Added small improvements to the binary class.

jonomango · jonomango · commit 59a801d2e338 · 2023-12-12T00:49:35.000-08:00
diff --git a/.gitignore b/.gitignore
@@ -1,5 +1,6 @@
 # build files
 build/
 
-# visual studio code files
-.vscode/
+# IDE stuff
+.vscode/
+.cache/
diff --git a/chum/source/binary.cpp b/chum/source/binary.cpp
@@ -9,7 +9,6 @@
 
 #include <Windows.h>
 #include <zycore/Format.h>
-#include <pe-builder/pe-builder.h>
 
 namespace chum {
 
@@ -224,7 +223,24 @@ void binary::print(bool const verbose) {
 
 // Create a new PE file from this binary.
 bool binary::create(char const* const path) const {
-  pb::pe_builder pe;
+  pb::pe_builder pe = {};
+  if (!create(pe))
+    return {};
+
+  return pe.write(path);
+}
+
+// Create a new PE file from this binary.
+std::vector<std::uint8_t> binary::create() const {
+  pb::pe_builder pe = {};
+  if (!create(pe))
+    return {};
+
+  return pe.write();
+}
+
+// Create a new PE file from this binary.
+bool binary::create(pb::pe_builder& pe) const {
   pe.file_characteristics(IMAGE_FILE_EXECUTABLE_IMAGE | IMAGE_FILE_DLL);
 
   // We don't want to resize in the middle of adding sections.
@@ -587,7 +603,7 @@ bool binary::create(char const* const path) const {
   if (entrypoint_)
     pe.entrypoint(sym_to_va[entrypoint_->sym_id.value]);
 
-  return pe.write(path);
+  return true;
 }
 
 // Get the entrypoint of this binary, if it exists.
@@ -740,5 +756,10 @@ import_routine* binary::get_or_create_import_routine(
   return create_import_module(module_name)->create_routine(routine_name);
 }
 
+// Get the underlying Zydis decoder.
+ZydisDecoder* binary::decoder() {
+  return &decoder_;
+}
+
 } // namespace chum
 
diff --git a/chum/source/binary.h b/chum/source/binary.h
@@ -7,6 +7,7 @@
 #include <vector>
 #include <tuple>
 
+#include <pe-builder/pe-builder.h>
 #include <Zydis/Zydis.h>
 
 namespace chum {
@@ -37,6 +38,12 @@ class binary {
   // Create a new PE file from this binary.
   bool create(char const* path) const;
 
+  // Create a new PE file from this binary.
+  std::vector<std::uint8_t> create() const;
+
+  // Create a new PE file from this binary.
+  bool create(pb::pe_builder& pe) const;
+
   // Get the entrypoint of this binary, if it exists.
   basic_block* entrypoint() const;
 
@@ -96,6 +103,9 @@ class binary {
   import_routine* get_or_create_import_routine(
     char const* module_name, char const* routine_name);
 
+  // Get the underlying Zydis decoder.
+  ZydisDecoder* decoder();
+
 public:
   // Create a new instruction.
   template <typename... Args>
@@ -112,6 +122,9 @@ class binary {
   template <typename T>
   void instr_push_integer(instruction& instr, T const& value) const;
 
+  // Encode and push a new instruction.
+  void instr_push_enc_req(instruction& instr, ZydisEncoderRequest const* enc_req) const;
+
 private:
   // ---------------
   // Remember to add any new members to the move constructor/assignment operator!
@@ -142,7 +155,7 @@ class binary {
 
 // Create a new instruction.
 template <typename... Args>
-instruction binary::instr(Args&&... args) const {
+inline instruction binary::instr(Args&&... args) const {
   instruction new_instr = { 0 };
   instr_push_item<0>(new_instr, std::make_tuple(std::forward<Args>(args)...));
   return new_instr;
@@ -151,18 +164,20 @@ instruction binary::instr(Args&&... args) const {
 // This is a helper function for instr() that serializes a single item
 // into the instruction that is currently being built.
 template <std::size_t Idx, typename... Args>
-void binary::instr_push_item(instruction& instr,
+inline void binary::instr_push_item(instruction& instr,
     std::tuple<Args...> const& tuple) const {
   if constexpr (Idx < sizeof...(Args)) {
     // The current item that we are pushing to the instruction.
     auto const item = std::get<Idx>(tuple);
     using item_type = std::remove_const_t<decltype(item)>;
 
-    static_assert(std::is_integral_v<item_type>  ||
-      std::is_same_v<item_type, symbol_id>       ||
-      std::is_same_v<item_type, symbol*>         ||
-      std::is_same_v<item_type, basic_block*>    ||
-      std::is_same_v<item_type, import_routine*> ||
+    static_assert(std::is_integral_v<item_type>       ||
+      std::is_same_v<item_type, symbol_id>            ||
+      std::is_same_v<item_type, symbol*>              ||
+      std::is_same_v<item_type, basic_block*>         ||
+      std::is_same_v<item_type, import_routine*>      ||
+      std::is_same_v<item_type, ZydisEncoderRequest*> ||
+      std::is_same_v<item_type, ZydisEncoderRequest>  ||
       std::is_same_v<item_type, char const*>);
 
