working, producing files...

3 years ago · b958093117
parent 9e65de6100
commit b958093117
3 changed files with 40 additions and 8 deletions
--- a/src/main.cpp
+++ b/src/main.cpp
@ -1,4 +1,5 @@
 #include <iostream>
+#include <fstream>
 #include <unicorn/unicorn.h>
 #include <cli-parser.hpp>
 #include "vmemu_t.hpp"
@ -17,9 +18,13 @@ int __cdecl main(int argc, const char* argv[])
 		.description("path to unpacked virtualized binary...");

 	parser.add_argument()
-		.name("--imagebase").required("true")
+		.name("--imagebase").required(true)
 		.description("image base from optional PE header...");

+	parser.add_argument()
+		.name("--out").required(true)
+		.description("output file name for trace file...");
+
 	parser.enable_help();
 	auto result = parser.parse(argc, argv);

@ -47,6 +52,7 @@ int __cdecl main(int argc, const char* argv[])
 		LoadLibraryExA(parser.get<std::string>("vmpbin").c_str(), 
 			NULL, DONT_RESOLVE_DLL_REFERENCES));

+	std::vector<vmp2::entry_t> entries;
 	vm::emu_t emu(vm_entry_rva, image_base, module_base);

 	if (!emu.init()) 
@ -54,4 +60,34 @@ int __cdecl main(int argc, const char* argv[])
 		std::printf("[!] failed to init emulator...\n");
 		return -1; 
 	}
+
+	if (!emu.get_trace(entries))
+		std::printf("[!] something failed during tracing, review the console for more information...\n");
+
+	std::printf("> finished tracing...\n");
+	std::printf("> creating trace file...\n");
+
+	std::ofstream output(parser.get<std::string>("out"), 
+		std::ios::binary);
+
+	vmp2::file_header file_header;
+	memcpy(&file_header.magic, "VMP2", sizeof("VMP2") - 1);
+
+	file_header.epoch_time = time(nullptr);
+	file_header.entry_offset = sizeof file_header;
+	file_header.advancement = vmp2::exec_type_t::forward;
+	file_header.version = vmp2::version_t::v1;
+	file_header.module_base = module_base;
+	file_header.entry_count = entries.size();
+
+	output.write(reinterpret_cast<const char*>(
+		&file_header), sizeof file_header);
+
+	for (auto& entry : entries)
+		output.write(reinterpret_cast<const char*>(
+			&entry), sizeof entry);
+
+	output.close();
+	std::printf("> finished writing trace to disk...\n");
+	std::getchar();
 }
--- a/src/test.vmp2
+++ b/src/test.vmp2
--- a/src/vmemu_t.cpp
+++ b/src/vmemu_t.cpp
@ -199,11 +199,8 @@ namespace vm
 			ZydisDecoderInit(&decoder,
 				ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64); });

-		if (address == obj->vm_entry[obj->vm_entry.size()].addr)
+		if (address == obj->vm_entry[obj->vm_entry.size() - 1].addr)
 		{
-			std::printf("stopped at jmp... addr = 0x%p\n", address);
-			std::getchar();
-
 			vmp2::entry_t new_entry;
 			if (!obj->create_entry(&new_entry))
 			{
@ -242,9 +239,6 @@ namespace vm
 				vm_handler_check) == obj->vm_handlers.end())
 				return;

-			std::printf("stopped at jmp... addr = 0x%p\n", address);
-			std::getchar();
-
 			vmp2::entry_t new_entry;
 			if (!obj->create_entry(&new_entry))
 			{
@ -253,6 +247,8 @@ namespace vm
 			}
 			obj->trace_entries->push_back(new_entry);
 		}
+		else if (instr.mnemonic == ZYDIS_MNEMONIC_RET) // finish tracing...
+			uc_emu_stop(uc);
 	}

 	bool emu_t::hook_mem_invalid(uc_engine* uc, uc_mem_type type,