<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.9.1"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>VMProfiler: vm::util Namespace Reference</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
<tbody>
<tr style="height: 56px;">
<td id="projectlogo"><img alt="Logo" src="icon.png"/></td>
<td id="projectalign" style="padding-left: 0.5em;">
<div id="projectname">VMProfiler
&#160;<span id="projectnumber">v1.8</span>
</div>
<div id="projectbrief">vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.</div>
</td>
</tr>
</tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.9.1 -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
/* Global search-widget instance. The inline onmouseover/onmouseout/onkeydown
   handlers on #MSearchSelectWindow further down this page call methods on
   it by this exact name, so it must remain a top-level `var` binding. */
var searchBox = new SearchBox("searchBox", "search",false,'Search','.html');
/* @license-end */
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(function onDocumentReady() {
  // Build the top navigation menu. The 'search.php' argument looks like a
  // server-side search endpoint handed to the menu code; this page loads the
  // client-side search/searchdata.js, so which path is actually used is for
  // menu.js to decide — confirm there before relying on either.
  initMenu('', true, false, 'search.php', 'Search');

  // The search index is initialised only once the DOM is ready.
  $(document).ready(function onSearchReady() {
    init_search();
  });
});
/* @license-end */</script>
<div id="main-nav"></div>
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
onmouseover="return searchBox.OnSearchSelectShow()"
onmouseout="return searchBox.OnSearchSelectHide()"
onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>
<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0"
name="MSearchResults" id="MSearchResults">
</iframe>
</div>
<div id="nav-path" class="navpath">
<ul>
<li class="navelem"><a class="el" href="namespacevm.html">vm</a></li><li class="navelem"><a class="el" href="namespacevm_1_1util.html">util</a></li> </ul>
</div>
</div><!-- top -->
<div class="header">
<div class="summary">
<a href="#namespaces">Namespaces</a> &#124;
<a href="#func-members">Functions</a> </div>
<div class="headertitle">
<div class="title">vm::util Namespace Reference</div> </div>
</div><!--header-->
<div class="contents">
<p>utils used by the other cpp files... misc things that get used a lot...
<a href="namespacevm_1_1util.html#details">More...</a></p>
<table class="memberdecls">
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="namespaces"></a>
Namespaces</h2></td></tr>
<tr class="memitem:namespacevm_1_1util_1_1reg"><td class="memItemLeft" align="right" valign="top"> &#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util_1_1reg.html">reg</a></td></tr>
<tr class="memdesc:namespacevm_1_1util_1_1reg"><td class="mdescLeft">&#160;</td><td class="mdescRight">utils pertaining to native registers... <br /></td></tr>
<tr class="separator:"><td class="memSeparator" colspan="2">&#160;</td></tr>
</table><table class="memberdecls">
<tr class="heading"><td colspan="2"><h2 class="groupheader"><a name="func-members"></a>
Functions</h2></td></tr>
<tr class="memitem:a6ef2ebfb858878e2e06d3c96ef5b275b"><td class="memItemLeft" align="right" valign="top">bool&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#a6ef2ebfb858878e2e06d3c96ef5b275b">get_fetch_operand</a> (const <a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;routine, <a class="el" href="structzydis__instr__t.html">zydis_instr_t</a> &amp;fetch_instr)</td></tr>
<tr class="memdesc:a6ef2ebfb858878e2e06d3c96ef5b275b"><td class="mdescLeft">&#160;</td><td class="mdescRight">get the instruction that fetches an operand out of VIP... <a href="namespacevm_1_1util.html#a6ef2ebfb858878e2e06d3c96ef5b275b">More...</a><br /></td></tr>
