Manifold
/
vmprofiler
forked from vmp3/vmprofiler
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

essentially added a bunch of shit...

Browse Source
master
John Doe 3 years ago
parent 11650b6d8a
commit 20ad0b5950
10 changed files with 299 additions and 26 deletions
Show Stats Download Patch File Download Diff File

3
CMakeLists.txt
Unescape View File

@ -52,8 +52,11 @@ set(vmprofiler_SOURCES "")
list(APPEND vmprofiler_SOURCES list(APPEND vmprofiler_SOURCES
"src/vmctx.cpp" "src/vmctx.cpp"
"src/vmlocate.cpp" "src/vmlocate.cpp"
"src/vmprofiles/jmp.cpp"
"src/vmprofiles/sreg.cpp"
"src/vmutils.cpp" "src/vmutils.cpp"
"include/vmctx.hpp" "include/vmctx.hpp"
"include/vminstrs.hpp"
"include/vmlocate.hpp" "include/vmlocate.hpp"
"include/vmprofiler.hpp" "include/vmprofiler.hpp"
"include/vmutils.hpp" "include/vmutils.hpp"

10
include/vmctx.hpp
Unescape View File

@ -12,9 +12,9 @@ class vmctx_t {
const std::uintptr_t m_module_base, m_image_base, m_vm_entry_rva, const std::uintptr_t m_module_base, m_image_base, m_vm_entry_rva,
m_image_size; m_image_size;
zydis_register_t get_vip() const { return m_vip; } zydis_reg_t get_vip() const { return m_vip; }
zydis_register_t get_vsp() const { return m_vsp; } zydis_reg_t get_vsp() const { return m_vsp; }
zydis_routine_t get_vm_enter() const { return m_vm_entry; } zydis_rtn_t get_vm_enter() const { return m_vm_entry; }
private: private:
/// <summary> /// <summary>
@ -22,11 +22,11 @@ class vmctx_t {
/// enter... these will change during the execution inside of the vm but these /// enter... these will change during the execution inside of the vm but these
/// values stay the same as the ones used by vm enter... /// values stay the same as the ones used by vm enter...
/// </summary> /// </summary>
zydis_register_t m_vip, m_vsp; zydis_reg_t m_vip, m_vsp;
/// <summary> /// <summary>
/// the virtual machine enter flattened and deobfuscated... /// the virtual machine enter flattened and deobfuscated...
/// </summary> /// </summary>
zydis_routine_t m_vm_entry; zydis_rtn_t m_vm_entry;
}; };
} // namespace vm } // namespace vm

140
include/vminstrs.hpp
Unescape View File

@ -0,0 +1,140 @@
#pragma once
#include <vmutils.hpp>
namespace vm::instrs {
/// <summary>
/// mnemonic representation of supported virtual instructions...
/// </summary>
enum class mnemonic_t {
unknown,
sreg,
lreg,
lconst,
add,
div,
idiv,
mul,
imul,
nand,
read,
write,
shl,
shld,
shr,
shrd,
lvsp,
svsp,
writecr3,
readcr3,
writecr8,
readcr8,
cpuid,
rdtsc,
call,
jmp,
vmexit
};
/// <summary>
/// the main virtual instruction structure which is returned by profilers...
/// </summary>
struct vinstr_t {
/// <summary>
/// mnemonic of the virtual instruction...
/// </summary>
mnemonic_t mnemonic;
/// <summary>
/// size varient of the virtual instruction... I.E SREGQ would have a value of
/// "64" here...where the SREGDW varient would have a "32" here...
/// </summary>
u8 size;
struct {
/// <summary>
/// true if the virtual instruction has an imm false if not...
/// </summary>
bool has_imm;
/// <summary>
/// size in bits of the imm... 8, 16, 32, 64...
/// </summary>
u8 size;
/// <summary>
/// imm value...
/// </summary>
u64 val;
} imm;
};
/// <summary>
/// matcher function which returns true if an instruction matches a desired
/// one...
/// </summary>
using matcher_t = std::function<bool(const zydis_reg_t vip,
const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr)>;
/// <summary>
/// virtual instruction structure generator... this can update the vip and vsp
/// argument... it cannot update the instruction stream (hndlr)...
/// </summary>
using vinstr_gen_t = std::function<std::optional<vinstr_t>(zydis_reg_t& vip,
zydis_reg_t& vsp,
zydis_rtn_t& hndlr)>;
/// <summary>
/// each virtual instruction has its own profiler_t structure which can generate
/// all varients of the virtual instruction for each size...
/// </summary>
struct profiler_t {
/// <summary>
/// string name of the virtual instruction that this profile generates for...
/// </summary>
std::string name;
/// <summary>
/// mnemonic representation of the virtual instruction...
/// </summary>
mnemonic_t mnemonic;
/// <summary>
/// vector of matcher lambda's which return true if a given instruction
/// matches...
/// </summary>
std::vector<matcher_t> matchers;
/// <summary>
/// generates a virtual instruction structure...
/// </summary>
vinstr_gen_t generate;
};
extern profiler_t jmp;
inline std::vector<profiler_t*> profiles = {&jmp};
inline vinstr_t determine(zydis_reg_t& vip,
zydis_reg_t& vsp,
zydis_rtn_t& hndlr) {
const auto profile = std::find_if(
profiles.begin(), profiles.end(), [&](profiler_t* profile) -> bool {
for (auto& matcher : profile->matchers) {
const auto matched = std::find_if(hndlr.begin(), hndlr.end(),
[&](zydis_instr_t& instr) -> bool {
const auto& i = instr.instr;
return matcher(vip, vsp, i);
});
if (matched == hndlr.end())
return false;
}
return true;
});
if (profile == profiles.end())
return vinstr_t{mnemonic_t::unknown};
auto result = (*profile)->generate(vip, vsp, hndlr);
return result.has_value() ? result.value() : vinstr_t{mnemonic_t::unknown};
}
} // namespace vm::instrs

