From 6d0a033122fd95f0a01e597842fca144596452ff Mon Sep 17 00:00:00 2001
From: wesmar
Date: Thu, 2 Oct 2025 12:44:45 +0200
Subject: [PATCH] Aktualizacja: 2025-10-02 12:44:45
---
 kvc/Kvc.vcxproj | 10 +++++---
 kvc/RuntimeStr.asm | 58 ++++++++++++++++++++++++++++++++++++++++++++++
 kvc/common.cpp | 8 ++++---
 kvc/common.h | 3 ++-
 4 files changed, 72 insertions(+), 7 deletions(-)
 create mode 100644 kvc/RuntimeStr.asm
diff --git a/kvc/Kvc.vcxproj b/kvc/Kvc.vcxproj
index 18bfea1..d042969 100644
--- a/kvc/Kvc.vcxproj
+++ b/kvc/Kvc.vcxproj
@@ -27,9 +27,10 @@ false false - - + + +
@@ -143,7 +144,9 @@ - + + +
@@ -154,5 +157,6 @@ +
\ No newline at end of file
diff --git a/kvc/RuntimeStr.asm b/kvc/RuntimeStr.asm
new file mode 100644
index 0000000..75563b4
--- /dev/null
+++ b/kvc/RuntimeStr.asm
@@ -0,0 +1,58 @@
+; RuntimeStr.asm - Runtime string configuration provider by WESMAR
+; Provides configuration strings for kernel operations
+; Uses XOR encoding to avoid static string detection in binary analysis
+
+.data
+ALIGN 8
+; XOR-encoded wide string data (key: 0ABh)
+; Decoded at runtime to prevent static analysis detection
+g_EncodedData dw 00F9h, 00FFh, 00E8h, 00C4h, 00D9h, 00CEh, 009Dh, 009Fh, 00ABh
+
+; XOR decoding key for runtime string reconstruction
+g_XorKey dw 00ABh
+
+; Static buffer for decoded wide string (thread-safe for read-only service name)
+g_DecodedBuffer dw 9 dup(0)
+
+.code
+ALIGN 16
+PUBLIC GetServiceNameRaw
+
+; Runtime string decoder for kernel driver service configuration
+; Decodes XOR-obfuscated wide string to prevent static string analysis
+; Returns: Pointer to decoded null-terminated wide string (const wchar_t*)
+; Thread-safety: Safe for concurrent reads after first decode
+GetServiceNameRaw PROC
+ push rbx
+ push rdi
+ push rsi
+ sub rsp, 20h ; Allocate shadow space for x64 calling convention
+
+ ; Setup decode parameters
+ lea rsi, g_EncodedData ; Source: encoded data
+ lea rdi, g_DecodedBuffer ; Destination: decoded buffer
+ mov rcx, 9 ; String length including null terminator (FIXED: full 64-bit register)
+ movzx ebx, word ptr g_XorKey ; Load XOR key into register
+
+decode_loop:
+ ; XOR decode: encoded_char XOR key = original_char
+ movzx eax, word ptr [rsi] ; Load encoded wide character
+ xor ax, bx ; Apply XOR decoding
+ mov word ptr [rdi], ax ; Store decoded character
+
+ ; Advance pointers
+ add rsi, 2 ; Next wide char (2 bytes)
+ add rdi, 2
+ loop decode_loop ; Decrement RCX and loop
+
+ ; Return pointer to decoded string
+ lea rax, g_DecodedBuffer
+
+ ; Restore stack and non-volatile registers
+ add rsp, 20h
+ pop rsi
+ pop rdi
+ pop rbx
+ ret
+GetServiceNameRaw ENDP
+END
\ No newline at end of file
diff --git a/kvc/common.cpp b/kvc/common.cpp
index 8dce31c..7d61a12 100644
--- a/kvc/common.cpp
+++ b/kvc/common.cpp
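Review bot: The `; Thread-safety: Safe for concurrent reads after first decode` comment above `GetServiceNameRaw PROC` does not describe what the code does: every call runs `decode_loop` and stores into the global `g_DecodedBuffer`, so concurrent callers all write the same global (identical bytes, so harmless in practice, but still a race the comment denies) rather than reading a buffer that was decoded once. Either reword it to `; Thread-safety: rewrites g_DecodedBuffer on every call; concurrent calls race on the same global` or make the decode run once behind a flag so the stated guarantee actually holds. The `(FIXED: full 64-bit register)` remark on the `mov rcx, 9` line is changelog text and belongs in the commit message rather than the source. The comment on `sub rsp, 20h` is also misleading: shadow space is something a function's caller provides, and this leaf routine makes no calls, so the adjustment is unnecessary (harmless, but the comment implies it is required).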
@@ -227,13 +227,15 @@ std::wstring GetCurrentExecutablePath() noexcept
 return std::wstring(path);
 }
-// Get kernel driver service name for RTCore64 operations
+// External assembly function that returns raw pointer to service name
+extern "C" const wchar_t* GetServiceNameRaw();
+
+// C++ wrapper converting ASM raw pointer to std::wstring
 // Returns: Wide string containing driver service identifier
 std::wstring GetServiceName() noexcept
 {
- return L"RTCore64";
+ return std::wstring(GetServiceNameRaw());
 }
-
 // Get kernel driver filename for file operations
 // Returns: Wide string containing driver file name
 std::wstring GetDriverFileName() noexcept
diff --git a/kvc/common.h b/kvc/common.h
index 8edd4f2..1ba2255 100644
--- a/kvc/common.h
+++ b/kvc/common.h
@@ -197,7 +197,8 @@ extern volatile bool g_interrupted;
 // Core driver functions
 bool InitDynamicAPIs() noexcept;
-std::wstring GetServiceName() noexcept;
+extern "C" const wchar_t* GetServiceNameRaw(); // ASM function
+std::wstring GetServiceName() noexcept; // C++ wrapper
 std::wstring GetDriverFileName() noexcept;
 void GenerateFakeActivity() noexcept;
 std::wstring GetSystemTempPath() noexcept;
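Review bot: `extern "C" const wchar_t* GetServiceNameRaw();` is declared twice by this commit, once here in common.cpp and again in the common.h hunk; common.cpp presumably includes common.h, so the local redeclaration is redundant and should be dropped, leaving the header as the single declaration. The header's `// ASM function` comment says nothing about the pointer's lifetime; since the assembly returns the address of its static `g_DecodedBuffer`, the declaration should say so, e.g. `extern "C" const wchar_t* GetServiceNameRaw(); // ASM; points into a static buffer, never free`. `GetServiceName()` is `noexcept` but `std::wstring(GetServiceNameRaw())` allocates and can throw `std::bad_alloc`, which under `noexcept` terminates the process; the previous literal return had the same exposure, so this is pre-existing rather than introduced here.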