Manifold
/
vmprofiler
forked from vmp3/vmprofiler
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Manifold:f65c84050d39210c8057ab741b8cbaf9f1e2e17d
Branches Tags
Manifold:master
vmp3:main
...
compare: Manifold:343c7b95a4a18f119167a4f371a29cfa1624d404
Branches Tags
Manifold:master
vmp3:main

29 Commits
f65c84050d ... 343c7b95a4

Author SHA1 Message Date
xtremegamer1 343c7b95a4 fixed this fucking bullshit
2 years ago
xtremegamer1 f35a70749f changed deobfuscation to keep register jumps
2 years ago
xtremegamer1 e62c872fbe fixed svsp.cpp
2 years ago
xtremegamer1 adff58848c basically added a bool and stuff
2 years ago
xtremegamer1 09b4e52f3a ok so basicallt i
2 years ago
xtremegamer1 b6aaaaeef4 added pragma once
2 years ago
xtremegamer1 0c1b62b2ca minor fixes
2 years ago
xtremegamer1 8d124ec828 Corrected typos
2 years ago
xtremegamer1 c8695100e6 Fixed typo and fixed nor vs nand fuckup
2 years ago
xtremegamer1 1d685efa0c deleted a single line 😐
2 years ago
xtremegamer1 f40579dc0c Check for 64 bit GP
2 years ago
xtremegamer1 462157b22c Added load delta and push order
2 years ago
xtremegamer1 e74f291d56 Added or virtual instruction
2 years ago
xtremegamer1 885f987d04 Fixed vmenter location
2 years ago
xtremegamer1 dd3aeabbb0 Added a function to determine if a register is 32-bit general purpose
2 years ago
xtremegamer1 ff1790ae22 removed prints now that the memory leaks are gone
2 years ago
xtremegamer1 25c3008dc2 added my new instructions
2 years ago
xtremegamer1 512b19292c Fixed the awful generator
2 years ago
xtremegamer1 10c39981cc Hi besties 😐
2 years ago
xtremegamer1 da7292eb31 Added handlers
2 years ago
xtremegamer1 88c167bb67 FIxed handlers
2 years ago
xtremegamer1 b0126f6f48 Fixed handlers, added writedr7, fixed names
2 years ago
xtremegamer1 f253e88ec1 Added allocation tracker
2 years ago
xtremegamer1 70d797420c updated source files
2 years ago
xtremegamer1 7b13df4bf6 Added writedr7 instruction
2 years ago
xtremegamer1 0be31ec977 Added an extremely simple memory leak tracker
2 years ago
xtremegamer1 ddd58c2a98 Added some vmprofiles
2 years ago
xtremegamer1 0a8964d3ab Added some new vmprofiles
2 years ago
xtremegamer1 c39b783af8 removed profanity from commit message
2 years ago
26 changed files with 593 additions and 32 deletions
Show Stats

9
CMakeLists.txt
Unescape View File

@ -66,11 +66,20 @@ list(APPEND vmprofiler_SOURCES
"src/vmprofiles/nor.cpp"
"src/vmprofiles/read.cpp"
"src/vmprofiles/shr.cpp"
"src/vmprofiles/shrd.cpp"
"src/vmprofiles/shl.cpp"
"src/vmprofiles/shld.cpp"
"src/vmprofiles/sreg.cpp"
"src/vmprofiles/svsp.cpp"
"src/vmprofiles/vmexit.cpp"
"src/vmprofiles/write.cpp"
"src/vmprofiles/lcr0.cpp"
"src/vmprofiles/and.cpp"
"src/vmprofiles/or.cpp"
"src/vmprofiles/writedr7.cpp"
"src/vmutils.cpp"
"include/uc_allocation_tracker.hpp"
"src/uc_allocation_tracker.cpp"
"include/vmctx.hpp"
"include/vminstrs.hpp"
"include/vmlocate.hpp"

2
deps/zydis vendored

@ -1 +1 @@
Subproject commit 2a9f9c66775a4ac3d56bb163c85563df3cea7547
Subproject commit ce4a42ffaffe4a5ff615665e05177c4c69eb4683

