diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp index 813cbb2..0233e57 100644 --- a/include/vmprofiles.hpp +++ b/include/vmprofiles.hpp @@ -38,15 +38,20 @@ namespace vm::handler CALL, JMP, VMEXIT, - POPVSP, + POPVSPQ, + POPVSPDW, + POPVSPW, + POPVSPB, READCR3, WRITECR3, READCR8, WRITECR8, - PUSHVSP, + PUSHVSPQ, PUSHVSPDW, + PUSHVSPW, + PUSHVSPB, SREGQ, SREGDW, @@ -218,8 +223,9 @@ namespace vm::handler extern vm::handler::profile_t shrdq; extern vm::handler::profile_t shrddw; - extern vm::handler::profile_t pushvsp; + extern vm::handler::profile_t pushvspq; extern vm::handler::profile_t pushvspdw; + extern vm::handler::profile_t pushvspw; extern vm::handler::profile_t lflagsq; extern vm::handler::profile_t call; @@ -237,10 +243,11 @@ namespace vm::handler extern vm::handler::profile_t divq; extern vm::handler::profile_t divdw; - extern vm::handler::profile_t idivdw; + extern vm::handler::profile_t popvspq; + extern vm::handler::profile_t popvspw; + extern vm::handler::profile_t idivdw; extern vm::handler::profile_t jmp; - extern vm::handler::profile_t popvsp; extern vm::handler::profile_t rdtsc; extern vm::handler::profile_t vmexit; 
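Review bot: POPVSPDW, POPVSPB and PUSHVSPB are added to the mnemonic enum in the first hunk, but the declaration hunks below add only popvspq, popvspw and pushvspw (alongside the existing pushvspdw), and the `all` vector in the next hunk lists no profile for the three new enumerators. Unless those profiles live in a file outside this diff, a lookup keyed on these mnemonics has nothing to resolve to; either add the profiles or mark the enumerators so readers know they are placeholders, e.g. `POPVSPDW, // no profile defined yet`. The same applies to `POPVSPB,` and `PUSHVSPB,` in that hunk. The enum itself starts before this hunk.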
@@ -248,18 +255,13 @@ namespace vm::handler /// a vector of pointers to all defined vm handler profiles... /// inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, - &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, - &lconstw, &addq, &adddw, &addw, &addb, &popvsp, - - &shlq, &shldw, &shlw, &shlb, &writeq, &writedw, &writew, - &writeb, &nandq, &nanddw, &nandw, &nandb, - - &shlddw, &shldq, - - &shrq, &shrdw, &shrw, &shrb, &shrdq, &shrddw, &readgsq, - &readq, &readdw, &readw, &readb, &mulq, &muldw, &imulq, - &imuldw, &pushvsp, &pushvspdw, &readcr8, &readcr3, &writecr3, &divq, - &divdw, &idivdw, &jmp, &lflagsq, &vmexit, &call, &rdtsc }; + &sregq, &sregdw, &sregw, &sregb, &lregq, &lregdw, &lconstq, &lconstbzxw, + &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, &addq, + &adddw, &addw, &addb, &popvspq, &popvspw, &shlq, &shldw, &shlw, + &shlb, &writeq, &writedw, &writew, &writeb, &nandq, &nanddw, &nandw, + &nandb, &shlddw, &shldq, &shrq, &shrdw, &shrw, &shrb, &shrdq, + &shrddw, &readgsq, &readq, &readdw, &readw, &readb, &mulq, &muldw, + &imulq, &imuldw, &pushvspq, &pushvspdw, &pushvspw, &readcr8, &readcr3, &writecr3, + &divq, &divdw, &idivdw, &jmp, &lflagsq, &vmexit, &call, &rdtsc }; } // namespace profile } // namespace vm::handler \ No newline at end of file diff --git a/src/vminstrs.cpp b/src/vminstrs.cpp index c86e486..45d22fc 100644 --- a/src/vminstrs.cpp +++ b/src/vminstrs.cpp 
@@ -310,7 +310,7 @@ namespace vm::instrs code_block.vinstrs.rbegin(), code_block.vinstrs.rend(), [ & ]( const vm::instrs::virt_instr_t &vinstr ) -> bool { if ( auto profile = vm::handler::get_profile( vinstr.mnemonic_t ); - profile && profile->mnemonic == vm::handler::PUSHVSP ) + profile && profile->mnemonic == vm::handler::PUSHVSPQ ) { const auto possible_block_1 = code_block_addr( vmctx, vinstr.trace_data.vsp.qword[ 0 ] ^ xor_key ), possible_block_2 = code_block_addr( vmctx, vinstr.trace_data.vsp.qword[ 1 ] ^ xor_key ); diff --git a/src/vmprofiles/popvsp.cpp b/src/vmprofiles/popvsp.cpp index 55be274..02873fa 100644 --- a/src/vmprofiles/popvsp.cpp +++ b/src/vmprofiles/popvsp.cpp @@ -2,10 +2,10 @@ namespace vm::handler::profile { - vm::handler::profile_t popvsp = { + vm::handler::profile_t popvspq = { // MOV RBP [RBP] - "POPVSP", - POPVSP, + "POPVSPQ", + POPVSPQ, NULL, { { []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && @@ -13,4 +13,16 @@ namespace vm::handler::profile instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; } } } }; -} \ No newline at end of file + + vm::handler::profile_t popvspw = { + // MOV BP [RBP] + "POPVSPW", + POPVSPW, + NULL, + { { []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_BP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; +} // namespace vm::handler::profile \ No newline at end of file diff --git a/src/vmprofiles/pushvsp.cpp b/src/vmprofiles/pushvsp.cpp index d793530..f4f63f4 100644 --- a/src/vmprofiles/pushvsp.cpp +++ b/src/vmprofiles/pushvsp.cpp 
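Review bot: The changed comparison matches only PUSHVSPQ, so the new PUSHVSPW profile (and the existing PUSHVSPDW) are never considered by this search; if that is deliberate because the following lines read two 8-byte values via `vsp.qword[ 0 ]` and `vsp.qword[ 1 ]`, a comment on the condition such as `// only the 64-bit push can carry two qword-sized branch targets` would record it, otherwise the condition needs to accept the narrower widths too. The enclosing lambda and the function that calls it both start outside this hunk.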
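Review bot: popvspw's matcher in the second popvsp.cpp hunk repeats popvspq's lambda verbatim apart from `ZYDIS_REGISTER_BP` on operand 0, and pushvsp.cpp's new pushvspw does the same with its three steps; a small helper that takes the destination register and returns the lambda would keep the width variants from drifting apart as the remaining widths are filled in. Both matchers constrain the memory operand only through `instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP`, so, as far as the visible lines show, a displacement or index on that operand would still match; if that is intended, a one-line comment on the `mem.base` check saying so would help the next reader.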
@@ -2,12 +2,12 @@ namespace vm::handler::profile { - vm::handler::profile_t pushvsp = { + vm::handler::profile_t pushvspq = { // MOV RAX, RBP // SUB RBP, 8 // MOV [RBP], RAX - "PUSHVSP", - PUSHVSP, + "PUSHVSPQ", + PUSHVSPQ, NULL, { { // MOV RAX, RBP []( const zydis_decoded_instr_t &instr ) -> bool { @@ -63,4 +63,35 @@ namespace vm::handler::profile instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; } } } }; + + vm::handler::profile_t pushvspw = { + // MOV EAX, EBP + // SUB RBP, 0x4 + // MOV [RBP], AX + "PUSHVSPW", + PUSHVSPW, + NULL, + { { // MOV EAX, EBP + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EBP; + }, + // SUB RBP, 0x2 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x2; + }, + // MOV [RBP], AX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX; + } } } }; } // namespace vm::handler::profile \ No newline at end of file
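Review bot: The header comment on pushvspw in the second hunk says `// SUB RBP, 0x4`, while the SUB step's matcher requires `instr.operands[ 1 ].imm.value.u == 0x2` and that step's own comment says `// SUB RBP, 0x2`; change the header line to `// SUB RBP, 0x2` so the three agree, since a word push moves the VSP by two bytes. The SUB step's inline comment placed after the `// MOV EAX, EBP` lambda is the one that matches the code, so the header is the line to fix.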