     // Integral types should be converted to bytes.
@@ -176,6 +191,10 @@ void binary::instr_push_item(instruction& instr,
       instr_push_integer(instr, item->sym_id.value);
     else if constexpr (std::is_same_v<item_type, import_routine*>)
       instr_push_integer(instr, item->sym_id.value);
+    else if constexpr (std::is_same_v<item_type, ZydisEncoderRequest*>)
+      instr_push_enc_req(instr, item);
+    else if constexpr (std::is_same_v<item_type, ZydisEncoderRequest>)
+      instr_push_enc_req(instr, &item);
     // C-style strings are assumed to be a null-terminated array of bytes.
     else if constexpr (std::is_same_v<item_type, char const*>) {
       for (std::size_t i = 0; item[i]; ++i)
@@ -190,7 +209,7 @@ void binary::instr_push_item(instruction& instr,
 // This is another helper function for serializing integer types, since
 // it is done so often.
 template <typename T>
-void binary::instr_push_integer(instruction& instr, T const& value) const {
+inline void binary::instr_push_integer(instruction& instr, T const& value) const {
   // We need the integer to be unsigned so that we can safely do bitwise
   // operations on it (specifically, right-shift).
   auto unsigned_value = static_cast<std::make_unsigned_t<T>>(value);
@@ -202,5 +221,16 @@ void binary::instr_push_integer(instruction& instr, T const& value) const {
   }
 }
 
+// Encode and push a new instruction.
+inline void binary::instr_push_enc_req(instruction& instr,
+                                ZydisEncoderRequest const* const enc_req) const {
+  std::uint8_t bytes[15] = {};
+  std::size_t length = sizeof(bytes);
+
+  ZydisEncoderEncodeInstruction(enc_req, bytes, &length);
+  std::memcpy(instr.bytes, bytes, length);
+  instr.length = length;
+}
+
 } // namespace chum
 
diff --git a/chum/source/disassembler.cpp b/chum/source/disassembler.cpp
@@ -1019,8 +1019,10 @@ std::optional<disassembled_binary> disassemble(char const* const path) {
   disassembler dasm = {};
 
   // Initialize the disassembler.
-  if (!dasm.initialize(path))
+  if (!dasm.initialize(path)) {
+    printf("Failed to initialize disassembler!\n");
     return {};
+  }
 
   // Create a data block for every data section.
   dasm.create_section_data_blocks();
@@ -1031,13 +1033,14 @@ std::optional<disassembled_binary> disassemble(char const* const path) {
   dasm.parse_exceptions();
   dasm.parse_relocs();
 
-  if (!dasm.disassemble())
+  if (!dasm.disassemble()) {
+    printf("Failed to disassemble binary!\n");
     return {};
+  }
 
   dasm.sort_basic_blocks();
 
   assert(dasm.verify());
-
   return std::move(dasm.bin);
 }
 
diff --git a/chum/source/main.cpp b/chum/source/main.cpp
@@ -35,16 +35,59 @@ void shuffle_blocks(chum::binary& bin) {
   std::shuffle(std::begin(bin.basic_blocks()), std::end(bin.basic_blocks()), rng);
 }
 
-int main() {
-  auto bin = chum::disassemble("hello-world-x64.dll");
-  if (!bin)
+void transform(chum::binary& bin) {
+  for (auto const bb : bin.basic_blocks()) {
+    for (auto i = bb->instructions.size(); i > 0; --i) {
+      auto& instr = bb->instructions[i - 1];
+
+      ZydisDecodedInstruction dinstr = {};
+      ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];
+
+      // Fully decode the current instruction.
+      if (!ZYAN_SUCCESS(ZydisDecoderDecodeFull(bin.decoder(),
+          instr.bytes, instr.length, &dinstr, operands)))
+        continue;
+
+      ZydisEncoderRequest req = {};
+      ZydisEncoderDecodedInstructionToEncoderRequest(&dinstr,
+        operands, dinstr.operand_count_visible, &req);
+
+      // Split a single ADD instruction into 2 ADDs.
+      if (req.mnemonic == ZYDIS_MNEMONIC_ADD && req.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE) {
+        auto const r = rand();
+
+        // First ADD.
+        req.operands[1].imm.s -= r;
+        instr = bin.instr(req);
+
+        // Second ADD.
+        req.operands[1].imm.s = r;
+        bb->insert(bin.instr(req), i);
+      }
+    }
+  }
+}
+
+int main(int const argc, char const* const* argv) {
+  if (argc < 2) {
+    std::printf("Not enough arguments.\n");
     return 0;
+  }
 
-  insert_nops(*bin);
-  instrument(*bin);
+  auto bin = chum::disassemble(argv[1]);
+  if (!bin) {
+    std::printf("Failed to disassemble binary.\n");
+    return 0;
+  }
+
+  // insert_nops(*bin);
+  // instrument(*bin);
   shuffle_blocks(*bin);
+  // transform(*bin);
+
+  for (auto const b : bin->create())
+    std::printf("%.2X", b);
 
-  bin->print();
-  bin->create("output.dll");
+  return 0;
 }
 