8
include/uc_allocation_tracker.hpp
Unescape View File

@ -0,0 +1,8 @@
#pragma once
#include <unicorn\unicorn.h>
extern int g_allocation_tracker;
uc_err uct_context_alloc(uc_engine *uc, uc_context **context);
uc_err uct_context_free(uc_context *context);
void print_allocation_number();

7
include/vmctx.hpp
Unescape View File

@ -1,6 +1,7 @@
#pragma once
#include <vminstrs.hpp>
#include <vmutils.hpp>
#include <array>
namespace vm {
class vmctx_t {
@ -11,12 +12,13 @@ class vmctx_t {
std::uintptr_t vm_entry_rva);
bool init();
const std::uintptr_t m_module_base, m_image_base, m_vm_entry_rva,
m_image_size;
m_image_size, m_image_load_delta;
zydis_reg_t get_vip() const { return m_vip; }
zydis_reg_t get_vsp() const { return m_vsp; }
zydis_rtn_t get_vm_enter() const { return m_vm_entry; }
const std::array<ZydisRegister, 16>& get_vmentry_push_order() const;
private:
/// <summary>
/// m_vip and m_vsp are set to the native registers used for them by the vm
@ -29,5 +31,8 @@ class vmctx_t {
/// the virtual machine enter flattened and deobfuscated...
/// </summary>
zydis_rtn_t m_vm_entry;
//using array container instead of c-style array in order to pass by reference.
std::array<ZydisRegister, 16> vmentry_push_order;
};
} // namespace vm

22
include/vminstrs.hpp
Unescape View File

@ -16,6 +16,8 @@ enum class mnemonic_t : uint8_t {
lreg,
lconst,
add,
_or,
_and, //The fucking idiots who wrote the standard thought reserving the word "and" was appropriate
div,
idiv,
mul,
@ -31,6 +33,7 @@ enum class mnemonic_t : uint8_t {
shrd,
lvsp,
svsp,
lcr0,
writecr3,
readcr3,
writecr8,
@ -39,7 +42,8 @@ enum class mnemonic_t : uint8_t {
rdtsc,
call,
jmp,
vmexit
vmexit,
writedr7
};
/// <summary>
@ -105,6 +109,8 @@ enum class vbranch_type {
/// virtual code block
/// </summary>
struct vblk_t {
bool is_branch;
/// <summary>
/// start address VIP of this basic block...
/// </summary>
@ -286,6 +292,8 @@ extern profiler_t sreg;
extern profiler_t lreg;
extern profiler_t lconst;
extern profiler_t add;
extern profiler_t _or;
extern profiler_t _and;
extern profiler_t lvsp;
extern profiler_t svsp;
extern profiler_t nand;
@ -293,18 +301,24 @@ extern profiler_t nop;
extern profiler_t nor;
extern profiler_t read;
extern profiler_t write;
extern profiler_t lcr0;
extern profiler_t writedr7;
extern profiler_t imul;
extern profiler_t shl;
extern profiler_t shld;
extern profiler_t shr;
extern profiler_t shrd;
extern profiler_t shrd;
extern profiler_t vmexit;
/// <summary>
/// unsorted vector of profiles... they get sorted once at runtime...
/// </summary>
inline std::vector<profiler_t*> profiles = {
&vmexit, &shr, &imul, &nor, &write, &svsp, &read, &nand,
&lvsp, &add, &jmp, &sreg, &lreg, &lconst, &nop};
&vmexit, &shl, &shld, &shr, &shrd, &imul, &nor, &write, &svsp, &read,
&nand, &lvsp, &add, &jmp, &_or, &_and, &sreg, &lreg, &lcr0, &lconst, &nop, &writedr7};
/// <summary>
/// <summary>
/// no i did not make this by hand, you cannot clown upon me!
/// </summary>
inline std::map<zydis_reg_t, uc_x86_reg> reg_map = {

3
include/vmprofiler.hpp
Unescape View File

@ -4,4 +4,5 @@
#include <vmctx.hpp>
#include <vminstrs.hpp>
#include <vmlocate.hpp>
#include <vmutils.hpp>
#include <vmutils.hpp>
#include <uc_allocation_tracker.hpp>

