From b25559f30711e9a95d50c7ac07d61ede0cc8b9cb Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Thu, 20 May 2021 22:02:33 -0700
Subject: [PATCH] removed header files from the src dir
---
src/main.cpp | 154 ----------------------------------
src/vmp2.hpp | 72 ----------------
src/vmtracer.hpp | 118 --------------------------
src/vmtracer.vcxproj | 9 +-
src/vmtracer.vcxproj.filters | 14 ++--
5 files changed, 12 insertions(+), 355 deletions(-)
delete mode 100644 src/main.cpp
delete mode 100644 src/vmp2.hpp
delete mode 100644 src/vmtracer.hpp
diff --git a/src/main.cpp b/src/main.cpp
deleted file mode 100644
index 4c4b681..0000000
--- a/src/main.cpp
+++ /dev/null
@@ -1,154 +0,0 @@
-#include
-#include
-#include
-#include
-#include "vmtracer.hpp"
-#include "vmp2.hpp"
-
-#define NT_HEADER(x) \
- reinterpret_cast( \
- reinterpret_cast(x)->e_lfanew + x)
-
-inline std::vector traces;
-inline vmp2::file_header trace_header;
-
-int __cdecl main(int argc, char** argv)
-{
- /*
- the vm_handlers are encrypted/encoded with a basic
- math operation... typically a NOT, XOR, NEG, etc...
-
- You can determine what type of encryption your binary
- is using by first finding where the LEA r12, vm_handlers
- is located, then follow the usage of r12 until you see
- MOV GP, [r12 + rax * 8], then follow the usage of the GP...
-
- For example:
- .vmp1:00000001401D1015 lea r12, vm_handlers
- .vmp1:00000001401D0C0A mov rdx, [r12+rax*8]
- .vmp1:00000001401D0C10 ror rdx, 25h
-
- Note:
- R12 and RAX always seem to be used for this vm handler index...
- You could signature scan for LEA r12, ? ? ? ? and find the vm handler
- table really easily by manually inspecting each result...
- */
-
- vm::decrypt_handler_t _decrypt_handler =
- [](u64 val) -> u64
- {
- return val ^ 0x7F3D2149;
- };
-
- vm::encrypt_handler_t _encrypt_handler =
- [](u64 val) -> u64
- {
- return val ^ 0x7F3D2149;
- };
-
- vm::handler::edit_entry_t _edit_entry =
- [](u64* entry_ptr, u64 val) -> void
- {
- DWORD old_prot;
- VirtualProtect(entry_ptr, sizeof val,
- PAGE_EXECUTE_READWRITE, &old_prot);
-
- *entry_ptr = val;
- VirtualProtect(entry_ptr, sizeof val,
- old_prot, &old_prot);
- };
-
- const auto handler_table_rva = std::strtoull(argv[3], nullptr, 16);
- const auto image_base = std::strtoull(argv[2], nullptr, 16);
-
- const auto module_base =
- reinterpret_cast(
- LoadLibraryExA(argv[1], NULL, DONT_RESOLVE_DLL_REFERENCES));
-
- const auto handler_table_ptr =
- reinterpret_cast(
- module_base + handler_table_rva);
-
- /*
- the VM handler table is an array of 256 QWORD's... each encrypted differently per-binary...
- each one of these is an encrypted RVA to a virtual instruction...
-
- .vmp1:00000001401D25D3 vm_handlers dq 3A28FA000000028h, 3A40E4000000028h, 3A2F5C000000028h
- .vmp1:00000001401D25D3 dq 3A1096000000028h, 3A3DBC000000028h, 3A1DDA000000028h
- .vmp1:00000001401D25D3 dq 3A6032000000028h, 2 dup(3A40E4000000028h), 3A2B5A000000028h
- .vmp1:00000001401D25D3 dq 3A4004000000028h, 3A2810000000028h, 3A446A000000028h
- .vmp1:00000001401D25D3 dq 3A39B6000000028h, 3A6728000000028h, 3A6032000000028h
- .vmp1:00000001401D25D3 dq 3A34F0000000028h, 3A46F2000000028h, 3A0170000000028h
- .vmp1:00000001401D25D3 dq 3A0952000000028h, 3A4004000000028h, 3A494E000000028h
- .vmp1:00000001401D25D3 dq 3A35C2000000028h, 3A4A1E000000028h, 3A37D8000000028h
- .vmp1:00000001401D25D3 dq 3A1482000000028h, 3A6492000000028h, 3A2948000000028h
- .vmp1:00000001401D25D3 dq 3A2D1C000000028h, 2 dup(3A6ABE000000028h), 3A068A000000028h
- .vmp1:00000001401D25D3 dq 3A3F52000000028h, 3A118E000000028h, 3A27BE000000028h
-
- // .... many more ...
- */
-
- vm::handler::table_t handler_table(handler_table_ptr, _edit_entry);
-
- // set all vm handler callbacks to just
- // print the rolling decrypt key and handler idx...
- for (auto idx = 0u; idx < 256; ++idx)
- {
- handler_table.set_callback(idx,
- [](vm::registers* regs, u8 handler_idx) -> void
- {
- vmp2::entry_t entry;
- entry.decrypt_key = regs->rbx;
- entry.handler_idx = handler_idx;
- entry.vip = regs->rsi;
- entry.regs = *reinterpret_cast(®s->r15);
- entry.vregs = *reinterpret_cast(regs->rdi);
-
- // stack grows down... so we gotta load the values in reverse...
- for (auto idx = 0u; idx < sizeof(entry.vsp) / 8; ++idx)
- entry.vsp.qword[idx] = *(reinterpret_cast(regs->rbp) - idx);
-
- traces.push_back(entry);
- std::printf("> TID = %d, handler idx = %d, decryption key = 0x%p\n",
- GetCurrentThreadId(), handler_idx, regs->rbx);
- }
- );
- }
-
- vm::tracer_t tracer(
- module_base,
- image_base,
- _decrypt_handler,
- _encrypt_handler,
- &handler_table
- );
-
- std::ofstream vmp2_file("output.vmp2", std::ios::binary);
- memcpy(&trace_header.magic, "VMP2!", sizeof "VMP2!" - 1);
- trace_header.epoch_time = time(nullptr);
- trace_header.entry_offset = sizeof trace_header;
- trace_header.advancement = vmp2::exec_type_t::forward;
- trace_header.version = vmp2::version_t::v1;
- trace_header.module_base = module_base;
-
- // patch vm handler table...
- tracer.start();
-
- // call entry point...
- reinterpret_cast(
- NT_HEADER(module_base)->OptionalHeader.AddressOfEntryPoint + module_base)();
-
- // unpatch vm handler table...
- tracer.stop();
-
- // write vmp2 file to disk...
- trace_header.entry_count = traces.size();
- vmp2_file.write((char*)&trace_header, sizeof trace_header);
-
- for (auto& trace : traces)
- vmp2_file.write((char*)&trace, sizeof trace);
-
- vmp2_file.close();
- std::printf("> finished vm trace...\n");
- std::getchar();
-}
\ No newline at end of file
diff --git a/src/vmp2.hpp b/src/vmp2.hpp
deleted file mode 100644
index 5bc3bff..0000000
--- a/src/vmp2.hpp
+++ /dev/null
@@ -1,72 +0,0 @@
-#pragma once
-#include "vmtracer.hpp"
-
-namespace vmp2
- {
- enum class exec_type_t
- {
- forward,
- backward
- };
-
- enum class version_t
- {
- invalid,
- v1 = 0x101
- };
-
- struct file_header
- {
- u32 magic; // VMP2!
