VMProfiler  v1.8
vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.
Namespaces | Classes | Typedefs | Enumerations | Functions
vm::handler Namespace Reference

contains all information pertaining to vm handler identification... More...

Namespaces

 profile
 contains all profiles defined, as well as a vector of all of the defined profiles...
 
 table
 

Classes

struct  handler_t
 handler_t contains all the information for a vm handler such as its immidate value size (zero if there is no imm), the transformations applied to the imm to decrypt it (if any), a pointer to the profile (nullptr if there is none), and other meta data... More...
 
struct  profile_t
 pre defined vm handler profile containing all compiled time known information about a vm handler... More...
 

Typedefs

using zydis_callback_t = std::function< bool(const zydis_decoded_instr_t &instr) >
 zydis callback lambda used to pattern match native instructions... More...
 

Enumerations

enum  mnemonic_t {
  INVALID , LRFLAGS , PUSHVSP , MULQ ,
  DIVQ , CALL , JMP , VMEXIT ,
  LVSP , SREGQ , SREGDW , SREGW ,
  LREGQ , LREGDW , LCONSTQ , LCONSTBZXW ,
  LCONSTBSXQ , LCONSTBSXDW , LCONSTDWSXQ , LCONSTWSXQ ,
  LCONSTWSXDW , LCONSTDW , LCONSTW , READQ ,
  READDW , READW , WRITEQ , WRITEDW ,
  WRITEW , WRITEB , ADDQ , ADDDW ,
  ADDW , SHLQ , SHLDW , SHRQ ,
  SHRW , NANDQ , NANDDW , NANDW
}
 vm handler mnemonic... so you dont need to compare strings! More...
 
enum  extention_t { none , sign_extend , zero_extend }
 how sign extention is handled... More...
 

Functions

bool has_imm (const zydis_routine_t &vm_handler)
 given a vm handler returns true if the vm handler decrypts an operand... More...
 
std::optional< std::uint8_t > imm_size (const zydis_routine_t &vm_handler)
 gets the imm size of a vm handler... More...
 
bool get (zydis_routine_t &vm_entry, zydis_routine_t &vm_handler, std::uintptr_t handler_addr)
 gets a vm handler, puts all of the native instructions inside of the vm_handler param... More...
 
bool get_all (std::uintptr_t module_base, std::uintptr_t image_base, zydis_routine_t &vm_entry, std::uintptr_t *vm_handler_table, std::vector< handler_t > &vm_handlers)
 get all 256 vm handlers... More...
 
bool get_operand_transforms (zydis_routine_t &vm_handler, transform::map_t &transforms)
 get operand decryption instructions given a vm handler... More...
 
vm::handler::profile_tget_profile (handler_t &vm_handler)
 get a vm handler profile given a handler_t... More...
 
vm::handler::profile_tget_profile (vm::handler::mnemonic_t mnemonic)
 get a vm handler profile given the mnemonic of the vm handler... More...
 
bool get_all (std::uintptr_t module_base, std::uintptr_t image_base, zydis_routine_t &vm_entry, std::uintptr_t *vm_handler_table, std::vector< vm::handler::handler_t > &vm_handlers)
 

Detailed Description

contains all information pertaining to vm handler identification...

Typedef Documentation

◆ zydis_callback_t

using vm::handler::zydis_callback_t = typedef std::function< bool( const zydis_decoded_instr_t &instr ) >

zydis callback lambda used to pattern match native instructions...

Enumeration Type Documentation

◆ extention_t

enum vm::handler::extention_t

how sign extention is handled...

Enumerator
none 
sign_extend 
zero_extend 

◆ mnemonic_t

enum vm::handler::mnemonic_t

vm handler mnemonic... so you dont need to compare strings!

