#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>
#include <Psapi.h>
#include <tlhelp32.h>
#include <inttypes.h>
#include <stdbool.h>
#include "include/capstone/capstone.h"
#include "include/keystone/keystone.h"
/* NOTE(review): the #include lines above sit outside this guard, so a second
 * inclusion of xor.h re-processes them; only the definitions below are
 * protected.  The guard should open before the includes. */
#ifndef XOR_H
#define XOR_H
/* Expands to cs_reg_name(csHandle, x).  `csHandle` is not declared in this
 * header, so the macro only compiles where a capstone handle with exactly
 * that name is in scope at the expansion site. */
#define REG_NAME(x) cs_reg_name(csHandle, x)
/*
 * One function inside the target process: start address, byte size and a
 * link to the next entry of a singly linked list.
 *
 * NOTE(review): DWORD is 32 bits wide, so startAddr can only hold a 32-bit
 * address -- presumably an x86-32-only tool; confirm before reusing on a
 * 64-bit target.  Every struct tag in this header starts with an underscore
 * at file scope, which C11 7.1.3 reserves for the implementation; renaming
 * them would touch every `struct _xxx` spelling, so they are left as is.
 */
struct _function {
    DWORD startAddr;          /* address of the function's first byte */
    DWORD size;               /* length of the function in bytes */
    struct _function *next;   /* next list entry; presumably NULL at the tail -- confirm in the list helpers */
};
typedef struct _function FUNCTION, *PFUNCTION;
//holds the info of jumps/calls that go to outside the function
typedef struct _outsideinstruction OutsideInstruction;

/*
 * A jump or call whose target lies outside the function being rewritten,
 * together with the re-encoded ("fixed") form of that instruction.
 * Entries are chained through `next`.
 */
struct _outsideinstruction {
    uint32_t id;                  /* instruction id; presumably the insnId given to addToOutisdeInstructionList() */
    uint32_t type;                /* jump or call opcode */
    uint32_t destinationAddress;  /* address the call/jmp lands on (32-bit) */
    /* The fixed instruction.  Anonymous struct member (C11): the fields are
     * addressed directly as ->fixedOISize / ->fixedOI. */
    struct {
        size_t fixedOISize;       /* number of bytes in fixedOI */
        uint8_t *fixedOI;         /* encoded bytes; ownership not stated in this header -- presumably heap, released by the list helpers */
    };
    OutsideInstruction *next;     /* next list entry */
};
//holds the modified instruction info
typedef struct _modInsn ModifiedInstruction;

/*
 * Replacement encoding for one instruction, keyed by its cs_insn id.
 * Entries are chained through `next`.
 */
struct _modInsn {
    uint32_t id;               /* cs_insn id of the instruction being replaced */
    /* The replacement.  Anonymous struct member (C11). */
    struct {
        uint8_t *moddedInsn;   /* replacement bytes; ownership not stated in this header */
        uint32_t moddedSize;   /* number of bytes in moddedInsn */
    };
    ModifiedInstruction *next; /* next list entry */
};
typedef struct _jmpInstruction JmpInstruction;

/*
 * A jump instruction recorded for later offset fix-up, keyed by its
 * instruction id.  Entries are chained through `next`.
 */
struct _jmpInstruction {
    uint32_t id;          /* instruction id; presumably the insnId given to addToJmpInstructionList() */
    uint8_t *jmpInsn;     /* encoded jump bytes; ownership not stated in this header */
    uint32_t jmpSize;     /* number of bytes in jmpInsn */
    JmpInstruction *next; /* next list entry */
};
typedef struct _trashInstruction TrashInstruction;

/*
 * Filler ("trash") bytes inserted into the rewritten function after the
 * instruction with the given id.  Entries are chained through `next`.
 */
struct _trashInstruction {
    uint32_t id;            /* the trash is inserted after the instruction with this id */
    uint8_t *trashInsn;     /* filler bytes; ownership not stated in this header */
    uint32_t trashSize;     /* number of bytes in trashInsn */
    TrashInstruction *next; /* next list entry */
};
/*
 * Status returned by the *Polymorphic() rewriters declared below.
 * Values are spelled out explicitly; they match the implicit 0, 1, 2 of an
 * unnumbered enum.  Meanings are inferred from the names -- confirm in
 * modifiedInstruction.c.
 */
typedef enum {
    POLY_OK = 0,            /* a replacement was produced */
    POLY_FAIL = 1,          /* a replacement was attempted but failed */
    POLY_UNIMPLEMENTED = 2  /* no rewrite exists for this instruction form */
} PolyFunc;
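/*
 * Prototypes.  The one-line summaries restate each name and signature; the
 * actual behaviour, allocation and ownership rules live in the .c files named
 * in the grouping comments and should be confirmed there.
 *
 * Review change: the four zero-argument constructors were declared with an
 * empty `()`, which in C is an unprototyped declaration that disables
 * argument checking at every call site; they now read `(void)`.  The
 * definitions in the .c files remain compatible with this form.
 */

/* Build the rewritten function from the original instruction array `insn`
 * (numInstructions entries) and the four edit lists.  Returns the new code
 * bytes and stores their length in *sizeOfFixedFunction.  Ownership of the
 * returned buffer is not stated here -- presumably heap, caller frees. */
uint8_t *createNewFunction(cs_insn *insn, OutsideInstruction *OIList, ModifiedInstruction *MIList, TrashInstruction *TIList, JmpInstruction *JIList, uint32_t numInstructions, uint32_t *sizeOfFixedFunction);
/* Size in bytes the rewritten function will occupy, computed from the same
 * inputs as createNewFunction(). */
uint32_t getNewFunctionSize(cs_insn *insn, OutsideInstruction *OIList, ModifiedInstruction *MIList, TrashInstruction *TIList, JmpInstruction *JIList, uint32_t numInstructions);

/* Assemble the text in asmString.  Variadic: presumably a printf-style
 * template, but the compiler cannot type-check the trailing arguments, and
 * the printf format attribute cannot be attached to a uint8_t* parameter.
 * On success returns true and hands the encoding back through
 * *encoding/*encodingSize; who releases that buffer is not stated here. */
bool generateAsm(uint8_t **encoding, size_t *encodingSize, const uint8_t *asmString, ...);
/* Second assembler entry point; how it differs from generateAsm() is not
 * visible in this header. */
bool generateAsm2(uint8_t **encoding, size_t *encodingSize, const uint8_t *asmString, ...);

//outsideInstruction.c
/* Allocate an empty OutsideInstruction list head; ownership passes to the
 * caller (release with freeLinkedList(), presumably). */
OutsideInstruction *createOustideInstruction(void);
/* Fix up every entry of the list; returns false on failure. */
bool fixOutisdeInstructionList(OutsideInstruction *list);
/* Append a record for instruction insnId (decoded in insn) to the list;
 * returns false on failure. */
bool addToOutisdeInstructionList(OutsideInstruction *list, cs_insn *insn, uint32_t insnId);

//modifiedInstruction.c
/* Per-mnemonic rewriters: each inspects `insn` and, when it can, fills
 * modInsn with an equivalent encoding.  See PolyFunc for the status values. */
PolyFunc movPolymorphic(ModifiedInstruction *modInsn, cs_insn *insn);
PolyFunc pushPolymorphic(ModifiedInstruction *modInsn, cs_insn *insn);
PolyFunc orPolymorphic(ModifiedInstruction *modInsn, cs_insn *insn);
PolyFunc retPolymorphic(ModifiedInstruction *modInsn, cs_insn *insn);

//trashInstruction.c
/* Allocate an empty TrashInstruction list head. */
TrashInstruction *createTrashInstruction(void);
/* Append an entry placed after instruction insnId; returns false on failure. */
bool addToTrashInstructionList(TrashInstruction *list, uint32_t insnId);
/* Fill curTI->trashInsn/trashSize; returns false on failure. */
bool generateTrashInstruction(TrashInstruction *curTI);

//jmpInstruction.c
/* Allocate an empty JmpInstruction list head. */
JmpInstruction *createJmpInstruction(void);
/* Append an entry for instruction insnId; returns false on failure. */
bool addToJmpInstructionList(JmpInstruction *list, uint32_t insnId);
/* Target of the original jump in insn, as a 32-bit value. */
uint32_t getOriginalJmpResult(cs_insn *insn);
/* Offset the jump with id jmpId must carry after the rewrite, accounting for
 * the bytes inserted or replaced according to the three lists. */
uint32_t getNewJmpOffset(uint32_t jmpId, uint32_t destIdOff, cs_insn *insn, OutsideInstruction *OIList, ModifiedInstruction *MIList, TrashInstruction *TIList);
/* Re-encode every relative jump whose displacement changed; returns false on
 * failure. */
bool fixAffectedRelativeJmps(cs_insn *insn, JmpInstruction *JIList, OutsideInstruction *OIList, ModifiedInstruction *MIList, TrashInstruction *TIList);

/* (no grouping comment in the original; presumably modifiedInstruction.c) */
/* Append a record for instruction insnId (decoded in insn); returns false on
 * failure. */
bool addToModifiedInstructionList(ModifiedInstruction *list, cs_insn *insn, uint32_t insnId);
/* Allocate an empty ModifiedInstruction list head. */
ModifiedInstruction *createModifiedInstruction(void);

/* Type-erased list helpers: `entry` presumably points at the head pointer of
 * one of the lists above and sizeOfEntry is the element size.  The void**
 * signature discards the element type, so the compiler cannot catch a
 * mismatched sizeOfEntry.  removeLastEntry spells the size uint32_t while
 * freeLinkedList spells it DWORD -- both 32-bit unsigned on Win32, but they
 * should agree; left as declared to match the definitions in the .c files. */
void removeLastEntry(void **entry, uint32_t sizeOfEntry);
/* Win32-style lookup of module `name` in process processId; on success writes
 * the module base and size through baseAddr/moduleSize and returns non-zero.
 * The base is a DWORD, i.e. 32-bit. */
BOOL getModuleHandle(DWORD processId, const char* name, DWORD* baseAddr, DWORD* moduleSize);
void freeLinkedList(void **entry, DWORD sizeOfEntry);
/* Process the function described by `function` (passed by value) inside the
 * target process hProcess; returns false on failure. */
bool interptFunction(HANDLE hProcess, FUNCTION function);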
#endif