|
#include <idc.idc> static main() {
auto start, end, addr, mnem, count, opnd, opnd1, opnd2; start = SegStart( ScreenEA() ); nd = SegEnd( ScreenEA() ); addr = start; count = 0; while( addr < end ) { mnem = GetMnem( addr ); // Common VM detect instructions if( mnem == "sidt" || mnem == "sgdt" || mnem == "sldt" || mnem == "smsw" || mnem == "str" ) { Message( "%08x: Found %s\n", addr, mnem ); SetColor( addr, CIC_ITEM, 0x0088ff ); // orange } // Read Time Stamp Counter if( mnem == "rdtsc" ) { Message( "%08x: Found %s\n", addr, mnem ); SetColor( addr, CIC_ITEM, 0xff8800 ); // blue } // Exception Handling or other PEB/TEB access opnd = ""; opnd1 = GetOpnd( addr, 0 ); opnd2 = GetOpnd( addr, 1 ); if( strstr( opnd1, "fs:" ) > -1 ) { opnd = opnd1; } else { if( strstr( opnd2, "fs:" ) > -1 ) opnd = opnd2; } if( opnd != "" ) { Message( "%08x: Found %s\n", addr, opnd ); SetColor( addr, CIC_ITEM, 0xff8888 ); // purple } addr = NextHead( addr, BADADDR ); count = count + 1; } Message( "Processed %d instructions from %08x to %08x\n", count, start, end ); }
0 Comments
Leave a Reply. |
AuthorVitali Kremez Archives
August 2016
Categories |
RSS Feed
