diff --git a/src/calc_jmp.cpp b/src/calc_jmp.cpp index cf0a41e..e612da1 100644 --- a/src/calc_jmp.cpp +++ b/src/calc_jmp.cpp @@ -30,8 +30,9 @@ namespace vm { auto result = std::find_if( calc_jmp.begin(), calc_jmp.end(), []( const zydis_instr_t &instr_data ) -> bool { - // look for any instruction with RSI being the first operand... - return instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + // look for any instruction with RSI being the first operand and its being written too.. + return instr_data.instr.operands[ 0 ].actions & ZYDIS_OPERAND_ACTION_WRITE && + instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RSI; } ); @@ -43,45 +44,22 @@ namespace vm switch ( instr->mnemonic ) { case ZYDIS_MNEMONIC_LEA: - { + // if operand type is memory, then return advancement type + // based off of the disposition value... (neg == backward, pos == forward) if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY ) - { - if ( instr->operands[ 1 ].mem.disp.value > 0 ) - return vmp2::exec_type_t::forward; - else - return vmp2::exec_type_t::backward; - } - // else we dont know what we are looking at... - return {}; - } + return instr->operands[ 1 ].mem.disp.value > 0 ? vmp2::exec_type_t::forward + : vmp2::exec_type_t::backward; + break; case ZYDIS_MNEMONIC_ADD: - { - // ADD RSI, IMM... if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE ) - { - // see if IMM is negitive... - if ( instr->operands[ 1 ].imm.value.s > 0 ) - return vmp2::exec_type_t::forward; - else // adding a negitive number is sub... - return vmp2::exec_type_t::backward; - } - // else we dont know what we are looking at... - return {}; - } + return instr->operands[ 1 ].imm.value.s > 0 ? vmp2::exec_type_t::forward + : vmp2::exec_type_t::backward; + break; case ZYDIS_MNEMONIC_SUB: - { - // SUB RSI, IMM... if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE ) - { - // see if IMM is negitive... - if ( instr->operands[ 1 ].imm.value.s > 0 ) - return vmp2::exec_type_t::backward; - else // subtracting a negitive number means you are adding... - return vmp2::exec_type_t::forward; - } - // else we dont know what we are looking at... - return {}; - } + return instr->operands[ 1 ].imm.value.s > 0 ? vmp2::exec_type_t::backward + : vmp2::exec_type_t::forward; + break; case ZYDIS_MNEMONIC_INC: return vmp2::exec_type_t::forward; case ZYDIS_MNEMONIC_DEC: diff --git a/src/vmhandler.cpp b/src/vmhandler.cpp index f84f109..0fec67c 100644 --- a/src/vmhandler.cpp +++ b/src/vmhandler.cpp @@ -19,14 +19,14 @@ namespace vm return false; }; + // find LEA RAX, [RDI+0xE0], else determine if the instruction is inside of calc_jmp... auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr ) -> bool { - if ( instr.instr.mnemonic == ZYDIS_MNEMONIC_LEA && + return instr.instr.mnemonic == ZYDIS_MNEMONIC_LEA && instr.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && instr.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RDI && - instr.instr.operands[ 1 ].mem.disp.value == 0xE0 ) - return true; - - return calc_jmp_check( instr.addr ); + instr.instr.operands[ 1 ].mem.disp.value == 0xE0 + ? true + : calc_jmp_check( instr.addr ); } ); // remove calc_jmp from the vm handler vector... @@ -42,16 +42,14 @@ namespace vm { result = std::find_if( ++result, vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool { // mov/movsx/movzx rax/eax/ax/al, [rsi] - if ( instr_data.instr.operand_count > 1 && - ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || - instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || - instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && - instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && - util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && - instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI ) - return true; - return false; + return instr_data.instr.operand_count > 1 && + ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || + instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || + instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && + instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && + instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI; } ); if ( result != vm_handler.end() ) @@ -77,17 +75,15 @@ namespace vm for ( auto idx = 0u; idx < 256; ++idx ) { - const auto decrypt_val = vm::handler::table::decrypt( instr, vm_handler_table[ idx ] ); - handler_t vm_handler; vm::transform::map_t transforms; zydis_routine_t vm_handler_instrs; + const auto decrypt_val = vm::handler::table::decrypt( instr, vm_handler_table[ idx ] ); if ( !vm::handler::get( calc_jmp, vm_handler_instrs, ( decrypt_val - image_base ) + module_base ) ) return false; const auto has_imm = vm::handler::has_imm( vm_handler_instrs ); - const auto imm_size = vm::handler::imm_size( vm_handler_instrs ); if ( has_imm && !vm::handler::get_operand_transforms( vm_handler_instrs, transforms ) ) @@ -109,16 +105,14 @@ namespace vm const auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool { // mov/movsx/movzx rax/eax/ax/al, [rsi] - if ( instr_data.instr.operand_count > 1 && - ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || - instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || - instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && - instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && - util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && - instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI ) - return true; - return false; + return instr_data.instr.operand_count > 1 && + ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || + instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || + instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && + instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && + instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI; } ); return result != vm_handler.end(); @@ -129,16 +123,14 @@ namespace vm const auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool { // mov/movsx/movzx rax/eax/ax/al, [rsi] - if ( instr_data.instr.operand_count > 1 && + return instr_data.instr.operand_count > 1 && ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI ) - return true; - return false; + instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI; } ); if ( result == vm_handler.end() ) diff --git a/src/vmutils.cpp b/src/vmutils.cpp index cb8d53f..147b5f4 100644 --- a/src/vmutils.cpp +++ b/src/vmutils.cpp @@ -24,7 +24,6 @@ namespace vm ZydisFormatter formatter; ZydisFormatterInit( &formatter, ZYDIS_FORMATTER_STYLE_INTEL ); ZydisFormatterFormatInstruction( &formatter, &instr, buffer, sizeof( buffer ), 0u ); - puts( buffer ); } @@ -38,7 +37,6 @@ namespace vm { std::printf( "> 0x%p ", addr ); ZydisFormatterFormatInstruction( &formatter, &instr, buffer, sizeof( buffer ), addr ); - puts( buffer ); } }