<tr class="separator:a6ef2ebfb858878e2e06d3c96ef5b275b"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:ae2d46e089059f00dc56790216c5cc234"><td class="memItemLeft" align="right" valign="top">std::optional&lt; zydis_routine_t::iterator &gt;&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#ae2d46e089059f00dc56790216c5cc234">get_fetch_operand</a> (<a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;routine)</td></tr>
<tr class="memdesc:ae2d46e089059f00dc56790216c5cc234"><td class="mdescLeft">&#160;</td><td class="mdescRight">gets the instruction that fetches an operand out of VIP and returns an iterator to it... <a href="namespacevm_1_1util.html#ae2d46e089059f00dc56790216c5cc234">More...</a><br /></td></tr>
<tr class="separator:ae2d46e089059f00dc56790216c5cc234"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:abcfe75a7d22f907a6187579373679204"><td class="memItemLeft" align="right" valign="top">void&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#abcfe75a7d22f907a6187579373679204">print</a> (<a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;routine)</td></tr>
<tr class="memdesc:abcfe75a7d22f907a6187579373679204"><td class="mdescLeft">&#160;</td><td class="mdescRight">prints a disassembly view of a routine... <a href="namespacevm_1_1util.html#abcfe75a7d22f907a6187579373679204">More...</a><br /></td></tr>
<tr class="separator:abcfe75a7d22f907a6187579373679204"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a9e29bef639bd3c9f94669b0acdc8f2b0"><td class="memItemLeft" align="right" valign="top">void&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#a9e29bef639bd3c9f94669b0acdc8f2b0">print</a> (const <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> &amp;instr)</td></tr>
<tr class="memdesc:a9e29bef639bd3c9f94669b0acdc8f2b0"><td class="mdescLeft">&#160;</td><td class="mdescRight">prints a single disassembly view of an instruction... <a href="namespacevm_1_1util.html#a9e29bef639bd3c9f94669b0acdc8f2b0">More...</a><br /></td></tr>
<tr class="separator:a9e29bef639bd3c9f94669b0acdc8f2b0"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a3bb957b17b2bd94bb66c94b2407799c8"><td class="memItemLeft" align="right" valign="top">bool&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#a3bb957b17b2bd94bb66c94b2407799c8">is_jmp</a> (const <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> &amp;instr)</td></tr>
<tr class="memdesc:a3bb957b17b2bd94bb66c94b2407799c8"><td class="mdescLeft">&#160;</td><td class="mdescRight">determines if a given decoded native instruction is a JCC... <a href="namespacevm_1_1util.html#a3bb957b17b2bd94bb66c94b2407799c8">More...</a><br /></td></tr>
<tr class="separator:a3bb957b17b2bd94bb66c94b2407799c8"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:a86a98ad0643716aef1ef80b3cd58d0e9"><td class="memItemLeft" align="right" valign="top">bool&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#a86a98ad0643716aef1ef80b3cd58d0e9">flatten</a> (<a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;routine, std::uintptr_t routine_addr, bool keep_jmps=false)</td></tr>
<tr class="memdesc:a86a98ad0643716aef1ef80b3cd58d0e9"><td class="mdescLeft">&#160;</td><td class="mdescRight">flatten native instruction stream, takes every JCC (follows the branch)... <a href="namespacevm_1_1util.html#a86a98ad0643716aef1ef80b3cd58d0e9">More...</a><br /></td></tr>
<tr class="separator:a86a98ad0643716aef1ef80b3cd58d0e9"><td class="memSeparator" colspan="2">&#160;</td></tr>
<tr class="memitem:afb0bd6aeba990fd37a612d6d318cebb5"><td class="memItemLeft" align="right" valign="top">void&#160;</td><td class="memItemRight" valign="bottom"><a class="el" href="namespacevm_1_1util.html#afb0bd6aeba990fd37a612d6d318cebb5">deobfuscate</a> (<a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;routine)</td></tr>
