vmp2
/
vmprofiler
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

cleaned the code, removed useless if's, added operand action checks

Browse Source
merge-requests/4/head
_xeroxz 4 years ago
parent 0115f85798
commit 1aba5d017f
3 changed files with 38 additions and 70 deletions
Show Stats Download Patch File Download Diff File

50
src/calc_jmp.cpp
Unescape View File

@ -30,8 +30,9 @@ namespace vm
{ {
auto result = auto result =
std::find_if( calc_jmp.begin(), calc_jmp.end(), []( const zydis_instr_t &instr_data ) -> bool { std::find_if( calc_jmp.begin(), calc_jmp.end(), []( const zydis_instr_t &instr_data ) -> bool {
// look for any instruction with RSI being the first operand... // look for any instruction with RSI being the first operand and its being written too..
return instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && return instr_data.instr.operands[ 0 ].actions & ZYDIS_OPERAND_ACTION_WRITE &&
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RSI; instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RSI;
} ); } );
@ -43,45 +44,22 @@ namespace vm
switch ( instr->mnemonic ) switch ( instr->mnemonic )
{ {
case ZYDIS_MNEMONIC_LEA: case ZYDIS_MNEMONIC_LEA:
{ // if operand type is memory, then return advancement type
// based off of the disposition value... (neg == backward, pos == forward)
if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY ) if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY )
{ return instr->operands[ 1 ].mem.disp.value > 0 ? vmp2::exec_type_t::forward
if ( instr->operands[ 1 ].mem.disp.value > 0 ) : vmp2::exec_type_t::backward;
return vmp2::exec_type_t::forward; break;
else
return vmp2::exec_type_t::backward;
}
// else we dont know what we are looking at...
return {};
}
case ZYDIS_MNEMONIC_ADD: case ZYDIS_MNEMONIC_ADD:
{
// ADD RSI, IMM...
if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE ) if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE )
{ return instr->operands[ 1 ].imm.value.s > 0 ? vmp2::exec_type_t::forward
// see if IMM is negitive... : vmp2::exec_type_t::backward;
if ( instr->operands[ 1 ].imm.value.s > 0 ) break;
return vmp2::exec_type_t::forward;
else // adding a negitive number is sub...
return vmp2::exec_type_t::backward;
}
// else we dont know what we are looking at...
return {};
}
case ZYDIS_MNEMONIC_SUB: case ZYDIS_MNEMONIC_SUB:
{
// SUB RSI, IMM...
if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE ) if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE )
{ return instr->operands[ 1 ].imm.value.s > 0 ? vmp2::exec_type_t::backward
// see if IMM is negitive... : vmp2::exec_type_t::forward;
if ( instr->operands[ 1 ].imm.value.s > 0 ) break;
return vmp2::exec_type_t::backward;
else // subtracting a negitive number means you are adding...
return vmp2::exec_type_t::forward;
}
// else we dont know what we are looking at...
return {};
}
case ZYDIS_MNEMONIC_INC: case ZYDIS_MNEMONIC_INC:
return vmp2::exec_type_t::forward; return vmp2::exec_type_t::forward;
case ZYDIS_MNEMONIC_DEC: case ZYDIS_MNEMONIC_DEC:

