diff --git a/RyujinConsole/RyujinConsole/RyujinConsole.cc b/RyujinConsole/RyujinConsole/RyujinConsole.cc index 65a54c4..fe9763c 100644 --- a/RyujinConsole/RyujinConsole/RyujinConsole.cc +++ b/RyujinConsole/RyujinConsole/RyujinConsole.cc @@ -29,7 +29,7 @@ Options: --help Show this help message In Action Usage Example: - RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie + RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie )"; @@ -84,6 +84,8 @@ auto main(int argc, char* argv[]) -> int { config.m_isVirtualized = has_flag(args, "--virtualize"); config.m_isIatObfuscation = has_flag(args, "--iat"); config.m_isEncryptObfuscatedCode = has_flag(args, "--encrypt"); + config.m_isTrollRerversers = has_flag(args, "--troll"); + config.m_isAntiDebug = has_flag(args, "--AntiDebug"); std::vector procsToObfuscate; if (has_flag(args, "--procs")) { diff --git a/RyujinConsole/RyujinConsole/RyujinCore.hh b/RyujinConsole/RyujinConsole/RyujinCore.hh index ba70975..d136790 100644 --- a/RyujinConsole/RyujinConsole/RyujinCore.hh +++ b/RyujinConsole/RyujinConsole/RyujinCore.hh 
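Review bot: `--troll` is parsed into `config.m_isTrollRerversers`, but the Run() hunk in RyujinObfuscationCore.cc shows that field is only read inside insertAntiDebug(), which only executes when `m_isAntiDebug` is set, so `--troll` without `--AntiDebug` is silently ignored; after the two new has_flag lines add `if (config.m_isTrollRerversers && !config.m_isAntiDebug) std::fprintf(stderr, "--troll has no effect without --AntiDebug\n");` (or set m_isAntiDebug implicitly, whichever is intended). The spelling `--AntiDebug` also breaks the all-lowercase convention of every other flag here (`--virtualize`, `--iat`, `--encrypt`, `--troll`); `--antidebug` would be consistent, or accept both. The first hunk updates only the usage example, and the Options list that precedes it in the same string does not visibly gain entries for the two new flags — most of that list is outside the hunk, so verify. main() continues outside the hunk.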
@@ -12,6 +12,8 @@ public: bool m_isJunkCode; // Insert junk code to confuse bool m_isIgnoreOriginalCodeRemove; // Do not remove the original code after processing (replace the original instructions with NOPs) bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection + bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin + bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress std::vector m_strProceduresToObfuscate; // Names of the procedures to obfuscate bool RunRyujin(const std::string& strInputFilePath, const std::string& strPdbFilePath, const std::string& strOutputFilePath, RyujinObfuscatorConfig& config) { diff --git a/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh b/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh index 0fc3d7b..75cf1f5 100644 --- a/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh +++ b/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh @@ -10,6 +10,8 @@ public: bool m_isJunkCode; // Insert junk code to confuse bool m_isIgnoreOriginalCodeRemove; // Do not remove the original code after processing (replace the original instructions with NOPs) bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection + bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin + bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress std::vector m_strProceduresToObfuscate; // Names of the procedures to obfuscate // todo: passes diff --git a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc index d1332e3..d715cd0 100644 --- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc 
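Review bot: The two new members are added to two hand-synchronised copies of the config class (this hunk in RyujinConsole/RyujinCore.hh and the one in RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh), and inserting them before `m_strProceduresToObfuscate` shifts that vector's offset; the `RunRyujin(..., RyujinObfuscatorConfig& config)` signature in the context suggests the object crosses the console/core boundary, so a build where only one side is recompiled would read the vector at a stale offset. Prefer one shared header for the type, or at least append new fields after the existing ones and pin the layout on both sides with `static_assert(sizeof(RyujinObfuscatorConfig) == EXPECTED_SIZE_PLACEHOLDER);`. Neither new bool has a default member initializer, matching the existing fields, but a library caller that does not set them would then trigger the anti-debug pass on an indeterminate value; `bool m_isAntiDebug{ false };` costs nothing. `m_isTrollRerversers` is a typo (Rerversers) — renaming to `m_isTrollReversers` before it spreads further is cheap, and the trailing comment would read better as `// Use the troll-reversers variant of the anti-debug response when a debugger is detected, costing the reverser their progress`.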
+++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc @@ -838,6 +838,45 @@ void RyujinObfuscationCore::insertVirtualization() { } +void RyujinObfuscationCore::insertAntiDebug() { + + BOOL isInserted{ FALSE }; + + for (auto& block : m_proc.basic_blocks) { + + for (auto& instr : block.instructions) { + + if (!isInserted) { + + // 1º Inserir a stub que vai carregar o shellcode via stack + // 2º usar virtual alloc + // 3º criar uma thread escondida do debugger para executar o shellcode com o antidebug ou antidebug + trollreversers + // ACESSAR PEB RECUPERAR ESSES MODULOS MANUALMENTE ? sad. mas é parecido como o Themida e suas detecções funcionam. + + if (this->m_config.m_isTrollRerversers) { + + // IstrollReversers é o antidebug convencional mas com a capacidade de trigar tela azul via hard error + + std::printf("Run m_isAntiDebug + m_isTrollRerversers\n"); + + } + else { + + // Is Antidebug é o antidebug convencional que só encerrara a execução completa do binário protegido + + std::printf("Run m_isAntiDebug\n"); + + } + + isInserted = TRUE; + } + + } + + } + +} + void RyujinObfuscationCore::updateBasicBlocksContext() { auto new_obfuscated_opcodes = getProcessedProc().getUpdateOpcodes(); @@ -854,6 +893,16 @@ BOOL RyujinObfuscationCore::Run() { //Update basic blocks view based on the new obfuscated this->updateBasicBlocksContext(); + if (m_config.m_isAntiDebug) { + + // Insert AntiDebug + this->insertAntiDebug(); + + // Update our basic blocks context to rela 1-1 for the new obfuscated opcodes. + this->updateBasicBlocksContext(); + + } + if (m_config.m_isVirtualized) { // Insert Virtualization diff --git a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh index a7c5021..da2a0a7 100644 --- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh +++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh 
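Review bot: insertAntiDebug() never modifies `m_proc` — both branches only call std::printf — yet its name, the header declaration and the caller in Run() (which follows it with updateBasicBlocksContext()) all treat it as a pass that emits opcodes, so a user passing `--AntiDebug` gets a binary with nothing inserted and a console line that reads as success. Until the pass is implemented, the message should say so, e.g. `std::printf("AntiDebug: not implemented yet, no code inserted\n");`, and the header declaration should carry a `// TODO` stating the same. The nested loops only serve to run the body once and then keep iterating over every remaining instruction; replacing `isInserted = TRUE;` with `return;` and dropping `BOOL isInserted{ FALSE };` and `if (!isInserted)` gives the same effect, and `bool` is the natural type for a local flag. The comments inside the body are in Portuguese while the rest of the visible file is in English; since they describe a design plan rather than the code, a single English `// TODO: implementation plan for the anti-debug pass; nothing is emitted yet` line would replace them.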
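Review bot: The new block in Run() calls updateBasicBlocksContext() right after insertAntiDebug(), but the hunk above shows insertAntiDebug() currently changes no opcodes, so this second rebuild is redundant until the pass emits code; it is harmless, but a comment saying the call becomes necessary once the pass inserts instructions would stop someone removing it later. The comment `// Update our basic blocks context to rela 1-1 for the new obfuscated opcodes.` has a typo; suggested wording: `// Rebuild the basic-block view so it maps 1-1 onto the newly inserted opcodes.` The anti-debug pass is placed before the virtualization pass, so whatever it eventually inserts would presumably be processed by the later passes as well — if that stub must stay as emitted, the ordering needs to be deliberate and documented here. Run() starts before and continues after this hunk.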
@@ -29,6 +29,7 @@ private: void obfuscateIat(); void insertJunkCode(); void insertVirtualization(); + void insertAntiDebug(); std::vector fix_branch_near_far_short(uint8_t original_opcode, uint64_t jmp_address, uint64_t target_address); uint32_t findOpcodeOffset(const uint8_t* data, size_t dataSize, const void* opcode, size_t opcodeSize);