Documentation
¶
Index ¶
- Constants
- Variables
- func CipherADFL(data []byte, seed byte) []byte
- func CoinFlip() bool
- func GetRandomByte() byte
- func GetRandomBytes(num int) []byte
- func GetRandomSafeAssembly() string
- func GetSchemaTable(schema SCHEMA) string
- func RandomLabel() string
- func RandomOperand() string
- type Encoder
- func (encoder *Encoder) AddADFLDecoder(payload []byte) ([]byte, error)
- func (encoder Encoder) AddCallOver(payload []byte) ([]byte, error)
- func (encoder Encoder) AddCondJmpOver(payload []byte) ([]byte, error)
- func (encoder Encoder) AddJmpOver(payload []byte) ([]byte, error)
- func (encoder *Encoder) AddSchemaDecoder(payload []byte, schema SCHEMA) ([]byte, error)
- func (encoder Encoder) Assemble(asm string) ([]byte, bool)
- func (encoder *Encoder) CalculateAverageGarbageInstructionSize() (float64, error)
- func (encoder *Encoder) Encode(payload []byte) ([]byte, error)
- func (encoder *Encoder) GenerateGarbageAssembly() string
- func (encoder *Encoder) GenerateGarbageInstructions() ([]byte, error)
- func (encoder Encoder) GenerateGarbageJump() ([]byte, error)
- func (encoder Encoder) GenerateIPToStack() []byte
- func (encoder *Encoder) GetArchitecture() int
- func (encoder Encoder) GetAssemblySize(asm string) int
- func (encoder Encoder) GetBasePointer() string
- func (encoder *Encoder) GetRandomFunctionAssembly() string
- func (encoder *Encoder) GetRandomOperandValue(operandType string) string
- func (encoder Encoder) GetRandomRegister(size int) string
- func (encoder Encoder) GetRandomStackAddress() string
- func (encoder *Encoder) GetRandomUnsafeAssembly(destReg string) string
- func (encoder *Encoder) GetRandomUnsafeMnemonic(opRegSize int) *INSTRUCTION
- func (encoder Encoder) GetSafeRandomRegister(size int, excludes ...string) (string, error)
- func (encoder Encoder) GetStackPointer() string
- func (encoder *Encoder) NewCipherSchema(num int) SCHEMA
- func (encoder *Encoder) NewDecoderAssembly(payloadSize int) (string, error)
- func (encoder *Encoder) SchemaCipher(data []byte, index int, schema SCHEMA) []byte
- func (encoder *Encoder) SetArchitecture(arch int) error
- type INSTRUCTION
- type REG
- type SCHEMA
Constants ¶
const INSTRUCTIONS string = `` /* 41918-byte string literal not displayed */
INSTRUCTIONS contains the ENTIRE x86/x64 instruction set
const X64_DECODER_STUB = `` /* 135-byte string literal not displayed */
x64DecoderStub is base decoder assembly for 64 bit binaries
const X86_DECODER_STUB = `` /* 155-byte string literal not displayed */
x86DecoderStub is base decoder assembly for 32 bit binaries
Variables ¶
var ConditionalJumpMnemonics = []string{
"JAE",
"JA",
"JBE",
"JB",
"JC",
"JE",
"JGE",
"JG",
"JLE",
"JL",
"JNAE",
"JNA",
"JNBE",
"JNB",
"JNC",
"JNE",
"JNGE",
"JNG",
"JNLE",
"JNL",
"JNO",
"JNP",
"JNS",
"JNZ",
"JO",
"JPE",
"JPO",
"JP",
"JS",
"JZ",
}
ConditionalJumpMnemonics contains the conditional branching instruction mnemonics
var OPERANDS = []string{"XOR", "SUB", "ADD", "ROL", "ROR", "NOT"}
OPERANDS string array containing logical & arithmatic operands for encoding the decoder stub
var REGS map[int][]REG
REGS contains 32/64 bit registers
var STUB map[int]string
STUB will contain the decoder stub for the selected architecture Values will be set on init
var SafeGarbageInstructions = []string{
";",
"NOP",
"CLD",
"CLC",
"CMC",
"WAIT",
"FNOP",
"FXAM",
"FTST",
"JMP 2",
"ROL {R},0",
"ROR {R},0",
"SHL {R},0",
"SHR {R},0",
"RCL {R},0",
"RCR {R},0",
"SAL {R},0",
"SAR {R},0",
"XOR {R},0",
