vmp2
/
vmassembler
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added vmprofiler v1.5, still needs some work

Browse Source
merge-requests/1/head
_xeroxz 4 years ago
parent 0725ec062e
commit 6db8322eda
11 changed files with 248 additions and 812 deletions
Show Stats Download Patch File Download Diff File

18
.clang-format
Unescape View File

@ -0,0 +1,18 @@
---
BasedOnStyle: Microsoft
AlignAfterOpenBracket: Align
AllowAllArgumentsOnNextLine: 'true'
AllowAllParametersOfDeclarationOnNextLine: 'true'
AllowShortIfStatementsOnASingleLine: Never
BreakBeforeBraces: Allman
IndentWidth: '4'
Language: Cpp
NamespaceIndentation: All
SpacesInAngles: 'true'
SpacesInCStyleCastParentheses: 'true'
SpacesInContainerLiterals: 'true'
SpacesInParentheses: 'true'
SpacesInSquareBrackets: 'true'
UseTab: Never
...

6
.gitmodules vendored
Unescape View File

@ -1,3 +1,9 @@
[submodule "dependencies/vmprofiler"]
path = dependencies/vmprofiler
url = https://githacks.org/vmp2/vmprofiler.git
[submodule "dependencies/xtils"]
path = dependencies/xtils
url = https://githacks.org/_xeroxz/xtils.git
[submodule "dependencies/cli-parser"]
path = dependencies/cli-parser
url = https://githacks.org/_xeroxz/cli-parser.git

1
dependencies/cli-parser vendored

@ -0,0 +1 @@
Subproject commit 1aedaf8bb7f383f54b7cd498767611535526da85

2
dependencies/vmprofiler vendored

@ -1 +1 @@
Subproject commit 05ba2cc84ba94e1d526168ad686fc2e167ad2eab
Subproject commit 8ffe1cac5017b0258a44c1bbe9254621be771147

