From c7a5d0b61c1f983fc04c845569b165ef4b00db96 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 14:39:13 -0700 Subject: [PATCH 01/11] added vm::calc_jmp::get_advancement --- include/vmp2.hpp | 2 +- include/vmprofiler.hpp | 4 +++ src/calc_jmp.cpp | 66 ++++++++++++++++++++++++++++++++++ src/vmprofiler.vcxproj | 1 + src/vmprofiler.vcxproj.filters | 3 ++ 5 files changed, 75 insertions(+), 1 deletion(-) diff --git a/include/vmp2.hpp b/include/vmp2.hpp index a6469ca..6520d94 100644 --- a/include/vmp2.hpp +++ b/include/vmp2.hpp @@ -1,5 +1,5 @@ #pragma once -#include +#include namespace vmp2 { diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index d0ac42b..63cf5d4 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -1,11 +1,15 @@ #pragma once +#include #include +#include namespace vm { namespace calc_jmp { bool get( const zydis_routine_t &vm_entry, zydis_routine_t &calc_jmp ); + + std::optional< vmp2::exec_type_t > get_advancement( const zydis_routine_t &calc_jmp ); } namespace instrs diff --git a/src/calc_jmp.cpp b/src/calc_jmp.cpp index 4cc8eff..0902287 100644 --- a/src/calc_jmp.cpp +++ b/src/calc_jmp.cpp 
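Review bot: The new `get_advancement` declaration in include/vmprofiler.hpp carries no comment, and the header is where callers will look for its contract; nothing states what the returned enum value means or when the optional is empty. Based on the definition in src/calc_jmp.cpp, a comment such as `// Classifies how calc_jmp moves RSI (forward/backward); std::nullopt when no RSI-writing LEA/ADD/SUB/INC/DEC is found or its operand shape is not recognised.` would document exactly what that code does. The `#include` lines in this hunk lost their header names in extraction, so their ordering cannot be checked here.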
@@ -27,5 +27,71 @@ namespace vm
 calc_jmp.insert( calc_jmp.end(), result, vm_entry.end() );
 return true;
 }
+
+ std::optional< vmp2::exec_type_t > get_advancement( const zydis_routine_t &calc_jmp )
+ {
+ auto result =
+ std::find_if( calc_jmp.begin(), calc_jmp.end(), []( const zydis_instr_t &instr_data ) -> bool {
+ // look for any instruction with RSI being the first operand...
+ return instr_data.instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr_data.instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RSI;
+ } );
+
+ if ( result == calc_jmp.end() )
+ return {};
+
+ const auto instr = &result->instr;
+
+ switch ( instr->mnemonic )
+ {
+ case ZYDIS_MNEMONIC_LEA:
+ {
+ if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY )
+ {
+ if ( instr->operands[ 1 ].mem.disp.value > 0 )
+ return vmp2::exec_type_t::forward;
+ else
+ return vmp2::exec_type_t::backward;
+ }
+ // else we dont know what we are looking at...
+ return {};
+ }
+ case ZYDIS_MNEMONIC_ADD:
+ {
+ // ADD RSI, IMM...
+ if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE )
+ {
+ // see if IMM is negitive...
+ if ( instr->operands[ 1 ].imm.value.s > 0 )
+ return vmp2::exec_type_t::forward;
+ else // adding a negitive number is sub...
+ return vmp2::exec_type_t::backward;
+ }
+ // else we dont know what we are looking at...
+ return {};
+ }
+ case ZYDIS_MNEMONIC_SUB:
+ {
+ // SUB RSI, IMM...
+ if ( instr->operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE )
+ {
+ // see if IMM is negitive...
+ if ( instr->operands[ 1 ].imm.value.s > 0 )
+ return vmp2::exec_type_t::backward;
+ else // subtracting a negitive number means you are adding...
+ return vmp2::exec_type_t::forward;
+ }
+ // else we dont know what we are looking at...
+ return {};
+ }
+ case ZYDIS_MNEMONIC_INC:
+ return vmp2::exec_type_t::forward;
+ case ZYDIS_MNEMONIC_DEC:
+ return vmp2::exec_type_t::backward;
+ default:
+ break;
+ }
+ return {};
+ }
 } // namespace calc_jmp
 } // namespace vm
\ No newline at end of file
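Review bot: In the `ZYDIS_MNEMONIC_LEA` case a zero displacement is reported as `backward`, because only `mem.disp.value > 0` is tested; an `lea rsi, [rsi+rax]` (no displacement, register-driven step) would be classified as a backward walk instead of unknown, and the `ADD`/`SUB` branches do the same for an immediate of 0. Treat zero as unclassifiable, e.g. `if ( instr->operands[ 1 ].mem.disp.value == 0 ) return {};` ahead of the sign test, and likewise `if ( instr->operands[ 1 ].imm.value.s == 0 ) return {};` in the two immediate branches. The LEA branch also never checks that `operands[ 1 ].mem.base` is `ZYDIS_REGISTER_RSI`, so an LEA that rewrites RSI from another register with a positive displacement (`lea rsi, [rax+0x10]`) reads as `forward`. Finally, `find_if` stops at the first instruction whose destination is RSI, and a plain `MOV RSI, …` falls through to `default` and returns empty without the arithmetic instruction ever being examined; whether real calc_jmp sequences can start that way is worth confirming before relying on this.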
diff --git a/src/vmprofiler.vcxproj b/src/vmprofiler.vcxproj index 5e9f2de..7e0dd2c 100644 --- a/src/vmprofiler.vcxproj +++ b/src/vmprofiler.vcxproj @@ -164,6 +164,7 @@ + diff --git a/src/vmprofiler.vcxproj.filters b/src/vmprofiler.vcxproj.filters index 4de8ca3..c3db126 100644 --- a/src/vmprofiler.vcxproj.filters +++ b/src/vmprofiler.vcxproj.filters @@ -226,6 +226,9 @@ Header Files + + Header Files + From 9b255f14128aa70b48ef21ba04685cda057dc0cb Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 15:11:08 -0700 Subject: [PATCH 02/11] fixed vm::transform::inverse_transforms --- include/transform.hpp | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/include/transform.hpp b/include/transform.hpp index e06f440..d24facb 100644 --- a/include/transform.hpp +++ b/include/transform.hpp @@ -176,12 +176,13 @@ namespace vm transform::inverse[ transforms[ transform::type::update_key ].mnemonic ]; } - inline auto inverse_transform( std::vector< zydis_decoded_instr_t > &instrs ) -> bool + inline auto inverse_transforms( std::vector< zydis_decoded_instr_t > &instrs ) -> bool { - for ( auto idx = 0u; idx < instrs.size() - 1; ++idx ) + for ( auto idx = 0u; idx < instrs.size(); idx++ ) if ( !( instrs[ idx ].mnemonic = inverse[ instrs[ idx ].mnemonic ] ) ) return false; + std::reverse( instrs.begin(), instrs.end() ); return true; } From ac9a2b445f5429725bedb812eaf66c4f830ea10e Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 15:32:27 -0700 Subject: [PATCH 03/11] added readdw virtual instruction profile --- include/vmprofiler.hpp | 19 +++++++++++-------- src/vmprofiles/read.cpp | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 43 insertions(+), 8 deletions(-) diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 63cf5d4..6bcbfa9 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -1,7 +1,7 @@ #pragma once -#include -#include #include +#include +#include namespace vm { 
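Review bot: `inverse_transforms` overwrites `instrs[ idx ].mnemonic` inside the loop condition before the lookup result is checked, so when it returns `false` the caller is left with a vector whose first `idx` entries have already been inverted while the rest are untouched; any fallback that reuses `instrs` after a failed call sees a half-inverted sequence. Look the value up first and only assign once it is validated — `const auto inv = inverse[ instrs[ idx ].mnemonic ]; if ( !inv ) return false; instrs[ idx ].mnemonic = inv;` — or run a validation pass over every mnemonic before mutating anything, so failure leaves the input unchanged. If `inverse` is a `std::map`, `operator[]` additionally default-inserts an entry for every mnemonic it does not know, growing the table on each failed lookup; `find` avoids that. The added `std::reverse` needs `<algorithm>`, whose include lies outside this hunk — verify it is included directly rather than reached transitively.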
@@ -10,7 +10,7 @@ namespace vm bool get( const zydis_routine_t &vm_entry, zydis_routine_t &calc_jmp ); std::optional< vmp2::exec_type_t > get_advancement( const zydis_routine_t &calc_jmp ); - } + } // namespace calc_jmp namespace instrs { @@ -144,20 +144,23 @@ namespace vm extern vm::handler::profile_t writeq; extern vm::handler::profile_t writedw; + extern vm::handler::profile_t readq; + extern vm::handler::profile_t readdw; + extern vm::handler::profile_t shrq; extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t mulq; extern vm::handler::profile_t divq; extern vm::handler::profile_t jmp; - extern vm::handler::profile_t readq; + extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, - &lconstbsxdw, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, - &shldw, &writeq, &writedw, &nandq, &nanddw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, + &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, &shldw, &writeq, + &writedw, &nandq, &nanddw, - &shrq, &readq, &mulq, &pushvsp, &divq, &jmp, &vmexit }; + &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiles/read.cpp b/src/vmprofiles/read.cpp index 6a2ee42..31fc822 100644 --- a/src/vmprofiles/read.cpp +++ b/src/vmprofiles/read.cpp 
@@ -29,6 +29,38 @@ namespace vm
 instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
 instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX;
 } } } };
+
+ vm::handler::profile_t readdw = {
+ // ADD RBP, 0x4
+ // MOV EAX, [RAX]
+ // MOV [RBP], EAX
+ "READDW",
+ READDW,
+ NULL,
+ { { // ADD RBP, 0x4
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x4;
+ },
+ // MOV EAX, [RAX]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_EAX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RAX;
+ },
+ // MOV [RBP], EAX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX;
+ } } } };
 }
 } // namespace handler
 } // namespace vm
\ No newline at end of file
From 145251c09ae63ff6bcbc6a56ee98197a85a13f69 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 15:44:00 -0700 Subject: [PATCH 04/11] added LCONSTBSXQ
--- include/vmprofiler.hpp | 10 ++++++---- src/vmprofiles/lconst.cpp | 27 +++++++++++++++++++++++++++ 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index 6bcbfa9..6d7d178 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -47,6 +47,7 @@ namespace vm LCONSTQ, LCONSTBZXW, + LCONSTBSXQ, LCONSTBSXDW, LCONSTDWSXQ, LCONSTWSXQ, 
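Review bot: The memory-operand predicates in `readdw` check only `mem.base` (`MOV EAX, [RAX]` on operand 1, `MOV [RBP], EAX` on operand 0), so any displacement or index register is accepted: `mov eax, [rax+0x8]` or `mov [rbp+0x8], eax` satisfy the same lambda. The addw profile in src/vmprofiles/add.cpp distinguishes `[RBP+8]` by asserting `mem.disp.value == 0x8`, so a `[RBP]` matcher that does not assert a zero displacement cannot tell the two shapes apart if a handler variant ever contains both. Adding `&& instr.operands[ 1 ].mem.disp.value == 0 && instr.operands[ 1 ].mem.index == ZYDIS_REGISTER_NONE` to the bare-base checks pins the operand shape the comment promises. The same looseness appears in the call.cpp, add.cpp, shr.cpp, write.cpp and lconst.cpp hunks of this series.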
@@ -128,6 +129,7 @@ namespace vm extern vm::handler::profile_t lconstq; extern vm::handler::profile_t lconstbzxw; extern vm::handler::profile_t lconstbsxdw; + extern vm::handler::profile_t lconstbsxq; extern vm::handler::profile_t lconstdwsxq; extern vm::handler::profile_t lconstwsxq; extern vm::handler::profile_t lconstdw; @@ -156,11 +158,11 @@ namespace vm extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, - &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, &shldw, &writeq, - &writedw, &nandq, &nanddw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, + &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, &shldw, + &writeq, &writedw, &nandq, &nanddw, - &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit }; + &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiles/lconst.cpp b/src/vmprofiles/lconst.cpp index 863bb5a..cbf950d 100644 --- a/src/vmprofiles/lconst.cpp +++ b/src/vmprofiles/lconst.cpp 
@@ -81,6 +81,33 @@ namespace vm } } }, vm::handler::extention_t::sign_extend }; + vm::handler::profile_t lconstbsxq = { + // CDQE + // SUB RBP, 0x8 + // MOV [RBP], RAX + "LCONSTBSXQ", + LCONSTBSXQ, + 8, + { { // CDQE + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_CDQE; }, + // SUB RBP, 0x8 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x8; + }, + // MOV [RBP], RAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; + } } }, + vm::handler::extention_t::sign_extend }; + vm::handler::profile_t lconstdwsxq = { // CDQE // SUB RBP, 8 From 2a934fd61f39cc7d4fc76cba6935d08007c56cec Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 15:53:16 -0700 Subject: [PATCH 05/11] added CALL virtual instruction --- include/vmprofiler.hpp | 11 +++++++---- src/vmprofiles/call.cpp | 40 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 47 insertions(+), 4 deletions(-) create mode 100644 src/vmprofiles/call.cpp diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 6d7d178..45e227c 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -35,6 +35,7 @@ namespace vm SHRQ, MULQ, DIVQ, + CALL, JMP, VMEXIT, @@ -149,6 +150,7 @@ namespace vm extern vm::handler::profile_t readq; extern vm::handler::profile_t readdw; + extern vm::handler::profile_t call; extern vm::handler::profile_t shrq; extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t mulq; 
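Review bot: The `lconstbsxq` signature — `CDQE`, `SUB RBP, 0x8`, `MOV [RBP], RAX` — appears to be identical to that of `lconstdwsxq` directly below it, whose header comments in the context read `// CDQE // SUB RBP, 8` (its body runs past the hunk, so the third instruction is inferred). If the profile matcher selects by signature alone, whichever of the two comes first in `profile::all` (`&lconstbsxq` precedes `&lconstdwsxq` after this commit) claims every such handler and the other becomes unreachable; only if the matcher also compares the immediate-size field (`8` here) can they be told apart. Either document that the immediate size participates in matching, or make the signatures differ, e.g. by including the fetch instruction that precedes `CDQE` if the handlers have one.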
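Review bot: Inserting `CALL` between `DIVQ` and `JMP` in the mnemonic enum renumbers `JMP`, `VMEXIT` and every enumerator after them, and the SHRW commit later in this series moves `SHRQ` to the bottom of the enum and shifts the rest again. If these values are ever written to a trace file or compared against another tool's copy of the enum, such reorders silently break compatibility; if they are purely in-memory, a comment above the enum such as `// enumerator values are not stable across versions; do not persist or exchange them` records that assumption. The enum's opening line lies outside the hunk, so I cannot see whether it already carries explicit values.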
@@ -158,11 +160,12 @@ namespace vm extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, - &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &shlq, &shldw, - &writeq, &writedw, &nandq, &nanddw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, + &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, + &shlq, &shldw, &writeq, &writedw, &nandq, &nanddw, - &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit }; + &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, + &vmexit, &call }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiles/call.cpp b/src/vmprofiles/call.cpp new file mode 100644 index 0000000..bb3af63 --- /dev/null +++ b/src/vmprofiles/call.cpp 
@@ -0,0 +1,40 @@
+#include "../../include/vmprofiler.hpp"
+
+namespace vm
+{
+ namespace handler
+ {
+ namespace profile
+ {
+ vm::handler::profile_t call = {
+ // MOV RDX, [RBP]
+ // ADD RBP, 0x8
+ // CALL RDX
+ "CALL",
+ CALL,
+ NULL,
+ { { // MOV RDX, [RBP]
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_MOV &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY &&
+ instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP;
+ },
+ // ADD RBP, 0x8
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_ADD &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP &&
+ instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE &&
+ instr.operands[ 1 ].imm.value.u == 0x8;
+ },
+ // CALL RDX
+ []( const zydis_decoded_instr_t &instr ) -> bool {
+ return instr.mnemonic == ZYDIS_MNEMONIC_CALL &&
+ instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER &&
+ instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RDX;
+ } } } };
+ }
+ } // namespace handler
+} // namespace vm
\ No newline at end of file
From bc9f0e944bd75aab7f1adc12d79cac0818797a92 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 16:00:11 -0700 Subject: [PATCH 06/11] added ADDW virtual instruction
--- include/vmprofiler.hpp | 13 ++++++++----- src/vmprofiler.vcxproj | 1 + src/vmprofiler.vcxproj.filters | 3 +++ src/vmprofiles/add.cpp | 27 +++++++++++++++++++++++++++ 4 files changed, 39 insertions(+), 5 deletions(-)
diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp
index 45e227c..532d42e 100644
--- a/include/vmprofiler.hpp
+++ b/include/vmprofiler.hpp
@@ -64,6 +64,7 @@ namespace vm ADDQ, ADDDW, + ADDW, SHLQ, SHLDW, 
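Review bot: `NULL` is passed as the third initializer of `call` (and of `readdw`, `addw`, `shrw` and `writeb` elsewhere in this series) where the lconst profiles pass plain integers `8`/`16`/`32`, so the field is an integer immediate size, not a pointer; on GCC/Clang `NULL` is `__null` and its conversion to an integer draws a warning, while MSVC silently treats it as `0`. Write `0` there so the intent is the same on every toolchain. The new file also ends without a trailing newline (the diff says so explicitly); adding one keeps later diffs of the last line clean.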
@@ -137,6 +138,7 @@ namespace vm extern vm::handler::profile_t addq; extern vm::handler::profile_t adddw; + extern vm::handler::profile_t addw; extern vm::handler::profile_t shlq; extern vm::handler::profile_t shldw; @@ -160,12 +162,13 @@ namespace vm extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, - &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, - &shlq, &shldw, &writeq, &writedw, &nandq, &nanddw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, + &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &addw, - &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, - &vmexit, &call }; + &shlq, &shldw, &writeq, &writedw, &nandq, &nanddw, + + &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit, + &call }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiler.vcxproj b/src/vmprofiler.vcxproj index 7e0dd2c..b45f86b 100644 --- a/src/vmprofiler.vcxproj +++ b/src/vmprofiler.vcxproj @@ -104,6 +104,7 @@ + diff --git a/src/vmprofiler.vcxproj.filters b/src/vmprofiler.vcxproj.filters index c3db126..ad7842b 100644 --- a/src/vmprofiler.vcxproj.filters +++ b/src/vmprofiler.vcxproj.filters @@ -86,6 +86,9 @@ Source Files + + Source Files\vmprofiles + diff --git a/src/vmprofiles/add.cpp b/src/vmprofiles/add.cpp index 8982d8e..4d92c58 100644 --- a/src/vmprofiles/add.cpp +++ b/src/vmprofiles/add.cpp 
@@ -59,6 +59,33 @@ namespace vm instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; } } } }; + + vm::handler::profile_t addw = { + // ADD [RBP+8], AX + // PUSHFQ + // POP [RBP] + "ADDW", + ADDW, + NULL, + { { // ADD [RBP+8], AX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_ADD && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX; + }, + // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; + }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file From 442edfd1c4c4de1e54a5deb62148ff3595198cea Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 16:09:11 -0700 Subject: [PATCH 07/11] added SHRW virtual instruction --- include/vmprofiler.hpp | 18 +++++++----- src/vmprofiles/shr.cpp | 64 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 75 insertions(+), 7 deletions(-) diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 532d42e..f4f3640 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -32,7 +32,6 @@ namespace vm { INVALID, PUSHVSP, - SHRQ, MULQ, DIVQ, CALL, @@ -69,6 +68,9 @@ namespace vm SHLQ, SHLDW, + SHRQ, + SHRW, + NANDQ, NANDDW }; 
@@ -152,8 +154,10 @@ namespace vm extern vm::handler::profile_t readq; extern vm::handler::profile_t readdw; - extern vm::handler::profile_t call; extern vm::handler::profile_t shrq; + extern vm::handler::profile_t shrw; + + extern vm::handler::profile_t call; extern vm::handler::profile_t pushvsp; extern vm::handler::profile_t mulq; extern vm::handler::profile_t divq; @@ -162,13 +166,13 @@ namespace vm extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, - &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &addw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, + &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &addw, - &shlq, &shldw, &writeq, &writedw, &nandq, &nanddw, + &shlq, &shldw, &writeq, &writedw, &nandq, &nanddw, - &shrq, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit, - &call }; + &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, + &vmexit, &call }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiles/shr.cpp b/src/vmprofiles/shr.cpp index e9ec812..610e2f7 100644 --- a/src/vmprofiles/shr.cpp +++ b/src/vmprofiles/shr.cpp 
@@ -69,6 +69,70 @@ namespace vm instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; } } } }; + + vm::handler::profile_t shrw = { + // MOV AX, [RBP] + // MOV CL, [RBP+0x2] + // SUB RBP, 0x6 + // SHR AX, CL + // MOV [RBP+0x8], AX + // PUSHFQ + // POP [RBP] + "SHRW", + SHRW, + NULL, + { { // MOV AX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV CL, [RBP+0x2] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_CL && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].mem.disp.value == 0x2; + }, + // SUB RBP, 0x6 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x6; + }, + // SHR AX, CL + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SHR && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_AX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_CL; + }, + // MOV [RBP+0x8], AX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + 
instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 0 ].mem.disp.value == 0x8 && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX; + }, + // PUSHFQ + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_PUSHFQ; + }, + // POP [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_POP && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP; + } } } }; } } // namespace handler } // namespace vm \ No newline at end of file From afaa27eb228f7e4e6e3882d3bf3c760046e69ebb Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 16:13:27 -0700 Subject: [PATCH 08/11] added WRITEB virtual instruction --- include/vmprofiler.hpp | 2 ++ src/vmprofiles/write.cpp | 42 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 44 insertions(+) diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index f4f3640..ec41e0f 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -60,6 +60,7 @@ namespace vm WRITEQ, WRITEDW, WRITEW, + WRITEB, ADDQ, ADDDW, @@ -150,6 +151,7 @@ namespace vm extern vm::handler::profile_t writeq; extern vm::handler::profile_t writedw; + extern vm::handler::profile_t writeb; extern vm::handler::profile_t readq; extern vm::handler::profile_t readdw; diff --git a/src/vmprofiles/write.cpp b/src/vmprofiles/write.cpp index 4c569ed..bf0b7ff 100644 --- a/src/vmprofiles/write.cpp +++ b/src/vmprofiles/write.cpp 
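Review bot: `shrw` spells out the same multi-clause operand test seven times; the register clause (`operands[ i ].type == ZYDIS_OPERAND_TYPE_REGISTER && operands[ i ].reg.value == R`) alone appears in five of the lambdas, and the memory-base clause in four. Two file-local helpers, e.g. `static bool is_reg( const zydis_decoded_instr_t &instr, std::size_t op, ZydisRegister reg )` and a matching `is_mem_base` that also takes the expected displacement, would reduce each lambda to one readable line and make the distinguishing constants (`disp.value == 0x2`, `0x8`, `imm.value.u == 0x6`) stand out from the boilerplate. The `shrw` initializer starts in the previous line of this page and is reviewed here as a whole.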
@@ -89,6 +89,48 @@ namespace vm instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EDX; } } } }; + + vm::handler::profile_t writeb = { + // MOV RAX, [RBP] + // MOV DL, [RBP+0x8] + // ADD RBP, 0xA + // MOV [RAX], DL + "WRITEB", + WRITEB, + NULL, + { { // MOV RAX, [RBP] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP; + }, + // MOV DL, [RBP+0x8] + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_DL && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 1 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].mem.disp.value == 0x8; + }, + // ADD RBP, 0xA + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_ADD && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0xA; + }, + // MOV [RAX], DL + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RAX && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_DL; + } } } }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file From ce4581743985cda7354ec03bb1154209bc0baa02 Mon Sep 17 00:00:00 2001 
From: _xeroxz Date: Tue, 1 Jun 2021 16:13:49 -0700 Subject: [PATCH 09/11] added WRITEB virtual instruction --- include/vmprofiler.hpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index ec41e0f..4337b76 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -171,7 +171,7 @@ namespace vm &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &addw, - &shlq, &shldw, &writeq, &writedw, &nandq, &nanddw, + &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit, &call }; From 6fa384cf69bdc2a1d813bc0c473c62d982187e04 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 16:19:44 -0700 Subject: [PATCH 10/11] added LCONSTBSXDW virtual instruction --- include/vmprofiler.hpp | 14 ++++++++------ src/vmprofiles/lconst.cpp | 27 +++++++++++++++++++++++++++ 2 files changed, 35 insertions(+), 6 deletions(-) diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 4337b76..46ebe24 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -51,6 +51,7 @@ namespace vm LCONSTBSXDW, LCONSTDWSXQ, LCONSTWSXQ, + LCONSTWSXDW, LCONSTDW, READQ, @@ -132,12 +133,14 @@ namespace vm extern vm::handler::profile_t lregdw; extern vm::handler::profile_t lconstq; + extern vm::handler::profile_t lconstdw; + extern vm::handler::profile_t lconstbzxw; extern vm::handler::profile_t lconstbsxdw; extern vm::handler::profile_t lconstbsxq; extern vm::handler::profile_t lconstdwsxq; extern vm::handler::profile_t lconstwsxq; - extern vm::handler::profile_t lconstdw; + extern vm::handler::profile_t lconstwsxdw; extern vm::handler::profile_t addq; extern vm::handler::profile_t adddw; 
@@ -164,16 +167,15 @@ namespace vm extern vm::handler::profile_t mulq; extern vm::handler::profile_t divq; extern vm::handler::profile_t jmp; - extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, - &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstdw, &addq, &adddw, &addw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, + &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &addq, &adddw, &addw, - &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, + &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, - &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, + &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, &vmexit, &call }; } // namespace profile } // namespace handler diff --git a/src/vmprofiles/lconst.cpp b/src/vmprofiles/lconst.cpp index cbf950d..fca5536 100644 --- a/src/vmprofiles/lconst.cpp +++ b/src/vmprofiles/lconst.cpp 
@@ -162,6 +162,33 @@ namespace vm } } }, vm::handler::extention_t::sign_extend }; + vm::handler::profile_t lconstwsxdw = { + // CWDE + // SUB RBP, 4 + // MOV [RBP], EAX + "LCONSTWSXDW", + LCONSTWSXDW, + 16, + { { // CWDE + []( const zydis_decoded_instr_t &instr ) -> bool { return instr.mnemonic == ZYDIS_MNEMONIC_CWDE; }, + // SUB RBP, 4 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x4; + }, + // MOV [RBP], EAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; + } } }, + vm::handler::extention_t::sign_extend }; + vm::handler::profile_t lconstdw = { // SUB RBP, 4 // MOV [RBP], EAX From ac50fe5128f63d0a81132130503dd8a37efd2477 Mon Sep 17 00:00:00 2001 From: _xeroxz Date: Tue, 1 Jun 2021 16:26:11 -0700 Subject: [PATCH 11/11] added LCONSTW virtual instruction --- include/vmprofiler.hpp | 13 +++++--- src/vmprofiles/lconst.cpp | 69 ++++++++++++++++++++++++++------------- 2 files changed, 54 insertions(+), 28 deletions(-) diff --git a/include/vmprofiler.hpp b/include/vmprofiler.hpp index 46ebe24..2e9838d 100644 --- a/include/vmprofiler.hpp +++ b/include/vmprofiler.hpp @@ -53,6 +53,7 @@ namespace vm LCONSTWSXQ, LCONSTWSXDW, LCONSTDW, + LCONSTW, READQ, READDW, @@ -134,6 +135,7 @@ namespace vm extern vm::handler::profile_t lconstq; extern vm::handler::profile_t lconstdw; + extern vm::handler::profile_t lconstw; extern vm::handler::profile_t lconstbzxw; extern vm::handler::profile_t lconstbsxdw; 
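Review bot: The last two instructions of `lconstwsxdw` (`SUB RBP, 0x4`, `MOV [RBP], EAX`) are exactly the full signature of `lconstdw`, and in the next commit `lconstw` (`SUB RBP, 0x2`, `MOV [RBP], AX`) is likewise the tail of `lconstbzxw`, whose context comments read `// MOV AL, [RSI] // SUB RBP, 2`. If the matcher searches for a profile's signature anywhere in a handler rather than at a fixed anchor, the shorter profile matches every handler the longer one matches, and which one wins then depends solely on the order of `profile::all` (the longer profiles happen to be listed first after this series). That constraint is currently implicit; a comment beside `all` such as `// order matters: a profile whose signature is a suffix of another's must come after it (lconstwsxdw before lconstdw, lconstbzxw before lconstw)` would keep a future reorder from silently misclassifying handlers.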
@@ -170,13 +172,14 @@ namespace vm extern vm::handler::profile_t vmexit; inline std::vector< vm::handler::profile_t * > all = { - &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, &lconstbsxdw, - &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &addq, &adddw, &addw, + &sregq, &sregdw, &sregw, &lregq, &lregdw, &lconstq, &lconstbzxw, + &lconstbsxdw, &lconstbsxq, &lconstdwsxq, &lconstwsxq, &lconstwsxdw, &lconstdw, &lconstw, + &addq, &adddw, &addw, - &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, + &shlq, &shldw, &writeq, &writedw, &writeb, &nandq, &nanddw, - &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, &jmp, - &vmexit, &call }; + &shrq, &shrw, &readq, &readdw, &mulq, &pushvsp, &divq, + &jmp, &vmexit, &call }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file diff --git a/src/vmprofiles/lconst.cpp b/src/vmprofiles/lconst.cpp index fca5536..9b7bbca 100644 --- a/src/vmprofiles/lconst.cpp +++ b/src/vmprofiles/lconst.cpp 
@@ -30,6 +30,52 @@ namespace vm instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_RAX; } } } }; + vm::handler::profile_t lconstdw = { + // SUB RBP, 4 + // MOV [RBP], EAX + "LCONSTDW", + LCONSTDW, + 32, + { { // SUB RBP, 4 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x4; + }, + // MOV [RBP], EAX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; + } } } }; + + vm::handler::profile_t lconstw = { + // SUB RBP, 2 + // MOV [RBP], AX + "LCONSTW", + LCONSTW, + 16, + { { // SUB RBP, 2 + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_SUB && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && + instr.operands[ 1 ].imm.value.u == 0x2; + }, + // MOV [RBP], AX + []( const zydis_decoded_instr_t &instr ) -> bool { + return instr.mnemonic == ZYDIS_MNEMONIC_MOV && + instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && + instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && + instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && + instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_AX; + } } } }; + vm::handler::profile_t lconstbzxw = { // MOV AL, [RSI] // SUB RBP, 2 
@@ -188,29 +234,6 @@ namespace vm instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; } } }, vm::handler::extention_t::sign_extend }; - - vm::handler::profile_t lconstdw = { - // SUB RBP, 4 - // MOV [RBP], EAX - "LCONSTDW", - LCONSTDW, - 32, - { { // SUB RBP, 4 - []( const zydis_decoded_instr_t &instr ) -> bool { - return instr.mnemonic == ZYDIS_MNEMONIC_SUB && - instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_REGISTER && - instr.operands[ 0 ].reg.value == ZYDIS_REGISTER_RBP && - instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_IMMEDIATE && - instr.operands[ 1 ].imm.value.u == 0x4; - }, - // MOV [RBP], EAX - []( const zydis_decoded_instr_t &instr ) -> bool { - return instr.mnemonic == ZYDIS_MNEMONIC_MOV && - instr.operands[ 0 ].type == ZYDIS_OPERAND_TYPE_MEMORY && - instr.operands[ 0 ].mem.base == ZYDIS_REGISTER_RBP && - instr.operands[ 1 ].type == ZYDIS_OPERAND_TYPE_REGISTER && - instr.operands[ 1 ].reg.value == ZYDIS_REGISTER_EAX; - } } } }; } // namespace profile } // namespace handler } // namespace vm \ No newline at end of file