added more handlers...

merge-requests/18/merge
_xeroxz 3 years ago
parent 051140175d
commit 8a42821357

@ -38,15 +38,20 @@ namespace vm::handler
CALL,
JMP,
VMEXIT,
POPVSP,
POPVSPQ,
POPVSPDW,
POPVSPW,
POPVSPB,
READCR3,
WRITECR3,
READCR8,
WRITECR8,
PUSHVSP,
PUSHVSPQ,
PUSHVSPDW,
PUSHVSPW,
PUSHVSPB,
SREGQ,
SREGDW,
@ -218,8 +223,9 @@ namespace vm::handler
extern vm::handler::profile_t shrdq;
extern vm::handler::profile_t shrddw;
extern vm::handler::profile_t pushvsp;
extern vm::handler::profile_t pushvspq;
extern vm::handler::profile_t pushvspdw;
extern vm::handler::profile_t pushvspw;
extern vm::handler::profile_t lflagsq;
extern vm::handler::profile_t call;
@ -237,10 +243,11 @@ namespace vm::handler
extern vm::handler::profile_t divq;
extern vm::handler::profile_t divdw;
extern vm::handler::profile_t idivdw;
extern vm::handler::profile_t popvspq;
extern vm::handler::profile_t popvspw;
extern vm::handler::profile_t idivdw;
extern vm::handler::profile_t jmp;
extern vm::handler::profile_t popvsp;
extern vm::handler::profile_t rdtsc;
extern vm::handler::profile_t vmexit;
@ -248,18 +255,13 @@ namespace vm::handler
/// a vector of pointers to all defined vm handler profiles...
/// </summary>
inline std::vector< vm::handler::profile_t * > all = {
&sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq,
&lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw,
&lconstw, &addq, &adddw, &addw, &addb, &popvsp,
&shlq, &shldw, &shlw, &shlb, &writeq, &writedw, &writew,
&writeb, &nandq, &nanddw, &nandw, &nandb,
&shlddw, &shldq,
&shrq, &shrdw, &shrw, &shrb, &shrdq, &shrddw, &readgsq,
&readq, &readdw, &readw, &readb, &mulq, &muldw, &imulq,
&imuldw, &pushvsp, &pushvspdw, &readcr8, &readcr3, &writecr3, &divq,
&divdw, &idivdw, &jmp, &lflagsq, &vmexit, &call, &rdtsc };
&sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw,
&lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq,
&adddw, &addw, &addb, &popvspq, &popvspw, &shlq, &shldw, &shlw,
&shlb, &writeq, &writedw, &writew, &writeb, &nandq, &nanddw, &nandw,
&nandb, &shlddw, &shldq, &shrq, &shrdw, &shrw, &shrb, &shrdq,
&shrddw, &readgsq, &readq, &readdw, &readw, &readb, &mulq, &muldw,
&imulq, &imuldw, &pushvspq, &pushvspdw, &pushvspw, &readcr8, &readcr3, &writecr3,
&divq, &divdw, &idivdw, &jmp, &lflagsq, &vmexit, &call, &rdtsc };
} // namespace profile
} // namespace vm::handler
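Review bot: The enum hunk adds POPVSPDW, POPVSPB and PUSHVSPB, but this commit declares no `profile_t` for them (the externs only cover popvspq/popvspw and pushvspq/pushvspdw/pushvspw) and registers none in `all`, so `vm::handler::get_profile` will presumably find nothing for those mnemonics and callers that switch on the enum get an unmatched handler. Either add the missing profiles or mark the enumerators with a comment such as `// no profile yet — get_profile() returns null for these` so the gap is visible to whoever reads the enum. Separately, `extern vm::handler::profile_t idivdw;` appears twice in the same hunk; a repeated extern declaration is legal but looks like a leftover of the reordering, and one of the two should go if the rendered page is not just duplicating the line.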

@ -310,7 +310,7 @@ namespace vm::instrs
code_block.vinstrs.rbegin(), code_block.vinstrs.rend(),
[ & ]( const vm::instrs::virt_instr_t &vinstr ) -> bool {
if ( auto profile = vm::handler::get_profile( vinstr.mnemonic_t );
profile && profile->mnemonic == vm::handler::PUSHVSP )
profile && profile->mnemonic == vm::handler::PUSHVSPQ )
{
const auto possible_block_1 = code_block_addr( vmctx, vinstr.trace_data.vsp.qword[ 0 ] ^ xor_key ),
possible_block_2 = code_block_addr( vmctx, vinstr.trace_data.vsp.qword[ 1 ] ^ xor_key );
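Review bot: The match is narrowed from PUSHVSP to PUSHVSPQ with no comment explaining why the newly added dword/word push variants are deliberately not considered here, even though the same lambda goes on to read two full qwords from the traced vsp. A one-line comment above the condition, e.g. `// only the qword push can carry two 64-bit block addresses; narrower pushes are not jcc candidates (presumably)`, would record the intent and stop the next person from "fixing" it to match every PUSHVSP variant. The enclosing function and its predicate start outside this hunk, so I cannot see how a non-match is handled further up.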

@ -2,10 +2,10 @@
namespace vm::handler::profile
{
vm::handler::profile_t popvsp = {
vm::handler::profile_t popvspq = {
// MOV RBP [RBP]
"POPVSP",
POPVSP,
"POPVSPQ",
POPVSPQ,
NULL,
{ { []( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
@ -13,4 +13,16 @@ namespace vm::handler::profile
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
}
vm::handler::profile_t popvspw = {
// MOV BP [RBP]
"POPVSPW",
POPVSPW,
NULL,
{ { []( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_BP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
} } } };
} // namespace vm::handler::profile
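Review bot: The new popvspw matcher, like the popvspq one above it, checks only that the memory operand's base is RBP, so any `mov bp, [rbp+disp]` or `[rbp+index*scale]` in another handler would also be classified as POPVSPW; for a signature-based identifier a loose pattern means a wrong handler profile rather than a miss. If Zydis exposes the fields as elsewhere in this code base, tightening both lambdas with `instr.operands[ 1 ].mem.disp.value == 0 && instr.operands[ 1 ].mem.index == ZYDIS_REGISTER_NONE` would make the `// MOV BP [RBP]` comment actually describe what is accepted. Worth confirming against the real handler bodies before tightening, since VMProtect's obfuscated variants may legitimately carry a displacement.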

@ -2,12 +2,12 @@
namespace vm::handler::profile
{
vm::handler::profile_t pushvsp = {
vm::handler::profile_t pushvspq = {
// MOV RAX, RBP
// SUB RBP, 8
// MOV [RBP], RAX
"PUSHVSP",
PUSHVSP,
"PUSHVSPQ",
PUSHVSPQ,
NULL,
{ { // MOV RAX, RBP
[]( const zydis_decoded_instr_t &instr ) -> bool {
@ -63,4 +63,35 @@ namespace vm::handler::profile
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
} } } };
vm::handler::profile_t pushvspw = {
// MOV EAX, EBP
// SUB RBP, 0x4
// MOV [RBP], AX
"PUSHVSPW",
PUSHVSPW,
NULL,
{ { // MOV EAX, EBP
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EBP;
},
// SUB RBP, 0x2
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
instr.operands[ 1 ].imm.value.u == 0x2;
},
// MOV [RBP], AX
[]( const zydis_decoded_instr_t &instr ) -> bool {
return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
} } } };
} // namespace vm::handler::profile
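Review bot: The header comment of the new pushvspw profile documents the pattern as `// SUB RBP, 0x4`, but the matcher below (and its own inline comment) requires `imm.value.u == 0x2`, so the documented signature does not describe what is matched; change the header line to `// SUB RBP, 0x2`. The first step is documented and matched as `MOV EAX, EBP` while the store is `MOV [RBP], AX`, which is fine as written but worth a short note that the 32-bit move is what the real handler emits, since a reader comparing with the pushvspq profile will expect `MOV AX, BP`. The preceding pushvspdw profile is only partly visible in this hunk, so I cannot confirm the two are consistent with each other.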