added get_jcc_data functions v1.0, still testing...

4 years ago · cf40312564
parent ffd45ecb8a
commit cf40312564
3 changed files with 26 additions and 8 deletions
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@ -175,10 +175,9 @@ namespace vm
        explicit ctx_t( std::uintptr_t module_base, std::uintptr_t image_base, std::uintptr_t image_size,
                        std::uintptr_t vm_entry_rva );

-        // never change...
+        bool init();
        const std::uintptr_t module_base, image_base, vm_entry_rva, image_size;
-        const vmp2::exec_type_t exec_type;
-
+        vmp2::exec_type_t exec_type;
        zydis_routine_t vm_entry, calc_jmp;
        std::vector< vm::handler::handler_t > vm_handlers;
    };
--- a/src/vmctx.cpp
+++ b/src/vmctx.cpp
@ -6,11 +6,26 @@ namespace vm
                  std::uintptr_t vm_entry_rva )
        : module_base( module_base ), image_base( image_base ), image_size( image_size ), vm_entry_rva( vm_entry_rva )
    {
-        vm::util::flatten( vm_entry, vm_entry_rva + module_base );
+    }
+
+    bool ctx_t::init()
+    {
+        if ( !vm::util::flatten( vm_entry, vm_entry_rva + module_base ) )
+            return false;
+
        vm::util::deobfuscate( vm_entry );
-        vm::calc_jmp::get( vm_entry, calc_jmp );
+        if ( !vm::calc_jmp::get( vm_entry, calc_jmp ) )
+            return false;
+
+        if ( auto vm_handler_table = vm::handler::table::get( vm_entry );
+             !vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers ) )
+            return false;
+
+        if ( auto advancement = vm::calc_jmp::get_advancement( calc_jmp ); advancement.has_value() )
+            exec_type = advancement.value();
+        else
+            return false;

-        auto vm_handler_table = vm::handler::table::get( vm_entry );
-        vm::handler::get_all( module_base, image_base, vm_entry, vm_handler_table, vm_handlers );
+        return true;
    }
 } // namespace vm
--- a/src/vminstrs.cpp
+++ b/src/vminstrs.cpp
@ -254,7 +254,11 @@ namespace vm
            // else there are two branches...
            else
            {
-                jcc.block_rva[ 0 ] =
+                jcc.block_rva[ 0 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 0 ] ^ xor_key );
+                jcc.block_rva[ 1 ] = code_block_addr( vmctx, result->trace_data.vsp.qword[ 1 ] ^ xor_key );
+
+                jcc.has_jcc = true;
+                jcc.type = jcc_type::branching;
            }

            return jcc;