From b1b309d32f0a0ec398d4ca48a7a3a610544f36c4 Mon Sep 17 00:00:00 2001
From: keowu
Date: Tue, 10 Jun 2025 20:59:53 -0300
Subject: [PATCH] feat: Base for Simple-Virtualization Feature - Prepare the codebase for the upcoming simple-virtualization feature for Ryujin.
---
 .../RyujinCore/RyujinObfuscationCore.cc | 24 ++++++++++++++-----
 .../RyujinCore/RyujinObfuscationCore.hh | 1 +
 RyujinConsole/RyujinConsole/RyujinConsole.cc | 2 +-
 3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc
index 197c7ee..58d8bfb 100644
--- a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc
+++ b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.cc
@@ -436,6 +436,12 @@ void RyujinObfuscationCore::insertJunkCode() {
 }
+void RyujinObfuscationCore::insertVirtualization() {
+
+ //TODO
+
+}
+
 void RyujinObfuscationCore::updateBasicBlocksContext() {
 auto new_obfuscated_opcodes = getProcessedProc().getUpdateOpcodes();
@@ -455,7 +461,7 @@ BOOL RyujinObfuscationCore::Run() {
 //Obfuscate IAT for the configured procedures
 if (m_config.m_isIatObfuscation) {
- //First obfuscate IAT
+ // Obfuscate IAT
 obfuscateIat();
 //Update our basic blocks context to rely 1-1 for the new obfuscated opcodes.
@@ -463,9 +469,19 @@ BOOL RyujinObfuscationCore::Run() {
 }
+ if (m_config.m_isVirtualized) {
+
+ // Insert Virtualization
+ insertVirtualization();
+
+ //Update our basic blocks context to rely 1-1 for the new obfuscated opcodes.
+ this->updateBasicBlocksContext();
+
+ }
+
 if (m_config.m_isJunkCode) {
- //First let's insert junk code
+ // Insert junk code
 insertJunkCode();
 //Update our basic blocks context to rely 1-1 for the new obfuscated opcodes.
@@ -473,10 +489,6 @@ BOOL RyujinObfuscationCore::Run() {
 }
- /*
- if (m_config.m_isVirtualized) todoAction();
- */
-
 return TRUE;
 }
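Review bot: insertVirtualization() is an empty stub holding only `//TODO`, yet Run() calls it whenever m_config.m_isVirtualized is set and still returns TRUE, and the RyujinConsole.cc hunk switches that flag to TRUE. A caller who asks for virtualization therefore gets a success result and an output with no virtualization applied, which is a misleading outcome for a protection feature. Until the pass exists, either keep `config.m_isVirtualized = FALSE;` in RyujinConsole.cc or make the gap visible to the caller through whatever reporting the project already uses. At minimum the bare marker should read `// TODO: virtualization pass not implemented yet; this is a no-op and Run() still reports TRUE`.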
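Review bot: The new m_isVirtualized block in Run() sits between the IAT pass and the junk-code pass, and nothing records whether that order is deliberate. Once insertVirtualization() emits code, insertJunkCode() will run over its output; if the junk pass is not meant to touch virtualized code, the order or the junk pass needs to change. I would add above the block `// Pass order: IAT -> virtualization -> junk code; junk is inserted into the virtualized output (confirm intended)`. As a style point, the added comments use `// Insert` with a space while the neighbouring ones use `//Update` without one. Run()'s body starts and ends outside this hunk.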
diff --git a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh
index f2ef7ce..da4ef4c 100644
--- a/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh
+++ b/RyujinConsole/RyujinConsole/Ryujin/RyujinCore/RyujinObfuscationCore.hh
@@ -28,6 +28,7 @@ private:
 void addPaddingSpaces();
 void obfuscateIat();
 void insertJunkCode();
+ void insertVirtualization();
 std::vector fix_branch_near_far_short(uint8_t original_opcode, uint64_t jmp_address, uint64_t target_address);
 uint32_t findOpcodeOffset(const uint8_t* data, size_t dataSize, const void* opcode, size_t opcodeSize);
diff --git a/RyujinConsole/RyujinConsole/RyujinConsole.cc b/RyujinConsole/RyujinConsole/RyujinConsole.cc
index cccb6ea..d769eec 100644
--- a/RyujinConsole/RyujinConsole/RyujinConsole.cc
+++ b/RyujinConsole/RyujinConsole/RyujinConsole.cc
@@ -13,7 +13,7 @@ auto main() -> int {
 config.m_isIgnoreOriginalCodeRemove = FALSE;
 config.m_isJunkCode = TRUE;
 config.m_isRandomSection = FALSE;
- config.m_isVirtualized = FALSE;
+ config.m_isVirtualized = TRUE;
 config.m_isIatObfuscation = TRUE;
 config.m_isEncryptObfuscatedCode = FALSE;
 std::vector procsToObfuscate{