Mirrors
/
ioc-collection
mirror of https://github.com/avast/ioc
6
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

VB Scripting examples

This commit is contained in:
Michal Salát 2023-01-04 16:31:51 +01:00 committed by GitHub
parent 7793f1fed3
commit aa0c9e4fb4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
55 changed files with 17207 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
VB-Research/ReadMe.txt Normal file
View File

@ -0,0 +1,45 @@
Credits:
-----------------------------
NTCore Hooking Engine written by Daniel Pistelli ntcore at gmail dot com (slightly modified)
https://ntcore.com/files/nthookengine.htm
diStorm x86/x64 BSD disassembler engine
Copyright (C) 2003-2012 Gil Dabah. diStorm at gmail dot com.
https://github.com/gdabah/distorm
vb_structs.h is from vbParser by sysenter-eip
openscript.dll and injector written by David Zimmer dzzie@yahoo.com
http://sandsprite.com
About:
-----------------------------
This is a research project aimed at making any VB6 application scriptable.
This starts with an injection dll that hooks some functions in the vb runtime,
patches internal class ObjectTypes, and registers the vb.global.forms
object in the Running Object Table (ROT)
Now all of the forms, embedded controls, public methods/variables/classes are accessible
as if it were an ActiveX exe. Clients can include WSH scripts, python scripts, VB6 etc.
Basically any language that use COM objects.
A brief overview of the technique is as follows:
- VB6 process is started with an injection dll
- New thread hooks CVBApplication_Init and BeginPaint
- CVBApplication_Init hook:
- Stores a reference to internal VB objects during runtime initialization
- Patches VBHeader.ProjectInfo.ObjectTable setting all classes public
- BeginPaint hook:
- Runs from main VB6 thread
- Adds a system menu item and subclasses main window for IPC (optional)
- Registers internal VB.Global.Forms object in the ROT
Note: This code is dependant on this particular version of the vb runtime (msvbvm60.dll)
See the following Avast blog post for more details: https://decoded.avast.io/davidzimmer/scripting-arbitrary-vb6-applications/

BIN
VB-Research/vbOpenScript/MSVBVM60.DLL Normal file
View File

Binary file not shown.

798
VB-Research/vbOpenScript/dll/NtHookEngine.cpp Normal file
View File

@ -0,0 +1,798 @@
#include <windows.h>
#include <stdlib.h>
#include "./distorm3.3/distorm.h"
#include <stdio.h>
#include <intrin.h>
#pragma warning(disable:4996)
//This is a modified version of the open source x86/x64
//NTCore Hooking Engine written by:
//Daniel Pistelli <ntcore@gmail.com>
//http://www.ntcore.com/files/nthookengine.htm
//
//It uses the x86/x64 GPL disassembler engine
//diStorm was written by Gil Dabah.
//Copyright (C) 2003-2012 Gil Dabah. diStorm at gmail dot com.
//
//Mods by David Zimmer <dzzie@yahoo.com>
//note: in several places we work on g_HookInfo[g_NumberOfHooks] as a global object in sub fx..
// 10000 hooks should be enough
#define MAX_HOOKS 10000
#define JUMP_WORST 0x10 // Worst case scenario + line all up on 0x10 boundary...
#define MAX_INSTRUCTIONS 100
#ifndef __cplusplus
#define extern "C" stdc
#else
#define stdc
#endif
#ifdef _M_IX86
#define isX64 false
#else
#define isX64 true
#endif
//on x86 htjmp requires less than 2gb between addresses
//on x64 pushret requires a 32 bit safe address use #pragma comment( linker, "/BASE:0x8000000")
// x86 only
enum hookType{ ht_jmp = 0, ht_pushret=1, ht_jmp5safe=2, ht_jmpderef=3, ht_micro, ht_auto };
enum hookErrors{ he_None=0, he_cantDisasm, he_cantHook, he_maxHooks, he_UnknownHookType, he_cantInit };
enum specificErrors{ hs_None, hs_NeedsAbs, hs_NoMicro, hs_ToBig, hs_x64NoPushRet };
char* hook_name[] = {"ht_jmp", "ht_pushret", "ht_jmp5safe", "ht_jmpderef", "ht_micro", "ht_auto"};
int logLevel = 0;
bool initilized = false;
char lastError[500] = {0};
hookErrors lastErrorCode = he_None;
specificErrors specificError = hs_None;
void (__cdecl *debugMsgHandler)(char* msg);
typedef struct _HOOK_INFO
{
ULONG_PTR Function; // Address of the original function
ULONG_PTR Hook; // Address of the function to call
ULONG_PTR Bridge; // Address of the instruction bridge
hookType hooktype;
char* ApiName;
bool Enabled;
int preAlignBytes;
int index;
int hookableBytes;
int OverwrittenBytes;
int OverwrittenInstructions;
} HOOK_INFO, *PHOOK_INFO;
HOOK_INFO g_HookInfo[MAX_HOOKS];
UINT g_NumberOfHooks = 0;
BYTE *g_pBridgeBuffer = NULL; // Here are going to be stored all the bridges
UINT g_CurrentBridgeBufferSize = 0; // This number is incremented as the bridge buffer is growing
char* GetHookName(hookType ht){
return hook_name[ht];
}
stdc
char* __cdecl GetHookError(void){
return (char*)lastError;
}
stdc
bool is32BitSafe(ULONG_PTR value){
ULONG_PTR b = value & 0x00000000FFFFFFFF;
return value == b ? true : false;
}
void dbgmsg(int level, const char *format, ...)
{
char buf[1024];
if(level > logLevel) return;
if(debugMsgHandler!=NULL && format!=NULL){
va_list args;
va_start(args,format);
try{
_vsnprintf(buf,1024,format,args);
(*debugMsgHandler)(buf);
}
catch(...){}
}
}
stdc
bool __cdecl InitHookEngine(void){
if(initilized) return true;
char* mem_marker = "APIHOOKS";
int len_marker = strlen(mem_marker);
UINT sz = MAX_HOOKS * (JUMP_WORST * 3);
sz +=len_marker;
//try to get a 32bit safe allocation address...
//g_pBridgeBuffer = (BYTE *)VirtualAlloc((void*)0x11000000 , sz, MEM_RESERVE | MEM_COMMIT , 0x40);
if(g_pBridgeBuffer == NULL){
g_pBridgeBuffer = (BYTE *) VirtualAlloc(NULL, sz, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
}else{
dbgmsg(1,"32 bit safe trampoline buffer obtained\n");
}
if(g_pBridgeBuffer == NULL) return false;
memset(g_pBridgeBuffer, 0 , sz);
memset(&g_HookInfo[0], 0, sizeof(struct _HOOK_INFO) * MAX_HOOKS);
memcpy(g_pBridgeBuffer, mem_marker, len_marker);
g_CurrentBridgeBufferSize += len_marker;
initilized = true;
return true;
}
//can now resolve from any pointer - dz 11.28.22
HOOK_INFO *GetHookInfoFromFunction(ULONG_PTR lpFunc)
{
if (g_NumberOfHooks == 0)
return NULL;
for (UINT x = 0; x < g_NumberOfHooks; x++)
{
if (g_HookInfo[x].Function == lpFunc) return &g_HookInfo[x];
if (g_HookInfo[x].Bridge == lpFunc) return &g_HookInfo[x];
if (g_HookInfo[x].Hook == lpFunc) return &g_HookInfo[x];
}
return NULL;
}
#ifdef _M_IX86
//these two are only used for x86 ht_jmp5safe hooks..
void __stdcall output(ULONG_PTR ra){
HOOK_INFO *hi = GetHookInfoFromFunction(ra);
if(hi){
dbgmsg(0,"jmp %s+5 api detected trying to recover...\n", hi->ApiName );
}else{
dbgmsg(0,"jmp+5 api caught %x\n", ra );
}
}
void __declspec(naked) UnwindProlog(void){
_asm{
mov eax, [ebp-4] //return address
sub eax, 10 //function entry point
push eax //arg to output
call output
pop eax //we got here through a call from our api hook stub so this is ret
sub eax, 10 //back to api start address
mov esp, ebp //now unwind the prolog the shellcode did on its own..
pop ebp //saved ebp
jmp eax //and jmp back to the api public entry point to hit main hook jmp
}
}
#endif
// This function retrieves the necessary size for the jump
// overwrite as little of the api function as possible per hook type...
UINT GetJumpSize(hookType ht)
{
#ifdef _M_IX86
switch(ht){
case ht_jmp: return 5;
case ht_pushret: return 6;
case ht_micro: return 2; //overwrite size is actually only 2 + 5 in preamble.
default: return 10;
}
#else
switch(ht){
case ht_jmpderef: return 14;
case ht_pushret: return 6;
case ht_micro: return 6; //overwrite size is actually only 6 + 8 in preamble.
default: return 12;
}
#endif
}
stdc
char* __cdecl GetDisasm(ULONG_PTR pAddress, int* retLen = NULL){ //just a helper doesnt set error code..
_DecodeResult res;
_DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
unsigned int decodedInstructionsCount = 0;
_DecodeType dt = isX64 ? Decode64Bits : Decode32Bits;
_OffsetType offset = 0;
res = distorm_decode(offset, // offset for buffer
(const BYTE *) pAddress, // buffer to disassemble
50, // function size (code size to disasm)
dt, // x86 or x64?
decodedInstructions, // decoded instr
MAX_INSTRUCTIONS, // array size
&decodedInstructionsCount // how many instr were disassembled?
);
if (res == DECRES_INPUTERR) return NULL;
int bufsz = 120;
char* tmp = (char*)malloc(bufsz);
memset(tmp, 0, bufsz);
_snprintf(tmp, bufsz-1 , "%10x %-10s %-6s %s\n",
pAddress,
decodedInstructions[0].instructionHex.p,
decodedInstructions[0].mnemonic.p,
decodedInstructions[0].operands.p
);
if(retLen !=NULL) *retLen = decodedInstructions[0].size;
return tmp;
}
bool UnSupportedOpcode(BYTE *b, int hookIndex){ //primary instruction opcodes are the same for x64 and x86
BYTE bb = *b;
switch(bb){
case 0x74:
case 0x75:
case 0xEB:
case 0xE8:
case 0xE9:
case 0x0F: //can lead to false positive...
//case 0xFF:
case 0xc3:
case 0xc4:
goto failed;
}
return false;
failed:
UINT offset = (UINT)b - g_HookInfo[hookIndex].Function;
char* d = GetDisasm((ULONG_PTR)b);
if(d == NULL){
sprintf(lastError,"Unsupported opcode at %s+%d: Opcode: %x", g_HookInfo[hookIndex].ApiName, offset, *b);
lastErrorCode = he_cantHook;
}else{
sprintf(lastError,"Unsupported opcode at %s+%d\n%s", g_HookInfo[hookIndex].ApiName, offset, d);
lastErrorCode = he_cantHook;
free(d);
}
dbgmsg(1,lastError);
return true;
}
void WriteInt( BYTE *pAddress, UINT value){ //4 bytes always
*(UINT*)pAddress = value;
}
void WriteShort( BYTE *pAddress, short value){ //2 bytes always
*(short*)pAddress = value;
}
void WriteULONG( BYTE *pAddress, ULONG_PTR value){//8 BYTES ON X64
*(ULONG_PTR*)pAddress = value;
}
// A relative jump (opcode 0xE9) treats its operand as a 32 bit signed offset. If the unsigned
// distance between from and to is of sufficient magnitude that it cannot be represented as a
// signed 32 bit integer, then we'll have to use an absolute jump instead (0xFF 0x25).
//https://bitbucket.org/edd/nanohook/src/da62bc7232e6/src/hook.cpp
bool abs_jump_required(UINT from, UINT to)
{
const UINT upper = max(from, to);
const UINT lower = min(from, to);
return ((upper - lower) > 0x7FFFFFFF) ? true : false;
}
bool isRelativeJump(hookType ht){
#ifdef _M_IX86
if( ht == ht_pushret ) return false;
if( ht == ht_jmpderef ) return false;
return true;
#else
return false;
#endif
}
void OverWriteScratchPad(VOID *pAddress, HOOK_INFO *hinfo)
{
DWORD dwOldProtect = 0;
DWORD dwBuf = 0;
int minPreAlign = 0;
int sz = hinfo->OverwrittenBytes;
BYTE *pCur = (BYTE *)pAddress;
if(hinfo->hooktype == ht_micro){
minPreAlign = isX64 ? 8 : 5 ;
pCur -= minPreAlign;
sz += minPreAlign;
}
VirtualProtect(pCur, JUMP_WORST, PAGE_EXECUTE_READWRITE, &dwOldProtect);
for(int i=0; i<sz; i++) *pCur++ = 0xCC;
VirtualProtect(pCur, JUMP_WORST, dwOldProtect, &dwBuf);
}
bool WriteJump(VOID *pAddress, ULONG_PTR JumpTo, hookType ht, int hookIndex)
{
DWORD dwOldProtect = 0;
int minPreAlign = 0;
if(ht == ht_micro) minPreAlign = isX64 ? 8 : 5 ;
BYTE *pCur = (BYTE *)pAddress;
VirtualProtect(pCur - minPreAlign , JUMP_WORST, PAGE_EXECUTE_READWRITE, &dwOldProtect);
#ifdef _M_IX86
if( isRelativeJump(ht) ){
if( abs_jump_required( (UINT)pAddress, (UINT)JumpTo) ){
DebugBreak(); //this shouldnt happen with the pre-Validation
//sprintf(lastError, "Can not use a relative jump for this hook %s\n", g_HookInfo[hookIndex].ApiName);
//lastErrorCode = he_cantHook;
//dbgmsg(0, "Can not use a relative jump for this hook %s\n", g_HookInfo[hookIndex].ApiName);
return false;
}
}
if(ht == ht_pushret){
//68 DDCCBBAA PUSH AABBCCDD (6 bytes) - hook detectors wont see it,
//C3 RETN jmp+5 = crash (good no exec, bad crash..)
*pCur = 0x68;
*((ULONG_PTR *)++pCur) = JumpTo;
pCur+=4;
*pCur = 0xc3;
}
else if(ht == ht_micro){
// E9 xxxxxxxx jmp 0x11111111 <--in fx preamble (5 bytes)
// EB F9 jmp short here <--api entry point (2 bytes)
pAddress = (BYTE *)pAddress - 5;
UINT dst = JumpTo - (UINT)(pAddress) - 5; //2gb address limitation
*pCur = 0xE9;
WriteInt(pCur+1, dst);
WriteShort(pCur+5, 0xF9EB);
}
else if(ht == ht_jmpderef){
//eip> FF25 AABBCCDD JMP DWORD PTR DS:[eip+6] 10 bytes
//eip+6 xxxxxxxx data after instruction, other hookers will bad disasm, and large footprint
*pCur = 0xff; //if we can use the preALignBytes footprint down to 6...
*(pCur+1) = 0x25;
WriteInt(pCur+2, (int)pCur + 6);
WriteInt(pCur+6, JumpTo);
}
else if(ht== ht_jmp){
//E9 jmp (DESTINATION_RVA - CURRENT_RVA - 5 [sizeof(E9 xx xx xx xx)]) (5 bytes)
UINT dst = JumpTo - (UINT)(pAddress) - 5; //2gb address limitation
*pCur = 0xE9;
WriteInt(pCur+1, dst);
}
else if(ht = ht_jmp5safe){ //this needs a second trampoline if api+5 jmp is hit, it needs to reverse the push ebp to send to hook..
//E9 jmp normal prolog + eB call to UnwindProlog (10 bytes)
*(pCur) = 0xE9; //fancy and cool but big footprint and complex..
UINT dst = JumpTo - (UINT)(pCur) - 5;
WriteInt(pCur+1, dst);
*(pCur+5) = 0xE8;
dst = (UINT)&UnwindProlog - (UINT)(pCur+5) - 5; //api+5 jmps are sent to our generic unwinder
WriteInt(pCur+6, dst);
}
else{
dbgmsg(0, "Unimplemented hook type asked for");
DebugBreak();
return false;
}
#else ifdef _M_AMD64
if(ht == ht_jmpderef){
//ff 25 00 00 00 00 jmp [rip+addr] (14 bytes)
//80 70 8e 77 00 00 00 00 data: 00000000778E7080
WriteShort(pCur, 0x25FF);
WriteInt(pCur+2, 0x00000000);
WriteULONG(pCur+6, JumpTo);
}else if(ht == ht_pushret){
//68 DDCCBBAA PUSH AABBCCDD (6 bytes) - x64 push still takes a 32 bit const, 8 bytes written to stack, high 8 = 0
//C3 RETN
if(!is32BitSafe(JumpTo) ){
dbgmsg(0, "Hooking %s failed: Can not use x64 push ret hook - jumpTo address is not 32bit safe %016llx\n", g_HookInfo[hookIndex].ApiName, JumpTo);
DebugBreak(); //this shouldnt happen with the pre-Validation
return false;
}
*pCur = 0x68;
WriteInt(pCur+1, JumpTo);
pCur+=5;
*pCur = 0xc3;
}else if(ht == ht_micro){
//0000000011000000 8 data bytes in function prealignment paddding...
//0000000011000008 FF 25 F2 FF FF FF jmp qword ptr [11000000h] <-- 6 byte hook in API prolog
WriteInt(pCur, 0xFFF225FF);
WriteShort(pCur+4, 0xFFFF);
WriteULONG(pCur-8, JumpTo);
}else{
//default x64 hooktype..
//48 b8 80 70 8e 77 00 00 00 00 mov rax, 0x00000000778E7080 (12 bytes)
//ff e0 jmp rax
WriteShort(pCur, 0xb848);
WriteULONG(pCur+2, JumpTo);
WriteShort(pCur+10, 0xE0FF);
}
/*
how about ff25 [4byte address of alloced table entry]..
should be down to 6 bytes inline?
if you can stay in the 2gb range i think..
(16 bytes preserves rax)
50 push rax
48 B8 EF CD AB 90 78 56 34 12 mov rax, 1234567890ABCDEFh
48 87 04 24 xchg rax, [rsp]
C3 retn
*/
#endif
DWORD dwBuf = 0; // nessary othewrise the function fails
VirtualProtect(pCur - minPreAlign, JUMP_WORST, dwOldProtect, &dwBuf);
return true;
}
//is there any padding before the function start to emded data? many x86 have 5 bytes..
int CountPreAlignBytes(BYTE* pAddress){
int x;
for(x=0; x<=9; x++ ){
BYTE b = *(BYTE*)(pAddress-x-1);
if(b==0x90 || b==0xCC) ; else break;
}
return x;
}
VOID *CreateBridge(HOOK_INFO *hinfo)
{
if (g_pBridgeBuffer == NULL) return NULL;
UINT x = 0;
_DecodeResult res;
_DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
unsigned int decodedInstructionsCount = 0;
_DecodeType dt = isX64 ? Decode64Bits : Decode32Bits;
_OffsetType offset = 0;
ULONG_PTR Function = hinfo->Function;
int JumpSize = GetJumpSize(hinfo->hooktype);
res = distorm_decode(offset, // offset for buffer
(const BYTE *) Function, // buffer to disassemble
50, // function size (code size to disasm)
// 50 instr should be _quite_ enough
dt, // x86 or x64?
decodedInstructions, // decoded instr
MAX_INSTRUCTIONS, // array size
&decodedInstructionsCount // how many instr were disassembled?
);
if (res == DECRES_INPUTERR){
sprintf(lastError, "Could not disassemble address %x", (UINT)Function);
//dbgmsg(lastError);
lastErrorCode = he_cantDisasm;
return NULL;
}
DWORD InstrSize = 0;
VOID *pBridge = (VOID *) &g_pBridgeBuffer[g_CurrentBridgeBufferSize];
//copy full instructions from API to our trampoline.
for (x ; x < decodedInstructionsCount; x++)
{
if (InstrSize >= JumpSize) break;
BYTE *pCurInstr = (BYTE *) (InstrSize + (ULONG_PTR) Function);
if(logLevel >=3){
dbgmsg(3, "%s+%d \t %-10s %-6s %s",
hinfo->ApiName,
InstrSize,
decodedInstructions[x].instructionHex.p,
decodedInstructions[x].mnemonic.p,
decodedInstructions[x].operands.p
);
}
if( UnSupportedOpcode(pCurInstr, hinfo->index) ){
dbgmsg(0, "CreatreBridge::UnSupportedOpcode found missed in pre-Validation?! needed=%d, hookable=%d, cur=%d, type=%s",
JumpSize, hinfo->hookableBytes,InstrSize, GetHookName(hinfo->hooktype)
);
DebugBreak();
//if we leave here, g_CurrentBridgeBufferSize has been incremented and bytes copied to
//the alloced g_pBridgeBuffer, but the API itself is untouched.
return NULL;
}
memcpy(&g_pBridgeBuffer[g_CurrentBridgeBufferSize], (VOID *) pCurInstr, decodedInstructions[x].size);
g_CurrentBridgeBufferSize += decodedInstructions[x].size;
InstrSize += decodedInstructions[x].size;
}
hinfo->OverwrittenInstructions = x;
hinfo->OverwrittenBytes = InstrSize; //we will 0xCC this many in API latter for debugging sake...
//to leave trampoline...
hookType ht = isX64 ? ht_jmp : ht_pushret; //both absolute address jumps for safety...
bool rv = WriteJump(&g_pBridgeBuffer[g_CurrentBridgeBufferSize], Function + InstrSize, ht, hinfo->index);
g_CurrentBridgeBufferSize += GetJumpSize(ht);
if(!rv) return NULL;
return pBridge;
}
void ZeroHookInfo(int hookIndex){
if( g_HookInfo[hookIndex].ApiName != NULL) free(g_HookInfo[hookIndex].ApiName);
memset(&g_HookInfo[hookIndex], 0, sizeof(struct _HOOK_INFO));
}
int HookableBytes(ULONG_PTR Function){
_DecodeResult res;
_DecodedInst decodedInstructions[MAX_INSTRUCTIONS];
unsigned int decodedInstructionsCount = 0;
_DecodeType dt = isX64 ? Decode64Bits : Decode32Bits;
_OffsetType offset = 0;
res = distorm_decode(offset, // offset for buffer
(const BYTE *) Function, // buffer to disassemble
50, // function size (code size to disasm)
// 50 instr should be _quite_ enough
dt, // x86 or x64?
decodedInstructions, // decoded instr
MAX_INSTRUCTIONS, // array size
&decodedInstructionsCount // how many instr were disassembled?
);
if (res == DECRES_INPUTERR) return 0;
DWORD InstrSize = 0;
for (UINT x = 0; x < decodedInstructionsCount; x++)
{
BYTE *pCurInstr = (BYTE *) (InstrSize + (ULONG_PTR)Function);
if (InstrSize >= 15) break;
if(UnSupportedOpcode(pCurInstr, g_NumberOfHooks)) break;
InstrSize += decodedInstructions[x].size;
}
return InstrSize;
}
bool ValidateHookType(HOOK_INFO *hinfo){
int neededSize = GetJumpSize(hinfo->hooktype);
char* name = hook_name[(int)hinfo->hooktype];
specificError = hs_None;
if(hinfo->hookableBytes < neededSize){
specificError = hs_ToBig;
sprintf(lastError, "%s hook failed %s only has %d hookable bytes available\n", name , hinfo->ApiName, hinfo->hookableBytes );
return false;
}
if( isRelativeJump( hinfo->hooktype ) ){//only use relative jumps for api->hook *never* bridge->real api
if( abs_jump_required( (UINT)hinfo->Function, (UINT)hinfo->Hook ) ){
specificError = hs_NeedsAbs;
sprintf(lastError, "Can not use a relative jump for this hook %s\n", hinfo->ApiName);
return false;
}
}
if(hinfo->hooktype == ht_micro){
int minPreAlign = isX64 ? 8 : 5 ;
if(hinfo->preAlignBytes < minPreAlign){
specificError = hs_NoMicro;
sprintf(lastError, "ht_micro hook failed %s only has %d preAmble bytes available\n", hinfo->ApiName, hinfo->preAlignBytes );
return false;
}
}
if(isX64 && !is32BitSafe(hinfo->Hook) ){
specificError = hs_x64NoPushRet;
sprintf(lastError, "Hooking %s failed: Can not use x64 push ret hook - jumpTo address is not 32bit safe %016llx\n", hinfo->ApiName, hinfo->Hook);
return false;
}
return true;
}
bool AutoChooseHookType(HOOK_INFO *hinfo){
// ht_jmp = 0, ht_pushret=1, ht_jmp5safe=2, ht_jmpderef=3, ht_micro, ht_auto
if(isX64){
//ht_jmpderef:14, ht_pushret 6; ht_micro 6; default: 12;
hinfo->hooktype = ht_jmp; //safest but requires 12 bytes...
if(ValidateHookType(hinfo)) return true;
hinfo->hooktype = ht_micro; //if size was an issue, lets try this one
if(ValidateHookType(hinfo)) return true;
hinfo->hooktype = ht_pushret; //maybe no preamble space, this one is more limited though in address range..
if(ValidateHookType(hinfo)) return true;
return false; //bummer no go...
}else{
//ht_jmp: 5; ht_pushret 6; ht_micro 2; default: 10
hinfo->hooktype = ht_jmp; //best general choice
if(ValidateHookType(hinfo)) return true;
hinfo->hooktype = ht_micro; //if size was an issue, lets try this one
if(ValidateHookType(hinfo)) return true;
return false; //bummer no go...
}
}
stdc
BOOL __cdecl HookFunction(ULONG_PTR OriginalFunction, ULONG_PTR NewFunction, char *name, hookType ht)
{
lastErrorCode = he_None;
specificError = hs_None;
lastError[0] = 0;
if(!initilized){
if( !InitHookEngine() ){
lastErrorCode = he_cantInit;
strcpy(lastError,"Can not Initilize HookEngine.");
dbgmsg(1,lastError);
return FALSE;
}
}
HOOK_INFO *hinfo = GetHookInfoFromFunction(OriginalFunction);
if (hinfo) return TRUE; //already hooked...
if (g_NumberOfHooks == (MAX_HOOKS - 1)){
lastErrorCode = he_maxHooks;
strcpy(lastError,"Maximum number of hooks reached.");
dbgmsg(1,lastError);
return FALSE;
}
if(ht > ht_auto){
sprintf(lastError, "Unimplemented hook type asked for");
lastErrorCode = he_UnknownHookType;
return false;
}
hinfo = &g_HookInfo[g_NumberOfHooks];
hinfo->Function = OriginalFunction;
hinfo->Hook = NewFunction;
hinfo->hooktype = ht;
hinfo->index = g_NumberOfHooks;
hinfo->ApiName = strdup(name);
hinfo->preAlignBytes = CountPreAlignBytes( (BYTE*)OriginalFunction );
hinfo->hookableBytes = HookableBytes( OriginalFunction );
dbgmsg(1, "Hooking %s (0x%llx) -> 0x%llx, pre=%d avail=%d\n", hinfo->ApiName, hinfo->Function , hinfo->Hook , hinfo->preAlignBytes, hinfo->hookableBytes);
if( ht == ht_auto ){
if(!AutoChooseHookType(hinfo)){
lastErrorCode = he_cantHook;
dbgmsg(1, lastError);
ZeroHookInfo(hinfo->index);
return FALSE;
}
dbgmsg(1, "AutoChooseHookType selected %s for %s\n", hook_name[(int)hinfo->hooktype], hinfo->ApiName );
}
if( !ValidateHookType(hinfo) ){
lastErrorCode = he_cantHook;
dbgmsg(1, lastError);
ZeroHookInfo(hinfo->index);
return FALSE;
}
VOID *pBridge = CreateBridge(hinfo);
if (pBridge == NULL){
ZeroHookInfo(g_NumberOfHooks);
return FALSE;
}
hinfo->Bridge = (ULONG_PTR) pBridge;
hinfo->Enabled = true;
OverWriteScratchPad((VOID *)OriginalFunction, hinfo); //make pad were going to overwrite all 0xCC for debugging sake..
if(!WriteJump((VOID *) OriginalFunction, NewFunction, hinfo->hooktype, g_NumberOfHooks)){ //activates hook in api prolog..
ZeroHookInfo(g_NumberOfHooks);
return FALSE;
}
g_NumberOfHooks++; //now its complete..
return TRUE;
}
stdc
int __cdecl DisableHook(ULONG_PTR Function)
{
HOOK_INFO *hinfo = GetHookInfoFromFunction(Function);
if (hinfo)
{
if(hinfo->Enabled){
hinfo->Enabled = false;
WriteJump((VOID *)hinfo->Function, hinfo->Bridge, ht_jmp, hinfo->index);
return 1;
}
return -1;
}
return -2;
}
stdc
VOID __cdecl EnableHook(ULONG_PTR Function)
{
HOOK_INFO *hinfo = GetHookInfoFromFunction(Function);
if (hinfo)
{
if(!hinfo->Enabled){
hinfo->Enabled = true;
WriteJump((VOID *)hinfo->Function, hinfo->Hook, hinfo->hooktype, hinfo->index );
}
}
}
stdc
ULONG_PTR __cdecl GetOriginalFunction(ULONG_PTR Hook)
{
if (g_NumberOfHooks == 0)
return NULL;
for (UINT x = 0; x < g_NumberOfHooks; x++)
{
if (g_HookInfo[x].Hook == Hook)
return g_HookInfo[x].Bridge;
}
return NULL;
}

