vmp2
/
vmprofiler
3
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

added more vmprofiles and also reverted changes to vmlocate.cpp

Browse Source
merge-requests/18/merge
_xeroxz 3 years ago
parent b6862d5218
commit 6e545e452f
10 changed files with 294 additions and 39 deletions
Show Stats Download Patch File Download Diff File

1
CMakeLists.txt
Unescape View File

@ -61,6 +61,7 @@ list(APPEND vmprofiler_SOURCES
"src/vmprofiles/shl.cpp" "src/vmprofiles/shl.cpp"
"src/vmprofiles/shld.cpp" "src/vmprofiles/shld.cpp"
"src/vmprofiles/shr.cpp" "src/vmprofiles/shr.cpp"
"src/vmprofiles/shrd.cpp"
"src/vmprofiles/sreg.cpp" "src/vmprofiles/sreg.cpp"
"src/vmprofiles/vmexit.cpp" "src/vmprofiles/vmexit.cpp"
"src/vmprofiles/write.cpp" "src/vmprofiles/write.cpp"

38
include/vmprofiles.hpp
Unescape View File

@ -20,15 +20,23 @@ namespace vm::handler
VMEXIT, VMEXIT,
POPVSP, POPVSP,
READCR3,
WRITECR3,
READCR8,
WRITECR8,
PUSHVSP, PUSHVSP,
PUSHVSPDW, PUSHVSPDW,
SREGQ, SREGQ,
SREGDW, SREGDW,
SREGW, SREGW,
SREGB,
LREGQ, LREGQ,
LREGDW, LREGDW,
LREGW,
LREGB,
LCONSTQ, LCONSTQ,
LCONSTBZXW, LCONSTBZXW,
@ -47,6 +55,7 @@ namespace vm::handler
READB, READB,
WRITEQ, WRITEQ,
WRITEGSQ,
WRITEDW, WRITEDW,
WRITEW, WRITEW,
WRITEB, WRITEB,
@ -54,9 +63,12 @@ namespace vm::handler
ADDQ, ADDQ,
ADDDW, ADDDW,
ADDW, ADDW,
ADDB,
SHLQ, SHLQ,
SHLDW, SHLDW,
SHLW,
SHLB,
SHLDQ, SHLDQ,
SHLDDW, SHLDDW,
@ -64,7 +76,9 @@ namespace vm::handler
SHLDB, SHLDB,
SHRQ, SHRQ,
SHRDW,
SHRW, SHRW,
SHRB,
NANDQ, NANDQ,
NANDDW, NANDDW,
@ -125,6 +139,7 @@ namespace vm::handler
extern vm::handler::profile_t sregq; extern vm::handler::profile_t sregq;
extern vm::handler::profile_t sregdw; extern vm::handler::profile_t sregdw;
extern vm::handler::profile_t sregw; extern vm::handler::profile_t sregw;
extern vm::handler::profile_t sregb;
extern vm::handler::profile_t lregq; extern vm::handler::profile_t lregq;
extern vm::handler::profile_t lregdw; extern vm::handler::profile_t lregdw;
@ -139,13 +154,17 @@ namespace vm::handler
extern vm::handler::profile_t lconstdwsxq; extern vm::handler::profile_t lconstdwsxq;
extern vm::handler::profile_t lconstwsxq; extern vm::handler::profile_t lconstwsxq;
extern vm::handler::profile_t lconstwsxdw; extern vm::handler::profile_t lconstwsxdw;
extern vm::handler::profile_t addq; extern vm::handler::profile_t addq;
extern vm::handler::profile_t adddw; extern vm::handler::profile_t adddw;
extern vm::handler::profile_t addw; extern vm::handler::profile_t addw;
extern vm::handler::profile_t addb;
extern vm::handler::profile_t shlq; extern vm::handler::profile_t shlq;
extern vm::handler::profile_t shldw; extern vm::handler::profile_t shldw;
extern vm::handler::profile_t shlw;
extern vm::handler::profile_t shldq;
extern vm::handler::profile_t shlddw; extern vm::handler::profile_t shlddw;
extern vm::handler::profile_t nandq; extern vm::handler::profile_t nandq;
@ -164,6 +183,7 @@ namespace vm::handler
extern vm::handler::profile_t readb; extern vm::handler::profile_t readb;
extern vm::handler::profile_t shrq; extern vm::handler::profile_t shrq;
extern vm::handler::profile_t shrdw;
extern vm::handler::profile_t shrw; extern vm::handler::profile_t shrw;
extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t pushvsp;
@ -181,16 +201,16 @@ namespace vm::handler
/// a vector of pointers to all defined vm handler profiles... /// a vector of pointers to all defined vm handler profiles...
/// </summary> /// </summary>
inline std::vector< vm::handler::profile_t * > all = { inline std::vector< vm::handler::profile_t * > all = {
&sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw,
&lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, &adddw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq,
&addw, &popvsp, &adddw, &addw, &addb, &popvsp,
&shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw, &shlq, &shldw, &shlw, &writeq, &writedw, &writeb, &nandq, &nanddw,
&nandb, &nandw, &nandb,
&shlddw, &shlddw, &shldq,
&shrq, &shrw, &readgsq, &readq, &readdw, &readw, &readb, &mulq, &shrq, &shrdw, &shrw, &readgsq, &readq, &readdw, &readw, &readb,
&pushvsp, &pushvspdw, &divq, &jmp, &lflagsq, &vmexit, &call }; &mulq, &pushvsp, &pushvspdw, &divq, &jmp, &lflagsq, &vmexit, &call };
} // namespace profile } // namespace profile
} // namespace vm::handler } // namespace vm::handler

