From 6db8322edae2312b9bdcec490a90fae7880515cb Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 18:48:26 -0700 Subject: [PATCH] added vmprofiler v1.5, still needs some work --- .clang-format | 18 + .gitmodules | 6 + dependencies/cli-parser | 1 + dependencies/vmprofiler | 2 +- dependencies/xtils | 1 + src/cli-parser.hpp | 580 -------------------------------- src/compiler.cpp | 286 ++++++++-------- src/compiler.h | 74 ++-- src/main.cpp | 76 ++--- src/vmassembler.vcxproj | 7 +- src/vmassembler.vcxproj.filters | 9 +- 11 files changed, 248 insertions(+), 812 deletions(-) create mode 100644 .clang-format create mode 160000 dependencies/cli-parser create mode 160000 dependencies/xtils delete mode 100644 src/cli-parser.hpp diff --git a/.clang-format b/.clang-format new file mode 100644 index 0000000..8063c5e --- /dev/null +++ b/.clang-format @@ -0,0 +1,18 @@ +--- +BasedOnStyle: Microsoft +AlignAfterOpenBracket: Align +AllowAllArgumentsOnNextLine: 'true' +AllowAllParametersOfDeclarationOnNextLine: 'true' +AllowShortIfStatementsOnASingleLine: Never +BreakBeforeBraces: Allman +IndentWidth: '4' +Language: Cpp +NamespaceIndentation: All +SpacesInAngles: 'true' +SpacesInCStyleCastParentheses: 'true' +SpacesInContainerLiterals: 'true' +SpacesInParentheses: 'true' +SpacesInSquareBrackets: 'true' +UseTab: Never + +... diff --git a/.gitmodules b/.gitmodules index 013d5e9..507f5f1 100644 --- a/.gitmodules +++ b/.gitmodules @@ -1,3 +1,9 @@ [submodule "dependencies/vmprofiler"] path = dependencies/vmprofiler url = https://githacks.org/vmp2/vmprofiler.git +[submodule "dependencies/xtils"] + path = dependencies/xtils + url = https://githacks.org/_xeroxz/xtils.git +[submodule "dependencies/cli-parser"] + path = dependencies/cli-parser + url = https://githacks.org/_xeroxz/cli-parser.git diff --git a/dependencies/cli-parser b/dependencies/cli-parser new file mode 160000 index 0000000..1aedaf8 --- /dev/null +++ b/dependencies/cli-parser @@ -0,0 +1 @@ +Subproject commit 1aedaf8bb7f383f54b7cd498767611535526da85 diff --git a/dependencies/vmprofiler b/dependencies/vmprofiler index 05ba2cc..8ffe1ca 160000 --- a/dependencies/vmprofiler +++ b/dependencies/vmprofiler @@ -1 +1 @@ -Subproject commit 05ba2cc84ba94e1d526168ad686fc2e167ad2eab +Subproject commit 8ffe1cac5017b0258a44c1bbe9254621be771147 diff --git a/dependencies/xtils b/dependencies/xtils new file mode 160000 index 0000000..7c32517 --- /dev/null +++ b/dependencies/xtils @@ -0,0 +1 @@ +Subproject commit 7c32517322c29a866cbb1e67fb9051efa2e05553 diff --git a/src/cli-parser.hpp b/src/cli-parser.hpp deleted file mode 100644 index 0b404ee..0000000 --- a/src/cli-parser.hpp +++ /dev/null @@ -1,580 +0,0 @@ -/** - * License: Apache 2.0 with LLVM Exception or GPL v3 - * - * Author: Jesse Laning - */ - -#ifndef ARGPARSE_H -#define ARGPARSE_H - -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include -#include - -namespace argparse { - namespace detail { - static inline bool _not_space(int ch) { return !std::isspace(ch); } - static inline void _ltrim(std::string& s, bool (*f)(int) = _not_space) { - s.erase(s.begin(), std::find_if(s.begin(), s.end(), f)); - } - static inline void _rtrim(std::string& s, bool (*f)(int) = _not_space) { - s.erase(std::find_if(s.rbegin(), s.rend(), f).base(), s.end()); - } - static inline void _trim(std::string& s, bool (*f)(int) = _not_space) { - _ltrim(s, f); - _rtrim(s, f); - } - static inline std::string _ltrim_copy(std::string s, - bool (*f)(int) = _not_space) { - _ltrim(s, f); - return s; - } - static inline std::string _rtrim_copy(std::string s, - bool (*f)(int) = _not_space) { - _rtrim(s, f); - return s; - } - static inline std::string _trim_copy(std::string s, - bool (*f)(int) = _not_space) { - _trim(s, f); - return s; - } - template - static inline std::string _join(InputIt begin, InputIt end, - const std::string& separator = " ") { - std::ostringstream ss; - if (begin != end) { - ss << *begin++; - } - while (begin != end) { - ss << separator; - ss << *begin++; - } - return