added READB vm handler...

3 years ago · ae49869fe6
parent 34806590fa
commit ae49869fe6
2 changed files with 87 additions and 10 deletions
--- a/include/vmprofiles.hpp
+++ b/include/vmprofiles.hpp
@ -13,8 +13,6 @@ namespace vm::handler
    {
        INVALID,
        LRFLAGS,
-        PUSHVSP,
-        PUSHVSPDW,
        MULQ,
        DIVQ,
        CALL,
@ -22,6 +20,9 @@ namespace vm::handler
        VMEXIT,
        LVSP,

+        PUSHVSP,
+        PUSHVSPDW,
+
        SREGQ,
        SREGDW,
        SREGW,
@ -42,6 +43,7 @@ namespace vm::handler
        READQ,
        READDW,
        READW,
+        READB,

        WRITEQ,
        WRITEDW,
@ -157,13 +159,17 @@ namespace vm::handler

        extern vm::handler::profile_t readq;
        extern vm::handler::profile_t readdw;
+        extern vm::handler::profile_t readw;
+        extern vm::handler::profile_t readb;

        extern vm::handler::profile_t shrq;
        extern vm::handler::profile_t shrw;

+        extern vm::handler::profile_t pushvsp;
+        extern vm::handler::profile_t pushvspdw;
+
        extern vm::handler::profile_t lrflags;
        extern vm::handler::profile_t call;
-        extern vm::handler::profile_t pushvsp;
        extern vm::handler::profile_t mulq;
        extern vm::handler::profile_t divq;
        extern vm::handler::profile_t jmp;
@ -174,16 +180,16 @@ namespace vm::handler
        /// a vector of pointers to all defined vm handler profiles...
        /// </summary>
        inline std::vector< vm::handler::profile_t * > all = {
-            &sregq,      &sregdw,      &sregw,      &lregq,       &lregdw,     &lconstq,
-            &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw,
-            &lconstdw,   &lconstw,     &addq,       &adddw,       &addw,       &lvsp,
+            &sregq,       &sregdw,     &sregw,       &lregq,      &lregdw,      &lconstq,  &lconstbzxw,
+            &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw,
+            &addq,        &adddw,      &addw,        &lvsp,

-            &shlq,       &shldw,       &writeq,     &writedw,     &writeb,     &nandq,
-            &nanddw,     &nandw,       &nandb,
+            &shlq,        &shldw,      &writeq,      &writedw,    &writeb,      &nandq,    &nanddw,
+            &nandw,       &nandb,

            &shlddw,

-            &shrq,       &shrw,        &readq,      &readdw,      &mulq,       &pushvsp,
-            &divq,       &jmp,         &lrflags,    &vmexit,      &call };
+            &shrq,        &shrw,       &readq,       &readdw,     &readw,       &readb,    &mulq,
+            &pushvsp,     &pushvspdw,  &divq,        &jmp,        &lrflags,     &vmexit,   &call };
    } // namespace profile
 } // namespace vm::handler
--- a/src/vmprofiles/read.cpp
+++ b/src/vmprofiles/read.cpp
@ -54,4 +54,75 @@ namespace vm::handler::profile
                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
                       instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
            } } } };
+
+    vm::handler::profile_t readw = {
+        // MOV RAX, [RBP]
+        // ADD RBP, 0x6
+        // MOV AX, [RAX]
+        // MOV [RBP], AX
+        "READW",
+        READW,
+        NULL,
+        { { // MOV RAX, [RBP]
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+                       instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                       instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+            },
+            // ADD RBP, 0x6
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+                       instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+                       instr.operands[ 1 ].imm.value.u == 0x6;
+            },
+            // MOV AX, [RAX]
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+                       instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                       instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RAX;
+            },
+            // MOV [RBP], AX
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                       instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+            } } } };
+
+    vm::handler::profile_t readb = {
+        // MOV RDX, [RBP]
+        // ADD RBP, 0x6
+        // MOV [RBP], AX
+        "READB",
+        READB,
+        NULL,
+        { { // MOV RDX, [RBP]
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+                       instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                       instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+            },
+            // ADD RBP, 0x6
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+                       instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+                       instr.operands[ 1 ].imm.value.u == 0x6;
+            },
+            // MOV [RBP], AX
+            []( const zydis_decoded_instr_t &instr ) -> bool {
+                return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+                       instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+                       instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+                       instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+            } } } };
 } // namespace vm::handler::profile