Thursday, May 19, 2011

ChapljaVM v2 - Code mutation/virtualization engine (work in progress, pre-alpha)

Previous release: chapljaVM assembler/scripting

Ok, this is not really related to that release, since this is now a completely different and far more complex project, but the tool I'm working on now will also support a language similar to the one linked above, which can be inserted into the executable binary or executed from memory through an SDK function.

Click here for a small pre-alpha screenshot

I have done quite a lot of research and testing, which I believe is the hardest part of the work. Now I need to implement everything I've worked out so far in the simpler tests. It's not very hard, but it's a lot of work because a great many instructions and cases need to be covered.

The goal is to make a CodeVirtualizer/VMProtect-like application that lets you select the areas of code you'd like to protect within your C/C++ sources. The actual obfuscation is the priority; anti-debugging and similar features are less of a priority and will be implemented after everything else is.

It doesn't do much yet; of course not everything shown in the application window is implemented, but almost everything has been tested in various console apps and now needs to be moved into the actual obfuscation engine and this GUI version.

I've tested relocating selected code blocks into a new section that the tool generates, and it's working fine (though not finished yet: I still need to take care of relocations so that DLLs are supported when they're loaded at a different base address, but that won't be hard to implement).

These are the first important features I'd like to cover:
- Code mutation (one instruction is transformed into multiple instructions which end up having the same result)
- Code virtualization (will come after mutation is fully implemented)
- Junk code insertion between original instructions
- Other 'standard' features such as IAT obfuscation, debug information removal, etc. (not giving much attention to these now; they're not very hard to implement)
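To make the first item concrete, here is an added example (not ChapljaVM's code, and not real x86 encoding) of what a mutation pass does: every register/immediate `mov`, `add` or `xor` in a block is replaced by a sequence of instructions that computes the same value, and a differential check then confirms the rewritten block leaves registers in the same state as the original. The tiny tuple-based IR, the interpreter, the rewrite rules and the sample block are all assumptions constructed for this illustration; a real engine would operate on decoded instructions and emit machine code, but the rules and the equivalence check are the same idea.

```python
import random

MASK = 0xFFFFFFFF  # model 32-bit registers


def _val(operand, regs):
    """Resolve an operand: a register name (str) or an immediate (int)."""
    return regs.get(operand, 0) if isinstance(operand, str) else operand & MASK


def execute(program, regs=None):
    """Interpret the toy IR. Instructions are tuples such as ("mov", "eax", 5),
    ("add", "eax", "ebx"), ("not", "eax"), ("push", 5) or ("pop", "eax").
    Returns the final register file; a private stack backs push/pop."""
    regs = dict(regs or {})
    stack = []
    for ins in program:
        op = ins[0]
        if op == "mov":
            regs[ins[1]] = _val(ins[2], regs)
        elif op == "add":
            regs[ins[1]] = (_val(ins[1], regs) + _val(ins[2], regs)) & MASK
        elif op == "sub":
            regs[ins[1]] = (_val(ins[1], regs) - _val(ins[2], regs)) & MASK
        elif op == "xor":
            regs[ins[1]] = _val(ins[1], regs) ^ _val(ins[2], regs)
        elif op == "not":
            regs[ins[1]] = ~_val(ins[1], regs) & MASK
        elif op == "neg":
            regs[ins[1]] = -_val(ins[1], regs) & MASK
        elif op == "push":
            stack.append(_val(ins[1], regs))
        elif op == "pop":
            regs[ins[1]] = stack.pop()
        else:
            raise ValueError(f"unknown op {op}")
    return regs


def _rng(seed_or_rng):
    return seed_or_rng if isinstance(seed_or_rng, random.Random) else random.Random(seed_or_rng)


def _key(rng):
    return rng.randrange(1, MASK)  # never 0, so the rewritten constant differs from the original


def _mutate_mov(r, imm, rng):
    imm &= MASK
    k = _key(rng)
    return rng.choice([
        [("push", imm), ("pop", r)],                    # push imm; pop r
        [("mov", r, imm ^ k), ("xor", r, k)],           # (imm ^ k) ^ k == imm
        [("mov", r, (imm - k) & MASK), ("add", r, k)],  # (imm - k) + k == imm
        [("mov", r, ~imm & MASK), ("not", r)],          # ~~imm == imm
    ])


def _mutate_add(r, imm, rng):
    imm &= MASK
    k = _key(rng)
    return rng.choice([
        [("add", r, (imm - k) & MASK), ("add", r, k)],  # split the constant in two
        [("neg", r), ("sub", r, imm), ("neg", r)],      # -((-x) - imm) == x + imm
        [("not", r), ("sub", r, imm), ("not", r)],      # ~((~x) - imm) == x + imm
    ])


def _mutate_xor(r, imm, rng):
    imm &= MASK
    k = _key(rng)
    return [("xor", r, imm ^ k), ("xor", r, k)]         # (x ^ (imm ^ k)) ^ k == x ^ imm


RULES = {"mov": _mutate_mov, "add": _mutate_add, "xor": _mutate_xor}


def mutate(program, rng, passes=1):
    """Replace every rewritable reg/imm instruction with an equivalent sequence.
    Extra passes re-mutate the previous output, so sequences keep growing."""
    rng = _rng(rng)
    out = list(program)
    for _ in range(passes):
        nxt = []
        for ins in out:
            if ins[0] in RULES and len(ins) == 3 and isinstance(ins[2], int):
                nxt.extend(RULES[ins[0]](ins[1], ins[2], rng))
            else:
                nxt.append(ins)
        out = nxt
    return out


def registers_of(program):
    return sorted({o for ins in program for o in ins[1:] if isinstance(o, str)})


def equivalent(original, mutated, rng, trials=200):
    """Differential check: from random initial register states both programs must
    end in the same state. An engine should run this before writing a block back."""
    rng = _rng(rng)
    regs = set(registers_of(original)) | set(registers_of(mutated))
    for _ in range(trials):
        init = {r: rng.randrange(0, MASK + 1) for r in regs}
        if execute(original, init) != execute(mutated, init):
            return False
    return True


if __name__ == "__main__":
    block = [("mov", "eax", 0x1234), ("add", "eax", "ebx"),  # constructed sample block
             ("xor", "eax", 0xFF), ("add", "ecx", 7)]
    grown = mutate(block, 2011, passes=2)
    for ins in grown:
        print(ins)
    print("instructions:", len(block), "->", len(grown))
    print("equivalent:", equivalent(block, grown, 2011))
```

The check in `equivalent` is the part worth keeping in mind when analysing protected binaries as well as when building a protector: every rule above preserves the final register value but not the flags or the stack traffic in between, so a mutation engine must either prove those side effects are dead at that point or restrict itself to rules that are transparent for them.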

Hopefully I'll have an alpha version for testing, or at least a produced binary of some more complex code, within a reasonable amount of time. I'll post more updates as development progresses.
