/***************************************************************************************************
Zyan Disassembler Library (Zydis)
Original Author : Florian Bernd
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
|
|
* in the Software without restriction, including without limitation the rights
|
|
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
|
|
* furnished to do so, subject to the following conditions:
|
|
|
|
*
|
|
|
|
* The above copyright notice and this permission notice shall be included in all
|
|
|
|
* copies or substantial portions of the Software.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
* SOFTWARE.
|
|
|
|
|
|
|
|
***************************************************************************************************/
/**
|
|
|
|
* @file
|
2017-07-03 23:36:03 +08:00
|
|
|
* @brief Demonstrates the hooking functionality of the @c ZydisFormatter class.
|
2016-11-26 20:08:37 +08:00
|
|
|
*
|
2017-07-03 23:36:03 +08:00
|
|
|
* This example demonstrates the hooking functionality of the @c ZydisFormatter class by
|
2016-11-26 20:08:37 +08:00
|
|
|
* rewriting the mnemonics of (V)CMPPS and (V)CMPPD to their corresponding alias-forms (based on
|
|
|
|
* the condition encoded in the immediate operand).
|
|
|
|
*/
#include <stdio.h>
|
|
|
|
#include <stdarg.h>
|
2017-11-17 01:47:42 +08:00
|
|
|
#include <stdlib.h>
|
2016-11-29 08:27:39 +08:00
|
|
|
#include <inttypes.h>
|
2016-11-26 20:08:37 +08:00
|
|
|
#include <Zydis/Zydis.h>
|
2017-12-02 13:36:12 +08:00
|
|
|
|
|
|
|
/* ============================================================================================== */
|
|
|
|
/* Helper functions */
|
|
|
|
/* ============================================================================================== */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Appends formatted text to the given `string`.
|
|
|
|
*
|
|
|
|
* @param string A pointer to the string.
|
|
|
|
* @param format The format string.
|
|
|
|
*
|
|
|
|
* @return @c ZYDIS_STATUS_SUCCESS, if the function succeeded, or
|
|
|
|
* @c ZYDIS_STATUS_INSUFFICIENT_BUFFER_SIZE, if the size of the buffer was not
|
|
|
|
* sufficient to append the given text.
|
|
|
|
*/
|
|
|
|
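/**
 * @brief Appends formatted text to the given `string`.
 *
 * @param string A pointer to the string. Its `length` is the number of bytes already in use
 *               and `capacity` the total number of bytes that may be written.
 * @param format The printf-style format string (must be a literal controlled by the caller;
 *               this is a raw `vsnprintf` wrapper with no format-string sanitizing).
 *
 * @return @c ZYDIS_STATUS_SUCCESS, if the function succeeded,
 *         @c ZYDIS_STATUS_INVALID_PARAMETER, if a pointer is NULL or the string's bookkeeping
 *         is inconsistent, or
 *         @c ZYDIS_STATUS_INSUFFICIENT_BUFFER_SIZE, if the size of the buffer was not
 *         sufficient to append the given text in full. In that case `string->length` is left
 *         unchanged; the bytes past it may contain a truncated copy of the text.
 */
ZYDIS_INLINE ZydisStatus ZydisStringAppendFormatC(ZydisString* string, const char* format, ...)
{
    if (!string || !string->buffer || !format)
    {
        return ZYDIS_STATUS_INVALID_PARAMETER;
    }
    // If a previous caller ever pushed `length` past `capacity`, `capacity - length` wraps to
    // a huge size_t and vsnprintf would be handed a bogus bound. Refuse instead of writing.
    if (string->length > string->capacity)
    {
        return ZYDIS_STATUS_INVALID_PARAMETER;
    }
    const size_t remaining = string->capacity - string->length;

    va_list arglist;
    va_start(arglist, format);
    const int w = vsnprintf(string->buffer + string->length, remaining, format, arglist);
    va_end(arglist);

    // vsnprintf returns the length the complete text WOULD have had (excluding the NUL), but
    // it writes at most `remaining - 1` characters followed by a NUL terminator. So
    // `w == remaining` already means the last character was silently dropped. The original
    // `>` comparison accepted that truncated result as success and advanced `length` past the
    // text actually stored; `>=` reports it as an overflow instead.
    if ((w < 0) || ((size_t)w >= remaining))
    {
        return ZYDIS_STATUS_INSUFFICIENT_BUFFER_SIZE;
    }
    string->length += (size_t)w;
    return ZYDIS_STATUS_SUCCESS;
}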
|
2016-11-26 20:08:37 +08:00
|
|
|
|
|
|
|
/* ============================================================================================== */
|
|
|
|
/* Static data */
|
|
|
|
/* ============================================================================================== */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Static array with the condition-code strings.
|
|
|
|
*/
|
|
|
|
/**
 * @brief Mnemonic infixes for the comparison predicates of (V)CMPPS/(V)CMPPD, indexed by the
 *        value of the instruction's trailing imm8.
 *
 * Entries 0x00-0x07 are the predicates the legacy SSE `cmpps`/`cmppd` encodings accept; the
 * VEX/EVEX `vcmpps`/`vcmppd` encodings accept all 0x20. The table has exactly 0x20 entries, so
 * any index taken from an immediate must be range-checked before it is used here.
 */
static const char* conditionCodeStrings[0x20] =
{
    // Legacy SSE predicates (also the low half of the AVX range)
    [0x00] = "eq",
    [0x01] = "lt",
    [0x02] = "le",
    [0x03] = "unord",
    [0x04] = "neq",
    [0x05] = "nlt",
    [0x06] = "nle",
    [0x07] = "ord",
    // AVX-only predicates
    [0x08] = "eq_uq",
    [0x09] = "nge",
    [0x0A] = "ngt",
    [0x0B] = "false",
    [0x0C] = "oq",
    [0x0D] = "ge",
    [0x0E] = "gt",
    [0x0F] = "true",
    [0x10] = "eq_os",
    [0x11] = "lt_oq",
    [0x12] = "le_oq",
    [0x13] = "unord_s",
    [0x14] = "neq_us",
    [0x15] = "nlt_uq",
    [0x16] = "nle_uq",
    [0x17] = "ord_s",
    [0x18] = "eq_us",
    [0x19] = "nge_uq",
    [0x1A] = "ngt_uq",
    [0x1B] = "false_os",
    [0x1C] = "neq_os",
    [0x1D] = "ge_oq",
    [0x1E] = "gt_oq",
    [0x1F] = "true_us"
};
|
|
|
|
|
2017-10-15 00:37:59 +08:00
|
|
|
/* ============================================================================================== */
|
|
|
|
/* Enums and Types */
|
|
|
|
/* ============================================================================================== */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* @brief Custom user data struct.
|
|
|
|
*/
|
|
|
|
/**
 * @brief Custom user data struct.
 *
 * One instance is handed to @c ZydisFormatterFormatInstructionEx and arrives as the
 * `userData` argument of the hook callbacks, which lets the mnemonic hook leave a note for the
 * immediate hook within the same format call.
 */
typedef struct ZydisCustomUserData_
{
    // Set by the mnemonic hook when it folded the comparison predicate into an alias mnemonic;
    // the immediate hook then suppresses the (now redundant) imm8 operand.
    // (The field keeps its original spelling because every hook refers to it by this name.)
    ZydisBool ommitImmediate;
} ZydisCustomUserData;
|
|
|
|
|
2016-11-26 20:08:37 +08:00
|
|
|
/* ============================================================================================== */
|
|
|
|
/* Hook callbacks */
|
|
|
|
/* ============================================================================================== */
|
|
|
|
|
2017-12-04 01:49:45 +08:00
|
|
|
/**
 * @brief The formatter's built-in PRINT_MNEMONIC callback.
 *
 * Its address is passed to @c ZydisFormatterSetHook, which is expected to exchange the value
 * in place; afterwards the custom hook chains to it for every instruction it does not rewrite.
 * Only valid once the hooks have been installed.
 */
ZydisFormatterFunc defaultPrintMnemonic;
|
2016-11-26 20:08:37 +08:00
|
|
|
|
2017-07-03 23:36:03 +08:00
|
|
|
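/**
 * @brief @c ZYDIS_FORMATTER_HOOK_PRINT_MNEMONIC callback that prints the predicate alias-form
 *        of (V)CMPPS/(V)CMPPD (e.g. `cmpunordps`) instead of the raw mnemonic.
 *
 * @param formatter   The formatter instance.
 * @param string      The output string the mnemonic is appended to.
 * @param instruction The decoded instruction.
 * @param userData    The per-call user data. Its @c ommitImmediate flag is set to tell the
 *                    immediate hook whether the predicate was folded into the mnemonic. May be
 *                    @c NULL if the caller formatted without user data; then no flag is written.
 *
 * @return The status of the alias append, or whatever the default mnemonic printer returns.
 */
static ZydisStatus ZydisFormatterPrintMnemonic(const ZydisFormatter* formatter,
    ZydisString* string, const ZydisDecodedInstruction* instruction, ZydisCustomUserData* userData)
{
    if (!instruction)
    {
        return ZYDIS_STATUS_INVALID_PARAMETER;
    }

    // Assume we will rewrite; the immediate hook must then omit the predicate operand.
    if (userData)
    {
        userData->ommitImmediate = ZYDIS_TRUE;
    }

    // The predicate is always the last operand. Check `operandCount` first: for a
    // zero-operand instruction (`nop`, `ret`, ...) `operandCount - 1` would index `operands[]`
    // out of bounds, which the original code did not guard against.
    if ((instruction->operandCount > 0) &&
        (instruction->operands[instruction->operandCount - 1].type ==
            ZYDIS_OPERAND_TYPE_IMMEDIATE))
    {
        // Narrowing to uint8_t is intentional: the predicate is an imm8. `conditionCodeStrings`
        // has 0x20 entries, so every case range-checks before indexing: the legacy SSE forms
        // define predicates 0x00-0x07, the VEX/EVEX forms 0x00-0x1F.
        const uint8_t conditionCode =
            (uint8_t)instruction->operands[instruction->operandCount - 1].imm.value.u;
        switch (instruction->mnemonic)
        {
        case ZYDIS_MNEMONIC_CMPPS:
            if (conditionCode < 0x08)
            {
                return ZydisStringAppendFormatC(
                    string, "cmp%sps", conditionCodeStrings[conditionCode]);
            }
            break;
        case ZYDIS_MNEMONIC_CMPPD:
            if (conditionCode < 0x08)
            {
                return ZydisStringAppendFormatC(
                    string, "cmp%spd", conditionCodeStrings[conditionCode]);
            }
            break;
        case ZYDIS_MNEMONIC_VCMPPS:
            if (conditionCode < 0x20)
            {
                return ZydisStringAppendFormatC(
                    string, "vcmp%sps", conditionCodeStrings[conditionCode]);
            }
            break;
        case ZYDIS_MNEMONIC_VCMPPD:
            if (conditionCode < 0x20)
            {
                return ZydisStringAppendFormatC(
                    string, "vcmp%spd", conditionCodeStrings[conditionCode]);
            }
            break;
        default:
            break;
        }
    }

    // Nothing was rewritten: the immediate hook must print the operand as usual.
    if (userData)
    {
        userData->ommitImmediate = ZYDIS_FALSE;
    }

    // Default mnemonic printing. Note the signature mismatch: `defaultPrintMnemonic` is a
    // `ZydisFormatterFunc` whose last parameter is a generic pointer, while this hook declares
    // it as `ZydisCustomUserData*`; the cast at installation time relies on both being plain
    // data pointers.
    return defaultPrintMnemonic(formatter, string, instruction, userData);
}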
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------- */
|
|
|
|
|
2017-12-04 01:49:45 +08:00
|
|
|
/**
 * @brief The formatter's built-in FORMAT_OPERAND_IMM callback.
 *
 * Its address is passed to @c ZydisFormatterSetHook, which is expected to exchange the value
 * in place; afterwards the custom immediate hook chains to it whenever the operand is not
 * suppressed. Only valid once the hooks have been installed.
 */
ZydisFormatterOperandFunc defaultFormatOperandImm;
|
2016-11-26 20:08:37 +08:00
|
|
|
|
2017-07-03 23:36:03 +08:00
|
|
|
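/**
 * @brief @c ZYDIS_FORMATTER_HOOK_FORMAT_OPERAND_IMM callback that suppresses the predicate
 *        immediate once the mnemonic hook has folded it into an alias mnemonic.
 *
 * @param formatter   The formatter instance.
 * @param string      The output string the operand text is appended to.
 * @param instruction The decoded instruction.
 * @param operand     The immediate operand to format.
 * @param userData    The per-call user data carrying the @c ommitImmediate flag written by
 *                    @c ZydisFormatterPrintMnemonic. May be @c NULL, in which case the operand
 *                    is formatted normally.
 *
 * @return @c ZYDIS_STATUS_SUCCESS when the operand is omitted, otherwise the status of the
 *         default immediate formatter.
 */
static ZydisStatus ZydisFormatterFormatOperandImm(const ZydisFormatter* formatter,
    ZydisString* string, const ZydisDecodedInstruction* instruction,
    const ZydisDecodedOperand* operand, ZydisCustomUserData* userData)
{
    // The original dereferenced `userData` unconditionally; a caller that formats without user
    // data would crash here, so a NULL flag block simply means "nothing to omit".
    // @c ZydisFormatterPrintMnemonic signals us to omit the immediate (condition-code)
    // operand, because it got replaced by the alias-mnemonic.
    if (userData && userData->ommitImmediate)
    {
        // Per the original author's note, leaving `string` untouched is the signal for the
        // formatter to drop this operand entirely, so nothing is appended on purpose.
        return ZYDIS_STATUS_SUCCESS;
    }

    // Default immediate formatting
    return defaultFormatOperandImm(formatter, string, instruction, operand, userData);
}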
|
|
|
|
|
|
|
|
/* ---------------------------------------------------------------------------------------------- */
|
|
|
|
|
|
|
|
/* ============================================================================================== */
|
|
|
|
/* Helper functions */
|
|
|
|
/* ============================================================================================== */
|
|
|
|
|
2017-07-03 23:36:03 +08:00
|
|
|
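/**
 * @brief Disassembles `length` bytes at `data` and prints one line per instruction.
 *
 * @param decoder      An initialized decoder.
 * @param data         The code bytes.
 * @param length       The number of bytes at `data`.
 * @param installHooks If @c ZYDIS_TRUE, the alias-rewriting hooks are installed on the
 *                     formatter before printing; otherwise the plain formatter output is shown.
 *
 * Decoding stops at the first byte sequence the decoder rejects. Errors from the formatter
 * set-up are reported on stderr and abort the listing; a per-instruction formatting failure is
 * printed in place of the instruction text.
 */
void disassembleBuffer(ZydisDecoder* decoder, uint8_t* data, size_t length, ZydisBool installHooks)
{
    if (!decoder || (!data && length > 0))
    {
        fputs("disassembleBuffer: invalid arguments\n", stderr);
        return;
    }

    ZydisFormatter formatter;
    if (!ZYDIS_SUCCESS(ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL)))
    {
        fputs("Failed to initialize the formatter\n", stderr);
        return;
    }
    // These only affect how memory operands are rendered, so a failure here is not fatal.
    ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_MEMSEG, ZYDIS_TRUE);
    ZydisFormatterSetProperty(&formatter, ZYDIS_FORMATTER_PROP_FORCE_MEMSIZE, ZYDIS_TRUE);

    if (installHooks)
    {
        // ZydisFormatterSetHook is expected to exchange the pointer in place: we pass our
        // callback in and receive the previous (default) callback in the same variable, which
        // the hook then chains to. The two hooks only make sense together (the mnemonic hook
        // drops the immediate by setting a flag the immediate hook reads), so give up rather
        // than run with only one of them installed.
        defaultPrintMnemonic = (ZydisFormatterFunc)&ZydisFormatterPrintMnemonic;
        if (!ZYDIS_SUCCESS(ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_HOOK_PRINT_MNEMONIC,
            (const void**)&defaultPrintMnemonic)))
        {
            fputs("Failed to install the mnemonic hook\n", stderr);
            return;
        }
        defaultFormatOperandImm = (ZydisFormatterOperandFunc)&ZydisFormatterFormatOperandImm;
        if (!ZYDIS_SUCCESS(ZydisFormatterSetHook(&formatter,
            ZYDIS_FORMATTER_HOOK_FORMAT_OPERAND_IMM, (const void**)&defaultFormatOperandImm)))
        {
            fputs("Failed to install the immediate-operand hook\n", stderr);
            return;
        }
    }

    // Arbitrary base address; only used for the printed address column.
    uint64_t instructionPointer = 0x007FFFFFFF400000;

    ZydisDecodedInstruction instruction;
    // Initialized so the immediate hook never reads an indeterminate flag, whichever hooks are
    // active.
    ZydisCustomUserData userData = { ZYDIS_FALSE };
    char buffer[256];
    while (ZYDIS_SUCCESS(
        ZydisDecoderDecodeBuffer(decoder, data, length, instructionPointer, &instruction)))
    {
        // Defensive: a zero-length or over-long result would make the cursor below stall or
        // run past `length`. The decoder is not expected to produce either on success.
        if ((instruction.length == 0) || (instruction.length > length))
        {
            fputs("Decoder returned an inconsistent instruction length\n", stderr);
            break;
        }
        data += instruction.length;
        length -= instruction.length;
        instructionPointer += instruction.length;

        printf("%016" PRIX64 " ", instruction.instrAddress);
        const ZydisStatus status = ZydisFormatterFormatInstructionEx(
            &formatter, &instruction, &buffer[0], sizeof(buffer), &userData);
        if (ZYDIS_SUCCESS(status))
        {
            printf(" %s\n", &buffer[0]);
        }
        else
        {
            // Do not print `buffer` on failure: its contents (and termination) are not
            // guaranteed, and the original code printed it regardless.
            printf(" <formatting failed, status 0x%X>\n", (unsigned)status);
        }
    }
}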
/* ============================================================================================== */
|
|
|
|
/* Entry point */
|
|
|
|
/* ============================================================================================== */
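/**
 * @brief Entry point: disassembles a small fixed buffer twice, once without and once with the
 *        alias-rewriting hooks, so the two listings can be compared.
 *
 * @return @c EXIT_SUCCESS, or @c EXIT_FAILURE if the loaded library does not match the headers
 *         this example was built against, or the decoder could not be initialized.
 */
int main(void)
{
    // The runtime library must report the version the headers describe: this example reaches
    // into library structs (e.g. ZydisDecodedInstruction) directly, whose layout may differ
    // between releases.
    if (ZydisGetVersion() != ZYDIS_VERSION)
    {
        fputs("Invalid zydis version\n", stderr);
        return EXIT_FAILURE;
    }

    uint8_t data[] =
    {
        // cmpps xmm1, xmm4, 0x03
        0x0F, 0xC2, 0xCC, 0x03,

        // vcmppd xmm1, xmm2, xmm3, 0x17
        0xC5, 0xE9, 0xC2, 0xCB, 0x17,

        // vcmpps k2 {k7}, zmm2, dword ptr ds:[rax + rbx*4 + 0x100] {1to16}, 0x0F
        0x62, 0xF1, 0x6C, 0x5F, 0xC2, 0x54, 0x98, 0x40, 0x0F
    };

    ZydisDecoder decoder;
    // The original ignored this status; an uninitialized decoder would then be handed to
    // disassembleBuffer.
    if (!ZYDIS_SUCCESS(
        ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_ADDRESS_WIDTH_64)))
    {
        fputs("Failed to initialize the decoder\n", stderr);
        return EXIT_FAILURE;
    }

    // Plain output first, then the same bytes with the hooks installed.
    disassembleBuffer(&decoder, &data[0], sizeof(data), ZYDIS_FALSE);
    puts("");
    disassembleBuffer(&decoder, &data[0], sizeof(data), ZYDIS_TRUE);

    return EXIT_SUCCESS;
}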
/* ============================================================================================== */