parent
099a7e9c58
commit
08635457a7
@ -1,20 +1,47 @@
|
||||
#pragma once
|
||||
#include <transform.hpp>
|
||||
#include <vmp2.hpp>
|
||||
#include <vmhandlers.hpp>
|
||||
#include <vmp2.hpp>
|
||||
|
||||
namespace vm
|
||||
{
|
||||
/// <summary>
|
||||
/// vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information...
|
||||
/// creating a vm::ctx_t object can make it easier to pass around information pertaining to a given vm entry...
|
||||
/// </summary>
|
||||
class ctx_t
|
||||
{
|
||||
public:
|
||||
/// <summary>
|
||||
/// default constructor for vm::ctx_t... all information for a given vm entry must be provided...
|
||||
/// </summary>
|
||||
/// <param name="module_base">the linear virtual address of the module base...</param>
|
||||
/// <param name="image_base">image base from optional nt header... <a
|
||||
/// href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header64">IMAGE_OPTIONAL_HEADER64</a>...</param>
|
||||
/// <param name="image_size">image size from optional nt header... <a
|
||||
/// href="https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-image_optional_header64">IMAGE_OPTIONAL_HEADER64</a>...</param>
|
||||
/// <param name="vm_entry_rva">relative virtual address from the module base address to the first push prior to
|
||||
/// a vm entry...</param>
|
||||
explicit ctx_t( std::uintptr_t module_base, std::uintptr_t image_base, std::uintptr_t image_size,
|
||||
std::uintptr_t vm_entry_rva );
|
||||
|
||||
/// <summary>
|
||||
/// init all per-vm entry data such as vm_entry, calc_jmp, and vm handlers...
|
||||
/// </summary>
|
||||
/// <returns>returns true if no errors...</returns>
|
||||
bool init();
|
||||
|
||||
const std::uintptr_t module_base, image_base, vm_entry_rva, image_size;
|
||||
|
||||
/// <summary>
|
||||
/// the order in which VIP advances...
|
||||
/// </summary>
|
||||
vmp2::exec_type_t exec_type;
|
||||
zydis_routine_t vm_entry, calc_jmp;
|
||||
|
||||
/// <summary>
|
||||
/// all the vm handlers for the given vm entry...
|
||||
/// </summary>
|
||||
std::vector< vm::handler::handler_t > vm_handlers;
|
||||
};
|
||||
} // namespace vm
|
@ -1,138 +1,175 @@
|
||||
#pragma once
|
||||
#include <transform.hpp>
|
||||
|
||||
namespace vm
|
||||
/// <summary>
|
||||
/// contains all information pertaining to vm handler identification...
|
||||
/// </summary>
|
||||
namespace vm::handler
|
||||
{
|
||||
namespace handler
|
||||
/// <summary>
|
||||
/// vm handler mnemonic... so you dont need to compare strings!
|
||||
/// </summary>
|
||||
enum mnemonic_t
|
||||
{
|
||||
enum mnemonic_t
|
||||
{
|
||||
INVALID,
|
||||
LRFLAGS,
|
||||
PUSHVSP,
|
||||
MULQ,
|
||||
DIVQ,
|
||||
CALL,
|
||||
JMP,
|
||||
VMEXIT,
|
||||
|
||||
SREGQ,
|
||||
SREGDW,
|
||||
SREGW,
|
||||
|
||||
LREGQ,
|
||||
LREGDW,
|
||||
|
||||
LCONSTQ,
|
||||
LCONSTBZXW,
|
||||
LCONSTBSXQ,
|
||||
LCONSTBSXDW,
|
||||
LCONSTDWSXQ,
|
||||
LCONSTWSXQ,
|
||||
LCONSTWSXDW,
|
||||
LCONSTDW,
|
||||
LCONSTW,
|
||||
|
||||
READQ,
|
||||
READDW,
|
||||
READW,
|
||||
|
||||
WRITEQ,
|
||||
WRITEDW,
|
||||
WRITEW,
|
||||
WRITEB,
|
||||
|
||||
ADDQ,
|
||||
ADDDW,
|
||||
ADDW,
|
||||
|
||||
SHLQ,
|
||||
SHLDW,
|
||||
|
||||
SHRQ,
|
||||
SHRW,
|
||||
|
||||
NANDQ,
|
||||
NANDDW,
|
||||
NANDW
|
||||
};
|
||||
|
||||
using zydis_callback_t = std::function<bool( const zydis_decoded_instr_t &instr )>;
|
||||
|
||||
enum extention_t
|
||||
{
|
||||
none,
|
||||
sign_extend,
|
||||
zero_extend
|
||||
};
|
||||
|
||||
struct profile_t
|
||||
{
|
||||
const char *name;
|
||||
mnemonic_t mnemonic;
