// Scans the already-decomposed instruction buffer (decomposerResult /
// decomposerInstructionsCount) in order and returns the target of the first
// direct, PC-relative CALL or unconditional JMP whose encoding is at least
// 5 bytes long. Returns 0 when no such instruction is present.
DWORD_PTR IATSearch::findNextFunctionAddress()
{
#ifdef DEBUG_COMMENTS
    _DecodedInst inst;
#endif
    for (unsigned int idx = 0; idx < decomposerInstructionsCount; idx++)
    {
        // Skip bytes distorm could not decode.
        if (decomposerResult[idx].flags == FLAG_NOT_DECODABLE)
        {
            continue;
        }

        // Only control transfers are of interest here.
        const bool transfersControl =
            (META_GET_FC(decomposerResult[idx].meta) == FC_CALL) ||
            (META_GET_FC(decomposerResult[idx].meta) == FC_UNC_BRANCH);
        if (!transfersControl || decomposerResult[idx].size < 5)
        {
            continue;
        }

        // Only direct (PC-relative) targets can be resolved statically.
        if (decomposerResult[idx].ops[0].type != O_PC)
        {
            continue;
        }

#ifdef DEBUG_COMMENTS
        distorm_format(&decomposerCi, &decomposerResult[idx], &inst);
        Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[idx].ops[0].type, decomposerResult[idx].size, INSTRUCTION_GET_TARGET(&decomposerResult[idx]));
#endif
        return (DWORD_PTR)INSTRUCTION_GET_TARGET(&decomposerResult[idx]);
    }

    return 0;
}
// Collects candidate IAT slot addresses from the decomposed instruction
// buffer: every CALL / unconditional JMP of at least 5 bytes that reads its
// target through memory. On x64 that is a RIP-relative operand (resolved via
// INSTRUCTION_GET_RIP_TARGET); on x86 it is an absolute displacement operand
// (O_DISP, i.e. "call/jmp dword ptr [addr]"). Results are inserted into
// iatPointers; the set is not cleared first.
void IATSearch::findIATPointers(std::set<DWORD_PTR> & iatPointers)
{
#ifdef DEBUG_COMMENTS
    _DecodedInst inst;
#endif
    for (unsigned int idx = 0; idx < decomposerInstructionsCount; idx++)
    {
        // Skip bytes distorm could not decode.
        if (decomposerResult[idx].flags == FLAG_NOT_DECODABLE)
        {
            continue;
        }

        const bool transfersControl =
            (META_GET_FC(decomposerResult[idx].meta) == FC_CALL) ||
            (META_GET_FC(decomposerResult[idx].meta) == FC_UNC_BRANCH);
        if (!transfersControl || decomposerResult[idx].size < 5)
        {
            continue;
        }

#ifdef _WIN64
        // x64: indirect calls through the IAT are RIP-relative.
        if ((decomposerResult[idx].flags & FLAG_RIP_RELATIVE) == 0)
        {
            continue;
        }
#ifdef DEBUG_COMMENTS
        distorm_format(&decomposerCi, &decomposerResult[idx], &inst);
        Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[idx].ops[0].type, decomposerResult[idx].size, INSTRUCTION_GET_RIP_TARGET(&decomposerResult[idx]));
#endif
        iatPointers.insert(INSTRUCTION_GET_RIP_TARGET(&decomposerResult[idx]));
#else
        // x86: jmp dword ptr [disp] || call dword ptr [disp]
        if (decomposerResult[idx].ops[0].type != O_DISP)
        {
            continue;
        }
#ifdef DEBUG_COMMENTS
        distorm_format(&decomposerCi, &decomposerResult[idx], &inst);
        Scylla::debugLog.log(L"%S %S %d %d - target address: " PRINTF_DWORD_PTR_FULL, inst.mnemonic.p, inst.operands.p, decomposerResult[idx].ops[0].type, decomposerResult[idx].size, decomposerResult[idx].disp);
#endif
        iatPointers.insert((DWORD_PTR)decomposerResult[idx].disp);
#endif
    }
}
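/// Decodes one block of guest code with distorm and tallies its instructions
/// by the class recorded in the icls[] opcode table.
///
/// @param buf      Raw instruction bytes of the block.
/// @param pc       Guest address of buf[0]; used as distorm's code offset.
/// @param size     Number of bytes in buf.
/// @param use64bit Decode as 64-bit code when true, 32-bit otherwise.
/// @return total_instr = instructions classified ICLS_NORMAL, ICLS_WARN or
///         ICLS_BITARITH (ICLS_MOV entries are not counted);
///         arith_instr = instructions classified ICLS_BITARITH.
///         Both are zero when TARGET_I386 is not defined.
///
/// Fixes relative to the previous version: the "not decodable" diagnostic
/// went to stdout while the other diagnostics go to stderr; the backwards
/// loop no longer relies on the unsigned-to-int wraparound of
/// `dec_count - 1` when nothing was decoded; the %lX argument is cast to
/// match the format specifier.
blockinfo get_block_stats(const uint8_t *buf, unsigned long pc, size_t size, bool use64bit)
{
    blockinfo retval = {0, 0};
#if defined(TARGET_I386)
    // distorm writes at most this many entries; a longer block is truncated
    // to the first max_instr instructions.
    const unsigned int max_instr = 256;
    _DInst dec[max_instr];
    unsigned int dec_count = 0;

    _CodeInfo ci;
    ci.code = buf;
    // distorm's codeLen is narrower than size_t; blocks are assumed to be far
    // below that limit -- TODO confirm at the call site.
    ci.codeLen = static_cast<int>(size);
    ci.codeOffset = pc;
    ci.dt = use64bit ? Decode64Bits : Decode32Bits;
    ci.features = DF_NONE;
    distorm_decompose(&ci, dec, max_instr, &dec_count);

    // Walk from the last decoded entry backwards; `i-- > 0` yields
    // dec_count-1 .. 0 and makes zero iterations when dec_count == 0.
    for (unsigned int i = dec_count; i-- > 0;)
    {
        if (dec[i].flags == FLAG_NOT_DECODABLE)
        {
            // NOTE(review): the scan stops at the first undecodable entry seen
            // from the end, leaving everything earlier in the block uncounted
            // -- preserved as-is; confirm this is intended.
            fprintf(stderr, "Instruction not decodable %lX\n", (unsigned long)dec[i].addr);
            break;
        }

        switch (icls[dec[i].opcode])
        {
        case ICLS_NORMAL:
            retval.total_instr++;
            break;
        case ICLS_WARN:
        {
            // Opcode without a classification: report it, but still count it
            // as a plain instruction.
            _DecodedInst inst;
            distorm_format(&ci, &dec[i], &inst);
            fprintf(stderr, "Could not classify instruction %s %s\n", inst.mnemonic.p, inst.operands.p);
            retval.total_instr++;
            break;
        }
        case ICLS_BITARITH:
            retval.arith_instr++;
            retval.total_instr++;
            break;
        case ICLS_MOV:
            // Moves are excluded from total_instr.
            break;
        default:
            // Any other class value is not counted.
            break;
        }
    }
#else
    fprintf(stderr, "Architecture not supported\n");
#endif
    return retval;
}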