37
VB-Research/vbOpenScript/dll/NtHookEngine.h Normal file
View File

@ -0,0 +1,37 @@
//This is a modified version of the open source x86/x64
//NTCore Hooking Engine written by:
//Daniel Pistelli <ntcore@gmail.com>
//http://www.ntcore.com/files/nthookengine.htm
//
//It uses the x86/x64 GPL disassembler engine
//diStorm was written by Gil Dabah.
//Copyright (C) 2003-2012 Gil Dabah. diStorm at gmail dot com.
//
//Mods by David Zimmer <dzzie@yahoo.com>
enum hookType{
ht_jmp = 0, /* 32 - 5 byte relative, 64 - 12 byte absolute */
ht_pushret=1, /* 32 - 6 byte absolute, 64 - 6 byte absolute (target MUST be 32 bit addressable) */
ht_jmp5safe=2, /* 32 bit only, 10 byte relative hook, safe against hook bypassers */
ht_jmpderef=3, /* 32 bit - 10 byte absolute, 64 bit - 14 byte absolute */
ht_micro, /* 32 bit - 2/5 byte hook (api/prealignment) relative jmp, 64 bit - 6/8 byte hook - absolute address */
ht_auto /* probes best hook to use automatically at runtime */
};
enum hookErrors{ he_None=0, he_cantDisasm, he_cantHook, he_maxHooks, he_UnknownHookType, he_cantInit };
enum specificErrors{ hs_None, hs_NeedsAbs, hs_NoMicro, hs_ToBig, hs_x64NoPushRet };
extern specificErrors specificError;
extern hookErrors lastErrorCode;
extern int logLevel;
extern void (__cdecl *debugMsgHandler)(char* msg);
extern char* __cdecl GetHookError(void);
extern char* __cdecl GetDisasm(ULONG_PTR pAddress, int* retLen = NULL);
extern int __cdecl DisableHook(ULONG_PTR Function);
extern void __cdecl EnableHook(ULONG_PTR Function);
extern ULONG_PTR __cdecl GetOriginalFunction(ULONG_PTR Hook);
extern BOOL __cdecl HookFunction(ULONG_PTR OriginalFunction, ULONG_PTR NewFunction, char* name, enum hookType ht);
extern bool is32BitSafe(ULONG_PTR value);

181
VB-Research/vbOpenScript/dll/diStorm3.3/config.h Normal file
View File

@ -0,0 +1,181 @@
/*
config.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef CONFIG_H
#define CONFIG_H
/* diStorm version number. */
#define __DISTORMV__ 0x030300
#include <string.h> /* memset, memcpy - can be easily self implemented for libc independency. */
#include "distorm.h"
/*
* 64 bit offsets support:
* This macro should be defined from compiler command line flags, e.g: -DSUPPORT_64BIT_OFFSET
* Note: make sure that the caller (library user) defines it too!
*/
/* #define SUPPORT_64BIT_OFFSET */
/*
* If you compile diStorm as a dynamic library (.dll or .so) file, make sure you uncomment the next line.
* So the interface functions will be exported, otherwise they are useable only for static library.
* For example, this macro is being set for compiling diStorm as a .dll for Python with CTypes.
*/
/* #define DISTORM_DYNAMIC */
/*
* If DISTORM_LIGHT is defined, everything involved in formatting the instructions
* as text will be excluded from compilation.
* distorm_decode(..) and distorm_format(..) will not be available.
* This will decrease the size of the executable and leave you with decomposition functionality only.
*
* Note: it should be either set in the preprocessor definitions manually or in command line -D switch.
* #define DISTORM_LIGHT
*/
/*
* diStorm now supports little/big endian CPU's.
* It should detect the endianness according to predefined macro's of the compiler.
* If you don't use GCC/MSVC you will have to define it on your own.
*/
/* These macros are used in order to make the code portable. */
#ifdef __GNUC__
#include <stdint.h>
#define _DLLEXPORT_
#define _FASTCALL_
#define _INLINE_ static
/* GCC ignores this directive... */
/*#define _FASTCALL_ __attribute__((__fastcall__))*/
/* Set endianity (supposed to be LE though): */
#ifdef __BIG_ENDIAN__
#define BE_SYSTEM
#endif
/* End of __GCC__ */
#elif __WATCOMC__
#include <stdint.h>
#define _DLLEXPORT_
#define _FASTCALL_
#define _INLINE_ __inline
/* End of __WATCOMC__ */
#elif __DMC__
#include <stdint.h>
#define _DLLEXPORT_
#define _FASTCALL_
#define _INLINE_ __inline
/* End of __DMC__ */
#elif __TINYC__
#include <stdint.h>
#define _DLLEXPORT_
#define _FASTCALL_
#define _INLINE_
/* End of __TINYC__ */
#elif _MSC_VER
/* stdint alternative is defined in distorm.h */
#define _DLLEXPORT_ __declspec(dllexport)
#define _FASTCALL_ __fastcall
#define _INLINE_ __inline
/* Set endianity (supposed to be LE though): */
#if !defined(_M_IX86) && !defined(_M_X64)
#define BE_SYSTEM
#endif
#endif /* #elif _MSC_VER */
/* If the library isn't compiled as a dynamic library don't export any functions. */
#ifndef DISTORM_DYNAMIC
#undef _DLLEXPORT_
#define _DLLEXPORT_
#endif
#ifndef FALSE
#define FALSE 0
#endif
#ifndef TRUE
#define TRUE 1
#endif
/* Define stream read functions for big endian systems. */
#ifdef BE_SYSTEM
/*
* These functions can read from the stream safely!
* Swap endianity of input to little endian.
*/
static _INLINE_ int16_t RSHORT(const uint8_t *s)
{
return s[0] | (s[1] << 8);
}
static _INLINE_ uint16_t RUSHORT(const uint8_t *s)
{
return s[0] | (s[1] << 8);
}
static _INLINE_ int32_t RLONG(const uint8_t *s)
{
return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
}
static _INLINE_ uint32_t RULONG(const uint8_t *s)
{
return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
}
static _INLINE_ int64_t RLLONG(const uint8_t *s)
{
return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56);
}
static _INLINE_ uint64_t RULLONG(const uint8_t *s)
{
return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56);
}
#else
/* Little endian macro's will just make the cast. */
#define RSHORT(x) *(int16_t *)x
#define RUSHORT(x) *(uint16_t *)x
#define RLONG(x) *(int32_t *)x
#define RULONG(x) *(uint32_t *)x
#define RLLONG(x) *(int64_t *)x
#define RULLONG(x) *(uint64_t *)x
#endif
#endif /* CONFIG_H */