<tr class="memdesc:afb0bd6aeba990fd37a612d6d318cebb5"><td class="mdescLeft">&#160;</td><td class="mdescRight">deadstore deobfuscation of a flattened routine... <a href="namespacevm_1_1util.html#afb0bd6aeba990fd37a612d6d318cebb5">More...</a><br /></td></tr>
<tr class="separator:afb0bd6aeba990fd37a612d6d318cebb5"><td class="memSeparator" colspan="2">&#160;</td></tr>
</table>
<a name="details" id="details"></a><h2 class="groupheader">Detailed Description</h2>
<div class="textblock"><p>utils used by the other cpp files... misc things that get used a lot... </p>
</div><h2 class="groupheader">Function Documentation</h2>
<a id="afb0bd6aeba990fd37a612d6d318cebb5"></a>
<h2 class="memtitle"><span class="permalink"><a href="#afb0bd6aeba990fd37a612d6d318cebb5">&#9670;&nbsp;</a></span>deobfuscate()</h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">void vm::util::deobfuscate </td>
<td>(</td>
<td class="paramtype"><a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;&#160;</td>
<td class="paramname"><em>routine</em></td><td>)</td>
<td></td>
</tr>
</table>
</div><div class="memdoc">
<p>deadstore deobfuscation of a flattened routine... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">routine</td><td>reference to a flattened instruction vector...</td></tr>
</table>
</dd>
</dl>
</div>
</div>
<a id="a86a98ad0643716aef1ef80b3cd58d0e9"></a>
<h2 class="memtitle"><span class="permalink"><a href="#a86a98ad0643716aef1ef80b3cd58d0e9">&#9670;&nbsp;</a></span>flatten()</h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">bool vm::util::flatten </td>
<td>(</td>
<td class="paramtype"><a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;&#160;</td>
<td class="paramname"><em>routine</em>, </td>
</tr>
<tr>
<td class="paramkey"></td>
<td></td>
<td class="paramtype">std::uintptr_t&#160;</td>
<td class="paramname"><em>routine_addr</em>, </td>
</tr>
<tr>
<td class="paramkey"></td>
<td></td>
<td class="paramtype">bool&#160;</td>
<td class="paramname"><em>keep_jmps</em> = <code>false</code>&#160;</td>
</tr>
<tr>
<td></td>
<td>)</td>
<td></td><td></td>
</tr>
</table>
</div><div class="memdoc">
<p>flatten native instruction stream, takes every JCC (follows the branch)... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">routine</td><td>filled with decoded instructions...</td></tr>
<tr><td class="paramname">routine_addr</td><td>linear virtual address to start flattening from...</td></tr>
<tr><td class="paramname">keep_jmps</td><td>keep JCCs in the flattened instruction stream...</td></tr>
</table>
</dd>
</dl>
<dl class="section return"><dt>Returns</dt><dd>returns true if flattening was successful...</dd></dl>
</div>
</div>
<a id="a6ef2ebfb858878e2e06d3c96ef5b275b"></a>
<h2 class="memtitle"><span class="permalink"><a href="#a6ef2ebfb858878e2e06d3c96ef5b275b">&#9670;&nbsp;</a></span>get_fetch_operand() <span class="overload">[1/2]</span></h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">bool vm::util::get_fetch_operand </td>
<td>(</td>
<td class="paramtype">const <a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;&#160;</td>
<td class="paramname"><em>routine</em>, </td>
</tr>
<tr>
<td class="paramkey"></td>
<td></td>
<td class="paramtype"><a class="el" href="structzydis__instr__t.html">zydis_instr_t</a> &amp;&#160;</td>
<td class="paramname"><em>fetch_instr</em>&#160;</td>
</tr>
<tr>
<td></td>
<td>)</td>
<td></td><td></td>
</tr>
</table>
</div><div class="memdoc">
<p>get the instruction that fetches an operand out of VIP... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">routine</td><td>this is a deobfuscated, flattened, view of any set of native instructions that read an operand out of VIP... can be <a class="el" href="namespacevm_1_1calc__jmp.html">calc_jmp</a>, vm_entry, or vm handlers...</td></tr>
<tr><td class="paramname">fetch_instr</td><td>out-parameter: receives the native instruction that fetches the operand, when one is found...</td></tr>
</table>
