fixed saving flags

3 years ago · 2fc4a80810
parent 7575cf5319
commit 2fc4a80810
4 changed files with 54 additions and 26 deletions
--- a/CodeVirtualizer/Main.cpp
+++ b/CodeVirtualizer/Main.cpp
@ -193,8 +193,9 @@ int main()
 	srand(time(NULL));

 	UINT OutSize = 0;
-	//PUCHAR Output = VmHandlerIRegReg(VM_IREG_3, VM_OPSIZE_16, FALSE, &OutSize); // VmHandlerPrologue(8, &OutSize);
-	PUCHAR Output = VmHandlerEncode2(XED_ICLASS_MOVZX, VM_OPSIZE_32, VM_OPSIZE_16, &OutSize);
+	PUCHAR Output = VmHandlerIRegMem_BISD(VM_IREG_3, VM_OPSIZE_16, FALSE, &OutSize); // VmHandlerPrologue(8, &OutSize);
+	//PUCHAR Output = VmHandlerEncode2(XED_ICLASS_MOVZX, VM_OPSIZE_32, VM_OPSIZE_16, &OutSize);
+	//PUCHAR Output = VmHandlerPrologue(10, &OutSize);
 	if (Output && OutSize)
 	{
 		PrintByteArr(Output, OutSize);
--- a/CodeVirtualizer/VirtualMachine.cpp
+++ b/CodeVirtualizer/VirtualMachine.cpp
@ -58,23 +58,26 @@ PUCHAR VmHandlerPrologue(UINT InstructionSize, PUINT OutSize, XED_REG_ENUM Vip,
 	//	movzx r8,byte ptr[rdx]
 	//	jmp qword ptr[rsi+r8*8h]

-	XED_ENCODER_INSTRUCTION InstList[3];
+	XED_ENCODER_INSTRUCTION InstList[5];
 	InstructionSize += VM_HANDLER_PROLOGUE_SIZE;
-
-	XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
-	XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
-	XedInst1(&InstList[2], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
-	PUCHAR Ret = XedEncodeInstructions(InstList, 3, OutSize);
+	XedInst0(&InstList[0], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+	XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
+	XedInst0(&InstList[2], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
+	XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
+	XedInst1(&InstList[4], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
+	PUCHAR Ret = XedEncodeInstructions(InstList, 5, OutSize);
 	if (*OutSize == VM_HANDLER_PROLOGUE_SIZE)
 		return Ret;

 	delete[] Ret;
 	InstructionSize -= VM_HANDLER_PROLOGUE_SIZE;
 	InstructionSize += *OutSize;
-	XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
-	XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
-	XedInst1(&InstList[2], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
-	return XedEncodeInstructions(InstList, 3, OutSize);
+	XedInst0(&InstList[0], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+	XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
+	XedInst0(&InstList[2], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
+	XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
+	XedInst1(&InstList[4], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
+	return XedEncodeInstructions(InstList, 5, OutSize);
 }

 PUCHAR VmHandlerIRegMem_B(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, BOOL Load, PUINT OutSize)
@ -121,22 +124,27 @@ PUCHAR VmHandlerIRegMem_BIS(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize,
 	* mov r8, qword ptr[rbp+r8*8] 
 	* movzx r9, byte ptr[rdx+3]
 	* movzx r10, byte ptr[rdx+4]	;load scale value(unsigned)
+	* pushfq
 	* imul r10, qword ptr[rbp+r9*8]
+	* popfq
 	* mov (ireg), (size) ptr[r8+r10]
 	*/

 	UINT OpSizeBits = VmOpSizeToBits(OperandSize);
-	XED_ENCODER_INSTRUCTION InstList[6];
+	XED_ENCODER_INSTRUCTION InstList[8];
 	XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
 	XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
 	XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 8));
 	XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(4, 8), 8));
-	XedInst2(&InstList[4], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
+	XedInst0(&InstList[4], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+	XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
+	XedInst0(&InstList[6], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
+
 	if (Load)
-		XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
+		XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
 	else
-		XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
-	return XedEncodeInstructions(InstList, 6, OutSize);
+		XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
+	return XedEncodeInstructions(InstList, 8, OutSize);
 }
 PUCHAR VmHandlerIRegMem_BISD(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, BOOL Load, PUINT OutSize)
 {
@ -145,27 +153,31 @@ PUCHAR VmHandlerIRegMem_BISD(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize
 	* mov r8, qword ptr[rbp+r8*8]
 	* movzx r9, byte ptr[rdx+3]
 	* movzx r10, byte ptr[rdx+4]	;load scale value(unsigned)
+	* pushfq
 	* imul r10, qword ptr[rbp+r9*8]
 	* movsxd r9, dword ptr[rdx+5]	;load immediate displacement
 	* add r10, r9					;add immediate displacement
+	* popfq
 	* mov (ireg), (size) ptr[r8+r10]
 	*/

 	UINT OpSizeBits = VmOpSizeToBits(OperandSize);
-	XED_ENCODER_INSTRUCTION InstList[8];
+	XED_ENCODER_INSTRUCTION InstList[10];
 	XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
 	XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
 	XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 8));
 	XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(4, 8), 8));
-	XedInst2(&InstList[4], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
-	XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_MOVSXD, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(5, 8), 32));
-	XedInst2(&InstList[6], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(XED_REG_R10), XedReg(XED_REG_R9));
+	XedInst0(&InstList[4], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+	XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
+	XedInst2(&InstList[6], XedGlobalMachineState, XED_ICLASS_MOVSXD, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(5, 8), 32));
+	XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(XED_REG_R10), XedReg(XED_REG_R9));
+	XedInst0(&InstList[8], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
 	if (Load)
-		XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
+		XedInst2(&InstList[9], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
 	else
-		XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
+		XedInst2(&InstList[9], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));

-	return XedEncodeInstructions(InstList, 8, OutSize);
+	return XedEncodeInstructions(InstList, 10, OutSize);
 }
 PUCHAR VmHandlerIRegReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, BOOL Load, PUINT OutSize)
 {
--- a/CodeVirtualizer/VirtualMachine.h
+++ b/CodeVirtualizer/VirtualMachine.h
@ -40,7 +40,7 @@ XED_REG_ENUM VmGetRegOfSize(XED_REG_ENUM Reg, VM_OPERAND_SIZE_ENUM OperandSize);
 XED_REG_ENUM VmIRegToXReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize);


-#define VM_HANDLER_PROLOGUE_SIZE 15
+#define VM_HANDLER_PROLOGUE_SIZE 17
 PUCHAR VmHandlerPrologue(UINT InstructionSize, PUINT OutSize, XED_REG_ENUM Vip = XED_REG_RDX, XED_REG_ENUM HandlerTableReg = XED_REG_RSI);

 //Internal register(IReg) store/load
--- a/CodeVirtualizer/Virtualizer.cpp
+++ b/CodeVirtualizer/Virtualizer.cpp
@ -4,7 +4,9 @@ BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
 {
 	switch (XedDecodedInstGetIClass(&Link->XedInstruction))
 	{
-	case XED_ICLASS_MOV: return TRUE;
+	case XED_ICLASS_MOV: 
+		
+		return TRUE;
 	}
 	return FALSE;
 }
@ -30,3 +32,16 @@ BOOL ViValidateNativeCodeBlock(PVIRTUALIZER Vm, PNATIVE_CODE_BLOCK Block)
 	}
 	return TRUE;
 }
+BOOL ViVirtualizeInst(PNATIVE_CODE_LINK Inst, PNATIVE_CODE_BLOCK)
+{
+	XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&Inst->XedInstruction);
+	switch (IClass)
+	{
+	case XED_ICLASS_MOV:
+	{
+
+		return TRUE;
+	}
+	}
+	return FALSE;
+}