On Fri, 2017-05-05 at 19:28 +0200, Borislav Petkov wrote:
> On Wed, Apr 26, 2017 at 03:52:41PM -0700, Ricardo Neri wrote:
> > Probably insn_get_seg_base() itself can verify if there are segment override prefixes in the struct insn. If yes, use them except for specific cases such as CS.
>
> ... and depending on whether in long mode or not.

Yes, in my v7 I ignore the segment register if we are in long mode [1].

> > On an unrelated note, I still have the problem of using DS vs ES for string instructions. Perhaps instead of a use_default_seg flag, a string_instruction flag that indicates how to determine the default segment.
>
> ... or you can look at the insn opcode directly. AFAICT, you need to check whether the opcode is 0xa4 or 0xa5 and that the insn is a single-byte opcode, i.e., not from the secondary map escaped with 0xf or some of the other multi-byte opcode maps.

In my v7, I have added a section to my function resolve_seg_register() that ignores segment overrides if it sees string instructions and the register EDI and defaults to ES. If the register is EIP, it defaults to CS. To determine if an instruction is a string instruction I do check for the size of the opcode and the opcodes that you mention plus others based on the Intel Software Development Manual [2].

[1]. https://lkml.org/lkml/2017/5/5/405
[2]. https://lkml.org/lkml/2017/5/5/410

Thanks and BR,
Ricardo

> --
> Regards/Gruss,
>     Boris.
>
> SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
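The segment-selection rule the thread converges on, written out as a small stand-alone C model; this is an added example, not Ricardo's patch nor the kernel's insn decoder. The `struct decoded`, `prefix_to_seg`, `scan_prefixes`, `is_string_insn` and `resolve_seg_register` names are constructed for this example (the kernel's `struct insn` already carries decoded prefixes), the string-opcode list goes beyond the two opcodes named in the mail to the full single-byte-map set, and the long-mode handling assumes the x86-64 rule that only FS and GS override bases still apply.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

enum seg { SEG_ES, SEG_CS, SEG_SS, SEG_DS, SEG_FS, SEG_GS, SEG_NONE };
enum reg { REG_EAX, REG_EBP, REG_ESP, REG_ESI, REG_EDI, REG_EIP, REG_OTHER };
/* Constructed stand-in for the kernel's struct insn: raw bytes plus CPU mode. */
struct decoded { const uint8_t *bytes; size_t len; bool long_mode; };

/* Map a legacy segment-override prefix byte to its segment, SEG_NONE otherwise. */
static enum seg prefix_to_seg(uint8_t b)
{
    switch (b) {
    case 0x26: return SEG_ES; case 0x2e: return SEG_CS; case 0x36: return SEG_SS;
    case 0x3e: return SEG_DS; case 0x64: return SEG_FS; case 0x65: return SEG_GS;
    default:   return SEG_NONE;
    }
}

/* Skip legacy (and, in long mode, REX) prefixes; return the opcode index and the last override seen. */
static size_t scan_prefixes(const struct decoded *d, enum seg *ovr)
{
    size_t i = 0;
    for (*ovr = SEG_NONE; i < d->len; i++) {
        uint8_t b = d->bytes[i];
        enum seg s = prefix_to_seg(b);
        if (s != SEG_NONE) { *ovr = s; continue; }
        if (b == 0x66 || b == 0x67 || b == 0xf0 || b == 0xf2 || b == 0xf3) continue;
        if (d->long_mode && (b & 0xf0) == 0x40) continue;   /* REX */
        break;
    }
    return i;
}

/* String instructions exist only in the single-byte opcode map, so a 0x0f escape rules them
 * out: INS/OUTS 0x6c-0x6f, MOVS/CMPS 0xa4-0xa7, STOS/LODS/SCAS 0xaa-0xaf. */
bool is_string_insn(const struct decoded *d)
{
    enum seg unused; size_t i = scan_prefixes(d, &unused);
    if (i >= d->len) return false;
    uint8_t op = d->bytes[i];
    return (op >= 0x6c && op <= 0x6f) || (op >= 0xa4 && op <= 0xa7) || (op >= 0xaa && op <= 0xaf);
}

/* Pick the segment whose base applies to an operand addressed through register r. */
enum seg resolve_seg_register(const struct decoded *d, enum reg r)
{
    enum seg ovr;
    scan_prefixes(d, &ovr);
    if (r == REG_EIP) return SEG_CS;                       /* code fetch: always CS */
    if (r == REG_EDI && is_string_insn(d)) return SEG_ES;  /* string destination: always ES */
    if (d->long_mode && ovr != SEG_FS && ovr != SEG_GS) ovr = SEG_NONE; /* flat segments in 64-bit */
    if (ovr != SEG_NONE) return ovr;
    return (r == REG_ESP || r == REG_EBP) ? SEG_SS : SEG_DS;
}
```

The constructed inputs below are raw byte sequences such as `3e a4` (ds: movsb) and `0f a4 c2 04` (shld, which shares the 0xa4 byte but sits in the 0x0f-escaped map).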