vmprofiler/doxygen/html/index.html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "https://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/xhtml;charset=UTF-8"/>
<meta http-equiv="X-UA-Compatible" content="IE=9"/>
<meta name="generator" content="Doxygen 1.9.1"/>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<title>VMProfiler: Main Page</title>
<link href="tabs.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="dynsections.js"></script>
<link href="search/search.css" rel="stylesheet" type="text/css"/>
<script type="text/javascript" src="search/searchdata.js"></script>
<script type="text/javascript" src="search/search.js"></script>
<link href="doxygen.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="top"><!-- do not remove this div, it is closed by doxygen! -->
<div id="titlearea">
<table cellspacing="0" cellpadding="0">
 <tbody>
 <tr style="height: 56px;">
  <td id="projectlogo"><img alt="Logo" src="icon.png"/></td>
  <td id="projectalign" style="padding-left: 0.5em;">
   <div id="projectname">VMProfiler
   &#160;<span id="projectnumber">v1.8</span>
   </div>
   <div id="projectbrief">vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu.</div>
  </td>
 </tr>
 </tbody>
</table>
</div>
<!-- end header part -->
<!-- Generated by Doxygen 1.9.1 -->
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
var searchBox = new SearchBox("searchBox", "search",false,'Search','.html');
/* @license-end */
</script>
<script type="text/javascript" src="menudata.js"></script>
<script type="text/javascript" src="menu.js"></script>
<script type="text/javascript">
/* @license magnet:?xt=urn:btih:cf05388f2679ee054f2beb29a391d25f4e673ac3&amp;dn=gpl-2.0.txt GPL-v2 */
$(function() {
  initMenu('',true,false,'search.php','Search');
  $(document).ready(function() { init_search(); });
});
/* @license-end */</script>
<div id="main-nav"></div>
</div><!-- top -->
<!-- window showing the filter options -->
<div id="MSearchSelectWindow"
     onmouseover="return searchBox.OnSearchSelectShow()"
     onmouseout="return searchBox.OnSearchSelectHide()"
     onkeydown="return searchBox.OnSearchSelectKey(event)">
</div>

<!-- iframe showing the search results (closed by default) -->
<div id="MSearchResultsWindow">
<iframe src="javascript:void(0)" frameborder="0" 
        name="MSearchResults" id="MSearchResults">
</iframe>
</div>

<div class="PageDoc"><div class="header">
  <div class="headertitle">
<div class="title">VMProfiler Documentation</div>  </div>
</div><!--header-->
<div class="contents">
<div class="textblock"><p><a class="anchor" id="md_D__vmprofiler_qt_dependencies_vmprofiler_README"></a> </p><div align="center"> <div> <img src="https://githacks.org/uploads/-/system/project/avatar/374/icon-5.png" alt="" class="inline"/> </div> </div><h3><a class="anchor" id="autotoc_md0"></a>
VMProfiler - Library To Profile VMProtect 2 Virtual Machines</h3>
<p>vmprofiler is a c++ library which is used to statically analyze VMProtect 2 polymorphic virtual machines. This project is inherited in vmprofiler-qt, vmprofiler-cli, and vmemu. This is the base project for all other VMProtect 2 projects inside of this group on githacks.</p>
<h3><a class="anchor" id="autotoc_md1"></a>
Credit &amp; Contributors</h3>
<ul>
<li><a href="https://github.com/vtil-project/VTIL-Core">VTIL</a> - Virtual-machine Translation Intermediate Language</li>
<li><a href="https://github.com/zyantific/zydis">Zydis</a> - Fast and lightweight x86/x86-64 disassembler library</li>
<li><a href="https://github.com/irql0">irql0</a> - helped with the first version of vm handler pattern matching</li>
</ul>
<h3><a class="anchor" id="autotoc_md2"></a>
Basic Usage - Creating a vm::ctx_t Object</h3>
<p>The <code><a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code> class is a small container-like class which is simply used to contain all information for a given vm entry. This class contains the following useful information:</p>
<ul>
<li>all vm handlers for a given vm entry</li>
<li>the linear virtual address of the module base in memory</li>
<li>the image base address</li>
<li>the image size in virtual memory</li>
<li>which way VIP advances (exec_type)</li>
