ADDRINT GetInstructionLength (ADDRINT ip) { xed_state_t dstate; xed_error_enum_t xed_error; xed_decoded_inst_t xedd; ostringstream os; if (sizeof(ADDRINT) == 4) xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); else xed_state_init(&dstate, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b, XED_ADDRESS_WIDTH_64b); xed_decoded_inst_zero_set_mode(&xedd, &dstate); UINT32 len = 15; xed_error = xed_decode(&xedd, reinterpret_cast<const UINT8*>(ip), len); if (xed_error != XED_ERROR_NONE) { printf ("Failure to decode at %p\n", (char *)ip); exit (1); } return xed_decoded_inst_get_length(&xedd); }
void init_disas(void) { xed_tables_init(); xed_state_zero(&dstate); xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); }
Disasm::Disasm(const Disasm::Options& opts) : m_opts(opts) { #ifdef HAVE_LIBXED xed_state_init(&m_xedState, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b, XED_ADDRESS_WIDTH_64b); xed_tables_init(); xed_register_disassembly_callback(addressToSymbol); #endif // HAVE_LIBXED }
Disasm::Disasm(const Disasm::Options& opts) : m_opts(opts) { #ifdef HAVE_LIBXED xed_state_init(&m_xedState, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b, XED_ADDRESS_WIDTH_64b); xed_tables_init(); #if XED_ENCODE_ORDER_MAX_ENTRIES == 28 // Older version of XED library xed_register_disassembly_callback(addressToSymbol); #endif #endif // HAVE_LIBXED }
/* XED2 initialization */ void xed2_init() { xed_tables_init (); xed_state_zero (&dstate); xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); // Format options xed_format_options_t xed_foptions; xed_foptions.hex_address_before_symbolic_name = 1; xed_foptions.no_sign_extend_signed_immediates = 1; xed_foptions.omit_unit_scale = 1; xed_foptions.xml_a = 0; xed_foptions.xml_f = 0; xed_format_set_options(xed_foptions); }
int main(int argc, char** argv) { xed_error_enum_t xed_error; xed_bool_t long_mode = 0; xed_bool_t real_mode = 0; xed_bool_t protected_16 = 0; xed_state_t dstate; unsigned int first_argv; unsigned int bytes = 0; unsigned char itext[XED_MAX_INSTRUCTION_BYTES]; int i; unsigned int u; xed_decoded_inst_t xedd; #define BUFLEN 1000 char buffer[BUFLEN]; xed_bool_t ok; unsigned int isyntax; xed_syntax_enum_t syntax; unsigned int memop_index = 0; unsigned int memops = 0; xed_uint64_t out_addr = 0; xed_tables_init(); xed_agen_register_callback( register_callback, segment_callback); xed_state_zero(&dstate); xed_set_verbosity( 99 ); if (argc > 2 && strcmp(argv[1], "-64") == 0) long_mode = 1; if (argc > 2 && strcmp(argv[1], "-r") == 0) real_mode = 1; if (argc > 2 && strcmp(argv[1], "-16") == 0) protected_16 = 1; if (long_mode) { first_argv = 2; dstate.mmode=XED_MACHINE_MODE_LONG_64; } else if (protected_16) { first_argv = 2; xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_16, XED_ADDRESS_WIDTH_16b, XED_ADDRESS_WIDTH_16b); } else if (real_mode) { first_argv = 2; /* we say that real mode uses 16b addressing even though the addresses returned are 20b long. */ xed_state_init(&dstate, XED_MACHINE_MODE_REAL_16, XED_ADDRESS_WIDTH_16b, XED_ADDRESS_WIDTH_16b); } else { first_argv=1; xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); } xed_decoded_inst_zero_set_mode(&xedd, &dstate); for( i=first_argv ; i < argc; i++) { xed_uint8_t x = (xed_uint8_t)(xed_atoi_hex(argv[i])); assert(bytes < XED_MAX_INSTRUCTION_BYTES); itext[bytes++] = x; } if (bytes == 0) { fprintf(stderr, "Must supply some hex bytes\n"); exit(1); } printf("PARSING BYTES: "); for( u=0; u<bytes; u++) printf("%02x ", STATIC_CAST(unsigned int,itext[u])); printf("\n"); xed_error = xed_decode(&xedd, REINTERPRET_CAST(const xed_uint8_t*,itext), bytes); switch(xed_error) { case XED_ERROR_NONE: break; case XED_ERROR_BUFFER_TOO_SHORT: fprintf(stderr,"Not enough bytes provided\n"); exit(1); case XED_ERROR_GENERAL_ERROR: fprintf(stderr,"Could not decode given input.