├── doc
├── README.md
├── Dive into Apple IO80211FamilyV2.pdf
├── Dive into Apple IO80211Family Vol.II.pdf
├── KSBox - A Fine-Grained macOS Malware Sandbox.pdf
├── Dead Pixel Detected - A Security Assessment of Apple's Graphics Subsystem.pdf
├── Kemon - An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.pdf
└── Please Make A Dentist Appointment ASAP - Attacking IOBluetoothFamily HCI and Vendor-Specific Commands.pdf
├── kemon
├── distorm
│ ├── prefix.c
│ ├── operands.h
│ ├── wstring.c
│ ├── decoder.h
│ ├── wstring.h
│ ├── textdefs.h
│ ├── insts.h
│ ├── x86defs.h
│ ├── prefix.h
│ ├── config.h
│ ├── textdefs.c
│ ├── distorm.c
│ ├── instructions.h
│ ├── include
│ │ ├── distorm.h
│ │ └── mnemonics.h
│ └── mnemonics.c
├── nke.h
├── Info.plist
├── trace.h
├── network.h
├── include.h
├── inline.h
├── kemon.h
├── trace.c
└── policy.h
├── kemon.xcodeproj
├── project.xcworkspace
│ ├── contents.xcworkspacedata
│ ├── xcuserdata
│ │ └── YuWang.xcuserdatad
│ │ │ └── UserInterfaceState.xcuserstate
│ └── xcshareddata
│ │ └── IDEWorkspaceChecks.plist
└── xcuserdata
│ └── YuWang.xcuserdatad
│ └── xcschemes
│ └── xcschememanagement.plist
├── makefile
├── CONTRIBUTING.md
├── README.md
└── LICENSE
/doc/README.md:
--------------------------------------------------------------------------------
1 | #
2 |
--------------------------------------------------------------------------------
/kemon/distorm/prefix.c:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/kemon/distorm/prefix.c
--------------------------------------------------------------------------------
/doc/Dive into Apple IO80211FamilyV2.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/doc/Dive into Apple IO80211FamilyV2.pdf
--------------------------------------------------------------------------------
/doc/Dive into Apple IO80211Family Vol.II.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/doc/Dive into Apple IO80211Family Vol.II.pdf
--------------------------------------------------------------------------------
/doc/KSBox - A Fine-Grained macOS Malware Sandbox.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/doc/KSBox - A Fine-Grained macOS Malware Sandbox.pdf
--------------------------------------------------------------------------------
/doc/Dead Pixel Detected - A Security Assessment of Apple's Graphics Subsystem.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/doc/Dead Pixel Detected - A Security Assessment of Apple's Graphics Subsystem.pdf
--------------------------------------------------------------------------------
/doc/Kemon - An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/doc/Kemon - An Open-Source Pre and Post Callback-Based Framework for macOS Kernel Monitoring.pdf
--------------------------------------------------------------------------------
/kemon.xcodeproj/project.xcworkspace/contents.xcworkspacedata:
--------------------------------------------------------------------------------
1 |
2 |
4 |
6 |
7 |
8 |
--------------------------------------------------------------------------------
/kemon.xcodeproj/project.xcworkspace/xcuserdata/YuWang.xcuserdatad/UserInterfaceState.xcuserstate:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/kemon.xcodeproj/project.xcworkspace/xcuserdata/YuWang.xcuserdatad/UserInterfaceState.xcuserstate
--------------------------------------------------------------------------------
/doc/Please Make A Dentist Appointment ASAP - Attacking IOBluetoothFamily HCI and Vendor-Specific Commands.pdf:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/didi/kemon/HEAD/doc/Please Make A Dentist Appointment ASAP - Attacking IOBluetoothFamily HCI and Vendor-Specific Commands.pdf
--------------------------------------------------------------------------------
/kemon.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | IDEDidComputeMac32BitWarning
6 |
7 |
8 |
9 |
--------------------------------------------------------------------------------
/makefile:
--------------------------------------------------------------------------------
1 | XCODE_PROJECT = kemon.xcodeproj
2 | CC = /usr/bin/xcodebuild
3 |
4 | build:
5 | $(CC) build -project $(XCODE_PROJECT) -configuration Debug
6 | $(CC) build -project $(XCODE_PROJECT) -configuration Release
7 |
8 | clean:
9 | $(CC) clean -project $(XCODE_PROJECT) -configuration Debug
10 | $(CC) clean -project $(XCODE_PROJECT) -configuration Release
--------------------------------------------------------------------------------
/kemon.xcodeproj/xcuserdata/YuWang.xcuserdatad/xcschemes/xcschememanagement.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | SchemeUserState
6 |
7 | kemon.xcscheme_^#shared#^_
8 |
9 | orderHint
10 | 0
11 |
12 |
13 |
14 |
15 |
--------------------------------------------------------------------------------
/kemon/distorm/operands.h:
--------------------------------------------------------------------------------
1 | /*
2 | operands.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef OPERANDS_H
13 | #define OPERANDS_H
14 |
15 | #include "config.h"
16 | #include "decoder.h"
17 | #include "prefix.h"
18 | #include "instructions.h"
19 |
20 |
21 | extern uint32_t _REGISTERTORCLASS[];
22 |
23 | int operands_extract(_CodeInfo* ci, _DInst* di, _InstInfo* ii,
24 | _iflags instFlags, _OpType type, _OperandNumberType opNum,
25 | unsigned int modrm, _PrefixState* ps, _DecodeType effOpSz,
26 | _DecodeType effAdrSz, int* lockableInstruction);
27 |
28 | #endif /* OPERANDS_H */
29 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Contribution Guideline
2 |
3 | Thanks for considering to contribute this project. All issues and pull requests are highly appreciated.
4 |
5 | ## Pull Requests
6 |
7 | Before sending pull request to this project, please read and follow guidelines below.
8 |
9 | 1. Branch: We only accept pull request on `master` branch.
10 | 2. Coding style: Follow the coding style used in kemon.
11 | 3. Commit message: Use English and be aware of your spell.
12 | 4. Test: Make sure to test your code.
13 |
14 | Add device mode, API version, related log, screenshots and other related information in your pull request if possible.
15 |
16 | NOTE: We assume all your contribution can be licensed under the [Apache License 2.0](https://github.com/didi/kemon/blob/master/LICENSE).
17 |
18 | ## Issues
19 |
20 | We love clearly described issues. :)
21 |
22 | Following information can help us to resolve the issue faster.
23 |
24 | * Device mode and hardware information.
25 | * API version.
26 | * Logs.
27 | * Screenshots.
28 | * Steps to reproduce the issue.
29 |
--------------------------------------------------------------------------------
/kemon/nke.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | nke.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __NKE_DRIVER_H__
19 | #define __NKE_DRIVER_H__
20 |
21 |
22 | //
23 | // kern_ctl_reg.ctl_name
24 | //
25 |
26 | #define NKE_BUNDLE_ID "com.assuresec.kemon.nke"
27 |
28 | #define ENQUEUED_EVENT_LIMIT 0x10086
29 |
30 | //
31 | // NKE log entry
32 | //
33 |
34 | struct nke_log_entry {
35 | TAILQ_ENTRY(nke_log_entry) list;
36 | uint32_t size;
37 | uint32_t retry;
38 | };
39 |
40 | //
41 | // Event queue
42 | //
43 |
44 | TAILQ_HEAD(nke_entry, nke_log_entry);
45 |
46 | static struct nke_entry nke_list;
47 |
48 | //
49 | // Declaration
50 | //
51 |
52 | extern lck_grp_t *glock_group;
53 |
54 | extern OSMallocTag gmalloc_tag;
55 |
56 | extern
57 | void
58 | send_message(
59 | struct message_header *message
60 | );
61 |
62 | extern
63 | kern_return_t
64 | nke_initialization(
65 | boolean_t flag
66 | );
67 |
68 | #endif
--------------------------------------------------------------------------------
/kemon/distorm/wstring.c:
--------------------------------------------------------------------------------
1 | /*
2 | wstring.c
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #include "wstring.h"
13 |
14 | #ifndef DISTORM_LIGHT
15 |
16 | void strclear_WS(_WString* s)
17 | {
18 | s->p[0] = '\0';
19 | s->length = 0;
20 | }
21 |
22 | void chrcat_WS(_WString* s, uint8_t ch)
23 | {
24 | s->p[s->length] = ch;
25 | s->p[s->length + 1] = '\0';
26 | s->length += 1;
27 | }
28 |
29 | void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len)
30 | {
31 | s->length = len;
32 | memcpy((int8_t*)s->p, buf, len + 1);
33 | }
34 |
35 | void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len)
36 | {
37 | memcpy((int8_t*)&s->p[s->length], buf, len + 1);
38 | s->length += len;
39 | }
40 |
41 | void strcat_WS(_WString* s, const _WString* s2)
42 | {
43 | memcpy((int8_t*)&s->p[s->length], s2->p, s2->length + 1);
44 | s->length += s2->length;
45 | }
46 |
47 | #endif /* DISTORM_LIGHT */
48 |
--------------------------------------------------------------------------------
/kemon/distorm/decoder.h:
--------------------------------------------------------------------------------
1 | /*
2 | decoder.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2011 Gil Dabah
8 |
9 | This program is free software: you can redistribute it and/or modify
10 | it under the terms of the GNU General Public License as published by
11 | the Free Software Foundation, either version 3 of the License, or
12 | (at your option) any later version.
13 |
14 | This program is distributed in the hope that it will be useful,
15 | but WITHOUT ANY WARRANTY; without even the implied warranty of
16 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 | GNU General Public License for more details.
18 |
19 | You should have received a copy of the GNU General Public License
20 | along with this program. If not, see
21 | */
22 |
23 |
24 | #ifndef DECODER_H
25 | #define DECODER_H
26 |
27 | #include "config.h"
28 |
29 | typedef unsigned int _iflags;
30 |
31 | _DecodeResult decode_internal(_CodeInfo* ci, int supportOldIntr, _DInst result[], unsigned int maxResultCount, unsigned int* usedInstructionsCount);
32 |
33 | #endif /* DECODER_H */
34 |
--------------------------------------------------------------------------------
/kemon/distorm/wstring.h:
--------------------------------------------------------------------------------
1 | /*
2 | wstring.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef WSTRING_H
13 | #define WSTRING_H
14 |
15 | #include "config.h"
16 |
17 | #ifndef DISTORM_LIGHT
18 |
19 | void strclear_WS(_WString* s);
20 | void chrcat_WS(_WString* s, uint8_t ch);
21 | void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len);
22 | void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len);
23 | void strcat_WS(_WString* s, const _WString* s2);
24 |
25 | /*
26 | * Warning, this macro should be used only when the compiler knows the size of string in advance!
27 | * This macro is used in order to spare the call to strlen when the strings are known already.
28 | * Note: sizeof includes NULL terminated character.
29 | */
30 | #define strcat_WSN(s, t) strcatlen_WS((s), ((const int8_t*)t), sizeof((t))-1)
31 | #define strcpy_WSN(s, t) strcpylen_WS((s), ((const int8_t*)t), sizeof((t))-1)
32 |
33 | #endif /* DISTORM_LIGHT */
34 |
35 | #endif /* WSTRING_H */
36 |
--------------------------------------------------------------------------------
/kemon/Info.plist:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | CFBundleDevelopmentRegion
6 | $(DEVELOPMENT_LANGUAGE)
7 | CFBundleExecutable
8 | $(EXECUTABLE_NAME)
9 | CFBundleIdentifier
10 | $(PRODUCT_BUNDLE_IDENTIFIER)
11 | CFBundleInfoDictionaryVersion
12 | 6.0
13 | CFBundleName
14 | $(PRODUCT_NAME)
15 | CFBundlePackageType
16 | KEXT
17 | CFBundleShortVersionString
18 | 1.0.12
19 | CFBundleVersion
20 | 1.0.12
21 | NSHumanReadableCopyright
22 | Copyright © 2019 Didi Research America. All rights reserved.
23 | OSBundleLibraries
24 |
25 | com.apple.kpi.bsd
26 | 10.0.0
27 | com.apple.kpi.dsep
28 | 10.0.0
29 | com.apple.kpi.mach
30 | 10.0.0
31 | com.apple.kpi.libkern
32 | 10.0.0
33 |
34 |
35 |
--------------------------------------------------------------------------------
/kemon/distorm/textdefs.h:
--------------------------------------------------------------------------------
1 | /*
2 | textdefs.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef TEXTDEFS_H
13 | #define TEXTDEFS_H
14 |
15 | #include "config.h"
16 | #include "wstring.h"
17 |
18 | #ifndef DISTORM_LIGHT
19 |
20 | #define PLUS_DISP_CHR '+'
21 | #define MINUS_DISP_CHR '-'
22 | #define OPEN_CHR '['
23 | #define CLOSE_CHR ']'
24 | #define SP_CHR ' '
25 | #define SEG_OFF_CHR ':'
26 |
27 | /*
28 | Naming Convention:
29 |
30 | * get - returns a pointer to a string.
31 | * str - concatenates to string.
32 |
33 | * hex - means the function is used for hex dump (number is padded to required size) - Little Endian output.
34 | * code - means the function is used for disassembled instruction - Big Endian output.
35 | * off - means the function is used for 64bit offset - Big Endian output.
36 |
37 | * h - '0x' in front of the string.
38 |
39 | * b - byte
40 | * dw - double word (can be used for word also)
41 | * qw - quad word
42 |
43 | * all numbers are in HEX.
44 | */
45 |
46 | void _FASTCALL_ str_hex_b(_WString* s, unsigned int x);
47 | void _FASTCALL_ str_code_hb(_WString* s, unsigned int x);
48 | void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x);
49 | void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]);
50 |
51 | #ifdef SUPPORT_64BIT_OFFSET
52 | void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x);
53 | #endif
54 |
55 | #endif /* DISTORM_LIGHT */
56 |
57 | #endif /* TEXTDEFS_H */
58 |
--------------------------------------------------------------------------------
/kemon/trace.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | trace.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __TRACE_DRIVER_H__
19 | #define __TRACE_DRIVER_H__
20 |
21 |
22 | //
23 | // Driver name and version
24 | //
25 |
26 | #define DRIVER_NAME "Kemon"
27 |
28 | enum driver_version {
29 | ALPHA_VERSION_08_FEB_2017 = 0x01000001,
30 | ALPHA_VERSION_12_DEC_2018 = 0x01000010,
31 | ALPHA_VERSION_05_JUN_2019 = 0x01000011,
32 | ALPHA_VERSION_01_OCT_2019 = 0x01000012,
33 | RELEASE_VERSION
34 | };
35 |
36 | #define CURRENT_VERSION RELEASE_VERSION - 1
37 |
38 | //
39 | // Kemon framework troubleshooting
40 | //
41 |
42 | #define FRAMEWORK_TROUBLESHOOTING TRUE
43 |
44 | //
45 | // Kernel authorization troubleshooting
46 | //
47 |
48 | #define KAUTH_TROUBLESHOOTING FALSE
49 |
50 | //
51 | // Socket filter troubleshooting
52 | //
53 |
54 | #define SFLT_TROUBLESHOOTING FALSE
55 | #define SFLT_TRAFFIC_TROUBLESHOOTING FALSE
56 |
57 | //
58 | // MAC policy troubleshooting
59 | //
60 |
61 | #define MAC_TROUBLESHOOTING TRUE
62 |
63 | //
64 | // Breakpoint instruction
65 | //
66 |
67 | #define BreakPoint() __asm__ volatile ("int3");
68 |
69 | //
70 | // For macOS 10.14 Mojave
71 | //
72 |
73 | #define SNPRINTF_LENGTH_LIMIT 0xF0
74 |
75 | //
76 | // Hex printf
77 | //
78 |
79 | #define HEX_PRINTF_B 0x01
80 | #define HEX_PRINTF_W 0x02
81 | #define HEX_PRINTF_D 0x04
82 | #define HEX_PRINTF_Q 0x08
83 |
84 | //
85 | // Declaration
86 | //
87 |
88 | extern
89 | void
90 | hex_printf(
91 | void *buffer,
92 | unsigned long length,
93 | unsigned long flag
94 | );
95 |
96 | #endif
--------------------------------------------------------------------------------
/kemon/distorm/insts.h:
--------------------------------------------------------------------------------
1 | /*
2 | insts.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef INSTS_H
13 | #define INSTS_H
14 |
15 | #include "instructions.h"
16 |
17 |
18 | /* Flags Table */
19 | extern _iflags FlagsTable[];
20 |
21 | /* Root Trie DB */
22 | extern _InstSharedInfo InstSharedInfoTable[];
23 | extern _InstInfo InstInfos[];
24 | extern _InstInfoEx InstInfosEx[];
25 | extern _InstNode InstructionsTree[];
26 |
27 | /* 3DNow! Trie DB */
28 | extern _InstNode Table_0F_0F;
29 | /* AVX related: */
30 | extern _InstNode Table_0F, Table_0F_38, Table_0F_3A;
31 |
32 | /*
33 | * The inst_lookup will return on of these two instructions according to the specified decoding mode.
34 | * ARPL or MOVSXD on 64 bits is one byte instruction at index 0x63.
35 | */
36 | extern _InstInfo II_MOVSXD;
37 |
38 | /*
39 | * The NOP instruction can be prefixed by REX in 64bits, therefore we have to decide in runtime whether it's an XCHG or NOP instruction.
40 | * If 0x90 is prefixed by a usable REX it will become XCHG, otherwise it will become a NOP.
41 | * Also note that if it's prefixed by 0xf3, it becomes a Pause.
42 | */
43 | extern _InstInfo II_NOP;
44 | extern _InstInfo II_PAUSE;
45 |
46 | /*
47 | * RDRAND and VMPTRLD share same 2.3 bytes opcode, and then alternates on the MOD bits,
48 | * RDRAND is OT_FULL_REG while VMPTRLD is OT_MEM, and there's no such mixed type.
49 | * So a hack into the inst_lookup was added for this decision, the DB isn't flexible enough. :(
50 | */
51 | extern _InstInfo II_RDRAND;
52 |
53 | /*
54 | * Used for letting the extract operand know the type of operands without knowing the
55 | * instruction itself yet, because of the way those instructions work.
56 | * See function instructions.c!inst_lookup_3dnow.
57 | */
58 | extern _InstInfo II_3DNOW;
59 |
60 | /* Helper tables for pseudo compare mnemonics. */
61 | extern uint16_t CmpMnemonicOffsets[8]; /* SSE */
62 | extern uint16_t VCmpMnemonicOffsets[32]; /* AVX */
63 |
64 | #endif /* INSTS_H */
65 |
--------------------------------------------------------------------------------
/kemon/distorm/x86defs.h:
--------------------------------------------------------------------------------
1 | /*
2 | x86defs.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef X86DEFS_H
13 | #define X86DEFS_H
14 |
15 |
16 | #define SEG_REGS_MAX (6)
17 | #define CREGS_MAX (9)
18 | #define DREGS_MAX (8)
19 |
20 | /* Maximum instruction size, including prefixes */
21 | #define INST_MAXIMUM_SIZE (15)
22 |
23 | /* Maximum range of imm8 (comparison type) of special SSE CMP instructions. */
24 | #define INST_CMP_MAX_RANGE (8)
25 |
26 | /* Maximum range of imm8 (comparison type) of special AVX VCMP instructions. */
27 | #define INST_VCMP_MAX_RANGE (32)
28 |
29 | /* Wait instruction byte code. */
30 | #define INST_WAIT_INDEX (0x9b)
31 |
32 | /* Lea instruction byte code. */
33 | #define INST_LEA_INDEX (0x8d)
34 |
35 | /* NOP/XCHG instruction byte code. */
36 | #define INST_NOP_INDEX (0x90)
37 |
38 | /* ARPL/MOVSXD instruction byte code. */
39 | #define INST_ARPL_INDEX (0x63)
40 |
41 | /*
42 | * Minimal MODR/M value of divided instructions.
43 | * It's 0xc0, two MSBs set, which indicates a general purpose register is used too.
44 | */
45 | #define INST_DIVIDED_MODRM (0xc0)
46 |
47 | /* This is the escape byte value used for 3DNow! instructions. */
48 | #define _3DNOW_ESCAPE_BYTE (0x0f)
49 |
50 | #define PREFIX_LOCK (0xf0)
51 | #define PREFIX_REPNZ (0xf2)
52 | #define PREFIX_REP (0xf3)
53 | #define PREFIX_CS (0x2e)
54 | #define PREFIX_SS (0x36)
55 | #define PREFIX_DS (0x3e)
56 | #define PREFIX_ES (0x26)
57 | #define PREFIX_FS (0x64)
58 | #define PREFIX_GS (0x65)
59 | #define PREFIX_OP_SIZE (0x66)
60 | #define PREFIX_ADDR_SIZE (0x67)
61 | #define PREFIX_VEX2b (0xc5)
62 | #define PREFIX_VEX3b (0xc4)
63 |
64 | /* REX prefix value range, 64 bits mode decoding only. */
65 | #define PREFIX_REX_LOW (0x40)
66 | #define PREFIX_REX_HI (0x4f)
67 | /* In order to use the extended GPR's we have to add 8 to the Modr/M info values. */
68 | #define EX_GPR_BASE (8)
69 |
70 | /* Mask for REX and VEX features: */
71 | /* Base */
72 | #define PREFIX_EX_B (1)
73 | /* Index */
74 | #define PREFIX_EX_X (2)
75 | /* Register */
76 | #define PREFIX_EX_R (4)
77 | /* Operand Width */
78 | #define PREFIX_EX_W (8)
79 | /* Vector Lengh */
80 | #define PREFIX_EX_L (0x10)
81 |
82 | #endif /* X86DEFS_H */
83 |
--------------------------------------------------------------------------------
/kemon/distorm/prefix.h:
--------------------------------------------------------------------------------
1 | /*
2 | prefix.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef PREFIX_H
13 | #define PREFIX_H
14 |
15 | #include "config.h"
16 | #include "decoder.h"
17 |
18 |
19 | /* Specifies the type of the extension prefix, such as: REX, 2 bytes VEX, 3 bytes VEX. */
20 | typedef enum {PET_NONE = 0, PET_REX, PET_VEX2BYTES, PET_VEX3BYTES} _PrefixExtType;
21 |
22 | /* Specifies an index into a table of prefixes by their type. */
23 | typedef enum {PFXIDX_NONE = -1, PFXIDX_REX, PFXIDX_LOREP, PFXIDX_SEG, PFXIDX_OP_SIZE, PFXIDX_ADRS, PFXIDX_MAX} _PrefixIndexer;
24 |
25 | /*
26 | * This holds the prefixes state for the current instruction we decode.
27 | * decodedPrefixes includes all specific prefixes that the instruction got.
28 | * start is a pointer to the first prefix to take into account.
29 | * last is a pointer to the last byte we scanned.
30 | * Other pointers are used to keep track of prefixes positions and help us know if they appeared already and where.
31 | */
32 | typedef struct {
33 | _iflags decodedPrefixes, usedPrefixes;
34 | const uint8_t *start, *last, *vexPos, *rexPos;
35 | _PrefixExtType prefixExtType;
36 | uint16_t unusedPrefixesMask;
37 | /* Indicates whether the operand size prefix (0x66) was used as a mandatory prefix. */
38 | int isOpSizeMandatory;
39 | /* If VEX prefix is used, store the VEX.vvvv field. */
40 | unsigned int vexV;
41 | /* The fields B/X/R/W/L of REX and VEX are stored together in this byte. */
42 | unsigned int vrex;
43 |
44 | /* !! Make sure pfxIndexer is LAST! Otherwise memset won't work well with it. !! */
45 |
46 | /* Holds the offset to the prefix byte by its type. */
47 | int pfxIndexer[PFXIDX_MAX];
48 | } _PrefixState;
49 |
50 | /*
51 | * Intel supports 6 types of prefixes, whereas AMD supports 5 types (lock is seperated from rep/nz).
52 | * REX is the fifth prefix type, this time I'm based on AMD64.
53 | * VEX is the 6th, though it can't be repeated.
54 | */
55 | #define MAX_PREFIXES (5)
56 |
57 | int prefixes_is_valid(unsigned int ch, _DecodeType dt);
58 | void prefixes_ignore(_PrefixState* ps, _PrefixIndexer pi);
59 | void prefixes_ignore_all(_PrefixState* ps);
60 | uint16_t prefixes_set_unused_mask(_PrefixState* ps);
61 | void prefixes_decode(const uint8_t* code, int codeLen, _PrefixState* ps, _DecodeType dt);
62 | void prefixes_use_segment(_iflags defaultSeg, _PrefixState* ps, _DecodeType dt, _DInst* di);
63 |
64 | #endif /* PREFIX_H */
65 |
--------------------------------------------------------------------------------
/kemon/network.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | network.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __NETWORK_DRIVER_H__
19 | #define __NETWORK_DRIVER_H__
20 |
21 |
22 | #include
23 |
24 |
25 | //
26 | // sflt_filter.sflt_handle
27 | //
28 |
29 | #define SFLT_HANDLE 0xFFF80386
30 |
31 | #define SFLT_RAW_HANDLE (SFLT_HANDLE - (AF_INET + IPPROTO_RAW))
32 | #define SFLT_TCP_IPV4_HANDLE (SFLT_HANDLE - (AF_INET + IPPROTO_TCP))
33 | #define SFLT_TCP_IPV6_HANDLE (SFLT_HANDLE - (AF_INET6 + IPPROTO_TCP))
34 | #define SFLT_UDP_IPV4_HANDLE (SFLT_HANDLE - (AF_INET + IPPROTO_UDP))
35 | #define SFLT_UDP_IPV6_HANDLE (SFLT_HANDLE - (AF_INET6 + IPPROTO_UDP))
36 | #define SFLT_ICMP_IPV4_HANDLE (SFLT_HANDLE - (AF_INET + IPPROTO_ICMP))
37 | #define SFLT_ICMP_IPV6_HANDLE (SFLT_HANDLE - (AF_INET6 + IPPROTO_ICMPV6))
38 |
39 | //
40 | // sflt_filter.sflt_name
41 | //
42 |
43 | #define SFLT_BUNDLE_ID "com.assuresec.kemon.sflt"
44 |
45 | //
46 | // DNS protocol
47 | //
48 |
49 | #define DNS_PORT 53
50 |
51 | struct dnshdr {
52 | unsigned short id; // 16 bit message ID
53 |
54 | unsigned char rd:1; // Recursion desired
55 | unsigned char tc:1; // Truncated message
56 | unsigned char aa:1; // Authoritative answer
57 | unsigned char opcode:4; // Identifies the request/operation type
58 | unsigned char qr:1; // Query/response bit
59 |
60 | unsigned char rcode:4; // Identifies the response type to the query
61 | unsigned char z:3; // Reserved for future use
62 | unsigned char ra:1; // Recursion available
63 |
64 | unsigned short qdcount; // Number of question entries
65 | unsigned short ancount; // Number of answer entries
66 | unsigned short nscount; // Number of authority entries
67 | unsigned short arcount; // Number of resource entries
68 | };
69 |
70 | //
71 | // Connection status
72 | //
73 |
74 | #define STATE_CONNECT_IN 0x01
75 | #define STATE_CONNECT_OUT 0x02
76 | #define STATE_LISTENING 0x04
77 |
78 | //
79 | // Packet information
80 | //
81 |
82 | struct log_info {
83 | pid_t pid;
84 | pid_t uid;
85 | size_t length;
86 | UInt32 status;
87 | struct timeval start;
88 | struct timeval stop;
89 |
90 | union {
91 | struct sockaddr_in addr4;
92 | struct sockaddr_in6 addr6;
93 | } source;
94 | union {
95 | struct sockaddr_in addr4;
96 | struct sockaddr_in6 addr6;
97 | } destination;
98 | SInt32 ether_header;
99 | u_char ether_shost[ETHER_ADDR_LEN];
100 | u_char ether_dhost[ETHER_ADDR_LEN];
101 |
102 | SInt32 in_bytes;
103 | SInt32 in_packets;
104 | UInt32 first_in_bytes;
105 | void *first_in_packet;
106 |
107 | SInt32 out_bytes;
108 | SInt32 out_packets;
109 | UInt32 first_out_bytes;
110 | void *first_out_packet;
111 | };
112 |
113 | //
114 | // Per socket extension control block for the log function
115 | //
116 |
117 | struct sflt_log_entry {
118 | TAILQ_ENTRY(sflt_log_entry) list;
119 | int protocol;
120 | socket_t socket;
121 | boolean_t tcp_ipv4_attached;
122 | boolean_t udp_ipv4_attached;
123 | boolean_t detached;
124 | struct log_info info;
125 | };
126 |
127 | //
128 | // Event queues
129 | //
130 |
131 | TAILQ_HEAD(sflt_entry, sflt_log_entry);
132 |
133 | static struct sflt_entry sflt_active_list;
134 | static struct sflt_entry sflt_inactive_list;
135 |
136 | struct filter_stats {
137 | //
138 | // TCP IPv4 socket
139 | //
140 |
141 | SInt32 tcp_ipv4_total;
142 | SInt32 tcp_ipv4_in_use;
143 | UInt32 tcp_ipv4_registered;
144 |
145 | //
146 | // UDP IPv4 socket
147 | //
148 |
149 | SInt32 udp_ipv4_total;
150 | SInt32 udp_ipv4_in_use;
151 | UInt32 udp_ipv4_registered;
152 |
153 | boolean_t filter_enabled;
154 | };
155 |
156 | static struct filter_stats filter_stats;
157 |
158 | //
159 | // Declaration
160 | //
161 |
162 | extern lck_grp_t *glock_group;
163 |
164 | extern OSMallocTag gmalloc_tag;
165 |
166 | extern
167 | kern_return_t
168 | sflt_initialization(
169 | boolean_t flag
170 | );
171 |
172 | #endif
--------------------------------------------------------------------------------
/kemon/include.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | include.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __INCLUDE_DRIVER_H__
19 | #define __INCLUDE_DRIVER_H__
20 |
21 |
22 | #include
23 |
24 | //
25 | // macOS version
26 | //
27 |
28 | enum os_version {
29 | OS_X_LION = 0xB,
30 | OS_X_MOUNTAIN_LION,
31 | OS_X_MAVERICKS,
32 | OS_X_YOSEMITE,
33 | OS_X_EL_CAPITAN,
34 | MACOS_SIERRA,
35 | MACOS_HIGH_SIERRA,
36 | MACOS_MOJAVE,
37 | MACOS_CATALINA
38 | };
39 |
40 | //
41 | // Message type
42 | //
43 |
44 | enum message_type {
45 | FILEOP_OPEN = 0x00,
46 | FILEOP_CREATE,
47 | FILEOP_CLOSE,
48 | FILEOP_RENAME,
49 | FILEOP_EXCHANGE,
50 | FILEOP_LINK,
51 | FILEOP_EXEC,
52 | FILEOP_DELETE,
53 | FILEOP_WILL_RENAME,
54 | FILEOP_WRITE_OR_APPEND,
55 | DEVICE_OPEN = 0x20,
56 | NETWORK_TCP_IPV4_DETACH = 0x40,
57 | NETWORK_UDP_IPV4_DETACH,
58 | NETWORK_UDP_DNS_QUERY,
59 | MONITORING_DYNAMIC_LIBRARY = 0x60,
60 | MONITORING_KEXT_PRE_CALLBACK,
61 | MONITORING_KEXT_POST_CALLBACK
62 | };
63 |
64 | //
65 | // Message header
66 | //
67 |
68 | struct message_header {
69 | int type;
70 | int pid;
71 | int ppid;
72 | uid_t uid;
73 | gid_t gid;
74 | struct timeval event_time;
75 | char proc_name_pid[MAXPATHLEN];
76 | char proc_name_ppid[MAXPATHLEN];
77 | };
78 |
79 | //
80 | // File operation monitoring
81 | //
82 |
83 | struct file_operation_monitoring {
84 | struct message_header header;
85 | union {
86 | struct {
87 | char path[MAXPATHLEN];
88 | } fileop_open;
89 | struct {
90 | char path[MAXPATHLEN];
91 | } fileop_create;
92 | struct {
93 | char path[MAXPATHLEN];
94 | boolean_t modified;
95 | } fileop_close;
96 | struct {
97 | char from[MAXPATHLEN];
98 | char to[MAXPATHLEN];
99 | } fileop_rename;
100 | struct {
101 | char file1[MAXPATHLEN];
102 | char file2[MAXPATHLEN];
103 | } fileop_exchange;
104 | struct {
105 | char original[MAXPATHLEN];
106 | char new_link[MAXPATHLEN];
107 | } fileop_link;
108 | struct {
109 | char path[MAXPATHLEN];
110 | unsigned long command_line_length;
111 | // char command_line[command_line_length];
112 | } fileop_exec;
113 | struct {
114 | char path[MAXPATHLEN];
115 | } fileop_delete;
116 | struct {
117 | char from[MAXPATHLEN];
118 | char to[MAXPATHLEN];
119 | } fileop_will_rename;
120 | struct {
121 | char path[MAXPATHLEN];
122 | } fileop_write_or_append;
123 | struct {
124 | char path[MAXPATHLEN];
125 | } device_open;
126 | } body;
127 | };
128 |
129 | //
130 | // Network traffic monitoring
131 | //
132 |
133 | struct network_tcp_monitoring {
134 | struct message_header header;
135 | struct timeval start_time;
136 | struct timeval stop_time;
137 | u_char source_address_string[256];
138 | u_char destination_address_string[256];
139 | u_char source_address_ether[ETHER_ADDR_LEN];
140 | u_char destination_address_ether[ETHER_ADDR_LEN];
141 | uint16_t source_port;
142 | uint16_t destination_port;
143 | uint32_t in_bytes;
144 | uint32_t in_packets;
145 | uint32_t out_bytes;
146 | uint32_t out_packets;
147 | uint32_t first_in_bytes;
148 | uint32_t first_out_bytes;
149 | // char first_in_packet[first_in_bytes];
150 | // char first_out_packet[first_out_bytes];
151 | };
152 |
153 | struct network_udp_monitoring {
154 | struct message_header header;
155 | struct timeval start_time;
156 | struct timeval stop_time;
157 | u_char source_address_string[256];
158 | u_char destination_address_string[256];
159 | u_char source_address_ether[ETHER_ADDR_LEN];
160 | u_char destination_address_ether[ETHER_ADDR_LEN];
161 | uint16_t source_port;
162 | uint16_t destination_port;
163 | };
164 |
165 | struct network_dns_monitoring {
166 | struct message_header header;
167 | u_char source_address_string[256];
168 | u_char destination_address_string[256];
169 | uint16_t source_port;
170 | uint16_t destination_port;
171 | unsigned long dns_question_length;
172 | // char dns_question[dns_question_length];
173 | };
174 |
175 | //
176 | // Dynamic library monitoring
177 | //
178 |
179 | struct dynamic_library_monitoring {
180 | struct message_header header;
181 | char library_path[MAXPATHLEN];
182 | };
183 |
184 | //
185 | // Kernel module monitoring
186 | //
187 |
188 | struct kernel_module_monitoring {
189 | struct message_header header;
190 | unsigned int return_value;
191 | unsigned long module_base;
192 | unsigned long module_size;
193 | char module_name[MAXPATHLEN];
194 | char module_path[MAXPATHLEN];
195 | char module_version[MAXPATHLEN];
196 | };
197 |
198 | #endif
--------------------------------------------------------------------------------
/kemon/distorm/config.h:
--------------------------------------------------------------------------------
1 | /*
2 | config.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef CONFIG_H
13 | #define CONFIG_H
14 |
15 | /* diStorm version number. */
16 | #define __DISTORMV__ 0x030400
17 |
18 | #include /* memset, memcpy - can be easily self implemented for libc independency. */
19 |
20 | #include "include/distorm.h"
21 |
22 |
23 | /*
24 | * 64 bit offsets support:
25 | * This macro should be defined from compiler command line flags, e.g: -DSUPPORT_64BIT_OFFSET
26 | * Note: make sure that the caller (library user) defines it too!
