VMProfiler  v1.8
vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.
vminstrs.hpp
Go to the documentation of this file.
1 #pragma once
2 #include <transform.hpp>
3 #include <vmctx.hpp>
4 #include <vmhandlers.hpp>
5 #include <vmp2.hpp>
6 
10 namespace vm::instrs
11 {
19  bool get_rva_decrypt( const zydis_routine_t &vm_entry, std::vector< zydis_decoded_instr_t > &transform_instrs );
20 
30  std::pair< std::uint64_t, std::uint64_t > decrypt_operand( transform::map_t &transforms, std::uint64_t operand,
31  std::uint64_t rolling_key );
32 
42  std::pair< std::uint64_t, std::uint64_t > encrypt_operand( transform::map_t &transforms, std::uint64_t operand,
43  std::uint64_t rolling_key );
44 
51  std::optional< virt_instr_t > get( vm::ctx_t &ctx, vmp2::v2::entry_t &entry );
52 
60  std::optional< std::uint64_t > get_imm( vm::ctx_t &ctx, std::uint8_t imm_size, std::uintptr_t vip );
61 
73  std::optional< jcc_data > get_jcc_data( vm::ctx_t &ctx, code_block_t &code_block );
74 
84  std::uintptr_t code_block_addr( const vm::ctx_t &ctx, const vmp2::v2::entry_t &entry );
85 
92  std::uintptr_t code_block_addr( const vm::ctx_t &ctx, const std::uint32_t lower_32bits );
93 } // namespace vm::instrs
vm::ctx_t
vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....
Definition: vmctx.hpp:13
vm::handler::imm_size
std::optional< std::uint8_t > imm_size(const zydis_routine_t &vm_handler)
gets the imm size of a vm handler...
Definition: vmhandler.cpp:108
vm::instrs
contains all functions related to virtual instructions...
Definition: vminstrs.hpp:11
vm::instrs::get_jcc_data
std::optional< jcc_data > get_jcc_data(vm::ctx_t &ctx, code_block_t &code_block)
get jcc data out of a code block... this function will loop over the code block and look for the last...
Definition: vminstrs.cpp:200
vm::instrs::encrypt_operand
std::pair< std::uint64_t, std::uint64_t > encrypt_operand(transform::map_t &transforms, std::uint64_t operand, std::uint64_t rolling_key)
encrypt a virtual instructions operand given the transformations to decrypt the operand....
Definition: vminstrs.cpp:64
vm::instrs::get_imm
std::optional< std::uint64_t > get_imm(vm::ctx_t &ctx, std::uint8_t imm_size, std::uintptr_t vip)
gets the encrypted second operand (imm) given vip and vm::ctx_t...
Definition: vminstrs.cpp:160
vm::instrs::code_block_addr
std::uintptr_t code_block_addr(const vm::ctx_t &ctx, const vmp2::v2::entry_t &entry)
the top of the stack will contain the lower 32bits of the RVA to the virtual instructions that will b...
Definition: vminstrs.cpp:263
vm::instrs::decrypt_operand
std::pair< std::uint64_t, std::uint64_t > decrypt_operand(transform::map_t &transforms, std::uint64_t operand, std::uint64_t rolling_key)
decrypt virtual instruction operand given the decryption transformations... you can read about these ...
Definition: vminstrs.cpp:5
vm::instrs::get
std::optional< virt_instr_t > get(vm::ctx_t &ctx, vmp2::v2::entry_t &entry)
get virt_instr_t filled in with data given a vmp2 trace entry and vm context...
Definition: vminstrs.cpp:173
vm::instrs::get_rva_decrypt
bool get_rva_decrypt(const zydis_routine_t &vm_entry, std::vector< zydis_decoded_instr_t > &transform_instrs)
gets the native instructions that are used to decrypt the relative virtual address to virtual instruc...
Definition: vminstrs.cpp:126
vm::transform::transforms
std::map< zydis_mnemonic_t, transform_t< T > > transforms
Definition: transform.hpp:207
vm::transform::map_t
std::map< transform::type, zydis_decoded_instr_t > map_t
map of transform type to zydis decoded instruction of the transform...
Definition: transform.hpp:150
vm::instrs::code_block_t
Definition: vmp2.hpp:187
vmp2::v2::entry_t
Definition: vmp2.hpp:101
zydis_routine_t
std::vector< zydis_instr_t > zydis_routine_t
Definition: vmutils.hpp:29
Generated by doxygen 1.9.1