From 5fb01835d7832ae468438b89e077d9f7ada270d5 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sun, 23 May 2021 17:24:33 -0700 Subject: [PATCH] added cli-parser to dependencies, renamed vmtracer to vmhook.. --- .gitmodules | 9 +- dependencies/cli-parser | 1 + dependencies/vmhook | 1 + dependencies/vmtracer | 1 - src/{demo.sln => um-hook.sln} | 26 +- src/{um-tracer => um-hook}/lconstbzx.asm | 0 src/{um-tracer => um-hook}/main.cpp | 86 +-- .../um-hook.vcxproj} | 12 +- .../um-hook.vcxproj.filters} | 17 +- src/um-tracer/cli-parser.hpp | 580 ------------------ src/um-tracer/vmp2.hpp | 72 --- src/um-tracer/vmtracer.hpp | 118 ---- 12 files changed, 54 insertions(+), 869 deletions(-) create mode 160000 dependencies/cli-parser create mode 160000 dependencies/vmhook delete mode 160000 dependencies/vmtracer rename src/{demo.sln => um-hook.sln} (57%) rename src/{um-tracer => um-hook}/lconstbzx.asm (100%) rename src/{um-tracer => um-hook}/main.cpp (66%) rename src/{um-tracer/um-tracer.vcxproj => um-hook/um-hook.vcxproj} (88%) rename src/{um-tracer/um-tracer.vcxproj.filters => um-hook/um-hook.vcxproj.filters} (84%) delete mode 100644 src/um-tracer/cli-parser.hpp delete mode 100644 src/um-tracer/vmp2.hpp delete mode 100644 src/um-tracer/vmtracer.hpp diff --git a/.gitmodules b/.gitmodules index 44cdb8c..395c54b 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,6 @@ -[submodule "dependencies/vmtracer"] - path = dependencies/vmtracer - url = https://githacks.org/vmp2/vmtracer.git +[submodule "dependencies/vmhook"] + path = dependencies/vmhook + url = https://githacks.org/vmp2/vmhook.git +[submodule "dependencies/cli-parser"] + path = dependencies/cli-parser + url = https://githacks.org/_xeroxz/cli-parser.git diff --git a/dependencies/cli-parser b/dependencies/cli-parser new file mode 160000 index 0000000..1aedaf8 --- /dev/null +++ b/dependencies/cli-parser @@ -0,0 +1 @@ +Subproject commit 1aedaf8bb7f383f54b7cd498767611535526da85 diff --git a/dependencies/vmhook b/dependencies/vmhook new file mode 160000 index 0000000..38ead0f --- /dev/null +++ b/dependencies/vmhook @@ -0,0 +1 @@ +Subproject commit 38ead0fa5c169151ed511a7e6cbe41332d4d9f3a diff --git a/dependencies/vmtracer b/dependencies/vmtracer deleted file mode 160000 index 2130f86..0000000 --- a/dependencies/vmtracer +++ /dev/null @@ -1 +0,0 @@ -Subproject commit 2130f86ea886b5a8b81d368b3b6a6f2412c37194 diff --git a/src/demo.sln b/src/um-hook.sln similarity index 57% rename from src/demo.sln rename to src/um-hook.sln index 96de370..a3a0e38 100644 --- a/src/demo.sln +++ b/src/um-hook.sln @@ -3,29 +3,43 @@ Microsoft Visual Studio Solution File, Format Version 12.00 # Visual Studio Version 16 VisualStudioVersion = 16.0.30907.101 MinimumVisualStudioVersion = 10.0.40219.1 -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "um-tracer", "um-tracer\um-tracer.vcxproj", "{3F97516B-DC38-4C7F-857B-0B2D4E079208}" -EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmptest", "vmptest\vmptest.vcxproj", "{F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}" EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmtracer", "..\dependencies\vmtracer\src\vmtracer.vcxproj", "{D257C9F6-C705-49D5-84ED-64C9C513C419}" +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmhook", "..\dependencies\vmhook\src\vmhook.vcxproj", "{D257C9F6-C705-49D5-84ED-64C9C513C419}" +EndProject +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "um-hook", "um-hook\um-hook.vcxproj", "{3F97516B-DC38-4C7F-857B-0B2D4E079208}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution + Debug|x64 = Debug|x64 + Debug|x86 = Debug|x86 Release|x64 = Release|x64 Release|x86 = Release|x86 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution - {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.ActiveCfg = Release|x64 - {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.Build.0 = Release|x64 - {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x86.ActiveCfg = Release|x64 + {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x64.ActiveCfg = Debug|x64 + {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x64.Build.0 = Debug|x64 + {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x86.ActiveCfg = Debug|Win32 + {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Debug|x86.Build.0 = Debug|Win32 {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x64.ActiveCfg = Release|x64 {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x64.Build.0 = Release|x64 {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x86.ActiveCfg = Release|Win32 {F98AAFDC-AA2D-4AC2-924A-9BC9895E34D5}.Release|x86.Build.0 = Release|Win32 + {D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x64.ActiveCfg = Debug|x64 + {D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x64.Build.0 = Debug|x64 + {D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x86.ActiveCfg = Debug|Win32 + {D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x86.Build.0 = Debug|Win32 {D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x64.ActiveCfg = Release|x64 {D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x64.Build.0 = Release|x64 {D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x86.ActiveCfg = Release|Win32 {D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x86.Build.0 = Release|Win32 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x64.ActiveCfg = Release|x64 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x64.Build.0 = Release|x64 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x86.ActiveCfg = Release|x64 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Debug|x86.Build.0 = Release|x64 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.ActiveCfg = Release|x64 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x64.Build.0 = Release|x64 + {3F97516B-DC38-4C7F-857B-0B2D4E079208}.Release|x86.ActiveCfg = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE diff --git a/src/um-tracer/lconstbzx.asm b/src/um-hook/lconstbzx.asm similarity index 100% rename from src/um-tracer/lconstbzx.asm rename to src/um-hook/lconstbzx.asm diff --git a/src/um-tracer/main.cpp b/src/um-hook/main.cpp similarity index 66% rename from src/um-tracer/main.cpp rename to src/um-hook/main.cpp index bb236c7..7f25d3b 100644 --- a/src/um-tracer/main.cpp +++ b/src/um-hook/main.cpp @@ -2,9 +2,8 @@ #include #include #include -#include "vmtracer.hpp" -#include "vmp2.hpp" -#include "cli-parser.hpp" +#include +#include extern "C" void __lconstbzx(void); extern "C" u64 __mbase; @@ -13,13 +12,10 @@ extern "C" u64 __mbase; reinterpret_cast( \ reinterpret_cast(x)->e_lfanew + x) -inline std::vector traces; -inline vmp2::file_header trace_header; - int __cdecl main(int argc, const char** argv) { argparse::argument_parser_t parser( - "um-tracer", "usermode virtual instruction tracer"); + "um-hook", "usermode virtual instruction hook demo"); parser.add_argument() .names({ "--bin", "--vmpbin" }) @@ -36,11 +32,6 @@ int __cdecl main(int argc, const char** argv) .description("image base from OptionalHeader::ImageBase") .required(true); - parser.add_argument() - .names({ "--out", "--output" }) - .description("name and/or path to output file") - .required(true); - parser.enable_help(); auto err = parser.parse(argc, argv); @@ -138,73 +129,22 @@ int __cdecl main(int argc, const char** argv) */ vm::handler::table_t handler_table(handler_table_ptr, _edit_entry); - - // set all vm handler callbacks to just - // print the rolling decrypt key and handler idx... - for (auto idx = 0u; idx < 256; ++idx) - { - handler_table.set_callback(idx, - [](vm::registers* regs, u8 handler_idx) -> void - { - vmp2::entry_t entry; - entry.decrypt_key = regs->rbx; - entry.handler_idx = handler_idx; - entry.vip = regs->rsi; - - memcpy(&entry.regs, ®s->r15, sizeof entry.regs); - memcpy(&entry.vregs, (void*)regs->rdi, sizeof entry.vregs); - - for (auto idx = 0u; idx < sizeof(entry.vsp) / 8; ++idx) - entry.vsp.qword[idx] = reinterpret_cast(regs->rbp)[idx]; - - traces.push_back(entry); - std::printf("> TID = %d, handler idx = %d, decryption key = 