4
include/vmutils.hpp
Unescape View File

@ -70,6 +70,10 @@ inline bool open_binary_file(const std::string& file,
/// <returns></returns>
bool is_jmp(const zydis_decoded_instr_t& instr);
bool is_32_bit_gp(const ZydisRegister reg);
bool is_64_bit_gp(const ZydisRegister reg);
/// <summary>
/// used by profiles to see if an instruction is a MOV/SX/ZX...
/// </summary>

22
src/uc_allocation_tracker.cpp
Unescape View File

@ -0,0 +1,22 @@
#include <uc_allocation_tracker.hpp>
#include <cstdio>
int g_allocation_tracker;
uc_err uct_context_alloc(uc_engine *uc, uc_context **context)
{
++g_allocation_tracker;
//std::printf("Allocations: %p\n", g_allocation_tracker);
return uc_context_alloc(uc, context);
}
uc_err uct_context_free(uc_context *context)
{
--g_allocation_tracker;
//std::printf("Allocations: %p\n", g_allocation_tracker);
return uc_context_free(context);
}
void print_allocation_number()
{
std::printf("uc_context allocations: %p\n", g_allocation_tracker);
}

41
src/vmctx.cpp
Unescape View File

@ -8,7 +8,8 @@ vmctx_t::vmctx_t(std::uintptr_t module_base,
: m_module_base(module_base),
m_image_base(image_base),
m_vm_entry_rva(vm_entry_rva),
m_image_size(image_size) {}
m_image_size(image_size),
m_image_load_delta(m_module_base - m_image_base) {}
bool vmctx_t::init() {
vm::utils::init();
@ -20,6 +21,40 @@ bool vmctx_t::init() {
vm::utils::deobfuscate(m_vm_entry);
//Get the order in which native registers are pushed
int push_index = 0;
for (const auto& instr : m_vm_entry)
{
if (instr.instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
instr.instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
vm::utils::is_64_bit_gp(instr.instr.operands[0].reg.value))
{
if (std::find(vmentry_push_order.begin(), vmentry_push_order.begin() + push_index,
instr.instr.operands[0].reg.value) != vmentry_push_order.begin() + push_index)
{
//Every register should only be pushed once
std::printf("Error initializing vmctx_t: vmenter pushes could not be parsed.\n");
vm::utils::print(m_vm_entry);
return false;
}
vmentry_push_order[push_index++] = instr.instr.operands[0].reg.value;
}
else if (instr.instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ)
{
if (std::find(vmentry_push_order.begin(), vmentry_push_order.begin() + push_index,
instr.instr.operands[0].reg.value) != vmentry_push_order.begin() + push_index)
{
// Same shit
std::printf("Error initializing vmctx_t: vmenter pushes could not be parsed.\n");
vm::utils::print(m_vm_entry);
return false;
}
vmentry_push_order[push_index++] = ZYDIS_REGISTER_RFLAGS;
}
if (push_index == 16)
break;
}
// find mov reg, [rsp+0x90]. this register will be VIP...
const auto vip_fetch = std::find_if(
m_vm_entry.begin(), m_vm_entry.end(),
@ -53,4 +88,8 @@ bool vmctx_t::init() {
m_vsp = vsp_fetch->instr.operands[0].reg.value;
return true;
}
const std::array<ZydisRegister, 16>& vm::vmctx_t::get_vmentry_push_order() const
{
return vmentry_push_order;
}
} // namespace vm

7
src/vminstrs.cpp
Unescape View File

@ -1,5 +1,5 @@
#include <vminstrs.hpp>
#include <uc_allocation_tracker.hpp>
namespace vm::instrs {
void deobfuscate(hndlr_trace_t& trace) {
static const auto _uses_reg = [](zydis_decoded_operand_t& op,
@ -64,11 +64,13 @@ void deobfuscate(hndlr_trace_t& trace) {
if (std::find(blacklist.begin(), blacklist.end(),
itr->m_instr.mnemonic) != blacklist.end()) {
uct_context_free(itr->m_cpu);
trace.m_instrs.erase(itr);
break;
}
if (vm::utils::is_jmp(itr->m_instr)) {
if (vm::utils::is_jmp(itr->m_instr) && itr->m_instr.operands[0].type != ZYDIS_OPERAND_TYPE_REGISTER) {
uct_context_free(itr->m_cpu);
trace.m_instrs.erase(itr);
break;
}
@ -111,6 +113,7 @@ void deobfuscate(hndlr_trace_t& trace) {
_writes(read_result->m_instr, reg))
continue;
uct_context_free(itr->m_cpu);
trace.m_instrs.erase(itr);
break;
}

