mirror of
https://github.com/bitdefender/bddisasm.git
synced 2024-12-22 14:08:08 +00:00
Added support for AESDEC, AESDECLAST and AESIMC emulation, using compiler intrinsics - they will be used only if the SHEMU_OPT_SUPPORT_AES is set (so the integrator can properly check for AES-NI support in hardware).
Fixed shemu option on Linux - make sure proper RIP is provided.
This commit is contained in:
parent
83ee0d120d
commit
f8a3011a49
@ -95,7 +95,7 @@ set(BDDISASM_COMPILE_OPTIONS
|
||||
-g3
|
||||
-gdwarf-4
|
||||
-grecord-gcc-switches
|
||||
-march=nehalem
|
||||
-march=westmere
|
||||
)
|
||||
|
||||
target_compile_options(bddisasm PRIVATE ${BDDISASM_COMPILE_OPTIONS})
|
||||
|
@ -10,7 +10,7 @@
|
||||
#include "nd_crt.h"
|
||||
#include "bddisasm.h"
|
||||
#include "bdshemu.h"
|
||||
|
||||
#include <immintrin.h>
|
||||
|
||||
//
|
||||
// A generic emulator value.
|
||||
@ -357,7 +357,7 @@ ShemuSetFlags(
|
||||
else if (FM_SHL == FlagsMode)
|
||||
{
|
||||
// CF is the last bit shifted out of the destination.
|
||||
if (ND_GET_BIT(Src1, (Size * 8) - Src2))
|
||||
if (ND_GET_BIT(Src1, (Size * 8ULL) - Src2))
|
||||
{
|
||||
Context->Registers.RegFlags |= NDR_RFLAG_CF;
|
||||
}
|
||||
@ -368,7 +368,7 @@ ShemuSetFlags(
|
||||
|
||||
if (Src2 == 1)
|
||||
{
|
||||
if (ND_GET_BIT(Size * 8 - 1, Dst) ^ ND_GET_BIT(Src1, (Size * 8) - Src2))
|
||||
if (ND_GET_BIT(Size * 8ULL - 1, Dst) ^ ND_GET_BIT(Src1, (Size * 8ULL) - Src2))
|
||||
{
|
||||
Context->Registers.RegFlags |= NDR_RFLAG_OF;
|
||||
}
|
||||
@ -1351,6 +1351,7 @@ ShemuSetOperandValue(
|
||||
if (ShemuIsStackPtr(Context, gla, MAX(op->Size, Context->Instruction.WordLength)))
|
||||
{
|
||||
uint8_t stckstrlen = 0;
|
||||
uint32_t i;
|
||||
|
||||
// Note: only Context->Instruction.WordLength bits are flagged as RIP, as that is the RIP size.
|
||||
if (Context->Instruction.Instruction == ND_INS_CALLNR ||
|
||||
@ -1384,7 +1385,7 @@ ShemuSetOperandValue(
|
||||
// Note that we will ignore registers which have not been modified during emulation; those are considered
|
||||
// input values for the emulated code, and may be pointers or other data. We are interested only in
|
||||
// stack values built within the emulate code.
|
||||
for (uint32_t i = 0; i < Value->Size; i++)
|
||||
for (i = 0; i < Value->Size; i++)
|
||||
{
|
||||
unsigned char c = Value->Value.Bytes[i];
|
||||
|
||||
@ -1402,7 +1403,7 @@ ShemuSetOperandValue(
|
||||
if (stckstrlen == Value->Size)
|
||||
{
|
||||
// Make sure the value is not present inside a non-dirty GPR.
