├── doc ├── x86.virt.pdf ├── x86.virt.after.gif └── x86.virt.before.gif ├── bin ├── loader │ └── meta.exe ├── test_app │ ├── vm_test.exe │ ├── vm_test_vmed_01.exe │ └── vm_test_vmed_02.exe └── protector │ └── x86.virt.exe ├── src ├── protector │ ├── hde.lib │ ├── protect.cpp │ ├── protect.h │ ├── common.h │ ├── resource.h │ ├── poly_encdec.h │ ├── hde.h │ ├── res.rc │ ├── macros.h │ ├── common.cpp │ └── main.cpp ├── test_app │ ├── main.cpp │ ├── resource.h │ └── res.rc └── loader │ └── loader.asm ├── readme.md └── gpl.txt /doc/x86.virt.pdf: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/doc/x86.virt.pdf -------------------------------------------------------------------------------- /bin/loader/meta.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/bin/loader/meta.exe -------------------------------------------------------------------------------- /doc/x86.virt.after.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/doc/x86.virt.after.gif -------------------------------------------------------------------------------- /src/protector/hde.lib: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/src/protector/hde.lib -------------------------------------------------------------------------------- /src/test_app/main.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/src/test_app/main.cpp -------------------------------------------------------------------------------- /bin/test_app/vm_test.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/bin/test_app/vm_test.exe -------------------------------------------------------------------------------- /doc/x86.virt.before.gif: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/doc/x86.virt.before.gif -------------------------------------------------------------------------------- /bin/protector/x86.virt.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/bin/protector/x86.virt.exe -------------------------------------------------------------------------------- /src/protector/protect.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/src/protector/protect.cpp -------------------------------------------------------------------------------- /bin/test_app/vm_test_vmed_01.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/bin/test_app/vm_test_vmed_01.exe -------------------------------------------------------------------------------- /bin/test_app/vm_test_vmed_02.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/rwfpl/rewolf-x86-virtualizer/HEAD/bin/test_app/vm_test_vmed_02.exe -------------------------------------------------------------------------------- /src/protector/protect.h: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | #ifndef _PROTECT_H_ 24 | #define _PROTECT_H_ 25 | 26 | #include 27 | #include 28 | #include 29 | #include "macros.h" 30 | #include "common.h" 31 | 32 | int vm_init(BYTE** retMem, DWORD* _vmInit, DWORD* _vmStart); 33 | void vm_free(); 34 | BYTE* vm_getVMImg(); 35 | DWORD vm_getVMSize(); 36 | int vm_protect(BYTE* codeBase, int codeSize, BYTE* outCodeBuf, DWORD inExeFuncRVA, BYTE* relocBuf, DWORD imgBase); 37 | 38 | #endif -------------------------------------------------------------------------------- /src/test_app/resource.h: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | //{{NO_DEPENDENCIES}} 24 | // Microsoft Visual C++ generated include file. 25 | // Used by res.rc 26 | // 27 | #define IDD_DIALOG1 101 28 | #define BTN_DRAW 1001 29 | #define BTN_MSG 1002 30 | #define BTN_MD5 1003 31 | #define BTN_EXIT 1004 32 | #define IDC_STATIC1 1005 33 | 34 | // Next default values for new objects 35 | // 36 | #ifdef APSTUDIO_INVOKED 37 | #ifndef APSTUDIO_READONLY_SYMBOLS 38 | #define _APS_NEXT_RESOURCE_VALUE 102 39 | #define _APS_NEXT_COMMAND_VALUE 40001 40 | #define _APS_NEXT_CONTROL_VALUE 1006 41 | #define _APS_NEXT_SYMED_VALUE 101 42 | #endif 43 | #endif 44 | -------------------------------------------------------------------------------- /src/protector/common.h: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | #ifndef _COMMON_H_ 24 | #define _COMMON_H_ 25 | 26 | #include 27 | #include "hde.h" 28 | 29 | 30 | DWORD WINAPI _lde(BYTE* off); 31 | //extern "C" DWORD WINAPI lde(BYTE* off); 32 | #define lde _lde 33 | 34 | typedef void (__stdcall *polyFunc)(BYTE* buf, DWORD size, DWORD pos); 35 | extern polyFunc polyEnc; 36 | extern polyFunc polyDec; 37 | extern BYTE _vm_poly_dec[121]; 38 | 39 | int genCodeMap(BYTE* codeBase, int codeSize, DWORD* codeMap); 40 | void genPolyEncDec(); 41 | void genPermutation(BYTE* buf, int size); 42 | void invPerm256(BYTE* buf); 43 | void invPerm16(BYTE* buf); 44 | void permutateJcc(WORD* buf, int elemCount, BYTE* permutation); 45 | int genRelocMap(BYTE* relocSeg, DWORD funcRVA, int funcSize, DWORD* relocMap); 46 | 47 | #endif -------------------------------------------------------------------------------- /src/protector/resource.h: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | //{{NO_DEPENDENCIES}} 24 | // Microsoft Visual C++ generated include file. 25 | // Used by res.rc 26 | // 27 | #define IDD_DIALOG1 101 28 | #define IDD_DIALOG2 102 29 | #define EDT_FILE 1001 30 | #define BTN_OPEN 1002 31 | #define LB_LIST 1003 32 | #define BTN_ADD 1004 33 | #define BTN_EXIT 1005 34 | #define BTN_PROTECT 1006 35 | #define CHK_VMOVM 1007 36 | #define EDT_FROM 1008 37 | #define IDC_EDIT2 1009 38 | #define EDT_TO 1009 39 | #define BTN_ADD_YES 1010 40 | #define BTN_ADD_NO 1011 41 | 42 | // Next default values for new objects 43 | // 44 | #ifdef APSTUDIO_INVOKED 45 | #ifndef APSTUDIO_READONLY_SYMBOLS 46 | #define _APS_NEXT_RESOURCE_VALUE 103 47 | #define _APS_NEXT_COMMAND_VALUE 40001 48 | #define _APS_NEXT_CONTROL_VALUE 1012 49 | #define _APS_NEXT_SYMED_VALUE 101 50 | #endif 51 | #endif 52 | -------------------------------------------------------------------------------- /src/protector/poly_encdec.h: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | #ifndef _POLY_ENCDEC_H_ 24 | #define _POLY_ENCDEC_H_ 25 | 26 | extern BYTE _vm_poly_enc[] = 27 | { 28 | 0x56, 0x50, 0x51, 0x8B, 0x74, 0x24, 0x10, 0x33, 0xC9, 0x8A, 0x06, 0x90, 0x90, 0x90, 0x90, 0x90, 29 | 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 30 | 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 31 | 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 32 | 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 33 | 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 34 | 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x88, 0x06, 0x41, 0x46, 0x3B, 0x4C, 0x24, 35 | 0x14, 0x75, 0x96, 0x59, 0x58, 0x5E, 0xC2, 0x0C, 0x00 36 | }; 37 | //+11 38 | 39 | 40 | /* 41 | push esi 42 | push eax 43 | push ecx 44 | mov esi, dword ptr [esp + 10h] 45 | xor ecx, ecx 46 | _loop: 47 | mov al, byte ptr [esi] 48 | 49 | 50 | ;... 51 | db 60 DUP (90h) ;commands 2-bytes 52 | db 30 DUP (90h) ;junks 3-bytes 53 | ;... 54 | 55 | xor eax, dword ptr [esp + 18h] 56 | mov byte ptr [esi], al 57 | inc ecx 58 | inc esi 59 | cmp ecx, dword ptr [esp + 14h] 60 | jnz _loop 61 | pop ecx 62 | pop eax 63 | pop esi 64 | ret 0Ch 65 | */ 66 | 67 | #endif -------------------------------------------------------------------------------- /readme.md: -------------------------------------------------------------------------------- 1 | ``` 2 | -------------------------------------------------------------------------------- 3 | Name....: x86 Virtualizer - source code 4 | Author..: ReWolf 5 | Date....: IV/V.2007 6 | Rel.Date: VIII.2007 7 | 8 | e.mail..: rewolf@rewolf.pl 9 | www.....: http://blog.rewolf.pl 10 | -------------------------------------------------------------------------------- 11 | ``` 12 | Simple PE protector (x86) based on virtual machine. 13 | 14 | #### **Principle of operation:** #### 15 | ![http://rewolf.pl/gfx/custom/x86.virt.before.gif](http://rewolf.pl/gfx/custom/x86.virt.before.gif) 16 | ![http://rewolf.pl/gfx/custom/x86.virt.after.gif](http://rewolf.pl/gfx/custom/x86.virt.after.gif) 17 | ``` 18 | -------------------------------------------------------------------------------- 19 | 20 | This product includes Length Dissasembler engine: 21 | 22 | * Hacker Disassembler Engine 23 | * Copyright (c) 2006-2007 Veacheslav Patkov 24 | 25 | -------------------------------------------------------------------------------- 26 | Files: 27 | 28 | \gpl.txt - GNU GPL license text 29 | \bin\loader\meta.exe - compiled loader 30 | \bin\protector\x86.virt.exe - compiled virtualizer 31 | \bin\test_app\vm_test.exe - compiled sample application 32 | \bin\test_app\vm_test_vmed_01.exe - sample app with one vm layer 33 | \bin\test_app\vm_test_vmed_02.exe - sample app with two vm layers 34 | \doc\x86.virt.after.gif - diagram - represents executable after virtualization 35 | \doc\x86.virt.before.gif - diagram - represents executable before virtualization 36 | \doc\x86.virt.pdf - documentation 37 | \src\loader\loader.asm - loader source code 38 | \src\protector\common.cpp - some common functions 39 | \src\protector\common.h - header for above 40 | \src\protector\hde.h - header for Hacker Disassembler Engine 41 | \src\protector\hde.lib - Hacker Disassembler Engine library 42 | \src\protector\macros.h - auxiliary macros 43 | \src\protector\main.cpp - main program (gui, PE handling etc...) 44 | \src\protector\poly_encdec.h - binary version of poly_(enc/dec) function 45 | \src\protector\protect.cpp - core virtualization engine 46 | \src\protector\protect.h - header for above 47 | \src\protector\res.rc - resources 48 | \src\protector\resource.h - header for above 49 | \src\test_app\main.cpp - sample application 50 | \src\test_app\res.rc - resources 51 | \src\test_app\resource.h - header for above 52 | 53 | -------------------------------------------------------------------------------- 54 | ``` 55 | #### **Related links:** #### 56 | * http://blog.rewolf.pl/blog/?p=15 57 | * http://blog.rewolf.pl/blog/?p=22 58 | * http://rewolf.pl/stuff/x86.virt.pdf 59 | * http://rewolf.pl 60 | -------------------------------------------------------------------------------- /src/protector/hde.h: -------------------------------------------------------------------------------- 1 | /* 2 | * Hacker Disassembler Engine 3 | * Copyright (c) 2006-2007 Veacheslav Patkov 4 | * aLL rights reserved. 