vm::transform Namespace Reference

Typedefs
template<typename T >
using	transform_t = std::function< T(T, T) >
	transform function, such as ADD, SUB, BSWAP... etc... More...
using	map_t = std::map< transform::type, zydis_decoded_instr_t >
	map of transform type to zydis decoded instruction of the transform... More...

Enumerations
enum class	type {   generic0 , rolling_key , generic1 , generic2 ,   generic3 , update_key }
	type of transformation... More...

Functions
template<class T >
T	__ROL__ (T value, int count)
	rotate left template function take from IDA SDK... More...
u8	__ROL1__ (u8 value, int count)
	rotate left a one byte value... More...
u16	__ROL2__ (u16 value, int count)
	rotate left a two byte value... More...
u32	__ROL4__ (u32 value, int count)
	rotate left a four byte value... More...
u64	__ROL8__ (u64 value, int count)
	rotate left an eight byte value... More...
u8	__ROR1__ (u8 value, int count)
	rotate right a one byte value... More...
u16	__ROR2__ (u16 value, int count)
	rotate right a two byte value... More...
u32	__ROR4__ (u32 value, int count)
	rotate right a four byte value... More...
u64	__ROR8__ (u64 value, int count)
	rotate right an eight byte value... More...
bool	valid (zydis_mnemonic_t op)
	determines if the given mnemonic is a valid transformation... More...
void	inverse_transforms (transform::map_t &transforms, transform::map_t &inverse)
	inverse operand decryption transformations... More...
auto	inverse_transforms (std::vector< zydis_decoded_instr_t > &instrs) -> bool
	inverse transformations given a vector of them... More...
auto	apply (std::uint8_t bitsize, ZydisMnemonic op, std::uint64_t a, std::uint64_t b) -> std::uint64_t
bool	has_imm (const zydis_decoded_instr_t *instr)
	determines if a given decoded instruction has a second operand that is an immediate value... More...

Variables
template<class T >
const auto	_bswap
template<class T >
const auto	_add = []( T a, T b ) -> T { return a + b; }
template<class T >
const auto	_xor = []( T a, T b ) -> T { return a ^ b; }
template<class T >
const auto	_sub = []( T a, T b ) -> T { return a - b; }
template<class T >
const auto	_neg = []( T a, T b ) -> T { return a * -1; }
template<class T >
const auto	_not = []( T a, T b ) -> T { return ~a; }
template<class T >
const auto	_ror
template<class T >
const auto	_rol
template<class T >
const auto	_inc = []( T a, T b ) -> T { return a + 1; }
template<class T >
const auto	_dec = []( T a, T b ) -> T { return a - 1; }
template<class T >
std::map< zydis_mnemonic_t, transform_t< T > >	transforms
std::map< zydis_mnemonic_t, zydis_mnemonic_t >	inverse

Typedef Documentation

map_t

using vm::transform::map_t = typedef std::map< transform::type, zydis_decoded_instr_t >

map of transform type to zydis decoded instruction of the transform...

transform_t

template<typename T >

using vm::transform::transform_t = typedef std::function< T( T, T ) >

transform function, such as ADD, SUB, BSWAP... etc...

Template Parameters

T	returns the transform result...

Enumeration Type Documentation

type

enum vm::transform::type

strong

type of transformation...

Enumerator
generic0
rolling_key
generic1
generic2
generic3
update_key

Function Documentation

__ROL1__()

u8 vm::transform::__ROL1__ ( u8  value, int  count  )

inline

rotate left a one byte value...

Parameters

value	byte value
count	number of bits to rotate

Returns

return rotated value...

__ROL2__()

u16 vm::transform::__ROL2__ ( u16  value, int  count  )

inline

rotate left a two byte value...

Parameters

value	two byte value to rotate...
count	number of bits to rotate...

Returns

return rotated value...

__ROL4__()

u32 vm::transform::__ROL4__ ( u32  value, int  count  )

inline

rotate left a four byte value...

Parameters

value	four byte value to rotate...
count	number of bits to shift...

Returns

return rotated value...

__ROL8__()

u64 vm::transform::__ROL8__ ( u64  value, int  count  )

inline

rotate left an eight byte value...

Parameters

value	eight byte value...
count	number of bits to shift...

Returns

return rotated value...

__ROL__()

template<class T >

T vm::transform::__ROL__ ( T  value, int  count  )

inline

rotate left template function take from IDA SDK...

Template Parameters

T	type of data to rotate left...

Parameters

value	value to rotate left
count	number of bits to rotate left...

Returns

returns the rotated value...

__ROR1__()

u8 vm::transform::__ROR1__ ( u8  value, int  count  )

inline

rotate right a one byte value...

Parameters

value	one byte value...
count	number of bits to shift...

Returns

return rotated value...

__ROR2__()

u16 vm::transform::__ROR2__ ( u16  value, int  count  )

inline

rotate right a two byte value...

Parameters

value	two byte value to rotate...
count	number of bits to shift...

Returns

__ROR4__()

u32 vm::transform::__ROR4__ ( u32  value, int  count  )

inline

rotate right a four byte value...

Parameters

value	four byte value to rotate...
count	number of bits to rotate...

Returns

return rotated value...

__ROR8__()

u64 vm::transform::__ROR8__ ( u64  value, int  count  )

inline

rotate right an eight byte value...

Parameters

value	eight byte value
count	number of bits to rotate...

Returns

return rotated value...

apply()

auto vm::transform::apply ( std::uint8_t  bitsize, ZydisMnemonic  op, std::uint64_t  a, std::uint64_t  b  ) -> std::uint64_t

inline

has_imm()

bool vm::transform::has_imm ( const zydis_decoded_instr_t *  instr )

inline

determines if a given decoded instruction has a second operand that is an immediate value...