|
||||
for (uint32_t i = 0; i < 16; i++)
|
||||
for (i = 0; i < 16; i++)
|
||||
{
|
||||
if (ShemuCmpGprValue(Context, i, Value->Size, Value->Value.Qwords[0], false) &&
|
||||
(0 == (Context->DirtyGprBitmap & (1 << i))))
|
||||
@ -1696,6 +1697,7 @@ ShemuEmulate(
|
||||
{
|
||||
NDSTATUS ndstatus;
|
||||
uint64_t rip;
|
||||
uint32_t i;
|
||||
|
||||
// The stop flag has been set, this means we've reached a valid instruction, but that instruction cannot be
|
||||
// emulated (for example, SYSCALL, INT, system instructions, etc).
|
||||
@ -2182,7 +2184,7 @@ ShemuEmulate(
|
||||
GET_OP(Context, 0, &dst);
|
||||
GET_OP(Context, 1, &src);
|
||||
|
||||
src.Value.Qwords[0] %= dst.Size * 8;
|
||||
src.Value.Qwords[0] %= dst.Size * 8ULL;
|
||||
|
||||
// Store the bit inside CF.
|
||||
SET_FLAG(Context, NDR_RFLAG_CF, (dst.Value.Qwords[0] >> src.Value.Qwords[0]) & 1);
|
||||
@ -2811,7 +2813,7 @@ ShemuEmulate(
|
||||
case ND_INS_PXOR:
|
||||
GET_OP(Context, 0, &dst);
|
||||
GET_OP(Context, 1, &src);
|
||||
for (uint32_t i = 0; i < dst.Size; i++)
|
||||
for (i = 0; i < dst.Size; i++)
|
||||
{
|
||||
dst.Value.Bytes[i] ^= src.Value.Bytes[i];
|
||||
}
|
||||
@ -2839,7 +2841,7 @@ ShemuEmulate(
|
||||
case ND_INS_VPBROADCASTQ:
|
||||
GET_OP(Context, 1, &src);
|
||||
dst.Size = Context->Instruction.Operands[0].Size;
|
||||
for (uint32_t i = 0; i < dst.Size / src.Size; i++)
|
||||
for (i = 0; i < dst.Size / src.Size; i++)
|
||||
{
|
||||
switch (src.Size)
|
||||
{
|
||||
@ -2863,7 +2865,7 @@ ShemuEmulate(
|
||||
case ND_INS_VPXOR:
|
||||
GET_OP(Context, 1, &dst);
|
||||
GET_OP(Context, 2, &src);
|
||||
for (uint32_t i = 0; i < dst.Size; i++)
|
||||
for (i = 0; i < dst.Size; i++)
|
||||
{
|
||||
dst.Value.Bytes[i] ^= src.Value.Bytes[i];
|
||||
}
|
||||
@ -2928,6 +2930,45 @@ ShemuEmulate(
|
||||
stop = true;
|
||||
break;
|
||||
|
||||
case ND_INS_AESIMC:
|
||||
case ND_INS_AESDEC:
|
||||
case ND_INS_AESDECLAST:
|
||||
{
|
||||
__m128i val, key;
|
||||
|
||||
// Make sure AES support is present, and we can emulate AES decryption using AES instructions.