1
dependencies/xtils vendored

@ -0,0 +1 @@
Subproject commit 7c32517322c29a866cbb1e67fb9051efa2e05553

580
src/cli-parser.hpp
Unescape View File

@ -1,580 +0,0 @@
/**
* License: Apache 2.0 with LLVM Exception or GPL v3
*
* Author: Jesse Laning
*/
#ifndef ARGPARSE_H
#define ARGPARSE_H
#include <algorithm>
#include <cctype>
#include <cstring>
#include <iomanip>
#include <iostream>
#include <locale>
#include <map>
#include <numeric>
#include <sstream>
#include <stdexcept>
#include <string>
#include <unordered_map>
#include <vector>
namespace argparse {
namespace detail {
static inline bool _not_space(int ch) { return !std::isspace(ch); }
static inline void _ltrim(std::string& s, bool (*f)(int) = _not_space) {
s.erase(s.begin(), std::find_if(s.begin(), s.end(), f));
}
static inline void _rtrim(std::string& s, bool (*f)(int) = _not_space) {
s.erase(std::find_if(s.rbegin(), s.rend(), f).base(), s.end());
}
static inline void _trim(std::string& s, bool (*f)(int) = _not_space) {
_ltrim(s, f);
_rtrim(s, f);
}
static inline std::string _ltrim_copy(std::string s,
bool (*f)(int) = _not_space) {
_ltrim(s, f);
return s;
}
static inline std::string _rtrim_copy(std::string s,
bool (*f)(int) = _not_space) {
_rtrim(s, f);
return s;
}
static inline std::string _trim_copy(std::string s,
bool (*f)(int) = _not_space) {
_trim(s, f);
return s;
}
template <typename InputIt>
static inline std::string _join(InputIt begin, InputIt end,
const std::string& separator = " ") {
std::ostringstream ss;
if (begin != end) {
ss << *begin++;
}
while (begin != end) {
ss << separator;
ss << *begin++;
}
return ss.str();
}
static inline bool _is_number(const std::string& arg) {
std::istringstream iss(arg);
float f;
iss >> std::noskipws >> f;
return iss.eof() && !iss.fail();
}
static inline int _find_equal(const std::string& s) {
for (size_t i = 0; i < s.length(); ++i) {
// if find graph symbol before equal, end search
// i.e. don't accept --asd)f=0 arguments
// but allow --asd_f and --asd-f arguments
if (std::ispunct(static_cast<int>(s[i]))) {
if (s[i] == '=') {
return static_cast<int>(i);
}
else if (s[i] == '_' || s[i] == '-') {
continue;
}
return -1;
}
}
return -1;
}
static inline size_t _find_name_end(const std::string& s) {
size_t i;
for (i = 0; i < s.length(); ++i) {
if (std::ispunct(static_cast<int>(s[i]))) {
break;
}
}
return i;
}
namespace is_vector_impl {
template <typename T>
struct is_vector : std::false_type {};
template <typename... Args>
struct is_vector<std::vector<Args...>> : std::true_type {};
} // namespace is_vector_impl
// type trait to utilize the implementation type traits as well as decay the
// type
template <typename T>
struct is_vector {
static constexpr bool const value =
is_vector_impl::is_vector<typename std::decay<T>::type>::value;
};
} // namespace detail
class argument_parser_t {
private:
public:
class Argument;
class Result {
public:
Result() {}
Result(std::string err) noexcept : _error(true), _what(err) {}
operator bool() const { return _error; }
friend std::ostream& operator<<(std::ostream& os, const Result& dt);
const std::string& what() const { return _what; }
private:
bool _error{ false };
std::string _what{};
};
class Argument {
public:
enum Position : int { LAST = -1, DONT_CARE = -2 };
enum Count : int { ANY = -1 };
Argument& name(const std::string& name) {
_names.push_back(name);
return *this;
}
Argument& names(std::vector<std::string> names) {
_names.insert(_names.end(), names.begin(), names.end());
return *this;
}
Argument& description(const std::string& description) {
_desc = description;
return *this;
}
Argument& required(bool req) {
_required = req;
return *this;
}
Argument& position(int position) {
if (position != Position::LAST) {
// position + 1 because technically argument zero is the name of the
// executable
_position = position + 1;
}
else {
_position = position;
}
return *this;
}
Argument& count(int count) {
_count = count;
return *this;
}
bool found() const { return _found; }
template <typename T>
typename std::enable_if<detail::is_vector<T>::value, T>::type get() {
T t = T();
typename T::value_type vt;
for (auto& s : _values) {
std::istringstream in(s);
in >> vt;
t.push_back(vt);
}
return t;
}
template <typename T>
typename std::enable_if<!detail::is_vector<T>::value, T>::type get() {
std::istringstream in(get<std::string>());
T t = T();
in >> t >> std::ws;
return t;
}
private:
Argument(const std::string& name, const std::string& desc,
bool required = false)
: _desc(desc), _required(required) {
_names.push_back(name);