<li>vm entry relative virtual address</li>
<li>vm entry deobfuscated and flattened</li>
<li>calc jmp deobfuscated and flattened</li>
</ul>
<p>All of the above information is generated by executing the <code><a class="el" href="classvm_1_1ctx__t.html#a7f24e3ed32d1cca86c296dd8dae4b6d2" title="init all per-vm entry data such as vm_entry, calc_jmp, and vm handlers...">vm::ctx_t::init</a></code> member function. Below is a C++ example of how to create a <code><a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code> object.</p>
<div class="fragment"><div class="line"><span class="keyword">const</span> <span class="keyword">auto</span> module_base = <span class="keyword">reinterpret_cast&lt;</span> std::uintptr_t <span class="keyword">&gt;</span>(</div>
<div class="line">    LoadLibraryExA( parser.get&lt; std::string &gt;( <span class="stringliteral">&quot;bin&quot;</span> ).c_str(),</div>
<div class="line">        NULL, DONT_RESOLVE_DLL_REFERENCES ) );</div>
<div class="line"> </div>
<div class="line"><span class="keyword">const</span> <span class="keyword">auto</span> vm_entry_rva = std::strtoull( parser.get&lt; std::string &gt;( <span class="stringliteral">&quot;vmentry&quot;</span> ).c_str(), <span class="keyword">nullptr</span>, 16 );</div>
<div class="line"><span class="keyword">const</span> <span class="keyword">auto</span> image_base = umtils-&gt;image_base( parser.get&lt; std::string &gt;( <span class="stringliteral">&quot;bin&quot;</span> ).c_str() );</div>
<div class="line"><span class="keyword">const</span> <span class="keyword">auto</span> image_size = NT_HEADER( module_base )-&gt;OptionalHeader.SizeOfImage;</div>
<div class="line"><a class="code" href="classvm_1_1ctx__t.html">vm::ctx_t</a> vmctx( module_base, image_base, image_size, vm_entry_rva );</div>
<div class="line"> </div>
<div class="line"><span class="keywordflow">if</span> ( !vmctx.init() )</div>
<div class="line">{</div>
<div class="line">    std::printf( <span class="stringliteral">&quot;[!] failed to init vm::ctx_t... make sure all cli arguments are correct!\n&quot;</span> );</div>
<div class="line">    <span class="keywordflow">return</span> -1;</div>
<div class="line">}</div>
<div class="ttc" id="aclassvm_1_1ctx__t_html"><div class="ttname"><a href="classvm_1_1ctx__t.html">vm::ctx_t</a></div><div class="ttdoc">vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....</div><div class="ttdef"><b>Definition:</b> vmctx.hpp:13</div></div>
</div><!-- fragment --><h3><a class="anchor" id="autotoc_md3"></a>
Using vm::ctx_t Object</h3>
<p>Once you have instantiated <code><a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code> and called <code><a class="el" href="classvm_1_1ctx__t.html#a7f24e3ed32d1cca86c296dd8dae4b6d2" title="init all per-vm entry data such as vm_entry, calc_jmp, and vm handlers...">vm::ctx_t::init</a></code> with success, you now can directly access the data members of <code><a class="el" href="classvm_1_1ctx__t.html" title="vm::ctx_t class is used to auto generate vm_entry, calc_jmp, and other per-vm entry information....">vm::ctx_t</a></code>. Most importantly, <code><a class="el" href="classvm_1_1ctx__t.html#aed0dfa1748035f48bda0f59f76643d8d">vm::ctx_t::calc_jmp</a></code>, <code><a class="el" href="classvm_1_1ctx__t.html#a40f0524813578bcddf9ded1e74443793">vm::ctx_t::vm_entry</a></code>, and <code><a class="el" href="classvm_1_1ctx__t.html#a0fa31b5bd78861dbd2c5cf04af81aa4d" title="all the vm handlers for the given vm entry...">vm::ctx_t::vm_handlers</a></code>. An example usage of this data could be dumping the native x86_64 instructions which make up <code><a class="el" href="classvm_1_1ctx__t.html#a40f0524813578bcddf9ded1e74443793">vm::ctx_t::vm_entry</a></code>. Example c++ code for this is displayed below.</p>
<div class="fragment"><div class="line">std::puts( <span class="stringliteral">&quot;======================== [vm entry] ========================\n&quot;</span> );</div>
<div class="line"><a class="code" href="namespacevm_1_1util.html#abcfe75a7d22f907a6187579373679204">vm::util::print</a>( vmctx.vm_entry );</div>