615
VB-Research/vbOpenScript/dll/diStorm3.3/decoder.c Normal file
View File

@ -0,0 +1,615 @@
/*
decoder.c
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "decoder.h"
#include "instructions.h"
#include "insts.h"
#include "prefix.h"
#include "x86defs.h"
#include "operands.h"
#include "insts.h"
#include "mnemonics.h"
/* Instruction Prefixes - Opcode - ModR/M - SIB - Displacement - Immediate */
static _DecodeType decode_get_effective_addr_size(_DecodeType dt, _iflags decodedPrefixes)
{
/*
* This table is to map from the current decoding mode to an effective address size:
* Decode16 -> Decode32
* Decode32 -> Decode16
* Decode64 -> Decode32
*/
static _DecodeType AddrSizeTable[] = {Decode32Bits, Decode16Bits, Decode32Bits};
/* Switch to non default mode if prefix exists, only for ADDRESS SIZE. */
if (decodedPrefixes & INST_PRE_ADDR_SIZE) dt = AddrSizeTable[dt];
return dt;
}
static _DecodeType decode_get_effective_op_size(_DecodeType dt, _iflags decodedPrefixes, unsigned int rex, _iflags instFlags)
{
/*
* This table is to map from the current decoding mode to an effective operand size:
* Decode16 -> Decode32
* Decode32 -> Decode16
* Decode64 -> Decode16
* Not that in 64bits it's a bit more complicated, because of REX and promoted instructions.
*/
static _DecodeType OpSizeTable[] = {Decode32Bits, Decode16Bits, Decode16Bits};
if (decodedPrefixes & INST_PRE_OP_SIZE) return OpSizeTable[dt];
if (dt == Decode64Bits) {
/*
* REX Prefix toggles data size to 64 bits.
* Operand size prefix toggles data size to 16.
* Default data size is 32 bits.
* Promoted instructions are 64 bits if they don't require a REX perfix.
* Non promoted instructions are 64 bits if the REX prefix exists.
*/
/* Automatically promoted instructions have only INST_64BITS SET! */
if (((instFlags & (INST_64BITS | INST_PRE_REX)) == INST_64BITS) ||
/* Other instructions in 64 bits can be promoted only with a REX prefix. */
((decodedPrefixes & INST_PRE_REX) && (rex & PREFIX_EX_W))) dt = Decode64Bits;
else dt = Decode32Bits; /* Default. */
}
return dt;
}
static _DecodeResult decode_inst(_CodeInfo* ci, _PrefixState* ps, _DInst* di)
{
/* The ModR/M byte of the current instruction. */
unsigned int modrm = 0;
/* The REX/VEX prefix byte value. */
unsigned int vrex = ps->vrex;
/*
* Backup original input, so we can use it later if a problem occurs
* (like not enough data for decoding, invalid opcode, etc).
*/
const uint8_t* startCode = ci->code;
/* Holds the info about the current found instruction. */
_InstInfo* ii = NULL;
_InstSharedInfo* isi = NULL;
/* Used only for special CMP instructions which have pseudo opcodes suffix. */
unsigned char cmpType = 0;
/*
* Indicates whether it is right to LOCK the instruction by decoding its first operand.
* Only then you know if it's ok to output the LOCK prefix's text...
* Used for first operand only.
*/
int lockable = FALSE;
/* Calcualte (and cache) effective-operand-size and effective-address-size only once. */
_DecodeType effOpSz, effAdrSz;
_iflags instFlags;
ii = inst_lookup(ci, ps);
if (ii == NULL) goto _Undecodable;
isi = &InstSharedInfoTable[ii->sharedIndex];
instFlags = FlagsTable[isi->flagsIndex];
/*
* If both REX and OpSize are available we will have to disable the OpSize, because REX has precedence.
* However, only if REX.W is set !
* We had to wait with this test, since the operand size may be a mandatory prefix,
* and we know it only after prefetching.
*/
if ((ps->prefixExtType == PET_REX) &&
(ps->decodedPrefixes & INST_PRE_OP_SIZE) &&
(!ps->isOpSizeMandatory) &&
(vrex & PREFIX_EX_W)) {
ps->decodedPrefixes &= ~INST_PRE_OP_SIZE;
prefixes_ignore(ps, PFXIDX_OP_SIZE);
}
/*
* In this point we know the instruction we are about to decode and its operands (unless, it's an invalid one!),
* so it makes it the right time for decoding-type suitability testing.
* Which practically means, don't allow 32 bits instructions in 16 bits decoding mode, but do allow
* 16 bits instructions in 32 bits decoding mode, of course...
* NOTE: Make sure the instruction set for 32 bits has explicitly this specfic flag set.
* NOTE2: Make sure the instruction set for 64 bits has explicitly this specfic flag set.
* If this is the case, drop what we've got and restart all over after DB'ing that byte.
* Though, don't drop an instruction which is also supported in 16 and 32 bits.
*/
/* ! ! ! DISABLED UNTIL FURTHER NOTICE ! ! ! Decode16Bits CAN NOW DECODE 32 BITS INSTRUCTIONS ! ! !*/
/* if (ii && (dt == Decode16Bits) && (instFlags & INST_32BITS) && (~instFlags & INST_16BITS)) ii = NULL; */
/* Drop instructions which are invalid in 64 bits. */
if ((ci->dt == Decode64Bits) && (instFlags & INST_INVALID_64BITS)) goto _Undecodable;
/* If it's only a 64 bits instruction drop it in other decoding modes. */
if ((ci->dt != Decode64Bits) && (instFlags & INST_64BITS_FETCH)) goto _Undecodable;
if (instFlags & INST_MODRM_REQUIRED) {
/* If the ModRM byte is not part of the opcode, skip the last byte code, so code points now to ModRM. */
if (~instFlags & INST_MODRM_INCLUDED) {
ci->code++;
if (--ci->codeLen < 0) goto _Undecodable;
}
modrm = *ci->code;
/* Some instructions enforce that reg=000, so validate that. (Specifically EXTRQ). */
if ((instFlags & INST_FORCE_REG0) && (((modrm >> 3) & 7) != 0)) goto _Undecodable;
/* Some instructions enforce that mod=11, so validate that. */
if ((instFlags & INST_MODRR_REQUIRED) && (modrm < INST_DIVIDED_MODRM)) goto _Undecodable;
}
ci->code++; /* Skip the last byte we just read (either last opcode's byte code or a ModRM). */
/* Cache the effective operand-size and address-size. */
effOpSz = decode_get_effective_op_size(ci->dt, ps->decodedPrefixes, vrex, instFlags);
effAdrSz = decode_get_effective_addr_size(ci->dt, ps->decodedPrefixes);
memset(di, 0, sizeof(_DInst));
di->base = R_NONE;
/*
* Try to extract the next operand only if the latter exists.
* For example, if there is not first operand, no reason to try to extract second operand...
* I decided that a for-break is better for readability in this specific case than goto.
* Note: do-while with a constant 0 makes the compiler warning about it.
*/
for (;;) {
if (isi->d != OT_NONE) {
if (!operands_extract(ci, di, ii, instFlags, (_OpType)isi->d, ONT_1, modrm, ps, effOpSz, effAdrSz, &lockable)) goto _Undecodable;
} else break;
if (isi->s != OT_NONE) {
if (!operands_extract(ci, di, ii, instFlags, (_OpType)isi->s, ONT_2, modrm, ps, effOpSz, effAdrSz, NULL)) goto _Undecodable;
} else break;
/* Use third operand, only if the flags says this InstInfo requires it. */
if (instFlags & INST_USE_OP3) {
if (!operands_extract(ci, di, ii, instFlags, (_OpType)((_InstInfoEx*)ii)->op3, ONT_3, modrm, ps, effOpSz, effAdrSz, NULL)) goto _Undecodable;
} else break;
/* Support for a fourth operand is added for (i.e:) INSERTQ instruction. */
if (instFlags & INST_USE_OP4) {
if (!operands_extract(ci, di, ii, instFlags, (_OpType)((_InstInfoEx*)ii)->op4, ONT_4, modrm, ps, effOpSz, effAdrSz, NULL)) goto _Undecodable;
}
break;
} /* Continue here after all operands were extracted. */
/* If it were a 3DNow! instruction, we will have to find the instruction itself now that we got its operands extracted. */
if (instFlags & INST_3DNOW_FETCH) {
ii = inst_lookup_3dnow(ci);
if (ii == NULL) goto _Undecodable;
isi = &InstSharedInfoTable[ii->sharedIndex];
instFlags = FlagsTable[isi->flagsIndex];
}
/* Check whether pseudo opcode is needed, only for CMP instructions: */
if (instFlags & INST_PSEUDO_OPCODE) {
if (--ci->codeLen < 0) goto _Undecodable;
cmpType = *ci->code;
ci->code++;
if (instFlags & INST_PRE_VEX) {
/* AVX Comparison type must be between 0 to 32, otherwise Reserved. */
if (cmpType >= INST_VCMP_MAX_RANGE) goto _Undecodable;
} else {
/* SSE Comparison type must be between 0 to 8, otherwise Reserved. */
if (cmpType >= INST_CMP_MAX_RANGE) goto _Undecodable;
}
}
/*
* There's a limit of 15 bytes on instruction length. The only way to violate
* this limit is by putting redundant prefixes before an instruction.
* start points to first prefix if any, otherwise it points to instruction first byte.
*/
if ((ci->code - ps->start) > INST_MAXIMUM_SIZE) goto _Undecodable; /* Drop instruction. */
/*
* If we reached here the instruction was fully decoded, we located the instruction in the DB and extracted operands.
* Use the correct mnemonic according to the DT.
* If we are in 32 bits decoding mode it doesn't necessarily mean we will choose mnemonic2, alas,
* it means that if there is a mnemonic2, it will be used.
*/
/* Start with prefix LOCK. */
if ((lockable == TRUE) && (instFlags & INST_PRE_LOCK)) {
ps->usedPrefixes |= INST_PRE_LOCK;
di->flags |= FLAG_LOCK;
} else if ((instFlags & INST_PRE_REPNZ) && (ps->decodedPrefixes & INST_PRE_REPNZ)) {
ps->usedPrefixes |= INST_PRE_REPNZ;
di->flags |= FLAG_REPNZ;
} else if ((instFlags & INST_PRE_REP) && (ps->decodedPrefixes & INST_PRE_REP)) {
ps->usedPrefixes |= INST_PRE_REP;
di->flags |= FLAG_REP;
}
/* If it's JeCXZ the ADDR_SIZE prefix affects them. */
if ((instFlags & (INST_PRE_ADDR_SIZE | INST_USE_EXMNEMONIC)) == (INST_PRE_ADDR_SIZE | INST_USE_EXMNEMONIC)) {
ps->usedPrefixes |= INST_PRE_ADDR_SIZE;
if (effAdrSz == Decode16Bits) di->opcode = ii->opcodeId;
else if (effAdrSz == Decode32Bits) di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
/* Ignore REX.W in 64bits, JECXZ is promoted. */
else /* Decode64Bits */ di->opcode = ((_InstInfoEx*)ii)->opcodeId3;
}
/* LOOPxx instructions are also native instruction, but they are special case ones, ADDR_SIZE prefix affects them. */
else if ((instFlags & (INST_PRE_ADDR_SIZE | INST_NATIVE)) == (INST_PRE_ADDR_SIZE | INST_NATIVE)) {
di->opcode = ii->opcodeId;
/* If LOOPxx gets here from 64bits, it must be Decode32Bits because Address Size perfix is set. */
ps->usedPrefixes |= INST_PRE_ADDR_SIZE;
}
/*
* Note:
* If the instruction is prefixed by operand size we will format it in the non-default decoding mode!
* So there might be a situation that an instruction of 32 bit gets formatted in 16 bits decoding mode.
* Both ways should end up with a correct and expected formatting of the text.
*/
else if (effOpSz == Decode16Bits) { /* Decode16Bits */
/* Set operand size. */
FLAG_SET_OPSIZE(di, Decode16Bits);
/*
* If it's a special instruction which has two mnemonics, then use the 16 bits one + update usedPrefixes.
* Note: use 16 bits mnemonic if that instruction supports 32 bit or 64 bit explicitly.
*/
if ((instFlags & INST_USE_EXMNEMONIC) && ((instFlags & (INST_32BITS | INST_64BITS)) == 0)) ps->usedPrefixes |= INST_PRE_OP_SIZE;
di->opcode = ii->opcodeId;
} else if (effOpSz == Decode32Bits) { /* Decode32Bits */
/* Set operand size. */
FLAG_SET_OPSIZE(di, Decode32Bits);
/* Give a chance for special mnemonic instruction in 32 bits decoding. */
if (instFlags & INST_USE_EXMNEMONIC) {
ps->usedPrefixes |= INST_PRE_OP_SIZE;
/* Is it a special instruction which has another mnemonic for mod=11 ? */
if (instFlags & INST_MNEMONIC_MODRM_BASED) {
if (modrm >= INST_DIVIDED_MODRM) di->opcode = ii->opcodeId;
else di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
} else di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
} else di->opcode = ii->opcodeId;
} else { /* Decode64Bits, note that some instructions might be decoded in Decode32Bits above. */
/* Set operand size. */
FLAG_SET_OPSIZE(di, Decode64Bits);
if (instFlags & (INST_USE_EXMNEMONIC | INST_USE_EXMNEMONIC2)) {
/*
* We shouldn't be here for MODRM based mnemonics with a MOD=11,
* because they must not use REX (otherwise it will get to the wrong instruction which share same opcode).
* See XRSTOR and XSAVEOPT.
*/
if ((instFlags & INST_MNEMONIC_MODRM_BASED) && (modrm >= INST_DIVIDED_MODRM)) goto _Undecodable;
/* Use third mnemonic, for 64 bits. */
if ((instFlags & INST_USE_EXMNEMONIC2) && (vrex & PREFIX_EX_W)) {
ps->usedPrefixes |= INST_PRE_REX;
di->opcode = ((_InstInfoEx*)ii)->opcodeId3;
} else di->opcode = ((_InstInfoEx*)ii)->opcodeId2; /* Use second mnemonic. */
} else di->opcode = ii->opcodeId;
}
/* If it's a native instruction use OpSize Prefix. */
if ((instFlags & INST_NATIVE) && (ps->decodedPrefixes & INST_PRE_OP_SIZE)) ps->usedPrefixes |= INST_PRE_OP_SIZE;
/* Check VEX mnemonics: */
if ((instFlags & INST_PRE_VEX) &&
(((((_InstInfoEx*)ii)->flagsEx & INST_MNEMONIC_VEXW_BASED) && (vrex & PREFIX_EX_W)) ||
((((_InstInfoEx*)ii)->flagsEx & INST_MNEMONIC_VEXL_BASED) && (vrex & PREFIX_EX_L)))) {
di->opcode = ((_InstInfoEx*)ii)->opcodeId2;
}
/* Or is it a special CMP instruction which needs a pseudo opcode suffix ? */
if (instFlags & INST_PSEUDO_OPCODE) {
/*
* The opcodeId is the offset to the FIRST pseudo compare mnemonic,
* we will have to fix it so it offsets into the corrected mnemonic.
* Therefore, we use another table to fix the offset.
*/
if (instFlags & INST_PRE_VEX) {
/* Use the AVX pesudo compare mnemonics table. */
di->opcode = ii->opcodeId + VCmpMnemonicOffsets[cmpType];
} else {
/* Use the SSE psuedo compare mnemonics table. */
di->opcode = ii->opcodeId + CmpMnemonicOffsets[cmpType];
}
}
/*
* Store the address size inside the flags.
* This is necessary for the caller to know the size of rSP when using PUSHA for example.
*/
FLAG_SET_ADDRSIZE(di, effAdrSz);
/* Copy DST_WR flag. */
if (instFlags & INST_DST_WR) di->flags |= FLAG_DST_WR;
/* Set the unused prefixes mask. */
di->unusedPrefixesMask = prefixes_set_unused_mask(ps);
/* Copy instruction meta. */
di->meta = isi->meta;
if (di->segment == 0) di->segment = R_NONE;
/* Take into account the O_MEM base register for the mask. */
if (di->base != R_NONE) di->usedRegistersMask |= _REGISTERTORCLASS[di->base];
/* Copy CPU affected flags. */
di->modifiedFlagsMask = isi->modifiedFlags;
di->testedFlagsMask = isi->testedFlags;
di->undefinedFlagsMask = isi->undefinedFlags;
/* Calculate the size of the instruction we've just decoded. */
di->size = (uint8_t)((ci->code - startCode) & 0xff);
return DECRES_SUCCESS;
_Undecodable: /* If the instruction couldn't be decoded for some reason, drop the first byte. */
memset(di, 0, sizeof(_DInst));
di->base = R_NONE;
di->size = 1;
/* Clean prefixes just in case... */
ps->usedPrefixes = 0;
/* Special case for WAIT instruction: If it's dropped, you have to return a valid instruction! */
if (*startCode == INST_WAIT_INDEX) {
di->opcode = I_WAIT;
META_SET_ISC(di, ISC_INTEGER);
return DECRES_SUCCESS;
}
/* Mark that we didn't manage to decode the instruction well, caller will drop it. */
return DECRES_INPUTERR;
}
/*
* decode_internal
*
* supportOldIntr - Since now we work with new structure instead of the old _DecodedInst, we are still interested in backward compatibility.
* So although, the array is now of type _DInst, we want to read it in jumps of the old array element's size.
* This is in order to save memory allocation for conversion between the new and the old structures.
* It really means we can do the conversion in-place now.
*/
_DecodeResult decode_internal(_CodeInfo* _ci, int supportOldIntr, _DInst result[], unsigned int maxResultCount, unsigned int* usedInstructionsCount)
{
_PrefixState ps;
unsigned int prefixSize;
_CodeInfo ci;
_OffsetType codeOffset = _ci->codeOffset;
const uint8_t* code = _ci->code;
int codeLen = _ci->codeLen;
/*
* This is used for printing only, it is the real offset of where the whole instruction begins.
* We need this variable in addition to codeOffset, because prefixes might change the real offset an instruction begins at.
* So we keep track of both.
*/
_OffsetType startInstOffset = 0;
const uint8_t* p;
/* Current working decoded instruction in results. */
unsigned int nextPos = 0;
_DInst *pdi = NULL;
_OffsetType addrMask = (_OffsetType)-1;
_DecodeResult decodeResult;
#ifdef DISTORM_LIGHT
supportOldIntr; /* Unreferenced. */
#endif
if (_ci->features & DF_MAXIMUM_ADDR32) addrMask = 0xffffffff;
else if (_ci->features & DF_MAXIMUM_ADDR16) addrMask = 0xffff;
/* No entries are used yet. */
*usedInstructionsCount = 0;
ci.dt = _ci->dt;
_ci->nextOffset = codeOffset;
/* Decode instructions as long as we have what to decode/enough room in entries. */
while (codeLen > 0) {
/* startInstOffset holds the displayed offset of current instruction. */
startInstOffset = codeOffset;
memset(&ps, 0, (size_t)((char*)&ps.pfxIndexer[0] - (char*)&ps));
memset(ps.pfxIndexer, PFXIDX_NONE, sizeof(int) * PFXIDX_MAX);
ps.start = code;
ps.last = code;
prefixSize = 0;
if (prefixes_is_valid(*code, ci.dt)) {
prefixes_decode(code, codeLen, &ps, ci.dt);
/* Count prefixes, start points to first prefix. */
prefixSize = (unsigned int)(ps.last - ps.start);
/*
* It might be that we will just notice that we ran out of bytes, or only prefixes
* so we will have to drop everything and halt.
* Also take into consideration of flow control instruction filter.
*/
codeLen -= prefixSize;
if ((codeLen == 0) || (prefixSize == INST_MAXIMUM_SIZE)) {
if (~_ci->features & DF_RETURN_FC_ONLY) {
/* Make sure there is enough room. */
if (nextPos + (ps.last - code) > maxResultCount) return DECRES_MEMORYERR;
for (p = code; p < ps.last; p++, startInstOffset++) {
/* Use next entry. */
#ifndef DISTORM_LIGHT
if (supportOldIntr) {
pdi = (_DInst*)((char*)result + nextPos * sizeof(_DecodedInst));
}
else
#endif /* DISTORM_LIGHT */
{
pdi = &result[nextPos];
}
nextPos++;
memset(pdi, 0, sizeof(_DInst));
pdi->flags = FLAG_NOT_DECODABLE;
pdi->imm.byte = *p;
pdi->size = 1;
pdi->addr = startInstOffset & addrMask;
}
*usedInstructionsCount = nextPos; /* Include them all. */
}
if (codeLen == 0) break; /* Bye bye, out of bytes. */
}
code += prefixSize;
codeOffset += prefixSize;
/* If we got only prefixes continue to next instruction. */
if (prefixSize == INST_MAXIMUM_SIZE) continue;
}
/*
* Now we decode the instruction and only then we do further prefixes handling.
* This is because the instruction could not be decoded at all, or an instruction requires
* a mandatory prefix, or some of the prefixes were useless, etc...
* Even if there were a mandatory prefix, we already took into account its size as a normal prefix.
* so prefixSize includes that, and the returned size in pdi is simply the size of the real(=without prefixes) instruction.
*/
if (ci.dt == Decode64Bits) {
if (ps.decodedPrefixes & INST_PRE_REX) {
/* REX prefix must precede first byte of instruction. */
if (ps.rexPos != (code - 1)) {
ps.decodedPrefixes &= ~INST_PRE_REX;
ps.prefixExtType = PET_NONE;
prefixes_ignore(&ps, PFXIDX_REX);
}
/*
* We will disable operand size prefix,
* if it exists only after decoding the instruction, since it might be a mandatory prefix.
* This will be done after calling inst_lookup in decode_inst.
*/
}
/* In 64 bits, segment overrides of CS, DS, ES and SS are ignored. So don't take'em into account. */
if (ps.decodedPrefixes & INST_PRE_SEGOVRD_MASK32) {
ps.decodedPrefixes &= ~INST_PRE_SEGOVRD_MASK32;
prefixes_ignore(&ps, PFXIDX_SEG);
}
}
/* Make sure there is at least one more entry to use, for the upcoming instruction. */
if (nextPos + 1 > maxResultCount) return DECRES_MEMORYERR;
#ifndef DISTORM_LIGHT
if (supportOldIntr) {
pdi = (_DInst*)((char*)result + nextPos * sizeof(_DecodedInst));
}
else
#endif /* DISTORM_LIGHT */
{
pdi = &result[nextPos];
}
nextPos++;
/*
* The reason we copy these two again is because we have to keep track on the input ourselves.
* There might be a case when an instruction is invalid, and then it will be counted as one byte only.
* But that instruction already read a byte or two from the stream and only then returned the error.
* Thus, we end up unsynchronized on the stream.
* This way, we are totally safe, because we keep track after the call to decode_inst, using the returned size.
*/
ci.code = code;
ci.codeLen = codeLen;
/* Nobody uses codeOffset in the decoder itself, so spare it. */
decodeResult = decode_inst(&ci, &ps, pdi);
/* See if we need to filter this instruction. */
if ((_ci->features & DF_RETURN_FC_ONLY) && (META_GET_FC(pdi->meta) == FC_NONE)) decodeResult = DECRES_FILTERED;
/* Set address to the beginning of the instruction. */
pdi->addr = startInstOffset & addrMask;
/* pdi->disp &= addrMask; */
/* Advance to next instruction. */
codeLen -= pdi->size;
codeOffset += pdi->size;
code += pdi->size;
/* Instruction's size should include prefixes. */
pdi->size += (uint8_t)prefixSize;
/* Drop all prefixes and the instruction itself, because the instruction wasn't successfully decoded. */
if ((decodeResult == DECRES_INPUTERR) && (~_ci->features & DF_RETURN_FC_ONLY)) {
nextPos--; /* Undo last result. */
if ((prefixSize + 1) > 0) { /* 1 for the first instruction's byte. */
if ((nextPos + prefixSize + 1) > maxResultCount) return DECRES_MEMORYERR;
for (p = ps.start; p < ps.last + 1; p++, startInstOffset++) {
/* Use next entry. */
#ifndef DISTORM_LIGHT
if (supportOldIntr) {
pdi = (_DInst*)((char*)result + nextPos * sizeof(_DecodedInst));
}
else
#endif /* DISTORM_LIGHT */
{
pdi = &result[nextPos];
}
nextPos++;
memset(pdi, 0, sizeof(_DInst));
pdi->flags = FLAG_NOT_DECODABLE;
pdi->imm.byte = *p;
pdi->size = 1;
pdi->addr = startInstOffset & addrMask;
}
}
} else if (decodeResult == DECRES_FILTERED) nextPos--; /* Return it to pool, since it was filtered. */
/* Alright, the caller can read, at least, up to this one. */
*usedInstructionsCount = nextPos;
/* Fix next offset. */
_ci->nextOffset = codeOffset;
/* Check whether we need to stop on any flow control instruction. */
if ((decodeResult == DECRES_SUCCESS) && (_ci->features & DF_STOP_ON_FLOW_CONTROL)) {
if (((_ci->features & DF_STOP_ON_CALL) && (META_GET_FC(pdi->meta) == FC_CALL)) ||
((_ci->features & DF_STOP_ON_RET) && (META_GET_FC(pdi->meta) == FC_RET)) ||
((_ci->features & DF_STOP_ON_SYS) && (META_GET_FC(pdi->meta) == FC_SYS)) ||
((_ci->features & DF_STOP_ON_UNC_BRANCH) && (META_GET_FC(pdi->meta) == FC_UNC_BRANCH)) ||
((_ci->features & DF_STOP_ON_CND_BRANCH) && (META_GET_FC(pdi->meta) == FC_CND_BRANCH)) ||
((_ci->features & DF_STOP_ON_INT) && (META_GET_FC(pdi->meta) == FC_INT)) ||
((_ci->features & DF_STOP_ON_CMOV) && (META_GET_FC(pdi->meta) == FC_CMOV)))
return DECRES_SUCCESS;
}
}
return DECRES_SUCCESS;
}

33
VB-Research/vbOpenScript/dll/diStorm3.3/decoder.h Normal file
View File

@ -0,0 +1,33 @@
/*
decoder.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2011 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef DECODER_H
#define DECODER_H
#include "config.h"
typedef unsigned int _iflags;
_DecodeResult decode_internal(_CodeInfo* ci, int supportOldIntr, _DInst result[], unsigned int maxResultCount, unsigned int* usedInstructionsCount);
#endif /* DECODER_H */