}
Argument() {}
friend class argument_parser_t;
int _position{ Position::DONT_CARE };
int _count{ Count::ANY };
std::vector<std::string> _names{};
std::string _desc{};
bool _found{ false };
bool _required{ false };
int _index{ -1 };
std::vector<std::string> _values{};
};
argument_parser_t(std::string bin, std::string desc)
: _bin(bin), _desc(desc) {}
Argument& add_argument() {
_arguments.push_back({});
_arguments.back()._index = static_cast<int>(_arguments.size()) - 1;
return _arguments.back();
}
Argument& add_argument(const std::string& name, const std::string& long_name,
const std::string& desc, const bool required = false) {
_arguments.push_back(Argument(name, desc, required));
_arguments.back()._names.push_back(long_name);
_arguments.back()._index = static_cast<int>(_arguments.size()) - 1;
return _arguments.back();
}
Argument& add_argument(const std::string& name, const std::string& desc,
const bool required = false) {
_arguments.push_back(Argument(name, desc, required));
_arguments.back()._index = static_cast<int>(_arguments.size()) - 1;
return _arguments.back();
}
void print_help(size_t count = 0, size_t page = 0) {
if (page * count > _arguments.size()) {
return;
}
if (page == 0) {
std::cout << "Usage: " << _bin;
if (_positional_arguments.empty()) {
std::cout << " [options...]" << std::endl;
}
else {
int current = 1;
for (auto& v : _positional_arguments) {
if (v.first != Argument::Position::LAST) {
for (; current < v.first; current++) {
std::cout << " [" << current << "]";
}
std::cout
<< " ["
<< detail::_ltrim_copy(
_arguments[static_cast<size_t>(v.second)]._names[0],
[](int c) -> bool { return c != static_cast<int>('-'); })
<< "]";
}
}
auto it = _positional_arguments.find(Argument::Position::LAST);
if (it == _positional_arguments.end()) {
std::cout << " [options...]";
}
else {
std::cout
<< " [options...] ["
<< detail::_ltrim_copy(
_arguments[static_cast<size_t>(it->second)]._names[0],
[](int c) -> bool { return c != static_cast<int>('-'); })
<< "]";
}
std::cout << std::endl;
}
std::cout << "Options:" << std::endl;
}
if (count == 0) {
page = 0;
count = _arguments.size();
}
for (size_t i = page * count;
i < std::min<size_t>(page * count + count, _arguments.size()); i++) {
Argument& a = _arguments[i];
std::string name = a._names[0];
for (size_t n = 1; n < a._names.size(); ++n) {
name.append(", " + a._names[n]);
}
std::cout << " " << std::setw(23) << std::left << name << std::setw(23)
<< a._desc;
if (a._required) {
std::cout << " (Required)";
}
std::cout << std::endl;
}
}
Result parse(int argc, const char* argv[]) {
Result err;
if (argc > 1) {
// build name map
for (auto& a : _arguments) {
for (auto& n : a._names) {
std::string name = detail::_ltrim_copy(
n, [](int c) -> bool { return c != static_cast<int>('-'); });
if (_name_map.find(name) != _name_map.end()) {
return Result("Duplicate of argument name: " + n);
}
_name_map[name] = a._index;
}
if (a._position >= 0 || a._position == Argument::Position::LAST) {
_positional_arguments[a._position] = a._index;
}
}
if (err) {
return err;
}
// parse
std::string current_arg;
size_t arg_len;
for (int argv_index = 1; argv_index < argc; ++argv_index) {
current_arg = std::string(argv[argv_index]);
arg_len = current_arg.length();
if (arg_len == 0) {
continue;
}
if (_help_enabled && (current_arg == "-h" || current_arg == "--help")) {
_arguments[static_cast<size_t>(_name_map["help"])]._found = true;
}
else if (argv_index == argc - 1 &&
_positional_arguments.find(Argument::Position::LAST) !=
_positional_arguments.end()) {
err = _end_argument();
Result b = err;
err = _add_value(current_arg, Argument::Position::LAST);
if (b) {
return b;
}
if (err) {
return err;
}
}
else if (arg_len >= 2 &&
!detail::_is_number(current_arg)) { // ignores the case if
// the arg is just a -
// look for -a (short) or --arg (long) args
if (current_arg[0] == '-') {
err = _end_argument();
if (err) {
return err;
}
// look for --arg (long) args
if (current_arg[1] == '-') {
err = _begin_argument(current_arg.substr(2), true, argv_index);
if (err) {
return err;
}
}
else { // short args
err = _begin_argument(current_arg.substr(1), false, argv_index);
if (err) {
return err;
}
}
}
else { // argument value
err = _add_value(current_arg, argv_index);
if (err) {
return err;
}
}
}
else { // argument value
err = _add_value(current_arg, argv_index);
if (err) {
return err;
}
}
}
}
if (_help_enabled && exists("help")) {
return Result();
}
err = _end_argument();
if (err) {
return err;
}
for (auto& p : _positional_arguments) {
