VMProfiler  v1.8
vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.
vm::util Namespace Reference

utils used by the other cpp files... misc things that get used a lot...

Namespaces

 reg
 utils pertaining to native registers...
 

Functions

bool get_fetch_operand (const zydis_routine_t &routine, zydis_instr_t &fetch_instr)
 get the instruction that fetches an operand out of VIP...

std::optional< zydis_routine_t::iterator > get_fetch_operand (zydis_routine_t &routine)
 gets the instruction that fetches an operand out of VIP and returns an iterator to it...

void print (zydis_routine_t &routine)
 prints a disassembly view of a routine...

void print (const zydis_decoded_instr_t &instr)
 prints a single disassembly view of an instruction...

bool is_jmp (const zydis_decoded_instr_t &instr)
 determines if a given decoded native instruction is a JCC...

bool flatten (zydis_routine_t &routine, std::uintptr_t routine_addr, bool keep_jmps=false)
 flatten native instruction stream, takes every JCC (follows the branch)...

void deobfuscate (zydis_routine_t &routine)
 deadstore deobfuscation of a flattened routine...

Function Documentation

◆ deobfuscate()

void vm::util::deobfuscate (zydis_routine_t &routine)

deadstore deobfuscation of a flattened routine...

Parameters
routine: reference to a flattened instruction vector...

◆ flatten()

bool vm::util::flatten (zydis_routine_t &routine, std::uintptr_t routine_addr, bool keep_jmps = false)

flatten native instruction stream, takes every JCC (follows the branch)...

Parameters
routine: filled with decoded instructions...
routine_addr: linear virtual address to start flattening from...
keep_jmps: keep JCC's in the flattened instruction stream...
Returns
returns true if flattening was successful...
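The three steps documented on this page (flatten a routine by following every branch, strip its dead stores, then locate the instruction that reads the next operand out of VIP) are shown below as an added example. This is not vmprofiler's own code: real vmprofiler operates on Zydis-decoded instructions (zydis_routine_t), whereas here a small Instr struct and a fixed address-to-instruction map stand in for the decoder, the set of registers live at routine exit is supplied by the caller, and the register holding VIP is passed in by name. All of those are assumptions of the example, as are the sample addresses and instructions.

```cpp
// Added example (not vmprofiler's code): toy model of vm::util::flatten,
// vm::util::deobfuscate and vm::util::get_fetch_operand. The Instr struct,
// the Image map and the VIP register name are all stand-ins/assumptions.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <map>
#include <optional>
#include <set>
#include <string>
#include <vector>

enum class Op { Mov, Add, Load, Jmp, Jcc, Ret };

struct Instr {
    std::uintptr_t addr;               // linear address of the instruction
    Op op;
    std::string dst;                   // register written ("" if none)
    std::vector<std::string> srcs;     // registers read (Add lists dst here too)
    std::uintptr_t next = 0;           // fall-through address (0 at a Ret)
    std::uintptr_t target = 0;         // branch target for Jmp/Jcc
    bool mem_read = false;             // reads memory with srcs[0] as base
};

using Routine = std::vector<Instr>;
using Image = std::map<std::uintptr_t, Instr>;   // stands in for the decoder

// Model of flatten: start at routine_addr and follow every JMP/JCC (the JCCs
// are treated as always taken), stopping at the first RET. Returns false if a
// branch leaves the decoded image or the walk revisits an address (a loop).
bool flatten(const Image& img, Routine& routine, std::uintptr_t routine_addr,
             bool keep_jmps = false) {
    routine.clear();
    std::set<std::uintptr_t> seen;
    std::uintptr_t ip = routine_addr;
    while (true) {
        auto it = img.find(ip);
        if (it == img.end() || !seen.insert(ip).second) return false;
        const Instr& ins = it->second;
        switch (ins.op) {
            case Op::Jmp:
            case Op::Jcc:
                if (keep_jmps) routine.push_back(ins);
                ip = ins.target;        // take the branch
                break;
            case Op::Ret:
                routine.push_back(ins);
                return true;
            default:
                routine.push_back(ins);
                ip = ins.next;
        }
    }
}

// Model of deobfuscate: dead-store elimination over a flattened routine via a
// backward liveness walk. `live` starts as the registers that must survive
// the routine (assumption: the caller knows them).
void deobfuscate(Routine& routine, std::set<std::string> live) {
    Routine kept;
    for (auto it = routine.rbegin(); it != routine.rend(); ++it) {
        const Instr& ins = *it;
        bool writes_reg = !ins.dst.empty();
        bool pure = ins.op == Op::Mov || ins.op == Op::Add || ins.op == Op::Load;
        if (pure && writes_reg && !live.count(ins.dst)) continue;  // dead store
        if (writes_reg) live.erase(ins.dst);
        live.insert(ins.srcs.begin(), ins.srcs.end());
        kept.push_back(ins);
    }
    routine.assign(kept.rbegin(), kept.rend());
}

// Model of get_fetch_operand: index of the first instruction that reads
// memory through the VIP register, std::nullopt if there is none.
std::optional<std::size_t> get_fetch_operand(const Routine& routine,
                                             const std::string& vip_reg) {
    for (std::size_t i = 0; i < routine.size(); ++i)
        if (routine[i].mem_read && !routine[i].srcs.empty() &&
            routine[i].srcs[0] == vip_reg)
            return i;
    return std::nullopt;
}

// Constructed sample image: an opaque JCC with unreachable junk behind it and
// two writes to rax that are never read before being overwritten.
Image sample_image() {
    return {
        {0x1000, {0x1000, Op::Mov,  "rax", {"rbx"}, 0x1003}},           // dead
        {0x1003, {0x1003, Op::Jcc,  "",    {},      0x1005, 0x2000}},
        {0x1005, {0x1005, Op::Mov,  "rcx", {"rdx"}, 0x1008}},           // never reached
        {0x2000, {0x2000, Op::Mov,  "rax", {"rdx"}, 0x2003}},           // dead
        {0x2003, {0x2003, Op::Load, "rax", {"rsi"}, 0x2006, 0, true}},  // fetch from [VIP]
        {0x2006, {0x2006, Op::Add,  "rsi", {"rsi"}, 0x2009}},           // advance VIP
        {0x2009, {0x2009, Op::Jmp,  "",    {},      0x200b, 0x3000}},
        {0x3000, {0x3000, Op::Ret,  "",    {},      0}},
    };
}

// Runs the sample through flatten and optionally deobfuscate (rax and rsi
// are assumed live at exit).
Routine flatten_sample(bool keep_jmps, bool deob) {
    Routine r;
    if (!flatten(sample_image(), r, 0x1000, keep_jmps)) return {};
    if (deob) deobfuscate(r, {"rax", "rsi"});
    return r;
}

// A JMP back to the start, or an address outside the image, must fail
// rather than spin forever.
bool flatten_rejects_bad_input() {
    Image img = sample_image();
    img[0x3000] = Instr{0x3000, Op::Jmp, "", {}, 0, 0x1000};
    Routine r;
    return !flatten(img, r, 0x1000) && !flatten(img, r, 0x9999);
}

int main() {
    for (const Instr& i : flatten_sample(false, true))
        std::cout << std::hex << i.addr << '\n';   // prints 2003, 2006, 3000
    return flatten_rejects_bad_input() ? 0 : 1;
}
```

The sample flattens to five instructions without jumps (seven with keep_jmps), the liveness walk then drops the two dead writes to rax, and the fetch instruction moves from index 2 to index 0 of the cleaned routine. The loop check matters in practice: obfuscated code that jumps back on itself would otherwise make a branch-following walk run forever.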

◆ get_fetch_operand() [1/2]

bool vm::util::get_fetch_operand (const zydis_routine_t &routine, zydis_instr_t &fetch_instr)

get the instruction that fetches an operand out of VIP...

Parameters
routine: this is a deobfuscated, flattened view of any set of native instructions that read an operand out of VIP... can be calc_jmp, vm_entry, or vm handlers...
fetch_instr
Returns
returns true if the fetch operand native instruction is found...

◆ get_fetch_operand() [2/2]

std::optional< zydis_routine_t::iterator > vm::util::get_fetch_operand (zydis_routine_t &routine)

gets the instruction that fetches an operand out of VIP and returns an iterator to it...

Parameters
routine: this is a deobfuscated, flattened view of any set of native instructions that read an operand out of VIP... can be calc_jmp, vm_entry, or vm handlers...
Returns
returns the iterator of the native instruction, else an empty std::optional...

◆ is_jmp()

bool vm::util::is_jmp (const zydis_decoded_instr_t &instr)

determines if a given decoded native instruction is a JCC...

Parameters
instr
Returns
◆ print() [1/2]

void vm::util::print (const zydis_decoded_instr_t &instr)

prints a single disassembly view of an instruction...

Parameters
instr: instruction to print...

◆ print() [2/2]

void vm::util::print (zydis_routine_t &routine)

prints a disassembly view of a routine...

Parameters
routine: reference to a zydis_routine_t to be printed...