27 | */
28 | /* #define SUPPORT_64BIT_OFFSET */
29 |
30 | /*
31 | * If you compile diStorm as a dynamic library (.dll or .so) file, make sure you uncomment the next line.
32 | * So the interface functions will be exported, otherwise they are useable only for static library.
33 | * For example, this macro is being set for compiling diStorm as a .dll for Python with CTypes.
34 | */
35 | /* #define DISTORM_DYNAMIC */
36 |
37 | /*
38 | * If DISTORM_LIGHT is defined, everything involved in formatting the instructions
39 | * as text will be excluded from compilation.
40 | * distorm_decode(..) and distorm_format(..) will not be available.
41 | * This will decrease the size of the executable and leave you with decomposition functionality only.
42 | *
43 | * Note: it should be either set in the preprocessor definitions manually or in command line -D switch.
44 | * #define DISTORM_LIGHT
45 | */
46 |
47 | /*
48 | * diStorm now supports little/big endian CPU's.
49 | * It should detect the endianness according to predefined macro's of the compiler.
50 | * If you don't use GCC/MSVC you will have to define it on your own.
51 | */
52 |
53 | /* These macros are used in order to make the code portable. */
54 | #ifdef __GNUC__
55 |
56 | #include
57 |
58 | #define _DLLEXPORT_
59 | #define _FASTCALL_
60 | #define _INLINE_ static
61 | /* GCC ignores this directive... */
62 | /*#define _FASTCALL_ __attribute__((__fastcall__))*/
63 |
64 | /* Set endianity (supposed to be LE though): */
65 | #ifdef __BIG_ENDIAN__
66 | #define BE_SYSTEM
67 | #endif
68 |
69 | /* End of __GCC__ */
70 |
71 | #elif __WATCOMC__
72 |
73 | #include
74 |
75 | #define _DLLEXPORT_
76 | #define _FASTCALL_
77 | #define _INLINE_ __inline
78 |
79 | /* End of __WATCOMC__ */
80 |
81 | #elif __DMC__
82 |
83 | #include
84 |
85 | #define _DLLEXPORT_
86 | #define _FASTCALL_
87 | #define _INLINE_ __inline
88 |
89 | /* End of __DMC__ */
90 |
91 | #elif __TINYC__
92 |
93 | #include
94 |
95 | #define _DLLEXPORT_
96 | #define _FASTCALL_
97 | #define _INLINE_
98 |
99 | /* End of __TINYC__ */
100 |
101 | #elif _MSC_VER
102 |
103 | /* stdint alternative is defined in distorm.h */
104 |
105 | #define _DLLEXPORT_ __declspec(dllexport)
106 | #define _FASTCALL_ __fastcall
107 | #define _INLINE_ __inline
108 |
109 | /* Set endianity (supposed to be LE though): */
110 | #if !defined(_M_IX86) && !defined(_M_X64)
111 | #define BE_SYSTEM
112 | #endif
113 |
114 | #endif /* #elif _MSC_VER */
115 |
116 | /* If the library isn't compiled as a dynamic library don't export any functions. */
117 | #ifndef DISTORM_DYNAMIC
118 | #undef _DLLEXPORT_
119 | #define _DLLEXPORT_
120 | #endif
121 |
122 | #ifndef FALSE
123 | #define FALSE 0
124 | #endif
125 | #ifndef TRUE
126 | #define TRUE 1
127 | #endif
128 |
129 | /* Define stream read functions for big endian systems. */
130 | #ifdef BE_SYSTEM
131 |
132 | /* Avoid defining 'static static' for GCC. */
133 | #ifndef __GNUC__
134 | #define STATIC_INLINE static _INLINE_
135 | #else
136 | #define STATIC_INLINE static
137 | #endif
138 |
139 | /*
140 | * Assumption: These functions can read from the stream safely!
141 | * Swap endianity of input to little endian.
142 | */
143 | STATIC_INLINE int16_t RSHORT(const uint8_t *s)
144 | {
145 | return s[0] | (s[1] << 8);
146 | }
147 | STATIC_INLINE uint16_t RUSHORT(const uint8_t *s)
148 | {
149 | return s[0] | (s[1] << 8);
150 | }
151 | STATIC_INLINE int32_t RLONG(const uint8_t *s)
152 | {
153 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
154 | }
155 | STATIC_INLINE uint32_t RULONG(const uint8_t *s)
156 | {
157 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
158 | }
159 | STATIC_INLINE int64_t RLLONG(const uint8_t *s)
160 | {
161 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56);
162 | }
163 | STATIC_INLINE uint64_t RULLONG(const uint8_t *s)
164 | {
165 | return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56);
166 | }
167 |
168 | #undef STATIC_INLINE
169 |
170 | #else
171 | /* Little endian macro's will just make the cast. */
172 | #define RSHORT(x) *(int16_t *)x
173 | #define RUSHORT(x) *(uint16_t *)x
174 | #define RLONG(x) *(int32_t *)x
175 | #define RULONG(x) *(uint32_t *)x
176 | #define RLLONG(x) *(int64_t *)x
177 | #define RULLONG(x) *(uint64_t *)x
178 | #endif
179 |
180 | #endif /* CONFIG_H */
181 |
--------------------------------------------------------------------------------
/kemon/inline.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | inline.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __INLINE_DRIVER_H__
19 | #define __INLINE_DRIVER_H__
20 |
21 |
22 | //
23 | // 48 b8 00 00 00 00 00 00 00 00 movabsq $0x0, %rax
24 | // ff e0 jmpq *%rax
25 | //
26 |
27 | static char mac_policy_register_inline[12] =
28 | "\x48\xb8\x00\x00\x00\x00\x00\x00\x00\x00"
29 | "\xff\xe0";
30 |
31 | //
32 | // Please be careful if you want to modify the mac_policy_register_trampoline()
33 | //
34 |
35 | #define SIZE_OF_MAC_POLICY_REGISTER_TRAMPOLINE 30
36 |
37 | static uint64_t jmp_to_mac_policy_register_prologue_handler;
38 | static uint64_t jmp_back_to_mac_policy_register;
39 |
40 | static uint32_t mac_policy_register_original_size;
41 | static boolean_t mac_policy_register_inline_hooked;
42 |
43 | //
44 | // Returns EEXIST
45 | //
46 |
47 | #define MAC_POLICY_REGISTER_INJECTION TRUE
48 |
49 | #if MAC_POLICY_REGISTER_INJECTION
50 | static char *gmpc_name_amfi = "AMFI";
51 | static char *gmpc_name_sandbox = "Sandbox";
52 | #endif
53 |
54 | //
55 | // 48 b8 00 00 00 00 00 00 00 00 movabsq $0x0, %rax
56 | // ff e0 jmpq *%rax
57 | //
58 |
59 | static char oskext_start_inline[12] =
60 | "\x48\xb8\x00\x00\x00\x00\x00\x00\x00\x00"
61 | "\xff\xe0";
62 |
63 | //
64 | // Please be careful if you want to modify the oskext_start_trampoline()
65 | //
66 |
67 | #define SIZE_OF_OSKEXT_START_TRAMPOLINE 30
68 |
69 | static uint64_t jmp_to_oskext_start_prologue_handler;
70 | static uint64_t jmp_back_to_oskext_start;
71 |
72 | static uint32_t oskext_start_original_size;
73 | static boolean_t oskext_start_inline_hooked;
74 |
75 | //
76 | // ff 25 00 00 00 00 jmpq *(%rip)
77 | //
78 |
79 | static char oskext_call_inline[6] =
80 | "\xff\x25\x00\x00\x00\x00";
81 |
82 | //
83 | // Please be careful if you want to modify the oskext_call_trampoline()
84 | //
85 |
86 | #define OFFSET_OF_OSKEXT_CALL_TRAMPOLINE 60
87 |
88 | static uint64_t jmp_to_oskext_call_pre_handler;
89 | static uint64_t jmp_to_oskext_call_post_handler;
90 | static uint64_t jmp_back_to_oskext_call;
91 |
92 | static uint32_t oskext_call_original_size;
93 | static boolean_t oskext_call_inline_hooked;
94 |
95 | //
96 | // b8 05 00 00 00 movl $0x5, %eax
97 | // c3 retq
98 | //
99 |
100 | static char returns_five[6] =
101 | "\xb8\x05\x00\x00\x00"
102 | "\xc3";
103 |
104 | //
105 | // 31 c0 xorl %eax, %eax
106 | // c3 retq
107 | //
108 |
109 | static char returns_zero[3] =
110 | "\x31\xc0"
111 | "\xc3";
112 |
113 | //
114 | // OSString
115 | //
116 |
117 | struct osstring_el_capitan {
118 | void *osobject;
119 | unsigned long retain_count;
120 | unsigned int length;
121 | unsigned int flags;
122 | char *string;
123 | };
124 |
125 | struct osstring_macos_sierra {
126 | void *osobject;
127 | unsigned long retain_count;
128 | char *string;
129 | unsigned int length;
130 | unsigned int flags;
131 | };
132 |
133 | struct osstring_macos_high_sierra {
134 | void *osobject;
135 | unsigned long retain_count;
136 | char *string;
137 | unsigned int flags;
138 | unsigned int length;
139 | };
140 |
141 | struct osstring_macos_mojave {
142 | void *osobject;
143 | unsigned long retain_count;
144 | char *string;
145 | unsigned int flags;
146 | unsigned int length;
147 | };
148 |
149 | struct osstring_macos_catalina {
150 | void *osobject;
151 | unsigned long retain_count;
152 | char *string;
153 | unsigned int flags;
154 | unsigned int length;
155 | };
156 |
157 | //
158 | // OSKext
159 | //
160 |
161 | struct oskext {
162 | void *osobject;
163 | unsigned long retain_count;
164 | void *info_dict;
165 | void *bundle_id;
166 | void *path;
167 | void *executable_rel_path;
168 | unsigned long version;
169 | unsigned long compatible_version;
170 | unsigned long load_tag;
171 | kmod_info_t *kmod_info;
172 | };
173 |
174 | struct oskext_macos_catalina {
175 | void *osobject;
176 | unsigned long retain_count;
177 | void *info_dict;
178 | void *bundle_id;
179 | void *path;
180 | void *executable_rel_path;
181 | void *user_executable_rel_path;
182 | unsigned long version;
183 | unsigned long compatible_version;
184 | unsigned long load_tag;
185 | kmod_info_t *kmod_info;
186 | };
187 |
188 | //
189 | // Base address of the OSKext::start()
190 | //
191 |
192 | extern unsigned char *goskext_start;
193 | extern unsigned char *goskext_call_func;
194 |
195 | //
196 | // Call hook mode
197 | //
198 |
199 | extern boolean_t goskext_call_func_2_bytes;
200 | extern boolean_t goskext_call_func_3_bytes;
201 |
202 | //
203 | // Declaration
204 | //
205 |
206 | extern int gmacOS_major;
207 |
208 | extern lck_grp_t *glock_group;
209 |
210 | extern OSMallocTag gmalloc_tag;
211 |
212 | #if MAC_POLICY_SHADOW_WALKER
213 | extern
214 | const char *
215 | get_loadtime_option(
216 | int flags
217 | );
218 |
219 | extern
220 | void
221 | show_mac_policy_handlers(
222 | struct mac_policy_ops *ops
223 | );
224 | #endif
225 |
226 | //
227 | // This function is called to register a policy with the MAC framework
228 | // A policy module will typically call this from the Darwin KEXT registration routine
229 | //
230 |
231 | extern
232 | int
233 | mac_policy_register(
234 | struct mac_policy_conf *mpc,
235 | mac_policy_handle_t *handlep,
236 | void *xd
237 | );
238 |
239 | extern
240 | kern_return_t
241 | inline_initialization(
242 | boolean_t flag
243 | );
244 |
245 | #endif
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Kemon
2 | An Open Source Pre and Post Callback-based Framework for macOS Kernel Monitoring.
3 |
4 | [ Breaking News - 08/28/2019 ]
5 | macOS Catalina 10.15 Beta 7 Release Notes
6 | https://developer.apple.com/documentation/macos_release_notes/macos_catalina_10_15_beta_7_release_notes
7 |
8 | Endpoint Security
9 | - The kauth API has been removed. (50419013)
10 |
11 | /* After testing, I found that these Kauth interfaces are not really removed, and Kemon still works. But I think this release note means that the door to the macOS kernel is closing. (08/28/2019) */
12 |
13 | ## What is Kemon?
14 | Kemon is an open source Pre and Post callback-based framework [1] for macOS kernel monitoring [2]. With the power of Kemon, we can easily implement XPC/IPC communication monitoring [3], Mandatory Access Control (MAC) policy filtering, network traffic and kernel extension firewall, etc. In general, from an attacker's perspective, this framework can help achieve more powerful Rootkit. From the perspective of defense, Kemon can help construct more granular monitoring capabilities.
15 |
16 | I also implemented several kernel fuzzers [4] [7] based on this framework, which helped me find many kernel vulnerabilities, such as:
17 |
18 | 1. Apple Silicon AGX-based GPU, IOMobileFrameBuffer and Display Co-processor (DCP) [10]:
19 | CVE-2024-40854, CVE-2024-44197 [33], CVE-2024-44199 [34], CVE-2025-24106 [35], CVE-2025-24111 [38], CVE-2025-24257 [36], CVE-2025-24273 [37], CVE-2025-43326 [39] [40], etc.
20 |
21 | 3. Apple's AMD and Intel-based GPU:
22 | CVE-2017-7155, CVE-2017-7163, CVE-2017-13883 [11], CVE-2018-4350, CVE-2018-4396, CVE-2018-4418 [12], CVE-2019-8807 [13], CVE-2022-22631, CVE-2022-22661, CVE-2022-46706 [23], etc.
23 |
24 | 4. Wi-Fi IO80211FamilyV1/V2 [5] [9]:
25 | CVE-2020-9832, CVE-2020-9833, CVE-2020-9834 [15], CVE-2020-9899 [16], CVE-2020-10013 [17] [18] [19], CVE-2022-26761 [24], CVE-2022-26762 [25], CVE-2022-32837, CVE-2022-32847, CVE-2022-32860 [26] [27] [28], CVE-2022-32925, CVE-2022-46709 [29] [30], CVE-2023-38610 [31] [32], CVE-2025-43373 [41], etc.
26 |
27 | 5. Bluetooth Host Controller Interface (HCI) [6]:
28 | CVE-2020-3892, CVE-2020-3893, CVE-2020-3905, CVE-2020-3907, CVE-2020-3908, CVE-2020-3912, CVE-2020-9779, CVE-2020-9853 [14], CVE-2020-9831 [15], CVE-2020-9928, CVE-2020-9929 [16], etc.
29 |
30 | 6. Kernel memory mapping mechanism [8]:
31 | CVE-2020-27914, CVE-2020-27915, CVE-2020-27936 [20] [21], CVE-2021-30678 [22], etc.
32 |
33 | ## Supported Features
34 | Kemon's features include:
35 | - file operation monitoring
36 | - process creation monitoring
37 | - dynamic library and kernel extension monitoring
38 | - network traffic monitoring
39 | - Mandatory Access Control (MAC) policy monitoring, etc.
40 |
41 | In addition, Kemon project can also extend the Pre and Post callback-based monitoring interfaces for any macOS kernel function.
42 |
43 | ## Getting Started
44 | ### How to build the Kemon kernel extension
45 | Please use Xcode project or makefile to build the Kemon kext driver
46 |
47 | ### How to use the Kemon kernel extension
48 | Please turn off macOS System Integrity Protection (SIP) check if you don't have a valid kernel certificate
49 | Use the command "sudo chown -R root:wheel kemon.kext" to change the owner of the Kemon kernel extension
50 | Use the command "sudo kextload kemon.kext" to install the Kemon kernel extension
51 | Use the command "sudo kextunload kemon.kext" to uninstall the Kemon kernel extension
52 |
53 |
54 | ## Contributing
55 | Welcome to contribute by creating issues or sending pull requests. See Contributing Guide for guidelines.
56 |
57 | ## License
58 | Kemon is licensed under the Apache License 2.0. See the LICENSE file.
59 |
60 | ## References
61 | 1. https://patents.google.com/patent/US11106491B2
62 | 2. https://www.blackhat.com/us-18/arsenal/schedule/#kemon-an-open-source-pre-and-post-callback-based-framework-for-macos-kernel-monitoring-12085
63 | 3. https://www.blackhat.com/us-19/arsenal/schedule/#ksbox-a-fine-grained-macos-malware-sandbox-15059
64 | 4. https://www.defcon.org/html/defcon-26/dc-26-speakers.html#Wang
65 | 5. https://www.blackhat.com/us-20/briefings/schedule/index.html#dive-into-apple-iofamilyv-20023
66 | 6. https://www.blackhat.com/eu-20/briefings/schedule/index.html#please-make-a-dentist-appointment-asap-attacking-iobluetoothfamily-hci-and-vendor-specific-commands-21155
67 | 7. https://www.blackhat.com/us-20/arsenal/schedule/index.html#macos-bluetooth-analysis-suite-mbas-19886
68 | 8. https://www.blackhat.com/asia-21/briefings/schedule/index.html#racing-the-dark-a-new-tocttou-story-from-apples-core-22214
69 | 9. https://www.blackhat.com/us-22/briefings/schedule/#dive-into-apple-iofamily-vol--27728
70 | 10. https://www.blackhat.com/us-25/briefings/schedule/index.html#dead-pixel-detected---a-security-assessment-of-apples-graphics-subsystem-45392
71 | 11. https://support.apple.com/en-us/HT208331
72 | 12. https://support.apple.com/en-us/HT209193
73 | 13. https://support.apple.com/en-us/HT210722
74 | 14. https://support.apple.com/en-us/HT211100
75 | 15. https://support.apple.com/en-us/HT211170
76 | 16. https://support.apple.com/en-us/HT211289
77 | 17. https://support.apple.com/en-us/HT211843
78 | 18. https://support.apple.com/en-us/HT211849
79 | 19. https://support.apple.com/en-us/HT211850
80 | 20. https://support.apple.com/en-us/HT211931
81 | 21. https://support.apple.com/en-us/HT212011
82 | 22. https://support.apple.com/en-us/HT212529
83 | 23. https://support.apple.com/en-us/HT213183
84 | 24. https://support.apple.com/en-us/HT213257
85 | 25. https://support.apple.com/en-us/HT213258
86 | 26. https://support.apple.com/en-us/HT213346
87 | 27. https://support.apple.com/en-us/HT213345
88 | 28. https://support.apple.com/en-us/HT213344
89 | 29. https://support.apple.com/en-us/HT213446
90 | 30. https://support.apple.com/en-us/HT213486
91 | 31. https://support.apple.com/en-us/HT213938
92 | 32. https://support.apple.com/en-us/HT213940
93 | 33. https://support.apple.com/en-us/121564
94 | 34. https://support.apple.com/en-us/120911
95 | 35. https://support.apple.com/en-us/122068
96 | 36. https://support.apple.com/en-us/122371
97 | 37. https://support.apple.com/en-us/122373
98 | 38. https://support.apple.com/en-us/122066
99 | 39. https://support.apple.com/en-us/125111
100 | 40. https://support.apple.com/en-us/125110
101 | 41. https://support.apple.com/en-us/125634
102 |
--------------------------------------------------------------------------------
/kemon/distorm/textdefs.c:
--------------------------------------------------------------------------------
1 | /*
2 | textdefs.c
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #include "textdefs.h"
13 |
14 | #ifndef DISTORM_LIGHT
15 |
16 | static uint8_t Nibble2ChrTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
17 | #define NIBBLE_TO_CHR Nibble2ChrTable[t]
18 |
19 | void _FASTCALL_ str_hex_b(_WString* s, unsigned int x)
20 | {
21 | /*
22 | * def prebuilt():
23 | * s = ""
24 | * for i in xrange(256):
25 | * if ((i % 0x10) == 0):
26 | * s += "\r\n"
27 | * s += "\"%02x\", " % (i)
28 | * return s
29 | */
30 | static int8_t TextBTable[256][3] = {
31 | "00", "01", "02", "03", "04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f",
32 | "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d", "1e", "1f",
33 | "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "2a", "2b", "2c", "2d", "2e", "2f",
34 | "30", "31", "32", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3d", "3e", "3f",
35 | "40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4d", "4e", "4f",
36 | "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f",
37 | "60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6c", "6d", "6e", "6f",
38 | "70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f",
39 | "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f",
40 | "90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f",
41 | "a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "ab", "ac", "ad", "ae", "af",
42 | "b0", "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "bb", "bc", "bd", "be", "bf",
43 | "c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "ca", "cb", "cc", "cd", "ce", "cf",
44 | "d0", "d1", "d2", "d3", "d4", "d5", "d6", "d7", "d8", "d9", "da", "db", "dc", "dd", "de", "df",
45 | "e0", "e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eb", "ec", "ed", "ee", "ef",
46 | "f0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fb", "fc", "fd", "fe", "ff"
47 | };
48 |
49 | /*
50 | * Fixed length of 3 including null terminate character.
51 | */
52 | memcpy(&s->p[s->length], TextBTable[x & 255], 3);
53 | s->length += 2;
54 | }
55 |
56 | void _FASTCALL_ str_code_hb(_WString* s, unsigned int x)
57 | {
58 | static int8_t TextHBTable[256][5] = {
59 | /*
60 | * def prebuilt():
61 | * s = ""
62 | * for i in xrange(256):
63 | * if ((i % 0x10) == 0):
64 | * s += "\r\n"
65 | * s += "\"0x%x\", " % (i)
66 | * return s
67 | */
68 | "0x0", "0x1", "0x2", "0x3", "0x4", "0x5", "0x6", "0x7", "0x8", "0x9", "0xa", "0xb", "0xc", "0xd", "0xe", "0xf",
69 | "0x10", "0x11", "0x12", "0x13", "0x14", "0x15", "0x16", "0x17", "0x18", "0x19", "0x1a", "0x1b", "0x1c", "0x1d", "0x1e", "0x1f",
70 | "0x20", "0x21", "0x22", "0x23", "0x24", "0x25", "0x26", "0x27", "0x28", "0x29", "0x2a", "0x2b", "0x2c", "0x2d", "0x2e", "0x2f",
71 | "0x30", "0x31", "0x32", "0x33", "0x34", "0x35", "0x36", "0x37", "0x38", "0x39", "0x3a", "0x3b", "0x3c", "0x3d", "0x3e", "0x3f",
72 | "0x40", "0x41", "0x42", "0x43", "0x44", "0x45", "0x46", "0x47", "0x48", "0x49", "0x4a", "0x4b", "0x4c", "0x4d", "0x4e", "0x4f",
73 | "0x50", "0x51", "0x52", "0x53", "0x54", "0x55", "0x56", "0x57", "0x58", "0x59", "0x5a", "0x5b", "0x5c", "0x5d", "0x5e", "0x5f",
74 | "0x60", "0x61", "0x62", "0x63", "0x64", "0x65", "0x66", "0x67", "0x68", "0x69", "0x6a", "0x6b", "0x6c", "0x6d", "0x6e", "0x6f",
75 | "0x70", "0x71", "0x72", "0x73", "0x74", "0x75", "0x76", "0x77", "0x78", "0x79", "0x7a", "0x7b", "0x7c", "0x7d", "0x7e", "0x7f",
76 | "0x80", "0x81", "0x82", "0x83", "0x84", "0x85", "0x86", "0x87", "0x88", "0x89", "0x8a", "0x8b", "0x8c", "0x8d", "0x8e", "0x8f",
77 | "0x90", "0x91", "0x92", "0x93", "0x94", "0x95", "0x96", "0x97", "0x98", "0x99", "0x9a", "0x9b", "0x9c", "0x9d", "0x9e", "0x9f",
78 | "0xa0", "0xa1", "0xa2", "0xa3", "0xa4", "0xa5", "0xa6", "0xa7", "0xa8", "0xa9", "0xaa", "0xab", "0xac", "0xad", "0xae", "0xaf",
79 | "0xb0", "0xb1", "0xb2", "0xb3", "0xb4", "0xb5", "0xb6", "0xb7", "0xb8", "0xb9", "0xba", "0xbb", "0xbc", "0xbd", "0xbe", "0xbf",
80 | "0xc0", "0xc1", "0xc2", "0xc3", "0xc4", "0xc5", "0xc6", "0xc7", "0xc8", "0xc9", "0xca", "0xcb", "0xcc", "0xcd", "0xce", "0xcf",
81 | "0xd0", "0xd1", "0xd2", "0xd3", "0xd4", "0xd5", "0xd6", "0xd7", "0xd8", "0xd9", "0xda", "0xdb", "0xdc", "0xdd", "0xde", "0xdf",
82 | "0xe0", "0xe1", "0xe2", "0xe3", "0xe4", "0xe5", "0xe6", "0xe7", "0xe8", "0xe9", "0xea", "0xeb", "0xec", "0xed", "0xee", "0xef",
83 | "0xf0", "0xf1", "0xf2", "0xf3", "0xf4", "0xf5", "0xf6", "0xf7", "0xf8", "0xf9", "0xfa", "0xfb", "0xfc", "0xfd", "0xfe", "0xff"
84 | };
85 |
86 | if (x < 0x10) { /* < 0x10 has a fixed length of 4 including null terminate. */
87 | memcpy(&s->p[s->length], TextHBTable[x & 255], 4);
88 | s->length += 3;
89 | } else { /* >= 0x10 has a fixed length of 5 including null terminate. */
90 | memcpy(&s->p[s->length], TextHBTable[x & 255], 5);
91 | s->length += 4;
92 | }
93 | }
94 |
95 | void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x)
96 | {
97 | int8_t* buf;
98 | int i = 0, shift = 0;
99 | unsigned int t = 0;
100 |
101 | buf = (int8_t*)&s->p[s->length];
102 |
103 | buf[0] = '0';
104 | buf[1] = 'x';
105 | buf += 2;
106 |
107 | for (shift = 28; shift != 0; shift -= 4) {
108 | t = (x >> shift) & 0xf;
109 | if (i | t) buf[i++] = NIBBLE_TO_CHR;
110 | }
111 | t = x & 0xf;
112 | buf[i++] = NIBBLE_TO_CHR;
113 |
114 | s->length += i + 2;
115 | buf[i] = '\0';
116 | }
117 |
118 | void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8])
119 | {
120 | int8_t* buf;
121 | int i = 0, shift = 0;
122 | uint32_t x = RULONG(&src[sizeof(int32_t)]);
123 | int t;
124 |
125 | buf = (int8_t*)&s->p[s->length];
126 | buf[0] = '0';
127 | buf[1] = 'x';
128 | buf += 2;
129 |
130 | for (shift = 28; shift != -4; shift -= 4) {
131 | t = (x >> shift) & 0xf;
132 | if (i | t) buf[i++] = NIBBLE_TO_CHR;
133 | }
134 |
135 | x = RULONG(src);
136 | for (shift = 28; shift != 0; shift -= 4) {
137 | t = (x >> shift) & 0xf;
138 | if (i | t) buf[i++] = NIBBLE_TO_CHR;
139 | }
140 | t = x & 0xf;
141 | buf[i++] = NIBBLE_TO_CHR;
142 |
143 | s->length += i + 2;
144 | buf[i] = '\0';
145 | }
146 |
147 | #ifdef SUPPORT_64BIT_OFFSET
148 | void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x)
149 | {
150 | int8_t* buf;
151 | int i = 0, shift = 0;
152 | OFFSET_INTEGER t = 0;
153 |
154 | buf = (int8_t*)&s->p[s->length];
155 |
156 | buf[0] = '0';
157 | buf[1] = 'x';
158 | buf += 2;
159 |
160 | for (shift = 60; shift != 0; shift -= 4) {
161 | t = (x >> shift) & 0xf;
162 | if (i | t) buf[i++] = NIBBLE_TO_CHR;
163 | }
164 | t = x & 0xf;
165 | buf[i++] = NIBBLE_TO_CHR;
166 |
167 | s->length += i + 2;
168 | buf[i] = '\0';
169 | }
170 | #endif /* SUPPORT_64BIT_OFFSET */
171 |
172 | #endif /* DISTORM_LIGHT */
173 |
--------------------------------------------------------------------------------
/kemon/kemon.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | kemon.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __KEMON_DRIVER_H__
19 | #define __KEMON_DRIVER_H__
20 |
21 |
22 | //
23 | // macOS version
24 | //
25 |
26 | int gmacOS_major;
27 | int gmacOS_minor;
28 | const char *gmacOS_version;
29 |
30 | //
31 | // The kmod_info_t linked list
32 | //
33 |
34 | kmod_info_t *gkmod_info;
35 |
36 | //
37 | // Global resources
38 | //
39 |
40 | #define DRIVER_TAG_NAME "com.assuresec.kemon"
41 |
42 | OSMallocTag gmalloc_tag;
43 |
44 | //
45 | // Lock group
46 | //
47 |
48 | lck_grp_t *glock_group;
49 |
50 | //
51 | // kauth_configuration[length] holds current configuration string
52 | //
53 |
54 | #define kauth_configuration_length 0x1000
55 |
56 | static char kauth_configuration[kauth_configuration_length];
57 |
58 | //
59 | // Kauth configuration mutex lock
60 | //
61 |
62 | static lck_mtx_t *kauth_configuration_lock;
63 |
64 | //
65 | // Points into kauth_configuration[length]
66 | //
67 |
68 | static const char *kauth_configuration_prefix;
69 |
70 | //
71 | // The maximum length of the listener scope and action string
72 | //
73 |
74 | #define max_string_length 0x4000
75 |
76 | //
77 | // An area of interest for Kauth
78 | //
79 |
80 | static char *kauth_listener_scope;
81 |
82 | //
83 | // kauth_listener is our handle to the installed scope listener
84 | //
85 |
86 | static kauth_listener_t kauth_listener;
87 |
88 | //
89 | // Kauth counter
90 | //
91 |
92 | static SInt32 kauth_activation_count;
93 |
94 | //
95 | // "com.apple.kauth.fileop" is the default setting of our Kauth listener
96 | //
97 |
98 | #define KAUTH_DEFAULT_SETTING TRUE
99 |
100 | #if KAUTH_DEFAULT_SETTING
101 | # define DEFAULT_SETTING "add com.apple.kauth.fileop"
102 | #endif
103 |
104 | //
105 | // For macOS 10.14 Mojave
106 | //
107 |
108 | #ifndef KAUTH_FILEOP_WILL_RENAME
109 | # define KAUTH_FILEOP_WILL_RENAME 8
110 | #endif
111 |
112 | //
113 | // For macOS 10.15 Catalina
114 | //
115 |
116 | static boolean_t process_namespace_fsctl_removed;
117 |
118 | //
119 | // vnode_action_info describes one of the action bits in the vnode scope's action field
120 | //
121 |
122 | struct vnode_action_info {
123 | kauth_action_t mask; // only one bit should be set
124 | const char *name_file; // descriptive name of the bit for files
125 | const char *name_directory; // descriptive name of the bit for directories
126 | };
127 |
128 | //
129 | // Make it easier to initialize vnode_action_table
130 | //
131 |
132 | #define VNODE_ACTION(action) \
133 | {KAUTH_VNODE_ ## action, #action, NULL}
134 |
135 | #define VNODE_ACTION_FILEDIR(action_file, action_directory) \
136 | {KAUTH_VNODE_ ## action_file, #action_file, #action_directory}
137 |
138 | //
139 | // vnode_action_table is a table of all the known action bits and their human readable names
140 | //
141 |
142 | static const struct vnode_action_info vnode_action_table[] = {
143 | VNODE_ACTION_FILEDIR(READ_DATA, LIST_DIRECTORY), // 1 << 1
144 | // #define KAUTH_VNODE_LIST_DIRECTORY KAUTH_VNODE_READ_DATA
145 | VNODE_ACTION_FILEDIR(WRITE_DATA, ADD_FILE), // 1 << 2
146 | // #define KAUTH_VNODE_ADD_FILE KAUTH_VNODE_WRITE_DATA
147 | VNODE_ACTION_FILEDIR(EXECUTE, SEARCH), // 1 << 3
148 | // #define KAUTH_VNODE_SEARCH KAUTH_VNODE_EXECUTE
149 | VNODE_ACTION(DELETE), // 1 << 4
150 | VNODE_ACTION_FILEDIR(APPEND_DATA, ADD_SUBDIRECTORY), // 1 << 5
151 | // #define KAUTH_VNODE_ADD_SUBDIRECTORY KAUTH_VNODE_APPEND_DATA
152 | VNODE_ACTION(DELETE_CHILD), // 1 << 6
153 | VNODE_ACTION(READ_ATTRIBUTES), // 1 << 7
154 | VNODE_ACTION(WRITE_ATTRIBUTES), // 1 << 8
155 | VNODE_ACTION(READ_EXTATTRIBUTES), // 1 << 9
156 | VNODE_ACTION(WRITE_EXTATTRIBUTES), // 1 << 10
157 | VNODE_ACTION(READ_SECURITY), // 1 << 11
158 | VNODE_ACTION(WRITE_SECURITY), // 1 << 12
159 | VNODE_ACTION_FILEDIR(TAKE_OWNERSHIP, CHANGE_OWNER), // 1 << 13
160 | // #define KAUTH_VNODE_CHANGE_OWNER KAUTH_VNODE_TAKE_OWNERSHIP
161 | VNODE_ACTION(SYNCHRONIZE), // 1 << 20
162 | VNODE_ACTION(LINKTARGET), // 1 << 25
163 | VNODE_ACTION(CHECKIMMUTABLE), // 1 << 26
164 | VNODE_ACTION(SEARCHBYANYONE), // 1 << 29
165 | VNODE_ACTION(NOIMMUTABLE), // 1 << 30
166 | VNODE_ACTION(ACCESS), // 1 << 31
167 | };
168 |
169 | #define vnode_action_count (sizeof(vnode_action_table) / sizeof(*vnode_action_table))
170 |
171 | enum two_pass_algorithm {
172 | calculate_length,
173 | allocate_string
174 | };
175 |
176 | //
177 | // For file creation
178 | //
179 |
180 | static unsigned char rbp_offset;
181 |
182 | static SInt32 process_namespace_fsctl_count;
183 |
184 | static boolean_t unknown_platform_fileop_open;
185 |
186 | //
187 | // For process command line
188 | //
189 |
190 | static boolean_t image_params_in_r15;
191 | static boolean_t image_params_in_r14;
192 | static boolean_t image_params_in_r13;
193 | static boolean_t image_params_in_r12;
194 |
195 | static UInt32 exec_activate_image_in_progress;
196 |
197 | static boolean_t unknown_platform_fileop_exec;
198 |
199 | //
200 | // image_params has been documented (/bsd/sys/imgact.h):
201 | // https://developer.apple.com/reference/kernel/image_params
202 | //
203 |
204 | #define IMG_SHELL_SIZE 512
205 |
206 | struct image_params {
207 | user_addr_t ip_user_fname;
208 | user_addr_t ip_user_argv;
209 | user_addr_t ip_user_envv;
210 | int ip_seg;
211 | struct vnode *ip_vp;
212 | struct vnode_attr *ip_vattr;
213 | struct vnode_attr *ip_origvattr;
214 | cpu_type_t ip_origcputype;
215 | cpu_subtype_t ip_origcpusubtype;
216 | char *ip_vdata;
217 | int ip_flags;
218 | int ip_argc;
219 | int ip_envc;
220 | int ip_applec;
221 | char *ip_startargv;
222 | char *ip_endargv;
223 | char *ip_endenvv;
224 | char *ip_strings;
225 | char *ip_strendp;
226 | int ip_argspace;
227 | int ip_strspace;
228 | user_size_t ip_arch_offset;
229 | user_size_t ip_arch_size;
230 | char ip_interp_buffer[IMG_SHELL_SIZE];
231 | int ip_interp_sugid_fd;
232 | struct vfs_context *ip_vfs_context;
233 | struct nameidata *ip_ndp;
234 | thread_t ip_new_thread;
235 | struct label *ip_execlabelp;
236 | struct label *ip_scriptlabelp;
237 | struct vnode *ip_scriptvp;
238 | unsigned int ip_csflags;
239 | int ip_mac_return;
240 | void *ip_px_sa;
241 | void *ip_px_sfa;
242 | void *ip_px_spa;
243 | void *ip_px_smpx;
244 | void *ip_px_persona;
245 | void *ip_cs_error;
246 |
247 | //
248 | // xnu-4570
249 | //
250 |
251 | uint64_t ip_dyld_fsid;
252 | uint64_t ip_dyld_fsobjid;
253 | };
254 |
255 | //
256 | // oid_registered tracks whether we've registered our OID or not
257 | //
258 |
259 | static UInt32 oid_registered;
260 |
261 | //
262 | // Declaration
263 | //
264 |
265 | extern
266 | kern_return_t
267 | kemon_start(
268 | kmod_info_t *kmod_info,
269 | void *data
270 | );
271 |
272 | extern
273 | kern_return_t
274 | kemon_stop(
275 | kmod_info_t *kmod_info,
276 | void *data
277 | );
278 |
279 | #endif
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | Apache License
2 |
3 | Version 2.0, January 2004
4 |
5 | http://www.apache.org/licenses/
6 |
7 |
8 |
9 |
10 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
11 |
12 |
13 |
14 |
15 | 1. Definitions.
