VMProfiler  v1.8
vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.
vmp2.hpp
Go to the documentation of this file.
1 #pragma once
2 #include <transform.hpp>
3 #include <vmhandlers.hpp>
4 #define VMP_MAGIC '2PMV'
5 
6 namespace vmp2
7 {
8  enum class exec_type_t
9  {
10  forward,
11  backward
12  };
13 
14  enum class version_t
15  {
16  invalid,
17  v1 = 0x101,
18  v2 = 0x102,
19  v3 = 0x103
20  };
21 
22  namespace v1
23  {
24  struct file_header
25  {
26  u32 magic; // VMP2
27  u64 epoch_time;
28  u64 module_base;
29  exec_type_t advancement;
30  version_t version;
31 
32  u32 entry_count;
33  u32 entry_offset;
34  };
35 
36  struct entry_t
37  {
38  u8 handler_idx;
39  u64 decrypt_key;
40  u64 vip;
41 
42  union
43  {
44  struct
45  {
46  u64 r15;
47  u64 r14;
48  u64 r13;
49  u64 r12;
50  u64 r11;
51  u64 r10;
52  u64 r9;
53  u64 r8;
54  u64 rbp;
55  u64 rdi;
56  u64 rsi;
57  u64 rdx;
58  u64 rcx;
59  u64 rbx;
60  u64 rax;
61  u64 rflags;
62  };
63  u64 raw[ 16 ];
64  } regs;
65 
66  union
67  {
68  u64 qword[ 0x28 ];
69  u8 raw[ 0x140 ];
70  } vregs;
71 
72  union
73  {
74  u64 qword[ 0x20 ];
75  u8 raw[ 0x100 ];
76  } vsp;
77  };
78  } // namespace v1
79 
80  namespace v2
81  {
82  struct file_header
83  {
84  u32 magic; // VMP2
85  u64 epoch_time;
86  version_t version;
87 
88  u64 module_base;
89  u64 image_base;
90  u64 vm_entry_rva;
91  exec_type_t advancement;
92 
93  u32 module_offset;
94  u32 module_size;
95 
96  u32 entry_count;
97  u32 entry_offset;
98  };
99 
100  struct entry_t
101  {
102  u8 handler_idx;
103  u64 decrypt_key;
104  u64 vip;
105 
106  union
107  {
108  struct
109  {
110  u64 r15;
111  u64 r14;
112  u64 r13;
113  u64 r12;
114  u64 r11;
115  u64 r10;
116  u64 r9;
117  u64 r8;
118  u64 rbp;
119  u64 rdi;
120  u64 rsi;
121  u64 rdx;
122  u64 rcx;
123  u64 rbx;
124  u64 rax;
125  u64 rflags;
126  };
127  u64 raw[ 16 ];
128  } regs;
129 
130  union
131  {
132  u64 qword[ 0x28 ];
133  u8 raw[ 0x140 ];
134  } vregs;
135 
136  union
137  {
138  u64 qword[ 0x20 ];
139  u8 raw[ 0x100 ];
140  } vsp;
141  };
142  } // namespace v2
143 } // namespace vmp2
144 
145 namespace vm
146 {
147  namespace instrs
148  {
149  struct virt_instr_t
150  {
151  vm::handler::mnemonic_t mnemonic_t;
152  std::uint8_t opcode; // aka vm handler idx...
153 
154  // can be used to look at values on the stack...
155  vmp2::v2::entry_t trace_data;
156 
157  struct
158  {
159  bool has_imm;
160  struct
161  {
162  std::uint8_t imm_size; // size in bits...