"SUB {R},0",
"ADD {R},0",
"AND {R},{R}",
"OR {R},{R}",
"BT {R},{R}",
"CMP {R},{R}",
"MOV {R},{R}",
"XCHG {R},{R}",
"TEST {R},{R}",
"CMOVA {R},{R}",
"CMOVB {R},{R}",
"CMOVC {R},{R}",
"CMOVE {R},{R}",
"CMOVG {R},{R}",
"CMOVL {R},{R}",
"CMOVO {R},{R}",
"CMOVP {R},{R}",
"CMOVS {R},{R}",
"CMOVZ {R},{R}",
"CMOVAE {R},{R}",
"CMOVGE {R},{R}",
"CMOVLE {R},{R}",
"CMOVNA {R},{R}",
"CMOVNB {R},{R}",
"CMOVNC {R},{R}",
"CMOVNE {R},{R}",
"CMOVNG {R},{R}",
"CMOVNL {R},{R}",
"CMOVNO {R},{R}",
"CMOVNP {R},{R}",
"CMOVNS {R},{R}",
"CMOVNZ {R},{R}",
"CMOVPE {R},{R}",
"CMOVPO {R},{R}",
"CMOVBE {R},{R}",
"CMOVNAE {R},{R}",
"CMOVNBE {R},{R}",
"CMOVNLE {R},{R}",
"CMOVNGE {R},{R}",
"JMP {L};{G};{L}:",
"NOT {R};{G};NOT {R}",
"NEG {R};{G};NEG {R}",
"INC {R};{G};DEC {R}",
"DEC {R};{G};INC {R}",
"ADD {R},{K};{G};SUB {R},{K}",
"SUB {R},{K};{G};ADD {R},{K}",
"ROR {R},{K};{G};ROL {R},{K}",
"ROL {R},{K};{G};ROR {R},{K}",
}
SafeGarbageInstructions array containing safe garbage instructions that does not munipulate registers or stack (do not affect the overall execution of the program) !!! These instructions must not clobber registers or stack flags may be affected !!!
var SafeRegisterPrefix map[int]([]byte)
SafeRegisterPrefix contains the instructions for saving registers to stack
var SafeRegisterSuffix map[int]([]byte)
SafeRegisterSuffix contains the instructions for restoring registers from stack
var SupportedOperandTypes = []string{
"imm8",
"imm16",
"imm32",
"imm64",
"r8",
"r16",
"r32",
"r64",
"r/m8",
"r/m16",
"r/m32",
"r/m64",
"m",
"m8",
"m16",
"m32",
"m64",
"RAX",
"RCX",
"RDX",
"RBX",
"RSP",
"RBP",
"RSI",
"RDI",
"EAX",
"ECX",
"EDX",
"EBX",
"ESP",
"EBP",
"ESI",
"EDI",
"AX",
"CX",
"DX",
"BX",
"SP",
"BP",
"SI",
"DI",
"AH",
"AL",
"CH",
"CL",
"DH",
"DL",
"BH",
"BL",
"SPL",
"BPL",
"SIL",
"DIL",
}
SupportedOperandTypes contains all operand types supported by SGN
var X64_REG_SAVE_PREFIX = []byte{
0x50, 0x53, 0x51, 0x52,
0x56, 0x57, 0x55, 0x54,
0x41, 0x50, 0x41, 0x51,
0x41, 0x52, 0x41, 0x53,
0x41, 0x54, 0x41, 0x55,
0x41, 0x56, 0x41, 0x57,
}
X64_REG_SAVE_PREFIX instructions for saving registers to stack
var X64_REG_SAVE_SUFFIX = []byte{
0x41, 0x5f, 0x41, 0x5e,
0x41, 0x5d, 0x41, 0x5c,
0x41, 0x5b, 0x41, 0x5a,
0x41, 0x59, 0x41, 0x58,
0x5c, 0x5d, 0x5f, 0x5e,
0x5a, 0x59, 0x5b, 0x58,
}
X64_REG_SAVE_SUFFIX instructions for saving registers to stack
var X86_REG_SAVE_PREFIX = []byte{0x60, 0x9c} // PUSHAD, PUSHFD
X86_REG_SAVE_PREFIX instructions for saving registers to stack
var X86_REG_SAVE_SUFFIX = []byte{0x9d, 0x61} // POPFD, POPAD
X86_REG_SAVE_SUFFIX instructions for saving registers to stack
Functions ¶
func CipherADFL ¶
CipherADFL (Additive Feedback Loop) performs a additive feedback xor operation similar to LFSR (Linear-feedback shift register) IN REVERSE ORDER !! with the supplied seed
func GetRandomBytes ¶
GetRandomBytes generates a random byte slice with given size
func GetRandomSafeAssembly ¶
func GetRandomSafeAssembly() string
GetRandomSafeAssembly return a safe garbage instruction assembly
func GetSchemaTable ¶
GetSchemaTable returns the printable encoder schema table
Types ¶
type Encoder ¶
type Encoder struct {
ObfuscationLimit int
PlainDecoder bool
Seed byte
EncodingCount int
SaveRegisters bool
// contains filtered or unexported fields
}
Encoder struct for keeping encoder specs
func NewEncoder ¶
NewEncoder for creating new encoder structures
func (*Encoder) AddADFLDecoder ¶
AddADFLDecoder creates decoder stub for binaries that are ciphered with CipherADFL function.
