From a9bdbb1bdd32199ad952f6bccf1fff21ea0d9af2 Mon Sep 17 00:00:00 2001 From: keowu Date: Sat, 12 Jul 2025 21:26:12 -0300 Subject: [PATCH] feat: Start implementing the base for the "AntiDump" feature MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Begin work on the foundational structure for the "AntiDump" feature - Introduced a new capability in Ryujin called "RyujinRunOncePass", which runs only on the first obfuscated function — ideal for volatile features - Updated "RyujinCoreConfiguration" structures - Updated "RyujinGUI" to include the "AntiDump" option - Updated "RyujinConsole" to display the "AntiDump" feature - Updated "README.md" accordingly --- README.md | 6 +-- RyujinConsole/RyujinConsole/RyujinConsole.cc | 3 +- RyujinConsole/RyujinConsole/RyujinCore.hh | 1 + .../Ryujin/Models/RyujinObfuscatorConfig.hh | 1 + RyujinCore/Ryujin/Ryujin.cc | 4 +- .../RyujinCore/RyujinObfuscationCore.cc | 41 ++++++++++++++++++- .../RyujinCore/RyujinObfuscationCore.hh | 3 +- RyujinGUI/RyujinApp.cc | 13 ++++++ RyujinGUI/RyujinApp.hh | 1 + RyujinGUI/RyujinCore.hh | 1 + 10 files changed, 66 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index c540379..8aeddaf 100644 --- a/README.md +++ b/README.md @@ -13,10 +13,10 @@ - Random Section naming(Default name: Ryujin) - Mathematical Operators Virtualization(aka: Ryūjin MiniVM) - Obfuscated code Encryption(Using TeaDelKew Algorithm) -- Anti-Debug User + Kernel(Planned) -- Anti-Dump(Planned) +- Anti-Debug User + Kernel +- Anti-Dump - Anti-Disassembly(Planned) -- Troll Reversers(Exclusive Planned) +- Troll Reversers(Exclusive) --- diff --git a/RyujinConsole/RyujinConsole/RyujinConsole.cc b/RyujinConsole/RyujinConsole/RyujinConsole.cc index 3fa5b36..aa429e8 100644 --- a/RyujinConsole/RyujinConsole/RyujinConsole.cc +++ b/RyujinConsole/RyujinConsole/RyujinConsole.cc 
@@ -29,7 +29,7 @@ Options:
 --help Show this help message
 In Action Usage Example:
- RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
+ RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --AntiDump --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
 )";
@@ -86,6 +86,7 @@ auto main(int argc, char* argv[]) -> int {
 config.m_isEncryptObfuscatedCode = has_flag(args, "--encrypt");
 config.m_isTrollRerversers = has_flag(args, "--troll");
 config.m_isAntiDebug = has_flag(args, "--AntiDebug");
+ config.m_isAntiDump = has_flag(args, "--AntiDump");
 if (has_flag(args, "--procs")) {
 auto rawList = args["--procs"];
diff --git a/RyujinConsole/RyujinConsole/RyujinCore.hh b/RyujinConsole/RyujinConsole/RyujinCore.hh
index d3e28fd..75fd67f 100644
--- a/RyujinConsole/RyujinConsole/RyujinCore.hh
+++ b/RyujinConsole/RyujinConsole/RyujinCore.hh
@@ -22,6 +22,7 @@ public:
 bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
 bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
 bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
+ bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
 RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate
 std::vector m_strdProceduresToObfuscate; // Names of the procedures to obfuscate
diff --git a/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh b/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh
index a303bad..dc525a2 100644
--- a/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh
+++ b/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh
@@ -20,6 +20,7 @@ public:
 bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
 bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
 bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
+ bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
 RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate - FFI
 std::vector m_strdProceduresToObfuscate; // Names of the procedures to obfuscate
 // todo: passes
diff --git a/RyujinCore/Ryujin/Ryujin.cc b/RyujinCore/Ryujin/Ryujin.cc
index 5cb8d1a..25e8b7f 100644
--- a/RyujinCore/Ryujin/Ryujin.cc
+++ b/RyujinCore/Ryujin/Ryujin.cc
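Review bot: `bool m_isAntiDump;` is added with no default member initializer, so any code path that constructs this config without assigning the new field (this commit only sets it in RyujinConsole's flag parsing and the GUI's BindRunEvent) passes an indeterminate bool into the core. `bool m_isAntiDump{ false };` would make the option off by default; the neighbouring members visible in the hunk carry no initializers either, so if the struct is meant to stay an aggregate for the FFI noted on `m_strProceduresToObfuscate`, a default member initializer still preserves that in C++14 and later. The same field is appended at the same position in RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh and RyujinGUI/RyujinCore.hh, which the FFI copy presumably requires, so the three headers must keep identical layouts for any further field as well. `technic` in the new comment should read `technique`.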
@@ -94,8 +94,8 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) {
 return FALSE;
 }
+ bool RyujinRunOncePass{ TRUE };
 std::vector processed_procs;
-
 for (auto& proc : m_ryujinProcedures) {
 auto it = std::find(config.m_strdProceduresToObfuscate.begin(), config.m_strdProceduresToObfuscate.end(), proc.name);
@@ -137,7 +137,7 @@ bool Ryujin::run(const RyujinObfuscatorConfig& config) {
 //Is time to obfuscate ?
 RyujinObfuscationCore obc(config, proc, reinterpret_cast(m_mappedPE.get()));
- obc.Run();
+ obc.Run(RyujinRunOncePass);
 //TODO: Custom passes support
diff --git a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
index 7c51205..10522ca 100644
--- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
+++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
@@ -1602,6 +1602,34 @@ void RyujinObfuscationCore::insertAntiDebug() {
 }
+void RyujinObfuscationCore::insertAntiDump() {
+
+ BOOL isInserted{ FALSE };
+
+ for (auto& block : m_proc.basic_blocks) {
+
+ for (auto& instr : block.instructions) {
+
+ if (isInserted) break;
+
+ if (!isInserted) {
+
+ auto block_info = findBlockId(instr.instruction.info.opcode, instr.instruction.operands[1].imm.value.u, 2, sizeof(unsigned char));
+
+ if (block_info.first == -1 || block_info.second == -1) continue;
+
+ auto& data = m_proc.basic_blocks[block_info.first].opcodes[block_info.second];
+
+ std::printf("RyujinObfuscationCore::insertAntiDump\n");
+
+ isInserted = TRUE;
+
+ }
+ }
+ }
+
+}
+
 void RyujinObfuscationCore::updateBasicBlocksContext() {
 auto new_obfuscated_opcodes = getProcessedProc().getUpdateOpcodes();
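Review bot: `bool RyujinRunOncePass{ TRUE };` is a local flag named like a type and initialised from the Win32 `TRUE` macro, while the other locals in this function (`processed_procs`, `it`) use lower-case names; `bool run_once_pending{ true };` would read consistently with them. Handing the flag to `obc.Run(RyujinRunOncePass)` by non-const reference means the callee decides when the one-shot passes fire and when the flag is cleared, which a reader of `Ryujin::run` cannot see from this loop; a comment at the declaration such as `// cleared by RyujinObfuscationCore::Run once the single-shot passes have been applied` would document that contract. Ryujin::run continues outside both hunks.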
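Review bot: `insertAntiDump` records success only in the local `isInserted` and returns `void`, so its caller cannot tell whether an insertion point was found; since the caller clears its run-once flag after this call, a first procedure with no usable block silently disables the feature for the whole run. The `if (!isInserted)` test is always true because the preceding `if (isInserted) break;` leaves the inner loop first, and `data` is bound but never used, so the body can be flattened to a single early return. `instr.instruction.operands[1].imm.value.u` is read for every instruction; if the decoder's operand array is fixed-size this is in bounds, but for instructions with fewer than two immediate operands the value is presumably whatever the decoder left there, so guarding on the operand count or type before the lookup is worth confirming against the decoder's structures. Returning `bool` requires the matching change to the `void insertAntiDump();` declaration this commit adds in RyujinObfuscationCore.hh.
```cpp
bool RyujinObfuscationCore::insertAntiDump() {

    for (auto& block : m_proc.basic_blocks) {

        for (auto& instr : block.instructions) {

            // NOTE(review): operands[1] is read for every instruction — confirm the immediate is
            // meaningful for instructions with fewer than two operands, or guard on the operand count/type.
            auto block_info = findBlockId(instr.instruction.info.opcode, instr.instruction.operands[1].imm.value.u, 2, sizeof(unsigned char));

            if (block_info.first == -1 || block_info.second == -1) continue;

            // TODO: the insertion itself is not implemented yet; the target is
            // m_proc.basic_blocks[block_info.first].opcodes[block_info.second].
            std::printf("RyujinObfuscationCore::insertAntiDump\n");

            return true;
        }
    }

    return false;
}
```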
@@ -1610,11 +1638,22 @@ void RyujinObfuscationCore::updateBasicBlocksContext() {
 }
-BOOL RyujinObfuscationCore::Run() {
+BOOL RyujinObfuscationCore::Run(bool& RyujinRunOncePass) {
 //Add padding spaces
 addPaddingSpaces();
+ /*
+ RyujinRunOncePass only run once for the first function candidate to obfuscation.
+ this is the better place to put unique logic code that is high volatily.
+ */
+ if (RyujinRunOncePass) {
+
+ this->insertAntiDump();
+
+ RyujinRunOncePass = FALSE;
+ }
+
 //Update basic blocks view based on the new obfuscated
 this->updateBasicBlocksContext();
diff --git a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh
index bf3b85a..86bb376 100644
--- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh
+++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh
@@ -30,6 +30,7 @@ private:
 void insertJunkCode();
 void insertVirtualization();
 void insertAntiDebug();
+ void insertAntiDump();
 std::vector fix_branch_near_far_short(uint8_t original_opcode, uint64_t jmp_address, uint64_t target_address);
 uint32_t findOpcodeOffset(const uint8_t* data, size_t dataSize, const void* opcode, size_t opcodeSize);
@@ -69,7 +70,7 @@ public:
 void applyRelocationFixupsToInstructions(uintptr_t imageBase, DWORD virtualAddress, std::vector& new_opcodes);
 void removeOldOpcodeRedirect(uintptr_t newMappedPE, std::size_t szMapped, uintptr_t newObfuscatedAddress, bool isIgnoreOriginalCodeRemove = false);
 void InsertMiniVmEnterProcedureAddress(uintptr_t imageBase, uintptr_t virtualAddress, std::vector& new_opcodes);
- BOOL Run();
+ BOOL Run(bool& RyujinRunOncePass);
 RyujinProcedure getProcessedProc();
 ~RyujinObfuscationCore();
diff --git a/RyujinGUI/RyujinApp.cc b/RyujinGUI/RyujinApp.cc
index d6ec10b..e369e45 100644
--- a/RyujinGUI/RyujinApp.cc
+++ b/RyujinGUI/RyujinApp.cc
@@ -199,6 +199,13 @@ bool RyujinApp::OnInit() {
 );
+ m_isAntiDump = DrawnStyledCheckbox(
+
+ panel,
+ "AntiDump"
+
+ );
+
 optionsSizer->Add(
 m_virtualize
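Review bot: `this->insertAntiDump();` runs whenever `RyujinRunOncePass` is set and never consults the `m_isAntiDump` option this same commit adds to the config, so the `--AntiDump` flag and the GUI checkbox have no effect and the pass is applied to every protected binary. The flag is also set to `FALSE` unconditionally, so if `insertAntiDump` finds no insertion point in this first procedure (its `isInserted` stays `FALSE`) no later procedure gets another chance. Once `insertAntiDump` reports success, gating on both would be `if (RyujinRunOncePass && <stored config>.m_isAntiDump && this->insertAntiDump()) { RyujinRunOncePass = FALSE; }`, where `<stored config>` stands for the member holding the `config` passed to the constructor, which is not visible in this hunk. The new block comment would also read better as `/* RyujinRunOncePass is set only for the first procedure that is a candidate for obfuscation; this is the place for one-shot logic that is highly volatile. */`. Run's body continues past the hunk.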
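Review bot: `BOOL Run(bool& RyujinRunOncePass);` introduces an in-out flag with no comment on who sets it and who clears it, and the parameter is PascalCase where the neighbouring declarations use camelCase (`imageBase`, `newObfuscatedAddress`, `isIgnoreOriginalCodeRemove`). A comment on the declaration such as `// runOncePass: true until the single-shot passes have been applied; Run() clears it` would document the contract, and with the rename the line becomes `BOOL Run(bool& runOncePass);`. The private `void insertAntiDump();` added in the earlier hunk of this header is the declaration that has to change if the pass is made to report success.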
@@ -238,6 +245,11 @@ bool RyujinApp::OnInit() {
 m_isAntiDebugNormal
+ );
+ optionsSizer->Add(
+
+ m_isAntiDump
+
 );
 optionsBox->Add(
@@ -684,6 +696,7 @@ auto RyujinApp::BindRunEvent(wxFrame* frame) -> void {
 core.m_isJunkCode = m_junk->IsChecked();
 core.m_isRandomSection = m_randomSection->IsChecked();
 core.m_isVirtualized = m_virtualize->IsChecked();
+ core.m_isAntiDump = m_isAntiDump->IsChecked();
 if (m_isAntiDebugWithTroll->IsChecked()) {
diff --git a/RyujinGUI/RyujinApp.hh b/RyujinGUI/RyujinApp.hh
index 337b936..6ae2547 100644
--- a/RyujinGUI/RyujinApp.hh
+++ b/RyujinGUI/RyujinApp.hh
@@ -22,6 +22,7 @@ private:
 wxCheckBox* m_ignoreOriginalCodeRemove = nullptr;
 wxCheckBox* m_isAntiDebugWithTroll = nullptr;
 wxCheckBox* m_isAntiDebugNormal = nullptr;
+ wxCheckBox* m_isAntiDump = nullptr;
 wxListBox* m_procList = nullptr;
 wxGauge* m_progress = nullptr;
diff --git a/RyujinGUI/RyujinCore.hh b/RyujinGUI/RyujinCore.hh
index 05be5af..68611b3 100644
--- a/RyujinGUI/RyujinCore.hh
+++ b/RyujinGUI/RyujinCore.hh
@@ -22,6 +22,7 @@ public:
 bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
 bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
 bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
+ bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
 RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate - FFI
 std::vector m_strdProceduresToObfuscate; // Names of the procedures to obfuscate