Initial commit

.gitignore

@@ -0,0 +1,41 @@
+*.tlog
+*.obj
+*.log
+*.map
+.vs/
+*.recipe
+*.vcxproj.FileListAbsolute.txt
+*.pdb
+Builds/
+*.tmp
+DvlErrLog.txt
+*.pch
+*raw_store.inl
+*.yaml
+*.suo
+sdk/
+x64/
+enc_temp_folder/
+build/
+*.id0
+*.id1
+*.nam
+*.til
+*.lib
+*.exe
+*.dll
+*.sys
+!resources/drivers/**/*.sys
+*.dmp
+*.id2
+wasm_tmp/
+llvm_tmp/
+*/node_modules/
+*.cpuprofile
+
+*.i64
+
+diana-native/linux/zstd
+apollo-test-app/test.cpp
+apollo-test-app/apollo-test-app.sln
+apollo-test-app/apollo-test-app.vcxproj

README.md

@@ -0,0 +1,43 @@
+# selene
+
+[Hypervisor detection methods](https://github.com/can1357/hvdetecc/) I released yeseterday were dependent on a bunch of parts of this project, as well as my recent Patchguard bypass post, so I just decided to go for the whole thing.
+
+This is a very interesting repository including:
+- Runtime patchguard bypass working for all Windows versions `/selene/misc/nopg`
+- A fully featured GDB and Cheat Engine server, intended to be used in a baremetal OS `/selene/gdb`
+- A paravirtualization engine that can sandbox arbitrary kernel-mode drivers in the **magical Ring 2** as well as processes under Windows `/selene/su`
+- A microkernel with APIC scheduling, memory management mirroring a guest OS, raw TCP/IP hooking into NDIS `/selene`
+- An execution tracing engine that can generate a full call graph containing privileged instructions during the runtime with a < 100ns overhead `/selene/su/xt` & `/xt`
+- A Lua scriptable pattern scanning engine that can JIT codegen from snippets of assembly, as well as emulate basic x86 `/flash`
+- PDB parsing library that can generate C++ headers which can be magically updated during runtime or build time without recompilation `/pdblib` and `/sdkgen`
+- C++ wrapper around the NT kernel APIs (syscalls in User-Mode, reimplementation in Kernel-Mode), with many helpers including an Authenticode implementation `/shared/ntpp`
+- A linker written from scratch that accepts LLVM bitcode and generates PE images w/ full-LTO support, implementing: (`/apollo`)
+  - MBA obfuscation
+  - WASM based virtualization
+  - Basic block splitting
+  - Custom line-information tables
+  - Automatic string encryption
+  - Automatic lifting of imports into lazy-imports
+  - Automatic lifting of Syscall imports into syscall stubs
+  - Profiler instrumentations with Chrome-Flamegraph compatible profiling in Kernel-mode
+  - VS2023 integration!
+- Mtigations against TSX side-channels using a novel method involving PMCs `/selene/su/mitigations`
+- Kernel-mode Sentry-compatible crashdumps as well as networked submission on BSOD `/shared/trace_snapshot` & `/selene/misc/crashdump`
+- And some other stuff I'm completely forgetting about
+
+
+## Notes
+
+Most of this will probably not work out of the box, but I'm working on it as I have free time.
+Kernel-Mode parts will require you to provide a C runtime implementation, which I unfortunately cannot share due to not being the sole legal license holder.
+
+You will need to set the SeleneRoot environment variable to the root of the project, as well as CxxLibraries to where it can find the dependencies:
+- LLVM 18 or greater
+- [xstd](https://github.com/can1357/xstd)
+- [linux-pe](https://github.com/can1357/linux-pe)
+- [xed++](https://github.com/can1357/xedpp)
+- [ulua](https://github.com/can1357/ulua)
+- [rpmalloc](https://github.com/mjansson/rpmalloc) to be used as the kernel-mode allocator
+- [XED](https://github.com/intelxed/xed) for disassembly
+- [LWIP](https://savannah.nongnu.org/projects/lwip) for NDIS-less networking
+- [zstd](https://github.com/facebook/zstd) if you want the custom `zcompressed` attribute