5 | * 6 | * hde.h : C/C++ header file 7 | * 8 | */ 9 | 10 | #ifndef _HDE_H_ 11 | #define _HDE_H_ 12 | 13 | #pragma pack(push,1) 14 | 15 | typedef struct { 16 | unsigned char len; /* length of command */ 17 | unsigned char p_rep; /* rep & rep(n)z prefix: 0xF2 or 0xF3 */ 18 | unsigned char p_lock; /* lock prefix 0xF0 */ 19 | unsigned char p_seg; /* segment prefix: 0x2E, 0x36, 0x3E, 0x26, 0x64, 0x65 */ 20 | unsigned char p_66; /* prefix 0x66 */ 21 | unsigned char p_67; /* prefix 0x67 */ 22 | unsigned char opcode; /* opcode */ 23 | unsigned char opcode2; /* second opcode (if first opcode equal 0x0F) */ 24 | unsigned char modrm; /* ModR/M byte */ 25 | unsigned char modrm_mod; /* - mod byte of ModR/M */ 26 | unsigned char modrm_reg; /* - reg byte of ModR/M */ 27 | unsigned char modrm_rm; /* - r/m byte of ModR/M */ 28 | unsigned char sib; /* SIB byte */ 29 | unsigned char sib_scale; /* - scale byte of SIB */ 30 | unsigned char sib_index; /* - index byte of SIB */ 31 | unsigned char sib_base; /* - base byte of SIB */ 32 | unsigned char imm8; /* immediate imm8 */ 33 | unsigned short imm16; /* immediate imm16 */ 34 | unsigned long imm32; /* immediate imm32 */ 35 | unsigned char disp8; /* displacement disp8 */ 36 | unsigned short disp16; /* displacement disp16 (if prefix 0x67 exist) */ 37 | unsigned long disp32; /* displacement disp32 */ 38 | unsigned char rel8; /* relative address rel8 */ 39 | unsigned short rel16; /* relative address rel16 (if prefix 0x66 exist) */ 40 | unsigned long rel32; /* relative address rel32 */ 41 | } HDE_STRUCT; 42 | 43 | #pragma pack(pop) 44 | 45 | #ifdef __cplusplus 46 | extern "C" { 47 | #endif 48 | 49 | unsigned long __stdcall hde_disasm(const void *pCode, HDE_STRUCT *pHDE_STRUCT); 50 | 51 | #ifdef __cplusplus 52 | } 53 | #endif 54 | 55 | #endif /* _HDE_H_ */ 56 | -------------------------------------------------------------------------------- /src/test_app/res.rc: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | // Microsoft Visual C++ generated resource script. 24 | // 25 | #include "resource.h" 26 | 27 | #define APSTUDIO_READONLY_SYMBOLS 28 | ///////////////////////////////////////////////////////////////////////////// 29 | // 30 | // Generated from the TEXTINCLUDE 2 resource. 31 | // 32 | #include "afxres.h" 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | #undef APSTUDIO_READONLY_SYMBOLS 36 | 37 | ///////////////////////////////////////////////////////////////////////////// 38 | // Polish resources 39 | 40 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_PLK) 41 | #ifdef _WIN32 42 | LANGUAGE LANG_POLISH, SUBLANG_DEFAULT 43 | #pragma code_page(1250) 44 | #endif //_WIN32 45 | 46 | #ifdef APSTUDIO_INVOKED 47 | ///////////////////////////////////////////////////////////////////////////// 48 | // 49 | // TEXTINCLUDE 50 | // 51 | 52 | 1 TEXTINCLUDE 53 | BEGIN 54 | "resource.h\0" 55 | END 56 | 57 | 2 TEXTINCLUDE 58 | BEGIN 59 | "#include ""afxres.h""\r\n" 60 | "\0" 61 | END 62 | 63 | 3 TEXTINCLUDE 64 | BEGIN 65 | "\r\n" 66 | "\0" 67 | END 68 | 69 | #endif // APSTUDIO_INVOKED 70 | 71 | 72 | ///////////////////////////////////////////////////////////////////////////// 73 | // 74 | // Dialog 75 | // 76 | 77 | IDD_DIALOG1 DIALOGEX 0, 0, 232, 84 78 | STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU 79 | CAPTION "Dialog" 80 | FONT 8, "MS Shell Dlg", 400, 0, 0x1 81 | BEGIN 82 | DEFPUSHBUTTON "Draw",BTN_DRAW,4,4,56,14 83 | DEFPUSHBUTTON "MsgBox",BTN_MSG,4,24,56,14 84 | DEFPUSHBUTTON "MD5",BTN_MD5,4,44,56,14 85 | DEFPUSHBUTTON "Exit",BTN_EXIT,4,64,56,14 86 | LTEXT "",IDC_STATIC1,68,4,160,76,SS_NOTIFY 87 | END 88 | 89 | 90 | ///////////////////////////////////////////////////////////////////////////// 91 | // 92 | // DESIGNINFO 93 | // 94 | 95 | #ifdef APSTUDIO_INVOKED 96 | GUIDELINES DESIGNINFO 97 | BEGIN 98 | IDD_DIALOG1, DIALOG 99 | BEGIN 100 | LEFTMARGIN, 7 101 | RIGHTMARGIN, 225 102 | TOPMARGIN, 7 103 | BOTTOMMARGIN, 77 104 | END 105 | END 106 | #endif // APSTUDIO_INVOKED 107 | 108 | #endif // Polish resources 109 | ///////////////////////////////////////////////////////////////////////////// 110 | 111 | 112 | 113 | #ifndef APSTUDIO_INVOKED 114 | ///////////////////////////////////////////////////////////////////////////// 115 | // 116 | // Generated from the TEXTINCLUDE 3 resource. 117 | // 118 | 119 | 120 | ///////////////////////////////////////////////////////////////////////////// 121 | #endif // not APSTUDIO_INVOKED 122 | 123 | -------------------------------------------------------------------------------- /src/protector/res.rc: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | // Microsoft Visual C++ generated resource script. 24 | // 25 | #include "resource.h" 26 | 27 | #define APSTUDIO_READONLY_SYMBOLS 28 | ///////////////////////////////////////////////////////////////////////////// 29 | // 30 | // Generated from the TEXTINCLUDE 2 resource. 31 | // 32 | #include "afxres.h" 33 | 34 | ///////////////////////////////////////////////////////////////////////////// 35 | #undef APSTUDIO_READONLY_SYMBOLS 36 | 37 | ///////////////////////////////////////////////////////////////////////////// 38 | // Polish resources 39 | 40 | #if !defined(AFX_RESOURCE_DLL) || defined(AFX_TARG_PLK) 41 | #ifdef _WIN32 42 | LANGUAGE LANG_POLISH, SUBLANG_DEFAULT 43 | #pragma code_page(1250) 44 | #endif //_WIN32 45 | 46 | #ifdef APSTUDIO_INVOKED 47 | ///////////////////////////////////////////////////////////////////////////// 48 | // 49 | // TEXTINCLUDE 50 | // 51 | 52 | 1 TEXTINCLUDE 53 | BEGIN 54 | "resource.h\0" 55 | END 56 | 57 | 2 TEXTINCLUDE 58 | BEGIN 59 | "#include ""afxres.h""\r\n" 60 | "\0" 61 | END 62 | 63 | 3 TEXTINCLUDE 64 | BEGIN 65 | "\r\n" 66 | "\0" 67 | END 68 | 69 | #endif // APSTUDIO_INVOKED 70 | 71 | 72 | ///////////////////////////////////////////////////////////////////////////// 73 | // 74 | // Dialog 75 | // 76 | 77 | IDD_DIALOG1 DIALOGEX 0, 0, 200, 172 78 | STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | DS_CENTER | WS_POPUP | WS_CAPTION | WS_SYSMENU 79 | CAPTION "VM Tester" 80 | FONT 8, "MS Shell Dlg", 400, 0, 0x1 81 | BEGIN 82 | EDITTEXT EDT_FILE,4,4,172,12,ES_AUTOHSCROLL 83 | PUSHBUTTON "...",BTN_OPEN,180,4,16,12 84 | LISTBOX LB_LIST,4,20,192,132,LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_TABSTOP 85 | PUSHBUTTON "Add Range",BTN_ADD,108,156,44,12 86 | PUSHBUTTON "Exit",BTN_EXIT,4,156,40,12 87 | PUSHBUTTON "Protect",BTN_PROTECT,156,156,40,12 88 | CONTROL "VM over VM",CHK_VMOVM,"Button",BS_AUTOCHECKBOX | WS_TABSTOP,48,156,56,12 89 | END 90 | 91 | IDD_DIALOG2 DIALOGEX 0, 0, 156, 46 92 | STYLE DS_SETFONT | DS_MODALFRAME | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU 93 | EXSTYLE WS_EX_TOOLWINDOW 94 | CAPTION "Add range" 95 | FONT 8, "MS Shell Dlg", 400, 0, 0x1 96 | BEGIN 97 | EDITTEXT EDT_FROM,8,12,68,12,ES_AUTOHSCROLL 98 | EDITTEXT EDT_TO,80,12,68,12,ES_AUTOHSCROLL 99 | LTEXT "From:",IDC_STATIC,8,4,48,8 100 | LTEXT "To:",IDC_STATIC,80,4,48,8 101 | PUSHBUTTON "OK",BTN_ADD_YES,100,28,48,12 102 | PUSHBUTTON "Cancel",BTN_ADD_NO,8,28,48,12 103 | END 104 | 105 | 106 | ///////////////////////////////////////////////////////////////////////////// 107 | // 108 | // DESIGNINFO 109 | // 110 | 111 | #ifdef APSTUDIO_INVOKED 112 | GUIDELINES DESIGNINFO 113 | BEGIN 114 | IDD_DIALOG1, DIALOG 115 | BEGIN 116 | LEFTMARGIN, 7 117 | RIGHTMARGIN, 193 118 | TOPMARGIN, 7 119 | BOTTOMMARGIN, 165 120 | END 121 | 122 | IDD_DIALOG2, DIALOG 123 | BEGIN 124 | LEFTMARGIN, 7 125 | RIGHTMARGIN, 149 126 | TOPMARGIN, 7 127 | BOTTOMMARGIN, 39 128 | END 129 | END 130 | #endif // APSTUDIO_INVOKED 131 | 132 | #endif // Polish resources 133 | ///////////////////////////////////////////////////////////////////////////// 134 | 135 | 136 | 137 | #ifndef APSTUDIO_INVOKED 138 | ///////////////////////////////////////////////////////////////////////////// 139 | // 140 | // Generated from the TEXTINCLUDE 3 resource. 141 | // 142 | 143 | 144 | ///////////////////////////////////////////////////////////////////////////// 145 | #endif // not APSTUDIO_INVOKED 146 | 147 | -------------------------------------------------------------------------------- /src/protector/macros.h: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | #ifndef _MACROS_H_ 24 | #define _MACROS_H_ 25 | 26 | //flags 27 | #define CF 0x00000001 28 | #define PF 0x00000004 29 | #define ZF 0x00000040 30 | #define SF 0x00000080 31 | #define OF 0x00000800 32 | 33 | //registers 34 | #define _EAX 0 35 | #define _ECX 1 36 | #define _EDX 2 37 | #define _EBX 3 38 | #define _ESP 4 39 | #define _EBP 5 40 | #define _ESI 6 41 | #define _EDI 7 42 | 43 | //vm opcodes 44 | #define I_COND_JMP_SHORT 0x00 //00: SHORT Jcc (0x7x) 45 | #define I_COND_JMP_LONG 0x01 //01: LONG Jcc (0x0F, 0x8x) 46 | #define I_JECX 0x02 //02: J(E)CXZ (0xE3) 47 | #define I_CALL_REL 0x03 //03: CALL (0xE8) 48 | #define I_VM_END 0x04 //04: VM_END (macro) 49 | #define I_RET 0x05 //05: RET (ret, ret v) 50 | #define I_LOOPxx 0x06 //06: LOOP(Z/NZ)(0xE0/0xE1/0xE2) 51 | #define I_VM_MOV_IMM 0x07 52 | #define I_VM_MOV_REG 0x08 53 | #define I_VM_ADD_IMM 0x09 54 | #define I_VM_ADD_REG 0x0A 55 | #define I_VM_SHL_IMM 0x0B 56 | #define I_VM_REAL 0x0C 57 | #define I_JMP_LONG 0x0D 58 | #define I_JMP_SHORT 0x0E 59 | //rol, ror, rcl, rcr, sal, shl, shr, sar 60 | #define I_VM_ROL 0x0F 61 | #define I_VM_ROR 0x10 62 | #define I_VM_RCL 0x11 63 | #define I_VM_RCR 0x12 64 | #define I_VM_SAL 0x13 65 | #define I_VM_SHL 0x14 66 | #define I_VM_SHR 0x15 67 | #define I_VM_SAR 0x16 68 | //(add, or, adc, sbb, and, sub, xor, cmp)(mov) 69 | #define I_VM_ADD 0x17 70 | #define I_VM_OR 0x18 71 | #define I_VM_ADC 0x19 72 | #define I_VM_SBB 0x1A 73 | #define I_VM_AND 0x1B 74 | #define I_VM_SUB 0x1C 75 | #define I_VM_XOR 0x1D 76 | #define I_VM_CMP 0x1E 77 | #define I_VM_MOV 0x1F 78 | //(call, jmp, push)(pop) 79 | #define I_VM_CALL 0x20 80 | #define I_VM_JMP 0x21 81 | #define I_VM_PUSH 0x22 82 | #define I_VM_POP 0x23 83 | // 84 | #define I_VM_RELOC 0x24 85 | #define I_VM_FAKE_CALL 0x25 86 | #define I_VM_NOP 0x26 87 | 88 | //---------------------------------------------------------------------------------------- 89 | #define PUT_VM_PREFIX *(WORD*)(outCodeBuf + outPos + 1) = vm_instr_prefix 90 | #define PUT_VM_OP_SIZE(a) *(outCodeBuf + outPos) = a 91 | #define PUT_VM_OPCODE(a) *(outCodeBuf + outPos + 3) = opcodeTab[a] 92 | //(codeBase + curPos + prefSize)[0] instead of dis.disasm_opcode 93 | #define OPCODE_BEGIN(a) else if ((codeBase + curPos + prefSize)[0] == a) { if (outCodeBuf) 94 | #define OPCODE_BEGIN_3(a, b, c) else if (((codeBase + curPos + prefSize)[0] == a) || ((codeBase + curPos + prefSize)[0] == b) || ((codeBase + curPos + prefSize)[0] == c)) { if (outCodeBuf) 95 | #define OPCODE_BEGIN_MAP_B else if (0 96 | #define OPCODE_MAP_ENTRY(a) || ((codeBase + curPos + prefSize)[0] == a) 97 | #define OPCODE_BEGIN_MAP_E ) { /*if (outCodeBuf)*/ 98 | #define OPCODE_END(a) outPos += a; } 99 | //---------------------------------------------------------------------------------------- 100 | #define MAKE_XXX_IMM(imm, vmop) \ 101 | if (outCodeBuf) \ 102 | { \ 103 | PUT_VM_OP_SIZE(7); \ 104 | PUT_VM_PREFIX; \ 105 | PUT_VM_OPCODE(vmop); \ 106 | *(DWORD*)(outCodeBuf + outPos + 4) = imm; \ 107 | } \ 108 | outPos += 8; 109 | //---------------------------------------------------------------------------------------- 110 | #define