From 1f748ab668ed8706444272229116b9edab6d2f72 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Tue, 1 Jun 2021 22:12:08 -0700
Subject: [PATCH] added NANDW virtual instruction
---
 include/vmprofiler.hpp | 16 ++++++------
 src/vmprofiles/nand.cpp | 56 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 63 insertions(+), 9 deletions(-)
diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index 2e9838d..ff058b5 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -75,7 +75,8 @@ namespace vm
 SHRW,
 NANDQ,
- NANDDW
+ NANDDW,
+ NANDW
 };
 enum extention_t
@@ -153,6 +154,7 @@ namespace vm
 extern vm::handler::profile_t nandq;
 extern vm::handler::profile_t nanddw;
+ extern vm::handler::profile_t nandw;
 extern vm::handler::profile_t writeq;
 extern vm::handler::profile_t writedw;
@@ -172,14 +174,14 @@ namespace vm
 extern vm::handler::profile_t vmexit;
 inline std::vector< vm::handler::profile_t * > all = {
- &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw,
- &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw,
- &addq, &adddw, &addw,
+ &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw,
+ &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw,
+ &addw,
- &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw,
+ &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw,
- &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq,
- &jmp, &vmexit, &call };
+ &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp,
+ &vmexit, &call };
 } // namespace profile
 } // namespace handler
 } // namespace vm
\ No newline at end of file
diff --git a/src/vmprofiles/nand.cpp b/src/vmprofiles/nand.cpp
index fcbf681..0fbcec0 100644
--- a/src/vmprofiles/nand.cpp
+++ b/src/vmprofiles/nand.cpp
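Review bot: The last hunk of include/vmprofiler.hpp still ends with `\ No newline at end of file` after `} // namespace vm`, so the header is committed without a terminating newline even though this commit already rewrites the tail of the file (the `all` initializer). Adding the final newline here would silence clang's -Wnewline-eof and stop every later edit to the end of the header from re-showing this marker. The `&nandw` entry itself is placed beside `&nanddw` in the same initializer row, consistent with the enum value and extern declaration added in the first two hunks.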
@@ -75,14 +75,66 @@ namespace vm
 } } } };
 vm::handler::profile_t nanddw = {
+ // NOT QWORD PTR [RBP]
+ // MOV EAX, [RBP]
+ // SUB RBP, 0x4
+ // AND [RBP+0x8], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "NANDDW",
+ NANDDW,
+ NULL,
+ { { // NOT QWORD PTR [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_NOT &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].size == 64 && instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV EAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // SUB RBP, 0x4
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x4;
+ },
+ // AND [RBP+0x8], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_AND &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
+ },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
+ 
+ 
vm::handler::profile_t nandw = {
 // NOT DWORD PTR [RBP]
 // MOV AX, [RBP]
 // SUB RBP, 0x6
 // AND [RBP+0x8], AX
 // PUSHFQ
 // POP [RBP]
- "NANDDW",
- NANDDW,
+ "NANDW",
+ NANDW,
 NULL,
 { { // NOT DWORD PTR [RBP]
 []( const zydis_decoded_instr_t &instr ) -> bool {