From cf403125643ac1e23391a36a3d8f484b33546a1f Mon Sep 17 00:00:00 2001
From: _xeroxz
Date: Wed, 2 Jun 2021 21:39:42 -0700
Subject: [PATCH] added get_jcc_data functions v1.0, still testing...

---
 include/vmprofiler.hpp | 5 ++---
 src/vmctx.cpp | 23 +++++++++++++++++++----
 src/vminstrs.cpp | 6 +++++-
 3 files changed, 26 insertions(+), 8 deletions(-)

diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index bbc0519..e9cd7ee 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -175,10 +175,9 @@ namespace vm
 
 explicit ctx_t( std::uintptr_t module_base, std::uintptr_t image_base, std::uintptr_t image_size,
 std::uintptr_t vm_entry_rva );
- // never change...
+ bool init();
 const std::uintptr_t module_base, image_base, vm_entry_rva, image_size;
- const vmp2::exec_type_t exec_type;
-
+ vmp2::exec_type_t exec_type;
 zydis_routine_t vm_entry, calc_jmp;
 std::vector< vm::handler::handler_t > vm_handlers;
 };
diff --git a/src/vmctx.cpp b/src/vmctx.cpp
index 145a1ec..e3742cc 100644
--- a/src/vmctx.cpp
+++ b/src/vmctx.cpp
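Review bot: The new `vmp2::exec_type_t exec_type;` line drops both `const` and any initializer, so a `ctx_t` whose `init()` failed, or was never called, carries an indeterminate `exec_type` that later code may read; a default member initializer `vmp2::exec_type_t exec_type{};` removes that window. The new `bool init();` is also easy to call without checking the result, which is the only signal that the context is usable; declaring it `[[nodiscard]] bool init();` makes the compiler flag an ignored return. The class definition starts before this hunk, so the constructor's initializer list and any other members are not visible here. A one-line comment above `init()` stating that it must be called once after construction and that the object is unusable when it returns false would document the two-phase construction this change introduces.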
@@ -6,11 +6,26 @@ namespace vm
 std::uintptr_t vm_entry_rva )
 : module_base( module_base ), image_base( image_base ), image_size( image_size ), vm_entry_rva( vm_entry_rva )
 {
- vm::util::flatten( vm_entry, vm_entry_rva + module_base );
+ }
+
+ bool ctx_t::init()
+ {
+ if ( !vm::util::flatten( vm_entry, vm_entry_rva + module_base ) )
+ return false;
+
 vm::util::deobfuscate( vm_entry );
- vm::calc_jmp::get( vm_entry, calc_jmp );
+ if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) )
+ return false;
+
+ if ( auto vm_handler_table = vm::handler::table::get( vm_entry );
+ !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) )
+ return false;
+
+ if ( auto advancement = vm::calc_jmp::get_advancement( calc_jmp ); advancement.has_value() )
+ exec_type = advancement.value();
+ else
+ return false;
 
- auto vm_handler_table = vm::handler::table::get( vm_entry );
- vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers );
+ return true;
 }
 } // namespace vm
\ No newline at end of file
diff --git a/src/vminstrs.cpp b/src/vminstrs.cpp
index f2d5df2..09e0ac5 100644
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@@ -254,7 +254,11 @@ namespace vm
 // else there are two branches...
 else
 {
- jcc.block_rva[ 0 ] =
+ jcc.block_rva[ 0 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 0 ] ^ xor_key );
+ jcc.block_rva[ 1 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 1 ] ^ xor_key );
+
+ jcc.has_jcc = true;
+ jcc.type = jcc_type::branching;
 }
 
 return jcc;
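Review bot: `init()` passes `vm_entry_rva + module_base` to `vm::util::flatten` without comparing `vm_entry_rva` against the `image_size` the object already carries, so an out-of-range entry RVA from a malformed input is only rejected if `flatten` validates it internally, which is not visible here; assuming `image_size` is the mapped image size, a guard `if ( vm_entry_rva >= image_size ) return false;` at the top of `init()` makes the check explicit at the point where the address is formed. Each early `return false` also leaves `vm_entry`, `calc_jmp` and `vm_handlers` in whatever state the earlier steps produced and `exec_type` unset, so a comment above `bool ctx_t::init()` saying that a false return means the context must not be used would spare callers from guessing. The trailing `if/else` on `advancement` reads more directly as `if ( !advancement.has_value() ) return false;` followed by `exec_type = advancement.value();`.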
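Review bot: The two targets returned by `code_block_addr` are stored into `jcc.block_rva[ 0 ]` and `jcc.block_rva[ 1 ]` and the block is marked with `jcc.has_jcc = true` and `jcc.type = jcc_type::branching` without any check on what came back, so a decoded value outside the image, or two identical targets, still produces a "branching" result unless `code_block_addr` rejects such values itself, which this hunk does not show. Since the preceding comment `// else there are two branches...` suggests this arm assumes two distinct successors, a guard such as `if ( jcc.block_rva[ 0 ] == jcc.block_rva[ 1 ] ) return jcc;` before the `has_jcc` assignment, plus whatever range check `code_block_addr` does not already perform, keeps a malformed trace from yielding a bogus two-way branch. The enclosing function starts before this hunk, so whether `result` has already been validated before `result->trace_data` is dereferenced is not visible either.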