ss.str(); - } - static inline bool _is_number(const std::string& arg) { - std::istringstream iss(arg); - float f; - iss >> std::noskipws >> f; - return iss.eof() && !iss.fail(); - } - - static inline int _find_equal(const std::string& s) { - for (size_t i = 0; i < s.length(); ++i) { - // if find graph symbol before equal, end search - // i.e. don't accept --asd)f=0 arguments - // but allow --asd_f and --asd-f arguments - if (std::ispunct(static_cast(s[i]))) { - if (s[i] == '=') { - return static_cast(i); - } - else if (s[i] == '_' || s[i] == '-') { - continue; - } - return -1; - } - } - return -1; - } - - static inline size_t _find_name_end(const std::string& s) { - size_t i; - for (i = 0; i < s.length(); ++i) { - if (std::ispunct(static_cast(s[i]))) { - break; - } - } - return i; - } - - namespace is_vector_impl { - template - struct is_vector : std::false_type {}; - template - struct is_vector> : std::true_type {}; - } // namespace is_vector_impl - - // type trait to utilize the implementation type traits as well as decay the - // type - template - struct is_vector { - static constexpr bool const value = - is_vector_impl::is_vector::type>::value; - }; - } // namespace detail - - class argument_parser_t { - private: - public: - class Argument; - - class Result { - public: - Result() {} - Result(std::string err) noexcept : _error(true), _what(err) {} - - operator bool() const { return _error; } - - friend std::ostream& operator<<(std::ostream& os, const Result& dt); - - const std::string& what() const { return _what; } - - private: - bool _error{ false }; - std::string _what{}; - }; - - class Argument { - public: - enum Position : int { LAST = -1, DONT_CARE = -2 }; - enum Count : int { ANY = -1 }; - - Argument& name(const std::string& name) { - _names.push_back(name); - return *this; - } - - Argument& names(std::vector names) { - _names.insert(_names.end(), names.begin(), names.end()); - return *this; - } - - Argument& description(const std::string& description) { - _desc = description; - return *this; - } - - Argument& required(bool req) { - _required = req; - return *this; - } - - Argument& position(int position) { - if (position != Position::LAST) { - // position + 1 because technically argument zero is the name of the - // executable - _position = position + 1; - } - else { - _position = position; - } - return *this; - } - - Argument& count(int count) { - _count = count; - return *this; - } - - bool found() const { return _found; } - - template - typename std::enable_if::value, T>::type get() { - T t = T(); - typename T::value_type vt; - for (auto& s : _values) { - std::istringstream in(s); - in >> vt; - t.push_back(vt); - } - return t; - } - - template - typename std::enable_if::value, T>::type get() { - std::istringstream in(get()); - T t = T(); - in >> t >> std::ws; - return t; - } - - private: - Argument(const std::string& name, const std::string& desc, - bool required = false) - : _desc(desc), _required(required) { - _names.push_back(name); - } - - Argument() {} - - friend class argument_parser_t; - int _position{ Position::DONT_CARE }; - int _count{ Count::ANY }; - std::vector _names{}; - std::string _desc{}; - bool _found{ false }; - bool _required{ false }; - int _index{ -1 }; - - std::vector _values{}; - }; - - argument_parser_t(std::string bin, std::string desc) - : _bin(bin), _desc(desc) {} - - Argument& add_argument() { - _arguments.push_back({}); - _arguments.back()._index = static_cast(_arguments.size()) - 1; - return _arguments.back(); - } - - Argument& add_argument(const std::string& name, const std::string& long_name, - const std::string& desc, const bool required = false) { - _arguments.push_back(Argument(name, desc, required)); - _arguments.back()._names.push_back(long_name); - _arguments.back()._index = static_cast(_arguments.size()) - 1; - return _arguments.back(); - } - - Argument& add_argument(const std::string& name, const std::string& desc, - const bool required = false) { - _arguments.push_back(Argument(name, desc, required)); - _arguments.back()._index = static_cast(_arguments.size()) - 1; - return _arguments.back(); - } - - void print_help(size_t count = 0, size_t page = 0) { - if (page * count > _arguments.size()) { - return; - } - if (page == 0) { - std::cout << "Usage: " << _bin; - if (_positional_arguments.empty()) { - std::cout << " [options...]" << std::endl; - } - else { - int current = 1; - for (auto& v : _positional_arguments) { - if (v.first != Argument::Position::LAST) { - for (; current < v.first; current++) { - std::cout << " [" << current << "]"; - } - std::cout - << " [" - << detail::_ltrim_copy( - _arguments[static_cast(v.second)]._names[0], - [](int c) -> bool { return c != static_cast('-'); }) - << "]"; - } - } - auto it = _positional_arguments.find(Argument::Position::LAST); - if (it == _positional_arguments.end()) { - std::cout << " [options...]"; - } - else { - std::cout - << " [options...] [" - << detail::_ltrim_copy( - _arguments[static_cast(it->second)]._names[0], - [](int c) -> bool { return c != static_cast('-'); }) - << "]"; - } - std::cout << std::endl; - } - std::cout << "Options:" << std::endl; - } - if (count == 0) { - page = 0; - count = _arguments.size(); - } - for (size_t i = page * count; - i < std::min(page * count + count, _arguments.size()); i++) { - Argument& a = _arguments[i]; - std::string name = a._names[0]; - for (size_t n = 1; n < a._names.size(); ++n) { - name.append(", " + a._names[n]); - } - std::cout << " " << std::setw(23) << std::left << name << std::setw(23) - << a._desc; - if (a._required) { - std::cout << " (Required)"; - } - std::cout << std::endl; - } - } - - Result parse(int argc, const char* argv[]) { - Result err; - if (argc > 1) { - // build name map - for (auto& a : _arguments) { - for (auto& n : a._names) { - std::string name = detail::_ltrim_copy( - n, [](int c) -> bool { return c != static_cast('-'); }); - if (_name_map.find(name) != _name_map.end()) { - return Result("Duplicate of argument name: " + n); - } - _name_map[name] = a._index; - } - if (a._position >= 0 || a._position == Argument::Position::LAST) { - _positional_arguments[a._position] = a._index; - } - } - if (err) { - return err; - } - - // parse - std::string current_arg; - size_t arg_len; - for (int argv_index = 1; argv_index < argc; ++argv_index) { - current_arg = std::string(argv[argv_index]); - arg_len = current_arg.length(); - if (arg_len == 0) { - continue; - } - if (_help_enabled && (current_arg == "-h" || current_arg == "--help")) { - _arguments[static_cast(_name_map["help"])]._found = true; - } - else if (argv_index == argc - 1 && - _positional_arguments.find(Argument::Position::LAST) != - _positional_arguments.end()) { - err = _end_argument(); - Result b = err; - err = _add_value(current_arg, Argument::Position::LAST); - if (b) { - return b; - } - if (err) { - return err; - } - } - else if (arg_len >= 2 && - !detail::_is_number(current_arg)) { // ignores the case if - // the arg is just a - - // look for -a (short) or --arg (long) args - if (current_arg[0] == '-') { - err = _end_argument(); - if (err) { - return err; - } - // look for --arg (long) args - if (current_arg[1] == '-') { - err = _begin_argument(current_arg.substr(2), true, argv_index); - if (err) { - return err; - } - } - else { // short args - err = _begin_argument(current_arg.substr(1), false, argv_index); - if (err) { - return err; - } - } - } - else { // argument value - err = _add_value(current_arg, argv_index); - if (err) { - return err; - } - } - } - else { // argument value - err = _add_value(current_arg, argv_index); - if (err) { - return err; - } - } - } - } - if (_help_enabled && exists("help")) { - return Result(); - } - err = _end_argument(); - if (err) { - return err; - } - for (auto& p : _positional_arguments) { - Argument& a = _arguments[static_cast(p.second)]; - if (a._values.size() > 0 && a._values[0][0] == '-') { - std::string name = detail::_ltrim_copy(a._values[0], [](int c) -> bool { - return c != static_cast('-'); - }); - if (_name_map.find(name) != _name_map.end()) { - if (a._position == Argument::Position::LAST) { - return Result( - "Poisitional argument expected at the end, but argument " + - a._values[0] + " found instead"); - } - else { - return Result("Poisitional argument expected in position " + - std::to_string(a._position) + ", but argument " + - a._values[0] + " found instead"); - } - } - } - } - for (auto& a : _arguments) { - if (a._required && !a._found) { - return Result("Required argument not found: " + a._names[0]); - } - if (a._position >= 0 && argc >= a._position && !a._found) { - return Result("Argument " + a._names[0] + " expected in position " + - std::to_string(a._position)); - } - } - return Result(); - } - - void enable_help() { - add_argument("-h", "--help", "Shows this page", false); - _help_enabled = true; - } - - bool exists(const std::string& name) const { - std::string n = detail::_ltrim_copy( - name, [](int c) -> bool { return c != static_cast('-'); }); - auto it = _name_map.find(n); - if (it != _name_map.end()) { - return _arguments[static_cast(it->second)]._found; - } - return false; - } - - template - T get(const std::string& name) { - auto t = _name_map.find(name); - if (t != _name_map.end()) { - return _arguments[static_cast(t->second)].get(); - } - return T(); - } - - private: - Result _begin_argument(const std::string& arg, bool longarg, int position) { - auto it = _positional_arguments.find(position); - if (it != _positional_arguments.end()) { - Result err = _end_argument(); - Argument& a = _arguments[static_cast(it->second)]; - a._values.push_back((longarg ? "--" : "-") + arg); - a._found = true; - return err; - } - if (_current != -1) { - return Result("Current argument left open"); - } - size_t name_end = detail::_find_name_end(arg); - std::string arg_name = arg.substr(0, name_end); - if (longarg) { - int equal_pos = detail::_find_equal(arg); - auto nmf = _name_map.find(arg_name); - if (nmf == _name_map.end()) { - return Result("Unrecognized command line option '" + arg_name + "'"); - } - _current = nmf->second; - _arguments[static_cast(nmf->second)]._found = true; - if (equal_pos == 0 || - (equal_pos < 0 && - arg_name.length() < arg.length())) { // malformed argument - return Result("Malformed argument: " + arg); - } - else if (equal_pos > 0) { - std::string arg_value = arg.substr(name_end + 1); - _add_value(arg_value, position); - } - } - else { - Result r; - if (arg_name.length() == 1) { - return _begin_argument(arg, true, position); - } - else { - for (char& c : arg_name) { - r = _begin_argument(std::string(1, c), true, position); - if (r) { - return r; - } - r = _end_argument(); - if (r) { - return r; - } - } - } - } - return Result(); - } - - Result _add_value(const std::string& value, int location) { - if (_current >= 0) { - Result err; - Argument& a = _arguments[static_cast(_current)]; - if (a._count >= 0 && static_cast(a._values.size()) >= a._count) { - err = _end_argument(); - if (err) { - return err; - } - goto unnamed; - } - a._values.push_back(value); - if (a._count >= 0 && static_cast(a._values.size()) >= a._count) { - err = _end_argument(); - if (err) { - return err; - } - } - return Result(); - } - else { - unnamed: - auto it = _positional_arguments.find(location); - if (it != _positional_arguments.end()) { - Argument& a = _arguments[static_cast(it->second)]; - a._values.push_back(value); - a._found = true; - } - // TODO - return Result(); - } - } - - Result _end_argument() { - if (_current >= 0) { - Argument& a = _arguments[static_cast(_current)]; - _current = -1; - if (static_cast(a._values.size()) < a._count) { - return Result("Too few arguments given for " + a._names[0]); - } - if (a._count >= 0) { - if (static_cast(a._values.size()) > a._count) { - return Result("Too many arguments given for " + a._names[0]); - } - } - } - return Result(); - } - - bool _help_enabled{ false }; - int _current{ -1 }; - std::string _bin{}; - std::string _desc{}; - std::vector _arguments{}; - std::map _positional_arguments{}; - std::map _name_map{}; - }; - - std::ostream& operator<<(std::ostream& os, const argument_parser_t::Result& r) { - os << r.what(); - return os; - } - template <> - inline std::string argument_parser_t::Argument::get() { - return detail::_join(_values.begin(), _values.end()); - } - template <> - inline std::vector - argument_parser_t::Argument::get>() { - return _values; - } - -} // namespace argparse -#endif \ No newline at end of file diff --git a/src/compiler.cpp b/src/compiler.cpp index 948708d..245a3c9 100644 --- a/src/compiler.cpp +++ b/src/compiler.cpp @@ -2,143 +2,149 @@ namespace vm { - compiler_t::compiler_t( - base_data_t base_data, - vmp2::exec_type_t exec_type, - std::vector* vm_handlers, - zydis_routine_t* calc_jmp - ) - : module_base(base_data.module_base), - image_base(base_data.image_base), - exec_type(exec_type), - vm_handlers(vm_handlers), - calc_jmp(calc_jmp) - { - if (!parse_t::get_instance()->for_each( - [&](_vinstr_meta* vinstr) -> bool - { - std::printf("> vinstr name = %s, has imm = %d, imm = 0x%p\n", - vinstr->name.c_str(), vinstr->has_imm, vinstr->imm); - - for (auto& vm_handler : *vm_handlers) - if (vm_handler.profile && vm_handler.profile->name == vinstr->name) - return true; - - std::printf("> this vm protected file does not have the vm handler for: %s...\n", - vinstr->name.c_str()); - - return false; - } - )) - { - std::printf("[!] binary does not have the required vm handlers...\n"); - exit(-1); - } - - if(!vm::handler::get_operand_transforms(*calc_jmp, calc_jmp_transforms)) - { - std::printf("[!] failed to extract calc_jmp transformations...\n"); - exit(-1); - } - } - - std::pair*> compiler_t::encode() - { - parse_t::get_instance()->for_each( - [&](_vinstr_meta* vinstr) -> bool - { - for (auto itr = vm_handlers->begin(); itr != vm_handlers->end(); ++itr) - { - if (itr->profile && itr->profile->name == vinstr->name) - { - vinstrs.push_back({ (std::uint8_t)(itr - vm_handlers->begin()), - vinstr->imm, itr->profile->imm_size }); - break; - } - } - return true; - } - ); - - return { true, &vinstrs }; - } - - std::pair*> compiler_t::encrypt() - { - const auto end_of_module = - NT_HEADER(module_base)->OptionalHeader.SizeOfImage + image_base; - - // - // init decryption key... - // - - // decryption key starts off as the image - // base address of the virtual instructions... - std::uintptr_t decrypt_key = end_of_module, start_addr; - if (exec_type == vmp2::exec_type_t::backward) - { - std::for_each(vinstrs.begin(), vinstrs.end(), - [&](const vinstr_data& vinstr) - { - (++decrypt_key) += - vinstr.imm_size ? vinstr.imm_size / 8 : 0; - } - ); - } - start_addr = decrypt_key; - - // - // invert the encoded virtual instructions operands if vip advances backward... - // - - if (exec_type == vmp2::exec_type_t::backward) - std::reverse(vinstrs.begin(), vinstrs.end()); - - // - // loop over the instructions and encrypt them... - // - - for (auto& vinstr : vinstrs) - { - std::printf("> decrypt key = 0x%p\n", decrypt_key); - - auto vm_handler_idx = vinstr.vm_handler; - std::tie(vinstr.vm_handler, decrypt_key) = - vm::encrypt_operand(calc_jmp_transforms, - vinstr.vm_handler, decrypt_key); - - if (!vinstr.imm_size) - { - result_buffer.push_back(vinstr.vm_handler); - continue; - } - - auto transforms = vm_handlers->at(vm_handler_idx).transforms; - std::tie(vinstr.operand, decrypt_key) = - vm::encrypt_operand(transforms, vinstr.operand, decrypt_key); - - // - // operands must be backwards if VIP advances backward... - // - - if (exec_type == vmp2::exec_type_t::backward) - { - for (auto idx = 0u; idx < vinstr.imm_size / 8; ++idx) - result_buffer.push_back( - reinterpret_cast(&vinstr.operand)[idx]); - - result_buffer.push_back(vinstr.vm_handler); - } - else - { - result_buffer.push_back(vinstr.vm_handler); - - for (auto idx = 0u; idx < vinstr.imm_size / 8; ++idx) - result_buffer.push_back( - reinterpret_cast(&vinstr.operand)[idx]); - } - } - - return { start_addr, &result_buffer }; - } -} \ No newline at end of file + compiler_t::compiler_t( base_data_t base_data, vmp2::exec_type_t exec_type, + std::vector< vm::handler::handler_t > *vm_handlers, zydis_routine_t *calc_jmp, + zydis_routine_t *vm_entry ) + : module_base( base_data.module_base ), image_base( base_data.image_base ), exec_type( exec_type ), + vm_handlers( vm_handlers ), calc_jmp( calc_jmp ), vm_entry( vm_entry ) + { + if ( !parse_t::get_instance()->for_each( [ & ]( _vinstr_meta *vinstr ) -> bool { + std::printf( "> vinstr name = %s, has imm = %d, imm = 0x%p\n", vinstr->name.c_str(), vinstr->has_imm, + vinstr->imm ); + + for ( auto &vm_handler : *vm_handlers ) + if ( vm_handler.profile && vm_handler.profile->name == vinstr->name ) + return true; + + std::printf( "[!] this vm protected file does not have the vm handler for: %s...\n", + vinstr->name.c_str() ); + + return false; + } ) ) + { + std::printf( "[!] binary does not have the required vm handlers...\n" ); + exit( -1 ); + } + + if ( !vm::handler::get_operand_transforms( *calc_jmp, calc_jmp_transforms ) ) + { + std::printf( "[!] failed to extract calc_jmp transformations...\n" ); + exit( -1 ); + } + + if ( !vm::instrs::get_rva_decrypt( *vm_entry, encrypt_vinstrs_rva ) ) + { + std::printf( "[!] failed to extract virtual instruction rva decryption instructions...\n" ); + exit( -1 ); + } + + if (!vm::transform::inverse_transforms( encrypt_vinstrs_rva )) + { + std::printf( "[!] failed to inverse virtual instruction rva decrypt instructions...\n" ); + exit( -1 ); + } + } + + std::pair< bool, std::vector< vinstr_data > * > compiler_t::encode() + { + parse_t::get_instance()->for_each( [ & ]( _vinstr_meta *vinstr ) -> bool { + for ( auto itr = vm_handlers->begin(); itr != vm_handlers->end(); ++itr ) + { + if ( itr->profile && itr->profile->name == vinstr->name ) + { + vinstrs.push_back( + { ( std::uint8_t )( itr - vm_handlers->begin() ), vinstr->imm, itr->profile->imm_size } ); + break; + } + } + return true; + } ); + + return { true, &vinstrs }; + } + + std::pair< std::uint64_t, std::vector< std::uint8_t > * > compiler_t::encrypt() + { + const auto end_of_module = NT_HEADER( module_base )->OptionalHeader.SizeOfImage + image_base; + + // + // init decryption key... + // + + // decryption key starts off as the image + // base address of the virtual instructions... + std::uintptr_t decrypt_key = end_of_module, start_addr; + if ( exec_type == vmp2::exec_type_t::backward ) + { + std::for_each( vinstrs.begin(), vinstrs.end(), [ & ]( const vinstr_data &vinstr ) { + ( ++decrypt_key ) += vinstr.imm_size ? vinstr.imm_size / 8 : 0; + } ); + } + start_addr = decrypt_key; + + // + // invert the encoded virtual instructions operands if vip advances backward... + // + + if ( exec_type == vmp2::exec_type_t::backward ) + std::reverse( vinstrs.begin(), vinstrs.end() ); + + // + // loop over the instructions and encrypt them... + // + + for ( auto &vinstr : vinstrs ) + { + std::printf( "> decrypt key = 0x%p\n", decrypt_key ); + + auto vm_handler_idx = vinstr.vm_handler; + std::tie( vinstr.vm_handler, decrypt_key ) = + vm::instrs::encrypt_operand( calc_jmp_transforms, vinstr.vm_handler, decrypt_key ); + + if ( !vinstr.imm_size ) + { + result_buffer.push_back( vinstr.vm_handler ); + continue; + } + + auto transforms = vm_handlers->at( vm_handler_idx ).transforms; + std::tie( vinstr.operand, decrypt_key ) = + vm::instrs::encrypt_operand( transforms, vinstr.operand, decrypt_key ); + + // + // operands must be backwards if VIP advances backward... + // + + if ( exec_type == vmp2::exec_type_t::backward ) + { + for ( auto idx = 0u; idx < vinstr.imm_size / 8; ++idx ) + result_buffer.push_back( reinterpret_cast< std::uint8_t * >( &vinstr.operand )[ idx ] ); + + result_buffer.push_back( vinstr.vm_handler ); + } + else + { + result_buffer.push_back( vinstr.vm_handler ); + + for ( auto idx = 0u; idx < vinstr.imm_size / 8; ++idx ) + result_buffer.push_back( reinterpret_cast< std::uint8_t * >( &vinstr.operand )[ idx ] ); + } + } + + return { start_addr, &result_buffer }; + } + + std::uint64_t compiler_t::encrypt_rva( std::uint64_t rva ) + { + std::printf( "> encrypt virtual instruction rva transformations:\n" ); + for ( auto &transform : encrypt_vinstrs_rva ) + vm::util::print( transform ); + + for ( auto &instr : encrypt_vinstrs_rva ) + rva = vm::transform::apply( instr.operands[ 0 ].size, instr.mnemonic, rva, + transform::has_imm( &instr ) ? instr.operands[ 1 ].imm.value.u : 0 ); + + std::printf( "> encrypted rva = 0x%p\n", rva ); + return rva; + } +} // namespace vm \ No newline at end of file diff --git a/src/compiler.h b/src/compiler.h index ede5a91..d36bf40 100644 --- a/src/compiler.h +++ b/src/compiler.h @@ -1,49 +1,47 @@ #pragma once #include -#include -#include -#include #include +#include + #include "parser.h" -#define NT_HEADER(x) \ - reinterpret_cast( \ - reinterpret_cast(x)->e_lfanew + x) +#define NT_HEADER( x ) \ + reinterpret_cast< PIMAGE_NT_HEADERS64 >( reinterpret_cast< PIMAGE_DOS_HEADER >( x )->e_lfanew + x ) namespace vm { - struct base_data_t - { - std::uintptr_t module_base; - std::uintptr_t image_base; - }; + struct base_data_t + { + std::uintptr_t module_base; + std::uintptr_t image_base; + }; + + struct vinstr_data + { + std::uint8_t vm_handler; + std::uint64_t operand; + std::uint8_t imm_size; // size in bits... + }; - struct vinstr_data - { - std::uint8_t vm_handler; - std::uint64_t operand; - std::uint8_t imm_size; // size in bits... - }; + class compiler_t + { + public: + explicit compiler_t( base_data_t base_data, vmp2::exec_type_t exec_type, + std::vector< vm::handler::handler_t > *vm_handlers, zydis_routine_t *calc_jmp, + zydis_routine_t *vm_entry ); - class compiler_t - { - public: - explicit compiler_t( - base_data_t base_data, - vmp2::exec_type_t exec_type, - std::vector* vm_handlers, - zydis_routine_t* calc_jmp - ); + std::pair< bool, std::vector< vinstr_data > * > encode(); + std::pair< std::uint64_t, std::vector< std::uint8_t > * > encrypt(); + std::uint64_t encrypt_rva( std::uint64_t rva ); - std::pair*> encode(); - std::pair* > encrypt(); - private: - transform::map_t calc_jmp_transforms; - zydis_routine_t* calc_jmp; - std::vector* vm_handlers; - vmp2::exec_type_t exec_type; - std::vector vinstrs; - std::vector result_buffer; - std::uintptr_t image_base, module_base; - }; -} \ No newline at end of file + private: + transform::map_t calc_jmp_transforms; + zydis_routine_t *calc_jmp, *vm_entry; + std::vector< vm::handler::handler_t > *vm_handlers; + vmp2::exec_type_t exec_type; + std::vector< vinstr_data > vinstrs; + std::vector< std::uint8_t > result_buffer; + std::vector< zydis_decoded_instr_t > encrypt_vinstrs_rva; + std::uintptr_t image_base, module_base; + }; +} // namespace vm \ No newline at end of file diff --git a/src/main.cpp b/src/main.cpp index ac8e52e..dc09b48 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -1,13 +1,14 @@ -#include -#include #include +#include #include +#include +#include #include +#include #include "compiler.h" #include "parser.tab.h" #include "parser.h" -#include "cli-parser.hpp" #include "vmasm.hpp" extern FILE* yyin; @@ -19,14 +20,9 @@ void yyerror(char* msg) int __cdecl main(int argc, const char* argv[]) { - // - // handle arguments from the commandline... - // + argparse::argument_parser_t argp( "vmassembler", "virtual instruction assembler" ); - argparse::argument_parser_t argp( - "vmassembler", "virtual instruction assembler for VMProtect 2"); - - argp.add_argument() + argp.add_argument() .names({ "--input", "--in" }) .description("path to a vasm file to be assembled...") .required(true); @@ -41,16 +37,6 @@ int __cdecl main(int argc, const char* argv[]) .description("rva to vm entry...") .required(true); - argp.add_argument() - .names({ "--imagebase", "--base" }) - .description("optional header image base field value...") - .required(true); - - argp.add_argument() - .name({ "--advancement" }) - .description("which direction vip advances... the