diff --git a/src/main.cpp b/src/main.cpp
index dcd5439..a72b7c8 100644
--- a/src/main.cpp
+++ b/src/main.cpp
@@ -34,15 +34,16 @@ int __cdecl main( int argc, const char *argv[] )
 }
 auto umtils = xtils::um_t::get_instance();
- const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );
- const auto image_base = umtils->image_base( parser.get< std::string >( "vmpbin" ).c_str() );
- const auto image_size = umtils->image_size( parser.get< std::string >( "vmpbin" ).c_str() );
 const auto module_base = reinterpret_cast< std::uintptr_t >( LoadLibraryExA( parser.get< std::string >( "vmpbin" ).c_str(), NULL, DONT_RESOLVE_DLL_REFERENCES ) );
+ const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );
+ const auto image_base = umtils->image_base( parser.get< std::string >( "vmpbin" ).c_str() );
+ const auto image_size = NT_HEADER( module_base )->OptionalHeader.SizeOfImage;
+ std::printf( "> image base = %p, image size = %p, module base = %p\n", image_base, image_size, module_base );
- if (!image_base || !image_size || !module_base)
+ if ( !image_base || !image_size || !module_base )
 {
 std::printf( "[!] failed to open binary on disk...\n" );
 return -1;
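Review bot: The new `image_size` line dereferences `NT_HEADER( module_base )` before the `!module_base` test two lines below it, so when LoadLibraryExA fails (missing path, not a PE) the code reads through a null base instead of reaching the "[!] failed to open binary" path that was meant to catch exactly that. Move the check up: `if ( !module_base ) { std::printf( "[!] failed to open binary on disk...\n" ); return -1; }` directly after the LoadLibraryExA line, and compute `image_size` only after it. The new printf also passes `image_size`, a DWORD, to `%p`, which is a varargs type mismatch on x64; print it as `0x%lx` with `static_cast< unsigned long >( image_size )` (`image_base` under `%p` has the same problem). main's body continues outside the hunk on both sides, so the error path's closing brace is not visible here.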
@@ -81,4 +82,42 @@ int __cdecl main( int argc, const char *argv[] )
 std::printf( "> branch 1 = %p, branch 2 = %p\n", code_block.jcc.block_addr[ 0 ], code_block.jcc.block_addr[ 1 ] );
 }
+
+ std::printf( "> serializing results....\n" );
+ vmp2::v3::file_header file_header;
+ file_header.magic = VMP_MAGIC;
+ file_header.epoch_time = std::time( nullptr );
+ file_header.version = vmp2::version_t::v3;
+ file_header.module_base = module_base;
+ file_header.image_base = image_base;
+ file_header.vm_entry_rva = vm_entry_rva;
+ file_header.module_offset = sizeof file_header;
+ file_header.module_size = image_size;
+ file_header.code_block_offset = image_size + sizeof file_header;
+ file_header.code_block_count = code_blocks.size();
+
+ std::ofstream output( parser.get< std::string >( "out" ), std::ios::binary );
+ output.write( reinterpret_cast< const char * >( &file_header ), sizeof file_header );
+ output.write( reinterpret_cast< const char * >( module_base ), image_size );
+
+ for ( const auto &code_block : code_blocks )
+ {
+ const auto _code_block_size =
+ ( code_block.vinstrs.size() * sizeof vm::instrs::virt_instr_t ) + sizeof vmp2::v3::code_block_t;
+
+ vmp2::v3::code_block_t *_code_block =
+ reinterpret_cast< vmp2::v3::code_block_t * >( malloc( _code_block_size ) );
+
+ _code_block->vip_begin = code_block.vip_begin;
+ _code_block->jcc = code_block.jcc;
+ _code_block->next_block_offset = _code_block_size;
+
+ for ( auto idx = 0u; idx < code_block.vinstrs.size(); ++idx )
+ _code_block->vinstr[ idx ] = code_block.vinstrs[ idx ];
+
+ output.write( reinterpret_cast< const char * >( _code_block ), _code_block_size );
+ }
+
+ output.close();
+ std::printf( "> finished..." );
 }
diff --git a/src/vmemu_t.cpp b/src/vmemu_t.cpp
index 146fae1..c6218cf 100644
--- a/src/vmemu_t.cpp
+++ b/src/vmemu_t.cpp
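Review bot: `vmp2::v3::file_header file_header;` is left default-initialized, so every member the assignments that follow do not set, plus any struct padding, goes into the output file as whatever the stack held; `vmp2::v3::file_header file_header{};` zeroes it. Inside the loop each `malloc( _code_block_size )` result is neither null-checked nor freed, so one buffer per code block leaks until exit and its padding bytes are written out uninitialized as well; an owned, zero-filled `std::vector< char >` buffer addresses both. `output` is also never checked after construction, so an unwritable `out` path still ends with "> finished..." and nothing on disk. The rewrite below assumes <vector> is already reachable through the file's includes, which the `code_blocks` container suggests but the hunk does not show.
```cpp
    std::ofstream output( parser.get< std::string >( "out" ), std::ios::binary );
    if ( !output )
    {
        std::printf( "[!] failed to open output file...\n" );
        return -1;
    }
    // … unchanged: file_header write and module image write …

    for ( const auto &code_block : code_blocks )
    {
        const auto _code_block_size =
            ( code_block.vinstrs.size() * sizeof vm::instrs::virt_instr_t ) + sizeof vmp2::v3::code_block_t;

        // owned and zero-filled: released at the end of each iteration, and no uninitialized bytes reach the file
        std::vector< char > buffer( _code_block_size );
        auto *_code_block = reinterpret_cast< vmp2::v3::code_block_t * >( buffer.data() );

        _code_block->vip_begin = code_block.vip_begin;
        _code_block->jcc = code_block.jcc;
        _code_block->next_block_offset = _code_block_size;

        for ( auto idx = 0u; idx < code_block.vinstrs.size(); ++idx )
            _code_block->vinstr[ idx ] = code_block.vinstrs[ idx ];

        output.write( buffer.data(), _code_block_size );
    }
```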
@@ -12,7 +12,6 @@ namespace vm
 std::uintptr_t stack_base = 0x1000000;
 std::uintptr_t stack_addr = ( stack_base + ( 0x1000 * 20 ) ) - 0x6000;
 const auto rip = vmctx->module_base + vmctx->vm_entry_rva;
- const auto image_size = NT_HEADER( vmctx->module_base )->OptionalHeader.SizeOfImage;
 if ( ( err = uc_open( UC_ARCH_X86, UC_MODE_64, &uc ) ) )
 {
@@ -21,7 +20,7 @@ namespace vm
 return false;
 }
- if ( ( err = uc_mem_map( uc, vmctx->module_base, image_size, UC_PROT_ALL ) ) )
+ if ( ( err = uc_mem_map( uc, vmctx->module_base, vmctx->image_size, UC_PROT_ALL ) ) )
 {
 std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );
@@ -36,7 +35,7 @@ namespace vm
 }
 if ( ( err = uc_mem_write( uc, vmctx->module_base, reinterpret_cast< void * >( vmctx->module_base ),
- image_size ) ) )
+ vmctx->image_size ) ) )
 {
 std::printf( "failed on uc_mem_write() with error returned %u: %s\n", err, uc_strerror( err ) );
@@ -137,6 +136,8 @@ namespace vm
 return false;
 }
+
+ return true;
 };
 while ( !_traced_all_paths( code_blocks ) )
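Review bot: With `vmctx->image_size` now supplied by the caller instead of being read from the mapped headers, the `uc_mem_map` and `uc_mem_write` hunks rely on a precondition this function no longer establishes: per unicorn's documentation uc_mem_map fails with UC_ERR_ARG when the size is zero or not a multiple of 4 KiB, and the existing error message does not say which input caused it. Either validate up front, `if ( !vmctx->image_size || ( vmctx->image_size & 0xFFF ) ) return false;` with a printf naming the field, or document the contract on the context member, e.g. `// image_size: mapped SizeOfImage of the module at module_base; must be non-zero and 4 KiB-aligned for uc_mem_map`. The `return true;` added in the last hunk closes a lambda whose beginning is outside the hunk, and the enclosing function's start and end lie outside all four hunks.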