vmp2
/
vmemu
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge branch 'dev' into 'master'

Browse Source 
applied clang-format

See merge request vmp2/vmemu!2
merge-requests/3/merge
_xeroxz 4 years ago
parent 62c4850d83 4b9e0360e3
commit 21624dd312
2 changed files with 283 additions and 305 deletions
Show Stats Download Patch File Download Diff File

111
src/vmemu_t.cpp
Unescape View File

@ -2,16 +2,11 @@
namespace vm namespace vm
{ {
emu_t::emu_t(std::uint32_t vm_entry_rva, emu_t::emu_t( std::uint32_t vm_entry_rva, std::uintptr_t image_base, std::uintptr_t module_base )
std::uintptr_t image_base, std::uintptr_t module_base) : module_base( module_base ), image_base( image_base ), vm_entry_rva( vm_entry_rva ),
: vm_handler_table( nullptr ), uc( nullptr ), trace_entries( nullptr )
module_base(module_base), {
image_base(image_base), }
vm_entry_rva(vm_entry_rva),
vm_handler_table(nullptr),
uc(nullptr),
trace_entries(nullptr)
{}
bool emu_t::init() bool emu_t::init()
{ {
@ -43,8 +38,7 @@ namespace vm
std::printf( ">>> handler addr = 0x%p\n", vm_handler.address ); std::printf( ">>> handler addr = 0x%p\n", vm_handler.address );
// unicorn init stuff... // unicorn init stuff...
const auto image_size = const auto image_size = NT_HEADER( module_base )->OptionalHeader.SizeOfImage;
NT_HEADER(module_base)->OptionalHeader.SizeOfImage;
std::uintptr_t stack_base = 0x1000000; std::uintptr_t stack_base = 0x1000000;
std::uintptr_t stack_addr = ( stack_base + ( 0x1000 * 20 ) ) - 0x6000; std::uintptr_t stack_addr = ( stack_base + ( 0x1000 * 20 ) ) - 0x6000;
@ -52,57 +46,50 @@ namespace vm
uc_err err; uc_err err;
if ( ( err = uc_open( UC_ARCH_X86, UC_MODE_64, &uc ) ) ) if ( ( err = uc_open( UC_ARCH_X86, UC_MODE_64, &uc ) ) )
{ {
std::printf("failed on uc_mem_map() with error returned %u: %s\n", std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
if ( ( err = uc_mem_map( uc, module_base, image_size, UC_PROT_ALL ) ) ) if ( ( err = uc_mem_map( uc, module_base, image_size, UC_PROT_ALL ) ) )
{ {
std::printf("failed on uc_mem_map() with error returned %u: %s\n", std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
if ( ( err = uc_mem_map( uc, 0x1000000, 0x1000 * 20, UC_PROT_ALL ) ) ) if ( ( err = uc_mem_map( uc, 0x1000000, 0x1000 * 20, UC_PROT_ALL ) ) )
{ {
std::printf("failed on uc_mem_map() with error returned %u: %s\n", std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
if ( ( err = uc_mem_write( uc, module_base, reinterpret_cast< void * >( module_base ), image_size ) ) ) if ( ( err = uc_mem_write( uc, module_base, reinterpret_cast< void * >( module_base ), image_size ) ) )
{ {
std::printf("failed on uc_mem_write() with error returned %u: %s\n", std::printf( "failed on uc_mem_write() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
if ( ( err = uc_reg_write( uc, UC_X86_REG_RIP, &vm_entry ) ) ) if ( ( err = uc_reg_write( uc, UC_X86_REG_RIP, &vm_entry ) ) )
{ {
std::printf("failed on uc_reg_write() with error returned %u: %s\n", std::printf( "failed on uc_reg_write() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
if ( ( err = uc_reg_write( uc, UC_X86_REG_RSP, &stack_addr ) ) ) if ( ( err = uc_reg_write( uc, UC_X86_REG_RSP, &stack_addr ) ) )
{ {
std::printf("failed on uc_reg_write() with error returned %u: %s\n", std::printf( "failed on uc_reg_write() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
if ((err = uc_hook_add(uc, &trace, UC_HOOK_CODE, &vm::emu_t::hook_code, if ( ( err = uc_hook_add( uc, &trace, UC_HOOK_CODE, &vm::emu_t::hook_code, this, module_base,
this, module_base, module_base + image_size))) module_base + image_size ) ) )
{ {
std::printf("failed on uc_hook_add() with error returned %u: %s\n", std::printf( "failed on uc_hook_add() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
@ -110,8 +97,7 @@ namespace vm
if ( ( err = uc_hook_add( uc, &trace1, UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED, if ( ( err = uc_hook_add( uc, &trace1, UC_HOOK_MEM_READ_UNMAPPED | UC_HOOK_MEM_WRITE_UNMAPPED,
vm::emu_t::hook_mem_invalid, this, 1, 0 ) ) ) vm::emu_t::hook_mem_invalid, this, 1, 0 ) ) )
{ {
std::printf("failed on uc_hook_add() with error returned %u: %s\n", std::printf( "failed on uc_hook_add() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
@ -120,7 +106,8 @@ namespace vm
emu_t::~emu_t() emu_t::~emu_t()
{ {
if (uc) uc_close(uc); if ( uc )
uc_close( uc );
} }
bool emu_t::get_trace( std::vector< vmp2::v2::entry_t > &entries ) bool emu_t::get_trace( std::vector< vmp2::v2::entry_t > &entries )
@ -131,8 +118,7 @@ namespace vm
if ( ( err = uc_emu_start( uc, vm_entry_rva + module_base, NULL, NULL, NULL ) ) ) if ( ( err = uc_emu_start( uc, vm_entry_rva + module_base, NULL, NULL, NULL ) ) )
{ {
std::printf("failed on uc_emu_start() with error returned %u: %s\n", std::printf( "failed on uc_emu_start() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
return false; return false;
} }
@ -163,14 +149,13 @@ namespace vm
entry->decrypt_key = entry->regs.rbx; entry->decrypt_key = entry->regs.rbx;
uc_err err; uc_err err;
if ((err = uc_mem_read(uc, entry->regs.rdi, if ( ( err = uc_mem_read( uc, entry->regs.rdi, entry->vregs.raw, sizeof entry->vregs.raw ) ) )
entry->vregs.raw, sizeof entry->vregs.raw)))
return err; return err;
// copy virtual stack values... // copy virtual stack values...
