
win-capture: Add obfuscation functions

This adds obfuscation functions primarily for use with GetProcAddress.
This takes an obfuscated string and uses a simple integer key to
de-obfuscate it to the intended function name string, which is then
loaded dynamically using GetProcAddress.

This is typically only used with functions such as OpenProcess,
SetWindowsHookEx, and the like, which can often be misinterpreted by
security programs if those strings are found within the strings segment
of a scanned executable.
jp9000 11 年之前
父節點
當前提交
a49d731df8
共有 3 個文件被更改,包括 55 次插入0 次删除
  1. 2 0
      plugins/win-capture/CMakeLists.txt
  2. 38 0
      plugins/win-capture/obfuscate.c
  3. 15 0
      plugins/win-capture/obfuscate.h

+ 2 - 0
plugins/win-capture/CMakeLists.txt

@@ -1,11 +1,13 @@
 project(win-capture)
 
 set(win-capture_HEADERS
+	obfuscate.h
 	window-helpers.h
 	dc-capture.h)
 
 set(win-capture_SOURCES
 	dc-capture.c
+	obfuscate.c
 	window-helpers.c
 	monitor-capture.c
 	window-capture.c

+ 38 - 0
plugins/win-capture/obfuscate.c

@@ -0,0 +1,38 @@
+#define _CRT_SECURE_NO_WARNINGS
+#pragma warning(disable : 4152) /* casting func ptr to void */
+#include <stdbool.h>
+#include <windows.h>
+#include "obfuscate.h"
+
+#define LOWER_HALFBYTE(x) ((x) & 0xF)
+#define UPPER_HALFBYTE(x) (((x) >> 4) & 0xF)
+
+static void deobfuscate_str(char *str, uint64_t val)
+{
+	uint8_t *dec_val = (uint8_t*)&val;
+	int i = 0;
+
+	while (*str != 0) {
+		int pos = i / 2;
+		bool bottom = (i % 2) == 0;
+		uint8_t *ch = (uint8_t*)str;
+		uint8_t xor = bottom ?
+			LOWER_HALFBYTE(dec_val[pos]) :
+			UPPER_HALFBYTE(dec_val[pos]);
+
+		*ch ^= xor;
+
+		if (++i == sizeof(uint64_t) * 2)
+			i = 0;
+
+		str++;
+	}
+}
+
+void *get_obfuscated_func(HMODULE module, const char *str, uint64_t val)
+{
+	char new_name[128];
+	strcpy(new_name, str);
+	deobfuscate_str(new_name, val);
+	return GetProcAddress(module, new_name);
+}
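Review bot: `strcpy(new_name, str)` in get_obfuscated_func copies a caller-supplied string into a fixed 128-byte stack buffer with no length check, and the `_CRT_SECURE_NO_WARNINGS` define at the top of the file is what silences the compiler's complaint about it; an obfuscated name of 128 bytes or more overwrites the stack frame. Guard it before the copy, `if (strlen(str) >= sizeof new_name)` / `\treturn NULL;` so the failure surfaces as the same NULL that GetProcAddress returns for an unknown export, or use `snprintf(new_name, sizeof new_name, "%s", str)` and check for truncation. The file also calls strcpy/strlen without `#include <string.h>`, relying on whatever `<windows.h>` pulls in transitively, which is presumably fine on MSVC but worth making explicit. The local named `xor` in deobfuscate_str is an alternative token in C++ and in C with `<iso646.h>` included, so a name like `key_nibble` would avoid a surprise if this file is ever compiled as C++ or the include set grows.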

+ 15 - 0
plugins/win-capture/obfuscate.h

@@ -0,0 +1,15 @@
+#pragma once
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* this is a workaround to A/Vs going crazy whenever certain functions (such as
+ * OpenProcess) are used */ 
+extern void *get_obfuscated_func(HMODULE module, const char *str, uint64_t val);
+
+#ifdef __cplusplus
+}
+#endif
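Review bot: The prototype uses `HMODULE` but the header only includes `<stdint.h>`, so any translation unit that includes obfuscate.h before `<windows.h>` fails to compile; add `#include <windows.h>` next to the stdint include so the header is self-contained. The comment above the prototype explains the motivation but not the contract: it should say that `str` is the obfuscated export name, that `val` is a 64-bit key whose nibbles are XORed with successive bytes of `str` (low nibble first, repeating every 16 characters, as deobfuscate_str in obfuscate.c does), and that the function returns NULL when GetProcAddress cannot resolve the decoded name. The `extern` on a function prototype is redundant and can be dropped for consistency with ordinary C headers.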