|
|
@ -22,8 +22,8 @@ namespace vm
|
|
|
|
// find LEA RAX, [RDI+0xE0], else determine if the instruction is inside of calc_jmp...
|
|
|
|
// find LEA RAX, [RDI+0xE0], else determine if the instruction is inside of calc_jmp...
|
|
|
|
auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr ) -> bool {
|
|
|
|
auto result = std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr ) -> bool {
|
|
|
|
return instr.instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
|
|
|
|
return instr.instr.mnemonic == ZYDIS_MNEMONIC_LEA &&
|
|
|
|
instr.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
|
|
|
|
instr.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX &&
|
|
|
|
instr.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RDI &&
|
|
|
|
instr.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RDI &&
|
|
|
|
instr.instr.operands[ 1 ].mem.disp.value == 0xE0
|
|
|
|
instr.instr.operands[ 1 ].mem.disp.value == 0xE0
|
|
|
|
? true
|
|
|
|
? true
|
|
|
|
: calc_jmp_check( instr.addr );
|
|
|
|
: calc_jmp_check( instr.addr );
|
|
|
@ -124,13 +124,13 @@ namespace vm
|
|
|
|
std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
|
|
|
std::find_if( vm_handler.begin(), vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
|
|
|
// mov/movsx/movzx rax/eax/ax/al, [rsi]
|
|
|
|
// mov/movsx/movzx rax/eax/ax/al, [rsi]
|
|
|
|
return instr_data.instr.operand_count > 1 &&
|
|
|
|
return instr_data.instr.operand_count > 1 &&
|
|
|
|
( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV ||
|
|
|
|
( instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOV ||
|
|
|
|
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX ||
|
|
|
|
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVSX ||
|
|
|
|
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) &&
|
|
|
|
instr_data.instr.mnemonic == ZYDIS_MNEMONIC_MOVZX ) &&
|
|
|
|
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
|
|
instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
|
|
|
|
util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX &&
|
|
|
|
util::reg::to64( instr_data.instr.operands[ 0 ].reg.value ) == ZYDIS_REGISTER_RAX &&
|
|
|
|
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
|
|
|
|
instr_data.instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
|
|
|
|
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI;
|
|
|
|
instr_data.instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RSI;
|
|
|
|
} );
|
|
|
|
} );
|
|
|
|
|
|
|
|
|
|
|
|
if ( result == vm_handler.end() )
|
|
|
|
if ( result == vm_handler.end() )
|
|
|
@ -196,7 +196,7 @@ namespace vm
|
|
|
|
transform_instr =
|
|
|
|
transform_instr =
|
|
|
|
std::find_if( ++transform_instr, vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
|
|
|
std::find_if( ++transform_instr, vm_handler.end(), []( const zydis_instr_t &instr_data ) -> bool {
|
|
|
|
return vm::transform::valid( instr_data.instr.mnemonic ) &&
|
|
|
|
return vm::transform::valid( instr_data.instr.mnemonic ) &&
|
|
|
|
instr_data.instr.operands[0].actions & ZYDIS_OPERAND_ACTION_WRITE &&
|
|
|
|
instr_data.instr.operands[ 0 ].actions & ZYDIS_OPERAND_ACTION_WRITE &&
|
|
|
|
util::reg::compare( instr_data.instr.operands[ 0 ].reg.value, ZYDIS_REGISTER_RAX );
|
|
|
|
util::reg::compare( instr_data.instr.operands[ 0 ].reg.value, ZYDIS_REGISTER_RAX );
|
|
|
|
} );
|
|
|
|
} );
|
|
|
|
|
|
|
|
|
|
|
@ -219,8 +219,10 @@ namespace vm
|
|
|
|
|
|
|
|
|
|
|
|
for ( auto &instr : vprofile->signature )
|
|
|
|
for ( auto &instr : vprofile->signature )
|
|
|
|
{
|
|
|
|
{
|
|
|
|
contains = std::find_if(contains, vm_handler->instrs.end(),
|
|
|
|
contains =
|
|
|
|
[ & ]( zydis_instr_t &instr_data ) -> bool { return instr( instr_data.instr ); } );
|
|
|
|
std::find_if( contains, vm_handler->instrs.end(), [ & ]( zydis_instr_t &instr_data ) -> bool {
|
|
|
|
|
|
|
|
return instr( instr_data.instr );
|
|
|
|
|
|
|
|
} );
|
|
|
|
|
|
|
|
|
|
|
|
if ( contains == vm_handler->instrs.end() )
|
|
|
|
if ( contains == vm_handler->instrs.end() )
|
|
|
|
return false;
|
|
|
|
return false;
|
|
|
@ -236,6 +238,15 @@ namespace vm
|
|
|
|
return nullptr;
|
|
|
|
return nullptr;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
vm::handler::profile_t *get_profile( vm::handler::mnemonic_t mnemonic )
|
|
|
|
|
|
|
|
{
|
|
|
|
|
|
|
|
auto result = std::find_if(
|
|
|
|
|
|
|
|
vm::handler::profile::all.begin(), vm::handler::profile::all.end(),
|
|
|
|
|
|
|
|
[ & ]( vm::handler::profile_t *profile ) -> bool { return profile->mnemonic == mnemonic; } );
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return result != vm::handler::profile::all.end() ? *result : nullptr;
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
namespace table
|
|
|
|
namespace table
|
|
|
|
{
|
|
|
|
{
|
|
|
|
std::uintptr_t *get( const zydis_routine_t &vm_entry )
|
|
|
|
std::uintptr_t *get( const zydis_routine_t &vm_entry )
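Review bot: The new get_profile added in this hunk returns a raw pointer with nullptr as its not-found sentinel but carries no comment saying so, and every caller must know to null-check before dereferencing; I would put `/// Looks up the handler profile for `mnemonic` in vm::handler::profile::all; returns the first match, or nullptr if none is registered — callers must null-check.` above the signature. The lambda only reads `mnemonic`, so capturing `[ mnemonic ]` and taking `const vm::handler::profile_t *profile` as the parameter would state the read-only intent explicitly; I am inferring that `profile::all` holds raw `profile_t *` from the `*result` return, which the hunk itself does not show. The predicate also returns only the first profile whose `mnemonic` matches, so if `all` ever holds two entries for the same mnemonic the later one is silently ignored — worth either a comment stating that first-match is intended or a duplicate check where the table is populated.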
|
|
|
|