16 |
17 |
18 |
19 |
20 | "License" shall mean the terms and conditions for use, reproduction,
21 |
22 | and distribution as defined by Sections 1 through 9 of this document.
23 |
24 |
25 |
26 |
27 | "Licensor" shall mean the copyright owner or entity authorized by
28 |
29 | the copyright owner that is granting the License.
30 |
31 |
32 |
33 |
34 | "Legal Entity" shall mean the union of the acting entity and all
35 |
36 | other entities that control, are controlled by, or are under common
37 |
38 | control with that entity. For the purposes of this definition,
39 |
40 | "control" means (i) the power, direct or indirect, to cause the
41 |
42 | direction or management of such entity, whether by contract or
43 |
44 | otherwise, or (ii) ownership of fifty percent (50%) or more of the
45 |
46 | outstanding shares, or (iii) beneficial ownership of such entity.
47 |
48 |
49 |
50 |
51 | "You" (or "Your") shall mean an individual or Legal Entity
52 |
53 | exercising permissions granted by this License.
54 |
55 |
56 |
57 |
58 | "Source" form shall mean the preferred form for making modifications,
59 |
60 | including but not limited to software source code, documentation
61 |
62 | source, and configuration files.
63 |
64 |
65 |
66 |
67 | "Object" form shall mean any form resulting from mechanical
68 |
69 | transformation or translation of a Source form, including but
70 |
71 | not limited to compiled object code, generated documentation,
72 |
73 | and conversions to other media types.
74 |
75 |
76 |
77 |
78 | "Work" shall mean the work of authorship, whether in Source or
79 |
80 | Object form, made available under the License, as indicated by a
81 |
82 | copyright notice that is included in or attached to the work
83 |
84 | (an example is provided in the Appendix below).
85 |
86 |
87 |
88 |
89 | "Derivative Works" shall mean any work, whether in Source or Object
90 |
91 | form, that is based on (or derived from) the Work and for which the
92 |
93 | editorial revisions, annotations, elaborations, or other modifications
94 |
95 | represent, as a whole, an original work of authorship. For the purposes
96 |
97 | of this License, Derivative Works shall not include works that remain
98 |
99 | separable from, or merely link (or bind by name) to the interfaces of,
100 |
101 | the Work and Derivative Works thereof.
102 |
103 |
104 |
105 |
106 | "Contribution" shall mean any work of authorship, including
107 |
108 | the original version of the Work and any modifications or additions
109 |
110 | to that Work or Derivative Works thereof, that is intentionally
111 |
112 | submitted to Licensor for inclusion in the Work by the copyright owner
113 |
114 | or by an individual or Legal Entity authorized to submit on behalf of
115 |
116 | the copyright owner. For the purposes of this definition, "submitted"
117 |
118 | means any form of electronic, verbal, or written communication sent
119 |
120 | to the Licensor or its representatives, including but not limited to
121 |
122 | communication on electronic mailing lists, source code control systems,
123 |
124 | and issue tracking systems that are managed by, or on behalf of, the
125 |
126 | Licensor for the purpose of discussing and improving the Work, but
127 |
128 | excluding communication that is conspicuously marked or otherwise
129 |
130 | designated in writing by the copyright owner as "Not a Contribution."
131 |
132 |
133 |
134 |
135 | "Contributor" shall mean Licensor and any individual or Legal Entity
136 |
137 | on behalf of whom a Contribution has been received by Licensor and
138 |
139 | subsequently incorporated within the Work.
140 |
141 |
142 |
143 |
144 | 2. Grant of Copyright License. Subject to the terms and conditions of
145 |
146 | this License, each Contributor hereby grants to You a perpetual,
147 |
148 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
149 |
150 | copyright license to reproduce, prepare Derivative Works of,
151 |
152 | publicly display, publicly perform, sublicense, and distribute the
153 |
154 | Work and such Derivative Works in Source or Object form.
155 |
156 |
157 |
158 |
159 | 3. Grant of Patent License. Subject to the terms and conditions of
160 |
161 | this License, each Contributor hereby grants to You a perpetual,
162 |
163 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable
164 |
165 | (except as stated in this section) patent license to make, have made,
166 |
167 | use, offer to sell, sell, import, and otherwise transfer the Work,
168 |
169 | where such license applies only to those patent claims licensable
170 |
171 | by such Contributor that are necessarily infringed by their
172 |
173 | Contribution(s) alone or by combination of their Contribution(s)
174 |
175 | with the Work to which such Contribution(s) was submitted. If You
176 |
177 | institute patent litigation against any entity (including a
178 |
179 | cross-claim or counterclaim in a lawsuit) alleging that the Work
180 |
181 | or a Contribution incorporated within the Work constitutes direct
182 |
183 | or contributory patent infringement, then any patent licenses
184 |
185 | granted to You under this License for that Work shall terminate
186 |
187 | as of the date such litigation is filed.
188 |
189 |
190 |
191 |
192 | 4. Redistribution. You may reproduce and distribute copies of the
193 |
194 | Work or Derivative Works thereof in any medium, with or without
195 |
196 | modifications, and in Source or Object form, provided that You
197 |
198 | meet the following conditions:
199 |
200 |
201 |
202 |
203 | (a) You must give any other recipients of the Work or
204 |
205 | Derivative Works a copy of this License; and
206 |
207 |
208 |
209 |
210 | (b) You must cause any modified files to carry prominent notices
211 |
212 | stating that You changed the files; and
213 |
214 |
215 |
216 |
217 | (c) You must retain, in the Source form of any Derivative Works
218 |
219 | that You distribute, all copyright, patent, trademark, and
220 |
221 | attribution notices from the Source form of the Work,
222 |
223 | excluding those notices that do not pertain to any part of
224 |
225 | the Derivative Works; and
226 |
227 |
228 |
229 |
230 | (d) If the Work includes a "NOTICE" text file as part of its
231 |
232 | distribution, then any Derivative Works that You distribute must
233 |
234 | include a readable copy of the attribution notices contained
235 |
236 | within such NOTICE file, excluding those notices that do not
237 |
238 | pertain to any part of the Derivative Works, in at least one
239 |
240 | of the following places: within a NOTICE text file distributed
241 |
242 | as part of the Derivative Works; within the Source form or
243 |
244 | documentation, if provided along with the Derivative Works; or,
245 |
246 | within a display generated by the Derivative Works, if and
247 |
248 | wherever such third-party notices normally appear. The contents
249 |
250 | of the NOTICE file are for informational purposes only and
251 |
252 | do not modify the License. You may add Your own attribution
253 |
254 | notices within Derivative Works that You distribute, alongside
255 |
256 | or as an addendum to the NOTICE text from the Work, provided
257 |
258 | that such additional attribution notices cannot be construed
259 |
260 | as modifying the License.
261 |
262 |
263 |
264 |
265 | You may add Your own copyright statement to Your modifications and
266 |
267 | may provide additional or different license terms and conditions
268 |
269 | for use, reproduction, or distribution of Your modifications, or
270 |
271 | for any such Derivative Works as a whole, provided Your use,
272 |
273 | reproduction, and distribution of the Work otherwise complies with
274 |
275 | the conditions stated in this License.
276 |
277 |
278 |
279 |
280 | 5. Submission of Contributions. Unless You explicitly state otherwise,
281 |
282 | any Contribution intentionally submitted for inclusion in the Work
283 |
284 | by You to the Licensor shall be under the terms and conditions of
285 |
286 | this License, without any additional terms or conditions.
287 |
288 | Notwithstanding the above, nothing herein shall supersede or modify
289 |
290 | the terms of any separate license agreement you may have executed
291 |
292 | with Licensor regarding such Contributions.
293 |
294 |
295 |
296 |
297 | 6. Trademarks. This License does not grant permission to use the trade
298 |
299 | names, trademarks, service marks, or product names of the Licensor,
300 |
301 | except as required for reasonable and customary use in describing the
302 |
303 | origin of the Work and reproducing the content of the NOTICE file.
304 |
305 |
306 |
307 |
308 | 7. Disclaimer of Warranty. Unless required by applicable law or
309 |
310 | agreed to in writing, Licensor provides the Work (and each
311 |
312 | Contributor provides its Contributions) on an "AS IS" BASIS,
313 |
314 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
315 |
316 | implied, including, without limitation, any warranties or conditions
317 |
318 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
319 |
320 | PARTICULAR PURPOSE. You are solely responsible for determining the
321 |
322 | appropriateness of using or redistributing the Work and assume any
323 |
324 | risks associated with Your exercise of permissions under this License.
325 |
326 |
327 |
328 |
329 | 8. Limitation of Liability. In no event and under no legal theory,
330 |
331 | whether in tort (including negligence), contract, or otherwise,
332 |
333 | unless required by applicable law (such as deliberate and grossly
334 |
335 | negligent acts) or agreed to in writing, shall any Contributor be
336 |
337 | liable to You for damages, including any direct, indirect, special,
338 |
339 | incidental, or consequential damages of any character arising as a
340 |
341 | result of this License or out of the use or inability to use the
342 |
343 | Work (including but not limited to damages for loss of goodwill,
344 |
345 | work stoppage, computer failure or malfunction, or any and all
346 |
347 | other commercial damages or losses), even if such Contributor
348 |
349 | has been advised of the possibility of such damages.
350 |
351 |
352 |
353 |
354 | 9. Accepting Warranty or Additional Liability. While redistributing
355 |
356 | the Work or Derivative Works thereof, You may choose to offer,
357 |
358 | and charge a fee for, acceptance of support, warranty, indemnity,
359 |
360 | or other liability obligations and/or rights consistent with this
361 |
362 | License. However, in accepting such obligations, You may act only
363 |
364 | on Your own behalf and on Your sole responsibility, not on behalf
365 |
366 | of any other Contributor, and only if You agree to indemnify,
367 |
368 | defend, and hold each Contributor harmless for any liability
369 |
370 | incurred by, or claims asserted against, such Contributor by reason
371 |
372 | of your accepting any such warranty or additional liability.
373 |
374 |
375 |
376 |
377 | END OF TERMS AND CONDITIONS
378 |
379 |
380 |
381 |
382 | APPENDIX: How to apply the Apache License to your work.
383 |
384 |
385 |
386 |
387 | To apply the Apache License to your work, attach the following
388 |
389 | boilerplate notice, with the fields enclosed by brackets "{}"
390 |
391 | replaced with your own identifying information. (Don't include
392 |
393 | the brackets!) The text should be enclosed in the appropriate
394 |
395 | comment syntax for the file format. We also recommend that a
396 |
397 | file or class name and description of purpose be included on the
398 |
399 | same "printed page" as the copyright notice for easier
400 |
401 | identification within third-party archives.
402 |
403 |
404 |
405 |
406 | Copyright (C) 2017 Beijing Didi Infinity Technology and Development Co.,Ltd. All rights reserved.
407 |
408 |
409 |
410 |
411 | Licensed under the Apache License, Version 2.0 (the "License");
412 |
413 | you may not use this file except in compliance with the License.
414 |
415 | You may obtain a copy of the License at
416 |
417 |
418 |
419 |
420 | http://www.apache.org/licenses/LICENSE-2.0
421 |
422 |
423 |
424 |
425 | Unless required by applicable law or agreed to in writing, software
426 |
427 | distributed under the License is distributed on an "AS IS" BASIS,
428 |
429 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
430 |
431 | See the License for the specific language governing permissions and
432 |
433 | limitations under the License.
434 |
--------------------------------------------------------------------------------
/kemon/distorm/distorm.c:
--------------------------------------------------------------------------------
1 | /*
2 | distorm.c
3 |
4 | diStorm3 C Library Interface
5 | diStorm3 - Powerful disassembler for X86/AMD64
6 | http://ragestorm.net/distorm/
7 | distorm at gmail dot com
8 | Copyright (C) 2003-2018 Gil Dabah
9 | This library is licensed under the BSD license. See the file COPYING.
10 | */
11 |
12 |
13 | #include "include/distorm.h"
14 | #include "config.h"
15 | #include "decoder.h"
16 | #include "x86defs.h"
17 | #include "textdefs.h"
18 | #include "wstring.h"
19 | #include "include/mnemonics.h"
20 |
21 | /* C DLL EXPORTS */
22 | #ifdef SUPPORT_64BIT_OFFSET
23 | _DLLEXPORT_ _DecodeResult distorm_decompose64(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
24 | #else
25 | _DLLEXPORT_ _DecodeResult distorm_decompose32(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
26 | #endif
27 | {
28 | if (usedInstructionsCount == NULL) {
29 | return DECRES_SUCCESS;
30 | }
31 |
32 | /* DECRES_SUCCESS still may indicate we may have something in the result, so zero it first thing. */
33 | *usedInstructionsCount = 0;
34 |
35 | if ((ci == NULL) ||
36 | (ci->codeLen < 0) ||
37 | ((ci->dt != Decode16Bits) && (ci->dt != Decode32Bits) && (ci->dt != Decode64Bits)) ||
38 | (ci->code == NULL) ||
39 | (result == NULL) ||
40 | ((ci->features & (DF_MAXIMUM_ADDR16 | DF_MAXIMUM_ADDR32)) == (DF_MAXIMUM_ADDR16 | DF_MAXIMUM_ADDR32)))
41 | {
42 | return DECRES_INPUTERR;
43 | }
44 |
45 | /* Assume length=0 is success. */
46 | if (ci->codeLen == 0) {
47 | return DECRES_SUCCESS;
48 | }
49 |
50 | return decode_internal(ci, FALSE, result, maxInstructions, usedInstructionsCount);
51 | }
52 |
53 | #ifndef DISTORM_LIGHT
54 |
55 | /* Helper function to concatenate an explicit size when it's unknown from the operands. */
56 | static void distorm_format_size(_WString* str, const _DInst* di, int opNum)
57 | {
58 | int isSizingRequired = 0;
59 | /*
60 | * We only have to output the size explicitly if it's not clear from the operands.
61 | * For example:
62 | * mov al, [0x1234] -> The size is 8, we know it from the AL register operand.
63 | * mov [0x1234], 0x11 -> Now we don't know the size. Pam pam pam
64 | *
65 | * If given operand number is higher than 2, then output the size anyways.
66 | */
67 | isSizingRequired = ((opNum >= 2) || ((di->ops[0].type != O_REG) && (di->ops[1].type != O_REG)));
68 |
69 | /* Still not sure? Try some special instructions. */
70 | if (!isSizingRequired) {
71 | /*
72 | * INS/OUTS are exception, because DX is a port specifier and not a real src/dst register.
73 | * A few exceptions that always requires sizing:
74 | * MOVZX, MOVSX, MOVSXD.
75 | * ROL, ROR, RCL, RCR, SHL, SHR, SAL, SAR.
76 | * SHLD, SHRD.
77 | */
78 | switch (di->opcode)
79 | {
80 | case I_INS:
81 | case I_OUTS:
82 | case I_MOVZX:
83 | case I_MOVSX:
84 | case I_MOVSXD:
85 | case I_ROL:
86 | case I_ROR:
87 | case I_RCL:
88 | case I_RCR:
89 | case I_SHL:
90 | case I_SHR:
91 | case I_SAL:
92 | case I_SAR:
93 | case I_SHLD:
94 | case I_SHRD:
95 | isSizingRequired = 1;
96 | break;
97 | default: /* Instruction doesn't require sizing. */ break;
98 | }
99 | }
100 |
101 | if (isSizingRequired)
102 | {
103 | switch (di->ops[opNum].size)
104 | {
105 | case 0: break; /* OT_MEM's unknown size. */
106 | case 8: strcat_WSN(str, "BYTE "); break;
107 | case 16: strcat_WSN(str, "WORD "); break;
108 | case 32: strcat_WSN(str, "DWORD "); break;
109 | case 64: strcat_WSN(str, "QWORD "); break;
110 | case 80: strcat_WSN(str, "TBYTE "); break;
111 | case 128: strcat_WSN(str, "DQWORD "); break;
112 | case 256: strcat_WSN(str, "YWORD "); break;
113 | default: /* Big oh uh if it gets here. */ break;
114 | }
115 | }
116 | }
117 |
118 | static void distorm_format_signed_disp(_WString* str, const _DInst* di, uint64_t addrMask)
119 | {
120 | int64_t tmpDisp64;
121 |
122 | if (di->dispSize) {
123 | chrcat_WS(str, ((int64_t)di->disp < 0) ? MINUS_DISP_CHR : PLUS_DISP_CHR);
124 | if ((int64_t)di->disp < 0) tmpDisp64 = -(int64_t)di->disp;
125 | else tmpDisp64 = di->disp;
126 | tmpDisp64 &= addrMask;
127 | str_code_hqw(str, (uint8_t*)&tmpDisp64);
128 | }
129 | }
130 |
131 | #ifdef SUPPORT_64BIT_OFFSET
132 | _DLLEXPORT_ void distorm_format64(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result)
133 | #else
134 | _DLLEXPORT_ void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result)
135 | #endif
136 | {
137 | _WString* str;
138 | unsigned int i, isDefault;
139 | int64_t tmpDisp64;
140 | uint64_t addrMask = (uint64_t)-1;
141 | uint8_t segment;
142 | const _WMnemonic* mnemonic;
143 |
144 | /* Set address mask, when default is for 64bits addresses. */
145 | if (ci->features & DF_MAXIMUM_ADDR32) addrMask = 0xffffffff;
146 | else if (ci->features & DF_MAXIMUM_ADDR16) addrMask = 0xffff;
147 |
148 | /* Copy other fields. */
149 | result->size = di->size;
150 | result->offset = di->addr;
151 |
152 | if (di->flags == FLAG_NOT_DECODABLE) {
153 | str = &result->mnemonic;
154 | result->offset &= addrMask;
155 | strclear_WS(&result->operands);
156 | strcpy_WSN(str, "DB ");
157 | str_code_hb(str, di->imm.byte);
158 | strclear_WS(&result->instructionHex);
159 | str_hex_b(&result->instructionHex, di->imm.byte);
160 | return; /* Skip to next instruction. */
161 | }
162 |
163 | str = &result->instructionHex;
164 | strclear_WS(str);
165 | /* Gotta have full address for (di->addr - ci->codeOffset) to work in all modes. */
166 | for (i = 0; i < di->size; i++)
167 | str_hex_b(str, ci->code[(unsigned int)(di->addr - ci->codeOffset + i)]);
168 |
169 | /* Truncate address now. */
170 | result->offset &= addrMask;
171 |
172 | str = &result->mnemonic;
173 | switch (FLAG_GET_PREFIX(di->flags))
174 | {
175 | case FLAG_LOCK:
176 | strcpy_WSN(str, "LOCK ");
177 | break;
178 | case FLAG_REP:
179 | /* REP prefix for CMPS and SCAS is really a REPZ. */
180 | if ((di->opcode == I_CMPS) || (di->opcode == I_SCAS)) strcpy_WSN(str, "REPZ ");
181 | else strcpy_WSN(str, "REP ");
182 | break;
183 | case FLAG_REPNZ:
184 | strcpy_WSN(str, "REPNZ ");
185 | break;
186 | default:
187 | /* Init mnemonic string, cause next touch is concatenation. */
188 | strclear_WS(str);
189 | break;
190 | }
191 |
192 | mnemonic = (const _WMnemonic*)&_MNEMONICS[di->opcode];
193 | memcpy((int8_t*)&str->p[str->length], mnemonic->p, mnemonic->length + 1);
194 | str->length += mnemonic->length;
195 |
196 | /* Format operands: */
197 | str = &result->operands;
198 | strclear_WS(str);
199 |
200 | /* Special treatment for String instructions. */
201 | if ((META_GET_ISC(di->meta) == ISC_INTEGER) &&
202 | ((di->opcode == I_MOVS) ||
203 | (di->opcode == I_CMPS) ||
204 | (di->opcode == I_STOS) ||
205 | (di->opcode == I_LODS) ||
206 | (di->opcode == I_SCAS)))
207 | {
208 | /*
209 | * No operands are needed if the address size is the default one,
210 | * and no segment is overridden, so add the suffix letter,
211 | * to indicate size of operation and continue to next instruction.
212 | */
213 | if ((FLAG_GET_ADDRSIZE(di->flags) == ci->dt) && (SEGMENT_IS_DEFAULT(di->segment))) {
214 | str = &result->mnemonic;
215 | switch (di->ops[0].size)
216 | {
217 | case 8: chrcat_WS(str, 'B'); break;
218 | case 16: chrcat_WS(str, 'W'); break;
219 | case 32: chrcat_WS(str, 'D'); break;
220 | case 64: chrcat_WS(str, 'Q'); break;
221 | }
222 | return;
223 | }
224 | }
225 |
226 | for (i = 0; ((i < OPERANDS_NO) && (di->ops[i].type != O_NONE)); i++) {
227 | if (i > 0) strcat_WSN(str, ", ");
228 | switch (di->ops[i].type)
229 | {
230 | case O_REG:
231 | strcat_WS(str, (const _WString*)&_REGISTERS[di->ops[i].index]);
232 | break;
233 | case O_IMM:
234 | /* If the instruction is 'push', show explicit size (except byte imm). */
235 | if ((di->opcode == I_PUSH) && (di->ops[i].size != 8)) distorm_format_size(str, di, i);
236 | /* Special fix for negative sign extended immediates. */
237 | if ((di->flags & FLAG_IMM_SIGNED) && (di->ops[i].size == 8)) {
238 | if (di->imm.sbyte < 0) {
239 | chrcat_WS(str, MINUS_DISP_CHR);
240 | str_code_hb(str, -di->imm.sbyte);
241 | break;
242 | }
243 | }
244 | if (di->ops[i].size == 64) str_code_hqw(str, (uint8_t*)&di->imm.qword);
245 | else str_code_hdw(str, di->imm.dword);
246 | break;
247 | case O_IMM1:
248 | str_code_hdw(str, di->imm.ex.i1);
249 | break;
250 | case O_IMM2:
251 | str_code_hdw(str, di->imm.ex.i2);
252 | break;
253 | case O_DISP:
254 | distorm_format_size(str, di, i);
255 | chrcat_WS(str, OPEN_CHR);
256 | if ((SEGMENT_GET(di->segment) != R_NONE) && !SEGMENT_IS_DEFAULT(di->segment)) {
257 | strcat_WS(str, (const _WString*)&_REGISTERS[SEGMENT_GET(di->segment)]);
258 | chrcat_WS(str, SEG_OFF_CHR);
259 | }
260 | tmpDisp64 = di->disp & addrMask;
261 | str_code_hqw(str, (uint8_t*)&tmpDisp64);
262 | chrcat_WS(str, CLOSE_CHR);
263 | break;
264 | case O_SMEM:
265 | distorm_format_size(str, di, i);
266 | chrcat_WS(str, OPEN_CHR);
267 |
268 | /*
269 | * This is where we need to take special care for String instructions.
270 | * If we got here, it means we need to explicitly show their operands.
271 | * The problem with CMPS and MOVS is that they have two(!) memory operands.
272 | * So we have to complete it ourselves, since the structure supplies only the segment that can be overridden.
273 | * And make the rest of the String operations explicit.
274 | */
275 | segment = SEGMENT_GET(di->segment);
276 | isDefault = SEGMENT_IS_DEFAULT(di->segment);
277 | switch (di->opcode)
278 | {
279 | case I_MOVS:
280 | isDefault = FALSE;
281 | if (i == 0) segment = R_ES;
282 | break;
283 | case I_CMPS:
284 | isDefault = FALSE;
285 | if (i == 1) segment = R_ES;
286 | break;
287 | case I_INS:
288 | case I_LODS:
289 | case I_STOS:
290 | case I_SCAS: isDefault = FALSE; break;
291 | }
292 | if (!isDefault && (segment != R_NONE)) {
293 | strcat_WS(str, (const _WString*)&_REGISTERS[segment]);
294 | chrcat_WS(str, SEG_OFF_CHR);
295 | }
296 |
297 | strcat_WS(str, (const _WString*)&_REGISTERS[di->ops[i].index]);
298 |
299 | distorm_format_signed_disp(str, di, addrMask);
300 | chrcat_WS(str, CLOSE_CHR);
301 | break;
302 | case O_MEM:
303 | distorm_format_size(str, di, i);
304 | chrcat_WS(str, OPEN_CHR);
305 | if ((SEGMENT_GET(di->segment) != R_NONE) && !SEGMENT_IS_DEFAULT(di->segment)) {
306 | strcat_WS(str, (const _WString*)&_REGISTERS[SEGMENT_GET(di->segment)]);
307 | chrcat_WS(str, SEG_OFF_CHR);
308 | }
309 | if (di->base != R_NONE) {
310 | strcat_WS(str, (const _WString*)&_REGISTERS[di->base]);
311 | chrcat_WS(str, PLUS_DISP_CHR);
312 | }
313 | strcat_WS(str, (const _WString*)&_REGISTERS[di->ops[i].index]);
314 | if (di->scale != 0) {
315 | chrcat_WS(str, '*');
316 | if (di->scale == 2) chrcat_WS(str, '2');
317 | else if (di->scale == 4) chrcat_WS(str, '4');
318 | else /* if (di->scale == 8) */ chrcat_WS(str, '8');
319 | }
320 |
321 | distorm_format_signed_disp(str, di, addrMask);
322 | chrcat_WS(str, CLOSE_CHR);
323 | break;
324 | case O_PC:
325 | #ifdef SUPPORT_64BIT_OFFSET
326 | str_off64(str, (di->imm.sqword + di->addr + di->size) & addrMask);
327 | #else
328 | str_code_hdw(str, ((_OffsetType)di->imm.sdword + di->addr + di->size) & (uint32_t)addrMask);
329 | #endif
330 | break;
331 | case O_PTR:
332 | str_code_hdw(str, di->imm.ptr.seg);
333 | chrcat_WS(str, SEG_OFF_CHR);
334 | str_code_hdw(str, di->imm.ptr.off);
335 | break;
336 | }
337 | }
338 |
339 | if (di->flags & FLAG_HINT_TAKEN) strcat_WSN(str, " ;TAKEN");
340 | else if (di->flags & FLAG_HINT_NOT_TAKEN) strcat_WSN(str, " ;NOT TAKEN");
341 | }
342 |
343 | #ifdef SUPPORT_64BIT_OFFSET
344 | _DLLEXPORT_ _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
345 | #else
346 | _DLLEXPORT_ _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
347 | #endif
348 | {
349 | _DecodeResult res;
350 | _DInst di;
351 | _CodeInfo ci;
352 | unsigned int instsCount = 0, i;
353 |
354 | *usedInstructionsCount = 0;
355 |
356 | /* I use codeLen as a signed variable in order to ease detection of underflow... and besides - */
357 | if (codeLen < 0) {
358 | return DECRES_INPUTERR;
359 | }
360 |
361 | if ((dt != Decode16Bits) && (dt != Decode32Bits) && (dt != Decode64Bits)) {
362 | return DECRES_INPUTERR;
363 | }
364 |
365 | if (code == NULL || result == NULL) {
366 | return DECRES_INPUTERR;
367 | }
368 |
369 | /* Assume length=0 is success. */
370 | if (codeLen == 0) {
371 | return DECRES_SUCCESS;
372 | }
373 |
374 | /*
375 | * We have to format the result into text. But the interal decoder works with the new structure of _DInst.
376 | * Therefore, we will pass the result array(!) from the caller and the interal decoder will fill it in with _DInst's.
377 | * Then we will copy each result to a temporary structure, and use it to reformat that specific result.
378 | *
379 | * This is all done to save memory allocation and to work on the same result array in-place!!!
380 | * It's a bit ugly, I have to admit, but worth it.
