Problem with making a self modifying app in c++

[skylark]

Hello, I have been trying to make different self modifying programs in c++, but there have been some problems I am facing due to my less knowledge and experiences. I would be grateful if anyone helps me about these 2 question.

1. how to make the exe's code section writable programmatically? normally, after compiling the program, I use cff explorer and change the "is writable" flag of that program to allow it modify itself. But what code can I write inside the main() function to make it compile with the write allowed?

2. So, far, to make some certain lines self modifying, I am doing it this way :
 

asm("nop");

asm("nop");

asm("nop");

asm("nop");

asm("nop");

asm("nop");

cout << "hello world;

asm("nop");

asm("nop");

asm("nop");

asm("nop");

asm("nop");

asm("nop");

after freeing space like that with nopes, I then manually put the assembly instructions in olly to encode and decode that cout line's assembly instructions. But how do I do this entire thing programmatically, most importantly, how do I get the starting and ending va of the certain function that I want to make self modified in runtime? an efficient way that would still work even if i turn on the aslr later.

 

Edited July 1, 2017 by skylark

[sever]

Maybe this example can help you

 

#include <stdio.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <sys/mman.h>

void foo(void);
int change_page_permissions_of_address(void *addr);

int main(void) {
    void *foo_addr = (void*)foo;

    // Change the permissions of the page that contains foo() to read, write, and execute
    // This assumes that foo() is fully contained by a single page
    if(change_page_permissions_of_address(foo_addr) == -1) {
        fprintf(stderr, "Error while changing page permissions of foo(): %s\n", strerror(errno));
        return 1;
    }

    // Call the unmodified foo()
    puts("Calling foo...");
    foo();

    // Change the immediate value in the addl instruction in foo() to 42
    unsigned char *instruction = (unsigned char*)foo_addr + 18;
    *instruction = 0x2A;

    // Call the modified foo()
    puts("Calling foo...");
    foo();

    return 0;
}

void foo(void) {
    int i=0;
    i++;
    printf("i: %d\n", i);
}

int change_page_permissions_of_address(void *addr) {
    // Move the pointer to the page boundary
    int page_size = getpagesize();
    addr -= (unsigned long)addr % page_size;

    if(mprotect(addr, page_size, PROT_READ | PROT_WRITE | PROT_EXEC) == -1) {
        return -1;
    }

    return 0;
}

 

[skylark]

@sever thank you for posting it. I will try your code.

[Downpour]

For the last part my suggestion would be to safe the address of that function as a constant or using something like bytes and have a search algorithm to look for the start and end. Afterwards you remove those bytes and call your mutation function.

As example:

"MUTATE_START" // < Hardcoded string
  nop
  nop
  nop
  nop
  nop
  call xyz
  nop
  nop
  nop
"MUTATE_END" // < Hardcoded string 

Guess you're goal is to write metamorphic/polymoprhic code, I recommend reading those wiki-articles:

https://en.wikipedia.org/wiki/Metamorphic_code

https://en.wikipedia.org/wiki/Polymorphic_code

Also there are plenty engines you can use as reference in the web you just have to look for them.

[atom0s]

A fairly common way of doing this is using a static function after the function you want the size of. You can use the base address of the function you want then the base address of the following static function to determine a "best-guess-size". An example of doing this with a little more tweaking to try to get a better size can be found here on StackOverflow:

https://stackoverflow.com/a/10071330/1080150

[skylark]

Thank you for your opinions. Well, what I mainly want to achieve, is writing an entire function in free store. After allocating space using malloc, so far, I have been acquiring all the bytes from "push ebp" to "ret" of the routine, then write assembly "mov dword ptr [address], xxxxxx" like instructions in ollydbg myself, or using writeprocessmemory function, then nop out the routine's bytes and put a call in allocated address. but this is pretty analog way, so I have been thinking if there was some way to make my compiler write the function in free store in the first place. Is there a way to do this?

 

[rhythm]

Another JMP trick.

.

Spoiler

 

#include<Windows.h>
#include "resource.h"
#include<stdio.h>
#include <stdlib.h>
#include <string.h>
#include<memory.h>
HWND hWnd;
LRESULT CALLBACK DlgProc(HWND hWnd, UINT Msg, WPARAM wParam, LPARAM lParam);

void encryptDecrypt(char *input, char *output) {
    int i;
    for (i = 0; i < strlen(input); i++) {
        output = input ^ 0x31;
    }
}

int  _demo_()
{
    char str[] = "^Ew^D_Uphw}pveCHpVPX_";  // 
    char str1[] = "sPUTFB";
    char Decrypted1[100] = "";
    char Decrypted2[100] = "";
    encryptDecrypt(str, Decrypted1);
    encryptDecrypt(str1, Decrypted2);
    MessageBoxA(NULL, (LPCSTR)Decrypted1, (LPCSTR)Decrypted2, 0);
    return 0;
}

int  _self_()
{
    char str[] = "w]PVXBv^^UrCPRZTC";  
    char encrypted[100] = "";
    encryptDecrypt(str, encrypted);
    SetDlgItemTextA(hWnd, IDC_EDIT, (LPCSTR)encrypted);
    return 0;
}

    int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
    {
        DialogBoxParam(hInstance, MAKEINTRESOURCE(IDD_DIALOG), hWnd, reinterpret_cast<DLGPROC>(DlgProc), NULL);
        return FALSE;
    }

    LRESULT CALLBACK DlgProc(HWND hWndDlg, UINT Msg, WPARAM wParam, LPARAM lParam)
    {
        hWnd = hWndDlg;
        switch (Msg)
        {
        case WM_INITDIALOG:
            return TRUE;
        case WM_CLOSE:
            DestroyWindow(hWndDlg);
        case WM_COMMAND:
            switch (wParam)
            {
                char msg[1000];
                case IDOK:
                {

                   GetDlgItemTextA(hWndDlg, IDC_EDIT, (LPSTR)&msg, 1000);

                    /* This code is ripped from Hacker Debugging Uncovered by Kris Kaspersky*/
                    // Self-Modifying Start
                      BYTE* Destination; DWORD old;
                    Destination = (BYTE*)_self_;
                    VirtualProtect(Destination, 0x1000, PAGE_EXECUTE_READWRITE, &old);
                    #define _JMP_ "\xB8xxxx\xFF\xE0"
                    memcpy(Destination, _JMP_, sizeof(_JMP_)); 
                    *((DWORD*)(Destination + 1)) = (DWORD)    _demo_;
                    VirtualProtect(Destination, 0x1000, old, &old);
                    _self_();
                    // Self-Modifying End
                    return TRUE;
                } 
            }
            break;
        }

        return FALSE;
    }