added a new vmctx which removes calc_jmp and such

3 years ago · 2e7281f900
parent 5e0e7ab06b
commit 2e7281f900
4 changed files with 65 additions and 1 deletions
--- a/.gitignore
+++ b/.gitignore
@ -4,4 +4,5 @@ build*/
 out/
 .vs/
 .cache/
-*.exe
+*.exe
+*.o
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@ -78,7 +78,9 @@ list(APPEND vmprofiler_SOURCES
 	"dependencies/vmprofiler/include/vmprofiles.hpp"
 	"dependencies/vmprofiler/include/vmutils.hpp"
 	"dependencies/vmprofiler/include/scn.hpp"
+	"src/vmctx.cpp"
 	"src/vmlocate.cpp"
+	"include/vmctx.hpp"
 	"include/vmlocate.hpp"
 	"include/vmprofiler.hpp"
 )
--- a/include/vmctx.hpp
+++ b/include/vmctx.hpp
@ -0,0 +1,42 @@
+#pragma once
+#include <transform.hpp>
+#include <vmp2.hpp>
+
+namespace vm {
+/// <summary>
+/// vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other
+/// per-vm entry information... creating a vm::ctx_t object can make it easier
+/// to pass around information pertaining to a given vm entry...
+/// </summary>
+class ctx_t {
+ public:
+  /// <summary>
+  /// default constructor for vm::ctx_t... all information for a given vm entry
+  /// must be provided...
+  /// </summary>
+  /// <param name="module_base">the linear virtual address of the module
+  /// base...</param> <param name="image_base">image base from optional nt
+  /// header... <a
+  /// href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header64">IMAGE_OPTIONAL_HEADER64</a>...</param>
+  /// <param name="image_size">image size from optional nt header... <a
+  /// href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header64">IMAGE_OPTIONAL_HEADER64</a>...</param>
+  /// <param name="vm_entry_rva">relative virtual address from the module base
+  /// address to the first push prior to a vm entry...</param>
+  explicit ctx_t(std::uintptr_t module_base, std::uintptr_t image_base,
+                 std::uintptr_t image_size, std::uintptr_t vm_entry_rva);
+
+  /// <summary>
+  /// init all per-vm entry data such as vm_entry, calc_jmp, and vm handlers...
+  /// </summary>
+  /// <returns>returns true if no errors...</returns>
+  bool init();
+
+  const std::uintptr_t module_base, image_base, vm_entry_rva, image_size;
+
+  /// <summary>
+  /// the order in which VIP advances...
+  /// </summary>
+  vmp2::exec_type_t exec_type;
+  zydis_routine_t vm_entry;
+};
+}  // namespace vm
--- a/src/vmctx.cpp
+++ b/src/vmctx.cpp
@ -0,0 +1,19 @@
+#include <vmctx.hpp>
+
+namespace vm
+{
+    ctx_t::ctx_t( std::uintptr_t module_base, std::uintptr_t image_base, std::uintptr_t image_size,
+                  std::uintptr_t vm_entry_rva )
+        : module_base( module_base ), image_base( image_base ), image_size( image_size ), vm_entry_rva( vm_entry_rva )
+    {
+    }
+
+    bool ctx_t::init()
+    {
+        if ( !vm::util::flatten( vm_entry, vm_entry_rva + module_base ) )
+            return false;
+
+        vm::util::deobfuscate( vm_entry );
+        return true;
+    }
+} // namespace vm