- u64 epoch_time;
- u64 module_base;
- exec_type_t advancement;
- version_t version;
-
- u32 entry_count;
- u32 entry_offset;
- };
-
- struct entry_t
- {
- u8 handler_idx;
- u64 decrypt_key;
- u64 vip;
-
- union
- {
- struct
- {
- u64 r15;
- u64 r14;
- u64 r13;
- u64 r12;
- u64 r11;
- u64 r10;
- u64 r9;
- u64 r8;
- u64 rbp;
- u64 rdi;
- u64 rsi;
- u64 rdx;
- u64 rcx;
- u64 rbx;
- u64 rax;
- u64 rflags;
- };
- u64 raw[16];
- } regs;
-
- union
- {
- u64 qword[0x28];
- u8 raw[0x140];
- } vregs;
-
- union
- {
- u64 qword[0x20];
- u8 raw[0x100];
- } vsp;
- };
-}
\ No newline at end of file
diff --git a/src/vmtracer.hpp b/src/vmtracer.hpp
deleted file mode 100644
index a78d262..0000000
--- a/src/vmtracer.hpp
+++ /dev/null
@@ -1,118 +0,0 @@
-#pragma once
-#include
-#include
-
-using u8 = unsigned char;
-using u16 = unsigned short;
-using u32 = unsigned int;
-using u64 = unsigned long long;
-using u128 = __m128;
-extern "C" void __vtrap(void);
-
-namespace vm
-{
- typedef struct _registers
- {
- u128 xmm0;
- u128 xmm1;
- u128 xmm2;
- u128 xmm3;
- u128 xmm4;
- u128 xmm5;
- u128 xmm6;
- u128 xmm7;
- u128 xmm8;
- u128 xmm9;
- u128 xmm10;
- u128 xmm11;
- u128 xmm12;
- u128 xmm13;
- u128 xmm14;
- u128 xmm15;
-
- u64 gap0;
-
- u64 r15;
- u64 r14;
- u64 r13;
- u64 r12;
- u64 r11;
- u64 r10;
- u64 r9;
- u64 r8;
- u64 rbp;
- u64 rdi;
- u64 rsi;
- u64 rdx;
- u64 rcx;
- u64 rbx;
- u64 rax;
- u64 rflags;
- u64 vm_handler;
- } registers, * pregisters;
-
- using decrypt_handler_t = u64(*)(u64);
- using encrypt_handler_t = u64(*)(u64);
-
- namespace handler
- {
- // these lambdas handle page protections...
- using edit_entry_t = void (*)(u64*, u64);
- using entry_callback_t = void (*)(vm::registers* regs, u8 handler_idx);
-
- struct entry_t
- {
- u64 virt;
- u64 encrypted;
- u64 decrypted;
- entry_callback_t callback;
- };
-
- class table_t
- {
- public:
- explicit table_t(u64* table_addr, edit_entry_t edit_entry);
- u64 get_entry(u8 idx) const;
- entry_t get_meta_data(u8 idx) const;
-
- void set_entry(u8 idx, u64 entry);
- void set_meta_data(u8 idx, const entry_t& entry);
- void set_callback(u8 idx, entry_callback_t callback);
- private:
- u64* table_addr;
- edit_entry_t edit_entry;
- entry_t handlers[256];
- };
- }
-
- class tracer_t
- {
- public:
- explicit tracer_t(
- u64 module_base,
- u64 image_base,
- decrypt_handler_t decrypt_handler,
- encrypt_handler_t encrypt_handler,
- vm::handler::table_t* vm_handler_table
- );
-
- u64 encrypt(u64 val) const;
- u64 decrypt(u64 val) const;
- void set_trap(u64 val) const;
-
- void start() const;
- void stop() const;
-
- vm::handler::table_t* handler_table;
- private:
- const u64 module_base, image_base;
- u64 vtrap_encrypted;
-
- const decrypt_handler_t
decrypt_handler;
- const encrypt_handler_t encrypt_handler;
- };
-
- inline vm::tracer_t* g_vmctx = nullptr;
-}
-
-extern "C" void vtrap_wrapper(vm::registers * regs, u8 handler_idx);
\ No newline at end of file
diff --git a/src/vmtracer.vcxproj b/src/vmtracer.vcxproj
index 3bfbce2..836694c 100644
--- a/src/vmtracer.vcxproj
+++ b/src/vmtracer.vcxproj
@@ -83,6 +83,7 @@ false + $(ProjectDir)..\include;$(IncludePath)
@@ -144,15 +145,15 @@ - - - - Document + + + +
diff --git a/src/vmtracer.vcxproj.filters b/src/vmtracer.vcxproj.filters
index e037119..66cded4 100644
--- a/src/vmtracer.vcxproj.filters
+++ b/src/vmtracer.vcxproj.filters
@@ -16,16 +16,16 @@ - + + Source Files + + + + Header Files - + Header Files - - - Source Files - -
\ No newline at end of file