381 | */
382 |
383 | ci.codeOffset = codeOffset;
384 | ci.code = code;
385 | ci.codeLen = codeLen;
386 | ci.dt = dt;
387 | ci.features = DF_NONE;
388 | if (dt == Decode16Bits) ci.features = DF_MAXIMUM_ADDR16;
389 | else if (dt == Decode32Bits) ci.features = DF_MAXIMUM_ADDR32;
390 |
391 | res = decode_internal(&ci, TRUE, (_DInst*)result, maxInstructions, &instsCount);
392 | for (i = 0; i < instsCount; i++) {
393 | if ((*usedInstructionsCount + i) >= maxInstructions) return DECRES_MEMORYERR;
394 |
395 | /* Copy the current decomposed result to a temp structure, so we can override the result with text. */
396 | memcpy(&di, (char*)result + (i * sizeof(_DecodedInst)), sizeof(_DInst));
397 | #ifdef SUPPORT_64BIT_OFFSET
398 | distorm_format64(&ci, &di, &result[i]);
399 | #else
400 | distorm_format32(&ci, &di, &result[i]);
401 | #endif
402 | }
403 |
404 | *usedInstructionsCount = instsCount;
405 | return res;
406 | }
407 |
408 | #endif /* DISTORM_LIGHT */
409 |
410 | _DLLEXPORT_ unsigned int distorm_version(void)
411 | {
412 | return __DISTORMV__;
413 | }
414 |
--------------------------------------------------------------------------------
/kemon/trace.c:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | trace.c
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #include
19 | #include
20 | #include "trace.h"
21 |
22 |
23 | extern
24 | void
25 | hex_printf(
26 | void *buffer,
27 | unsigned long length,
28 | unsigned long flag
29 | )
30 | {
31 | int timer_chan;
32 | struct timespec timer;
33 | unsigned char hex_buffer[0x80];
34 | unsigned char *tmp_buffer = buffer;
35 | unsigned long hex_length = sizeof(hex_buffer);
36 | unsigned long line, index, character;
37 |
38 | if (!buffer || !length ||
39 | ((flag & HEX_PRINTF_W) && (length % sizeof(uint16_t))) ||
40 | ((flag & HEX_PRINTF_D) && (length % sizeof(uint32_t))) ||
41 | ((flag & HEX_PRINTF_Q) && (length % sizeof(uint64_t)))) return;
42 |
43 | timer_chan = 0;
44 | timer.tv_sec = 0; timer.tv_nsec = 800000;
45 |
46 | if (flag & HEX_PRINTF_B) {
47 | printf(" -*> MEMORY DUMP <*- \n");
48 | printf("+---------------------+--------------------------------------------------+-------------------+\n");
49 | printf("| ADDRESS | 0 1 2 3 4 5 6 7 8 9 A B C D E F | 0123456789ABCDEF |\n");
50 | printf("| --------------------+--------------------------------------------------+------------------ |\n");
51 |
52 | for (index = 0; index < length; index += 0x10) {
53 | memset(hex_buffer, 0, hex_length);
54 |
55 | line = length - index > 0x10 ? 0x10 : length - index;
56 |
57 | snprintf((char *) hex_buffer, hex_length, "| %16p | ", tmp_buffer + index);
58 |
59 | for (character = 0; character < line; character++) {
60 | if (sizeof(char) * 7 == character)
61 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
62 | hex_length - strlen((char *) hex_buffer), "%02x ",
63 | tmp_buffer[index + character]);
64 | else
65 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
66 | hex_length - strlen((char *) hex_buffer), "%02x ",
67 | tmp_buffer[index + character]);
68 | }
69 |
70 | for (; character < 0x10; character++) {
71 | if (sizeof(char) * 7 == character)
72 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
73 | hex_length - strlen((char *) hex_buffer), "%s",
74 | " ");
75 | else
76 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
77 | hex_length - strlen((char *) hex_buffer), "%s",
78 | " ");
79 | }
80 |
81 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
82 | hex_length - strlen((char *) hex_buffer), "%s", "| ");
83 |
84 | for (character = 0; character < line; character++) {
85 | if (tmp_buffer[index + character] < 0x20 || tmp_buffer[index + character] > 0x7E)
86 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
87 | hex_length - strlen((char *) hex_buffer), "%c",
88 | '.');
89 | else
90 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
91 | hex_length - strlen((char *) hex_buffer), "%c",
92 | tmp_buffer[index + character]);
93 | }
94 |
95 | for (; character < 0x10; character++) {
96 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
97 | hex_length - strlen((char *) hex_buffer), "%c", ' ');
98 | }
99 |
100 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
101 | hex_length - strlen((char *) hex_buffer), "%s", " |\n");
102 |
103 | printf("%s", hex_buffer);
104 | }
105 |
106 | printf("+---------------------+--------------------------------------------------+-------------------+\n");
107 |
108 | msleep(&timer_chan, NULL, PUSER, "hex_printf_b", &timer);
109 | } else if (flag & HEX_PRINTF_W) {
110 | printf(" -*> MEMORY DUMP <*- \n");
111 | printf("+---------------------+------------------------------------------+-------------------+\n");
112 | printf("| ADDRESS | 1 0 3 2 5 4 7 6 9 8 B A D C F E | 0123456789ABCDEF |\n");
113 | printf("| --------------------+------------------------------------------+------------------ |\n");
114 |
115 | for (index = 0; index < length; index += 0x10) {
116 | memset(hex_buffer, 0, hex_length);
117 |
118 | line = length - index > 0x10 ? 0x10 : length - index;
119 |
120 | snprintf((char *) hex_buffer, hex_length, "| %16p | ", tmp_buffer + index);
121 |
122 | for (character = 0; character < line; character += sizeof(uint16_t)) {
123 | if (sizeof(uint16_t) * 3 == character)
124 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
125 | hex_length - strlen((char *) hex_buffer), "%04x ",
126 | *(unsigned short *) (tmp_buffer + index + character));
127 | else
128 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
129 | hex_length - strlen((char *) hex_buffer), "%04x ",
130 | *(unsigned short *) (tmp_buffer + index + character));
131 | }
132 |
133 | for (; character < 0x10; character += sizeof(uint16_t)) {
134 | if (sizeof(uint16_t) * 3 == character)
135 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
136 | hex_length - strlen((char *) hex_buffer), "%s",
137 | " ");
138 | else
139 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
140 | hex_length - strlen((char *) hex_buffer), "%s",
141 | " ");
142 | }
143 |
144 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
145 | hex_length - strlen((char *) hex_buffer), "%s", "| ");
146 |
147 | for (character = 0; character < line; character++) {
148 | if (tmp_buffer[index + character] < 0x20 || tmp_buffer[index + character] > 0x7E)
149 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
150 | hex_length - strlen((char *) hex_buffer), "%c",
151 | '.');
152 | else
153 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
154 | hex_length - strlen((char *) hex_buffer), "%c",
155 | tmp_buffer[index + character]);
156 | }
157 |
158 | for (; character < 0x10; character++) {
159 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
160 | hex_length - strlen((char *) hex_buffer), "%c", ' ');
161 | }
162 |
163 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
164 | hex_length - strlen((char *) hex_buffer), "%s", " |\n");
165 |
166 | printf("%s", hex_buffer);
167 | }
168 |
169 | printf("+---------------------+------------------------------------------+-------------------+\n");
170 |
171 | msleep(&timer_chan, NULL, PUSER, "hex_printf_w", &timer);
172 | } else if (flag & HEX_PRINTF_D) {
173 | printf(" -*> MEMORY DUMP <*- \n");
174 | printf("+---------------------+--------------------------------------+-------------------+\n");
175 | printf("| ADDRESS | 3 2 1 0 7 6 5 4 B A 9 8 F E D C | 0123456789ABCDEF |\n");
176 | printf("| --------------------+--------------------------------------+------------------ |\n");
177 |
178 | for (index = 0; index < length; index += 0x10) {
179 | memset(hex_buffer, 0, hex_length);
180 |
181 | line = length - index > 0x10 ? 0x10 : length - index;
182 |
183 | snprintf((char *) hex_buffer, hex_length, "| %16p | ", tmp_buffer + index);
184 |
185 | for (character = 0; character < line; character += sizeof(uint32_t)) {
186 | if (sizeof(uint32_t) == character)
187 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
188 | hex_length - strlen((char *) hex_buffer), "%08x ",
189 | *(unsigned int *) (tmp_buffer + index + character));
190 | else
191 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
192 | hex_length - strlen((char *) hex_buffer), "%08x ",
193 | *(unsigned int *) (tmp_buffer + index + character));
194 | }
195 |
196 | for (; character < 0x10; character += sizeof(uint32_t)) {
197 | if (sizeof(uint32_t) == character)
198 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
199 | hex_length - strlen((char *) hex_buffer), "%s",
200 | " ");
201 | else
202 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
203 | hex_length - strlen((char *) hex_buffer), "%s",
204 | " ");
205 | }
206 |
207 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
208 | hex_length - strlen((char *) hex_buffer), "%s", "| ");
209 |
210 | for (character = 0; character < line; character++) {
211 | if (tmp_buffer[index + character] < 0x20 || tmp_buffer[index + character] > 0x7E)
212 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
213 | hex_length - strlen((char *) hex_buffer), "%c",
214 | '.');
215 | else
216 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
217 | hex_length - strlen((char *) hex_buffer), "%c",
218 | tmp_buffer[index + character]);
219 | }
220 |
221 | for (; character < 0x10; character++) {
222 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
223 | hex_length - strlen((char *) hex_buffer), "%c", ' ');
224 | }
225 |
226 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
227 | hex_length - strlen((char *) hex_buffer), "%s", " |\n");
228 |
229 | printf("%s", hex_buffer);
230 | }
231 |
232 | printf("+---------------------+--------------------------------------+-------------------+\n");
233 |
234 | msleep(&timer_chan, NULL, PUSER, "hex_printf_d", &timer);
235 | } else if (flag & HEX_PRINTF_Q) {
236 | printf(" -*> MEMORY DUMP <*- \n");
237 | printf("+---------------------+--------------------------------------+-------------------+\n");
238 | printf("| ADDRESS | 7 6 5 4 3 2 1 0 F E D C B A 9 8 | 0123456789ABCDEF |\n");
239 | printf("| --------------------+--------------------------------------+------------------ |\n");
240 |
241 | for (index = 0; index < length; index += 0x10) {
242 | memset(hex_buffer, 0, hex_length);
243 |
244 | line = length - index > 0x10 ? 0x10 : length - index;
245 |
246 | snprintf((char *) hex_buffer, hex_length, "| %16p | ", tmp_buffer + index);
247 |
248 | for (character = 0; character < line; character += sizeof(uint64_t)) {
249 | if (!character)
250 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
251 | hex_length - strlen((char *) hex_buffer), "%08x`%08x ",
252 | *(unsigned int *) (tmp_buffer + index + character + sizeof(uint32_t) * 1),
253 | *(unsigned int *) (tmp_buffer + index + character + sizeof(uint32_t) * 0));
254 | else
255 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
256 | hex_length - strlen((char *) hex_buffer), "%08x`%08x ",
257 | *(unsigned int *) (tmp_buffer + index + character + sizeof(uint32_t) * 1),
258 | *(unsigned int *) (tmp_buffer + index + character + sizeof(uint32_t) * 0));
259 | }
260 |
261 | for (; character < 0x10; character += sizeof(uint64_t)) {
262 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
263 | hex_length - strlen((char *) hex_buffer), "%s",
264 | " ");
265 | }
266 |
267 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
268 | hex_length - strlen((char *) hex_buffer), "%s", "| ");
269 |
270 | for (character = 0; character < line; character++) {
271 | if (tmp_buffer[index + character] < 0x20 || tmp_buffer[index + character] > 0x7E)
272 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
273 | hex_length - strlen((char *) hex_buffer), "%c",
274 | '.');
275 | else
276 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
277 | hex_length - strlen((char *) hex_buffer), "%c",
278 | tmp_buffer[index + character]);
279 | }
280 |
281 | for (; character < 0x10; character++) {
282 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
283 | hex_length - strlen((char *) hex_buffer), "%c", ' ');
284 | }
285 |
286 | snprintf(((char *) hex_buffer + strlen((char *) hex_buffer)),
287 | hex_length - strlen((char *) hex_buffer), "%s", " |\n");
288 |
289 | printf("%s", hex_buffer);
290 | }
291 |
292 | printf("+---------------------+--------------------------------------+-------------------+\n");
293 |
294 | msleep(&timer_chan, NULL, PUSER, "hex_printf_q", &timer);
295 | }
296 | }
--------------------------------------------------------------------------------
/kemon/distorm/instructions.h:
--------------------------------------------------------------------------------
1 | /*
2 | instructions.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef INSTRUCTIONS_H
13 | #define INSTRUCTIONS_H
14 |
15 | #include "config.h"
16 | #include "prefix.h"
17 |
18 |
19 | /*
20 | * Operand type possibilities:
21 | * Note "_FULL" suffix indicates to decode the operand as 16 bits or 32 bits depends on DecodeType -
22 | * actually, it depends on the decoding mode, unless there's an operand/address size prefix.
23 | * For example, the code: 33 c0 could be decoded/executed as XOR AX, AX or XOR EAX, EAX.
24 | */
25 | typedef enum OpType {
26 | /* No operand is set */
27 | OT_NONE = 0,
28 |
29 | /* Read a byte(8 bits) immediate */
30 | OT_IMM8,
31 | /* Force a read of a word(16 bits) immediate, used by ret only */
32 | OT_IMM16,
33 | /* Read a word/dword immediate */
34 | OT_IMM_FULL,
35 | /* Read a double-word(32 bits) immediate */
36 | OT_IMM32,
37 |
38 | /* Read a signed extended byte(8 bits) immediate */
39 | OT_SEIMM8,
40 |
41 | /*
42 | * Special immediates for instructions which have more than one immediate,
43 | * which is an exception from standard instruction format.
44 | * As to version v1.0: ENTER, INSERTQ, EXTRQ are the only problematic ones.
45 | */
46 | /* 16 bits immediate using the first imm-slot */
47 | OT_IMM16_1,
48 | /* 8 bits immediate using the first imm-slot */
49 | OT_IMM8_1,
50 | /* 8 bits immediate using the second imm-slot */
51 | OT_IMM8_2,
52 |
53 | /* Use a 8bit register */
54 | OT_REG8,
55 | /* Use a 16bit register */
56 | OT_REG16,
57 | /* Use a 16/32/64bit register */
58 | OT_REG_FULL,
59 | /* Use a 32bit register */
60 | OT_REG32,
61 | /*
62 | * If used with REX the reg operand size becomes 64 bits, otherwise 32 bits.
63 | * VMX instructions are promoted automatically without a REX prefix.
64 | */
65 | OT_REG32_64,
66 | /* Used only by MOV CR/DR(n). Promoted with REX onlly. */
67 | OT_FREG32_64_RM,
68 |
69 | /* Use or read (indirection) a 8bit register or immediate byte */
70 | OT_RM8,
71 | /* Some instructions force 16 bits (mov sreg, rm16) */
72 | OT_RM16,
73 | /* Use or read a 16/32/64bit register or immediate word/dword/qword */
74 | OT_RM_FULL,
75 | /*
76 | * 32 or 64 bits (with REX) operand size indirection memory operand.
77 | * Some instructions are promoted automatically without a REX prefix.
78 | */
79 | OT_RM32_64,
80 | /* 16 or 32 bits RM. This is used only with MOVZXD instruction in 64bits. */
81 | OT_RM16_32,
82 | /* Same as OT_RMXX but POINTS to 16 bits [cannot use GENERAL-PURPOSE REG!] */
83 | OT_FPUM16,
84 | /* Same as OT_RMXX but POINTS to 32 bits (single precision) [cannot use GENERAL-PURPOSE REG!] */
85 | OT_FPUM32,
86 | /* Same as OT_RMXX but POINTS to 64 bits (double precision) [cannot use GENERAL-PURPOSE REG!] */
87 | OT_FPUM64,
88 | /* Same as OT_RMXX but POINTS to 80 bits (extended precision) [cannot use GENERAL-PURPOSE REG!] */
89 | OT_FPUM80,
90 |
91 | /*
92 | * Special operand type for SSE4 where the ModR/M might
93 | * be a 32 bits register or 8 bits memory indirection operand.
94 | */
95 | OT_R32_M8,
96 | /*
97 | * Special ModR/M for PINSRW, which need a 16 bits memory operand or 32 bits register.
98 | * In 16 bits decoding mode R32 becomes R16, operand size cannot affect this.
99 | */
100 | OT_R32_M16,
101 | /*
102 | * Special type for SSE4, ModR/M might be a 32 bits or 64 bits (with REX) register or
103 | * a 8 bits memory indirection operand.
104 | */
105 | OT_R32_64_M8,
106 | /*
107 | * Special type for SSE4, ModR/M might be a 32 bits or 64 bits (with REX) register or
108 | * a 16 bits memory indirection operand.
109 | */
110 | OT_R32_64_M16,
111 | /*
112 | * Special operand type for MOV reg16/32/64/mem16, segReg 8C /r. and SMSW.
113 | * It supports all decoding modes, but if used as a memory indirection it's a 16 bit ModR/M indirection.
114 | */
115 | OT_RFULL_M16,
116 |
117 | /* Use a control register */
118 | OT_CREG,
119 | /* Use a debug register */
120 | OT_DREG,
121 | /* Use a segment register */
122 | OT_SREG,
123 | /*
124 | * SEG is encoded in the flags of the opcode itself!
125 | * This is used for specific "push SS" where SS is a segment where
126 | * each "push SS" has an absolutely different opcode byte.
127 | * We need this to detect whether an operand size prefix is used.
128 | */
129 | OT_SEG,
130 |
131 | /* Use AL */
132 | OT_ACC8,
133 | /* Use AX (FSTSW) */
134 | OT_ACC16,
135 | /* Use AX/EAX/RAX */
136 | OT_ACC_FULL,
137 | /* Use AX/EAX, no REX is possible for RAX, used only with IN/OUT which don't support 64 bit registers */
138 | OT_ACC_FULL_NOT64,
139 |
140 | /*
141 | * Read one word (seg), and a word/dword/qword (depends on operand size) from memory.
142 | * JMP FAR [EBX] means EBX point to 16:32 ptr.
143 | */
144 | OT_MEM16_FULL,
145 | /* Read one word (seg) and a word/dword/qword (depends on operand size), usually SEG:OFF, JMP 1234:1234 */
146 | OT_PTR16_FULL,
147 | /* Read one word (limit) and a dword/qword (limit) (depends on operand size), used by SGDT, SIDT, LGDT, LIDT. */
148 | OT_MEM16_3264,
149 |
150 | /* Read a byte(8 bits) immediate and calculate it relatively to the current offset of the instruction being decoded */
151 | OT_RELCB,
152 | /* Read a word/dword immediate and calculate it relatively to the current offset of the instruction being decoded */
153 | OT_RELC_FULL,
154 |
155 | /* Use general memory indirection, with varying sizes: */
156 | OT_MEM,
157 | /* Used when a memory indirection is required, but if the mod field is 11, this operand will be ignored. */
158 | OT_MEM_OPT,
159 | OT_MEM32,
160 | /* Memory dereference for MOVNTI, either 32 or 64 bits (with REX). */
161 | OT_MEM32_64,
162 | OT_MEM64,
163 | OT_MEM128,
164 | /* Used for cmpxchg8b/16b. */
165 | OT_MEM64_128,
166 |
167 | /* Read an immediate as an absolute address, size is known by instruction, used by MOV (memory offset) only */
168 | OT_MOFFS8,
169 | OT_MOFFS_FULL,
170 | /* Use an immediate of 1, as for SHR R/M, 1 */
171 | OT_CONST1,
172 | /* Use CL, as for SHR R/M, CL */
173 | OT_REGCL,
174 |
175 | /*
176 | * Instruction-Block for one byte long instructions, used by INC/DEC/PUSH/POP/XCHG,
177 | * REG is extracted from the value of opcode
178 | * Use a 8bit register
179 | */
180 | OT_IB_RB,
181 | /* Use a 16/32/64bit register */
182 | OT_IB_R_FULL,
183 |
184 | /* Use [(r)SI] as INDIRECTION, for repeatable instructions */
185 | OT_REGI_ESI,
186 | /* Use [(r)DI] as INDIRECTION, for repeatable instructions */
187 | OT_REGI_EDI,
188 | /* Use [(r)BX + AL] as INDIRECTIOM, used by XLAT only */
189 | OT_REGI_EBXAL,
190 | /* Use [(r)AX] as INDIRECTION, used by AMD's SVM instructions */
191 | OT_REGI_EAX,
192 | /* Use DX, as for OUTS DX, BYTE [SI] */
193 | OT_REGDX,
194 | /* Use ECX in INVLPGA instruction */
195 | OT_REGECX,
196 |
197 | /* FPU registers: */
198 | OT_FPU_SI, /* ST(i) */
199 | OT_FPU_SSI, /* ST(0), ST(i) */
200 | OT_FPU_SIS, /* ST(i), ST(0) */
201 |
202 | /* MMX registers: */
203 | OT_MM,
204 | /* Extract the MMX register from the RM bits this time (used when the REG bits are used for opcode extension) */
205 | OT_MM_RM,
206 | /* ModR/M points to 32 bits MMX variable */
207 | OT_MM32,
208 | /* ModR/M points to 32 bits MMX variable */
209 | OT_MM64,
210 |
211 | /* SSE registers: */
212 | OT_XMM,
213 | /* Extract the SSE register from the RM bits this time (used when the REG bits are used for opcode extension) */
214 | OT_XMM_RM,
215 | /* ModR/M points to 16 bits SSE variable */
216 | OT_XMM16,
217 | /* ModR/M points to 32 bits SSE variable */
218 | OT_XMM32,
219 | /* ModR/M points to 64 bits SSE variable */
220 | OT_XMM64,
221 | /* ModR/M points to 128 bits SSE variable */
222 | OT_XMM128,
223 | /* Implied XMM0 register as operand, used in SSE4. */
224 | OT_REGXMM0,
225 |
226 | /* AVX operands: */
227 |
228 | /* ModR/M for 32 bits. */
229 | OT_RM32,
230 | /* Reg32/Reg64 (prefix width) or Mem8. */
231 | OT_REG32_64_M8,
232 | /* Reg32/Reg64 (prefix width) or Mem16. */
233 | OT_REG32_64_M16,
234 | /* Reg32/Reg 64 depends on prefix width only. */
235 | OT_WREG32_64,
236 | /* RM32/RM64 depends on prefix width only. */
237 | OT_WRM32_64,
238 | /* XMM or Mem32/Mem64 depends on perfix width only. */
239 | OT_WXMM32_64,
240 | /* XMM is encoded in VEX.VVVV. */
241 | OT_VXMM,
242 | /* XMM is encoded in the high nibble of an immediate byte. */
243 | OT_XMM_IMM,
244 | /* YMM/XMM is dependent on VEX.L. */
245 | OT_YXMM,
246 | /* YMM/XMM (depends on prefix length) is encoded in the high nibble of an immediate byte. */
247 | OT_YXMM_IMM,
248 | /* YMM is encoded in reg. */
249 | OT_YMM,
250 | /* YMM or Mem256. */
251 | OT_YMM256,
252 | /* YMM is encoded in VEX.VVVV. */
253 | OT_VYMM,
254 | /* YMM/XMM is dependent on VEX.L, and encoded in VEX.VVVV. */
255 | OT_VYXMM,
256 | /* YMM/XMM or Mem64/Mem256 is dependent on VEX.L. */
257 | OT_YXMM64_256,
258 | /* YMM/XMM or Mem128/Mem256 is dependent on VEX.L. */
259 | OT_YXMM128_256,
260 | /* XMM or Mem64/Mem256 is dependent on VEX.L. */
261 | OT_LXMM64_128,
262 | /* Mem128/Mem256 is dependent on VEX.L. */
263 | OT_LMEM128_256
264 | } _OpType;
265 |
266 | /* Flags for instruction: */
267 |
268 | /* Empty flags indicator: */
269 | #define INST_FLAGS_NONE (0)
270 | /* The instruction we are going to decode requires ModR/M encoding. */
271 | #define INST_MODRM_REQUIRED (1)
272 | /* Special treatment for instructions which are in the divided-category but still needs the whole byte for ModR/M... */
273 | #define INST_NOT_DIVIDED (1 << 1)
274 | /*
275 | * Used explicitly in repeatable instructions,
276 | * which needs a suffix letter in their mnemonic to specify operation-size (depend on operands).
277 | */
278 | #define INST_16BITS (1 << 2)
279 | /* If the opcode is supported by 80286 and upper models (16/32 bits). */
280 | #define INST_32BITS (1 << 3)
281 | /*
282 | * Prefix flags (6 types: lock/rep, seg override, addr-size, oper-size, REX, VEX)
283 | * There are several specific instructions that can follow LOCK prefix,
284 | * note that they must be using a memory operand form, otherwise they generate an exception.
285 | */
286 | #define INST_PRE_LOCK (1 << 4)
287 | /* REPNZ prefix for string instructions only - means an instruction can follow it. */
288 | #define INST_PRE_REPNZ (1 << 5)
289 | /* REP prefix for string instructions only - means an instruction can follow it. */
290 | #define INST_PRE_REP (1 << 6)
291 | /* CS override prefix. */
292 | #define INST_PRE_CS (1 << 7)
293 | /* SS override prefix. */
294 | #define INST_PRE_SS (1 << 8)
295 | /* DS override prefix. */
296 | #define INST_PRE_DS (1 << 9)
297 | /* ES override prefix. */
298 | #define INST_PRE_ES (1 << 10)
299 | /* FS override prefix. Funky Segment :) */
300 | #define INST_PRE_FS (1 << 11)
301 | /* GS override prefix. Groovy Segment, of course not, duh ! */
302 | #define INST_PRE_GS (1 << 12)
303 | /* Switch operand size from 32 to 16 and vice versa. */
304 | #define INST_PRE_OP_SIZE (1 << 13)
305 | /* Switch address size from 32 to 16 and vice versa. */
306 | #define INST_PRE_ADDR_SIZE (1 << 14)
307 | /* Native instructions which needs suffix letter to indicate their operation-size (and don't depend on operands). */
308 | #define INST_NATIVE (1 << 15)
309 | /* Use extended mnemonic, means it's an _InstInfoEx structure, which contains another mnemonic for 32 bits specifically. */
310 | #define INST_USE_EXMNEMONIC (1 << 16)
311 | /* Use third operand, means it's an _InstInfoEx structure, which contains another operand for special instructions. */
312 | #define INST_USE_OP3 (1 << 17)
313 | /* Use fourth operand, means it's an _InstInfoEx structure, which contains another operand for special instructions. */
314 | #define INST_USE_OP4 (1 << 18)
315 | /* The instruction's mnemonic depends on the mod value of the ModR/M byte (mod=11, mod!=11). */
316 | #define INST_MNEMONIC_MODRM_BASED (1 << 19)
317 | /* The instruction uses a ModR/M byte which the MOD must be 11 (for registers operands only). */
318 | #define INST_MODRR_REQUIRED (1 << 20)
319 | /* The way of 3DNow! instructions are built, we have to handle their locating specially. Suffix imm8 tells which instruction it is. */
320 | #define INST_3DNOW_FETCH (1 << 21)
321 | /* The instruction needs two suffixes, one for the comparison type (imm8) and the second for its operation size indication (second mnemonic). */
322 | #define INST_PSEUDO_OPCODE (1 << 22)
323 | /* Invalid instruction at 64 bits decoding mode. */
324 | #define INST_INVALID_64BITS (1 << 23)
325 | /* Specific instruction can be promoted to 64 bits (without REX, it is promoted automatically). */
326 | #define INST_64BITS (1 << 24)
327 | /* Indicates the instruction must be REX prefixed in order to use 64 bits operands. */
328 | #define INST_PRE_REX (1 << 25)
329 | /* Third mnemonic is set. */
330 | #define INST_USE_EXMNEMONIC2 (1 << 26)
331 | /* Instruction is only valid in 64 bits decoding mode. */
332 | #define INST_64BITS_FETCH (1 << 27)
333 | /* Forces that the ModRM-REG/Opcode field will be 0. (For EXTRQ). */
334 | #define INST_FORCE_REG0 (1 << 28)
335 | /* Indicates that instruction is encoded with a VEX prefix. */
336 | #define INST_PRE_VEX (1 << 29)
337 | /* Indicates that the instruction is encoded with a ModRM byte (REG field specifically). */
338 | #define INST_MODRM_INCLUDED (1 << 30)
339 | /* Indicates that the first (/destination) operand of the instruction is writable. */
340 | #define INST_DST_WR (1 << 31)
341 |
342 | #define INST_PRE_REPS (INST_PRE_REPNZ | INST_PRE_REP)
343 | #define INST_PRE_LOKREP_MASK (INST_PRE_LOCK | INST_PRE_REPNZ | INST_PRE_REP)
344 | #define INST_PRE_SEGOVRD_MASK32 (INST_PRE_CS | INST_PRE_SS | INST_PRE_DS | INST_PRE_ES)
345 | #define INST_PRE_SEGOVRD_MASK64 (INST_PRE_FS | INST_PRE_GS)
346 | #define INST_PRE_SEGOVRD_MASK (INST_PRE_SEGOVRD_MASK32 | INST_PRE_SEGOVRD_MASK64)
347 |
348 | /* Extended flags for VEX: */
349 | /* Indicates that the instruction might have VEX.L encoded. */
350 | #define INST_VEX_L (1)
351 | /* Indicates that the instruction might have VEX.W encoded. */
352 | #define INST_VEX_W (1 << 1)
353 | /* Indicates that the mnemonic of the instruction is based on the VEX.W bit. */
354 | #define INST_MNEMONIC_VEXW_BASED (1 << 2)
355 | /* Indicates that the mnemonic of the instruction is based on the VEX.L bit. */
356 | #define INST_MNEMONIC_VEXL_BASED (1 << 3)
357 | /* Forces the instruction to be encoded with VEX.L, otherwise it's undefined. */
358 | #define INST_FORCE_VEXL (1 << 4)
359 | /*
360 | * Indicates that the instruction is based on the MOD field of the ModRM byte.
361 | * (MOD==11: got the right instruction, else skip +4 in prefixed table for the correct instruction).
362 | */
363 | #define INST_MODRR_BASED (1 << 5)
364 | /* Indicates that the instruction doesn't use the VVVV field of the VEX prefix, if it does then it's undecodable. */
365 | #define INST_VEX_V_UNUSED (1 << 6)
366 |
367 | /* Indication that the instruction is privileged (Ring 0), this should be checked on the opcodeId field. */
368 | #define OPCODE_ID_PRIVILEGED ((uint16_t)0x8000)
369 |
370 | /*
371 | * Indicates which operand is being decoded.
372 | * Destination (1st), Source (2nd), op3 (3rd), op4 (4th).
373 | * Used to set the operands' fields in the _DInst structure!
374 | */
375 | typedef enum {ONT_NONE = -1, ONT_1 = 0, ONT_2 = 1, ONT_3 = 2, ONT_4 = 3} _OperandNumberType;
376 |
377 | /* CPU Flags that instructions modify, test or undefine, in compacted form (CF,PF,AF,ZF,SF are 1:1 map to EFLAGS). */
378 | #define D_COMPACT_CF 1 /* Carry */
379 | #define D_COMPACT_PF 4 /* Parity */
380 | #define D_COMPACT_AF 0x10 /* Auxiliary */
381 | #define D_COMPACT_ZF 0x40 /* Zero */
382 | #define D_COMPACT_SF 0x80 /* Sign */
383 | /* The following flags have to be translated to EFLAGS. */
384 | #define D_COMPACT_IF 2 /* Interrupt */
385 | #define D_COMPACT_DF 8 /* Direction */
386 | #define D_COMPACT_OF 0x20 /* Overflow */
387 |
388 | /* The mask of flags that are already compatible with EFLAGS. */
389 | #define D_COMPACT_SAME_FLAGS (D_COMPACT_CF | D_COMPACT_PF | D_COMPACT_AF | D_COMPACT_ZF | D_COMPACT_SF)
390 |
391 | /*
392 | * In order to save more space for storing the DB statically,
393 | * I came up with another level of shared info.
394 | * Because I saw that most of the information that instructions use repeats itself.
395 | *
396 | * Info about the instruction, source/dest types, meta and flags.
397 | * _InstInfo points to a table of _InstSharedInfo.
398 | */
399 | typedef struct {
400 | uint8_t flagsIndex; /* An index into FlagsTables */
401 | uint8_t s, d; /* OpType. */
402 | uint8_t meta; /* Hi 5 bits = Instruction set class | Lo 3 bits = flow control flags. */
403 | /*
404 | * The following are CPU flag masks that the instruction changes.
405 | * The flags are compacted so 8 bits representation is enough.
406 | * They will be expanded in runtime to be compatible to EFLAGS.
407 | */
408 | uint8_t modifiedFlagsMask;
409 | uint8_t testedFlagsMask;
410 | uint8_t undefinedFlagsMask;
411 | } _InstSharedInfo;
412 |
413 | /*
414 | * This structure is used for the instructions DB and NOT for the disassembled result code!
415 | * This is the BASE structure, there are extensions to this structure below.
416 | */
417 | typedef struct {
418 | uint16_t sharedIndex; /* An index into the SharedInfoTable. */
419 | uint16_t opcodeId; /* The opcodeId is really a byte-offset into the mnemonics table. MSB is a privileged indication. */
420 | } _InstInfo;
421 |
422 | /*
423 | * There are merely few instructions which need a second mnemonic for 32 bits.
424 | * Or a third for 64 bits. Therefore sometimes the second mnemonic is empty but not the third.
425 | * In all decoding modes the first mnemonic is the default.
426 | * A flag will indicate it uses another mnemonic.
427 | *
428 | * There are a couple of (SSE4) instructions in the whole DB which need both op3 and 3rd mnemonic for 64bits,
429 | * therefore, I decided to make the extended structure contain all extra info in the same structure.
430 | * There are a few instructions (SHLD/SHRD/IMUL and SSE too) which use third operand (or a fourth).
431 | * A flag will indicate it uses a third/fourth operand.
432 | */
433 | typedef struct {
434 | /* Base structure (doesn't get accessed directly from code). */
435 | _InstInfo BASE;
436 |
437 | /* Extended starts here. */
438 | uint8_t flagsEx; /* 8 bits are enough, in the future we might make it a bigger integer. */
439 | uint8_t op3, op4; /* OpType. */
440 | uint16_t opcodeId2, opcodeId3;
441 | } _InstInfoEx;
442 |
443 | /* Trie data structure node type: */
444 | typedef enum {
445 | INT_NOTEXISTS = 0, /* Not exists. */
446 | INT_INFO = 1, /* It's an instruction info. */
447 | INT_INFOEX,
448 | INT_LIST_GROUP,
449 | INT_LIST_FULL,
450 | INT_LIST_DIVIDED,
451 | INT_LIST_PREFIXED
452 | } _InstNodeType;
453 |
454 | /* Used to check instType < INT_INFOS, means we got an inst-info. Cause it has to be only one of them. */
455 | #define INT_INFOS (INT_LIST_GROUP)
456 |
457 | /* Instruction node is treated as { int index:13; int type:3; } */
458 | typedef uint16_t _InstNode;
459 |
460 | _InstInfo* inst_lookup(_CodeInfo* ci, _PrefixState* ps);
461 | _InstInfo* inst_lookup_3dnow(_CodeInfo* ci);
462 |
463 | #endif /* INSTRUCTIONS_H */
464 |
--------------------------------------------------------------------------------
/kemon/policy.h:
--------------------------------------------------------------------------------
1 | /*++
2 |
3 | Copyright (c) Didi Research America. All rights reserved.
