From 6e545e452f4dd3d4caf2445b48de213cca85cc00 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Thu, 26 Aug 2021 16:43:14 -0700 Subject: [PATCH] added more vmprofiles and also reverted changes to vmlocate.cpp --- CMakeLists.txt | 1 + include/vmprofiles.hpp | 38 +++++++++++++++++++------ src/vmlocate.cpp | 34 ++++++---------------- src/vmprofiles/add.cpp | 41 +++++++++++++++++++++++++++ src/vmprofiles/lreg.cpp | 1 - src/vmprofiles/shl.cpp | 63 +++++++++++++++++++++++++++++++++++++++-- src/vmprofiles/shld.cpp | 62 +++++++++++++++++++++++++++++++++++++++- src/vmprofiles/shr.cpp | 59 ++++++++++++++++++++++++++++++++++++++ src/vmprofiles/shrd.cpp | 0 src/vmprofiles/sreg.cpp | 34 ++++++++++++++++++++++ 10 files changed, 294 insertions(+), 39 deletions(-) create mode 100644 src/vmprofiles/shrd.cpp diff --git a/CMakeLists.txt b/CMakeLists.txt index 0089bda..8fe3e49 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -61,6 +61,7 @@ list(APPEND vmprofiler_SOURCES "src/vmprofiles/shl.cpp" "src/vmprofiles/shld.cpp" "src/vmprofiles/shr.cpp" + "src/vmprofiles/shrd.cpp" "src/vmprofiles/sreg.cpp" "src/vmprofiles/vmexit.cpp" "src/vmprofiles/write.cpp" diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp index ce0d664..959386f 100644 --- a/include/vmprofiles.hpp +++ b/include/vmprofiles.hpp @@ -20,15 +20,23 @@ namespace vm::handler VMEXIT, POPVSP, + READCR3, + WRITECR3, + READCR8, + WRITECR8, + PUSHVSP, PUSHVSPDW, SREGQ, SREGDW, SREGW, + SREGB, LREGQ, LREGDW, + LREGW, + LREGB, LCONSTQ, LCONSTBZXW, @@ -47,6 +55,7 @@ namespace vm::handler READB, WRITEQ, + WRITEGSQ, WRITEDW, WRITEW, WRITEB, @@ -54,9 +63,12 @@ namespace vm::handler ADDQ, ADDDW, ADDW, + ADDB, SHLQ, SHLDW, + SHLW, + SHLB, SHLDQ, SHLDDW, @@ -64,7 +76,9 @@ namespace vm::handler SHLDB, SHRQ, + SHRDW, SHRW, + SHRB, NANDQ, NANDDW, 
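Review bot: The new `"src/vmprofiles/shrd.cpp"` entry in the `vmprofiler_SOURCES` list points at a file that this same commit creates empty (diffstat `src/vmprofiles/shrd.cpp | 0`, blob `0000000..e69de29`), so it compiles to an empty translation unit and a reader of the source list will look for SHRD profiles that do not exist yet. Either hold the entry until the profiles are written or give the file a one-line placeholder naming what is pending, e.g. `// TODO: SHRD handler profiles, same layout as shld.cpp`, so the empty file is clearly intentional.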
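Review bot: The enumerators READCR3, WRITECR3, READCR8, WRITECR8, LREGW and LREGB added in the -20 hunk, WRITEGSQ in -47, SHLB in -54 and SHRB in -64 have no matching `profile_t` declaration and no entry in `profile::all`; the declaration hunks in this header (-125, -139, -164) and the `all` hunk (-181) only add sregb, addb, shlw, shldq and shrdw. That is fine as a forward reservation, but anything that resolves a handler by scanning `all` can never yield these values, so they should be marked so they are not read as supported handlers, e.g. `// reserved: no profile defined yet, not present in profile::all` above the first such group, or grouped at the end of the enum under one such comment. If an existing consumer does a lookup keyed on the enumerator and dereferences the result without a null check, the unprofiled values would turn a miss into a crash, which I cannot verify from this header alone.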
@@ -125,6 +139,7 @@ namespace vm::handler extern vm::handler::profile_t sregq; extern vm::handler::profile_t sregdw; extern vm::handler::profile_t sregw; + extern vm::handler::profile_t sregb; extern vm::handler::profile_t lregq; extern vm::handler::profile_t lregdw; @@ -139,13 +154,17 @@ namespace vm::handler extern vm::handler::profile_t lconstdwsxq; extern vm::handler::profile_t lconstwsxq; extern vm::handler::profile_t lconstwsxdw; - + extern vm::handler::profile_t addq; extern vm::handler::profile_t adddw; extern vm::handler::profile_t addw; + extern vm::handler::profile_t addb; extern vm::handler::profile_t shlq; extern vm::handler::profile_t shldw; + extern vm::handler::profile_t shlw; + + extern vm::handler::profile_t shldq; extern vm::handler::profile_t shlddw; extern vm::handler::profile_t nandq; @@ -164,6 +183,7 @@ namespace vm::handler extern vm::handler::profile_t readb; extern vm::handler::profile_t shrq; + extern vm::handler::profile_t shrdw; extern vm::handler::profile_t shrw; extern vm::handler::profile_t pushvsp; 
@@ -181,16 +201,16 @@ namespace vm::handler /// a vector of pointers to all defined vm handler profiles... /// inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, - &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw, - &addw, &popvsp, + &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw, + &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, + &adddw, &addw, &addb, &popvsp, - &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw, - &nandb, + &shlq, &shldw, &shlw, &writeq, &writedw, &writeb, &nandq, &nanddw, + &nandw, &nandb, - &shlddw, + &shlddw, &shldq, - &shrq, &shrw, &readgsq, &readq, &readdw, &readw, &readb, &mulq, - &pushvsp, &pushvspdw, &divq, &jmp, &lflagsq, &vmexit, &call }; + &shrq, &shrdw, &shrw, &readgsq, &readq, &readdw, &readw, &readb, + &mulq, &pushvsp, &pushvspdw, &divq, &jmp, &lflagsq, &vmexit, &call }; } // namespace profile } // namespace vm::handler \ No newline at end of file diff --git a/src/vmlocate.cpp b/src/vmlocate.cpp index 9e6f3f7..7a64720 100644 --- a/src/vmlocate.cpp +++ b/src/vmlocate.cpp 
@@ -186,34 +186,16 @@ namespace vm::locate
 if ( !found_valid_jmp )
 return false;
 
- // find the first PUSH IMM (encrypted RVA to virtual instructions...)
- auto first_push = std::find_if( instr_stream.begin(), instr_stream.end(),
- [ & ]( const zydis_decoded_instr_t &instr ) -> bool {
- return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
- instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
- } );
-
- if ( first_push == instr_stream.end() )
+ // second instruction in the flattened stream should be a push...
+ // this is also an optimization so we dont have to hit that 0^2 std::find_if every time...
+ if ( instr_stream[ 1 ].mnemonic != ZYDIS_MNEMONIC_PUSH )
 return false;
 
- // find the second PUSH IMM...
- auto second_push =
- std::find_if( first_push + 1, instr_stream.end(), [ & ]( const zydis_decoded_instr_t &instr ) -> bool {
- return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
- instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
- } );
-
- if ( second_push == instr_stream.end() )
- return false;
-
- // if there is a third push IMM then we have an invalid instruction stream...
- auto third_push =
- std::find_if( second_push + 1, instr_stream.end(), [ & ]( const zydis_decoded_instr_t &instr ) -> bool {
- return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
- instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
- } );
-
- if ( third_push != instr_stream.end() )
+ if ( std::find_if( instr_stream.begin() + 1, instr_stream.end(),
+ [ & ]( const ZydisDecodedInstruction &instr ) {
+ return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
+ } ) == instr_stream.end() )
 return false;
 
 // scan over the instruction stream to see if it contains an lea r12, xxxx which is a known vm handler table
diff --git a/src/vmprofiles/add.cpp b/src/vmprofiles/add.cpp
index 06e35a9..064426c 100644
--- a/src/vmprofiles/add.cpp
+++ b/src/vmprofiles/add.cpp
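Review bot: `instr_stream[ 1 ].mnemonic` is read before anything in the hunk establishes that the stream holds at least two entries, so a candidate that decodes to a single instruction (or none) reads out of bounds where the replaced `std::find_if` version could not; since the stream comes from decoding an untrusted binary, that is a crash or worse on malformed input rather than a clean `return false`. The guard should be `if ( instr_stream.size() < 2 || instr_stream[ 1 ].mnemonic != ZYDIS_MNEMONIC_PUSH ) return false;` (assuming `instr_stream` is a standard sequence container, which its `begin()`/`end()` use suggests). Note also that the following `std::find_if` starts at `instr_stream.begin() + 1`, so when element 1 is itself a PUSH IMM it satisfies this search too, and the stream is no longer required to contain a second immediate push or to lack a third one as the removed code required; if that tightening was intentional it deserves a comment, because the check is now weaker than the comment above it implies. The comment's `0^2` presumably means O(n²), but a single `find_if` is linear, and the lambda spells the type as `ZydisDecodedInstruction` where the removed code and the rest of this file use the `zydis_decoded_instr_t` alias. The enclosing function begins and ends outside this hunk.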
@@ -115,4 +115,45 @@ namespace vm::handler::profile
 return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
 instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
 } } } };
+
+ vm::handler::profile_t addb = {
+ // MOV AL, [RBP]
+ // SUB RBP, 0x6
+ // ADD [RBP+8], AL
+ // PUSHFQ
+ // POP [RBP]
+ "ADDB",
+ ADDB,
+ NULL,
+ { { // MOV AX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // SUB RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // ADD [RBP+8], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AL;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
 } // namespace vm::handler::profile
\ No newline at end of file
diff --git a/src/vmprofiles/lreg.cpp b/src/vmprofiles/lreg.cpp
index eb9ed7c..8bec0f1 100644
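Review bot: The inline matcher comments in the new `addb` profile were copied from the word variant and disagree with the predicates under them: `{ { // MOV AX, [RBP]` precedes a check for `ZYDIS_REGISTER_AL`, and `// ADD [RBP+8], AX` precedes a check for `AL`; they should read `// MOV AL, [RBP]` and `// ADD [RBP+8], AL`, matching the sequence listed at the top of the profile. The same drift is in the `shlw` profile added to shl.cpp (hunk -119): its header lists `// SHL EAX, CL` and `// MOV [RBP+0x8], EAX`, and the matcher labels `{ { // MOV EAX, [RBP]` and `// MOV CL, [RBP+0x4]`, while the predicates check `AX` and `mem.disp.value == 0x2`, so those should become `// SHL AX, CL`, `// MOV [RBP+0x8], AX`, `// MOV AX, [RBP]` and `// MOV CL, [RBP+0x2]`. Matching is done by the predicates, so this is harmless at runtime, but the listings are what a reviewer compares against a real handler, and stale ones hide a wrong predicate.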
--- a/src/vmprofiles/lreg.cpp
+++ b/src/vmprofiles/lreg.cpp
@@ -37,7 +37,6 @@ namespace vm::handler::profile
 } } } };
 
 vm::handler::profile_t lregdw = {
- // MOVZX AL, [RSI]
 // MOV RDX, [RAX + RDI]
 // SUB RBP, 0x4
 // MOV [RBP], EDX
diff --git a/src/vmprofiles/shl.cpp b/src/vmprofiles/shl.cpp
index fd8ad94..25bf0ea 100644
--- a/src/vmprofiles/shl.cpp
+++ b/src/vmprofiles/shl.cpp
@@ -69,8 +69,8 @@ namespace vm::handler::profile
 // MOV [RBP+0x8], EAX
 // PUSHFQ
 // POP [RBP]
- "SHLQ",
- SHLQ,
+ "SHLDW",
+ SHLDW,
 NULL,
 { { // MOV EAX, [RBP]
 []( const zydis_decoded_instr_t &instr ) -> bool {
@@ -119,4 +119,63 @@ namespace vm::handler::profile
 return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
 instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
 } } } };
+
+ vm::handler::profile_t shlw = {
+ // MOV AX, [RBP]
+ // MOV CL, [RBP+0x2]
+ // SUB RBP, 0x6
+ // SHL EAX, CL
+ // MOV [RBP+0x8], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "SHLW",
+ SHLW,
+ NULL,
+ { { // MOV EAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV CL, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x2;
+ },
+ // SUB RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // SHL AX, CL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHL &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
 } // namespace vm::handler::profile
\ No newline at end of file
diff --git a/src/vmprofiles/shld.cpp b/src/vmprofiles/shld.cpp
index 96f1f4c..621bc55 100644
--- a/src/vmprofiles/shld.cpp
+++ b/src/vmprofiles/shld.cpp
@@ -2,6 +2,66 @@ namespace vm::handler::profile { + vm::handler::profile_t shldq = { + // MOV RAX, [RBP] + // MOV RDX, [RBP+0x8] + // MOV CL, [RBP+0x10] + // SHLD RAX, RDX, CL + // MOV [RBP+0x8], RAX + // PUSHFQ + // POP [RBP] + "SHLDQ", + SHLDQ, + NULL, + { { // MOV RAX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV RDX, [RBP+0x8] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8; + }, + // MOV CL, [RBP+0x10] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x10; + }, + // SHLD RAX, RDX, CL + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SHLD && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RDX && + instr.operands[ 2 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 2 ].reg.value == ZYDIS_REGISTER_CL; + }, + // MOV [RBP+0x8], RAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return 
instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; + }, // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; + vm::handler::profile_t shlddw = { // MOV EAX, [RBP] // MOV RDX, [RBP+0x4] @@ -61,4 +121,4 @@ namespace vm::handler::profile return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; } } } }; -} \ No newline at end of file +} // namespace vm::handler::profile \ No newline at end of file diff --git a/src/vmprofiles/shr.cpp b/src/vmprofiles/shr.cpp index f728fe4..fbcc898 100644 --- a/src/vmprofiles/shr.cpp +++ b/src/vmprofiles/shr.cpp 
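Review bot: In the new `shldq` profile the `// PUSHFQ` label rides on the closing line of the preceding matcher (`}, // PUSHFQ`), whereas every other profile in this commit puts that comment on its own line before the lambda; split it into `},` followed by `// PUSHFQ` on the next line so the listing scans the same way as its neighbours. The header of this profile lists no stack-pointer adjustment between the three loads and the `MOV [RBP+0x8], RAX` store, while the shift profiles added alongside it (shlw, shrdw) carry a `SUB RBP, 0x6` step; if the real handler adjusts RBP and matching requires consecutive instructions, that step would go unmatched here, so it is worth confirming against a sample before the profile is relied on.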
@@ -61,6 +61,65 @@ namespace vm::handler::profile
 instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
 } } } };
 
+ vm::handler::profile_t shrdw = {
+ // MOV EAX, [RBP]
+ // MOV CL, [RBP+0x4]
+ // SUB RBP, 0x6
+ // SHR EAX, CL
+ // MOV [RBP+0x8], EAX
+ // PUSHFQ
+ // POP [RBP]
+ "SHRDW",
+ SHRDW,
+ NULL,
+ { { // MOV EAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV CL, [RBP+0x4]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
+ },
+ // SUB RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // SHR EAX, CL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHR &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 0 ].mem.disp.value == 0x8 &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ },
+ // PUSHFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
+ // POP [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ } } } };
+
 vm::handler::profile_t shrw = {
 // MOV AX, [RBP]
 // MOV CL, [RBP+0x2]
diff --git a/src/vmprofiles/shrd.cpp b/src/vmprofiles/shrd.cpp
new file mode 100644
index 0000000..e69de29
diff --git a/src/vmprofiles/sreg.cpp b/src/vmprofiles/sreg.cpp
index 8883226..60db3ea 100644
--- a/src/vmprofiles/sreg.cpp
+++ b/src/vmprofiles/sreg.cpp
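Review bot: The identifier `shrdw`/`"SHRDW"` reads as "SHRD, word" at a glance, yet the profile is the dword form of a plain shift (`ZYDIS_MNEMONIC_SHR` on `EAX`), and this same commit introduces `src/vmprofiles/shrd.cpp` for the double-precision shift; the existing `SHLDW` (shl.cpp) versus `SHLDDW`/`SHLDQ` (shld.cpp) pair shows the ambiguity is already baked into the naming scheme. A one-line comment above the definition would prevent misreads, e.g. `// SHR on a 32-bit operand (SHR dword), not SHRD; double-precision shifts live in shld.cpp/shrd.cpp`. A clearer enumerator would be better still, but renaming now would ripple through vmprofiles.hpp and `profile::all`, so the comment is the cheap fix.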
@@ -102,4 +102,38 @@ namespace vm::handler::profile
 instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
 instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_DX;
 } } } };
+
+ vm::handler::profile_t sregb = {
+ // MOV DX, [RBP]
+ // ADD RBP, 0x2
+ // MOV [RAX+RDI], DL
+ "SREGB",
+ SREGB,
+ 8,
+ { { // MOV DX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_DX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // ADD RBP, 0x2
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x2;
+ },
+ // MOV [RAX+RDI], DL or MOV [RDI+RAX], DL
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ ( instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RAX ||
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RDI ) &&
+ ( instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_RDI ||
+ instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_RAX ) &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_DL;
+ } } } };
 } // namespace vm::handler::profile
\ No newline at end of file
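Review bot: The final matcher of `sregb` accepts any base in {RAX, RDI} combined with any index in {RDI, RAX}, so `[RAX+RAX]` and `[RDI+RDI]` also pass even though the comment only intends `[RAX+RDI]` or `[RDI+RAX]`; the sibling sreg profiles above are cut off by the hunk, so I cannot tell whether they share this looseness. If the exact form matters, check the two pairs explicitly: `( ( instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RAX && instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_RDI ) || ( instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RDI && instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_RAX ) ) &&`. The profile also passes `8` as the third field where the other profiles in this commit pass `NULL`; a short comment on what that field means (presumably an immediate or operand width in bits, to be confirmed against `profile_t`) would help, since nothing at this site explains the value.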