Latest commit: a818b3e9bc by _xeroxz, 4 years ago

| Path | Last change |
|---|---|
| dependencies | 4 years ago |
| include | 4 years ago |
| src | 4 years ago |
| .clang-format | 4 years ago |
| .gitignore | 4 years ago |
| .gitmodules | 4 years ago |
| LICENSE | 4 years ago |
| README.md | 4 years ago |
| vmprofiler.sln | 4 years ago |
| vmprofiler.vcxproj | 4 years ago |
| vmprofiler.vcxproj.filters | 4 years ago |
# VMProfiler - Library To Profile VMProtect 2 Virtual Machines

vmprofiler is a C++ library for statically analyzing VMProtect 2 polymorphic virtual machines. It is used by vmprofiler-qt, vmprofiler-cli, and vmemu, and is the base project for all other VMProtect 2 projects in this group on githacks.
## Credit
- VTIL - Virtual-machine Translation Intermediate Language
- Zydis - Fast and lightweight x86/x86-64 disassembler library
- irql0 - helped with the first version of vm handler pattern matching
## Basic Usage - Creating a vm::ctx_t Object

The `vm::ctx_t` class is a small container-like class that holds all of the information for a given vm entry. It contains the following:

- all vm handlers for the vm entry
- the linear virtual address of the module base in memory (where the binary is currently mapped)
- the image base address (the preferred base from the PE optional header)
- the image size in virtual memory
- the direction in which VIP advances (`exec_type`)
- the vm entry relative virtual address
- the vm entry, deobfuscated and flattened
- calc jmp, deobfuscated and flattened

All of the above is generated by calling the `vm::ctx_t::init` member function. Below is a C++ example of how to create a `vm::ctx_t` object.
```cpp
// Map the target binary into this process without running its entry point or
// resolving imports; the returned address is the module base vm::ctx_t expects.
const auto module_base = reinterpret_cast< std::uintptr_t >(
    LoadLibraryExA( parser.get< std::string >( "bin" ).c_str(),
                    NULL, DONT_RESOLVE_DLL_REFERENCES ) );
if ( !module_base )
{
    std::printf( "[!] failed to map the binary... check the \"bin\" argument!\n" );
    return -1;
}

// vm entry RVA as given on the command line (a hex string, e.g. "1000" or "0x1000").
const auto vm_entry_rva = std::strtoull( parser.get< std::string >( "vmentry" ).c_str(), nullptr, 16 );

// Preferred image base, read from the PE optional header of the file on disk
// (umtils is the CLI project's user-mode utility object).
const auto image_base = umtils->image_base( parser.get< std::string >( "bin" ).c_str() );

// Virtual size of the mapped image, read from the NT headers of the loaded module.
const auto image_size = NT_HEADER( module_base )->OptionalHeader.SizeOfImage;

vm::ctx_t vmctx( module_base, image_base, image_size, vm_entry_rva );
if ( !vmctx.init() )
{
    std::printf( "[!] failed to init vm::ctx_t... make sure all cli arguments are correct!\n" );
    return -1;
}
```

Figure 1. Taken from VMProfiler CLI Project
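The CLI snippet above leans on Windows helpers (`LoadLibraryExA`, `NT_HEADER`, the `umtils` object) to obtain the image base and image size that `vm::ctx_t` is constructed with. The following is an added example, not code from vmprofiler or the CLI project, that shows where those values come from: it reads `ImageBase` and `SizeOfImage` out of a PE32+ header with a portable, bounds-checked parser, and rebases an RVA (such as the vm entry RVA) onto either the preferred base or the address the module was actually mapped at, rejecting RVAs outside the image. The sample buffer is constructed inline and only carries the header fields the parser reads; the code assumes a little-endian host and a PE32+ (64-bit) image.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

// The fields vm::ctx_t needs from the PE optional header: the preferred load
// address and the size of the image once mapped.
struct pe_info_t
{
    bool ok = false;
    std::uint64_t image_base = 0;    // OptionalHeader.ImageBase
    std::uint32_t size_of_image = 0; // OptionalHeader.SizeOfImage
};

// Bounds-checked read of a little-endian field (assumes a little-endian host).
template < typename T >
static bool read_le( const std::vector< std::uint8_t >& b, std::size_t off, T& out )
{
    if ( off > b.size() || b.size() - off < sizeof( T ) )
        return false;
    std::memcpy( &out, b.data() + off, sizeof( T ) );
    return true;
}

// Parse the DOS, NT and optional headers of a PE32+ file buffer.
pe_info_t parse_pe64_headers( const std::vector< std::uint8_t >& file )
{
    pe_info_t info;
    std::uint16_t mz = 0;
    if ( !read_le( file, 0, mz ) || mz != 0x5A4D ) // "MZ"
        return info;

    std::uint32_t e_lfanew = 0;
    if ( !read_le( file, 0x3C, e_lfanew ) )
        return info;

    std::uint32_t sig = 0;
    if ( !read_le( file, e_lfanew, sig ) || sig != 0x00004550 ) // "PE\0\0"
        return info;

    // IMAGE_OPTIONAL_HEADER64 follows the 4-byte signature and the 20-byte file header.
    const std::size_t opt = static_cast< std::size_t >( e_lfanew ) + 4 + 20;
    std::uint16_t magic = 0;
    if ( !read_le( file, opt, magic ) || magic != 0x20B ) // PE32+ only
        return info;

    if ( !read_le( file, opt + 24, info.image_base ) )    // ImageBase
        return info;
    if ( !read_le( file, opt + 56, info.size_of_image ) ) // SizeOfImage
        return info;

    info.ok = true;
    return info;
}

// Rebase an RVA (e.g. the vm entry RVA from the command line) onto a base
// address. Anything outside [0, SizeOfImage) is rejected so a mistyped RVA
// cannot turn into a wild pointer; 0 signals rejection.
std::uint64_t rva_to_va( std::uint64_t base, std::uint32_t size_of_image, std::uint64_t rva )
{
    if ( rva >= size_of_image )
        return 0;
    return base + rva;
}

// Constructed sample: a 0x200-byte buffer with only the header fields the parser reads.
std::vector< std::uint8_t > make_sample_pe64()
{
    std::vector< std::uint8_t > b( 0x200, 0 );
    auto put = [ & ]( std::size_t off, auto value ) { std::memcpy( b.data() + off, &value, sizeof( value ) ); };
    put( 0x00, std::uint16_t{ 0x5A4D } );         // e_magic "MZ"
    put( 0x3C, std::uint32_t{ 0x80 } );           // e_lfanew
    put( 0x80, std::uint32_t{ 0x00004550 } );     // NT signature
    put( 0x84, std::uint16_t{ 0x8664 } );         // FileHeader.Machine = AMD64
    put( 0x98, std::uint16_t{ 0x20B } );          // OptionalHeader.Magic = PE32+
    put( 0xB0, std::uint64_t{ 0x140000000ULL } ); // OptionalHeader.ImageBase
    put( 0xD0, std::uint32_t{ 0x3000 } );         // OptionalHeader.SizeOfImage
    return b;
}

pe_info_t sample_info() { return parse_pe64_headers( make_sample_pe64() ); }

int main()
{
    const auto info = sample_info();
    if ( !info.ok )
    {
        std::printf( "[!] not a PE32+ image\n" );
        return -1;
    }
    // Pretend the loader mapped the file somewhere other than its preferred base.
    const std::uint64_t module_base = 0x7FF700000000ULL;
    const std::uint64_t vm_entry_rva = 0x1000;
    std::printf( "image_base=0x%llx size_of_image=0x%x\n",
                 static_cast< unsigned long long >( info.image_base ), info.size_of_image );
    std::printf( "vm entry: 0x%llx in the mapped module, 0x%llx at the preferred base\n",
                 static_cast< unsigned long long >( rva_to_va( module_base, info.size_of_image, vm_entry_rva ) ),
                 static_cast< unsigned long long >( rva_to_va( info.image_base, info.size_of_image, vm_entry_rva ) ) );
    return 0;
}
```

The distinction the example draws is the one `vm::ctx_t` needs: handlers are read from `module_base` (where the code actually is), while addresses encoded inside the protected binary refer to `image_base` (where the linker expected it to be), and the RVA check is what turns a bad `vmentry` argument into an error instead of a crash.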