384
VB-Research/vbOpenScript/dll/diStorm3.3/distorm.c Normal file
View File

@ -0,0 +1,384 @@
/*
distorm.c
diStorm3 C Library Interface
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "distorm.h"
#include "config.h"
#include "decoder.h"
#include "x86defs.h"
#include "textdefs.h"
#include "wstring.h"
#include "mnemonics.h"
/* C DLL EXPORTS */
#ifdef SUPPORT_64BIT_OFFSET
_DLLEXPORT_ _DecodeResult distorm_decompose64(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
#else
_DLLEXPORT_ _DecodeResult distorm_decompose32(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
#endif
{
if (usedInstructionsCount == NULL) {
return DECRES_SUCCESS;
}
/* DECRES_SUCCESS still may indicate we may have something in the result, so zero it first thing. */
*usedInstructionsCount = 0;
if ((ci == NULL) ||
(ci->codeLen < 0) ||
((ci->dt != Decode16Bits) && (ci->dt != Decode32Bits) && (ci->dt != Decode64Bits)) ||
(ci->code == NULL) ||
(result == NULL) ||
((ci->features & (DF_MAXIMUM_ADDR16 | DF_MAXIMUM_ADDR32)) == (DF_MAXIMUM_ADDR16 | DF_MAXIMUM_ADDR32)))
{
return DECRES_INPUTERR;
}
/* Assume length=0 is success. */
if (ci->codeLen == 0) {
return DECRES_SUCCESS;
}
return decode_internal(ci, FALSE, result, maxInstructions, usedInstructionsCount);
}
#ifndef DISTORM_LIGHT
/* Helper function to concat an explicit size when it's unknown from the operands. */
static void distorm_format_size(_WString* str, const _DInst* di, int opNum)
{
/*
* We only have to output the size explicitly if it's not clear from the operands.
* For example:
* mov al, [0x1234] -> The size is 8, we know it from the AL register operand.
* mov [0x1234], 0x11 -> Now we don't know the size. Pam pam pam
*
* If given operand number is higher than 2, then output the size anyways.
*/
if (((opNum >= 2) || ((di->ops[0].type != O_REG) && (di->ops[1].type != O_REG))) ||
/* INS/OUTS are exception, because DX is a port specifier and not a real src/dst register. */
((di->opcode == I_INS) || (di->opcode == I_OUTS))) {
switch (di->ops[opNum].size)
{
case 0: break; /* OT_MEM's unknown size. */
case 8: strcat_WSN(str, "BYTE "); break;
case 16: strcat_WSN(str, "WORD "); break;
case 32: strcat_WSN(str, "DWORD "); break;
case 64: strcat_WSN(str, "QWORD "); break;
case 80: strcat_WSN(str, "TBYTE "); break;
case 128: strcat_WSN(str, "DQWORD "); break;
case 256: strcat_WSN(str, "YWORD "); break;
default: /* Big oh uh if it gets here. */ break;
}
}
}
static void distorm_format_signed_disp(_WString* str, const _DInst* di, uint64_t addrMask)
{
int64_t tmpDisp64;
if (di->dispSize) {
chrcat_WS(str, ((int64_t)di->disp < 0) ? MINUS_DISP_CHR : PLUS_DISP_CHR);
if ((int64_t)di->disp < 0) tmpDisp64 = -(int64_t)di->disp;
else tmpDisp64 = di->disp;
tmpDisp64 &= addrMask;
str_code_hqw(str, (uint8_t*)&tmpDisp64);
}
}
#ifdef SUPPORT_64BIT_OFFSET
_DLLEXPORT_ void distorm_format64(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result)
#else
_DLLEXPORT_ void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result)
#endif
{
_WString* str;
unsigned int i, isDefault;
int64_t tmpDisp64;
uint64_t addrMask = (uint64_t)-1;
uint8_t segment;
const _WMnemonic* mnemonic;
/* Set address mask, when default is for 64bits addresses. */
if (ci->features & DF_MAXIMUM_ADDR32) addrMask = 0xffffffff;
else if (ci->features & DF_MAXIMUM_ADDR16) addrMask = 0xffff;
/* Copy other fields. */
result->size = di->size;
result->offset = di->addr & addrMask;
if (di->flags == FLAG_NOT_DECODABLE) {
str = &result->mnemonic;
strclear_WS(&result->operands);
strcpy_WSN(str, "DB ");
str_code_hb(str, di->imm.byte);
strclear_WS(&result->instructionHex);
str_hex_b(&result->instructionHex, di->imm.byte);
return; /* Skip to next instruction. */
}
str = &result->instructionHex;
strclear_WS(str);
for (i = 0; i < di->size; i++)
str_hex_b(str, ci->code[(unsigned int)(di->addr - ci->codeOffset + i)]);
str = &result->mnemonic;
switch (FLAG_GET_PREFIX(di->flags))
{
case FLAG_LOCK:
strcpy_WSN(str, "LOCK ");
break;
case FLAG_REP:
strcpy_WSN(str, "REP ");
break;
case FLAG_REPNZ:
strcpy_WSN(str, "REPNZ ");
break;
default:
/* Init mnemonic string, cause next touch is concatenation. */
strclear_WS(str);
break;
}
mnemonic = (const _WMnemonic*)&_MNEMONICS[di->opcode];
memcpy((int8_t*)&str->p[str->length], mnemonic->p, mnemonic->length + 1);
str->length += mnemonic->length;
/* Format operands: */
str = &result->operands;
strclear_WS(str);
/* Special treatment for String instructions. */
if ((META_GET_ISC(di->meta) == ISC_INTEGER) &&
((di->opcode == I_MOVS) ||
(di->opcode == I_CMPS) ||
(di->opcode == I_STOS) ||
(di->opcode == I_LODS) ||
(di->opcode == I_SCAS)))
{
/*
* No operands are needed if the address size is the default one,
* and no segment is overridden, so add the suffix letter,
* to indicate size of operation and continue to next instruction.
*/
if ((FLAG_GET_ADDRSIZE(di->flags) == ci->dt) && (SEGMENT_IS_DEFAULT(di->segment))) {
str = &result->mnemonic;
switch (di->ops[0].size)
{
case 8: chrcat_WS(str, 'B'); break;
case 16: chrcat_WS(str, 'W'); break;
case 32: chrcat_WS(str, 'D'); break;
case 64: chrcat_WS(str, 'Q'); break;
}
return;
}
}
for (i = 0; ((i < OPERANDS_NO) && (di->ops[i].type != O_NONE)); i++) {
if (i > 0) strcat_WSN(str, ", ");
switch (di->ops[i].type)
{
case O_REG:
strcat_WS(str, (const _WString*)&_REGISTERS[di->ops[i].index]);
break;
case O_IMM:
/* If the instruction is 'push', show explicit size (except byte imm). */
if (di->opcode == I_PUSH && di->ops[i].size != 8) distorm_format_size(str, di, i);
/* Special fix for negative sign extended immediates. */
if ((di->flags & FLAG_IMM_SIGNED) && (di->ops[i].size == 8)) {
if (di->imm.sbyte < 0) {
chrcat_WS(str, MINUS_DISP_CHR);
str_code_hb(str, -di->imm.sbyte);
break;
}
}
if (di->ops[i].size == 64) str_code_hqw(str, (uint8_t*)&di->imm.qword);
else str_code_hdw(str, di->imm.dword);
break;
case O_IMM1:
str_code_hdw(str, di->imm.ex.i1);
break;
case O_IMM2:
str_code_hdw(str, di->imm.ex.i2);
break;
case O_DISP:
distorm_format_size(str, di, i);
chrcat_WS(str, OPEN_CHR);
if ((SEGMENT_GET(di->segment) != R_NONE) && !SEGMENT_IS_DEFAULT(di->segment)) {
strcat_WS(str, (const _WString*)&_REGISTERS[SEGMENT_GET(di->segment)]);
chrcat_WS(str, SEG_OFF_CHR);
}
tmpDisp64 = di->disp & addrMask;
str_code_hqw(str, (uint8_t*)&tmpDisp64);
chrcat_WS(str, CLOSE_CHR);
break;
case O_SMEM:
distorm_format_size(str, di, i);
chrcat_WS(str, OPEN_CHR);
/*
* This is where we need to take special care for String instructions.
* If we got here, it means we need to explicitly show their operands.
* The problem with CMPS and MOVS is that they have two(!) memory operands.
* So we have to complete it ourselves, since the structure supplies only the segment that can be overridden.
* And make the rest of the String operations explicit.
*/
segment = SEGMENT_GET(di->segment);
isDefault = SEGMENT_IS_DEFAULT(di->segment);
switch (di->opcode)
{
case I_MOVS:
isDefault = FALSE;
if (i == 0) segment = R_ES;
break;
case I_CMPS:
isDefault = FALSE;
if (i == 1) segment = R_ES;
break;
case I_INS:
case I_LODS:
case I_STOS:
case I_SCAS: isDefault = FALSE; break;
}
if (!isDefault && (segment != R_NONE)) {
strcat_WS(str, (const _WString*)&_REGISTERS[segment]);
chrcat_WS(str, SEG_OFF_CHR);
}
strcat_WS(str, (const _WString*)&_REGISTERS[di->ops[i].index]);
distorm_format_signed_disp(str, di, addrMask);
chrcat_WS(str, CLOSE_CHR);
break;
case O_MEM:
distorm_format_size(str, di, i);
chrcat_WS(str, OPEN_CHR);
if ((SEGMENT_GET(di->segment) != R_NONE) && !SEGMENT_IS_DEFAULT(di->segment)) {
strcat_WS(str, (const _WString*)&_REGISTERS[SEGMENT_GET(di->segment)]);
chrcat_WS(str, SEG_OFF_CHR);
}
if (di->base != R_NONE) {
strcat_WS(str, (const _WString*)&_REGISTERS[di->base]);
chrcat_WS(str, PLUS_DISP_CHR);
}
strcat_WS(str, (const _WString*)&_REGISTERS[di->ops[i].index]);
if (di->scale != 0) {
chrcat_WS(str, '*');
if (di->scale == 2) chrcat_WS(str, '2');
else if (di->scale == 4) chrcat_WS(str, '4');
else /* if (di->scale == 8) */ chrcat_WS(str, '8');
}
distorm_format_signed_disp(str, di, addrMask);
chrcat_WS(str, CLOSE_CHR);
break;
case O_PC:
#ifdef SUPPORT_64BIT_OFFSET
str_off64(str, (di->imm.sqword + di->addr + di->size) & addrMask);
#else
str_code_hdw(str, ((_OffsetType)di->imm.sdword + di->addr + di->size) & (uint32_t)addrMask);
#endif
break;
case O_PTR:
str_code_hdw(str, di->imm.ptr.seg);
chrcat_WS(str, SEG_OFF_CHR);
str_code_hdw(str, di->imm.ptr.off);
break;
}
}
if (di->flags & FLAG_HINT_TAKEN) strcat_WSN(str, " ;TAKEN");
else if (di->flags & FLAG_HINT_NOT_TAKEN) strcat_WSN(str, " ;NOT TAKEN");
}
#ifdef SUPPORT_64BIT_OFFSET
_DLLEXPORT_ _DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
#else
_DLLEXPORT_ _DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount)
#endif
{
_DecodeResult res;
_DInst di;
_CodeInfo ci;
unsigned int instsCount = 0, i;
*usedInstructionsCount = 0;
/* I use codeLen as a signed variable in order to ease detection of underflow... and besides - */
if (codeLen < 0) {
return DECRES_INPUTERR;
}
if ((dt != Decode16Bits) && (dt != Decode32Bits) && (dt != Decode64Bits)) {
return DECRES_INPUTERR;
}
if (code == NULL || result == NULL) {
return DECRES_INPUTERR;
}
/* Assume length=0 is success. */
if (codeLen == 0) {
return DECRES_SUCCESS;
}
/*
* We have to format the result into text. But the interal decoder works with the new structure of _DInst.
* Therefore, we will pass the result array(!) from the caller and the interal decoder will fill it in with _DInst's.
* Then we will copy each result to a temporary structure, and use it to reformat that specific result.
*
* This is all done to save memory allocation and to work on the same result array in-place!!!
* It's a bit ugly, I have to admit, but worth it.
*/
ci.codeOffset = codeOffset;
ci.code = code;
ci.codeLen = codeLen;
ci.dt = dt;
ci.features = DF_NONE;
if (dt == Decode16Bits) ci.features = DF_MAXIMUM_ADDR16;
else if (dt == Decode32Bits) ci.features = DF_MAXIMUM_ADDR32;
res = decode_internal(&ci, TRUE, (_DInst*)result, maxInstructions, &instsCount);
for (i = 0; i < instsCount; i++) {
if ((*usedInstructionsCount + i) >= maxInstructions) return DECRES_MEMORYERR;
/* Copy the current decomposed result to a temp structure, so we can override the result with text. */
memcpy(&di, (char*)result + (i * sizeof(_DecodedInst)), sizeof(_DInst));
#ifdef SUPPORT_64BIT_OFFSET
distorm_format64(&ci, &di, &result[i]);
#else
distorm_format32(&ci, &di, &result[i]);
#endif
}
*usedInstructionsCount = instsCount;
return res;
}
#endif /* DISTORM_LIGHT */
_DLLEXPORT_ unsigned int distorm_version()
{
return __DISTORMV__;
}

473
VB-Research/vbOpenScript/dll/diStorm3.3/distorm.h Normal file
View File

@ -0,0 +1,473 @@
/* diStorm3 3.2 */
/*
distorm.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef DISTORM_H
#define DISTORM_H
/*
* 64 bit offsets support:
* If the diStorm library you use was compiled with 64 bits offsets,
* make sure you compile your own code with the following macro set:
* SUPPORT_64BIT_OFFSET
* Otherwise comment it out, or you will get a linker error of an unresolved symbol...
* Turned on by default!
*/
#if !(defined(DISTORM_STATIC) || defined(DISTORM_DYNAMIC))
/* Define this macro for outer projects by default. */
#define SUPPORT_64BIT_OFFSET
#endif
/* TINYC has a problem with some 64bits library functions, so ignore 64 bit offsets. */
#ifdef __TINYC__
#undef SUPPORT_64BIT_OFFSET
#endif
/* If your compiler doesn't support stdint.h, define your own 64 bits type. */
#ifdef SUPPORT_64BIT_OFFSET
#ifdef _MSC_VER
#define OFFSET_INTEGER unsigned __int64
#else
#include <stdint.h>
#define OFFSET_INTEGER uint64_t
#endif
#else
/* 32 bit offsets are used. */
#define OFFSET_INTEGER unsigned long
#endif
#ifdef _MSC_VER
/* Since MSVC isn't shipped with stdint.h, we will have our own: */
typedef signed __int64 int64_t;
typedef unsigned __int64 uint64_t;
typedef signed __int32 int32_t;
typedef unsigned __int32 uint32_t;
typedef signed __int16 int16_t;
typedef unsigned __int16 uint16_t;
typedef signed __int8 int8_t;
typedef unsigned __int8 uint8_t;
#endif
/* Support C++ compilers */
#ifdef __cplusplus
extern "C" {
#endif
/* *** Helper Macros *** */
/* Get the ISC of the instruction, used with the definitions below. */
#define META_GET_ISC(meta) (((meta) >> 3) & 0x1f)
#define META_SET_ISC(di, isc) (((di)->meta) |= ((isc) << 3))
/* Get the flow control flags of the instruction, see 'features for decompose' below. */
#define META_GET_FC(meta) ((meta) & 0x7)
/* Get the target address of a branching instruction. O_PC operand type. */
#define INSTRUCTION_GET_TARGET(di) ((_OffsetType)(((di)->addr + (di)->imm.addr + (di)->size)))
/* Get the target address of a RIP-relative memory indirection. */
#define INSTRUCTION_GET_RIP_TARGET(di) ((_OffsetType)(((di)->addr + (di)->disp + (di)->size)))
/*
* Operand Size or Adderss size are stored inside the flags:
* 0 - 16 bits
* 1 - 32 bits
* 2 - 64 bits
* 3 - reserved
*
* If you call these set-macros more than once, you will have to clean the bits before doing so.
*/
#define FLAG_SET_OPSIZE(di, size) ((di->flags) |= (((size) & 3) << 8))
#define FLAG_SET_ADDRSIZE(di, size) ((di->flags) |= (((size) & 3) << 10))
#define FLAG_GET_OPSIZE(flags) (((flags) >> 8) & 3)
#define FLAG_GET_ADDRSIZE(flags) (((flags) >> 10) & 3)
/* To get the LOCK/REPNZ/REP prefixes. */
#define FLAG_GET_PREFIX(flags) ((flags) & 7)
/*
* Macros to extract segment registers from 'segment':
*/
#define SEGMENT_DEFAULT 0x80
#define SEGMENT_SET(di, seg) ((di->segment) |= seg)
#define SEGMENT_GET(segment) (((segment) == R_NONE) ? R_NONE : ((segment) & 0x7f))
#define SEGMENT_IS_DEFAULT(segment) (((segment) & SEGMENT_DEFAULT) == SEGMENT_DEFAULT)
/* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */
typedef enum { Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2 } _DecodeType;
typedef OFFSET_INTEGER _OffsetType;
typedef struct {
_OffsetType codeOffset, nextOffset; /* nextOffset is OUT only. */
const uint8_t* code;
int codeLen; /* Using signed integer makes it easier to detect an underflow. */
_DecodeType dt;
unsigned int features;
} _CodeInfo;
typedef enum { O_NONE, O_REG, O_IMM, O_IMM1, O_IMM2, O_DISP, O_SMEM, O_MEM, O_PC, O_PTR } _OperandType;
typedef union {
/* Used by O_IMM: */
int8_t sbyte;
uint8_t byte;
int16_t sword;
uint16_t word;
int32_t sdword;
uint32_t dword;
int64_t sqword; /* All immediates are SIGN-EXTENDED to 64 bits! */
uint64_t qword;
/* Used by O_PC: (Use GET_TARGET_ADDR).*/
_OffsetType addr; /* It's a relative offset as for now. */
/* Used by O_PTR: */
struct {
uint16_t seg;
/* Can be 16 or 32 bits, size is in ops[n].size. */
uint32_t off;
} ptr;
/* Used by O_IMM1 (i1) and O_IMM2 (i2). ENTER instruction only. */
struct {
uint32_t i1;
uint32_t i2;
} ex;
} _Value;
typedef struct {
/* Type of operand:
O_NONE: operand is to be ignored.
O_REG: index holds global register index.
O_IMM: instruction.imm.
O_IMM1: instruction.imm.ex.i1.
O_IMM2: instruction.imm.ex.i2.
O_DISP: memory dereference with displacement only, instruction.disp.
O_SMEM: simple memory dereference with optional displacement (a single register memory dereference).
O_MEM: complex memory dereference (optional fields: s/i/b/disp).
O_PC: the relative address of a branch instruction (instruction.imm.addr).
O_PTR: the absolute target address of a far branch instruction (instruction.imm.ptr.seg/off).
*/
uint8_t type; /* _OperandType */
/* Index of:
O_REG: holds global register index
O_SMEM: holds the 'base' register. E.G: [ECX], [EBX+0x1234] are both in operand.index.
O_MEM: holds the 'index' register. E.G: [EAX*4] is in operand.index.
*/
uint8_t index;
/* Size of:
O_REG: register
O_IMM: instruction.imm
O_IMM1: instruction.imm.ex.i1
O_IMM2: instruction.imm.ex.i2
O_DISP: instruction.disp
O_SMEM: size of indirection.
O_MEM: size of indirection.
O_PC: size of the relative offset
O_PTR: size of instruction.imm.ptr.off (16 or 32)
*/
uint16_t size;
} _Operand;
#define OPCODE_ID_NONE 0
/* Instruction could not be disassembled. */
#define FLAG_NOT_DECODABLE ((uint16_t)-1)
/* The instruction locks memory access. */
#define FLAG_LOCK (1 << 0)
/* The instruction is prefixed with a REPNZ. */
#define FLAG_REPNZ (1 << 1)
/* The instruction is prefixed with a REP, this can be a REPZ, it depends on the specific instruction. */
#define FLAG_REP (1 << 2)
/* Indicates there is a hint taken for Jcc instructions only. */
#define FLAG_HINT_TAKEN (1 << 3)
/* Indicates there is a hint non-taken for Jcc instructions only. */
#define FLAG_HINT_NOT_TAKEN (1 << 4)
/* The Imm value is signed extended. */
#define FLAG_IMM_SIGNED (1 << 5)
/* The destination operand is writable. */
#define FLAG_DST_WR (1 << 6)
/* The instruction uses RIP-relative indirection. */
#define FLAG_RIP_RELATIVE (1 << 7)
/* No register was defined. */
#define R_NONE ((uint8_t)-1)
#define REGS64_BASE 0
#define REGS32_BASE 16
#define REGS16_BASE 32
#define REGS8_BASE 48
#define REGS8_REX_BASE 64
#define SREGS_BASE 68
#define FPUREGS_BASE 75
#define MMXREGS_BASE 83
#define SSEREGS_BASE 91
#define AVXREGS_BASE 107
#define CREGS_BASE 123
#define DREGS_BASE 132
#define OPERANDS_NO (4)
typedef struct {
/* Used by ops[n].type == O_IMM/O_IMM1&O_IMM2/O_PTR/O_PC. Its size is ops[n].size. */
_Value imm;
/* Used by ops[n].type == O_SMEM/O_MEM/O_DISP. Its size is dispSize. */
uint64_t disp;
/* Virtual address of first byte of instruction. */
_OffsetType addr;
/* General flags of instruction, holds prefixes and more, if FLAG_NOT_DECODABLE, instruction is invalid. */
uint16_t flags;
/* Unused prefixes mask, for each bit that is set that prefix is not used (LSB is byte [addr + 0]). */
uint16_t unusedPrefixesMask;
/* Mask of registers that were used in the operands, only used for quick look up, in order to know *some* operand uses that register class. */
uint16_t usedRegistersMask;
/* ID of opcode in the global opcode table. Use for mnemonic look up. */
uint16_t opcode;
/* Up to four operands per instruction, ignored if ops[n].type == O_NONE. */
_Operand ops[OPERANDS_NO];
/* Size of the whole instruction. */
uint8_t size;
/* Segment information of memory indirection, default segment, or overriden one, can be -1. Use SEGMENT macros. */
uint8_t segment;
/* Used by ops[n].type == O_MEM. Base global register index (might be R_NONE), scale size (2/4/8), ignored for 0 or 1. */
uint8_t base, scale;
uint8_t dispSize;
/* Meta defines the instruction set class, and the flow control flags. Use META macros. */
uint8_t meta;
/* The CPU flags that the instruction operates upon. */
uint8_t modifiedFlagsMask, testedFlagsMask, undefinedFlagsMask;
} _DInst;
#ifndef DISTORM_LIGHT
/* Static size of strings. Do not change this value. Keep Python wrapper in sync. */
#define MAX_TEXT_SIZE (48)
typedef struct {
unsigned int length;
unsigned char p[MAX_TEXT_SIZE]; /* p is a null terminated string. */
} _WString;
/*
* Old decoded instruction structure in text format.
* Used only for backward compatibility with diStorm64.
* This structure holds all information the disassembler generates per instruction.
*/
typedef struct {
_WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
_WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
_WString instructionHex; /* Hex dump - little endian, including prefixes. */
unsigned int size; /* Size of decoded instruction. */
_OffsetType offset; /* Start offset of the decoded instruction. */
} _DecodedInst;
#endif /* DISTORM_LIGHT */
/* Register masks for quick look up, each mask indicates one of a register-class that is being used in some operand. */
#define RM_AX 1 /* AL, AH, AX, EAX, RAX */
#define RM_CX 2 /* CL, CH, CX, ECX, RCX */
#define RM_DX 4 /* DL, DH, DX, EDX, RDX */
#define RM_BX 8 /* BL, BH, BX, EBX, RBX */
#define RM_SP 0x10 /* SPL, SP, ESP, RSP */
#define RM_BP 0x20 /* BPL, BP, EBP, RBP */
#define RM_SI 0x40 /* SIL, SI, ESI, RSI */
#define RM_DI 0x80 /* DIL, DI, EDI, RDI */
#define RM_FPU 0x100 /* ST(0) - ST(7) */
#define RM_MMX 0x200 /* MM0 - MM7 */
#define RM_SSE 0x400 /* XMM0 - XMM15 */
#define RM_AVX 0x800 /* YMM0 - YMM15 */
#define RM_CR 0x1000 /* CR0, CR2, CR3, CR4, CR8 */
#define RM_DR 0x2000 /* DR0, DR1, DR2, DR3, DR6, DR7 */
/* RIP should be checked using the 'flags' field and FLAG_RIP_RELATIVE.
* Segments should be checked using the segment macros.
* For now R8 - R15 are not supported and non general purpose registers map into same RM.
*/
/* CPU Flags that instructions modify, test or undefine. */
#define D_ZF 1 /* Zero */
#define D_SF 2 /* Sign */
#define D_CF 4 /* Carry */
#define D_OF 8 /* Overflow */
#define D_PF 0x10 /* Parity */
#define D_AF 0x20 /* Auxilary */
#define D_DF 0x40 /* Direction */
#define D_IF 0x80 /* Interrupt */
/*
* Instructions Set classes:
* if you want a better understanding of the available classes, look at disOps project, file: x86sets.py.
*/
/* Indicates the instruction belongs to the General Integer set. */
#define ISC_INTEGER 1
/* Indicates the instruction belongs to the 387 FPU set. */
#define ISC_FPU 2
/* Indicates the instruction belongs to the P6 set. */
#define ISC_P6 3
/* Indicates the instruction belongs to the MMX set. */
#define ISC_MMX 4
/* Indicates the instruction belongs to the SSE set. */
#define ISC_SSE 5
/* Indicates the instruction belongs to the SSE2 set. */
#define ISC_SSE2 6
/* Indicates the instruction belongs to the SSE3 set. */
#define ISC_SSE3 7
/* Indicates the instruction belongs to the SSSE3 set. */
#define ISC_SSSE3 8
/* Indicates the instruction belongs to the SSE4.1 set. */
#define ISC_SSE4_1 9
/* Indicates the instruction belongs to the SSE4.2 set. */
#define ISC_SSE4_2 10
/* Indicates the instruction belongs to the AMD's SSE4.A set. */
#define ISC_SSE4_A 11
/* Indicates the instruction belongs to the 3DNow! set. */
#define ISC_3DNOW 12
/* Indicates the instruction belongs to the 3DNow! Extensions set. */
#define ISC_3DNOWEXT 13
/* Indicates the instruction belongs to the VMX (Intel) set. */
#define ISC_VMX 14
/* Indicates the instruction belongs to the SVM (AMD) set. */
#define ISC_SVM 15
/* Indicates the instruction belongs to the AVX (Intel) set. */
#define ISC_AVX 16
/* Indicates the instruction belongs to the FMA (Intel) set. */
#define ISC_FMA 17
/* Indicates the instruction belongs to the AES/AVX (Intel) set. */
#define ISC_AES 18
/* Indicates the instruction belongs to the CLMUL (Intel) set. */
#define ISC_CLMUL 19
/* Features for decompose: */
#define DF_NONE 0
/* The decoder will limit addresses to a maximum of 16 bits. */
#define DF_MAXIMUM_ADDR16 1
/* The decoder will limit addresses to a maximum of 32 bits. */
#define DF_MAXIMUM_ADDR32 2
/* The decoder will return only flow control instructions (and filter the others internally). */
#define DF_RETURN_FC_ONLY 4
/* The decoder will stop and return to the caller when the instruction 'CALL' (near and far) was decoded. */
#define DF_STOP_ON_CALL 8
/* The decoder will stop and return to the caller when the instruction 'RET' (near and far) was decoded. */
#define DF_STOP_ON_RET 0x10
/* The decoder will stop and return to the caller when the instruction system-call/ret was decoded. */
#define DF_STOP_ON_SYS 0x20
/* The decoder will stop and return to the caller when any of the branch 'JMP', (near and far) instructions were decoded. */
#define DF_STOP_ON_UNC_BRANCH 0x40
/* The decoder will stop and return to the caller when any of the conditional branch instruction were decoded. */
#define DF_STOP_ON_CND_BRANCH 0x80
/* The decoder will stop and return to the caller when the instruction 'INT' (INT, INT1, INTO, INT 3) was decoded. */
#define DF_STOP_ON_INT 0x100
/* The decoder will stop and return to the caller when any of the 'CMOVxx' instruction was decoded. */
#define DF_STOP_ON_CMOV 0x200
/* The decoder will stop and return to the caller when any flow control instruction was decoded. */
#define DF_STOP_ON_FLOW_CONTROL (DF_STOP_ON_CALL | DF_STOP_ON_RET | DF_STOP_ON_SYS | DF_STOP_ON_UNC_BRANCH | DF_STOP_ON_CND_BRANCH | DF_STOP_ON_INT | DF_STOP_ON_CMOV)
/* Indicates the instruction is not a flow-control instruction. */
#define FC_NONE 0
/* Indicates the instruction is one of: CALL, CALL FAR. */
#define FC_CALL 1
/* Indicates the instruction is one of: RET, IRET, RETF. */
#define FC_RET 2
/* Indicates the instruction is one of: SYSCALL, SYSRET, SYSENTER, SYSEXIT. */
#define FC_SYS 3
/* Indicates the instruction is one of: JMP, JMP FAR. */
#define FC_UNC_BRANCH 4
/*
* Indicates the instruction is one of:
* JCXZ, JO, JNO, JB, JAE, JZ, JNZ, JBE, JA, JS, JNS, JP, JNP, JL, JGE, JLE, JG, LOOP, LOOPZ, LOOPNZ.
*/
#define FC_CND_BRANCH 5
/* Indiciates the instruction is one of: INT, INT1, INT 3, INTO, UD2. */
#define FC_INT 6
/* Indicates the instruction is one of: CMOVxx. */
#define FC_CMOV 7
/* Return code of the decoding function. */
typedef enum { DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR, DECRES_FILTERED } _DecodeResult;
/* Define the following interface functions only for outer projects. */
#if !(defined(DISTORM_STATIC) || defined(DISTORM_DYNAMIC))
/* distorm_decode
* Input:
* offset - Origin of the given code (virtual address that is), NOT an offset in code.
* code - Pointer to the code buffer to be disassembled.
* length - Amount of bytes that should be decoded from the code buffer.
* dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits).
* result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions.
* maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound.
* usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array.
* Output: usedInstructionsCount will hold the number of entries used in the result array
* and the result array itself will be filled with the disassembled instructions.
* Return: DECRES_SUCCESS on success (no more to disassemble), DECRES_INPUTERR on input error (null code buffer, invalid decoding mode, etc...),
* DECRES_MEMORYERR when there are not enough entries to use in the result array, BUT YOU STILL have to check for usedInstructionsCount!
* Side-Effects: Even if the return code is DECRES_MEMORYERR, there might STILL be data in the
* array you passed, this function will try to use as much entries as possible!
* Notes: 1)The minimal size of maxInstructions is 15.
* 2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block!
*/
#ifdef SUPPORT_64BIT_OFFSET
_DecodeResult distorm_decompose64(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
#define distorm_decompose distorm_decompose64
#ifndef DISTORM_LIGHT
/* If distorm-light is defined, we won't export these text-formatting functionality. */
_DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
void distorm_format64(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
#define distorm_decode distorm_decode64
#define distorm_format distorm_format64
#endif /*DISTORM_LIGHT*/
#else /*SUPPORT_64BIT_OFFSET*/
_DecodeResult distorm_decompose32(_CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
#define distorm_decompose distorm_decompose32
#ifndef DISTORM_LIGHT
/* If distorm-light is defined, we won't export these text-formatting functionality. */
_DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
#define distorm_decode distorm_decode32
#define distorm_format distorm_format32
#endif /*DISTORM_LIGHT*/
#endif
/*
* distorm_version
* Input:
* none
*
* Output: unsigned int - version of compiled library.
*/
unsigned int distorm_version();
#endif /* DISTORM_STATIC */
#ifdef __cplusplus
} /* End Of Extern */
#endif
#endif /* DISTORM_H */

