added source code

4 years ago · 2130f86ea8
parent 884b3bdf45
commit 2130f86ea8
11 changed files with 1345 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1,388 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Ww][Ii][Nn]32/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# ASP.NET Scaffolding
+ScaffoldingReadMe.txt
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.tlog
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Coverlet is a free, cross platform Code Coverage Tool
+coverage*.json
+coverage*.xml
+coverage*.info
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Nuget personal access tokens and Credentials
+nuget.config
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/
+
+# Fody - auto-generated XML schema
+FodyWeavers.xsd
+
+# VS Code files for those working on multiple tools
+.vscode/*
+!.vscode/settings.json
+!.vscode/tasks.json
+!.vscode/launch.json
+!.vscode/extensions.json
+*.code-workspace
+
+# Local History for Visual Studio Code
+.history/
+
+# Windows Installer files from build outputs
+*.cab
+*.msi
+*.msix
+*.msm
+*.msp
+
+# JetBrains Rider
+.idea/
+*.sln.iml
--- a/include/vmp2.hpp
+++ b/include/vmp2.hpp
@ -0,0 +1,72 @@
+#pragma once
+#include "vmtracer.hpp"
+
+namespace vmp2
+{
+	enum class exec_type_t
+	{
+		forward,
+		backward
+	};
+
+	enum class version_t
+	{
+		invalid,
+		v1 = 0x101
+	};
+
+	struct file_header
+	{
+		u32 magic; // VMP2!
+		u64 epoch_time;
+		u64 module_base;
+		exec_type_t advancement;
+		version_t version;
+
+		u32 entry_count;
+		u32 entry_offset;
+	};
+
+	struct entry_t
+	{
+		u8 handler_idx;
+		u64 decrypt_key;
+		u64 vip;
+
+		union
+		{
+			struct
+			{
+				u64 r15;
+				u64 r14;
+				u64 r13;
+				u64 r12;
+				u64 r11;
+				u64 r10;
+				u64 r9;
+				u64 r8;
+				u64 rbp;
+				u64 rdi;
+				u64 rsi;
+				u64 rdx;
+				u64 rcx;
+				u64 rbx;
+				u64 rax;
+				u64 rflags;
+			};
+			u64 raw[16];
+		} regs;
+
+		union
+		{
+			u64 qword[0x28];
+			u8 raw[0x140];
+		} vregs;
+
+		union
+		{
+			u64 qword[0x20];
+			u8 raw[0x100];
+		} vsp;
+	};
+}
--- a/include/vmtracer.hpp
+++ b/include/vmtracer.hpp
@ -0,0 +1,118 @@
+#pragma once
+#include <cstdint>
+#include <xmmintrin.h>
+
+using u8 = unsigned char;
+using u16 = unsigned short;
+using u32 = unsigned int;
+using u64 = unsigned long long;
+using u128 = __m128;
+extern "C" void __vtrap(void);
+
+namespace vm
+{
+	typedef struct _registers
+	{
+		u128 xmm0;
+		u128 xmm1;
+		u128 xmm2;
+		u128 xmm3;
+		u128 xmm4;
+		u128 xmm5;
+		u128 xmm6;
+		u128 xmm7;
+		u128 xmm8;
+		u128 xmm9;
+		u128 xmm10;
+		u128 xmm11;
+		u128 xmm12;
+		u128 xmm13;
+		u128 xmm14;
+		u128 xmm15;
+
+		u64 gap0;
+
+		u64 r15;
+		u64 r14;
+		u64 r13;
+		u64 r12;
+		u64 r11;
+		u64 r10;
+		u64 r9;
+		u64 r8;
+		u64 rbp;
+		u64 rdi;
+		u64 rsi;
+		u64 rdx;
+		u64 rcx;
+		u64 rbx;
+		u64 rax;
+		u64 rflags;
+		u64 vm_handler;
+	} registers, * pregisters;
+
+	using decrypt_handler_t = u64(*)(u64);
+	using encrypt_handler_t = u64(*)(u64);
+
+	namespace handler
+	{
+		// these lambdas handle page protections...
