diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp index 959386f..57717ea 100644 --- a/include/vmprofiles.hpp +++ b/include/vmprofiles.hpp @@ -75,6 +75,11 @@ namespace vm::handler SHLD_W, SHLDB, + SHRDQ, + SHRDW, + SHRD_W, + SHRDB, + SHRQ, SHRDW, SHRW, @@ -162,10 +167,15 @@ namespace vm::handler extern vm::handler::profile_t shlq; extern vm::handler::profile_t shldw; +<<<<<<< HEAD extern vm::handler::profile_t shlw; extern vm::handler::profile_t shldq; +======= + +>>>>>>> 573cc04fc1804ac328b555bb1136d132d858a6fe extern vm::handler::profile_t shlddw; + extern vm::handler::profile_t shrddw; extern vm::handler::profile_t nandq; extern vm::handler::profile_t nanddw; @@ -174,6 +184,7 @@ namespace vm::handler extern vm::handler::profile_t writeq; extern vm::handler::profile_t writedw; + extern vm::handler::profile_t writew; extern vm::handler::profile_t writeb; extern vm::handler::profile_t readq; @@ -205,8 +216,13 @@ namespace vm::handler &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw, &addw, &addb, &popvsp, +<<<<<<< HEAD &shlq, &shldw, &shlw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw, &nandb, +======= + &shlq, &shldw, &writeq, &writedw, &writew, &writeb, &nandq, &nanddw, + &nandw, &nandb, +>>>>>>> 573cc04fc1804ac328b555bb1136d132d858a6fe &shlddw, &shldq, diff --git a/src/vmprofiles/shld.cpp b/src/vmprofiles/shld.cpp index 621bc55..e0e97d0 100644 --- a/src/vmprofiles/shld.cpp +++ b/src/vmprofiles/shld.cpp 
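Review bot: The enumeration now names `SHRDW` twice — once in the newly inserted `SHRDQ, SHRDW, SHRD_W, SHRDB` run and once in the pre-existing `SHRQ, SHRDW, SHRW` run two lines below — and a repeated enumerator in one enum is a redeclaration error, so the header no longer compiles. The existing `SHRDW` reads as the SHR-dword sibling of `SHLDW`, while the new one is meant as the SHRD-dword member of the SHLD-style family (`SHLD_W`, `SHLDB`), so the new entry should take whatever name the dword SHLD enumerator uses (e.g. `SHRDDW`), and the new `shrddw` profile in src/vmprofiles/shrd.cpp should reference that name instead of `SHRDW`.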
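Review bot: Unresolved merge-conflict markers (`<<<<<<< HEAD`, `=======`, `>>>>>>> 573cc04fc1804ac328b555bb1136d132d858a6fe`) are committed into the extern declaration block, so the header does not parse at all. The HEAD side declares `shlw` and `shldq`, both of which the profile table later in this same file takes the address of, while the incoming side is empty; the resolution is to keep `extern vm::handler::profile_t shlw;` and `extern vm::handler::profile_t shldq;` and delete the three marker lines.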
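Review bot: The profile table also carries unresolved conflict markers; the two sides differ only in that HEAD has `&shlw` and the incoming side has `&writew`, so the merged initializer should contain both, e.g. `&shlq, &shldw, &shlw, &writeq, &writedw, &writew, &writeb, &nandq, &nanddw, &nandw, &nandb,`. Separately, the commit declares `extern vm::handler::profile_t shrddw;` but, as far as the hunks of this file show, never adds `&shrddw` to this table, so the new SHRD profile would never be consulted during handler matching — add it beside `&shlddw` when resolving the conflict.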
@@ -81,11 +81,11 @@ namespace vm::handler::profile instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; }, - // MOV RDX, [RBP+0x4] + // MOV EDX, [RBP+0x4] []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && - instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX && instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4; }, diff --git a/src/vmprofiles/shrd.cpp b/src/vmprofiles/shrd.cpp index e69de29..6ef87fc 100644 --- a/src/vmprofiles/shrd.cpp +++ b/src/vmprofiles/shrd.cpp 
@@ -0,0 +1,74 @@
+#include
+
+namespace vm::handler::profile
+{
+ vm::handler::profile_t shrddw = {
+ // MOV EAX, [RBP]
+ // MOV EDX, [RBP+0x4]
+ // MOV CL, [RBP+0x8]
+ // SUB RBP, 0x2
+ // SHRD EAX, EDX, CL
+ // MOV [RBP+0x8], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "SHRDDW",
+ SHRDW,
+ NULL,
+ { { // MOV EAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV EDX, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
+ },
+ // MOV CL, [RBP+0x8]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8;
+ },
+ // MOV CL, [RBP+0x8]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8;
+ },
+ // SHRD EAX, EDX, CL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX &&
+ instr.operands[ 2 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 2 ].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
+}
\ No newline at end of file
diff --git a/src/vmprofiles/write.cpp b/src/vmprofiles/write.cpp
index 3ebae73..ca6b139 100644
--- a/src/vmprofiles/write.cpp
+++ b/src/vmprofiles/write.cpp
@@ -87,8 +87,8 @@ namespace vm::handler::profile
 // MOV DX, [RBP+0x8]
 // ADD RBP, 0xA
 // MOV [RAX], DX
- "WRITEB",
- WRITEB,
+ "WRITEBW",
+ WRITEDW,
 NULL,
 { { // MOV RAX, [RBP]
 []( const zydis_decoded_instr_t &instr ) -> bool {
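Review bot: The matcher list of `shrddw` disagrees with the instruction sequence in its own header comment: the fourth predicate is a verbatim second copy of the `MOV CL, [RBP+0x8]` check and there is no predicate at all for `SUB RBP, 0x2`, so if predicates are applied to the handler's instructions in order, the fourth instruction (the SUB) fails the MOV CL test and this profile can never match. Replace the duplicate with a SUB matcher as below, keeping the eight-entry shape so the comment, the matchers and the handler stay aligned. The mnemonic field `SHRDW` also appears to name the pre-existing SHR-dword enumerator in vmprofiles.hpp rather than a new SHRD-dword one, which is worth confirming against the header. The `#include` on the first line carries no header name here — possibly lost in extraction — so confirm the committed file actually includes the profiles header.
```cpp
// … unchanged: MOV EAX, MOV EDX and the first MOV CL matchers …
// SUB RBP, 0x2
[]( const zydis_decoded_instr_t &instr ) -> bool {
    return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
           instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
           instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
           instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
           instr.operands[ 1 ].imm.value.u == 0x2;
},
// … unchanged: SHRD, MOV [RBP+0x8], PUSHFQ and POP matchers …
```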