MAKE_XXX_REG(reg, vmop) \ 111 | if (outCodeBuf) \ 112 | { \ 113 | PUT_VM_OP_SIZE(4); \ 114 | PUT_VM_PREFIX; \ 115 | PUT_VM_OPCODE(vmop); \ 116 | *(outCodeBuf + outPos + 4) = reg; \ 117 | } \ 118 | outPos += 5; 119 | //---------------------------------------------------------------------------------------- 120 | #define MAKE_MOV_IMM(a) MAKE_XXX_IMM(a, I_VM_MOV_IMM) 121 | #define MAKE_MOV_REG(a) MAKE_XXX_REG(a, I_VM_MOV_REG) 122 | #define MAKE_ADD_IMM(a) MAKE_XXX_IMM(a, I_VM_ADD_IMM) 123 | #define MAKE_ADD_REG(a) MAKE_XXX_REG(a, I_VM_ADD_REG) 124 | #define MAKE_SHL_IMM(a) MAKE_XXX_REG(a, I_VM_SHL_IMM) 125 | #define MAKE_REAL_INSTR \ 126 | if (outCodeBuf) \ 127 | { \ 128 | PUT_VM_OP_SIZE(5); \ 129 | PUT_VM_PREFIX; \ 130 | PUT_VM_OPCODE(I_VM_REAL); \ 131 | *(outCodeBuf + outPos + 4) = *(codeBase + curPos + prefSize); \ 132 | *(outCodeBuf + outPos + 5) = _reg; \ 133 | } \ 134 | outPos += 6; 135 | //---------------------------------------------------------------------------------------- 136 | #define MAKE_VM_PURE(a) \ 137 | if (outCodeBuf) \ 138 | { \ 139 | PUT_VM_OP_SIZE(3); \ 140 | PUT_VM_PREFIX; \ 141 | PUT_VM_OPCODE(a); \ 142 | } \ 143 | outPos += 4; 144 | //---------------------------------------------------------------------------------------- 145 | #define MAKE_ORIG_INSTR \ 146 | if (outCodeBuf) \ 147 | { \ 148 | *(outCodeBuf + outPos) = dis.disasm_len; \ 149 | memmove(outCodeBuf + outPos + 1, codeBase + curPos, dis.disasm_len); \ 150 | } \ 151 | outPos += dis.disasm_len + 1; 152 | //---------------------------------------------------------------------------------------- 153 | #endif 154 | -------------------------------------------------------------------------------- /src/protector/common.cpp: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | #include "common.h" 24 | #include "poly_encdec.h" 25 | 26 | extern BYTE _vm_poly_dec[121] = {0}; 27 | 28 | extern polyFunc polyEnc = (polyFunc)(BYTE*)_vm_poly_enc; 29 | extern polyFunc polyDec = (polyFunc)(BYTE*)_vm_poly_dec; 30 | 31 | DWORD WINAPI _lde(BYTE* off) 32 | { 33 | HDE_STRUCT hdeStr; 34 | hde_disasm(off, &hdeStr); 35 | return ((hdeStr.p_66 | hdeStr.p_67 | hdeStr.p_lock | hdeStr.p_rep | hdeStr.p_seg) << 8) | hdeStr.len; 36 | } 37 | 38 | void genPolyEncDec() 39 | { 40 | //xor eax, dword ptr [esp+18h] 41 | //0x18244433 42 | memmove(_vm_poly_dec, _vm_poly_enc, sizeof(_vm_poly_enc)); 43 | *(DWORD*)(_vm_poly_enc + 0x65) = 0x18244433; 44 | *(DWORD*)(_vm_poly_dec + 11) = 0x18244433; 45 | 46 | //XOR val 0x34 val 47 | //SUB val 0x2C val 48 | //ADD val 0x04 val 49 | //XOR CL 0x32 0xC1 50 | //SUB CL 0x2A 0xC1 51 | //ADD CL 0x02 0xC1 52 | //INC 0xFE 0xC0 53 | //DEC 0xFE 0xC8 54 | //ROR CL 0xD2 0xC8 55 | //ROL CL 0xD2 0xC0 56 | //junk 0xEB 0x01 xx 57 | 58 | int instr = 30; 59 | int junk = 10; 60 | int ptr = 11; 61 | while (instr || junk) 62 | { 63 | int w = rand() & 1; 64 | if (w && junk) 65 | { 66 | _vm_poly_enc[ptr] = 0xEB; 67 | _vm_poly_enc[ptr+1] = 0x01; 68 | _vm_poly_enc[ptr+2] = rand(); 69 | _vm_poly_dec[114 - ptr - 1] = 0xEB; 70 | _vm_poly_dec[114 - ptr] = 0x01; 71 | _vm_poly_dec[114 - ptr + 1] = rand(); 72 | ptr += 3; 73 | junk--; 74 | } 75 | else 76 | { 77 | int cinstr = rand() % 10; 78 | switch (cinstr) 79 | { 80 | case 0: 81 | _vm_poly_enc[ptr] = 0x34; 82 | _vm_poly_enc[ptr+1] = rand(); 83 | _vm_poly_dec[114 - ptr] = 0x34; 84 | _vm_poly_dec[114 - ptr+1] = _vm_poly_enc[ptr+1]; 85 | break; 86 | case 1: 87 | _vm_poly_enc[ptr] = 0x2C; 88 | _vm_poly_enc[ptr+1] = rand(); 89 | _vm_poly_dec[114 - ptr] = 0x04; 90 | _vm_poly_dec[114 - ptr+1] = _vm_poly_enc[ptr+1]; 91 | break; 92 | case 2: 93 | _vm_poly_enc[ptr] = 0x04; 94 | _vm_poly_enc[ptr+1] = rand(); 95 | _vm_poly_dec[114 - ptr] = 0x2C; 96 | _vm_poly_dec[114 - ptr+1] = _vm_poly_enc[ptr+1]; 97 | break; 98 | case 3: 99 | _vm_poly_enc[ptr] = 0x32; 100 | _vm_poly_enc[ptr+1] = 0xC1; 101 | _vm_poly_dec[114 - ptr] = 0x32; 102 | _vm_poly_dec[114 - ptr+1] = 0xC1; 103 | break; 104 | case 4: 105 | _vm_poly_enc[ptr] = 0x2A; 106 | _vm_poly_enc[ptr+1] = 0xC1; 107 | _vm_poly_dec[114 - ptr] = 0x02; 108 | _vm_poly_dec[114 - ptr+1] = 0xC1; 109 | break; 110 | case 5: 111 | _vm_poly_enc[ptr] = 0x02; 112 | _vm_poly_enc[ptr+1] = 0xC1; 113 | _vm_poly_dec[114 - ptr] = 0x2A; 114 | _vm_poly_dec[114 - ptr+1] = 0xC1; 115 | break; 116 | case 6: 117 | _vm_poly_enc[ptr] = 0xFE; 118 | _vm_poly_enc[ptr+1] = 0xC0; 119 | _vm_poly_dec[114 - ptr] = 0xFE; 120 | _vm_poly_dec[114 - ptr+1] = 0xC8; 121 | break; 122 | case 7: 123 | _vm_poly_enc[ptr] = 0xFE; 124 | _vm_poly_enc[ptr+1] = 0xC8; 125 | _vm_poly_dec[114 - ptr] = 0xFE; 126 | _vm_poly_dec[114 - ptr+1] = 0xC0; 127 | break; 128 | case 8: 129 | _vm_poly_enc[ptr] = 0xD2; 130 | _vm_poly_enc[ptr+1] = 0xC8; 131 | _vm_poly_dec[114 - ptr] = 0xD2; 132 | _vm_poly_dec[114 - ptr+1] = 0xC0; 133 | break; 134 | case 9: 135 | _vm_poly_enc[ptr] = 0xD2; 136 | _vm_poly_enc[ptr+1] = 0xC0; 137 | _vm_poly_dec[114 - ptr] = 0xD2; 138 | _vm_poly_dec[114 - ptr+1] = 0xC8; 139 | break; 140 | } 141 | ptr += 2; 142 | instr--; 143 | } 144 | } 145 | } 146 | 147 | int genCodeMap(BYTE* codeBase, int codeSize, DWORD* codeMap) 148 | { 149 | int curPos = 0; 150 | int instrCount = 0; 151 | //disasm_struct dis; 152 | struct 153 | { 154 | DWORD disasm_len; 155 | } dis; 156 | while (curPos != codeSize) 157 | { 158 | //dis.disasm_len = lde(codeBase + curPos) & 0xFF; 159 | if ((curPos - 3 < codeSize) && 160 | ((((*(DWORD*)(codeBase + curPos)) & 0xFFFFFF) == 0x05848D) || 161 | (((*(DWORD*)(codeBase + curPos)) & 0xFFFFFF) == 0x15948D) || 162 | (((*(DWORD*)(codeBase + curPos)) & 0xFFFFFF) == 0x0D8C8D) || 163 | (((*(DWORD*)(codeBase + curPos)) & 0xFFFFFF) == 0x1D9C8D) 164 | )) dis.disasm_len = 7; 165 | //else if ((curPos - 2 < codeSize) && (*(WORD*)(codeBase + curPos) == 0x01EB)) dis.disasm_len = 3; 166 | else dis.disasm_len = lde(codeBase + curPos) & 0xFF; 167 | // 168 | if (!dis.disasm_len) return -1; 169 | if (codeMap) codeMap[instrCount] = curPos; 170 | instrCount++; 171 | curPos += dis.disasm_len; 172 | } 173 | return instrCount; 174 | } 175 | 176 | void genPermutation(BYTE* buf, int size) 177 | { 178 | memset(buf, 0, size); 179 | int i = 0; 180 | while (i < size) 181 | { 182 | BYTE rnd = rand() % size; 183 | if (!buf[rnd]) 184 | { 185 | buf[rnd] = i; 186 | i++; 187 | } 188 | } 189 | } 190 | 191 | void invPerm256(BYTE* buf) 192 | { 193 | BYTE tmp[256]; 194 | for (int i = 0; i < 256; i++) 195 | { 196 | tmp[buf[i]] = i; 197 | } 198 | memmove(buf, tmp, 256); 199 | } 200 | 201 | void invPerm16(BYTE* buf) 202 | { 203 | BYTE tmp[16]; 204 | for (int i = 0; i < 16; i++) 205 | { 206 | tmp[buf[i]] = i; 207 | } 208 | memmove(buf, tmp, 16); 209 | } 210 | 211 | void permutateJcc(WORD* buf, int elemCount, BYTE* permutation) 212 | { 213 | WORD temp[16]; 214 | for (int i = 0; i < elemCount; i++) 215 | { 216 | temp[i] = buf[permutation[i]]; 217 | if (i > permutation[i]) 218 | { 219 | WORD tmp = i - permutation[i]; 220 | tmp <<= 9; 221 | temp[i] -= tmp; 222 | } 223 | else 224 | { 225 | WORD tmp = permutation[i] - i; 226 | tmp <<= 9; 227 | temp[i] += tmp; 228 | } 229 | } 230 | memmove(buf, temp, 2*16); 231 | } 232 | 233 | int genRelocMap(BYTE* relocSeg, DWORD funcRVA, int funcSize, DWORD* relocMap) 234 | { 235 | BYTE* relocPtr = relocSeg; 236 | //DWORD delta = (DWORD)newImageBase - inh->OptionalHeader.ImageBase; 237 | int relCnt = 0; 238 | while (*(DWORD*)relocPtr) 239 | { 240 | DWORD relocRVA = ((DWORD*)relocPtr)[0]; 241 | DWORD blockSize = ((DWORD*)relocPtr)[1]; 242 | for (int i = 0; i < (blockSize - 8) / 2; i++) 243 | { 244 | //if (((WORD*)(relocPtr + 8))[i] & 0xF000) 245 | //{ 246 | //*(DWORD*)(newImageBase + relocRVA + (((WORD*)(relocPtr + 8))[i] & 0xFFF)) += delta; 247 | //} 248 | if ((relocRVA + (((WORD*)(relocPtr + 8))[i] & 0xFFF) >= funcRVA) && 249 | (relocRVA + (((WORD*)(relocPtr + 8))[i] & 0xFFF) < funcRVA + funcSize)) 250 | { 251 | if (relocMap) relocMap[relCnt] = relocRVA + (((WORD*)(relocPtr + 8))[i] & 0xFFF); 252 | relCnt++; 253 | } 254 | } 255 | relocPtr += blockSize; 256 | } 257 | return relCnt; 258 | } 259 | -------------------------------------------------------------------------------- /src/protector/main.cpp: -------------------------------------------------------------------------------- 1 | /* x86.Virtualizer 2 | * Copyright 2007 ReWolf 3 | * Contact: 4 | * rewolf@rewolf.pl 5 | * http://rewolf.pl 6 | * 7 | * This program is free software; you can redistribute it and/or modify 8 | * it under the terms of the GNU General Public License as published by 9 | * the Free Software Foundation; either version 2 of the License, or 10 | * (at your option) any later version. 11 | * 12 | * This program is distributed in the hope that it will be useful, 13 | * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | * GNU General Public License for more details. 16 | * 17 | * You should have received a copy of the GNU General Public License 18 | * along with this program; if not, write to the Free Software 19 | * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | */ 21 | 22 | 23 | #include 24 | #include 25 | #include 26 | #include "protect.h" 27 | 28 | #include "resource.h" 29 | 30 | #define MAKE_VM_CALL(imgBase, funcAddr, funcRVA, vmedFuncAddr, fSize, vmStartRVA) \ 31 | *(BYTE*)(funcAddr) = 0x68; \ 32 | *(DWORD*)((BYTE*)(funcAddr) + 1) = (vmedFuncAddr); \ 33 | *((BYTE*)(funcAddr) + 5) = 0x68; \ 34 | *(DWORD*)((BYTE*)(funcAddr) + 6) = imgBase + (funcRVA) + 16; \ 35 | *((BYTE*)(funcAddr) + 10) = 0x68; \ 36 | *(DWORD*)((BYTE*)(funcAddr) + 11) = imgBase + (vmStartRVA); \ 37 | *((BYTE*)(funcAddr) + 15) = 0xC3; \ 38 | memset((BYTE*)(funcAddr) + 16, 0x90, (fSize) - 16); 39 | 40 | #define MAKE_VM_CALL2(imgBase, funcAddr, funcRVA, vmedFuncRVA, fSize, vmStartRVA, inLdrAddr, inLdrRVA) \ 41 | *(BYTE*)(funcAddr) = 0xE9; \ 42 | *(DWORD*)((BYTE*)(funcAddr) + 1) = (inLdrRVA) - (funcRVA) - 5; \ 43 | memset((BYTE*)(funcAddr) + 5, 0x90, (fSize) - 5); \ 44 | *(BYTE*)(inLdrAddr) = 0xE8; \ 45 | *(DWORD*)((BYTE*)(inLdrAddr) + 1) = 0; \ 46 | *((BYTE*)(inLdrAddr) + 5) = 0x9C; \ 47 | *(DWORD*)((BYTE*)(inLdrAddr) + 6) = 0x04246C81; \ 48 | *(DWORD*)((BYTE*)(inLdrAddr) + 10) = (inLdrRVA) - (vmedFuncRVA) + 5; \ 49 | *((BYTE*)(inLdrAddr) + 14) = 0x9D; \ 50 | *((BYTE*)(inLdrAddr) + 15) = 0xE8; \ 51 | *(DWORD*)((BYTE*)(inLdrAddr) + 16) = 0; \ 52 | *((BYTE*)(inLdrAddr) + 20) = 0x9C; \ 53 | *(DWORD*)((BYTE*)(inLdrAddr) + 21) = 0x04246C81; \ 54 | *(DWORD*)((BYTE*)(inLdrAddr) + 25) = (inLdrRVA) - ((funcRVA) + 5) + 20; \ 55 | *((BYTE*)(inLdrAddr) + 29) = 0x9D; \ 56 | *(BYTE*)((BYTE*)(inLdrAddr) + 30) = 0xE9; \ 57 | *(DWORD*)((BYTE*)(inLdrAddr) + 31) = (vmStartRVA) - ((inLdrRVA) + 30) - 5; 58 | 59 | #define VM_CALL_SIZE 35 60 | 61 | int vm_protect_vm(BYTE* vm_in_exe, BYTE* outBuf, DWORD imgBase, DWORD vmRVA, DWORD newRVA) 62 | { 63 | BYTE* hVMMemory; 