2
include/vmlocate.hpp
Unescape View File

@ -6,7 +6,7 @@
#define PUSH_4B_MASK "x????" #define PUSH_4B_MASK "x????"
namespace vm::locate { namespace vm::locate {
inline bool find(const zydis_routine_t& rtn, inline bool find(const zydis_rtn_t& rtn,
std::function<bool(const zydis_instr_t&)> callback) { std::function<bool(const zydis_instr_t&)> callback) {
auto res = std::find_if(rtn.begin(), rtn.end(), callback); auto res = std::find_if(rtn.begin(), rtn.end(), callback);
return res != rtn.end(); return res != rtn.end();

3
include/vmprofiler.hpp
Unescape View File

@ -1,4 +1,5 @@
#pragma once #pragma once
#include <vmctx.hpp> #include <vmctx.hpp>
#include <vmlocate.hpp> #include <vmlocate.hpp>
#include <vmutils.hpp> #include <vmutils.hpp>
#include <vminstrs.hpp>

15
include/vmutils.hpp
Unescape View File

@ -5,6 +5,7 @@
#include <fstream> #include <fstream>
#include <functional> #include <functional>
#include <nt/image.hpp> #include <nt/image.hpp>
#include <optional>
#include <vector> #include <vector>
using u8 = unsigned char; using u8 = unsigned char;
@ -13,7 +14,7 @@ using u32 = unsigned int;
using u64 = unsigned long long; using u64 = unsigned long long;
using zydis_decoded_instr_t = ZydisDecodedInstruction; using zydis_decoded_instr_t = ZydisDecodedInstruction;
using zydis_register_t = ZydisRegister; using zydis_reg_t = ZydisRegister;
using zydis_mnemonic_t = ZydisMnemonic; using zydis_mnemonic_t = ZydisMnemonic;
using zydis_decoded_operand_t = ZydisDecodedOperand; using zydis_decoded_operand_t = ZydisDecodedOperand;
@ -23,7 +24,7 @@ struct zydis_instr_t {
std::uintptr_t addr; std::uintptr_t addr;
}; };
using zydis_routine_t = std::vector<zydis_instr_t>; using zydis_rtn_t = std::vector<zydis_instr_t>;
namespace vm::utils { namespace vm::utils {
inline thread_local std::shared_ptr<ZydisDecoder> g_decoder = nullptr; inline thread_local std::shared_ptr<ZydisDecoder> g_decoder = nullptr;
@ -72,7 +73,7 @@ bool is_jmp(const zydis_decoded_instr_t& instr);
/// </summary> /// </summary>
/// <param name="routine">reference to a zydis_routine_t to be /// <param name="routine">reference to a zydis_routine_t to be
/// printed...</param> /// printed...</param>
void print(zydis_routine_t& routine); void print(zydis_rtn_t& routine);
/// <summary> /// <summary>
/// prints a single disassembly view of an instruction... /// prints a single disassembly view of an instruction...
@ -90,7 +91,7 @@ namespace reg {
/// <param name="reg">a zydis decoded register value...</param> /// <param name="reg">a zydis decoded register value...</param>
/// <returns>returns the largest width register of the given register... AL /// <returns>returns the largest width register of the given register... AL
/// gives RAX...</returns> /// gives RAX...</returns>
zydis_register_t to64(zydis_register_t reg); zydis_reg_t to64(zydis_reg_t reg);
/// <summary> /// <summary>
/// compares to registers with each other... calls to64 and compares... /// compares to registers with each other... calls to64 and compares...
