All geek questions in one place

Dynamic obfuscation with self-modifying code

Here is what I am trying to do:

Suppose you have two filters

void f1(int *v) { *v = 55; } void f2(int *v) { *v = 44; } char *template; template = allocExecutablePages(...); char *allocExecutablePages (int pages) { template = (char *) valloc (getpagesize () * pages); if (mprotect (template, getpagesize (), PROT_READ|PROT_EXEC|PROT_WRITE) == -1) { perror ("mprotect"); } }

I would like to make a comparison between f1 and f2 (so tell me what is identical and what is not) (so we get the conveyor lines of this function and do a line-by-line comparison) And then put this line in my template.

Is there a way in C to do this?

thanks

Update

Thank you for all that you answered the guys, but maybe I did not correctly explain my need.

Basically I am trying to write a small obfuscation method. The idea is to allow two or more functions to share the same memory location. The memory area (which we will call the template) is configured, containing some of the machine codes of bytes from the functions, or rather, those that they all have in common. Before executing a specific function, editing a script is used to fix the template with the necessary bytes of machine code to create a full version of this function. When another function is assigned to the same template to be executed, the process repeats, this time using another editing script. To illustrate this, suppose you want to confuse which contains two functions f1 and f2. The first (f1) has the following machine byte codes

 Address Machine code 0 10 1 5 2 6 3 20 and the second one (f2) has Address Machine code 0 10 1 9 2 3 3 20 At obfuscation time, one will replace f1 and f2 by the template Address Machine code 0 10 1 ? 2 ? 3 20 and by the two edit scripts e1 = {1 becomes 5, 2 becomes 6} and e2 = {1 becomes 9, 2 becomes 3}. #include <stdlib.h> #include <string.h> typedef unsigned int uint32; typedef char * addr_t; typedef struct { uint32 offset; char value; } EDIT; EDIT script1[200], script2[200]; char *template; int template_len, script_len = 0; typedef void(*FUN)(int *); int val, state = 0; void f1_stub () { if (state != 1) { patch (script1, script_len, template); state = 1; } ((FUN)template)(&val); } void f2_stub () { if (state != 2) { patch (script2, script_len, template); state = 2; } ((FUN)template)(&val); } int new_main (int argc, char **argv) { f1_stub (); f2_stub (); return 0; } void f1 (int *v) { *v = 99; } void f2 (int *v) { *v = 42; } int main (int argc, char **argv) { int f1SIZE, f2SIZE; /* makeCodeWritable (...); */ /* template = allocExecutablePages(...); */ /* Computed at obfuscation time */ diff ((addr_t)f1, f1SIZE, (addr_t)f2, f2SIZE, script1, script2, &script_len, template, &template_len); /* We hide the proper code */ memset (f1, 0, f1SIZE); memset (f2, 0, f2SIZE); return new_main (argc, argv); }

So I need to write a diff function. which will take the addresses of my two functions and will generate a template with an associated script.

That's why I would like to compare bytes by bytes, my two functions

Sorry for my first post, which was not very clear!

thanks

+2
source share
4 answers

Do you want to do this at run time or at the time of authorship?

You can probably instruct your C compiler to output in assembly language, for example, GCC has the -S option, which will output to file.s of your compiler package, it can also have a program like objdump that can decompile an object file or a complete executable file. However, you generally want to leave the optimization to a modern compiler, and not do it yourself.

At run time, the and operator can take the address of the function, and you can read it, although you should be prepared for the possibility of encountering instructions for branching to something interesting, so you really need to programmatically "understand" the smallest subset of the instruction set. What you will come across when reading function pointers, of course, will change throughout the machines, ABI, compiler, optimization flags, etc.

+2
source

Put the functions in t1.c and t2.c with gcc -S to generate the assembly output:

 gcc -S t1.c gcc -S t2.c

Now compare t1.s and t2.s

+1
source

If you are using Visual Studio, go to

 Project Properties -> Configuration -> C/C++ -> Output Files -> Assembler output

or use the compiler switches /FA , /FAc , /FAs , /FAcs . Lowercase c means the output computer code, s is the source code side by side with the assembly code. And don't forget to turn off compiler optimization.

+1
source

After reading some answers and comments there, I'm not sure I fully understand your question, but maybe you're looking for a gcc call, as shown below:
gcc -S -xc - -o -

This tells gcc to enter C code from stdin and build output in stdout.

If you use a vi-like editor, you can highlight the function body in visual mode, and then run the command:
:'<,'>!gcc -S -xc - -o - 2> /dev/null
... and this will replace the body of the function with the assembly ("stderr> / dev / null" is to skip errors in # include).

Otherwise, you could use this gcc call as part of the pipeline in the script.

0
source

Source: https://habr.com/ru/post/1333567/

More articles:


All Articles