|
|
@ -117,17 +117,6 @@ std::vector<vm_enter_t> get_vm_entries(std::uintptr_t module_base,
|
|
|
|
*/
|
|
|
|
*/
|
|
|
|
if (!push_regs(rtn)) continue;
|
|
|
|
if (!push_regs(rtn)) continue;
|
|
|
|
|
|
|
|
|
|
|
|
// check for a mov rax, 0ull
|
|
|
|
|
|
|
|
if (!vm::locate::find(rtn, [&](const zydis_instr_t& instr) -> bool {
|
|
|
|
|
|
|
|
return instr.instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
|
|
|
|
|
|
|
instr.instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
|
|
|
|
|
|
instr.instr.operands[0].reg.value == ZYDIS_REGISTER_RAX &&
|
|
|
|
|
|
|
|
instr.instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
|
|
|
|
|
|
|
|
instr.instr.operands[1].size == 64 &&
|
|
|
|
|
|
|
|
instr.instr.operands[1].imm.value.u == 0ull;
|
|
|
|
|
|
|
|
}))
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// check for a mov r13, rax...
|
|
|
|
// check for a mov r13, rax...
|
|
|
|
if (!vm::locate::find(rtn, [&](const zydis_instr_t& instr) -> bool {
|
|
|
|
if (!vm::locate::find(rtn, [&](const zydis_instr_t& instr) -> bool {
|
|
|
|
return instr.instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
|
|
|
return instr.instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
|
|
|
|