12
src/vmlocate.cpp
Unescape View File

@ -49,6 +49,18 @@ std::vector<vm_enter_t> get_vm_entries(std::uintptr_t module_base,
zydis_rtn_t rtn;
if (!vm::utils::scn::executable(module_base, result)) continue;
// Make sure that the form of the vmenter is a jmp immediately followed by a call imm
ZydisDecodedInstruction after_push;
if (ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(vm::utils::g_decoder.get(),
(void*)(result + 5), 5, &after_push)))
{
if (after_push.mnemonic != ZYDIS_MNEMONIC_CALL ||
after_push.operands[0].type != ZYDIS_OPERAND_TYPE_IMMEDIATE)
continue;
}
else
continue;
if (!vm::utils::flatten(rtn, result, false, 500, module_base)) continue;
// the last instruction in the stream should be a JMP to a register or a

2
src/vmprofiles/add.cpp
Unescape View File

@ -46,6 +46,7 @@ profiler_t add = {
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::add};
res.imm.has_imm = false;
// MOV REG, [VSP]
const auto mov_reg_vsp = std::find_if(
@ -71,7 +72,6 @@ profiler_t add = {
});
res.stack_size = mov_vsp_offset->m_instr.operands[1].size;
res.imm.size = mov_reg_vsp->m_instr.operands[1].size;
return res;
}};
}

63
src/vmprofiles/and.cpp
Unescape View File

@ -0,0 +1,63 @@
#include <vminstrs.hpp>
// Loads an address and value from the stack, ands the derefed address with the value
namespace vm::instrs {
profiler_t _and = {
"AND",
mnemonic_t::_and,
{{// MOV REG, [VSP] This is the address
LOAD_VALUE,
// MOV REG, [VSP+8]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement,
instr.operands[1].mem.disp.value == 8;
},
// AND [REG], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base != ZYDIS_REGISTER_NONE &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// PUSHFQ
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
},
// POP [VSP]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp;
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::_and};
res.imm.has_imm = false;
// MOV REG [VSP+OFFSET]
const auto mov_vsp_offset = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return
i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[1].mem.base == vsp &&
i.operands[1].mem.disp.has_displacement;
});
if (mov_vsp_offset == hndlr.m_instrs.end())
return std::nullopt;
res.stack_size = mov_vsp_offset->m_instr.operands[0].size;
return res;
}};
}

32
src/vmprofiles/jmp.cpp
Unescape View File

@ -72,9 +72,10 @@ profiler_t jmp = {
i.operands[1].reg.value == write_dep;
});
if (mov_reg_write_dep == instrs.end()) return {};
vsp = mov_reg_write_dep->m_instr.operands[0].reg.value;
if (mov_reg_write_dep == instrs.end())
vsp = write_dep;
else
vsp = mov_reg_write_dep->m_instr.operands[0].reg.value;
} else {
// find the MOV REG, [VSP] instruction...
const auto mov_reg_deref_vsp = std::find_if(
@ -87,7 +88,8 @@ profiler_t jmp = {
i.operands[1].mem.base == vsp;
});
if (mov_reg_deref_vsp == instrs.end()) return {};
if (mov_reg_deref_vsp == instrs.end())
return {};
// find the MOV REG, mov_reg_deref_vsp->operands[0].reg.value
const auto mov_vip_reg = std::find_if(
@ -100,10 +102,27 @@ profiler_t jmp = {
i.operands[1].reg.value ==
mov_reg_deref_vsp->m_instr.operands[0].reg.value;
});
//It is possible that mov_vip_reg is actually updating the rolling key, if so use original vip
const auto load_handler_rva = std::find_if(
mov_vip_reg, instrs.end(),
[&](const emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
vm::utils::is_32_bit_gp(i.operands[0].reg.value) &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[1].mem.base ==
mov_vip_reg->m_instr.operands[0].reg.value;
});
if (mov_vip_reg == instrs.end()) return {};
if (mov_vip_reg == instrs.end())
return {};
vip = mov_vip_reg->m_instr.operands[0].reg.value;
vip = (load_handler_rva != instrs.end()) ?
mov_vip_reg->m_instr.operands[0].reg.value :
mov_vip_reg->m_instr.operands[1].reg.value;
//Ok so basically mov_vip_reg, despite its name, isn't guaranteed to be
//mov vip, reg, and can in fact be mov rkey, vip.
// see if VSP gets updated as well...
const auto mov_reg_vsp = std::find_if(
@ -123,6 +142,7 @@ profiler_t jmp = {
vinstr_t res;
res.mnemonic = mnemonic_t::jmp;
res.imm.has_imm = false;
res.stack_size = 64;
return res;
}};
}

