Yattering
Posted November 16, 2016 (edited)

This is a simple VM engine for Win32 x86 code virtualization, which can replace some machine commands with its own equivalent VM commands, so protected code can't run without the external VM engine. This project is only a proof of concept; it was written for educational purposes. So, you can use it for fornication AVs, reversers or FBI.

Example of use:

Assembly listing:

```nasm
; SEH based VM Engine by Yattering, 2016
; e-mail: yattering (at) sigaint (d0t) org
; jabber: yattering (at) xmpp (d0t) jp

format MS COFF

include 'sehvm.inc'

extrn '__imp__MessageBoxA@16' as MessageBoxA:dword
extrn '_exception_handler' as _exception_handler

public _main

section '.text' code readable executable

_main:
    ; Register exception handler
    lea eax, [_exception_handler]
    xor ecx, ecx
    push eax
    push DWord [fs:ecx]
    mov DWord [fs:ecx], esp

    ; Run unprotected code
    call _unprotected_code_function

    ; Run protected code
    SEHVM_CALL_REL_C32 _protected_code_function

    ; Unregister exception handler
    xor ecx, ecx
    pop DWord [fs:ecx]
    pop eax
    ret

_protected_code_function:
    SEHVM_PUSH_C32 0
    SEHVM_PUSH_C32 _caption
    SEHVM_PUSH_C32 _messageP
    SEHVM_PUSH_C32 0
    call DWord [MessageBoxA]
    SEHVM_RET_C8 0

_unprotected_code_function:
    push 0
    push _caption
    push _messageUP
    push 0
    call DWord [MessageBoxA]
    ret

section '.data' data readable writeable

_caption   db 'Win32 assembly',0
_messageUP db 'MessageBox from unprotected code',0
_messageP  db 'MessageBox from protected code',0
```

OllyDbg listing (from demo_fasm.exe file):

```text
00401000 >/$ 8D05 60104000   LEA EAX,DWORD PTR DS:[401060]
00401006 |.  31C9            XOR ECX,ECX
00401008 |.  50              PUSH EAX
00401009 |.  64:FF31         PUSH DWORD PTR FS:[ECX]
0040100C |.  64:8921         MOV DWORD PTR FS:[ECX],ESP
0040100F |.  E8 2E000000     CALL demo_fas.00401042
00401014 |.  CC              INT3
00401015 |.  05 0D000000     ADD EAX,0D
0040101A |.  31C9            XOR ECX,ECX
0040101C |.  64:8F01         POP DWORD PTR FS:[ECX]
0040101F |.  58              POP EAX
00401020 \.  C3              RETN
00401021     CC              INT3
00401022     01              DB 01
00401023     00              DB 00
00401024     00              DB 00
00401025     00              DB 00
00401026     00              DB 00
00401027     CC              INT3
00401028     01              DB 01
00401029     00304000        DD demo_fas.00403000   ; ASCII "Win32 assembly"
0040102D     CC              INT3
0040102E     01              DB 01
0040102F     30304000        DD demo_fas.00403030   ; ASCII "MessageBox from protected code"
00401033     CC              INT3
00401034     01              DB 01
00401035     00              DB 00
00401036     00              DB 00
00401037     00              DB 00
00401038     00              DB 00
00401039     FF              DB FF
0040103A     15              DB 15
0040103B     80304000        DD <&USER32.MessageBoxA>
0040103F     CC              INT3
00401040     00              DB 00
00401041     00              DB 00
00401042  /$ 6A 00           PUSH 0                                   ; /Style = MB_OK|MB_APPLMODAL
00401044 |.  68 00304000     PUSH demo_fas.00403000                   ; |Title = "Win32 assembly"
00401049 |.  68 0F304000     PUSH demo_fas.0040300F                   ; |Text = "MessageBox from unprotected code"
0040104E |.  6A 00           PUSH 0                                   ; |hOwner = NULL
00401050 |.  FF15 80304000   CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
00401056 \.  C3              RETN
```

You can find more about it here - repo

SEH_based_VM.zip

Edited November 16, 2016 by Yattering
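As an added example, not from Yattering's post or the SEH_based_VM archive: an analyst-side static decoder for the INT3-prefixed VM stream visible in the OllyDbg listing above. The three opcodes and their operand widths are read off that listing (00 = SEHVM_RET_C8 with an 8-bit operand, 01 = SEHVM_PUSH_C32 with a 32-bit constant, 05 = SEHVM_CALL_REL_C32 with a 32-bit displacement counted from the INT3 byte); the sample bytes are transcribed from it, and the detection threshold is an assumption.

```python
# Added example, not code from the post or the SEH_based_VM project: a static
# decoder for the INT3-prefixed VM stream that demo_fasm.exe's listing shows.
import struct

# Opcode byte -> (macro name, operand width), read from the OllyDbg listing:
#   CC 00 imm8   SEHVM_RET_C8
#   CC 01 imm32  SEHVM_PUSH_C32
#   CC 05 rel32  SEHVM_CALL_REL_C32 (0x401014 + 0x0D = 0x401021, so the
#                displacement counts from the INT3 byte itself)
OPCODES = {0x00: ("SEHVM_RET_C8", 1), 0x01: ("SEHVM_PUSH_C32", 4),
           0x05: ("SEHVM_CALL_REL_C32", 4)}

# Bytes 00401000..00401056 of demo_fasm.exe, transcribed from the listing.
DEMO_BASE = 0x401000
DEMO_CODE = bytes.fromhex(
    "8D0560104000 31C9 50 64FF31 648921 E82E000000"        # _main prologue
    "CC 050D000000 31C9 648F01 58 C3"                      # VM call, epilogue
    "CC0100000000 CC0100304000 CC0130304000 CC0100000000"  # four VM pushes
    "FF1580304000 CC0000"                                  # native call, VM ret
    "6A00 6800304000 680F304000 6A00 FF1580304000 C3"      # unprotected func
)

def decode_sehvm(code, base):
    """Return [(address, mnemonic, operand)] for each CC-prefixed VM op.
    Linear byte scan, not a disassembler: a CC inside a native immediate
    would be reported too, so confirm hits manually."""
    ops, i = [], 0
    while i + 1 < len(code):
        if code[i] == 0xCC and code[i + 1] in OPCODES:
            name, width = OPCODES[code[i + 1]]
            raw = code[i + 2:i + 2 + width]
            if len(raw) < width:          # stream truncated mid-operand
                break
            if width == 1:
                operand = raw[0]
            elif name == "SEHVM_CALL_REL_C32":
                operand = (base + i + struct.unpack("<i", raw)[0]) & 0xFFFFFFFF
            else:
                operand = struct.unpack("<I", raw)[0]
            ops.append((base + i, name, operand))
            i += 2 + width
        else:
            i += 1
    return ops

def looks_virtualized(code, base, threshold=3):
    """Flag a region holding several decodable VM ops (threshold is assumed)."""
    return len(decode_sehvm(code, base)) >= threshold
```

Running `decode_sehvm(DEMO_CODE, DEMO_BASE)` recovers the call to 0x401021, the four pushes (0, the caption, the protected message, 0) and the final ret, which is exactly the `_protected_code_function` from the assembly source.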