diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 63cf5d4..6bcbfa9 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -1,7 +1,7 @@ #pragma once -#include -#include #include +#include +#include namespace vm { @@ -10,7 +10,7 @@ namespace vm bool get( const zydis_routine_t &vm_entry, zydis_routine_t &calc_jmp ); std::optional< vmp2::exec_type_t > get_advancement( const zydis_routine_t &calc_jmp ); - } + } // namespace calc_jmp namespace instrs { @@ -144,20 +144,23 @@ namespace vm extern vm::handler::profile_t writeq; extern vm::handler::profile_t writedw; + extern vm::handler::profile_t readq; + extern vm::handler::profile_t readdw; + extern vm::handler::profile_t shrq; extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t mulq; extern vm::handler::profile_t divq; extern vm::handler::profile_t jmp; - extern vm::handler::profile_t readq; + extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, - &lconstbsxdw, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, - &shldw, &writeq, &writedw, &nandq, &nanddw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, + &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, &shldw, &writeq, + &writedw, &nandq, &nanddw, - &shrq, &readq, &mulq, &pushvsp, &divq, &jmp, &vmexit }; + &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiles/read.cpp b/src/vmprofiles/read.cpp index 6a2ee42..31fc822 100644 --- a/src/vmprofiles/read.cpp +++ b/src/vmprofiles/read.cpp 
@@ -29,6 +29,38 @@ namespace vm
 instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
 instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
 } } } };
+
+ vm::handler::profile_t readdw = {
+ // ADD RBP, 0x4
+ // MOV EAX, [RAX]
+ // MOV [RBP], EAX
+ "READDW",
+ READDW,
+ NULL,
+ { { // ADD RBP, 0x4
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x4;
+ },
+ // MOV EAX, [RAX]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RAX;
+ },
+ // MOV [RBP], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ } } } };
 }
 } // namespace handler
 } // namespace vm
\ No newline at end of file
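Review bot: The two memory matchers in the new readdw profile check only `mem.base`, so `MOV EAX, [RAX+disp]`, `MOV EAX, [RAX+RCX*4]` or `MOV [RBP+8], EAX` are accepted as the handler's load and store just as readily as the bare `[RAX]`/`[RBP]` the comments describe, and a false match here silently misclassifies a handler. Tightening the load lambda with `instr.operands[ 1 ].mem.index == ZYDIS_REGISTER_NONE && instr.operands[ 1 ].mem.disp.value == 0`, and the store lambda with the same two conditions on operand 0, pins the pattern to what the comments promise. The visible tail of the readq profile just above applies the same loose base-only check, so if this is tightened it should presumably be done there as well, outside this hunk. The enclosing namespaces open and close outside the hunk.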