34
src/vmlocate.cpp
Unescape View File

@ -186,34 +186,16 @@ namespace vm::locate
if ( !found_valid_jmp ) if ( !found_valid_jmp )
return false; return false;
// find the first PUSH IMM (encrypted RVA to virtual instructions...) // second instruction in the flattened stream should be a push...
auto first_push = std::find_if( instr_stream.begin(), instr_stream.end(), // this is also an optimization so we dont have to hit that 0^2 std::find_if every time...
[ & ]( const zydis_decoded_instr_t &instr ) -> bool { if ( instr_stream[ 1 ].mnemonic != ZYDIS_MNEMONIC_PUSH )
return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
} );
if ( first_push == instr_stream.end() )
return false; return false;
// find the second PUSH IMM... if ( std::find_if( instr_stream.begin() + 1, instr_stream.end(),
auto second_push = [ & ]( const ZydisDecodedInstruction &instr ) {
std::find_if( first_push + 1, instr_stream.end(), [ & ]( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
return instr.mnemonic == ZYDIS_MNEMONIC_PUSH && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE; } ) == instr_stream.end() )
} );
if ( second_push == instr_stream.end() )
return false;
// if there is a third push IMM then we have an invalid instruction stream...
auto third_push =
std::find_if( second_push + 1, instr_stream.end(), [ & ]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE;
} );
if ( third_push != instr_stream.end() )
return false; return false;
// scan over the instruction stream to see if it contains an lea r12, xxxx which is a known vm handler table // scan over the instruction stream to see if it contains an lea r12, xxxx which is a known vm handler table

41
src/vmprofiles/add.cpp
Unescape View File

@ -115,4 +115,45 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } }; } } } };
vm::handler::profile_t addb = {
// MOV AL, [RBP]
// SUB RBP, 0x6
// ADD [RBP+8], AL
// PUSHFQ
// POP [RBP]
"ADDB",
ADDB,
NULL,
{ { // MOV AX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AL &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
},
// SUB RBP, 0x6
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[ 1 ].imm.value.u == 0x6;
},
// ADD [RBP+8], AX
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_ADD && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
instr.operands[ 0 ].mem.disp.value == 0x8 &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AL;
},
// PUSHFQ
[]( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
// POP [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
} // namespace vm::handler::profile } // namespace vm::handler::profile

1
src/vmprofiles/lreg.cpp
Unescape View File

@ -37,7 +37,6 @@ namespace vm::handler::profile
} } } }; } } } };
vm::handler::profile_t lregdw = { vm::handler::profile_t lregdw = {
// MOVZX AL, [RSI]
// MOV RDX, [RAX + RDI] // MOV RDX, [RAX + RDI]
// SUB RBP, 0x4 // SUB RBP, 0x4
// MOV [RBP], EDX // MOV [RBP], EDX