0x%p\n", - GetCurrentThreadId(), handler_idx, regs->rbx); - } - ); - } - - vm::tracer_t tracer( - module_base, - image_base, - _decrypt_handler, - _encrypt_handler, - &handler_table - ); + vm::hook_t vmhook(module_base, image_base, + _decrypt_handler, _encrypt_handler, &handler_table); // change vm handler 0x55 (LCONSTBZX) to our implimentation of it... auto _meta_data = handler_table.get_meta_data(0x55); _meta_data.virt = reinterpret_cast(&__lconstbzx); handler_table.set_meta_data(0x55, _meta_data); - std::ofstream vmp2_file(parser.get("out"), std::ios::binary); - memcpy(&trace_header.magic, "VMP2", sizeof "VMP2" - 1); - trace_header.epoch_time = time(nullptr); - trace_header.entry_offset = sizeof trace_header; - trace_header.advancement = vmp2::exec_type_t::forward; - trace_header.version = vmp2::version_t::v1; - trace_header.module_base = module_base; - // patch vm handler table... - tracer.start(); - - // call entry point... - auto result = reinterpret_cast( - NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint + module_base)(); - - std::printf("result = %d\n", result); - - // unpatch vm handler table... - tracer.stop(); - - // write vmp2 file to disk... - trace_header.entry_count = traces.size(); - vmp2_file.write((char*)&trace_header, sizeof trace_header); - - for (auto& trace : traces) - vmp2_file.write((char*)&trace, sizeof trace); + vmhook.start(); + { + // call entry point... + auto result = reinterpret_cast( + NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint + module_base)(); - vmp2_file.close(); - std::printf("> finished vm trace...\n"); - std::getchar(); + std::printf("result = %d\n", result); + } + vmhook.stop(); } \ No newline at end of file diff --git a/src/um-tracer/um-tracer.vcxproj b/src/um-hook/um-hook.vcxproj similarity index 88% rename from src/um-tracer/um-tracer.vcxproj rename to src/um-hook/um-hook.vcxproj index cb84948..b08b07e 100644 --- a/src/um-tracer/um-tracer.vcxproj +++ b/src/um-hook/um-hook.vcxproj @@ -12,7 +12,7 @@ {3f97516b-dc38-4c7f-857b-0b2d4e079208} vmtracer 10.0 - um-tracer + um-hook @@ -34,6 +34,7 @@ false + $(ProjectDir)..\..\dependencies\cli-parser\;$(ProjectDir)..\..\dependencies\vmhook\include;$(IncludePath) @@ -57,15 +58,14 @@ - - - + - + + - + {d257c9f6-c705-49d5-84ed-64c9c513c419} diff --git a/src/um-tracer/um-tracer.vcxproj.filters b/src/um-hook/um-hook.vcxproj.filters similarity index 84% rename from src/um-tracer/um-tracer.vcxproj.filters rename to src/um-hook/um-hook.vcxproj.filters index d86317a..e87f34a 100644 --- a/src/um-tracer/um-tracer.vcxproj.filters +++ b/src/um-hook/um-hook.vcxproj.filters @@ -16,19 +16,16 @@ - - Header Files - - + + Source Files + + + + Header Files - + Header Files - - - Source Files - - \ No newline at end of file diff --git a/src/um-tracer/cli-parser.hpp b/src/um-tracer/cli-parser.hpp deleted file mode 100644 index 0b404ee..0000000 --- a/src/um-tracer/cli-parser.hpp +++ /dev/null @@ -1,580 +0,0 @@ -/** - * License: Apache 2.0 with LLVM Exception or GPL v3 - * - * Author: Jesse Laning - */ - -#ifndef ARGPARSE_H -#define ARGPARSE_H - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -namespace argparse { - namespace detail { - static inline bool _not_space(int ch) { return !std::isspace(ch); } - static inline void _ltrim(std::string& s, bool (*f)(int) = _not_space) { - s.erase(s.begin(), std::find_if(s.begin(), s.end(), f)); - } - static inline void _rtrim(std::string& s, bool (*f)(int) = _not_space) { - s.erase(std::find_if(s.rbegin(), s.rend(), f).base(), s.end()); - } - static inline void _trim(std::string& s, bool (*f)(int) = _not_space) { - _ltrim(s, f); - _rtrim(s, f); - } - static inline std::string _ltrim_copy(std::string s, - bool (*f)(int) = _not_space) { - _ltrim(s, f); - return s; - } - static inline std::string _rtrim_copy(std::string s, - bool (*f)(int) = _not_space) { - _rtrim(s, f); - return s; - } - static inline std::string _trim_copy(std::string s, - bool (*f)(int) = _not_space) { - _trim(s, f); - return s; - } - template - static inline