+		using edit_entry_t = void (*)(u64*, u64);
+		using entry_callback_t = void (*)(vm::registers* regs, u8 handler_idx);
+
+		struct entry_t
+		{
+			u64 virt;
+			u64 encrypted;
+			u64 decrypted;
+			entry_callback_t callback;
+		};
+
+		class table_t
+		{
+		public:
+			explicit table_t(u64* table_addr, edit_entry_t edit_entry);
+			u64 get_entry(u8 idx) const;
+			entry_t get_meta_data(u8 idx) const;
+
+			void set_entry(u8 idx, u64 entry);
+			void set_meta_data(u8 idx, const entry_t& entry);
+			void set_callback(u8 idx, entry_callback_t callback);
+		private:
+			u64* table_addr;
+			edit_entry_t edit_entry;
+			entry_t handlers[256];
+		};
+	}
+
+	class tracer_t
+	{
+	public:
+		explicit tracer_t(
+			u64 module_base,
+			u64 image_base,
+			decrypt_handler_t decrypt_handler,
+			encrypt_handler_t encrypt_handler,
+			vm::handler::table_t* vm_handler_table
+		);
+
+		u64 encrypt(u64 val) const;
+		u64 decrypt(u64 val) const;
+		void set_trap(u64 val) const;
+
+		void start() const;
+		void stop() const;
+
+		vm::handler::table_t* handler_table;
+	private:
+		const u64 module_base, image_base;
+		u64 vtrap_encrypted;
+
+		const decrypt_handler_t decrypt_handler;
+		const encrypt_handler_t encrypt_handler;
+	};
+
+	inline vm::tracer_t* g_vmctx = nullptr;
+}
+
+extern "C" void vtrap_wrapper(vm::registers * regs, u8 handler_idx);
--- a/src/main.cpp
+++ b/src/main.cpp
@ -0,0 +1,154 @@
+#include <iostream>
+#include <Windows.h>
+#include <fstream>
+#include <filesystem>
+#include "vmtracer.hpp"
+#include "vmp2.hpp"
+
+#define NT_HEADER(x) \
+	reinterpret_cast<PIMAGE_NT_HEADERS64>( \
+		reinterpret_cast<PIMAGE_DOS_HEADER>(x)->e_lfanew + x)
+
+inline std::vector<vmp2::entry_t> traces;
+inline vmp2::file_header trace_header;
+
+int __cdecl main(int argc, char** argv)
+{
+    /*
+        the vm_handlers are encrypted/encoded with a basic
+        math operation... typically a NOT, XOR, NEG, etc...
+
+        You can determine what type of encryption your binary
+        is using by first finding where the LEA r12, vm_handlers
+        is located, then follow the usage of r12 until you see
+        MOV GP, [r12 + rax * 8], then follow the usage of the GP...
+
+        For example:
+        .vmp1:00000001401D1015                 lea     r12, vm_handlers
+        .vmp1:00000001401D0C0A                 mov     rdx, [r12+rax*8]
+        .vmp1:00000001401D0C10                 ror     rdx, 25h
+
+        Note:
+        R12 and RAX always seem to be used for this vm handler index...
+        You could signature scan for LEA r12, ? ? ? ? and find the vm handler
+        table really easily by manually inspecting each result...
+    */
+
+    vm::decrypt_handler_t _decrypt_handler = 
+        [](u64 val) -> u64
+    {
+        return val ^ 0x7F3D2149;
+    };
+
+    vm::encrypt_handler_t _encrypt_handler = 
+        [](u64 val) -> u64
+    {
+        return val ^ 0x7F3D2149;
+    };
+
+    vm::handler::edit_entry_t _edit_entry =
+        [](u64* entry_ptr, u64 val) -> void
+    {
+        DWORD old_prot;
+        VirtualProtect(entry_ptr, sizeof val, 
+            PAGE_EXECUTE_READWRITE, &old_prot);
+
+        *entry_ptr = val;
+        VirtualProtect(entry_ptr, sizeof val,
+            old_prot, &old_prot);
+    };
+    
+    const auto handler_table_rva = std::strtoull(argv[3], nullptr, 16);
+    const auto image_base = std::strtoull(argv[2], nullptr, 16);
+
+    const auto module_base = 
+        reinterpret_cast<std::uintptr_t>(
+            LoadLibraryExA(argv[1], NULL, DONT_RESOLVE_DLL_REFERENCES));
+
+    const auto handler_table_ptr = 
+        reinterpret_cast<std::uintptr_t*>(
+            module_base + handler_table_rva);
+
+    /*
+        the VM handler table is an array of 256 QWORD's... each encrypted differently per-binary...
