# VMProfiler - Library To Profile VMProtect 2 Virtual Machines
### VMProfiler - Library To Profile VMProtect 2 Virtual Machines
vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu. This is the base project for all other VMProtect 2 projects inside of this group on githacks.
### Credit & Contributors
* [VTIL](https://github.com/vtil-project/VTIL-Core) - Virtual-machine Translation Intermediate Language
* [Zydis](https://github.com/zyantific/zydis) - Fast and lightweight x86/x86-64 disassembler library
* [irql0](https://github.com/irql0) - helped with the first version of vm handler pattern matching
### Basic Usage - Creating a vm::ctx_t Object
The `vm::ctx_t` class is a small container-like class which is simply used to contain all information for a given vm entry. This class contains the following useful information:
* all vm handlers for a given vm entry
* the linear virtual address of the module base in memory
* the image base address
* the image size in virtual memory
* which way VIP advances (exec_type)
* vm entry relative virtual address
* vm entry deobfuscated and flattened
* calc jmp deobfuscated and flattened
All of the above information is generated by executing the `vm::ctx_t::init` member function. Below is a C++ example of how to create a `vm::ctx_t` object.
```cpp
const auto module_base = reinterpret_cast<std::uintptr_t>(
std::printf( "[!] failed to init vm::ctx_t... make sure all cli arguments are correct!\n" );
return -1;
}
```
### Using vm::ctx_t Object
Once you have instantiated `vm::ctx_t` and called `vm::ctx_t::init` with success, you now can directly access the data members of `vm::ctx_t`. Most importantly, `vm::ctx_t::calc_jmp`, `vm::ctx_t::vm_entry`, and `vm::ctx_t::vm_handlers`. An example usage of this data could be dumping the native x86_64 instructions which make up `vm::ctx_t::vm_entry`. Example c++ code for this is displayed below.
VMProfiler - Library To Profile VMProtect 2 Virtual Machines</h1>
<p>vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu. This is the base project for all other VMProtect 2 projects inside of this group on githacks. </p>
VMProfiler - Library To Profile VMProtect 2 Virtual Machines</h3>
<p>vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu. This is the base project for all other VMProtect 2 projects inside of this group on githacks.</p>
<li><ahref="https://github.com/zyantific/zydis">Zydis</a> - Fast and lightweight x86/x86-64 disassembler library</li>
<li><ahref="https://github.com/irql0">irql0</a> - helped with the first version of vm handler pattern matching</li>
</ul>
<h3><aclass="anchor"id="autotoc_md2"></a>
Basic Usage - Creating a vm::ctx_t Object</h3>
<p>The <code><aclass="el"href="classvm_1_1ctx__t.html"title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code> class is a small container-like class which is simply used to contain all information for a given vm entry. This class contains the following useful information:</p>
<ul>
<li>all vm handlers for a given vm entry</li>
<li>the linear virtual address of the module base in memory</li>
<li>the image base address</li>
<li>the image size in virtual memory</li>
<li>which way VIP advances (exec_type)</li>
<li>vm entry relative virtual address</li>
<li>vm entry deobfuscated and flattened</li>
<li>calc jmp deobfuscated and flattened</li>
</ul>
<p>All of the above information is generated by executing the <code><aclass="el"href="classvm_1_1ctx__t.html#a7f24e3ed32d1cca86c296dd8dae4b6d2"title="init all per-vm entry data such as vm_entry, calc_jmp, and vm handlers...">vm::ctx_t::init</a></code> member function. Below is a C++ example of how to create a <code><aclass="el"href="classvm_1_1ctx__t.html"title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code> object.</p>
<divclass="line"> std::printf( <spanclass="stringliteral">"[!] failed to init vm::ctx_t... make sure all cli arguments are correct!\n"</span> );</div>
<divclass="ttc"id="aclassvm_1_1ctx__t_html"><divclass="ttname"><ahref="classvm_1_1ctx__t.html">vm::ctx_t</a></div><divclass="ttdoc">vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....</div><divclass="ttdef"><b>Definition:</b> vmctx.hpp:13</div></div>
</div><!-- fragment --><h3><aclass="anchor"id="autotoc_md3"></a>
Using vm::ctx_t Object</h3>
<p>Once you have instantiated <code><aclass="el"href="classvm_1_1ctx__t.html"title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code> and called <code><aclass="el"href="classvm_1_1ctx__t.html#a7f24e3ed32d1cca86c296dd8dae4b6d2"title="init all per-vm entry data such as vm_entry, calc_jmp, and vm handlers...">vm::ctx_t::init</a></code> with success, you now can directly access the data members of <code><aclass="el"href="classvm_1_1ctx__t.html"title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code>. Most importantly, <code><aclass="el"href="classvm_1_1ctx__t.html#aed0dfa1748035f48bda0f59f76643d8d">vm::ctx_t::calc_jmp</a></code>, <code><aclass="el"href="classvm_1_1ctx__t.html#a40f0524813578bcddf9ded1e74443793">vm::ctx_t::vm_entry</a></code>, and <code><aclass="el"href="classvm_1_1ctx__t.html#a0fa31b5bd78861dbd2c5cf04af81aa4d"title="all the vm handlers for the given vm entry...">vm::ctx_t::vm_handlers</a></code>. An example usage of this data could be dumping the native x86_64 instructions which make up <code><aclass="el"href="classvm_1_1ctx__t.html#a40f0524813578bcddf9ded1e74443793">vm::ctx_t::vm_entry</a></code>. Example c++ code for this is displayed below.</p>
<divclass="ttc"id="anamespacevm_1_1util_html_abcfe75a7d22f907a6187579373679204"><divclass="ttname"><ahref="namespacevm_1_1util.html#abcfe75a7d22f907a6187579373679204">vm::util::print</a></div><divclass="ttdeci">void print(zydis_routine_t &routine)</div><divclass="ttdoc">prints a disassembly view of a routine...</div><divclass="ttdef"><b>Definition:</b> vmutils.cpp:69</div></div>
</div><!-- fragment --><p><em><b>Output</b></em></p>