590
VB-Research/vbOpenScript/dll/diStorm3.3/instructions.c Normal file
View File

@ -0,0 +1,590 @@
/*
instructions.c
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "instructions.h"
#include "insts.h"
#include "prefix.h"
#include "x86defs.h"
#include "mnemonics.h"
/* Helper macros to extract the type or index from an inst-node value. */
#define INST_NODE_INDEX(n) ((n) & 0x1fff)
#define INST_NODE_TYPE(n) ((n) >> 13)
/* Helper macro to read the actual flags that are associated with an inst-info. */
#define INST_INFO_FLAGS(ii) (FlagsTable[InstSharedInfoTable[(ii)->sharedIndex].flagsIndex])
/*
I use the trie data structure as I found it most fitting to a disassembler mechanism.
When you read a byte and have to decide if it's enough or you should read more bytes, 'till you get to the instruction information.
It's really fast because you POP the instruction info in top 3 iterates on the DB, because an instruction can be formed from two bytes + 3 bits reg from the ModR/M byte.
For a simple explanation, check this out:
http://www.csse.monash.edu.au/~lloyd/tildeAlgDS/Tree/Trie/
Futher reading: http://en.wikipedia.org/wiki/Trie
The first GATE (array you read off a trie data structure), as I call them, is statically allocated by the compiler.
The second and third gates if used are being allocated dynamically by the instructions-insertion functionality.
How would such a thing look in memory, say we support 4 instructions with 3 bytes top (means 2 dynamically allocated gates).
->
|-------| 0,
|0| -------------------------------> |-------|
|1|RET | 1, |0|AND |
|2| -----> |-------| |1|XOR |
|3|INT3 | |0|PUSH | |2|OR | 0,3,
|-------| |1|POP | |3| --------->|-------|
|2|PUSHF| |-------| |0|ROR |
|3|POPF | |1|ROL |
|-------| |2|SHR |
|3|SHL |
|-------|
Of course, this is NOT how Intel instructions set looks!!!
but I just wanted to give a small demonstration.
Now the instructions you get from such a trie DB goes like this:
0, 0 - AND
0, 1 - XOR
0, 2 - OR
0, 3, 0, ROR
0, 3, 1, ROL
0, 3, 2, SHR
0, 3, 3, SHL
1 - RET
2, 0 - PUSH
2, 1 - POP
2, 2 - PUSHF
2, 3 - POPF
3 - INT3
I guess it's clear by now.
So now, if you read 0, you know that you have to enter the second gate(list) with the second byte specifying the index.
But if you read 1, you know that you go to an instruction (in this case, a RET).
That's why there's an Instruction-Node structure, it tells you whether you got to an instruction or another list
so you should keep on reading byte).
In Intel, you could go through 4 gates at top, because there're instructions which are built from 2 bytes and another smaller list
for the REG part, or newest SSE4 instructions which use 4 bytes for opcode.
Therefore, Intel's first gate is 256 long, and other gates are 256 (/72) or 8 long, yes, it costs pretty much alot of memory
for non-used defined instructions, but I think that it still rocks.
*/
/*
* A helper function to look up the correct inst-info structure.
* It does one fetch from the index-table, and then another to get the inst-info.
* Note that it takes care about basic inst-info or inst-info-ex.
* The caller should worry about boundary checks and whether it accesses a last-level table.
*/
static _InstInfo* inst_get_info(_InstNode in, int index)
{
int instIndex = 0;
in = InstructionsTree[INST_NODE_INDEX(in) + index];
if (in == INT_NOTEXISTS) return NULL;
instIndex = INST_NODE_INDEX(in);
return INST_NODE_TYPE(in) == INT_INFO ? &InstInfos[instIndex] : (_InstInfo*)&InstInfosEx[instIndex];
}
/*
* This function is responsible to return the instruction information of the first found in code.
* It returns the _InstInfo of the found instruction, otherwise NULL.
* code should point to the ModR/M byte upon exit (if used), or after the instruction binary code itself.
* This function is NOT decoding-type dependant, it is up to the caller to see whether the instruction is valid.
* Get the instruction info, using a Trie data structure.
*
* Sometimes normal prefixes become mandatory prefixes, which means they are now part of the instruction opcode bytes.
* This is a bit tricky now,
* if the first byte is a REP (F3) prefix, we will have to give a chance to an SSE instruction.
* If an instruction doesn't exist, we will make it as a prefix and re-locateinst.
* A case such that a REP prefix is being changed into an instruction byte and also an SSE instruction will not be found can't happen,
* simply because there are no collisions between string instruction and SSE instructions (they are escaped).
* As for S/SSE2/3, check for F2 and 66 as well.
* In 64 bits, we have to make sure that we will skip the REX prefix, if it exists.
* There's a specific case, where a 66 is mandatory but it was dropped because REG.W was used,
* but it doesn't behave as an operand size prefix but as a mandatory, so we will have to take it into account.
* For example (64 bits decoding mode):
* 66 98 CBW
* 48 98 CDQE
* 66 48 98: db 0x66; CDQE
* Shows that operand size is dropped.
* Now, it's a mandatory prefix and NOT an operand size one.
* 66480f2dc0 db 0x48; CVTPD2PI XMM0, XMM0
* Although this instruction doesn't require a REX.W, it just shows, that even if it did - it doesn't matter.
* REX.W is dropped because it's not requried, but the decode function disabled the operand size even so.
*/
static _InstInfo* inst_lookup_prefixed(_InstNode in, _PrefixState* ps)
{
int checkOpSize = FALSE;
int index = 0;
_InstInfo* ii = NULL;
/* Check prefixes of current decoded instruction (None, 0x66, 0xf3, 0xf2). */
switch (ps->decodedPrefixes & (INST_PRE_OP_SIZE | INST_PRE_REPS))
{
case 0:
/* Non-prefixed, index = 0. */
index = 0;
break;
case INST_PRE_OP_SIZE:
/* 0x66, index = 1. */
index = 1;
/* Mark that we used it as a mandatory prefix. */
ps->isOpSizeMandatory = TRUE;
ps->decodedPrefixes &= ~INST_PRE_OP_SIZE;
break;
case INST_PRE_REP:
/* 0xf3, index = 2. */
index = 2;
ps->decodedPrefixes &= ~INST_PRE_REP;
break;
case INST_PRE_REPNZ:
/* 0xf2, index = 3. */
index = 3;
ps->decodedPrefixes &= ~INST_PRE_REPNZ;
break;
default:
/*
* Now we got a problem, since there are a few mandatory prefixes at once.
* There is only one case when it's ok, when the operand size prefix is for real (not mandatory).
* Otherwise we will have to return NULL, since the instruction is illegal.
* Therefore we will start with REPNZ and REP prefixes,
* try to get the instruction and only then check for the operand size prefix.
*/
/* If both REPNZ and REP are together, it's illegal for sure. */
if ((ps->decodedPrefixes & INST_PRE_REPS) == INST_PRE_REPS) return NULL;
/* Now we know it's either REPNZ+OPSIZE or REP+OPSIZE, so examine the instruction. */
if (ps->decodedPrefixes & INST_PRE_REPNZ) {
index = 3;
ps->decodedPrefixes &= ~INST_PRE_REPNZ;
} else if (ps->decodedPrefixes & INST_PRE_REP) {
index = 2;
ps->decodedPrefixes &= ~INST_PRE_REP;
}
/* Mark to verify the operand-size prefix of the fetched instruction below. */
checkOpSize = TRUE;
break;
}
/* Fetch the inst-info from the index. */
ii = inst_get_info(in, index);
if (checkOpSize) {
/* If the instruction doesn't support operand size prefix, then it's illegal. */
if ((ii == NULL) || (~INST_INFO_FLAGS(ii) & INST_PRE_OP_SIZE)) return NULL;
}
/* If there was a prefix, but the instruction wasn't found. Try to fall back to use the normal instruction. */
if (ii == NULL) ii = inst_get_info(in, 0);
return ii;
}
/* A helper function to look up special VEX instructions.
* See if it's a MOD based instruction and fix index if required.
* Only after a first lookup (that was done by caller), we can tell if we need to fix the index.
* Because these are coupled instructions
* (which means that the base instruction hints about the other instruction).
* Note that caller should check if it's a MOD dependent instruction before getting in here.
*/
static _InstInfo* inst_vex_mod_lookup(_CodeInfo* ci, _InstNode in, _InstInfo* ii, unsigned int index)
{
/* Advance to read the MOD from ModRM byte. */
ci->code += 1;
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL;
if (*ci->code < INST_DIVIDED_MODRM) {
/* MOD is not 11, therefore change the index to 8 - 12 range in the prefixed table. */
index += 4;
/* Make a second lookup for this special instruction. */
return inst_get_info(in, index);
}
/* Return the original one, in case we didn't find a stuited instruction. */
return ii;
}
static _InstInfo* inst_vex_lookup(_CodeInfo* ci, _PrefixState* ps)
{
_InstNode in = 0;
unsigned int pp = 0, start = 0;
unsigned int index = 4; /* VEX instructions start at index 4 in the Prefixed table. */
uint8_t vex = *ps->vexPos, vex2 = 0, v = 0;
int instType = 0, instIndex = 0;
/* The VEX instruction will #ud if any of 66, f0, f2, f3, REX prefixes precede. */
_iflags illegal = (INST_PRE_OP_SIZE | INST_PRE_LOCK | INST_PRE_REP | INST_PRE_REPNZ | INST_PRE_REX);
if ((ps->decodedPrefixes & illegal) != 0) return NULL;
/* Read the some fields from the VEX prefix we need to extract the instruction. */
if (ps->prefixExtType == PET_VEX2BYTES) {
ps->vexV = v = (~vex >> 3) & 0xf;
pp = vex & 3;
/* Implied leading 0x0f byte by default for 2 bytes VEX prefix. */
start = 1;
} else { /* PET_VEX3BYTES */
start = vex & 0x1f;
vex2 = *(ps->vexPos + 1);
ps->vexV = v = (~vex2 >> 3) & 0xf;
pp = vex2 & 3;
}
/* start can be either 1 (0x0f), 2 (0x0f, 0x038) or 3 (0x0f, 0x3a), otherwise it's illegal. */
switch (start)
{
case 1: in = Table_0F; break;
case 2: in = Table_0F_38; break;
case 3: in = Table_0F_3A; break;
default: return NULL;
}
/* pp is actually the implied mandatory prefix, apply it to the index. */
index += pp; /* (None, 0x66, 0xf3, 0xf2) */
/* Read a byte from the stream. */
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL;
in = InstructionsTree[INST_NODE_INDEX(in) + *ci->code];
if (in == INT_NOTEXISTS) return NULL;
instType = INST_NODE_TYPE(in);
instIndex = INST_NODE_INDEX(in);
/*
* If we started with 0f38 or 0f3a so it's a prefixed table,
* therefore it's surely a VEXed instruction (because of a high index).
* However, starting with 0f, could also lead immediately to a prefixed table for some bytes.
* it might return NULL, if the index is invalid.
*/
if (instType == INT_LIST_PREFIXED) {
_InstInfo* ii = inst_get_info(in, index);
/* See if the instruction is dependent on MOD. */
if ((ii != NULL) && (((_InstInfoEx*)ii)->flagsEx & INST_MODRR_BASED)) {
ii = inst_vex_mod_lookup(ci, in, ii, index);
}
return ii;
}
/*
* If we reached here, obviously we started with 0f. VEXed instructions must be nodes of a prefixed table.
* But since we found an instruction (or divided one), just return NULL.
* They cannot lead to a VEXed instruction.
*/
if ((instType == INT_INFO) || (instType == INT_INFOEX) || (instType == INT_LIST_DIVIDED)) return NULL;
/* Now we are left with handling either GROUP or FULL tables, therefore we will read another byte from the stream. */
ci->code += 1;
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL;
if (instType == INT_LIST_GROUP) {
in = InstructionsTree[instIndex + ((*ci->code >> 3) & 7)];
/* Continue below to check prefixed table. */
} else if (instType == INT_LIST_FULL) {
in = InstructionsTree[instIndex + *ci->code];
/* Continue below to check prefixed table. */
}
/* Now that we got to the last table in the trie, check for a prefixed table. */
if (INST_NODE_TYPE(in) == INT_LIST_PREFIXED) {
_InstInfo* ii = inst_get_info(in, index);
/* See if the instruction is dependent on MOD. */
if ((ii != NULL) && (((_InstInfoEx*)ii)->flagsEx & INST_MODRR_BASED)) {
ii = inst_vex_mod_lookup(ci, in, ii, index);
}
return ii;
}
/* No VEXed instruction was found. */
return NULL;
}
_InstInfo* inst_lookup(_CodeInfo* ci, _PrefixState* ps)
{
unsigned int tmpIndex0 = 0, tmpIndex1 = 0, tmpIndex2 = 0, rex = ps->vrex;
int instType = 0;
_InstNode in = 0;
_InstInfo* ii = NULL;
int isWaitIncluded = FALSE;
/* See whether we have to handle a VEX prefixed instruction. */
if (ps->decodedPrefixes & INST_PRE_VEX) {
ii = inst_vex_lookup(ci, ps);
if (ii != NULL) {
/* Make sure that VEX.L exists when forced. */
if ((((_InstInfoEx*)ii)->flagsEx & INST_FORCE_VEXL) && (~ps->vrex & PREFIX_EX_L)) return NULL;
/* If the instruction doesn't use VEX.vvvv it must be zero. */
if ((((_InstInfoEx*)ii)->flagsEx & INST_VEX_V_UNUSED) && ps->vexV) return NULL;
}
return ii;
}
/* Read first byte. */
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL;
tmpIndex0 = *ci->code;
/* Check for special 0x9b, WAIT instruction, which can be part of some instructions(x87). */
if (tmpIndex0 == INST_WAIT_INDEX) {
/* Only OCST_1dBYTES get a chance to include this byte as part of the opcode. */
isWaitIncluded = TRUE;
/* Ignore all prefixes, since they are useless and operate on the WAIT instruction itself. */
prefixes_ignore_all(ps);
/* Move to next code byte as a new whole instruction. */
ci->code += 1;
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL; /* Faster to return NULL, it will be detected as WAIT later anyway. */
/* Since we got a WAIT prefix, we re-read the first byte. */
tmpIndex0 = *ci->code;
}
/* Walk first byte in InstructionsTree root. */
in = InstructionsTree[tmpIndex0];
if (in == INT_NOTEXISTS) return NULL;
instType = INST_NODE_TYPE(in);
/* Single byte instruction (OCST_1BYTE). */
if ((instType < INT_INFOS) && (!isWaitIncluded)) {
/* Some single byte instructions need extra treatment. */
switch (tmpIndex0)
{
case INST_ARPL_INDEX:
/*
* ARPL/MOVSXD share the same opcode, and both have different operands and mnemonics, of course.
* Practically, I couldn't come up with a comfortable way to merge the operands' types of ARPL/MOVSXD.
* And since the DB can't be patched dynamically, because the DB has to be multi-threaded compliant,
* I have no choice but to check for ARPL/MOVSXD right here - "right about now, the funk soul brother, check it out now, the funk soul brother...", fatboy slim
*/
if (ci->dt == Decode64Bits) {
return &II_MOVSXD;
} /* else ARPL will be returned because its defined in the DB already. */
break;
case INST_NOP_INDEX: /* Nopnopnop */
/* Check for Pause, since it's prefixed with 0xf3, which is not a real mandatory prefix. */
if (ps->decodedPrefixes & INST_PRE_REP) {
/* Flag this prefix as used. */
ps->usedPrefixes |= INST_PRE_REP;
return &II_PAUSE;
}
/*
* Treat NOP/XCHG specially.
* If we're not in 64bits restore XCHG to NOP, since in the DB it's XCHG.
* Else if we're in 64bits examine REX, if exists, and decide which instruction should go to output.
* 48 90 XCHG RAX, RAX is a true NOP (eat REX in this case because it's valid).
* 90 XCHG EAX, EAX is a true NOP (and not high dword of RAX = 0 although it should be a 32 bits operation).
* Note that if the REX.B is used, then the register is not RAX anymore but R8, which means it's not a NOP.
*/
if (rex & PREFIX_EX_W) ps->usedPrefixes |= INST_PRE_REX;
if ((ci->dt != Decode64Bits) || (~rex & PREFIX_EX_B)) return &II_NOP;
break;
case INST_LEA_INDEX:
/* Ignore segment override prefixes for LEA instruction. */
ps->decodedPrefixes &= ~INST_PRE_SEGOVRD_MASK;
/* Update unused mask for ignoring segment prefix. */
prefixes_ignore(ps, PFXIDX_SEG);
break;
}
/* Return the 1 byte instruction we found. */
return instType == INT_INFO ? &InstInfos[INST_NODE_INDEX(in)] : (_InstInfo*)&InstInfosEx[INST_NODE_INDEX(in)];
}
/* Read second byte, still doens't mean all of its bits are used (I.E: ModRM). */
ci->code += 1;
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL;
tmpIndex1 = *ci->code;
/* Try single byte instruction + reg bits (OCST_13BYTES). */
if ((instType == INT_LIST_GROUP) && (!isWaitIncluded)) return inst_get_info(in, (tmpIndex1 >> 3) & 7);
/* Try single byte instruction + reg byte OR one whole byte (OCST_1dBYTES). */
if (instType == INT_LIST_DIVIDED) {
/* OCST_1dBYTES is relatively simple to OCST_2dBYTES, since it's really divided at 0xc0. */
if (tmpIndex1 < INST_DIVIDED_MODRM) {
/* An instruction which requires a ModR/M byte. Thus it's 1.3 bytes long instruction. */
tmpIndex1 = (tmpIndex1 >> 3) & 7; /* Isolate the 3 REG/OPCODE bits. */
} else { /* Normal 2 bytes instruction. */
/*
* Divided instructions can't be in the range of 0x8-0xc0.
* That's because 0-8 are used for 3 bits group.
* And 0xc0-0xff are used for not-divided instruction.
* So the inbetween range is omitted, thus saving some more place in the tables.
*/
tmpIndex1 -= INST_DIVIDED_MODRM - 8;
}
in = InstructionsTree[INST_NODE_INDEX(in) + tmpIndex1];
if (in == INT_NOTEXISTS) return NULL;
instType = INST_NODE_TYPE(in);
if (instType < INT_INFOS) {
/* If the instruction doesn't support the wait (marked as opsize) as part of the opcode, it's illegal. */
ii = instType == INT_INFO ? &InstInfos[INST_NODE_INDEX(in)] : (_InstInfo*)&InstInfosEx[INST_NODE_INDEX(in)];
if ((~INST_INFO_FLAGS(ii) & INST_PRE_OP_SIZE) && (isWaitIncluded)) return NULL;
return ii;
}
/*
* If we got here the instruction can support the wait prefix, so see if it was part of the stream.
* Examine prefixed table, specially used for 0x9b, since it's optional.
* No Wait: index = 0.
* Wait Exists, index = 1.
*/
return inst_get_info(in, isWaitIncluded);
}
/* Don't allow to continue if WAIT is part of the opcode, because there are no instructions that include it. */
if (isWaitIncluded) return NULL;
/* Try 2 bytes long instruction (doesn't include ModRM byte). */
if (instType == INT_LIST_FULL) {
in = InstructionsTree[INST_NODE_INDEX(in) + tmpIndex1];
if (in == INT_NOTEXISTS) return NULL;
instType = INST_NODE_TYPE(in);
/* This is where we check if we just read two escape bytes in a row, which means it is a 3DNow! instruction. */
if ((tmpIndex0 == _3DNOW_ESCAPE_BYTE) && (tmpIndex1 == _3DNOW_ESCAPE_BYTE)) return &II_3DNOW;
/* 2 bytes instruction (OCST_2BYTES). */
if (instType < INT_INFOS)
return instType == INT_INFO ? &InstInfos[INST_NODE_INDEX(in)] : (_InstInfo*)&InstInfosEx[INST_NODE_INDEX(in)];
/*
* 2 bytes + mandatory perfix.
* Mandatory prefixes can be anywhere in the prefixes.
* There cannot be more than one mandatory prefix, unless it's a normal operand size prefix.
*/
if (instType == INT_LIST_PREFIXED) return inst_lookup_prefixed(in, ps);
}
/* Read third byte, still doens't mean all of its bits are used (I.E: ModRM). */
ci->code += 1;
ci->codeLen -= 1;
if (ci->codeLen < 0) return NULL;
tmpIndex2 = *ci->code;
/* Try 2 bytes + reg instruction (OCST_23BYTES). */
if (instType == INT_LIST_GROUP) {
in = InstructionsTree[INST_NODE_INDEX(in) + ((tmpIndex2 >> 3) & 7)];
if (in == INT_NOTEXISTS) return NULL;
instType = INST_NODE_TYPE(in);
if (instType < INT_INFOS)
return instType == INT_INFO ? &InstInfos[INST_NODE_INDEX(in)] : (_InstInfo*)&InstInfosEx[INST_NODE_INDEX(in)];
/* It has to be a prefixed table then. */
return inst_lookup_prefixed(in, ps);
}
/* Try 2 bytes + divided range (OCST_2dBYTES). */
if (instType == INT_LIST_DIVIDED) {
_InstNode in2 = InstructionsTree[INST_NODE_INDEX(in) + ((tmpIndex2 >> 3) & 7)];
/*
* Do NOT check for NULL here, since we do a bit of a guess work,
* hence we don't override 'in', cause we might still need it.
*/
instType = INST_NODE_TYPE(in2);
if (instType == INT_INFO) ii = &InstInfos[INST_NODE_INDEX(in2)];
else if (instType == INT_INFOEX) ii = (_InstInfo*)&InstInfosEx[INST_NODE_INDEX(in2)];
/*
* OCST_2dBYTES is complex, because there are a few instructions which are not divided in some special cases.
* If the instruction wasn't divided (but still it must be a 2.3 because we are in divided category)
* or it was an official 2.3 (because its index was less than 0xc0) -
* Then it means the instruction should be using the REG bits, otherwise give a chance to range 0xc0-0xff.
*/
/* If we found an instruction only by its REG bits, AND it is not divided, then return it. */
if ((ii != NULL) && (INST_INFO_FLAGS(ii) & INST_NOT_DIVIDED)) return ii;
/* Otherwise, if the range is above 0xc0, try the special divided range (range 0x8-0xc0 is omitted). */
if (tmpIndex2 >= INST_DIVIDED_MODRM) return inst_get_info(in, tmpIndex2 - INST_DIVIDED_MODRM + 8);
/* It might be that we got here without touching ii in the above if statements, then it becomes an invalid instruction prolly. */
return ii;
}
/* Try 3 full bytes (OCST_3BYTES - no ModRM byte). */
if (instType == INT_LIST_FULL) {
/* OCST_3BYTES. */
in = InstructionsTree[INST_NODE_INDEX(in) + tmpIndex2];
if (in == INT_NOTEXISTS) return NULL;
instType = INST_NODE_TYPE(in);
if (instType < INT_INFOS)
return instType == INT_INFO ? &InstInfos[INST_NODE_INDEX(in)] : (_InstInfo*)&InstInfosEx[INST_NODE_INDEX(in)];
if (instType == INT_LIST_PREFIXED) return inst_lookup_prefixed(in, ps);
}
/* Kahtchinggg, damn. */
return NULL;
}
/*
* 3DNow! instruction handling:
* This is used when we encounter a 3DNow! instruction.
* We can't really locate a 3DNow! instruction before we see two escaped bytes,
* 0x0f, 0x0f. Then we have to extract operands which are, dest=mmx register, src=mmx register or quadword indirection.
* When we are finished with the extraction of operands we can resume to locate the instruction by reading another byte
* which tells us which 3DNow instruction we really tracked down...
* So in order to tell the extract operands function which operands the 3DNow! instruction require, we need to set up some
* generic instruction info for 3DNow! instructions.
* In the inst_lookup itself, when we read an OCST_3BYTES which the two first bytes are 0x0f and 0x0f.
* we will return this special generic II for the specific operands we are interested in (MM, MM64).
* Then after extracting the operand, we'll call a completion routine for locating the instruction
* which will be called only for 3DNow! instructions, distinguished by a flag, and it will read the last byte of the 3 bytes.
*
* The id of this opcode should not be used, the following function should change it anyway.
*/
_InstInfo* inst_lookup_3dnow(_CodeInfo* ci)
{
/* Start off from the two escape bytes gates... which is 3DNow! table.*/
_InstNode in = Table_0F_0F;
int index;
/* Make sure we can read a byte off the stream. */
if (ci->codeLen < 1) return NULL;
index = *ci->code;
ci->codeLen -= 1;
ci->code += 1;
return inst_get_info(in, index);
}

