DBG: capstone helper stuff that is useful

2015-04-17 03:35:54 +02:00 · 2015-04-17 03:35:54 +02:00 · f5d72e3dc7
parent 530bec3cd5
commit f5d72e3dc7
4 changed files with 115 additions and 7 deletions
--- a/x64_dbg_dbg/capstone_wrapper.cpp
+++ b/x64_dbg_dbg/capstone_wrapper.cpp
@ -1,5 +1,6 @@
 #include "console.h"
 #include "capstone_wrapper.h"
+#include "TitanEngine\TitanEngine.h"

 Capstone::Capstone()
 {
@ -44,7 +45,79 @@ const cs_err Capstone::GetError()
    return mError;
 }

-const char* Capstone::RegName(unsigned int reg)
+const char* Capstone::RegName(x86_reg reg)
 {
    return cs_reg_name(mHandle, reg);
+}
+
+bool Capstone::InGroup(cs_group_type group)
+{
+    return cs_insn_group(mHandle, mInstr, group);
+}
+
+String Capstone::OperandText(int opindex)
+{
+    if(opindex >= mInstr->detail->x86.op_count)
+        return "";
+    const cs_x86_op & op = mInstr->detail->x86.operands[opindex];
+    String result;
+    char temp[32] = "";
+    switch(op.type)
+    {
+    case X86_OP_REG:
+    {
+        result = RegName((x86_reg)op.reg);
+    }
+    break;
+
+    case X86_OP_IMM:
+    {
+        sprintf_s(temp, "%"fext"X", op.imm);
+        result = temp;
+    }
+    break;
+
+    case X86_OP_MEM:
+    {
+        const x86_op_mem & mem = op.mem;
+        if(op.mem.base == X86_REG_RIP)  //rip-relative
+        {
+            sprintf_s(temp, "%"fext"X", mInstr->address + op.mem.disp + mInstr->size);
+            result += temp;
+        }
+        else //normal
+        {
+            bool prependPlus = false;
+            if(mem.base)
+            {
+                result += RegName((x86_reg)mem.base);
+                prependPlus = true;
+            }
+            if(mem.index)
+            {
+                if(prependPlus)
+                    result += "+";
+                result += RegName((x86_reg)mem.index);
+                sprintf_s(temp, "*%X", mem.scale);
+                result += temp;
+                prependPlus = true;
+            }
+            if(mem.disp)
+            {
+                if(prependPlus)
+                    result += "+";
+                sprintf_s(temp, "%"fext"X", mem.disp);
+                result += temp;
+            }
+        }
+    }
+    break;
+
+    case X86_OP_FP:
+    {
+        dprintf("float: %f\n", op.fp);
+    }
+    break;
+    }
+    return result;
 }
--- a/x64_dbg_dbg/capstone_wrapper.h
+++ b/x64_dbg_dbg/capstone_wrapper.h
@ -4,6 +4,7 @@
 #include "capstone\capstone.h"

 #define MAX_DISASM_BUFFER 16
+#define INVALID_TITAN_REG 0

 class Capstone
 {
@ -13,7 +14,9 @@ public:
    bool Disassemble(uint addr, unsigned char data[MAX_DISASM_BUFFER]);
    const cs_insn* GetInstr();
    const cs_err GetError();
-    const char* RegName(unsigned int reg);
+    const char* RegName(x86_reg reg);
+    bool InGroup(cs_group_type group);
+    String OperandText(int opindex);

 private:
    csh mHandle;
--- a/x64_dbg_dbg/disasm_helper.cpp
+++ b/x64_dbg_dbg/disasm_helper.cpp
@ -12,6 +12,7 @@
 #include "memory.h"
 #include <cwctype>
 #include <cwchar>
+#include "capstone_wrapper.h"

 uint disasmback(unsigned char* data, uint base, uint size, uint ip, int n)
 {
@ -221,6 +222,16 @@ static bool HandleArgument(ARGTYPE* Argument, INSTRTYPE* Instruction, DISASM_ARG
    return true;
 }

+static void HandleCapstoneOperand(Capstone & cp, int opindex, DISASM_ARG* arg)
+{
+    const cs_x86 & x86 = cp.GetInstr()->detail->x86;
+    const cs_x86_op & op = x86.operands[opindex];
+    switch(op.type)
+    {
+
+    }
+}
+
 void disasmget(unsigned char* buffer, uint addr, DISASM_INSTR* instr)
 {
    if(!DbgIsDebugging())
@ -230,6 +241,27 @@ void disasmget(unsigned char* buffer, uint addr, DISASM_INSTR* instr)
        return;
    }
    memset(instr, 0, sizeof(DISASM_INSTR));
+    Capstone cp;
+    unsigned char buf[MAX_DISASM_BUFFER];
+    memcpy(buf, buffer, sizeof(buf));
+    if(!cp.Disassemble(addr, buf))
+    {
+        instr->instr_size = 1;
+        instr->type = instr_normal;
+        instr->argcount = 0;
+        return;
+    }
+    const cs_x86 & x86 = cp.GetInstr()->detail->x86;
+    instr->instr_size = cp.GetInstr()->size;
+    if(cp.InGroup(CS_GRP_JUMP))
+        instr->type = instr_branch;
+    else if(strstr(cp.GetInstr()->op_str, "sp") || strstr(cp.GetInstr()->op_str, "bp"))
+        instr->type = instr_stack;
+    else
+        instr->type = instr_normal;
+
+
+    //old code under here
    DISASM disasm;
    memset(&disasm, 0, sizeof(DISASM));
    disasm.Options = NoformatNumeral | ShowSegmentRegs;
--- a/x64_dbg_dbg/instruction.cpp
+++ b/x64_dbg_dbg/instruction.cpp
@ -1850,11 +1850,11 @@ CMDRESULT cbInstrCapstone(int argc, char* argv[])
    for(int i = 0; i < argcount; i++)
    {
        const cs_x86_op & op = x86.operands[i];
-        dprintf("operand %d, ", i + 1);
+        dprintf("operand \"%s\" %d, ", cp.OperandText(i).c_str(), i + 1);
        switch(op.type)
        {
        case X86_OP_REG:
-            dprintf("register: %s\n", cp.RegName(op.reg));
+            dprintf("register: %s\n", cp.RegName((x86_reg)op.reg));
            break;
        case X86_OP_IMM:
            dprintf("immediate: 0x%p\n", op.imm);
@ -1864,9 +1864,9 @@ CMDRESULT cbInstrCapstone(int argc, char* argv[])
            //[base + index * scale +/- disp]
            const x86_op_mem & mem = op.mem;
            dprintf("memory segment: %s, base: %s, index: %s, scale: %d, displacement: 0x%p\n",
-                    cp.RegName(mem.segment),
-                    cp.RegName(mem.base),
-                    cp.RegName(mem.index),
+                    cp.RegName((x86_reg)mem.segment),
+                    cp.RegName((x86_reg)mem.base),
+                    cp.RegName((x86_reg)mem.index),
                    mem.scale,
                    mem.disp);
        }