|
||||
u8 imm_size;
|
||||
std::vector< zydis_callback_t > signature;
|
||||
extention_t extention;
|
||||
};
|
||||
|
||||
namespace profile
|
||||
{
|
||||
extern vm::handler::profile_t sregq;
|
||||
extern vm::handler::profile_t sregdw;
|
||||
extern vm::handler::profile_t sregw;
|
||||
|
||||
extern vm::handler::profile_t lregq;
|
||||
extern vm::handler::profile_t lregdw;
|
||||
|
||||
extern vm::handler::profile_t lconstq;
|
||||
extern vm::handler::profile_t lconstdw;
|
||||
extern vm::handler::profile_t lconstw;
|
||||
|
||||
extern vm::handler::profile_t lconstbzxw;
|
||||
extern vm::handler::profile_t lconstbsxdw;
|
||||
extern vm::handler::profile_t lconstbsxq;
|
||||
extern vm::handler::profile_t lconstdwsxq;
|
||||
extern vm::handler::profile_t lconstwsxq;
|
||||
extern vm::handler::profile_t lconstwsxdw;
|
||||
|
||||
extern vm::handler::profile_t addq;
|
||||
extern vm::handler::profile_t adddw;
|
||||
extern vm::handler::profile_t addw;
|
||||
|
||||
extern vm::handler::profile_t shlq;
|
||||
extern vm::handler::profile_t shldw;
|
||||
|
||||
extern vm::handler::profile_t nandq;
|
||||
extern vm::handler::profile_t nanddw;
|
||||
extern vm::handler::profile_t nandw;
|
||||
|
||||
extern vm::handler::profile_t writeq;
|
||||
extern vm::handler::profile_t writedw;
|
||||
extern vm::handler::profile_t writeb;
|
||||
|
||||
extern vm::handler::profile_t readq;
|
||||
extern vm::handler::profile_t readdw;
|
||||
|
||||
extern vm::handler::profile_t shrq;
|
||||
extern vm::handler::profile_t shrw;
|
||||
|
||||
extern vm::handler::profile_t lrflags;
|
||||
extern vm::handler::profile_t call;
|
||||
extern vm::handler::profile_t pushvsp;
|
||||
extern vm::handler::profile_t mulq;
|
||||
extern vm::handler::profile_t divq;
|
||||
extern vm::handler::profile_t jmp;
|
||||
extern vm::handler::profile_t vmexit;
|
||||
|
||||
inline std::vector< vm::handler::profile_t * > all = {
|
||||
&sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw,
|
||||
&lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw,
|
||||
&addw,
|
||||
|
||||
&shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw,
|
||||
|
||||
&shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp,
|
||||
&lrflags, &vmexit, &call };
|
||||
} // namespace profile
|
||||
} // namespace handler
|
||||
} // namespace vm
|
||||
INVALID,
|
||||
LRFLAGS,
|
||||
PUSHVSP,
|
||||
MULQ,
|
||||
DIVQ,
|
||||
CALL,
|
||||
JMP,
|
||||
VMEXIT,
|
||||
|
||||
SREGQ,
|
||||
SREGDW,
|
||||
SREGW,
|
||||
|
||||
LREGQ,
|
||||
LREGDW,
|
||||
|
||||
LCONSTQ,
|
||||
LCONSTBZXW,
|
||||
LCONSTBSXQ,
|
||||
LCONSTBSXDW,
|
||||
LCONSTDWSXQ,
|
||||
LCONSTWSXQ,
|
||||
LCONSTWSXDW,
|
||||
LCONSTDW,
|
||||
LCONSTW,
|
||||
|
||||
READQ,
|
||||
READDW,
|
||||
READW,
|
||||
|
||||
WRITEQ,
|
||||
WRITEDW,
|
||||
WRITEW,
|
||||
WRITEB,
|
||||
|
||||
ADDQ,
|
||||
ADDDW,
|
||||
ADDW,
|
||||
|
||||
SHLQ,
|
||||
SHLDW,
|
||||
|
||||
SHRQ,
|
||||
SHRW,
|
||||
|
||||
NANDQ,
|
||||
NANDDW,
|
||||
NANDW
|
||||
};
|
||||
|
||||
/// <summary>
|
||||
/// zydis callback lambda used to pattern match native instructions...
|
||||
/// </summary>
|
||||
using zydis_callback_t = std::function< bool( const zydis_decoded_instr_t &instr ) >;
|
||||
|
||||
/// <summary>
|
||||
/// how sign extention is handled...
|
||||
/// </summary>
|
||||
enum extention_t
|
||||
{
|
||||
none,
|
||||
sign_extend,
|
||||
zero_extend
|
||||
};
|
||||
|
||||
/// <summary>
|
||||
/// pre defined vm handler profile containing all compiled time known information about a vm handler...
|
||||
/// </summary>
|
||||
struct profile_t
|
||||
{
|
||||
/// <summary>
|
||||
/// name of the vm handler, such as JMP or LCONST...
|
||||
/// </summary>
|
||||
const char *name;
|
||||
|
||||
/// <summary>
|
||||
/// the mnemonic of the vm handler... so you dont need to compare strings...
|
||||
/// </summary>
|
||||
mnemonic_t mnemonic;
|
||||
|
||||
/// <summary>
|
||||
/// size, in bits, of the operand (imm)... if there is none then this will be zero...
|
||||
/// </summary>
|
||||
u8 imm_size;
|
||||
|
||||
/// <summary>
|
||||
/// a vector of signatures used to compare native instructions against zydis aided signatures...
|
||||
/// </summary>
|
||||
std::vector< zydis_callback_t > signature;
|
||||
|
||||
/// <summary>
|
||||
/// how sign extention of operands are handled...
|
||||
/// </summary>
|
||||
extention_t extention;
|
||||
};
|
||||
|
||||
/// <summary>
|
||||
/// contains all profiles defined, as well as a vector of all of the defined profiles...
|
||||
/// </summary>
|
||||
namespace profile
|
||||
{
|
||||
extern vm::handler::profile_t sregq;
|
||||
extern vm::handler::profile_t sregdw;
|
||||
extern vm::handler::profile_t sregw;
|
||||
|
||||
extern vm::handler::profile_t lregq;
|
||||
extern vm::handler::profile_t lregdw;
|
||||
|
||||
extern vm::handler::profile_t lconstq;
|
||||
extern vm::handler::profile_t lconstdw;
|
||||
extern vm::handler::profile_t lconstw;
|
||||
|
||||
extern vm::handler::profile_t lconstbzxw;
|
||||
extern vm::handler::profile_t lconstbsxdw;
|
||||
extern vm::handler::profile_t lconstbsxq;
|
||||
extern vm::handler::profile_t lconstdwsxq;
|
||||
extern vm::handler::profile_t lconstwsxq;
|
||||
extern vm::handler::profile_t lconstwsxdw;
|
||||
|
||||
extern vm::handler::profile_t addq;
|
||||
extern vm::handler::profile_t adddw;
|
||||
extern vm::handler::profile_t addw;
|
||||
|
||||
extern vm::handler::profile_t shlq;
|
||||
extern vm::handler::profile_t shldw;
|
||||
|
||||
extern vm::handler::profile_t nandq;
|
||||
extern vm::handler::profile_t nanddw;
|
||||
extern vm::handler::profile_t nandw;
|
||||
|
||||
extern vm::handler::profile_t writeq;
|
||||
extern vm::handler::profile_t writedw;
|
||||
extern vm::handler::profile_t writeb;
|
||||
|
||||
extern vm::handler::profile_t readq;
|
||||
extern vm::handler::profile_t readdw;
|
||||
|
||||
extern vm::handler::profile_t shrq;
|
||||
extern vm::handler::profile_t shrw;
|
||||
|
||||
extern vm::handler::profile_t lrflags;
|
||||
extern vm::handler::profile_t call;
|
||||
extern vm::handler::profile_t pushvsp;
|
||||
extern vm::handler::profile_t mulq;
|
||||
extern vm::handler::profile_t divq;
|
||||
extern vm::handler::profile_t jmp;
|
||||
extern vm::handler::profile_t vmexit;
|
||||
|
||||
/// <summary>
|
||||
/// a vector of pointers to all defined vm handler profiles...
|
||||
/// </summary>
|
||||
inline std::vector< vm::handler::profile_t * > all = {
|
||||
&sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw,
|
||||
&lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw,
|
||||
&addw,
|
||||
|
||||
&shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw,
|
||||
|
||||
&shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp,
|
||||
&lrflags, &vmexit, &call };
|
||||
} // namespace profile
|
||||
} // namespace vm::handler
|
@ -1,279 +1,274 @@
|
||||
#include <vmprofiler.hpp>
|
||||
|
||||
namespace vm
|
||||
namespace vm::instrs
|
||||
{
|
||||
namespace instrs
|
||||
std::pair< std::uint64_t, std::uint64_t > decrypt_operand( transform::map_t &transforms, std::uint64_t operand,
|
||||
std::uint64_t rolling_key )
|
||||
{
|
||||
std::pair< std::uint64_t, std::uint64_t > decrypt_operand( transform::map_t &transforms, std::uint64_t operand,
|
||||
std::uint64_t rolling_key )
|
||||
const auto &generic_decrypt_0 = transforms[ transform::type::generic0 ];
|
||||
const auto &key_decrypt = transforms[ transform::type::rolling_key ];
|
||||
const auto &generic_decrypt_1 = transforms[ transform::type::generic1 ];
|
||||
const auto &generic_decrypt_2 = transforms[ transform::type::generic2 ];
|
||||
const auto &generic_decrypt_3 = transforms[ transform::type::generic3 ];
|
||||
const auto &update_key = transforms[ transform::type::update_key ];
|
||||
|
||||
if ( generic_decrypt_0.mnemonic != ZYDIS_MNEMONIC_INVALID )
|
||||
{
|
||||
const auto &generic_decrypt_0 = transforms[ transform::type::generic0 ];
|
||||
const auto &key_decrypt = transforms[ transform::type::rolling_key ];
|
||||
const auto &generic_decrypt_1 = transforms[ transform::type::generic1 ];
|
||||
const auto &generic_decrypt_2 = transforms[ transform::type::generic2 ];
|
||||
const auto &generic_decrypt_3 = transforms[ transform::type::generic3 ];
|
||||
const auto &update_key = transforms[ transform::type::update_key ];
|
||||
|
||||
if ( generic_decrypt_0.mnemonic != ZYDIS_MNEMONIC_INVALID )
|
||||
{
|
||||
operand = transform::apply(
|
||||
generic_decrypt_0.operands[ 0 ].size, generic_decrypt_0.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_0 ) ? generic_decrypt_0.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
// apply transformation with rolling decrypt key...
|
||||
operand = transform::apply( key_decrypt.operands[ 0 ].size, key_decrypt.mnemonic, operand, rolling_key );
|
||||
|
||||
// apply three generic transformations...
|
||||
{
|
||||
operand = transform::apply(
|
||||
generic_decrypt_1.operands[ 0 ].size, generic_decrypt_1.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_1 ) ? generic_decrypt_1.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_2.operands[ 0 ].size, generic_decrypt_2.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_2 ) ? generic_decrypt_2.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_3.operands[ 0 ].size, generic_decrypt_3.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_3 ) ? generic_decrypt_3.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
// update rolling key...
|
||||
auto result = transform::apply( update_key.operands[ 0 ].size, update_key.mnemonic, rolling_key, operand );
|
||||
|
||||
// update decryption key correctly...
|
||||
switch ( update_key.operands[ 0 ].size )
|
||||
{
|
||||
case 8:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u8 >::max() ) + result;
|
||||
break;
|
||||
case 16:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u16 >::max() ) + result;
|
||||
break;
|
||||
default:
|
||||
rolling_key = result;
|
||||
break;
|
||||
}
|
||||
|
||||
return { operand, rolling_key };
|
||||
operand = transform::apply(
|
||||
generic_decrypt_0.operands[ 0 ].size, generic_decrypt_0.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_0 ) ? generic_decrypt_0.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
std::pair< std::uint64_t, std::uint64_t > encrypt_operand( transform::map_t &transforms, std::uint64_t operand,
|
||||
std::uint64_t rolling_key )
|
||||
// apply transformation with rolling decrypt key...
|
||||
operand = transform::apply( key_decrypt.operands[ 0 ].size, key_decrypt.mnemonic, operand, rolling_key );
|
||||
|
||||
// apply three generic transformations...
|
||||
{
|
||||
transform::map_t inverse;
|
||||
inverse_transforms( transforms, inverse );
|
||||
const auto apply_key = rolling_key;
|
||||
|
||||
const auto &generic_decrypt_0 = inverse[ transform::type::generic0 ];
|
||||
const auto &key_decrypt = inverse[ transform::type::rolling_key ];
|
||||
const auto &generic_decrypt_1 = inverse[ transform::type::generic1 ];
|
||||
const auto &generic_decrypt_2 = inverse[ transform::type::generic2 ];
|
||||
const auto &generic_decrypt_3 = inverse[ transform::type::generic3 ];
|
||||
const auto &update_key = transforms[ transform::type::update_key ];
|
||||
|
||||
auto result = transform::apply( update_key.operands[ 0 ].size, update_key.mnemonic, rolling_key, operand );
|
||||
|
||||
// mov rax, al does not clear the top bits...
|
||||
// mov rax, ax does not clear the top bits...
|
||||
// mov rax, eax does clear the top bits...
|
||||
switch ( update_key.operands[ 0 ].size )
|
||||
{
|
||||
case 8:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u8 >::max() ) + result;
|
||||
break;
|
||||
case 16:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u16 >::max() ) + result;
|
||||
break;
|
||||
default:
|
||||
rolling_key = result;
|
||||
break;
|
||||
}
|
||||
|
||||
{
|
||||
operand = transform::apply(
|
||||
generic_decrypt_3.operands[ 0 ].size, generic_decrypt_3.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_3 ) ? generic_decrypt_3.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_2.operands[ 0 ].size, generic_decrypt_2.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_2 ) ? generic_decrypt_2.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_1.operands[ 0 ].size, generic_decrypt_1.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_1 ) ? generic_decrypt_1.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
operand = transform::apply( key_decrypt.operands[ 0 ].size, key_decrypt.mnemonic, operand, apply_key );
|
||||
|
||||
if ( generic_decrypt_0.mnemonic != ZYDIS_MNEMONIC_INVALID )
|
||||
{
|
||||
operand = transform::apply(
|
||||
generic_decrypt_0.operands[ 0 ].size, generic_decrypt_0.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_0 ) ? generic_decrypt_0.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
return { operand, rolling_key };
|
||||
operand = transform::apply(
|
||||
generic_decrypt_1.operands[ 0 ].size, generic_decrypt_1.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_1 ) ? generic_decrypt_1.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_2.operands[ 0 ].size, generic_decrypt_2.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_2 ) ? generic_decrypt_2.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_3.operands[ 0 ].size, generic_decrypt_3.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_3 ) ? generic_decrypt_3.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
bool get_rva_decrypt( const zydis_routine_t &vm_entry, std::vector< zydis_decoded_instr_t > &transform_instrs )
|
||||
// update rolling key...
|
||||
auto result = transform::apply( update_key.operands[ 0 ].size, update_key.mnemonic, rolling_key, operand );
|
||||
|
||||
// update decryption key correctly...
|
||||
switch ( update_key.operands[ 0 ].size )
|
||||
{
|
||||
// find mov esi, [rsp+0xA0]
|
||||
auto result =
|
||||
std::find_if( vm_entry.begin(), vm_entry.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
||||
return instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
||||
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
||||
instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_ESI &&
|
||||
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
|
||||
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSP &&
|
||||
instr_data.instr.operands[ 1 ].mem.disp.value == 0xA0;
|
||||
} );
|
||||
case 8:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u8 >::max() ) + result;
|
||||
break;
|
||||
case 16:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u16 >::max() ) + result;
|
||||
break;
|
||||
default:
|
||||
rolling_key = result;
|
||||
break;
|
||||
}
|
||||
|
||||
if ( result == vm_entry.end() )
|
||||
return false;
|
||||
return { operand, rolling_key };
|
||||
}
|
||||
|
||||
// find the next three instructions with ESI as
|
||||
// the first operand... and make sure actions & writes...
|
||||
for ( auto idx = 0u; idx < 3; ++idx )
|
||||
{
|
||||
result = std::find_if( ++result, vm_entry.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
||||
return vm::transform::valid( instr_data.instr.mnemonic ) &&
|
||||
instr_data.instr.operands[ 0 ].actions & ZYDIS_OPERAND_ACTION_WRITE &&
|
||||
instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_ESI;
|
||||
} );
|
||||
std::pair< std::uint64_t, std::uint64_t > encrypt_operand( transform::map_t &transforms, std::uint64_t operand,
|
||||
std::uint64_t rolling_key )
|
||||
{
|
||||
transform::map_t inverse;
|
||||
inverse_transforms( transforms, inverse );
|
||||
const auto apply_key = rolling_key;
|
||||
|
||||
const auto &generic_decrypt_0 = inverse[ transform::type::generic0 ];
|
||||
const auto &key_decrypt = inverse[ transform::type::rolling_key ];
|
||||
const auto &generic_decrypt_1 = inverse[ transform::type::generic1 ];
|
||||
const auto &generic_decrypt_2 = inverse[ transform::type::generic2 ];
|
||||
const auto &generic_decrypt_3 = inverse[ transform::type::generic3 ];
|
||||
const auto &update_key = transforms[ transform::type::update_key ];
|
||||
|
||||
auto result = transform::apply( update_key.operands[ 0 ].size, update_key.mnemonic, rolling_key, operand );
|
||||
|
||||
// mov rax, al does not clear the top bits...
|
||||
// mov rax, ax does not clear the top bits...
|
||||
// mov rax, eax does clear the top bits...
|
||||
switch ( update_key.operands[ 0 ].size )
|
||||
{
|
||||
case 8:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u8 >::max() ) + result;
|
||||
break;
|
||||
case 16:
|
||||
rolling_key = ( rolling_key & ~std::numeric_limits< u16 >::max() ) + result;
|
||||
break;
|
||||
default:
|
||||
rolling_key = result;
|
||||
break;
|
||||
}
|
||||
|
||||
if ( result == vm_entry.end() )
|
||||
return false;
|
||||
{
|
||||
operand = transform::apply(
|
||||
generic_decrypt_3.operands[ 0 ].size, generic_decrypt_3.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_3 ) ? generic_decrypt_3.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_2.operands[ 0 ].size, generic_decrypt_2.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_2 ) ? generic_decrypt_2.operands[ 1 ].imm.value.u : 0 );
|
||||
|
||||
operand = transform::apply(
|
||||
generic_decrypt_1.operands[ 0 ].size, generic_decrypt_1.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_1 ) ? generic_decrypt_1.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
transform_instrs.push_back( result->instr );
|
||||
}
|
||||
operand = transform::apply( key_decrypt.operands[ 0 ].size, key_decrypt.mnemonic, operand, apply_key );
|
||||
|
||||
return true;
|
||||
if ( generic_decrypt_0.mnemonic != ZYDIS_MNEMONIC_INVALID )
|
||||
{
|
||||
operand = transform::apply(
|
||||
generic_decrypt_0.operands[ 0 ].size, generic_decrypt_0.mnemonic, operand,
|
||||
// check to see if this instruction has an IMM...
|
||||
transform::has_imm( &generic_decrypt_0 ) ? generic_decrypt_0.operands[ 1 ].imm.value.u : 0 );
|
||||
}
|
||||
|
||||
std::optional< std::uint64_t > get_imm( vm::ctx_t &ctx, std::uint8_t imm_size, std::uintptr_t vip )
|
||||
return { operand, rolling_key };
|
||||
}
|
||||
|
||||
bool get_rva_decrypt( const zydis_routine_t &vm_entry, std::vector< zydis_decoded_instr_t > &transform_instrs )
|
||||
{
|
||||
// find mov esi, [rsp+0xA0]
|
||||
auto result = std::find_if( vm_entry.begin(), vm_entry.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
||||
return instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
||||
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
||||
instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_ESI &&
|
||||
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
|
||||
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSP &&
|
||||
instr_data.instr.operands[ 1 ].mem.disp.value == 0xA0;
|
||||
} );
|
||||
|
||||
if ( result == vm_entry.end() )
|
||||
return false;
|
||||
|
||||
// find the next three instructions with ESI as
|
||||
// the first operand... and make sure actions & writes...
|
||||
for ( auto idx = 0u; idx < 3; ++idx )
|
||||
{
|
||||
if ( !imm_size )
|
||||
return {};
|
||||
result = std::find_if( ++result, vm_entry.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
||||
return vm::transform::valid( instr_data.instr.mnemonic ) &&
|
||||
instr_data.instr.operands[ 0 ].actions & ZYDIS_OPERAND_ACTION_WRITE &&
|
||||
instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_ESI;
|
||||
} );
|
||||
|
||||
auto result = 0ull;
|
||||
ctx.exec_type == vmp2::exec_type_t::forward
|
||||
? std::memcpy( &result, reinterpret_cast< void * >( vip ), imm_size / 8 )
|
||||
: std::memcpy( &result, reinterpret_cast< void * >( vip - ( imm_size / 8 ) ), imm_size / 8 );
|
||||
if ( result == vm_entry.end() )
|
||||
return false;
|
||||
|
||||
return result;
|
||||
transform_instrs.push_back( result->instr );
|
||||
}
|
||||
|
||||
std::optional< virt_instr_t > get( vm::ctx_t &ctx, vmp2::v2::entry_t &entry )
|
||||
{
|
||||
virt_instr_t result;
|
||||
auto &vm_handler = ctx.vm_handlers[ entry.handler_idx ];
|
||||
const auto profile = vm_handler.profile;
|
||||
return true;
|
||||
}
|
||||
|
||||
result.mnemonic_t = profile ? profile->mnemonic : vm::handler::INVALID;
|
||||
result.opcode = entry.handler_idx;
|
||||
result.trace_data = entry;
|
||||
result.operand.has_imm = false;
|
||||
std::optional< std::uint64_t > get_imm( vm::ctx_t &ctx, std::uint8_t imm_size, std::uintptr_t vip )
|
||||
{
|
||||
if ( !imm_size )
|
||||
return {};
|
||||
|
||||
if ( vm_handler.imm_size )
|
||||
{
|
||||
result.operand.has_imm = true;
|
||||
result.operand.imm.imm_size = vm_handler.imm_size;
|
||||
const auto imm_val = get_imm( ctx, vm_handler.imm_size, entry.vip );
|
||||
auto result = 0ull;
|
||||
ctx.exec_type == vmp2::exec_type_t::forward
|
||||
? std::memcpy( &result, reinterpret_cast< void * >( vip ), imm_size / 8 )
|
||||
: std::memcpy( &result, reinterpret_cast< void * >( vip - ( imm_size / 8 ) ), imm_size / 8 );
|
||||
|
||||
if ( !imm_val.has_value() )
|
||||
return {};
|
||||
return result;
|
||||
}
|
||||
|
||||
result.operand.imm.u =
|
||||
vm::instrs::decrypt_operand( vm_handler.transforms, imm_val.value(), entry.decrypt_key ).first;
|
||||
}
|
||||
std::optional< virt_instr_t > get( vm::ctx_t &ctx, vmp2::v2::entry_t &entry )
|
||||
{
|
||||
virt_instr_t result;
|
||||
auto &vm_handler = ctx.vm_handlers[ entry.handler_idx ];
|
||||
const auto profile = vm_handler.profile;
|
||||
|
||||
return result;
|
||||
}
|
||||
result.mnemonic_t = profile ? profile->mnemonic : vm::handler::INVALID;
|
||||
result.opcode = entry.handler_idx;
|
||||
result.trace_data = entry;
|
||||
result.operand.has_imm = false;
|
||||
|
||||
std::optional< jcc_data > get_jcc_data( vm::ctx_t &vmctx, code_block_t &code_block )
|
||||
if ( vm_handler.imm_size )
|
||||
{
|
||||
// there is no branch for this as this is a vmexit...