</dd>
</dl>
<dl class="section return"><dt>Returns</dt><dd>returns true if the fetch operand native instruction is found...</dd></dl>
</div>
</div>
<a id="ae2d46e089059f00dc56790216c5cc234"></a>
<h2 class="memtitle"><span class="permalink"><a href="#ae2d46e089059f00dc56790216c5cc234">&#9670;&nbsp;</a></span>get_fetch_operand() <span class="overload">[2/2]</span></h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">std::optional&lt; zydis_routine_t::iterator &gt; vm::util::get_fetch_operand </td>
<td>(</td>
<td class="paramtype"><a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;&#160;</td>
<td class="paramname"><em>routine</em></td><td>)</td>
<td></td>
</tr>
</table>
</div><div class="memdoc">
<p>gets the instruction that fetches an operand out of VIP and returns an iterator to it... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">routine</td><td>this is a deobfuscated, flattened, view of any set of native instructions that read an operand out of VIP... can be <a class="el" href="namespacevm_1_1calc__jmp.html">calc_jmp</a>, vm_entry, or vm handlers...</td></tr>
</table>
</dd>
</dl>
<dl class="section return"><dt>Returns</dt><dd>returns the iterator of the native instruction, else an empty std::optional...</dd></dl>
</div>
</div>
<a id="a3bb957b17b2bd94bb66c94b2407799c8"></a>
<h2 class="memtitle"><span class="permalink"><a href="#a3bb957b17b2bd94bb66c94b2407799c8">&#9670;&nbsp;</a></span>is_jmp()</h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">bool vm::util::is_jmp </td>
<td>(</td>
<td class="paramtype">const <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> &amp;&#160;</td>
<td class="paramname"><em>instr</em></td><td>)</td>
<td></td>
</tr>
</table>
</div><div class="memdoc">
<p>determines if a given decoded native instruction is a JCC... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">instr</td><td>decoded native instruction to check...</td></tr>
</table>
</dd>
</dl>
<dl class="section return"><dt>Returns</dt><dd>returns true if the instruction is a JCC...</dd></dl>
</div>
</div>
<a id="a9e29bef639bd3c9f94669b0acdc8f2b0"></a>
<h2 class="memtitle"><span class="permalink"><a href="#a9e29bef639bd3c9f94669b0acdc8f2b0">&#9670;&nbsp;</a></span>print() <span class="overload">[1/2]</span></h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">void vm::util::print </td>
<td>(</td>
<td class="paramtype">const <a class="el" href="vmutils_8hpp.html#ad180fbf8cef52662febedec0f54b6188">zydis_decoded_instr_t</a> &amp;&#160;</td>
<td class="paramname"><em>instr</em></td><td>)</td>
<td></td>
</tr>
</table>
</div><div class="memdoc">
<p>prints a single disassembly view of an instruction... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">instr</td><td>instruction to print...</td></tr>
</table>
</dd>
</dl>
</div>
</div>
<a id="abcfe75a7d22f907a6187579373679204"></a>
<h2 class="memtitle"><span class="permalink"><a href="#abcfe75a7d22f907a6187579373679204">&#9670;&nbsp;</a></span>print() <span class="overload">[2/2]</span></h2>
<div class="memitem">
<div class="memproto">
<table class="memname">
<tr>
<td class="memname">void vm::util::print </td>
<td>(</td>
<td class="paramtype"><a class="el" href="vmutils_8hpp.html#a5fdde6e9d3e6c6eca28ecadf2e837d3c">zydis_routine_t</a> &amp;&#160;</td>
<td class="paramname"><em>routine</em></td><td>)</td>
<td></td>
</tr>
</table>
</div><div class="memdoc">
<p>prints a disassembly view of a routine... </p>
<dl class="params"><dt>Parameters</dt><dd>
<table class="params">
<tr><td class="paramname">routine</td><td>reference to a zydis_routine_t to be printed...</td></tr>
</table>
</dd>
</dl>
</div>
</div>
</div><!-- contents -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated by&#160;<a href="https://www.doxygen.org/index.html"><img class="footer" src="doxygen.svg" width="104" height="31" alt="doxygen"/></a> 1.9.1
</small></address>
</body>
</html>