forked from vmp3/vmprofiler
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
143 lines
5.8 KiB
143 lines
5.8 KiB
#include <vminstrs.hpp>
|
|
|
|
namespace vm::instrs {
|
|
profiler_t vmexit = {
|
|
"VMEXIT",
|
|
mnemonic_t::vmexit,
|
|
{{// MOV RSP, VSP
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RSP &&
|
|
instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[1].reg.value == vsp;
|
|
},
|
|
// POP R13
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R13;
|
|
},
|
|
// POP RCX
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RCX;
|
|
},
|
|
// POP RBP
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RBP;
|
|
},
|
|
// POP R8
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R8;
|
|
},
|
|
// POP R15
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R15;
|
|
},
|
|
// POP RDX
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RDX;
|
|
},
|
|
// POP RDI
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RDI;
|
|
},
|
|
// POP R11
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R11;
|
|
},
|
|
// POP RAX
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RAX;
|
|
},
|
|
// POP R9
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R9;
|
|
},
|
|
// POP RSI
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_RSI;
|
|
},
|
|
// POP R14
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R14;
|
|
},
|
|
// POP R12
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R12;
|
|
},
|
|
// POP R11
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
|
|
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
instr.operands[0].reg.value == ZYDIS_REGISTER_R11;
|
|
},
|
|
// POPFQ
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_POPFQ;
|
|
},
|
|
// RET
|
|
[&](const zydis_reg_t vip,
|
|
const zydis_reg_t vsp,
|
|
const zydis_decoded_instr_t& instr) -> bool {
|
|
return instr.mnemonic == ZYDIS_MNEMONIC_RET;
|
|
}}},
|
|
[&](zydis_reg_t& vip, zydis_reg_t& vsp, hndlr_trace_t& hndlr)
|
|
-> std::optional<vinstr_t> { return vinstr_t{mnemonic_t::vmexit}; }};
|
|
} |