From ac50fe5128f63d0a81132130503dd8a37efd2477 Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Tue, 1 Jun 2021 16:26:11 -0700
Subject: [PATCH] added LCONSTW virtual instruction
---
 include/vmprofiler.hpp | 13 +++++---
 src/vmprofiles/lconst.cpp | 69 ++++++++++++++++++++++++++-------------
 2 files changed, 54 insertions(+), 28 deletions(-)
diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index 46ebe24..2e9838d 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -53,6 +53,7 @@ namespace vm
 LCONSTWSXQ,
 LCONSTWSXDW,
 LCONSTDW,
+ LCONSTW,
 READQ,
 READDW,
@@ -134,6 +135,7 @@ namespace vm
 extern vm::handler::profile_t lconstq;
 extern vm::handler::profile_t lconstdw;
+ extern vm::handler::profile_t lconstw;
 extern vm::handler::profile_t lconstbzxw;
 extern vm::handler::profile_t lconstbsxdw;
@@ -170,13 +172,14 @@ namespace vm
 extern vm::handler::profile_t vmexit;
 inline std::vector< vm::handler::profile_t * > all = {
- &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw,
- &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &addq, &adddw, &addw,
+ &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw,
+ &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw,
+ &addq, &adddw, &addw,
- &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw,
+ &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw,
- &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp,
- &vmexit, &call };
+ &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq,
+ &jmp, &vmexit, &call };
 } // namespace profile
 } // namespace handler
 } // namespace vm
\ No newline at end of file
diff --git a/src/vmprofiles/lconst.cpp b/src/vmprofiles/lconst.cpp
index fca5536..9b7bbca 100644
--- a/src/vmprofiles/lconst.cpp
+++ b/src/vmprofiles/lconst.cpp
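Review bot: `LCONSTW` is inserted in the middle of the enumerator list, between `LCONSTDW` and `READQ`, which shifts the numeric value of every enumerator that follows it. That is harmless if these values only ever live in-process, but if they are written out, logged as numbers or compared across builds, appending new entries at the end (or giving the enumerators explicit values) keeps the existing values stable; nothing in this hunk shows which case applies, so this is worth confirming. The enum definition begins and ends outside the hunk.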
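Review bot: The `all` initializer in the third hunk is rewrapped wholesale to add a single element, so the `&shlq` line is deleted and re-added with no visible change beyond whitespace and the `&shrq`/`&jmp` lines move only to rebalance the rows. Keeping the alignment reflow out of the functional commit would leave a diff that shows only the new `&lconstw` entry, and a one-entry-per-line layout for this list would make future additions a one-line change that is easy to check against the enumerator order. The list is otherwise consistent with the new `extern` declaration.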
@@ -30,6 +30,52 @@ namespace vm
 instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
 } } } };
+ vm::handler::profile_t lconstdw = {
+ // SUB RBP, 4
+ // MOV [RBP], EAX
+ "LCONSTDW",
+ LCONSTDW,
+ 32,
+ { { // SUB RBP, 4
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x4;
+ },
+ // MOV [RBP], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ } } } };
+
+ vm::handler::profile_t lconstw = {
+ // SUB RBP, 2
+ // MOV [RBP], AX
+ "LCONSTW",
+ LCONSTW,
+ 16,
+ { { // SUB RBP, 2
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x2;
+ },
+ // MOV [RBP], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+ } } } };
+
 vm::handler::profile_t lconstbzxw = {
 // MOV AL, [RSI]
 // SUB RBP, 2
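Review bot: In `lconstw`'s second matcher the store is verified only by `instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP`, so a `MOV [RBP+disp], AX` or `MOV [RBP+index*scale], AX` also satisfies the `// MOV [RBP], AX` comment; the relocated `lconstdw` matcher directly above has the same gap, and the other profiles outside this hunk presumably do too. Adding `instr.operands[ 0 ].mem.index == ZYDIS_REGISTER_NONE &&` and `instr.operands[ 0 ].mem.disp.value == 0 &&` to the conjunction pins the operand to a plain `[RBP]`; the displacement value is the right thing to test rather than `has_displacement`, because `[RBP]` with no index always encodes with an explicit zero disp8. The bare `16` and `32` after the enumerator tag would also read better with a short comment naming the field — presumably the width in bits of the constant being loaded, to be confirmed against `profile_t` in the header.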
@@ -188,29 +234,6 @@ namespace vm
 instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
 } } },
 vm::handler::extention_t::sign_extend };
-
- vm::handler::profile_t lconstdw = {
- // SUB RBP, 4
- // MOV [RBP], EAX
- "LCONSTDW",
- LCONSTDW,
- 32,
- { { // SUB RBP, 4
- []( const zydis_decoded_instr_t &instr ) -> bool {
- return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
- instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
- instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
- instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
- instr.operands[ 1 ].imm.value.u == 0x4;
- },
- // MOV [RBP], EAX
- []( const zydis_decoded_instr_t &instr ) -> bool {
- return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
- instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
- instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
- instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
- instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
- } } } };
 } // namespace profile
 } // namespace handler
 } // namespace vm
\ No newline at end of file