163  union
164  {
165  std::int64_t s;
166  std::uint64_t u;
167  };
168  } imm;
169  } operand;
170  };
171 
172  enum class jcc_type
173  {
174  none,
175  branching,
176  absolute
177  };
178 
179  struct jcc_data
180  {
181  bool has_jcc;
182  jcc_type type;
183  std::uintptr_t block_addr[ 2 ];
184  };
185 
186  struct code_block_t
187  {
188  std::uintptr_t vip_begin;
189  jcc_data jcc;
190  std::vector< virt_instr_t > vinstrs;
191  };
192  } // namespace instrs
193 } // namespace vm
194 
195 namespace vmp2
196 {
197  namespace v3
198  {
199  struct file_header
200  {
201  u32 magic; // VMP2
202  u64 epoch_time;
203  version_t version;
204 
205  u64 module_base;
206  u64 image_base;
207  u64 vm_entry_rva;
208 
209  u32 module_offset;
210  u32 module_size;
211 
212  u32 code_block_offset;
213  u32 code_block_count;
214  };
215 
216  struct code_block_t
217  {
218  std::uintptr_t vip_begin;
219  std::uintptr_t next_block_offset;
220  vm::instrs::jcc_data jcc;
221 
222  // serialized from std::vector<virt_instr_t>...
223  std::uint32_t vinstr_count;
224  vm::instrs::virt_instr_t vinstr[];
225  };
226  } // namespace v3
227 } // namespace vmp2
vm::handler::mnemonic_t
mnemonic_t
vm handler mnemonic... so you dont need to compare strings!
Definition: vmprofiles.hpp:13
vm::instrs::jcc_type
jcc_type
Definition: vmp2.hpp:173
vm
Definition: calc_jmp.hpp:6
vmp2
Definition: vmp2.hpp:7
vmp2::version_t
version_t
Definition: vmp2.hpp:15
vmp2::exec_type_t
exec_type_t
Definition: vmp2.hpp:9
vm::instrs::code_block_t
Definition: vmp2.hpp:187
vm::instrs::code_block_t::vinstrs
std::vector< virt_instr_t > vinstrs
Definition: vmp2.hpp:190
vm::instrs::code_block_t::jcc
jcc_data jcc
Definition: vmp2.hpp:189
vm::instrs::code_block_t::vip_begin
std::uintptr_t vip_begin
Definition: vmp2.hpp:188
vm::instrs::jcc_data
Definition: vmp2.hpp:180
vm::instrs::jcc_data::type
jcc_type type
Definition: vmp2.hpp:182
vm::instrs::jcc_data::block_addr
std::uintptr_t block_addr[2]
Definition: vmp2.hpp:183
vm::instrs::jcc_data::has_jcc
bool has_jcc
Definition: vmp2.hpp:181
vm::instrs::virt_instr_t
Definition: vmp2.hpp:150
vm::instrs::virt_instr_t::u
std::uint64_t u
Definition: vmp2.hpp:166
vm::instrs::virt_instr_t::imm_size
std::uint8_t imm_size
Definition: vmp2.hpp:162
vm::instrs::virt_instr_t::imm
struct vm::instrs::virt_instr_t::@10::@11 imm
vm::instrs::virt_instr_t::s
std::int64_t s
Definition: vmp2.hpp:165
vm::instrs::virt_instr_t::trace_data
vmp2::v2::entry_t trace_data
Definition: vmp2.hpp:155
vm::instrs::virt_instr_t::operand
struct vm::instrs::virt_instr_t::@10 operand
vm::instrs::virt_instr_t::mnemonic_t
vm::handler::mnemonic_t mnemonic_t
Definition: vmp2.hpp:151
vm::instrs::virt_instr_t::has_imm
bool has_imm
Definition: vmp2.hpp:159
vm::instrs::virt_instr_t::opcode
std::uint8_t opcode
Definition: vmp2.hpp:152
vmp2::v1::entry_t
Definition: vmp2.hpp:37
