Skip to content

KiFilterFiberContext/microsoft-warbird

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

12 Commits
clipc
clipc
 
 
.gitattributes
.gitattributes
 
 
.gitignore
.gitignore
 
 
README.md
README.md
 
 
clipc.sln
clipc.sln
 
 

Repository files navigation

Warbird Runtime

Reverse engineered code for Microsoft's WARBIRD obfuscator

Microsoft developed Warbird to obfuscate different system components, mostly relating to DRM and licensing.
Warbird code has even been integrated into the kernel to obfuscate components (ci, peauth, clipsp, etc).

Overview

Warbird can support different forms of code obfuscation like:

  • virtual machine obfuscation
  • section encryption/packing (labeled PAGEwx sections which are excluded from PatchGuard)
  • constant obfuscation
  • runtime code execution on the heap (SystemControlFlowTransition info class for NtQuerySystemInformation system call)

Some system images that are publicly known to use Warbird are:

  • ci.dll
  • clipsp.sys
  • peauth.sys
  • ntoskrnl.exe
  • ClipSVC.dll
  • ClipUp.exe
  • Windows.Media.Protection.PlayReady.dll
  • GenValObj.exe
  • ManageCI.dll

There are other images that make calls to NtQuerySystemInformation passing the SystemPolicyInformation info class that rely on the Warbird Feistel cipher to encrypt/decrypt parameters.

The call stack of those calls generally look like: nt!SpCall2ServerInternal -> nt!g_kernelCallbacks -> clipsp.sys!ClipSp*.

More information can be found on that here.

TODO: Classes to Implement

  • WarbirdRuntime::CTermination
  • WarbirdRuntime::CMemoryAllocator::CBlock
  • WarbirdRuntime::CEncryption
  • WarbirdRuntime::CPrivateRelocationsTable
  • WarbirdRuntime::CHeapExecution
  • WarbirdRuntime::AutoEnableDynamicCodeGen
  • WarbirdRuntime::CUtil
  • WarbirdRuntime::CRWLock
  • WarbirdRuntime::CMemoryProtectionChangeHelper
  • WarbirdRuntime::WarbirdRuntime__HEAP_EXECUTION_CALL_ARGUMENTS
  • WarbirdRuntime::WarbirdRuntime__HEAP_EXECUTION_CONDITIONAL_BRANCH_ARGUMENTS
  • WarbirdRuntime::ENCRYPTED_SEGMENT_DATA_CONST
  • WarbirdRuntime::ENCRYPTED_SEGMENT_DATA_READ_WRITE
  • WarbirdRuntime::RuntimeInit
  • WarbirdRuntime::NewEntryMain

Disclaimer

The project cannot be used as-is and is merely intended to be used for educational purposes to further public understanding.
Warbird cannot be integrated into personal projects since the actual runtime dlls are not present.

A custom Warbird obfuscator toolset could be partially integrated by passing the /wbrddll: MSVC compiler flag and exporting the GetObfuscator and CreateObfuscator2 routines.

UPDATE: As of 6/11/24, it is possible to integrate the leaked warbird.dll to build applications.

The project could be loosely modified to support calls to NtQuerySystemInformation with the SystemPolicyInformation class but you would have to reimplement the cipher, get the encryption/decryption keys, etc... :)

Related

About

Reimplementation of Microsoft's Warbird obuscator

Topics

microsoft drm code-obfuscation microsoft-warbird

Resources

Readme
Activity

Stars

96 stars

Watchers

4 watching

Forks

8 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages