diff --git a/CodeVirtualizer/Main.cpp b/CodeVirtualizer/Main.cpp
index 3f6a005..3a3ebab 100644
--- a/CodeVirtualizer/Main.cpp
+++ b/CodeVirtualizer/Main.cpp
@@ -193,8 +193,9 @@ int main()
 srand(time(NULL));
 UINT OutSize = 0;
- //PUCHAR Output = VmHandlerIRegReg(VM_IREG_3, VM_OPSIZE_16, FALSE, &OutSize); // VmHandlerPrologue(8, &OutSize);
- PUCHAR Output = VmHandlerEncode2(XED_ICLASS_MOVZX, VM_OPSIZE_32, VM_OPSIZE_16, &OutSize);
+ PUCHAR Output = VmHandlerIRegMem_BISD(VM_IREG_3, VM_OPSIZE_16, FALSE, &OutSize); // VmHandlerPrologue(8, &OutSize);
+ //PUCHAR Output = VmHandlerEncode2(XED_ICLASS_MOVZX, VM_OPSIZE_32, VM_OPSIZE_16, &OutSize);
+ //PUCHAR Output = VmHandlerPrologue(10, &OutSize);
 if (Output && OutSize)
 {
 PrintByteArr(Output, OutSize);
diff --git a/CodeVirtualizer/VirtualMachine.cpp b/CodeVirtualizer/VirtualMachine.cpp
index 1b2390a..47db8eb 100644
--- a/CodeVirtualizer/VirtualMachine.cpp
+++ b/CodeVirtualizer/VirtualMachine.cpp
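Review bot: The active `PUCHAR Output = VmHandlerIRegMem_BISD(...)` line now sits between two commented-out alternatives and still carries the trailing `// VmHandlerPrologue(8, &OutSize);` that describes none of them, so the hunk reads as scratch state rather than a test of the BISD handler. Keep only the live call with a one-line comment naming what is being dumped, e.g. `// Dump the encoded BISD store handler so its byte length can be checked by hand.`, or select the handler from an argument if all three are meant to stay reachable. main() begins before the hunk; whether `Output` is released afterwards is outside it (the handlers appear to allocate with new[], given the `delete[] Ret` in VmHandlerPrologue).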
@@ -58,23 +58,26 @@ PUCHAR VmHandlerPrologue(UINT InstructionSize, PUINT OutSize, XED_REG_ENUM Vip,
 // movzx r8,byte ptr[rdx]
 // jmp qword ptr[rsi+r8*8h]
- XED_ENCODER_INSTRUCTION InstList[3];
+ XED_ENCODER_INSTRUCTION InstList[5];
 InstructionSize += VM_HANDLER_PROLOGUE_SIZE;
-
- XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
- XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
- XedInst1(&InstList[2], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
- PUCHAR Ret = XedEncodeInstructions(InstList, 3, OutSize);
+ XedInst0(&InstList[0], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+ XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
+ XedInst0(&InstList[2], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
+ XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
+ XedInst1(&InstList[4], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
+ PUCHAR Ret = XedEncodeInstructions(InstList, 5, OutSize);
 if (*OutSize == VM_HANDLER_PROLOGUE_SIZE)
 return Ret;
 delete[] Ret;
 InstructionSize -= VM_HANDLER_PROLOGUE_SIZE;
 InstructionSize += *OutSize;
- XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
- XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
- XedInst1(&InstList[2], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
- return XedEncodeInstructions(InstList, 3, OutSize);
+ XedInst0(&InstList[0], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+ XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(Vip), XedImm0(InstructionSize, 32));
+ XedInst0(&InstList[2], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
+ XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemB(Vip, 16));
+ XedInst1(&InstList[4], XedGlobalMachineState, XED_ICLASS_JMP, 64, XedMemBISD(HandlerTableReg, XED_REG_R8, 8, XedDisp(0, 0), 64));
+ return XedEncodeInstructions(InstList, 5, OutSize);
 }
 PUCHAR VmHandlerIRegMem_B(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, BOOL Load, PUINT OutSize)
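Review bot: The fallback path ends with `return XedEncodeInstructions(InstList, 5, OutSize);` without checking that the second encoding has the same length as the `*OutSize` that was just folded into the `add Vip, imm` immediate; with a forced 32-bit immediate the length is probably stable, but nothing asserts it, and a mismatch would advance VIP by the wrong amount with no error. Capture the expected length before that call and compare `*OutSize` against it afterwards, releasing the buffer and returning NULL on mismatch. The same five-instruction list is now written out twice by hand and the count `5` is repeated in the array size and in both encode calls (likewise `8` in VmHandlerIRegMem_BIS and `10` in VmHandlerIRegMem_BISD); a local lambda or static helper that fills the list for a given InstructionSize, plus `sizeof(InstList) / sizeof(InstList[0])` for the count, would keep the copies from drifting. The listing comment at the top of VmHandlerPrologue starts before the hunk; its visible tail (`// movzx ...`, `// jmp ...`) does not show the new pushfq/popfq, so it should be updated the way the BIS/BISD comments were.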
@@ -121,22 +124,27 @@ PUCHAR VmHandlerIRegMem_BIS(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize,
 * mov r8, qword ptr[rbp+r8*8]
 * movzx r9, byte ptr[rdx+3]
 * movzx r10, byte ptr[rdx+4] ;load scale value(unsigned)
+ * pushfq
 * imul r10, qword ptr[rbp+r9*8]
+ * popfq
 * mov (ireg), (size) ptr[r8+r10]
 */
 UINT OpSizeBits = VmOpSizeToBits(OperandSize);
- XED_ENCODER_INSTRUCTION InstList[6];
+ XED_ENCODER_INSTRUCTION InstList[8];
 XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
 XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
 XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 8));
 XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(4, 8), 8));
- XedInst2(&InstList[4], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
+ XedInst0(&InstList[4], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+ XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
+ XedInst0(&InstList[6], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
+
 if (Load)
- XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
+ XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
 else
- XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
- return XedEncodeInstructions(InstList, 6, OutSize);
+ XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
+ return XedEncodeInstructions(InstList, 8, OutSize);
 }
 PUCHAR VmHandlerIRegMem_BISD(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, BOOL Load, PUINT OutSize)
 {
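Review bot: The listing comment edited here still says `movzx r9, byte ptr[rdx+3]` and `movzx r10, byte ptr[rdx+4] ;load scale value(unsigned)`, but the code at `InstList[2]`/`InstList[3]` emits `XED_ICLASS_MOVSX`, so one of the two is wrong; if the scale byte really is unsigned, a sign-extending load turns any value of 0x80 or above into a negative index or scale. Those two encode lines are context (pre-existing) and the same comment/code mismatch is in VmHandlerIRegMem_BISD — fix both the same way, either by encoding `XED_ICLASS_MOVZX` or by changing the comment to `movsx` and removing the "(unsigned)" claim. The empty line added after the `popfq` at `InstList[6]` is stray. Hard-coded slot numbers had to be renumbered in three functions for this commit; a running index (`UINT i = 0;`, then `&InstList[i++]` per instruction, passing `i` to XedEncodeInstructions) would remove that class of edit.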
@@ -145,27 +153,31 @@ PUCHAR VmHandlerIRegMem_BISD(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize
 * mov r8, qword ptr[rbp+r8*8]
 * movzx r9, byte ptr[rdx+3]
 * movzx r10, byte ptr[rdx+4] ;load scale value(unsigned)
+ * pushfq
 * imul r10, qword ptr[rbp+r9*8]
 * movsxd r9, dword ptr[rdx+5] ;load immediate displacement
 * add r10, r9 ;add immediate displacement
+ * popfq
 * mov (ireg), (size) ptr[r8+r10]
 */
 UINT OpSizeBits = VmOpSizeToBits(OperandSize);
- XED_ENCODER_INSTRUCTION InstList[8];
+ XED_ENCODER_INSTRUCTION InstList[10];
 XedInst2(&InstList[0], XedGlobalMachineState, XED_ICLASS_MOVZX, 64, XedReg(XED_REG_R8), XedMemBD(XED_REG_RDX, XedDisp(2, 8), 8));
 XedInst2(&InstList[1], XedGlobalMachineState, XED_ICLASS_MOV, 64, XedReg(XED_REG_R8), XedMemBISD(XED_REG_RBP, XED_REG_R8, 8, XedDisp(0, 0), 64));
 XedInst2(&InstList[2], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(3, 8), 8));
 XedInst2(&InstList[3], XedGlobalMachineState, XED_ICLASS_MOVSX, 64, XedReg(XED_REG_R10), XedMemBD(XED_REG_RDX, XedDisp(4, 8), 8));
- XedInst2(&InstList[4], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
- XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_MOVSXD, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(5, 8), 32));
- XedInst2(&InstList[6], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(XED_REG_R10), XedReg(XED_REG_R9));
+ XedInst0(&InstList[4], XedGlobalMachineState, XED_ICLASS_PUSHFQ, 64);
+ XedInst2(&InstList[5], XedGlobalMachineState, XED_ICLASS_IMUL, 64, XedReg(XED_REG_R10), XedMemBISD(XED_REG_RBP, XED_REG_R9, 8, XedDisp(0, 0), 64));
+ XedInst2(&InstList[6], XedGlobalMachineState, XED_ICLASS_MOVSXD, 64, XedReg(XED_REG_R9), XedMemBD(XED_REG_RDX, XedDisp(5, 8), 32));
+ XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_ADD, 64, XedReg(XED_REG_R10), XedReg(XED_REG_R9));
+ XedInst0(&InstList[8], XedGlobalMachineState, XED_ICLASS_POPFQ, 64);
 if (Load)
- XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
+ XedInst2(&InstList[9], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedReg(VmIRegToXReg(IReg, OperandSize)), XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits));
 else
- XedInst2(&InstList[7], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
+ XedInst2(&InstList[9], XedGlobalMachineState, XED_ICLASS_MOV, OpSizeBits, XedMemBISD(XED_REG_R8, XED_REG_R10, 1, XedDisp(0, 0), OpSizeBits), XedReg(VmIRegToXReg(IReg, OperandSize)));
- return XedEncodeInstructions(InstList, 8, OutSize);
+ return XedEncodeInstructions(InstList, 10, OutSize);
 }
 PUCHAR VmHandlerIRegReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize, BOOL Load, PUINT OutSize)
 {
diff --git a/CodeVirtualizer/VirtualMachine.h b/CodeVirtualizer/VirtualMachine.h
index 21b5ea4..03ee23d 100644
--- a/CodeVirtualizer/VirtualMachine.h
+++ b/CodeVirtualizer/VirtualMachine.h
@@ -40,7 +40,7 @@ XED_REG_ENUM VmGetRegOfSize(XED_REG_ENUM Reg, VM_OPERAND_SIZE_ENUM OperandSize);
 XED_REG_ENUM VmIRegToXReg(VM_IREG_ENUM IReg, VM_OPERAND_SIZE_ENUM OperandSize);
-#define VM_HANDLER_PROLOGUE_SIZE 15
+#define VM_HANDLER_PROLOGUE_SIZE 17
 PUCHAR VmHandlerPrologue(UINT InstructionSize, PUINT OutSize, XED_REG_ENUM Vip = XED_REG_RDX, XED_REG_ENUM HandlerTableReg = XED_REG_RSI);
 //Internal register(IReg) store/load
diff --git a/CodeVirtualizer/Virtualizer.cpp b/CodeVirtualizer/Virtualizer.cpp
index d739b7d..1b2c6ce 100644
--- a/CodeVirtualizer/Virtualizer.cpp
+++ b/CodeVirtualizer/Virtualizer.cpp
@@ -4,7 +4,9 @@ BOOL ViCanHandleInst(PNATIVE_CODE_LINK Link)
 {
 switch (XedDecodedInstGetIClass(&Link->XedInstruction))
 {
- case XED_ICLASS_MOV: return TRUE;
+ case XED_ICLASS_MOV:
+
+ return TRUE;
 }
 return FALSE;
 }
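Review bot: In VmHandlerIRegMem_BISD the `popfq` at `InstList[8]` is correctly placed after the `add r10, r9` at `InstList[7]` (add writes the flags), but nothing records that the wider window is deliberate, and the narrower imul-only window in VmHandlerIRegMem_BIS invites someone to "tidy" this one to match; add `// popfq must follow the add: it clobbers flags as well as imul` on that line. Separately, the register index bytes read at `[rdx+2]`/`[rdx+3]` (context lines, unchanged here) are used to index `[rbp+r*8]` with no range check, so whether malformed bytecode can reach past the VM register file depends on how that table is sized — worth confirming when the bytecode validator is written.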
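Review bot: `VM_HANDLER_PROLOGUE_SIZE 17` is a bare number whose derivation can only be recovered by reading VmHandlerPrologue; document it next to the define, e.g. `// pushfq(1) + add r64,imm32(7) + popfq(1) + movzx r8,byte ptr[Vip](4) + jmp qword ptr[tbl+r8*8](4) for the default RDX/RSI arguments`. Those byte counts hold for the default `Vip`/`HandlerTableReg`; registers that need a SIB byte or a different REX prefix change the total, which appears to be what the re-encode path in VmHandlerPrologue exists to absorb, and the comment should say so.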
@@ -30,3 +32,16 @@ BOOL ViValidateNativeCodeBlock(PVIRTUALIZER Vm, PNATIVE_CODE_BLOCK Block)
 }
 return TRUE;
 }
+BOOL ViVirtualizeInst(PNATIVE_CODE_LINK Inst, PNATIVE_CODE_BLOCK)
+{
+ XED_ICLASS_ENUM IClass = XedDecodedInstGetIClass(&Inst->XedInstruction);
+ switch (IClass)
+ {
+ case XED_ICLASS_MOV:
+ {
+
+ return TRUE;
+ }
+ }
+ return FALSE;
+}
\ No newline at end of file
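Review bot: ViVirtualizeInst returns TRUE from the `XED_ICLASS_MOV` case while emitting nothing, so a caller will treat the instruction as virtualized when it was left untouched; until the MOV lowering exists, return FALSE there behind a `// TODO: lower MOV via the VmHandlerIReg* encoders; not implemented yet` so the stub cannot pass silently. The second parameter is unnamed and unused — name it when it is used, and document the contract on FALSE (presumably Inst is left in the block unchanged; confirm). The file also ends without a trailing newline.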