func (Encoder) AddCallOver ¶
AddCallOver function adds a call instruction over the end of the given payload address of the payload will be pushed to the stack and execution will continiou after the end of payload
func (Encoder) AddCondJmpOver ¶
AddCondJmpOver function adds a jmp instruction over the end of the given payload execution will continiou after the end of payload
func (Encoder) AddJmpOver ¶
AddJmpOver function adds a jmp instruction over the end of the given payload execution will continiou after the end of payload
func (*Encoder) AddSchemaDecoder ¶
AddSchemaDecoder creates decoder stub for binaries that are ciphered with SchemaCipher function. The schema array that is used on the given payload, architecture of the payload and obfuscation level is required.
func (Encoder) Assemble ¶
Assemble assembes the given instructions and return a byte array with a boolean value indicating wether the operation is successful or not
func (*Encoder) CalculateAverageGarbageInstructionSize ¶
CalculateAverageGarbageInstructionSize calculate the avarage size of generated random garbage instructions
func (*Encoder) Encode ¶
Encode function is the primary encode method for SGN all nessary options and parameters are contained inside the encodder struct
func (*Encoder) GenerateGarbageAssembly ¶
GenerateGarbageAssembly generates random garbage instruction(s) assemblies based on the subject encoder architecture
func (*Encoder) GenerateGarbageInstructions ¶
GenerateGarbageInstructions generates random garbage instruction(s) with the specified architecture and returns the assembled bytes
func (Encoder) GenerateGarbageJump ¶
GenerateGarbageJump generates a JMP instruction over random bytes
func (Encoder) GenerateIPToStack ¶
GenerateIPToStack function generates instructions series that pushes the instruction pointer to stack
func (*Encoder) GetArchitecture ¶
GetArchitecture returns the encoder architecture
func (Encoder) GetAssemblySize ¶
GetAssemblySize assembes the given instructions and returns the total instruction size if assembly fails return value is -1
func (Encoder) GetBasePointer ¶
GetBasePointer returns the base pointer register string based on the encoder architecture
func (*Encoder) GetRandomFunctionAssembly ¶
GetRandomFunctionAssembly generates a function frame assembly with garbage instructions inside
func (*Encoder) GetRandomOperandValue ¶
GetRandomOperandValue generates a instruction parameter value based on given operand type Only some operand types are considered because SGN only uses 32-64 bit registers
func (Encoder) GetRandomRegister ¶
GetRandomRegister returns a random register name based on given size and architecture
func (Encoder) GetRandomStackAddress ¶
GetRandomStackAddress returns a stack address assembly referance based on the encoder architecture Ex: [esp+10] (address range is 1 byte)
func (*Encoder) GetRandomUnsafeAssembly ¶
GetRandomUnsafeAssembly return a safe garbage instruction assembly
func (*Encoder) GetRandomUnsafeMnemonic ¶
func (encoder *Encoder) GetRandomUnsafeMnemonic(opRegSize int) *INSTRUCTION
GetRandomUnsafeMnemonic returns a random unsafe instruction based on the encoder architecture and operand number/type Currently SGN only supports instructions with 2 parameter
func (Encoder) GetSafeRandomRegister ¶
GetSafeRandomRegister returns a random register among all (registers-excluded parameters) based on given size
func (Encoder) GetStackPointer ¶
GetStackPointer returns the stack pointer register string based on the encoder architecture
func (*Encoder) NewCipherSchema ¶
NewCipherSchema generates random schema for using int the SchemaCipher function. Generated schema contains random operands and keys.
func (*Encoder) NewDecoderAssembly ¶
NewDecoderAssembly creates a unobfuscated decoder stub to the given encoded payload with the given architecture and seed value
func (*Encoder) SchemaCipher ¶
SchemaCipher encodes a part of the given binary starting from the given index. Encoding done without using any loop conditions based on the schema values. Function performs logical/arithmetic operations given in the schema array. If invalid operand supplied function returns nil
func (*Encoder) SetArchitecture ¶
SetArchitecture sets the encoder architecture
type INSTRUCTION ¶
type INSTRUCTION struct {
Mnemonic string `json:"Mnemonic"`
V64 bool `json:"V64"`
V32 bool `json:"V32"`
Operands []struct {
Types []string `json:"Types"`
} `json:"Operands"`
}
INSTRUCTION contains instruction information Intel syntax mandates "When two operands are present in an arithmetic or logical instruction, the right operand is the source and the left operand is the destination." for our case first operand will allways will be considered destination operand
func (*INSTRUCTION) GetRandomMatchingOperandType ¶
func (ins *INSTRUCTION) GetRandomMatchingOperandType(srcRegSize int) string
GetRandomMatchingOperandType randomly selects a operand type for subject instruction
Source Files