vmp2
/
um-hook
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added cli-parser to dependencies, renamed vmtracer to vmhook..

Browse Source
master
_xeroxz 3 years ago
parent aa1616323d
commit 5fb01835d7
12 changed files with 54 additions and 869 deletions
Show Stats Download Patch File Download Diff File

9
.gitmodules vendored
Unescape View File

@ -1,3 +1,6 @@
[submodule "dependencies/vmtracer"]
path = dependencies/vmtracer
url = https://githacks.org/vmp2/vmtracer.git
[submodule "dependencies/vmhook"]
path = dependencies/vmhook
url = https://githacks.org/vmp2/vmhook.git
[submodule "dependencies/cli-parser"]
path = dependencies/cli-parser
url = https://githacks.org/_xeroxz/cli-parser.git

1
dependencies/cli-parser vendored

@ -0,0 +1 @@
Subproject commit 1aedaf8bb7f383f54b7cd498767611535526da85

1
dependencies/vmhook vendored

@ -0,0 +1 @@
Subproject commit 38ead0fa5c169151ed511a7e6cbe41332d4d9f3a

1
dependencies/vmtracer vendored

@ -1 +0,0 @@
Subproject commit 2130f86ea886b5a8b81d368b3b6a6f2412c37194

26
src/demo.sln → src/um-hook.sln
Unescape View File

@ -3,29 +3,43 @@ Microsoft Visual Studio Solution File, Format Version 12.00
# Visual Studio Version 16
VisualStudioVersion = 16.0.30907.101
MinimumVisualStudioVersion = 10.0.40219.1
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "um-tracer", "um-tracer\um-tracer.vcxproj", "{3F97516B-DC38-4C7F-857B-0B2D4E079208}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmptest", "vmptest\vmptest.vcxproj", "{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmtracer", "..\dependencies\vmtracer\src\vmtracer.vcxproj", "{D257C9F6-C705-49D5-84ED-64C9C513C419}"
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmhook", "..\dependencies\vmhook\src\vmhook.vcxproj", "{D257C9F6-C705-49D5-84ED-64C9C513C419}"
EndProject
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "um-hook", "um-hook\um-hook.vcxproj", "{3F97516B-DC38-4C7F-857B-0B2D4E079208}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|x64 = Debug|x64
Debug|x86 = Debug|x86
Release|x64 = Release|x64
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.ActiveCfg = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.Build.0 = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x86.ActiveCfg = Release|x64
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x64.ActiveCfg = Debug|x64
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x64.Build.0 = Debug|x64
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x86.ActiveCfg = Debug|Win32
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x86.Build.0 = Debug|Win32
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x64.ActiveCfg = Release|x64
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x64.Build.0 = Release|x64
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x86.ActiveCfg = Release|Win32
{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x86.Build.0 = Release|Win32
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x64.ActiveCfg = Debug|x64
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x64.Build.0 = Debug|x64
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x86.ActiveCfg = Debug|Win32
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x86.Build.0 = Debug|Win32
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x64.ActiveCfg = Release|x64
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x64.Build.0 = Release|x64
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x86.ActiveCfg = Release|Win32
{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x86.Build.0 = Release|Win32
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x64.ActiveCfg = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x64.Build.0 = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x86.ActiveCfg = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x86.Build.0 = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.ActiveCfg = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.Build.0 = Release|x64
{3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x86.ActiveCfg = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE

0
src/um-tracer/lconstbzx.asm → src/um-hook/lconstbzx.asm
Unescape View File

86
src/um-tracer/main.cpp → src/um-hook/main.cpp
Unescape View File

@ -2,9 +2,8 @@
#include <Windows.h>
#include <fstream>
#include <filesystem>
#include "vmtracer.hpp"
#include "vmp2.hpp"
#include "cli-parser.hpp"
#include <vmhook.hpp>
#include <cli-parser.hpp>
extern "C" void __lconstbzx(void);
extern "C" u64 __mbase;
@ -13,13 +12,10 @@ extern "C" u64 __mbase;
reinterpret_cast<PIMAGE_NT_HEADERS64>( \
reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew + x)
inline std::vector<vmp2::entry_t> traces;
inline vmp2::file_header trace_header;
int __cdecl main(int argc, const char** argv)
{
argparse::argument_parser_t parser(
"um-tracer", "usermode virtual instruction tracer");
"um-hook", "usermode virtual instruction hook demo");
parser.add_argument()
.names({ "--bin", "--vmpbin" })
@ -36,11 +32,6 @@ int __cdecl main(int argc, const char** argv)
.description("image base from OptionalHeader::ImageBase")
.required(true);
parser.add_argument()
.names({ "--out", "--output" })
.description("name and/or path to output file")
.required(true);
parser.enable_help();
auto err = parser.parse(argc, argv);
@ -138,73 +129,22 @@ int __cdecl main(int argc, const char** argv)
*/
vm::handler::table_t handler_table(handler_table_ptr, _edit_entry);
// set all vm handler callbacks to just
// print the rolling decrypt key and handler idx...
for (auto idx = 0u; idx < 256; ++idx)
{
handler_table.set_callback(idx,
[](vm::registers* regs, u8 handler_idx) -> void
{
vmp2::entry_t entry;
entry.decrypt_key = regs->rbx;
entry.handler_idx = handler_idx;
entry.vip = regs->rsi;
memcpy(&entry.regs, &regs->r15, sizeof entry.regs);
memcpy(&entry.vregs, (void*)regs->rdi, sizeof entry.vregs);
for (auto idx = 0u; idx < sizeof(entry.vsp) / 8; ++idx)
entry.vsp.qword[idx] = reinterpret_cast<u64*>(regs->rbp)[idx];
traces.push_back(entry);
std::printf("> TID = %d, handler idx = %d, decryption key = 0x%p\n",
GetCurrentThreadId(), handler_idx, regs->rbx);
}
);
}
vm::tracer_t tracer(
module_base,
image_base,
_decrypt_handler,
_encrypt_handler,
&handler_table
);
vm::hook_t vmhook(module_base, image_base,
_decrypt_handler, _encrypt_handler, &handler_table);
// change vm handler 0x55 (LCONSTBZX) to our implimentation of it...
auto _meta_data = handler_table.get_meta_data(0x55);
_meta_data.virt = reinterpret_cast<u64>(&__lconstbzx);
handler_table.set_meta_data(0x55, _meta_data);
std::ofstream vmp2_file(parser.get<std::string>("out"), std::ios::binary);
memcpy(&trace_header.magic, "VMP2", sizeof "VMP2" - 1);
trace_header.epoch_time = time(nullptr);
trace_header.entry_offset = sizeof trace_header;
trace_header.advancement = vmp2::exec_type_t::forward;
trace_header.version = vmp2::version_t::v1;
trace_header.module_base = module_base;
// patch vm handler table...
tracer.start();
// call entry point...
auto result = reinterpret_cast<int (*)()>(
NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint + module_base)();
std::printf("result = %d\n", result);
// unpatch vm handler table...
tracer.stop();
// write vmp2 file to disk...
trace_header.entry_count = traces.size();
vmp2_file.write((char*)&trace_header, sizeof trace_header);
for (auto& trace : traces)
vmp2_file.write((char*)&trace, sizeof trace);
vmhook.start();
{
// call entry point...
auto result = reinterpret_cast<int (*)()>(
NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint + module_base)();
vmp2_file.close();
std::printf("> finished vm trace...\n");
std::getchar();
std::printf("result = %d\n", result);
}
vmhook.stop();
}

12
src/um-tracer/um-tracer.vcxproj → src/um-hook/um-hook.vcxproj
Unescape View File

