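// Smoke test for the disassembler: load a fixed PE image, dump the first
// 0x21 bytes at a hard-coded VA and then disassemble 0x3a bytes from there.
// NOTE(review): the dump length (0x21) and the disassembly length (0x3a)
// differ — confirm that is intentional.
void analysistest()
{
  Analysis a;
  CodeBufferInfo o;
  CPEFile file;

  file.LoadPEFile("mfc.exe");
  if (!file.IsPEFile())
  {
    return ;
  }
  o.buf = file.VaToPtr(0x4014a0);
  if (!o.buf)
  {
    // Nothing mapped at that VA: dumping or disassembling would dereference null.
    printf("VA 0x4014a0 is not mapped in the image\n");
    return;
  }
  // Read the bytes through unsigned char: a plain char promoted to int
  // sign-extends values >= 0x80, so %x would print them as ffffff80.
  const unsigned char *bytes = static_cast<const unsigned char *>(o.buf);
  for (int i = 0; i < 0x21; ++i)
  {
    printf("i = %d,%x\r\n", i, bytes[i]);
  }
  o.addr = 0x4014a0;
  o.size = 0x3a;
  a.disasm(&o);
}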
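// Virtualise every code range recorded in build_info inside the PE file it
// names, append the generated VM and p-code as a ".WProtect" section and
// save the result next to the input as "<name minus 3-char extension>wp.exe".
// Failures are reported on stdout and abort the build without writing a file.
void buildvmtest(BuildCodeInfo & build_info)
{
  VirtualMachineManage vm;
  CodeBufferInfo info;
  CPEFile file;

  char * build_exec_name = build_info.get_filename();
  if (!build_exec_name)
  {
    printf("file is not find\r\n");
    return;
  }
  if (!file.LoadPEFile(build_exec_name))
  {
    printf("file is not find\r\n");
    return;
  }
  if (!file.IsPEFile())
  {
    printf("executable file type error\n");
    return;
  }
  CPESection section;
  CPEReloc reloc;
  section = file;
  reloc = file;
  reloc.DeleteReloc();
  reloc.GetBaseReloc();

  // Resolve the "WProtect Begin"/"WProtect End" SDK markers into code ranges.
  get_wprotect_sdk_address(section,build_info,"WProtect Begin","WProtect End");

  VMAddressTable table(section.GetNewSectionBase(),0x512,false);

  // Reserve room for the VM body at the start of the new section. The sign
  // flag is forced on only for this allocation and restored afterwards.
  bool t_sign = table.get_sign();
  table.set_sign(true);
  long virtualmachine_address = table.assign_address(0x1024);
  table.set_sign(t_sign);
  VirtualMachine *pvm = vm.add_virtual_machine(virtualmachine_address,false);
  if (!pvm)
  {
    printf("virtual machine allocation failed\n");
    return;
  }
  table.copy(virtualmachine_address,pvm->vm_info.buf,pvm->vm_info.size);

  for (BuildCodeInfo::iterator iter = build_info.begin(); iter != build_info.end(); ++iter)
  {
    long build_exec_addr = iter->build_exec_addr;
    long build_exec_size = iter->build_exec_size;
    info.buf = file.VaToPtr(build_exec_addr);
    info.addr = build_exec_addr;
    info.size = build_exec_size;
    if (info.size < 5)
    {
      printf("Protect Size less than 5 Byte\n");
      return;
    }
    if (!info.buf)
    {
      // The range is wiped with memset below; an unmapped VA must not reach it.
      printf("Protect address is not mapped in the image\n");
      return;
    }
//#define VM_DEBUG_BUILD
#ifdef VM_DEBUG_BUILD
    // Debug path: virtualise each disassembled piece on its own.
    Analysis analysis;
    std::vector<CodePiece> code_list;
    analysis.disasm(&info,code_list);
    for (std::vector<CodePiece>::iterator piece = code_list.begin();
         piece != code_list.end(); ++piece)
    {
        if (piece->get_is_jcc())
          info.size = piece->get_piece().back().insn_offset - piece->get_piece().front().insn_offset;
        else
          info.size = piece->get_piece().back().pc - piece->get_piece().front().insn_offset;
        info.addr = piece->get_piece().front().insn_offset;
        info.buf = section.VaToPtr(info.addr);

        if (info.size < 5 )
        {
            printf("编译的地址不能小于5Byte,这段指令编译失败\n");
            continue;
        }
        void * ptr_old_code = info.buf;
        size_t old_code_size = info.size;
        long old_addr = info.addr;
        BuildVMByteCode build(&vm,&info,&table);
        memset(ptr_old_code,0x90,old_code_size);
        add_jmp_addr(file,old_addr,info.addr);
    }
#else
    void * ptr_old_code = info.buf;
    size_t old_code_size = info.size;

    // Collect the addresses referenced from the protected range so the
    // generated code can be fixed up against them.
    Analysis analysis;
    std::vector<long> addr_table;
    std::vector<long*> addr_entry_point;
    analysis.analysis_address_table(&info,addr_table,section.GetSectionMinAddress(),section.GetSectionMaxAddress());
    get_table_addr(section,addr_table,addr_entry_point);

    // After construction info.addr is used as the jump target, so presumably
    // BuildVMByteCode rewrites it to the VM entry — confirm against its ctor.
    BuildVMByteCode build(&vm,&info,&table,addr_entry_point);
    memset(ptr_old_code,0,old_code_size);
    add_jmp_addr(file,build_exec_addr,info.addr);
#endif
  }

  unsigned long section_size = (unsigned long)(table.buffer_size);
  section.AddSection(".WProtect",section_size,0xE0000020);
  section.WriteSectionData(file.GetSectionCount()-1,0,
      (unsigned char*)table.buffer,(unsigned long *)&table.buffer_size);

  // Output name: the input name with its last three characters (the
  // extension) replaced by "wp.exe". Bounds-checked: the previous
  // strlen()-3 memcpy underflowed on names shorter than three characters
  // and overran the 256-byte buffer on long paths.
  char new_file_name[256];
  const size_t name_len = strlen(build_exec_name);
  if (name_len < 3)
  {
    printf("file name too short: %s\n", build_exec_name);
    return;
  }
  const int written = snprintf(new_file_name, sizeof(new_file_name), "%.*swp.exe",
                               (int)(name_len - 3), build_exec_name);
  if (written < 0 || (size_t)written >= sizeof(new_file_name))
  {
    printf("file name too long: %s\n", build_exec_name);
    return;
  }
  file.SavePEFile(new_file_name);
  printf("Out File:%s\n",new_file_name);
}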
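// ELF counterpart of buildvmtest: virtualise every code range recorded in
// build_info inside the ELF file it names, append the generated VM and
// p-code as a ".WProtect" segment/section and save the result as
// "<input name>_WP". Failures are reported on stdout and abort the build.
void buildvmtest_elf(BuildCodeInfo & build_info)
{
  VirtualMachineManage vm;
  CodeBufferInfo info;
  CELFFile file;

  char * build_exec_name = build_info.get_filename();
  if (!build_exec_name)
  {
    printf("file is not find\r\n");
    return;
  }
  if (!file.LoadELFFile(build_exec_name))
  {
    printf("file is not find\r\n");
    return;
  }
  // Resolve the "WProtect Begin"/"WProtect End" SDK markers into code ranges.
  get_wprotect_sdk_address_elf(file,build_info,"WProtect Begin","WProtect End");

  VMAddressTable table(file.GetNewSegmentSectionBase(),0x512,false);

  // Reserve room for the VM body at the start of the new segment. The sign
  // flag is forced on only for this allocation and restored afterwards.
  bool t_sign = table.get_sign();
  table.set_sign(true);
  long virtualmachine_address = table.assign_address(0x1024);
  table.set_sign(t_sign);
  VirtualMachine *pvm = vm.add_virtual_machine(virtualmachine_address,false);
  if (!pvm)
  {
    printf("virtual machine allocation failed\n");
    return;
  }
  table.copy(virtualmachine_address,pvm->vm_info.buf,pvm->vm_info.size);

  for (BuildCodeInfo::iterator iter = build_info.begin(); iter != build_info.end(); ++iter)
  {
    long build_exec_addr = iter->build_exec_addr;
    long build_exec_size = iter->build_exec_size;
    info.buf = file.VaToPtr(build_exec_addr);
    info.addr = build_exec_addr;
    info.size = build_exec_size;
    if (info.size < 5)
    {
      printf("Protect Size less than 5 Byte\n");
      return;
    }
    if (!info.buf)
    {
      // The range is wiped with memset below; an unmapped VA must not reach it.
      printf("Protect address is not mapped in the image\n");
      return;
    }
//#define VM_DEBUG_BUILD
#ifdef VM_DEBUG_BUILD
    // Debug path: virtualise each disassembled piece on its own. This branch
    // was carried over from the PE variant and referenced a `section` object
    // that does not exist here; it now uses the same CELFFile calls as the
    // release branch below.
    Analysis analysis;
    std::vector<CodePiece> code_list;
    analysis.disasm(&info,code_list);
    for (std::vector<CodePiece>::iterator piece = code_list.begin();
         piece != code_list.end(); ++piece)
    {
        if (piece->get_is_jcc())
          info.size = piece->get_piece().back().insn_offset - piece->get_piece().front().insn_offset;
        else
          info.size = piece->get_piece().back().pc - piece->get_piece().front().insn_offset;
        info.addr = piece->get_piece().front().insn_offset;
        info.buf = file.VaToPtr(info.addr);

        if (info.size < 5 )
        {
            printf("编译的地址不能小于5Byte,这段指令编译失败\n");
            continue;
        }
        void * ptr_old_code = info.buf;
        size_t old_code_size = info.size;
        long old_addr = info.addr;
        BuildVMByteCode build(&vm,&info,&table);
        memset(ptr_old_code,0x90,old_code_size);
        add_jmp_addr_elf(file,old_addr,info.addr);
    }
#else
    void * ptr_old_code = info.buf;
    size_t old_code_size = info.size;

    // Collect the addresses referenced from the protected range so the
    // generated code can be fixed up against them.
    Analysis analysis;
    std::vector<long> addr_table;
    std::vector<long*> addr_entry_point;
    analysis.analysis_address_table(&info,addr_table,file.GetSectionMinAddress(),file.GetSectionMaxAddress());
    get_table_addr_elf(file,addr_table,addr_entry_point);

    // After construction info.addr is used as the jump target, so presumably
    // BuildVMByteCode rewrites it to the VM entry — confirm against its ctor.
    BuildVMByteCode build(&vm,&info,&table,addr_entry_point);
    memset(ptr_old_code,0,old_code_size);
    add_jmp_addr_elf(file,build_exec_addr,info.addr);
#endif
  }

  unsigned long section_size = (unsigned long)(table.buffer_size);
  file.AddSegmentSection(".WProtect",section_size,PF_X|PF_R|PF_W);
  file.WriteSegmentSectionData(file.GetProgramCount()-1,0,
      (unsigned char*)table.buffer,(unsigned long *)&table.buffer_size);

  // Output name: "<input name>_WP". Bounds-checked: the previous
  // strcpy/strcat pair overran the 256-byte buffer on long paths.
  char new_file_name[256];
  const int written = snprintf(new_file_name, sizeof(new_file_name), "%s_WP", build_exec_name);
  if (written < 0 || (size_t)written >= sizeof(new_file_name))
  {
    printf("file name too long: %s\n", build_exec_name);
    return;
  }
  // CELFFile exposes its save routine under the name SavePEFile.
  file.SavePEFile(new_file_name);
  printf("Out File:%s\n",new_file_name);
}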
  /*
pCodeBufferInfo BuildVMCode::BuildPCode(
                                        VirtualMachineManage *vmmanage,
                                        pCodeBufferInfo pinfo,
                                        VMAddressTable * address_table
                                          )
{
  Analysis analysis;
  std::vector<CodePiece> code_piece_list;
  analysis.disasm(pinfo,code_piece_list);
  VirtualMachine *vm = vmmanage->rand_virtual_machine();
  vector <VMCodeBufferManage*>vcodebufs;
  long first_pcode_addr = alloc_address(vm,address_table,&analysis,&vcodebufs);
  
   SeniorVMHandle *sfirst = &vcodebufs[ 0 ]->get_generator(  );
   //sfirst->upset_register_array(sfirst->pcode->register_store_in);
   //sfirst->start();
  
  long key = vcodebufs[ 0 ]->code.get_original_key(  );

  VTable t_v;

  memset(&t_v,0,sizeof(t_v));
  bool t_sign = address_table->get_sign();
  address_table->set_sign(true);
  //printf("1111%d\n",address_table->get_size());
  //__asm__ ("int3");
  long head_address = address_table->assign_address(0x70);
  address_table->set_sign(t_sign);

#ifdef DEBUG
  printf("vm入口地址:%x\r\n",head_address);
#endif
  ppcode_block_info info =  vm->create_function_head(head_address,first_pcode_addr,sfirst->pcode,pinfo->addr + pinfo->size,123456,key); //pcode位置有问题

  address_table->copy(head_address,info->buf,info->size);
  

  for (int i = 0; i < analysis.block_count; ++i)
  {
    ud_t ud;
    pAssemblerTree nowtree = analysis.get_tree(i);
    SeniorVMHandle *senior = &(vcodebufs)[i]->get_generator();
    vcodebufs[ i ]->code.set_key( nowtree->key ); //设置key
    senior->save_vm_context();
      bool b_j = false;    
    for (std::vector<ud_t>::iterator iter = nowtree->asmpiece.begin();
         iter != nowtree->asmpiece.end(); ++iter)
    {
      ud = *iter;
      if (nowtree->LeftChild)
      ud.vm_jcc_addr1 = nowtree->LeftChild->reloc_address;
      switch ( ud.mnemonic)
      {
      case UD_Ijnz:
        b_j = true;
        ud.vm_jcc_addr2 = nowtree->RightChild->reloc_address;//nowtree->jcc_addr;
        asm_to_vm( &vcodebufs[ i ]->get_generator(  ),&ud );        
        break;
      case UD_Ijz:
        b_j = true;
        ud.vm_jcc_addr2 = nowtree->jcc_addr;
        asm_to_vm( &vcodebufs[ i ]->get_generator(  ),&ud );        
        break;
      default:
        asm_to_vm( &vcodebufs[ i ]->get_generator(  ),&ud );
      }
    }
    printf("当前key:%x\r\n",nowtree->key);
    if (i+1 < analysis.block_count    )
    {
      senior->recover_vm_context();
      if (!b_j) 
        senior->push(nowtree->LeftChild->reloc_address);
      else
        senior->push(T_JCC_REGISTER);
      //senior->set_key(vcodebufs[i]->code.get_original_key());
      senior->set_key(nowtree->key); //handle设置key
    }
        
    //senior->recover_vm_context();      
  }
  address_table->copy();
  
  for (vector <VMCodeBufferManage*>::iterator iter = vcodebufs.begin(); iter != vcodebufs.end(); ++iter)
  {
    delete *iter;
  }
  pinfo->addr = head_address;
  return pinfo;
}*/
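// Translate the native code described by pinfo into p-code for a randomly
// chosen virtual machine and lay it out through address_table.
//
// vmmanage      - supplies the virtual machine the code is built for.
// pinfo         - buffer/VA/size of the native code; on success pinfo->addr is
//                 overwritten with the address of the generated VM entry stub.
// address_table - allocator for the output section; every code buffer and the
//                 entry stub are placed through it.
// Returns pinfo on success, NULL when no code buffers could be allocated.
// NOTE(review): callers must handle the NULL return — confirm.
pCodeBufferInfo BuildVMCode::BuildPCode(
                                        VirtualMachineManage *vmmanage,
                                        pCodeBufferInfo pinfo,
                                        VMAddressTable * address_table
                                          )
{
  Analysis analysis;
  analysis.disasm(pinfo);
  VirtualMachine *vm = vmmanage->rand_virtual_machine();
  // Raw owning pointers: alloc_address fills the vector and the loop at the
  // end deletes them. An exception in between leaks them (pre-existing).
  vector <VMCodeBufferManage*>vcodebufs;
  long first_pcode_addr = alloc_address(vm,address_table,&analysis,&vcodebufs);
  if (vcodebufs.empty())
  {
    // vcodebufs[0] below would be out of bounds.
    printf("BuildPCode: no code buffers allocated\n");
    return NULL;
  }

  SeniorVMHandle *sfirst = &vcodebufs[ 0 ]->get_generator(  );
  long key = vcodebufs[ 0 ]->code.get_original_key(  );

  // Reserve the entry stub with the sign flag forced on; restore it afterwards.
  bool t_sign = address_table->get_sign();
  address_table->set_sign(true);
  long head_address = address_table->assign_address(0x70);
  address_table->set_sign(t_sign);

#ifdef DEBUG
  // %lx with an explicit cast: head_address is a long, and %x expects an unsigned int.
  printf("vm入口地址:%lx\r\n",(unsigned long)head_address);
#endif
  // The 123456 argument is passed verbatim from the original; its meaning to
  // create_function_head is not visible here — TODO confirm.
  // Original author's note on this line: the pcode position is questionable.
  ppcode_block_info info =  vm->create_function_head(head_address,first_pcode_addr,sfirst->pcode,pinfo->addr + pinfo->size,123456,key);

  address_table->copy(head_address,info->buf,info->size);

  for (int i = 0; i < analysis.block_count; ++i)
  {
    pAssemblerTree nowtree = analysis.get_tree(i);
    SeniorVMHandle *senior = &vcodebufs[i]->get_generator();
    vcodebufs[ i ]->code.set_key( nowtree->key );
    senior->save_vm_context();
    bool b_j = false;  // set once the block contains a conditional jump
    for (std::vector<ud_t>::iterator iter = nowtree->asmpiece.begin();
         iter != nowtree->asmpiece.end(); ++iter)
    {
      ud_t ud = *iter;
      if (nowtree->LeftChild)
        ud.vm_jcc_addr1 = nowtree->LeftChild->reloc_address;
      switch ( ud.mnemonic)
      {
      case UD_Ijnz:
        b_j = true;
        // assumes a jnz block always has a RightChild (LeftChild is
        // null-checked above, this is not) — TODO confirm
        ud.vm_jcc_addr2 = nowtree->RightChild->reloc_address;
        break;
      case UD_Ijz:
        b_j = true;
        ud.vm_jcc_addr2 = nowtree->jcc_addr;
        break;
      default:
        break;
      }
      asm_to_vm( senior, &ud );
    }
    // %lx with an explicit cast: key is passed around as a long above.
    printf("当前key:%lx\r\n",(unsigned long)nowtree->key);
    if (i+1 < analysis.block_count)
    {
      // Chain to the next block: a fall-through block pushes its successor's
      // address, a jcc block pushes the register the jump target was left in.
      senior->recover_vm_context();
      if (!b_j)
        // assumes a non-jcc block that is not the last one has a LeftChild — TODO confirm
        senior->push(nowtree->LeftChild->reloc_address);
      else
        senior->push(T_JCC_REGISTER);
      senior->set_key(nowtree->key);
    }
  }
  address_table->copy();

  for (vector <VMCodeBufferManage*>::iterator iter = vcodebufs.begin(); iter != vcodebufs.end(); ++iter)
  {
    delete *iter;
  }
  pinfo->addr = head_address;
  return pinfo;
}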