feat: Begin working on AntiDebug + TrollReversers features

- Started working on the initial concept and base implementation for AntiDebug detection. - The goal is to use stealthy techniques (similar to Themida) to detect debugging attempts. - An additional feature is being developed to troll reverse engineers by triggering a forced BSOD upon detection, causing them to lose their analysis progress.
2025-07-04 16:39:43 -03:00
parent 370e855413
commit bc265c6d6b
5 changed files with 57 additions and 1 deletions
--- a/RyujinConsole/RyujinConsole/RyujinConsole.cc
+++ b/RyujinConsole/RyujinConsole/RyujinConsole.cc
@@ -29,7 +29,7 @@ Options:
  --help                    Show this help message

 In Action Usage Example:
-    RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
+    RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie

 )";

@@ -84,6 +84,8 @@ auto main(int argc, char* argv[]) -> int {
    config.m_isVirtualized = has_flag(args, "--virtualize");
    config.m_isIatObfuscation = has_flag(args, "--iat");
    config.m_isEncryptObfuscatedCode = has_flag(args, "--encrypt");
+    config.m_isTrollRerversers = has_flag(args, "--troll");
+    config.m_isAntiDebug = has_flag(args, "--AntiDebug");

    std::vector<std::string> procsToObfuscate;
    if (has_flag(args, "--procs")) {
--- a/RyujinConsole/RyujinConsole/RyujinCore.hh
+++ b/RyujinConsole/RyujinConsole/RyujinCore.hh
@@ -12,6 +12,8 @@ public:
    bool m_isJunkCode; // Insert junk code to confuse
    bool m_isIgnoreOriginalCodeRemove; // Do not remove the original code after processing (replace the original instructions with NOPs)
    bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
+	bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
+	bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
    std::vector<std::string> m_strProceduresToObfuscate; // Names of the procedures to obfuscate

    bool RunRyujin(const std::string& strInputFilePath, const std::string& strPdbFilePath, const std::string& strOutputFilePath, RyujinObfuscatorConfig& config) {
--- a/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh
+++ b/RyujinCore/Ryujin/Models/RyujinObfuscatorConfig.hh
@@ -10,6 +10,8 @@ public:
 	bool m_isJunkCode; // Insert junk code to confuse
 	bool m_isIgnoreOriginalCodeRemove; // Do not remove the original code after processing (replace the original instructions with NOPs)
 	bool m_isEncryptObfuscatedCode; // The user wants to encrypt all obfuscated code to avoid detection
+	bool m_isAntiDebug; // The user wants to avoid debuggers use while running a binary protected by Ryujin
+	bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
 	std::vector<std::string> m_strProceduresToObfuscate; // Names of the procedures to obfuscate
 	// todo: passes

--- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
+++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.cc
@@ -838,6 +838,45 @@ void RyujinObfuscationCore::insertVirtualization() {

 }

+void RyujinObfuscationCore::insertAntiDebug() {
+
+	BOOL isInserted{ FALSE };
+
+	for (auto& block : m_proc.basic_blocks) {
+
+		for (auto& instr : block.instructions) {
+
+			if (!isInserted) {
+
+				// 1<> Inserir a stub que vai carregar o shellcode via stack
+				// 2<> usar virtual alloc
+				// 3<> criar uma thread escondida do debugger para executar o shellcode com o antidebug ou antidebug + trollreversers
+				// ACESSAR PEB RECUPERAR ESSES MODULOS MANUALMENTE ? sad. mas <20> parecido como o Themida e suas detec<65><63>es funcionam.
+
+				if (this->m_config.m_isTrollRerversers) {
+
+					// IstrollReversers <20> o antidebug convencional mas com a capacidade de trigar tela azul via hard error
+
+					std::printf("Run m_isAntiDebug + m_isTrollRerversers\n");
+
+				}
+				else {
+
+					// Is Antidebug <20> o antidebug convencional que s<> encerrara a execu<63><75>o completa do bin<69>rio protegido
+				
+					std::printf("Run m_isAntiDebug\n");
+				
+				}
+
+				isInserted = TRUE;
+			}
+
+		}
+	
+	}
+
+}
+
 void RyujinObfuscationCore::updateBasicBlocksContext() {

 	auto new_obfuscated_opcodes = getProcessedProc().getUpdateOpcodes();
@@ -854,6 +893,16 @@ BOOL RyujinObfuscationCore::Run() {
 	//Update basic blocks view based on the new obfuscated 
 	this->updateBasicBlocksContext();

+	if (m_config.m_isAntiDebug) {
+
+		// Insert AntiDebug
+		this->insertAntiDebug();
+
+		// Update our basic blocks context to rela 1-1 for the new obfuscated opcodes.
+		this->updateBasicBlocksContext();
+
+	}
+
 	if (m_config.m_isVirtualized) {

 		// Insert Virtualization
--- a/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh
+++ b/RyujinCore/Ryujin/RyujinCore/RyujinObfuscationCore.hh
@@ -29,6 +29,7 @@ private:
 	void obfuscateIat();
 	void insertJunkCode();
 	void insertVirtualization();
+	void insertAntiDebug();
 	std::vector<uint8_t> fix_branch_near_far_short(uint8_t original_opcode, uint64_t jmp_address, uint64_t target_address);
 	uint32_t findOpcodeOffset(const uint8_t* data, size_t dataSize, const void* opcode, size_t opcodeSize);