@ -12,7 +12,7 @@
<ProjectGuid>{3f97516b-dc38-4c7f-857b-0b2d4e079208}</ProjectGuid>
<RootNamespace>vmtracer</RootNamespace>
<WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
<ProjectName>um-tracer</ProjectName>
<ProjectName>um-hook</ProjectName>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
@ -34,6 +34,7 @@
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<IncludePath>$(ProjectDir)..\..\dependencies\cli-parser\;$(ProjectDir)..\..\dependencies\vmhook\include;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -57,15 +58,14 @@
<ClCompile Include="main.cpp" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="cli-parser.hpp" />
<ClInclude Include="vmp2.hpp" />
<ClInclude Include="vmtracer.hpp" />
<MASM Include="lconstbzx.asm" />
</ItemGroup>
<ItemGroup>
<MASM Include="lconstbzx.asm" />
<ClInclude Include="..\..\dependencies\cli-parser\cli-parser.hpp" />
<ClInclude Include="..\..\dependencies\vmhook\include\vmhook.hpp" />
</ItemGroup>
<ItemGroup>
<ProjectReference Include="..\..\dependencies\vmtracer\src\vmtracer.vcxproj">
<ProjectReference Include="..\..\dependencies\vmhook\src\vmhook.vcxproj">
<Project>{d257c9f6-c705-49d5-84ed-64c9c513c419}</Project>
</ProjectReference>
</ItemGroup>

17
src/um-tracer/um-tracer.vcxproj.filters → src/um-hook/um-hook.vcxproj.filters
Unescape View File

@ -16,19 +16,16 @@
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="vmtracer.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="vmp2.hpp">
<MASM Include="lconstbzx.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\..\dependencies\cli-parser\cli-parser.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="cli-parser.hpp">
<ClInclude Include="..\..\dependencies\vmhook\include\vmhook.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<MASM Include="lconstbzx.asm">
<Filter>Source Files</Filter>
</MASM>
</ItemGroup>
</Project>