|
||||
if (0 == (Context->Options & SHEMU_OPT_SUPPORT_AES))
|
||||
{
|
||||
stop = true;
|
||||
break;
|
||||
}
|
||||
|
||||
GET_OP(Context, 0, &dst);
|
||||
GET_OP(Context, 1, &src);
|
||||
|
||||
shemu_memcpy(&val, &dst, 16);
|
||||
shemu_memcpy(&key, &src, 16);
|
||||
|
||||
if (Context->Instruction.Instruction == ND_INS_AESDEC)
|
||||
{
|
||||
val = _mm_aesdec_si128(val, key);
|
||||
}
|
||||
else if (Context->Instruction.Instruction == ND_INS_AESDECLAST)
|
||||
{
|
||||
val = _mm_aesdeclast_si128(val, key);
|
||||
}
|
||||
else if (Context->Instruction.Instruction == ND_INS_AESIMC)
|
||||
{
|
||||
val = _mm_aesimc_si128(key);
|
||||
}
|
||||
|
||||
shemu_memcpy(&dst, &val, 16);
|
||||
|
||||
SET_OP(Context, 0, &dst);
|
||||
break;
|
||||
}
|
||||
|
||||
|
||||
default:
|
||||
return SHEMU_ABORT_UNSUPPORTED_INSTRUX;
|
||||
}
|
||||
|
@ -50,8 +50,11 @@
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugKernel|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
|
||||
<SupportsPackaging>false</SupportsPackaging>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
@ -63,9 +66,12 @@
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseKernel|Win32'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
|
||||
<WholeProgramOptimization>true</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
|
||||
<SupportsPackaging>false</SupportsPackaging>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
@ -76,8 +82,11 @@
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='DebugKernel|x64'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>true</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
|
||||
<SupportsPackaging>false</SupportsPackaging>
|
||||
</PropertyGroup>
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
@ -89,9 +98,12 @@
|
||||
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='ReleaseKernel|x64'" Label="Configuration">
|
||||
<ConfigurationType>StaticLibrary</ConfigurationType>
|
||||
<UseDebugLibraries>false</UseDebugLibraries>
|
||||
<PlatformToolset>v142</PlatformToolset>
|
||||
<PlatformToolset>WindowsKernelModeDriver10.0</PlatformToolset>
|
||||
<WholeProgramOptimization>false</WholeProgramOptimization>
|
||||
<CharacterSet>Unicode</CharacterSet>
|
||||
<TargetVersion>Windows7</TargetVersion>
|
||||
<DriverTargetPlatform>Desktop</DriverTargetPlatform>
|
||||
<SupportsPackaging>false</SupportsPackaging>
|
||||
</PropertyGroup>
|
||||
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
|
||||
<ImportGroup Label="ExtensionSettings">
|
||||
@ -201,6 +213,7 @@
|
||||
<AdditionalIncludeDirectories>..\inc;..\bddisasm\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName>
|
||||
<AdditionalOptions>/kernel /d1import_no_registry /d2AllowCompatibleILVersions /d2Zi+ %(AdditionalOptions)</AdditionalOptions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
@ -259,7 +272,7 @@
|
||||
<BasicRuntimeChecks>Default</BasicRuntimeChecks>
|
||||
<IgnoreStandardIncludePath>false</IgnoreStandardIncludePath>
|
||||
<DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
|
||||
<AdditionalOptions>/D "AMD64" %(AdditionalOptions)</AdditionalOptions>
|
||||
<AdditionalOptions>/kernel /D "AMD64" %(AdditionalOptions)</AdditionalOptions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
@ -315,6 +328,7 @@
|
||||
<AdditionalIncludeDirectories>..\inc;..\bddisasm\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<TreatWarningAsError>true</TreatWarningAsError>
|
||||
<ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName>
|
||||
<AdditionalOptions> /kernel /d1nodatetime %(AdditionalOptions)</AdditionalOptions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
@ -386,7 +400,7 @@
|
||||
<ProgramDataBaseFileName>$(SolutionDir)bin\$(Platform)\$(Configuration)\$(ProjectName).pdb</ProgramDataBaseFileName>
|
||||
<ExceptionHandling>Sync</ExceptionHandling>
|
||||
<MinimalRebuild>true</MinimalRebuild>
|
||||
<AdditionalOptions>/D "AMD64" %(AdditionalOptions)</AdditionalOptions>
|
||||
<AdditionalOptions>/kernel /D "AMD64" %(AdditionalOptions)</AdditionalOptions>
|
||||
</ClCompile>
|
||||
<Link>
|
||||
<SubSystem>Console</SubSystem>
|
||||
|
@ -1520,6 +1520,17 @@ handle_shemu(
|
||||
ctx.StrThreshold = SHEMU_DEFAULT_STR_THRESHOLD;
|
||||
ctx.MemThreshold = SHEMU_DEFAULT_MEM_THRESHOLD;
|
||||
|
||||
// Check for AES support.
