From a2b532cfffd9f23a35d625c596629abe46eef33a Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sat, 28 Aug 2021 13:42:04 -0700 Subject: [PATCH 1/2] updated vmexit handler, updated vmprofiler dep... updated main.cpp --- dependencies/vmprofiler | 2 +- src/devirt_t.cpp | 17 ----------------- src/devirt_utils.cpp | 2 +- src/lifters/vmexit.cpp | 4 ++-- src/main.cpp | 1 + 5 files changed, 5 insertions(+), 21 deletions(-) diff --git a/dependencies/vmprofiler b/dependencies/vmprofiler index 90106b0..0511401 160000 --- a/dependencies/vmprofiler +++ b/dependencies/vmprofiler @@ -1 +1 @@ -Subproject commit 90106b0f5e748f1e67e108800ee0463bae5755e3 +Subproject commit 051140175db16b38acee882cfca714b4a1000a41 diff --git a/src/devirt_t.cpp b/src/devirt_t.cpp index 169536f..478f3e5 100644 --- a/src/devirt_t.cpp +++ b/src/devirt_t.cpp @@ -85,23 +85,6 @@ namespace vm bool devirt_t::compile( std::vector< std::uint8_t > &obj ) { - llvm::legacy::FunctionPassManager pass_mgr( llvm_module ); - pass_mgr.add( llvm::createPromoteMemoryToRegisterPass() ); - pass_mgr.add( llvm::createCFGSimplificationPass() ); - pass_mgr.add( llvm::createSROAPass() ); - pass_mgr.add( llvm::createLoopSimplifyCFGPass() ); - pass_mgr.add( llvm::createNewGVNPass() ); - pass_mgr.add( llvm::createReassociatePass() ); - pass_mgr.add( llvm::createPartiallyInlineLibCallsPass() ); - pass_mgr.add( llvm::createDeadCodeEliminationPass() ); - pass_mgr.add( llvm::createCFGSimplificationPass() ); - pass_mgr.add( llvm::createInstructionCombiningPass() ); - pass_mgr.add( llvm::createFlattenCFGPass() ); - - for ( auto vmp_rtn : vmp_rtns ) - pass_mgr.run( *vmp_rtn->llvm_fptr ); - - // compile to native x86_64.... llvm::TargetOptions opt; llvm::SmallVector< char, 128 > buff; llvm::raw_svector_ostream dest( buff ); diff --git a/src/devirt_utils.cpp b/src/devirt_utils.cpp index 8e7a62f..ff8d310 100644 --- a/src/devirt_utils.cpp +++ b/src/devirt_utils.cpp 
@@ -12,7 +12,7 @@ namespace devirt if ( file_header->version != vmp2::version_t::v4 ) { - std::printf( "[!] invalid vmp2 file version... this build uses v3...\n" ); + std::printf( "[!] invalid vmp2 file version... this build uses v4...\n" ); return false; } diff --git a/src/lifters/vmexit.cpp b/src/lifters/vmexit.cpp index 1d60373..795ad26 100644 --- a/src/lifters/vmexit.cpp +++ b/src/lifters/vmexit.cpp @@ -8,8 +8,8 @@ namespace vm llvm::IRBuilder<> *ir_builder ) { std::stringstream rtn_name; llvm::Function *exit_func = nullptr; - rtn_name << "vmexit_" << std::hex << vinstr.trace_data.vm_handler_rva + rtn->vmp2_file->image_base; + if ( !( exit_func = rtn->llvm_module->getFunction( rtn_name.str() ) ) ) { auto vmexit_func_type = llvm::FunctionType::get( @@ -58,4 +58,4 @@ namespace vm ir_builder->CreateCall( exit_func, stack_ptr ); ir_builder->CreateRet( stack_ptr ); }; -} +} // namespace vm diff --git a/src/main.cpp b/src/main.cpp index d7a4a7e..89f8f81 100644 --- a/src/main.cpp +++ b/src/main.cpp @@ -64,6 +64,7 @@ int main( int argc, const char *argv[] ) { std::printf( "[!] failed to lift rtn_0x%p, please review the console...\n", vm_enter_offset + file_header->image_base ); + return -1; } } From 661bc3bc165011385e177387aa0c7237b1c21f6b Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Sat, 28 Aug 2021 23:22:23 -0700 Subject: [PATCH 2/2] added more lifters - there are many more to add... --- CMakeLists.txt | 1 + dependencies/vmprofiler | 2 +- include/vm_lifters.hpp | 8 ++++++-- src/lifters/nand.cpp | 34 ++++++++++++++++++++++++++++------ src/lifters/sreg.cpp | 11 +++++++++++ src/lifters/write.cpp | 13 +++++++++++++ 6 files changed, 60 insertions(+), 9 deletions(-) create mode 100644 src/lifters/write.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index fd248be..ac51295 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt 
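Review bot: The expected version on the `+` line is still a hand-typed literal, which is exactly how the message drifted to "v3" in the first place; printing the value actually read and the constant the check compares against keeps the message honest, e.g. `std::printf( "[!] invalid vmp2 file version %u... this build uses v%u...\n", static_cast< unsigned >( file_header->version ), static_cast< unsigned >( vmp2::version_t::v4 ) );`. This assumes vmp2::version_t is an integral or enum type that converts cleanly with static_cast — confirm against the vmprofiler header. The enclosing function starts and ends outside the hunk.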
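Review bot: With the `rtn_name << "vmexit_" << ...` line removed and replaced by a blank line, `rtn_name` is never written, so `rtn->llvm_module->getFunction( rtn_name.str() )` on the following context line now looks up the empty name; unless the stream is filled somewhere outside the hunk, that lookup presumably never finds a previously created stub (LLVM does not register unnamed functions in the module symbol table) and a fresh exit function is created on every VMEXIT. If the intent is one shared exit stub per module, give it a fixed name, `rtn_name << "vmexit";`, or drop the stringstream and pass a literal; if the intent is still one stub per handler address, the RVA needs to go back into the name. The enclosing lifter starts before the hunk and its body continues past it.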
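Review bot: The added `return -1;` makes the first failed lift fatal, which is reasonable, but the error path it extends formats the integer sum `vm_enter_offset + file_header->image_base` with `%p`; passing a non-pointer to `%p` is undefined in C and on some runtimes also prints its own `0x` after the literal one, so while touching this path consider `"[!] failed to lift rtn_0x%llx, please review the console...\n", static_cast< unsigned long long >( vm_enter_offset + file_header->image_base )`. If the rest of main uses `EXIT_FAILURE` for its other exits (not visible here), the new return should match it. main's body continues outside the hunk.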
@@ -58,6 +58,7 @@ list(APPEND vmdevirt_SOURCES "src/lifters/shr.cpp" "src/lifters/sreg.cpp" "src/lifters/vmexit.cpp" + "src/lifters/write.cpp" "src/main.cpp" "src/vmp_rtn_t.cpp" "include/devirt_t.hpp" diff --git a/dependencies/vmprofiler b/dependencies/vmprofiler index 0511401..7b1f815 160000 --- a/dependencies/vmprofiler +++ b/dependencies/vmprofiler @@ -1 +1 @@ -Subproject commit 051140175db16b38acee882cfca714b4a1000a41 +Subproject commit 7b1f815a73096ac33f41133b63d991019622de49 diff --git a/include/vm_lifters.hpp b/include/vm_lifters.hpp index 8c4e606..cb6dc90 100644 --- a/include/vm_lifters.hpp +++ b/include/vm_lifters.hpp @@ -32,13 +32,14 @@ namespace vm lconstbsxdw; static lifter_callback_t addq, adddw, addw; - static lifter_callback_t sregq, sregdw; + static lifter_callback_t sregq, sregdw, sregb; static lifter_callback_t lregq, lregdw; static lifter_callback_t pushvsp; static lifter_callback_t popvsp; + static lifter_callback_t writeq; static lifter_callback_t readq, readdw; - static lifter_callback_t nandq, nanddw; + static lifter_callback_t nandq, nanddw, nandb; static lifter_callback_t shrq; static lifter_callback_t jmp; static lifter_callback_t lflagsq; @@ -60,12 +61,15 @@ namespace vm { vm::handler::POPVSP, &popvsp }, { vm::handler::SREGQ, &sregq }, { vm::handler::SREGDW, &sregdw }, + { vm::handler::SREGB, &sregb }, { vm::handler::LREGQ, &lregq }, { vm::handler::LREGDW, &lregdw }, { vm::handler::READQ, &readq }, { vm::handler::READDW, &readdw }, + { vm::handler::WRITEQ, &writeq }, { vm::handler::NANDQ, &nandq }, { vm::handler::NANDDW, &nanddw }, + { vm::handler::NANDB, &nandb }, { vm::handler::LFLAGSQ, &lflagsq }, { vm::handler::JMP, &jmp }, { vm::handler::VMEXIT, &vmexit } }; diff --git a/src/lifters/nand.cpp b/src/lifters/nand.cpp index f2ca24e..58d1a6f 100644 --- a/src/lifters/nand.cpp +++ b/src/lifters/nand.cpp 
@@ -11,13 +11,13 @@ namespace vm auto zf = rtn->zf( byte_size, result ); auto pf = llvm::ConstantInt::get( llvm::IntegerType::get( *rtn->llvm_ctx, 64 ), 0 ); - return rtn->flags( cf, pf, llvm::ConstantInt::get( llvm::IntegerType::get( *rtn->llvm_ctx, 64 ), 0 ), - zf, sf, of ); + return rtn->flags( cf, pf, llvm::ConstantInt::get( llvm::IntegerType::get( *rtn->llvm_ctx, 64 ), 0 ), zf, sf, + of ); } lifters_t::lifter_callback_t lifters_t::nandq = - [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, - const vm::instrs::virt_instr_t &vinstr, llvm::IRBuilder<> *ir_builder ) { + [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, const vm::instrs::virt_instr_t &vinstr, + llvm::IRBuilder<> *ir_builder ) { auto t1 = rtn->pop( 8 ); auto t2 = rtn->pop( 8 ); @@ -34,8 +34,8 @@ namespace vm }; lifters_t::lifter_callback_t lifters_t::nanddw = - [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, - const vm::instrs::virt_instr_t &vinstr, llvm::IRBuilder<> *ir_builder ) { + [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, const vm::instrs::virt_instr_t &vinstr, + llvm::IRBuilder<> *ir_builder ) { auto t1 = rtn->pop( 4 ); auto t2 = rtn->pop( 4 ); 
@@ -51,4 +51,26 @@ namespace vm rtn->push( 8, rtn->load_value( 8, vmp_rtn->flags ) ); }; + lifters_t::lifter_callback_t lifters_t::nandb = + [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, const vm::instrs::virt_instr_t &vinstr, + llvm::IRBuilder<> *ir_builder ) { + auto t1 = rtn->pop( 2 ); + auto t2 = rtn->pop( 2 ); + + auto t1_b = ir_builder->CreateIntCast( t1, ir_builder->getInt8Ty(), false ); + auto t2_b = ir_builder->CreateIntCast( t2, ir_builder->getInt8Ty(), false ); + + auto t1_not = ir_builder->CreateNot( t1_b ); + auto t2_not = ir_builder->CreateNot( t2_b ); + + auto t3 = ir_builder->CreateAnd( { t1_not, t2_not } ); + auto t3_w = ir_builder->CreateIntCast( t3, ir_builder->getInt16Ty(), false ); + + rtn->push( 2, t3_w ); + auto &vmp_rtn = rtn->vmp_rtns.back(); + auto flags = and_flags( rtn, 1, t3 ); + ir_builder->CreateStore( flags, vmp_rtn->flags ); + rtn->push( 8, rtn->load_value( 8, vmp_rtn->flags ) ); + }; + } // namespace vm \ No newline at end of file diff --git a/src/lifters/sreg.cpp b/src/lifters/sreg.cpp index a101b8d..97e6c9e 100644 --- a/src/lifters/sreg.cpp +++ b/src/lifters/sreg.cpp @@ -19,4 +19,15 @@ namespace vm auto vreg = vmp_rtn->virtual_registers[ vinstr.operand.imm.u ? vinstr.operand.imm.u / 8 : 0 ]; ir_builder->CreateStore( ir_builder->CreateIntCast( t1, ir_builder->getInt64Ty(), false ), vreg ); }; + + lifters_t::lifter_callback_t lifters_t::sregb = + [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, const vm::instrs::virt_instr_t &vinstr, + llvm::IRBuilder<> *ir_builder ) { + auto t1 = rtn->pop( 2 ); + auto &vmp_rtn = rtn->vmp_rtns.back(); + auto vreg = vmp_rtn->virtual_registers[ vinstr.operand.imm.u ? vinstr.operand.imm.u / 8 : 0 ]; + ir_builder->CreateStore( + ir_builder->CreateIntCast( t1, ir_builder->getInt8Ty(), false ), + ir_builder->CreatePointerCast( vreg, llvm::PointerType::get( ir_builder->getInt8Ty(), 0ull ) ) ); + }; } // namespace vm \ No newline at end of file 
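Review bot: `nandb` pops two 2-byte slots but only the low byte of each survives the `CreateIntCast` to i8, and the result is zero-extended back to i16 before `rtn->push( 2, t3_w )`, so the high byte of the pushed word is always 0; whether the native NANDB handler also zeroes that byte or leaves the first operand's high byte in place is not visible here and decides whether a later 16-bit read of this slot lifts correctly — confirm against vmprofiler's handler profile. Either way the slot-size choice deserves a comment above the pops, e.g. `// byte operands occupy 16-bit stack slots; only the low byte is operated on and the result is zero-extended (assumes the handler does the same — confirm)`. Flags are derived from the 1-byte result via `and_flags( rtn, 1, t3 )`, matching the other widths.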
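Review bot: `sregb` indexes `vmp_rtn->virtual_registers` with `vinstr.operand.imm.u / 8`, a value that originates in the parsed .vmp2 input, with no bounds check; if `virtual_registers` is a std::vector or std::array, `operator[]` is unchecked and a malformed or hostile trace turns this into an out-of-bounds read of the table followed by a store through whatever pointer it yields. The ternary `imm.u ? imm.u / 8 : 0` is also redundant, since integer division already gives 0 for `imm.u == 0`, so the line can become `auto vreg = vmp_rtn->virtual_registers.at( vinstr.operand.imm.u / 8 );` (or an explicit size check that fails the lift); the same unchecked index appears in the existing sregq/sregdw lifters. Note that the i8 store through the pointer-cast `vreg` is a partial write that leaves the upper seven bytes of the slot untouched, unlike `sregdw` just above which zero-extends to 64 bits; that looks intentional for a byte move but deserves a comment such as `// byte store: only the low byte of the vreg slot is updated, upper bytes are preserved`.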
diff --git a/src/lifters/write.cpp b/src/lifters/write.cpp new file mode 100644 index 0000000..d2e00f7 --- /dev/null +++ b/src/lifters/write.cpp @@ -0,0 +1,13 @@ +#include + +namespace vm +{ + lifters_t::lifter_callback_t lifters_t::writeq = + [ & ]( vm::devirt_t *rtn, const vm::instrs::code_block_t &vm_code_block, const vm::instrs::virt_instr_t &vinstr, + llvm::IRBuilder<> *ir_builder ) { + auto t1 = rtn->pop( 8 ); + auto t2 = rtn->pop( 8 ); + auto t3 = ir_builder->CreateIntToPtr( t1, llvm::PointerType::get( ir_builder->getInt64Ty(), 0ull ) ); + ir_builder->CreateStore( t2, t3 ); + }; +} // namespace vm \ No newline at end of file
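Review bot: The operand contract of `writeq` is only implicit in pop order: `t1` (popped first, top of stack) becomes the destination address and `t2` the value, so a comment should pin it, `// VMP WRITEQ: top of stack is the destination address, next slot is the 64-bit value to store`, and the existing `readq` (not in this patch) should follow the same convention. The `CreateIntToPtr` + `CreateStore` pair emits an i64 store at whatever address the virtualised code computed with LLVM's default (ABI) alignment; that is inherent to devirtualising a memory write, but if targets can be unaligned and optimisation passes are re-enabled later, `ir_builder->CreateAlignedStore( t2, t3, llvm::Align( 1 ) )` keeps the backend from assuming 8-byte alignment — confirm whether that matters for your inputs. `vm_code_block` and `vinstr` are unused, consistent with the other lifters. The `#include` line appears with its header name stripped in this rendering; verify the committed file names the header.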