Parameters

instr

pointer to a decoded instruction...

Returns

returns true if the second operand is of type immediate...

inverse_transforms() [1/2]

auto vm::transform::inverse_transforms ( std::vector< zydis_decoded_instr_t > &  instrs ) -> bool

inline

inverse transformations given a vector of them...

Parameters

instrs

reference to a vector of transformations...

Returns

returns true if all transformations were inversed...

inverse_transforms() [2/2]

void vm::transform::inverse_transforms ( transform::map_t &  transforms, transform::map_t &  inverse  )

inline

inverse operand decryption transformations...

Parameters

transforms	reference to the transformations to be inversed...
inverse	reference to the resulting inversed transformations...

valid()

bool vm::transform::valid ( zydis_mnemonic_t  op )

inline

determines if the given mnemonic is a valid transformation...

Parameters

op	mnemonic of the native instruction...

Returns

returns true if the mnemonic is a transformation...

Variable Documentation

_add

template<class T >

const auto vm::transform::_add = []( T a, T b ) -> T { return a + b; }

inline

_bswap

template<class T >

const auto vm::transform::_bswap

inline

Initial value:

= []( T a, T b ) -> T {
        if constexpr ( std::is_same_v< T, std::uint64_t > )
            return _byteswap_uint64( a );
        if constexpr ( std::is_same_v< T, std::uint32_t > )
            return _byteswap_ulong( a );
        if constexpr ( std::is_same_v< T, std::uint16_t > )
            return _byteswap_ushort( a );
 
        throw std::invalid_argument( "invalid type size..." );
    }

_dec

template<class T >

const auto vm::transform::_dec = []( T a, T b ) -> T { return a - 1; }

inline

_inc

template<class T >

const auto vm::transform::_inc = []( T a, T b ) -> T { return a + 1; }

inline

_neg

template<class T >

const auto vm::transform::_neg = []( T a, T b ) -> T { return a * -1; }

inline

_not

template<class T >

const auto vm::transform::_not = []( T a, T b ) -> T { return ~a; }

inline

_rol

template<class T >

const auto vm::transform::_rol

inline

Initial value:

= []( T a, T b ) -> T {
        if constexpr ( std::is_same_v< T, std::uint64_t > )
            return __ROL8__( a, b );
        if constexpr ( std::is_same_v< T, std::uint32_t > )
            return __ROL4__( a, b );
        if constexpr ( std::is_same_v< T, std::uint16_t > )
            return __ROL2__( a, b );
        if constexpr ( std::is_same_v< T, std::uint8_t > )
            return __ROL1__( a, b );
 
        throw std::invalid_argument( "invalid type size..." );
    }

_ror

template<class T >

const auto vm::transform::_ror

inline

Initial value:

= []( T a, T b ) -> T {
        if constexpr ( std::is_same_v< T, std::uint64_t > )
            return __ROR8__( a, b );
        if constexpr ( std::is_same_v< T, std::uint32_t > )
            return __ROR4__( a, b );
        if constexpr ( std::is_same_v< T, std::uint16_t > )
            return __ROR2__( a, b );
        if constexpr ( std::is_same_v< T, std::uint8_t > )
            return __ROR1__( a, b );
 
        throw std::invalid_argument( "invalid type size..." );
    }

_sub

template<class T >

const auto vm::transform::_sub = []( T a, T b ) -> T { return a - b; }

inline

_xor

template<class T >

const auto vm::transform::_xor = []( T a, T b ) -> T { return a ^ b; }

inline

inverse

std::map< zydis_mnemonic_t, zydis_mnemonic_t > vm::transform::inverse

inline

Initial value:

= {
        { ZYDIS_MNEMONIC_ADD, ZYDIS_MNEMONIC_SUB },     { ZYDIS_MNEMONIC_XOR, ZYDIS_MNEMONIC_XOR },
        { ZYDIS_MNEMONIC_BSWAP, ZYDIS_MNEMONIC_BSWAP }, { ZYDIS_MNEMONIC_SUB, ZYDIS_MNEMONIC_ADD },
        { ZYDIS_MNEMONIC_NEG, ZYDIS_MNEMONIC_NEG },     { ZYDIS_MNEMONIC_NOT, ZYDIS_MNEMONIC_NOT },
        { ZYDIS_MNEMONIC_ROR, ZYDIS_MNEMONIC_ROL },     { ZYDIS_MNEMONIC_ROL, ZYDIS_MNEMONIC_ROR },
        { ZYDIS_MNEMONIC_INC, ZYDIS_MNEMONIC_DEC },     { ZYDIS_MNEMONIC_DEC, ZYDIS_MNEMONIC_INC } }

transforms

template<class T >

std::map< zydis_mnemonic_t, transform_t< T > > vm::transform::transforms

inline

Initial value:

= {
        { ZYDIS_MNEMONIC_ADD, _add< T > }, { ZYDIS_MNEMONIC_XOR, _xor< T > }, { ZYDIS_MNEMONIC_BSWAP, _bswap< T > },
        { ZYDIS_MNEMONIC_SUB, _sub< T > }, { ZYDIS_MNEMONIC_NEG, _neg< T > }, { ZYDIS_MNEMONIC_NOT, _not< T > },
        { ZYDIS_MNEMONIC_ROR, _ror< T > }, { ZYDIS_MNEMONIC_ROL, _rol< T > }, { ZYDIS_MNEMONIC_INC, _inc< T > },
        { ZYDIS_MNEMONIC_DEC, _dec< T > } }