diff --git a/include/vminstrs.hpp b/include/vminstrs.hpp index 40de027..8eaa05c 100644 --- a/include/vminstrs.hpp +++ b/include/vminstrs.hpp @@ -1,5 +1,6 @@ #pragma once #include + #include #define VIRTUAL_REGISTER_COUNT 24 @@ -239,18 +240,16 @@ struct hndlr_trace_t { /// matcher function which returns true if an instruction matches a desired /// one... /// -using matcher_t = std::function; +using matcher_t = + std::function; /// /// virtual instruction structure generator... this can update the vip and vsp /// argument... it cannot update the instruction stream (hndlr)... /// -using vinstr_gen_t = - std::function(zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr)>; +using vinstr_gen_t = std::function( + zydis_reg_t& vip, zydis_reg_t& vsp, hndlr_trace_t& hndlr)>; /// /// each virtual instruction has its own profiler_t structure which can generate @@ -412,8 +411,8 @@ profiler_t* get_profile(mnemonic_t mnemonic); // MOV REG, [VIP] #define IMM_FETCH \ - [&](const zydis_reg_t vip, const zydis_reg_t vsp, \ - const zydis_decoded_instr_t& instr) -> bool { \ + [](const zydis_reg_t vip, const zydis_reg_t vsp, \ + const zydis_decoded_instr_t& instr) -> bool { \ return vm::utils::is_mov(instr) && \ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && \ instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && \ @@ -422,8 +421,8 @@ profiler_t* get_profile(mnemonic_t mnemonic); // MOV [VSP], REG #define STR_VALUE \ - [&](const zydis_reg_t vip, const zydis_reg_t vsp, \ - const zydis_decoded_instr_t& instr) -> bool { \ + [](const zydis_reg_t vip, const zydis_reg_t vsp, \ + const zydis_decoded_instr_t& instr) -> bool { \ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && \ instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && \ instr.operands[0].mem.base == vsp && \ @@ -432,8 +431,8 @@ profiler_t* get_profile(mnemonic_t mnemonic); // MOV REG, [VSP] #define LOAD_VALUE \ - [&](const zydis_reg_t vip, const zydis_reg_t vsp, \ - const zydis_decoded_instr_t& instr) -> bool { \ + [](const zydis_reg_t vip, const zydis_reg_t vsp, \ + const zydis_decoded_instr_t& instr) -> bool { \ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && \ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && \ instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && \ @@ -442,8 +441,8 @@ profiler_t* get_profile(mnemonic_t mnemonic); // SUB VSP, OFFSET #define SUB_VSP \ - [&](const zydis_reg_t vip, const zydis_reg_t vsp, \ - const zydis_decoded_instr_t& instr) -> bool { \ + [](const zydis_reg_t vip, const zydis_reg_t vsp, \ + const zydis_decoded_instr_t& instr) -> bool { \ return instr.mnemonic == ZYDIS_MNEMONIC_SUB && \ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && \ instr.operands[0].reg.value == vsp && \ diff --git a/include/vmlocate.hpp b/include/vmlocate.hpp index f07e8da..dcb9fee 100644 --- a/include/vmlocate.hpp +++ b/include/vmlocate.hpp @@ -17,9 +17,7 @@ struct vm_enter_t { std::uint32_t encrypted_rva; }; -std::uintptr_t sigscan(void* base, - std::uint32_t size, - const char* pattern, +std::uintptr_t sigscan(void* base, std::uint32_t size, const char* pattern, const char* mask); std::vector get_vm_entries(std::uintptr_t module_base, diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index db78b39..9ec68aa 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -1,5 +1,7 @@ #pragma once +#include + #include +#include #include -#include -#include \ No newline at end of file +#include \ No newline at end of file diff --git a/include/vmutils.hpp b/include/vmutils.hpp index 7c8835f..14af5ab 100644 --- a/include/vmutils.hpp +++ b/include/vmutils.hpp @@ -1,9 +1,12 @@ #pragma once #include + #include +#include #include #include #include +#include #include #include #include @@ -46,8 +49,7 @@ inline void init() { inline bool open_binary_file(const std::string& file, std::vector& data) { std::ifstream fstr(file, std::ios::binary); - if (!fstr.is_open()) - return false; + if (!fstr.is_open()) return false; fstr.unsetf(std::ios::skipws); fstr.seekg(0, std::ios::end); @@ -117,10 +119,8 @@ bool compare(zydis_reg_t a, zydis_reg_t b); /// from... keep JCC's in the flattened /// instruction stream... returns true if flattened was /// successful... -bool flatten(zydis_rtn_t& routine, - std::uintptr_t routine_addr, - bool keep_jmps = false, - std::uint32_t max_instrs = 500, +bool flatten(zydis_rtn_t& routine, std::uintptr_t routine_addr, + bool keep_jmps = false, std::uint32_t max_instrs = 500, std::uintptr_t module_base = 0ull); /// diff --git a/src/vmlocate.cpp b/src/vmlocate.cpp index b0ceab1..49e3ff8 100644 --- a/src/vmlocate.cpp +++ b/src/vmlocate.cpp @@ -1,15 +1,13 @@ +#include #include namespace vm::locate { -std::uintptr_t sigscan(void* base, - std::uint32_t size, - const char* pattern, +std::uintptr_t sigscan(void* base, std::uint32_t size, const char* pattern, const char* mask) { static const auto check_mask = [&](const char* base, const char* pattern, const char* mask) -> bool { for (; *mask; ++base, ++pattern, ++mask) - if (*mask == 'x' && *base != *pattern) - return false; + if (*mask == 'x' && *base != *pattern) return false; return true; }; @@ -39,8 +37,7 @@ std::vector get_vm_entries(std::uintptr_t module_base, }); // skip RSP push... - if (res == rtn.end() && reg != ZYDIS_REGISTER_RSP) - return false; + if (res == rtn.end() && reg != ZYDIS_REGISTER_RSP) return false; } return true; }; @@ -50,11 +47,9 @@ std::vector get_vm_entries(std::uintptr_t module_base, PUSH_4B_IMM, PUSH_4B_MASK); zydis_rtn_t rtn; - if (!vm::utils::scn::executable(module_base, result)) - continue; + if (!vm::utils::scn::executable(module_base, result)) continue; - if (!vm::utils::flatten(rtn, result, false, 500, module_base)) - continue; + if (!vm::utils::flatten(rtn, result, false, 500, module_base)) continue; // the last instruction in the stream should be a JMP to a register or a // return instruction... @@ -93,8 +88,7 @@ std::vector get_vm_entries(std::uintptr_t module_base, > 0x7a53 : push rbx > 0x500d : push r15 */ - if (num_pushs != 1) - continue; + if (num_pushs != 1) continue; // check for a pushfq... // > 0x4926 : pushfq <--- @@ -123,8 +117,7 @@ std::vector get_vm_entries(std::uintptr_t module_base, > 0x7a53 : push rbx > 0x500d : push r15 */ - if (!push_regs(rtn)) - continue; + if (!push_regs(rtn)) continue; // check for a mov reg, rsp if (!vm::locate::find(rtn, [&](const zydis_instr_t& instr) -> bool { diff --git a/src/vmprofiles/add.cpp b/src/vmprofiles/add.cpp index fcf344f..e02e66c 100644 --- a/src/vmprofiles/add.cpp +++ b/src/vmprofiles/add.cpp @@ -7,9 +7,8 @@ profiler_t add = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [VSP+OFFSET] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,17 +16,15 @@ profiler_t add = { instr.operands[1].mem.disp.has_displacement; }, // ADD REG, REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_ADD && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // MOV [VSP+OFFSET], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp && @@ -35,22 +32,19 @@ profiler_t add = { instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // PUSHFQ - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, // POP [VSP] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::add}; // MOV REG, [VSP] diff --git a/src/vmprofiles/imul.cpp b/src/vmprofiles/imul.cpp index acf28e4..ae85155 100644 --- a/src/vmprofiles/imul.cpp +++ b/src/vmprofiles/imul.cpp @@ -7,9 +7,8 @@ profiler_t imul = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [VSP+OFFSET] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,16 +16,14 @@ profiler_t imul = { instr.operands[1].mem.disp.has_displacement; }, // IMUL REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_IMUL && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // MOV [VSP+OFFSET], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp && @@ -34,22 +31,19 @@ profiler_t imul = { instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // PUSHFQ - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, // POP [VSP] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::imul}; res.imm.has_imm = false; diff --git a/src/vmprofiles/jmp.cpp b/src/vmprofiles/jmp.cpp index 331eb53..e5385fb 100644 --- a/src/vmprofiles/jmp.cpp +++ b/src/vmprofiles/jmp.cpp @@ -7,9 +7,8 @@ profiler_t jmp = { {{// MOV REG, [VSP] LOAD_VALUE, // ADD VSP, 8 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_ADD && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == vsp && @@ -17,27 +16,24 @@ profiler_t jmp = { instr.operands[1].imm.value.u == 8; }, // MOV REG, IMM_64 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && instr.operands[1].size == 64; }, // LEA REG, [0x0] ; disp is -7... - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_LEA && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[1].mem.disp.has_displacement && instr.operands[1].mem.disp.value == -7; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { const auto& instrs = hndlr.m_instrs; const auto xchg = std::find_if( instrs.begin(), instrs.end(), [&](const emu_instr_t& instr) -> bool { @@ -76,8 +72,7 @@ profiler_t jmp = { i.operands[1].reg.value == write_dep; }); - if (mov_reg_write_dep == instrs.end()) - return {}; + if (mov_reg_write_dep == instrs.end()) return {}; vsp = mov_reg_write_dep->m_instr.operands[0].reg.value; } else { @@ -92,8 +87,7 @@ profiler_t jmp = { i.operands[1].mem.base == vsp; }); - if (mov_reg_deref_vsp == instrs.end()) - return {}; + if (mov_reg_deref_vsp == instrs.end()) return {}; // find the MOV REG, mov_reg_deref_vsp->operands[0].reg.value const auto mov_vip_reg = std::find_if( @@ -107,8 +101,7 @@ profiler_t jmp = { mov_reg_deref_vsp->m_instr.operands[0].reg.value; }); - if (mov_vip_reg == instrs.end()) - return {}; + if (mov_vip_reg == instrs.end()) return {}; vip = mov_vip_reg->m_instr.operands[0].reg.value; @@ -128,8 +121,8 @@ profiler_t jmp = { } vinstr_t res; - memset(&res, NULL, sizeof vinstr_t); res.mnemonic = mnemonic_t::jmp; + res.imm.has_imm = false; return res; }}; } \ No newline at end of file diff --git a/src/vmprofiles/lconst.cpp b/src/vmprofiles/lconst.cpp index e5532a5..8a0a9c8 100644 --- a/src/vmprofiles/lconst.cpp +++ b/src/vmprofiles/lconst.cpp @@ -10,9 +10,8 @@ profiler_t lconst = { SUB_VSP, // MOV [VSP], REG STR_VALUE}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res; res.mnemonic = mnemonic_t::lconst; res.imm.has_imm = true; diff --git a/src/vmprofiles/lreg.cpp b/src/vmprofiles/lreg.cpp index c86c50b..16ff59d 100644 --- a/src/vmprofiles/lreg.cpp +++ b/src/vmprofiles/lreg.cpp @@ -7,9 +7,8 @@ profiler_t lreg = { {{// MOV REG, [VIP] IMM_FETCH, // MOV REG, [RSP+REG] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -20,11 +19,9 @@ profiler_t lreg = { SUB_VSP, // MOV [VSP], REG STR_VALUE}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res; - memset(&res, NULL, sizeof res); res.mnemonic = mnemonic_t::lreg; res.imm.has_imm = true; res.imm.size = 8; diff --git a/src/vmprofiles/lvsp.cpp b/src/vmprofiles/lvsp.cpp index 206227b..5beece4 100644 --- a/src/vmprofiles/lvsp.cpp +++ b/src/vmprofiles/lvsp.cpp @@ -5,18 +5,16 @@ profiler_t lvsp = { "LVSP", mnemonic_t::lvsp, {{// MOV VSP, [VSP] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == vsp && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[1].mem.base == vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::svsp}; res.imm.has_imm = false; diff --git a/src/vmprofiles/nand.cpp b/src/vmprofiles/nand.cpp index abe08cf..0638a5a 100644 --- a/src/vmprofiles/nand.cpp +++ b/src/vmprofiles/nand.cpp @@ -7,9 +7,8 @@ profiler_t nand = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [VSP+OFFSET] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,24 +16,21 @@ profiler_t nand = { instr.operands[1].mem.disp.has_displacement; }, // NOT REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_NOT && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // AND REG, REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_AND && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // MOV [VSP+OFFSET], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp && @@ -42,22 +38,19 @@ profiler_t nand = { instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // PUSHFQ - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, // POP [VSP] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::nand}; res.imm.has_imm = false; diff --git a/src/vmprofiles/nop.cpp b/src/vmprofiles/nop.cpp index 5adaab2..b842836 100644 --- a/src/vmprofiles/nop.cpp +++ b/src/vmprofiles/nop.cpp @@ -5,18 +5,16 @@ profiler_t nop = { "NOP", mnemonic_t::nop, {{// LEA REG, [0x0] ; disp is -7... - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_LEA && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[1].mem.disp.has_displacement && instr.operands[1].mem.disp.value == -7; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res; res.mnemonic = mnemonic_t::nop; res.imm.has_imm = false; diff --git a/src/vmprofiles/nor.cpp b/src/vmprofiles/nor.cpp index b9db467..53bedbb 100644 --- a/src/vmprofiles/nor.cpp +++ b/src/vmprofiles/nor.cpp @@ -7,9 +7,8 @@ profiler_t nor = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [VSP+OFFSET] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,24 +16,21 @@ profiler_t nor = { instr.operands[1].mem.disp.has_displacement; }, // NOT REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_NOT && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // OR REG, REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_OR && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // MOV [VSP+OFFSET], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp && @@ -42,22 +38,19 @@ profiler_t nor = { instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // PUSHFQ - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, // POP [VSP] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::nand}; res.imm.has_imm = false; diff --git a/src/vmprofiles/read.cpp b/src/vmprofiles/read.cpp index 5bbd100..3bf26dc 100644 --- a/src/vmprofiles/read.cpp +++ b/src/vmprofiles/read.cpp @@ -7,9 +7,8 @@ profiler_t read = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [REG] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,9 +16,8 @@ profiler_t read = { }, // MOV [VSP], REG STR_VALUE}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::read}; res.imm.has_imm = false; diff --git a/src/vmprofiles/shr.cpp b/src/vmprofiles/shr.cpp index 330f48d..5b54a8e 100644 --- a/src/vmprofiles/shr.cpp +++ b/src/vmprofiles/shr.cpp @@ -7,9 +7,8 @@ profiler_t shr = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [VSP+OFFSET] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,17 +16,15 @@ profiler_t shr = { instr.operands[1].mem.disp.has_displacement; }, // SHR REG, REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_SHR && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // MOV [VSP+OFFSET], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp && @@ -35,22 +32,19 @@ profiler_t shr = { instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }, // PUSHFQ - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, // POP [VSP] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::shr}; res.imm.has_imm = false; diff --git a/src/vmprofiles/sreg.cpp b/src/vmprofiles/sreg.cpp index 5c3171f..09f2078 100644 --- a/src/vmprofiles/sreg.cpp +++ b/src/vmprofiles/sreg.cpp @@ -7,9 +7,8 @@ profiler_t sreg = { {{// MOV REG, [VSP] LOAD_VALUE, // ADD VSP, OFFSET - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_ADD && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == vsp && @@ -18,20 +17,17 @@ profiler_t sreg = { // MOV REG, [VIP] IMM_FETCH, // MOV [RSP+REG], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == ZYDIS_REGISTER_RSP && instr.operands[0].mem.index != ZYDIS_REGISTER_NONE && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res; - memset(&res, NULL, sizeof res); res.mnemonic = mnemonic_t::sreg; res.imm.has_imm = true; res.imm.size = 8; diff --git a/src/vmprofiles/svsp.cpp b/src/vmprofiles/svsp.cpp index cc2d958..7175fcf 100644 --- a/src/vmprofiles/svsp.cpp +++ b/src/vmprofiles/svsp.cpp @@ -5,36 +5,32 @@ profiler_t svsp = { "SVSP", mnemonic_t::svsp, {{// MOV REG, VSP - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].reg.value == vsp; }, // SUB VSP, OFFSET - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_SUB && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == vsp && instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE; }, // MOV [VSP], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base == vsp && instr.operands[0].mem.disp.has_displacement == false && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::lvsp}; const auto sub_vsp = std::find_if( hndlr.m_instrs.begin(), hndlr.m_instrs.end(), diff --git a/src/vmprofiles/vmexit.cpp b/src/vmprofiles/vmexit.cpp index 744f28b..05406b0 100644 --- a/src/vmprofiles/vmexit.cpp +++ b/src/vmprofiles/vmexit.cpp @@ -5,9 +5,8 @@ profiler_t vmexit = { "VMEXIT", mnemonic_t::vmexit, {{// MOV RSP, VSP - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RSP && @@ -15,129 +14,113 @@ profiler_t vmexit = { instr.operands[1].reg.value == vsp; }, // POP R13 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R13; }, // POP RCX - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RCX; }, // POP RBP - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RBP; }, // POP R8 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R8; }, // POP R15 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R15; }, // POP RDX - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RDX; }, // POP RDI - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RDI; }, // POP R11 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R11; }, // POP RAX - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RAX; }, // POP R9 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R9; }, // POP RSI - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_RSI; }, // POP R14 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R14; }, // POP R12 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R12; }, // POP R11 - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == ZYDIS_REGISTER_R11; }, // POPFQ - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_POPFQ; }, // RET - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_RET; }}}, - [&](zydis_reg_t& vip, zydis_reg_t& vsp, hndlr_trace_t& hndlr) + [](zydis_reg_t& vip, zydis_reg_t& vsp, hndlr_trace_t& hndlr) -> std::optional { return vinstr_t{mnemonic_t::vmexit}; }}; } \ No newline at end of file diff --git a/src/vmprofiles/write.cpp b/src/vmprofiles/write.cpp index 64ab737..8a6a686 100644 --- a/src/vmprofiles/write.cpp +++ b/src/vmprofiles/write.cpp @@ -7,9 +7,8 @@ profiler_t write = { {{// MOV REG, [VSP] LOAD_VALUE, // MOV REG, [VSP+OFFSET] - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY && @@ -17,27 +16,24 @@ profiler_t write = { instr.operands[1].mem.disp.has_displacement; }, // ADD VSP, OFFSET - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_ADD && instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[0].reg.value == vsp && instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE; }, // MOV [REG], REG - [&](const zydis_reg_t vip, - const zydis_reg_t vsp, - const zydis_decoded_instr_t& instr) -> bool { + [](const zydis_reg_t vip, const zydis_reg_t vsp, + const zydis_decoded_instr_t& instr) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[0].mem.base != vsp && instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[1].reg.value != vsp; }}}, - [&](zydis_reg_t& vip, - zydis_reg_t& vsp, - hndlr_trace_t& hndlr) -> std::optional { + [](zydis_reg_t& vip, zydis_reg_t& vsp, + hndlr_trace_t& hndlr) -> std::optional { vinstr_t res{mnemonic_t::write}; res.imm.has_imm = false; diff --git a/tests/vm_entry_test/README.md b/tests/vm_entry_test/README.md new file mode 100644 index 0000000..c900447 --- /dev/null +++ b/tests/vm_entry_test/README.md @@ -0,0 +1,54 @@ + +# Example Output + +``` +> 0x7f4bd5fc8f8d push 0x6CBB0520 +> 0x7f4bd5ed96a3 push r8 +> 0x7f4bd5ed96ad push r9 +> 0x7f4bd5f22602 push rdx +> 0x7f4bd5f22605 push r12 +> 0x7f4bd5f2260c push r11 +> 0x7f4bd5f22610 push rcx +> 0x7f4bd5f22619 push r10 +> 0x7f4bd5fa22d2 push rsi +> 0x7f4bd5fa22d6 push r15 +> 0x7f4bd5fa22de push rbp +> 0x7f4bd5fa22e8 push r13 +> 0x7f4bd5fa22f2 push rdi +> 0x7f4bd5fa22f3 push rbx +> 0x7f4bd5f17ade push r14 +> 0x7f4bd5f17ae6 push rax +> 0x7f4bd5f17aea pushfq +> 0x7f4bd5f786f3 mov r11, 0x7F4A95C90000 +> 0x7f4bd5f786fd push r11 +> 0x7f4bd5f78707 mov r8, [rsp+0x90] +> 0x7f4bd5f7870f not r8d +> 0x7f4bd5f78719 rol r8d, 0x01 +> 0x7f4bd5f78722 bswap r8d +> 0x7f4bd5f78725 not r8d +> 0x7f4bd5f7872f lea r8, [r8+r11*1] +> 0x7f4bd5f78733 mov r11, 0x100000000 +> 0x7f4bd5f7873f add r8, r11 +> 0x7f4bd5f7874d mov r9, rsp +> 0x7f4bd5f78753 sub rsp, 0x180 +> 0x7f4bd5f78763 and rsp, 0xFFFFFFFFFFFFFFF0 +> 0x7f4bd5f7876c mov rbx, r8 +> 0x7f4bd5f78775 mov rdx, 0x7F4A95C90000 +> 0x7f4bd5f7877f sub rbx, rdx +> 0x7f4bd5f78782 lea rbp, [0x00007F4BD5F78782] +> 0x7f4bd5f7878e sub r8, 0x04 +> 0x7f4bd5f7879a mov edx, [r8] +> 0x7f4bd5f787a1 xor edx, ebx +> 0x7f4bd5f50bcd inc edx +> 0x7f4bd5f50bd0 rol edx, 0x01 +> 0x7f4bd5f50bda add edx, 0x50DE102C +> 0x7f4bd5f50be0 rol edx, 0x03 +> 0x7f4bd5f50be4 push rbx +> 0x7f4bd5f50bee xor [rsp], edx +> 0x7f4bd5f50bf4 pop rbx +> 0x7f4bd5f50bf9 movsxd rdx, edx +> 0x7f4bd5f50c00 add rbp, rdx +> 0x7f4bd5ebab8f jmp rbp +> Starting Virtual Instruction Pointer Register: r8 +> Starting Virtual Stack Pointer Register: r9 +```