  • Stars 118
  • Rank 289,362 (Top 6 %)
  • Language C++
  • Created over 2 years ago
  • Updated 4 months ago

Repository Details

WIP Native code virtualizer for x64 binaries

EagleProtect

Playground for generating virtual machine protected x64 assembly.

EagleVM

Main protection application that virtualizes code.

EagleVMSandbox

Project for future testing on full binaries.

EagleVMStub

This is a DLL used by the project that needs to be protected. The EagleVM protector application searches for usages of the stub imports to hollow out the marked code sections and create virtualized code.
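The search for stub import usages can be pictured with the following added sketch, which is not EagleVM's own code. It assumes the two marker imports are called through the IAT as `call qword ptr [rip+disp32]` (bytes `FF 15`); the marker roles, the IAT slot RVAs and the section bytes are constructed for the example.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

// Constructed values: RVAs of the IAT slots for the two marker imports.
constexpr uint32_t kIatBegin = 0x3000;  // hypothetical "begin" marker import
constexpr uint32_t kIatEnd   = 0x3008;  // hypothetical "end" marker import

struct MarkedRegion { uint32_t begin_rva, end_rva; };  // bytes in [begin, end)

// True if code[i..] is `call qword ptr [rip+disp32]` (FF 15 disp32);
// slot_rva receives the RVA of the pointer the call reads.
static bool decode_iat_call(const std::vector<uint8_t>& code, uint32_t base,
                            size_t i, uint32_t& slot_rva) {
    if (i + 6 > code.size() || code[i] != 0xFF || code[i + 1] != 0x15) return false;
    int32_t disp;
    std::memcpy(&disp, &code[i + 2], sizeof disp);
    // RIP-relative operand: RVA of the next instruction plus disp32.
    slot_rva = base + static_cast<uint32_t>(i) + 6 + static_cast<uint32_t>(disp);
    return true;
}

// Pairs each begin-marker call with the next end-marker call. A raw byte scan
// can match inside operands; a real tool would walk decoded instructions.
std::vector<MarkedRegion> find_marked_regions(const std::vector<uint8_t>& code,
                                              uint32_t base) {
    std::vector<MarkedRegion> regions;
    bool open = false;
    uint32_t start = 0, slot = 0;
    for (size_t i = 0; i < code.size(); ++i) {
        if (!decode_iat_call(code, base, i, slot)) continue;
        uint32_t call_rva = base + static_cast<uint32_t>(i);
        if (slot == kIatBegin && !open) { open = true; start = call_rva + 6; }
        else if (slot == kIatEnd && open) { regions.push_back({start, call_rva}); open = false; }
        i += 5;  // skip the remaining bytes of the matched call
    }
    return regions;
}

// Constructed .text bytes at RVA 0x1000: nop; call [begin]; add rax,rbx;
// inc rax; call [end]; ret.
std::vector<uint8_t> sample_section() {
    return {0x90, 0xFF, 0x15, 0xF9, 0x1F, 0x00, 0x00, 0x48, 0x01, 0xD8,
            0x48, 0xFF, 0xC0, 0xFF, 0x15, 0xF5, 0x1F, 0x00, 0x00, 0xC3};
}
```

On the sample bytes the scan reports one region, RVA 0x1007 up to 0x100D, which is the six bytes between the two marker calls.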

How it Works

Imports

Todo

Code Sections

Todo

PE VM Section

Todo

Wishlist

If you're looking to contribute to the project, here are some ideas of what I would like to add.

  • Implement encryption for entering VM
  • Potential project refactor
  • Implement code obfuscation options
  • For chunks of virtualized instructions, a VM enter could decrypt them using some kind of algorithm at runtime.
  • Potential CMKR implementation instead of normal vanilla CMake
  • Use of smart pointers over C-style pointers since code_labels will never be deallocated properly until the program closes
  • Unit tests starting with MBA generation
  • For each virtualized code section: instead of assuming there is no stack trickery going on, jump to a function in the VM section which allocates stack space and then pushes an address (easy)
  • Create a proper way of determining what VM handler an instruction should call based on its operands

Thank You To:

  • r0da - Inspiring this project with VMP3 Virtualization analysis.
  • _xeroxz - Great analysis of VMP2 Virtualization and clarification of VMP routines.
  • Iizerd - Help with general understanding of code virtualization when starting the project.
  • hasherezade - Creator of the PE-Bear tool used for this project.

Resources:

Todo