+        each one of these is an encrypted RVA to a virtual instruction...
+
+        .vmp1:00000001401D25D3 vm_handlers     dq 3A28FA000000028h, 3A40E4000000028h, 3A2F5C000000028h
+        .vmp1:00000001401D25D3                 dq 3A1096000000028h, 3A3DBC000000028h, 3A1DDA000000028h
+        .vmp1:00000001401D25D3                 dq 3A6032000000028h, 2 dup(3A40E4000000028h), 3A2B5A000000028h
+        .vmp1:00000001401D25D3                 dq 3A4004000000028h, 3A2810000000028h, 3A446A000000028h
+        .vmp1:00000001401D25D3                 dq 3A39B6000000028h, 3A6728000000028h, 3A6032000000028h
+        .vmp1:00000001401D25D3                 dq 3A34F0000000028h, 3A46F2000000028h, 3A0170000000028h
+        .vmp1:00000001401D25D3                 dq 3A0952000000028h, 3A4004000000028h, 3A494E000000028h
+        .vmp1:00000001401D25D3                 dq 3A35C2000000028h, 3A4A1E000000028h, 3A37D8000000028h
+        .vmp1:00000001401D25D3                 dq 3A1482000000028h, 3A6492000000028h, 3A2948000000028h
+        .vmp1:00000001401D25D3                 dq 3A2D1C000000028h, 2 dup(3A6ABE000000028h), 3A068A000000028h
+        .vmp1:00000001401D25D3                 dq 3A3F52000000028h, 3A118E000000028h, 3A27BE000000028h
+
+        // .... many more ...
+    */
+
+    vm::handler::table_t handler_table(handler_table_ptr, _edit_entry);
+
+    // set all vm handler callbacks to just 
+    // print the rolling decrypt key and handler idx...
+    for (auto idx = 0u; idx < 256; ++idx)
+    {
+        handler_table.set_callback(idx,
+            [](vm::registers* regs, u8 handler_idx) -> void
+            {
+                vmp2::entry_t entry;
+                entry.decrypt_key = regs->rbx;
+                entry.handler_idx = handler_idx;
+                entry.vip = regs->rsi;
+                entry.regs = *reinterpret_cast<decltype(&entry.regs)>(&regs->r15);
+                entry.vregs = *reinterpret_cast<decltype(&entry.vregs)>(regs->rdi);
+
+                // stack grows down... so we gotta load the values in reverse...
+                for (auto idx = 0u; idx < sizeof(entry.vsp) / 8; ++idx)
+                    entry.vsp.qword[idx] = *(reinterpret_cast<u64*>(regs->rbp) - idx);
+
+                traces.push_back(entry);
+                std::printf("> TID = %d, handler idx = %d, decryption key = 0x%p\n", 
+                    GetCurrentThreadId(), handler_idx, regs->rbx);
+            }
+        );
+    }
+
+    vm::tracer_t tracer(
+        module_base, 
+        image_base, 
+        _decrypt_handler,
+        _encrypt_handler,
+        &handler_table
+    );
+
+    std::ofstream vmp2_file("output.vmp2", std::ios::binary);
+    memcpy(&trace_header.magic, "VMP2!", sizeof "VMP2!" - 1);
+    trace_header.epoch_time = time(nullptr);
+    trace_header.entry_offset = sizeof trace_header;
+    trace_header.advancement = vmp2::exec_type_t::forward;
+    trace_header.version = vmp2::version_t::v1;
+    trace_header.module_base = module_base;
+
+    // patch vm handler table...
+    tracer.start();
+
+    // call entry point...
+    reinterpret_cast<void (*)()>(
+        NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint + module_base)();
+
+    // unpatch vm handler table...
+    tracer.stop();
+
+    // write vmp2 file to disk...
