vmp2
/
vmemu
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

working, producing files...

Browse Source
merge-requests/1/head
_xeroxz 4 years ago
parent 9e65de6100
commit b958093117
3 changed files with 40 additions and 8 deletions
Show Stats Download Patch File Download Diff File

38
src/main.cpp
Unescape View File

@ -1,4 +1,5 @@
#include <iostream> #include <iostream>
#include <fstream>
#include <unicorn/unicorn.h> #include <unicorn/unicorn.h>
#include <cli-parser.hpp> #include <cli-parser.hpp>
#include "vmemu_t.hpp" #include "vmemu_t.hpp"
@ -17,9 +18,13 @@ int __cdecl main(int argc, const char* argv[])
.description("path to unpacked virtualized binary..."); .description("path to unpacked virtualized binary...");
parser.add_argument() parser.add_argument()
.name("--imagebase").required("true") .name("--imagebase").required(true)
.description("image base from optional PE header..."); .description("image base from optional PE header...");
parser.add_argument()
.name("--out").required(true)
.description("output file name for trace file...");
parser.enable_help(); parser.enable_help();
auto result = parser.parse(argc, argv); auto result = parser.parse(argc, argv);
@ -47,6 +52,7 @@ int __cdecl main(int argc, const char* argv[])
LoadLibraryExA(parser.get<std::string>("vmpbin").c_str(), LoadLibraryExA(parser.get<std::string>("vmpbin").c_str(),
NULL, DONT_RESOLVE_DLL_REFERENCES)); NULL, DONT_RESOLVE_DLL_REFERENCES));
std::vector<vmp2::entry_t> entries;
vm::emu_t emu(vm_entry_rva, image_base, module_base); vm::emu_t emu(vm_entry_rva, image_base, module_base);
if (!emu.init()) if (!emu.init())
@ -54,4 +60,34 @@ int __cdecl main(int argc, const char* argv[])
std::printf("[!] failed to init emulator...\n"); std::printf("[!] failed to init emulator...\n");
return -1; return -1;
} }
if (!emu.get_trace(entries))
std::printf("[!] something failed during tracing, review the console for more information...\n");
std::printf("> finished tracing...\n");
std::printf("> creating trace file...\n");
std::ofstream output(parser.get<std::string>("out"),
std::ios::binary);
vmp2::file_header file_header;
memcpy(&file_header.magic, "VMP2", sizeof("VMP2") - 1);
file_header.epoch_time = time(nullptr);
file_header.entry_offset = sizeof file_header;
file_header.advancement = vmp2::exec_type_t::forward;
file_header.version = vmp2::version_t::v1;
file_header.module_base = module_base;
file_header.entry_count = entries.size();
output.write(reinterpret_cast<const char*>(
&file_header), sizeof file_header);
for (auto& entry : entries)
output.write(reinterpret_cast<const char*>(
&entry), sizeof entry);
output.close();
std::printf("> finished writing trace to disk...\n");
std::getchar();
} }

BIN
src/test.vmp2
View File

Binary file not shown.

10
src/vmemu_t.cpp
Unescape View File

@ -199,11 +199,8 @@ namespace vm
ZydisDecoderInit(&decoder, ZydisDecoderInit(&decoder,
ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64); }); ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64); });
if (address == obj->vm_entry[obj->vm_entry.size()].addr) if (address == obj->vm_entry[obj->vm_entry.size() - 1].addr)
{ {
std::printf("stopped at jmp... addr = 0x%p\n", address);
std::getchar();
vmp2::entry_t new_entry; vmp2::entry_t new_entry;
if (!obj->create_entry(&new_entry)) if (!obj->create_entry(&new_entry))
{ {
@ -242,9 +239,6 @@ namespace vm
vm_handler_check) == obj->vm_handlers.end()) vm_handler_check) == obj->vm_handlers.end())
return; return;
std::printf("stopped at jmp... addr = 0x%p\n", address);
std::getchar();
vmp2::entry_t new_entry; vmp2::entry_t new_entry;
if (!obj->create_entry(&new_entry)) if (!obj->create_entry(&new_entry))
{ {
@ -253,6 +247,8 @@ namespace vm
} }
obj->trace_entries->push_back(new_entry); obj->trace_entries->push_back(new_entry);
} }
else if (instr.mnemonic == ZYDIS_MNEMONIC_RET) // finish tracing...
uc_emu_stop(uc);
} }
bool emu_t::hook_mem_invalid(uc_engine* uc, uc_mem_type type, bool emu_t::hook_mem_invalid(uc_engine* uc, uc_mem_type type,

Write Preview
Loading…
Cancel
Save