrint("%s\n", "System routine ZwQueryVirtualMemory not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwProtectVirtualMemory")); +#else RtlInitUnicodeString(&fnName, L"ZwProtectVirtualMemory"); - _ZwProtectVirtualMemory = MmGetSystemRoutineAddress(&fnName); +#endif + _ZwProtectVirtualMemory = (ZwProtectVirtualMemory_t)MmGetSystemRoutineAddress(&fnName); if (_ZwProtectVirtualMemory == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwProtectVirtualMemory not found.")); +#else DbgPrint("%s\n", "System routine ZwProtectVirtualMemory not found."); +#endif retval++; } +#ifdef __cplusplus + RtlInitUnicodeString(&fnName, skCrypt(L"ZwQuerySystemInformation")); +#else RtlInitUnicodeString(&fnName, L"ZwQuerySystemInformation"); - _ZwQuerySystemInformation = MmGetSystemRoutineAddress(&fnName); +#endif + _ZwQuerySystemInformation = (ZwQuerySystemInformation_t)MmGetSystemRoutineAddress(&fnName); if (_ZwQuerySystemInformation == NULL) { +#ifdef __cplusplus + DbgPrint(skCrypt("%s\n"), skCrypt("System routine ZwQuerySystemInformation not found.")); +#else DbgPrint("%s\n", "System routine ZwQuerySystemInformation not found."); +#endif retval++; } @@ -208,3 +286,7 @@ NTSTATUS NTAPI WrapperZwQuerySystemInformation (_In_ int SystemInformationClass, { return _ZwQuerySystemInformation (SystemInformationClass, SystemInformation, SystemInformationLength, ReturnLength); } + +#ifdef __cplusplus +}; +#endif diff --git a/CRT/obfuscate.hpp b/CRT/obfuscate.hpp new file mode 100644 index 0000000..5522aad --- /dev/null +++ b/CRT/obfuscate.hpp @@ -0,0 +1,163 @@ +#pragma once + +/*____________________________________________________________________________________________________________ + +Original Author: skadro +Github: https://github.com/skadro-official +License: See end of file + +skCrypter + Compile-time, Usermode + Kernelmode, safe and lightweight string crypter library for C++11+ + + *Not removing this part is appreciated* +____________________________________________________________________________________________________________*/ + +#ifdef _KERNEL_MODE + namespace std + { + // STRUCT TEMPLATE remove_reference + template <class _Ty> + struct remove_reference { + using type = _Ty; + }; + + template <class _Ty> + struct remove_reference<_Ty&> { + using type = _Ty; + }; + + template <class _Ty> + struct remove_reference<_Ty&&> { + using type = _Ty; + }; + + template <class _Ty> + using remove_reference_t = typename remove_reference<_Ty>::type; + + // STRUCT TEMPLATE remove_const + template <class _Ty> + struct remove_const { // remove top-level const qualifier + using type = _Ty; + }; + + template <class _Ty> + struct remove_const<const _Ty> { + using type = _Ty; + }; + + template <class _Ty> + using remove_const_t = typename remove_const<_Ty>::type; + } +#else + #include <type_traits> +#endif + +namespace skc +{ + template<class _Ty> + using clean_type = typename std::remove_const_t<std::remove_reference_t<_Ty>>; + + template <int _size, char _key1, char _key2, typename T> + class skCrypter + { + public: + __forceinline constexpr skCrypter(T* data) + { + crypt(data); + } + + __forceinline T* get() + { + return _storage; + } + + __forceinline int size() // (w)char count + { + return _size; + } + + __forceinline char key() + { + return _key1; + } + + __forceinline T* encrypt() + { + if (!isEncrypted()) + crypt(_storage); + + return _storage; + } + + __forceinline T* decrypt() + { + if (isEncrypted()) + crypt(_storage); + + return _storage; + } + + __forceinline bool isEncrypted() + { + return _storage[_size - 1] != 0; + } + + __forceinline void clear() // set full storage to 0 + { + for (int i = 0; i < _size; i++) + { + _storage[i] = 0; + } + } + + __forceinline operator T* () + { + decrypt(); + + return _storage; + } + + private: + __forceinline constexpr void crypt(T* data) + { + for (int i = 0; i < _size; i++) + { + _storage[i] = data[i] ^ (_key1 + i % (1 + _key2)); + } + } + + T _storage[_size]{}; + }; +} + +#define skCrypt(str) skCrypt_key(str, __TIME__[4], __TIME__[7]) +#define skCrypt_key(str, key1, key2) []() { \ + constexpr static auto crypted = skc::skCrypter \ + <sizeof(str) / sizeof(str[0]), key1, key2, skc::clean_type<decltype(str[0])>>((skc::clean_type<decltype(str[0])>*)str); \ + return crypted; }() + +/*________________________________________________________________________________ + +MIT License + +Copyright (c) 2020 skadro + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in all +copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE +SOFTWARE. + +________________________________________________________________________________*/ |