+    trace_header.entry_count = traces.size();
+    vmp2_file.write((char*)&trace_header, sizeof trace_header);
+
+    for (auto& trace : traces)
+        vmp2_file.write((char*)&trace, sizeof trace);
+
+    vmp2_file.close();
+    std::printf("> finished vm trace...\n");
+    std::getchar();
+}
--- a/src/vmp2.hpp
+++ b/src/vmp2.hpp
@ -0,0 +1,72 @@
+#pragma once
+#include "vmtracer.hpp"
+
+namespace vmp2
+{
+	enum class exec_type_t
+	{
+		forward,
+		backward
+	};
+
+	enum class version_t
+	{
+		invalid,
+		v1 = 0x101
+	};
+
+	struct file_header
+	{
+		u32 magic; // VMP2!
+		u64 epoch_time;
+		u64 module_base;
+		exec_type_t advancement;
+		version_t version;
+
+		u32 entry_count;
+		u32 entry_offset;
+	};
+
+	struct entry_t
+	{
+		u8 handler_idx;
+		u64 decrypt_key;
+		u64 vip;
+
+		union
+		{
+			struct
+			{
+				u64 r15;
+				u64 r14;
+				u64 r13;
+				u64 r12;
+				u64 r11;
+				u64 r10;
+				u64 r9;
+				u64 r8;
+				u64 rbp;
+				u64 rdi;
+				u64 rsi;
+				u64 rdx;
+				u64 rcx;
+				u64 rbx;
+				u64 rax;
+				u64 rflags;
+			};
+			u64 raw[16];
+		} regs;
+
+		union
+		{
+			u64 qword[0x28];
+			u8 raw[0x140];
+		} vregs;
+
+		union
+		{
+			u64 qword[0x20];
+			u8 raw[0x100];
+		} vsp;
+	};
+}
--- a/src/vmtracer.cpp
+++ b/src/vmtracer.cpp
@ -0,0 +1,114 @@
+#include "vmtracer.hpp"
+
+namespace vm
+{
+	namespace handler
+	{
+		table_t::table_t(u64* table_addr, edit_entry_t edit_entry)
+			: 
+			table_addr(table_addr),
+			edit_entry(edit_entry)
+		{}
+
+		u64 table_t::get_entry(u8 idx) const
+		{
+			return table_addr[idx];
+		}
+
+		entry_t table_t::get_meta_data(u8 idx) const
+		{
+			return handlers[idx];
+		}
+
+		void table_t::set_entry(u8 idx, u64 entry)
+		{
+			edit_entry(table_addr + idx, entry);
+		}
+
+		void table_t::set_meta_data(u8 idx, const entry_t& entry)
+		{
+			handlers[idx] = entry;
+		}
+
+		void table_t::set_callback(u8 idx, entry_callback_t callback)
+		{
+			handlers[idx].callback = callback;
+		}
+	}
+
+	tracer_t::tracer_t(
+		u64 module_base,
+		u64 image_base,
+		decrypt_handler_t decrypt_handler, 
+		encrypt_handler_t encrypt_handler,
+		vm::handler::table_t* vm_handler_table
+	)
+		: 
+		decrypt_handler(decrypt_handler),
+		encrypt_handler(encrypt_handler),
+		handler_table(vm_handler_table),
+		module_base(module_base),
+		image_base(image_base)
+	{
+		for (auto idx = 0u; idx < 256; ++idx)
+		{
+			vm::handler::entry_t entry = 
+				vm_handler_table->get_meta_data(idx);
+
+			entry.encrypted = vm_handler_table->get_entry(idx);
+			entry.decrypted = decrypt(entry.encrypted);
+			entry.virt = (entry.decrypted - image_base) + module_base;
+			vm_handler_table->set_meta_data(idx, entry);
+		}
+		
+		vm::g_vmctx = this;
+		vtrap_encrypted = encrypt(
+			(reinterpret_cast<std::uintptr_t>(
+				&__vtrap) - module_base) + image_base);
+	}
+
+	u64 tracer_t::encrypt(u64 val) const
+	{
+		return encrypt_handler(val);
+	}
+
+	u64 tracer_t::decrypt(u64 val) const
+	{
+		return decrypt_handler(val);
+	}
+
+	void tracer_t::set_trap(u64 val) const
+	{
+		for (auto idx = 0u; idx < 256; ++idx)
+			handler_table->set_entry(idx, val);
+	}
+
+	void tracer_t::start() const
+	{
+		for (auto idx = 0u; idx < 256; ++idx)
+			handler_table->set_entry(idx, vtrap_encrypted);
+	}
+
+	void tracer_t::stop() const
+	{
+		for (auto idx = 0u; idx < 256; ++idx)
+		{
+			const auto handler_entry = 
+				handler_table->get_meta_data(idx).encrypted;
+
+			handler_table->set_entry(idx, handler_entry);
+		}
+	}
+}
+
+void vtrap_wrapper(vm::registers* regs, u8 handler_idx)
+{
+	regs->vm_handler = vm::g_vmctx->
+		handler_table->get_meta_data(handler_idx).virt;
+
+	const auto callback = vm::g_vmctx->
+		handler_table->get_meta_data(handler_idx).callback;
+
+	// per-virtual instruction callbacks...