64 | DWORD vmInit; 65 | DWORD vmStart; 66 | int vmSize; 67 | DWORD* hVMImg; 68 | if (!outBuf) 69 | { 70 | vmSize = vm_init(&hVMMemory, &vmInit, &vmStart); 71 | hVMImg = (DWORD*)vm_getVMImg(); 72 | } 73 | else 74 | { 75 | hVMImg = (DWORD*)vm_getVMImg(); 76 | vmSize = vm_getVMSize(); 77 | DWORD _ssss = (*(DWORD*)(hVMImg + 7))*4 + (*(DWORD*)(hVMImg + 8))*8 + 4; 78 | vmInit = *(DWORD*)(hVMImg + 2) - _ssss; 79 | vmStart = *(DWORD*)(hVMImg + 3) - _ssss; 80 | hVMMemory = (BYTE*)hVMImg + _ssss; 81 | } 82 | 83 | int cnt = hVMImg[7]; 84 | cnt = hVMImg[cnt]; 85 | int curOutPos = 0; 86 | 87 | if (outBuf) memmove(outBuf, hVMMemory, vmSize); 88 | curOutPos += vmSize; 89 | 90 | for (int i = 0; i < cnt; i++) 91 | { 92 | int cur = hVMImg[7] + 2*i + 1; 93 | if (!outBuf) 94 | { 95 | hVMImg[cur] -= (0x401000 + hVMImg[7]*4 + cnt*8 + 4); 96 | hVMImg[cur + 1] -= (0x401000 + hVMImg[7]*4 + cnt*8 + 4); 97 | } 98 | 99 | int lalala = curOutPos; 100 | BYTE* __outBuf; 101 | if (outBuf) __outBuf = outBuf + curOutPos; 102 | else __outBuf = 0; 103 | curOutPos += vm_protect(vm_in_exe + hVMImg[cur], hVMImg[cur + 1] - hVMImg[cur], __outBuf, vmRVA + hVMImg[cur], 0, imgBase); 104 | //MAKE_VM_CALL(imgBase, vm_in_exe + hVMImg[cur], vmRVA + hVMImg[cur], imgBase + newRVA + lalala, hVMImg[cur + 1] - hVMImg[cur], newRVA + vmStart); 105 | if (outBuf) 106 | { 107 | MAKE_VM_CALL2(imgBase, vm_in_exe + hVMImg[cur], vmRVA + hVMImg[cur], newRVA + lalala, hVMImg[cur + 1] - hVMImg[cur], newRVA + vmStart, outBuf + curOutPos, newRVA + curOutPos); 108 | } 109 | curOutPos += VM_CALL_SIZE; 110 | } 111 | 112 | return curOutPos; 113 | } 114 | //----------------------------------------------------------------------------- 115 | DWORD ddFrom; 116 | DWORD ddTo; 117 | int WINAPI AddDialogProc(HWND hDlg, UINT uMSg, WPARAM wParam, LPARAM lParam) 118 | { 119 | switch (uMSg) 120 | { 121 | case WM_CLOSE: 122 | EndDialog(hDlg, 0); 123 | break; 124 | case WM_COMMAND: 125 | { 126 | switch (wParam & 0xFFFF) 127 | { 128 | case BTN_ADD_NO: 129 | EndDialog(hDlg, 0); 130 | break; 131 | case BTN_ADD_YES: 132 | char temp[20]; 133 | ddFrom = 0; 134 | ddTo = 0; 135 | GetDlgItemText(hDlg, EDT_FROM, temp, 20); 136 | sscanf(temp, "%x", &ddFrom); 137 | GetDlgItemText(hDlg, EDT_TO, temp, 20); 138 | sscanf(temp, "%x", &ddTo); 139 | if (ddTo && ddFrom) EndDialog(hDlg, 1); 140 | else MessageBox(hDlg, "Error", "Error", MB_ICONERROR); 141 | break; 142 | } 143 | } 144 | break; 145 | } 146 | return 0; 147 | } 148 | 149 | DWORD rva2raw(WORD NumOfSections, IMAGE_SECTION_HEADER* FSH, DWORD rva) 150 | { 151 | for (int i = NumOfSections-1; i >= 0; i--) 152 | if (FSH[i].VirtualAddress <= rva) 153 | return FSH[i].PointerToRawData + rva - FSH[i].VirtualAddress; 154 | return 0xFFFFFFFF; 155 | } 156 | 157 | DWORD searchFunction(BYTE* exeMem, char* functionName) 158 | { 159 | IMAGE_NT_HEADERS* inh = (IMAGE_NT_HEADERS*)(exeMem + ((IMAGE_DOS_HEADER*)exeMem)->e_lfanew); 160 | IMAGE_SECTION_HEADER* ish = (IMAGE_SECTION_HEADER*)(exeMem + ((IMAGE_DOS_HEADER*)exeMem)->e_lfanew + inh->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); 161 | 162 | IMAGE_IMPORT_DESCRIPTOR* imports = (IMAGE_IMPORT_DESCRIPTOR*)inh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress; 163 | imports = (IMAGE_IMPORT_DESCRIPTOR*)(exeMem + rva2raw(inh->FileHeader.NumberOfSections, ish, (DWORD)imports)); 164 | bool found = false; 165 | while (!found && imports->Name) 166 | { 167 | char* libName = (char*)exeMem + rva2raw(inh->FileHeader.NumberOfSections, ish, imports->Name); 168 | if (!stricmp(libName, "kernel32.dll")) 169 | { 170 | found = true; 171 | DWORD* thunks = (DWORD*)(imports->FirstThunk); 172 | thunks = (DWORD*)(exeMem + rva2raw(inh->FileHeader.NumberOfSections, ish, imports->FirstThunk)); 173 | bool found2 = false; 174 | int k = 0; 175 | while (!found2 && *thunks) 176 | { 177 | char* curName = (char*)exeMem + rva2raw(inh->FileHeader.NumberOfSections, ish, *thunks); 178 | if (!stricmp(curName + 2, functionName)) 179 | { 180 | return imports->FirstThunk + k*4; 181 | found2 = true; 182 | } 183 | k++; 184 | thunks++; 185 | } 186 | } 187 | imports++; 188 | } 189 | 190 | } 191 | 192 | #define ERROR(a) { MessageBox(0, a, "Error", MB_ICONERROR); return; } 193 | #define ERROR2(a) \ 194 | { \ 195 | MessageBox(0, a, "Error", MB_ICONERROR); \ 196 | GlobalFree(items); \ 197 | GlobalFree(items2); \ 198 | vm_free(); \ 199 | return; \ 200 | } 201 | 202 | #define TRUNC(a, b) (a + (b - ((a % b) ? (a % b) : b))) 203 | 204 | void doProtect(HWND listBox, bool vmovervm, char* fileName) 205 | { 206 | HANDLE hFile = CreateFile(fileName, GENERIC_READ, FILE_SHARE_READ, 0, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0); 207 | if (hFile == INVALID_HANDLE_VALUE) ERROR("Cannot open input file."); 208 | DWORD tmp; 209 | DWORD fSize = GetFileSize(hFile, 0); 210 | BYTE* hInMem = (BYTE*)GlobalAlloc(GMEM_FIXED, fSize); 211 | if (!hInMem) ERROR("Cannot allocate memory."); 212 | ReadFile(hFile, hInMem, fSize, &tmp, 0); 213 | CloseHandle(hFile); 214 | 215 | IMAGE_NT_HEADERS* inh = (IMAGE_NT_HEADERS*)(hInMem + ((IMAGE_DOS_HEADER*)hInMem)->e_lfanew); 216 | IMAGE_SECTION_HEADER* ish = (IMAGE_SECTION_HEADER*)(hInMem + ((IMAGE_DOS_HEADER*)hInMem)->e_lfanew + inh->FileHeader.SizeOfOptionalHeader + sizeof(IMAGE_FILE_HEADER) + 4); 217 | 218 | //relocs check 219 | DWORD rel = 0; 220 | if (inh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress) 221 | { 222 | rel = rva2raw(inh->FileHeader.NumberOfSections, ish, inh->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_BASERELOC].VirtualAddress); 223 | if (rel == 0xFFFFFFFF) ERROR("Invalid relocations RVA."); 224 | rel += (DWORD)hInMem; 225 | } 226 | 227 | //build protection table: 228 | int itemsCnt = SendMessage(listBox, LB_GETCOUNT, 0, 0); 229 | if (!itemsCnt) ERROR("Nothing to protect (add at least one range)."); 230 | DWORD* items = (DWORD*)GlobalAlloc(GMEM_FIXED, itemsCnt*8); 231 | DWORD* items2 = (DWORD*)GlobalAlloc(GMEM_FIXED, itemsCnt*8); 232 | //vm init 233 | BYTE* hVMMemory; 234 | DWORD vmInit; 235 | DWORD vmStart; 236 | srand(time(0)); 237 | int vmSize = vm_init(&hVMMemory, &vmInit, &vmStart); 238 | // 239 | int protSize = 0; 240 | for (int i = 0; i < itemsCnt; i++) 241 | { 242 | char temp[25]; 243 | SendMessage(listBox, LB_GETTEXT, i, (LPARAM)temp); 244 | temp[8] = 0; 245 | sscanf(temp, "%x", &items[i*2]); 246 | sscanf(temp + 11, "%x", &items[i*2 + 1]); 247 | items[i*2] -= inh->OptionalHeader.ImageBase; 248 | items[i*2 + 1] -= inh->OptionalHeader.ImageBase; 249 | 250 | items2[i*2] = rva2raw(inh->FileHeader.NumberOfSections, ish, items[i*2]); 251 | if (items2[i*2] == 0xFFFFFFFF) ERROR2("Invalid range start"); 252 | items2[i*2 + 1] = items[i*2 + 1] - items[i*2]; //size 253 | int t = vm_protect(hInMem + items2[i*2], items2[i*2 + 1], 0, items[i*2], (BYTE*)rel, inh->OptionalHeader.ImageBase); 254 | if (t == -1) ERROR2("[SIZE] Protection failed."); 255 | protSize += t; 256 | } 257 | //loader size = 0x3C 258 | 259 | //first protection layer 260 | //get new section rva 261 | DWORD newRVA = (ish + inh->FileHeader.NumberOfSections - 1)->VirtualAddress + TRUNC((ish + inh->FileHeader.NumberOfSections - 1)->Misc.VirtualSize, inh->OptionalHeader.SectionAlignment); 262 | DWORD vAlloc = searchFunction(hInMem, "VirtualAlloc"); 263 | //DWORD newSecSize = TRUNC((vmSize + protSize + 0x3C + itemsCnt*0x1F), inh->OptionalHeader.FileAlignment); 264 | DWORD newSecSize = vmSize + protSize + 0x3C + itemsCnt*VM_CALL_SIZE; 265 | BYTE* hNewMem = (BYTE*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, newSecSize); 266 | int curPos = 0; 267 | memmove(hNewMem, hVMMemory, vmSize); 268 | curPos += vmSize; 269 | 270 | //setting new entry point 271 | DWORD oldEntry = inh->OptionalHeader.AddressOfEntryPoint; 272 | inh->OptionalHeader.AddressOfEntryPoint = newRVA + vmSize; 273 | 274 | //VirtualAlloc at 0xA0F8 275 | static char loaderAlloc[] = 276 | { 277 | 0xE8, 0x00, 0x00, 0x00, 0x00, //CALL vm_test2.004120DA 278 | 0x5B, //POP EBX 279 | 0x81, 0xEB, 0xDA, 0x20, 0x01, 0x00, //SUB EBX,120DA 280 | 0x6A, 0x40, //PUSH 40 281 | 0x68, 0x00, 0x10, 0x00, 0x00, //PUSH 1000 282 | 0x68, 0x00, 0x10, 0x00, 0x00, //PUSH 1000 283 | 0x6A, 0x00, //PUSH 0 284 | 0xB8, 0x34, 0x12, 0x00, 0x00, //MOV EAX,1234 285 | 0x03, 0xC3, //ADD EAX,EBX 286 | 0xFF, 0x10, //CALL [EAX] 287 | 0x53, //PUSH EBX 288 | 0x05, 0x00, 0x10, 0x00, 0x00, //ADD EAX,1000 289 | 0x50, //PUSH EAX 290 | 0xB8, 0x34, 0x12, 0x00, 0x00, //MOV EAX,1234 291 | 0x03, 0xC3, //ADD EAX,EBX 292 | 0xFF, 0xD0, //CALL EAX 293 | 0xB8, 0x34, 0x12, 0x00, 0x00, //MOV EAX,1234 294 | 0x03, 0xC3, //ADD EAX,EBX 295 | 0xFF, 0xE0 //JMP EAX 296 | }; 297 | //correcting loader: 298 | *(DWORD*)(loaderAlloc + 8) = newRVA + vmSize + 5; 299 | *(DWORD*)(loaderAlloc + 27) = vAlloc; 300 | *(DWORD*)(loaderAlloc + 43) = newRVA + vmInit; 301 | *(DWORD*)(loaderAlloc + 52) = oldEntry; 302 | memmove(hNewMem + vmSize, loaderAlloc, sizeof(loaderAlloc)); 303 | curPos += sizeof(loaderAlloc); 304 | 305 | for (int i = 0; i < itemsCnt; i++) 306 | { 307 | int _tts = vm_protect(hInMem + items2[i*2], items2[i*2 + 1], hNewMem + curPos, items[i*2], (BYTE*)rel, inh->OptionalHeader.ImageBase); 308 | MAKE_VM_CALL2(inh->OptionalHeader.ImageBase, hInMem + items2[i*2], items[i*2], newRVA + curPos, items2[i*2 + 1], newRVA + vmStart, hNewMem + curPos + _tts, newRVA + curPos + _tts); 309 | curPos += _tts + VM_CALL_SIZE; 310 | } 311 | 312 | if (vmovervm) 313 | { 314 | //chuj wi czemu ;p 315 | //newSecSize -= 5; 316 | // 317 | int vmovmSize = vm_protect_vm(hNewMem, 0, inh->OptionalHeader.ImageBase, newRVA, newRVA + curPos); 318 | //BYTE* tmpMemPtr = (BYTE*)GlobalReAlloc(hNewMem, newSecSize + vmovmSize, GMEM_FIXED | GMEM_ZEROINIT); 319 | BYTE* tmpMemPtr = (BYTE*)GlobalAlloc(GMEM_FIXED | GMEM_ZEROINIT, newSecSize + vmovmSize + sizeof(loaderAlloc)); 320 | memmove(tmpMemPtr, hNewMem, newSecSize); 321 | GlobalFree(hNewMem); 322 | hNewMem = tmpMemPtr; 323 | vm_protect_vm(hNewMem, hNewMem + newSecSize, inh->OptionalHeader.ImageBase, newRVA, newRVA + curPos); 324 | curPos += vmovmSize; 325 | 326 | oldEntry = inh->OptionalHeader.AddressOfEntryPoint; 327 | inh->OptionalHeader.AddressOfEntryPoint = newRVA + curPos; 328 | 329 | *(DWORD*)(loaderAlloc + 8) = newRVA + curPos + 5; 330 | //*(DWORD*)(loaderAlloc + 27) = vAlloc; 331 | *(DWORD*)(loaderAlloc + 43) = newRVA + newSecSize + vmInit; 332 | *(DWORD*)(loaderAlloc + 52) = oldEntry; 333 | memmove(hNewMem + curPos, loaderAlloc, sizeof(loaderAlloc)); 334 | curPos += sizeof(loaderAlloc); 335 | 336 | newSecSize += vmovmSize + sizeof(loaderAlloc); 337 | } 338 | DWORD oldNewSecSize = newSecSize; 339 | newSecSize = TRUNC(newSecSize, inh->OptionalHeader.FileAlignment); 340 | 341 | //adding section 342 | ish += inh->FileHeader.NumberOfSections; 343 | inh->FileHeader.NumberOfSections++; 