options are 'forward' and 'backward'") - .required(true); - argp.add_argument() .name({ "--output" }) .description("output file name and path...") @@ -100,17 +86,12 @@ int __cdecl main(int argc, const char* argv[]) const auto vm_entry_rva = std::strtoull( argp.get("vmentry").c_str(), nullptr, 16); - const auto image_base = std::strtoull( - argp.get("imagebase").c_str(), nullptr, 16); - - vmp2::exec_type_t advancement = - argp.get("advancement") == "backward" ? - vmp2::exec_type_t::backward : vmp2::exec_type_t::forward; + const auto image_base = + xtils::um_t::get_instance()->image_base( argp.get< std::string >( "vmpbin" ).c_str() ); - zydis_routine_t vm_entry, calc_jmp; - std::vector vm_handlers; - std::uintptr_t* vm_handler_table; - ZydisDecodedInstruction encrypt_rva; + zydis_routine_t vm_entry, calc_jmp; + std::vector< vm::handler::handler_t > vm_handlers; + std::uintptr_t* vm_handler_table; if (!vm::util::flatten(vm_entry, module_base + vm_entry_rva)) { @@ -135,21 +116,27 @@ int __cdecl main(int argc, const char* argv[]) return -1; } - if (!vm::get_calc_jmp(vm_entry, calc_jmp)) - { + if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) ) + { std::printf("[!] failed to get calc_jmp...\n"); return -1; } - if (!vm::get_vinstr_rva_transform(vm_entry, &encrypt_rva)) - { - std::printf("[!] failed to get virtual instruction rva encryption transform...\n"); - return -1; - } + const auto advancement = vm::calc_jmp::get_advancement( calc_jmp ); - vm::compiler_t compiler({ module_base, image_base }, advancement, &vm_handlers, &calc_jmp); + if ( !advancement.has_value() ) + { + std::printf( "[!] failed to determine advancement direction...\n" ); + return -1; + } - // + std::printf( "> virtual instruction pointer advances %s...\n", + advancement.value() == vmp2::exec_type_t::forward ? "forward" : "backward" ); + + vm::compiler_t compiler( { module_base, image_base }, + advancement.value(), &vm_handlers, &calc_jmp, &vm_entry ); + + // // encode virtual instructions... // @@ -209,14 +196,9 @@ int __cdecl main(int argc, const char* argv[]) file_header.vasm_size = result_buffer->size(); file_header.alloc_rva = (entry_rva - image_base); file_header.vasm_offset = sizeof vmasm::file_header_t; - file_header.encrypted_rva = vm::transform::apply( - encrypt_rva.operands[0].size, - encrypt_rva.mnemonic, entry_rva, - // check to see if this instruction has an IMM... - vm::transform::has_imm(&encrypt_rva) ? - encrypt_rva.operands[1].imm.value.u : 0); - - std::ofstream output(argp.get("output"), std::ios::binary); + file_header.encrypted_rva = compiler.encrypt_rva( entry_rva ); + + std::ofstream output(argp.get("output"), std::ios::binary); output.write(reinterpret_cast(&file_header), sizeof file_header); output.write(reinterpret_cast(result_buffer->data()), result_buffer->size()); output.close(); diff --git a/src/vmassembler.vcxproj b/src/vmassembler.vcxproj index f98eb03..9a894a3 100644 --- a/src/vmassembler.vcxproj +++ b/src/vmassembler.vcxproj @@ -19,7 +19,7 @@ false v142 true - MultiByte + Unicode @@ -33,7 +33,7 @@ false - $(ProjectDir)..\dependencies\vmprofiler\include\;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\include;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\dependencies\cli-parser\;$(IncludePath) + $(ProjectDir)..\dependencies\vmprofiler\include\;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\include;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\msvc;$(ProjectDir)..\dependencies\vmprofiler\dependencies\zydis\dependencies\zycore\include;$(ProjectDir)..\dependencies\cli-parser\;$(ProjectDir)..\dependencies\xtils\;$(IncludePath) @@ -75,6 +75,7 @@ + @@ -125,7 +126,7 @@ - + diff --git a/src/vmassembler.vcxproj.filters b/src/vmassembler.vcxproj.filters index 36bdfe7..f88099b 100644 --- a/src/vmassembler.vcxproj.filters +++ b/src/vmassembler.vcxproj.filters @@ -69,9 +69,6 @@ Header Files - - Header Files - Header Files @@ -228,6 +225,12 @@ Header Files\vmprofiler + + Header Files + + + Header Files +