454
VB-Research/vbOpenScript/dll/diStorm3.3/instructions.h Normal file
View File

@ -0,0 +1,454 @@
/*
instructions.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef INSTRUCTIONS_H
#define INSTRUCTIONS_H
#include "config.h"
#include "prefix.h"
/*
* Operand type possibilities:
* Note "_FULL" suffix indicates to decode the operand as 16 bits or 32 bits depends on DecodeType -
* actually, it depends on the decoding mode, unless there's an operand/address size prefix.
* For example, the code: 33 c0 could be decoded/executed as XOR AX, AX or XOR EAX, EAX.
*/
typedef enum OpType {
/* No operand is set */
OT_NONE = 0,
/* Read a byte(8 bits) immediate */
OT_IMM8,
/* Force a read of a word(16 bits) immediate, used by ret only */
OT_IMM16,
/* Read a word/dword immediate */
OT_IMM_FULL,
/* Read a double-word(32 bits) immediate */
OT_IMM32,
/* Read a signed extended byte(8 bits) immediate */
OT_SEIMM8,
/*
* Special immediates for instructions which have more than one immediate,
* which is an exception from standard instruction format.
* As to version v1.0: ENTER, INSERTQ, EXTRQ are the only problematic ones.
*/
/* 16 bits immediate using the first imm-slot */
OT_IMM16_1,
/* 8 bits immediate using the first imm-slot */
OT_IMM8_1,
/* 8 bits immediate using the second imm-slot */
OT_IMM8_2,
/* Use a 8bit register */
OT_REG8,
/* Use a 16bit register */
OT_REG16,
/* Use a 16/32/64bit register */
OT_REG_FULL,
/* Use a 32bit register */
OT_REG32,
/*
* If used with REX the reg operand size becomes 64 bits, otherwise 32 bits.
* VMX instructions are promoted automatically without a REX prefix.
*/
OT_REG32_64,
/* Used only by MOV CR/DR(n). Promoted with REX onlly. */
OT_FREG32_64_RM,
/* Use or read (indirection) a 8bit register or immediate byte */
OT_RM8,
/* Some instructions force 16 bits (mov sreg, rm16) */
OT_RM16,
/* Use or read a 16/32/64bit register or immediate word/dword/qword */
OT_RM_FULL,
/*
* 32 or 64 bits (with REX) operand size indirection memory operand.
* Some instructions are promoted automatically without a REX prefix.
*/
OT_RM32_64,
/* 16 or 32 bits RM. This is used only with MOVZXD instruction in 64bits. */
OT_RM16_32,
/* Same as OT_RMXX but POINTS to 16 bits [cannot use GENERAL-PURPOSE REG!] */
OT_FPUM16,
/* Same as OT_RMXX but POINTS to 32 bits (single precision) [cannot use GENERAL-PURPOSE REG!] */
OT_FPUM32,
/* Same as OT_RMXX but POINTS to 64 bits (double precision) [cannot use GENERAL-PURPOSE REG!] */
OT_FPUM64,
/* Same as OT_RMXX but POINTS to 80 bits (extended precision) [cannot use GENERAL-PURPOSE REG!] */
OT_FPUM80,
/*
* Special operand type for SSE4 where the ModR/M might
* be a 32 bits register or 8 bits memory indirection operand.
*/
OT_R32_M8,
/*
* Special ModR/M for PINSRW, which need a 16 bits memory operand or 32 bits register.
* In 16 bits decoding mode R32 becomes R16, operand size cannot affect this.
*/
OT_R32_M16,
/*
* Special type for SSE4, ModR/M might be a 32 bits or 64 bits (with REX) register or
* a 8 bits memory indirection operand.
*/
OT_R32_64_M8,
/*
* Special type for SSE4, ModR/M might be a 32 bits or 64 bits (with REX) register or
* a 16 bits memory indirection operand.
*/
OT_R32_64_M16,
/*
* Special operand type for MOV reg16/32/64/mem16, segReg 8C /r. and SMSW.
* It supports all decoding modes, but if used as a memory indirection it's a 16 bit ModR/M indirection.
*/
OT_RFULL_M16,
/* Use a control register */
OT_CREG,
/* Use a debug register */
OT_DREG,
/* Use a segment register */
OT_SREG,
/*
* SEG is encoded in the flags of the opcode itself!
* This is used for specific "push SS" where SS is a segment where
* each "push SS" has an absolutely different opcode byte.
* We need this to detect whether an operand size prefix is used.
*/
OT_SEG,
/* Use AL */
OT_ACC8,
/* Use AX (FSTSW) */
OT_ACC16,
/* Use AX/EAX/RAX */
OT_ACC_FULL,
/* Use AX/EAX, no REX is possible for RAX, used only with IN/OUT which don't support 64 bit registers */
OT_ACC_FULL_NOT64,
/*
* Read one word (seg), and a word/dword/qword (depends on operand size) from memory.
* JMP FAR [EBX] means EBX point to 16:32 ptr.
*/
OT_MEM16_FULL,
/* Read one word (seg) and a word/dword/qword (depends on operand size), usually SEG:OFF, JMP 1234:1234 */
OT_PTR16_FULL,
/* Read one word (limit) and a dword/qword (limit) (depends on operand size), used by SGDT, SIDT, LGDT, LIDT. */
OT_MEM16_3264,
/* Read a byte(8 bits) immediate and calculate it relatively to the current offset of the instruction being decoded */
OT_RELCB,
/* Read a word/dword immediate and calculate it relatively to the current offset of the instruction being decoded */
OT_RELC_FULL,
/* Use general memory indirection, with varying sizes: */
OT_MEM,
/* Used when a memory indirection is required, but if the mod field is 11, this operand will be ignored. */
OT_MEM_OPT,
OT_MEM32,
/* Memory dereference for MOVNTI, either 32 or 64 bits (with REX). */
OT_MEM32_64,
OT_MEM64,
OT_MEM128,
/* Used for cmpxchg8b/16b. */
OT_MEM64_128,
/* Read an immediate as an absolute address, size is known by instruction, used by MOV (memory offset) only */
OT_MOFFS8,
OT_MOFFS_FULL,
/* Use an immediate of 1, as for SHR R/M, 1 */
OT_CONST1,
/* Use CL, as for SHR R/M, CL */
OT_REGCL,
/*
* Instruction-Block for one byte long instructions, used by INC/DEC/PUSH/POP/XCHG,
* REG is extracted from the value of opcode
* Use a 8bit register
*/
OT_IB_RB,
/* Use a 16/32/64bit register */
OT_IB_R_FULL,
/* Use [(r)SI] as INDIRECTION, for repeatable instructions */
OT_REGI_ESI,
/* Use [(r)DI] as INDIRECTION, for repeatable instructions */
OT_REGI_EDI,
/* Use [(r)BX + AL] as INDIRECTIOM, used by XLAT only */
OT_REGI_EBXAL,
/* Use [(r)AX] as INDIRECTION, used by AMD's SVM instructions */
OT_REGI_EAX,
/* Use DX, as for OUTS DX, BYTE [SI] */
OT_REGDX,
/* Use ECX in INVLPGA instruction */
OT_REGECX,
/* FPU registers: */
OT_FPU_SI, /* ST(i) */
OT_FPU_SSI, /* ST(0), ST(i) */
OT_FPU_SIS, /* ST(i), ST(0) */
/* MMX registers: */
OT_MM,
/* Extract the MMX register from the RM bits this time (used when the REG bits are used for opcode extension) */
OT_MM_RM,
/* ModR/M points to 32 bits MMX variable */
OT_MM32,
/* ModR/M points to 32 bits MMX variable */
OT_MM64,
/* SSE registers: */
OT_XMM,
/* Extract the SSE register from the RM bits this time (used when the REG bits are used for opcode extension) */
OT_XMM_RM,
/* ModR/M points to 16 bits SSE variable */
OT_XMM16,
/* ModR/M points to 32 bits SSE variable */
OT_XMM32,
/* ModR/M points to 64 bits SSE variable */
OT_XMM64,
/* ModR/M points to 128 bits SSE variable */
OT_XMM128,
/* Implied XMM0 register as operand, used in SSE4. */
OT_REGXMM0,
/* AVX operands: */
/* ModR/M for 32 bits. */
OT_RM32,
/* Reg32/Reg64 (prefix width) or Mem8. */
OT_REG32_64_M8,
/* Reg32/Reg64 (prefix width) or Mem16. */
OT_REG32_64_M16,
/* Reg32/Reg 64 depends on prefix width only. */
OT_WREG32_64,
/* RM32/RM64 depends on prefix width only. */
OT_WRM32_64,
/* XMM or Mem32/Mem64 depends on perfix width only. */
OT_WXMM32_64,
/* XMM is encoded in VEX.VVVV. */
OT_VXMM,
/* XMM is encoded in the high nibble of an immediate byte. */
OT_XMM_IMM,
/* YMM/XMM is dependent on VEX.L. */
OT_YXMM,
/* YMM/XMM (depends on prefix length) is encoded in the high nibble of an immediate byte. */
OT_YXMM_IMM,
/* YMM is encoded in reg. */
OT_YMM,
/* YMM or Mem256. */
OT_YMM256,
/* YMM is encoded in VEX.VVVV. */
OT_VYMM,
/* YMM/XMM is dependent on VEX.L, and encoded in VEX.VVVV. */
OT_VYXMM,
/* YMM/XMM or Mem64/Mem256 is dependent on VEX.L. */
OT_YXMM64_256,
/* YMM/XMM or Mem128/Mem256 is dependent on VEX.L. */
OT_YXMM128_256,
/* XMM or Mem64/Mem256 is dependent on VEX.L. */
OT_LXMM64_128,
/* Mem128/Mem256 is dependent on VEX.L. */
OT_LMEM128_256
} _OpType;
/* Flags for instruction: */
/* Empty flags indicator: */
#define INST_FLAGS_NONE (0)
/* The instruction we are going to decode requires ModR/M encoding. */
#define INST_MODRM_REQUIRED (1)
/* Special treatment for instructions which are in the divided-category but still needs the whole byte for ModR/M... */
#define INST_NOT_DIVIDED (1 << 1)
/*
* Used explicitly in repeatable instructions,
* which needs a suffix letter in their mnemonic to specify operation-size (depend on operands).
*/
#define INST_16BITS (1 << 2)
/* If the opcode is supported by 80286 and upper models (16/32 bits). */
#define INST_32BITS (1 << 3)
/*
* Prefix flags (6 types: lock/rep, seg override, addr-size, oper-size, REX, VEX)
* There are several specific instructions that can follow LOCK prefix,
* note that they must be using a memory operand form, otherwise they generate an exception.
*/
#define INST_PRE_LOCK (1 << 4)
/* REPNZ prefix for string instructions only - means an instruction can follow it. */
#define INST_PRE_REPNZ (1 << 5)
/* REP prefix for string instructions only - means an instruction can follow it. */
#define INST_PRE_REP (1 << 6)
/* CS override prefix. */
#define INST_PRE_CS (1 << 7)
/* SS override prefix. */
#define INST_PRE_SS (1 << 8)
/* DS override prefix. */
#define INST_PRE_DS (1 << 9)
/* ES override prefix. */
#define INST_PRE_ES (1 << 10)
/* FS override prefix. Funky Segment :) */
#define INST_PRE_FS (1 << 11)
/* GS override prefix. Groovy Segment, of course not, duh ! */
#define INST_PRE_GS (1 << 12)
/* Switch operand size from 32 to 16 and vice versa. */
#define INST_PRE_OP_SIZE (1 << 13)
/* Switch address size from 32 to 16 and vice versa. */
#define INST_PRE_ADDR_SIZE (1 << 14)
/* Native instructions which needs suffix letter to indicate their operation-size (and don't depend on operands). */
#define INST_NATIVE (1 << 15)
/* Use extended mnemonic, means it's an _InstInfoEx structure, which contains another mnemonic for 32 bits specifically. */
#define INST_USE_EXMNEMONIC (1 << 16)
/* Use third operand, means it's an _InstInfoEx structure, which contains another operand for special instructions. */
#define INST_USE_OP3 (1 << 17)
/* Use fourth operand, means it's an _InstInfoEx structure, which contains another operand for special instructions. */
#define INST_USE_OP4 (1 << 18)
/* The instruction's mnemonic depends on the mod value of the ModR/M byte (mod=11, mod!=11). */
#define INST_MNEMONIC_MODRM_BASED (1 << 19)
/* The instruction uses a ModR/M byte which the MOD must be 11 (for registers operands only). */
#define INST_MODRR_REQUIRED (1 << 20)
/* The way of 3DNow! instructions are built, we have to handle their locating specially. Suffix imm8 tells which instruction it is. */
#define INST_3DNOW_FETCH (1 << 21)
/* The instruction needs two suffixes, one for the comparison type (imm8) and the second for its operation size indication (second mnemonic). */
#define INST_PSEUDO_OPCODE (1 << 22)
/* Invalid instruction at 64 bits decoding mode. */
#define INST_INVALID_64BITS (1 << 23)
/* Specific instruction can be promoted to 64 bits (without REX, it is promoted automatically). */
#define INST_64BITS (1 << 24)
/* Indicates the instruction must be REX prefixed in order to use 64 bits operands. */
#define INST_PRE_REX (1 << 25)
/* Third mnemonic is set. */
#define INST_USE_EXMNEMONIC2 (1 << 26)
/* Instruction is only valid in 64 bits decoding mode. */
#define INST_64BITS_FETCH (1 << 27)
/* Forces that the ModRM-REG/Opcode field will be 0. (For EXTRQ). */
#define INST_FORCE_REG0 (1 << 28)
/* Indicates that instruction is encoded with a VEX prefix. */
#define INST_PRE_VEX (1 << 29)
/* Indicates that the instruction is encoded with a ModRM byte (REG field specifically). */
#define INST_MODRM_INCLUDED (1 << 30)
/* Indicates that the first (/destination) operand of the instruction is writable. */
#define INST_DST_WR (1 << 31)
#define INST_PRE_REPS (INST_PRE_REPNZ | INST_PRE_REP)
#define INST_PRE_LOKREP_MASK (INST_PRE_LOCK | INST_PRE_REPNZ | INST_PRE_REP)
#define INST_PRE_SEGOVRD_MASK32 (INST_PRE_CS | INST_PRE_SS | INST_PRE_DS | INST_PRE_ES)
#define INST_PRE_SEGOVRD_MASK64 (INST_PRE_FS | INST_PRE_GS)
#define INST_PRE_SEGOVRD_MASK (INST_PRE_SEGOVRD_MASK32 | INST_PRE_SEGOVRD_MASK64)
/* Extended flags for VEX: */
/* Indicates that the instruction might have VEX.L encoded. */
#define INST_VEX_L (1)
/* Indicates that the instruction might have VEX.W encoded. */
#define INST_VEX_W (1 << 1)
/* Indicates that the mnemonic of the instruction is based on the VEX.W bit. */
#define INST_MNEMONIC_VEXW_BASED (1 << 2)
/* Indicates that the mnemonic of the instruction is based on the VEX.L bit. */
#define INST_MNEMONIC_VEXL_BASED (1 << 3)
/* Forces the instruction to be encoded with VEX.L, otherwise it's undefined. */
#define INST_FORCE_VEXL (1 << 4)
/*
* Indicates that the instruction is based on the MOD field of the ModRM byte.
* (MOD==11: got the right instruction, else skip +4 in prefixed table for the correct instruction).
*/
#define INST_MODRR_BASED (1 << 5)
/* Indicates that the instruction doesn't use the VVVV field of the VEX prefix, if it does then it's undecodable. */
#define INST_VEX_V_UNUSED (1 << 6)
/*
* Indicates which operand is being decoded.
* Destination (1st), Source (2nd), op3 (3rd), op4 (4th).
* Used to set the operands' fields in the _DInst structure!
*/
typedef enum {ONT_NONE = -1, ONT_1 = 0, ONT_2 = 1, ONT_3 = 2, ONT_4 = 3} _OperandNumberType;
/*
* In order to save more space for storing the DB statically,
* I came up with another level of shared info.
* Because I saw that most of the information that instructions use repeats itself.
*
* Info about the instruction, source/dest types, meta and flags.
* _InstInfo points to a table of _InstSharedInfo.
*/
typedef struct {
uint8_t flagsIndex; /* An index into FlagsTables */
uint8_t s, d; /* OpType. */
uint8_t meta; /* Hi 5 bits = Instruction set class | Lo 3 bits = flow control flags. */
/* The following are CPU flag masks that the instruction changes. */
uint8_t modifiedFlags;
uint8_t testedFlags;
uint8_t undefinedFlags;
} _InstSharedInfo;
/*
* This structure is used for the instructions DB and NOT for the disassembled result code!
* This is the BASE structure, there are extentions to this structure below.
*/
typedef struct {
uint16_t sharedIndex; /* An index into the SharedInfoTable. */
uint16_t opcodeId; /* The opcodeId is really a byte-offset into the mnemonics table. */
} _InstInfo;
/*
* There are merely few instructions which need a second mnemonic for 32 bits.
* Or a third for 64 bits. Therefore sometimes the second mnemonic is empty but not the third.
* In all decoding modes the first mnemonic is the default.
* A flag will indicate it uses another mnemonic.
*
* There are a couple of (SSE4) instructions in the whole DB which need both op3 and 3rd mnemonic for 64bits,
* therefore, I decided to make the extended structure contain all extra info in the same structure.
* There are a few instructions (SHLD/SHRD/IMUL and SSE too) which use third operand (or a fourth).
* A flag will indicate it uses a third/fourth operand.
*/
typedef struct {
/* Base structure (doesn't get accessed directly from code). */
_InstInfo BASE;
/* Extended starts here. */
uint8_t flagsEx; /* 8 bits are enough, in the future we might make it a bigger integer. */
uint8_t op3, op4; /* OpType. */
uint16_t opcodeId2, opcodeId3;
} _InstInfoEx;
/* Trie data structure node type: */
typedef enum {
INT_NOTEXISTS = 0, /* Not exists. */
INT_INFO = 1, /* It's an instruction info. */
INT_INFOEX,
INT_LIST_GROUP,
INT_LIST_FULL,
INT_LIST_DIVIDED,
INT_LIST_PREFIXED
} _InstNodeType;
/* Used to check instType < INT_INFOS, means we got an inst-info. Cause it has to be only one of them. */
#define INT_INFOS (INT_LIST_GROUP)
/* Instruction node is treated as { int index:13; int type:3; } */
typedef uint16_t _InstNode;
_InstInfo* inst_lookup(_CodeInfo* ci, _PrefixState* ps);
_InstInfo* inst_lookup_3dnow(_CodeInfo* ci);
#endif /* INSTRUCTIONS_H */