344 | memset(ish, 0, sizeof(IMAGE_SECTION_HEADER)); 345 | ish->Characteristics = 0xE00000E0; 346 | ish->Misc.VirtualSize = TRUNC(newSecSize, inh->OptionalHeader.SectionAlignment); 347 | inh->OptionalHeader.SizeOfImage += ish->Misc.VirtualSize; 348 | memmove(ish->Name, ".VM", 4); 349 | ish->PointerToRawData = fSize; 350 | ish->SizeOfRawData = newSecSize; 351 | ish->VirtualAddress = newRVA; 352 | 353 | char newFName[MAX_PATH] = {0}; 354 | strcpy(newFName, fileName); 355 | newFName[strlen(newFName) - 4] = 0; 356 | strcat(newFName, "_vmed.exe"); 357 | 358 | hFile = CreateFile(newFName, GENERIC_WRITE, FILE_SHARE_READ, 0, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, 0); 359 | WriteFile(hFile, hInMem, fSize, &tmp, 0); 360 | WriteFile(hFile, hNewMem, oldNewSecSize, &tmp, 0); 361 | memset(hNewMem, 0, newSecSize - oldNewSecSize); 362 | WriteFile(hFile, hNewMem, newSecSize - oldNewSecSize, &tmp, 0); 363 | CloseHandle(hFile); 364 | 365 | GlobalFree(hNewMem); 366 | GlobalFree(items); 367 | GlobalFree(items2); 368 | vm_free(); 369 | } 370 | 371 | int WINAPI DialogProc(HWND hDlg, UINT uMSg, WPARAM wParam, LPARAM lParam) 372 | { 373 | switch (uMSg) 374 | { 375 | case WM_CLOSE: 376 | EndDialog(hDlg, 0); 377 | break; 378 | case WM_COMMAND: 379 | { 380 | switch (wParam & 0xFFFF) 381 | { 382 | case BTN_EXIT: 383 | EndDialog(hDlg, 0); 384 | break; 385 | case BTN_ADD: 386 | if (DialogBoxParam((HINSTANCE)0x400000, (LPCSTR)IDD_DIALOG2, hDlg, AddDialogProc, 0)) 387 | { 388 | char temp[50]; 389 | sprintf(temp, "%08X - %08X", ddFrom, ddTo); 390 | SendDlgItemMessage(hDlg, LB_LIST, LB_ADDSTRING, 0, (LPARAM)temp); 391 | } 392 | break; 393 | case BTN_OPEN: 394 | { 395 | OPENFILENAME ofn; 396 | memset(&ofn, 0, sizeof(OPENFILENAME)); 397 | ofn.lStructSize = sizeof(OPENFILENAME); 398 | ofn.hwndOwner = hDlg; 399 | char fileName[MAX_PATH] = {0}; 400 | ofn.lpstrFile = fileName; 401 | ofn.nMaxFile = MAX_PATH; 402 | ofn.Flags = OFN_FILEMUSTEXIST; 403 | GetOpenFileName(&ofn); 404 | SetDlgItemText(hDlg, EDT_FILE, fileName); 405 | SendDlgItemMessage(hDlg, LB_LIST, LB_RESETCONTENT, 0, 0); 406 | } 407 | break; 408 | case BTN_PROTECT: 409 | { 410 | char fileName[MAX_PATH]; 411 | if (GetDlgItemText(hDlg, EDT_FILE, fileName, MAX_PATH)) 412 | { 413 | bool vmovm = false; 414 | if (SendDlgItemMessage(hDlg, CHK_VMOVM, BM_GETCHECK, 0, 0) == BST_CHECKED) vmovm = true; 415 | doProtect(GetDlgItem(hDlg, LB_LIST), vmovm, fileName); 416 | } 417 | MessageBox(hDlg, "Finished.", "Info", MB_ICONINFORMATION); 418 | } 419 | break; 420 | } 421 | } 422 | break; 423 | } 424 | return 0; 425 | } 426 | 427 | int WINAPI WinMain(__in HINSTANCE hInstance, __in_opt HINSTANCE hPrevInstance, __in_opt LPSTR lpCmdLine, __in int nShowCmd) 428 | { 429 | DialogBoxParam(hInstance, (LPCSTR)IDD_DIALOG1, 0, DialogProc, 0); 430 | 431 | return (int)VirtualAlloc; 432 | } -------------------------------------------------------------------------------- /gpl.txt: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 2, June 1991 3 | 4 | Copyright (C) 1989, 1991 Free Software Foundation, Inc., 5 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA 6 | Everyone is permitted to copy and distribute verbatim copies 7 | of this license document, but changing it is not allowed. 8 | 9 | Preamble 10 | 11 | The licenses for most software are designed to take away your 12 | freedom to share and change it. By contrast, the GNU General Public 13 | License is intended to guarantee your freedom to share and change free 14 | software--to make sure the software is free for all its users. This 15 | General Public License applies to most of the Free Software 16 | Foundation's software and to any other program whose authors commit to 17 | using it. (Some other Free Software Foundation software is covered by 18 | the GNU Lesser General Public License instead.) You can apply it to 19 | your programs, too. 20 | 21 | When we speak of free software, we are referring to freedom, not 22 | price. Our General Public Licenses are designed to make sure that you 23 | have the freedom to distribute copies of free software (and charge for 24 | this service if you wish), that you receive source code or can get it 25 | if you want it, that you can change the software or use pieces of it 26 | in new free programs; and that you know you can do these things. 27 | 28 | To protect your rights, we need to make restrictions that forbid 29 | anyone to deny you these rights or to ask you to surrender the rights. 30 | These restrictions translate to certain responsibilities for you if you 31 | distribute copies of the software, or if you modify it. 32 | 33 | For example, if you distribute copies of such a program, whether 34 | gratis or for a fee, you must give the recipients all the rights that 35 | you have. You must make sure that they, too, receive or can get the 36 | source code. And you must show them these terms so they know their 37 | rights. 38 | 39 | We protect your rights with two steps: (1) copyright the software, and 40 | (2) offer you this license which gives you legal permission to copy, 41 | distribute and/or modify the software. 42 | 43 | Also, for each author's protection and ours, we want to make certain 44 | that everyone understands that there is no warranty for this free 45 | software. If the software is modified by someone else and passed on, we 46 | want its recipients to know that what they have is not the original, so 47 | that any problems introduced by others will not reflect on the original 48 | authors' reputations. 49 | 50 | Finally, any free program is threatened constantly by software 51 | patents. We wish to avoid the danger that redistributors of a free 52 | program will individually obtain patent licenses, in effect making the 53 | program proprietary. To prevent this, we have made it clear that any 54 | patent must be licensed for everyone's free use or not licensed at all. 55 | 56 | The precise terms and conditions for copying, distribution and 57 | modification follow. 58 | 59 | GNU GENERAL PUBLIC LICENSE 60 | TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION 61 | 62 | 0. This License applies to any program or other work which contains 63 | a notice placed by the copyright holder saying it may be distributed 64 | under the terms of this General Public License. The "Program", below, 65 | refers to any such program or work, and a "work based on the Program" 66 | means either the Program or any derivative work under copyright law: 67 | that is to say, a work containing the Program or a portion of it, 68 | either verbatim or with modifications and/or translated into another 69 | language. (Hereinafter, translation is included without limitation in 70 | the term "modification".) Each licensee is addressed as "you". 71 | 72 | Activities other than copying, distribution and modification are not 73 | covered by this License; they are outside its scope. The act of 74 | running the Program is not restricted, and the output from the Program 75 | is covered only if its contents constitute a work based on the 76 | Program (independent of having been made by running the Program). 77 | Whether that is true depends on what the Program does. 78 | 79 | 1. You may copy and distribute verbatim copies of the Program's 80 | source code as you receive it, in any medium, provided that you 81 | conspicuously and appropriately publish on each copy an appropriate 82 | copyright notice and disclaimer of warranty; keep intact all the 83 | notices that refer to this License and to the absence of any warranty; 84 | and give any other recipients of the Program a copy of this License 85 | along with the Program. 86 | 87 | You may charge a fee for the physical act of transferring a copy, and 88 | you may at your option offer warranty protection in exchange for a fee. 89 | 90 | 2. You may modify your copy or copies of the Program or any portion 91 | of it, thus forming a work based on the Program, and copy and 92 | distribute such modifications or work under the terms of Section 1 93 | above, provided that you also meet all of these conditions: 94 | 95 | a) You must cause the modified files to carry prominent notices 96 | stating that you changed the files and the date of any change. 97 | 98 | b) You must cause any work that you distribute or publish, that in 99 | whole or in part contains or is derived from the Program or any 100 | part thereof, to be licensed as a whole at no charge to all third 101 | parties under the terms of this License. 102 | 103 | c) If the modified program normally reads commands interactively 104 | when run, you must cause it, when started running for such 105 | interactive use in the most ordinary way, to print or display an 106 | announcement including an appropriate copyright notice and a 107 | notice that there is no warranty (or else, saying that you provide 108 | a warranty) and that users may redistribute the program under 109 | these conditions, and telling the user how to view a copy of this 110 | License. (Exception: if the Program itself is interactive but 111 | does not normally print such an announcement, your work based on 112 | the Program is not required to print an announcement.) 113 | 114 | These requirements apply to the modified work as a whole. If 115 | identifiable sections of that work are not derived from the Program, 116 | and can be reasonably considered independent and separate works in 117 | themselves, then this License, and its terms, do not apply to those 118 | sections when you distribute them as separate works. But when you 119 | distribute the same sections as part of a whole which is a work based 120 | on the Program, the distribution of the whole must be on the terms of 121 | this License, whose permissions for other licensees extend to the 122 | entire whole, and thus to each and every part regardless of who wrote it. 123 | 124 | Thus, it is not the intent of this section to claim rights or contest 125 | your rights to work written entirely by you; rather, the intent is to 126 | exercise the right to control the distribution of derivative or 127 | collective works based on the Program. 128 | 129 | In addition, mere aggregation of another work not based on the Program 130 | with the Program (or with a work based on the Program) on a volume of 131 | a storage or distribution medium does not bring the other work under 132 | the scope of this License. 