added shrq

4 years ago · b9dc2520fe
parent abda23f07a
commit b9dc2520fe
4 changed files with 110 additions and 32 deletions
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@ -10,6 +10,12 @@ namespace vm
 		enum mnemonic_t
 		{
 			INVALID,
+			PUSHVSP,
+			SHRQ,
+			MULQ,
+			DIVQ,
+			JMP,
+			VMEXIT,

 			SREGQ,
 			SREGDW,
@ -33,24 +39,14 @@ namespace vm
 			WRITEDW,
 			WRITEW,

-			PUSHVSP,
-
 			ADDQ,
 			ADDDW,

 			SHLQ,
 			SHLDW,

-			MULQ,
-
-			DIVQ,
-
 			NANDQ,
-			NANDDW,
-
-			JMP,
-
-			VMEXIT
+			NANDDW
 		};

        enum extention_t
@ -85,8 +81,6 @@ namespace vm
 			extern vm::handler::profile_t lconstwsxq;
 			extern vm::handler::profile_t lconstdw;

-			extern vm::handler::profile_t pushvsp;
-
 			extern vm::handler::profile_t addq;
 			extern vm::handler::profile_t adddw;

@ -96,42 +90,33 @@ namespace vm
 			extern vm::handler::profile_t nandq;
 			extern vm::handler::profile_t nanddw;

-			extern vm::handler::profile_t mulq;
-			extern vm::handler::profile_t divq;
-			extern vm::handler::profile_t jmp;
-
 			extern vm::handler::profile_t writeq;
 			extern vm::handler::profile_t writedw;

+			extern vm::handler::profile_t shrq;
+			extern vm::handler::profile_t pushvsp;
+			extern vm::handler::profile_t mulq;
+			extern vm::handler::profile_t divq;
+			extern vm::handler::profile_t jmp;
 			extern vm::handler::profile_t readq;
 			extern vm::handler::profile_t vmexit;

 			inline std::vector<vm::handler::profile_t*> all =
 			{
 				&sregq, &sregdw, &sregw,
-
 				&lregq, &lregdw,
-
 				&lconstq, &lconstbzxw, &lconstbsxdw, &lconstdwsxq, &lconstwsxq, &lconstdw,
-
-				&pushvsp,
-
 				&addq, &adddw,
-
-				&mulq,
-
-				&divq,
-
 				&shlq, &shldw,
-
 				&writeq, &writedw,
-
-				&readq,
-
 				&nandq, &nanddw,

+				&shrq,
+				&readq,
+				&mulq,
+				&pushvsp,
+				&divq,
 				&jmp,
-
 				&vmexit
 			};
 		}
--- a/src/vmprofiler.vcxproj
+++ b/src/vmprofiler.vcxproj
@ -111,6 +111,8 @@
    <ClCompile Include="vmprofiles\nand.cpp" />
    <ClCompile Include="vmprofiles\pushvsp.cpp" />
    <ClCompile Include="vmprofiles\read.cpp" />
+    <ClCompile Include="vmprofiles\shl.cpp" />
+    <ClCompile Include="vmprofiles\shr.cpp" />
    <ClCompile Include="vmprofiles\sreg.cpp" />
    <ClCompile Include="vmprofiles\vmexit.cpp" />
    <ClCompile Include="vmprofiles\write.cpp" />
--- a/src/vmprofiler.vcxproj.filters
+++ b/src/vmprofiler.vcxproj.filters
@ -74,6 +74,12 @@
    <ClCompile Include="vmprofiles\write.cpp">
      <Filter>Source Files\vmprofiles</Filter>
    </ClCompile>
+    <ClCompile Include="vmprofiles\shl.cpp">
+      <Filter>Source Files\vmprofiles</Filter>
+    </ClCompile>
+    <ClCompile Include="vmprofiles\shr.cpp">
+      <Filter>Source Files\vmprofiles</Filter>
+    </ClCompile>
  </ItemGroup>
  <ItemGroup>
    <ClInclude Include="..\include\transform.hpp">
--- a/src/vmprofiles/shr.cpp
+++ b/src/vmprofiles/shr.cpp
@ -0,0 +1,85 @@
+#include "../../include/vmprofiler.hpp"
+
+namespace vm
+{
+	namespace handler
+	{
+		namespace profile
+		{
+			vm::handler::profile_t shrq =
+			{
+				// MOV RAX, [RBP]
+				// MOV CL, [RBP+0x8]
+				// SUB RBP, 0x6
+				// SHR RAX, CL
+				// MOV [RBP+0x8], RAX
+				// PUSHFQ
+				// POP [RBP]
+				"SHRQ", SHRQ, NULL,
+				{
+					{
+						// MOV RAX, [RBP]
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+								instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+								instr.operands[0].reg.value == ZYDIS_REGISTER_RAX &&
+								instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+								instr.operands[1].mem.base == ZYDIS_REGISTER_RBP;
+						},
+						// MOV CL, [RBP+0x8]
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+								instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+								instr.operands[0].reg.value == ZYDIS_REGISTER_CL &&
+								instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+								instr.operands[1].mem.base == ZYDIS_REGISTER_RBP &&
+								instr.operands[1].mem.index == 0x8;
+						},
+						// SUB RBP, 0x6
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+								instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+								instr.operands[0].reg.value == ZYDIS_REGISTER_RBP &&
+								instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+								instr.operands[1].imm.value.u == 0x6;
+						},
+						// SHR RAX, CL
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_SHR &&
+								instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+								instr.operands[0].reg.value == ZYDIS_REGISTER_RAX &&
+								instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+								instr.operands[1].reg.value == ZYDIS_REGISTER_CL;
+						},
+						// MOV [RBP+0x8], RAX
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+								instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+								instr.operands[0].mem.base == ZYDIS_REGISTER_RBP &&
+								instr.operands[0].mem.index == 0x8 &&
+								instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+								instr.operands[1].reg.value == ZYDIS_REGISTER_RAX;
+						},
+						// PUSHFQ
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
+						},
+						// POP [RBP]
+						[](const zydis_decoded_instr_t& instr) -> bool
+						{
+							return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
+								instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+								instr.operands[0].mem.base == ZYDIS_REGISTER_RBP;
+						}
+					}
+				}	
+			};
+		}
+	}
+}