44
src/vmprofiles/lcr0.cpp
Unescape View File

@ -0,0 +1,44 @@
#include <vminstrs.hpp>
//Loads CR0 onto the stack
namespace vm::instrs {
profiler_t lcr0 = {
"LCR0",
mnemonic_t::lcr0,
{
// MOV REG, CR0
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].reg.value == ZYDIS_REGISTER_CR0;
},
// SUB VSP, OFFSET
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[0].reg.value == vsp &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
},
// MOV [VSP], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp &&
instr.operands[0].mem.index == ZYDIS_REGISTER_NONE &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].reg.value != vsp;
}
},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::lcr0};
res.imm.has_imm = false;
res.stack_size = 64;
return res;
}
};
}

2
src/vmprofiles/lvsp.cpp
Unescape View File

@ -15,7 +15,7 @@ profiler_t lvsp = {
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::svsp};
vinstr_t res{mnemonic_t::lvsp};
res.imm.has_imm = false;
const auto load_vsp = std::find_if(

4
src/vmprofiles/nand.cpp
Unescape View File

@ -21,10 +21,10 @@ profiler_t nand = {
return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// AND REG, REG
// OR REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},

6
src/vmprofiles/nor.cpp
Unescape View File

@ -21,10 +21,10 @@ profiler_t nor = {
return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// OR REG, REG
// AND REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
@ -51,7 +51,7 @@ profiler_t nor = {
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::nand};
vinstr_t res{mnemonic_t::nor};
res.imm.has_imm = false;
// MOV [VSP+OFFSET], REG

60
src/vmprofiles/or.cpp
Unescape View File

@ -0,0 +1,60 @@
#include <vminstrs.hpp>
namespace vm::instrs {
profiler_t _or = {
"OR",
mnemonic_t::_or,
{{// MOV REG, [VSP]
LOAD_VALUE,
// MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement;
},
// OR [REG], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base != ZYDIS_REGISTER_NONE &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// PUSHFQ
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
},
// POP [VSP]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp;
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::_or};
res.imm.has_imm = false;
// MOV REG [VSP+OFFSET]
const auto reg_vsp_offset = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return
i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[1].mem.base == vsp &&
i.operands[1].mem.disp.has_displacement;
});
if (reg_vsp_offset == hndlr.m_instrs.end())
return std::nullopt;
res.stack_size = reg_vsp_offset->m_instr.operands[0].size;
return res;
}};
}

4
src/vmprofiles/read.cpp
Unescape View File

@ -26,13 +26,13 @@ profiler_t read = {
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
return i.mnemonic == ZYDIS_MNEMONIC_MOV || i.mnemonic == ZYDIS_MNEMONIC_MOVZX &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[1].mem.base != vsp;
});
res.stack_size = mov_reg_reg->m_instr.operands[0].size;
res.stack_size = mov_reg_reg->m_instr.operands[1].size;
return res;
}};
}