@ -98,7 +99,7 @@ zydis_register_t to64(zydis_register_t reg);
/// <param name="a">register a...</param> /// <param name="a">register a...</param>
/// <param name="b">register b...</param> /// <param name="b">register b...</param>
/// <returns>returns true if register to64(a) == to64(b)...</returns> /// <returns>returns true if register to64(a) == to64(b)...</returns>
bool compare(zydis_register_t a, zydis_register_t b); bool compare(zydis_reg_t a, zydis_reg_t b);
} // namespace reg } // namespace reg
/// <summary> /// <summary>
@ -109,7 +110,7 @@ bool compare(zydis_register_t a, zydis_register_t b);
/// from...</param> <param name="keep_jmps">keep JCC's in the flattened /// from...</param> <param name="keep_jmps">keep JCC's in the flattened
/// instruction stream...</param> <returns>returns true if flattened was /// instruction stream...</param> <returns>returns true if flattened was
/// successful...</returns> /// successful...</returns>
bool flatten(zydis_routine_t& routine, bool flatten(zydis_rtn_t& routine,
std::uintptr_t routine_addr, std::uintptr_t routine_addr,
bool keep_jmps = false, bool keep_jmps = false,
std::uint32_t max_instrs = 500, std::uint32_t max_instrs = 500,
@ -119,7 +120,7 @@ bool flatten(zydis_routine_t& routine,
/// deadstore deobfuscation of a flattened routine... /// deadstore deobfuscation of a flattened routine...
/// </summary> /// </summary>
/// <param name="routine">reference to a flattened instruction vector...</param> /// <param name="routine">reference to a flattened instruction vector...</param>
void deobfuscate(zydis_routine_t& routine); void deobfuscate(zydis_rtn_t& routine);
/// <summary> /// <summary>
/// small namespace that contains function wrappers to determine the validity of /// small namespace that contains function wrappers to determine the validity of

4
src/vmlocate.cpp
Unescape View File

@ -28,7 +28,7 @@ std::vector<vm_enter_t> get_vm_entries(std::uintptr_t module_base,
std::uintptr_t result = module_base; std::uintptr_t result = module_base;
std::vector<vm_enter_t> entries; std::vector<vm_enter_t> entries;
static const auto push_regs = [&](const zydis_routine_t& rtn) -> bool { static const auto push_regs = [&](const zydis_rtn_t& rtn) -> bool {
for (unsigned reg = ZYDIS_REGISTER_RAX; reg < ZYDIS_REGISTER_R15; ++reg) { for (unsigned reg = ZYDIS_REGISTER_RAX; reg < ZYDIS_REGISTER_R15; ++reg) {
auto res = std::find_if( auto res = std::find_if(
rtn.begin(), rtn.end(), [&](const zydis_instr_t& instr) -> bool { rtn.begin(), rtn.end(), [&](const zydis_instr_t& instr) -> bool {
@ -49,7 +49,7 @@ std::vector<vm_enter_t> get_vm_entries(std::uintptr_t module_base,
result = sigscan((void*)++result, module_size - (result - module_base), result = sigscan((void*)++result, module_size - (result - module_base),
PUSH_4B_IMM, PUSH_4B_MASK); PUSH_4B_IMM, PUSH_4B_MASK);
zydis_routine_t rtn; zydis_rtn_t rtn;
if (!vm::utils::scn::executable(module_base, result)) if (!vm::utils::scn::executable(module_base, result))
continue; continue;