vmp2::v1::entry_t::rdi
u64 rdi
Definition: vmp2.hpp:55
vmp2::v1::entry_t::r11
u64 r11
Definition: vmp2.hpp:50
vmp2::v1::entry_t::qword
u64 qword[0x28]
Definition: vmp2.hpp:68
vmp2::v1::entry_t::raw
u64 raw[16]
Definition: vmp2.hpp:63
vmp2::v1::entry_t::r8
u64 r8
Definition: vmp2.hpp:53
vmp2::v1::entry_t::vsp
union vmp2::v1::entry_t::@2 vsp
vmp2::v1::entry_t::rdx
u64 rdx
Definition: vmp2.hpp:57
vmp2::v1::entry_t::handler_idx
u8 handler_idx
Definition: vmp2.hpp:38
vmp2::v1::entry_t::r14
u64 r14
Definition: vmp2.hpp:47
vmp2::v1::entry_t::r9
u64 r9
Definition: vmp2.hpp:52
vmp2::v1::entry_t::rbp
u64 rbp
Definition: vmp2.hpp:54
vmp2::v1::entry_t::r10
u64 r10
Definition: vmp2.hpp:51
vmp2::v1::entry_t::rsi
u64 rsi
Definition: vmp2.hpp:56
vmp2::v1::entry_t::r15
u64 r15
Definition: vmp2.hpp:46
vmp2::v1::entry_t::rflags
u64 rflags
Definition: vmp2.hpp:61
vmp2::v1::entry_t::r12
u64 r12
Definition: vmp2.hpp:49
vmp2::v1::entry_t::regs
union vmp2::v1::entry_t::@0 regs
vmp2::v1::entry_t::r13
u64 r13
Definition: vmp2.hpp:48
vmp2::v1::entry_t::rbx
u64 rbx
Definition: vmp2.hpp:59
vmp2::v1::entry_t::rcx
u64 rcx
Definition: vmp2.hpp:58
vmp2::v1::entry_t::vregs
union vmp2::v1::entry_t::@1 vregs
vmp2::v1::entry_t::rax
u64 rax
Definition: vmp2.hpp:60
vmp2::v1::entry_t::vip
u64 vip
Definition: vmp2.hpp:40
vmp2::v1::entry_t::decrypt_key
u64 decrypt_key
Definition: vmp2.hpp:39
vmp2::v1::file_header
Definition: vmp2.hpp:25
vmp2::v1::file_header::magic
u32 magic
Definition: vmp2.hpp:26
vmp2::v1::file_header::module_base
u64 module_base
Definition: vmp2.hpp:28
vmp2::v1::file_header::advancement
exec_type_t advancement
Definition: vmp2.hpp:29
vmp2::v1::file_header::version
version_t version
Definition: vmp2.hpp:30
vmp2::v1::file_header::entry_offset
u32 entry_offset
Definition: vmp2.hpp:33
vmp2::v1::file_header::entry_count
u32 entry_count
Definition: vmp2.hpp:32
vmp2::v1::file_header::epoch_time
u64 epoch_time
Definition: vmp2.hpp:27
vmp2::v2::entry_t
Definition: vmp2.hpp:101
vmp2::v2::entry_t::handler_idx
u8 handler_idx
Definition: vmp2.hpp:102
vmp2::v2::entry_t::r9
u64 r9
Definition: vmp2.hpp:116
vmp2::v2::entry_t::rsi
u64 rsi
Definition: vmp2.hpp:120
vmp2::v2::entry_t::raw
u64 raw[16]
Definition: vmp2.hpp:127
vmp2::v2::entry_t::vsp
union vmp2::v2::entry_t::@7 vsp
vmp2::v2::entry_t::r10
u64 r10
Definition: vmp2.hpp:115
vmp2::v2::entry_t::rax
u64 rax
Definition: vmp2.hpp:124
vmp2::v2::entry_t::r14
u64 r14
Definition: vmp2.hpp:111
vmp2::v2::entry_t::regs
union vmp2::v2::entry_t::@5 regs
vmp2::v2::entry_t::rdx
u64 rdx
Definition: vmp2.hpp:121
vmp2::v2::entry_t::rflags
u64 rflags
Definition: vmp2.hpp:125
vmp2::v2::entry_t::r8
u64 r8
Definition: vmp2.hpp:117
vmp2::v2::entry_t::r11
u64 r11
Definition: vmp2.hpp:114
vmp2::v2::entry_t::rdi
u64 rdi
Definition: vmp2.hpp:119
vmp2::v2::entry_t::decrypt_key
u64 decrypt_key
Definition: vmp2.hpp:103