+	if (callback) callback(regs, handler_idx);
+}
--- a/src/vmtracer.hpp
+++ b/src/vmtracer.hpp
@ -0,0 +1,118 @@
+#pragma once
+#include <cstdint>
+#include <xmmintrin.h>
+
+using u8 = unsigned char;
+using u16 = unsigned short;
+using u32 = unsigned int;
+using u64 = unsigned long long;
+using u128 = __m128;
+extern "C" void __vtrap(void);
+
+namespace vm
+{
+	typedef struct _registers
+	{
+		u128 xmm0;
+		u128 xmm1;
+		u128 xmm2;
+		u128 xmm3;
+		u128 xmm4;
+		u128 xmm5;
+		u128 xmm6;
+		u128 xmm7;
+		u128 xmm8;
+		u128 xmm9;
+		u128 xmm10;
+		u128 xmm11;
+		u128 xmm12;
+		u128 xmm13;
+		u128 xmm14;
+		u128 xmm15;
+
+		u64 gap0;
+
+		u64 r15;
+		u64 r14;
+		u64 r13;
+		u64 r12;
+		u64 r11;
+		u64 r10;
+		u64 r9;
+		u64 r8;
+		u64 rbp;
+		u64 rdi;
+		u64 rsi;
+		u64 rdx;
+		u64 rcx;
+		u64 rbx;
+		u64 rax;
+		u64 rflags;
+		u64 vm_handler;
+	} registers, * pregisters;
+
+	using decrypt_handler_t = u64(*)(u64);
+	using encrypt_handler_t = u64(*)(u64);
+
+	namespace handler
+	{
+		// these lambdas handle page protections...
+		using edit_entry_t = void (*)(u64*, u64);
+		using entry_callback_t = void (*)(vm::registers* regs, u8 handler_idx);
+
+		struct entry_t
+		{
+			u64 virt;
+			u64 encrypted;
+			u64 decrypted;
+			entry_callback_t callback;
+		};
+
+		class table_t
+		{
+		public:
+			explicit table_t(u64* table_addr, edit_entry_t edit_entry);
+			u64 get_entry(u8 idx) const;
+			entry_t get_meta_data(u8 idx) const;
+
+			void set_entry(u8 idx, u64 entry);
+			void set_meta_data(u8 idx, const entry_t& entry);
+			void set_callback(u8 idx, entry_callback_t callback);
+		private:
+			u64* table_addr;
+			edit_entry_t edit_entry;
+			entry_t handlers[256];
+		};
+	}
+
+	class tracer_t
+	{
+	public:
+		explicit tracer_t(
+			u64 module_base,
+			u64 image_base,
+			decrypt_handler_t decrypt_handler,
+			encrypt_handler_t encrypt_handler,
+			vm::handler::table_t* vm_handler_table
+		);
+
+		u64 encrypt(u64 val) const;
+		u64 decrypt(u64 val) const;
+		void set_trap(u64 val) const;
+
+		void start() const;
+		void stop() const;
+
+		vm::handler::table_t* handler_table;
+	private:
+		const u64 module_base, image_base;
+		u64 vtrap_encrypted;
+
+		const decrypt_handler_t decrypt_handler;
+		const encrypt_handler_t encrypt_handler;
+	};
+
+	inline vm::tracer_t* g_vmctx = nullptr;
+}
+
+extern "C" void vtrap_wrapper(vm::registers * regs, u8 handler_idx);
--- a/src/vmtracer.vcxproj
+++ b/src/vmtracer.vcxproj
@ -0,0 +1,160 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{D257C9F6-C705-49D5-84ED-64C9C513C419}</ProjectGuid>
+    <RootNamespace>vmtracer</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0</WindowsTargetPlatformVersion>
+    <ProjectName>vmtracer</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v142</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <LanguageStandard>stdcpp17</LanguageStandard>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="vmtracer.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="vmp2.hpp" />
+    <ClInclude Include="vmtracer.hpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="vtrap.asm">
+      <FileType>Document</FileType>
+    </MASM>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>
--- a/src/vmtracer.vcxproj.filters
+++ b/src/vmtracer.vcxproj.filters
@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="vmtracer.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="vmtracer.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+    <ClInclude Include="vmp2.hpp">
+      <Filter>Header Files</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="vtrap.asm">
+      <Filter>Source Files</Filter>
+    </MASM>
+  </ItemGroup>
+</Project>
--- a/src/vtrap.asm
+++ b/src/vtrap.asm
@ -0,0 +1,87 @@
+extern vtrap_wrapper : proc
+
+.code
+__vtrap proc
+	sub rsp, 8 ; make room for return address...