127
src/vmprofiles/jmp.cpp
Unescape View File

@ -0,0 +1,127 @@
#include <vminstrs.hpp>
namespace vm::instrs {
profiler_t jmp = {
"JMP",
mnemonic_t::jmp,
// MOV REG, [VSP]
{{[&](const zydis_reg_t vip,
const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp;
},
// ADD VSP, 8
[&](const zydis_reg_t vip,
const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[0].reg.value == vsp &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[1].imm.value.u == 8;
},
// MOV VIP, REG
[&](const zydis_reg_t vip,
const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[0].reg.value == vip &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}}},
[&](zydis_reg_t& vip,
zydis_reg_t& vsp,
zydis_rtn_t& hndlr) -> std::optional<vinstr_t> {
const auto xchg = std::find_if(
hndlr.begin(), hndlr.end(), [&](const zydis_instr_t& instr) -> bool {
const auto& i = instr.instr;
return i.mnemonic == ZYDIS_MNEMONIC_XCHG &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
// exclusive or... operand 1 or operand 2 can be VSP but they
// both cannot be...
((i.operands[1].reg.value == vsp ||
i.operands[0].reg.value == vsp) &&
!((i.operands[1].reg.value == vsp) &&
(i.operands[0].reg.value == vsp)));
});
// this JMP virtual instruction changes VSP as well as VIP...
if (xchg != hndlr.end()) {
// grab the register that isnt VSP in the XCHG...
// xchg reg, vsp or xchg vsp, reg...
zydis_reg_t write_dep = xchg->instr.operands[0].reg.value != vsp
? xchg->instr.operands[0].reg.value
: xchg->instr.operands[1].reg.value;
// update VIP... VSP becomes VIP... with the XCHG...
vip = xchg->instr.operands[0].reg.value != vsp
? xchg->instr.operands[1].reg.value
: xchg->instr.operands[0].reg.value;
// find the next MOV REG, write_dep... this REG will be VSP...
const auto mov_reg_write_dep = std::find_if(
xchg, hndlr.end(), [&](const zydis_instr_t& instr) -> bool {
const auto& i = instr.instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].reg.value == write_dep;
});
if (mov_reg_write_dep == hndlr.end())
return {};
vsp = mov_reg_write_dep->instr.operands[0].reg.value;
} else {
// find the MOV REG, [VSP] instruction...
const auto mov_reg_deref_vsp = std::find_if(
hndlr.begin(), hndlr.end(),
[&](const zydis_instr_t& instr) -> bool {
const auto& i = instr.instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[1].mem.base == vsp;
});
if (mov_reg_deref_vsp == hndlr.end())
return {};
// find the MOV REG, mov_reg_deref_vsp->operands[0].reg.value
const auto mov_vip_reg = std::find_if(
mov_reg_deref_vsp, hndlr.end(),
[&](const zydis_instr_t& instr) -> bool {
const auto& i = instr.instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].reg.value ==
mov_reg_deref_vsp->instr.operands[0].reg.value;
});
if (mov_vip_reg == hndlr.end())
return {};
vip = mov_vip_reg->instr.operands[0].reg.value;
// see if VSP gets updated as well...
const auto mov_reg_vsp = std::find_if(
mov_reg_deref_vsp, hndlr.end(),
[&](const zydis_instr_t& instr) -> bool {
const auto& i = instr.instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].reg.value == vsp;
});
if (mov_reg_vsp != hndlr.end())
vsp = mov_reg_vsp->instr.operands[0].reg.value;
}
return vinstr_t{mnemonic_t::jmp};
}};
}