|
||||
int regs[4] = { 0 };
|
||||
|
||||
__cpuid(regs, 1);
|
||||
|
||||
// CPUID leaf function 1, register ECX, bit 25 indicates AES-NI support.
|
||||
if (!!(regs[2] & (1UL << 25)))
|
||||
{
|
||||
ctx.Options |= SHEMU_OPT_SUPPORT_AES;
|
||||
}
|
||||
|
||||
if (Options->UseShemuRegs)
|
||||
{
|
||||
// Copy the new GPRs
|
||||
|
@ -7,6 +7,7 @@
|
||||
#include <memory>
|
||||
#include <limits>
|
||||
#include <cmath>
|
||||
#include <cpuid.h>
|
||||
|
||||
#include "external/argparse.h"
|
||||
|
||||
@ -526,7 +527,7 @@ void shemu(options &opts)
|
||||
ctx.IntbufSize = opts.actual_size + STACK_SIZE;
|
||||
|
||||
ctx.Registers.RegFlags = NDR_RFLAG_IF | 2;
|
||||
ctx.Registers.RegRip = opts.rip;
|
||||
ctx.Registers.RegRip = opts.rip ? opts.rip : 0x200000;
|
||||
ctx.Segments.Cs.Selector = 0x10;
|
||||
ctx.Segments.Ds.Selector = 0x28;
|
||||
ctx.Segments.Es.Selector = 0x28;
|
||||
@ -547,6 +548,17 @@ void shemu(options &opts)
|
||||
ctx.Options = SHEMU_OPT_TRACE_EMULATION;
|
||||
ctx.Log = shemu_log;
|
||||
ctx.AccessMemory = shemu_access_mem;
|
||||
|
||||
uint32_t eax, ebx, ecx, edx;
|
||||
|
||||
eax = ebx = ecx = edx = 0;
|
||||
|
||||
__get_cpuid(1, &eax, &ebx, &ecx, &edx);
|
||||
|
||||
if (!!(ecx & (1UL << 25)))
|
||||
{
|
||||
ctx.Options |= SHEMU_OPT_SUPPORT_AES;
|
||||
}
|
||||
|
||||
// Configurable thresholds.
|
||||
ctx.NopThreshold = SHEMU_DEFAULT_NOP_THRESHOLD;
|
||||
|
@ -263,6 +263,9 @@ typedef unsigned int SHEMU_STATUS;
|
||||
//
|
||||
#define SHEMU_OPT_TRACE_EMULATION 0x00000001 // Trace each emulated instruction.
|
||||
#define SHEMU_OPT_STOP_ON_EXPLOIT 0x00000002 // When shellcode indications are confirmed, stop emulation.
|
||||
#define SHEMU_OPT_SUPPORT_AES 0x00010000 // Indicates that AES instructions are supported, and
|
||||
// therefore, the AES intrinsics can be used to emulate
|
||||
// AES decryption.
|
||||
|
||||
|
||||
//
|
||||
|
@ -7,6 +7,6 @@
|
||||
|
||||
#define DISASM_VERSION_MAJOR 1
|
||||
#define DISASM_VERSION_MINOR 31
|
||||
#define DISASM_VERSION_REVISION 4
|
||||
#define DISASM_VERSION_REVISION 5
|
||||
|
||||
#endif // DISASM_VER_H
|
||||
|
@ -12,7 +12,7 @@ from setuptools import find_packages, setup, Command, Extension, Distribution
|
||||
from codecs import open
|
||||
|
||||
VERSION = (0, 1, 3)
|
||||
LIBRARY_VERSION = (1, 31, 4)
|
||||
LIBRARY_VERSION = (1, 31, 5)
|
||||
LIBRARY_INSTRUX_SIZE = 864
|
||||
|
||||
packages = ['pybddisasm']
|
||||
|
Loading…
Reference in New Issue
Block a user