From b0126f6f48d19646f47ef4acf0058d58fb9b2a15 Mon Sep 17 00:00:00 2001
From: xtremegamer1
Date: Thu, 13 Oct 2022 19:07:05 -0600
Subject: [PATCH] Fixed handlers, added writedr7, fixed names
---
 src/vmprofiles/jmp.cpp | 13 ++++++++-----
 src/vmprofiles/shl.cpp | 2 +-
 src/vmprofiles/shld.cpp | 2 +-
 src/vmprofiles/shr.cpp | 2 +-
 src/vmprofiles/shrd.cpp | 2 +-
 src/vmprofiles/writedr7.cpp | 35 +++++++++++++++++++++++++++++++++++
 6 files changed, 47 insertions(+), 9 deletions(-)
 create mode 100644 src/vmprofiles/writedr7.cpp
diff --git a/src/vmprofiles/jmp.cpp b/src/vmprofiles/jmp.cpp
index e5385fb..07c399f 100644
--- a/src/vmprofiles/jmp.cpp
+++ b/src/vmprofiles/jmp.cpp
@@ -72,9 +72,10 @@ profiler_t jmp = {
 i.operands[1].reg.value == write_dep;
 });
 
- if (mov_reg_write_dep == instrs.end()) return {};
-
- vsp = mov_reg_write_dep->m_instr.operands[0].reg.value;
+ if (mov_reg_write_dep == instrs.end())
+ vsp = write_dep;
+ else
+ vsp = mov_reg_write_dep->m_instr.operands[0].reg.value;
 } else {
 // find the MOV REG, [VSP] instruction...
 const auto mov_reg_deref_vsp = std::find_if(
@@ -87,7 +88,8 @@ profiler_t jmp = {
 i.operands[1].mem.base == vsp;
 });
 
- if (mov_reg_deref_vsp == instrs.end()) return {};
+ if (mov_reg_deref_vsp == instrs.end())
+ return {};
 
 // find the MOV REG, mov_reg_deref_vsp->operands[0].reg.value
 const auto mov_vip_reg = std::find_if(
@@ -101,7 +103,8 @@ profiler_t jmp = {
 mov_reg_deref_vsp->m_instr.operands[0].reg.value;
 });
 
- if (mov_vip_reg == instrs.end()) return {};
+ if (mov_vip_reg == instrs.end())
+ return {};
 
 vip = mov_vip_reg->m_instr.operands[0].reg.value;
 
diff --git a/src/vmprofiles/shl.cpp b/src/vmprofiles/shl.cpp
index d5ae9b1..25b8c41 100644
--- a/src/vmprofiles/shl.cpp
+++ b/src/vmprofiles/shl.cpp
@@ -2,7 +2,7 @@
 
 namespace vm::instrs {
 profiler_t shl = {
- "SHR",
+ "SHL",
 mnemonic_t::shl,
 {{// MOV REG, [VSP]
 LOAD_VALUE,
diff --git a/src/vmprofiles/shld.cpp b/src/vmprofiles/shld.cpp
index 14a01e9..2e30622 100644
--- a/src/vmprofiles/shld.cpp
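Review bot: The new fallback `vsp = write_dep;` in the first jmp.cpp hunk turns what used to be a failed match (`return {}`) into an assumption, and nothing in the hunk says why the write-dependency register can stand in for VSP when no `MOV REG, write_dep` follows it. A one-line comment above the `if` would stop the next reader from re-adding the early return, e.g. `// No MOV REG, write_dep in the trace: assume the write-dependency register already holds VSP`. If that assumption has a checkable form in the trace (for instance the register later being used as a stack base), checking it would keep the early return for traces that match neither shape instead of emitting a guessed VSP. The enclosing lambda starts before this hunk and continues after it; the second and third hunks only reflow the existing early returns.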
+++ b/src/vmprofiles/shld.cpp
@@ -2,7 +2,7 @@
 
 namespace vm::instrs {
 profiler_t shld = {
- "SHR",
+ "SHLD",
 mnemonic_t::shld,
 {{// MOV REG, [VSP]
 LOAD_VALUE,
diff --git a/src/vmprofiles/shr.cpp b/src/vmprofiles/shr.cpp
index 5b54a8e..4a456c5 100644
--- a/src/vmprofiles/shr.cpp
+++ b/src/vmprofiles/shr.cpp
@@ -2,7 +2,7 @@
 
 namespace vm::instrs {
 profiler_t shr = {
- "SHR",
+ "SHRD",
 mnemonic_t::shr,
 {{// MOV REG, [VSP]
 LOAD_VALUE,
diff --git a/src/vmprofiles/shrd.cpp b/src/vmprofiles/shrd.cpp
index 73d4aad..14204c4 100644
--- a/src/vmprofiles/shrd.cpp
+++ b/src/vmprofiles/shrd.cpp
@@ -2,7 +2,7 @@
 
 namespace vm::instrs {
 profiler_t shrd = {
- "SHR",
+ "SHRD",
 mnemonic_t::shrd,
 {{// MOV REG, [VSP]
 LOAD_VALUE,
diff --git a/src/vmprofiles/writedr7.cpp b/src/vmprofiles/writedr7.cpp
new file mode 100644
index 0000000..2bdddd1
--- /dev/null
+++ b/src/vmprofiles/writedr7.cpp
@@ -0,0 +1,35 @@
+#include
+
+namespace vm::instrs {
+profiler_t writedr7 = {
+ "WRITEDR7",
+ mnemonic_t::writedr7,
+ {
+ // MOV REG, [VSP+OFFSET]
+ LOAD_VALUE,
+ // ADD VSP, OFFSET
+ [](const zydis_reg_t vip, const zydis_reg_t vsp,
+ const zydis_decoded_instr_t& instr) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[0].reg.value == vsp &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
+ },
+ // MOV DR7, REG
+ [](const zydis_reg_t vip, const zydis_reg_t vsp,
+ const zydis_decoded_instr_t& instr) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[0].reg.value == ZYDIS_REGISTER_DR7 &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[1].reg.value != vsp;
+ }
+ },
+ [](zydis_reg_t& vip, zydis_reg_t& vsp,
+ hndlr_trace_t& hndlr) -> std::optional {
+ vinstr_t res{mnemonic_t::write};
+ res.imm.has_imm = false;
+ return res;
+ }
+};
+}
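Review bot: The shr.cpp hunk changes the name string of `profiler_t shr` to `"SHRD"`, but the profile's mnemonic on the next line is still `mnemonic_t::shr`, so the SHR profile now carries the same display name as the SHRD profile that shrd.cpp sets to `"SHRD"` in this same commit. Anything that prints or keys on the profile name can no longer tell the two handlers apart. The line should read `+ "SHR",`. The shl.cpp and shld.cpp hunks give each profile the name matching its mnemonic, so only this one is off.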
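Review bot: In the new writedr7.cpp the result lambda builds `vinstr_t res{mnemonic_t::write};` while the profile declares itself as `mnemonic_t::writedr7` a few lines above, so a trace matched by this profile would be emitted under the generic write mnemonic rather than the one this file introduces. Unless a consumer deliberately wants DR7 writes folded into `write` (nothing on the page suggests that), the line should be `vinstr_t res{mnemonic_t::writedr7};`. The `// MOV DR7, REG` matcher would also benefit from a why-comment, since it is the reason this profile exists: `// DR7 is the hardware-breakpoint control register; a handler that loads it from the VM stack is tagged separately from an ordinary write so consumers can recognise it`. `vip`, `vsp` and `hndlr` are unused in the result lambda and `vip` in both matchers; if the project builds with unused-parameter warnings, the names can be dropped to keep the build clean.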