133 | 134 | 3. You may copy and distribute the Program (or a work based on it, 135 | under Section 2) in object code or executable form under the terms of 136 | Sections 1 and 2 above provided that you also do one of the following: 137 | 138 | a) Accompany it with the complete corresponding machine-readable 139 | source code, which must be distributed under the terms of Sections 140 | 1 and 2 above on a medium customarily used for software interchange; or, 141 | 142 | b) Accompany it with a written offer, valid for at least three 143 | years, to give any third party, for a charge no more than your 144 | cost of physically performing source distribution, a complete 145 | machine-readable copy of the corresponding source code, to be 146 | distributed under the terms of Sections 1 and 2 above on a medium 147 | customarily used for software interchange; or, 148 | 149 | c) Accompany it with the information you received as to the offer 150 | to distribute corresponding source code. (This alternative is 151 | allowed only for noncommercial distribution and only if you 152 | received the program in object code or executable form with such 153 | an offer, in accord with Subsection b above.) 154 | 155 | The source code for a work means the preferred form of the work for 156 | making modifications to it. For an executable work, complete source 157 | code means all the source code for all modules it contains, plus any 158 | associated interface definition files, plus the scripts used to 159 | control compilation and installation of the executable. However, as a 160 | special exception, the source code distributed need not include 161 | anything that is normally distributed (in either source or binary 162 | form) with the major components (compiler, kernel, and so on) of the 163 | operating system on which the executable runs, unless that component 164 | itself accompanies the executable. 165 | 166 | If distribution of executable or object code is made by offering 167 | access to copy from a designated place, then offering equivalent 168 | access to copy the source code from the same place counts as 169 | distribution of the source code, even though third parties are not 170 | compelled to copy the source along with the object code. 171 | 172 | 4. You may not copy, modify, sublicense, or distribute the Program 173 | except as expressly provided under this License. Any attempt 174 | otherwise to copy, modify, sublicense or distribute the Program is 175 | void, and will automatically terminate your rights under this License. 176 | However, parties who have received copies, or rights, from you under 177 | this License will not have their licenses terminated so long as such 178 | parties remain in full compliance. 179 | 180 | 5. You are not required to accept this License, since you have not 181 | signed it. However, nothing else grants you permission to modify or 182 | distribute the Program or its derivative works. These actions are 183 | prohibited by law if you do not accept this License. Therefore, by 184 | modifying or distributing the Program (or any work based on the 185 | Program), you indicate your acceptance of this License to do so, and 186 | all its terms and conditions for copying, distributing or modifying 187 | the Program or works based on it. 188 | 189 | 6. Each time you redistribute the Program (or any work based on the 190 | Program), the recipient automatically receives a license from the 191 | original licensor to copy, distribute or modify the Program subject to 192 | these terms and conditions. You may not impose any further 193 | restrictions on the recipients' exercise of the rights granted herein. 194 | You are not responsible for enforcing compliance by third parties to 195 | this License. 196 | 197 | 7. If, as a consequence of a court judgment or allegation of patent 198 | infringement or for any other reason (not limited to patent issues), 199 | conditions are imposed on you (whether by court order, agreement or 200 | otherwise) that contradict the conditions of this License, they do not 201 | excuse you from the conditions of this License. If you cannot 202 | distribute so as to satisfy simultaneously your obligations under this 203 | License and any other pertinent obligations, then as a consequence you 204 | may not distribute the Program at all. For example, if a patent 205 | license would not permit royalty-free redistribution of the Program by 206 | all those who receive copies directly or indirectly through you, then 207 | the only way you could satisfy both it and this License would be to 208 | refrain entirely from distribution of the Program. 209 | 210 | If any portion of this section is held invalid or unenforceable under 211 | any particular circumstance, the balance of the section is intended to 212 | apply and the section as a whole is intended to apply in other 213 | circumstances. 214 | 215 | It is not the purpose of this section to induce you to infringe any 216 | patents or other property right claims or to contest validity of any 217 | such claims; this section has the sole purpose of protecting the 218 | integrity of the free software distribution system, which is 219 | implemented by public license practices. Many people have made 220 | generous contributions to the wide range of software distributed 221 | through that system in reliance on consistent application of that 222 | system; it is up to the author/donor to decide if he or she is willing 223 | to distribute software through any other system and a licensee cannot 224 | impose that choice. 225 | 226 | This section is intended to make thoroughly clear what is believed to 227 | be a consequence of the rest of this License. 228 | 229 | 8. If the distribution and/or use of the Program is restricted in 230 | certain countries either by patents or by copyrighted interfaces, the 231 | original copyright holder who places the Program under this License 232 | may add an explicit geographical distribution limitation excluding 233 | those countries, so that distribution is permitted only in or among 234 | countries not thus excluded. In such case, this License incorporates 235 | the limitation as if written in the body of this License. 236 | 237 | 9. The Free Software Foundation may publish revised and/or new versions 238 | of the General Public License from time to time. Such new versions will 239 | be similar in spirit to the present version, but may differ in detail to 240 | address new problems or concerns. 241 | 242 | Each version is given a distinguishing version number. If the Program 243 | specifies a version number of this License which applies to it and "any 244 | later version", you have the option of following the terms and conditions 245 | either of that version or of any later version published by the Free 246 | Software Foundation. If the Program does not specify a version number of 247 | this License, you may choose any version ever published by the Free Software 248 | Foundation. 249 | 250 | 10. If you wish to incorporate parts of the Program into other free 251 | programs whose distribution conditions are different, write to the author 252 | to ask for permission. For software which is copyrighted by the Free 253 | Software Foundation, write to the Free Software Foundation; we sometimes 254 | make exceptions for this. Our decision will be guided by the two goals 255 | of preserving the free status of all derivatives of our free software and 256 | of promoting the sharing and reuse of software generally. 257 | 258 | NO WARRANTY 259 | 260 | 11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY 261 | FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN 262 | OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES 263 | PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED 264 | OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 265 | MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS 266 | TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE 267 | PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, 268 | REPAIR OR CORRECTION. 269 | 270 | 12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 271 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR 272 | REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, 273 | INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING 274 | OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED 275 | TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY 276 | YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER 277 | PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE 278 | POSSIBILITY OF SUCH DAMAGES. 279 | 280 | END OF TERMS AND CONDITIONS 281 | 282 | How to Apply These Terms to Your New Programs 283 | 284 | If you develop a new program, and you want it to be of the greatest 285 | possible use to the public, the best way to achieve this is to make it 286 | free software which everyone can redistribute and change under these terms. 287 | 288 | To do so, attach the following notices to the program. It is safest 289 | to attach them to the start of each source file to most effectively 290 | convey the exclusion of warranty; and each file should have at least 291 | the "copyright" line and a pointer to where the full notice is found. 292 | 293 | 294 | Copyright (C) 295 | 296 | This program is free software; you can redistribute it and/or modify 297 | it under the terms of the GNU General Public License as published by 298 | the Free Software Foundation; either version 2 of the License, or 299 | (at your option) any later version. 300 | 301 | This program is distributed in the hope that it will be useful, 302 | but WITHOUT ANY WARRANTY; without even the implied warranty of 303 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 304 | GNU General Public License for more details. 305 | 306 | You should have received a copy of the GNU General Public License along 307 | with this program; if not, write to the Free Software Foundation, Inc., 308 | 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. 309 | 310 | Also add information on how to contact you by electronic and paper mail. 311 | 312 | If the program is interactive, make it output a short notice like this 313 | when it starts in an interactive mode: 314 | 315 | Gnomovision version 69, Copyright (C) year name of author 316 | Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'. 317 | This is free software, and you are welcome to redistribute it 318 | under certain conditions; type `show c' for details. 319 | 320 | The hypothetical commands `show w' and `show c' should show the appropriate 321 | parts of the General Public License. Of course, the commands you use may 322 | be called something other than `show w' and `show c'; they could even be 323 | mouse-clicks or menu items--whatever suits your program. 324 | 325 | You should also get your employer (if you work as a programmer) or your 326 | school, if any, to sign a "copyright disclaimer" for the program, if 327 | necessary. Here is a sample; alter the names: 328 | 329 | Yoyodyne, Inc., hereby disclaims all copyright interest in the program 330 | `Gnomovision' (which makes passes at compilers) written by James Hacker. 