\n"); exit(1); default: fprintf(stderr,"Unhandled error code %s\n", xed_error_enum_t2str(xed_error)); exit(1); } xed_decoded_inst_dump(&xedd,buffer, BUFLEN); printf("%s\n",buffer); for(isyntax= XED_SYNTAX_XED; isyntax < XED_SYNTAX_LAST; isyntax++) { syntax = STATIC_CAST(xed_syntax_enum_t, isyntax); ok = xed_format(syntax, &xedd, buffer, BUFLEN, 0); if (ok) printf("%s syntax: %s\n", xed_syntax_enum_t2str(syntax), buffer); else printf("Error disassembling %s syntax\n", xed_syntax_enum_t2str(syntax)); } memops = xed_decoded_inst_number_of_memory_operands(&xedd); printf("\nNumber of memory operands: %d\n", (int)memops); for(memop_index=0; memop_index<memops; memop_index++) { xed_error = xed_agen(&xedd, memop_index, 0, &out_addr); if (xed_error != XED_ERROR_NONE) { fprintf(stderr,"Agen error code %s\n", xed_error_enum_t2str(xed_error)); exit(1); } printf("\tMemory agen%d: " XED_FMT_LX "\n", (int)memop_index, out_addr); } return 0; }
//! Standard callback function - Initialize the plugin interface plugin_interface_t * init_plugin() { // Fail to create the plugin log if (!(loghandle = fopen(logfile, "w"))) { fprintf(stderr, "cannot create %s\n", logfile); return NULL; } // Init the function map, Don't really know its role // Check the definition in shared/hooks/function_map function_map_init(); // Same as above, Don't know nothing about it // Check the definition in shared/hookapi init_hookapi(); // Check the definition in shared/procmod procmod_init(); // Check the definition in shared/reduce_taint. There // is no documentation. The f**k. reduce_taint_init(); // XED2 is a X86 Encoder / Decoder. My guess is that // TEMU use this tool to translate instruction from // assembly to machine language. // Check the following link for XED2 documentation // www.cs.virginia.edu/kim/publicity/pin/docs/24110/Xed/html/main.html // Init XED instruction table xed_tables_init(); // Zero-out the structure ? xed_state_zero( &xed_state ); // Update the XED2 structure with some pre-defined values xed_state_init( &xed_state, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); // The following portion of code registers all the // call-back functions. Check the file TEMU_main.h // for the full list of these functions. // These functions are user-defined functions which // we will play with // Cleanup interface.plugin_cleanup = detector_cleanup; // How the taint analysis works interface.taint_record_size = sizeof(taint_record_t); interface.taint_propagate = detector_taint_propagate; // Copy from sample plugin & hookfinder interface.guest_message = detector_guest_message; // Beginning of a block, used to indentify process interface.block_begin = detector_block_begin; // Beginning of an instruction interface.insn_begin = detector_insn_begin; // These twos are for user-interface interface.term_cmds = detector_term_cmds; interface.info_cmds = detector_info_cmds; // Send a tainted keystroke interface.send_keystroke = detector_send_keystroke; // What to do with network I/O, we don't need this yet // my_interface.nic_recv = detector_nic_recv; // my_interface.nic_send = detector_nic_send; // Need this to get the value of CR3 register interface.monitored_cr3 = 0; // We have TEMU interface now return & interface; }
static string disassemble(UINT64 start, UINT64 stop) { UINT64 pc = start; xed_state_t dstate; xed_syntax_enum_t syntax = XED_SYNTAX_INTEL; xed_error_enum_t xed_error; xed_decoded_inst_t xedd; ostringstream os; if (sizeof(ADDRINT) == 4) xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); else xed_state_init(&dstate, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b, XED_ADDRESS_WIDTH_64b); /*while( pc < stop )*/ { xed_decoded_inst_zero_set_mode(&xedd, &dstate); UINT32 len = 15; if (stop - pc < 15) len = stop-pc; xed_error = xed_decode(&xedd, reinterpret_cast<const UINT8*>(pc), len); bool okay = (xed_error == XED_ERROR_NONE); iostream::fmtflags fmt = os.flags(); os << std::setfill('0') << "XDIS " << std::hex << std::setw(sizeof(ADDRINT)*2) << pc << std::dec << ": " << std::setfill(' ') << std::setw(4); if (okay) { char buffer[200]; unsigned