580
src/um-tracer/cli-parser.hpp
Unescape View File

@ -1,580 +0,0 @@
/**
* License: Apache 2.0 with LLVM Exception or GPL v3
*
* Author: Jesse Laning
*/
#ifndef ARGPARSE_H
#define ARGPARSE_H
#include <algorithm>
#include <cctype>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <locale>
#include <map>
#include <numeric>
#include <sstream>
#include <stdexcept>
#include <string>
#include <unordered_map>
#include <vector>
namespace argparse {
namespace detail {
static inline bool _not_space(int ch) { return !std::isspace(ch); }
static inline void _ltrim(std::string& s, bool (*f)(int) = _not_space) {
s.erase(s.begin(), std::find_if(s.begin(), s.end(), f));
}
static inline void _rtrim(std::string& s, bool (*f)(int) = _not_space) {
s.erase(std::find_if(s.rbegin(), s.rend(), f).base(), s.end());
}
static inline void _trim(std::string& s, bool (*f)(int) = _not_space) {
_ltrim(s, f);
_rtrim(s, f);
}
static inline std::string _ltrim_copy(std::string s,
bool (*f)(int) = _not_space) {
_ltrim(s, f);
return s;
}
static inline std::string _rtrim_copy(std::string s,
bool (*f)(int) = _not_space) {
_rtrim(s, f);
return s;
}
static inline std::string _trim_copy(std::string s,
bool (*f)(int) = _not_space) {
_trim(s, f);
return s;
}
template <typename InputIt>
static inline std::string _join(InputIt begin, InputIt end,
const std::string& separator = " ") {
std::ostringstream ss;
if (begin != end) {
ss << *begin++;
}
while (begin != end) {
ss << separator;
ss << *begin++;
}
return ss.str();
}
static inline bool _is_number(const std::string& arg) {
std::istringstream iss(arg);
float f;
iss >> std::noskipws >> f;
return iss.eof() && !iss.fail();
}
static inline int _find_equal(const std::string& s) {
for (size_t i = 0; i < s.length(); ++i) {
// if find graph symbol before equal, end search
// i.e. don't accept --asd)f=0 arguments
// but allow --asd_f and --asd-f arguments
if (std::ispunct(static_cast<int>(s[i]))) {
if (s[i] == '=') {
return static_cast<int>(i);
}
else if (s[i] == '_' || s[i] == '-') {
continue;
}
return -1;
}
}
return -1;
}
static inline size_t _find_name_end(const std::string& s) {
size_t i;
for (i = 0; i < s.length(); ++i) {
if (std::ispunct(static_cast<int>(s[i]))) {
break;
}
}
return i;
}
namespace is_vector_impl {
template <typename T>
struct is_vector : std::false_type {};
template <typename... Args>
struct is_vector<std::vector<Args...>> : std::true_type {};
} // namespace is_vector_impl
// type trait to utilize the implementation type traits as well as decay the
// type
template <typename T>
struct is_vector {
static constexpr bool const value =
is_vector_impl::is_vector<typename std::decay<T>::type>::value;
};
} // namespace detail
class argument_parser_t {
private:
public:
class Argument;
class Result {
public:
Result() {}
Result(std::string err) noexcept : _error(true), _what(err) {}
operator bool() const { return _error; }
friend std::ostream& operator<<(std::ostream& os, const Result& dt);
const std::string& what() const { return _what; }
private:
bool _error{ false };
std::string _what{};
};
class Argument {
public:
enum Position : int { LAST = -1, DONT_CARE = -2 };
enum Count : int { ANY = -1 };
Argument& name(const std::string& name) {
_names.push_back(name);
return *this;
}
Argument& names(std::vector<std::string> names) {
_names.insert(_names.end(), names.begin(), names.end());
return *this;
}
Argument& description(const std::string& description) {
_desc = description;
return *this;
}
Argument& required(bool req) {
_required = req;
return *this;
}
Argument& position(int position) {
if (position != Position::LAST) {
// position + 1 because technically argument zero is the name of the
// executable
_position = position + 1;
}
else {
_position = position;
}
return *this;
}
Argument& count(int count) {
_count = count;
return *this;
}
bool found() const { return _found; }
template <typename T>
typename std::enable_if<detail::is_vector<T>::value, T>::type get() {
T t = T();
typename T::value_type vt;
for (auto& s : _values) {
std::istringstream in(s);
in >> vt;
t.push_back(vt);
}
return t;
}
template <typename T>
typename std::enable_if<!detail::is_vector<T>::value, T>::type get() {
std::istringstream in(get<std::string>());
T t = T();
in >> t >> std::ws;
return t;
}
private:
Argument(const std::string& name, const std::string& desc,
bool required = false)
: _desc(desc), _required(required) {
_names.push_back(name);
}
Argument() {}
friend class argument_parser_t;
