added CALL virtual instruction

4 years ago · 2a934fd61f
parent 145251c09a
commit 2a934fd61f
2 changed files with 47 additions and 4 deletions
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@ -35,6 +35,7 @@ namespace vm
            SHRQ,
            MULQ,
            DIVQ,
+            CALL,
            JMP,
            VMEXIT,

@ -149,6 +150,7 @@ namespace vm
            extern vm::handler::profile_t readq;
            extern vm::handler::profile_t readdw;

+            extern vm::handler::profile_t call;
            extern vm::handler::profile_t shrq;
            extern vm::handler::profile_t pushvsp;
            extern vm::handler::profile_t mulq;
@ -158,11 +160,12 @@ namespace vm
            extern vm::handler::profile_t vmexit;

            inline std::vector< vm::handler::profile_t * > all = {
-                &sregq,      &sregdw,      &sregw,      &lregq,    &lregdw,  &lconstq, &lconstbzxw, &lconstbsxdw,
-                &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq,    &adddw,   &shlq,       &shldw,
-                &writeq,     &writedw,     &nandq,      &nanddw,
+                &sregq,       &sregdw,     &sregw,       &lregq,      &lregdw,   &lconstq, &lconstbzxw,
+                &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq,    &adddw,
+                &shlq,        &shldw,      &writeq,      &writedw,    &nandq,    &nanddw,

-                &shrq,       &readq,       &readdw,     &mulq,     &pushvsp, &divq,    &jmp,        &vmexit };
+                &shrq,        &readq,      &readdw,      &mulq,       &pushvsp,  &divq,    &jmp,
+                &vmexit,      &call };
        } // namespace profile
    }     // namespace handler
 } // namespace vm
--- a/src/vmprofiles/call.cpp
+++ b/src/vmprofiles/call.cpp
@ -0,0 +1,40 @@
+#include "../../include/vmprofiler.hpp"
+
+namespace vm
+{
+    namespace handler
+    {
+        namespace profile
+        {
+            vm::handler::profile_t call = {
+                // MOV RDX, [RBP]
+                // ADD RBP, 0x8
+                // CALL RDX
+                "CALL",
+                CALL,
+                NULL,
+                { { // MOV RDX, [RBP]
+                    []( const zydis_decoded_instr_t &instr ) -> bool {
+                        return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+                               instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                               instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX &&
+                               instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                               instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+                    },
+                    // ADD RBP, 0x8
+                    []( const zydis_decoded_instr_t &instr ) -> bool {
+                        return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+                               instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                               instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+                               instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+                               instr.operands[ 1 ].imm.value.u == 0x8;
+                    },
+                    // CALL RDX
+                    []( const zydis_decoded_instr_t &instr ) -> bool {
+                        return instr.mnemonic == ZYDIS_MNEMONIC_CALL &&
+                               instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                               instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX;
+                    } } } };
+        }
+    } // namespace handler
+} // namespace vm