<div class="ttc" id="anamespacevm_1_1util_html_abcfe75a7d22f907a6187579373679204"><div class="ttname"><a href="namespacevm_1_1util.html#abcfe75a7d22f907a6187579373679204">vm::util::print</a></div><div class="ttdeci">void print(zydis_routine_t &amp;routine)</div><div class="ttdoc">prints a disassembly view of a routine...</div><div class="ttdef"><b>Definition:</b> vmutils.cpp:69</div></div>
</div><!-- fragment --><p><em><b>Output</b></em></p>
<div class="fragment"><div class="line">======================== [vm entry] ========================</div>
<div class="line">&gt; 0x00007FF7911A822C push 0xFFFFFFFF890001FA</div>
<div class="line">&gt; 0x00007FF7911A7FC9 push 0x45D3BF1F</div>
<div class="line">&gt; 0x00007FF7911A48E4 push r13</div>
<div class="line">&gt; 0x00007FF7911A4690 push rsi</div>
<div class="line">&gt; 0x00007FF7911A4E53 push r14</div>
<div class="line">&gt; 0x00007FF7911A74FB push rcx</div>
<div class="line">&gt; 0x00007FF7911A607C push rsp</div>
<div class="line">&gt; 0x00007FF7911A4926 pushfq</div>
<div class="line">&gt; 0x00007FF7911A4DC2 push rbp</div>
<div class="line">&gt; 0x00007FF7911A5C8C push r12</div>
<div class="line">&gt; 0x00007FF7911A52AC push r10</div>
<div class="line">&gt; 0x00007FF7911A51A5 push r9</div>
<div class="line">&gt; 0x00007FF7911A5189 push rdx</div>
<div class="line">&gt; 0x00007FF7911A7D5F push r8</div>
<div class="line">&gt; 0x00007FF7911A4505 push rdi</div>
<div class="line">&gt; 0x00007FF7911A4745 push r11</div>
<div class="line">&gt; 0x00007FF7911A478B push rax</div>
<div class="line">&gt; 0x00007FF7911A7A53 push rbx</div>
<div class="line">&gt; 0x00007FF7911A500D push r15</div>
<div class="line">&gt; 0x00007FF7911A6030 push [0x00007FF7911A7912]</div>
<div class="line">&gt; 0x00007FF7911A593A mov rax, 0x7FF6511A0000</div>
<div class="line">&gt; 0x00007FF7911A5955 mov r13, rax</div>
<div class="line">&gt; 0x00007FF7911A595F test dl, al</div>
<div class="line">&gt; 0x00007FF7911A5965 push rax</div>
<div class="line">&gt; 0x00007FF7911A5969 btr si, bx</div>
<div class="line">&gt; 0x00007FF7911A596F mov esi, [rsp+0xA0]</div>
<div class="line">&gt; 0x00007FF7911A5979 not esi</div>
<div class="line">&gt; 0x00007FF7911A5985 neg esi</div>
<div class="line">&gt; 0x00007FF7911A598D ror esi, 0x1A</div>
<div class="line">&gt; 0x00007FF7911A599E mov rbp, rsp</div>
<div class="line">&gt; 0x00007FF7911A59A8 sub rsp, 0x140</div>
<div class="line">&gt; 0x00007FF7911A59B5 and rsp, 0xFFFFFFFFFFFFFFF0</div>
<div class="line">&gt; 0x00007FF7911A59BE inc ax</div>
<div class="line">&gt; 0x00007FF7911A59C1 mov rdi, rsp</div>
<div class="line">&gt; 0x00007FF7911A59C7 bsr r12, rax</div>
<div class="line">&gt; 0x00007FF7911A59CB lea r12, [0x00007FF7911A6473]</div>
<div class="line">&gt; 0x00007FF7911A59DF mov rax, 0x100000000</div>
<div class="line">&gt; 0x00007FF7911A59EC add rsi, rax</div>
<div class="line">&gt; 0x00007FF7911A59F3 mov rbx, rsi</div>
<div class="line">&gt; 0x00007FF7911A59FA add rsi, [rbp]</div>
<div class="line">&gt; 0x00007FF7911A5A03 rcr dl, cl</div>
<div class="line">&gt; 0x00007FF7911A5A05 mov al, [rsi]</div>
<div class="line">&gt; 0x00007FF7911A5A0A xor al, bl</div>
<div class="line">&gt; 0x00007FF7911A5A11 neg al</div>
<div class="line">&gt; 0x00007FF7911A5A19 rol al, 0x05</div>
<div class="line">&gt; 0x00007FF7911A5A26 inc al</div>
<div class="line">&gt; 0x00007FF7911A5A2F xor bl, al</div>
<div class="line">&gt; 0x00007FF7911A5A34 movzx rax, al</div>
<div class="line">&gt; 0x00007FF7911A5A41 mov rdx, [r12+rax*8]</div>
<div class="line">&gt; 0x00007FF7911A5A49 xor rdx, 0x7F3D2149</div>
<div class="line">&gt; 0x00007FF7911A5507 inc rsi</div>
<div class="line">&gt; 0x00007FF7911A7951 add rdx, r13</div>
<div class="line">&gt; 0x00007FF7911A7954 jmp rdx</div>
</div><!-- fragment --><h3><a class="anchor" id="autotoc_md4"></a>
License &amp; Copyright</h3>
<p>Copyright (c) 2021 _xeroxz, Independent Researcher @back.engineering</p>
<p>Licensed under the MIT License </p>
</div></div><!-- PageDoc -->
</div><!-- contents -->
<!-- start footer part -->
<hr class="footer"/><address class="footer"><small>
Generated by&#160;<a href="https://www.doxygen.org/index.html"><img class="footer" src="doxygen.svg" width="104" height="31" alt="doxygen"/></a> 1.9.1
</small></address>
</body>
</html>