apollo-crt/apollo-crt.cpp

@@ -0,0 +1,122 @@
+// Disable CRT version broadcasting.
+//
+#ifndef MUST_MATCH
+	#define MUST_MATCH(x) 
+#endif
+
+#include <stdint.h>
+#include <xstd/intrinsics.hpp>
+#include <xstd/random.hpp>
+
+static constexpr uint64_t __crt_build_key = 0x79509e971613c549;
+
+extern "C"
+{
+#ifdef _IN_LINKER_
+	#define __crt_linkage__ static
+#else
+	#define __crt_linkage__ 
+#endif
+
+	// Pointer and string encryption logic.
+	//
+	NO_DEBUG FORCE_INLINE __crt_linkage__ void __cdecl __crt_assert( bool b, uint64_t str )
+	{
+		if ( !b ) [[unlikely]]
+			__trap();
+	}
+	NO_DEBUG RINLINE __crt_linkage__ uint64_t __cdecl __crt_decrypt_single( uint64_t value, uint64_t key )
+	{
+		const uint64_t options_key = __crt_build_key * key;
+
+		if ( options_key & 8 )
+			value = rotrq( value, ( ( 16 | options_key ) >> 3 ) % 41 );
+
+		if ( options_key & 1 )      value += ( __crt_build_key * key );
+		else                        value ^= ( __crt_build_key * key );
+
+		if ( options_key & 16 )
+		{
+			if ( ( options_key & 32 ) || ( options_key & 64 ) )
+				value &= ~3;
+			else
+				value ^= 1;
+		}
+		else if ( !( options_key & 8 ) && ( options_key & 4 ) )
+			value = int64_t( value ) >> ( ( ( 8 | options_key ) >> 3 ) % 7 );
+
+		return value;
+	}
+	NO_DEBUG RINLINE __crt_linkage__ uint64_t __cdecl __crt_encrypt_single( uint64_t value, uint64_t key )
+	{
+		const uint64_t options_key = __crt_build_key * key;
+
+		if ( options_key & 16 )
+			value |= ( options_key & 32 ) ? 3 : 1;
+		else if ( !( options_key & 8 ) && ( options_key & 4 ) )
+			value = value << ( ( ( 8 | options_key ) >> 3 ) % 7 );
+
+		if ( options_key & 1 )      value -= ( __crt_build_key * key );
+		else                        value ^= ( __crt_build_key * key );
+
+		if ( options_key & 8 )
+			value = rotlq( value, ( ( 16 | options_key ) >> 3 ) % 41 );
+		return value;
+	}
+	NO_DEBUG RINLINE __crt_linkage__ uint64_t __cdecl __crt_decrypt( const uint64_t* _ptr, size_t n, uint64_t key )
+	{
+		const uint64_t* volatile __ptr = _ptr;
+		const uint64_t* ptr = __ptr;
+
+		uint64_t* result = new uint64_t[ n ];
+		for ( size_t i = 0; i != n; i++ )
+		{
+			result[ i ] = ptr[ i ];
+
+			switch ( n % 3 )
+			{
+				case 0: result[ i ] ^= xstd::lce_64( key ); break;
+				case 1: result[ i ] -= xstd::lce_64( key ); break;
+				case 2: result[ i ] += xstd::lce_64( key ); break;
+			}
+			if ( n % 2 ) result[ i ] = rotrq( result[ i ], n % 64 );
+		}
+		return ( uint64_t ) result;
+	}
+	NO_DEBUG RINLINE __crt_linkage__ uint64_t __cdecl __crt_encrypt( const uint64_t* _ptr, size_t n, uint64_t key )
+	{
+		const uint64_t* volatile __ptr = _ptr;
+		const uint64_t* ptr = __ptr;
+
+		uint64_t* result = new uint64_t[ n ];
+		for ( size_t i = 0; i != n; i++ )
+		{
+			result[ i ] = ptr[ i ];
+
+			if ( n % 2 ) result[ i ] = rotlq( result[ i ], n % 64 );
+			switch ( n % 3 )
+			{
+				case 0: result[ i ] ^= xstd::lce_64( key ); break;
+				case 1: result[ i ] += xstd::lce_64( key ); break;
+				case 2: result[ i ] -= xstd::lce_64( key ); break;
+			}
+		}
+		return ( uint64_t ) result;
+	}
+
+#ifdef __clang__
+	NO_DEBUG RINLINE __crt_linkage__ uint64_t __cdecl __crt_translate_gs( uint64_t ptr )
+	{
+		uint64_t base;
+		asm( "rdgsbase %0" : "=r" ( base ) );
+		return base + ptr;
+	}
+
+	NO_DEBUG RINLINE __crt_linkage__ uint64_t __cdecl __crt_translate_fs( uint64_t ptr )
+	{
+		uint64_t base;
+		asm( "rdfsbase %0" : "=r" ( base ) );
+		return base + ptr;
+	}
+#endif
+};

