From c932e71cdd4e4e26d6a4ac7e2f8019a98d54871d Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Tue, 1 Jun 2021 22:26:58 -0700
Subject: [PATCH] added LRFLAGS virtual instruction
---
 include/vmprofiler.hpp | 4 +++-
 src/vmprofiles/lflags.cpp | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)
 create mode 100644 src/vmprofiles/lflags.cpp
diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index ff058b5..73a4a90 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -31,6 +31,7 @@ namespace vm
 enum mnemonic_t
 {
 INVALID,
+ LRFLAGS,
 PUSHVSP,
 MULQ,
 DIVQ,
@@ -166,6 +167,7 @@ namespace vm
 extern vm::handler::profile_t shrq;
 extern vm::handler::profile_t shrw;
+ extern vm::handler::profile_t lrflags;
 extern vm::handler::profile_t call;
 extern vm::handler::profile_t pushvsp;
 extern vm::handler::profile_t mulq;
@@ -181,7 +183,7 @@ namespace vm
 &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &nandw, &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp,
- &vmexit, &call };
+ &lrflags, &vmexit, &call };
 } // namespace profile
 } // namespace handler
 } // namespace vm
\ No newline at end of file
diff --git a/src/vmprofiles/lflags.cpp b/src/vmprofiles/lflags.cpp
new file mode 100644
index 0000000..ded18a8
--- /dev/null
+++ b/src/vmprofiles/lflags.cpp
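Review bot: Inserting LRFLAGS between INVALID and PUSHVSP in the first hunk renumbers every mnemonic_t enumerator that follows it, so any code that persists, prints or table-indexes the numeric value of a mnemonic would silently change meaning across this commit; nothing in the hunk shows such a use, so this is a risk to confirm rather than a visible defect. Appending new enumerators at the end of mnemonic_t, or giving the enumerators explicit values, avoids the question entirely. If the numeric value is known to be irrelevant, a comment on the enum such as `// numeric values are not stable across versions; do not persist them` would document that for the next addition. The enum's remaining enumerators and its closing brace lie outside the hunk.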
@@ -0,0 +1,34 @@
+#include "../../include/vmprofiler.hpp"
+
+namespace vm
+{
+ namespace handler
+ {
+ namespace profile
+ {
+ vm::handler::profile_t lrflags = {
+ // PUSH [RBP]
+ // ADD RBP, 0x8
+ // POPFQ
+ "LRFLAGS",
+ LRFLAGS,
+ NULL,
+ { { // PUSH [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_PUSH &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // ADD RBP, 0x8
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP;
+ },
+ // POPFQ
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_POPFQ;
+ } } } };
+ }
+ } // namespace handler
+} // namespace vm
\ No newline at end of file
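Review bot: The second matcher in the new lrflags profile accepts any `ADD RBP, <operand>` rather than the `ADD RBP, 0x8` its comment names, because only operands[0] is inspected; the first matcher is similarly loose and would also accept a `PUSH [RBP+disp]` with a non-zero displacement. If the profile is meant to pin the exact three-instruction sequence, the ADD lambda should additionally require `&& instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && instr.operands[ 1 ].imm.value.u == 0x8`; whether the looser match is deliberate (to tolerate variant handlers) is not visible here, so a one-line comment stating that intent would help either way. Two style points: `NULL` in the initializer is better written `nullptr` in code that already uses lambdas, and the file is named lflags.cpp while the profile, string and enumerator are all lrflags/LRFLAGS, which makes it harder to find by name.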