4 |
5 | Module Name:
6 |
7 | policy.h
8 |
9 | Author:
10 |
11 | Yu Wang, 08-Feb-2017
12 |
13 | Revision History:
14 |
15 | --*/
16 |
17 |
18 | #ifndef __POLICY_DRIVER_H__
19 | #define __POLICY_DRIVER_H__
20 |
21 |
22 | #define POLICY_FULL_NAME "Kemon MAC Policy"
23 |
24 | //
25 | // Shadow Walker
26 | //
27 |
28 | #define MAC_POLICY_SHADOW_WALKER TRUE
29 |
30 | //
31 | // Current MAC policy OPS version
32 | //
33 |
34 | #define MAC_POLICY_OPS_VERSION 55
35 |
36 | //
37 | // MAC policy module operations
38 | //
39 |
40 | struct mac_policy_ops {
41 | //
42 | // mpo_audit
43 | //
44 |
45 | void *mpo_audit_check_postselect;
46 | void *mpo_audit_check_preselect;
47 |
48 | //
49 | // mpo_bpfdesc
50 | //
51 |
52 | void *mpo_bpfdesc_label_associate;
53 | void *mpo_bpfdesc_label_destroy;
54 | void *mpo_bpfdesc_label_init;
55 | void *mpo_bpfdesc_check_receive;
56 |
57 | //
58 | // mpo_cred
59 | //
60 |
61 | void *mpo_cred_check_label_update_execve;
62 | void *mpo_cred_check_label_update;
63 | void *mpo_cred_check_visible;
64 | void *mpo_cred_label_associate_fork;
65 | void *mpo_cred_label_associate_kernel;
66 | void *mpo_cred_label_associate;
67 | void *mpo_cred_label_associate_user;
68 | void *mpo_cred_label_destroy;
69 | void *mpo_cred_label_externalize_audit;
70 | void *mpo_cred_label_externalize;
71 | void *mpo_cred_label_init;
72 | void *mpo_cred_label_internalize;
73 | void *mpo_cred_label_update_execve;
74 | void *mpo_cred_label_update;
75 |
76 | //
77 | // mpo_devfs
78 | //
79 |
80 | void *mpo_devfs_label_associate_device;
81 | void *mpo_devfs_label_associate_directory;
82 | void *mpo_devfs_label_copy;
83 | void *mpo_devfs_label_destroy;
84 | void *mpo_devfs_label_init;
85 | void *mpo_devfs_label_update;
86 |
87 | //
88 | // mpo_file
89 | //
90 |
91 | void *mpo_file_check_change_offset;
92 | void *mpo_file_check_create;
93 | void *mpo_file_check_dup;
94 | void *mpo_file_check_fcntl;
95 | void *mpo_file_check_get_offset;
96 | void *mpo_file_check_get;
97 | void *mpo_file_check_inherit;
98 | void *mpo_file_check_ioctl;
99 | void *mpo_file_check_lock;
100 | void *mpo_file_check_mmap_downgrade;
101 | void *mpo_file_check_mmap;
102 | void *mpo_file_check_receive;
103 | void *mpo_file_check_set;
104 | void *mpo_file_label_init;
105 | void *mpo_file_label_destroy;
106 | void *mpo_file_label_associate;
107 |
108 | //
109 | // mpo_ifnet
110 | //
111 |
112 | void *mpo_ifnet_check_label_update;
113 | void *mpo_ifnet_check_transmit;
114 | void *mpo_ifnet_label_associate;
115 | void *mpo_ifnet_label_copy;
116 | void *mpo_ifnet_label_destroy;
117 | void *mpo_ifnet_label_externalize;
118 | void *mpo_ifnet_label_init;
119 | void *mpo_ifnet_label_internalize;
120 | void *mpo_ifnet_label_update;
121 | void *mpo_ifnet_label_recycle;
122 |
123 | //
124 | // mpo_inpcb
125 | //
126 |
127 | void *mpo_inpcb_check_deliver;
128 | void *mpo_inpcb_label_associate;
129 | void *mpo_inpcb_label_destroy;
130 | void *mpo_inpcb_label_init;
131 | void *mpo_inpcb_label_recycle;
132 | void *mpo_inpcb_label_update;
133 |
134 | //
135 | // mpo_iokit (part 1)
136 | //
137 |
138 | void *mpo_iokit_check_device;
139 |
140 | //
141 | // mpo_ipq
142 | //
143 |
144 | void *mpo_ipq_label_associate;
145 | void *mpo_ipq_label_compare;
146 | void *mpo_ipq_label_destroy;
147 | void *mpo_ipq_label_init;
148 | void *mpo_ipq_label_update;
149 |
150 | //
151 | // mpo_lctx* were replaced by the follows (mpo_file and mpo_vnode)
152 | //
153 |
154 | void *mpo_file_check_library_validation;
155 | void *mpo_vnode_notify_setacl;
156 | void *mpo_vnode_notify_setattrlist;
157 | void *mpo_vnode_notify_setextattr;
158 | void *mpo_vnode_notify_setflags;
159 | void *mpo_vnode_notify_setmode;
160 | void *mpo_vnode_notify_setowner;
161 | void *mpo_vnode_notify_setutimes;
162 | void *mpo_vnode_notify_truncate;
163 |
164 | //
165 | // mpo_mbuf
166 | //
167 |
168 | void *mpo_mbuf_label_associate_bpfdesc;
169 | void *mpo_mbuf_label_associate_ifnet;
170 | void *mpo_mbuf_label_associate_inpcb;
171 | void *mpo_mbuf_label_associate_ipq;
172 | void *mpo_mbuf_label_associate_linklayer;
173 | void *mpo_mbuf_label_associate_multicast_encap;
174 | void *mpo_mbuf_label_associate_netlayer;
175 | void *mpo_mbuf_label_associate_socket;
176 | void *mpo_mbuf_label_copy;
177 | void *mpo_mbuf_label_destroy;
178 | void *mpo_mbuf_label_init;
179 |
180 | //
181 | // mpo_mount
182 | //
183 |
184 | void *mpo_mount_check_fsctl;
185 | void *mpo_mount_check_getattr;
186 | void *mpo_mount_check_label_update;
187 | void *mpo_mount_check_mount;
188 | void *mpo_mount_check_remount;
189 | void *mpo_mount_check_setattr;
190 | void *mpo_mount_check_stat;
191 | void *mpo_mount_check_umount;
192 | void *mpo_mount_label_associate;
193 | void *mpo_mount_label_destroy;
194 | void *mpo_mount_label_externalize;
195 | void *mpo_mount_label_init;
196 | void *mpo_mount_label_internalize;
197 |
198 | //
199 | // mpo_netinet
200 | //
201 |
202 | void *mpo_netinet_fragment;
203 | void *mpo_netinet_icmp_reply;
204 | void *mpo_netinet_tcp_reply;
205 |
206 | //
207 | // mpo_pipe
208 | //
209 |
210 | void *mpo_pipe_check_ioctl;
211 | void *mpo_pipe_check_kqfilter;
212 | void *mpo_pipe_check_label_update;
213 | void *mpo_pipe_check_read;
214 | void *mpo_pipe_check_select;
215 | void *mpo_pipe_check_stat;
216 | void *mpo_pipe_check_write;
217 | void *mpo_pipe_label_associate;
218 | void *mpo_pipe_label_copy;
219 | void *mpo_pipe_label_destroy;
220 | void *mpo_pipe_label_externalize;
221 | void *mpo_pipe_label_init;
222 | void *mpo_pipe_label_internalize;
223 | void *mpo_pipe_label_update;
224 |
225 | //
226 | // mpo_policy
227 | //
228 |
229 | void *mpo_policy_destroy;
230 | void *mpo_policy_init;
231 | void *mpo_policy_initbsd;
232 | void *mpo_policy_syscall;
233 |
234 | //
235 | // mpo_port* were replaced by the follows
236 | //
237 |
238 | void *mpo_system_check_sysctlbyname;
239 | void *mpo_proc_check_inherit_ipc_ports;
240 | void *mpo_vnode_check_rename;
241 | void *mpo_kext_check_query;
242 | void *mpo_proc_notify_exec_complete; // mpo_iokit_check_nvram_get, version 53
243 | void *mpo_reserved5; // mpo_iokit_check_nvram_set, version 53
244 | void *mpo_reserved6; // mpo_iokit_check_nvram_delete, version 53
245 | void *mpo_proc_check_expose_task;
246 | void *mpo_proc_check_set_host_special_port;
247 | void *mpo_proc_check_set_host_exception_port;
248 | void *mpo_exc_action_check_exception_send;
249 | void *mpo_exc_action_label_associate;
250 | void *mpo_exc_action_label_populate; // mpo_exc_action_label_copy, version 52
251 | void *mpo_exc_action_label_destroy;
252 | void *mpo_exc_action_label_init;
253 | void *mpo_exc_action_label_update;
254 | void *mpo_vnode_check_trigger_resolve; // version 53
255 | void *mpo_reserved1;
256 | void *mpo_reserved2;
257 | void *mpo_reserved3;
258 | void *mpo_skywalk_flow_check_connect; // version 52
259 | void *mpo_skywalk_flow_check_listen; // version 52
260 |
261 | //
262 | // mpo_posixsem and mpo_posixshm
263 | //
264 |
265 | void *mpo_posixsem_check_create;
266 | void *mpo_posixsem_check_open;
267 | void *mpo_posixsem_check_post;
268 | void *mpo_posixsem_check_unlink;
269 | void *mpo_posixsem_check_wait;
270 | void *mpo_posixsem_label_associate;
271 | void *mpo_posixsem_label_destroy;
272 | void *mpo_posixsem_label_init;
273 | void *mpo_posixshm_check_create;
274 | void *mpo_posixshm_check_mmap;
275 | void *mpo_posixshm_check_open;
276 | void *mpo_posixshm_check_stat;
277 | void *mpo_posixshm_check_truncate;
278 | void *mpo_posixshm_check_unlink;
279 | void *mpo_posixshm_label_associate;
280 | void *mpo_posixshm_label_destroy;
281 | void *mpo_posixshm_label_init;
282 |
283 | //
284 | // mpo_proc
285 | //
286 |
287 | void *mpo_proc_check_debug;
288 | void *mpo_proc_check_fork;
289 | void *mpo_proc_check_get_task_name;
290 | void *mpo_proc_check_get_task;
291 | void *mpo_proc_check_getaudit;
292 | void *mpo_proc_check_getauid;
293 | void *mpo_proc_check_getlcid;
294 | void *mpo_proc_check_mprotect;
295 | void *mpo_proc_check_sched;
296 | void *mpo_proc_check_setaudit;
297 | void *mpo_proc_check_setauid;
298 | void *mpo_proc_check_setlcid;
299 | void *mpo_proc_check_signal;
300 | void *mpo_proc_check_wait;
301 | void *mpo_proc_label_destroy;
302 | void *mpo_proc_label_init;
303 |
304 | //
305 | // mpo_socket
306 | //
307 |
308 | void *mpo_socket_check_accept;
309 | void *mpo_socket_check_accepted;
310 | void *mpo_socket_check_bind;
311 | void *mpo_socket_check_connect;
312 | void *mpo_socket_check_create;
313 | void *mpo_socket_check_deliver;
314 | void *mpo_socket_check_kqfilter;
315 | void *mpo_socket_check_label_update;
316 | void *mpo_socket_check_listen;
317 | void *mpo_socket_check_receive;
318 | void *mpo_socket_check_received;
319 | void *mpo_socket_check_select;
320 | void *mpo_socket_check_send;
321 | void *mpo_socket_check_stat;
322 | void *mpo_socket_check_setsockopt;
323 | void *mpo_socket_check_getsockopt;
324 | void *mpo_socket_label_associate_accept;
325 | void *mpo_socket_label_associate;
326 | void *mpo_socket_label_copy;
327 | void *mpo_socket_label_destroy;
328 | void *mpo_socket_label_externalize;
329 | void *mpo_socket_label_init;
330 | void *mpo_socket_label_internalize;
331 | void *mpo_socket_label_update;
332 |
333 | //
334 | // mpo_socketpeer
335 | //
336 |
337 | void *mpo_socketpeer_label_associate_mbuf;
338 | void *mpo_socketpeer_label_associate_socket;
339 | void *mpo_socketpeer_label_destroy;
340 | void *mpo_socketpeer_label_externalize;
341 | void *mpo_socketpeer_label_init;
342 |
343 | //
344 | // mpo_system
345 | //
346 |
347 | void *mpo_system_check_acct;
348 | void *mpo_system_check_audit;
349 | void *mpo_system_check_auditctl;
350 | void *mpo_system_check_auditon;
351 | void *mpo_system_check_host_priv;
352 | void *mpo_system_check_nfsd;
353 | void *mpo_system_check_reboot;
354 | void *mpo_system_check_settime;
355 | void *mpo_system_check_swapoff;
356 | void *mpo_system_check_swapon;
357 | void *mpo_socket_check_ioctl; // mpo_system_check_sysctl
358 |
359 | //
360 | // mpo_sysvmsg, mpo_sysvmsq, mpo_sysvsem and mpo_sysvshm
361 | //
362 |
363 | void *mpo_sysvmsg_label_associate;
364 | void *mpo_sysvmsg_label_destroy;
365 | void *mpo_sysvmsg_label_init;
366 | void *mpo_sysvmsg_label_recycle;
367 | void *mpo_sysvmsq_check_enqueue;
368 | void *mpo_sysvmsq_check_msgrcv;
369 | void *mpo_sysvmsq_check_msgrmid;
370 | void *mpo_sysvmsq_check_msqctl;
371 | void *mpo_sysvmsq_check_msqget;
372 | void *mpo_sysvmsq_check_msqrcv;
373 | void *mpo_sysvmsq_check_msqsnd;
374 | void *mpo_sysvmsq_label_associate;
375 | void *mpo_sysvmsq_label_destroy;
376 | void *mpo_sysvmsq_label_init;
377 | void *mpo_sysvmsq_label_recycle;
378 | void *mpo_sysvsem_check_semctl;
379 | void *mpo_sysvsem_check_semget;
380 | void *mpo_sysvsem_check_semop;
381 | void *mpo_sysvsem_label_associate;
382 | void *mpo_sysvsem_label_destroy;
383 | void *mpo_sysvsem_label_init;
384 | void *mpo_sysvsem_label_recycle;
385 | void *mpo_sysvshm_check_shmat;
386 | void *mpo_sysvshm_check_shmctl;
387 | void *mpo_sysvshm_check_shmdt;
388 | void *mpo_sysvshm_check_shmget;
389 | void *mpo_sysvshm_label_associate;
390 | void *mpo_sysvshm_label_destroy;
391 | void *mpo_sysvshm_label_init;
392 | void *mpo_sysvshm_label_recycle;
393 |
394 | //
395 | // mpo_task* and mpo_thread_userret were replaced by the follows
396 | //
397 |
398 | void *mpo_proc_notify_exit; // version 52
399 | void *mpo_mount_check_snapshot_revert; // version 47
400 | void *mpo_vnode_check_getattr; // version 46
401 | void *mpo_mount_check_snapshot_create;
402 | void *mpo_mount_check_snapshot_delete;
403 | void *mpo_vnode_check_clone;
404 | void *mpo_proc_check_get_cs_info;
405 | void *mpo_proc_check_set_cs_info;
406 | void *mpo_iokit_check_hid_control;
407 |
408 | //
409 | // mpo_vnode
410 | //
411 |
412 | void *mpo_vnode_check_access;
413 | void *mpo_vnode_check_chdir;
414 | void *mpo_vnode_check_chroot;
415 | void *mpo_vnode_check_create;
416 | void *mpo_vnode_check_deleteextattr;
417 | void *mpo_vnode_check_exchangedata;
418 | void *mpo_vnode_check_exec;
419 | void *mpo_vnode_check_getattrlist;
420 | void *mpo_vnode_check_getextattr;
421 | void *mpo_vnode_check_ioctl;
422 | void *mpo_vnode_check_kqfilter;
423 | void *mpo_vnode_check_label_update;
424 | void *mpo_vnode_check_link;
425 | void *mpo_vnode_check_listextattr;
426 | void *mpo_vnode_check_lookup;
427 | void *mpo_vnode_check_open;
428 | void *mpo_vnode_check_read;
429 | void *mpo_vnode_check_readdir;
430 | void *mpo_vnode_check_readlink;
431 | void *mpo_vnode_check_rename_from;
432 | void *mpo_vnode_check_rename_to;
433 | void *mpo_vnode_check_revoke;
434 | void *mpo_vnode_check_select;
435 | void *mpo_vnode_check_setattrlist;
436 | void *mpo_vnode_check_setextattr;
437 | void *mpo_vnode_check_setflags;
438 | void *mpo_vnode_check_setmode;
439 | void *mpo_vnode_check_setowner;
440 | void *mpo_vnode_check_setutimes;
441 | void *mpo_vnode_check_stat;
442 | void *mpo_vnode_check_truncate;
443 | void *mpo_vnode_check_unlink;
444 | void *mpo_vnode_check_write;
445 | void *mpo_vnode_label_associate_devfs;
446 | void *mpo_vnode_label_associate_extattr;
447 | void *mpo_vnode_label_associate_file;
448 | void *mpo_vnode_label_associate_pipe;
449 | void *mpo_vnode_label_associate_posixsem;
450 | void *mpo_vnode_label_associate_posixshm;
451 | void *mpo_vnode_label_associate_singlelabel;
452 | void *mpo_vnode_label_associate_socket;
453 | void *mpo_vnode_label_copy;
454 | void *mpo_vnode_label_destroy;
455 | void *mpo_vnode_label_externalize_audit;
456 | void *mpo_vnode_label_externalize;
457 | void *mpo_vnode_label_init;
458 | void *mpo_vnode_label_internalize;
459 | void *mpo_vnode_label_recycle;
460 | void *mpo_vnode_label_store;
461 | void *mpo_vnode_label_update_extattr;
462 | void *mpo_vnode_label_update;
463 | void *mpo_vnode_notify_create;
464 | void *mpo_vnode_check_signature;
465 | void *mpo_vnode_check_uipc_bind;
466 | void *mpo_vnode_check_uipc_connect;
467 |
468 | //
469 | // the others
470 | //
471 |
472 | void *mpo_proc_check_run_cs_invalid;
473 | void *mpo_proc_check_suspend_resume;
474 | void *mpo_thread_userret;
475 | void *mpo_iokit_check_set_properties;
476 | void *mpo_system_check_chud;
477 | void *mpo_vnode_check_searchfs;
478 | void *mpo_priv_check;
479 | void *mpo_priv_grant;
480 | void *mpo_proc_check_map_anon;
481 | void *mpo_vnode_check_fsgetpath;
482 | void *mpo_iokit_check_open;
483 | void *mpo_proc_check_ledger;
484 | void *mpo_vnode_notify_rename;
485 | void *mpo_vnode_check_setacl;
486 | void *mpo_vnode_notify_deleteextattr;
487 | void *mpo_system_check_kas_info;
488 | void *mpo_vnode_check_lookup_preflight; // mpo_proc_check_cpumon, version 52
489 | void *mpo_vnode_notify_open;
490 | void *mpo_system_check_info;
491 | void *mpo_pty_notify_grant;
492 | void *mpo_pty_notify_close;
493 | void *mpo_vnode_find_sigs;
494 | void *mpo_kext_check_load;
495 | void *mpo_kext_check_unload;
496 | void *mpo_proc_check_proc_info;
497 | void *mpo_vnode_notify_link;
498 | void *mpo_iokit_check_filter_properties;
499 | void *mpo_iokit_check_get_property;
500 | };
501 |
502 | //
503 | // This flag indicates that the policy module must be loaded and initialized early in the boot process
504 | // If the flag is specified, attempts to register the module following boot will be rejected
505 | //
506 |
507 | #define MPC_LOADTIME_FLAG_NOTLATE 0x00000001
508 |
509 | //
510 | // This flag indicates that the policy module may be unloaded
511 | // If this flag is not set, then the policy framework will reject requests to unload the module
512 | //
513 |
514 | #define MPC_LOADTIME_FLAG_UNLOADOK 0x00000002
515 |
516 | //
517 | // This flag is not yet supported
518 | //
519 |
520 | #define MPC_LOADTIME_FLAG_LABELMBUFS 0x00000004
521 |
522 | //
523 | // This flag indicates that the policy module is a base policy
524 | // Only one module can declare itself as base, otherwise the boot process will be halted
525 | //
526 |
527 | #define MPC_LOADTIME_BASE_POLICY 0x00000008
528 |
529 | //
530 | // This flag indicates that the policy module has been successfully registered with the TrustedBSD MAC framework
531 | // The framework will set this flag in the mpc_runtime_flags field of the policy's mac_policy_conf structure after registering the policy
532 | //
533 |
534 | #define MPC_RUNTIME_FLAG_REGISTERED 0x00000001
535 |
536 | //
537 | // MAC policy configuration
538 | //
539 |
540 | struct mac_policy_conf {
541 | char *mpc_name; // policy name
542 | char *mpc_fullname; // full name
543 | char const *const *mpc_labelnames; // managed label namespaces
544 | unsigned int mpc_labelname_count; // number of managed label namespaces
545 | struct mac_policy_ops *mpc_ops; // operation vector
546 | int mpc_loadtime_flags; // load time flags
547 | int *mpc_field_off; // label slot
548 | int mpc_runtime_flags; // run time flags
549 | struct mac_policy_conf *mpc_list; // list reference
550 | void *mpc_data; // module data
551 | };
552 |
553 | //
554 | // The MAC handle is used to uniquely identify a loaded policy within the MAC framework
555 | //
556 |
557 | typedef unsigned int mac_policy_handle_t;
558 |
559 | //
560 | // File internal
561 | //
562 |
563 | struct fileglob {
564 | LIST_ENTRY(fileglob) f_msglist;
565 | int32_t fg_flag;
566 | int32_t fg_type;
567 | int32_t fg_count;
568 | int32_t fg_msgcount;
569 | kauth_cred_t fg_cred;
570 | void *fg_ops;
571 | off_t fg_offset;
572 | void *fg_data;
573 | };
574 |
575 | //
576 | // This function is called to register a policy with the MAC framework
577 | // A policy module will typically call this from the Darwin KEXT registration routine
578 | //
579 |
580 | extern
581 | int
582 | mac_policy_register(
583 | struct mac_policy_conf *mpc,
584 | mac_policy_handle_t *handlep,
585 | void *xd
586 | );
587 |
588 | //
589 | // This function is called to de-register a policy with the MAC framework
590 | // A policy module will typically call this from the Darwin KEXT de-registration routine
591 | //
592 |
593 | extern
594 | int
595 | mac_policy_unregister(
596 | mac_policy_handle_t handle
597 | );
598 |
599 | //
600 | // Declaration
601 | //
602 |
603 | extern lck_grp_t *glock_group;
604 |
605 | extern OSMallocTag gmalloc_tag;
606 |
607 | extern kmod_info_t *gkmod_info;
608 |
609 | //
610 | // OSKext::start() module information and mutex lock
611 | //
612 |
613 | extern char *gkext_name;
614 | extern vm_address_t gkext_base;
615 | extern vm_size_t gkext_size;
616 |
617 | extern lck_mtx_t *goskext_handler_lock;
618 |
619 | extern
620 | int
621 | construct_path_from_vnode(
622 | vnode_t node,
623 | char **path
624 | );
625 |
626 | extern
627 | kern_return_t
628 | mac_initialization(
629 | boolean_t flag
630 | );
631 |
632 | #endif
--------------------------------------------------------------------------------
/kemon/distorm/include/distorm.h:
--------------------------------------------------------------------------------
1 | /* diStorm 3.4.0 */
2 |
3 | /*
4 | distorm.h
5 |
6 | diStorm3 - Powerful disassembler for X86/AMD64
7 | http://ragestorm.net/distorm/
8 | distorm at gmail dot com
9 | Copyright (C) 2003-2018 Gil Dabah
10 | This library is licensed under the BSD license. See the file COPYING.
11 | */
12 |
13 |
14 | #ifndef DISTORM_H
15 | #define DISTORM_H
16 |
17 | #define MAX_INSTRUCTIONS 15
18 |
19 | /*
20 | * 64 bit offsets support:
21 | * If the diStorm library you use was compiled with 64 bits offsets,
22 | * make sure you compile your own code with the following macro set:
23 | * SUPPORT_64BIT_OFFSET
24 | * Otherwise comment it out, or you will get a linker error of an unresolved symbol...
25 | * Turned on by default!
26 | */
27 |
28 | #if !(defined(DISTORM_STATIC) || defined(DISTORM_DYNAMIC))
29 | /* Define this macro for outer projects by default. */
30 | #define SUPPORT_64BIT_OFFSET
31 | #endif
32 |
33 | /* TINYC has a problem with some 64bits library functions, so ignore 64 bit offsets. */
34 | #ifdef __TINYC__
35 | #undef SUPPORT_64BIT_OFFSET
36 | #endif
37 |
38 | /* If your compiler doesn't support stdint.h, define your own 64 bits type. */
39 | #ifdef SUPPORT_64BIT_OFFSET
40 | #ifdef _MSC_VER
41 | #define OFFSET_INTEGER unsigned __int64
42 | #else
43 | #include
44 | #define OFFSET_INTEGER uint64_t
45 | #endif
46 | #else
47 | /* 32 bit offsets are used. */
48 | #define OFFSET_INTEGER unsigned long
49 | #endif
50 |
51 | #ifdef _MSC_VER
52 | /* Since MSVC isn't shipped with stdint.h, we will have our own: */
53 | typedef signed __int64 int64_t;
54 | typedef unsigned __int64 uint64_t;
55 | typedef signed __int32 int32_t;
56 | typedef unsigned __int32 uint32_t;
57 | typedef signed __int16 int16_t;
58 | typedef unsigned __int16 uint16_t;
59 | typedef signed __int8 int8_t;
60 | typedef unsigned __int8 uint8_t;
61 | #endif
62 |
63 | /* Support C++ compilers */
64 | #ifdef __cplusplus
65 | extern "C" {
66 | #endif
67 |
68 |
69 | /* *** Helper Macros *** */
70 |
71 | /* Get the ISC of the instruction, used with the definitions below. */
72 | #define META_GET_ISC(meta) (((meta) >> 3) & 0x1f)
73 | #define META_SET_ISC(di, isc) (((di)->meta) |= ((isc) << 3))
74 | /* Get the flow control flags of the instruction, see 'features for decompose' below. */
75 | #define META_GET_FC(meta) ((meta) & 0x7)
76 |
77 | /* Get the target address of a branching instruction. O_PC operand type. */
78 | #define INSTRUCTION_GET_TARGET(di) ((_OffsetType)(((di)->addr + (di)->imm.addr + (di)->size)))
79 | /* Get the target address of a RIP-relative memory indirection. */
80 | #define INSTRUCTION_GET_RIP_TARGET(di) ((_OffsetType)(((di)->addr + (di)->disp + (di)->size)))
81 |
82 | /*
83 | * Operand Size or Adderss size are stored inside the flags:
84 | * 00 - 16 bits
85 | * 01 - 32 bits
86 | * 10 - 64 bits
87 | * 11 - reserved
88 | *
89 | * If you call these set-macros more than once, you will have to clean the bits before doing so.
90 | */
91 | #define FLAG_SET_OPSIZE(di, size) ((di->flags) |= (((size) & 3) << 8))
92 | #define FLAG_SET_ADDRSIZE(di, size) ((di->flags) |= (((size) & 3) << 10))
93 | #define FLAG_GET_OPSIZE(flags) (((flags) >> 8) & 3)
94 | #define FLAG_GET_ADDRSIZE(flags) (((flags) >> 10) & 3)
95 | /* To get the LOCK/REPNZ/REP prefixes. */
96 | #define FLAG_GET_PREFIX(flags) ((flags) & 7)
97 | /* Indicates whether the instruction is privileged. */
98 | #define FLAG_GET_PRIVILEGED(flags) (((flags) & FLAG_PRIVILEGED_INSTRUCTION) != 0)
99 |
100 | /*
101 | * Macros to extract segment registers from 'segment':
102 | */
103 | #define SEGMENT_DEFAULT 0x80
104 | #define SEGMENT_SET(di, seg) ((di->segment) |= seg)
105 | #define SEGMENT_GET(segment) (((segment) == R_NONE) ? R_NONE : ((segment) & 0x7f))
106 | #define SEGMENT_IS_DEFAULT(segment) (((segment) & SEGMENT_DEFAULT) == SEGMENT_DEFAULT)
107 |
108 |
109 | /* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */
110 | typedef enum { Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2 } _DecodeType;
111 |
112 | typedef OFFSET_INTEGER _OffsetType;
113 |
114 | typedef struct {
115 | _OffsetType codeOffset, nextOffset; /* nextOffset is OUT only. */
116 | const uint8_t* code;
117 | int codeLen; /* Using signed integer makes it easier to detect an underflow. */
118 | _DecodeType dt;
119 | unsigned int features;
120 | } _CodeInfo;
121 |
122 | typedef enum { O_NONE, O_REG, O_IMM, O_IMM1, O_IMM2, O_DISP, O_SMEM, O_MEM, O_PC, O_PTR } _OperandType;
123 |
124 | typedef union {
125 | /* Used by O_IMM: */
126 | int8_t sbyte;
127 | uint8_t byte;
128 | int16_t sword;
129 | uint16_t word;
130 | int32_t sdword;
131 | uint32_t dword;
132 | int64_t sqword; /* All immediates are SIGN-EXTENDED to 64 bits! */
133 | uint64_t qword;
134 |
135 | /* Used by O_PC: (Use GET_TARGET_ADDR).*/
136 | _OffsetType addr; /* It's a relative offset as for now. */
137 |
138 | /* Used by O_PTR: */
139 | struct {
140 | uint16_t seg;
141 | /* Can be 16 or 32 bits, size is in ops[n].size. */
142 | uint32_t off;
143 | } ptr;
144 |
145 | /* Used by O_IMM1 (i1) and O_IMM2 (i2). ENTER instruction only. */
146 | struct {
147 | uint32_t i1;
148 | uint32_t i2;
149 | } ex;
150 | } _Value;
151 |
152 | typedef struct {
153 | /* Type of operand:
154 | O_NONE: operand is to be ignored.
155 | O_REG: index holds global register index.
156 | O_IMM: instruction.imm.
157 | O_IMM1: instruction.imm.ex.i1.
158 | O_IMM2: instruction.imm.ex.i2.
159 | O_DISP: memory dereference with displacement only, instruction.disp.
160 | O_SMEM: simple memory dereference with optional displacement (a single register memory dereference).
161 | O_MEM: complex memory dereference (optional fields: s/i/b/disp).
162 | O_PC: the relative address of a branch instruction (instruction.imm.addr).
163 | O_PTR: the absolute target address of a far branch instruction (instruction.imm.ptr.seg/off).
164 | */
165 | uint8_t type; /* _OperandType */
166 |
167 | /* Index of:
168 | O_REG: holds global register index
169 | O_SMEM: holds the 'base' register. E.G: [ECX], [EBX+0x1234] are both in operand.index.
170 | O_MEM: holds the 'index' register. E.G: [EAX*4] is in operand.index.
171 | */
172 | uint8_t index;
173 |
174 | /* Size in bits of:
175 | O_REG: register
176 | O_IMM: instruction.imm
177 | O_IMM1: instruction.imm.ex.i1
178 | O_IMM2: instruction.imm.ex.i2
179 | O_DISP: instruction.disp
180 | O_SMEM: size of indirection.
181 | O_MEM: size of indirection.
182 | O_PC: size of the relative offset
183 | O_PTR: size of instruction.imm.ptr.off (16 or 32)
184 | */
185 | uint16_t size;
186 | } _Operand;
187 |
188 | #define OPCODE_ID_NONE 0
189 | /* Instruction could not be disassembled. */
190 | #define FLAG_NOT_DECODABLE ((uint16_t)-1)
191 | /* The instruction locks memory access. */
192 | #define FLAG_LOCK (1 << 0)
193 | /* The instruction is prefixed with a REPNZ. */
194 | #define FLAG_REPNZ (1 << 1)
195 | /* The instruction is prefixed with a REP, this can be a REPZ, it depends on the specific instruction. */
196 | #define FLAG_REP (1 << 2)
197 | /* Indicates there is a hint taken for Jcc instructions only. */
198 | #define FLAG_HINT_TAKEN (1 << 3)
199 | /* Indicates there is a hint non-taken for Jcc instructions only. */
200 | #define FLAG_HINT_NOT_TAKEN (1 << 4)
201 | /* The Imm value is signed extended (E.G in 64 bit decoding mode, a 32 bit imm is usually sign extended into 64 bit imm). */
202 | #define FLAG_IMM_SIGNED (1 << 5)
203 | /* The destination operand is writable. */
204 | #define FLAG_DST_WR (1 << 6)
205 | /* The instruction uses RIP-relative indirection. */
206 | #define FLAG_RIP_RELATIVE (1 << 7)
207 |
208 | /* See flag FLAG_GET_XXX macros above. */
209 |
210 | /* The instruction is privileged and can only be used from Ring0. */
211 | #define FLAG_PRIVILEGED_INSTRUCTION (1 << 15)
212 |
213 | /* No register was defined. */
214 | #define R_NONE ((uint8_t)-1)
215 |
216 | #define REGS64_BASE 0
217 | #define REGS32_BASE 16
218 | #define REGS16_BASE 32
219 | #define REGS8_BASE 48
220 | #define REGS8_REX_BASE 64
221 | #define SREGS_BASE 68
222 | #define FPUREGS_BASE 75
223 | #define MMXREGS_BASE 83
224 | #define SSEREGS_BASE 91
225 | #define AVXREGS_BASE 107
226 | #define CREGS_BASE 123
227 | #define DREGS_BASE 132
228 |
229 | #define OPERANDS_NO (4)
230 |
231 | typedef struct {
232 | /* Used by ops[n].type == O_IMM/O_IMM1&O_IMM2/O_PTR/O_PC. Its size is ops[n].size. */
233 | _Value imm;
234 | /* Used by ops[n].type == O_SMEM/O_MEM/O_DISP. Its size is dispSize. */
235 | uint64_t disp;
236 | /* Virtual address of first byte of instruction. */
237 | _OffsetType addr;
238 | /* General flags of instruction, holds prefixes and more, if FLAG_NOT_DECODABLE, instruction is invalid. */
239 | uint16_t flags;
240 | /* Unused prefixes mask, for each bit that is set that prefix is not used (LSB is byte [addr + 0]). */
241 | uint16_t unusedPrefixesMask;
242 | /* Mask of registers that were used in the operands, only used for quick look up, in order to know *some* operand uses that register class. */
243 | uint32_t usedRegistersMask;
244 | /* ID of opcode in the global opcode table. Use for mnemonic look up. */
245 | uint16_t opcode;
246 | /* Up to four operands per instruction, ignored if ops[n].type == O_NONE. */
247 | _Operand ops[OPERANDS_NO];
248 | /* Size of the whole instruction in bytes. */
249 | uint8_t size;
250 | /* Segment information of memory indirection, default segment, or overriden one, can be -1. Use SEGMENT macros. */
251 | uint8_t segment;
252 | /* Used by ops[n].type == O_MEM. Base global register index (might be R_NONE), scale size (2/4/8), ignored for 0 or 1. */
253 | uint8_t base, scale;
254 | uint8_t dispSize;
255 | /* Meta defines the instruction set class, and the flow control flags. Use META macros. */
256 | uint8_t meta;
257 | /* The CPU flags that the instruction operates upon. */
258 | uint16_t modifiedFlagsMask, testedFlagsMask, undefinedFlagsMask;
259 | } _DInst;
260 |
261 | #ifndef DISTORM_LIGHT
262 |
263 | /* Static size of strings. Do not change this value. Keep Python wrapper in sync. */
264 | #define MAX_TEXT_SIZE (48)
265 | typedef struct {
266 | unsigned int length;
267 | unsigned char p[MAX_TEXT_SIZE]; /* p is a null terminated string. */
268 | } _WString;
269 |
270 | /*
271 | * Old decoded instruction structure in text format.
272 | * Used only for backward compatibility with diStorm64.
273 | * This structure holds all information the disassembler generates per instruction.
