Bugfix + new anti-disassembly technique

[Yp3rion]

The pull request deals with the following:

• After building and executing al-khaser on a Win 10 VM with VS 2017 Community version I encountered a bug which consisted in the GetProcAddress() function, invoked as part of the Wine detection checks, crashing with an illegal access error (0xC0000005) in the x86 version. As revealed by a run-time check when testing the Debug version of the software, this seemed to be caused indirectly by an error in the VectoredHandler defined for the TrapFlag anti-debug trick; more precisely, increasing the EIP value stored in the exception context by 1 was apparently what was causing the error, since after returning from the exception execution would proceed from an erroneous instruction.
• Included the "Structured Exception Handler misuse" anti-disassembly technique for the x86 architecture, which consists in adding a custom exception handler pointing to an arbitrary function on top of the SEH stack at runtime and then triggering an exception in order to perform a covert function invocation; a more in-depth explanation of the technique can be found here.

[ayoubfaouzi]

Hey @Yp3rion

Thanks for your first contribution :)

I will review this one today.

[ayoubfaouzi]

That was a good catch ! I was wondering how did you track the problem back to the trap flag issue and I started debugging from there and I figured out that in the VEH handler, when we increase the instruction pointer, we end up returning right after the RemoveVectoredExceptionHandler, so the VEH never get deleted, and it keps catching exceptions and somehow failed in the the wine check.

As a matter of fact, I also checked the x64 version and it does not need to advance RIP as well, you should get rid of it as it as well.

I will look into the anti disassm tomorrow.

Thank you.

[Yp3rion]

Perfect! I am happy to help and I was curious about the underlying issue since I have to admit I did not go much into detail after finding the bug, so thank you for explaining; I will make sure to fix the x64 version too then, should I do it after this pull request is approved or is it possible to edit a pull request on the fly? (I am a bit of a noob, I know)

[ayoubfaouzi]

No worries, just modify the code, make a commit and push, it should appear here.

[ayoubfaouzi]

Looks awesome ! Thank you again.