From bdabaca7a39bd908a98fbd331e795f85772422f0 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Wed, 2 Jun 2021 00:41:22 -0700
Subject: [PATCH] updated to newest vmprofiler, upgraded to .vmp2 v2
---
dependencies/vmprofiler | 2 +-
.../framelesswindow/framelesswindow.ui | 2 +-
src/QVMProfiler.cpp | 308 +++++++-----------
src/QVMProfiler.h | 30 +-
src/vmctx.cpp | 4 +-
src/vmctx.h | 8 +-
src/vmprofiler-qt.vcxproj | 5 +-
src/vmprofiler-qt.vcxproj.filters | 5 +
vmprofiler-qt.sln | 66 ++--
9 files changed, 188 insertions(+), 242 deletions(-)
diff --git a/dependencies/vmprofiler b/dependencies/vmprofiler
index 5129d39..4cc0334 160000
--- a/dependencies/vmprofiler
+++ b/dependencies/vmprofiler
@@ -1 +1 @@
-Subproject commit 5129d39eb726e32a80417165ec37b597357664d4
+Subproject commit 4cc033468e9f3b3583d07f307b9f5e9179db8762
diff --git a/src/DarkStyle/framelesswindow/framelesswindow.ui b/src/DarkStyle/framelesswindow/framelesswindow.ui
index d0663da..2f413dc 100644
--- a/src/DarkStyle/framelesswindow/framelesswindow.ui
+++ b/src/DarkStyle/framelesswindow/framelesswindow.ui
@@ -143,7 +143,7 @@ color:rgb(153,153,153);
- VMProtect 2 - Virtual Instruction Trace Inspector
+ VMProtect 2 - Virtual Instruction Inspector (v1.5)
 Qt::AlignLeading|Qt::AlignLeft|Qt::AlignVCenter
diff --git a/src/QVMProfiler.cpp b/src/QVMProfiler.cpp
index 02efe37..e62ad96 100644
--- a/src/QVMProfiler.cpp
+++ b/src/QVMProfiler.cpp
@@ -1,21 +1,20 @@ #include "QVMProfiler.h" -QVMProfiler::QVMProfiler(QWidget *parent) - : QMainWindow(parent), - TraceFileBlob(nullptr), - VMCtx(nullptr) +QVMProfiler::QVMProfiler( QWidget *parent ) : QMainWindow( parent ), TraceFileBlob( nullptr ), VMCtx( nullptr ) { - ui.setupUi(this); + ui.setupUi( this ); } void QVMProfiler::on_actionCloseProgram_triggered() -{ exit(0); } +{ + exit( 0 ); +} void QVMProfiler::on_actionOpen_VMTrace_triggered() { - if (TraceFileBlob && VMCtx) + if ( TraceFileBlob && VMCtx ) { - free(TraceFileBlob); + free( TraceFileBlob ); TraceFileBlob = nullptr; TraceFileHeader = nullptr; TraceEntryList = nullptr; 
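Review bot: The cleanup guard `if ( TraceFileBlob && VMCtx )` ties the two resources together, but they are not created together: InitTraceData allocates `TraceFileBlob` first and only assigns `VMCtx` at its very end, and the `delete VMCtx` that follows this hunk never resets the pointer, so after one successful load followed by a failed reload the next open frees the new blob and deletes the already-deleted context a second time, while a first-load failure simply leaks the blob. Release each resource on its own, `if ( TraceFileBlob ) { free( TraceFileBlob ); TraceFileBlob = nullptr; TraceFileHeader = nullptr; TraceEntryList = nullptr; }` and `if ( VMCtx ) { delete VMCtx; VMCtx = nullptr; }`. `exit( 0 )` in on_actionCloseProgram_triggered skips every destructor and Qt's shutdown; `QApplication::quit()` (or `close()`) is the conventional way out of a slot. on_actionOpen_VMTrace_triggered continues past the end of this hunk.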
@@ -30,158 +29,113 @@ void QVMProfiler::on_actionOpen_VMTrace_triggered() delete VMCtx; } - TraceFilePath = QFileDialog::getOpenFileName(this, - tr("Open Trace"), "C:\\", tr("VMTrace Files (*.vmp2)")); - - if (TraceFilePath.isEmpty()) - { - DbgMessage("Invalid Trace File... No File Selected..."); - return; - } - - if (!std::filesystem::exists(TraceFilePath.toStdString().c_str())) - { - DbgMessage("Trace File Doesnt Exist..."); - return; - } - - VMProtectedFilePath = QFileDialog::getOpenFileName(this, - tr("Open VMProtected File"), "C:\\"); + TraceFilePath = QFileDialog::getOpenFileName( this, tr( "Open Trace" ), "C:\\", tr( "VMTrace Files (*.vmp2)" ) ); - if (VMProtectedFilePath.isEmpty()) + if ( TraceFilePath.isEmpty() ) { - DbgMessage("Invalid VMProtected File... No File Selected..."); + DbgMessage( "Invalid Trace File... No File Selected..." ); return; } - if (!std::filesystem::exists(VMProtectedFilePath.toStdString().c_str())) + if ( !std::filesystem::exists( TraceFilePath.toStdString().c_str() ) ) { - DbgMessage("VMProtected File Doesnt Exist..."); + DbgMessage( "Trace File Doesnt Exist..." ); return; } - bool Success = false; - auto VMEntryRvaStr = QInputDialog::getText(0, "Input", - "VMEntry Relative Virtual Address:", QLineEdit::Normal, "", &Success); + const auto TraceFileSize = std::filesystem::file_size( TraceFilePath.toStdString().c_str() ); - if (!Success || VMEntryRvaStr.isEmpty()) + if ( !TraceFileSize ) { - DbgMessage("Invalid VMEntry Relative Virtual Address..."); + DbgMessage( "Invalid Trace File Size..." ); return; } - auto ImageBaseStr = QInputDialog::getText(0, "Input", - "Image Base:", QLineEdit::Normal, "", &Success); + QFile File( TraceFilePath ); + TraceFileBlob = malloc( TraceFileSize ); + DbgMessage( QString( "Loading Trace File %1..." ).arg( TraceFilePath ) ); - if (!Success || ImageBaseStr.isEmpty()) + if(!File.open( QIODevice::ReadOnly )) { - DbgMessage("Invalid Image Base..."); + DbgMessage( "Failed To Open Trace File..." 
); return; } - VMEntryRva = VMEntryRvaStr.toULongLong(nullptr, 16); - ImageBase = ImageBaseStr.toULongLong(nullptr, 16); + memcpy( TraceFileBlob, File.readAll().data(), TraceFileSize ); - ModuleBase = reinterpret_cast( - LoadLibraryExA(VMProtectedFilePath.toStdString().c_str(), - NULL, DONT_RESOLVE_DLL_REFERENCES)); - - const auto TraceFileSize = - std::filesystem::file_size( - TraceFilePath.toStdString().c_str()); - - if (!TraceFileSize) + if ( !InitTraceData() ) { - DbgMessage("Invalid Trace File Size..."); - return; - } - - DbgMessage(QString("Loading Trace File %1...").arg(TraceFilePath)); - - // could use a QFile for all of this... - const auto FileSize = - std::filesystem::file_size( - TraceFilePath.toStdString().c_str()); - - // could use a QFile for all of this... - TraceFileBlob = malloc(FileSize); - std::ifstream TFile(TraceFilePath.toStdString().c_str(), std::ios::binary); - TFile.read((char*)TraceFileBlob, FileSize); - TFile.close(); - - if (!InitTraceData()) - { - DbgMessage("Failed To Init Trace Data..."); + DbgMessage( "Failed To Init Trace Data..." 
); return; } UpdateUI(); } -void QVMProfiler::DbgPrint(QString DbgOutput) +void QVMProfiler::DbgPrint( QString DbgOutput ) { - ui.DbgOutputWindow->appendPlainText(DbgOutput); + ui.DbgOutputWindow->appendPlainText( DbgOutput ); } -void QVMProfiler::DbgMessage(QString DbgOutput) +void QVMProfiler::DbgMessage( QString DbgOutput ) { QMessageBox MsgBox; - MsgBox.setText(DbgOutput); + MsgBox.setText( DbgOutput ); MsgBox.exec(); - DbgPrint(DbgOutput); + DbgPrint( DbgOutput ); } bool QVMProfiler::InitTraceData() { - TraceFileHeader = - reinterpret_cast(TraceFileBlob); - - TraceEntryList = - reinterpret_cast( - reinterpret_cast( - TraceFileBlob) + TraceFileHeader->entry_offset); + TraceFileHeader = reinterpret_cast< vmp2::v2::file_header * >( TraceFileBlob ); + TraceEntryList = reinterpret_cast< vmp2::v2::entry_t * >( reinterpret_cast< std::uintptr_t >( TraceFileBlob ) + + TraceFileHeader->entry_offset ); const auto TraceMagicBytes = &TraceFileHeader->magic; - if (memcmp(TraceMagicBytes, "VMP2", sizeof "VMP2" - 1) != 0) + if ( memcmp( TraceMagicBytes, "VMP2", sizeof "VMP2" - 1 ) != 0 ) { - DbgMessage("Trace File Magic Bytes Are Invalid...\n"); + DbgMessage( "Trace File Magic Bytes Are Invalid...\n" ); return false; } - DbgPrint("Trace File Magic Bytes Are Valid...."); - if (!vm::util::flatten(VMEntry, VMEntryRva + ModuleBase)) + VMEntryRva = TraceFileHeader->vm_entry_rva; + ImageBase = TraceFileHeader->image_base; + ModuleBase = reinterpret_cast< std::uintptr_t >( TraceFileHeader ) + TraceFileHeader->module_offset; + + DbgPrint( "Trace File Magic Bytes Are Valid...." ); + if ( !vm::util::flatten( VMEntry, VMEntryRva + ModuleBase ) ) { - DbgMessage("Failed To Flatten VMEntry...\n"); + DbgMessage( "Failed To Flatten VMEntry...\n" ); return false; } - vm::util::deobfuscate(VMEntry); - DbgPrint("Flattened VMEntry..."); - DbgPrint("Deobfuscated VMEntry..."); + vm::util::deobfuscate( VMEntry ); + DbgPrint( "Flattened VMEntry..." ); + DbgPrint( "Deobfuscated VMEntry..." 
); - char buffer[256]; + char buffer[ 256 ]; ZydisFormatter formatter; - ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL); + ZydisFormatterInit( &formatter, ZYDIS_FORMATTER_STYLE_INTEL ); - for (auto& Instr : VMEntry) + for ( auto &Instr : VMEntry ) { - ZydisFormatterFormatInstruction(&formatter, &Instr.instr, buffer, sizeof(buffer), - (Instr.addr - TraceFileHeader->module_base) + ImageBase); + ZydisFormatterFormatInstruction( &formatter, &Instr.instr, buffer, sizeof( buffer ), + ( Instr.addr - TraceFileHeader->module_base ) + ImageBase ); - DbgPrint(QString("> %1 %2").arg( - QString::number((Instr.addr - TraceFileHeader->module_base) + ImageBase, 16)).arg(buffer)); + DbgPrint( QString( "> %1 %2" ) + .arg( QString::number( ( Instr.addr - TraceFileHeader->module_base ) + ImageBase, 16 ) ) + .arg( buffer ) ); } - VMHandlerTable = vm::handler::table::get(VMEntry); - if (!vm::handler::get_all(ModuleBase, ImageBase, VMEntry, VMHandlerTable, VMHandlers)) + VMHandlerTable = vm::handler::table::get( VMEntry ); + if ( !vm::handler::get_all( ModuleBase, ImageBase, VMEntry, VMHandlerTable, VMHandlers ) ) { - DbgMessage("Failed To Get All VM Handler Meta Data...\n"); + DbgMessage( "Failed To Get All VM Handler Meta Data...\n" ); return false; } - DbgPrint("Located All VM Handlers..."); - VMCtx = new vm::vmctx_t(TraceFileHeader, - TraceEntryList, VMHandlers, ModuleBase, ImageBase); + DbgPrint( "Located All VM Handlers..." ); + VMCtx = new vm::vmctx_t( TraceFileHeader, TraceEntryList, VMHandlers, ModuleBase, ImageBase ); return true; } 
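Review bot: Every value InitTraceData pulls from the header — `entry_offset`, `entry_count`, `module_offset`, `vm_entry_rva` — comes straight from the .vmp2 the user opened and is turned into a pointer into `TraceFileBlob` with no comparison against the blob's size, so a truncated or crafted trace reads out of bounds as soon as the header (dereferenced for `entry_offset` before the magic check, behind nothing but a non-zero size check) or the entry list is touched. The read path trusts the file the same way: `malloc` is unchecked and `memcpy( TraceFileBlob, File.readAll().data(), TraceFileSize )` copies the earlier `file_size()` value even when `readAll()` returned fewer bytes. I would size the blob from the bytes actually read, keep that size in a member, and have InitTraceData reject any offset that leaves the blob before forming `TraceEntryList` or `ModuleBase`; `vm_entry_rva` should likewise be bounded by the embedded module's extent if the v2 header records one, which is not visible here. The flatten/handler/vmctx_t tail of InitTraceData is unaffected.
```cpp
    QFile File( TraceFilePath );
    if ( !File.open( QIODevice::ReadOnly ) )
    {
        DbgMessage( "Failed To Open Trace File..." );
        return;
    }

    // Size the blob from what was actually read, not from the earlier file_size() call,
    // and remember that size so InitTraceData can bounds-check the header's offsets.
    const QByteArray Contents = File.readAll();
    if ( static_cast< std::size_t >( Contents.size() ) < sizeof( vmp2::v2::file_header ) )
    {
        DbgMessage( "Trace File Too Small..." );
        return;
    }

    TraceFileBlob = malloc( Contents.size() );
    if ( !TraceFileBlob )
    {
        DbgMessage( "Failed To Allocate Trace File Buffer..." );
        return;
    }

    memcpy( TraceFileBlob, Contents.constData(), Contents.size() );
    TraceFileSize = static_cast< std::size_t >( Contents.size() ); // new std::size_t member
    // … unchanged: InitTraceData() / UpdateUI() …
}

bool QVMProfiler::InitTraceData()
{
    TraceFileHeader = reinterpret_cast< vmp2::v2::file_header * >( TraceFileBlob );
    // … unchanged: "VMP2" magic check …

    // Every offset below is file-controlled; reject anything that leaves the blob
    // (entry_count is widened first so the multiplication cannot wrap).
    const auto EntryBytes = static_cast< std::uint64_t >( TraceFileHeader->entry_count ) * sizeof( vmp2::v2::entry_t );
    if ( TraceFileHeader->entry_offset > TraceFileSize || EntryBytes > TraceFileSize - TraceFileHeader->entry_offset ||
         TraceFileHeader->module_offset >= TraceFileSize )
    {
        DbgMessage( "Trace File Offsets Are Out Of Bounds..." );
        return false;
    }

    TraceEntryList = reinterpret_cast< vmp2::v2::entry_t * >( reinterpret_cast< std::uintptr_t >( TraceFileBlob ) +
                                                             TraceFileHeader->entry_offset );
    // … unchanged: VMEntryRva / ImageBase / ModuleBase, flatten, handler table, vmctx_t …
```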
@@ -189,151 +143,136 @@ bool QVMProfiler::InitTraceData() void QVMProfiler::UpdateUI() { ui.VirtualInstructionTree->clear(); - for (auto [VirtInstr, TraceEntry] = VMCtx->step(); TraceEntry && !VirtInstr.empty(); - std::tie(VirtInstr, TraceEntry) = VMCtx->step()) + for ( auto [ VirtInstr, TraceEntry ] = VMCtx->step(); TraceEntry && !VirtInstr.empty(); + std::tie( VirtInstr, TraceEntry ) = VMCtx->step() ) { auto InstructionTraceData = new QTreeWidgetItem(); - InstructionTraceData->setText(0, QString::number((TraceEntry->vip - TraceFileHeader->module_base) + ImageBase, 16)); + InstructionTraceData->setText( + 0, QString::number( ( TraceEntry->vip - TraceFileHeader->module_base ) + ImageBase, 16 ) ); - if (VMHandlers[TraceEntry->handler_idx].imm_size) + if ( VMHandlers[ TraceEntry->handler_idx ].imm_size ) { QString SecondOperandBytes; - auto numByteOperand = VMHandlers[TraceEntry->handler_idx].imm_size / 8; - auto spaceIdx = VirtInstr.find(" ") + 1; - auto ImmValue = QString(VirtInstr.substr( - spaceIdx, VirtInstr.size() - spaceIdx).c_str()).toULongLong(nullptr, 16); + auto numByteOperand = VMHandlers[ TraceEntry->handler_idx ].imm_size / 8; + auto spaceIdx = VirtInstr.find( " " ) + 1; + auto ImmValue = + QString( VirtInstr.substr( spaceIdx, VirtInstr.size() - spaceIdx ).c_str() ).toULongLong( nullptr, 16 ); - for (auto idx = 0u; idx < numByteOperand; ++idx) + for ( auto idx = 0u; idx < numByteOperand; ++idx ) { - SecondOperandBytes.append(QString::number(*( - reinterpret_cast(&ImmValue) + idx), 16)); + SecondOperandBytes.append( + QString::number( *( reinterpret_cast< std::uint8_t * >( &ImmValue ) + idx ), 16 ) ); - SecondOperandBytes.append(" "); + SecondOperandBytes.append( " " ); } - InstructionTraceData->setText(1, QString::number( - TraceEntry->handler_idx, 16).append(" - ").append(SecondOperandBytes)); + InstructionTraceData->setText( + 1, QString::number( TraceEntry->handler_idx, 16 ).append( " - " ).append( SecondOperandBytes ) ); } else { // else we just put 
the first operand byte (vm handler index)... - InstructionTraceData->setText(1, QString::number(TraceEntry->handler_idx, 16)); + InstructionTraceData->setText( 1, QString::number( TraceEntry->handler_idx, 16 ) ); } - InstructionTraceData->setText(2, VirtInstr.c_str()); - ui.VirtualInstructionTree->addTopLevelItem(InstructionTraceData); + InstructionTraceData->setText( 2, VirtInstr.c_str() ); + ui.VirtualInstructionTree->addTopLevelItem( InstructionTraceData ); } - ui.VirtualInstructionTree->topLevelItem(0)->setSelected(true); + ui.VirtualInstructionTree->topLevelItem( 0 )->setSelected( true ); } void QVMProfiler::on_VirtualInstructionTree_itemSelectionChanged() { - auto SelectedItem = ui.VirtualInstructionTree->selectedItems()[0]; - auto VIPAddr = SelectedItem->data(0, 0).toString().toULongLong(nullptr, 16); - vmp2::entry_t* Entry = nullptr; + auto SelectedItem = ui.VirtualInstructionTree->selectedItems()[ 0 ]; + auto VIPAddr = SelectedItem->data( 0, 0 ).toString().toULongLong( nullptr, 16 ); + vmp2::v2::entry_t *Entry = nullptr; - for (auto idx = 0u; idx < TraceFileHeader->entry_count; ++idx) + for ( auto idx = 0u; idx < TraceFileHeader->entry_count; ++idx ) { - if ((TraceEntryList[idx].vip - TraceFileHeader->module_base) + ImageBase == VIPAddr) + if ( ( TraceEntryList[ idx ].vip - TraceFileHeader->module_base ) + ImageBase == VIPAddr ) { - Entry = &TraceEntryList[idx]; + Entry = &TraceEntryList[ idx ]; break; } } - ui.VirtualRegisterTree->topLevelItem(0)->setText(1, - QString::number((Entry->vip - TraceFileHeader->module_base) + ImageBase, 16)); + ui.VirtualRegisterTree->topLevelItem( 0 )->setText( + 1, QString::number( ( Entry->vip - TraceFileHeader->module_base ) + ImageBase, 16 ) ); - ui.VirtualRegisterTree->topLevelItem(1)->setText(1, - QString::number(Entry->regs.rbp, 16)); + ui.VirtualRegisterTree->topLevelItem( 1 )->setText( 1, QString::number( Entry->regs.rbp, 16 ) ); - ui.VirtualRegisterTree->topLevelItem(2)->setText(1, - 
QString::number(Entry->decrypt_key, 16)); + ui.VirtualRegisterTree->topLevelItem( 2 )->setText( 1, QString::number( Entry->decrypt_key, 16 ) ); - for (auto idx = 4; idx < 28; ++idx) - ui.VirtualRegisterTree->topLevelItem(idx)->setText(1, - QString::number(Entry->vregs.qword[idx - 4], 16)); + for ( auto idx = 4; idx < 28; ++idx ) + ui.VirtualRegisterTree->topLevelItem( idx )->setText( 1, QString::number( Entry->vregs.qword[ idx - 4 ], 16 ) ); - for (auto idx = 0u; idx < 15; ++idx) - ui.NativeRegisterTree->topLevelItem(idx)->setText(1, - QString::number(Entry->regs.raw[idx], 16)); + for ( auto idx = 0u; idx < 15; ++idx ) + ui.NativeRegisterTree->topLevelItem( idx )->setText( 1, QString::number( Entry->regs.raw[ idx ], 16 ) ); - ui.NativeRegisterTree->topLevelItem( - 16)->setText(1, QString::number(Entry->regs.rflags, 16)); + ui.NativeRegisterTree->topLevelItem( 16 )->setText( 1, QString::number( Entry->regs.rflags, 16 ) ); rflags flags; flags.flags = Entry->regs.rflags; - ui.NativeRegisterTree->topLevelItem(16)->child(0)->setText( - 1, QString::number(flags.zero_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 0 )->setText( 1, QString::number( flags.zero_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(1)->setText( - 1, QString::number(flags.parity_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 1 )->setText( 1, QString::number( flags.parity_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(2)->setText( - 1, QString::number(flags.auxiliary_carry_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 2 )->setText( 1, QString::number( flags.auxiliary_carry_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(3)->setText( - 1, QString::number(flags.overflow_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 3 )->setText( 1, QString::number( flags.overflow_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(4)->setText( - 1, QString::number(flags.sign_flag)); + ui.NativeRegisterTree->topLevelItem( 16 
)->child( 4 )->setText( 1, QString::number( flags.sign_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(5)->setText( - 1, QString::number(flags.direction_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 5 )->setText( 1, QString::number( flags.direction_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(6)->setText( - 1, QString::number(flags.carry_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 6 )->setText( 1, QString::number( flags.carry_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(7)->setText( - 1, QString::number(flags.trap_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 7 )->setText( 1, QString::number( flags.trap_flag ) ); - ui.NativeRegisterTree->topLevelItem(16)->child(8)->setText( - 1, QString::number(flags.interrupt_enable_flag)); + ui.NativeRegisterTree->topLevelItem( 16 )->child( 8 )->setText( 1, QString::number( flags.interrupt_enable_flag ) ); ui.VirtualStackTree->clear(); - for (auto idx = 0u; idx < sizeof(Entry->vsp) / 8; ++idx) + for ( auto idx = 0u; idx < sizeof( Entry->vsp ) / 8; ++idx ) { auto newEntry = new QTreeWidgetItem(); - newEntry->setText(0, QString::number(Entry->regs.rbp - (idx * 8), 16)); - newEntry->setText(1, QString::number(Entry->vsp.qword[idx], 16)); - ui.VirtualStackTree->addTopLevelItem(newEntry); + newEntry->setText( 0, QString::number( Entry->regs.rbp - ( idx * 8 ), 16 ) ); + newEntry->setText( 1, QString::number( Entry->vsp.qword[ idx ], 16 ) ); + ui.VirtualStackTree->addTopLevelItem( newEntry ); } ui.VMHandlerInstructionsTree->clear(); - auto InstrVec = &VMHandlers[Entry->handler_idx].instrs; + auto InstrVec = &VMHandlers[ Entry->handler_idx ].instrs; - char buffer[256]; + char buffer[ 256 ]; ZydisFormatter formatter; - ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL); + ZydisFormatterInit( &formatter, ZYDIS_FORMATTER_STYLE_INTEL ); - for (auto idx = 0u; idx < InstrVec->size(); ++idx) + for ( auto idx = 0u; idx < InstrVec->size(); ++idx ) { auto 
newEntry = new QTreeWidgetItem(); - newEntry->setText(0, QString::number( - (InstrVec->at(idx).addr - ModuleBase) + ImageBase, 16)); + newEntry->setText( 0, QString::number( ( InstrVec->at( idx ).addr - ModuleBase ) + ImageBase, 16 ) ); - ZydisFormatterFormatInstruction(&formatter, &InstrVec->at(idx).instr, - buffer, sizeof(buffer), (InstrVec->at(idx).addr - ModuleBase) + ImageBase); + ZydisFormatterFormatInstruction( &formatter, &InstrVec->at( idx ).instr, buffer, sizeof( buffer ), + ( InstrVec->at( idx ).addr - ModuleBase ) + ImageBase ); - newEntry->setText(1, buffer); - ui.VMHandlerInstructionsTree->addTopLevelItem(newEntry); + newEntry->setText( 1, buffer ); + ui.VMHandlerInstructionsTree->addTopLevelItem( newEntry ); } ui.VMHandlerTransformationsTree->clear(); - auto HandlerTransforms = &VMHandlers[Entry->handler_idx].transforms; + auto HandlerTransforms = &VMHandlers[ Entry->handler_idx ].transforms; - for (auto [TransformType, TransformInstr] : *HandlerTransforms) + for ( auto [ TransformType, TransformInstr ] : *HandlerTransforms ) { - if (TransformType == vm::transform::type::generic0 && - TransformInstr.mnemonic == ZYDIS_MNEMONIC_INVALID) + if ( TransformType == vm::transform::type::generic0 && TransformInstr.mnemonic == ZYDIS_MNEMONIC_INVALID ) continue; auto newEntry = new QTreeWidgetItem(); - switch (TransformType) + switch ( TransformType ) { case vm::transform::type::rolling_key: { - newEntry->setText(0, "Key Transform"); + newEntry->setText( 0, "Key Transform" ); break; } case vm::transform::type::generic0: 
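Review bot: `TraceEntry->handler_idx` is read from the trace file and used to index `VMHandlers` with unchecked `operator[]` in UpdateUI, and again as `Entry->handler_idx` in the selection slot, so an index the profiler never resolved reads past the vector; guard it with `if ( TraceEntry->handler_idx >= VMHandlers.size() ) break;` before the first `VMHandlers[ ... ]` use and the same check on `Entry` in the slot. The slot also dereferences `Entry` unconditionally although its search loop can leave it `nullptr`, and takes `selectedItems()[ 0 ]` from a list that is empty when the selection is cleared: `const auto Selected = ui.VirtualInstructionTree->selectedItems(); if ( Selected.isEmpty() ) return;` plus `if ( !Entry ) return;` after the loop. `topLevelItem( 0 )->setSelected( true )` at the end of UpdateUI dereferences null for a trace with no steps; `if ( auto *First = ui.VirtualInstructionTree->topLevelItem( 0 ) ) First->setSelected( true );` covers it. on_VirtualInstructionTree_itemSelectionChanged continues past the end of this hunk.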
@@ -341,22 +280,21 @@ void QVMProfiler::on_VirtualInstructionTree_itemSelectionChanged() case vm::transform::type::generic2: case vm::transform::type::generic3: { - newEntry->setText(0, "Generic"); + newEntry->setText( 0, "Generic" ); break; } case vm::transform::type::update_key: { - newEntry->setText(0, "Update Key"); + newEntry->setText( 0, "Update Key" ); break; } default: - throw std::invalid_argument("invalid transformation type..."); + throw std::invalid_argument( "invalid transformation type..." ); } - ZydisFormatterFormatInstruction(&formatter, &TransformInstr, - buffer, sizeof(buffer), NULL); + ZydisFormatterFormatInstruction( &formatter, &TransformInstr, buffer, sizeof( buffer ), NULL ); - newEntry->setText(1, buffer); - ui.VMHandlerTransformationsTree->addTopLevelItem(newEntry); + newEntry->setText( 1, buffer ); + ui.VMHandlerTransformationsTree->addTopLevelItem( newEntry ); } } \ No newline at end of file diff --git a/src/QVMProfiler.h b/src/QVMProfiler.h index 0ab2500..61f7085 100644 --- a/src/QVMProfiler.h +++ b/src/QVMProfiler.h @@ -1,33 +1,33 @@ #pragma once #include +#include #include #include -#include #include #include #include #include +#include "ia32.hpp" #include "ui_QVMProfiler.h" -#include "vmp2.hpp" #include "vmctx.h" -#include "ia32.hpp" +#include "vmp2.hpp" class QVMProfiler : public QMainWindow { Q_OBJECT -public: - QVMProfiler(QWidget *parent = Q_NULLPTR); + public: + QVMProfiler( QWidget *parent = Q_NULLPTR ); -private slots: + private slots: void on_actionOpen_VMTrace_triggered(); void on_actionCloseProgram_triggered(); void on_VirtualInstructionTree_itemSelectionChanged(); -private: - void DbgPrint(QString DbgOutput); - void DbgMessage(QString DbgOutput); + private: + void DbgPrint( QString DbgOutput ); + void DbgMessage( QString DbgOutput ); void UpdateUI(); bool InitTraceData(); 
@@ -36,13 +36,13 @@ private: QString VMProtectedFilePath; std::uint64_t ImageBase, VMEntryRva, ModuleBase; - std::vector VMHandlers; + std::vector< vm::handler::handler_t > VMHandlers; zydis_routine_t VMEntry; - std::uintptr_t* VMHandlerTable; - vm::vmctx_t* VMCtx; + std::uintptr_t *VMHandlerTable; + vm::vmctx_t *VMCtx; - void* TraceFileBlob; - vmp2::file_header* TraceFileHeader; - vmp2::entry_t* TraceEntryList; + void *TraceFileBlob; + vmp2::v2::file_header *TraceFileHeader; + vmp2::v2::entry_t *TraceEntryList; }; diff --git a/src/vmctx.cpp b/src/vmctx.cpp index 4eed1ea..3fae6f1 100644 --- a/src/vmctx.cpp +++ b/src/vmctx.cpp @@ -2,13 +2,13 @@ namespace vm { - vmctx_t::vmctx_t( vmp2::file_header *file_header, vmp2::entry_t *entry_list, + vmctx_t::vmctx_t( vmp2::v2::file_header *file_header, vmp2::v2::entry_t *entry_list, std::vector< vm::handler::handler_t > &vm_handlers, std::uintptr_t module_base, std::uintptr_t image_base ) : module_base( module_base ), image_base( image_base ), entry_list( entry_list ), file_header( file_header ), vm_handlers( vm_handlers ), idx( 0 ) {} - std::pair< std::string, const vmp2::entry_t * > vmctx_t::step() const + std::pair< std::string, const vmp2::v2::entry_t * > vmctx_t::step() const { if ( idx >= file_header->entry_count ) return {}; diff --git a/src/vmctx.h b/src/vmctx.h index 5dca2ab..58cd9b6 100644 --- a/src/vmctx.h +++ b/src/vmctx.h 
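Review bot: `TraceFileBlob` (from `malloc`) and `VMCtx` (from `new`) are owning raw pointers in a class that declares no destructor, so the last loaded trace and context are never released, and the manual free/delete in on_actionOpen_VMTrace_triggered has to keep the two in sync by hand. Owning them as `std::unique_ptr< void, decltype( &std::free ) > TraceFileBlob{ nullptr, &std::free };` and `std::unique_ptr< vm::vmctx_t > VMCtx;` makes reset-on-reload a single assignment, while `TraceFileHeader` and `TraceEntryList` are views into the blob and can stay raw. A `std::size_t TraceFileSize` member beside them would also let InitTraceData bounds-check the header offsets it dereferences. `VMProtectedFilePath` has no writer left after this commit removed the LoadLibraryExA path and can go. The class declaration starts outside this hunk.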
@@ -6,19 +6,19 @@ namespace vm class vmctx_t { public: - explicit vmctx_t( vmp2::file_header *file_header, vmp2::entry_t *entry_list, + explicit vmctx_t( vmp2::v2::file_header *file_header, vmp2::v2::entry_t *entry_list, std::vector< vm::handler::handler_t > &vm_handlers, std::uintptr_t module_base, std::uintptr_t image_base ); - std::pair< std::string, const vmp2::entry_t * > step() const; + std::pair< std::string, const vmp2::v2::entry_t * > step() const; private: std::uintptr_t get_imm( vmp2::exec_type_t exec_type_t, std::uint32_t vip_offset, std::uint8_t imm_size ) const; mutable std::uint32_t idx; const std::uintptr_t image_base, module_base; - const vmp2::entry_t *entry_list; - const vmp2::file_header *file_header; + const vmp2::v2::entry_t *entry_list; + const vmp2::v2::file_header *file_header; std::vector< vm::handler::handler_t > vm_handlers; }; } // namespace vm \ No newline at end of file diff --git a/src/vmprofiler-qt.vcxproj b/src/vmprofiler-qt.vcxproj index 69d425e..b797c36 100644 --- a/src/vmprofiler-qt.vcxproj +++ b/src/vmprofiler-qt.vcxproj @@ -182,10 +182,13 @@ {88a23124-5640-35a0-b890-311d7a67a7d2} - + {d0b6092a-9944-4f24-9486-4b7dae372619} + + + diff --git a/src/vmprofiler-qt.vcxproj.filters b/src/vmprofiler-qt.vcxproj.filters index 117d426..dda7c68 100644 --- a/src/vmprofiler-qt.vcxproj.filters +++ b/src/vmprofiler-qt.vcxproj.filters @@ -259,4 +259,9 @@ Resource Files + + + Resource Files + + \ No newline at end of file diff --git a/vmprofiler-qt.sln b/vmprofiler-qt.sln index ca079c3..d93b0fd 100644 --- a/vmprofiler-qt.sln +++ b/vmprofiler-qt.sln 
@@ -7,7 +7,7 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmprofiler-qt", "src\vmprof EndProject Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Zydis", "dependencies\vmprofiler\dependencies\zydis\msvc\zydis\Zydis.vcxproj", "{88A23124-5640-35A0-B890-311D7A67A7D2}" EndProject -Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmprofiler", "dependencies\vmprofiler\src\vmprofiler.vcxproj", "{D0B6092A-9944-4F24-9486-4B7DAE372619}" +Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vmprofiler", "dependencies\vmprofiler\vmprofiler.vcxproj", "{D0B6092A-9944-4F24-9486-4B7DAE372619}" EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution 
@@ -148,50 +148,50 @@ Global {D0B6092A-9944-4F24-9486-4B7DAE372619}.DBG|x64.ActiveCfg = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.DBG|x64.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.DBG|x86.ActiveCfg = DBG|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x64.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x64.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x64.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug Kernel|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD DLL|x64.ActiveCfg = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD DLL|x64.Build.0 = DBG|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD DLL|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD DLL|x86.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x64.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x86.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x64.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x86.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x64.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x64.Build.0 = Release|x64 - 
{D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x86.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x64.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD DLL|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD DLL|x86.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x64.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x64.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MD|x86.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x64.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x64.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT DLL|x86.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x64.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x64.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug MT|x86.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x64.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x64.Build.0 = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Debug|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release Kernel|x64.ActiveCfg = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release Kernel|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release 
Kernel|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release Kernel|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release Kernel|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release Kernel|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD DLL|x64.ActiveCfg = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD DLL|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD DLL|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD DLL|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD DLL|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD DLL|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD|x64.ActiveCfg = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MD|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT DLL|x64.ActiveCfg = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT DLL|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT DLL|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT DLL|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT DLL|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT DLL|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT|x64.ActiveCfg = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT|x64.Build.0 = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT|x86.ActiveCfg = Release|x64 - {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release 
MT|x86.Build.0 = Release|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT|x86.ActiveCfg = DBG|x64 + {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release MT|x86.Build.0 = DBG|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release|x64.ActiveCfg = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release|x64.Build.0 = Release|x64 {D0B6092A-9944-4F24-9486-4B7DAE372619}.Release|x86.ActiveCfg = Release|x64