std::string _join(InputIt begin, InputIt end, - const std::string& separator = " ") { - std::ostringstream ss; - if (begin != end) { - ss << *begin++; - } - while (begin != end) { - ss << separator; - ss << *begin++; - } - return ss.str(); - } - static inline bool _is_number(const std::string& arg) { - std::istringstream iss(arg); - float f; - iss >> std::noskipws >> f; - return iss.eof() && !iss.fail(); - } - - static inline int _find_equal(const std::string& s) { - for (size_t i = 0; i < s.length(); ++i) { - // if find graph symbol before equal, end search - // i.e. don't accept --asd)f=0 arguments - // but allow --asd_f and --asd-f arguments - if (std::ispunct(static_cast(s[i]))) { - if (s[i] == '=') { - return static_cast(i); - } - else if (s[i] == '_' || s[i] == '-') { - continue; - } - return -1; - } - } - return -1; - } - - static inline size_t _find_name_end(const std::string& s) { - size_t i; - for (i = 0; i < s.length(); ++i) { - if (std::ispunct(static_cast(s[i]))) { - break; - } - } - return i; - } - - namespace is_vector_impl { - template - struct is_vector : std::false_type {}; - template - struct is_vector> : std::true_type {}; - } // namespace is_vector_impl - - // type trait to utilize the implementation type traits as well as decay the - // type - template - struct is_vector { - static constexpr bool const value = - is_vector_impl::is_vector::type>::value; - }; - } // namespace detail - - class argument_parser_t { - private: - public: - class Argument; - - class Result { - public: - Result() {} - Result(std::string err) noexcept : _error(true), _what(err) {} - - operator bool() const { return _error; } - - friend std::ostream& operator<<(std::ostream& os, const Result& dt); - - const std::string& what() const { return _what; } - - private: - bool _error{ false }; - std::string _what{}; - }; - - class Argument { - public: - enum Position : int { LAST = -1, DONT_CARE = -2 }; - enum Count : int { ANY = -1 }; - - Argument& name(const std::string& name) { - _names.push_back(name); - return *this; - } - - Argument& names(std::vector names) { - _names.insert(_names.end(), names.begin(), names.end()); - return *this; - } - - Argument& description(const std::string& description) { - _desc = description; - return *this; - } - - Argument& required(bool req) { - _required = req; - return *this; - } - - Argument& position(int position) { - if (position != Position::LAST) { - // position + 1 because technically argument zero is the name of the - // executable - _position = position + 1; - } - else { - _position = position; - } - return *this; - } - - Argument& count(int count) { - _count = count; - return *this; - } - - bool found() const { return _found; } - - template - typename std::enable_if::value, T>::type get() { - T t = T(); - typename T::value_type vt; - for (auto& s : _values) { - std::istringstream in(s); - in >> vt; - t.push_back(vt); - } - return t; - } - - template - typename std::enable_if::value, T>::type get() { - std::istringstream in(get()); - T t = T(); - in >> t >> std::ws; - return t; - } - - private: - Argument(const std::string& name, const std::string& desc, - bool required = false) - : _desc(desc), _required(required) { - _names.push_back(name); - } - - Argument() {} - - friend class argument_parser_t; - int _position{ Position::DONT_CARE }; - int _count{ Count::ANY }; - std::vector _names{}; - std::string _desc{}; - bool _found{ false }; - bool _required{ false }; - int _index{ -1 }; - - std::vector _values{}; - }; - - argument_parser_t(std::string bin, std::string desc) - : _bin(bin), _desc(desc) {} - - Argument& add_argument() { - _arguments.push_back({}); - _arguments.back()._index = static_cast(_arguments.size()) - 1; - return _arguments.back(); - } - - Argument& add_argument(const std::string& name, const std::string& long_name, - const std::string& desc, const bool required = false) { - _arguments.push_back(Argument(name, desc, required)); - _arguments.back()._names.push_back(long_name); - _arguments.back()._index = static_cast(_arguments.size()) - 1; - return _arguments.back(); - } - - Argument& add_argument(const std::string& name, const std::string& desc, - const bool required = false) { - _arguments.push_back(Argument(name, desc, required)); - _arguments.back()._index = static_cast(_arguments.size()) - 1; - return _arguments.back(); - } - - void print_help(size_t count = 0, size_t page = 0) { - if (page * count > _arguments.size()) { - return; - } - if (page == 0) { - std::cout << "Usage: " << _bin; - if (_positional_arguments.empty()) { - std::cout << " [options...]" << std::endl; - } - else { - int current = 1; - for (auto& v : _positional_arguments) { - if (v.first != Argument::Position::LAST) { - for (; current < v.first; current++) { - std::cout << " [" << current << "]"; - } - std::cout - << " [" - << detail::_ltrim_copy( - _arguments[static_cast(v.second)]._names[0], - [](int c) -> bool { return c != static_cast('-'); }) - << "]"; - } - } - auto it = _positional_arguments.find(Argument::Position::LAST); - if (it == _positional_arguments.end()) { - std::cout << " [options...]"; - } - else { - std::cout - << " [options...] [" - << detail::_ltrim_copy( - _arguments[static_cast(it->second)]._names[0], - [](int c) -> bool { return c != static_cast('-'); }) - << "]"; - } - std::cout << std::endl; - } - std::cout << "Options:" << std::endl; - } - if (count == 0) { - page = 0; - count = _arguments.size(); - } - for (size_t i = page * count; - i < std::min(page * count + count, _arguments.size()); i++) { - Argument& a = _arguments[i]; - std::string name = a._names[0]; - for (size_t n = 1; n < a._names.size(); ++n) { - name.append(", " + a._names[n]); - } - std::cout << " " << std::setw(23) << std::left << name << std::setw(23) - << a._desc; - if (a._required) { - std::cout << " (Required)"; - } - std::cout << std::endl; - } - } - - Result parse(int argc, const char* argv[]) { - Result err; - if (argc > 1) { - // build name map - for (auto& a : _arguments) { - for (auto& n : a._names) { - std::string name = detail::_ltrim_copy( - n, [](int c) -> bool { return c != static_cast('-'); }); - if (_name_map.find(name) != _name_map.end()) { - return Result("Duplicate of argument name: " + n); - } - _name_map[name] = a._index; - } - if (a._position >= 0 || a._position == Argument::Position::LAST) { - _positional_arguments[a._position] = a._index; - } - } - if (err) { - return err; - } - - // parse - std::string current_arg; - size_t arg_len; - for (int argv_index = 1; argv_index < argc; ++argv_index) { - current_arg = std::string(argv[argv_index]); - arg_len = current_arg.length(); - if (arg_len == 0) { - continue; - } - if (_help_enabled && (current_arg == "-h" || current_arg == "--help")) { - _arguments[static_cast(_name_map["help"])]._found = true; - } - else if (argv_index == argc - 1 && - _positional_arguments.find(Argument::Position::LAST) != - _positional_arguments.end()) { - err = _end_argument(); - Result b = err; - err = _add_value(current_arg, Argument::Position::LAST); - if (b) { - return b; - } - if (err) { - return err; - } - } - else if (arg_len >= 2 && - !detail::_is_number(current_arg)) { // ignores the case if - // the arg is just a - - // look for -a (short) or --arg (long) args - if (current_arg[0] == '-') { - err = _end_argument(); - if (err) { - return err; - } - // look for --arg (long) args - if (current_arg[1] == '-') { - err = _begin_argument(current_arg.substr(2), true, argv_index); - if (err) { - return err; - } - } - else { // short args - err = _begin_argument(current_arg.substr(1), false, argv_index); - if (err) { - return err; - } - } - } - else { // argument value - err = _add_value(current_arg, argv_index); - if (err) { - return err; - } - } - } - else { // argument value - err = _add_value(current_arg, argv_index); - if (err) { - return err; - } - } - } - } - if (_help_enabled && exists("help")) { - return Result(); - } - err = _end_argument(); - if (err) { - return err; - } - for (auto& p : _positional_arguments) { - Argument& a = _arguments[static_cast(p.second)]; - if (a._values.size() > 0 && a._values[0][0] == '-') { - std::string name = detail::_ltrim_copy(a._values[0], [](int c) -> bool { - return c != static_cast('-'); - }); - if (_name_map.find(name) != _name_map.end()) { - if (a._position == Argument::Position::LAST) { - return Result( - "Poisitional argument expected at the end, but argument " + - a._values[0] + " found instead"); - } - else { - return Result("Poisitional argument expected in position " + - std::to_string(a._position) + ", but argument " + - a._values[0] + " found instead"); - } - } - } - } - for (auto& a : _arguments) { - if (a._required && !a._found) { - return Result("Required argument not found: " + a._names[0]); - } - if (a._position >= 0 && argc >= a._position && !a._found) { - return Result("Argument " + a._names[0] + " expected in position " + - std::to_string(a._position)); - } - } - return Result(); - } - - void enable_help() { - add_argument("-h", "--help", "Shows this page", false); - _help_enabled = true; - } - - bool exists(const std::string& name) const { - std::string n = detail::_ltrim_copy( - name, [](int c) -> bool { return c != static_cast('-'); }); - auto it = _name_map.find(n); - if (it != _name_map.end()) { - return _arguments[static_cast(it->second)]._found; - } - return false; - } - - template - T get(const std::string& name) { - auto t = _name_map.find(name); - if (t != _name_map.end()) { - return _arguments[static_cast(t->second)].get(); - } - return T(); - } - - private: - Result _begin_argument(const std::string& arg, bool longarg, int position) { - auto it = _positional_arguments.find(position); - if (it != _positional_arguments.end()) { - Result err = _end_argument(); - Argument& a = _arguments[static_cast(it->second)]; - a._values.push_back((longarg ? "--" : "-") + arg); - a._found = true; - return err; - } - if (_current != -1) { - return Result("Current argument left open"); - } - size_t name_end = detail::_find_name_end(arg); - std::string arg_name = arg.substr(0, name_end); - if (longarg) { - int equal_pos = detail::_find_equal(arg); - auto nmf = _name_map.find(arg_name); - if (nmf == _name_map.end()) { - return Result("Unrecognized command line option '" + arg_name + "'"); - } - _current = nmf->second; - _arguments[static_cast(nmf->second)]._found = true; - if (equal_pos == 0 || - (equal_pos < 0 && - arg_name.length() < arg.length())) { // malformed argument - return Result("Malformed argument: " + arg); - } - else if (equal_pos > 0) { - std::string arg_value = arg.substr(name_end + 1); - _add_value(arg_value, position); - } - } - else { - Result r; - if (arg_name.length() == 1) { - return _begin_argument(arg, true, position); - } - else { - for (char& c : arg_name) { - r = _begin_argument(std::string(1, c), true, position); - if (r) { - return r; - } - r = _end_argument(); - if (r) { - return r; - } - } - } - } - return Result(); - } - - Result _add_value(const std::string& value, int location) { - if (_current >= 0) { - Result err; - Argument& a = _arguments[static_cast(_current)]; - if (a._count >= 0 && static_cast(a._values.size()) >= a._count) { - err = _end_argument(); - if (err) { - return err; - } - goto unnamed; - } - a._values.push_back(value); - if (a._count >= 0 && static_cast(a._values.size()) >= a._count) { - err = _end_argument(); - if (err) { - return err; - } - } - return Result(); - } - else { - unnamed: - auto it = _positional_arguments.find(location); - if (it != _positional_arguments.end()) { - Argument& a = _arguments[static_cast(it->second)]; - a._values.push_back(value); - a._found = true; - } - // TODO - return Result(); - } - } - - Result _end_argument() { - if (_current >= 0) { - Argument& a = _arguments[static_cast(_current)]; - _current = -1; - if (static_cast(a._values.size()) < a._count) { - return Result("Too few arguments given for " + a._names[0]); - } - if (a._count >= 0) { - if (static_cast(a._values.size()) > a._count) { - return Result("Too many arguments given