added vmp2 file format v3

merge-requests/4/head
_xeroxz 4 years ago
parent 1444abb76f
commit b399a61c55

@ -34,15 +34,16 @@ int __cdecl main( int argc, const char *argv[] )
} }
auto umtils = xtils::um_t::get_instance(); auto umtils = xtils::um_t::get_instance();
const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );
const auto image_base = umtils->image_base( parser.get< std::string >( "vmpbin" ).c_str() );
const auto image_size = umtils->image_size( parser.get< std::string >( "vmpbin" ).c_str() );
const auto module_base = reinterpret_cast< std::uintptr_t >( const auto module_base = reinterpret_cast< std::uintptr_t >(
LoadLibraryExA( parser.get< std::string >( "vmpbin" ).c_str(), NULL, DONT_RESOLVE_DLL_REFERENCES ) ); LoadLibraryExA( parser.get< std::string >( "vmpbin" ).c_str(), NULL, DONT_RESOLVE_DLL_REFERENCES ) );
const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );
const auto image_base = umtils->image_base( parser.get< std::string >( "vmpbin" ).c_str() );
const auto image_size = NT_HEADER( module_base )->OptionalHeader.SizeOfImage;
std::printf( "> image base = %p, image size = %p, module base = %p\n", image_base, image_size, module_base ); std::printf( "> image base = %p, image size = %p, module base = %p\n", image_base, image_size, module_base );
if (!image_base || !image_size || !module_base) if ( !image_base || !image_size || !module_base )
{ {
std::printf( "[!] failed to open binary on disk...\n" ); std::printf( "[!] failed to open binary on disk...\n" );
return -1; return -1;
@ -81,4 +82,42 @@ int __cdecl main( int argc, const char *argv[] )
std::printf( "> branch 1 = %p, branch 2 = %p\n", code_block.jcc.block_addr[ 0 ], std::printf( "> branch 1 = %p, branch 2 = %p\n", code_block.jcc.block_addr[ 0 ],
code_block.jcc.block_addr[ 1 ] ); code_block.jcc.block_addr[ 1 ] );
} }
std::printf( "> serializing results....\n" );
vmp2::v3::file_header file_header;
file_header.magic = VMP_MAGIC;
file_header.epoch_time = std::time( nullptr );
file_header.version = vmp2::version_t::v3;
file_header.module_base = module_base;
file_header.image_base = image_base;
file_header.vm_entry_rva = vm_entry_rva;
file_header.module_offset = sizeof file_header;
file_header.module_size = image_size;
file_header.code_block_offset = image_size + sizeof file_header;
file_header.code_block_count = code_blocks.size();
std::ofstream output( parser.get< std::string >( "out" ), std::ios::binary );
output.write( reinterpret_cast< const char * >( &file_header ), sizeof file_header );
output.write( reinterpret_cast< const char * >( module_base ), image_size );
for ( const auto &code_block : code_blocks )
{
const auto _code_block_size =
( code_block.vinstrs.size() * sizeof vm::instrs::virt_instr_t ) + sizeof vmp2::v3::code_block_t;
vmp2::v3::code_block_t *_code_block =
reinterpret_cast< vmp2::v3::code_block_t * >( malloc( _code_block_size ) );
_code_block->vip_begin = code_block.vip_begin;
_code_block->jcc = code_block.jcc;
_code_block->next_block_offset = _code_block_size;
for ( auto idx = 0u; idx < code_block.vinstrs.size(); ++idx )
_code_block->vinstr[ idx ] = code_block.vinstrs[ idx ];
output.write( reinterpret_cast< const char * >( _code_block ), _code_block_size );
}
output.close();
std::printf( "> finished..." );
} }
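Review bot: `NT_HEADER( module_base )->OptionalHeader.SizeOfImage` in the first hunk dereferences module_base before the `!module_base` check that follows it, so a path that LoadLibraryExA cannot load now crashes on a null header read instead of printing the "failed to open binary" message; the previous on-disk `umtils->image_size()` had no such dependency. Either move the SizeOfImage read below the guard or write it as `const auto image_size = module_base ? NT_HEADER( module_base )->OptionalHeader.SizeOfImage : 0;` so the existing check still catches the failure. In the serialization hunk, each `malloc( _code_block_size )` is never freed and its result is used unchecked; a `std::vector< char > buf( _code_block_size );` with the same reinterpret_cast would keep the on-disk layout and remove both issues. `output` is also never checked with `is_open()` or `good()`, so a failed open still prints "finished"; consider `if ( !output ) { std::printf( "[!] failed to open output file...\n" ); return -1; }` right after the ofstream is constructed. main starts outside the hunk.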

@ -12,7 +12,6 @@ namespace vm
std::uintptr_t stack_base = 0x1000000; std::uintptr_t stack_base = 0x1000000;
std::uintptr_t stack_addr = ( stack_base + ( 0x1000 * 20 ) ) - 0x6000; std::uintptr_t stack_addr = ( stack_base + ( 0x1000 * 20 ) ) - 0x6000;
const auto rip = vmctx->module_base + vmctx->vm_entry_rva; const auto rip = vmctx->module_base + vmctx->vm_entry_rva;
const auto image_size = NT_HEADER( vmctx->module_base )->OptionalHeader.SizeOfImage;
if ( ( err = uc_open( UC_ARCH_X86, UC_MODE_64, &uc ) ) ) if ( ( err = uc_open( UC_ARCH_X86, UC_MODE_64, &uc ) ) )
{ {
@ -21,7 +20,7 @@ namespace vm
return false; return false;
} }
if ( ( err = uc_mem_map( uc, vmctx->module_base, image_size, UC_PROT_ALL ) ) ) if ( ( err = uc_mem_map( uc, vmctx->module_base, vmctx->image_size, UC_PROT_ALL ) ) )
{ {
std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) ); std::printf( "failed on uc_mem_map() with error returned %u: %s\n", err, uc_strerror( err ) );
@ -36,7 +35,7 @@ namespace vm
} }
if ( ( err = uc_mem_write( uc, vmctx->module_base, reinterpret_cast< void * >( vmctx->module_base ), if ( ( err = uc_mem_write( uc, vmctx->module_base, reinterpret_cast< void * >( vmctx->module_base ),
image_size ) ) ) vmctx->image_size ) ) )
{ {
std::printf( "failed on uc_mem_write() with error returned %u: %s\n", err, uc_strerror( err ) ); std::printf( "failed on uc_mem_write() with error returned %u: %s\n", err, uc_strerror( err ) );
@ -137,6 +136,8 @@ namespace vm
return false; return false;
} }
return true;
}; };
while ( !_traced_all_paths( code_blocks ) ) while ( !_traced_all_paths( code_blocks ) )
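Review bot: The `uc_mem_write` in the third hunk now copies `vmctx->image_size` bytes of host memory starting at `vmctx->module_base`, so the size of the copy is taken from the context rather than from the mapped module's own NT header as before; if the two disagree (where the context value is set is not visible here, presumably the caller or a vmp2 file header), the copy reads past the end of the loaded image, and an oversized or non page-aligned value also makes the preceding `uc_mem_map` fail. A cheap guard before the map would be `if ( !vmctx->image_size || vmctx->image_size != NT_HEADER( vmctx->module_base )->OptionalHeader.SizeOfImage ) return false;`, or at least a comment at the top of the function stating that `vmctx->image_size` is trusted to match the mapping. The enclosing function starts and ends outside these hunks.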
