updated vmprofiles and vminstrs to add PUSHVSPDW

merge-requests/15/head
_xeroxz 4 years ago
parent b52a4eacbf
commit 34806590fa

@ -14,6 +14,7 @@ namespace vm::handler
INVALID,
LRFLAGS,
PUSHVSP,
PUSHVSPDW,
MULQ,
DIVQ,
CALL,

@ -201,7 +201,7 @@ namespace vm::instrs
{
// there is no branch for this as this is a vmexit...
if ( code_block.vinstrs.back().mnemonic_t == vm::handler::VMEXIT )
return {};
return jcc_data{ false, jcc_type::none };
// find the last LCONSTDW... the imm value is the JMP xor decrypt key...
// we loop backwards here (using rbegin and rend)...
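Review bot: `code_block.vinstrs.back()` on the `if` line is undefined behaviour when `vinstrs` is empty, and nothing in this hunk checks that before the VMEXIT test; if no such guard exists earlier in the function (its signature and opening are above this hunk), add `if ( code_block.vinstrs.empty() ) return jcc_data{ false, jcc_type::none };` ahead of it. The explicit `jcc_data{ false, jcc_type::none }` now appears as the sentinel in at least two places in this function, so a one-line comment at the first one stating which member the `false` initialises and that it means "no conditional branch" would save readers a trip to the struct definition.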
@ -211,6 +211,9 @@ namespace vm::instrs
return profile && profile->mnemonic == vm::handler::LCONSTDW;
} );
if ( result == code_block.vinstrs.rend() )
return jcc_data{ false, jcc_type::none };
jcc_data jcc;
const auto xor_key = static_cast< std::uint32_t >( result->operand.imm.u );
const auto &last_trace = code_block.vinstrs.back().trace_data;

@ -31,4 +31,35 @@ namespace vm::handler::profile
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
} } } };
vm::handler::profile_t pushvspdw = {
// MOV EAX, EBP
// SUB RBP, 0x4
// MOV [RBP], EAX
"PUSHVSPDW",
PUSHVSPDW,
NULL,
{ { // MOV EAX, EBP
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EBP;
},
// SUB RBP, 0x4
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[ 1 ].imm.value.u == 0x4;
},
// MOV [RBP], EAX
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
} } } };
} // namespace vm::handler::profile
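Review bot: The third matcher in `pushvspdw` only checks that the destination memory operand's base is RBP, so a `mov [rbp+disp], eax` with any displacement or index register also satisfies it, which is wider than the `MOV [RBP], EAX` the comment describes and, if the profile matcher compares handler instructions one by one, can misclassify a different handler. Tightening it to `instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_NONE && instr.operands[ 0 ].mem.disp.value == 0 &&` makes the signature match the comment (the neighbouring `pushvsp` profile, whose matchers are above this hunk, appears to have the same looseness). The `NULL` on the line after `PUSHVSPDW` should be `nullptr` in C++ code, assuming that field is a pointer. Please also confirm the new profile is registered in whatever collection the handler matcher iterates over, since that registration is not part of this hunk.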