/// Resolve the Linux syscall name for an x86 software interrupt from the
/// decoded instruction history.
///
/// Expects @p insns to hold at least two entries: the interrupt itself at
/// index 0 (accepted by isInterested()) and, at index 1, the instruction
/// treated as the one preceding it, which must be `mov $imm, %eax`
/// (AT&T order; %eax is the first operand in Intel order).
///
/// @param insns  decoded instruction history; index 0 is the interrupt.
/// @return 0 when a syscall name was stored in curSyscallName, -1 otherwise.
int TraceProcessorX86InterruptLinux::processInstruction(History<TRInstructionX86>& insns) {
    // Need the interrupt plus the instruction that preceded it.
    if (insns.size() < 2 || !isInterested(insns.at(0))) {
        return -1;
    }

    const TRInstructionX86& loader = insns.at(1);

    // Only a `mov` whose first operand is the %eax register is a
    // syscall-number load we understand.
    const bool isMov = loader.insn.type == INSTRUCTION_TYPE_MOV;
    const bool destIsEax = loader.insn.op1.type == OPERAND_TYPE_REGISTER
                        && loader.insn.op1.reg == REG_EAX;
    if (!isMov || !destIsEax) {
        return -1;
    }

    // The source must be an immediate: that immediate is the syscall number.
    if (loader.insn.op2.type != OPERAND_TYPE_IMMEDIATE) {
        return -1;
    }

    const size_t syscallNum = loader.insn.op2.immediate;
    // Never index past the end of the syscall table.
    if (syscallNum >= SYSCALLTABLE_LINUX_2_6_LEN) {
        return -1;
    }
    curSyscallName = sysCallTable[syscallNum];
    return 0;
}
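/// Resolve the Linux syscall name for an x86 software interrupt from the
/// textual (AT&T syntax) instruction history.
///
/// Expects @p strs to hold at least two entries: the interrupt line at
/// index 0 (accepted by isInterested()) and, at index 1, the line treated as
/// the preceding one, which must contain `mov $<imm>, %eax`. The immediate
/// is parsed with myHexStrToul() and used as the syscall number.
///
/// @param strs  disassembly text history; index 0 is the interrupt line.
/// @return 0 when curSyscallName was set; -1 when the previous line is not a
///         recognised syscall-number load, the immediate does not parse, or
///         the number is outside the syscall table.
int TraceProcessorX86InterruptLinux::processInstruction(History<string>& strs) {
    if (strs.size() < 2 || !isInterested(strs.at(0))) {
        return -1;
    }

    const string& prevS = strs.at(1);

    // Locate the pieces of `mov $imm, %eax` in order. Every find() result is
    // checked for npos: an unchecked miss (no '$', ',' or "%eax" on a
    // malformed line) would otherwise feed npos into the index arithmetic
    // below and drive the whitespace scan past the end of the string.
    const size_t movPos = prevS.find("mov");
    if (movPos == string::npos) {
        return -1;
    }
    const size_t dollarPos = prevS.find('$', movPos);
    if (dollarPos == string::npos) {
        return -1;
    }
    const size_t commaPos = prevS.find(',', dollarPos);
    if (commaPos == string::npos) {
        return -1;
    }
    const size_t eaxPos = prevS.find("%eax", commaPos);
    if (eaxPos == string::npos) {
        return -1;
    }

    // Only whitespace may sit between the comma and "%eax". The cast to
    // unsigned char matters: isspace() on a negative char is undefined.
    for (size_t i = commaPos + 1; i < eaxPos; ++i) {
        if (!isspace(static_cast<unsigned char>(prevS[i]))) {
            return -1;
        }
    }

    // The text between '$' and ',' is the syscall number.
    uint32_t syscallNum = 0;
    if (myHexStrToul(syscallNum, prevS.substr(dollarPos + 1, commaPos - dollarPos - 1)) != 0) {
        return -1;
    }

    // Never index past the end of the syscall table.
    if (syscallNum >= SYSCALLTABLE_LINUX_2_6_LEN) {
        return -1;
    }
    curSyscallName = sysCallTable[syscallNum];
    return 0;
}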