diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index 4337b76..46ebe24 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -51,6 +51,7 @@ namespace vm
 LCONSTBSXDW,
 LCONSTDWSXQ,
 LCONSTWSXQ,
+ LCONSTWSXDW,
 LCONSTDW,
 READQ,
@@ -132,12 +133,14 @@ namespace vm
 extern vm::handler::profile_t lregdw;
 extern vm::handler::profile_t lconstq;
+ extern vm::handler::profile_t lconstdw;
+ extern vm::handler::profile_t lconstbzxw;
 extern vm::handler::profile_t lconstbsxdw;
 extern vm::handler::profile_t lconstbsxq;
 extern vm::handler::profile_t lconstdwsxq;
 extern vm::handler::profile_t lconstwsxq;
- extern vm::handler::profile_t lconstdw;
+ extern vm::handler::profile_t lconstwsxdw;
 extern vm::handler::profile_t addq;
 extern vm::handler::profile_t adddw;
@@ -164,16 +167,15 @@ namespace vm
 extern vm::handler::profile_t mulq;
 extern vm::handler::profile_t divq;
 extern vm::handler::profile_t jmp;
- extern vm::handler::profile_t vmexit;
 inline std::vector< vm::handler::profile_t * > all = {
- &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw,
- &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &addw,
+ &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw,
+ &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &addq, &adddw, &addw,
- &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw,
+ &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw,
- &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp,
+ &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit, &call
 };
 } // namespace profile
 } // namespace handler
diff --git a/src/vmprofiles/lconst.cpp b/src/vmprofiles/lconst.cpp
index cbf950d..fca5536 100644
--- a/src/vmprofiles/lconst.cpp
+++ b/src/vmprofiles/lconst.cpp
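Review bot: `LCONSTWSXDW` is inserted in the middle of the enumerator list, between `LCONSTWSXQ` and `LCONSTDW`, so if the enumerators take implicit values every later one (`LCONSTDW`, `READQ`, and the rest) shifts by one. That is harmless while the values are only compared in-process, but if they are ever printed, persisted or matched against externally recorded profile ids the numbering silently changes; the enum's declaration and its consumers are outside this hunk, so this needs confirming. Appending the new enumerator after the last existing one, or giving the enumerators explicit values, removes the question.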
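Review bot: The `all` initializer in the third hunk now takes `&vmexit` and `&call`, but the only declaration of `vmexit` visible in this hunk is the `extern vm::handler::profile_t vmexit;` line being removed, and no declaration of `call` appears at all; unless both are declared earlier in the header (outside this hunk) the initializer no longer compiles. The placement of `&lconstwsxdw` before `&lconstdw` also looks deliberate, since `lconstdw`'s sequence (`SUB RBP, 4` / `MOV [RBP], EAX`) is a suffix of `lconstwsxdw`'s and a first-match scan would otherwise classify the sign-extending handler as a plain dword load; if the matcher is order-sensitive, say so on the vector, e.g. `// order matters: more specific profiles (lconstwsxdw) precede profiles whose sequence is their suffix (lconstdw)`. The extern declarations this initializer references begin before the hunk.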
@@ -162,6 +162,33 @@ namespace vm
 } } },
 vm::handler::extention_t::sign_extend };
+ vm::handler::profile_t lconstwsxdw = {
+ // CWDE
+ // SUB RBP, 4
+ // MOV [RBP], EAX
+ "LCONSTWSXDW",
+ LCONSTWSXDW,
+ 16,
+ { { // CWDE
+ []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_CWDE; },
+ // SUB RBP, 4
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x4;
+ },
+ // MOV [RBP], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ } } },
+ vm::handler::extention_t::sign_extend };
+
 vm::handler::profile_t lconstdw = {
 // SUB RBP, 4
 // MOV [RBP], EAX
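Review bot: The `MOV [RBP], EAX` predicate in the new `lconstwsxdw` profile checks only `mem.base == ZYDIS_REGISTER_RBP` on operand 0, so a store with a displacement or an index register (`MOV [RBP+0x8], EAX`) is accepted as well, which is looser than the comment above the profile promises. If the sibling profiles deliberately tolerate that, keep it for consistency; otherwise tighten the condition with `instr.operands[ 0 ].mem.disp.value == 0 && instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_NONE`. The bare `16,` after `LCONSTWSXDW,` is also the only field in the initializer whose meaning a reader has to look up in `profile_t`; a trailing comment such as `16, // presumably the immediate width in bits — confirm against profile_t` would help. The enclosing `namespace vm` block starts and ends outside the hunk.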