int _position{ Position::DONT_CARE };
int _count{ Count::ANY };
std::vector<std::string> _names{};
std::string _desc{};
bool _found{ false };
bool _required{ false };
int _index{ -1 };
std::vector<std::string> _values{};
};
argument_parser_t(std::string bin, std::string desc)
: _bin(bin), _desc(desc) {}
Argument& add_argument() {
_arguments.push_back({});
_arguments.back()._index = static_cast<int>(_arguments.size()) - 1;
return _arguments.back();
}
Argument& add_argument(const std::string& name, const std::string& long_name,
const std::string& desc, const bool required = false) {
_arguments.push_back(Argument(name, desc, required));
_arguments.back()._names.push_back(long_name);
_arguments.back()._index = static_cast<int>(_arguments.size()) - 1;
return _arguments.back();
}
Argument& add_argument(const std::string& name, const std::string& desc,
const bool required = false) {
_arguments.push_back(Argument(name, desc, required));
_arguments.back()._index = static_cast<int>(_arguments.size()) - 1;
return _arguments.back();
}
void print_help(size_t count = 0, size_t page = 0) {
if (page * count > _arguments.size()) {
return;
}
if (page == 0) {
std::cout << "Usage: " << _bin;
if (_positional_arguments.empty()) {
std::cout << " [options...]" << std::endl;
}
else {
int current = 1;
for (auto& v : _positional_arguments) {
if (v.first != Argument::Position::LAST) {
for (; current < v.first; current++) {
std::cout << " [" << current << "]";
}
std::cout
<< " ["
<< detail::_ltrim_copy(
_arguments[static_cast<size_t>(v.second)]._names[0],
[](int c) -> bool { return c != static_cast<int>('-'); })
<< "]";
}
}
auto it = _positional_arguments.find(Argument::Position::LAST);
if (it == _positional_arguments.end()) {
std::cout << " [options...]";
}
else {
std::cout
<< " [options...] ["
<< detail::_ltrim_copy(
_arguments[static_cast<size_t>(it->second)]._names[0],
[](int c) -> bool { return c != static_cast<int>('-'); })
<< "]";
}
std::cout << std::endl;
}
std::cout << "Options:" << std::endl;
}
if (count == 0) {
page = 0;
count = _arguments.size();
}
for (size_t i = page * count;
i < std::min<size_t>(page * count + count, _arguments.size()); i++) {
Argument& a = _arguments[i];
std::string name = a._names[0];
for (size_t n = 1; n < a._names.size(); ++n) {
name.append(", " + a._names[n]);
}
std::cout << " " << std::setw(23) << std::left << name << std::setw(23)
<< a._desc;
if (a._required) {
std::cout << " (Required)";
}
std::cout << std::endl;
}
}
Result parse(int argc, const char* argv[]) {
Result err;
if (argc > 1) {
// build name map
for (auto& a : _arguments) {
for (auto& n : a._names) {
std::string name = detail::_ltrim_copy(
n, [](int c) -> bool { return c != static_cast<int>('-'); });
if (_name_map.find(name) != _name_map.end()) {
return Result("Duplicate of argument name: " + n);
}
_name_map[name] = a._index;
}
if (a._position >= 0 || a._position == Argument::Position::LAST) {
_positional_arguments[a._position] = a._index;
}
}
if (err) {
return err;
}
// parse
std::string current_arg;
size_t arg_len;
for (int argv_index = 1; argv_index < argc; ++argv_index) {
current_arg = std::string(argv[argv_index]);
arg_len = current_arg.length();
if (arg_len == 0) {
continue;
}
if (_help_enabled && (current_arg == "-h" || current_arg == "--help")) {
_arguments[static_cast<size_t>(_name_map["help"])]._found = true;
}
else if (argv_index == argc - 1 &&
_positional_arguments.find(Argument::Position::LAST) !=
_positional_arguments.end()) {
err = _end_argument();
Result b = err;
err = _add_value(current_arg, Argument::Position::LAST);
if (b) {
return b;
}
if (err) {
return err;
}
}
else if (arg_len >= 2 &&
!detail::_is_number(current_arg)) { // ignores the case if
// the arg is just a -
// look for -a (short) or --arg (long) args
if (current_arg[0] == '-') {
err = _end_argument();
if (err) {
return err;
}
// look for --arg (long) args
if (current_arg[1] == '-') {
err = _begin_argument(current_arg.substr(2), true, argv_index);
if (err) {
return err;
}
}
else { // short args
err = _begin_argument(current_arg.substr(1), false, argv_index);
if (err) {
return err;
}
}
}
else { // argument value
err = _add_value(current_arg, argv_index);
if (err) {
return err;
}
}
}
else { // argument value
err = _add_value(current_arg, argv_index);
if (err) {
return err;
}
}
}
}
if (_help_enabled && exists("help")) {
return Result();
}
err = _end_argument();
if (err) {
return err;
}
for (auto& p : _positional_arguments) {
