#pragma once
#include <cstdint>
#include <vector>

#include <xmmintrin.h>

#include <Zydis/Utils.h>
#include <Zydis/Zydis.h>
// Fixed-width-style unsigned integer aliases used throughout the project.
// NOTE(review): these widths are only guaranteed on the usual x86/x64 ABIs;
// std::uint8_t .. std::uint64_t from <cstdint> would pin them exactly.
using u8 = unsigned char;
using u16 = unsigned short;
using u32 = unsigned int;
using u64 = unsigned long long;
// NOTE(review): __m128 is the four-float SSE vector type. If u128 is meant as a
// 128-bit integer lane (e.g. XMM register contents), __m128i from <emmintrin.h>
// is the integer counterpart — confirm the intended use at the call sites.
using u128 = __m128;

// Shorthands for the Zydis decoder types this header builds on.
using zydis_decoded_instr_t = ZydisDecodedInstruction;
using zydis_register_t = ZydisRegister;
// One decoded instruction of a routine, kept together with the bytes it was
// built from and the address it belongs to.
struct zydis_instr_t
{
    zydis_decoded_instr_t instr; // Zydis decode result for this instruction.
    std::vector<u8> raw;         // presumably the encoded instruction bytes — confirm against the decoder.
    std::uintptr_t addr;         // address associated with the instruction (not initialised here).
};
// A routine as a sequence of decoded instructions.
using zydis_routine_t = std::vector<zydis_instr_t>;
namespace vm
{
    namespace util
    {
        namespace reg
        {
            // converts say... AL to RAX...
            // Maps a (sub-)register to its 64-bit general-purpose counterpart.
            zydis_register_t to64(zydis_register_t reg);

            // NOTE(review): the declaration alone does not say whether this is a
            // plain equality test or whether it also treats aliases of the same
            // architectural register (e.g. AL vs RAX) as equal — confirm in the
            // definition and document the contract here.
            bool compare(zydis_register_t a, zydis_register_t b);
        }

        // Presumably prints every instruction of the routine.
        // NOTE(review): takes a non-const reference; if printing does not modify
        // the routine, `const zydis_routine_t&` would document that (interface
        // change — check callers).
        void print(zydis_routine_t& routine);

        // Presumably prints a single decoded instruction.
        void print(const zydis_decoded_instr_t& instr);

        // By its name, returns true when the decoded instruction is a jmp —
        // confirm in the definition which jmp forms are covered.
        bool is_jmp(const zydis_decoded_instr_t& instr);

        // Fills `routine` starting from `routine_addr`; `keep_jmps` controls whether
        // jmp instructions are kept in the result. The bool return is not documented
        // here — presumably success/failure; TODO confirm in the definition.
        // NOTE(review): decoding from an address means reading untrusted bytes; the
        // definition should bound reads to the mapped image and guard against cycles
        // in the followed control flow (not visible from this header).
        bool flatten(zydis_routine_t& routine, std::uintptr_t routine_addr, bool keep_jmps = false);

        // Presumably rewrites `routine` in place to remove obfuscation — confirm
        // which transformations the definition applies.
        void deobfuscate(zydis_routine_t& routine);
    }
}