From 8f038fe31ef35ea22bf6ddf33bc5b3028b452fec Mon Sep 17 00:00:00 2001 From: John Doe Date: Tue, 21 Dec 2021 17:59:23 -0800 Subject: [PATCH] updated vmprofiler, starting to save register values for each instruction executed.. this way profilers can have access to those register values and extract decrypted imm's... --- .gitmodules | 3 -- cmake.toml | 3 +- deps/CMakeLists.txt | 10 ----- deps/cmake.toml | 3 +- deps/unicorn | 1 - deps/vmprofiler | 2 +- include/vmemu_t.hpp | 12 ++++-- src/main.cpp | 6 +-- src/vmemu_t.cpp | 96 ++++++++++++++++++++++++--------------------- 9 files changed, 66 insertions(+), 70 deletions(-) delete mode 160000 deps/unicorn diff --git a/.gitmodules b/.gitmodules index b7495c3..75f2d0d 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,6 +1,3 @@ [submodule "deps/vmprofiler"] path = deps/vmprofiler url = https://githacks.org/vmp3/vmprofiler.git -[submodule "deps/unicorn"] - path = deps/unicorn - url = https://github.com/unicorn-engine/unicorn.git diff --git a/cmake.toml b/cmake.toml index 1133819..194ae1e 100644 --- a/cmake.toml +++ b/cmake.toml @@ -1,5 +1,4 @@ - -[project] + [project] name = "vmemu" [subdir.deps] diff --git a/deps/CMakeLists.txt b/deps/CMakeLists.txt index 18060f9..8b8e481 100644 --- a/deps/CMakeLists.txt +++ b/deps/CMakeLists.txt @@ -16,13 +16,3 @@ endif() add_subdirectory(vmprofiler) set(CMAKE_FOLDER ${CMKR_CMAKE_FOLDER}) -# unicorn -set(CMKR_CMAKE_FOLDER ${CMAKE_FOLDER}) -if(CMAKE_FOLDER) - set(CMAKE_FOLDER "${CMAKE_FOLDER}/unicorn") -else() - set(CMAKE_FOLDER unicorn) -endif() -add_subdirectory(unicorn) -set(CMAKE_FOLDER ${CMKR_CMAKE_FOLDER}) - diff --git a/deps/cmake.toml b/deps/cmake.toml index 8a1e231..361f79b 100644 --- a/deps/cmake.toml +++ b/deps/cmake.toml @@ -1,2 +1 @@ -[subdir.vmprofiler] -[subdir.unicorn] \ No newline at end of file +[subdir.vmprofiler] \ No newline at end of file diff --git a/deps/unicorn b/deps/unicorn deleted file mode 160000 index 63a445c..0000000 --- a/deps/unicorn +++ /dev/null 
@@ -1 +0,0 @@ -Subproject commit 63a445cbba18bf1313ac3699b5d25462b5d529f4 diff --git a/deps/vmprofiler b/deps/vmprofiler index 20ad0b5..79c3695 160000 --- a/deps/vmprofiler +++ b/deps/vmprofiler @@ -1 +1 @@ -Subproject commit 20ad0b595078ebf82d977ddfb5999332b2ce0e73 +Subproject commit 79c369582866ed888741b283bd6dca6677bf3a9d diff --git a/include/vmemu_t.hpp b/include/vmemu_t.hpp index 0cc398a..a5cb0d7 100644 --- a/include/vmemu_t.hpp +++ b/include/vmemu_t.hpp @@ -12,16 +12,20 @@ namespace vm { class emu_t { public: - explicit emu_t(vm::vmctx_t* vm_ctx); - ~emu_t(); + explicit emu_t( + vm::vmctx_t* vm_ctx, + std::map* known_hndlrs); + ~emu_t(); bool init(); void emulate(); private: - uc_engine* uc_ctx; - const vm::vmctx_t* m_vm_ctx; + uc_engine* uc; + const vm::vmctx_t* m_vm; zydis_reg_t vip, vsp; + std::map* m_known_hndlrs; + std::unique_ptr cc_trace; uc_hook code_exec_hook, invalid_mem_hook, int_hook; static void int_callback(uc_engine* uc, std::uint32_t intno, emu_t* obj); diff --git a/src/main.cpp b/src/main.cpp index 0b65f1d..dcbe385 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -46,9 +46,7 @@ int __cdecl main(int argc, const char* argv[]) { return 0; } - vm::utils::init(); std::vector module_data, tmp, unpacked_bin; - if (!vm::utils::open_binary_file(parser.get("bin"), module_data)) { std::printf("[!] failed to open binary file...\n"); @@ -127,7 +125,9 @@ int __cdecl main(int argc, const char* argv[]) { return -1; } - vm::emu_t emu(&vmctx); + std::map known_hndlrs; + vm::emu_t emu(&vmctx, &known_hndlrs); + if (!emu.init()) { std::printf( "[!] failed to init vm::emu_t... read above in the console for the " diff --git a/src/vmemu_t.cpp b/src/vmemu_t.cpp index 8d3eadb..8fa68fb 100644 --- a/src/vmemu_t.cpp +++ b/src/vmemu_t.cpp 
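Review bot: `uc_engine* uc;` in the vmemu_t.hpp hunk has no initializer and the constructor rewritten in src/vmemu_t.cpp by this same patch does not set it, yet `~emu_t()` tests `if (uc) uc_close(uc);` — an emu_t destroyed before `init()` ran, or after `uc_open` failed, hands an indeterminate pointer to uc_close. Declare it `uc_engine* uc = nullptr;` (the class already carries a `std::unique_ptr` member, so a default member initializer fits the style). The new `m_known_hndlrs` raw pointer is non-owning — main() keeps the map on its own stack — so a comment such as `// non-owning; the caller keeps the map alive for this emu_t's lifetime` would stop a later maintainer from freeing it; the template arguments of both `std::map` and `std::unique_ptr` were stripped by the page rendering, so the element types cannot be checked here. The class body continues outside the hunk.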
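Review bot: Removing `vm::utils::init();` in the first main.cpp hunk is not obviously safe, because `code_exec_callback` in src/vmemu_t.cpp still decodes through `vm::utils::g_decoder.get()` and nothing in this patch shows who initializes that decoder once the explicit call is gone. If the bumped vmprofiler submodule (79c3695) now sets it up itself, record that where the call used to be, e.g. `// vm::utils::g_decoder is initialized by vmprofiler since 79c3695`; if it does not, the first code hook decodes through a null decoder. In the second hunk `known_hndlrs` is a stack-local map handed to `emu_t` by raw pointer, which only works because `emu` is declared after it in the same scope and is therefore destroyed first — a one-line comment on the declaration would make that ordering requirement explicit. main() continues outside both hunks.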
@@ -1,55 +1,60 @@ #include namespace vm { -emu_t::emu_t(vm::vmctx_t* vm_ctx) - : m_vm_ctx(vm_ctx), vip(vm_ctx->get_vip()), vsp(vm_ctx->get_vsp()) {} +emu_t::emu_t(vm::vmctx_t* vm_ctx, + std::map* known_hndlrs) + : m_vm(vm_ctx), + vip(vm_ctx->get_vip()), + vsp(vm_ctx->get_vsp()), + cc_trace(nullptr), + m_known_hndlrs(known_hndlrs) {} emu_t::~emu_t() { - if (uc_ctx) - uc_close(uc_ctx); + if (uc) + uc_close(uc); } bool emu_t::init() { uc_err err; - if ((err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc_ctx))) { + if ((err = uc_open(UC_ARCH_X86, UC_MODE_64, &uc))) { std::printf("> uc_open err = %d\n", err); return false; } - if ((err = uc_mem_map(uc_ctx, STACK_BASE, STACK_SIZE, UC_PROT_ALL))) { + if ((err = uc_mem_map(uc, STACK_BASE, STACK_SIZE, UC_PROT_ALL))) { std::printf("> uc_mem_map stack err, reason = %d\n", err); return false; } - if ((err = uc_mem_map(uc_ctx, m_vm_ctx->m_module_base, m_vm_ctx->m_image_size, + if ((err = uc_mem_map(uc, m_vm->m_module_base, m_vm->m_image_size, UC_PROT_ALL))) { std::printf("> map memory failed, reason = %d\n", err); return false; } - if ((err = uc_mem_write(uc_ctx, m_vm_ctx->m_module_base, - reinterpret_cast(m_vm_ctx->m_module_base), - m_vm_ctx->m_image_size))) { + if ((err = uc_mem_write(uc, m_vm->m_module_base, + reinterpret_cast(m_vm->m_module_base), + m_vm->m_image_size))) { std::printf("> failed to write memory... 
reason = %d\n", err); return false; } - if ((err = uc_hook_add(uc_ctx, &code_exec_hook, UC_HOOK_CODE, + if ((err = uc_hook_add(uc, &code_exec_hook, UC_HOOK_CODE, (void*)&vm::emu_t::code_exec_callback, this, - m_vm_ctx->m_module_base, - m_vm_ctx->m_module_base + m_vm_ctx->m_image_size))) { + m_vm->m_module_base, + m_vm->m_module_base + m_vm->m_image_size))) { std::printf("> uc_hook_add error, reason = %d\n", err); return false; } - if ((err = uc_hook_add(uc_ctx, &int_hook, UC_HOOK_INTR, + if ((err = uc_hook_add(uc, &int_hook, UC_HOOK_INTR, (void*)&vm::emu_t::int_callback, this, 0ull, 0ull))) { std::printf("> uc_hook_add error, reason = %d\n", err); return false; } if ((err = - uc_hook_add(uc_ctx, &invalid_mem_hook, + uc_hook_add(uc, &invalid_mem_hook, UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED | UC_HOOK_MEM_FETCH_UNMAPPED, (void*)&vm::emu_t::invalid_mem, this, true, false))) { @@ -61,21 +66,25 @@ bool emu_t::init() { void emu_t::emulate() { uc_err err; - std::uintptr_t rip = m_vm_ctx->m_vm_entry_rva + m_vm_ctx->m_module_base, + std::uintptr_t rip = m_vm->m_vm_entry_rva + m_vm->m_module_base, rsp = STACK_BASE + STACK_SIZE - PAGE_4KB; - if ((err = uc_reg_write(uc_ctx, UC_X86_REG_RSP, &rsp))) { + if ((err = uc_reg_write(uc, UC_X86_REG_RSP, &rsp))) { std::printf("> uc_reg_write error, reason = %d\n", err); return; } - if ((err = uc_reg_write(uc_ctx, UC_X86_REG_RIP, &rip))) { + if ((err = uc_reg_write(uc, UC_X86_REG_RIP, &rip))) { std::printf("> uc_reg_write error, reason = %d\n", err); return; } + cc_trace = std::make_unique(); + cc_trace->m_vip = vip; + cc_trace->m_vsp = vsp; + std::printf("> beginning execution at = %p\n", rip); - if ((err = uc_emu_start(uc_ctx, rip, 0ull, 0ull, 0ull))) { + if ((err = uc_emu_start(uc, rip, 0ull, 0ull, 0ull))) { std::printf("> error starting emu... reason = %d\n", err); return; } 
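Review bot: The rewritten constructor's initializer list still omits `uc`, and its order (`cc_trace` before `m_known_hndlrs`) does not match the declaration order in vmemu_t.hpp, so the compiler warns (-Wreorder) and members are in fact initialized in declaration order regardless. Add `uc(nullptr)` as the first initializer and list `m_known_hndlrs` before `cc_trace`; only then does the `if (uc)` guard in `~emu_t()` mean anything for an object whose `init()` never ran or whose `uc_open` failed. In the same hunk the emulator stack is mapped `UC_PROT_ALL`, i.e. executable; mapping it `UC_PROT_READ | UC_PROT_WRITE` would make uc_emu_start fail with a fetch-protection error if the emulated, untrusted VMProtect code ever redirected execution onto its stack, rather than silently running it. `init()` continues past the end of this hunk.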
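Review bot: `uc_emu_start(uc, rip, 0ull, 0ull, 0ull)` in the emulate() hunk runs the untrusted, VMProtect-packed target with neither a timeout nor an instruction limit, so a handler that loops — on purpose, or because the trace logic mis-steers `rip` — hangs the tool with no diagnostic. Pass a bound such as `uc_emu_start(uc, rip, 0ull, 0ull, kMaxInstrs)` with a generous `constexpr std::size_t kMaxInstrs`, or a timeout in the fourth argument, and report reaching it as a failure. Separately, `cc_trace = std::make_unique<...>()` on every emulate() call discards a previous trace whose `m_instrs` hold raw `uc_context*` that only code_exec_callback frees, so a second emulate() would leak them unless emu_instr_t releases its context itself, which is not visible here; and `"%p"` is handed a `std::uintptr_t` rather than a pointer — `"%" PRIxPTR` or a cast to `void*` is the portable spelling. emulate() may continue past the end of this hunk.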
@@ -118,8 +127,6 @@ bool emu_t::code_exec_callback(uc_engine* uc, emu_t* obj) { uc_err err; static thread_local zydis_decoded_instr_t instr; - static thread_local zydis_rtn_t instr_stream; - if (!ZYAN_SUCCESS(ZydisDecoderDecodeBuffer(vm::utils::g_decoder.get(), reinterpret_cast(address), PAGE_4KB, &instr))) { 
@@ -134,35 +141,36 @@ bool emu_t::code_exec_callback(uc_engine* uc, if (instr.mnemonic == ZYDIS_MNEMONIC_INVALID) return false; - instr_stream.push_back({instr}); + uc_context* cpu_ctx; + uc_context_alloc(obj->uc, &cpu_ctx); + vm::instrs::emu_instr_t emu_instr{instr, cpu_ctx}; + obj->cc_trace->m_instrs.push_back(emu_instr); + if (instr.mnemonic == ZYDIS_MNEMONIC_RET || (instr.mnemonic == ZYDIS_MNEMONIC_JMP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER)) { - // find the last mov reg, [vip] - auto fetch_offset = std::find_if( - instr_stream.rbegin(), instr_stream.rend(), - [&](const zydis_instr_t& instr) -> bool { - return instr.instr.mnemonic == ZYDIS_MNEMONIC_MOV && - instr.instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && - instr.instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.instr.operands[1].mem.base == obj->m_vm_ctx->get_vip(); - }); - - // cut off the extra stuff... - if (fetch_offset != instr_stream.rend()) - instr_stream.erase((fetch_offset + 1).base(), instr_stream.end()); - - vm::utils::deobfuscate(instr_stream); - vm::utils::print(instr_stream); - - auto vinstr = vm::instrs::determine(obj->vip, obj->vsp, instr_stream); - if (vinstr.mnemonic == vm::instrs::mnemonic_t::jmp) { - std::printf("> found jmp...\n"); + const auto vinstr = + vm::instrs::determine(obj->vip, obj->vsp, *obj->cc_trace); + + if (vinstr.mnemonic != vm::instrs::mnemonic_t::unknown) { + std::printf("> %s\n", + vm::instrs::get_profile(vinstr.mnemonic)->name.c_str()); std::getchar(); } - instr_stream.clear(); - std::printf("============\n"); + if (vinstr.mnemonic == vm::instrs::mnemonic_t::jmp) { + obj->cc_trace->m_vip = obj->vip; + obj->cc_trace->m_vsp = obj->vsp; + } + + // free the trace since we will start a new one... + std::for_each(obj->cc_trace->m_instrs.begin(), + obj->cc_trace->m_instrs.end(), + [&](const vm::instrs::emu_instr_t& instr) { + uc_context_free(instr.m_cpu); + }); + + obj->cc_trace->m_instrs.clear(); } return true; }
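Review bot: The per-instruction snapshot this commit sets out to record is never actually taken: `uc_context_alloc(obj->uc, &cpu_ctx)` only allocates the context storage and its return value is ignored, and no `uc_context_save` call appears anywhere in the hunk, so every `emu_instr_t` pushed into `cc_trace->m_instrs` carries an unfilled context unless emu_instr_t's own constructor saves it (not visible here). The profiler-side code this is meant to feed would then read stale or garbage register values when decrypting immediates. Save the state at hook time (a UC_HOOK_CODE hook fires before the instruction runs, so the snapshot is the pre-instruction register file), check both calls against the `err` already declared at the top of the function, and release the context on the failure path; note also that `uc_context_free` runs only on the RET/JMP boundary, so contexts accumulated in a trace that ends without reaching one are leaked. code_exec_callback begins in the previous hunk and its decode preamble is outside this one.
```cpp
  uc_context* cpu_ctx = nullptr;
  if ((err = uc_context_alloc(obj->uc, &cpu_ctx))) {
    std::printf("> uc_context_alloc error, reason = %d\n", err);
    return false;
  }
  // uc_context_alloc only reserves storage; the register file is captured here,
  // before the instruction at `address` executes
  if ((err = uc_context_save(obj->uc, cpu_ctx))) {
    std::printf("> uc_context_save error, reason = %d\n", err);
    uc_context_free(cpu_ctx);
    return false;
  }
  vm::instrs::emu_instr_t emu_instr{instr, cpu_ctx};
  obj->cc_trace->m_instrs.push_back(emu_instr);
  // … unchanged: RET/JMP boundary handling, profile lookup, trace reset …
```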