apollo-crt/apollo-crt.sln

@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30717.126
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{0D289551-2DF2-417F-9F2E-6B17473F945E}") = "apollo-crt", "apollo-crt.vcxproj", "{C0D3D10E-C5AD-4FDC-97F9-A32459289E60}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C0D3D10E-C5AD-4FDC-97F9-A32459289E60}.Release|x64.ActiveCfg = Release|x64
+		{C0D3D10E-C5AD-4FDC-97F9-A32459289E60}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {9599AC87-F66E-4CA1-98AE-3E727AFCF74E}
+	EndGlobalSection
+EndGlobal

apollo-crt/apollo-crt.vcxproj

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{C0D3D10E-C5AD-4FDC-97F9-A32459289E60}</ProjectGuid>
+    <RootNamespace>apollovm</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>ClangCL</PlatformToolset>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+    <Import Project="..\shared\shared.vcxitems" Label="Shared" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+    <IncludePath>$(CxxLibraries)wasm-parser\includes;$(CxxLibraries)xstd\includes;$(LLVM_PATH)\lib\clang\12.0.0\include;$(VC_IncludePath);$(WindowsSDK_IncludePath);$(CxxLibraries)linux-pe\includes</IncludePath>
+    <ExecutablePath>$(LLVM_PATH)\bin;$(ExecutablePath)</ExecutablePath>
+    <OutDir>$(SeleneRoot)resources\libs\</OutDir>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NO_NTPP;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <PrecompiledHeader>NotUsing</PrecompiledHeader>
+      <PrecompiledHeaderFile>
+      </PrecompiledHeaderFile>
+      <LanguageStandard>stdcpplatest</LanguageStandard>
+      <DebugInformationFormat>OldStyle</DebugInformationFormat>
+      <InlineFunctionExpansion>AnySuitable</InlineFunctionExpansion>
+      <FavorSizeOrSpeed>Speed</FavorSizeOrSpeed>
+      <ExceptionHandling>false</ExceptionHandling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <ControlFlowGuard>false</ControlFlowGuard>
+      <EnableEnhancedInstructionSet>AdvancedVectorExtensions2</EnableEnhancedInstructionSet>
+      <ForcedIncludeFiles>$(SolutionDir)..\shared\xstd_options.hpp</ForcedIncludeFiles>
+      <OmitDefaultLibName>true</OmitDefaultLibName>
+      <AdditionalOptions>-flto /Zc:threadSafeInit- /Gw /Gy -Xclang -fno-rtti-data -fwhole-program-vtables -gline-tables-only -mbmi2 %(AdditionalOptions)</AdditionalOptions>
+      <FloatingPointModel>Fast</FloatingPointModel>
+      <BuildStlModules>false</BuildStlModules>
+    </ClCompile>
+    <Link>
+      <SubSystem>
+      </SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="apollo-crt.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>

apollo-crt/apollo-crt.vcxproj.user

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup />
+</Project>