VMProfiler  v1.8
vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.
vmhandlers.hpp
Go to the documentation of this file.
1 #pragma once
2 #include <transform.hpp>
3 #include <vmprofiles.hpp>
4 
5 namespace vm::handler
6 {
12  struct handler_t
13  {
17  u8 imm_size;
18 
22  vm::transform::map_t transforms;
23 
27  vm::handler::profile_t *profile;
28 
32  zydis_routine_t instrs;
33 
37  std::uintptr_t address;
38  };
39 
45  bool has_imm( const zydis_routine_t &vm_handler );
46 
52  std::optional< std::uint8_t > imm_size( const zydis_routine_t &vm_handler );
53 
62  bool get( zydis_routine_t &vm_entry, zydis_routine_t &vm_handler, std::uintptr_t handler_addr );
63 
74  bool get_all( std::uintptr_t module_base, std::uintptr_t image_base, zydis_routine_t &vm_entry,
75  std::uintptr_t *vm_handler_table, std::vector< handler_t > &vm_handlers );
76 
84  bool get_operand_transforms( zydis_routine_t &vm_handler, transform::map_t &transforms );
85 
91  vm::handler::profile_t *get_profile( handler_t &vm_handler );
92 
98  vm::handler::profile_t *get_profile( vm::handler::mnemonic_t mnemonic );
99 
100  namespace table
101  {
107  std::uintptr_t *get( const zydis_routine_t &vm_entry );
108 
115  bool get_transform( const zydis_routine_t &vm_entry, zydis_decoded_instr_t *transform_instr );
116 
125  std::uint64_t encrypt( zydis_decoded_instr_t &transform_instr, std::uint64_t val );
126 
133  std::uint64_t decrypt( zydis_decoded_instr_t &transform_instr, std::uint64_t val );
134  } // namespace table
135 } // namespace vm::handler
vm::handler::table::get_transform
bool get_transform(const zydis_routine_t &vm_entry, zydis_decoded_instr_t *transform_instr)
get the single native instruction used to decrypt vm handler entries...
Definition: vmhandler.cpp:237
vm::handler::table::get
std::uintptr_t * get(const zydis_routine_t &vm_entry)
get the linear virtual address of the vm handler table give a deobfuscated, flattened,...
Definition: vmhandler.cpp:216
vm::handler::table::encrypt
std::uint64_t encrypt(zydis_decoded_instr_t &transform_instr, std::uint64_t val)
encrypt a linear virtual address given the transformation that is used to decrypt the vm handler tabl...
Definition: vmhandler.cpp:276
vm::handler::table::decrypt
std::uint64_t decrypt(zydis_decoded_instr_t &transform_instr, std::uint64_t val)
decrypts a vm handler table entry...
Definition: vmhandler.cpp:289
vm::handler
contains all information pertaining to vm handler identification...
Definition: vmhandlers.hpp:6
vm::handler::imm_size
std::optional< std::uint8_t > imm_size(const zydis_routine_t &vm_handler)
gets the imm size of a vm handler...
Definition: vmhandler.cpp:108
vm::handler::mnemonic_t
mnemonic_t
vm handler mnemonic... so you dont need to compare strings!
Definition: vmprofiles.hpp:13
vm::handler::get
bool get(zydis_routine_t &vm_entry, zydis_routine_t &vm_handler, std::uintptr_t handler_addr)
gets a vm handler, puts all of the native instructions inside of the vm_handler param....
Definition: vmhandler.cpp:5
vm::handler::has_imm
bool has_imm(const zydis_routine_t &vm_handler)
given a vm handler returns true if the vm handler decrypts an operand...
Definition: vmhandler.cpp:102
vm::handler::get_profile
vm::handler::profile_t * get_profile(handler_t &vm_handler)
get a vm handler profile given a handler_t...
Definition: vmhandler.cpp:177
vm::handler::get_operand_transforms
bool get_operand_transforms(zydis_routine_t &vm_handler, transform::map_t &transforms)
get operand decryption instructions given a vm handler...
Definition: vmhandler.cpp:117
vm::handler::get_all
bool get_all(std::uintptr_t module_base, std::uintptr_t image_base, zydis_routine_t &vm_entry, std::uintptr_t *vm_handler_table, std::vector< handler_t > &vm_handlers)
get all 256 vm handlers...
vm::transform::transforms
std::map< zydis_mnemonic_t, transform_t< T > > transforms
Definition: transform.hpp:207
vm::transform::map_t
std::map< transform::type, zydis_decoded_instr_t > map_t
map of transform type to zydis decoded instruction of the transform...
Definition: transform.hpp:150
vm::handler::handler_t
handler_t contains all the information for a vm handler such as its immidate value size (zero if ther...
Definition: vmhandlers.hpp:13
vm::handler::handler_t::transforms
vm::transform::map_t transforms
transformations to decrypt imm...
Definition: vmhandlers.hpp:22
vm::handler::handler_t::instrs
zydis_routine_t instrs
native instructions of the vm handler... (calc_jmp/check_vsp is removed from this)....
Definition: vmhandlers.hpp:32
vm::handler::handler_t::imm_size
u8 imm_size
imm size in bits, zero if no imm...
Definition: vmhandlers.hpp:17
vm::handler::handler_t::profile
vm::handler::profile_t * profile
pointer to the profile, nullptr if none...
Definition: vmhandlers.hpp:27
vm::handler::handler_t::address
std::uintptr_t address
linear virtual address to the vm handler...
Definition: vmhandlers.hpp:37
vm::handler::profile_t
pre defined vm handler profile containing all compiled time known information about a vm handler....
Definition: vmprofiles.hpp:84
zydis_routine_t
std::vector< zydis_instr_t > zydis_routine_t
Definition: vmutils.hpp:29
zydis_decoded_instr_t
ZydisDecodedInstruction zydis_decoded_instr_t
Definition: vmutils.hpp:18
u8
unsigned char u8
Definition: vmutils.hpp:12
Generated by doxygen 1.9.1