Manifold
/
vmprofiler
forked from vmp3/vmprofiler
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Manifold:f65c84050d39210c8057ab741b8cbaf9f1e2e17d
Branches Tags
Manifold:master
vmp3:main
..
compare: Manifold:9ae338e7d1c1b54ecb5cb2a5dc010a1801e1ccec
Branches Tags
Manifold:master
vmp3:main

No commits in common. 'f65c84050d39210c8057ab741b8cbaf9f1e2e17d' and '9ae338e7d1c1b54ecb5cb2a5dc010a1801e1ccec' have entirely different histories.
f65c84050d ... 9ae338e7d1

14 changed files with 22 additions and 29 deletions
Show Stats

1
include/uc_allocation_tracker.hpp
Unescape View File

@ -1,4 +1,3 @@
#pragma once
#include <unicorn\unicorn.h> #include <unicorn\unicorn.h>
extern int g_allocation_tracker; extern int g_allocation_tracker;

2
include/vminstrs.hpp
Unescape View File

@ -109,8 +109,6 @@ enum class vbranch_type {
/// virtual code block /// virtual code block
/// </summary> /// </summary>
struct vblk_t { struct vblk_t {
bool is_branch;
/// <summary> /// <summary>
/// start address VIP of this basic block... /// start address VIP of this basic block...
/// </summary> /// </summary>

2
src/uc_allocation_tracker.cpp
Unescape View File

@ -11,7 +11,7 @@ uc_err uct_context_alloc(uc_engine *uc, uc_context **context)
} }
uc_err uct_context_free(uc_context *context) uc_err uct_context_free(uc_context *context)
{ {
--g_allocation_tracker; +g_allocation_tracker--;
//std::printf("Allocations: %p\n", g_allocation_tracker); //std::printf("Allocations: %p\n", g_allocation_tracker);
return uc_context_free(context); return uc_context_free(context);
} }

2
src/vminstrs.cpp
Unescape View File

@ -69,7 +69,7 @@ void deobfuscate(hndlr_trace_t& trace) {
break; break;
} }
if (vm::utils::is_jmp(itr->m_instr) && itr->m_instr.operands[0].type != ZYDIS_OPERAND_TYPE_REGISTER) { if (vm::utils::is_jmp(itr->m_instr)) {
uct_context_free(itr->m_cpu); uct_context_free(itr->m_cpu);
trace.m_instrs.erase(itr); trace.m_instrs.erase(itr);
break; break;

2
src/vmprofiles/add.cpp
Unescape View File

@ -46,7 +46,6 @@ profiler_t add = {
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::add}; vinstr_t res{mnemonic_t::add};
res.imm.has_imm = false;
// MOV REG, [VSP] // MOV REG, [VSP]
const auto mov_reg_vsp = std::find_if( const auto mov_reg_vsp = std::find_if(
@ -72,6 +71,7 @@ profiler_t add = {
}); });
res.stack_size = mov_vsp_offset->m_instr.operands[1].size; res.stack_size = mov_vsp_offset->m_instr.operands[1].size;
res.imm.size = mov_reg_vsp->m_instr.operands[1].size;
return res; return res;
}}; }};
} }

8
src/vmprofiles/and.cpp
Unescape View File

@ -1,21 +1,19 @@
#include <vminstrs.hpp> #include <vminstrs.hpp>
// Loads an address and value from the stack, ands the derefed address with the value
namespace vm::instrs { namespace vm::instrs {
profiler_t _and = { profiler_t _and = {
"AND", "AND",
mnemonic_t::_and, mnemonic_t::_and,
{{// MOV REG, [VSP] This is the address {{// MOV REG, [VSP]
LOAD_VALUE, LOAD_VALUE,
// MOV REG, [VSP+8] // MOV REG, [VSP+OFFSET]
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[1].mem.base == vsp && instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement, instr.operands[1].mem.disp.has_displacement;
instr.operands[1].mem.disp.value == 8;
}, },
// AND [REG], REG // AND [REG], REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,

1
src/vmprofiles/jmp.cpp
Unescape View File

@ -142,7 +142,6 @@ profiler_t jmp = {
vinstr_t res; vinstr_t res;
res.mnemonic = mnemonic_t::jmp; res.mnemonic = mnemonic_t::jmp;
res.imm.has_imm = false; res.imm.has_imm = false;
res.stack_size = 64;
return res; return res;
}}; }};
} }