Argument& a = _arguments[static_cast<size_t>(p.second)];
if (a._values.size() > 0 && a._values[0][0] == '-') {
std::string name = detail::_ltrim_copy(a._values[0], [](int c) -> bool {
return c != static_cast<int>('-');
});
if (_name_map.find(name) != _name_map.end()) {
if (a._position == Argument::Position::LAST) {
return Result(
"Poisitional argument expected at the end, but argument " +
a._values[0] + " found instead");
}
else {
return Result("Poisitional argument expected in position " +
std::to_string(a._position) + ", but argument " +
a._values[0] + " found instead");
}
}
}
}
for (auto& a : _arguments) {
if (a._required && !a._found) {
return Result("Required argument not found: " + a._names[0]);
}
if (a._position >= 0 && argc >= a._position && !a._found) {
return Result("Argument " + a._names[0] + " expected in position " +
std::to_string(a._position));
}
}
return Result();
}
void enable_help() {
add_argument("-h", "--help", "Shows this page", false);
_help_enabled = true;
}
bool exists(const std::string& name) const {
std::string n = detail::_ltrim_copy(
name, [](int c) -> bool { return c != static_cast<int>('-'); });
auto it = _name_map.find(n);
if (it != _name_map.end()) {
return _arguments[static_cast<size_t>(it->second)]._found;
}
return false;
}
template <typename T>
T get(const std::string& name) {
auto t = _name_map.find(name);
if (t != _name_map.end()) {
return _arguments[static_cast<size_t>(t->second)].get<T>();
}
return T();
}
private:
Result _begin_argument(const std::string& arg, bool longarg, int position) {
auto it = _positional_arguments.find(position);
if (it != _positional_arguments.end()) {
Result err = _end_argument();
Argument& a = _arguments[static_cast<size_t>(it->second)];
a._values.push_back((longarg ? "--" : "-") + arg);
a._found = true;
return err;
}
if (_current != -1) {
return Result("Current argument left open");
}
size_t name_end = detail::_find_name_end(arg);
std::string arg_name = arg.substr(0, name_end);
if (longarg) {
int equal_pos = detail::_find_equal(arg);
auto nmf = _name_map.find(arg_name);
if (nmf == _name_map.end()) {
return Result("Unrecognized command line option '" + arg_name + "'");
}
_current = nmf->second;
_arguments[static_cast<size_t>(nmf->second)]._found = true;
if (equal_pos == 0 ||
(equal_pos < 0 &&
arg_name.length() < arg.length())) { // malformed argument
return Result("Malformed argument: " + arg);
}
else if (equal_pos > 0) {
std::string arg_value = arg.substr(name_end + 1);
_add_value(arg_value, position);
}
}
else {
Result r;
if (arg_name.length() == 1) {
return _begin_argument(arg, true, position);
}
else {
for (char& c : arg_name) {
r = _begin_argument(std::string(1, c), true, position);
if (r) {
return r;
}
r = _end_argument();
if (r) {
return r;
}
}
}
}
return Result();
}
Result _add_value(const std::string& value, int location) {
if (_current >= 0) {
Result err;
Argument& a = _arguments[static_cast<size_t>(_current)];
if (a._count >= 0 && static_cast<int>(a._values.size()) >= a._count) {
err = _end_argument();
if (err) {
return err;
}
goto unnamed;
}
a._values.push_back(value);
if (a._count >= 0 && static_cast<int>(a._values.size()) >= a._count) {
err = _end_argument();
if (err) {
return err;
}
}
return Result();
}
else {
unnamed:
auto it = _positional_arguments.find(location);
if (it != _positional_arguments.end()) {
Argument& a = _arguments[static_cast<size_t>(it->second)];
a._values.push_back(value);
a._found = true;
}
// TODO
return Result();
}
}
Result _end_argument() {
if (_current >= 0) {
Argument& a = _arguments[static_cast<size_t>(_current)];
_current = -1;
if (static_cast<int>(a._values.size()) < a._count) {
return Result("Too few arguments given for " + a._names[0]);
}
if (a._count >= 0) {
if (static_cast<int>(a._values.size()) > a._count) {
return Result("Too many arguments given for " + a._names[0]);
}
}
}
return Result();
}
bool _help_enabled{ false };
int _current{ -1 };
std::string _bin{};
std::string _desc{};
std::vector<Argument> _arguments{};
std::map<int, int> _positional_arguments{};
std::map<std::string, int> _name_map{};
};
std::ostream& operator<<(std::ostream& os, const argument_parser_t::Result& r) {
os << r.what();
return os;
}
template <>
inline std::string argument_parser_t::Argument::get<std::string>() {
return detail::_join(_values.begin(), _values.end());
}
template <>
inline std::vector<std::string>
argument_parser_t::Argument::get<std::vector<std::string>>() {
return _values;
}
} // namespace argparse
#endif