63
src/vmprofiles/shl.cpp
Unescape View File

@ -0,0 +1,63 @@
#include <vminstrs.hpp>
namespace vm::instrs {
profiler_t shl = {
"SHL",
mnemonic_t::shl,
{{// MOV REG, [VSP]
LOAD_VALUE,
// MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement;
},
// SHL REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHL &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// MOV [VSP+OFFSET], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp &&
instr.operands[0].mem.disp.has_displacement &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// PUSHFQ
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
},
// POP [VSP]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp;
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::shl};
res.imm.has_imm = false;
const auto shl_reg = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_SHL &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
});
res.stack_size = shl_reg->m_instr.operands[0].size;
return res;
}};
}

73
src/vmprofiles/shld.cpp
Unescape View File

@ -0,0 +1,73 @@
#include <vminstrs.hpp>
namespace vm::instrs {
profiler_t shld = {
"SHLD",
mnemonic_t::shld,
{{// MOV REG, [VSP]
LOAD_VALUE,
// MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement;
},
// MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement;
},
// SHLD REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHLD &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// MOV [VSP+OFFSET], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp &&
instr.operands[0].mem.disp.has_displacement &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// PUSHFQ
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
},
// POP [VSP]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp;
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::shld};
res.imm.has_imm = false;
const auto shld_reg = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_SHLD &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
});
res.stack_size = shld_reg->m_instr.operands[0].size;
return res;
}};
}

73
src/vmprofiles/shrd.cpp
Unescape View File

@ -0,0 +1,73 @@
#include <vminstrs.hpp>
namespace vm::instrs {
profiler_t shrd = {
"SHRD",
mnemonic_t::shrd,
{{// MOV REG, [VSP]
LOAD_VALUE,
// MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement;
},
// MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement;
},
// SHRD REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// MOV [VSP+OFFSET], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp &&
instr.operands[0].mem.disp.has_displacement &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
},
// PUSHFQ
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
},
// POP [VSP]
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[0].mem.base == vsp;
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::shrd};
res.imm.has_imm = false;
const auto shrd_reg = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_SHRD &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
});
res.stack_size = shrd_reg->m_instr.operands[0].size;
return res;
}};
}

15
src/vmprofiles/svsp.cpp
Unescape View File

@ -31,19 +31,20 @@ profiler_t svsp = {
}}},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::lvsp};
const auto sub_vsp = std::find_if(
vinstr_t res{mnemonic_t::svsp};
const auto mov_vsp_reg = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_SUB &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[0].reg.value == vsp &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
return i.mnemonic == ZYDIS_MNEMONIC_MOV &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
i.operands[0].mem.base == vsp &&
i.operands[0].mem.disp.has_displacement == false &&
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
});
res.imm.has_imm = false;
res.stack_size = sub_vsp->m_instr.operands[1].imm.value.u;
res.stack_size = mov_vsp_reg->m_instr.operands[1].size;
return res;
}};
}

37
src/vmprofiles/writedr7.cpp
Unescape View File

@ -0,0 +1,37 @@
#include <vminstrs.hpp>
//Write value on top of stack to dr7
namespace vm::instrs {
profiler_t writedr7 = {
"WRITEDR7",
mnemonic_t::writedr7,
{
// MOV REG, [VSP+OFFSET]
LOAD_VALUE,
// ADD VSP, OFFSET
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[0].reg.value == vsp &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
},
// MOV DR7, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[0].reg.value == ZYDIS_REGISTER_DR7 &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].reg.value != vsp;
}
},
[](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::writedr7};
res.stack_size == 64;
res.imm.has_imm = false;
return res;
}
};
}

10
src/vmutils.cpp
Unescape View File

@ -28,6 +28,16 @@ bool is_mov(const zydis_decoded_instr_t& instr) {
instr.mnemonic == ZYDIS_MNEMONIC_MOVZX;
}
bool is_32_bit_gp(const ZydisRegister reg)
{
return reg >= ZYDIS_REGISTER_EAX && reg <= ZYDIS_REGISTER_R15D;
}
bool is_64_bit_gp(const ZydisRegister reg)
{
return reg >= ZYDIS_REGISTER_RAX && reg <= ZYDIS_REGISTER_R15;
}
bool flatten(zydis_rtn_t& routine,
std::uintptr_t routine_addr,
bool keep_jmps,

Write Preview
Loading…
Cancel
Save