0
src/vmprofiles/sreg.cpp
Unescape View File

21
src/vmutils.cpp
Unescape View File

@ -8,7 +8,7 @@ void print(const zydis_decoded_instr_t& instr) {
std::puts(buffer); std::puts(buffer);
} }
void print(zydis_routine_t& routine) { void print(zydis_rtn_t& routine) {
char buffer[256]; char buffer[256];
for (auto [instr, raw, addr] : routine) { for (auto [instr, raw, addr] : routine) {
ZydisFormatterFormatInstruction(vm::utils::g_formatter.get(), &instr, ZydisFormatterFormatInstruction(vm::utils::g_formatter.get(), &instr,
@ -22,7 +22,7 @@ bool is_jmp(const zydis_decoded_instr_t& instr) {
instr.mnemonic <= ZYDIS_MNEMONIC_JZ; instr.mnemonic <= ZYDIS_MNEMONIC_JZ;
} }
bool flatten(zydis_routine_t& routine, bool flatten(zydis_rtn_t& routine,
std::uintptr_t routine_addr, std::uintptr_t routine_addr,
bool keep_jmps, bool keep_jmps,
std::uint32_t max_instrs, std::uint32_t max_instrs,
@ -74,9 +74,9 @@ bool flatten(zydis_routine_t& routine,
return false; return false;
} }
void deobfuscate(zydis_routine_t& routine) { void deobfuscate(zydis_rtn_t& routine) {
static const auto _uses_reg = [](zydis_decoded_operand_t& op, static const auto _uses_reg = [](zydis_decoded_operand_t& op,
zydis_register_t reg) -> bool { zydis_reg_t reg) -> bool {
switch (op.type) { switch (op.type) {
case ZYDIS_OPERAND_TYPE_MEMORY: { case ZYDIS_OPERAND_TYPE_MEMORY: {
return vm::utils::reg::compare(op.mem.base, reg) || return vm::utils::reg::compare(op.mem.base, reg) ||
@ -92,7 +92,7 @@ void deobfuscate(zydis_routine_t& routine) {
}; };
static const auto _reads = [](zydis_decoded_instr_t& instr, static const auto _reads = [](zydis_decoded_instr_t& instr,
zydis_register_t reg) -> bool { zydis_reg_t reg) -> bool {
if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && if (instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
vm::utils::reg::compare(instr.operands[0].mem.base, reg)) vm::utils::reg::compare(instr.operands[0].mem.base, reg))
return true; return true;
@ -105,7 +105,7 @@ void deobfuscate(zydis_routine_t& routine) {
}; };
static const auto _writes = [](zydis_decoded_instr_t& instr, static const auto _writes = [](zydis_decoded_instr_t& instr,
zydis_register_t reg) -> bool { zydis_reg_t reg) -> bool {
for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < instr.operand_count; ++op_idx)
// if instruction writes to the specific register... // if instruction writes to the specific register...
if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER && if (instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
@ -119,7 +119,8 @@ void deobfuscate(zydis_routine_t& routine) {
std::uint32_t last_size = 0u; std::uint32_t last_size = 0u;
static const std::vector<ZydisMnemonic> blacklist = { static const std::vector<ZydisMnemonic> blacklist = {
ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST, ZYDIS_MNEMONIC_CLC, ZYDIS_MNEMONIC_BT, ZYDIS_MNEMONIC_TEST,
ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC}; ZYDIS_MNEMONIC_CMP, ZYDIS_MNEMONIC_CMC, ZYDIS_MNEMONIC_STC,
ZYDIS_MNEMONIC_JMP};
static const std::vector<ZydisMnemonic> whitelist = { static const std::vector<ZydisMnemonic> whitelist = {
ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL, ZYDIS_MNEMONIC_PUSH, ZYDIS_MNEMONIC_POP, ZYDIS_MNEMONIC_CALL,
@ -138,7 +139,7 @@ void deobfuscate(zydis_routine_t& routine) {
break; break;
} }
zydis_register_t reg = ZYDIS_REGISTER_NONE; zydis_reg_t reg = ZYDIS_REGISTER_NONE;
// look for operands with writes to a register... // look for operands with writes to a register...
for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx) for (auto op_idx = 0u; op_idx < itr->instr.operand_count; ++op_idx)
if (itr->instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER && if (itr->instr.operands[op_idx].type == ZYDIS_OPERAND_TYPE_REGISTER &&
@ -183,11 +184,11 @@ void deobfuscate(zydis_routine_t& routine) {
} }
namespace reg { namespace reg {
zydis_register_t to64(zydis_register_t reg) { zydis_reg_t to64(zydis_reg_t reg) {
return ZydisRegisterGetLargestEnclosing(ZYDIS_MACHINE_MODE_LONG_64, reg); return ZydisRegisterGetLargestEnclosing(ZYDIS_MACHINE_MODE_LONG_64, reg);
} }
bool compare(zydis_register_t a, zydis_register_t b) { bool compare(zydis_reg_t a, zydis_reg_t b) {
return to64(a) == to64(b); return to64(a) == to64(b);
} }
} // namespace reg } // namespace reg

Write Preview
Loading…
Cancel
Save