From 573cc04fc1804ac328b555bb1136d132d858a6fe Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Sun, 22 Aug 2021 02:41:25 -0700
Subject: [PATCH] added/fixed some vmprofiles...

---
 CMakeLists.txt | 1 +
 include/vmprofiles.hpp | 14 ++++++--
 src/vmprofiles/shld.cpp | 4 +--
 src/vmprofiles/shrd.cpp | 74 ++++++++++++++++++++++++++++++++++++++++
 src/vmprofiles/write.cpp | 4 +--
 5 files changed, 90 insertions(+), 7 deletions(-)
 create mode 100644 src/vmprofiles/shrd.cpp

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0089bda..8fe3e49 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -61,6 +61,7 @@ list(APPEND vmprofiler_SOURCES
 "src/vmprofiles/shl.cpp"
 "src/vmprofiles/shld.cpp"
 "src/vmprofiles/shr.cpp"
+ "src/vmprofiles/shrd.cpp"
 "src/vmprofiles/sreg.cpp"
 "src/vmprofiles/vmexit.cpp"
 "src/vmprofiles/write.cpp"
diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp
index ce0d664..984e093 100644
--- a/include/vmprofiles.hpp
+++ b/include/vmprofiles.hpp
@@ -63,6 +63,11 @@ namespace vm::handler
 SHLD_W,
 SHLDB,
 
+ SHRDQ,
+ SHRDW,
+ SHRD_W,
+ SHRDB,
+
 SHRQ,
 SHRW,
 
@@ -139,14 +144,16 @@ namespace vm::handler
 extern vm::handler::profile_t lconstdwsxq;
 extern vm::handler::profile_t lconstwsxq;
 extern vm::handler::profile_t lconstwsxdw;
-
+
 extern vm::handler::profile_t addq;
 extern vm::handler::profile_t adddw;
 extern vm::handler::profile_t addw;
 
 extern vm::handler::profile_t shlq;
 extern vm::handler::profile_t shldw;
+ extern vm::handler::profile_t shlddw;
+ extern vm::handler::profile_t shrddw;
 
 extern vm::handler::profile_t nandq;
 extern vm::handler::profile_t nanddw;
@@ -155,6 +162,7 @@ namespace vm::handler
 
 extern vm::handler::profile_t writeq;
 extern vm::handler::profile_t writedw;
+ extern vm::handler::profile_t writew;
 extern vm::handler::profile_t writeb;
 extern vm::handler::profile_t readq;
 
@@ -185,8 +193,8 @@ namespace vm::handler
 &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw,
 &addq, &adddw, &addw, &popvsp,
- &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw,
- &nandb,
+ &shlq, &shldw, &writeq, &writedw, &writew, &writeb, &nandq, &nanddw,
+ &nandw, &nandb, &shlddw,
diff --git a/src/vmprofiles/shld.cpp b/src/vmprofiles/shld.cpp
index 96f1f4c..005f6a6 100644
--- a/src/vmprofiles/shld.cpp
+++ b/src/vmprofiles/shld.cpp
@@ -21,11 +21,11 @@ namespace vm::handler::profile
 instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
 instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
 },
- // MOV RDX, [RBP+0x4]
+ // MOV EDX, [RBP+0x4]
 []( const zydis_decoded_instr_t &instr ) -> bool {
 return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
 instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
- instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX &&
 instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
 instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
 },
diff --git a/src/vmprofiles/shrd.cpp b/src/vmprofiles/shrd.cpp
new file mode 100644
index 0000000..6ef87fc
--- /dev/null
+++ b/src/vmprofiles/shrd.cpp
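Review bot: `shrddw` is declared `extern` in the preceding hunk of this header and defined in the new src/vmprofiles/shrd.cpp, yet the last `+` line of this hunk appends only `&shlddw` to the pointer list and omits `&shrddw`; if this list is the table the profile matcher walks (its name and closing brace are outside the hunk), the new SHRD profile is never consulted. Append it next to the other new entry: `&nandw, &nandb, &shlddw, &shrddw,`. The enclosing initializer starts and ends outside the hunk.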
@@ -0,0 +1,74 @@
+#include
+
+namespace vm::handler::profile
+{
+ vm::handler::profile_t shrddw = {
+ // MOV EAX, [RBP]
+ // MOV EDX, [RBP+0x4]
+ // MOV CL, [RBP+0x8]
+ // SUB RBP, 0x2
+ // SHRD EAX, EDX, CL
+ // MOV [RBP+0x8], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "SHRDDW",
+ SHRDW,
+ NULL,
+ { { // MOV EAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV EDX, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EDX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
+ },
+ // MOV CL, [RBP+0x8]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8;
+ },
+ // MOV CL, [RBP+0x8]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8;
+ },
+ // SHRD EAX, EDX, CL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHRD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX &&
+ instr.operands[ 2 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 2 ].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
+}
\ No newline at end of file
diff --git a/src/vmprofiles/write.cpp b/src/vmprofiles/write.cpp
index 3ebae73..ca6b139 100644
--- a/src/vmprofiles/write.cpp
+++ b/src/vmprofiles/write.cpp
@@ -87,8 +87,8 @@ namespace vm::handler::profile
 // MOV DX, [RBP+0x8]
 // ADD RBP, 0xA
 // MOV [RAX], DX
- "WRITEB",
- WRITEB,
+ "WRITEBW",
+ WRITEDW,
 NULL,
 { { // MOV RAX, [RBP]
 []( const zydis_decoded_instr_t &instr ) -> bool {
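Review bot: The fourth matcher of `shrddw` (the second lambda commented `// MOV CL, [RBP+0x8]`) is a verbatim copy of the third, whereas the pattern listed in the header comment has `SUB RBP, 0x2` at that position; as written the profile demands two consecutive `MOV CL, [RBP+0x8]` instructions, so a handler laid out as the comment describes never matches and the SUB is never checked. Replace the duplicate with a matcher for the SUB as below (Zydis exposes the immediate through `imm.value.u`). Separately, the `#include` on the first added line shows no header name in this rendering; if the angle-bracketed name was lost in extraction that is cosmetic, otherwise the file does not compile.
```cpp
// … unchanged: first MOV CL, [RBP+0x8] matcher …
// SUB RBP, 0x2
[]( const zydis_decoded_instr_t &instr ) -> bool {
    return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
           instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
           instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
           instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
           instr.operands[ 1 ].imm.value.u == 0x2;
},
// … unchanged: SHRD EAX, EDX, CL matcher and the rest of the table …
```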
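Review bot: The profile's own pattern comment describes a 16-bit write (`MOV DX, [RBP+0x8]` … `MOV [RAX], DX`), but the two `+` lines set the name to `"WRITEBW"` and the mnemonic to `WRITEDW`; if `WRITEDW` is the mnemonic of the dword profile `writedw` declared in vmprofiles.hpp, two profiles now share one mnemonic and any lookup keyed on it cannot distinguish a word write from a dword write. Assuming this is the `writew` profile added to the header in this commit, the name should be word-sized (e.g. `"WRITEW",`) and the mnemonic should be the word-sized enum value, which is not visible in this patch and should be confirmed against the handler enum. The `profile_t` initializer starts and ends outside the hunk.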