274 | */
275 | typedef struct {
276 | _WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
277 | _WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
278 | _WString instructionHex; /* Hex dump - little endian, including prefixes. */
279 | unsigned int size; /* Size of decoded instruction in bytes. */
280 | _OffsetType offset; /* Start offset of the decoded instruction. */
281 | } _DecodedInst;
282 |
283 | #endif /* DISTORM_LIGHT */
284 |
285 | /* Register masks for quick look up, each mask indicates one of a register-class that is being used in some operand. */
286 | #define RM_AX 1 /* AL, AH, AX, EAX, RAX */
287 | #define RM_CX 2 /* CL, CH, CX, ECX, RCX */
288 | #define RM_DX 4 /* DL, DH, DX, EDX, RDX */
289 | #define RM_BX 8 /* BL, BH, BX, EBX, RBX */
290 | #define RM_SP 0x10 /* SPL, SP, ESP, RSP */
291 | #define RM_BP 0x20 /* BPL, BP, EBP, RBP */
292 | #define RM_SI 0x40 /* SIL, SI, ESI, RSI */
293 | #define RM_DI 0x80 /* DIL, DI, EDI, RDI */
294 | #define RM_FPU 0x100 /* ST(0) - ST(7) */
295 | #define RM_MMX 0x200 /* MM0 - MM7 */
296 | #define RM_SSE 0x400 /* XMM0 - XMM15 */
297 | #define RM_AVX 0x800 /* YMM0 - YMM15 */
298 | #define RM_CR 0x1000 /* CR0, CR2, CR3, CR4, CR8 */
299 | #define RM_DR 0x2000 /* DR0, DR1, DR2, DR3, DR6, DR7 */
300 | #define RM_R8 0x4000 /* R8B, R8W, R8D, R8 */
301 | #define RM_R9 0x8000 /* R9B, R9W, R9D, R9 */
302 | #define RM_R10 0x10000 /* R10B, R10W, R10D, R10 */
303 | #define RM_R11 0x20000 /* R11B, R11W, R11D, R11 */
304 | #define RM_R12 0x40000 /* R12B, R12W, R12D, R12 */
305 | #define RM_R13 0x80000 /* R13B, R13W, R13D, R13 */
306 | #define RM_R14 0x100000 /* R14B, R14W, R14D, R14 */
307 | #define RM_R15 0x200000 /* R15B, R15W, R15D, R15 */
308 |
309 | /* RIP should be checked using the 'flags' field and FLAG_RIP_RELATIVE.
310 | * Segments should be checked using the segment macros.
311 | * For now R8 - R15 are not supported and non general purpose registers map into same RM.
312 | */
313 |
314 | /* CPU flags that instructions modify, test or undefine (are EFLAGS compatible!). */
315 | #define D_CF 1 /* Carry */
316 | #define D_PF 4 /* Parity */
317 | #define D_AF 0x10 /* Auxiliary */
318 | #define D_ZF 0x40 /* Zero */
319 | #define D_SF 0x80 /* Sign */
320 | #define D_IF 0x200 /* Interrupt */
321 | #define D_DF 0x400 /* Direction */
322 | #define D_OF 0x800 /* Overflow */
323 |
324 | /*
325 | * Instructions Set classes:
326 | * if you want a better understanding of the available classes, look at disOps project, file: x86sets.py.
327 | */
328 | /* Indicates the instruction belongs to the General Integer set. */
329 | #define ISC_INTEGER 1
330 | /* Indicates the instruction belongs to the 387 FPU set. */
331 | #define ISC_FPU 2
332 | /* Indicates the instruction belongs to the P6 set. */
333 | #define ISC_P6 3
334 | /* Indicates the instruction belongs to the MMX set. */
335 | #define ISC_MMX 4
336 | /* Indicates the instruction belongs to the SSE set. */
337 | #define ISC_SSE 5
338 | /* Indicates the instruction belongs to the SSE2 set. */
339 | #define ISC_SSE2 6
340 | /* Indicates the instruction belongs to the SSE3 set. */
341 | #define ISC_SSE3 7
342 | /* Indicates the instruction belongs to the SSSE3 set. */
343 | #define ISC_SSSE3 8
344 | /* Indicates the instruction belongs to the SSE4.1 set. */
345 | #define ISC_SSE4_1 9
346 | /* Indicates the instruction belongs to the SSE4.2 set. */
347 | #define ISC_SSE4_2 10
348 | /* Indicates the instruction belongs to the AMD's SSE4.A set. */
349 | #define ISC_SSE4_A 11
350 | /* Indicates the instruction belongs to the 3DNow! set. */
351 | #define ISC_3DNOW 12
352 | /* Indicates the instruction belongs to the 3DNow! Extensions set. */
353 | #define ISC_3DNOWEXT 13
354 | /* Indicates the instruction belongs to the VMX (Intel) set. */
355 | #define ISC_VMX 14
356 | /* Indicates the instruction belongs to the SVM (AMD) set. */
357 | #define ISC_SVM 15
358 | /* Indicates the instruction belongs to the AVX (Intel) set. */
359 | #define ISC_AVX 16
360 | /* Indicates the instruction belongs to the FMA (Intel) set. */
361 | #define ISC_FMA 17
362 | /* Indicates the instruction belongs to the AES/AVX (Intel) set. */
363 | #define ISC_AES 18
364 | /* Indicates the instruction belongs to the CLMUL (Intel) set. */
365 | #define ISC_CLMUL 19
366 |
367 | /* Features for decompose: */
368 | #define DF_NONE 0
369 | /* The decoder will limit addresses to a maximum of 16 bits. */
370 | #define DF_MAXIMUM_ADDR16 1
371 | /* The decoder will limit addresses to a maximum of 32 bits. */
372 | #define DF_MAXIMUM_ADDR32 2
373 | /* The decoder will return only flow control instructions (and filter the others internally). */
374 | #define DF_RETURN_FC_ONLY 4
375 | /* The decoder will stop and return to the caller when the instruction 'CALL' (near and far) was decoded. */
376 | #define DF_STOP_ON_CALL 8
377 | /* The decoder will stop and return to the caller when the instruction 'RET' (near and far) was decoded. */
378 | #define DF_STOP_ON_RET 0x10
379 | /* The decoder will stop and return to the caller when the instruction system-call/ret was decoded. */
380 | #define DF_STOP_ON_SYS 0x20
381 | /* The decoder will stop and return to the caller when any of the branch 'JMP', (near and far) instructions were decoded. */
382 | #define DF_STOP_ON_UNC_BRANCH 0x40
383 | /* The decoder will stop and return to the caller when any of the conditional branch instruction were decoded. */
384 | #define DF_STOP_ON_CND_BRANCH 0x80
385 | /* The decoder will stop and return to the caller when the instruction 'INT' (INT, INT1, INTO, INT 3) was decoded. */
386 | #define DF_STOP_ON_INT 0x100
387 | /* The decoder will stop and return to the caller when any of the 'CMOVxx' instruction was decoded. */
388 | #define DF_STOP_ON_CMOV 0x200
389 | /* The decoder will stop and return to the caller when any flow control instruction was decoded. */
390 | #define DF_STOP_ON_FLOW_CONTROL (DF_STOP_ON_CALL | DF_STOP_ON_RET | DF_STOP_ON_SYS | DF_STOP_ON_UNC_BRANCH | DF_STOP_ON_CND_BRANCH | DF_STOP_ON_INT | DF_STOP_ON_CMOV)
391 |
392 | /* Indicates the instruction is not a flow-control instruction. */
393 | #define FC_NONE 0
394 | /* Indicates the instruction is one of: CALL, CALL FAR. */
395 | #define FC_CALL 1
396 | /* Indicates the instruction is one of: RET, IRET, RETF. */
397 | #define FC_RET 2
398 | /* Indicates the instruction is one of: SYSCALL, SYSRET, SYSENTER, SYSEXIT. */
399 | #define FC_SYS 3
400 | /* Indicates the instruction is one of: JMP, JMP FAR. */
401 | #define FC_UNC_BRANCH 4
402 | /*
403 | * Indicates the instruction is one of:
404 | * JCXZ, JO, JNO, JB, JAE, JZ, JNZ, JBE, JA, JS, JNS, JP, JNP, JL, JGE, JLE, JG, LOOP, LOOPZ, LOOPNZ.
405 | */
406 | #define FC_CND_BRANCH 5
407 | /* Indiciates the instruction is one of: INT, INT1, INT 3, INTO, UD2. */
408 | #define FC_INT 6
409 | /* Indicates the instruction is one of: CMOVxx. */
410 | #define FC_CMOV 7
411 |
412 | /* Return code of the decoding function. */
413 | typedef enum { DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR, DECRES_FILTERED } _DecodeResult;
414 |
415 | /* Define the following interface functions only for outer projects. */
416 | #if !(defined(DISTORM_STATIC) || defined(DISTORM_DYNAMIC))
417 |
418 | /* distorm_decode
419 | * Input:
420 | * offset - Origin of the given code (virtual address that is), NOT an offset in code.
421 | * code - Pointer to the code buffer to be disassembled.
422 | * length - Amount of bytes that should be decoded from the code buffer.
423 | * dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits).
424 | * result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions.
425 | * maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound.
426 | * usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array.
427 | * Output: usedInstructionsCount will hold the number of entries used in the result array
428 | * and the result array itself will be filled with the disassembled instructions.
429 | * Return: DECRES_SUCCESS on success (no more to disassemble), DECRES_INPUTERR on input error (null code buffer, invalid decoding mode, etc...),
430 | * DECRES_MEMORYERR when there are not enough entries to use in the result array, BUT YOU STILL have to check for usedInstructionsCount!
431 | * Side-Effects: Even if the return code is DECRES_MEMORYERR, there might STILL be data in the
432 | * array you passed, this function will try to use as much entries as possible!
433 | * Notes: 1)The minimal size of maxInstructions is 15.
434 | * 2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block!
435 | */
436 |
437 | /* distorm_decompose
438 | * See more documentation online at the GitHub project's wiki.
439 | *
440 | */
441 | #ifdef SUPPORT_64BIT_OFFSET
442 |
443 | _DecodeResult distorm_decompose64(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
444 | #define distorm_decompose distorm_decompose64
445 |
446 | #ifndef DISTORM_LIGHT
447 | /* If distorm-light is defined, we won't export these text-formatting functionality. */
448 | _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
449 | void distorm_format64(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
450 | #define distorm_decode distorm_decode64
451 | #define distorm_format distorm_format64
452 | #endif /*DISTORM_LIGHT*/
453 |
454 | #else /*SUPPORT_64BIT_OFFSET*/
455 |
456 | _DecodeResult distorm_decompose32(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
457 | #define distorm_decompose distorm_decompose32
458 |
459 | #ifndef DISTORM_LIGHT
460 | /* If distorm-light is defined, we won't export these text-formatting functionality. */
461 | _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
462 | void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
463 | #define distorm_decode distorm_decode32
464 | #define distorm_format distorm_format32
465 | #endif /*DISTORM_LIGHT*/
466 |
467 | #endif
468 |
469 | /*
470 | * distorm_version
471 | * Input:
472 | * none
473 | *
474 | * Output: unsigned int - version of compiled library.
475 | */
476 | unsigned int distorm_version(void);
477 |
478 | #endif /* DISTORM_STATIC */
479 |
480 | #ifdef __cplusplus
481 | } /* End Of Extern */
482 | #endif
483 |
484 | #endif /* DISTORM_H */
485 |
--------------------------------------------------------------------------------
/kemon/distorm/include/mnemonics.h:
--------------------------------------------------------------------------------
1 | /*
2 | mnemonics.h
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #ifndef MNEMONICS_H
13 | #define MNEMONICS_H
14 |
15 | #ifdef __cplusplus
16 | extern "C" {
17 | #endif
18 |
19 | #ifndef DISTORM_LIGHT
20 |
21 | typedef struct WMnemonic {
22 | unsigned char length;
23 | unsigned char p[1]; /* p is a null terminated string, which contains 'length' characters. */
24 | } _WMnemonic;
25 |
26 | typedef struct WRegister {
27 | unsigned int length;
28 | unsigned char p[6]; /* p is a null terminated string. */
29 | } _WRegister;
30 |
31 | extern const unsigned char _MNEMONICS[];
32 | extern const _WRegister _REGISTERS[];
33 |
34 | #endif /* DISTORM_LIGHT */
35 |
36 | #ifdef __cplusplus
37 | } /* End Of Extern */
38 | #endif
39 |
40 | #define GET_REGISTER_NAME(r) (unsigned char*)_REGISTERS[(r)].p
41 | #define GET_MNEMONIC_NAME(m) ((_WMnemonic*)&_MNEMONICS[(m)])->p
42 |
43 | typedef enum {
44 | I_UNDEFINED = 0, I_AAA = 66, I_AAD = 389, I_AAM = 384, I_AAS = 76, I_ADC = 31, I_ADD = 11, I_ADDPD = 3132,
45 | I_ADDPS = 3125, I_ADDSD = 3146, I_ADDSS = 3139, I_ADDSUBPD = 6416, I_ADDSUBPS = 6426,
46 | I_AESDEC = 9231, I_AESDECLAST = 9248, I_AESENC = 9189, I_AESENCLAST = 9206,
47 | I_AESIMC = 9172, I_AESKEYGENASSIST = 9817, I_AND = 41, I_ANDNPD = 3043, I_ANDNPS = 3035,
48 | I_ANDPD = 3012, I_ANDPS = 3005, I_ARPL = 111, I_BLENDPD = 9394, I_BLENDPS = 9375,
49 | I_BLENDVPD = 7641, I_BLENDVPS = 7631, I_BOUND = 104, I_BSF = 4368, I_BSR = 4380,
50 | I_BSWAP = 960, I_BT = 872, I_BTC = 934, I_BTR = 912, I_BTS = 887, I_CALL = 456,
51 | I_CALL_FAR = 260, I_CBW = 228, I_CDQ = 250, I_CDQE = 239, I_CLC = 492, I_CLD = 512,
52 | I_CLFLUSH = 4351, I_CLGI = 1855, I_CLI = 502, I_CLTS = 541, I_CMC = 487, I_CMOVA = 694,
53 | I_CMOVAE = 663, I_CMOVB = 656, I_CMOVBE = 686, I_CMOVG = 754, I_CMOVGE = 738,
54 | I_CMOVL = 731, I_CMOVLE = 746, I_CMOVNO = 648, I_CMOVNP = 723, I_CMOVNS = 708,
55 | I_CMOVNZ = 678, I_CMOVO = 641, I_CMOVP = 716, I_CMOVS = 701, I_CMOVZ = 671,
56 | I_CMP = 71, I_CMPEQPD = 4471, I_CMPEQPS = 4392, I_CMPEQSD = 4629, I_CMPEQSS = 4550,
57 | I_CMPLEPD = 4489, I_CMPLEPS = 4410, I_CMPLESD = 4647, I_CMPLESS = 4568, I_CMPLTPD = 4480,
58 | I_CMPLTPS = 4401, I_CMPLTSD = 4638, I_CMPLTSS = 4559, I_CMPNEQPD = 4510, I_CMPNEQPS = 4431,
59 | I_CMPNEQSD = 4668, I_CMPNEQSS = 4589, I_CMPNLEPD = 4530, I_CMPNLEPS = 4451,
60 | I_CMPNLESD = 4688, I_CMPNLESS = 4609, I_CMPNLTPD = 4520, I_CMPNLTPS = 4441,
61 | I_CMPNLTSD = 4678, I_CMPNLTSS = 4599, I_CMPORDPD = 4540, I_CMPORDPS = 4461,
62 | I_CMPORDSD = 4698, I_CMPORDSS = 4619, I_CMPS = 301, I_CMPUNORDPD = 4498, I_CMPUNORDPS = 4419,
63 | I_CMPUNORDSD = 4656, I_CMPUNORDSS = 4577, I_CMPXCHG = 898, I_CMPXCHG16B = 6395,
64 | I_CMPXCHG8B = 6384, I_COMISD = 2801, I_COMISS = 2793, I_CPUID = 865, I_CQO = 255,
65 | I_CRC32 = 9280, I_CVTDQ2PD = 6809, I_CVTDQ2PS = 3329, I_CVTPD2DQ = 6819, I_CVTPD2PI = 2703,
66 | I_CVTPD2PS = 3255, I_CVTPH2PS = 4183, I_CVTPI2PD = 2517, I_CVTPI2PS = 2507,
67 | I_CVTPS2DQ = 3339, I_CVTPS2PD = 3245, I_CVTPS2PH = 4193, I_CVTPS2PI = 2693,
68 | I_CVTSD2SI = 2723, I_CVTSD2SS = 3275, I_CVTSI2SD = 2537, I_CVTSI2SS = 2527,
69 | I_CVTSS2SD = 3265, I_CVTSS2SI = 2713, I_CVTTPD2DQ = 6798, I_CVTTPD2PI = 2636,
70 | I_CVTTPS2DQ = 3349, I_CVTTPS2PI = 2625, I_CVTTSD2SI = 2658, I_CVTTSS2SI = 2647,
71 | I_CWD = 245, I_CWDE = 233, I_DAA = 46, I_DAS = 56, I_DEC = 86, I_DIV = 1646,
72 | I_DIVPD = 3521, I_DIVPS = 3514, I_DIVSD = 3535, I_DIVSS = 3528, I_DPPD = 9637,
73 | I_DPPS = 9624, I_EMMS = 4122, I_ENTER = 340, I_EXTRACTPS = 9502, I_EXTRQ = 4158,
74 | I_F2XM1 = 1192, I_FABS = 1123, I_FADD = 1023, I_FADDP = 1549, I_FBLD = 1601,
75 | I_FBSTP = 1607, I_FCHS = 1117, I_FCLEX = 7311, I_FCMOVB = 1376, I_FCMOVBE = 1392,
76 | I_FCMOVE = 1384, I_FCMOVNB = 1445, I_FCMOVNBE = 1463, I_FCMOVNE = 1454, I_FCMOVNU = 1473,
77 | I_FCMOVU = 1401, I_FCOM = 1035, I_FCOMI = 1512, I_FCOMIP = 1623, I_FCOMP = 1041,
78 | I_FCOMPP = 1563, I_FCOS = 1311, I_FDECSTP = 1238, I_FDIV = 1061, I_FDIVP = 1594,
79 | I_FDIVR = 1067, I_FDIVRP = 1586, I_FEDISI = 1488, I_FEMMS = 574, I_FENI = 1482,
80 | I_FFREE = 1527, I_FIADD = 1317, I_FICOM = 1331, I_FICOMP = 1338, I_FIDIV = 1361,
81 | I_FIDIVR = 1368, I_FILD = 1418, I_FIMUL = 1324, I_FINCSTP = 1247, I_FINIT = 7326,
82 | I_FIST = 1432, I_FISTP = 1438, I_FISTTP = 1424, I_FISUB = 1346, I_FISUBR = 1353,
83 | I_FLD = 1074, I_FLD1 = 1141, I_FLDCW = 1098, I_FLDENV = 1090, I_FLDL2E = 1155,
84 | I_FLDL2T = 1147, I_FLDLG2 = 1170, I_FLDLN2 = 1178, I_FLDPI = 1163, I_FLDZ = 1186,
85 | I_FMUL = 1029, I_FMULP = 1556, I_FNCLEX = 7303, I_FNINIT = 7318, I_FNOP = 1111,
86 | I_FNSAVE = 7333, I_FNSTCW = 7288, I_FNSTENV = 7271, I_FNSTSW = 7348, I_FPATAN = 1213,
87 | I_FPREM = 1256, I_FPREM1 = 1230, I_FPTAN = 1206, I_FRNDINT = 1288, I_FRSTOR = 1519,
88 | I_FSAVE = 7341, I_FSCALE = 1297, I_FSETPM = 1496, I_FSIN = 1305, I_FSINCOS = 1279,
89 | I_FSQRT = 1272, I_FST = 1079, I_FSTCW = 7296, I_FSTENV = 7280, I_FSTP = 1084,
90 | I_FSTSW = 7356, I_FSUB = 1048, I_FSUBP = 1579, I_FSUBR = 1054, I_FSUBRP = 1571,
91 | I_FTST = 1129, I_FUCOM = 1534, I_FUCOMI = 1504, I_FUCOMIP = 1614, I_FUCOMP = 1541,
92 | I_FUCOMPP = 1409, I_FXAM = 1135, I_FXCH = 1105, I_FXRSTOR = 9914, I_FXRSTOR64 = 9923,
93 | I_FXSAVE = 9886, I_FXSAVE64 = 9894, I_FXTRACT = 1221, I_FYL2X = 1199, I_FYL2XP1 = 1263,
94 | I_GETSEC = 633, I_HADDPD = 4203, I_HADDPS = 4211, I_HLT = 482, I_HSUBPD = 4237,
95 | I_HSUBPS = 4245, I_IDIV = 1651, I_IMUL = 117, I_IN = 447, I_INC = 81, I_INS = 123,
96 | I_INSERTPS = 9569, I_INSERTQ = 4165, I_INT = 367, I_INT_3 = 360, I_INT1 = 476,
97 | I_INTO = 372, I_INVD = 555, I_INVEPT = 8306, I_INVLPG = 1727, I_INVLPGA = 1869,
98 | I_INVPCID = 8323, I_INVVPID = 8314, I_IRET = 378, I_JA = 166, I_JAE = 147,
99 | I_JB = 143, I_JBE = 161, I_JCXZ = 427, I_JECXZ = 433, I_JG = 202, I_JGE = 192,
100 | I_JL = 188, I_JLE = 197, I_JMP = 462, I_JMP_FAR = 467, I_JNO = 138, I_JNP = 183,
101 | I_JNS = 174, I_JNZ = 156, I_JO = 134, I_JP = 179, I_JRCXZ = 440, I_JS = 170,
102 | I_JZ = 152, I_LAHF = 289, I_LAR = 522, I_LDDQU = 7016, I_LDMXCSR = 9944, I_LDS = 335,
103 | I_LEA = 223, I_LEAVE = 347, I_LES = 330, I_LFENCE = 4287, I_LFS = 917, I_LGDT = 1703,
104 | I_LGS = 922, I_LIDT = 1709, I_LLDT = 1668, I_LMSW = 1721, I_LODS = 313, I_LOOP = 421,
105 | I_LOOPNZ = 406, I_LOOPZ = 414, I_LSL = 527, I_LSS = 907, I_LTR = 1674, I_LZCNT = 4385,
106 | I_MASKMOVDQU = 7141, I_MASKMOVQ = 7131, I_MAXPD = 3581, I_MAXPS = 3574, I_MAXSD = 3595,
107 | I_MAXSS = 3588, I_MFENCE = 4313, I_MINPD = 3461, I_MINPS = 3454, I_MINSD = 3475,
108 | I_MINSS = 3468, I_MONITOR = 1771, I_MOV = 218, I_MOVAPD = 2481, I_MOVAPS = 2473,
109 | I_MOVBE = 9273, I_MOVD = 3942, I_MOVDDUP = 2208, I_MOVDQ2Q = 6544, I_MOVDQA = 3968,
110 | I_MOVDQU = 3976, I_MOVHLPS = 2173, I_MOVHPD = 2367, I_MOVHPS = 2359, I_MOVLHPS = 2350,
111 | I_MOVLPD = 2190, I_MOVLPS = 2182, I_MOVMSKPD = 2837, I_MOVMSKPS = 2827, I_MOVNTDQ = 6871,
112 | I_MOVNTDQA = 7917, I_MOVNTI = 952, I_MOVNTPD = 2578, I_MOVNTPS = 2569, I_MOVNTQ = 6863,
113 | I_MOVNTSD = 2596, I_MOVNTSS = 2587, I_MOVQ = 3948, I_MOVQ2DQ = 6535, I_MOVS = 295,
114 | I_MOVSD = 2132, I_MOVSHDUP = 2375, I_MOVSLDUP = 2198, I_MOVSS = 2125, I_MOVSX = 939,
115 | I_MOVSXD = 10027, I_MOVUPD = 2117, I_MOVUPS = 2109, I_MOVZX = 927, I_MPSADBW = 9650,
116 | I_MUL = 1641, I_MULPD = 3192, I_MULPS = 3185, I_MULSD = 3206, I_MULSS = 3199,
117 | I_MWAIT = 1780, I_NEG = 1636, I_NOP = 581, I_NOT = 1631, I_OR = 27, I_ORPD = 3075,
118 | I_ORPS = 3069, I_OUT = 451, I_OUTS = 128, I_PABSB = 7710, I_PABSD = 7740, I_PABSW = 7725,
119 | I_PACKSSDW = 3871, I_PACKSSWB = 3703, I_PACKUSDW = 7938, I_PACKUSWB = 3781,
120 | I_PADDB = 7226, I_PADDD = 7256, I_PADDQ = 6503, I_PADDSB = 6952, I_PADDSW = 6969,
121 | I_PADDUSB = 6642, I_PADDUSW = 6661, I_PADDW = 7241, I_PALIGNR = 9432, I_PAND = 6629,
122 | I_PANDN = 6687, I_PAUSE = 10035, I_PAVGB = 6702, I_PAVGUSB = 2100, I_PAVGW = 6747,
123 | I_PBLENDVB = 7621, I_PBLENDW = 9413, I_PCLMULQDQ = 9669, I_PCMPEQB = 4065,
124 | I_PCMPEQD = 4103, I_PCMPEQQ = 7898, I_PCMPEQW = 4084, I_PCMPESTRI = 9748,
125 | I_PCMPESTRM = 9725, I_PCMPGTB = 3724, I_PCMPGTD = 3762, I_PCMPGTQ = 8109,
126 | I_PCMPGTW = 3743, I_PCMPISTRI = 9794, I_PCMPISTRM = 9771, I_PEXTRB = 9451,
127 | I_PEXTRD = 9468, I_PEXTRQ = 9476, I_PEXTRW = 6333, I_PF2ID = 1936, I_PF2IW = 1929,
128 | I_PFACC = 2050, I_PFADD = 1999, I_PFCMPEQ = 2057, I_PFCMPGE = 1960, I_PFCMPGT = 2006,
129 | I_PFMAX = 2015, I_PFMIN = 1969, I_PFMUL = 2066, I_PFNACC = 1943, I_PFPNACC = 1951,
130 | I_PFRCP = 1976, I_PFRCPIT1 = 2022, I_PFRCPIT2 = 2073, I_PFRSQIT1 = 2032, I_PFRSQRT = 1983,
131 | I_PFSUB = 1992, I_PFSUBR = 2042, I_PHADDD = 7397, I_PHADDSW = 7414, I_PHADDW = 7380,
132 | I_PHMINPOSUW = 8281, I_PHSUBD = 7473, I_PHSUBSW = 7490, I_PHSUBW = 7456, I_PI2FD = 1922,
133 | I_PI2FW = 1915, I_PINSRB = 9552, I_PINSRD = 9590, I_PINSRQ = 9598, I_PINSRW = 6316,
134 | I_PMADDUBSW = 7433, I_PMADDWD = 7095, I_PMAXSB = 8196, I_PMAXSD = 8213, I_PMAXSW = 6986,
135 | I_PMAXUB = 6670, I_PMAXUD = 8247, I_PMAXUW = 8230, I_PMINSB = 8128, I_PMINSD = 8145,
136 | I_PMINSW = 6924, I_PMINUB = 6612, I_PMINUD = 8179, I_PMINUW = 8162, I_PMOVMSKB = 6553,
137 | I_PMOVSXBD = 7776, I_PMOVSXBQ = 7797, I_PMOVSXBW = 7755, I_PMOVSXDQ = 7860,
138 | I_PMOVSXWD = 7818, I_PMOVSXWQ = 7839, I_PMOVZXBD = 8004, I_PMOVZXBQ = 8025,
139 | I_PMOVZXBW = 7983, I_PMOVZXDQ = 8088, I_PMOVZXWD = 8046, I_PMOVZXWQ = 8067,
140 | I_PMULDQ = 7881, I_PMULHRSW = 7560, I_PMULHRW = 2083, I_PMULHUW = 6762, I_PMULHW = 6781,
141 | I_PMULLD = 8264, I_PMULLW = 6518, I_PMULUDQ = 7076, I_POP = 22, I_POPA = 98,