286
src/compiler.cpp
Unescape View File

@ -2,143 +2,149 @@
namespace vm
{
compiler_t::compiler_t(
base_data_t base_data,
vmp2::exec_type_t exec_type,
std::vector<vm::handler_t>* vm_handlers,
zydis_routine_t* calc_jmp
)
: module_base(base_data.module_base),
image_base(base_data.image_base),
exec_type(exec_type),
vm_handlers(vm_handlers),
calc_jmp(calc_jmp)
{
if (!parse_t::get_instance()->for_each(
[&](_vinstr_meta* vinstr) -> bool
{
std::printf("> vinstr name = %s, has imm = %d, imm = 0x%p\n",
vinstr->name.c_str(), vinstr->has_imm, vinstr->imm);
for (auto& vm_handler : *vm_handlers)
if (vm_handler.profile && vm_handler.profile->name == vinstr->name)
return true;
std::printf("> this vm protected file does not have the vm handler for: %s...\n",
vinstr->name.c_str());
return false;
}
))
{
std::printf("[!] binary does not have the required vm handlers...\n");
exit(-1);
}
if(!vm::handler::get_operand_transforms(*calc_jmp, calc_jmp_transforms))
{
std::printf("[!] failed to extract calc_jmp transformations...\n");
exit(-1);
}
}
std::pair<bool, std::vector<vinstr_data>*> compiler_t::encode()
{
parse_t::get_instance()->for_each(
[&](_vinstr_meta* vinstr) -> bool
{
for (auto itr = vm_handlers->begin(); itr != vm_handlers->end(); ++itr)
{
if (itr->profile && itr->profile->name == vinstr->name)
{
vinstrs.push_back({ (std::uint8_t)(itr - vm_handlers->begin()),
vinstr->imm, itr->profile->imm_size });
break;
}
}
return true;
}
);
return { true, &vinstrs };
}
std::pair<std::uint64_t, std::vector<std::uint8_t>*> compiler_t::encrypt()
{
const auto end_of_module =
NT_HEADER(module_base)->OptionalHeader.SizeOfImage + image_base;
//
// init decryption key...
//
// decryption key starts off as the image
// base address of the virtual instructions...
std::uintptr_t decrypt_key = end_of_module, start_addr;
if (exec_type == vmp2::exec_type_t::backward)
{
std::for_each(vinstrs.begin(), vinstrs.end(),
[&](const vinstr_data& vinstr)
{
(++decrypt_key) +=
vinstr.imm_size ? vinstr.imm_size / 8 : 0;
}
);
}
start_addr = decrypt_key;
//
// invert the encoded virtual instructions operands if vip advances backward...
//
if (exec_type == vmp2::exec_type_t::backward)
std::reverse(vinstrs.begin(), vinstrs.end());
//
// loop over the instructions and encrypt them...
//
for (auto& vinstr : vinstrs)
{
std::printf("> decrypt key = 0x%p\n", decrypt_key);
auto vm_handler_idx = vinstr.vm_handler;
std::tie(vinstr.vm_handler, decrypt_key) =
vm::encrypt_operand(calc_jmp_transforms,
vinstr.vm_handler, decrypt_key);
if (!vinstr.imm_size)
{
result_buffer.push_back(vinstr.vm_handler);
continue;
}
auto transforms = vm_handlers->at(vm_handler_idx).transforms;
std::tie(vinstr.operand, decrypt_key) =
vm::encrypt_operand(transforms, vinstr.operand, decrypt_key);
//
// operands must be backwards if VIP advances backward...
//
if (exec_type == vmp2::exec_type_t::backward)
{
for (auto idx = 0u; idx < vinstr.imm_size / 8; ++idx)
result_buffer.push_back(
reinterpret_cast<std::uint8_t*>(&vinstr.operand)[idx]);
result_buffer.push_back(vinstr.vm_handler);
}
else
{
result_buffer.push_back(vinstr.vm_handler);
for (auto idx = 0u; idx < vinstr.imm_size / 8; ++idx)
result_buffer.push_back(
reinterpret_cast<std::uint8_t*>(&vinstr.operand)[idx]);
}
}
return { start_addr, &result_buffer };
}
}
compiler_t::compiler_t( base_data_t base_data, vmp2::exec_type_t exec_type,
std::vector< vm::handler::handler_t > *vm_handlers, zydis_routine_t *calc_jmp,
zydis_routine_t *vm_entry )
: module_base( base_data.module_base ), image_base( base_data.image_base ), exec_type( exec_type ),
vm_handlers( vm_handlers ), calc_jmp( calc_jmp ), vm_entry( vm_entry )
{
if ( !parse_t::get_instance()->for_each( [ & ]( _vinstr_meta *vinstr ) -> bool {
