diff --git a/include/vmprofiles.hpp b/include/vmprofiles.hpp index 40872d8..7e2643d 100644 --- a/include/vmprofiles.hpp +++ b/include/vmprofiles.hpp @@ -13,8 +13,6 @@ namespace vm::handler { INVALID, LRFLAGS, - PUSHVSP, - PUSHVSPDW, MULQ, DIVQ, CALL, @@ -22,6 +20,9 @@ namespace vm::handler VMEXIT, LVSP, + PUSHVSP, + PUSHVSPDW, + SREGQ, SREGDW, SREGW, @@ -42,6 +43,7 @@ namespace vm::handler READQ, READDW, READW, + READB, WRITEQ, WRITEDW, @@ -157,13 +159,17 @@ namespace vm::handler extern vm::handler::profile_t readq; extern vm::handler::profile_t readdw; + extern vm::handler::profile_t readw; + extern vm::handler::profile_t readb; extern vm::handler::profile_t shrq; extern vm::handler::profile_t shrw; + extern vm::handler::profile_t pushvsp; + extern vm::handler::profile_t pushvspdw; + extern vm::handler::profile_t lrflags; extern vm::handler::profile_t call; - extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t mulq; extern vm::handler::profile_t divq; extern vm::handler::profile_t jmp; 
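Review bot: Moving PUSHVSP and PUSHVSPDW from before MULQ to after LVSP (and inserting READB ahead of WRITEQ) renumbers every enumerator that follows, so any code that persists mnemonic_t values, uses them as table indices, or was compiled against the previous header will silently disagree with this one; from these hunks alone I cannot tell whether anything does. If the enumerators are only ever used symbolically, say so on the enum so the next reorder is not a surprise, e.g. `// enumerator values are not stable across versions; never persist or index by them`; otherwise keep the old positions and append new entries at the end. The enum's opening and closing braces lie outside the hunks.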
@@ -174,16 +180,16 @@ namespace vm::handler /// a vector of pointers to all defined vm handler profiles... /// inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, - &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, - &lconstdw, &lconstw, &addq, &adddw, &addw, &lvsp, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, + &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, + &addq, &adddw, &addw, &lvsp, - &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, - &nanddw, &nandw, &nandb, + &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, + &nandw, &nandb, &shlddw, - &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, - &divq, &jmp, &lrflags, &vmexit, &call }; + &shrq, &shrw, &readq, &readdw, &readw, &readb, &mulq, + &pushvsp, &pushvspdw, &divq, &jmp, &lrflags, &vmexit, &call }; } // namespace profile } // namespace vm::handler \ No newline at end of file diff --git a/src/vmprofiles/read.cpp b/src/vmprofiles/read.cpp index 048855b..9d06d41 100644 --- a/src/vmprofiles/read.cpp +++ b/src/vmprofiles/read.cpp 
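Review bot: The reflow of the `all` initializer (the removed `&shlq … &nandq` / `&nanddw, &nandw, &nandb,` lines are re-emitted with the same entries at different line breaks) is mixed with the functional additions `&readw`, `&readb` and `&pushvspdw`, which buries the three entries that actually changed; a separate formatting commit would leave a three-token diff here. Whether the order of this vector matters (for example first-match-wins in whatever scans handlers against it) is not visible in the hunk; if it does, a one-line comment above `all` stating that new profiles must be appended rather than inserted would prevent a future reorder from changing classification results.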
@@ -54,4 +54,75 @@ namespace vm::handler::profile
 instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
 instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
 } } } };
+
+ vm::handler::profile_t readw = {
+ // MOV RAX, [RBP]
+ // ADD RBP, 0x6
+ // MOV AX, [RAX]
+ // MOV [RBP], AX
+ "READW",
+ READW,
+ NULL,
+ { { // MOV RAX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // ADD RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // MOV AX, [RAX]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RAX;
+ },
+ // MOV [RBP], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+ } } } };
+
+ vm::handler::profile_t readb = {
+ // MOV RDX, [RBP]
+ // ADD RBP, 0x6
+ // MOV [RBP], AX
+ "READB",
+ READB,
+ NULL,
+ { { // MOV RDX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // ADD RBP, 0x6
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x6;
+ },
+ // MOV [RBP], AX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV && instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX;
+ } } } };
 } // namespace vm::handler::profile
\ No newline at end of file
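Review bot: The `readb` profile never matches the instruction that performs the byte read: its signature is only `MOV RDX, [RBP]`, `ADD RBP, 0x6`, `MOV [RBP], AX`, so any handler that pops a qword into RDX, bumps RBP by 6 and stores AX will be classified as READB, whereas `readw` at least pins `MOV AX, [RAX]`. The memory predicates in both profiles also constrain only `mem.base`, so `MOV RAX, [RBP+0x8]` satisfies the `MOV RAX, [RBP]` check; if the matcher is meant to be exact, add a displacement constraint such as `instr.operands[ 1 ].mem.disp.value == 0` (and `instr.operands[ 1 ].mem.index == ZYDIS_REGISTER_NONE`), using whatever the project's Zydis version exposes. The `ADD RBP, 0x6` and `MOV [RBP], AX` lambdas are copied verbatim between `readw` and `readb`; a file-local named predicate shared by both would keep them from drifting. I cannot tell from the hunk whether the matcher requires the predicates to hit consecutive instructions or merely in order, which decides how loose the READB signature is in practice; the `readdw` definition whose tail opens the hunk starts outside it.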