142 | I_POPCNT = 4360, I_POPF = 277, I_POR = 6941, I_PREFETCH = 1894, I_PREFETCHNTA = 2424,
143 | I_PREFETCHT0 = 2437, I_PREFETCHT1 = 2449, I_PREFETCHT2 = 2461, I_PREFETCHW = 1904,
144 | I_PSADBW = 7114, I_PSHUFB = 7363, I_PSHUFD = 4010, I_PSHUFHW = 4018, I_PSHUFLW = 4027,
145 | I_PSHUFW = 4002, I_PSIGNB = 7509, I_PSIGND = 7543, I_PSIGNW = 7526, I_PSLLD = 7046,
146 | I_PSLLDQ = 9869, I_PSLLQ = 7061, I_PSLLW = 7031, I_PSRAD = 6732, I_PSRAW = 6717,
147 | I_PSRLD = 6473, I_PSRLDQ = 9852, I_PSRLQ = 6488, I_PSRLW = 6458, I_PSUBB = 7166,
148 | I_PSUBD = 7196, I_PSUBQ = 7211, I_PSUBSB = 6890, I_PSUBSW = 6907, I_PSUBUSB = 6574,
149 | I_PSUBUSW = 6593, I_PSUBW = 7181, I_PSWAPD = 2092, I_PTEST = 7651, I_PUNPCKHBW = 3802,
150 | I_PUNPCKHDQ = 3848, I_PUNPCKHQDQ = 3917, I_PUNPCKHWD = 3825, I_PUNPCKLBW = 3634,
151 | I_PUNPCKLDQ = 3680, I_PUNPCKLQDQ = 3892, I_PUNPCKLWD = 3657, I_PUSH = 16,
152 | I_PUSHA = 91, I_PUSHF = 270, I_PXOR = 7003, I_RCL = 977, I_RCPPS = 2975, I_RCPSS = 2982,
153 | I_RCR = 982, I_RDFSBASE = 9904, I_RDGSBASE = 9934, I_RDMSR = 600, I_RDPMC = 607,
154 | I_RDRAND = 10048, I_RDTSC = 593, I_RDTSCP = 1886, I_RET = 325, I_RETF = 354,
155 | I_ROL = 967, I_ROR = 972, I_ROUNDPD = 9318, I_ROUNDPS = 9299, I_ROUNDSD = 9356,
156 | I_ROUNDSS = 9337, I_RSM = 882, I_RSQRTPS = 2937, I_RSQRTSS = 2946, I_SAHF = 283,
157 | I_SAL = 997, I_SALC = 394, I_SAR = 1002, I_SBB = 36, I_SCAS = 319, I_SETA = 807,
158 | I_SETAE = 780, I_SETB = 774, I_SETBE = 800, I_SETG = 859, I_SETGE = 845, I_SETL = 839,
159 | I_SETLE = 852, I_SETNO = 767, I_SETNP = 832, I_SETNS = 819, I_SETNZ = 793,
160 | I_SETO = 761, I_SETP = 826, I_SETS = 813, I_SETZ = 787, I_SFENCE = 4343, I_SGDT = 1691,
161 | I_SHL = 987, I_SHLD = 876, I_SHR = 992, I_SHRD = 892, I_SHUFPD = 6358, I_SHUFPS = 6350,
162 | I_SIDT = 1697, I_SKINIT = 1861, I_SLDT = 1657, I_SMSW = 1715, I_SQRTPD = 2877,
163 | I_SQRTPS = 2869, I_SQRTSD = 2893, I_SQRTSS = 2885, I_STC = 497, I_STD = 517,
164 | I_STGI = 1849, I_STI = 507, I_STMXCSR = 9973, I_STOS = 307, I_STR = 1663, I_SUB = 51,
165 | I_SUBPD = 3401, I_SUBPS = 3394, I_SUBSD = 3415, I_SUBSS = 3408, I_SWAPGS = 1878,
166 | I_SYSCALL = 532, I_SYSENTER = 614, I_SYSEXIT = 624, I_SYSRET = 547, I_TEST = 206,
167 | I_TZCNT = 4373, I_UCOMISD = 2764, I_UCOMISS = 2755, I_UD2 = 569, I_UNPCKHPD = 2318,
168 | I_UNPCKHPS = 2308, I_UNPCKLPD = 2276, I_UNPCKLPS = 2266, I_VADDPD = 3161,
169 | I_VADDPS = 3153, I_VADDSD = 3177, I_VADDSS = 3169, I_VADDSUBPD = 6436, I_VADDSUBPS = 6447,
170 | I_VAESDEC = 9239, I_VAESDECLAST = 9260, I_VAESENC = 9197, I_VAESENCLAST = 9218,
171 | I_VAESIMC = 9180, I_VAESKEYGENASSIST = 9834, I_VANDNPD = 3060, I_VANDNPS = 3051,
172 | I_VANDPD = 3027, I_VANDPS = 3019, I_VBLENDPD = 9403, I_VBLENDPS = 9384, I_VBLENDVPD = 9703,
173 | I_VBLENDVPS = 9692, I_VBROADCASTF128 = 7694, I_VBROADCASTSD = 7680, I_VBROADCASTSS = 7666,
174 | I_VCMPEQPD = 5110, I_VCMPEQPS = 4708, I_VCMPEQSD = 5914, I_VCMPEQSS = 5512,
175 | I_VCMPEQ_OSPD = 5291, I_VCMPEQ_OSPS = 4889, I_VCMPEQ_OSSD = 6095, I_VCMPEQ_OSSS = 5693,
176 | I_VCMPEQ_UQPD = 5197, I_VCMPEQ_UQPS = 4795, I_VCMPEQ_UQSD = 6001, I_VCMPEQ_UQSS = 5599,
177 | I_VCMPEQ_USPD = 5400, I_VCMPEQ_USPS = 4998, I_VCMPEQ_USSD = 6204, I_VCMPEQ_USSS = 5802,
178 | I_VCMPFALSEPD = 5232, I_VCMPFALSEPS = 4830, I_VCMPFALSESD = 6036, I_VCMPFALSESS = 5634,
179 | I_VCMPFALSE_OSPD = 5441, I_VCMPFALSE_OSPS = 5039, I_VCMPFALSE_OSSD = 6245,
180 | I_VCMPFALSE_OSSS = 5843, I_VCMPGEPD = 5259, I_VCMPGEPS = 4857, I_VCMPGESD = 6063,
181 | I_VCMPGESS = 5661, I_VCMPGE_OQPD = 5471, I_VCMPGE_OQPS = 5069, I_VCMPGE_OQSD = 6275,
182 | I_VCMPGE_OQSS = 5873, I_VCMPGTPD = 5269, I_VCMPGTPS = 4867, I_VCMPGTSD = 6073,
183 | I_VCMPGTSS = 5671, I_VCMPGT_OQPD = 5484, I_VCMPGT_OQPS = 5082, I_VCMPGT_OQSD = 6288,
184 | I_VCMPGT_OQSS = 5886, I_VCMPLEPD = 5130, I_VCMPLEPS = 4728, I_VCMPLESD = 5934,
185 | I_VCMPLESS = 5532, I_VCMPLE_OQPD = 5317, I_VCMPLE_OQPS = 4915, I_VCMPLE_OQSD = 6121,
186 | I_VCMPLE_OQSS = 5719, I_VCMPLTPD = 5120, I_VCMPLTPS = 4718, I_VCMPLTSD = 5924,
187 | I_VCMPLTSS = 5522, I_VCMPLT_OQPD = 5304, I_VCMPLT_OQPS = 4902, I_VCMPLT_OQSD = 6108,
188 | I_VCMPLT_OQSS = 5706, I_VCMPNEQPD = 5153, I_VCMPNEQPS = 4751, I_VCMPNEQSD = 5957,
189 | I_VCMPNEQSS = 5555, I_VCMPNEQ_OQPD = 5245, I_VCMPNEQ_OQPS = 4843, I_VCMPNEQ_OQSD = 6049,
190 | I_VCMPNEQ_OQSS = 5647, I_VCMPNEQ_OSPD = 5457, I_VCMPNEQ_OSPS = 5055, I_VCMPNEQ_OSSD = 6261,
191 | I_VCMPNEQ_OSSS = 5859, I_VCMPNEQ_USPD = 5345, I_VCMPNEQ_USPS = 4943, I_VCMPNEQ_USSD = 6149,
192 | I_VCMPNEQ_USSS = 5747, I_VCMPNGEPD = 5210, I_VCMPNGEPS = 4808, I_VCMPNGESD = 6014,
193 | I_VCMPNGESS = 5612, I_VCMPNGE_UQPD = 5413, I_VCMPNGE_UQPS = 5011, I_VCMPNGE_UQSD = 6217,
194 | I_VCMPNGE_UQSS = 5815, I_VCMPNGTPD = 5221, I_VCMPNGTPS = 4819, I_VCMPNGTSD = 6025,
195 | I_VCMPNGTSS = 5623, I_VCMPNGT_UQPD = 5427, I_VCMPNGT_UQPS = 5025, I_VCMPNGT_UQSD = 6231,
196 | I_VCMPNGT_UQSS = 5829, I_VCMPNLEPD = 5175, I_VCMPNLEPS = 4773, I_VCMPNLESD = 5979,
197 | I_VCMPNLESS = 5577, I_VCMPNLE_UQPD = 5373, I_VCMPNLE_UQPS = 4971, I_VCMPNLE_UQSD = 6177,
198 | I_VCMPNLE_UQSS = 5775, I_VCMPNLTPD = 5164, I_VCMPNLTPS = 4762, I_VCMPNLTSD = 5968,
199 | I_VCMPNLTSS = 5566, I_VCMPNLT_UQPD = 5359, I_VCMPNLT_UQPS = 4957, I_VCMPNLT_UQSD = 6163,
200 | I_VCMPNLT_UQSS = 5761, I_VCMPORDPD = 5186, I_VCMPORDPS = 4784, I_VCMPORDSD = 5990,
201 | I_VCMPORDSS = 5588, I_VCMPORD_SPD = 5387, I_VCMPORD_SPS = 4985, I_VCMPORD_SSD = 6191,
202 | I_VCMPORD_SSS = 5789, I_VCMPTRUEPD = 5279, I_VCMPTRUEPS = 4877, I_VCMPTRUESD = 6083,
203 | I_VCMPTRUESS = 5681, I_VCMPTRUE_USPD = 5497, I_VCMPTRUE_USPS = 5095, I_VCMPTRUE_USSD = 6301,
204 | I_VCMPTRUE_USSS = 5899, I_VCMPUNORDPD = 5140, I_VCMPUNORDPS = 4738, I_VCMPUNORDSD = 5944,
205 | I_VCMPUNORDSS = 5542, I_VCMPUNORD_SPD = 5330, I_VCMPUNORD_SPS = 4928, I_VCMPUNORD_SSD = 6134,
206 | I_VCMPUNORD_SSS = 5732, I_VCOMISD = 2818, I_VCOMISS = 2809, I_VCVTDQ2PD = 6841,
207 | I_VCVTDQ2PS = 3360, I_VCVTPD2DQ = 6852, I_VCVTPD2PS = 3296, I_VCVTPS2DQ = 3371,
208 | I_VCVTPS2PD = 3285, I_VCVTSD2SI = 2744, I_VCVTSD2SS = 3318, I_VCVTSI2SD = 2558,
209 | I_VCVTSI2SS = 2547, I_VCVTSS2SD = 3307, I_VCVTSS2SI = 2733, I_VCVTTPD2DQ = 6829,
210 | I_VCVTTPS2DQ = 3382, I_VCVTTSD2SI = 2681, I_VCVTTSS2SI = 2669, I_VDIVPD = 3550,
211 | I_VDIVPS = 3542, I_VDIVSD = 3566, I_VDIVSS = 3558, I_VDPPD = 9643, I_VDPPS = 9630,
212 | I_VERR = 1679, I_VERW = 1685, I_VEXTRACTF128 = 9538, I_VEXTRACTPS = 9513,
213 | I_VFMADD132PD = 8409, I_VFMADD132PS = 8396, I_VFMADD132SD = 8435, I_VFMADD132SS = 8422,
214 | I_VFMADD213PD = 8689, I_VFMADD213PS = 8676, I_VFMADD213SD = 8715, I_VFMADD213SS = 8702,
215 | I_VFMADD231PD = 8969, I_VFMADD231PS = 8956, I_VFMADD231SD = 8995, I_VFMADD231SS = 8982,
216 | I_VFMADDSUB132PD = 8348, I_VFMADDSUB132PS = 8332, I_VFMADDSUB213PD = 8628,
217 | I_VFMADDSUB213PS = 8612, I_VFMADDSUB231PD = 8908, I_VFMADDSUB231PS = 8892,
218 | I_VFMSUB132PD = 8461, I_VFMSUB132PS = 8448, I_VFMSUB132SD = 8487, I_VFMSUB132SS = 8474,
219 | I_VFMSUB213PD = 8741, I_VFMSUB213PS = 8728, I_VFMSUB213SD = 8767, I_VFMSUB213SS = 8754,
220 | I_VFMSUB231PD = 9021, I_VFMSUB231PS = 9008, I_VFMSUB231SD = 9047, I_VFMSUB231SS = 9034,
221 | I_VFMSUBADD132PD = 8380, I_VFMSUBADD132PS = 8364, I_VFMSUBADD213PD = 8660,
222 | I_VFMSUBADD213PS = 8644, I_VFMSUBADD231PD = 8940, I_VFMSUBADD231PS = 8924,
223 | I_VFNMADD132PD = 8514, I_VFNMADD132PS = 8500, I_VFNMADD132SD = 8542, I_VFNMADD132SS = 8528,
224 | I_VFNMADD213PD = 8794, I_VFNMADD213PS = 8780, I_VFNMADD213SD = 8822, I_VFNMADD213SS = 8808,
225 | I_VFNMADD231PD = 9074, I_VFNMADD231PS = 9060, I_VFNMADD231SD = 9102, I_VFNMADD231SS = 9088,
226 | I_VFNMSUB132PD = 8570, I_VFNMSUB132PS = 8556, I_VFNMSUB132SD = 8598, I_VFNMSUB132SS = 8584,
227 | I_VFNMSUB213PD = 8850, I_VFNMSUB213PS = 8836, I_VFNMSUB213SD = 8878, I_VFNMSUB213SS = 8864,
228 | I_VFNMSUB231PD = 9130, I_VFNMSUB231PS = 9116, I_VFNMSUB231SD = 9158, I_VFNMSUB231SS = 9144,
229 | I_VHADDPD = 4219, I_VHADDPS = 4228, I_VHSUBPD = 4253, I_VHSUBPS = 4262, I_VINSERTF128 = 9525,
230 | I_VINSERTPS = 9579, I_VLDDQU = 7023, I_VLDMXCSR = 9963, I_VMASKMOVDQU = 7153,
231 | I_VMASKMOVPD = 7971, I_VMASKMOVPS = 7959, I_VMAXPD = 3610, I_VMAXPS = 3602,
232 | I_VMAXSD = 3626, I_VMAXSS = 3618, I_VMCALL = 1735, I_VMCLEAR = 10011, I_VMFUNC = 1803,
233 | I_VMINPD = 3490, I_VMINPS = 3482, I_VMINSD = 3506, I_VMINSS = 3498, I_VMLAUNCH = 1743,
234 | I_VMLOAD = 1833, I_VMMCALL = 1824, I_VMOVAPD = 2498, I_VMOVAPS = 2489, I_VMOVD = 3954,
235 | I_VMOVDDUP = 2256, I_VMOVDQA = 3984, I_VMOVDQU = 3993, I_VMOVHLPS = 2217,
236 | I_VMOVHPD = 2404, I_VMOVHPS = 2395, I_VMOVLHPS = 2385, I_VMOVLPD = 2236, I_VMOVLPS = 2227,
237 | I_VMOVMSKPD = 2858, I_VMOVMSKPS = 2847, I_VMOVNTDQ = 6880, I_VMOVNTDQA = 7927,
238 | I_VMOVNTPD = 2615, I_VMOVNTPS = 2605, I_VMOVQ = 3961, I_VMOVSD = 2165, I_VMOVSHDUP = 2413,
239 | I_VMOVSLDUP = 2245, I_VMOVSS = 2157, I_VMOVUPD = 2148, I_VMOVUPS = 2139, I_VMPSADBW = 9659,
240 | I_VMPTRLD = 10002, I_VMPTRST = 6407, I_VMREAD = 4150, I_VMRESUME = 1753, I_VMRUN = 1817,
241 | I_VMSAVE = 1841, I_VMULPD = 3221, I_VMULPS = 3213, I_VMULSD = 3237, I_VMULSS = 3229,
242 | I_VMWRITE = 4174, I_VMXOFF = 1763, I_VMXON = 10020, I_VORPD = 3088, I_VORPS = 3081,
243 | I_VPABSB = 7717, I_VPABSD = 7747, I_VPABSW = 7732, I_VPACKSSDW = 3881, I_VPACKSSWB = 3713,
244 | I_VPACKUSDW = 7948, I_VPACKUSWB = 3791, I_VPADDB = 7233, I_VPADDD = 7263,
245 | I_VPADDQ = 6510, I_VPADDSB = 6960, I_VPADDSW = 6977, I_VPADDUSW = 6651, I_VPADDW = 7248,
246 | I_VPALIGNR = 9441, I_VPAND = 6635, I_VPANDN = 6694, I_VPAVGB = 6709, I_VPAVGW = 6754,
247 | I_VPBLENDVB = 9714, I_VPBLENDW = 9422, I_VPCLMULQDQ = 9680, I_VPCMPEQB = 4074,
248 | I_VPCMPEQD = 4112, I_VPCMPEQQ = 7907, I_VPCMPEQW = 4093, I_VPCMPESTRI = 9759,
249 | I_VPCMPESTRM = 9736, I_VPCMPGTB = 3733, I_VPCMPGTD = 3771, I_VPCMPGTQ = 8118,
250 | I_VPCMPGTW = 3752, I_VPCMPISTRI = 9805, I_VPCMPISTRM = 9782, I_VPERM2F128 = 9287,
251 | I_VPERMILPD = 7592, I_VPERMILPS = 7581, I_VPEXTRB = 9459, I_VPEXTRD = 9484,
252 | I_VPEXTRQ = 9493, I_VPEXTRW = 6341, I_VPHADDD = 7405, I_VPHADDSW = 7423, I_VPHADDW = 7388,
253 | I_VPHMINPOSUW = 8293, I_VPHSUBD = 7481, I_VPHSUBSW = 7499, I_VPHSUBW = 7464,
254 | I_VPINSRB = 9560, I_VPINSRD = 9606, I_VPINSRQ = 9615, I_VPINSRW = 6324, I_VPMADDUBSW = 7444,
255 | I_VPMADDWD = 7104, I_VPMAXSB = 8204, I_VPMAXSD = 8221, I_VPMAXSW = 6994, I_VPMAXUB = 6678,
256 | I_VPMAXUD = 8255, I_VPMAXUW = 8238, I_VPMINSB = 8136, I_VPMINSD = 8153, I_VPMINSW = 6932,
257 | I_VPMINUB = 6620, I_VPMINUD = 8187, I_VPMINUW = 8170, I_VPMOVMSKB = 6563,
258 | I_VPMOVSXBD = 7786, I_VPMOVSXBQ = 7807, I_VPMOVSXBW = 7765, I_VPMOVSXDQ = 7870,
259 | I_VPMOVSXWD = 7828, I_VPMOVSXWQ = 7849, I_VPMOVZXBD = 8014, I_VPMOVZXBQ = 8035,
260 | I_VPMOVZXBW = 7993, I_VPMOVZXDQ = 8098, I_VPMOVZXWD = 8056, I_VPMOVZXWQ = 8077,
261 | I_VPMULDQ = 7889, I_VPMULHRSW = 7570, I_VPMULHUW = 6771, I_VPMULHW = 6789,
262 | I_VPMULLD = 8272, I_VPMULLW = 6526, I_VPMULUDQ = 7085, I_VPOR = 6946, I_VPSADBW = 7122,
263 | I_VPSHUFB = 7371, I_VPSHUFD = 4036, I_VPSHUFHW = 4045, I_VPSHUFLW = 4055,
264 | I_VPSIGNB = 7517, I_VPSIGND = 7551, I_VPSIGNW = 7534, I_VPSLLD = 7053, I_VPSLLDQ = 9877,
265 | I_VPSLLQ = 7068, I_VPSLLW = 7038, I_VPSRAD = 6739, I_VPSRAW = 6724, I_VPSRLD = 6480,
266 | I_VPSRLDQ = 9860, I_VPSRLQ = 6495, I_VPSRLW = 6465, I_VPSUBB = 7173, I_VPSUBD = 7203,
267 | I_VPSUBQ = 7218, I_VPSUBSB = 6898, I_VPSUBSW = 6915, I_VPSUBUSB = 6583, I_VPSUBUSW = 6602,
268 | I_VPSUBW = 7188, I_VPTEST = 7658, I_VPUNPCKHBW = 3813, I_VPUNPCKHDQ = 3859,
269 | I_VPUNPCKHQDQ = 3929, I_VPUNPCKHWD = 3836, I_VPUNPCKLBW = 3645, I_VPUNPCKLDQ = 3691,
270 | I_VPUNPCKLQDQ = 3904, I_VPUNPCKLWD = 3668, I_VPXOR = 7009, I_VRCPPS = 2989,
271 | I_VRCPSS = 2997, I_VROUNDPD = 9327, I_VROUNDPS = 9308, I_VROUNDSD = 9365,
272 | I_VROUNDSS = 9346, I_VRSQRTPS = 2955, I_VRSQRTSS = 2965, I_VSHUFPD = 6375,
273 | I_VSHUFPS = 6366, I_VSQRTPD = 2910, I_VSQRTPS = 2901, I_VSQRTSD = 2928, I_VSQRTSS = 2919,
274 | I_VSTMXCSR = 9992, I_VSUBPD = 3430, I_VSUBPS = 3422, I_VSUBSD = 3446, I_VSUBSS = 3438,
275 | I_VTESTPD = 7612, I_VTESTPS = 7603, I_VUCOMISD = 2783, I_VUCOMISS = 2773,
276 | I_VUNPCKHPD = 2339, I_VUNPCKHPS = 2328, I_VUNPCKLPD = 2297, I_VUNPCKLPS = 2286,
277 | I_VXORPD = 3117, I_VXORPS = 3109, I_VZEROALL = 4140, I_VZEROUPPER = 4128,
278 | I_WAIT = 10042, I_WBINVD = 561, I_WRFSBASE = 9953, I_WRGSBASE = 9982, I_WRMSR = 586,
279 | I_XABORT = 1007, I_XADD = 946, I_XBEGIN = 1015, I_XCHG = 212, I_XEND = 1811,
280 | I_XGETBV = 1787, I_XLAT = 400, I_XOR = 61, I_XORPD = 3102, I_XORPS = 3095,
281 | I_XRSTOR = 4295, I_XRSTOR64 = 4303, I_XSAVE = 4271, I_XSAVE64 = 4278, I_XSAVEOPT = 4321,
282 | I_XSAVEOPT64 = 4331, I_XSETBV = 1795, I__3DNOW = 10056
283 | } _InstructionType;
284 |
285 | typedef enum {
286 | R_RAX, R_RCX, R_RDX, R_RBX, R_RSP, R_RBP, R_RSI, R_RDI, R_R8, R_R9, R_R10, R_R11, R_R12, R_R13, R_R14, R_R15,
287 | R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, R_R8D, R_R9D, R_R10D, R_R11D, R_R12D, R_R13D, R_R14D, R_R15D,
288 | R_AX, R_CX, R_DX, R_BX, R_SP, R_BP, R_SI, R_DI, R_R8W, R_R9W, R_R10W, R_R11W, R_R12W, R_R13W, R_R14W, R_R15W,
289 | R_AL, R_CL, R_DL, R_BL, R_AH, R_CH, R_DH, R_BH, R_R8B, R_R9B, R_R10B, R_R11B, R_R12B, R_R13B, R_R14B, R_R15B,
290 | R_SPL, R_BPL, R_SIL, R_DIL,
291 | R_ES, R_CS, R_SS, R_DS, R_FS, R_GS,
292 | R_RIP,
293 | R_ST0, R_ST1, R_ST2, R_ST3, R_ST4, R_ST5, R_ST6, R_ST7,
294 | R_MM0, R_MM1, R_MM2, R_MM3, R_MM4, R_MM5, R_MM6, R_MM7,
295 | R_XMM0, R_XMM1, R_XMM2, R_XMM3, R_XMM4, R_XMM5, R_XMM6, R_XMM7, R_XMM8, R_XMM9, R_XMM10, R_XMM11, R_XMM12, R_XMM13, R_XMM14, R_XMM15,
296 | R_YMM0, R_YMM1, R_YMM2, R_YMM3, R_YMM4, R_YMM5, R_YMM6, R_YMM7, R_YMM8, R_YMM9, R_YMM10, R_YMM11, R_YMM12, R_YMM13, R_YMM14, R_YMM15,
297 | R_CR0, R_UNUSED0, R_CR2, R_CR3, R_CR4, R_UNUSED1, R_UNUSED2, R_UNUSED3, R_CR8,
298 | R_DR0, R_DR1, R_DR2, R_DR3, R_UNUSED4, R_UNUSED5, R_DR6, R_DR7
299 | } _RegisterType;
300 |
301 | #endif /* MNEMONICS_H */
302 |
--------------------------------------------------------------------------------
/kemon/distorm/mnemonics.c:
--------------------------------------------------------------------------------
1 | /*
2 | mnemonics.c
3 |
4 | diStorm3 - Powerful disassembler for X86/AMD64
5 | http://ragestorm.net/distorm/
6 | distorm at gmail dot com
7 | Copyright (C) 2003-2018 Gil Dabah
8 | This library is licensed under the BSD license. See the file COPYING.
9 | */
10 |
11 |
12 | #include "include/mnemonics.h"
13 |
14 | #ifndef DISTORM_LIGHT
15 |
16 | const unsigned char _MNEMONICS[] =
17 | "\x09" "UNDEFINED\0" "\x03" "ADD\0" "\x04" "PUSH\0" "\x03" "POP\0" \
18 | "\x02" "OR\0" "\x03" "ADC\0" "\x03" "SBB\0" "\x03" "AND\0" "\x03" "DAA\0" \
19 | "\x03" "SUB\0" "\x03" "DAS\0" "\x03" "XOR\0" "\x03" "AAA\0" "\x03" "CMP\0" \
20 | "\x03" "AAS\0" "\x03" "INC\0" "\x03" "DEC\0" "\x05" "PUSHA\0" "\x04" "POPA\0" \
21 | "\x05" "BOUND\0" "\x04" "ARPL\0" "\x04" "IMUL\0" "\x03" "INS\0" "\x04" "OUTS\0" \
22 | "\x02" "JO\0" "\x03" "JNO\0" "\x02" "JB\0" "\x03" "JAE\0" "\x02" "JZ\0" \
23 | "\x03" "JNZ\0" "\x03" "JBE\0" "\x02" "JA\0" "\x02" "JS\0" "\x03" "JNS\0" \
24 | "\x02" "JP\0" "\x03" "JNP\0" "\x02" "JL\0" "\x03" "JGE\0" "\x03" "JLE\0" \
25 | "\x02" "JG\0" "\x04" "TEST\0" "\x04" "XCHG\0" "\x03" "MOV\0" "\x03" "LEA\0" \
26 | "\x03" "CBW\0" "\x04" "CWDE\0" "\x04" "CDQE\0" "\x03" "CWD\0" "\x03" "CDQ\0" \
27 | "\x03" "CQO\0" "\x08" "CALL FAR\0" "\x05" "PUSHF\0" "\x04" "POPF\0" \
28 | "\x04" "SAHF\0" "\x04" "LAHF\0" "\x04" "MOVS\0" "\x04" "CMPS\0" "\x04" "STOS\0" \
29 | "\x04" "LODS\0" "\x04" "SCAS\0" "\x03" "RET\0" "\x03" "LES\0" "\x03" "LDS\0" \
30 | "\x05" "ENTER\0" "\x05" "LEAVE\0" "\x04" "RETF\0" "\x05" "INT 3\0" \
31 | "\x03" "INT\0" "\x04" "INTO\0" "\x04" "IRET\0" "\x03" "AAM\0" "\x03" "AAD\0" \
32 | "\x04" "SALC\0" "\x04" "XLAT\0" "\x06" "LOOPNZ\0" "\x05" "LOOPZ\0" \
33 | "\x04" "LOOP\0" "\x04" "JCXZ\0" "\x05" "JECXZ\0" "\x05" "JRCXZ\0" "\x02" "IN\0" \
34 | "\x03" "OUT\0" "\x04" "CALL\0" "\x03" "JMP\0" "\x07" "JMP FAR\0" "\x04" "INT1\0" \
35 | "\x03" "HLT\0" "\x03" "CMC\0" "\x03" "CLC\0" "\x03" "STC\0" "\x03" "CLI\0" \
36 | "\x03" "STI\0" "\x03" "CLD\0" "\x03" "STD\0" "\x03" "LAR\0" "\x03" "LSL\0" \
37 | "\x07" "SYSCALL\0" "\x04" "CLTS\0" "\x06" "SYSRET\0" "\x04" "INVD\0" \
38 | "\x06" "WBINVD\0" "\x03" "UD2\0" "\x05" "FEMMS\0" "\x03" "NOP\0" "\x05" "WRMSR\0" \
39 | "\x05" "RDTSC\0" "\x05" "RDMSR\0" "\x05" "RDPMC\0" "\x08" "SYSENTER\0" \
40 | "\x07" "SYSEXIT\0" "\x06" "GETSEC\0" "\x05" "CMOVO\0" "\x06" "CMOVNO\0" \
41 | "\x05" "CMOVB\0" "\x06" "CMOVAE\0" "\x05" "CMOVZ\0" "\x06" "CMOVNZ\0" \
42 | "\x06" "CMOVBE\0" "\x05" "CMOVA\0" "\x05" "CMOVS\0" "\x06" "CMOVNS\0" \
43 | "\x05" "CMOVP\0" "\x06" "CMOVNP\0" "\x05" "CMOVL\0" "\x06" "CMOVGE\0" \
44 | "\x06" "CMOVLE\0" "\x05" "CMOVG\0" "\x04" "SETO\0" "\x05" "SETNO\0" \
45 | "\x04" "SETB\0" "\x05" "SETAE\0" "\x04" "SETZ\0" "\x05" "SETNZ\0" "\x05" "SETBE\0" \
46 | "\x04" "SETA\0" "\x04" "SETS\0" "\x05" "SETNS\0" "\x04" "SETP\0" "\x05" "SETNP\0" \
47 | "\x04" "SETL\0" "\x05" "SETGE\0" "\x05" "SETLE\0" "\x04" "SETG\0" "\x05" "CPUID\0" \
48 | "\x02" "BT\0" "\x04" "SHLD\0" "\x03" "RSM\0" "\x03" "BTS\0" "\x04" "SHRD\0" \
49 | "\x07" "CMPXCHG\0" "\x03" "LSS\0" "\x03" "BTR\0" "\x03" "LFS\0" "\x03" "LGS\0" \
50 | "\x05" "MOVZX\0" "\x03" "BTC\0" "\x05" "MOVSX\0" "\x04" "XADD\0" "\x06" "MOVNTI\0" \
51 | "\x05" "BSWAP\0" "\x03" "ROL\0" "\x03" "ROR\0" "\x03" "RCL\0" "\x03" "RCR\0" \
52 | "\x03" "SHL\0" "\x03" "SHR\0" "\x03" "SAL\0" "\x03" "SAR\0" "\x06" "XABORT\0" \
53 | "\x06" "XBEGIN\0" "\x04" "FADD\0" "\x04" "FMUL\0" "\x04" "FCOM\0" "\x05" "FCOMP\0" \
54 | "\x04" "FSUB\0" "\x05" "FSUBR\0" "\x04" "FDIV\0" "\x05" "FDIVR\0" "\x03" "FLD\0" \
55 | "\x03" "FST\0" "\x04" "FSTP\0" "\x06" "FLDENV\0" "\x05" "FLDCW\0" "\x04" "FXCH\0" \
56 | "\x04" "FNOP\0" "\x04" "FCHS\0" "\x04" "FABS\0" "\x04" "FTST\0" "\x04" "FXAM\0" \
57 | "\x04" "FLD1\0" "\x06" "FLDL2T\0" "\x06" "FLDL2E\0" "\x05" "FLDPI\0" \
58 | "\x06" "FLDLG2\0" "\x06" "FLDLN2\0" "\x04" "FLDZ\0" "\x05" "F2XM1\0" \
59 | "\x05" "FYL2X\0" "\x05" "FPTAN\0" "\x06" "FPATAN\0" "\x07" "FXTRACT\0" \
60 | "\x06" "FPREM1\0" "\x07" "FDECSTP\0" "\x07" "FINCSTP\0" "\x05" "FPREM\0" \
61 | "\x07" "FYL2XP1\0" "\x05" "FSQRT\0" "\x07" "FSINCOS\0" "\x07" "FRNDINT\0" \
62 | "\x06" "FSCALE\0" "\x04" "FSIN\0" "\x04" "FCOS\0" "\x05" "FIADD\0" \
63 | "\x05" "FIMUL\0" "\x05" "FICOM\0" "\x06" "FICOMP\0" "\x05" "FISUB\0" \
64 | "\x06" "FISUBR\0" "\x05" "FIDIV\0" "\x06" "FIDIVR\0" "\x06" "FCMOVB\0" \
65 | "\x06" "FCMOVE\0" "\x07" "FCMOVBE\0" "\x06" "FCMOVU\0" "\x07" "FUCOMPP\0" \
66 | "\x04" "FILD\0" "\x06" "FISTTP\0" "\x04" "FIST\0" "\x05" "FISTP\0" \
67 | "\x07" "FCMOVNB\0" "\x07" "FCMOVNE\0" "\x08" "FCMOVNBE\0" "\x07" "FCMOVNU\0" \
68 | "\x04" "FENI\0" "\x06" "FEDISI\0" "\x06" "FSETPM\0" "\x06" "FUCOMI\0" \
69 | "\x05" "FCOMI\0" "\x06" "FRSTOR\0" "\x05" "FFREE\0" "\x05" "FUCOM\0" \
70 | "\x06" "FUCOMP\0" "\x05" "FADDP\0" "\x05" "FMULP\0" "\x06" "FCOMPP\0" \
71 | "\x06" "FSUBRP\0" "\x05" "FSUBP\0" "\x06" "FDIVRP\0" "\x05" "FDIVP\0" \
72 | "\x04" "FBLD\0" "\x05" "FBSTP\0" "\x07" "FUCOMIP\0" "\x06" "FCOMIP\0" \
73 | "\x03" "NOT\0" "\x03" "NEG\0" "\x03" "MUL\0" "\x03" "DIV\0" "\x04" "IDIV\0" \
74 | "\x04" "SLDT\0" "\x03" "STR\0" "\x04" "LLDT\0" "\x03" "LTR\0" "\x04" "VERR\0" \
75 | "\x04" "VERW\0" "\x04" "SGDT\0" "\x04" "SIDT\0" "\x04" "LGDT\0" "\x04" "LIDT\0" \
76 | "\x04" "SMSW\0" "\x04" "LMSW\0" "\x06" "INVLPG\0" "\x06" "VMCALL\0" \
77 | "\x08" "VMLAUNCH\0" "\x08" "VMRESUME\0" "\x06" "VMXOFF\0" "\x07" "MONITOR\0" \
78 | "\x05" "MWAIT\0" "\x06" "XGETBV\0" "\x06" "XSETBV\0" "\x06" "VMFUNC\0" \
79 | "\x04" "XEND\0" "\x05" "VMRUN\0" "\x07" "VMMCALL\0" "\x06" "VMLOAD\0" \
80 | "\x06" "VMSAVE\0" "\x04" "STGI\0" "\x04" "CLGI\0" "\x06" "SKINIT\0" \
81 | "\x07" "INVLPGA\0" "\x06" "SWAPGS\0" "\x06" "RDTSCP\0" "\x08" "PREFETCH\0" \
82 | "\x09" "PREFETCHW\0" "\x05" "PI2FW\0" "\x05" "PI2FD\0" "\x05" "PF2IW\0" \
83 | "\x05" "PF2ID\0" "\x06" "PFNACC\0" "\x07" "PFPNACC\0" "\x07" "PFCMPGE\0" \
84 | "\x05" "PFMIN\0" "\x05" "PFRCP\0" "\x07" "PFRSQRT\0" "\x05" "PFSUB\0" \
