diff --git a/CMakeLists.txt b/CMakeLists.txt
index f5eba26..de75d2c 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -59,6 +59,7 @@ list(APPEND vmprofiler_SOURCES
"src/vmprofiles/nand.cpp"
"src/vmprofiles/popvsp.cpp"
"src/vmprofiles/pushvsp.cpp"
+ "src/vmprofiles/rdtsc.cpp"
"src/vmprofiles/read.cpp"
"src/vmprofiles/readcr3.cpp"
"src/vmprofiles/readcr8.cpp"
@@ -69,6 +70,7 @@ list(APPEND vmprofiler_SOURCES
"src/vmprofiles/sreg.cpp"
"src/vmprofiles/vmexit.cpp"
"src/vmprofiles/write.cpp"
+ "src/vmprofiles/writecr3.cpp"
"src/vmutils.cpp"
"include/calc_jmp.hpp"
"include/scn.hpp"
diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp
index 1bf33ca..813cbb2 100644
--- a/include/vmprofiles.hpp
+++ b/include/vmprofiles.hpp
@@ -13,6 +13,7 @@ namespace vm::handler
{
INVALID,
LFLAGSQ,
+ RDTSC,
MULQ,
MULDW,
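Review bot: `RDTSC` is inserted in the middle of the enumerator list, between `LFLAGSQ` and `MULQ`, and the visible enumerators carry no explicit values, so every enumerator after it is renumbered. If these values are ever written to disk, logged, or compared across builds of the tool, appending `RDTSC` at the end of the enum (or giving the enumerators explicit values) keeps the existing numbers stable. The enum's declaration starts and ends outside this hunk, so whether the values are persisted anywhere cannot be seen from here.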
@@ -188,6 +189,7 @@ namespace vm::handler
extern vm::handler::profile_t shlq;
extern vm::handler::profile_t shldw;
extern vm::handler::profile_t shlw;
+ extern vm::handler::profile_t shlb;
extern vm::handler::profile_t shldq;
extern vm::handler::profile_t shlddw;
@@ -211,6 +213,7 @@ namespace vm::handler
extern vm::handler::profile_t shrq;
extern vm::handler::profile_t shrdw;
extern vm::handler::profile_t shrw;
+ extern vm::handler::profile_t shrb;
extern vm::handler::profile_t shrdq;
extern vm::handler::profile_t shrddw;
@@ -222,32 +225,41 @@ namespace vm::handler
extern vm::handler::profile_t call;
extern vm::handler::profile_t mulq;
+ extern vm::handler::profile_t muldw;
+
extern vm::handler::profile_t imulq;
extern vm::handler::profile_t imuldw;
extern vm::handler::profile_t readcr8;
+ extern vm::handler::profile_t readcr3;
+ extern vm::handler::profile_t writecr3;
+
extern vm::handler::profile_t divq;
+ extern vm::handler::profile_t divdw;
+
extern vm::handler::profile_t idivdw;
extern vm::handler::profile_t jmp;
extern vm::handler::profile_t popvsp;
+ extern vm::handler::profile_t rdtsc;
extern vm::handler::profile_t vmexit;
///
/// a vector of pointers to all defined vm handler profiles...
///
inline std::vector< vm::handler::profile_t * > all = {
- &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw,
- &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq,
- &adddw, &addw, &addb, &popvsp,
+ &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq,
+ &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw,
+ &lconstw, &addq, &adddw, &addw, &addb, &popvsp,
- &shlq, &shldw, &shlw, &writeq, &writedw, &writew, &writeb, &nandq,
- &nanddw, &nandw, &nandb,
+ &shlq, &shldw, &shlw, &shlb, &writeq, &writedw, &writew,
+ &writeb, &nandq, &nanddw, &nandw, &nandb,
- &shlddw, &shldq,
+ &shlddw, &shldq,
- &shrq, &shrdw, &shrw, &shrdq, &shrddw, &readgsq, &readq, &readdw,
- &readw, &readb, &mulq, &imulq, &imuldw, &pushvsp, &pushvspdw, &readcr8,
- &divq, &idivdw, &jmp, &lflagsq, &vmexit, &call };
+ &shrq, &shrdw, &shrw, &shrb, &shrdq, &shrddw, &readgsq,
+ &readq, &readdw, &readw, &readb, &mulq, &muldw, &imulq,
+ &imuldw, &pushvsp, &pushvspdw, &readcr8, &readcr3, &writecr3, &divq,
+ &divdw, &idivdw, &jmp, &lflagsq, &vmexit, &call, &rdtsc };
} // namespace profile
} // namespace vm::handler
\ No newline at end of file
diff --git a/src/vmprofiles/div.cpp b/src/vmprofiles/div.cpp
index d015824..0ea1184 100644
--- a/src/vmprofiles/div.cpp
+++ b/src/vmprofiles/div.cpp
@@ -57,4 +57,60 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
+
+ vm::handler::profile_t divdw = {
+ // MOV EDX, [RBP]
+ // MOV EAX, [RBP+0x4]
+ // DIV [RBP+0xC]
+ // MOV [RBP+0x8], EDX
+ // MOV [RBP+0xC], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "DIVDW",
+ DIVDW,
+ NULL,
+ { { // MOV EDX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV EAX, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
+ },
+ // DIV [RBP+0xC]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_DIV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.disp.value == 0xC;
+ },
+ // MOV [RBP+0x8], EDX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX;
+ },
+ // MOV [RBP+0xC], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0xC &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
} // namespace vm::handler::profile
\ No newline at end of file
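Review bot: The documented DIVDW sequence appears to be missing a stack adjustment: the operands are read from `[RBP]` and `[RBP+0x4]`, yet the divisor is taken from `[RBP+0xC]` and the results are stored at `[RBP+0x8]` and `[RBP+0xC]`, which only lines up if RBP moves by 4 between the loads and the `DIV`. If the real handler contains that step (the `muldw` profile in this commit lists its `SUB RBP, 0x8`), add `// SUB RBP, 0x4` to the header comment and consider a matching predicate so the signature is as specific as its siblings. As written, the profile is told apart from other handlers mainly by the `DIV` mnemonic and the 32-bit registers, which leaves more room for misclassifying a handler than the comment suggests.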
diff --git a/src/vmprofiles/mul.cpp b/src/vmprofiles/mul.cpp
index f5ebaa1..2dfa95b 100644
--- a/src/vmprofiles/mul.cpp
+++ b/src/vmprofiles/mul.cpp
@@ -58,4 +58,70 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
+
+ vm::handler::profile_t muldw = {
+ // MOV EDX, [RBP]
+ // MOV EAX, [RBP+0x4]
+ // SUB RBP, 0x8
+ // MUL EDX
+ // MOV [RBP+0x8], EDX
+ // MOV [RBP+0xC], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "MULDW",
+ MULDW,
+ NULL,
+ { { // MOV EDX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV EAX, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
+ },
+ // SUB RBP, 0x8
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x8;
+ },
+ // MUL EDX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MUL &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX;
+ },
+ // MOV [RBP+0x8], EDX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX;
+ },
+ // MOV [RBP+0xC], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0xC &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
} // namespace vm::handler::profile
\ No newline at end of file
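Review bot: The predicates for `PUSHFQ`, `POP [RBP]`, `SUB RBP, imm` and the `MOV [RBP+disp], reg` stores are written out again here and in the div.cpp, shl.cpp, shr.cpp, rdtsc.cpp, readcr3.cpp and writecr3.cpp hunks, differing only in a register or a constant. Small shared helpers, for example `bool store_to_rbp( const zydis_decoded_instr_t &instr, ZydisRegister src, std::int64_t disp )`, would let each signature read as a short list of calls and would remove the room for a comment and its predicate to drift apart. If the signature entries have to stay capture-less callables, each entry can remain a one-line lambda that forwards to the helper.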
diff --git a/src/vmprofiles/rdtsc.cpp b/src/vmprofiles/rdtsc.cpp
new file mode 100644
index 0000000..ce51830
--- /dev/null
+++ b/src/vmprofiles/rdtsc.cpp
@@ -0,0 +1,38 @@
+#include
+
+namespace vm::handler::profile
+{
+ vm::handler::profile_t rdtsc = {
+ // RDTSC
+ // SUB RBP, 0x8
+ // MOV [RBP], EDX
+ // MOV [RBP+0x4], EAX
+ "RDTSC",
+ RDTSC,
+ NULL,
+ { { // RDTSC
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_RDTSC; },
+ // SUB RBP, 0x8
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x8;
+ },
+ // MOV [RBP], EDX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX;
+ },
+ // MOV [RBP+0x4], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x4 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ } } } };
+}
\ No newline at end of file
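Review bot: The closing brace of this new file is a bare `}`, while the same commit changes readcr8.cpp to `} // namespace vm::handler::profile` and the other new files use that form; use it here too. The file also ends without a trailing newline, as do readcr3.cpp and writecr3.cpp, which some toolchains warn about.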
diff --git a/src/vmprofiles/readcr3.cpp b/src/vmprofiles/readcr3.cpp
index e69de29..609ee92 100644
--- a/src/vmprofiles/readcr3.cpp
+++ b/src/vmprofiles/readcr3.cpp
@@ -0,0 +1,35 @@
+#include
+
+namespace vm::handler::profile
+{
+ vm::handler::profile_t readcr3 = {
+ // MOV RAX, CR3
+ // SUB RBP, 0x8
+ // MOV [RBP], RAX
+ "READCR3",
+ READCR3,
+ NULL,
+ { { // MOV RAX, CR3
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CR3;
+ },
+ // SUB RBP, 0x8
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x8;
+ },
+ // MOV [RBP], RAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
+ } } } };
+} // namespace vm::handler::profile
\ No newline at end of file
diff --git a/src/vmprofiles/readcr8.cpp b/src/vmprofiles/readcr8.cpp
index 76e5ab4..4853592 100644
--- a/src/vmprofiles/readcr8.cpp
+++ b/src/vmprofiles/readcr8.cpp
@@ -32,4 +32,4 @@ namespace vm::handler::profile
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
} } } };
-}
\ No newline at end of file
+} // namespace vm::handler::profile
\ No newline at end of file
diff --git a/src/vmprofiles/shl.cpp b/src/vmprofiles/shl.cpp
index 25bf0ea..a9fdbfb 100644
--- a/src/vmprofiles/shl.cpp
+++ b/src/vmprofiles/shl.cpp
@@ -124,14 +124,14 @@ namespace vm::handler::profile
// MOV AX, [RBP]
// MOV CL, [RBP+0x2]
// SUB RBP, 0x6
- // SHL EAX, CL
+ // SHL AX, CL
// MOV [RBP+0x8], EAX
// PUSHFQ
// POP [RBP]
"SHLW",
SHLW,
NULL,
- { { // MOV EAX, [RBP]
+ { { // MOV AX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
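Review bot: The SHLW listing is only half corrected: the comments now read `SHL AX, CL` and `MOV AX, [RBP]`, but the store line just below the shift still says `MOV [RBP+0x8], EAX`. If the handler stores the 16-bit result, that line should read `// MOV [RBP+0x8], AX`. The predicate that checks the store lies outside this hunk, so confirm which register it compares against before changing the comment; the first lambda is also cut off at the end of the hunk.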
@@ -178,4 +178,63 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
+
+ vm::handler::profile_t shlb = {
+ // MOV AL, [RBP]
+ // MOV CL, [RBP+0x2]
+ // SUB RBP, 0x6
+ // SHL AL, CL
+ // MOV [RBP+0x8], AX
+ // PUSHFQ
+ // POP [RBP]
+ "SHLB",
+ SHLB,
+ NULL,
+ { { // MOV AL, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV CL, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x2;
+ },
+ // SUB RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // SHL AL, CL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHL &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
} // namespace vm::handler::profile
\ No newline at end of file
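Review bot: The comment above the second `shlb` predicate says `// MOV CL, [RBP+0x4]`, but the predicate checks `mem.disp.value == 0x2` and the listing at the top of the profile says `MOV CL, [RBP+0x2]`; change the comment to `// MOV CL, [RBP+0x2]`. The `shrb` profile added in shr.cpp carries the correct comment, so this looks like a copy-paste slip. A wrong offset in the comment matters here because these comments are the only description of what each signature entry is meant to match.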
diff --git a/src/vmprofiles/shr.cpp b/src/vmprofiles/shr.cpp
index fbcc898..bb1e8a1 100644
--- a/src/vmprofiles/shr.cpp
+++ b/src/vmprofiles/shr.cpp
@@ -178,4 +178,63 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
+
+ vm::handler::profile_t shrb = {
+ // MOV AL, [RBP]
+ // MOV CL, [RBP+0x2]
+ // SUB RBP, 0x6
+ // SHR AL, CL
+ // MOV [RBP+0x8], AX
+ // PUSHFQ
+ // POP [RBP]
+ "SHRB",
+ SHRB,
+ NULL,
+ { { // MOV AL, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV CL, [RBP+0x2]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x2;
+ },
+ // SUB RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // SHR AL, CL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHR &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
} // namespace vm::handler::profile
\ No newline at end of file
diff --git a/src/vmprofiles/writecr3.cpp b/src/vmprofiles/writecr3.cpp
new file mode 100644
index 0000000..8fc9315
--- /dev/null
+++ b/src/vmprofiles/writecr3.cpp
@@ -0,0 +1,36 @@
+#include
+
+namespace vm::handler::profile
+{
+ vm::handler::profile_t writecr3 = {
+ // MOV RAX, [RBP]
+ // ADD RBP, 0x8
+ // MOV CR3, RAX
+ "WRITECR3",
+ WRITECR3,
+ NULL,
+ { { // MOV RAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // ADD RBP, 0x8
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x8;
+ },
+ // MOV CR3, RAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CR3 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
+ } } } };
+} // namespace vm::handler::profile
\ No newline at end of file