std::printf( "> vinstr name = %s, has imm = %d, imm = 0x%p\n", vinstr->name.c_str(), vinstr->has_imm,
vinstr->imm );
for ( auto &vm_handler : *vm_handlers )
if ( vm_handler.profile && vm_handler.profile->name == vinstr->name )
return true;
std::printf( "[!] this vm protected file does not have the vm handler for: %s...\n",
vinstr->name.c_str() );
return false;
} ) )
{
std::printf( "[!] binary does not have the required vm handlers...\n" );
exit( -1 );
}
if ( !vm::handler::get_operand_transforms( *calc_jmp, calc_jmp_transforms ) )
{
std::printf( "[!] failed to extract calc_jmp transformations...\n" );
exit( -1 );
}
if ( !vm::instrs::get_rva_decrypt( *vm_entry, encrypt_vinstrs_rva ) )
{
std::printf( "[!] failed to extract virtual instruction rva decryption instructions...\n" );
exit( -1 );
}
if (!vm::transform::inverse_transforms( encrypt_vinstrs_rva ))
{
std::printf( "[!] failed to inverse virtual instruction rva decrypt instructions...\n" );
exit( -1 );
}
}
std::pair< bool, std::vector< vinstr_data > * > compiler_t::encode()
{
parse_t::get_instance()->for_each( [ & ]( _vinstr_meta *vinstr ) -> bool {
for ( auto itr = vm_handlers->begin(); itr != vm_handlers->end(); ++itr )
{
if ( itr->profile && itr->profile->name == vinstr->name )
{
vinstrs.push_back(
{ ( std::uint8_t )( itr - vm_handlers->begin() ), vinstr->imm, itr->profile->imm_size } );
break;
}
}
return true;
} );
return { true, &vinstrs };
}
std::pair< std::uint64_t, std::vector< std::uint8_t > * > compiler_t::encrypt()
{
const auto end_of_module = NT_HEADER( module_base )->OptionalHeader.SizeOfImage + image_base;
//
// init decryption key...
//
// decryption key starts off as the image
// base address of the virtual instructions...
std::uintptr_t decrypt_key = end_of_module, start_addr;
if ( exec_type == vmp2::exec_type_t::backward )
{
std::for_each( vinstrs.begin(), vinstrs.end(), [ & ]( const vinstr_data &vinstr ) {
( ++decrypt_key ) += vinstr.imm_size ? vinstr.imm_size / 8 : 0;
} );
}
start_addr = decrypt_key;
//
// invert the encoded virtual instructions operands if vip advances backward...
//
if ( exec_type == vmp2::exec_type_t::backward )
std::reverse( vinstrs.begin(), vinstrs.end() );
//
// loop over the instructions and encrypt them...
//
for ( auto &vinstr : vinstrs )
{
std::printf( "> decrypt key = 0x%p\n", decrypt_key );
auto vm_handler_idx = vinstr.vm_handler;
std::tie( vinstr.vm_handler, decrypt_key ) =
vm::instrs::encrypt_operand( calc_jmp_transforms, vinstr.vm_handler, decrypt_key );
if ( !vinstr.imm_size )
{
result_buffer.push_back( vinstr.vm_handler );
continue;
}
auto transforms = vm_handlers->at( vm_handler_idx ).transforms;
std::tie( vinstr.operand, decrypt_key ) =
vm::instrs::encrypt_operand( transforms, vinstr.operand, decrypt_key );
//
// operands must be backwards if VIP advances backward...
//
if ( exec_type == vmp2::exec_type_t::backward )
{
for ( auto idx = 0u; idx < vinstr.imm_size / 8; ++idx )
result_buffer.push_back( reinterpret_cast< std::uint8_t * >( &vinstr.operand )[ idx ] );
result_buffer.push_back( vinstr.vm_handler );
}
else
{
result_buffer.push_back( vinstr.vm_handler );
for ( auto idx = 0u; idx < vinstr.imm_size / 8; ++idx )
result_buffer.push_back( reinterpret_cast< std::uint8_t * >( &vinstr.operand )[ idx ] );
}
}
return { start_addr, &result_buffer };
}
std::uint64_t compiler_t::encrypt_rva( std::uint64_t rva )
{
std::printf( "> encrypt virtual instruction rva transformations:\n" );
for ( auto &transform : encrypt_vinstrs_rva )
vm::util::print( transform );
for ( auto &instr : encrypt_vinstrs_rva )
rva = vm::transform::apply( instr.operands[ 0 ].size, instr.mnemonic, rva,
transform::has_imm( &instr ) ? instr.operands[ 1 ].imm.value.u : 0 );
std::printf( "> encrypted rva = 0x%p\n", rva );
return rva;
}
} // namespace vm