85 | "\x05" "PFADD\0" "\x07" "PFCMPGT\0" "\x05" "PFMAX\0" "\x08" "PFRCPIT1\0" \
86 | "\x08" "PFRSQIT1\0" "\x06" "PFSUBR\0" "\x05" "PFACC\0" "\x07" "PFCMPEQ\0" \
87 | "\x05" "PFMUL\0" "\x08" "PFRCPIT2\0" "\x07" "PMULHRW\0" "\x06" "PSWAPD\0" \
88 | "\x07" "PAVGUSB\0" "\x06" "MOVUPS\0" "\x06" "MOVUPD\0" "\x05" "MOVSS\0" \
89 | "\x05" "MOVSD\0" "\x07" "VMOVUPS\0" "\x07" "VMOVUPD\0" "\x06" "VMOVSS\0" \
90 | "\x06" "VMOVSD\0" "\x07" "MOVHLPS\0" "\x06" "MOVLPS\0" "\x06" "MOVLPD\0" \
91 | "\x08" "MOVSLDUP\0" "\x07" "MOVDDUP\0" "\x08" "VMOVHLPS\0" "\x07" "VMOVLPS\0" \
92 | "\x07" "VMOVLPD\0" "\x09" "VMOVSLDUP\0" "\x08" "VMOVDDUP\0" "\x08" "UNPCKLPS\0" \
93 | "\x08" "UNPCKLPD\0" "\x09" "VUNPCKLPS\0" "\x09" "VUNPCKLPD\0" "\x08" "UNPCKHPS\0" \
94 | "\x08" "UNPCKHPD\0" "\x09" "VUNPCKHPS\0" "\x09" "VUNPCKHPD\0" "\x07" "MOVLHPS\0" \
95 | "\x06" "MOVHPS\0" "\x06" "MOVHPD\0" "\x08" "MOVSHDUP\0" "\x08" "VMOVLHPS\0" \
96 | "\x07" "VMOVHPS\0" "\x07" "VMOVHPD\0" "\x09" "VMOVSHDUP\0" "\x0b" "PREFETCHNTA\0" \
97 | "\x0a" "PREFETCHT0\0" "\x0a" "PREFETCHT1\0" "\x0a" "PREFETCHT2\0" "\x06" "MOVAPS\0" \
98 | "\x06" "MOVAPD\0" "\x07" "VMOVAPS\0" "\x07" "VMOVAPD\0" "\x08" "CVTPI2PS\0" \
99 | "\x08" "CVTPI2PD\0" "\x08" "CVTSI2SS\0" "\x08" "CVTSI2SD\0" "\x09" "VCVTSI2SS\0" \
100 | "\x09" "VCVTSI2SD\0" "\x07" "MOVNTPS\0" "\x07" "MOVNTPD\0" "\x07" "MOVNTSS\0" \
101 | "\x07" "MOVNTSD\0" "\x08" "VMOVNTPS\0" "\x08" "VMOVNTPD\0" "\x09" "CVTTPS2PI\0" \
102 | "\x09" "CVTTPD2PI\0" "\x09" "CVTTSS2SI\0" "\x09" "CVTTSD2SI\0" "\x0a" "VCVTTSS2SI\0" \
103 | "\x0a" "VCVTTSD2SI\0" "\x08" "CVTPS2PI\0" "\x08" "CVTPD2PI\0" "\x08" "CVTSS2SI\0" \
104 | "\x08" "CVTSD2SI\0" "\x09" "VCVTSS2SI\0" "\x09" "VCVTSD2SI\0" "\x07" "UCOMISS\0" \
105 | "\x07" "UCOMISD\0" "\x08" "VUCOMISS\0" "\x08" "VUCOMISD\0" "\x06" "COMISS\0" \
106 | "\x06" "COMISD\0" "\x07" "VCOMISS\0" "\x07" "VCOMISD\0" "\x08" "MOVMSKPS\0" \
107 | "\x08" "MOVMSKPD\0" "\x09" "VMOVMSKPS\0" "\x09" "VMOVMSKPD\0" "\x06" "SQRTPS\0" \
108 | "\x06" "SQRTPD\0" "\x06" "SQRTSS\0" "\x06" "SQRTSD\0" "\x07" "VSQRTPS\0" \
109 | "\x07" "VSQRTPD\0" "\x07" "VSQRTSS\0" "\x07" "VSQRTSD\0" "\x07" "RSQRTPS\0" \
110 | "\x07" "RSQRTSS\0" "\x08" "VRSQRTPS\0" "\x08" "VRSQRTSS\0" "\x05" "RCPPS\0" \
111 | "\x05" "RCPSS\0" "\x06" "VRCPPS\0" "\x06" "VRCPSS\0" "\x05" "ANDPS\0" \
112 | "\x05" "ANDPD\0" "\x06" "VANDPS\0" "\x06" "VANDPD\0" "\x06" "ANDNPS\0" \
113 | "\x06" "ANDNPD\0" "\x07" "VANDNPS\0" "\x07" "VANDNPD\0" "\x04" "ORPS\0" \
114 | "\x04" "ORPD\0" "\x05" "VORPS\0" "\x05" "VORPD\0" "\x05" "XORPS\0" \
115 | "\x05" "XORPD\0" "\x06" "VXORPS\0" "\x06" "VXORPD\0" "\x05" "ADDPS\0" \
116 | "\x05" "ADDPD\0" "\x05" "ADDSS\0" "\x05" "ADDSD\0" "\x06" "VADDPS\0" \
117 | "\x06" "VADDPD\0" "\x06" "VADDSS\0" "\x06" "VADDSD\0" "\x05" "MULPS\0" \
118 | "\x05" "MULPD\0" "\x05" "MULSS\0" "\x05" "MULSD\0" "\x06" "VMULPS\0" \
119 | "\x06" "VMULPD\0" "\x06" "VMULSS\0" "\x06" "VMULSD\0" "\x08" "CVTPS2PD\0" \
120 | "\x08" "CVTPD2PS\0" "\x08" "CVTSS2SD\0" "\x08" "CVTSD2SS\0" "\x09" "VCVTPS2PD\0" \
121 | "\x09" "VCVTPD2PS\0" "\x09" "VCVTSS2SD\0" "\x09" "VCVTSD2SS\0" "\x08" "CVTDQ2PS\0" \
122 | "\x08" "CVTPS2DQ\0" "\x09" "CVTTPS2DQ\0" "\x09" "VCVTDQ2PS\0" "\x09" "VCVTPS2DQ\0" \
123 | "\x0a" "VCVTTPS2DQ\0" "\x05" "SUBPS\0" "\x05" "SUBPD\0" "\x05" "SUBSS\0" \
124 | "\x05" "SUBSD\0" "\x06" "VSUBPS\0" "\x06" "VSUBPD\0" "\x06" "VSUBSS\0" \
125 | "\x06" "VSUBSD\0" "\x05" "MINPS\0" "\x05" "MINPD\0" "\x05" "MINSS\0" \
126 | "\x05" "MINSD\0" "\x06" "VMINPS\0" "\x06" "VMINPD\0" "\x06" "VMINSS\0" \
127 | "\x06" "VMINSD\0" "\x05" "DIVPS\0" "\x05" "DIVPD\0" "\x05" "DIVSS\0" \
128 | "\x05" "DIVSD\0" "\x06" "VDIVPS\0" "\x06" "VDIVPD\0" "\x06" "VDIVSS\0" \
129 | "\x06" "VDIVSD\0" "\x05" "MAXPS\0" "\x05" "MAXPD\0" "\x05" "MAXSS\0" \
130 | "\x05" "MAXSD\0" "\x06" "VMAXPS\0" "\x06" "VMAXPD\0" "\x06" "VMAXSS\0" \
131 | "\x06" "VMAXSD\0" "\x09" "PUNPCKLBW\0" "\x0a" "VPUNPCKLBW\0" "\x09" "PUNPCKLWD\0" \
132 | "\x0a" "VPUNPCKLWD\0" "\x09" "PUNPCKLDQ\0" "\x0a" "VPUNPCKLDQ\0" "\x08" "PACKSSWB\0" \
133 | "\x09" "VPACKSSWB\0" "\x07" "PCMPGTB\0" "\x08" "VPCMPGTB\0" "\x07" "PCMPGTW\0" \
134 | "\x08" "VPCMPGTW\0" "\x07" "PCMPGTD\0" "\x08" "VPCMPGTD\0" "\x08" "PACKUSWB\0" \
135 | "\x09" "VPACKUSWB\0" "\x09" "PUNPCKHBW\0" "\x0a" "VPUNPCKHBW\0" "\x09" "PUNPCKHWD\0" \
136 | "\x0a" "VPUNPCKHWD\0" "\x09" "PUNPCKHDQ\0" "\x0a" "VPUNPCKHDQ\0" "\x08" "PACKSSDW\0" \
137 | "\x09" "VPACKSSDW\0" "\x0a" "PUNPCKLQDQ\0" "\x0b" "VPUNPCKLQDQ\0" "\x0a" "PUNPCKHQDQ\0" \
138 | "\x0b" "VPUNPCKHQDQ\0" "\x04" "MOVD\0" "\x04" "MOVQ\0" "\x05" "VMOVD\0" \
139 | "\x05" "VMOVQ\0" "\x06" "MOVDQA\0" "\x06" "MOVDQU\0" "\x07" "VMOVDQA\0" \
140 | "\x07" "VMOVDQU\0" "\x06" "PSHUFW\0" "\x06" "PSHUFD\0" "\x07" "PSHUFHW\0" \
141 | "\x07" "PSHUFLW\0" "\x07" "VPSHUFD\0" "\x08" "VPSHUFHW\0" "\x08" "VPSHUFLW\0" \
142 | "\x07" "PCMPEQB\0" "\x08" "VPCMPEQB\0" "\x07" "PCMPEQW\0" "\x08" "VPCMPEQW\0" \
143 | "\x07" "PCMPEQD\0" "\x08" "VPCMPEQD\0" "\x04" "EMMS\0" "\x0a" "VZEROUPPER\0" \
144 | "\x08" "VZEROALL\0" "\x06" "VMREAD\0" "\x05" "EXTRQ\0" "\x07" "INSERTQ\0" \
145 | "\x07" "VMWRITE\0" "\x08" "CVTPH2PS\0" "\x08" "CVTPS2PH\0" "\x06" "HADDPD\0" \
146 | "\x06" "HADDPS\0" "\x07" "VHADDPD\0" "\x07" "VHADDPS\0" "\x06" "HSUBPD\0" \
147 | "\x06" "HSUBPS\0" "\x07" "VHSUBPD\0" "\x07" "VHSUBPS\0" "\x05" "XSAVE\0" \
148 | "\x07" "XSAVE64\0" "\x06" "LFENCE\0" "\x06" "XRSTOR\0" "\x08" "XRSTOR64\0" \
149 | "\x06" "MFENCE\0" "\x08" "XSAVEOPT\0" "\x0a" "XSAVEOPT64\0" "\x06" "SFENCE\0" \
150 | "\x07" "CLFLUSH\0" "\x06" "POPCNT\0" "\x03" "BSF\0" "\x05" "TZCNT\0" \
151 | "\x03" "BSR\0" "\x05" "LZCNT\0" "\x07" "CMPEQPS\0" "\x07" "CMPLTPS\0" \
152 | "\x07" "CMPLEPS\0" "\x0a" "CMPUNORDPS\0" "\x08" "CMPNEQPS\0" "\x08" "CMPNLTPS\0" \
153 | "\x08" "CMPNLEPS\0" "\x08" "CMPORDPS\0" "\x07" "CMPEQPD\0" "\x07" "CMPLTPD\0" \
154 | "\x07" "CMPLEPD\0" "\x0a" "CMPUNORDPD\0" "\x08" "CMPNEQPD\0" "\x08" "CMPNLTPD\0" \
155 | "\x08" "CMPNLEPD\0" "\x08" "CMPORDPD\0" "\x07" "CMPEQSS\0" "\x07" "CMPLTSS\0" \
156 | "\x07" "CMPLESS\0" "\x0a" "CMPUNORDSS\0" "\x08" "CMPNEQSS\0" "\x08" "CMPNLTSS\0" \
157 | "\x08" "CMPNLESS\0" "\x08" "CMPORDSS\0" "\x07" "CMPEQSD\0" "\x07" "CMPLTSD\0" \
158 | "\x07" "CMPLESD\0" "\x0a" "CMPUNORDSD\0" "\x08" "CMPNEQSD\0" "\x08" "CMPNLTSD\0" \
159 | "\x08" "CMPNLESD\0" "\x08" "CMPORDSD\0" "\x08" "VCMPEQPS\0" "\x08" "VCMPLTPS\0" \
160 | "\x08" "VCMPLEPS\0" "\x0b" "VCMPUNORDPS\0" "\x09" "VCMPNEQPS\0" "\x09" "VCMPNLTPS\0" \
161 | "\x09" "VCMPNLEPS\0" "\x09" "VCMPORDPS\0" "\x0b" "VCMPEQ_UQPS\0" "\x09" "VCMPNGEPS\0" \
162 | "\x09" "VCMPNGTPS\0" "\x0b" "VCMPFALSEPS\0" "\x0c" "VCMPNEQ_OQPS\0" "\x08" "VCMPGEPS\0" \
163 | "\x08" "VCMPGTPS\0" "\x0a" "VCMPTRUEPS\0" "\x0b" "VCMPEQ_OSPS\0" "\x0b" "VCMPLT_OQPS\0" \
164 | "\x0b" "VCMPLE_OQPS\0" "\x0d" "VCMPUNORD_SPS\0" "\x0c" "VCMPNEQ_USPS\0" \
165 | "\x0c" "VCMPNLT_UQPS\0" "\x0c" "VCMPNLE_UQPS\0" "\x0b" "VCMPORD_SPS\0" \
166 | "\x0b" "VCMPEQ_USPS\0" "\x0c" "VCMPNGE_UQPS\0" "\x0c" "VCMPNGT_UQPS\0" \
167 | "\x0e" "VCMPFALSE_OSPS\0" "\x0c" "VCMPNEQ_OSPS\0" "\x0b" "VCMPGE_OQPS\0" \
168 | "\x0b" "VCMPGT_OQPS\0" "\x0d" "VCMPTRUE_USPS\0" "\x08" "VCMPEQPD\0" "\x08" "VCMPLTPD\0" \
169 | "\x08" "VCMPLEPD\0" "\x0b" "VCMPUNORDPD\0" "\x09" "VCMPNEQPD\0" "\x09" "VCMPNLTPD\0" \
170 | "\x09" "VCMPNLEPD\0" "\x09" "VCMPORDPD\0" "\x0b" "VCMPEQ_UQPD\0" "\x09" "VCMPNGEPD\0" \
171 | "\x09" "VCMPNGTPD\0" "\x0b" "VCMPFALSEPD\0" "\x0c" "VCMPNEQ_OQPD\0" "\x08" "VCMPGEPD\0" \
172 | "\x08" "VCMPGTPD\0" "\x0a" "VCMPTRUEPD\0" "\x0b" "VCMPEQ_OSPD\0" "\x0b" "VCMPLT_OQPD\0" \
173 | "\x0b" "VCMPLE_OQPD\0" "\x0d" "VCMPUNORD_SPD\0" "\x0c" "VCMPNEQ_USPD\0" \
174 | "\x0c" "VCMPNLT_UQPD\0" "\x0c" "VCMPNLE_UQPD\0" "\x0b" "VCMPORD_SPD\0" \
175 | "\x0b" "VCMPEQ_USPD\0" "\x0c" "VCMPNGE_UQPD\0" "\x0c" "VCMPNGT_UQPD\0" \
176 | "\x0e" "VCMPFALSE_OSPD\0" "\x0c" "VCMPNEQ_OSPD\0" "\x0b" "VCMPGE_OQPD\0" \
177 | "\x0b" "VCMPGT_OQPD\0" "\x0d" "VCMPTRUE_USPD\0" "\x08" "VCMPEQSS\0" "\x08" "VCMPLTSS\0" \
178 | "\x08" "VCMPLESS\0" "\x0b" "VCMPUNORDSS\0" "\x09" "VCMPNEQSS\0" "\x09" "VCMPNLTSS\0" \
179 | "\x09" "VCMPNLESS\0" "\x09" "VCMPORDSS\0" "\x0b" "VCMPEQ_UQSS\0" "\x09" "VCMPNGESS\0" \
180 | "\x09" "VCMPNGTSS\0" "\x0b" "VCMPFALSESS\0" "\x0c" "VCMPNEQ_OQSS\0" "\x08" "VCMPGESS\0" \
181 | "\x08" "VCMPGTSS\0" "\x0a" "VCMPTRUESS\0" "\x0b" "VCMPEQ_OSSS\0" "\x0b" "VCMPLT_OQSS\0" \
182 | "\x0b" "VCMPLE_OQSS\0" "\x0d" "VCMPUNORD_SSS\0" "\x0c" "VCMPNEQ_USSS\0" \
183 | "\x0c" "VCMPNLT_UQSS\0" "\x0c" "VCMPNLE_UQSS\0" "\x0b" "VCMPORD_SSS\0" \
184 | "\x0b" "VCMPEQ_USSS\0" "\x0c" "VCMPNGE_UQSS\0" "\x0c" "VCMPNGT_UQSS\0" \
185 | "\x0e" "VCMPFALSE_OSSS\0" "\x0c" "VCMPNEQ_OSSS\0" "\x0b" "VCMPGE_OQSS\0" \
186 | "\x0b" "VCMPGT_OQSS\0" "\x0d" "VCMPTRUE_USSS\0" "\x08" "VCMPEQSD\0" "\x08" "VCMPLTSD\0" \
187 | "\x08" "VCMPLESD\0" "\x0b" "VCMPUNORDSD\0" "\x09" "VCMPNEQSD\0" "\x09" "VCMPNLTSD\0" \
188 | "\x09" "VCMPNLESD\0" "\x09" "VCMPORDSD\0" "\x0b" "VCMPEQ_UQSD\0" "\x09" "VCMPNGESD\0" \
189 | "\x09" "VCMPNGTSD\0" "\x0b" "VCMPFALSESD\0" "\x0c" "VCMPNEQ_OQSD\0" "\x08" "VCMPGESD\0" \
190 | "\x08" "VCMPGTSD\0" "\x0a" "VCMPTRUESD\0" "\x0b" "VCMPEQ_OSSD\0" "\x0b" "VCMPLT_OQSD\0" \
191 | "\x0b" "VCMPLE_OQSD\0" "\x0d" "VCMPUNORD_SSD\0" "\x0c" "VCMPNEQ_USSD\0" \
192 | "\x0c" "VCMPNLT_UQSD\0" "\x0c" "VCMPNLE_UQSD\0" "\x0b" "VCMPORD_SSD\0" \
193 | "\x0b" "VCMPEQ_USSD\0" "\x0c" "VCMPNGE_UQSD\0" "\x0c" "VCMPNGT_UQSD\0" \
194 | "\x0e" "VCMPFALSE_OSSD\0" "\x0c" "VCMPNEQ_OSSD\0" "\x0b" "VCMPGE_OQSD\0" \
195 | "\x0b" "VCMPGT_OQSD\0" "\x0d" "VCMPTRUE_USSD\0" "\x06" "PINSRW\0" "\x07" "VPINSRW\0" \
196 | "\x06" "PEXTRW\0" "\x07" "VPEXTRW\0" "\x06" "SHUFPS\0" "\x06" "SHUFPD\0" \
197 | "\x07" "VSHUFPS\0" "\x07" "VSHUFPD\0" "\x09" "CMPXCHG8B\0" "\x0a" "CMPXCHG16B\0" \
198 | "\x07" "VMPTRST\0" "\x08" "ADDSUBPD\0" "\x08" "ADDSUBPS\0" "\x09" "VADDSUBPD\0" \
199 | "\x09" "VADDSUBPS\0" "\x05" "PSRLW\0" "\x06" "VPSRLW\0" "\x05" "PSRLD\0" \
200 | "\x06" "VPSRLD\0" "\x05" "PSRLQ\0" "\x06" "VPSRLQ\0" "\x05" "PADDQ\0" \
201 | "\x06" "VPADDQ\0" "\x06" "PMULLW\0" "\x07" "VPMULLW\0" "\x07" "MOVQ2DQ\0" \
202 | "\x07" "MOVDQ2Q\0" "\x08" "PMOVMSKB\0" "\x09" "VPMOVMSKB\0" "\x07" "PSUBUSB\0" \
203 | "\x08" "VPSUBUSB\0" "\x07" "PSUBUSW\0" "\x08" "VPSUBUSW\0" "\x06" "PMINUB\0" \
204 | "\x07" "VPMINUB\0" "\x04" "PAND\0" "\x05" "VPAND\0" "\x07" "PADDUSB\0" \
205 | "\x08" "VPADDUSW\0" "\x07" "PADDUSW\0" "\x06" "PMAXUB\0" "\x07" "VPMAXUB\0" \
206 | "\x05" "PANDN\0" "\x06" "VPANDN\0" "\x05" "PAVGB\0" "\x06" "VPAVGB\0" \
207 | "\x05" "PSRAW\0" "\x06" "VPSRAW\0" "\x05" "PSRAD\0" "\x06" "VPSRAD\0" \
208 | "\x05" "PAVGW\0" "\x06" "VPAVGW\0" "\x07" "PMULHUW\0" "\x08" "VPMULHUW\0" \
209 | "\x06" "PMULHW\0" "\x07" "VPMULHW\0" "\x09" "CVTTPD2DQ\0" "\x08" "CVTDQ2PD\0" \
210 | "\x08" "CVTPD2DQ\0" "\x0a" "VCVTTPD2DQ\0" "\x09" "VCVTDQ2PD\0" "\x09" "VCVTPD2DQ\0" \
211 | "\x06" "MOVNTQ\0" "\x07" "MOVNTDQ\0" "\x08" "VMOVNTDQ\0" "\x06" "PSUBSB\0" \
212 | "\x07" "VPSUBSB\0" "\x06" "PSUBSW\0" "\x07" "VPSUBSW\0" "\x06" "PMINSW\0" \
213 | "\x07" "VPMINSW\0" "\x03" "POR\0" "\x04" "VPOR\0" "\x06" "PADDSB\0" \
214 | "\x07" "VPADDSB\0" "\x06" "PADDSW\0" "\x07" "VPADDSW\0" "\x06" "PMAXSW\0" \
215 | "\x07" "VPMAXSW\0" "\x04" "PXOR\0" "\x05" "VPXOR\0" "\x05" "LDDQU\0" \
216 | "\x06" "VLDDQU\0" "\x05" "PSLLW\0" "\x06" "VPSLLW\0" "\x05" "PSLLD\0" \
217 | "\x06" "VPSLLD\0" "\x05" "PSLLQ\0" "\x06" "VPSLLQ\0" "\x07" "PMULUDQ\0" \
218 | "\x08" "VPMULUDQ\0" "\x07" "PMADDWD\0" "\x08" "VPMADDWD\0" "\x06" "PSADBW\0" \
219 | "\x07" "VPSADBW\0" "\x08" "MASKMOVQ\0" "\x0a" "MASKMOVDQU\0" "\x0b" "VMASKMOVDQU\0" \
220 | "\x05" "PSUBB\0" "\x06" "VPSUBB\0" "\x05" "PSUBW\0" "\x06" "VPSUBW\0" \
221 | "\x05" "PSUBD\0" "\x06" "VPSUBD\0" "\x05" "PSUBQ\0" "\x06" "VPSUBQ\0" \
222 | "\x05" "PADDB\0" "\x06" "VPADDB\0" "\x05" "PADDW\0" "\x06" "VPADDW\0" \
223 | "\x05" "PADDD\0" "\x06" "VPADDD\0" "\x07" "FNSTENV\0" "\x06" "FSTENV\0" \
224 | "\x06" "FNSTCW\0" "\x05" "FSTCW\0" "\x06" "FNCLEX\0" "\x05" "FCLEX\0" \
225 | "\x06" "FNINIT\0" "\x05" "FINIT\0" "\x06" "FNSAVE\0" "\x05" "FSAVE\0" \
226 | "\x06" "FNSTSW\0" "\x05" "FSTSW\0" "\x06" "PSHUFB\0" "\x07" "VPSHUFB\0" \
227 | "\x06" "PHADDW\0" "\x07" "VPHADDW\0" "\x06" "PHADDD\0" "\x07" "VPHADDD\0" \
228 | "\x07" "PHADDSW\0" "\x08" "VPHADDSW\0" "\x09" "PMADDUBSW\0" "\x0a" "VPMADDUBSW\0" \
229 | "\x06" "PHSUBW\0" "\x07" "VPHSUBW\0" "\x06" "PHSUBD\0" "\x07" "VPHSUBD\0" \
230 | "\x07" "PHSUBSW\0" "\x08" "VPHSUBSW\0" "\x06" "PSIGNB\0" "\x07" "VPSIGNB\0" \
231 | "\x06" "PSIGNW\0" "\x07" "VPSIGNW\0" "\x06" "PSIGND\0" "\x07" "VPSIGND\0" \
232 | "\x08" "PMULHRSW\0" "\x09" "VPMULHRSW\0" "\x09" "VPERMILPS\0" "\x09" "VPERMILPD\0" \
233 | "\x07" "VTESTPS\0" "\x07" "VTESTPD\0" "\x08" "PBLENDVB\0" "\x08" "BLENDVPS\0" \
234 | "\x08" "BLENDVPD\0" "\x05" "PTEST\0" "\x06" "VPTEST\0" "\x0c" "VBROADCASTSS\0" \
235 | "\x0c" "VBROADCASTSD\0" "\x0e" "VBROADCASTF128\0" "\x05" "PABSB\0" "\x06" "VPABSB\0" \
236 | "\x05" "PABSW\0" "\x06" "VPABSW\0" "\x05" "PABSD\0" "\x06" "VPABSD\0" \
237 | "\x08" "PMOVSXBW\0" "\x09" "VPMOVSXBW\0" "\x08" "PMOVSXBD\0" "\x09" "VPMOVSXBD\0" \
238 | "\x08" "PMOVSXBQ\0" "\x09" "VPMOVSXBQ\0" "\x08" "PMOVSXWD\0" "\x09" "VPMOVSXWD\0" \
239 | "\x08" "PMOVSXWQ\0" "\x09" "VPMOVSXWQ\0" "\x08" "PMOVSXDQ\0" "\x09" "VPMOVSXDQ\0" \
240 | "\x06" "PMULDQ\0" "\x07" "VPMULDQ\0" "\x07" "PCMPEQQ\0" "\x08" "VPCMPEQQ\0" \
241 | "\x08" "MOVNTDQA\0" "\x09" "VMOVNTDQA\0" "\x08" "PACKUSDW\0" "\x09" "VPACKUSDW\0" \
242 | "\x0a" "VMASKMOVPS\0" "\x0a" "VMASKMOVPD\0" "\x08" "PMOVZXBW\0" "\x09" "VPMOVZXBW\0" \
243 | "\x08" "PMOVZXBD\0" "\x09" "VPMOVZXBD\0" "\x08" "PMOVZXBQ\0" "\x09" "VPMOVZXBQ\0" \
244 | "\x08" "PMOVZXWD\0" "\x09" "VPMOVZXWD\0" "\x08" "PMOVZXWQ\0" "\x09" "VPMOVZXWQ\0" \
245 | "\x08" "PMOVZXDQ\0" "\x09" "VPMOVZXDQ\0" "\x07" "PCMPGTQ\0" "\x08" "VPCMPGTQ\0" \
246 | "\x06" "PMINSB\0" "\x07" "VPMINSB\0" "\x06" "PMINSD\0" "\x07" "VPMINSD\0" \
247 | "\x06" "PMINUW\0" "\x07" "VPMINUW\0" "\x06" "PMINUD\0" "\x07" "VPMINUD\0" \
248 | "\x06" "PMAXSB\0" "\x07" "VPMAXSB\0" "\x06" "PMAXSD\0" "\x07" "VPMAXSD\0" \
249 | "\x06" "PMAXUW\0" "\x07" "VPMAXUW\0" "\x06" "PMAXUD\0" "\x07" "VPMAXUD\0" \
250 | "\x06" "PMULLD\0" "\x07" "VPMULLD\0" "\x0a" "PHMINPOSUW\0" "\x0b" "VPHMINPOSUW\0" \
251 | "\x06" "INVEPT\0" "\x07" "INVVPID\0" "\x07" "INVPCID\0" "\x0e" "VFMADDSUB132PS\0" \
252 | "\x0e" "VFMADDSUB132PD\0" "\x0e" "VFMSUBADD132PS\0" "\x0e" "VFMSUBADD132PD\0" \
253 | "\x0b" "VFMADD132PS\0" "\x0b" "VFMADD132PD\0" "\x0b" "VFMADD132SS\0" \
254 | "\x0b" "VFMADD132SD\0" "\x0b" "VFMSUB132PS\0" "\x0b" "VFMSUB132PD\0" \
255 | "\x0b" "VFMSUB132SS\0" "\x0b" "VFMSUB132SD\0" "\x0c" "VFNMADD132PS\0" \
256 | "\x0c" "VFNMADD132PD\0" "\x0c" "VFNMADD132SS\0" "\x0c" "VFNMADD132SD\0" \
257 | "\x0c" "VFNMSUB132PS\0" "\x0c" "VFNMSUB132PD\0" "\x0c" "VFNMSUB132SS\0" \
258 | "\x0c" "VFNMSUB132SD\0" "\x0e" "VFMADDSUB213PS\0" "\x0e" "VFMADDSUB213PD\0" \
259 | "\x0e" "VFMSUBADD213PS\0" "\x0e" "VFMSUBADD213PD\0" "\x0b" "VFMADD213PS\0" \
260 | "\x0b" "VFMADD213PD\0" "\x0b" "VFMADD213SS\0" "\x0b" "VFMADD213SD\0" \
261 | "\x0b" "VFMSUB213PS\0" "\x0b" "VFMSUB213PD\0" "\x0b" "VFMSUB213SS\0" \
262 | "\x0b" "VFMSUB213SD\0" "\x0c" "VFNMADD213PS\0" "\x0c" "VFNMADD213PD\0" \
263 | "\x0c" "VFNMADD213SS\0" "\x0c" "VFNMADD213SD\0" "\x0c" "VFNMSUB213PS\0" \
264 | "\x0c" "VFNMSUB213PD\0" "\x0c" "VFNMSUB213SS\0" "\x0c" "VFNMSUB213SD\0" \
265 | "\x0e" "VFMADDSUB231PS\0" "\x0e" "VFMADDSUB231PD\0" "\x0e" "VFMSUBADD231PS\0" \
266 | "\x0e" "VFMSUBADD231PD\0" "\x0b" "VFMADD231PS\0" "\x0b" "VFMADD231PD\0" \
267 | "\x0b" "VFMADD231SS\0" "\x0b" "VFMADD231SD\0" "\x0b" "VFMSUB231PS\0" \
268 | "\x0b" "VFMSUB231PD\0" "\x0b" "VFMSUB231SS\0" "\x0b" "VFMSUB231SD\0" \
269 | "\x0c" "VFNMADD231PS\0" "\x0c" "VFNMADD231PD\0" "\x0c" "VFNMADD231SS\0" \
270 | "\x0c" "VFNMADD231SD\0" "\x0c" "VFNMSUB231PS\0" "\x0c" "VFNMSUB231PD\0" \
271 | "\x0c" "VFNMSUB231SS\0" "\x0c" "VFNMSUB231SD\0" "\x06" "AESIMC\0" "\x07" "VAESIMC\0" \
272 | "\x06" "AESENC\0" "\x07" "VAESENC\0" "\x0a" "AESENCLAST\0" "\x0b" "VAESENCLAST\0" \
273 | "\x06" "AESDEC\0" "\x07" "VAESDEC\0" "\x0a" "AESDECLAST\0" "\x0b" "VAESDECLAST\0" \
274 | "\x05" "MOVBE\0" "\x05" "CRC32\0" "\x0a" "VPERM2F128\0" "\x07" "ROUNDPS\0" \
275 | "\x08" "VROUNDPS\0" "\x07" "ROUNDPD\0" "\x08" "VROUNDPD\0" "\x07" "ROUNDSS\0" \
276 | "\x08" "VROUNDSS\0" "\x07" "ROUNDSD\0" "\x08" "VROUNDSD\0" "\x07" "BLENDPS\0" \
277 | "\x08" "VBLENDPS\0" "\x07" "BLENDPD\0" "\x08" "VBLENDPD\0" "\x07" "PBLENDW\0" \
278 | "\x08" "VPBLENDW\0" "\x07" "PALIGNR\0" "\x08" "VPALIGNR\0" "\x06" "PEXTRB\0" \
279 | "\x07" "VPEXTRB\0" "\x06" "PEXTRD\0" "\x06" "PEXTRQ\0" "\x07" "VPEXTRD\0" \
280 | "\x07" "VPEXTRQ\0" "\x09" "EXTRACTPS\0" "\x0a" "VEXTRACTPS\0" "\x0b" "VINSERTF128\0" \
281 | "\x0c" "VEXTRACTF128\0" "\x06" "PINSRB\0" "\x07" "VPINSRB\0" "\x08" "INSERTPS\0" \
282 | "\x09" "VINSERTPS\0" "\x06" "PINSRD\0" "\x06" "PINSRQ\0" "\x07" "VPINSRD\0" \
283 | "\x07" "VPINSRQ\0" "\x04" "DPPS\0" "\x05" "VDPPS\0" "\x04" "DPPD\0" \
284 | "\x05" "VDPPD\0" "\x07" "MPSADBW\0" "\x08" "VMPSADBW\0" "\x09" "PCLMULQDQ\0" \
285 | "\x0a" "VPCLMULQDQ\0" "\x09" "VBLENDVPS\0" "\x09" "VBLENDVPD\0" "\x09" "VPBLENDVB\0" \
286 | "\x09" "PCMPESTRM\0" "\x0a" "VPCMPESTRM\0" "\x09" "PCMPESTRI\0" "\x0a" "VPCMPESTRI\0" \
287 | "\x09" "PCMPISTRM\0" "\x0a" "VPCMPISTRM\0" "\x09" "PCMPISTRI\0" "\x0a" "VPCMPISTRI\0" \
288 | "\x0f" "AESKEYGENASSIST\0" "\x10" "VAESKEYGENASSIST\0" "\x06" "PSRLDQ\0" \
289 | "\x07" "VPSRLDQ\0" "\x06" "PSLLDQ\0" "\x07" "VPSLLDQ\0" "\x06" "FXSAVE\0" \
290 | "\x08" "FXSAVE64\0" "\x08" "RDFSBASE\0" "\x07" "FXRSTOR\0" "\x09" "FXRSTOR64\0" \
291 | "\x08" "RDGSBASE\0" "\x07" "LDMXCSR\0" "\x08" "WRFSBASE\0" "\x08" "VLDMXCSR\0" \
292 | "\x07" "STMXCSR\0" "\x08" "WRGSBASE\0" "\x08" "VSTMXCSR\0" "\x07" "VMPTRLD\0" \
293 | "\x07" "VMCLEAR\0" "\x05" "VMXON\0" "\x06" "MOVSXD\0" "\x05" "PAUSE\0" \
294 | "\x04" "WAIT\0" "\x06" "RDRAND\0" "\x06" "_3DNOW\0";
295 |
296 | const _WRegister _REGISTERS[] = {
297 | { 3, "RAX" }, { 3, "RCX" }, { 3, "RDX" }, { 3, "RBX" }, { 3, "RSP" }, { 3, "RBP" }, { 3, "RSI" }, { 3, "RDI" }, { 2, "R8" }, { 2, "R9" }, { 3, "R10" }, { 3, "R11" }, { 3, "R12" }, { 3, "R13" }, { 3, "R14" }, { 3, "R15" },
298 | { 3, "EAX" }, { 3, "ECX" }, { 3, "EDX" }, { 3, "EBX" }, { 3, "ESP" }, { 3, "EBP" }, { 3, "ESI" }, { 3, "EDI" }, { 3, "R8D" }, { 3, "R9D" }, { 4, "R10D" }, { 4, "R11D" }, { 4, "R12D" }, { 4, "R13D" }, { 4, "R14D" }, { 4, "R15D" },
299 | { 2, "AX" }, { 2, "CX" }, { 2, "DX" }, { 2, "BX" }, { 2, "SP" }, { 2, "BP" }, { 2, "SI" }, { 2, "DI" }, { 3, "R8W" }, { 3, "R9W" }, { 4, "R10W" }, { 4, "R11W" }, { 4, "R12W" }, { 4, "R13W" }, { 4, "R14W" }, { 4, "R15W" },
300 | { 2, "AL" }, { 2, "CL" }, { 2, "DL" }, { 2, "BL" }, { 2, "AH" }, { 2, "CH" }, { 2, "DH" }, { 2, "BH" }, { 3, "R8B" }, { 3, "R9B" }, { 4, "R10B" }, { 4, "R11B" }, { 4, "R12B" }, { 4, "R13B" }, { 4, "R14B" }, { 4, "R15B" },
301 | { 3, "SPL" }, { 3, "BPL" }, { 3, "SIL" }, { 3, "DIL" },
302 | { 2, "ES" }, { 2, "CS" }, { 2, "SS" }, { 2, "DS" }, { 2, "FS" }, { 2, "GS" },
303 | { 3, "RIP" },
304 | { 3, "ST0" }, { 3, "ST1" }, { 3, "ST2" }, { 3, "ST3" }, { 3, "ST4" }, { 3, "ST5" }, { 3, "ST6" }, { 3, "ST7" },
305 | { 3, "MM0" }, { 3, "MM1" }, { 3, "MM2" }, { 3, "MM3" }, { 3, "MM4" }, { 3, "MM5" }, { 3, "MM6" }, { 3, "MM7" },
306 | { 4, "XMM0" }, { 4, "XMM1" }, { 4, "XMM2" }, { 4, "XMM3" }, { 4, "XMM4" }, { 4, "XMM5" }, { 4, "XMM6" }, { 4, "XMM7" }, { 4, "XMM8" }, { 4, "XMM9" }, { 5, "XMM10" }, { 5, "XMM11" }, { 5, "XMM12" }, { 5, "XMM13" }, { 5, "XMM14" }, { 5, "XMM15" },
307 | { 4, "YMM0" }, { 4, "YMM1" }, { 4, "YMM2" }, { 4, "YMM3" }, { 4, "YMM4" }, { 4, "YMM5" }, { 4, "YMM6" }, { 4, "YMM7" }, { 4, "YMM8" }, { 4, "YMM9" }, { 5, "YMM10" }, { 5, "YMM11" }, { 5, "YMM12" }, { 5, "YMM13" }, { 5, "YMM14" }, { 5, "YMM15" },
308 | { 3, "CR0" }, { 0, "" }, { 3, "CR2" }, { 3, "CR3" }, { 3, "CR4" }, { 0, "" }, { 0, "" }, { 0, "" }, { 3, "CR8" },
309 | { 3, "DR0" }, { 3, "DR1" }, { 3, "DR2" }, { 3, "DR3" }, { 0, "" }, { 0, "" }, { 3, "DR6" }, { 3, "DR7" }
310 | };
311 |
312 | #endif /* DISTORM_LIGHT */
313 |
--------------------------------------------------------------------------------