for ( auto idx = 0u; idx < sizeof( entry->vsp ) / 8; ++idx ) for ( auto idx = 0u; idx < sizeof( entry->vsp ) / 8; ++idx )
if ((err = uc_mem_read(uc, entry->regs.rbp + (idx * 8), if ( ( err = uc_mem_read( uc, entry->regs.rbp + ( idx * 8 ), &entry->vsp.qword[ idx ],
&entry->vsp.qword[idx], sizeof entry->vsp.qword[idx]))) sizeof entry->vsp.qword[ idx ] ) ) )
return err; return err;
return UC_ERR_OK; return UC_ERR_OK;
@ -181,10 +166,7 @@ namespace vm
std::printf( ">>> Tracing instruction at 0x%p, instruction size = 0x%x\n", address, size ); std::printf( ">>> Tracing instruction at 0x%p, instruction size = 0x%x\n", address, size );
// grab JMP RDX/RCX <-- this register... // grab JMP RDX/RCX <-- this register...
static const auto jmp_reg = obj->vm_entry[obj->vm_entry.size()] static const auto jmp_reg = obj->vm_entry[ obj->vm_entry.size() ].instr.operands[ 0 ].reg.value;
.instr.operands[0]
.reg
.value;
static ZydisDecoder decoder; static ZydisDecoder decoder;
static std::once_flag once; static std::once_flag once;
@ -193,8 +175,8 @@ namespace vm
// init zydis decoder just a single time... // init zydis decoder just a single time...
std::call_once( once, [ & ]() -> void { std::call_once( once, [ & ]() -> void {
ZydisDecoderInit(&decoder, ZydisDecoderInit( &decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64 );
ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64); }); } );
// last instruction in vm_entry is jmp rcx/rdx... // last instruction in vm_entry is jmp rcx/rdx...
if ( address == obj->vm_entry[ obj->vm_entry.size() - 1 ].addr ) if ( address == obj->vm_entry[ obj->vm_entry.size() - 1 ].addr )
@ -203,18 +185,16 @@ namespace vm
vmp2::v2::entry_t new_entry; vmp2::v2::entry_t new_entry;
if ( ( err = obj->create_entry( &new_entry ) ) ) if ( ( err = obj->create_entry( &new_entry ) ) )
{ {
std::printf("[!] failed to create new entry... reason = %u, %s\n", std::printf( "[!] failed to create new entry... reason = %u, %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
exit( 0 ); exit( 0 );
} }
obj->trace_entries->push_back( new_entry ); obj->trace_entries->push_back( new_entry );
} }
// if we are getting a callback for a JMP RCX/RDX instruction... // if we are getting a callback for a JMP RCX/RDX instruction...
else if (ZYAN_SUCCESS(ZydisDecoderDecodeBuffer( else if ( ZYAN_SUCCESS(
&decoder, reinterpret_cast<void*>(address), size, &instr)) && ZydisDecoderDecodeBuffer( &decoder, reinterpret_cast< void * >( address ), size, &instr ) ) &&
instr.mnemonic == ZYDIS_MNEMONIC_JMP && instr.mnemonic == ZYDIS_MNEMONIC_JMP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == jmp_reg ) instr.operands[ 0 ].reg.value == jmp_reg )
{ {
switch ( jmp_reg ) switch ( jmp_reg )
@ -232,20 +212,19 @@ namespace vm
// checks to see if the address // checks to see if the address
// in JMP RDX/RCX is a vm handler address... // in JMP RDX/RCX is a vm handler address...
static const auto vm_handler_check = static const auto vm_handler_check = [ & ]( const vm::handler::handler_t &vm_handler ) -> bool {
[&](const vm::handler::handler_t& vm_handler) -> bool return vm_handler.address == reg_val;
{ return vm_handler.address == reg_val; }; };
if (std::find_if(obj->vm_handlers.begin(), obj->vm_handlers.end(), if ( std::find_if( obj->vm_handlers.begin(), obj->vm_handlers.end(), vm_handler_check ) ==
vm_handler_check) == obj->vm_handlers.end()) obj->vm_handlers.end() )
return; return;
uc_err err; uc_err err;
vmp2::v2::entry_t new_entry; vmp2::v2::entry_t new_entry;
if ( ( err = obj->create_entry( &new_entry ) ) ) if ( ( err = obj->create_entry( &new_entry ) ) )
{ {
std::printf("[!] failed to create new entry... reason = %u, %s\n", std::printf( "[!] failed to create new entry... reason = %u, %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
exit( 0 ); exit( 0 );
} }
@ -255,28 +234,26 @@ namespace vm
uc_emu_stop( uc ); uc_emu_stop( uc );
} }
bool emu_t::hook_mem_invalid(uc_engine* uc, uc_mem_type type, bool emu_t::hook_mem_invalid( uc_engine *uc, uc_mem_type type, uint64_t address, int size, int64_t value,
uint64_t address, int size, int64_t value, vm::emu_t* obj) vm::emu_t *obj )
{ {
uc_err err; uc_err err;
if ( ( err = uc_mem_map( obj->uc, address & ~0xFFFull, 0x1000, UC_PROT_ALL ) ) ) if ( ( err = uc_mem_map( obj->uc, address & ~0xFFFull, 0x1000, UC_PROT_ALL ) ) )
std::printf("failed on uc_mem_map() with error returned %u: %s\n", std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );
err, uc_strerror(err));
switch ( type ) switch ( type )
{ {
case UC_MEM_WRITE_UNMAPPED: case UC_MEM_WRITE_UNMAPPED:
printf(">>> Missing memory is being WRITE at 0x%p, data size = %u, data value = 0x%p\n", printf( ">>> Missing memory is being WRITE at 0x%p, data size = %u, data value = 0x%p\n", address, size,
address, size, value); value );
return true; return true;
case UC_MEM_READ_UNMAPPED: case UC_MEM_READ_UNMAPPED:
printf(">>> Missing memory is being READ at 0x%p, data size = %u, data value = 0x%p\n", printf( ">>> Missing memory is being READ at 0x%p, data size = %u, data value = 0x%p\n", address, size,
address, size, value); value );
return true; return true;
default: default:
printf(">>> Missing memory at 0x%p, data size = %u, data value = 0x%p\n", printf( ">>> Missing memory at 0x%p, data size = %u, data value = 0x%p\n", address, size, value );
address, size, value);
return true; return true;
} }
} }
} } // namespace vm

