feat: New HVPass (extension for code obfuscation) + MiniVM code mutation (for HVPass and standard MiniVM); Bug fixes for extracted unused registers (with future XMM support); Bug fixes for junk/mutation overwriting the RAX register unexpectedly; Improvements and added support for fixing relocation offsets in memory mov instructions; articles/projects diagrams and more.
- New HVPass feature – This feature allows the code VM to run through Microsoft’s Hypervisor API, adding an extra layer of analysis difficulty.
- MiniVM (normal) or MiniVM + HVPass – Now supports junk/mutation in the stub, making the logic and instructions randomized at each interaction, further protecting the stub’s code.
- Bug fix – Fixed an issue in the extraction of unused registers from candidate procedures, where some registers were not being handled correctly.
- Bug fix – Fixed an issue in the extraction of XMM registers to enable junk/mutation support for multimedia registers.
- Bug fix – Fixed a problem in the junk/mutation logic for the instructions cdqe and cbw, which were incorrectly overwriting the RAX register, breaking results even when the registers were in use.
- Bug fix – Some instructions were not having their relocations properly fixed by the RIP-relative relocation algorithm; this has now been corrected.
- Articles + project diagrams as well.

Some of these issues, as well as feature suggestions like HVPass, were discovered or suggested by the reviewers of Ryujin’s article.
@@ -67,12 +67,13 @@ Options:
--Troll Crashes the entire OS if a debugger is detected (requires --AntiDebug).
--AntiDump Inserts anti-dump mechanisms that break the binary in memory, making dumps harder to analyze.
--MemoryProtection Protects obfuscated code against in-memory or on-disk patching.
--HVPass Protect some parts of Ryujin using Microsoft Hypervisor APIs
--procs <comma,separated,names> Procedures to obfuscate (default: main, invoke_main, ...)
--help Show this help message
In Action Usage Example:
RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --AntiDump --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
RyujinConsole.exe --input C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.exe --pdb C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\RyujinConsole.pdb --output C:\\Users\\Keowu\\Documents\\GitHub\\Ryujin\\compiled\\release\\DemoObfuscation.ryujin.exe --virtualize --junk --encrypt --AntiDebug --troll --AntiDump --iat --HVPass --procs main,sub,subadd,sum,invoke_main,__scrt_common_main,j___security_init_cookie
)";
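Review bot: the new `--HVPass Protect some parts of Ryujin using Microsoft Hypervisor APIs` entry is the only option in this list that states neither its prerequisites nor what it does to the output binary, and its wording does not match its neighbours (`Inserts ...`, `Protects ...`). The commit message describes HVPass as running the code VM through Microsoft's Hypervisor API, so the entry should say whether the flag needs `--virtualize`, in the style of `--Troll ... (requires --AntiDebug)`, and whether the protected binary will only run on machines where that hypervisor API is available; for example `--HVPass Runs the virtualized code through the Microsoft Hypervisor API (requires --virtualize; hypervisor support must be present at runtime)` if that is what the implementation requires. The second usage example also adds `--iat`, which does not appear in the options shown here; make sure it is documented in the option table.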
@@ -131,6 +132,7 @@ auto main(int argc, char* argv[]) -> int {
config.m_isAntiDebug = has_flag(args, "--AntiDebug");
config.m_isAntiDump = has_flag(args, "--AntiDump");
config.m_isMemoryProtection = has_flag(args, "--MemoryProtection");
config.m_isHVPass = has_flag(args, "--HVPass");
// Registering a new custom pass for invocation via callback
config.RegisterCallback(RyujinCustomPassDemo);
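Review bot: `config.m_isHVPass = has_flag(args, "--HVPass");` is parsed like the other booleans, but unlike `--AntiDump` or `--MemoryProtection` its meaning depends on another option: the commit message says HVPass runs the code VM through the hypervisor API, so `--HVPass` given without `--virtualize` is either a silent no-op or an error, and neither case is reported here. Add a validation step after the flags are collected, along the lines of `if (config.m_isHVPass && !<the field that --virtualize sets>) { /* warn, or print usage and exit */ }`, so a user does not believe the hypervisor layer is active when nothing was virtualized.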
@@ -35,6 +35,7 @@ public:
bool m_isTrollRerversers; // The user wants to trick and use a special feature to troll reversers when their debugs be detected making they loose all the progress
bool m_isAntiDump; // Enable Anti Dump technic for Ryujin protected binary
bool m_isMemoryProtection; // Memory CRC32 protection
bool m_isHVPass; // Run some features of ryujin using Microsoft Hypervisor Framework API
RyujinObfuscatorProcs m_strProceduresToObfuscate; // Names of the procedures to obfuscate
RyujinCallbacks m_callbacks; // Ryujin Custom Pass Callbacks
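Review bot: the comment on `bool m_isHVPass; // Run some features of ryujin using Microsoft Hypervisor Framework API` names the API differently from the help text (`Microsoft Hypervisor APIs`) and the commit message (`Microsoft's Hypervisor API`); "Hypervisor Framework" is Apple's name for its virtualization API, whereas Microsoft's is the Windows Hypervisor Platform (WHP), so pick one name and use it in all three places. The comment should also say which features are moved under the hypervisor, since `some features` tells a maintainer nothing; the neighbouring `m_isMemoryProtection; // Memory CRC32 protection` is the right level of detail. While here, `ryujin` should be capitalised to match the other comments.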