#include "omvll/passes/anti-hook/AntiHook.hpp"
#include "omvll/log.hpp"
#include "omvll/utils.hpp"
#include "omvll/PyConfig.hpp"
#include "omvll/passes/Metadata.hpp"
#include "omvll/ObfuscationConfig.hpp"
#include "omvll/Jitter.hpp"
#include <llvm/Demangle/Demangle.h>
#include <llvm/IR/Constants.h>
#include <clang/Frontend/CompilerInstance.h>
#include <clang/Basic/DiagnosticOptions.h>
#include <clang/Basic/Diagnostic.h>
#include <clang/Basic/FileManager.h>
#include <clang/Driver/Driver.h>
#include <clang/Frontend/CompilerInstance.h>
using namespace llvm;
namespace omvll {
/*
 * Frida, as of version 16.0.2, fails to hook functions whose first
 * instructions use the x16/x17 registers (AArch64).
 *
 * The stubs below use those registers and are injected as prologue data of
 * each function selected for protection. This relies on a Frida behaviour
 * observed at that version, not on a general guarantee: a newer Frida, another
 * hooking framework, or a hook placed past the first instructions is not
 * addressed here.
 */
// One anti-hook stub: the assembly text to assemble, plus the value passed
// to `Jitter::jitAsm` together with it (`size`; both stubs in the table below
// use 2 — presumably the instruction count, confirm against the Jitter API).
struct PrologueInfoTy {
std::string Asm;
size_t size;
};
// Stub table `runOnFunction` picks from. Both entries move x16/x17 onto
// themselves (effectively no-ops), so they only change the bytes at the
// function entry, not what the function computes; the two differ solely in
// instruction order, so the random pick contributes one bit of variation.
// NOTE(review): AArch64-specific — on another target the JIT of these stubs
// would presumably fail and the pass aborts via fatalError; verify.
static const std::vector<PrologueInfoTy> ANTI_FRIDA_PROLOGUES = {
{R"delim(
mov x17, x17;
mov x16, x16;
)delim", 2},
{R"delim(
mov x16, x16;
mov x17, x17;
)delim", 2}
};
/// Attach an anti-Frida prologue to `F`.
///
/// Declarations (no instructions) and functions the user configuration does
/// not select via `anti_hooking(Module*, Function*)` are left untouched. One of
/// the `ANTI_FRIDA_PROLOGUES` stubs is chosen with `RNG_`, assembled through
/// `jitter_->jitAsm`, and stored as the function's prologue data, relying on
/// LLVM placing prologue bytes at the function entry ahead of its real code.
///
/// Calls `fatalError` (aborting the compilation) when `F` already carries
/// prologue data — two prologues cannot be combined — or when the stub fails
/// to assemble.
///
/// Returns true when `F` was modified.
bool AntiHook::runOnFunction(llvm::Function &F) {
  // Nothing to protect in a declaration.
  if (F.getInstructionCount() == 0)
    return false;

  PyConfig &Cfg = PyConfig::instance();
  const bool Wanted = Cfg.getUserConfig()->anti_hooking(F.getParent(), &F);
  if (!Wanted)
    return false;

  if (F.hasPrologueData()) {
    const std::string Pretty = demangle(F.getName().str());
    fatalError("Can't inject a hooking prologue in the function '" + Pretty + "' "
               "since there is one.");
  }

  // The table holds two equivalent stubs, so the pick yields a single bit of
  // variation per function. RNG_ comes from Module::createRNG, which is
  // presumably reproducible for a given module and seed rather than fresh per
  // build — confirm if build-to-build variation is expected.
  std::uniform_int_distribution<size_t> Pick(0, ANTI_FRIDA_PROLOGUES.size() - 1);
  const PrologueInfoTy &Stub = ANTI_FRIDA_PROLOGUES[Pick(*RNG_)];

  std::unique_ptr<MemoryBuffer> Code = jitter_->jitAsm(Stub.Asm, Stub.size);
  if (!Code) {
    fatalError("Can't JIT Anti-Frida prologue: \n" + Stub.Asm);
  }

  // Wrap the raw machine-code bytes as an i8 vector constant for setPrologueData.
  LLVMContext &Ctx = F.getContext();
  Constant *Bytes = ConstantDataVector::getRaw(Code->getBuffer(),
                                               Code->getBufferSize(),
                                               Type::getInt8Ty(Ctx));
  F.setPrologueData(Bytes);
  return true;
}
/// Module entry point of the pass.
///
/// Creates a `Jitter` for the module's target triple and a pass-salted RNG
/// (`Module::createRNG(name())`), then visits every function through
/// `runOnFunction`. The `ModuleAnalysisManager` argument is not used.
/// NOTE(review): `jitter_` is dereferenced by `runOnFunction` without a null
/// check — confirm `Jitter::Create` cannot return null for an unsupported triple.
///
/// Returns `PreservedAnalyses::none()` if at least one function received a
/// prologue, `PreservedAnalyses::all()` otherwise.
PreservedAnalyses AntiHook::run(Module &M, ModuleAnalysisManager &FAM) {
  jitter_ = Jitter::Create(M.getTargetTriple());
  RNG_ = M.createRNG(name());

  bool Touched = false;
  for (Function &Fn : M) {
    if (runOnFunction(Fn))
      Touched = true;
  }

  SINFO("[{}] Done!", name());
  if (Touched)
    return PreservedAnalyses::none();
  return PreservedAnalyses::all();
}
}