7811
VB-Research/vbOpenScript/dll/diStorm3.3/insts.c Normal file
View File

File diff suppressed because it is too large Load Diff

70
VB-Research/vbOpenScript/dll/diStorm3.3/insts.h Normal file
View File

@ -0,0 +1,70 @@
/*
insts.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef INSTS_H
#define INSTS_H
#include "instructions.h"
/* Flags Table */
extern _iflags FlagsTable[];
/* Root Trie DB */
extern _InstSharedInfo InstSharedInfoTable[];
extern _InstInfo InstInfos[];
extern _InstInfoEx InstInfosEx[];
extern _InstNode InstructionsTree[];
/* 3DNow! Trie DB */
extern _InstNode Table_0F_0F;
/* AVX related: */
extern _InstNode Table_0F, Table_0F_38, Table_0F_3A;
/*
* The inst_lookup will return on of these two instructions according to the specified decoding mode.
* ARPL or MOVSXD on 64 bits is one byte instruction at index 0x63.
*/
extern _InstInfo II_ARPL;
extern _InstInfo II_MOVSXD;
/*
* The NOP instruction can be prefixed by REX in 64bits, therefore we have to decide in runtime whether it's an XCHG or NOP instruction.
* If 0x90 is prefixed by a useable REX it will become XCHG, otherwise it will become a NOP.
* Also note that if it's prefixed by 0xf3, it becomes a Pause.
*/
extern _InstInfo II_NOP;
extern _InstInfo II_PAUSE;
/*
* Used for letting the extract operand know the type of operands without knowing the
* instruction itself yet, because of the way those instructions work.
* See function instructions.c!inst_lookup_3dnow.
*/
extern _InstInfo II_3DNOW;
/* Helper tables for pesudo compare mnemonics. */
extern uint16_t CmpMnemonicOffsets[8]; /* SSE */
extern uint16_t VCmpMnemonicOffsets[32]; /* AVX */
#endif /* INSTS_H */