63
src/vmprofiles/shl.cpp
Unescape View File

@ -69,8 +69,8 @@ namespace vm::handler::profile
// MOV [RBP+0x8], EAX // MOV [RBP+0x8], EAX
// PUSHFQ // PUSHFQ
// POP [RBP] // POP [RBP]
"SHLQ", "SHLDW",
SHLQ, SHLDW,
NULL, NULL,
{ { // MOV EAX, [RBP] { { // MOV EAX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool { []( const zydis_decoded_instr_t &instr ) -> bool {
@ -119,4 +119,63 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } }; } } } };
vm::handler::profile_t shlw = {
// MOV AX, [RBP]
// MOV CL, [RBP+0x2]
// SUB RBP, 0x6
// SHL EAX, CL
// MOV [RBP+0x8], EAX
// PUSHFQ
// POP [RBP]
"SHLW",
SHLW,
NULL,
{ { // MOV EAX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
},
// MOV CL, [RBP+0x4]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x2;
},
// SUB RBP, 0x6
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[ 1 ].imm.value.u == 0x6;
},
// SHL AX, CL
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHL &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL;
},
// MOV [RBP+0x8], AX
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
instr.operands[ 0 ].mem.disp.value == 0x8 &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
},
// PUSHFQ
[]( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
// POP [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
} // namespace vm::handler::profile } // namespace vm::handler::profile

62
src/vmprofiles/shld.cpp
Unescape View File

@ -2,6 +2,66 @@
namespace vm::handler::profile namespace vm::handler::profile
{ {
vm::handler::profile_t shldq = {
// MOV RAX, [RBP]
// MOV RDX, [RBP+0x8]
// MOV CL, [RBP+0x10]
// SHLD RAX, RDX, CL
// MOV [RBP+0x8], RAX
// PUSHFQ
// POP [RBP]
"SHLDQ",
SHLDQ,
NULL,
{ { // MOV RAX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
},
// MOV RDX, [RBP+0x8]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x8;
},
// MOV CL, [RBP+0x10]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x10;
},
// SHLD RAX, RDX, CL
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHLD &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RDX &&
instr.operands[ 2 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 2 ].reg.value == ZYDIS_REGISTER_CL;
},
// MOV [RBP+0x8], RAX
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
instr.operands[ 0 ].mem.disp.value == 0x8 &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
}, // PUSHFQ
[]( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
// POP [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
vm::handler::profile_t shlddw = { vm::handler::profile_t shlddw = {
// MOV EAX, [RBP] // MOV EAX, [RBP]
// MOV RDX, [RBP+0x4] // MOV RDX, [RBP+0x4]
@ -61,4 +121,4 @@ namespace vm::handler::profile
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } }; } } } };
} } // namespace vm::handler::profile

59
src/vmprofiles/shr.cpp
Unescape View File

@ -61,6 +61,65 @@ namespace vm::handler::profile
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } }; } } } };
vm::handler::profile_t shrdw = {
// MOV EAX, [RBP]
// MOV CL, [RBP+0x4]
// SUB RBP, 0x6
// SHR EAX, CL
// MOV [RBP+0x8], EAX
// PUSHFQ
// POP [RBP]
"SHRDW",
SHRDW,
NULL,
{ { // MOV EAX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
},
// MOV CL, [RBP+0x4]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && instr.operands[ 1 ].mem.disp.value == 0x4;
},
// SUB RBP, 0x6
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[ 1 ].imm.value.u == 0x6;
},
// SHR EAX, CL
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SHR &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL;
},
// MOV [RBP+0x8], EAX
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
instr.operands[ 0 ].mem.disp.value == 0x8 &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
},
// PUSHFQ
[]( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; },
// POP [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_POP && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
vm::handler::profile_t shrw = { vm::handler::profile_t shrw = {
// MOV AX, [RBP] // MOV AX, [RBP]
// MOV CL, [RBP+0x2] // MOV CL, [RBP+0x2]

0
src/vmprofiles/shrd.cpp
Unescape View File

34
src/vmprofiles/sreg.cpp
Unescape View File

@ -102,4 +102,38 @@ namespace vm::handler::profile
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_DX; instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_DX;
} } } }; } } } };
vm::handler::profile_t sregb = {
// MOV DX, [RBP]
// ADD RBP, 0x2
// MOV [RAX+RDI], DL
"SREGB",
SREGB,
8,
{ { // MOV DX, [RBP]
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_DX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
},
// ADD RBP, 0x2
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[ 1 ].imm.value.u == 0x2;
},
// MOV [RAX+RDI], DL or MOV [RDI+RAX], DL
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
( instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RAX ||
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RDI ) &&
( instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_RDI ||
instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_RAX ) &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_DL;
} } } };
} // namespace vm::handler::profile } // namespace vm::handler::profile
Write Preview
Loading…
Cancel
Save