admin/Ryujin
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: Add stub code comments for "AntiDump" feature and enhance README.md

Browse Source 
- Added the shellcode generation code as comments within the "AntiDump" stub for better context and understanding.
- Enhanced README.md with more detailed descriptions and an outline of planned future features.
This commit is contained in:
keowu
2025-07-13 20:05:55 -03:00
parent f647c39590
commit 508a204d21
4 changed files with 115 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
README.md
View File

@@ -2,7 +2,9 @@
**Ryūjin Protector** is an open-source **Bin2Bin** obfuscation, protection, and DRM tool for **Windows PE** binaries targeting the **Intel x64 architecture(Only)**.
![Ryūjin Protector Banner](imgs/ryujinreadme.png)
<p align="center">
<img src="imgs/ryujinreadme.png" alt="Ryūjin Protector Banner" width="80%">
</p>
---
@@ -14,13 +16,14 @@
- Mathematical Operators Virtualization(aka: Ryūjin MiniVM)
- Obfuscated code Encryption(Using TeaDelKew Algorithm)
- Anti-Debug User + Kernel
- Anti-Dump
- Anti-Disassembly(Planned)
- Troll Reversers(Exclusive)
- Anti-Dump
- Anti-Disassembly(Planned - **TODO**)
- Custom Passes(Planned - **TODO**)
---
## Goals
## Demos and Presentations
Ryūjin was designed and developed for the study of obfuscators with Bin2Bin capabilities, making it a viable project for use by third parties as well as serious information security students. This includes: Commercial Developers, Indie Developers/Cheat Developers, Anti-Cheat Developers, Malware Developers, Malware Analysts, and Security Researchers.
@@ -30,6 +33,18 @@ Ryūjin was designed and developed for the study of obfuscators with Bin2Bin cap
This is only a small demo with only one Ryūjin feature, others feature together produce a better result.
**Really Easy to Use:**
**Ryūjin** is extremely easy to use — you can choose between the GUI mode or the CLI mode. Both will produce the same result in a precise, functional, and stable way.
GUI Mode Demonstration:
![Ryūjin Protector Demo GUI](imgs/demo1.png)
CLI Mode Demonstration:
![Ryūjin Protector Demo Console](imgs/demo2.png)
For both options, you will need exclusively a PE file (Apanas, executable, for now) along with a PDB file containing the symbols for that PE file, so that you can protect and generate a new binary. Additionally, you can consult the WIKI at any time to discover other options and possibilities, such as custom passes.
---
## Getting Started

96
RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
View File

@@ -1648,6 +1648,102 @@ void RyujinObfuscationCore::insertAntiDump() {
// Add the AntiDump stub
std::vector<unsigned char> antiDumpShellcode = {
/*
#pragma optimize("", off)
__declspec(noinline) __declspec(safebuffers) void AntiDumpShell() {
#ifdef _M_X64
auto* peb = reinterpret_cast<PEB*>(__readgsqword(0x60));
#else
auto* peb = reinterpret_cast<PEB*>(__readfsdword(0x30));
#endif
if (!peb || !peb->Ldr) return;
wchar_t ntdllStr[] { 'n','t','d','l','l','.','d','l','l', 0 };
char ntprotStr[] { 'N','t','P','r','o','t','e','c','t','V','i','r','t','u','a','l','M','e','m','o','r','y', 0 };
NtProtectVirtualMemory_t pNtProtect = nullptr;
auto* head = &peb->Ldr->InMemoryOrderModuleList;
for (auto* link = head->Flink; link != head; link = link->Flink) {
auto* entry = CONTAINING_RECORD(link, LDR_DATA_TABLE_ENTRY, InMemoryOrderLinks);
if (!entry->BaseDllName.Buffer) continue;
auto* modName = entry->BaseDllName.Buffer;
auto* target = ntdllStr;
bool matched = true;
for (; *target && *modName; ++target, ++modName) {
auto ca = (*modName >= 'A' && *modName <= 'Z') ? *modName + 0x20 : *modName;
auto cb = (*target >= 'A' && *target <= 'Z') ? *target + 0x20 : *target;
if (ca != cb) { matched = false; break; }
}
if (!matched || *target || *modName) continue;
auto* base = reinterpret_cast<BYTE*>(entry->DllBase);
auto* dos = reinterpret_cast<IMAGE_DOS_HEADER*>(base);
auto* nt = reinterpret_cast<IMAGE_NT_HEADERS*>(base + dos->e_lfanew);
auto& ed = nt->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
if (!ed.VirtualAddress) return;
auto* exp = reinterpret_cast<IMAGE_EXPORT_DIRECTORY*>(base + ed.VirtualAddress);
auto* names = reinterpret_cast<DWORD*>(base + exp->AddressOfNames);
auto* ords = reinterpret_cast<WORD*>(base + exp->AddressOfNameOrdinals);
auto* funcs = reinterpret_cast<DWORD*>(base + exp->AddressOfFunctions);
for (auto i = 0; i < exp->NumberOfNames; i++) {
auto* fn = reinterpret_cast<char*>(base + names[i]);
bool match = true;
for (auto j = 0; ntprotStr[j] || fn[j]; ++j)
if (ntprotStr[j] != fn[j]) { match = false; break; }
if (match) {
pNtProtect = reinterpret_cast<NtProtectVirtualMemory_t>(base + funcs[ords[i]]);
break;
}
}
break;
}
if (!pNtProtect) return;
auto* imgDos = reinterpret_cast<IMAGE_DOS_HEADER*>(peb->ImageBaseAddress);
auto* ntHeaders = reinterpret_cast<IMAGE_NT_HEADERS*>(reinterpret_cast<uint8_t*>(imgDos) + imgDos->e_lfanew);
auto* sectionHeaders = IMAGE_FIRST_SECTION(ntHeaders);
auto headerSize = sizeof(IMAGE_DOS_HEADER);
ULONG oldProtect;
PVOID baseAddr = imgDos;
if (pNtProtect(reinterpret_cast<HANDLE>(-1), &baseAddr, &headerSize, PAGE_READWRITE, &oldProtect) == 0) {
for (auto i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i) {
auto* ptr = reinterpret_cast<uint8_t*>(&sectionHeaders[i]);
for (auto j = 0; j < sizeof(IMAGE_SECTION_HEADER); ++j)
*ptr++ = 0;
}
pNtProtect(reinterpret_cast<HANDLE>(-1), &baseAddr, &headerSize, oldProtect, &oldProtect);
}
}
#pragma optimize("", on)
*/
0x48, 0x81, 0xEC, 0x48, 0x01, 0x00, 0x00, 0x65, 0x48, 0x8B, 0x04, 0x25,
0x60, 0x00, 0x00, 0x00, 0x48, 0x89, 0x84, 0x24, 0x98, 0x00, 0x00, 0x00,
0x48, 0x83, 0xBC, 0x24, 0x98, 0x00, 0x00, 0x00, 0x00, 0x74, 0x0F, 0x48,

BIN
imgs/demo1.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 170 KiB

BIN
imgs/demo2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB