|
|
@ -181,7 +181,10 @@ namespace vm
|
|
|
|
zydis_routine_t vm_entry, calc_jmp;
|
|
|
|
zydis_routine_t vm_entry, calc_jmp;
|
|
|
|
std::vector< vm::handler::handler_t > vm_handlers;
|
|
|
|
std::vector< vm::handler::handler_t > vm_handlers;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace vm
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace vm
|
|
|
|
|
|
|
|
{
|
|
|
|
namespace instrs
|
|
|
|
namespace instrs
|
|
|
|
{
|
|
|
|
{
|
|
|
|
struct virt_instr_t
|
|
|
|
struct virt_instr_t
|
|
|
@ -224,10 +227,50 @@ namespace vm
|
|
|
|
struct code_block_t
|
|
|
|
struct code_block_t
|
|
|
|
{
|
|
|
|
{
|
|
|
|
std::uintptr_t vip_begin;
|
|
|
|
std::uintptr_t vip_begin;
|
|
|
|
std::vector< virt_instr_t > vinstrs;
|
|
|
|
|
|
|
|
jcc_data jcc;
|
|
|
|
jcc_data jcc;
|
|
|
|
|
|
|
|
std::vector< virt_instr_t > vinstrs;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace instrs
|
|
|
|
|
|
|
|
} // namespace vm
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace vmp2
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
namespace v3
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
struct file_header
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
u32 magic; // VMP2
|
|
|
|
|
|
|
|
u64 epoch_time;
|
|
|
|
|
|
|
|
version_t version;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
u64 module_base;
|
|
|
|
|
|
|
|
u64 image_base;
|
|
|
|
|
|
|
|
u64 vm_entry_rva;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
u32 module_offset;
|
|
|
|
|
|
|
|
u32 module_size;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
u32 code_block_offset;
|
|
|
|
|
|
|
|
u32 code_block_count;
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
struct code_block_t
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
std::uintptr_t vip_begin;
|
|
|
|
|
|
|
|
std::uintptr_t next_block_offset;
|
|
|
|
|
|
|
|
vm::instrs::jcc_data jcc;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// serialized from std::vector<virt_instr_t>...
|
|
|
|
|
|
|
|
std::uint32_t vinstr_count;
|
|
|
|
|
|
|
|
vm::instrs::virt_instr_t vinstr[];
|
|
|
|
|
|
|
|
};
|
|
|
|
|
|
|
|
} // namespace v3
|
|
|
|
|
|
|
|
} // namespace vmp2
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
namespace vm
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
namespace instrs
|
|
|
|
|
|
|
|
{
|
|
|
|
// decrypt transformations for encrypted virtual instruction rva...
|
|
|
|
// decrypt transformations for encrypted virtual instruction rva...
|
|
|
|
bool get_rva_decrypt( const zydis_routine_t &vm_entry, std::vector< zydis_decoded_instr_t > &transform_instrs );
|
|
|
|
bool get_rva_decrypt( const zydis_routine_t &vm_entry, std::vector< zydis_decoded_instr_t > &transform_instrs );
|
|
|
|
|
|
|
|
|
|
|
|