|
||||
if ( code_block.vinstrs.back().mnemonic_t == vm::handler::VMEXIT )
|
||||
result.operand.has_imm = true;
|
||||
result.operand.imm.imm_size = vm_handler.imm_size;
|
||||
const auto imm_val = get_imm( ctx, vm_handler.imm_size, entry.vip );
|
||||
|
||||
if ( !imm_val.has_value() )
|
||||
return {};
|
||||
|
||||
// find the last LCONSTDW... the imm value is the JMP xor decrypt key...
|
||||
// we loop backwards here (using rbegin and rend)...
|
||||
auto result = std::find_if( code_block.vinstrs.rbegin(), code_block.vinstrs.rend(),
|
||||
[]( const vm::instrs::virt_instr_t &vinstr ) -> bool {
|
||||
auto profile = vm::handler::get_profile( vinstr.mnemonic_t );
|
||||
return profile && profile->mnemonic == vm::handler::LCONSTDW;
|
||||
} );
|
||||
|
||||
jcc_data jcc;
|
||||
const auto xor_key = static_cast< std::uint32_t >( result->operand.imm.u );
|
||||
const auto &last_trace = code_block.vinstrs.back().trace_data;
|
||||
|
||||
// since result is already a variable and is a reverse itr
|
||||
// im going to be using rbegin and rend here again...
|
||||
//
|
||||
// look for PUSHVSP virtual instructions with two encrypted virtual
|
||||
// instruction rva's ontop of the virtual stack...
|
||||
result = std::find_if( code_block.vinstrs.rbegin(), code_block.vinstrs.rend(),
|
||||
[ & ]( const vm::instrs::virt_instr_t &vinstr ) -> bool {
|
||||
if ( auto profile = vm::handler::get_profile( vinstr.mnemonic_t );
|
||||
profile && profile->mnemonic == vm::handler::PUSHVSP )
|
||||
{
|
||||
const auto possible_block_1 = code_block_addr(
|
||||
vmctx, vinstr.trace_data.vsp.qword[ 0 ] ^ xor_key ),
|
||||
possible_block_2 = code_block_addr(
|
||||
vmctx, vinstr.trace_data.vsp.qword[ 1 ] ^ xor_key );
|
||||
|
||||
// if this returns too many false positives we might have to get
|
||||
// our hands dirty and look into trying to emulate each branch
|
||||
// to see if the first instruction is an SREGQ...
|
||||
return possible_block_1 > vmctx.module_base &&
|
||||
possible_block_1 < vmctx.module_base + vmctx.image_size &&
|
||||
possible_block_2 > vmctx.module_base &&
|
||||
possible_block_2 < vmctx.module_base + vmctx.image_size;
|
||||
}
|
||||
return false;
|
||||
} );
|
||||
|
||||
// if there is not two branches...
|
||||
if ( result == code_block.vinstrs.rend() )
|
||||
{
|
||||
jcc.block_addr[ 0 ] = code_block_addr( vmctx, last_trace );
|
||||
jcc.has_jcc = false;
|
||||
jcc.type = jcc_type::absolute;
|
||||
}
|
||||
// else there are two branches...
|
||||
else
|
||||
{
|
||||
jcc.block_addr[ 0 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 0 ] ^ xor_key );
|
||||
jcc.block_addr[ 1 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 1 ] ^ xor_key );
|
||||
|
||||
jcc.has_jcc = true;
|
||||
jcc.type = jcc_type::branching;
|
||||
}
|
||||
|
||||
return jcc;
|
||||
result.operand.imm.u =
|
||||
vm::instrs::decrypt_operand( vm_handler.transforms, imm_val.value(), entry.decrypt_key ).first;
|
||||
}
|
||||
|
||||
std::uintptr_t code_block_addr( const vm::ctx_t &ctx, const vmp2::v2::entry_t &entry )
|
||||
return result;
|
||||
}
|
||||
|
||||
std::optional< jcc_data > get_jcc_data( vm::ctx_t &vmctx, code_block_t &code_block )
|
||||
{
|
||||
// there is no branch for this as this is a vmexit...