74
src/compiler.h
Unescape View File

@ -1,49 +1,47 @@
#pragma once
#include <Windows.h>
#include <vmprofiler.hpp>
#include <vmctx.h>
#include <vm.h>
#include <algorithm>
#include <vmprofiler.hpp>
#include "parser.h"
#define NT_HEADER(x) \
reinterpret_cast<PIMAGE_NT_HEADERS64>( \
reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew + x)
#define NT_HEADER( x ) \
reinterpret_cast< PIMAGE_NT_HEADERS64 >( reinterpret_cast< PIMAGE_DOS_HEADER >( x )->e_lfanew + x )
namespace vm
{
struct base_data_t
{
std::uintptr_t module_base;
std::uintptr_t image_base;
};
struct base_data_t
{
std::uintptr_t module_base;
std::uintptr_t image_base;
};
struct vinstr_data
{
std::uint8_t vm_handler;
std::uint64_t operand;
std::uint8_t imm_size; // size in bits...
};
struct vinstr_data
{
std::uint8_t vm_handler;
std::uint64_t operand;
std::uint8_t imm_size; // size in bits...
};
class compiler_t
{
public:
explicit compiler_t( base_data_t base_data, vmp2::exec_type_t exec_type,
std::vector< vm::handler::handler_t > *vm_handlers, zydis_routine_t *calc_jmp,
zydis_routine_t *vm_entry );
class compiler_t
{
public:
explicit compiler_t(
base_data_t base_data,
vmp2::exec_type_t exec_type,
std::vector<vm::handler_t>* vm_handlers,
zydis_routine_t* calc_jmp
);
std::pair< bool, std::vector< vinstr_data > * > encode();
std::pair< std::uint64_t, std::vector< std::uint8_t > * > encrypt();
std::uint64_t encrypt_rva( std::uint64_t rva );
std::pair<bool, std::vector<vinstr_data>*> encode();
std::pair<std::uint64_t, std::vector<std::uint8_t>* > encrypt();
private:
transform::map_t calc_jmp_transforms;
zydis_routine_t* calc_jmp;
std::vector<vm::handler_t>* vm_handlers;
vmp2::exec_type_t exec_type;
std::vector<vinstr_data> vinstrs;
std::vector<std::uint8_t> result_buffer;
std::uintptr_t image_base, module_base;
};
}
private:
transform::map_t calc_jmp_transforms;
zydis_routine_t *calc_jmp, *vm_entry;
std::vector< vm::handler::handler_t > *vm_handlers;
vmp2::exec_type_t exec_type;
std::vector< vinstr_data > vinstrs;
std::vector< std::uint8_t > result_buffer;
std::vector< zydis_decoded_instr_t > encrypt_vinstrs_rva;
std::uintptr_t image_base, module_base;
};
} // namespace vm

76
src/main.cpp
Unescape View File

@ -1,13 +1,14 @@
#include <iostream>
#include <sstream>
#include <Windows.h>
#include <cli-parser.hpp>
#include <fstream>
#include <iostream>
#include <sstream>
#include <transform.hpp>
#include <xtils.hpp>
#include "compiler.h"
#include "parser.tab.h"
#include "parser.h"
#include "cli-parser.hpp"
#include "vmasm.hpp"
extern FILE* yyin;
@ -19,14 +20,9 @@ void yyerror(char* msg)
int __cdecl main(int argc, const char* argv[])
{
//
// handle arguments from the commandline...
//
argparse::argument_parser_t argp( "vmassembler", "virtual instruction assembler" );
argparse::argument_parser_t argp(
"vmassembler", "virtual instruction assembler for VMProtect 2");
argp.add_argument()
argp.add_argument()
.names({ "--input", "--in" })
.description("path to a vasm file to be assembled...")
.required(true);
@ -41,16 +37,6 @@ int __cdecl main(int argc, const char* argv[])
.description("rva to vm entry...")
.required(true);
argp.add_argument()
.names({ "--imagebase", "--base" })
.description("optional header image base field value...")
.required(true);
argp.add_argument()
.name({ "--advancement" })
.description("which direction vip advances... the options are 'forward' and 'backward'")
.required(true);
argp.add_argument()
.name({ "--output" })
.description("output file name and path...")
@ -100,17 +86,12 @@ int __cdecl main(int argc, const char* argv[])
const auto vm_entry_rva = std::strtoull(
argp.get<std::string>("vmentry").c_str(), nullptr, 16);
const auto image_base = std::strtoull(
argp.get<std::string>("imagebase").c_str(), nullptr, 16);
vmp2::exec_type_t advancement =
argp.get<std::string>("advancement") == "backward" ?
vmp2::exec_type_t::backward : vmp2::exec_type_t::forward;
const auto image_base =
xtils::um_t::get_instance()->image_base( argp.get< std::string >( "vmpbin" ).c_str() );
zydis_routine_t vm_entry, calc_jmp;
std::vector<vm::handler_t> vm_handlers;
std::uintptr_t* vm_handler_table;
ZydisDecodedInstruction encrypt_rva;
zydis_routine_t vm_entry, calc_jmp;
std::vector< vm::handler::handler_t > vm_handlers;
std::uintptr_t* vm_handler_table;
if (!vm::util::flatten(vm_entry, module_base + vm_entry_rva))
{
@ -135,21 +116,27 @@ int __cdecl main(int argc, const char* argv[])
return -1;
}
if (!vm::get_calc_jmp(vm_entry, calc_jmp))
{
if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) )
{
std::printf("[!] failed to get calc_jmp...\n");
return -1;
}
if (!vm::get_vinstr_rva_transform(vm_entry, &encrypt_rva))
{
std::printf("[!] failed to get virtual instruction rva encryption transform...\n");
return -1;
}
const auto advancement = vm::calc_jmp::get_advancement( calc_jmp );
vm::compiler_t compiler({ module_base, image_base }, advancement, &vm_handlers, &calc_jmp);
if ( !advancement.has_value() )
{
std::printf( "[!] failed to determine advancement direction...\n" );
return -1;
}
//
std::printf( "> virtual instruction pointer advances %s...\n",
advancement.value() == vmp2::exec_type_t::forward ? "forward" : "backward" );
vm::compiler_t compiler( { module_base, image_base },
advancement.value(), &vm_handlers, &calc_jmp, &vm_entry );
//
// encode virtual instructions...
//
@ -209,14 +196,9 @@ int __cdecl main(int argc, const char* argv[])
file_header.vasm_size = result_buffer->size();
file_header.alloc_rva = (entry_rva - image_base);
file_header.vasm_offset = sizeof vmasm::file_header_t;
file_header.encrypted_rva = vm::transform::apply(
encrypt_rva.operands[0].size,
encrypt_rva.mnemonic, entry_rva,
// check to see if this instruction has an IMM...
vm::transform::has_imm(&encrypt_rva) ?
encrypt_rva.operands[1].imm.value.u : 0);
std::ofstream output(argp.get<std::string>("output"), std::ios::binary);
file_header.encrypted_rva = compiler.encrypt_rva( entry_rva );
std::ofstream output(argp.get<std::string>("output"), std::ios::binary);
output.write(reinterpret_cast<char*>(&file_header), sizeof file_header);
output.write(reinterpret_cast<char*>(result_buffer->data()), result_buffer->size());
output.close();