Argument& a = _arguments[static_cast<size_t>(p.second)];
if (a._values.size() > 0 && a._values[0][0] == '-') {
std::string name = detail::_ltrim_copy(a._values[0], [](int c) -> bool {
return c != static_cast<int>('-');
});
if (_name_map.find(name) != _name_map.end()) {
if (a._position == Argument::Position::LAST) {
return Result(
"Poisitional argument expected at the end, but argument " +
a._values[0] + " found instead");
}
else {
return Result("Poisitional argument expected in position " +
std::to_string(a._position) + ", but argument " +
a._values[0] + " found instead");
}
}
}
}
for (auto& a : _arguments) {
if (a._required && !a._found) {
return Result("Required argument not found: " + a._names[0]);
}
if (a._position >= 0 && argc >= a._position && !a._found) {
return Result("Argument " + a._names[0] + " expected in position " +
std::to_string(a._position));
}
}
return Result();
}
void enable_help() {
add_argument("-h", "--help", "Shows this page", false);
_help_enabled = true;
}
bool exists(const std::string& name) const {
std::string n = detail::_ltrim_copy(
name, [](int c) -> bool { return c != static_cast<int>('-'); });
auto it = _name_map.find(n);
if (it != _name_map.end()) {
return _arguments[static_cast<size_t>(it->second)]._found;
}
return false;
}
template <typename T>
T get(const std::string& name) {
auto t = _name_map.find(name);
if (t != _name_map.end()) {
return _arguments[static_cast<size_t>(t->second)].get<T>();
}
return T();
}
private:
Result _begin_argument(const std::string& arg, bool longarg, int position) {
auto it = _positional_arguments.find(position);
if (it != _positional_arguments.end()) {
Result err = _end_argument();
Argument& a = _arguments[static_cast<size_t>(it->second)];
a._values.push_back((longarg ? "--" : "-") + arg);
a._found = true;
return err;
}
if (_current != -1) {
return Result("Current argument left open");
}
size_t name_end = detail::_find_name_end(arg);
std::string arg_name = arg.substr(0, name_end);
if (longarg) {
int equal_pos = detail::_find_equal(arg);
auto nmf = _name_map.find(arg_name);
if (nmf == _name_map.end()) {
return Result("Unrecognized command line option '" + arg_name + "'");
}
_current = nmf->second;
_arguments[static_cast<size_t>(nmf->second)]._found = true;
if (equal_pos == 0 ||
(equal_pos < 0 &&
arg_name.length() < arg.length())) { // malformed argument
return Result("Malformed argument: " + arg);
}
else if (equal_pos > 0) {
std::string arg_value = arg.substr(name_end + 1);
_add_value(arg_value, position);
}
}
else {
Result r;
if (arg_name.length() == 1) {
return _begin_argument(arg, true, position);
}
else {
for (char& c : arg_name) {
r = _begin_argument(std::string(1, c), true, position);
if (r) {
return r;
}
r = _end_argument();
if (r) {
return r;
}
}
}
}
return Result();
}
Result _add_value(const std::string& value, int location) {
if (_current >= 0) {
Result err;
Argument& a = _arguments[static_cast<size_t>(_current)];
if (a._count >= 0 && static_cast<int>(a._values.size()) >= a._count) {
err = _end_argument();
if (err) {
return err;
}
goto unnamed;
}
a._values.push_back(value);
if (a._count >= 0 && static_cast<int>(a._values.size()) >= a._count) {
err = _end_argument();
if (err) {
return err;
}
}
return Result();
}
else {
unnamed:
auto it = _positional_arguments.find(location);
if (it != _positional_arguments.end()) {
Argument& a = _arguments[static_cast<size_t>(it->second)];
a._values.push_back(value);
a._found = true;
}
// TODO
return Result();
}
}
Result _end_argument() {
if (_current >= 0) {
Argument& a = _arguments[static_cast<size_t>(_current)];
_current = -1;
if (static_cast<int>(a._values.size()) < a._count) {
return Result("Too few arguments given for " + a._names[0]);
}
if (a._count >= 0) {
if (static_cast<int>(a._values.size()) > a._count) {
return Result("Too many arguments given for " + a._names[0]);
}
}
}
return Result();
}
bool _help_enabled{ false };
int _current{ -1 };
std::string _bin{};
std::string _desc{};
std::vector<Argument> _arguments{};
std::map<int, int> _positional_arguments{};
std::map<std::string, int> _name_map{};
};
std::ostream& operator<<(std::ostream& os, const argument_parser_t::Result& r) {
os << r.what();
return os;
}
template <>
inline std::string argument_parser_t::Argument::get<std::string>() {
return detail::_join(_values.begin(), _values.end());
}
template <>
inline std::vector<std::string>
argument_parser_t::Argument::get<std::vector<std::string>>() {
return _values;
}
} // namespace argparse
#endif