331 | 332 | , 1 April 1989 333 | Ty Coon, President of Vice 334 | 335 | This General Public License does not permit incorporating your program into 336 | proprietary programs. If your program is a subroutine library, you may 337 | consider it more useful to permit linking proprietary applications with the 338 | library. If this is what you want to do, use the GNU Lesser General 339 | Public License instead of this License. 340 | -------------------------------------------------------------------------------- /src/loader/loader.asm: -------------------------------------------------------------------------------- 1 | ; * x86.Virtualizer 2 | ; * Copyright 2007 ReWolf 3 | ; * Contact: 4 | ; * rewolf@rewolf.pl 5 | ; * http://rewolf.pl 6 | ; * 7 | ; * This program is free software; you can redistribute it and/or modify 8 | ; * it under the terms of the GNU General Public License as published by 9 | ; * the Free Software Foundation; either version 2 of the License, or 10 | ; * (at your option) any later version. 11 | ; * 12 | ; * This program is distributed in the hope that it will be useful, 13 | ; * but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | ; * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | ; * GNU General Public License for more details. 16 | ; * 17 | ; * You should have received a copy of the GNU General Public License 18 | ; * along with this program; if not, write to the Free Software 19 | ; * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 20 | ; * 21 | 22 | 23 | .386 24 | .model flat, stdcall 25 | option casemap:none 26 | 27 | include \masm32\include\windows.inc 28 | include \masm32\include\kernel32.inc 29 | include \masm32\include\user32.inc 30 | includelib \masm32\lib\kernel32 31 | includelib \masm32\lib\user32 32 | 33 | 34 | CF equ 00000001h 35 | PF equ 00000004h 36 | AF equ 00000010h 37 | ZF equ 00000040h 38 | SF equ 00000080h 39 | OF equ 00000800h 40 | 41 | storeESP macro where, corr 42 | push eax 43 | call $+5 44 | pop eax 45 | mov dword ptr [eax - ($ - offset where - 1)], esp 46 | add dword ptr [eax - ($ - offset where - 4) + corr], 4 47 | pop eax 48 | endm 49 | 50 | storeRealESP macro _dt 51 | push eax 52 | getVar eax, vm_esp 53 | lea eax, dword ptr [eax + _dt + 2Ch] 54 | mov dword ptr [eax], esp 55 | add dword ptr [eax], 4 56 | pop eax 57 | endm 58 | 59 | reStoreRealESP macro _dt 60 | mov esp, dword ptr [esp + _dt + 28h] 61 | endm 62 | 63 | reStoreESP macro _from 64 | call $+5 65 | pop esp 66 | mov esp, dword ptr [esp - ($ - offset _from - 1)] 67 | endm 68 | 69 | setVar macro var, val 70 | push eax 71 | call $+5 72 | pop eax 73 | mov dword ptr [eax - ($ - offset var - 1)], val 74 | pop eax 75 | endm 76 | 77 | getVar macro reg, var 78 | call $+5 79 | pop reg 80 | mov reg, dword ptr [reg - ($ - offset var - 1)] 81 | endm 82 | 83 | getVarAddr macro reg, var 84 | call $+5 85 | pop reg 86 | lea reg, dword ptr [reg - ($ - offset var - 1)] 87 | endm 88 | 89 | .data 90 | temp dd 0 91 | vm_stack dd 0 92 | .code 93 | start: 94 | dd vm_end_label - _vm_jump ;vm_size 95 | dd _vm_jump - 401000h ;vm code start (not entry) 96 | dd _vm_init - 401000h 97 | dd _vm_start - 401000h 98 | dd poly - 401000h 99 | dd offset vm_prefix - 401000h 100 | dd offset vm_opcode_tab - 401000h 101 | dd 8 ;data counter ;p 102 | 103 | dd 22 ;_prot_rec_cnt 104 | ;dd _vm_jump, _vm_call 105 | dd _vm_call, _call_003 106 | dd _vm_init, _vm_init_end 107 | dd _mark_000, _next_instr 108 | dd _next_instr, _mark_001 109 | dd _mark_002, _mark_003 110 | ;dd _mark_003, _mark_004 111 | ;dd _mark_005, _mark_006 112 | dd _vm_instr, _mark_007 113 | dd _01_COND_JMP, _mark_008 114 | dd _03_CALL_REL, _mark_009 115 | dd _02_JECX, _mark_010 116 | dd _06_LOOPcc, _mark_011 117 | dd _04_VM_END, _mark_012 118 | dd _05_RET, _mark_013 119 | dd _08_VM_MOV_REG, _mark_014 120 | 121 | dd _20_CALL, _mark_022 122 | dd _21_JMP, _mark_021 123 | dd _22_PUSH, _mark_020 124 | dd _25_FAKE_CALL, _mark_019 125 | dd _23_POP, _mark_018 126 | dd _24_RELOC, _mark_017 127 | dd _0C_VM_REAL, _mark_016 128 | dd _real_tramp, _mark_015 129 | 130 | ;dd poly, _vm_init 131 | 132 | dd _memmov, vm_end_label 133 | 134 | ;--------------------------------------------------------------------------- 135 | ;in edx = jump number 136 | ;out edx = 0 - jump not taken; 1 - jump taken 137 | _vm_jump: 138 | 139 | push eax 140 | pushfd 141 | pop eax 142 | 143 | 144 | push ebx 145 | call $+5 146 | pop ebx 147 | 148 | lea edx, dword ptr [ebx + edx*2 + 8] 149 | pop ebx 150 | jmp edx 151 | 152 | jmp _0x70 153 | jmp _0x71 154 | jmp _0x72 155 | jmp _0x73 156 | jmp _0x74 157 | jmp _0x75 158 | jmp _0x76 159 | jmp _0x77 160 | jmp _0x78 161 | jmp __0x79 162 | jmp __0x7A 163 | jmp __0x7B 164 | jmp __0x7C 165 | jmp __0x7D 166 | jmp __0x7E 167 | jmp __0x7F 168 | 169 | 170 | _0x70: 171 | test eax, OF ;A9 00080000 172 | jz __no_jump 173 | jmp _jump75 174 | 175 | _0x71: 176 | test eax, OF ;A9 00080000 177 | jnz __no_jump 178 | jmp _jump75 179 | 180 | _0x72: 181 | test eax, CF ;A9 01000000 182 | jz __no_jump 183 | jmp _jump75 184 | 185 | __0x79: jmp _0x79 186 | 187 | _0x73: 188 | test eax, CF ;A9 01000000 189 | jnz __no_jump 190 | jmp _jump75 191 | 192 | __0x7A: jmp _0x7A 193 | 194 | _0x74: 195 | test eax, ZF ;A9 40000000 196 | jz __no_jump 197 | jmp _jump75 198 | 199 | __0x7B: jmp _0x7B 200 | __0x70: jmp _0x70 201 | __0x71: jmp _0x71 202 | 203 | _0x75: 204 | test eax, ZF ;A9 40000000 205 | jnz __no_jump 206 | _jump75: 207 | jmp _jump79 208 | 209 | __0x7C: jmp _0x7C 210 | __0x7F: jmp ___0x7F 211 | 212 | _0x76: 213 | test eax, CF ;A9 01000000 214 | jz _0x74 215 | jmp _jump79 216 | 217 | __0x7D: jmp _0x7D 218 | 219 | _0x77: 220 | test eax, CF ;A9 01000000 221 | jnz __no_jump 222 | jmp _0x75 223 | 224 | __0x7E: jmp _0x7E 225 | __no_jump: jmp _no_jump 226 | 227 | _0x78: 228 | test eax, SF ;A9 80000000 229 | jz _no_jump 230 | jmp _jump79 231 | 232 | ___0x7F: jmp _0x7F 233 | 234 | _0x79: 235 | test eax, SF ;A9 80000000 236 | jnz _no_jump 237 | _jump79: 238 | jmp _jump7E 239 | 240 | _0x7A: 241 | test eax, PF ;A9 04000000 242 | jz _no_jump 243 | jmp _jump7E 244 | 245 | _0x7B: 246 | test eax, PF ;A9 04000000 247 | jnz _no_jump 248 | jmp _jump7E 249 | 250 | _0x7C: 251 | test eax, SF or OF ;A9 80080000 252 | jz _no_jump 253 | test eax, SF 254 | jz __0x70 255 | jmp __0x71 256 | 257 | _0x7D: 258 | test eax, SF 259 | jnz __0x70 260 | jmp __0x71 261 | 262 | _0x7E: 263 | test eax, ZF 264 | jz _0x7C 265 | _jump7E: 266 | jmp _jump 267 | 268 | _0x7F: 269 | test eax, ZF 270 | jnz _no_jump 271 | jmp _0x7D 272 | 273 | _jump: 274 | xor edx, edx 275 | jmp _jump_real 276 | _no_jump: 277 | xor edx, edx 278 | jmp _no_jump_real 279 | 280 | _jump_real: 281 | inc edx 282 | 283 | _no_jump_real: 284 | push eax 285 | popfd 286 | pop eax 287 | ret 288 | 289 | 290 | ;--------------------------------------------------------------------------- 291 | ;call variants ([esp+4] address) 292 | ;--------------------------------------- 293 | _vm_call: 294 | ;push eax 295 | call $+5 296 | _call_000 equ $ 297 | pop eax 298 | push dword ptr [esp+4] 299 | pop dword ptr [eax+(_call_001 - _call_000 + 1)] 300 | sub dword ptr [eax+(_call_001 - _call_000 + 1)], eax 301 | sub dword ptr [eax+(_call_001 - _call_000 + 1)], (_call_001 - _call_000 + 5) 302 | 303 | mov eax, dword ptr [esp] 304 | ;mov dword ptr [esp+8], eax 305 | 306 | ;pop eax 307 | add esp, 8 308 | 309 | 310 | pushad 311 | _call_003 equ $ 312 | storeESP vm_esp, 3 ;switching to original application 313 | ;reStoreESP r_esp ;context 314 | reStoreRealESP 10*4 315 | mov dword ptr [esp + 28h], eax 316 | popfd 317 | popad 318 | mov dword ptr [esp], eax 319 | pop eax 320 | 321 | 322 | _call_001 equ $ 323 | db 0E9h 324 | dd 0 325 | 326 | 327 | ;poly enc/dec skeleton 328 | ;[esp+4] address 329 | ;[esp+8] size 330 | ;[esp+C] pos 331 | ;--------------------------------------------------------------------------- 332 | poly: 333 | push esi 334 | push eax 335 | push ecx 336 | mov esi, dword ptr [esp + 10h] 337 | xor ecx, ecx 338 | _loop: 339 | mov al, byte ptr [esi] 340 | 341 | 342 | ;... 343 | db 60 DUP (90h) ;commands 2-bytes 344 | db 30 DUP (90h) ;junks 3-bytes 345 | ;... 346 | 347 | xor eax, dword ptr [esp + 18h] ;!!! temp. disabled (only for tests) 348 | mov byte ptr [esi], al 349 | inc ecx 350 | inc esi 351 | cmp ecx, dword ptr [esp + 14h] 352 | jnz _loop 353 | pop ecx 354 | pop eax 355 | pop esi 356 | ret 0Ch 357 | 358 | ;--------------------------------------------------------------------------- 359 | ;vm init 360 | ;[esp] ret addr 361 | ;[esp+4] vm stack buffer (rwx) 362 | ;[esp+8] module handle 363 | 364 | 365 | _vm_init: 366 | corr equ 3 367 | 368 | push ebx 369 | getVar ebx, vm_esp 370 | test ebx, ebx 371 | jne _ss 372 | mov ebx, dword ptr [esp+8] 373 | setVar vm_esp, ebx 374 | mov ebx, dword ptr [esp+0Ch] 375 | setVar module_handle, ebx 376 | _ss: pop ebx 377 | ret 8 378 | _vm_init_end equ $ 379 | ;--------------------------------------------------------------------------- 380 | r_esp dd 0 381 | vm_esp dd 0 382 | vm_prefix dd 0FFFFh 383 | module_handle dd 0 384 | vm_opcode_tab db 3, 4, 254 DUP (0) 385 | ;--------------------------------------------------------------------------- 386 | ;vm run 387 | ;[esp] ret addr 388 | ;[esp+4] vm'ed code 389 | ;--------------------------------------------------------------------------- 390 | 391 | _vm_start: 392 | pushad 393 | pushfd 394 | pushfd 395 | pop ecx 396 | ;storeESP r_esp, 3 397 | 398 | delta equ 24h 399 | mov eax, esp 400 | 401 | mov ebx, dword ptr [esp + delta] ;ret addr 402 | mov edx, dword ptr [esp + delta + 4];data addr 403 | 404 | reStoreESP vm_esp 405 | 406 | ;DWORD orig eflags 407 | ;BYTE 20h DUP execution buffer 408 | ;DWORD vm_reg 409 | ;DWORD original esp ??? 