int dec_len, sp; os << xed_extension_enum_t2str(xed_decoded_inst_get_extension(&xedd)); dec_len = xed_decoded_inst_get_length(&xedd); print_hex_line(buffer, reinterpret_cast<UINT8*>(pc), dec_len); os << " " << buffer; for ( sp=dec_len; sp < 12; sp++) // pad out the instruction bytes os << " "; os << " "; memset(buffer,0,200); int dis_okay = xed_format(syntax, &xedd, buffer, 200, pc); if (dis_okay) os << buffer << endl; else os << "Error disasassembling pc 0x" << std::hex << pc << std::dec << endl; pc += dec_len; } else { // print the byte and keep going. UINT8 memval = *reinterpret_cast<UINT8*>(pc); os << "???? " // no extension << std::hex << std::setw(2) << std::setfill('0') << static_cast<UINT32>(memval) << std::endl; pc += 1; } os.flags(fmt); } return os.str(); }
int main(int argn, char **argv) { uint32_t depend_id = 0; char *tail; static struct option long_options[] = { {"depend_id", 1, 0, 'd'}, {0, 0, 0, 0} }; xed_tables_init(); // The state of the machine -- required for decoding xed_state_t dstate; xed_state_zero(&dstate); xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); while (1) { int option_index = 0; int c = getopt_long(argn, argv, "d:", long_options, &option_index); if (c == -1) break; switch (c) { case 0: if (long_options[option_index].flag != 0) break; printf ("option %s", long_options[option_index].name); if (optarg) printf(" with arg %s", optarg); printf("\n"); break; case 'd': depend_id = strtol(optarg, &tail, 0); break; default: abort(); } } //trace_record_t rec; if(optind >= argn) { printf("usage: %s [-d id] trace_file\n", argv[0]); return -1; } FILE *fp = fopen(argv[optind++],"r"); if(!fp) { printf("cannnot open %s! errno=%d\n", argv[optind-1], errno); return -1; } if(depend_id == 0) print_all_records(fp); else trace_back(fp, depend_id); fclose(fp); return 0; }
int main(int argc, char** argv) { xed_error_enum_t xed_error; xed_bool_t long_mode = 0; xed_state_t dstate; unsigned int first_argv; unsigned int bytes = 0; unsigned char itext[XED_MAX_INSTRUCTION_BYTES]; int i; unsigned int u; xed_decoded_inst_t xedd; #define BUFLEN 1000 char buffer[BUFLEN]; xed_bool_t ok; unsigned int isyntax; xed_syntax_enum_t syntax; xed_tables_init(); xed_state_zero(&dstate); xed_set_verbosity( 99 ); if (argc > 2 && strcmp(argv[1], "-64") == 0) long_mode = 1; if (long_mode) { first_argv = 2; dstate.mmode=XED_MACHINE_MODE_LONG_64; } else { first_argv=1; xed_state_init(&dstate, XED_MACHINE_MODE_LEGACY_32, XED_ADDRESS_WIDTH_32b, XED_ADDRESS_WIDTH_32b); } xed_decoded_inst_zero_set_mode(&xedd, &dstate); for( i=first_argv ;i < argc; i++) { xed_uint8_t x = (xed_uint8_t)(xed_atoi_hex(argv[i])); assert(bytes < XED_MAX_INSTRUCTION_BYTES); itext[bytes++] = x; } if (bytes == 0) { fprintf(stderr, "Must supply some hex bytes\n"); exit(1); } printf("PARSING BYTES: "); for( u=0;u<bytes; u++) printf("%02x ", STATIC_CAST(unsigned int,itext[u])); printf("\n"); xed_error = xed_decode(&xedd, REINTERPRET_CAST(const xed_uint8_t*,itext), bytes); switch(xed_error) { case XED_ERROR_NONE: break; case XED_ERROR_BUFFER_TOO_SHORT: fprintf(stderr,"Not enough bytes provided\n"); exit(1); case XED_ERROR_GENERAL_ERROR: fprintf(stderr,"Could not decode given input.\n"); exit(1); default: fprintf(stderr,"Unhandled error code %s\n", xed_error_enum_t2str(xed_error)); exit(1); } //memset(buffer,0,BUFLEN); xed_decoded_inst_dump(&xedd,buffer, BUFLEN); printf("%s\n",buffer); for(isyntax= XED_SYNTAX_XED; isyntax < XED_SYNTAX_LAST; isyntax++) { syntax = STATIC_CAST(xed_syntax_enum_t, isyntax); ok = xed_format(syntax, &xedd, buffer, BUFLEN, 0); if (ok) printf("%s syntax: %s\n", xed_syntax_enum_t2str(syntax), buffer); else printf("Error disassembling %s syntax\n", xed_syntax_enum_t2str(syntax)); } return 0; }
void OfflineX86Code::xedInit() { xed_state_init(&xed_state, XED_MACHINE_MODE_LONG_64, XED_ADDRESS_WIDTH_64b, XED_ADDRESS_WIDTH_64b); xed_tables_init(); xed_syntax = getenv("HHVM_INTEL_DISAS") ? XED_SYNTAX_INTEL : XED_SYNTAX_ATT; }