56
src/vmhandler.cpp
Unescape View File

@ -19,14 +19,14 @@ namespace vm
return false; return false;
}; };
// find LEA RAX, [RDI+0xE0], else determine if the instruction is inside of calc_jmp...
auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr ) -> bool { auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr ) -> bool {
if ( instr.instr.mnemonic == ZYDIS_MNEMONIC_LEA && return instr.instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
instr.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && instr.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
instr.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RDI && instr.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RDI &&
instr.instr.operands[ 1 ].mem.disp.value == 0xE0 ) instr.instr.operands[ 1 ].mem.disp.value == 0xE0
return true; ? true
: calc_jmp_check( instr.addr );
return calc_jmp_check( instr.addr );
} ); } );
// remove calc_jmp from the vm handler vector... // remove calc_jmp from the vm handler vector...
@ -42,16 +42,14 @@ namespace vm
{ {
result = std::find_if( ++result, vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool { result = std::find_if( ++result, vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
// mov/movsx/movzx rax/eax/ax/al, [rsi] // mov/movsx/movzx rax/eax/ax/al, [rsi]
if ( instr_data.instr.operand_count > 1 && return instr_data.instr.operand_count > 1 &&
( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV ||
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX ||
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) &&
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX &&
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI ) instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI;
return true;
return false;
} ); } );
if ( result != vm_handler.end() ) if ( result != vm_handler.end() )
@ -77,17 +75,15 @@ namespace vm
for ( auto idx = 0u; idx < 256; ++idx ) for ( auto idx = 0u; idx < 256; ++idx )
{ {
const auto decrypt_val = vm::handler::table::decrypt( instr, vm_handler_table[ idx ] );
handler_t vm_handler; handler_t vm_handler;
vm::transform::map_t transforms; vm::transform::map_t transforms;
zydis_routine_t vm_handler_instrs; zydis_routine_t vm_handler_instrs;
const auto decrypt_val = vm::handler::table::decrypt( instr, vm_handler_table[ idx ] );
if ( !vm::handler::get( calc_jmp, vm_handler_instrs, ( decrypt_val - image_base ) + module_base ) ) if ( !vm::handler::get( calc_jmp, vm_handler_instrs, ( decrypt_val - image_base ) + module_base ) )
return false; return false;
const auto has_imm = vm::handler::has_imm( vm_handler_instrs ); const auto has_imm = vm::handler::has_imm( vm_handler_instrs );
const auto imm_size = vm::handler::imm_size( vm_handler_instrs ); const auto imm_size = vm::handler::imm_size( vm_handler_instrs );
if ( has_imm && !vm::handler::get_operand_transforms( vm_handler_instrs, transforms ) ) if ( has_imm && !vm::handler::get_operand_transforms( vm_handler_instrs, transforms ) )
@ -109,16 +105,14 @@ namespace vm
const auto result = const auto result =
std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool { std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
// mov/movsx/movzx rax/eax/ax/al, [rsi] // mov/movsx/movzx rax/eax/ax/al, [rsi]
if ( instr_data.instr.operand_count > 1 && return instr_data.instr.operand_count > 1 &&
( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV ||
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX ||
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) &&
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX &&
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI ) instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI;
return true;
return false;
} ); } );
return result != vm_handler.end(); return result != vm_handler.end();
@ -129,16 +123,14 @@ namespace vm
const auto result = const auto result =
std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool { std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
// mov/movsx/movzx rax/eax/ax/al, [rsi] // mov/movsx/movzx rax/eax/ax/al, [rsi]
if ( instr_data.instr.operand_count > 1 && return instr_data.instr.operand_count > 1 &&
( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV || ( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV ||
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX || instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX ||
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) && instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) &&
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX && util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX &&
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI ) instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI;
return true;
return false;
} ); } );
if ( result == vm_handler.end() ) if ( result == vm_handler.end() )

2
src/vmutils.cpp
Unescape View File

@ -24,7 +24,6 @@ namespace vm
ZydisFormatter formatter; ZydisFormatter formatter;
ZydisFormatterInit( &formatter, ZYDIS_FORMATTER_STYLE_INTEL ); ZydisFormatterInit( &formatter, ZYDIS_FORMATTER_STYLE_INTEL );
ZydisFormatterFormatInstruction( &formatter, &instr, buffer, sizeof( buffer ), 0u ); ZydisFormatterFormatInstruction( &formatter, &instr, buffer, sizeof( buffer ), 0u );
puts( buffer ); puts( buffer );
} }
@ -38,7 +37,6 @@ namespace vm
{ {
std::printf( "> 0x%p ", addr ); std::printf( "> 0x%p ", addr );
ZydisFormatterFormatInstruction( &formatter, &instr, buffer, sizeof( buffer ), addr ); ZydisFormatterFormatInstruction( &formatter, &instr, buffer, sizeof( buffer ), addr );
puts( buffer ); puts( buffer );
} }
} }

Write Preview
Loading…
Cancel
Save