7
src/vmassembler.vcxproj
Unescape View File

@ -19,7 +19,7 @@
<UseDebugLibraries>false</UseDebugLibraries>
<PlatformToolset>v142</PlatformToolset>
<WholeProgramOptimization>true</WholeProgramOptimization>
<CharacterSet>MultiByte</CharacterSet>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
<ImportGroup Label="ExtensionSettings">
@ -33,7 +33,7 @@
<PropertyGroup Label="UserMacros" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<LinkIncremental>false</LinkIncremental>
<IncludePath>$(ProjectDir)..\dependencies\vmprofiler\include\;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\include;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\dependencies\cli-parser\;$(IncludePath)</IncludePath>
<IncludePath>$(ProjectDir)..\dependencies\vmprofiler\include\;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\include;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\dependencies\cli-parser\;$(ProjectDir)..\dependencies\xtils\;$(IncludePath)</IncludePath>
</PropertyGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
<ClCompile>
@ -75,6 +75,7 @@
<Bison Include="parser.y" />
</ItemGroup>
<ItemGroup>
<ClInclude Include="..\dependencies\cli-parser\cli-parser.hpp" />
<ClInclude Include="..\dependencies\vmprofiler\include\transform.hpp" />
<ClInclude Include="..\dependencies\vmprofiler\include\vm.h" />
<ClInclude Include="..\dependencies\vmprofiler\include\vmctx.h" />
@ -125,7 +126,7 @@
<ClInclude Include="..\dependencies\vmprofiler\include\Zydis\Status.h" />
<ClInclude Include="..\dependencies\vmprofiler\include\Zydis\Utils.h" />
<ClInclude Include="..\dependencies\vmprofiler\include\Zydis\Zydis.h" />
<ClInclude Include="cli-parser.hpp" />
<ClInclude Include="..\dependencies\xtils\xtils.hpp" />
<ClInclude Include="compiler.h" />
<ClInclude Include="parser.h" />
<ClInclude Include="parser.tab.h" />

9
src/vmassembler.vcxproj.filters
Unescape View File

@ -69,9 +69,6 @@
<ClInclude Include="parser.h">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="cli-parser.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="compiler.h">
<Filter>Header Files</Filter>
</ClInclude>
@ -228,6 +225,12 @@
<ClInclude Include="..\dependencies\vmprofiler\include\ZydisExportConfig.h">
<Filter>Header Files\vmprofiler</Filter>
</ClInclude>
<ClInclude Include="..\dependencies\xtils\xtils.hpp">
<Filter>Header Files</Filter>
</ClInclude>
<ClInclude Include="..\dependencies\cli-parser\cli-parser.hpp">
<Filter>Header Files</Filter>
</ClInclude>
</ItemGroup>
<ItemGroup>
<ResourceCompile Include="icon.rc">

Write Preview
Loading…
Cancel
Save