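#pragma once
// NOTE(review): the argument of the include below was lost when this page was
// extracted (angle-bracket header name stripped); it is kept as found.
#include
// Include what this header itself uses instead of relying on the project
// header above to pull these in transitively.
#include <functional>
#include <vector>

///
/// contains all information pertaining to vm handler identification...
///
namespace vm::handler
{
    ///
    /// vm handler mnemonic... so you don't need to compare strings!
    ///
    /// NOTE: enumerator order is part of the interface (values are implicit and
    /// callers may persist or switch on them) — append new entries at the end.
    ///
    enum mnemonic_t
    {
        INVALID,
        LRFLAGS,
        PUSHVSP,
        MULQ,
        DIVQ,
        CALL,
        JMP,
        VMEXIT,
        SREGQ,
        SREGDW,
        SREGW,
        LREGQ,
        LREGDW,
        LCONSTQ,
        LCONSTBZXW,
        LCONSTBSXQ,
        LCONSTBSXDW,
        LCONSTDWSXQ,
        LCONSTWSXQ,
        LCONSTWSXDW,
        LCONSTDW,
        LCONSTW,
        READQ,
        READDW,
        READW,
        WRITEQ,
        WRITEDW,
        WRITEW,
        WRITEB,
        ADDQ,
        ADDDW,
        ADDW,
        SHLQ,
        SHLDW,
        SHRQ,
        SHRW,
        NANDQ,
        NANDDW,
        NANDW
    };

    ///
    /// zydis callback lambda used to pattern match native instructions...
    /// returns true when the decoded instruction matches the expected pattern.
    ///
    using zydis_callback_t = std::function< bool( const zydis_decoded_instr_t &instr ) >;

    ///
    /// how sign extension is handled... (identifier spelling kept for
    /// compatibility with existing callers)
    ///
    enum extention_t
    {
        none,
        sign_extend,
        zero_extend
    };

    ///
    /// pre defined vm handler profile containing all compile-time known
    /// information about a vm handler...
    ///
    struct profile_t
    {
        ///
        /// name of the vm handler, such as JMP or LCONST...
        /// (non-owning pointer; presumably a string literal — verify at the
        /// definition site before storing this beyond the profile's lifetime)
        ///
        const char *name;

        ///
        /// the mnemonic of the vm handler... so you don't need to compare strings...
        ///
        mnemonic_t mnemonic;

        ///
        /// size, in bits, of the operand (imm)... if there is none then this will be zero...
        ///
        u8 imm_size;

        ///
        /// a vector of signatures used to compare native instructions against
        /// zydis aided signatures... one callback per native instruction of the
        /// handler, in order.
        ///
        std::vector< zydis_callback_t > signature;

        ///
        /// how sign extension of operands is handled...
        ///
        extention_t extention;
    };

    ///
    /// contains all profiles defined, as well as a vector of all of the defined profiles...
    /// the listings in the comments below are the native instruction sequences
    /// each profile's signature is written to match.
    ///
    namespace profile
    {
        extern vm::handler::profile_t sregq;
        extern vm::handler::profile_t sregdw;
        extern vm::handler::profile_t sregw;
        extern vm::handler::profile_t lregq;
        extern vm::handler::profile_t lregdw;

        ///
        /// mov rax, [rsi]
        /// xor rax, rbx        ; transformation
        /// bswap rax           ; transformation
        /// lea rsi, [rsi+8]    ; advance VIP...
        /// rol rax, 0Ch        ; transformation
        /// inc rax             ; transformation
        /// xor rbx, rax        ; transformation (update rolling decrypt key)
        /// sub rbp, 8
        /// mov [rbp+0], rax
        ///
        extern vm::handler::profile_t lconstq;

        ///
        /// mov eax, [rsi-0x04]
        /// bswap eax
        /// add eax, ebx
        /// dec eax
        /// neg eax
        /// xor eax, 0x2FFD187C
        /// push rbx
        /// add [rsp], eax
        /// pop rbx
        /// sub rbp, 0x04
        /// mov [rbp], eax
        /// add rsi, 0xFFFFFFFFFFFFFFFC
        ///
        extern vm::handler::profile_t lconstdw;
        extern vm::handler::profile_t lconstw;
        extern vm::handler::profile_t lconstbzxw;
        extern vm::handler::profile_t lconstbsxdw;
        extern vm::handler::profile_t lconstbsxq;
        extern vm::handler::profile_t lconstdwsxq;
        extern vm::handler::profile_t lconstwsxq;
        extern vm::handler::profile_t lconstwsxdw;

        ///
        /// mov rax, [rbp+0]
        /// add [rbp+8], rax
        /// pushfq
        /// pop qword ptr [rbp+0]
        ///
        extern vm::handler::profile_t addq;

        ///
        /// mov ax, [rbp]
        /// sub rbp, 0x06
        /// add [rbp+0x08], ax
        /// pushfq
        /// pop [rbp]
        ///
        extern vm::handler::profile_t adddw;
        extern vm::handler::profile_t addw;
        extern vm::handler::profile_t shlq;
        extern vm::handler::profile_t shldw;
        extern vm::handler::profile_t nandq;
        extern vm::handler::profile_t nanddw;
        extern vm::handler::profile_t nandw;
        extern vm::handler::profile_t writeq;
        extern vm::handler::profile_t writedw;
        extern vm::handler::profile_t writeb;
        extern vm::handler::profile_t readq;
        extern vm::handler::profile_t readdw;
        extern vm::handler::profile_t shrq;
        extern vm::handler::profile_t shrw;
        extern vm::handler::profile_t lrflags;

        ///
        /// mov rdx, [rbp]
        /// add rbp, 0x08
        /// call rdx
        ///
        extern vm::handler::profile_t call;
        extern vm::handler::profile_t pushvsp;
        extern vm::handler::profile_t mulq;

        ///
        /// mov rdx, [rbp]
        /// mov rax, [rbp+0x08]
        /// div [rbp+0x10]
        /// mov [rbp+0x08], rdx
        /// mov [rbp+0x10], rax
        /// pushfq
        /// pop [rbp]
        ///
        extern vm::handler::profile_t divq;

        ///
        /// mov esi, [rbp]
        /// add rbp, 0x08
        /// lea r12, [0x0000000000048F29]
        /// mov rax, 0x00       ; image base bytes above 32bits...
        /// add rsi, rax
        /// mov rbx, rsi        ; update decrypt key
        /// add rsi, [rbp]      ; add module base address
        ///
        extern vm::handler::profile_t jmp;
        extern vm::handler::profile_t vmexit;

        ///
        /// a vector of pointers to all defined vm handler profiles...
        /// the order here is not the mnemonic_t order. this is a mutable
        /// namespace-scope object shared by every translation unit that
        /// includes this header; treat it as read-only after static init.
        ///
        inline std::vector< vm::handler::profile_t * > all = {
            &sregq,       &sregdw,     &sregw,      &lregq,     &lregdw,  &lconstq,
            &lconstbzxw,  &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw,
            &lconstdw,    &lconstw,    &addq,       &adddw,     &addw,    &shlq,
            &shldw,       &writeq,     &writedw,    &writeb,    &nandq,   &nanddw,
            &nandw,       &shrq,       &shrw,       &readq,     &readdw,  &mulq,
            &pushvsp,     &divq,       &jmp,        &lrflags,   &vmexit,  &call };
    } // namespace profile
} // namespace vm::handler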