added code to determine advancement of VIP

merge-requests/2/head
_xeroxz 4 years ago
parent 804db4a0e6
commit 34af0a1044

@ -48,7 +48,7 @@ int __cdecl main( int argc, const char *argv[] )
const auto image_base = xtils::um_t::get_instance()->image_base( parser.get< std::string >( "bin" ).c_str() ); const auto image_base = xtils::um_t::get_instance()->image_base( parser.get< std::string >( "bin" ).c_str() );
zydis_routine_t vm_entry; zydis_routine_t vm_entry, calc_jmp;
std::printf( "> vm entry start = 0x%p\n", vm_entry_ptr ); std::printf( "> vm entry start = 0x%p\n", vm_entry_ptr );
if ( !vm::util::flatten( vm_entry, vm_entry_ptr ) ) if ( !vm::util::flatten( vm_entry, vm_entry_ptr ) )
@ -63,6 +63,18 @@ int __cdecl main( int argc, const char *argv[] )
std::printf( "==================================================================================\n" ); std::printf( "==================================================================================\n" );
vm::util::print( vm_entry ); vm::util::print( vm_entry );
if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) )
{
std::printf( "> failed to extract calc_jmp from vm_entry...\n" );
return -1;
}
vm::util::deobfuscate( calc_jmp );
std::printf( "> calc_jmp extracted from vm_entry... calc_jmp:\n" );
std::printf( "==================================================================================\n" );
vm::util::print( calc_jmp );
std::printf( "==================================================================================\n" );
const auto vm_handler_table = vm::handler::table::get( vm_entry ); const auto vm_handler_table = vm::handler::table::get( vm_entry );
if ( !vm_handler_table ) if ( !vm_handler_table )
@ -71,7 +83,13 @@ int __cdecl main( int argc, const char *argv[] )
return -1; return -1;
} }
std::printf( "==================================================================================\n" ); auto advancement = vm::calc_jmp::get_advancement( calc_jmp );
if ( advancement.has_value() )
std::printf( "> virtual instruction pointer advancement: %s\n",
advancement == vmp2::exec_type_t::forward ? "forward" : "backward" );
else
std::printf( "> virtual instruction pointer advancement was unable to be parsed!\n" );
std::printf( "> located vm handler table... at = 0x%p, rva = 0x%p\n", vm_handler_table, std::printf( "> located vm handler table... at = 0x%p, rva = 0x%p\n", vm_handler_table,
( reinterpret_cast< std::uintptr_t >( vm_handler_table ) - module_base ) + image_base ); ( reinterpret_cast< std::uintptr_t >( vm_handler_table ) - module_base ) + image_base );
@ -103,6 +121,7 @@ int __cdecl main( int argc, const char *argv[] )
std::printf( "\t" ); std::printf( "\t" );
vm::util::print( transform ); vm::util::print( transform );
} }
std::printf( "==================================================================================\n" );
std::vector< vm::handler::handler_t > vm_handlers; std::vector< vm::handler::handler_t > vm_handlers;
if ( !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) ) if ( !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) )
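Review bot: In the hunk at @ -71,7 +83,13, a failed `get_advancement` only prints a message and main keeps going, so any later stage that depends on the virtual instruction pointer direction (not visible here) would run with no direction established; if such a dependency exists, a `return -1;` there, matching the calc_jmp extraction failure handled just above, would be the consistent choice, otherwise a comment stating that the advancement is informational only would make that explicit. Inside the `has_value()` branch the optional is compared directly (`advancement == vmp2::exec_type_t::forward`); `*advancement == vmp2::exec_type_t::forward` reads more clearly and states that the value is expected to be present. In the first hunk, `zydis_routine_t vm_entry, calc_jmp;` declares two routines on one line although `calc_jmp` is only filled in by `vm::calc_jmp::get` a hunk later; one declaration per line, placed at first use, would keep the two lifetimes obvious. The enclosing `main` starts and ends outside the hunks.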