+	pushfq
+	push rax
+	push rbx
+	push rcx
+	push rdx
+	push rsi
+	push rdi
+	push rbp
+	push r8
+	push r9
+	push r10
+	push r11
+	push r12
+	push r13
+	push r14
+	push r15
+
+	sub rsp, 0108h ; 16 xmm registers...
+	movaps [rsp], xmm0
+	movaps [rsp + 010h], xmm1
+	movaps [rsp + 020h], xmm2
+	movaps [rsp + 030h], xmm3
+	movaps [rsp + 040h], xmm4
+	movaps [rsp + 050h], xmm5
+	movaps [rsp + 060h], xmm6
+	movaps [rsp + 070h], xmm7
+	movaps [rsp + 080h], xmm8
+	movaps [rsp + 090h], xmm9
+	movaps [rsp + 0A0h], xmm10
+	movaps [rsp + 0B0h], xmm11
+	movaps [rsp + 0C0h], xmm12
+	movaps [rsp + 0D0h], xmm13
+	movaps [rsp + 0E0h], xmm14
+	movaps [rsp + 0F0h], xmm15
+
+	; vm::registers* regs
+	; u8 handler_idx
+	mov rcx, rsp
+	mov rdx, rax
+
+	sub rsp, 20h
+	call vtrap_wrapper
+	add rsp, 20h
+
+	movups xmm0, [rsp]
+	movups xmm1, [rsp + 010h]
+	movups xmm2, [rsp + 020h]
+	movups xmm3, [rsp + 030h]
+	movups xmm4, [rsp + 040h]
+	movups xmm5, [rsp + 050h]
+	movups xmm6, [rsp + 060h]
+	movups xmm7, [rsp + 070h]
+	movups xmm8, [rsp + 080h]
+	movups xmm9, [rsp + 090h]
+	movups xmm10, [rsp + 0A0h]
+	movups xmm11, [rsp + 0B0h]
+	movups xmm12, [rsp + 0C0h]
+	movups xmm13, [rsp + 0D0h]
+	movups xmm14, [rsp + 0E0h]
+	movups xmm15, [rsp + 0F0h]
+	add rsp, 0108h ; 16 xmm registers...
+
+	pop r15
+	pop r14
+	pop r13
+	pop r12
+	pop r11
+	pop r10
+	pop r9
+	pop r8
+	pop rbp 
+	pop rdi
+	pop rsi
+	pop rdx
+	pop rcx
+	pop rbx
+	pop rax
+	popfq
+	; note that the original VM handler will be on the stack here...
+	ret
+__vtrap endp
+end
--- a/vmtracer.sln
+++ b/vmtracer.sln
@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.30907.101
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmtracer", "src\vmtracer.vcxproj", "{D257C9F6-C705-49D5-84ED-64C9C513C419}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x64.ActiveCfg = Debug|x64
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x64.Build.0 = Debug|x64
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x86.ActiveCfg = Debug|Win32
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Debug|x86.Build.0 = Debug|Win32
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x64.ActiveCfg = Release|x64
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x64.Build.0 = Release|x64
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x86.ActiveCfg = Release|Win32
+		{D257C9F6-C705-49D5-84ED-64C9C513C419}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {CC700881-2AAD-4B71-BC5B-4870C480C75E}
+	EndGlobalSection
+EndGlobal