21
src/vmemu_t.hpp
Unescape View File

@ -1,31 +1,32 @@
#pragma once #pragma once
#include <exception> #include <Zydis/Zydis.h>
#include <cstdint> #include <cstdint>
#include <unicorn/unicorn.h> #include <exception>
#include <xtils.hpp>
#include <vmprofiler.hpp>
#include <functional> #include <functional>
#include <mutex> #include <mutex>
#include <unicorn/unicorn.h>
#include <vmp2.hpp> #include <vmp2.hpp>
#include <Zydis/Zydis.h> #include <vmprofiler.hpp>
#include <xtils.hpp>
namespace vm namespace vm
{ {
class emu_t class emu_t
{ {
using callback_t = std::function< void( uc_engine *, uint64_t, uint32_t, void * ) >; using callback_t = std::function< void( uc_engine *, uint64_t, uint32_t, void * ) >;
public: public:
explicit emu_t(std::uint32_t vm_entry_rva, explicit emu_t( std::uint32_t vm_entry_rva, std::uintptr_t image_base, std::uintptr_t module_base );
std::uintptr_t image_base, std::uintptr_t module_base);
~emu_t(); ~emu_t();
bool init(); bool init();
bool get_trace( std::vector< vmp2::v2::entry_t > &entries ); bool get_trace( std::vector< vmp2::v2::entry_t > &entries );
private: private:
uc_err create_entry( vmp2::v2::entry_t *entry ); uc_err create_entry( vmp2::v2::entry_t *entry );
static void hook_code( uc_engine *uc, uint64_t address, uint32_t size, vm::emu_t *obj ); static void hook_code( uc_engine *uc, uint64_t address, uint32_t size, vm::emu_t *obj );
static bool hook_mem_invalid(uc_engine* uc, uc_mem_type type, static bool hook_mem_invalid( uc_engine *uc, uc_mem_type type, uint64_t address, int size, int64_t value,
uint64_t address, int size, int64_t value, vm::emu_t* obj); vm::emu_t *obj );
uc_engine *uc; uc_engine *uc;
uc_hook trace, trace1; uc_hook trace, trace1;
@ -38,4 +39,4 @@ namespace vm
std::vector< vm::handler::handler_t > vm_handlers; std::vector< vm::handler::handler_t > vm_handlers;
std::vector< vmp2::v2::entry_t > *trace_entries; std::vector< vmp2::v2::entry_t > *trace_entries;
}; };
} } // namespace vm
Write Preview
Loading…
Cancel
Save