#pragma once
#include <cstdint>
#include <xmmintrin.h>
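// Short integer/vector aliases used by every declaration in this header.
// They are spelled with built-in types rather than the <cstdint> names, so the
// language itself does not guarantee the widths the alias names promise; the
// asserts below turn a mismatching toolchain into a compile error instead of a
// silently mis-sized register frame.
using u8 = unsigned char;
using u16 = unsigned short;
using u32 = unsigned int;
using u64 = unsigned long long;
using u128 = __m128; // SSE vector type from <xmmintrin.h>

static_assert( sizeof( u16 ) == 2, "u16 must be 2 bytes" );
static_assert( sizeof( u32 ) == 4, "u32 must be 4 bytes" );
static_assert( sizeof( u64 ) == 8, "u64 must be 8 bytes" );
static_assert( sizeof( u128 ) == 16, "u128 must be 16 bytes" );

// Declared with C linkage and defined outside this header.
// NOTE(review): presumably the assembly trap stub that handler table entries
// are redirected to - confirm against its definition.
extern "C" void __vtrap( void );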
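namespace vm
{
    /// Register frame handed to a hook callback: sixteen XMM slots, one gap
    /// slot, the general purpose registers, RFLAGS and a vm_handler slot.
    ///
    /// NOTE(review): the field order looks like the order in which an assembly
    /// stub saves registers before calling into C++ - confirm against that stub
    /// before reordering, resizing or inserting fields.
    typedef struct _registers
    {
        u128 xmm0;
        u128 xmm1;
        u128 xmm2;
        u128 xmm3;
        u128 xmm4;
        u128 xmm5;
        u128 xmm6;
        u128 xmm7;
        u128 xmm8;
        u128 xmm9;
        u128 xmm10;
        u128 xmm11;
        u128 xmm12;
        u128 xmm13;
        u128 xmm14;
        u128 xmm15;

        // Slot between the XMM area and the GPRs; its purpose is not visible
        // here (presumably stack alignment padding - TODO confirm).
        u64 gap0;

        u64 r15;
        u64 r14;
        u64 r13;
        u64 r12;
        u64 r11;
        u64 r10;
        u64 r9;
        u64 r8;
        u64 rbp;
        u64 rdi;
        u64 rsi;
        u64 rdx;
        u64 rcx;
        u64 rbx;
        u64 rax;
        u64 rflags;
        u64 vm_handler;
    } registers, *pregisters;

    // The frame is 16 vector slots followed by 18 64-bit slots. Pin the size so
    // that compiler-inserted padding (or an edit to the struct) fails the build
    // instead of shifting every register a callback reads or writes.
    static_assert( sizeof( registers ) == 16 * sizeof( u128 ) + 18 * sizeof( u64 ),
                   "vm::registers must have no padding between its slots" );

    // Caller-supplied transforms between the value stored in a handler table
    // slot and its decoded form. Both take and return a single u64.
    using decrypt_handler_t = u64 ( * )( u64 );
    using encrypt_handler_t = u64 ( * )( u64 );

    namespace handler
    {
        // Callbacks of this type handle page protections when a table entry is
        // edited. NOTE(review): the arguments are presumably the slot to write
        // and the new value - confirm against the callers.
        using edit_entry_t = void ( * )( u64 *, u64 );

        // Per-handler hook callback; receives the register frame and the index
        // of the handler it was registered for.
        using entry_callback_t = void ( * )( vm::registers *regs, u8 handler_idx );

        // Bookkeeping kept for one handler table slot.
        // NOTE(review): field meanings below are inferred from the names.
        struct entry_t
        {
            u64 virt;                  // presumably the handler's address
            u64 encrypted;             // presumably the slot value as stored in the table
            u64 decrypted;             // presumably the slot value after decrypt_handler
            entry_callback_t callback; // hook to run for this handler, if any
        };

        // Main table class: holds all of the information for a given virtual
        // machine handler table, which makes it conducive to virtual
        // instruction hooking. Up to 10 of these can be created and stored in a
        // vm::hook_t.
        class table_t
        {
          public:
            // module_base / image_base / table_rva locate the table;
            // edit_entry, decrypt_handler and encrypt_handler are the
            // caller-supplied callbacks stored in the members of the same name.
            explicit table_t( u64 module_base, u64 image_base, u32 table_rva, vm::handler::edit_entry_t edit_entry,
                              vm::decrypt_handler_t decrypt_handler, vm::encrypt_handler_t encrypt_handler );

            // idx is a u8 and handlers has 256 slots, so every index value the
            // type can hold is inside the array.
            u64 get_entry( u8 idx ) const;
            entry_t get_meta_data( u8 idx ) const;

            void set_entry( u8 idx, u64 entry );
            void set_meta_data( u8 idx, const entry_t &entry );
            void set_callback( u8 idx, entry_callback_t callback );

            // Note the asymmetry: decrypt takes a table index, encrypt takes a value.
            u64 decrypt( u8 idx );
            u64 encrypt( u64 val );

            const u32 table_rva;
            const u64 module_base, image_base;

            // Null until the constructor assigns it, so a partially built
            // table is never dereferenced through an indeterminate pointer.
            u64 *table_addr = nullptr;

            // Value-initialised so that a slot nobody registered has a null
            // callback rather than an indeterminate function pointer.
            entry_t handlers[ 256 ] = {};
            edit_entry_t edit_entry;
            vm::decrypt_handler_t decrypt_handler;
            vm::encrypt_handler_t encrypt_handler;
        };
    } // namespace handler

    // Wrapper/container class which holds up to 10 virtual machine tables and
    // does basic operations on them, such as starting all of the virtual
    // machine hooks and stopping all of them.
    class hook_t
    {
      public:
        explicit hook_t( void );

        // NOTE(review): the definition is not in this header. handler_tables
        // has a fixed capacity of 10, so confirm that add_table rejects a call
        // once table_count reaches it instead of writing past the array.
        void add_table( vm::handler::table_t *table );

        void start( void );
        void stop( void );

        // Both members start empty even if a constructor forgets to set them.
        u8 table_count = 0;

        // Raw pointers: presumably non-owning, in which case every table must
        // outlive the hooks that reference it - TODO confirm.
        vm::handler::table_t *handler_tables[ 10 ] = {};
    };

    // Process-wide hook context, null until something assigns it. Who assigns
    // it and which threads read it is not visible from this header.
    inline vm::hook_t *g_vmctx = nullptr;
} // namespace vm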
// C-linkage entry point taking the saved register frame and a handler index;
// it has the same parameter list as vm::handler::entry_callback_t.
// NOTE(review): presumably called from the assembly trap stub and used to
// dispatch to the callback registered for handler_idx - confirm in its definition.
extern "C" void vtrap_wrapper( vm::registers* regs, u8 handler_idx );