DWORD_PTR IATSearch::findNextFunctionAddress()
{
#ifdef DEBUG_COMMENTS
    _DecodedInst inst;
#endif

    // Walk the decomposed instructions in order and return the target of the
    // first direct (pc-relative, O_PC operand) call or unconditional branch.
    // Undecodable instructions and call/branch encodings shorter than 5 bytes
    // are skipped. Returns 0 when no such instruction exists.
    for (unsigned int idx = 0; idx < decomposerInstructionsCount; idx++)
    {
        const _DInst & cur = decomposerResult[idx];

        if (cur.flags == FLAG_NOT_DECODABLE)
            continue;

        const int flowControl = META_GET_FC(cur.meta);
        const bool isCallOrJmp = (flowControl == FC_CALL) || (flowControl == FC_UNC_BRANCH);
        if (!isCallOrJmp || cur.size < 5 || cur.ops[0].type != O_PC)
            continue;

#ifdef DEBUG_COMMENTS
        distorm_format(&decomposerCi, &cur, &inst);
        Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, cur.ops[0].type, cur.size, INSTRUCTION_GET_TARGET(&cur));
#endif
        return (DWORD_PTR)INSTRUCTION_GET_TARGET(&cur);
    }

    return 0;
}
void IATSearch::findIATPointers(std::set<DWORD_PTR> & iatPointers)
{
#ifdef DEBUG_COMMENTS
    _DecodedInst inst;
#endif

    // Collect into iatPointers the memory addresses that indirect calls and
    // unconditional jumps read their target from. Undecodable instructions and
    // encodings shorter than 5 bytes are skipped. On x64 the address is the
    // RIP-relative target, on x86 the absolute displacement (O_DISP operand).
    // Inserting into the std::set deduplicates repeated addresses.
    for (unsigned int idx = 0; idx < decomposerInstructionsCount; idx++)
    {
        const _DInst & cur = decomposerResult[idx];

        if (cur.flags == FLAG_NOT_DECODABLE)
            continue;

        const int flowControl = META_GET_FC(cur.meta);
        const bool isCallOrJmp = (flowControl == FC_CALL) || (flowControl == FC_UNC_BRANCH);
        if (!isCallOrJmp || cur.size < 5)
            continue;

#ifdef _WIN64
        if ((cur.flags & FLAG_RIP_RELATIVE) == 0)
            continue;
#ifdef DEBUG_COMMENTS
        distorm_format(&decomposerCi, &cur, &inst);
        Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, cur.ops[0].type, cur.size, INSTRUCTION_GET_RIP_TARGET(&cur));
#endif
        iatPointers.insert(INSTRUCTION_GET_RIP_TARGET(&cur));
#else
        //jmp dword ptr || call dword ptr
        if (cur.ops[0].type != O_DISP)
            continue;
#ifdef DEBUG_COMMENTS
        distorm_format(&decomposerCi, &cur, &inst);
        Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, cur.ops[0].type, cur.size, cur.disp);
#endif
        iatPointers.insert((DWORD_PTR)cur.disp);
#endif
    }
}
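blockinfo get_block_stats(const uint8_t *buf, unsigned long pc, size_t size, bool use64bit){
  // Decode the code bytes of one block with distorm and count the instructions
  // by class, using the icls[] table indexed by distorm's opcode id.
  //   buf      - the block's code bytes
  //   pc       - address of buf[0]; used as distorm's codeOffset and in messages
  //   size     - number of bytes at buf
  //   use64bit - decode as 64-bit code when true, 32-bit otherwise
  // Returns the counts (total_instr / arith_instr); both stay zero when the
  // build target is not i386.
  //
  // The decoded instructions are walked from the end of the block backwards and
  // the walk stops at the first undecodable instruction it meets, so only the
  // decodable tail of the block is counted.

  blockinfo retval = {0,0};

#if defined(TARGET_I386)

    // Upper bound on instructions a single distorm_decompose() call can return.
    enum { MAX_DECODED_INSTR = 256 };
    _DInst dec[MAX_DECODED_INSTR];
    unsigned int dec_count = 0;
    _DecodeType dt = use64bit ? Decode64Bits : Decode32Bits;

    _CodeInfo ci;
    ci.code = buf;
    ci.codeLen = (int)size;  // _CodeInfo::codeLen is a signed int; narrowing made explicit
    ci.codeOffset = pc;
    ci.dt = dt;
    ci.features = DF_NONE;
    _DecodeResult res = distorm_decompose(&ci, dec, MAX_DECODED_INSTR, &dec_count);
    if (res == DECRES_MEMORYERR) {
      // dec[] filled up before the whole block was decoded. Only the first
      // MAX_DECODED_INSTR instructions are counted below, so say so instead of
      // returning a silently truncated result.
      fprintf(stderr, "Block at %lX has more than %u instructions; stats are truncated\n", pc, (unsigned int)MAX_DECODED_INSTR);
    }

    // Explicit unsigned-to-int conversion: an empty result (dec_count == 0)
    // yields i == -1 and the loop body never runs.
    for (int i = (int)dec_count - 1; i >= 0; i--) {
      _DecodedInst inst;
        if (dec[i].flags == FLAG_NOT_DECODABLE) {
          // Note: unlike the other diagnostics in this function this goes to stdout.
          printf("Instruction not decodable %lX\n", dec[i].addr);
          break;
        }
        switch(icls[dec[i].opcode]){
        case ICLS_NORMAL:
          retval.total_instr++;
          break;
        case ICLS_WARN:
          // Unclassified opcode: report it, but still count it as an instruction.
          distorm_format(&ci, &dec[i], &inst);

          fprintf(stderr,"Could not classify instruction %s %s\n", inst.mnemonic.p, inst.operands.p);
          retval.total_instr++;
          break;
        case ICLS_BITARITH:
          retval.arith_instr++;
          retval.total_instr++;
          break;
        case ICLS_MOV:
          // ICLS_MOV instructions are not counted at all.
          break;
        }
    }
#else
    fprintf(stderr, "Architecture not supported\n");
#endif
    return retval;

}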