diff --git a/dependencies/vtil b/dependencies/vtil index e9dc43b..46220b2 160000 --- a/dependencies/vtil +++ b/dependencies/vtil @@ -1 +1 @@ -Subproject commit e9dc43bd7da388c5f8304407fd076f802bd97a7f +Subproject commit 46220b2d054f7c250d9eef27879a2f05b7c9d9fa diff --git a/include/vmlifters.hpp b/include/vmlifters.hpp index 029f4f5..e0ec8b1 100644 --- a/include/vmlifters.hpp +++ b/include/vmlifters.hpp @@ -24,34 +24,47 @@ namespace vm::lifters extern vm::lifters::lifter_t nandq, nanddw, nandw; extern vm::lifters::lifter_t readq, readdw, readw; extern vm::lifters::lifter_t shrq, shrw; + + extern vm::lifters::lifter_t jmp; extern vm::lifters::lifter_t vmexit; extern vm::lifters::lifter_t pushvsp; + extern vm::lifters::lifter_t lrflags; + extern vm::lifters::lifter_t lvsp; - inline std::map< vm::handler::mnemonic_t, lifter_callback_t > all = { + inline std::vector< vm::lifters::lifter_t * > all = { // lreg lifters... - lregq, lregdw, + &lregq, &lregdw, // add lifters... - addq, adddw, addw, + &addq, &adddw, &addw, // sreg lifters... - sregq, sregdw, sregw, + &sregq, &sregdw, &sregw, // lconst lifters... - lconstq, lconstdw, lconstw, lconstbzxw, lconstbsxdw, lconstbsxq, lconstdwsxq, lconstwsxq, lconstwsxdw, + &lconstq, &lconstdw, &lconstw, &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, // nand lifters... - nandq, nanddw, nandw, + &nandq, &nanddw, &nandw, // read lifters.... - readq, readdw, readw, + &readq, &readdw, &readw, // shr lifters... - shrq, shrw, + &shrq, &shrw, // pushvsp lifter... - pushvsp, + &pushvsp, + + // jmp lifter... + &jmp, + + // lflags lifter... + &lrflags, + + // lvsp lifter... + &lvsp, // vmexit lifter... - vmexit }; + &vmexit }; } // namespace vm::lifters \ No newline at end of file diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 976d76f..8b40e7c 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp 
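Review bot: Switching `all` from `std::map< vm::handler::mnemonic_t, lifter_callback_t >` to a flat `std::vector< vm::lifters::lifter_t * >` drops the one-lifter-per-mnemonic guarantee the map key used to enforce, so nothing in this header now stops two entries from claiming the same `vm::handler::mnemonic_t`, and the consumer (not in this diff) presumably has to scan the vector and take the first match, which makes entry order significant. A short comment above the initializer stating that contract would help, e.g. `// exactly one lifter per handler mnemonic; dispatch is expected to match on the lifter's mnemonic, first match wins`. The comment `// lflags lifter...` also disagrees with the symbol it labels (`lrflags`); one name should be used consistently.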
@@ -6,4 +6,5 @@ #include #include #include -#include \ No newline at end of file +#include +#include \ No newline at end of file diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp index 19b6aa2..f338fda 100644 --- a/include/vmprofiles.hpp +++ b/include/vmprofiles.hpp @@ -19,6 +19,7 @@ namespace vm::handler CALL, JMP, VMEXIT, + LVSP, SREGQ, SREGDW, @@ -223,6 +224,11 @@ namespace vm::handler /// add rsi, [rbp] ; add module base address /// extern vm::handler::profile_t jmp; + + /// + /// mov rbp [rbp+0] + /// + extern vm::handler::profile_t lvsp; extern vm::handler::profile_t vmexit; /// @@ -231,7 +237,7 @@ namespace vm::handler inline std::vector< vm::handler::profile_t * > all = { &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw, - &addw, + &addw, &lvsp, &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw, diff --git a/src/vmlifters/jmp.cpp b/src/vmlifters/jmp.cpp new file mode 100644 index 0000000..538346c --- /dev/null +++ b/src/vmlifters/jmp.cpp @@ -0,0 +1,10 @@ +#include + +namespace vm::lifters +{ + vm::lifters::lifter_t jmp = { + // jmp + vm::handler::JMP, []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { + blk->jmp( vinstr->trace_data.vsp.qword[ 0 ] ); + } }; +} \ No newline at end of file diff --git a/src/vmlifters/lflags.cpp b/src/vmlifters/lflags.cpp new file mode 100644 index 0000000..30b6c51 --- /dev/null +++ b/src/vmlifters/lflags.cpp @@ -0,0 +1,9 @@ +#include + +namespace vm::lifters +{ + vm::lifters::lifter_t lrflags = { + // push flags + vm::handler::LRFLAGS, + []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { blk->push( vtil::REG_FLAGS ); } }; +} \ No newline at end of file diff --git a/src/vmlifters/lvsp.cpp b/src/vmlifters/lvsp.cpp new file mode 100644 index 0000000..3bc49b7 --- /dev/null +++ b/src/vmlifters/lvsp.cpp 
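Review bot: The doc comment added for the new `lvsp` profile, `/// mov rbp [rbp+0]`, is not valid assembly (the operand comma is missing) and, unlike the neighbouring `jmp` comment, says nothing about what the handler means in VM terms. `/// mov rbp, [rbp] ; vsp = [vsp]` would match the house style of the other profile comments and make the intent of `LVSP` clear to whoever reads the enum.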
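Review bot: The new `jmp` lifter never consumes the branch target from the virtual stack: `blk->jmp( vinstr->trace_data.vsp.qword[ 0 ] )` branches to the traced top-of-stack qword but leaves the VTIL stack offset untouched, whereas the visible `add rsi, [rbp]` fragment of the JMP profile reads the target from `[rbp]` and the handler very likely advances the VSP past it (that part is not shown). If so, `$sp` in the lifted block ends up 8 bytes behind the VM's after every jmp and every later pop reads the wrong slot. Popping the slot before branching keeps the stack consistent: `auto t0 = blk->tmp( 64 ); blk->pop( t0 ); blk->jmp( vinstr->trace_data.vsp.qword[ 0 ] );`. The `qword[ 0 ]` index is also undocumented; a comment stating it is the traced VSP top at the time of the jmp would help.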
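Review bot: `vinstr` is unused in the `lrflags` lambda, which trips `-Wunused-parameter`/C4100 in a warnings-as-errors build; dropping the name, `[]( vtil::basic_block *blk, vm::instrs::virt_instr_t * ) { blk->push( vtil::REG_FLAGS ); }`, or tagging it `[[maybe_unused]]` keeps the callback signature and silences it (the same applies to the `lvsp` lifter in this diff). The naming is also scattered: the file is `lflags.cpp`, the comment says `// push flags`, the symbol is `lrflags` and the mnemonic is `LRFLAGS`; picking one of `lflags`/`lrflags` for all of them would make the lifter easier to find. `vm::handler::LRFLAGS` is not added by the enum hunk in vmprofiles.hpp, so it presumably already exists.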
@@ -0,0 +1,9 @@ +#include + +namespace vm::lifters +{ + vm::lifters::lifter_t lvsp = { + // vsp = vsp[0] + vm::handler::LVSP, + []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { blk->pop( vtil::REG_SP ); } }; +} \ No newline at end of file diff --git a/src/vmlifters/read.cpp b/src/vmlifters/read.cpp index db3420e..171d1d8 100644 --- a/src/vmlifters/read.cpp +++ b/src/vmlifters/read.cpp @@ -7,10 +7,10 @@ namespace vm::lifters // ldd vregX, vregX, 0 // push vregX vm::handler::READQ, []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { - auto t0 = blk->tmp( 64 ); + auto [ t0, t1 ] = blk->tmp( 64, 64 ); blk->pop( t0 ); - blk->ldd( t0, t0, 0 ); - blk->push( t0 ); + blk->ldd( t1, t0, vtil::make_imm( 0ull ) ); + blk->push( t1 ); } }; vm::lifters::lifter_t readdw = { @@ -18,10 +18,10 @@ namespace vm::lifters // ldd vregX, vregX, 0 // push vregX vm::handler::READDW, []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { - auto t0 = blk->tmp( 32 ); + auto [ t0, t1 ] = blk->tmp( 64, 32 ); blk->pop( t0 ); - blk->ldd( t0, t0, 0 ); - blk->push( t0 ); + blk->ldd( t1, t0, vtil::make_imm( 0ull ) ); + blk->push( t1 ); } }; vm::lifters::lifter_t readw = { @@ -29,9 +29,9 @@ namespace vm::lifters // ldd vregX, vregX, 0 // push vregX vm::handler::READW, []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { - auto t0 = blk->tmp( 16 ); + auto [ t0, t1 ] = blk->tmp( 64, 16 ); blk->pop( t0 ); - blk->ldd( t0, t0, 0 ); - blk->push( t0 ); + blk->ldd( t1, t0, vtil::make_imm( 0ull ) ); + blk->push( t1 ); } }; } // namespace vm::lifters \ No newline at end of file diff --git a/src/vmlifters/vmexit.cpp b/src/vmlifters/vmexit.cpp index 254e17b..b3eb4a3 100644 --- a/src/vmlifters/vmexit.cpp +++ b/src/vmlifters/vmexit.cpp 
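Review bot: `blk->pop( vtil::REG_SP )` models `vsp = [vsp]` only if VTIL discards the pop's post-load `$sp` adjustment when the destination is `$sp` itself; if it does not, the lifted semantics become `vsp = [vsp] + 8`, whereas the handler matched by the new LVSP profile (`mov rbp, [rbp]`) does nothing beyond the load. A plain load expresses the handler directly and does not depend on that behaviour: `blk->ldd( vtil::REG_SP, vtil::REG_SP, vtil::make_imm( 0ull ) );`, mirroring the `ldd` form read.cpp now uses. Whichever form is kept, a comment noting that this is a direct write to `$sp` (which VTIL presumably treats as a stack-pointer reset, worth confirming) would save the next reader the same question.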
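Review bot: The header comments of all three read lifters, `// pop vregX`, `// ldd vregX, vregX, 0`, `// push vregX`, are now stale: the body pops a 64-bit address into `t0`, loads into a second temporary `t1` of the read width and pushes `t1`, so the value and the address no longer share a register. Updating them to `// pop vregX (64-bit address)`, `// ldd vregY, vregX, 0` and `// push vregY` (with `vregY` sized to the read width) would match the code. The `readq` initializer itself begins above the first hunk, so its opening line is not visible here.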
@@ -4,5 +4,7 @@ namespace vm::lifters { vm::lifters::lifter_t vmexit = { // ret - vm::handler::VMEXIT, []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { blk->vexit(); } }; + vm::handler::VMEXIT, []( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr ) { + blk->vexit( vinstr->trace_data.vsp.qword[ 12 ] ); + } }; } \ No newline at end of file diff --git a/src/vmprofiles/lvsp.cpp b/src/vmprofiles/lvsp.cpp new file mode 100644 index 0000000..5bed39e --- /dev/null +++ b/src/vmprofiles/lvsp.cpp @@ -0,0 +1,16 @@ +#include + +namespace vm::handler::profile +{ + vm::handler::profile_t lvsp = { + // MOV RBP [RBP] + "LVSP", + LVSP, + NULL, + { { []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; +} \ No newline at end of file diff --git a/vmprofiler.vcxproj b/vmprofiler.vcxproj index dd0c3c4..62d20e5 100644 --- a/vmprofiler.vcxproj +++ b/vmprofiler.vcxproj @@ -168,8 +168,11 @@ + + + @@ -183,6 +186,7 @@ + diff --git a/vmprofiler.vcxproj.filters b/vmprofiler.vcxproj.filters index 242966a..d72e456 100644 --- a/vmprofiler.vcxproj.filters +++ b/vmprofiler.vcxproj.filters @@ -285,5 +285,17 @@ Source Files\vmlifters + + Source Files\vmlifters + + + Source Files\vmlifters + + + Source Files\vmlifters + + + Source Files\vmprofiles + \ No newline at end of file
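Review bot: `vinstr->trace_data.vsp.qword[ 12 ]` hard-codes which traced virtual-stack slot holds the exit target with no explanation, so the lifter will silently emit a wrong `vexit` target if the exit handler's pop sequence differs between protected binaries (if the count is fixed for the VMProtect version this targets, the comment should say so). At minimum name the constant and state where 12 comes from, e.g. `// return address sits below the 12 qwords the vmexit handler pops before ret` (with the real derivation), and preferably derive it from the profile's pop count if that is available. If `vsp` is not a fixed-size array, an index that large also wants a bounds check before it is dereferenced.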
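Review bot: The LVSP matcher only checks `mem.base == ZYDIS_REGISTER_RBP`, so `mov rbp, [rbp+8]` or `mov rbp, [rbp+rax*8]` are accepted as well as the `mov rbp, [rbp]` the header comment promises, and a mis-profiled handler then lifts to the wrong stack update. Tightening the predicate with `instr.operands[ 1 ].mem.index == ZYDIS_REGISTER_NONE && instr.operands[ 1 ].mem.disp.value == 0` (and, if the other profiles do so, `instr.operands[ 1 ].size == 64`) pins it to the intended instruction. The `NULL` placeholder in the third field should be `nullptr` in C++17 code.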