|
|
@ -17,4 +17,96 @@ Options:
|
|
|
|
--vmentry, --entry rva to push prior to a vm_entry (Required)
|
|
|
|
--vmentry, --entry rva to push prior to a vm_entry (Required)
|
|
|
|
--showhandlers show all vm handlers...
|
|
|
|
--showhandlers show all vm handlers...
|
|
|
|
-h, --help Shows this page
|
|
|
|
-h, --help Shows this page
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# output - information example
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
```
|
|
|
|
|
|
|
|
vmprofiler-cli.exe --vmpbin vmptest.vmp.exe --vmentry 0x1000
|
|
|
|
|
|
|
|
> vm entry start = 0x00007FF61C8B1000
|
|
|
|
|
|
|
|
> flattened vm entry...
|
|
|
|
|
|
|
|
> deobfuscated vm entry...
|
|
|
|
|
|
|
|
==================================================================================
|
|
|
|
|
|
|
|
> 0x00007FF61C8B822C push 0xFFFFFFFF890001FA
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7FC9 push 0x45D3BF1F
|
|
|
|
|
|
|
|
> 0x00007FF61C8B48E4 push r13
|
|
|
|
|
|
|
|
> 0x00007FF61C8B4690 push rsi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B4E53 push r14
|
|
|
|
|
|
|
|
> 0x00007FF61C8B74FB push rcx
|
|
|
|
|
|
|
|
> 0x00007FF61C8B607C push rsp
|
|
|
|
|
|
|
|
> 0x00007FF61C8B4926 pushfq
|
|
|
|
|
|
|
|
> 0x00007FF61C8B4DC2 push rbp
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5C8C push r12
|
|
|
|
|
|
|
|
> 0x00007FF61C8B52AC push r10
|
|
|
|
|
|
|
|
> 0x00007FF61C8B51A5 push r9
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5189 push rdx
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7D5F push r8
|
|
|
|
|
|
|
|
> 0x00007FF61C8B4505 push rdi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B4745 push r11
|
|
|
|
|
|
|
|
> 0x00007FF61C8B478B push rax
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7A53 push rbx
|
|
|
|
|
|
|
|
> 0x00007FF61C8B500D push r15
|
|
|
|
|
|
|
|
> 0x00007FF61C8B6030 push [0x00007FF61C8B7912]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B593A mov rax, 0x7FF4DC8B0000
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5955 mov r13, rax
|
|
|
|
|
|
|
|
> 0x00007FF61C8B595F test dl, al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5965 push rax
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5969 btr si, bx
|
|
|
|
|
|
|
|
> 0x00007FF61C8B596F mov esi, [rsp+0xA0]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5979 not esi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5985 neg esi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B598D ror esi, 0x1A
|
|
|
|
|
|
|
|
> 0x00007FF61C8B599E mov rbp, rsp
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59A8 sub rsp, 0x140
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59B5 and rsp, 0xFFFFFFFFFFFFFFF0
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59BE inc ax
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59C1 mov rdi, rsp
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59C7 bsr r12, rax
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59CB lea r12, [0x00007FF61C8B6473]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59DF mov rax, 0x100000000
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59EC add rsi, rax
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59F3 mov rbx, rsi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B59FA add rsi, [rbp]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A03 rcr dl, cl
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A05 mov al, [rsi]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A0A xor al, bl
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A11 neg al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A19 rol al, 0x05
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A26 inc al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A2F xor bl, al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A34 movzx rax, al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5507 inc rsi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7951 add rdx, r13
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7954 jmp rdx
|
|
|
|
|
|
|
|
> calc_jmp extracted from vm_entry... calc_jmp:
|
|
|
|
|
|
|
|
==================================================================================
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A05 mov al, [rsi]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A0A xor al, bl
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A11 neg al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A19 rol al, 0x05
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A26 inc al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A2F xor bl, al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A34 movzx rax, al
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A41 mov rdx, [r12+rax*8]
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5A49 xor rdx, 0x7F3D2149
|
|
|
|
|
|
|
|
> 0x00007FF61C8B5507 inc rsi
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7951 add rdx, r13
|
|
|
|
|
|
|
|
> 0x00007FF61C8B7954 jmp rdx
|
|
|
|
|
|
|
|
==================================================================================
|
|
|
|
|
|
|
|
> virtual instruction pointer advancement: forward
|
|
|
|
|
|
|
|
> located vm handler table... at = 0x00007FF61C8B6473, rva = 0x0000000140006473
|
|
|
|
|
|
|
|
> vm handler table entries decrypted with = xor rdx, 0x7F3D2149
|
|
|
|
|
|
|
|
> vm handler table entries encrypted with = xor rdx, 0x7F3D2149
|
|
|
|
|
|
|
|
==================================================================================
|
|
|
|
|
|
|
|
> virtual instruction rva decryption instructions:
|
|
|
|
|
|
|
|
not esi
|
|
|
|
|
|
|
|
neg esi
|
|
|
|
|
|
|
|
ror esi, 0x1A
|
|
|
|
|
|
|
|
> virtual instruction rva encryption instructions:
|
|
|
|
|
|
|
|
rol esi, 0x1A
|
|
|
|
|
|
|
|
neg esi
|
|
|
|
|
|
|
|
not esi
|
|
|
|
|
|
|
|
==================================================================================
|
|
|
|
```
|
|
|
|
```
|