410 | _mark_000 equ $ 411 | push ebp 412 | mov ebp, esp 413 | sub esp, 2Ch ;24h 414 | 415 | mov dword ptr [esp + 28h], eax ;setting original esp 416 | 417 | 418 | ;ebx ret address (from vm) (const) 419 | ;esi vm instr pointer (*) 420 | ;ecx instr pos relative to vm'ed code begin (*) 421 | ;edi execution buffer poninter (const) 422 | ;eax current instr length (*) 423 | ;edx current vm instr address (*) 424 | 425 | mov dword ptr [esp], ecx ;ecx == original eflags 426 | xor ecx, ecx 427 | lea edi, dword ptr [esp + 4] 428 | 429 | _next_instr: 430 | mov esi, edx 431 | inc esi 432 | mov al, byte ptr [edx] 433 | xor al, byte ptr [edx + 1] 434 | movzx eax, al 435 | 436 | 437 | push eax 438 | push esi 439 | push edi 440 | call _memmov 441 | 442 | push ecx ;position 443 | push eax ;size 444 | push edi ;address 445 | call poly 446 | 447 | 448 | push ecx 449 | getVar ecx, vm_prefix 450 | cmp word ptr [edi], cx 451 | _mark_001 equ $ 452 | je _vm_instr ;VM instr -> 453 | _mark_002 equ $ 454 | pop ecx 455 | ;else original x86 instr 456 | 457 | ;generateing ret jmp (push ret): 458 | push ecx 459 | mov byte ptr [edi + eax], 68h 460 | call $+5 461 | pop ecx 462 | add ecx, vm_ret - $ + 1 463 | mov dword ptr [edi + eax + 1], ecx 464 | mov byte ptr [edi + eax + 5], 0C3h 465 | pop ecx 466 | _mark_003 equ $ 467 | 468 | _real_call: 469 | ;vm_call correcting 470 | setVar (vm_call + 1), edi ;corr += 3 471 | 472 | pushad 473 | storeESP vm_esp, 3 ;switching to original application 474 | ;reStoreESP r_esp ;context 475 | reStoreRealESP 20h 476 | popfd 477 | popad 478 | 479 | mov dword ptr [esp + 4], eax 480 | pop eax 481 | pop eax 482 | ;pushfd 483 | ;add esp, 8 484 | ;popfd 485 | _mark_004 equ $ 486 | 487 | vm_call equ $ ;calling not supported instruction 488 | ;call edi 489 | db 68h 490 | dd 0 491 | ret 492 | vm_ret equ $ 493 | _mark_005 equ $ 494 | push 0 ;stack correction 495 | push 0 496 | pushad 497 | pushfd 498 | pushfd ;\ preserve eflags 499 | pop eax ;/ 500 | ;storeESP r_esp, 3 ;restoring vm context 501 | storeRealESP 1Ch ;!!! 502 | reStoreESP vm_esp 503 | mov dword ptr [esp + 20h], eax ;storing new eflags 504 | popad 505 | _mark_006 equ $ 506 | 507 | _pre_next_instr: 508 | add ecx, eax 509 | add edx, eax 510 | inc edx 511 | inc ecx 512 | jmp _next_instr 513 | 514 | 515 | _vm_instr: 516 | pop ecx 517 | 518 | push eax 519 | push edx 520 | 521 | getVarAddr eax, vm_opcode_tab 522 | movzx edx, byte ptr [edi + 2] 523 | movzx edx, byte ptr [eax + edx] 524 | 525 | ; 526 | call $+5 527 | pop eax ;1 528 | add eax, dword ptr [eax + 4*edx + 10] ;4 529 | add eax, 10 530 | _mark_007 equ $ 531 | jmp eax 532 | _vm_dispatch equ $ 533 | dd _01_COND_JMP - _vm_dispatch 534 | dd _01_COND_JMP - _vm_dispatch 535 | dd _02_JECX - _vm_dispatch 536 | dd _03_CALL_REL - _vm_dispatch 537 | dd _04_VM_END - _vm_dispatch 538 | dd _05_RET - _vm_dispatch 539 | dd _06_LOOPcc - _vm_dispatch 540 | dd _07_VM_MOV_IMM - _vm_dispatch 541 | dd _08_VM_MOV_REG - _vm_dispatch 542 | dd _09_VM_ADD_IMM - _vm_dispatch 543 | dd _0A_VM_ADD_REG - _vm_dispatch 544 | dd _0B_VM_SHL_REG - _vm_dispatch 545 | dd _0C_VM_REAL - _vm_dispatch 546 | dd _0D_JMP - _vm_dispatch 547 | dd _0D_JMP - _vm_dispatch 548 | dd _0F_ROL - _vm_dispatch 549 | dd _10_ROR - _vm_dispatch 550 | dd _11_RCL - _vm_dispatch 551 | dd _12_RCR - _vm_dispatch 552 | dd _13_SHL - _vm_dispatch 553 | dd _14_SHR - _vm_dispatch 554 | dd _15_SAR - _vm_dispatch 555 | dd _16_SAL - _vm_dispatch 556 | dd _17_ADD - _vm_dispatch 557 | dd _18_OR - _vm_dispatch 558 | dd _19_ADC - _vm_dispatch 559 | dd _1A_SBB - _vm_dispatch 560 | dd _1B_AND - _vm_dispatch 561 | dd _1C_SUB - _vm_dispatch 562 | dd _1D_XOR - _vm_dispatch 563 | dd _1E_CMP - _vm_dispatch 564 | dd _1F_MOV - _vm_dispatch 565 | dd _20_CALL - _vm_dispatch 566 | dd _21_JMP - _vm_dispatch 567 | dd _22_PUSH - _vm_dispatch 568 | dd _23_POP - _vm_dispatch 569 | dd _24_RELOC - _vm_dispatch 570 | dd _25_FAKE_CALL - _vm_dispatch 571 | dd _26_VM_NOP - _vm_dispatch 572 | 573 | 574 | _26_VM_NOP: 575 | _vm_instr_end: 576 | pop edx 577 | pop eax 578 | 579 | jmp _pre_next_instr 580 | 581 | 582 | 583 | 584 | _01_COND_JMP: 585 | movzx edx, byte ptr [edi + 3] 586 | push dword ptr [esp + 8] 587 | popfd ;temp restoring original eflags 588 | call _vm_jump 589 | test edx, edx 590 | _mark_008 equ $ 591 | je _vm_instr_end 592 | pop edx 593 | add edx, dword ptr [edi + 4] 594 | add ecx, dword ptr [edi + 4] 595 | pop eax 596 | jmp _next_instr 597 | 598 | _0D_JMP: 599 | pop edx 600 | add edx, dword ptr [edi + 3] 601 | add ecx, dword ptr [edi + 3] 602 | pop eax 603 | jmp _next_instr 604 | 605 | _03_CALL_REL: 606 | mov edx, dword ptr [edi + 3] 607 | push edx 608 | getVar edx, module_handle 609 | add dword ptr [esp], edx 610 | call _vm_call 611 | push 0 612 | push 0 613 | pushad 614 | pushfd 615 | pushfd 616 | pop eax 617 | ;storeESP r_esp, 3 ;restoring vm context 618 | storeRealESP 24h 619 | _mark_009 equ $ 620 | reStoreESP vm_esp 621 | mov dword ptr [esp + 28h], eax 622 | popad 623 | ;_mark_009 equ $ 624 | jmp _vm_instr_end 625 | 626 | _02_JECX: ;TO TEST 627 | getVar edx, r_esp 628 | mov edx, dword ptr [edx + 1Ch] 629 | test edx, edx 630 | _mark_010 equ $ 631 | jnz _vm_instr_end 632 | pop edx 633 | add edx, dword ptr [edi + 3] 634 | add ecx, dword ptr [edi + 3] 635 | pop eax 636 | jmp _next_instr 637 | 638 | 639 | _06_LOOPcc: ;TO TEST 640 | ;movzx edx, byte ptr [edi + 3] 641 | ;cmp edx, 2 642 | ;jne _loopcc_n 643 | ;LOOP 644 | getVar eax, r_esp 645 | mov edx, dword ptr [eax + 1Ch] 646 | test edx, edx 647 | _mark_011 equ $ 648 | jnz _vm_instr_end 649 | movzx edx, byte ptr [edi + 3] 650 | cmp edx, 2 651 | jne _loopcc_n 652 | _loop_ok: 653 | pop edx 654 | add edx, dword ptr [edi + 4] 655 | add ecx, dword ptr [edi + 4] 656 | pop eax 657 | jmp _next_instr 658 | _loopcc_n: ;loopz/loopnz 659 | mov eax, dword ptr [eax] ;flags 660 | test edx, edx 661 | je _loopnz 662 | test eax, ZF 663 | jnz _loop_ok 664 | jmp _vm_instr_end 665 | _loopnz: 666 | test eax, ZF 667 | jz _loop_ok 668 | jmp _vm_instr_end 669 | 670 | _04_VM_END: 671 | pop edx 672 | pop eax 673 | mov eax, dword ptr [esp + 28h] 674 | leave 675 | storeESP vm_esp, 3 676 | ;reStoreESP r_esp 677 | mov esp, eax 678 | mov dword ptr [esp + 24h], ebx 679 | popfd 680 | popad 681 | ret 4 682 | _mark_012 equ $ 683 | 684 | _05_RET: 685 | pop edx 686 | pop eax 687 | mov eax, dword ptr [esp + 28h] 688 | movzx edx, word ptr [edi + 3] 689 | setVar retret, edx 690 | leave 691 | storeESP vm_esp, 3 692 | ;reStoreESP r_esp 693 | mov esp, eax 694 | ;mov dword ptr [esp + 24h], ebx 695 | mov ebx, dword ptr [esp + 24h + 8] 696 | mov dword ptr [esp + 24h + 8 + edx], ebx 697 | popfd 698 | popad 699 | mov dword ptr [esp + 4], eax 700 | pop eax 701 | pop eax 702 | _mark_013 equ $ 703 | ;ret 4 704 | db 0C2h 705 | retret dd 0 706 | 707 | _07_VM_MOV_IMM: 708 | mov eax, dword ptr [edi + 3] 709 | mov dword ptr [esp + 24h + 8], eax 710 | jmp _vm_instr_end 711 | _08_VM_MOV_REG: 712 | movzx eax, byte ptr [edi + 3] 713 | mov edx, dword ptr [esp + 28h + 8] ;get real esp 714 | shl eax, 2 715 | sub eax, 20h 716 | neg eax 717 | mov edx, dword ptr [edx + eax] 718 | ; 719 | cmp eax, 10h ;ESP 720 | jnz _08_n 721 | add edx, 8 722 | _08_n: 723 | ; 724 | mov dword ptr [esp + 24h + 8], edx 725 | _mark_014 equ $ 726 | jmp _vm_instr_end 727 | _09_VM_ADD_IMM: 728 | mov eax, dword ptr [edi + 3] 729 | add dword ptr [esp + 24h + 8], eax 730 | jmp _vm_instr_end 731 | _0A_VM_ADD_REG: 732 | movzx eax, byte ptr [edi + 3] 733 | mov edx, dword ptr [esp + 28h + 8] ;get real esp 734 | shl eax, 2 735 | sub eax, 20h 736 | neg eax 737 | mov edx, dword ptr [edx + eax] 738 | ; 739 | cmp eax, 10h ;ESP 740 | jnz _0A_n 741 | add edx, 8 742 | _0A_n: 743 | ; 744 | add dword ptr [esp + 24h + 8], edx 745 | jmp _vm_instr_end 746 | _0B_VM_SHL_REG: 747 | mov eax, ecx 748 | movzx ecx, byte ptr [edi + 3] 749 | shl dword ptr [esp + 24h + 8], cl 750 | mov ecx, eax 751 | jmp _vm_instr_end 752 | 753 | SHIFTS macro itr 754 | mov eax, ecx 755 | movzx ecx, byte ptr [edi + 3] 756 | mov edx, dword ptr [esp + 24h + 8] ;address from vm_reg 757 | pushfd 758 | push dword ptr [edi - 4] ;eflags 759 | popfd 760 | itr dword ptr [edx], cl 761 | pushfd 762 | pop dword ptr [edi - 4] ;eflags 763 | popfd 764 | mov ecx, eax 765 | jmp _vm_instr_end 766 | endm 767 | 768 | _0F_ROL: SHIFTS rol 769 | _10_ROR: SHIFTS ror 770 | _11_RCL: SHIFTS rcl 771 | _12_RCR: SHIFTS rcr 772 | _13_SHL: SHIFTS shl 773 | _14_SHR: SHIFTS shr 774 | _15_SAR: SHIFTS sar 775 | _16_SAL: SHIFTS sal 776 | 777 | IMM32 macro itr 778 | ;mov eax, ecx 779 | mov eax, dword ptr [edi + 3] 780 | mov edx, dword ptr [esp + 24h + 8] ;address from vm_reg 781 | pushfd 782 | push dword ptr [edi - 4] ;eflags 783 | popfd 784 | itr dword ptr [edx], eax 785 | pushfd 786 | pop dword ptr [edi - 4] ;eflags 787 | popfd 788 | ;mov ecx, eax 789 | jmp _vm_instr_end 790 | endm 791 | 792 | _17_ADD: IMM32 add 793 | _18_OR: IMM32 or 794 | _19_ADC: IMM32 adc 795 | _1A_SBB: IMM32 sbb 796 | _1B_AND: IMM32 and 797 | _1C_SUB: IMM32 sub 798 | _1D_XOR: IMM32 xor 799 | _1E_CMP: IMM32 cmp 800 | _1F_MOV: IMM32 mov 801 | 802 | _20_CALL: 803 | mov edx, dword ptr [esp + 24h + 8] 804 | mov byte ptr [edi], 68h 805 | lea eax, dword ptr [edi + 0Bh] 806 | mov dword ptr [edi + 1], eax 807 | mov byte ptr [edi + 5], 68h 808 | mov edx, dword ptr [edx] 809 | mov dword ptr [edi + 6], edx 810 | mov byte ptr [edi + 0Ah], 0C3h 811 | mov eax, 0Bh 812 | _mark_022 equ $ 813 | jmp _real_tramp 814 | 815 | _21_JMP: 816 | mov edx, dword ptr [esp + 24h + 8] 817 | mov byte ptr [edi], 68h 818 | mov edx, dword ptr [edx] 819 | mov dword ptr [edi + 1], edx 820 | mov byte ptr [edi + 5], 0C3h 821 | _mark_021 equ $ 822 | jmp _real_tramp 823 | 824 | 825 | _22_PUSH: 826 | mov edx, dword ptr [esp + 24h + 8] 827 | mov byte ptr [edi], 68h 828 | mov edx, dword ptr [edx] 829 | mov dword ptr [edi + 1], edx 830 | mov eax, 5 831 | _mark_020 equ $ 832 | jmp _real_tramp 833 | 834 | _25_FAKE_CALL: 835 | mov edx, dword ptr [edi + 3] 836 | mov byte ptr [edi], 68h 837 | getVar eax, module_handle 838 | add edx, eax 839 | mov dword ptr [edi + 1], edx 840 | mov eax, 5 841 | _mark_019 equ $ 842 | jmp _real_tramp 843 | 844 | _23_POP: 845 | mov edx, dword ptr [esp + 24h + 8] 846 | mov word ptr [edi], 058Fh 847 | mov dword ptr [edi + 2], edx 848 | mov eax, 6 849 | _mark_018 equ $ 850 | jmp _real_tramp 851 | 852 | _24_RELOC: 853 | movzx eax, byte ptr [edi + 4] 854 | push eax 855 | lea edx, dword ptr [edi + 5] 856 | push edx 857 | movzx edx, byte ptr [edi + 3] 858 | push edi 859 | call _memmov 860 | push eax 861 | mov eax, edx 862 | getVar edx, module_handle 863 | add dword ptr [edi + eax], edx 864 | pop eax 865 | _mark_017 equ $ 866 | jmp _real_tramp 867 | 868 | 869 | _0C_VM_REAL: 870 | mov al, byte ptr [edi + 3] ;real opcode 871 | mov ah, byte ptr [edi + 4] ;register 872 | shl ah, 3 873 | or ah, 5 874 | 875 | mov word ptr [edi], ax 876 | push dword ptr [esp + 24h + 8] 877 | pop dword ptr [edi + 2] 878 | mov eax, 6 879 | _mark_016 equ $ 880 | 881 | _real_tramp: 882 | ;generateing ret jmp (push ret): 883 | push ecx 884 | mov byte ptr [edi + eax], 68h 885 | call $+5 886 | pop ecx 887 | add ecx, vm_ret - $ + 1 888 | mov dword ptr [edi + eax + 1], ecx 889 | mov byte ptr [edi + eax + 5], 0C3h 890 | pop ecx 891 | 892 | pop edx 893 | pop eax 894 | _mark_015 equ $ 895 | jmp _real_call 896 | 897 | 898 | ;push length 899 | ;push offset Source 900 | ;push offset Destination 901 | ;call _memmov 902 | _memmov: 903 | pushad 904 | mov ecx,dword ptr [esp+11*4] 905 | mov esi,dword ptr [esp+10*4] 906 | mov edi,dword ptr [esp+9*4] 907 | rep movsb 908 | popad 909 | ret 0Ch 910 | vm_end_label equ $ 911 | end start 912 | 913 | 914 | --------------------------------------------------------------------------------