2
src/vmprofiles/lvsp.cpp
Unescape View File

@ -15,7 +15,7 @@ profiler_t lvsp = {
}}}, }}},
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::lvsp}; vinstr_t res{mnemonic_t::svsp};
res.imm.has_imm = false; res.imm.has_imm = false;
const auto load_vsp = std::find_if( const auto load_vsp = std::find_if(

4
src/vmprofiles/nand.cpp
Unescape View File

@ -21,10 +21,10 @@ profiler_t nand = {
return instr.mnemonic == ZYDIS_MNEMONIC_NOT && return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
// OR REG, REG // AND REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_OR && return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },

6
src/vmprofiles/nor.cpp
Unescape View File

@ -21,10 +21,10 @@ profiler_t nor = {
return instr.mnemonic == ZYDIS_MNEMONIC_NOT && return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
// AND REG, REG // OR REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_AND && return instr.mnemonic == ZYDIS_MNEMONIC_OR &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}, },
@ -51,7 +51,7 @@ profiler_t nor = {
}}}, }}},
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::nor}; vinstr_t res{mnemonic_t::nand};
res.imm.has_imm = false; res.imm.has_imm = false;
// MOV [VSP+OFFSET], REG // MOV [VSP+OFFSET], REG

2
src/vmprofiles/shld.cpp
Unescape View File

@ -24,7 +24,7 @@ profiler_t shld = {
instr.operands[1].mem.base == vsp && instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement; instr.operands[1].mem.disp.has_displacement;
}, },
// SHLD REG, REG // SHL REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHLD && return instr.mnemonic == ZYDIS_MNEMONIC_SHLD &&

2
src/vmprofiles/shr.cpp
Unescape View File

@ -2,7 +2,7 @@
namespace vm::instrs { namespace vm::instrs {
profiler_t shr = { profiler_t shr = {
"SHR", "SHRD",
mnemonic_t::shr, mnemonic_t::shr,
{{// MOV REG, [VSP] {{// MOV REG, [VSP]
LOAD_VALUE, LOAD_VALUE,

2
src/vmprofiles/shrd.cpp
Unescape View File

@ -24,7 +24,7 @@ profiler_t shrd = {
instr.operands[1].mem.base == vsp && instr.operands[1].mem.base == vsp &&
instr.operands[1].mem.disp.has_displacement; instr.operands[1].mem.disp.has_displacement;
}, },
// SHRD REG, REG // SHR REG, REG
[](const zydis_reg_t vip, const zydis_reg_t vsp, [](const zydis_reg_t vip, const zydis_reg_t vsp,
const zydis_decoded_instr_t& instr) -> bool { const zydis_decoded_instr_t& instr) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHRD && return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&

15
src/vmprofiles/svsp.cpp
Unescape View File

@ -31,20 +31,19 @@ profiler_t svsp = {
}}}, }}},
[](zydis_reg_t& vip, zydis_reg_t& vsp, [](zydis_reg_t& vip, zydis_reg_t& vsp,
hndlr_trace_t& hndlr) -> std::optional<vinstr_t> { hndlr_trace_t& hndlr) -> std::optional<vinstr_t> {
vinstr_t res{mnemonic_t::svsp}; vinstr_t res{mnemonic_t::lvsp};
const auto mov_vsp_reg = std::find_if( const auto sub_vsp = std::find_if(
hndlr.m_instrs.begin(), hndlr.m_instrs.end(), hndlr.m_instrs.begin(), hndlr.m_instrs.end(),
[&](emu_instr_t& instr) -> bool { [&](emu_instr_t& instr) -> bool {
const auto& i = instr.m_instr; const auto& i = instr.m_instr;
return i.mnemonic == ZYDIS_MNEMONIC_MOV && return i.mnemonic == ZYDIS_MNEMONIC_SUB &&
i.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && i.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
i.operands[0].mem.base == vsp && i.operands[0].reg.value == vsp &&
i.operands[0].mem.disp.has_displacement == false && i.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
i.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER;
}); });
res.imm.has_imm = false; res.imm.has_imm = false;
res.stack_size = mov_vsp_reg->m_instr.operands[1].size; res.stack_size = sub_vsp->m_instr.operands[1].imm.value.u;
return res; return res;
}}; }};
} }
Write Preview
Loading…
Cancel
Save