Enumerator
INVALID 
LRFLAGS 
PUSHVSP 
MULQ 
DIVQ 
CALL 
JMP 
VMEXIT 
LVSP 
SREGQ 
SREGDW 
SREGW 
LREGQ 
LREGDW 
LCONSTQ 
LCONSTBZXW 
LCONSTBSXQ 
LCONSTBSXDW 
LCONSTDWSXQ 
LCONSTWSXQ 
LCONSTWSXDW 
LCONSTDW 
LCONSTW 
READQ 
READDW 
READW 
WRITEQ 
WRITEDW 
WRITEW 
WRITEB 
ADDQ 
ADDDW 
ADDW 
SHLQ 
SHLDW 
SHRQ 
SHRW 
NANDQ 
NANDDW 
NANDW 

Function Documentation

◆ get()

bool vm::handler::get ( zydis_routine_t vm_entry,
zydis_routine_t vm_handler,
std::uintptr_t  handler_addr 
)

gets a vm handler, puts all of the native instructions inside of the vm_handler param...

Parameters
vm_entryreference to a zydis_routine_t containing the native instructions of a vm entry...
vm_handlerreference to a zydis_routine_t that will get filled with the native instructions of the vm handler...
handler_addrlinear virtual address to the first instruction of the vm handler...
Returns
returns true if the native instructions of the vm handler was extracted...

◆ get_all() [1/2]

bool vm::handler::get_all ( std::uintptr_t  module_base,
std::uintptr_t  image_base,
zydis_routine_t vm_entry,
std::uintptr_t *  vm_handler_table,
std::vector< handler_t > &  vm_handlers 
)

get all 256 vm handlers...

Parameters
module_baselinear virtual address of the module base...
image_baseimage base from optional nt header... IMAGE_OPTIONAL_HEADER64...
vm_entryzydis_routine_t containing the deobfuscated and flattened vm entry native instructions...
vm_handler_tablelinear virtual address to the vm handler table...
vm_handlersvector of handler_t's that will be filled with the vm handlers...
Returns
returns true if all vm handlers were extracted, else false...

◆ get_all() [2/2]

bool vm::handler::get_all ( std::uintptr_t  module_base,
std::uintptr_t  image_base,
zydis_routine_t vm_entry,
std::uintptr_t *  vm_handler_table,
std::vector< vm::handler::handler_t > &  vm_handlers 
)

◆ get_operand_transforms()

bool vm::handler::get_operand_transforms ( zydis_routine_t vm_handler,
transform::map_t transforms 
)

get operand decryption instructions given a vm handler...

Parameters
vm_handlerreference to a zydis_routine_t containing the deobfuscated and flattened vm handler native instructions...
transformsreference to a transform::map_t that will get filled up with the transforms needed to decrypt operands...
Returns
returns true if the transformations were extracted successfully

◆ get_profile() [1/2]

vm::handler::profile_t * vm::handler::get_profile ( handler_t vm_handler)

get a vm handler profile given a handler_t...

Parameters
vm_handlerreference to a handler_t structure that contains all the information of a given vm handler...
Returns
returns a pointer to the vm profile, else a nullptr...

◆ get_profile() [2/2]

vm::handler::profile_t * vm::handler::get_profile ( vm::handler::mnemonic_t  mnemonic)

get a vm handler profile given the mnemonic of the vm handler...

Parameters
mnemonicmnemonic of the vm handler...
Returns
returns a pointer to the profile if the given menmonic is implimented, else a nullptr...

◆ has_imm()

bool vm::handler::has_imm ( const zydis_routine_t vm_handler)

given a vm handler returns true if the vm handler decrypts an operand...

Parameters
vm_handlerconst reference to a vm handler...
Returns
returns true if the vm handler decrypts an operand, else false...

◆ imm_size()

std::optional< std::uint8_t > vm::handler::imm_size ( const zydis_routine_t vm_handler)

gets the imm size of a vm handler...

Parameters
vm_handlerconst reference to a vm handler...
Returns
returns the imm size, otherwise returns an empty optional value...
Generated by doxygen 1.9.1