|
||||
if ( code_block.vinstrs.back().mnemonic_t == vm::handler::VMEXIT )
|
||||
return {};
|
||||
|
||||
// find the last LCONSTDW... the imm value is the JMP xor decrypt key...
|
||||
// we loop backwards here (using rbegin and rend)...
|
||||
auto result = std::find_if( code_block.vinstrs.rbegin(), code_block.vinstrs.rend(),
|
||||
[]( const vm::instrs::virt_instr_t &vinstr ) -> bool {
|
||||
auto profile = vm::handler::get_profile( vinstr.mnemonic_t );
|
||||
return profile && profile->mnemonic == vm::handler::LCONSTDW;
|
||||
} );
|
||||
|
||||
jcc_data jcc;
|
||||
const auto xor_key = static_cast< std::uint32_t >( result->operand.imm.u );
|
||||
const auto &last_trace = code_block.vinstrs.back().trace_data;
|
||||
|
||||
// since result is already a variable and is a reverse itr
|
||||
// im going to be using rbegin and rend here again...
|
||||
//
|
||||
// look for PUSHVSP virtual instructions with two encrypted virtual
|
||||
// instruction rva's ontop of the virtual stack...
|
||||
result = std::find_if(
|
||||
code_block.vinstrs.rbegin(), code_block.vinstrs.rend(),
|
||||
[ & ]( const vm::instrs::virt_instr_t &vinstr ) -> bool {
|
||||
if ( auto profile = vm::handler::get_profile( vinstr.mnemonic_t );
|
||||
profile && profile->mnemonic == vm::handler::PUSHVSP )
|
||||
{
|
||||
const auto possible_block_1 = code_block_addr( vmctx, vinstr.trace_data.vsp.qword[ 0 ] ^ xor_key ),
|
||||
possible_block_2 = code_block_addr( vmctx, vinstr.trace_data.vsp.qword[ 1 ] ^ xor_key );
|
||||
|
||||
// if this returns too many false positives we might have to get
|
||||
// our hands dirty and look into trying to emulate each branch
|
||||
// to see if the first instruction is an SREGQ...
|
||||
return possible_block_1 > vmctx.module_base &&
|
||||
possible_block_1 < vmctx.module_base + vmctx.image_size &&
|
||||
possible_block_2 > vmctx.module_base &&
|
||||
possible_block_2 < vmctx.module_base + vmctx.image_size;
|
||||
}
|
||||
return false;
|
||||
} );
|
||||
|
||||
// if there is not two branches...
|
||||
if ( result == code_block.vinstrs.rend() )
|
||||
{
|
||||
return ( ( entry.vsp.qword[ 0 ] & std::numeric_limits< u32 >::max() ) -
|
||||
( ctx.image_base & std::numeric_limits< u32 >::max() ) ) +
|
||||
ctx.module_base;
|
||||
jcc.block_addr[ 0 ] = code_block_addr( vmctx, last_trace );
|
||||
jcc.has_jcc = false;
|
||||
jcc.type = jcc_type::absolute;
|
||||
}
|
||||
|
||||
std::uintptr_t code_block_addr( const vm::ctx_t &ctx, const std::uint32_t lower_32bits )
|
||||
// else there are two branches...
|
||||
else
|
||||
{
|
||||
return ( lower_32bits - ( ctx.image_base & std::numeric_limits< u32 >::max() ) ) + ctx.module_base;
|
||||
jcc.block_addr[ 0 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 0 ] ^ xor_key );
|
||||
jcc.block_addr[ 1 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 1 ] ^ xor_key );
|
||||
|
||||
jcc.has_jcc = true;
|
||||
jcc.type = jcc_type::branching;
|
||||
}
|
||||
} // namespace instrs
|
||||
} // namespace vm
|
||||
|
||||
return jcc;
|
||||
}
|
||||
|
||||
std::uintptr_t code_block_addr( const vm::ctx_t &ctx, const vmp2::v2::entry_t &entry )
|
||||
{
|
||||
return ( ( entry.vsp.qword[ 0 ] & std::numeric_limits< u32 >::max() ) -
|
||||
( ctx.image_base & std::numeric_limits< u32 >::max() ) ) +
|
||||
ctx.module_base;
|
||||
}
|
||||
|
||||
std::uintptr_t code_block_addr( const vm::ctx_t &ctx, const std::uint32_t lower_32bits )
|
||||
{
|
||||
return ( lower_32bits - ( ctx.image_base & std::numeric_limits< u32 >::max() ) ) + ctx.module_base;
|
||||
}
|
||||
} // namespace vm::instrs
|
Loading…
Reference in new issue