From b9dc2520fea397d1ff110cabb71786db3375b787 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Mon, 31 May 2021 19:57:36 -0700 Subject: [PATCH] added shrq --- include/vmprofiler.hpp | 49 +++++++------------- src/vmprofiler.vcxproj | 2 + src/vmprofiler.vcxproj.filters | 6 +++ src/vmprofiles/shr.cpp | 85 ++++++++++++++++++++++++++++++++++ 4 files changed, 110 insertions(+), 32 deletions(-) create mode 100644 src/vmprofiles/shr.cpp diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 4de31aa..98bcaad 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -10,6 +10,12 @@ namespace vm enum mnemonic_t { INVALID, + PUSHVSP, + SHRQ, + MULQ, + DIVQ, + JMP, + VMEXIT, SREGQ, SREGDW, @@ -33,24 +39,14 @@ namespace vm WRITEDW, WRITEW, - PUSHVSP, - ADDQ, ADDDW, SHLQ, SHLDW, - MULQ, - - DIVQ, - NANDQ, - NANDDW, - - JMP, - - VMEXIT + NANDDW }; enum extention_t @@ -85,8 +81,6 @@ namespace vm extern vm::handler::profile_t lconstwsxq; extern vm::handler::profile_t lconstdw; - extern vm::handler::profile_t pushvsp; - extern vm::handler::profile_t addq; extern vm::handler::profile_t adddw; 
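Review bot: Moving `PUSHVSP`, `MULQ`, `DIVQ`, `JMP` and `VMEXIT` from the tail of `mnemonic_t` to directly after `INVALID` (first and second hunks of include/vmprofiler.hpp) renumbers every enumerator that follows them — `SREGQ` was 1 and is now 7 — so anything that depends on the integer value (a serialized profile, a table indexed by mnemonic, a binary built against the old header) silently changes meaning. If the values are never persisted this is harmless, but that cannot be seen from the hunk. Appending `SHRQ` (and future additions) at the end keeps existing values stable; if the regrouping is intentional, a comment on the enum such as `// enumerator values are not stable across versions; never persist or index by them` would document that. The enum's opening is in the first hunk and its closing `};` in the second.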
@@ -96,42 +90,33 @@ namespace vm extern vm::handler::profile_t nandq; extern vm::handler::profile_t nanddw; - extern vm::handler::profile_t mulq; - extern vm::handler::profile_t divq; - extern vm::handler::profile_t jmp; - extern vm::handler::profile_t writeq; extern vm::handler::profile_t writedw; + extern vm::handler::profile_t shrq; + extern vm::handler::profile_t pushvsp; + extern vm::handler::profile_t mulq; + extern vm::handler::profile_t divq; + extern vm::handler::profile_t jmp; extern vm::handler::profile_t readq; extern vm::handler::profile_t vmexit; inline std::vector all = { &sregq, &sregdw, &sregw, - &lregq, &lregdw, - &lconstq, &lconstbzxw, &lconstbsxdw, &lconstdwsxq, &lconstwsxq, &lconstdw, - - &pushvsp, - &addq, &adddw, - - &mulq, - - &divq, - &shlq, &shldw, - &writeq, &writedw, - - &readq, - &nandq, &nanddw, + &shrq, + &readq, + &mulq, + &pushvsp, + &divq, &jmp, - &vmexit }; } diff --git a/src/vmprofiler.vcxproj b/src/vmprofiler.vcxproj index 407d106..a5424d9 100644 --- a/src/vmprofiler.vcxproj +++ b/src/vmprofiler.vcxproj @@ -111,6 +111,8 @@ + + diff --git a/src/vmprofiler.vcxproj.filters b/src/vmprofiler.vcxproj.filters index 3dd0543..3ecd888 100644 --- a/src/vmprofiler.vcxproj.filters +++ b/src/vmprofiler.vcxproj.filters @@ -74,6 +74,12 @@ Source Files\vmprofiles + + Source Files\vmprofiles + + + Source Files\vmprofiles + diff --git a/src/vmprofiles/shr.cpp b/src/vmprofiles/shr.cpp new file mode 100644 index 0000000..5ac355f --- /dev/null +++ b/src/vmprofiles/shr.cpp 
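Review bot: In the `all` vector the new `&shrq` entry is placed ahead of `&readq`, `&mulq`, `&pushvsp`, `&divq` and `&jmp` instead of next to the other shift profiles `&shlq`/`&shldw`, and those five existing entries are reordered as well. If `all` is scanned front-to-back with first-match-wins (not visible here), the order decides which profile a handler is attributed to and the move deserves a sentence in the commit message; if order is irrelevant, a comment such as `// order carries no priority: each profile is matched independently` would stop the next reader from guessing. Grouping `&shrq` with `&shlq`/`&shldw` would also keep the vector consistent with the grouping of the enum and the extern declarations above it.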
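Review bot: The src/vmprofiler.vcxproj hunk adds two `ClCompile` items and the src/vmprofiler.vcxproj.filters hunk adds two `Source Files\vmprofiles` entries, but the commit creates only one source file, src/vmprofiles/shr.cpp (the diffstat shows a single `create mode`). If the second item references another new .cpp, that file appears to be missing from this commit and the MSVC build would fail on the absent item; the element text is stripped in this rendering, so confirm against the actual `Include` attributes. If both items point at shr.cpp, one is a duplicate and should be dropped.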
@@ -0,0 +1,85 @@
+#include "../../include/vmprofiler.hpp"
+
+namespace vm
+{
+ namespace handler
+ {
+ namespace profile
+ {
+ vm::handler::profile_t shrq =
+ {
+ // MOV RAX, [RBP]
+ // MOV CL, [RBP+0x8]
+ // SUB RBP, 0x6
+ // SHR RAX, CL
+ // MOV [RBP+0x8], RAX
+ // PUSHFQ
+ // POP [RBP]
+ "SHRQ", SHRQ, NULL,
+ {
+ {
+ // MOV RAX, [RBP]
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[0].reg.value == ZYDIS_REGISTER_RAX &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[1].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // MOV CL, [RBP+0x8]
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[0].reg.value == ZYDIS_REGISTER_CL &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[1].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[1].mem.index == 0x8;
+ },
+ // SUB RBP, 0x6
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SUB &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[0].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[1].imm.value.u == 0x6;
+ },
+ // SHR RAX, CL
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_SHR &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[0].reg.value == ZYDIS_REGISTER_RAX &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[1].reg.value == ZYDIS_REGISTER_CL;
+ },
+ // MOV [RBP+0x8], RAX
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[0].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[0].mem.index == 0x8 &&
+ instr.operands[1].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[1].reg.value == ZYDIS_REGISTER_RAX;
+ },
+ // PUSHFQ
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ;
+ },
+ // POP [RBP]
+ [](const zydis_decoded_instr_t& instr) -> bool
+ {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POP &&
+ instr.operands[0].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[0].mem.base == ZYDIS_REGISTER_RBP;
+ }
+ }
+ }
+ };
+ }
+ }
+}
\ No newline at end of file
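Review bot: The `MOV CL, [RBP+0x8]` and `MOV [RBP+0x8], RAX` matchers test `instr.operands[1].mem.index == 0x8` and `instr.operands[0].mem.index == 0x8`, but, assuming `zydis_decoded_instr_t` aliases `ZydisDecodedInstruction`, `mem.index` is the index register (a `ZydisRegister`), not the displacement; a plain `[RBP+0x8]` operand has no index register, so both predicates are false for the instruction the comment describes and the SHRQ profile can never match. The displacement is `mem.disp.value`, so the two comparisons should read `instr.operands[1].mem.disp.value == 0x8` and `instr.operands[0].mem.disp.value == 0x8`. Minor: `"SHRQ", SHRQ, NULL,` should use `nullptr` for the pointer field, and the file is missing its trailing newline.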