From 1b35119de4d5edd74622a282bd4fbdde492d7787 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Fri, 27 Aug 2021 19:12:43 -0700 Subject: [PATCH] added more handlers & fixed some... --- CMakeLists.txt | 4 ++ include/vmprofiles.hpp | 48 +++++++++++-- src/vmprofiles/div.cpp | 10 +-- src/vmprofiles/idiv.cpp | 69 +++++++++++++++++++ src/vmprofiles/imul.cpp | 136 +++++++++++++++++++++++++++++++++++++ src/vmprofiles/nand.cpp | 8 +-- src/vmprofiles/readcr3.cpp | 0 src/vmprofiles/readcr8.cpp | 35 ++++++++++ src/vmprofiles/shrd.cpp | 83 +++++++++++++++++++--- src/vmprofiles/write.cpp | 4 +- 10 files changed, 370 insertions(+), 27 deletions(-) create mode 100644 src/vmprofiles/idiv.cpp create mode 100644 src/vmprofiles/imul.cpp create mode 100644 src/vmprofiles/readcr3.cpp create mode 100644 src/vmprofiles/readcr8.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index 8fe3e49..f5eba26 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -49,6 +49,8 @@ list(APPEND vmprofiler_SOURCES "src/vmprofiles/add.cpp" "src/vmprofiles/call.cpp" "src/vmprofiles/div.cpp" + "src/vmprofiles/idiv.cpp" + "src/vmprofiles/imul.cpp" "src/vmprofiles/jmp.cpp" "src/vmprofiles/lconst.cpp" "src/vmprofiles/lflags.cpp" @@ -58,6 +60,8 @@ list(APPEND vmprofiler_SOURCES "src/vmprofiles/popvsp.cpp" "src/vmprofiles/pushvsp.cpp" "src/vmprofiles/read.cpp" + "src/vmprofiles/readcr3.cpp" + "src/vmprofiles/readcr8.cpp" "src/vmprofiles/shl.cpp" "src/vmprofiles/shld.cpp" "src/vmprofiles/shr.cpp" diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp index 6a23a2f..1bf33ca 100644 --- a/include/vmprofiles.hpp +++ b/include/vmprofiles.hpp @@ -13,8 +13,27 @@ namespace vm::handler { INVALID, LFLAGSQ, + MULQ, + MULDW, + MULW, + MULB, + + IMULQ, + IMULDW, + IMULW, + IMULB, + DIVQ, + DIVDW, + DIVW, + DIVB, + + IDIVQ, + IDIVDW, + IDIVW, + IDIVB, + CALL, JMP, VMEXIT, @@ -80,6 +99,11 @@ namespace vm::handler SHRW, SHRB, + SHRDQ, + SHRDDW, + SHRD_W, + SHRDB, + NANDQ, NANDDW, NANDW, 
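Review bot: `src/vmprofiles/readcr3.cpp` is appended to `vmprofiler_SOURCES` in the second hunk, but the diffstat lists that new file with 0 lines and its blob id is the empty blob, so the build now compiles an empty translation unit while no `readcr3` profile is declared anywhere in this patch (only `readcr8` gets an `extern` and an entry in `all`). Either leave the source-list line out until the profile exists, or put a one-line comment in the file such as `// placeholder: CR3 read handler profile not yet implemented` so the empty file is clearly intentional. Keeping the source list in step with `profile::all` in `include/vmprofiles.hpp` matters because that vector, not the build list, is what consumers iterate.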
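Review bot: `SHRD_W` in the second header hunk breaks the naming pattern of its siblings (`SHRDQ`, `SHRDDW`, `SHRDB`), presumably because `SHRDW` is already taken by the SHR-dword enumerator (the `shrdw` extern and the old `SHRDW` value corrected in `src/vmprofiles/shrd.cpp` both point that way); a reader grepping for the word-size SHRD handler will not find it, and `SHRDW`/`SHRDDW`/`SHRD_W` is exactly the lookalike set that produced the wrong-enumerator copy-paste fixed in `shrd.cpp` in this same patch. At minimum the collision should be stated next to the value: `SHRD_W, // word-size SHRD; SHRDW already names the dword SHR handler`. The first hunk also adds `IMULW`, `IMULB`, `IDIVQ`, `IDIVW`, `IDIVB` and the MUL/DIV sub-sizes without any profile using them in this patch, which is fine as staging but worth a `// no profile yet` marker so the enum is not read as a complete inventory.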
@@ -175,6 +199,7 @@ namespace vm::handler extern vm::handler::profile_t writeq; extern vm::handler::profile_t writedw; + extern vm::handler::profile_t writew; extern vm::handler::profile_t writeb; extern vm::handler::profile_t readq; @@ -187,13 +212,23 @@ namespace vm::handler extern vm::handler::profile_t shrdw; extern vm::handler::profile_t shrw; + extern vm::handler::profile_t shrdq; + extern vm::handler::profile_t shrddw; + extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t pushvspdw; extern vm::handler::profile_t lflagsq; extern vm::handler::profile_t call; + extern vm::handler::profile_t mulq; + extern vm::handler::profile_t imulq; + extern vm::handler::profile_t imuldw; + + extern vm::handler::profile_t readcr8; extern vm::handler::profile_t divq; + extern vm::handler::profile_t idivdw; + extern vm::handler::profile_t jmp; extern vm::handler::profile_t popvsp; extern vm::handler::profile_t vmexit; 
@@ -202,16 +237,17 @@ namespace vm::handler /// a vector of pointers to all defined vm handler profiles... /// inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw, - &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, + &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw, + &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw, &addw, &addb, &popvsp, - &shlq, &shldw, &shlw, &writeq, &writedw, &writeb, &nandq, &nanddw, - &nandw, &nandb, + &shlq, &shldw, &shlw, &writeq, &writedw, &writew, &writeb, &nandq, + &nanddw, &nandw, &nandb, &shlddw, &shldq, - &shrq, &shrdw, &shrw, &readgsq, &readq, &readdw, &readw, &readb, - &mulq, &pushvsp, &pushvspdw, &divq, &jmp, &lflagsq, &vmexit, &call }; + &shrq, &shrdw, &shrw, &shrdq, &shrddw, &readgsq, &readq, &readdw, + &readw, &readb, &mulq, &imulq, &imuldw, &pushvsp, &pushvspdw, &readcr8, + &divq, &idivdw, &jmp, &lflagsq, &vmexit, &call }; } // namespace profile } // namespace vm::handler \ No newline at end of file diff --git a/src/vmprofiles/div.cpp b/src/vmprofiles/div.cpp index e23f25f..d015824 100644 --- a/src/vmprofiles/div.cpp +++ b/src/vmprofiles/div.cpp 
@@ -27,24 +27,26 @@ namespace vm::handler::profile instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.index == 0x8; + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; }, // DIV [RBP+0x10] []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_DIV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.index == 0x10; + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.disp.value == 0x10; }, // MOV [RBP+0x8], RDX []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.index == 0x8 && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RDX; }, // MOV [RBP+0x10], RAX []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.index == 0x10 && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x10 && instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; }, diff --git a/src/vmprofiles/idiv.cpp b/src/vmprofiles/idiv.cpp new file mode 100644 index 0000000..eb2bccb --- /dev/null +++ b/src/vmprofiles/idiv.cpp 
@@ -0,0 +1,69 @@ +#include + +namespace vm::handler::profile +{ + vm::handler::profile_t idivdw = { + // MOV EDX, [RBP] + // MOV EAX, [RBP+0x4] + // SUB RBP, 0x4 + // IDIV [RBP+0xC] + // MOV [RBP+0x8], EDX + // MOV [RBP+0xC], EAX + // PUSHFQ + // POP [RBP] + "IDIVDW", + IDIVDW, + NULL, + { { // MOV EDX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV EAX, [RBP+0x4] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4; + }, + // SUB RBP, 0x4 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x4; + }, + // IDIV [RBP+0xC] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_IDIV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.disp.value == 0xC; + }, + // MOV [RBP+0x8], EDX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type 
== ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX; + }, + // MOV [RBP+0xC], EAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0xC && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; + }, + // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; +} // namespace vm::handler::profile \ No newline at end of file diff --git a/src/vmprofiles/imul.cpp b/src/vmprofiles/imul.cpp new file mode 100644 index 0000000..71a2cc9 --- /dev/null +++ b/src/vmprofiles/imul.cpp 
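Review bot: The `SUB RBP, 0x4` matcher in `idivdw` uses a different stack adjustment from the `SUB RBP, 0x8` in `imuldw` added by this same patch, and nothing in the file says why, so the next reader has to re-derive it or assume one of them is wrong. Following the sequence in the header comment, three dwords are consumed (EDX at `[RBP]`, EAX at `[RBP+0x4]`, the divisor at `[RBP+0xC]` after the adjustment) and two dwords plus an 8-byte flags value are produced, which nets to 4 bytes of growth; a comment above the matcher, `// three dwords popped, two dwords + 8-byte flags pushed: net 4 bytes`, would pin that down and make the `0x8`/`0xC` displacements below it self-explanatory. The same kind of one-liner on `imuldw`'s `SUB RBP, 0x8` would let the two files be checked against each other at a glance.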
@@ -0,0 +1,136 @@ +#include + +namespace vm::handler::profile +{ + vm::handler::profile_t imulq = { + // MOV RDX, [RBP] + // MOV RAX, [RBP+0x8] + // SUB RBP, 0x8 + // IMUL RDX + // MOV [RBP+0x8], RDX + // MOV [RBP+0x10], RAX + // PUSHFQ + // POP [RBP] + "IMULQ", + IMULQ, + NULL, + { { // MOV RDX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV RAX, [RBP+0x8] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; + }, + // SUB RBP, 0x8 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x8; + }, + // IMUL RDX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_IMUL && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX; + }, + // MOV [RBP+0x8], RDX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 
1 ].reg.value == ZYDIS_REGISTER_RDX; + }, + // MOV [RBP+0x10], RAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x10 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; + }, + // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; + + vm::handler::profile_t imuldw = { + // MOV EDX, [RBP] + // MOV EAX, [RBP+0x4] + // SUB RBP, 0x8 + // IMUL EDX + // MOV [RBP+0x8], EDX + // MOV [RBP+0xC], EAX + // PUSHFQ + // POP [RBP] + "IMULDW", + IMULDW, + NULL, + { { // MOV RDX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV RAX, [RBP+0x4] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4; + }, + // SUB RBP, 0x8 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 
].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x8; + }, + // IMUL EDX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_IMUL && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX; + }, + // MOV [RBP+0x8], EDX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX; + }, + // MOV [RBP+0xC], EAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0xC && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; + }, + // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; +} // namespace vm::handler::profile \ No newline at end of file diff --git a/src/vmprofiles/nand.cpp b/src/vmprofiles/nand.cpp index bc39733..8a42f81 100644 --- a/src/vmprofiles/nand.cpp +++ b/src/vmprofiles/nand.cpp @@ -167,8 +167,8 @@ namespace vm::handler::profile // MOV [RBP+0x8], AX // PUSHFQ // POP [RBP] - "NANDQ", - NANDQ, + "NANDB", + NANDB, NULL, { { // MOV AX, [RBP] []( const zydis_decoded_instr_t &instr ) -> bool { 
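Review bot: In `imuldw` the per-matcher comments `// MOV RDX, [RBP]` and `// MOV RAX, [RBP+0x4]` were carried over from `imulq` and contradict both the profile's own header block (`MOV EDX, [RBP]`, `MOV EAX, [RBP+0x4]`) and the lambdas, which compare against `ZYDIS_REGISTER_EDX` and `ZYDIS_REGISTER_EAX`; they should read `// MOV EDX, [RBP]` and `// MOV EAX, [RBP+0x4]`. A second, hedged point: the `IMUL RDX` / `IMUL EDX` matchers only check that operand 0 is the expected register, and operand 0 is also a register destination in the two- and three-operand `IMUL` forms, so the predicate is looser than the one-operand form the comment names. If the project's Zydis version marks the implicit RAX/RDX of the one-operand form as non-explicit, `instr.operands[ 1 ].visibility != ZYDIS_OPERAND_VISIBILITY_EXPLICIT` would tighten it; otherwise a comment stating that the one-operand form is assumed would at least record the intent.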
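Review bot: This hunk corrects a profile that carried another profile's name and enumerator (`"NANDQ"`/`NANDQ` on the byte handler), and the same copy-paste error is fixed elsewhere in this patch in `src/vmprofiles/shrd.cpp` (`SHRDW` → `SHRDDW` on `shrddw`) and `src/vmprofiles/write.cpp` (`"WRITEBW"`/`WRITEDW` → `"WRITEW"`/`WRITEW`), so it is a recurring hazard rather than a one-off. Nothing in the patch prevents the next occurrence: since profiles are selected by instruction pattern, a duplicated identifier presumably mislabels the matched handler silently instead of failing. A cheap guard is a unit test, or a debug-build check run once over `profile::all`, asserting that the name strings and the enumerators are pairwise distinct; it would have flagged all three of these before review.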
@@ -178,13 +178,13 @@ namespace vm::handler::profile instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; }, - // MOV DX, [RBP+8] + // MOV DX, [RBP+2] []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_DX && instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x2; }, // SUB RBP, 0x6 []( const zydis_decoded_instr_t &instr ) -> bool { diff --git a/src/vmprofiles/readcr3.cpp b/src/vmprofiles/readcr3.cpp new file mode 100644 index 0000000..e69de29 diff --git a/src/vmprofiles/readcr8.cpp b/src/vmprofiles/readcr8.cpp new file mode 100644 index 0000000..76e5ab4 --- /dev/null +++ b/src/vmprofiles/readcr8.cpp 
@@ -0,0 +1,35 @@ +#include + +namespace vm::handler::profile +{ + vm::handler::profile_t readcr8 = { + // MOV RAX, CR8 + // SUB RBP, 0x8 + // MOV [RBP], RAX + "READCR8", + READCR8, + NULL, + { { // MOV RAX, CR8 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CR8; + }, + // SUB RBP, 0x8 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x8; + }, + // MOV [RBP], RAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; + } } } }; +} \ No newline at end of file diff --git a/src/vmprofiles/shrd.cpp b/src/vmprofiles/shrd.cpp index 6ef87fc..18ad4c9 100644 --- a/src/vmprofiles/shrd.cpp +++ b/src/vmprofiles/shrd.cpp 
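Review bot: `readcr8` initialises its enumerator field with `READCR8`, but neither header hunk in this patch adds a `READCR8` value (the `@@ -13` hunk adds the MUL/IMUL/DIV/IDIV family and the `@@ -80` hunk the SHRD family), so unless `READCR8` already exists in `vm::handler` outside the visible hunks this new translation unit will not compile. Worth confirming before merge, since `readcr8` is also appended to `profile::all` in the same patch. Two smaller points: the closing `}` lacks the `// namespace vm::handler::profile` trailer that `idiv.cpp`, `imul.cpp` and the corrected `shrd.cpp` now carry, and the sibling `readcr3.cpp` created by this patch is empty, so the CR-read family is only half present.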
@@ -2,17 +2,86 @@ namespace vm::handler::profile { + vm::handler::profile_t shrdq = { + // MOV RAX, [RBP] + // MOV RDX, [RBP+0x8] + // MOV CL, [RBP+0x8] + // ADD RBP, 0x2 + // SHRD RAX, RDX, CL + // MOV [RBP+0x8], RAX + // PUSHFQ + // POP [RBP] + "SHRDQ", + SHRDQ, + NULL, + { { // MOV RAX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV RDX, [RBP+0x8] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; + }, + // MOV CL, [RBP+0x10] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x10; + }, + // ADD RBP, 0x2 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_ADD && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x2; + }, + // SHRD RAX, RDX, CL + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SHRD && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + 
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RDX && + instr.operands[ 2 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 2 ].reg.value == ZYDIS_REGISTER_CL; + }, + // MOV [RBP+0x8], RAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; + }, + // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; + vm::handler::profile_t shrddw = { // MOV EAX, [RBP] // MOV EDX, [RBP+0x4] // MOV CL, [RBP+0x8] - // SUB RBP, 0x2 // SHRD EAX, EDX, CL // MOV [RBP+0x8], EAX // PUSHFQ // POP [RBP] "SHRDDW", - SHRDW, + SHRDDW, NULL, { { // MOV EAX, [RBP] []( const zydis_decoded_instr_t &instr ) -> bool { 
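Review bot: The header comment block of the new `shrdq` profile lists `// MOV CL, [RBP+0x8]`, but the matcher it describes is commented `// MOV CL, [RBP+0x10]` and checks `mem.disp.value == 0x10`; with `RAX` read from `[RBP]` and `RDX` from `[RBP+0x8]`, `0x10` is the one that fits, so the header line should read `// MOV CL, [RBP+0x10]`. Separately, the hunk deletes `// SUB RBP, 0x2` from `shrddw`'s header without adding or removing a matcher for it, and by the same arithmetic that justifies `ADD RBP, 0x2` in `shrdq` (8+8+2 bytes consumed, 8+8 written) the dword variant consumes 4+4+2 bytes and writes 4+8, which would call for a 2-byte adjustment in the other direction. That may simply be how the real handler lays out its stack, but it is worth checking against a captured dword `SHRD` handler before the comment is treated as corrected. The body of `shrddw` continues past this hunk.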
@@ -38,14 +107,6 @@ namespace vm::handler::profile instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; }, - // MOV CL, [RBP+0x8] - []( const zydis_decoded_instr_t &instr ) -> bool { - return instr.mnemonic == ZYDIS_MNEMONIC_MOV && - instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && - instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL && - instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; - }, // SHRD EAX, EDX, CL []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_SHRD && @@ -71,4 +132,4 @@ namespace vm::handler::profile return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; } } } }; -} \ No newline at end of file +} // namespace vm::handler::profile \ No newline at end of file diff --git a/src/vmprofiles/write.cpp b/src/vmprofiles/write.cpp index ca6b139..1e619f3 100644 --- a/src/vmprofiles/write.cpp +++ b/src/vmprofiles/write.cpp @@ -87,8 +87,8 @@ namespace vm::handler::profile // MOV DX, [RBP+0x8] // ADD RBP, 0xA // MOV [RAX], DX - "WRITEBW", - WRITEDW, + "WRITEW", + WRITEW, NULL, { { // MOV RAX, [RBP] []( const zydis_decoded_instr_t &instr ) -> bool {