You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1.6 KiB
1.6 KiB
Introduction
This will disclose how to create a VTIL lifter for VMProfiler v1.8. The instructions may change in later versions of VMProfiler.
Example - Existing VTIL Lifter For LCONSTQ
Understand that LCONSTQ loads an eight byte value onto the stack. Thus the usage of vtil::operand
to create a 64 bit value.
Step 1, Declare Lifter
vm::lifters::lifter_t lconstq = {
// push imm<N>
vm::handler::LCONSTQ,
[]( vtil::basic_block *blk, vm::instrs::virt_instr_t *vinstr, vmp2::v3::code_block_t *code_blk ) {
blk->push( vtil::operand( vinstr->operand.imm.u, 64 ) );
} };
Step 2, Declare Extern In vmlifters.hpp
You can see this exact line of code here.
extern vm::lifters::lifter_t lconstq;
Step 3, Add Lifter To vm::lifters::all
inline std::vector< vm::lifters::lifter_t * > all = {
// lreg lifters...
&lregq, &lregdw,
// add lifters...
&addq, &adddw, &addw,
// sreg lifters...
&sregq, &sregdw, &sregw,
// lconst lifters...
&lconstq, &lconstdw, &lconstw, &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw,
// nand lifters...
&nandq, &nanddw, &nandw,
// read lifters....
&readq, &readdw, &readw,
// shr lifters...
&shrq, &shrw,
// pushvsp lifter...
&pushvsp,
// jmp lifter...
&jmp,
// lflags lifter...
&lrflags,
// lvsp lifter...
&lvsp,
// vmexit lifter...
&vmexit };