72
src/um-tracer/vmp2.hpp
Unescape View File

@ -1,72 +0,0 @@
#pragma once
#include "vmtracer.hpp"
namespace vmp2
{
enum class exec_type_t
{
forward,
backward
};
enum class version_t
{
invalid,
v1 = 0x101
};
struct file_header
{
u32 magic; // VMP2!
u64 epoch_time;
u64 module_base;
exec_type_t advancement;
version_t version;
u32 entry_count;
u32 entry_offset;
};
struct entry_t
{
u8 handler_idx;
u64 decrypt_key;
u64 vip;
union
{
struct
{
u64 r15;
u64 r14;
u64 r13;
u64 r12;
u64 r11;
u64 r10;
u64 r9;
u64 r8;
u64 rbp;
u64 rdi;
u64 rsi;
u64 rdx;
u64 rcx;
u64 rbx;
u64 rax;
u64 rflags;
};
u64 raw[16];
} regs;
union
{
u64 qword[0x28];
u8 raw[0x140];
} vregs;
union
{
u64 qword[0x20];
u8 raw[0x100];
} vsp;
};
}

118
src/um-tracer/vmtracer.hpp
Unescape View File

@ -1,118 +0,0 @@
#pragma once
#include <cstdint>
#include <xmmintrin.h>
using u8 = unsigned char;
using u16 = unsigned short;
using u32 = unsigned int;
using u64 = unsigned long long;
using u128 = __m128;
extern "C" void __vtrap(void);
namespace vm
{
typedef struct _registers
{
u128 xmm0;
u128 xmm1;
u128 xmm2;
u128 xmm3;
u128 xmm4;
u128 xmm5;
u128 xmm6;
u128 xmm7;
u128 xmm8;
u128 xmm9;
u128 xmm10;
u128 xmm11;
u128 xmm12;
u128 xmm13;
u128 xmm14;
u128 xmm15;
u64 gap0;
u64 r15;
u64 r14;
u64 r13;
u64 r12;
u64 r11;
u64 r10;
u64 r9;
u64 r8;
u64 rbp;
u64 rdi;
u64 rsi;
u64 rdx;
u64 rcx;
u64 rbx;
u64 rax;
u64 rflags;
u64 vm_handler;
} registers, * pregisters;
using decrypt_handler_t = u64(*)(u64);
using encrypt_handler_t = u64(*)(u64);
namespace handler
{
// these lambdas handle page protections...
using edit_entry_t = void (*)(u64*, u64);
using entry_callback_t = void (*)(vm::registers* regs, u8 handler_idx);
struct entry_t
{
u64 virt;
u64 encrypted;
u64 decrypted;
entry_callback_t callback;
};
class table_t
{
public:
explicit table_t(u64* table_addr, edit_entry_t edit_entry);
u64 get_entry(u8 idx) const;
entry_t get_meta_data(u8 idx) const;
void set_entry(u8 idx, u64 entry);
void set_meta_data(u8 idx, const entry_t& entry);
void set_callback(u8 idx, entry_callback_t callback);
private:
u64* table_addr;
edit_entry_t edit_entry;
entry_t handlers[256];
};
}
class tracer_t
{
public:
explicit tracer_t(
u64 module_base,
u64 image_base,
decrypt_handler_t decrypt_handler,
encrypt_handler_t encrypt_handler,
vm::handler::table_t* vm_handler_table
);
u64 encrypt(u64 val) const;
u64 decrypt(u64 val) const;
void set_trap(u64 val) const;
void start() const;
void stop() const;
vm::handler::table_t* handler_table;
private:
const u64 module_base, image_base;
u64 vtrap_encrypted;
const decrypt_handler_t decrypt_handler;
const encrypt_handler_t encrypt_handler;
};
inline vm::tracer_t* g_vmctx = nullptr;
}
extern "C" void vtrap_wrapper(vm::registers * regs, u8 handler_idx);
Write Preview
Loading…
Cancel
Save