for " + a._names[0]); - } - } - } - return Result(); - } - - bool _help_enabled{ false }; - int _current{ -1 }; - std::string _bin{}; - std::string _desc{}; - std::vector _arguments{}; - std::map _positional_arguments{}; - std::map _name_map{}; - }; - - std::ostream& operator<<(std::ostream& os, const argument_parser_t::Result& r) { - os << r.what(); - return os; - } - template <> - inline std::string argument_parser_t::Argument::get() { - return detail::_join(_values.begin(), _values.end()); - } - template <> - inline std::vector - argument_parser_t::Argument::get>() { - return _values; - } - -} // namespace argparse -#endif \ No newline at end of file diff --git a/src/um-tracer/vmp2.hpp b/src/um-tracer/vmp2.hpp deleted file mode 100644 index 5bc3bff..0000000 --- a/src/um-tracer/vmp2.hpp +++ /dev/null @@ -1,72 +0,0 @@ -#pragma once -#include "vmtracer.hpp" - -namespace vmp2 -{ - enum class exec_type_t - { - forward, - backward - }; - - enum class version_t - { - invalid, - v1 = 0x101 - }; - - struct file_header - { - u32 magic; // VMP2! - u64 epoch_time; - u64 module_base; - exec_type_t advancement; - version_t version; - - u32 entry_count; - u32 entry_offset; - }; - - struct entry_t - { - u8 handler_idx; - u64 decrypt_key; - u64 vip; - - union - { - struct - { - u64 r15; - u64 r14; - u64 r13; - u64 r12; - u64 r11; - u64 r10; - u64 r9; - u64 r8; - u64 rbp; - u64 rdi; - u64 rsi; - u64 rdx; - u64 rcx; - u64 rbx; - u64 rax; - u64 rflags; - }; - u64 raw[16]; - } regs; - - union - { - u64 qword[0x28]; - u8 raw[0x140]; - } vregs; - - union - { - u64 qword[0x20]; - u8 raw[0x100]; - } vsp; - }; -} \ No newline at end of file diff --git a/src/um-tracer/vmtracer.hpp b/src/um-tracer/vmtracer.hpp deleted file mode 100644 index a78d262..0000000 --- a/src/um-tracer/vmtracer.hpp +++ /dev/null @@ -1,118 +0,0 @@ -#pragma once -#include -#include - -using u8 = unsigned char; -using u16 = unsigned short; -using u32 = unsigned int; -using u64 = unsigned long long; -using u128 = __m128; -extern "C" void __vtrap(void); - -namespace vm -{ - typedef struct _registers - { - u128 xmm0; - u128 xmm1; - u128 xmm2; - u128 xmm3; - u128 xmm4; - u128 xmm5; - u128 xmm6; - u128 xmm7; - u128 xmm8; - u128 xmm9; - u128 xmm10; - u128 xmm11; - u128 xmm12; - u128 xmm13; - u128 xmm14; - u128 xmm15; - - u64 gap0; - - u64 r15; - u64 r14; - u64 r13; - u64 r12; - u64 r11; - u64 r10; - u64 r9; - u64 r8; - u64 rbp; - u64 rdi; - u64 rsi; - u64 rdx; - u64 rcx; - u64 rbx; - u64 rax; - u64 rflags; - u64 vm_handler; - } registers, * pregisters; - - using decrypt_handler_t = u64(*)(u64); - using encrypt_handler_t = u64(*)(u64); - - namespace handler - { - // these lambdas handle page protections... - using edit_entry_t = void (*)(u64*, u64); - using entry_callback_t = void (*)(vm::registers* regs, u8 handler_idx); - - struct entry_t - { - u64 virt; - u64 encrypted; - u64 decrypted; - entry_callback_t callback; - }; - - class table_t - { - public: - explicit table_t(u64* table_addr, edit_entry_t edit_entry); - u64 get_entry(u8 idx) const; - entry_t get_meta_data(u8 idx) const; - - void set_entry(u8 idx, u64 entry); - void set_meta_data(u8 idx, const entry_t& entry); - void set_callback(u8 idx, entry_callback_t callback); - private: - u64* table_addr; - edit_entry_t edit_entry; - entry_t handlers[256]; - }; - } - - class tracer_t - { - public: - explicit tracer_t( - u64 module_base, - u64 image_base, - decrypt_handler_t decrypt_handler, - encrypt_handler_t encrypt_handler, - vm::handler::table_t* vm_handler_table - ); - - u64 encrypt(u64 val) const; - u64 decrypt(u64 val) const; - void set_trap(u64 val) const; - - void start() const; - void stop() const; - - vm::handler::table_t* handler_table; - private: - const u64 module_base, image_base; - u64 vtrap_encrypted; - - const decrypt_handler_t decrypt_handler; - const encrypt_handler_t encrypt_handler; - }; - - inline vm::tracer_t* g_vmctx = nullptr; -} - -extern "C" void vtrap_wrapper(vm::registers * regs, u8 handler_idx); \ No newline at end of file