vmp2::v2::entry_t::r12
u64 r12
Definition: vmp2.hpp:113
vmp2::v2::entry_t::r13
u64 r13
Definition: vmp2.hpp:112
vmp2::v2::entry_t::r15
u64 r15
Definition: vmp2.hpp:110
vmp2::v2::entry_t::rbp
u64 rbp
Definition: vmp2.hpp:118
vmp2::v2::entry_t::rbx
u64 rbx
Definition: vmp2.hpp:123
vmp2::v2::entry_t::qword
u64 qword[0x28]
Definition: vmp2.hpp:132
vmp2::v2::entry_t::rcx
u64 rcx
Definition: vmp2.hpp:122
vmp2::v2::entry_t::vip
u64 vip
Definition: vmp2.hpp:104
vmp2::v2::entry_t::vregs
union vmp2::v2::entry_t::@6 vregs
vmp2::v2::file_header
Definition: vmp2.hpp:83
vmp2::v2::file_header::version
version_t version
Definition: vmp2.hpp:86
vmp2::v2::file_header::module_offset
u32 module_offset
Definition: vmp2.hpp:93
vmp2::v2::file_header::entry_count
u32 entry_count
Definition: vmp2.hpp:96
vmp2::v2::file_header::epoch_time
u64 epoch_time
Definition: vmp2.hpp:85
vmp2::v2::file_header::entry_offset
u32 entry_offset
Definition: vmp2.hpp:97
vmp2::v2::file_header::module_base
u64 module_base
Definition: vmp2.hpp:88
vmp2::v2::file_header::image_base
u64 image_base
Definition: vmp2.hpp:89
vmp2::v2::file_header::advancement
exec_type_t advancement
Definition: vmp2.hpp:91
vmp2::v2::file_header::module_size
u32 module_size
Definition: vmp2.hpp:94
vmp2::v2::file_header::magic
u32 magic
Definition: vmp2.hpp:84
vmp2::v2::file_header::vm_entry_rva
u64 vm_entry_rva
Definition: vmp2.hpp:90
vmp2::v3::code_block_t
Definition: vmp2.hpp:217
vmp2::v3::code_block_t::jcc
vm::instrs::jcc_data jcc
Definition: vmp2.hpp:220
vmp2::v3::code_block_t::vinstr
vm::instrs::virt_instr_t vinstr[]
Definition: vmp2.hpp:224
vmp2::v3::code_block_t::next_block_offset
std::uintptr_t next_block_offset
Definition: vmp2.hpp:219
vmp2::v3::code_block_t::vip_begin
std::uintptr_t vip_begin
Definition: vmp2.hpp:218
vmp2::v3::code_block_t::vinstr_count
std::uint32_t vinstr_count
Definition: vmp2.hpp:223
vmp2::v3::file_header
Definition: vmp2.hpp:200
vmp2::v3::file_header::code_block_count
u32 code_block_count
Definition: vmp2.hpp:213
vmp2::v3::file_header::magic
u32 magic
Definition: vmp2.hpp:201
vmp2::v3::file_header::code_block_offset
u32 code_block_offset
Definition: vmp2.hpp:212
vmp2::v3::file_header::module_offset
u32 module_offset
Definition: vmp2.hpp:209
vmp2::v3::file_header::module_base
u64 module_base
Definition: vmp2.hpp:205
vmp2::v3::file_header::module_size
u32 module_size
Definition: vmp2.hpp:210
vmp2::v3::file_header::image_base
u64 image_base
Definition: vmp2.hpp:206
vmp2::v3::file_header::version
version_t version
Definition: vmp2.hpp:203
vmp2::v3::file_header::epoch_time
u64 epoch_time
Definition: vmp2.hpp:202
vmp2::v3::file_header::vm_entry_rva
u64 vm_entry_rva
Definition: vmp2.hpp:207
u64
unsigned long long u64
Definition: vmutils.hpp:15
u32
unsigned int u32
Definition: vmutils.hpp:14
u8
unsigned char u8
Definition: vmutils.hpp:12
Generated by doxygen 1.9.1