295
VB-Research/vbOpenScript/dll/diStorm3.3/mnemonics.c Normal file
View File

@ -0,0 +1,295 @@
/*
mnemonics.c
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "mnemonics.h"
#ifndef DISTORM_LIGHT
const unsigned char _MNEMONICS[] =
"\x09" "UNDEFINED\0" "\x03" "ADD\0" "\x04" "PUSH\0" "\x03" "POP\0" "\x02" "OR\0" \
"\x03" "ADC\0" "\x03" "SBB\0" "\x03" "AND\0" "\x03" "DAA\0" "\x03" "SUB\0" \
"\x03" "DAS\0" "\x03" "XOR\0" "\x03" "AAA\0" "\x03" "CMP\0" "\x03" "AAS\0" \
"\x03" "INC\0" "\x03" "DEC\0" "\x05" "PUSHA\0" "\x04" "POPA\0" "\x05" "BOUND\0" \
"\x04" "ARPL\0" "\x04" "IMUL\0" "\x03" "INS\0" "\x04" "OUTS\0" "\x02" "JO\0" \
"\x03" "JNO\0" "\x02" "JB\0" "\x03" "JAE\0" "\x02" "JZ\0" "\x03" "JNZ\0" "\x03" "JBE\0" \
"\x02" "JA\0" "\x02" "JS\0" "\x03" "JNS\0" "\x02" "JP\0" "\x03" "JNP\0" "\x02" "JL\0" \
"\x03" "JGE\0" "\x03" "JLE\0" "\x02" "JG\0" "\x04" "TEST\0" "\x04" "XCHG\0" \
"\x03" "MOV\0" "\x03" "LEA\0" "\x03" "CBW\0" "\x04" "CWDE\0" "\x04" "CDQE\0" \
"\x03" "CWD\0" "\x03" "CDQ\0" "\x03" "CQO\0" "\x08" "CALL FAR\0" "\x05" "PUSHF\0" \
"\x04" "POPF\0" "\x04" "SAHF\0" "\x04" "LAHF\0" "\x04" "MOVS\0" "\x04" "CMPS\0" \
"\x04" "STOS\0" "\x04" "LODS\0" "\x04" "SCAS\0" "\x03" "RET\0" "\x03" "LES\0" \
"\x03" "LDS\0" "\x05" "ENTER\0" "\x05" "LEAVE\0" "\x04" "RETF\0" "\x05" "INT 3\0" \
"\x03" "INT\0" "\x04" "INTO\0" "\x04" "IRET\0" "\x03" "AAM\0" "\x03" "AAD\0" \
"\x04" "SALC\0" "\x04" "XLAT\0" "\x06" "LOOPNZ\0" "\x05" "LOOPZ\0" "\x04" "LOOP\0" \
"\x04" "JCXZ\0" "\x05" "JECXZ\0" "\x05" "JRCXZ\0" "\x02" "IN\0" "\x03" "OUT\0" \
"\x04" "CALL\0" "\x03" "JMP\0" "\x07" "JMP FAR\0" "\x04" "INT1\0" "\x03" "HLT\0" \
"\x03" "CMC\0" "\x03" "CLC\0" "\x03" "STC\0" "\x03" "CLI\0" "\x03" "STI\0" \
"\x03" "CLD\0" "\x03" "STD\0" "\x03" "LAR\0" "\x03" "LSL\0" "\x07" "SYSCALL\0" \
"\x04" "CLTS\0" "\x06" "SYSRET\0" "\x04" "INVD\0" "\x06" "WBINVD\0" "\x03" "UD2\0" \
"\x05" "FEMMS\0" "\x03" "NOP\0" "\x05" "WRMSR\0" "\x05" "RDTSC\0" "\x05" "RDMSR\0" \
"\x05" "RDPMC\0" "\x08" "SYSENTER\0" "\x07" "SYSEXIT\0" "\x06" "GETSEC\0" "\x05" "CMOVO\0" \
"\x06" "CMOVNO\0" "\x05" "CMOVB\0" "\x06" "CMOVAE\0" "\x05" "CMOVZ\0" "\x06" "CMOVNZ\0" \
"\x06" "CMOVBE\0" "\x05" "CMOVA\0" "\x05" "CMOVS\0" "\x06" "CMOVNS\0" "\x05" "CMOVP\0" \
"\x06" "CMOVNP\0" "\x05" "CMOVL\0" "\x06" "CMOVGE\0" "\x06" "CMOVLE\0" "\x05" "CMOVG\0" \
"\x04" "SETO\0" "\x05" "SETNO\0" "\x04" "SETB\0" "\x05" "SETAE\0" "\x04" "SETZ\0" \
"\x05" "SETNZ\0" "\x05" "SETBE\0" "\x04" "SETA\0" "\x04" "SETS\0" "\x05" "SETNS\0" \
"\x04" "SETP\0" "\x05" "SETNP\0" "\x04" "SETL\0" "\x05" "SETGE\0" "\x05" "SETLE\0" \
"\x04" "SETG\0" "\x05" "CPUID\0" "\x02" "BT\0" "\x04" "SHLD\0" "\x03" "RSM\0" \
"\x03" "BTS\0" "\x04" "SHRD\0" "\x07" "CMPXCHG\0" "\x03" "LSS\0" "\x03" "BTR\0" \
"\x03" "LFS\0" "\x03" "LGS\0" "\x05" "MOVZX\0" "\x03" "BTC\0" "\x05" "MOVSX\0" \
"\x04" "XADD\0" "\x06" "MOVNTI\0" "\x05" "BSWAP\0" "\x03" "ROL\0" "\x03" "ROR\0" \
"\x03" "RCL\0" "\x03" "RCR\0" "\x03" "SHL\0" "\x03" "SHR\0" "\x03" "SAL\0" \
"\x03" "SAR\0" "\x04" "FADD\0" "\x04" "FMUL\0" "\x04" "FCOM\0" "\x05" "FCOMP\0" \
"\x04" "FSUB\0" "\x05" "FSUBR\0" "\x04" "FDIV\0" "\x05" "FDIVR\0" "\x03" "FLD\0" \
"\x03" "FST\0" "\x04" "FSTP\0" "\x06" "FLDENV\0" "\x05" "FLDCW\0" "\x04" "FXCH\0" \
"\x04" "FNOP\0" "\x04" "FCHS\0" "\x04" "FABS\0" "\x04" "FTST\0" "\x04" "FXAM\0" \
"\x04" "FLD1\0" "\x06" "FLDL2T\0" "\x06" "FLDL2E\0" "\x05" "FLDPI\0" "\x06" "FLDLG2\0" \
"\x06" "FLDLN2\0" "\x04" "FLDZ\0" "\x05" "F2XM1\0" "\x05" "FYL2X\0" "\x05" "FPTAN\0" \
"\x06" "FPATAN\0" "\x07" "FXTRACT\0" "\x06" "FPREM1\0" "\x07" "FDECSTP\0" "\x07" "FINCSTP\0" \
"\x05" "FPREM\0" "\x07" "FYL2XP1\0" "\x05" "FSQRT\0" "\x07" "FSINCOS\0" "\x07" "FRNDINT\0" \
"\x06" "FSCALE\0" "\x04" "FSIN\0" "\x04" "FCOS\0" "\x05" "FIADD\0" "\x05" "FIMUL\0" \
"\x05" "FICOM\0" "\x06" "FICOMP\0" "\x05" "FISUB\0" "\x06" "FISUBR\0" "\x05" "FIDIV\0" \
"\x06" "FIDIVR\0" "\x06" "FCMOVB\0" "\x06" "FCMOVE\0" "\x07" "FCMOVBE\0" "\x06" "FCMOVU\0" \
"\x07" "FUCOMPP\0" "\x04" "FILD\0" "\x06" "FISTTP\0" "\x04" "FIST\0" "\x05" "FISTP\0" \
"\x07" "FCMOVNB\0" "\x07" "FCMOVNE\0" "\x08" "FCMOVNBE\0" "\x07" "FCMOVNU\0" \
"\x04" "FENI\0" "\x06" "FEDISI\0" "\x06" "FSETPM\0" "\x06" "FUCOMI\0" "\x05" "FCOMI\0" \
"\x06" "FRSTOR\0" "\x05" "FFREE\0" "\x05" "FUCOM\0" "\x06" "FUCOMP\0" "\x05" "FADDP\0" \
"\x05" "FMULP\0" "\x06" "FCOMPP\0" "\x06" "FSUBRP\0" "\x05" "FSUBP\0" "\x06" "FDIVRP\0" \
"\x05" "FDIVP\0" "\x04" "FBLD\0" "\x05" "FBSTP\0" "\x07" "FUCOMIP\0" "\x06" "FCOMIP\0" \
"\x03" "NOT\0" "\x03" "NEG\0" "\x03" "MUL\0" "\x03" "DIV\0" "\x04" "IDIV\0" \
"\x04" "SLDT\0" "\x03" "STR\0" "\x04" "LLDT\0" "\x03" "LTR\0" "\x04" "VERR\0" \
"\x04" "VERW\0" "\x04" "SGDT\0" "\x04" "SIDT\0" "\x04" "LGDT\0" "\x04" "LIDT\0" \
"\x04" "SMSW\0" "\x04" "LMSW\0" "\x06" "INVLPG\0" "\x06" "VMCALL\0" "\x08" "VMLAUNCH\0" \
"\x08" "VMRESUME\0" "\x06" "VMXOFF\0" "\x07" "MONITOR\0" "\x05" "MWAIT\0" "\x06" "XGETBV\0" \
"\x06" "XSETBV\0" "\x06" "VMFUNC\0" "\x05" "VMRUN\0" "\x07" "VMMCALL\0" "\x06" "VMLOAD\0" \
"\x06" "VMSAVE\0" "\x04" "STGI\0" "\x04" "CLGI\0" "\x06" "SKINIT\0" "\x07" "INVLPGA\0" \
"\x06" "SWAPGS\0" "\x06" "RDTSCP\0" "\x08" "PREFETCH\0" "\x09" "PREFETCHW\0" \
"\x05" "PI2FW\0" "\x05" "PI2FD\0" "\x05" "PF2IW\0" "\x05" "PF2ID\0" "\x06" "PFNACC\0" \
"\x07" "PFPNACC\0" "\x07" "PFCMPGE\0" "\x05" "PFMIN\0" "\x05" "PFRCP\0" "\x07" "PFRSQRT\0" \
"\x05" "PFSUB\0" "\x05" "PFADD\0" "\x07" "PFCMPGT\0" "\x05" "PFMAX\0" "\x08" "PFRCPIT1\0" \
"\x08" "PFRSQIT1\0" "\x06" "PFSUBR\0" "\x05" "PFACC\0" "\x07" "PFCMPEQ\0" "\x05" "PFMUL\0" \
"\x08" "PFRCPIT2\0" "\x07" "PMULHRW\0" "\x06" "PSWAPD\0" "\x07" "PAVGUSB\0" \
"\x06" "MOVUPS\0" "\x06" "MOVUPD\0" "\x05" "MOVSS\0" "\x05" "MOVSD\0" "\x07" "VMOVUPS\0" \
"\x07" "VMOVUPD\0" "\x06" "VMOVSS\0" "\x06" "VMOVSD\0" "\x07" "MOVHLPS\0" "\x06" "MOVLPS\0" \
"\x06" "MOVLPD\0" "\x08" "MOVSLDUP\0" "\x07" "MOVDDUP\0" "\x08" "VMOVHLPS\0" \
"\x07" "VMOVLPS\0" "\x07" "VMOVLPD\0" "\x09" "VMOVSLDUP\0" "\x08" "VMOVDDUP\0" \
"\x08" "UNPCKLPS\0" "\x08" "UNPCKLPD\0" "\x09" "VUNPCKLPS\0" "\x09" "VUNPCKLPD\0" \
"\x08" "UNPCKHPS\0" "\x08" "UNPCKHPD\0" "\x09" "VUNPCKHPS\0" "\x09" "VUNPCKHPD\0" \
"\x07" "MOVLHPS\0" "\x06" "MOVHPS\0" "\x06" "MOVHPD\0" "\x08" "MOVSHDUP\0" \
"\x08" "VMOVLHPS\0" "\x07" "VMOVHPS\0" "\x07" "VMOVHPD\0" "\x09" "VMOVSHDUP\0" \
"\x0b" "PREFETCHNTA\0" "\x0a" "PREFETCHT0\0" "\x0a" "PREFETCHT1\0" "\x0a" "PREFETCHT2\0" \
"\x06" "MOVAPS\0" "\x06" "MOVAPD\0" "\x07" "VMOVAPS\0" "\x07" "VMOVAPD\0" "\x08" "CVTPI2PS\0" \
"\x08" "CVTPI2PD\0" "\x08" "CVTSI2SS\0" "\x08" "CVTSI2SD\0" "\x09" "VCVTSI2SS\0" \
"\x09" "VCVTSI2SD\0" "\x07" "MOVNTPS\0" "\x07" "MOVNTPD\0" "\x07" "MOVNTSS\0" \
"\x07" "MOVNTSD\0" "\x08" "VMOVNTPS\0" "\x08" "VMOVNTPD\0" "\x09" "CVTTPS2PI\0" \
"\x09" "CVTTPD2PI\0" "\x09" "CVTTSS2SI\0" "\x09" "CVTTSD2SI\0" "\x0a" "VCVTTSS2SI\0" \
"\x0a" "VCVTTSD2SI\0" "\x08" "CVTPS2PI\0" "\x08" "CVTPD2PI\0" "\x08" "CVTSS2SI\0" \
"\x08" "CVTSD2SI\0" "\x09" "VCVTSS2SI\0" "\x09" "VCVTSD2SI\0" "\x07" "UCOMISS\0" \
"\x07" "UCOMISD\0" "\x08" "VUCOMISS\0" "\x08" "VUCOMISD\0" "\x06" "COMISS\0" \
"\x06" "COMISD\0" "\x07" "VCOMISS\0" "\x07" "VCOMISD\0" "\x08" "MOVMSKPS\0" \
"\x08" "MOVMSKPD\0" "\x09" "VMOVMSKPS\0" "\x09" "VMOVMSKPD\0" "\x06" "SQRTPS\0" \
"\x06" "SQRTPD\0" "\x06" "SQRTSS\0" "\x06" "SQRTSD\0" "\x07" "VSQRTPS\0" "\x07" "VSQRTPD\0" \
"\x07" "VSQRTSS\0" "\x07" "VSQRTSD\0" "\x07" "RSQRTPS\0" "\x07" "RSQRTSS\0" \
"\x08" "VRSQRTPS\0" "\x08" "VRSQRTSS\0" "\x05" "RCPPS\0" "\x05" "RCPSS\0" "\x06" "VRCPPS\0" \
"\x06" "VRCPSS\0" "\x05" "ANDPS\0" "\x05" "ANDPD\0" "\x06" "VANDPS\0" "\x06" "VANDPD\0" \
"\x06" "ANDNPS\0" "\x06" "ANDNPD\0" "\x07" "VANDNPS\0" "\x07" "VANDNPD\0" "\x04" "ORPS\0" \
"\x04" "ORPD\0" "\x05" "VORPS\0" "\x05" "VORPD\0" "\x05" "XORPS\0" "\x05" "XORPD\0" \
"\x06" "VXORPS\0" "\x06" "VXORPD\0" "\x05" "ADDPS\0" "\x05" "ADDPD\0" "\x05" "ADDSS\0" \
"\x05" "ADDSD\0" "\x06" "VADDPS\0" "\x06" "VADDPD\0" "\x06" "VADDSS\0" "\x06" "VADDSD\0" \
"\x05" "MULPS\0" "\x05" "MULPD\0" "\x05" "MULSS\0" "\x05" "MULSD\0" "\x06" "VMULPS\0" \
"\x06" "VMULPD\0" "\x06" "VMULSS\0" "\x06" "VMULSD\0" "\x08" "CVTPS2PD\0" "\x08" "CVTPD2PS\0" \
"\x08" "CVTSS2SD\0" "\x08" "CVTSD2SS\0" "\x09" "VCVTPS2PD\0" "\x09" "VCVTPD2PS\0" \
"\x09" "VCVTSS2SD\0" "\x09" "VCVTSD2SS\0" "\x08" "CVTDQ2PS\0" "\x08" "CVTPS2DQ\0" \
"\x09" "CVTTPS2DQ\0" "\x09" "VCVTDQ2PS\0" "\x09" "VCVTPS2DQ\0" "\x0a" "VCVTTPS2DQ\0" \
"\x05" "SUBPS\0" "\x05" "SUBPD\0" "\x05" "SUBSS\0" "\x05" "SUBSD\0" "\x06" "VSUBPS\0" \
"\x06" "VSUBPD\0" "\x06" "VSUBSS\0" "\x06" "VSUBSD\0" "\x05" "MINPS\0" "\x05" "MINPD\0" \
"\x05" "MINSS\0" "\x05" "MINSD\0" "\x06" "VMINPS\0" "\x06" "VMINPD\0" "\x06" "VMINSS\0" \
"\x06" "VMINSD\0" "\x05" "DIVPS\0" "\x05" "DIVPD\0" "\x05" "DIVSS\0" "\x05" "DIVSD\0" \
"\x06" "VDIVPS\0" "\x06" "VDIVPD\0" "\x06" "VDIVSS\0" "\x06" "VDIVSD\0" "\x05" "MAXPS\0" \
"\x05" "MAXPD\0" "\x05" "MAXSS\0" "\x05" "MAXSD\0" "\x06" "VMAXPS\0" "\x06" "VMAXPD\0" \
"\x06" "VMAXSS\0" "\x06" "VMAXSD\0" "\x09" "PUNPCKLBW\0" "\x0a" "VPUNPCKLBW\0" \
"\x09" "PUNPCKLWD\0" "\x0a" "VPUNPCKLWD\0" "\x09" "PUNPCKLDQ\0" "\x0a" "VPUNPCKLDQ\0" \
"\x08" "PACKSSWB\0" "\x09" "VPACKSSWB\0" "\x07" "PCMPGTB\0" "\x08" "VPCMPGTB\0" \
"\x07" "PCMPGTW\0" "\x08" "VPCMPGTW\0" "\x07" "PCMPGTD\0" "\x08" "VPCMPGTD\0" \
"\x08" "PACKUSWB\0" "\x09" "VPACKUSWB\0" "\x09" "PUNPCKHBW\0" "\x0a" "VPUNPCKHBW\0" \
"\x09" "PUNPCKHWD\0" "\x0a" "VPUNPCKHWD\0" "\x09" "PUNPCKHDQ\0" "\x0a" "VPUNPCKHDQ\0" \
"\x08" "PACKSSDW\0" "\x09" "VPACKSSDW\0" "\x0a" "PUNPCKLQDQ\0" "\x0b" "VPUNPCKLQDQ\0" \
"\x0a" "PUNPCKHQDQ\0" "\x0b" "VPUNPCKHQDQ\0" "\x04" "MOVD\0" "\x04" "MOVQ\0" \
"\x05" "VMOVD\0" "\x05" "VMOVQ\0" "\x06" "MOVDQA\0" "\x06" "MOVDQU\0" "\x07" "VMOVDQA\0" \
"\x07" "VMOVDQU\0" "\x06" "PSHUFW\0" "\x06" "PSHUFD\0" "\x07" "PSHUFHW\0" "\x07" "PSHUFLW\0" \
"\x07" "VPSHUFD\0" "\x08" "VPSHUFHW\0" "\x08" "VPSHUFLW\0" "\x07" "PCMPEQB\0" \
"\x08" "VPCMPEQB\0" "\x07" "PCMPEQW\0" "\x08" "VPCMPEQW\0" "\x07" "PCMPEQD\0" \
"\x08" "VPCMPEQD\0" "\x04" "EMMS\0" "\x0a" "VZEROUPPER\0" "\x08" "VZEROALL\0" \
"\x06" "VMREAD\0" "\x05" "EXTRQ\0" "\x07" "INSERTQ\0" "\x07" "VMWRITE\0" "\x08" "CVTPH2PS\0" \
"\x08" "CVTPS2PH\0" "\x06" "HADDPD\0" "\x06" "HADDPS\0" "\x07" "VHADDPD\0" \
"\x07" "VHADDPS\0" "\x06" "HSUBPD\0" "\x06" "HSUBPS\0" "\x07" "VHSUBPD\0" "\x07" "VHSUBPS\0" \
"\x05" "XSAVE\0" "\x07" "XSAVE64\0" "\x06" "LFENCE\0" "\x06" "XRSTOR\0" "\x08" "XRSTOR64\0" \
"\x06" "MFENCE\0" "\x08" "XSAVEOPT\0" "\x0a" "XSAVEOPT64\0" "\x06" "SFENCE\0" \
"\x07" "CLFLUSH\0" "\x06" "POPCNT\0" "\x03" "BSF\0" "\x05" "TZCNT\0" "\x03" "BSR\0" \
"\x05" "LZCNT\0" "\x07" "CMPEQPS\0" "\x07" "CMPLTPS\0" "\x07" "CMPLEPS\0" "\x0a" "CMPUNORDPS\0" \
"\x08" "CMPNEQPS\0" "\x08" "CMPNLTPS\0" "\x08" "CMPNLEPS\0" "\x08" "CMPORDPS\0" \
"\x07" "CMPEQPD\0" "\x07" "CMPLTPD\0" "\x07" "CMPLEPD\0" "\x0a" "CMPUNORDPD\0" \
"\x08" "CMPNEQPD\0" "\x08" "CMPNLTPD\0" "\x08" "CMPNLEPD\0" "\x08" "CMPORDPD\0" \
"\x07" "CMPEQSS\0" "\x07" "CMPLTSS\0" "\x07" "CMPLESS\0" "\x0a" "CMPUNORDSS\0" \
"\x08" "CMPNEQSS\0" "\x08" "CMPNLTSS\0" "\x08" "CMPNLESS\0" "\x08" "CMPORDSS\0" \
"\x07" "CMPEQSD\0" "\x07" "CMPLTSD\0" "\x07" "CMPLESD\0" "\x0a" "CMPUNORDSD\0" \
"\x08" "CMPNEQSD\0" "\x08" "CMPNLTSD\0" "\x08" "CMPNLESD\0" "\x08" "CMPORDSD\0" \
"\x08" "VCMPEQPS\0" "\x08" "VCMPLTPS\0" "\x08" "VCMPLEPS\0" "\x0b" "VCMPUNORDPS\0" \
"\x09" "VCMPNEQPS\0" "\x09" "VCMPNLTPS\0" "\x09" "VCMPNLEPS\0" "\x09" "VCMPORDPS\0" \
"\x0b" "VCMPEQ_UQPS\0" "\x09" "VCMPNGEPS\0" "\x09" "VCMPNGTPS\0" "\x0b" "VCMPFALSEPS\0" \
"\x0c" "VCMPNEQ_OQPS\0" "\x08" "VCMPGEPS\0" "\x08" "VCMPGTPS\0" "\x0a" "VCMPTRUEPS\0" \
"\x0b" "VCMPEQ_OSPS\0" "\x0b" "VCMPLT_OQPS\0" "\x0b" "VCMPLE_OQPS\0" "\x0d" "VCMPUNORD_SPS\0" \
"\x0c" "VCMPNEQ_USPS\0" "\x0c" "VCMPNLT_UQPS\0" "\x0c" "VCMPNLE_UQPS\0" "\x0b" "VCMPORD_SPS\0" \
"\x0b" "VCMPEQ_USPS\0" "\x0c" "VCMPNGE_UQPS\0" "\x0c" "VCMPNGT_UQPS\0" "\x0e" "VCMPFALSE_OSPS\0" \
"\x0c" "VCMPNEQ_OSPS\0" "\x0b" "VCMPGE_OQPS\0" "\x0b" "VCMPGT_OQPS\0" "\x0d" "VCMPTRUE_USPS\0" \
"\x08" "VCMPEQPD\0" "\x08" "VCMPLTPD\0" "\x08" "VCMPLEPD\0" "\x0b" "VCMPUNORDPD\0" \
"\x09" "VCMPNEQPD\0" "\x09" "VCMPNLTPD\0" "\x09" "VCMPNLEPD\0" "\x09" "VCMPORDPD\0" \
"\x0b" "VCMPEQ_UQPD\0" "\x09" "VCMPNGEPD\0" "\x09" "VCMPNGTPD\0" "\x0b" "VCMPFALSEPD\0" \
"\x0c" "VCMPNEQ_OQPD\0" "\x08" "VCMPGEPD\0" "\x08" "VCMPGTPD\0" "\x0a" "VCMPTRUEPD\0" \
"\x0b" "VCMPEQ_OSPD\0" "\x0b" "VCMPLT_OQPD\0" "\x0b" "VCMPLE_OQPD\0" "\x0d" "VCMPUNORD_SPD\0" \
"\x0c" "VCMPNEQ_USPD\0" "\x0c" "VCMPNLT_UQPD\0" "\x0c" "VCMPNLE_UQPD\0" "\x0b" "VCMPORD_SPD\0" \
"\x0b" "VCMPEQ_USPD\0" "\x0c" "VCMPNGE_UQPD\0" "\x0c" "VCMPNGT_UQPD\0" "\x0e" "VCMPFALSE_OSPD\0" \
"\x0c" "VCMPNEQ_OSPD\0" "\x0b" "VCMPGE_OQPD\0" "\x0b" "VCMPGT_OQPD\0" "\x0d" "VCMPTRUE_USPD\0" \
"\x08" "VCMPEQSS\0" "\x08" "VCMPLTSS\0" "\x08" "VCMPLESS\0" "\x0b" "VCMPUNORDSS\0" \
"\x09" "VCMPNEQSS\0" "\x09" "VCMPNLTSS\0" "\x09" "VCMPNLESS\0" "\x09" "VCMPORDSS\0" \
"\x0b" "VCMPEQ_UQSS\0" "\x09" "VCMPNGESS\0" "\x09" "VCMPNGTSS\0" "\x0b" "VCMPFALSESS\0" \
"\x0c" "VCMPNEQ_OQSS\0" "\x08" "VCMPGESS\0" "\x08" "VCMPGTSS\0" "\x0a" "VCMPTRUESS\0" \
"\x0b" "VCMPEQ_OSSS\0" "\x0b" "VCMPLT_OQSS\0" "\x0b" "VCMPLE_OQSS\0" "\x0d" "VCMPUNORD_SSS\0" \
"\x0c" "VCMPNEQ_USSS\0" "\x0c" "VCMPNLT_UQSS\0" "\x0c" "VCMPNLE_UQSS\0" "\x0b" "VCMPORD_SSS\0" \
"\x0b" "VCMPEQ_USSS\0" "\x0c" "VCMPNGE_UQSS\0" "\x0c" "VCMPNGT_UQSS\0" "\x0e" "VCMPFALSE_OSSS\0" \
"\x0c" "VCMPNEQ_OSSS\0" "\x0b" "VCMPGE_OQSS\0" "\x0b" "VCMPGT_OQSS\0" "\x0d" "VCMPTRUE_USSS\0" \
"\x08" "VCMPEQSD\0" "\x08" "VCMPLTSD\0" "\x08" "VCMPLESD\0" "\x0b" "VCMPUNORDSD\0" \
"\x09" "VCMPNEQSD\0" "\x09" "VCMPNLTSD\0" "\x09" "VCMPNLESD\0" "\x09" "VCMPORDSD\0" \
"\x0b" "VCMPEQ_UQSD\0" "\x09" "VCMPNGESD\0" "\x09" "VCMPNGTSD\0" "\x0b" "VCMPFALSESD\0" \
"\x0c" "VCMPNEQ_OQSD\0" "\x08" "VCMPGESD\0" "\x08" "VCMPGTSD\0" "\x0a" "VCMPTRUESD\0" \
"\x0b" "VCMPEQ_OSSD\0" "\x0b" "VCMPLT_OQSD\0" "\x0b" "VCMPLE_OQSD\0" "\x0d" "VCMPUNORD_SSD\0" \
"\x0c" "VCMPNEQ_USSD\0" "\x0c" "VCMPNLT_UQSD\0" "\x0c" "VCMPNLE_UQSD\0" "\x0b" "VCMPORD_SSD\0" \
"\x0b" "VCMPEQ_USSD\0" "\x0c" "VCMPNGE_UQSD\0" "\x0c" "VCMPNGT_UQSD\0" "\x0e" "VCMPFALSE_OSSD\0" \
"\x0c" "VCMPNEQ_OSSD\0" "\x0b" "VCMPGE_OQSD\0" "\x0b" "VCMPGT_OQSD\0" "\x0d" "VCMPTRUE_USSD\0" \
"\x06" "PINSRW\0" "\x07" "VPINSRW\0" "\x06" "PEXTRW\0" "\x07" "VPEXTRW\0" "\x06" "SHUFPS\0" \
"\x06" "SHUFPD\0" "\x07" "VSHUFPS\0" "\x07" "VSHUFPD\0" "\x09" "CMPXCHG8B\0" \
"\x0a" "CMPXCHG16B\0" "\x07" "VMPTRST\0" "\x08" "ADDSUBPD\0" "\x08" "ADDSUBPS\0" \
"\x09" "VADDSUBPD\0" "\x09" "VADDSUBPS\0" "\x05" "PSRLW\0" "\x06" "VPSRLW\0" \
"\x05" "PSRLD\0" "\x06" "VPSRLD\0" "\x05" "PSRLQ\0" "\x06" "VPSRLQ\0" "\x05" "PADDQ\0" \
"\x06" "VPADDQ\0" "\x06" "PMULLW\0" "\x07" "VPMULLW\0" "\x07" "MOVQ2DQ\0" "\x07" "MOVDQ2Q\0" \
"\x08" "PMOVMSKB\0" "\x09" "VPMOVMSKB\0" "\x07" "PSUBUSB\0" "\x08" "VPSUBUSB\0" \
"\x07" "PSUBUSW\0" "\x08" "VPSUBUSW\0" "\x06" "PMINUB\0" "\x07" "VPMINUB\0" \
"\x04" "PAND\0" "\x05" "VPAND\0" "\x07" "PADDUSB\0" "\x08" "VPADDUSW\0" "\x07" "PADDUSW\0" \
"\x06" "PMAXUB\0" "\x07" "VPMAXUB\0" "\x05" "PANDN\0" "\x06" "VPANDN\0" "\x05" "PAVGB\0" \
"\x06" "VPAVGB\0" "\x05" "PSRAW\0" "\x06" "VPSRAW\0" "\x05" "PSRAD\0" "\x06" "VPSRAD\0" \
"\x05" "PAVGW\0" "\x06" "VPAVGW\0" "\x07" "PMULHUW\0" "\x08" "VPMULHUW\0" "\x06" "PMULHW\0" \
"\x07" "VPMULHW\0" "\x09" "CVTTPD2DQ\0" "\x08" "CVTDQ2PD\0" "\x08" "CVTPD2DQ\0" \
"\x0a" "VCVTTPD2DQ\0" "\x09" "VCVTDQ2PD\0" "\x09" "VCVTPD2DQ\0" "\x06" "MOVNTQ\0" \
"\x07" "MOVNTDQ\0" "\x08" "VMOVNTDQ\0" "\x06" "PSUBSB\0" "\x07" "VPSUBSB\0" \
"\x06" "PSUBSW\0" "\x07" "VPSUBSW\0" "\x06" "PMINSW\0" "\x07" "VPMINSW\0" "\x03" "POR\0" \
"\x04" "VPOR\0" "\x06" "PADDSB\0" "\x07" "VPADDSB\0" "\x06" "PADDSW\0" "\x07" "VPADDSW\0" \
"\x06" "PMAXSW\0" "\x07" "VPMAXSW\0" "\x04" "PXOR\0" "\x05" "VPXOR\0" "\x05" "LDDQU\0" \
"\x06" "VLDDQU\0" "\x05" "PSLLW\0" "\x06" "VPSLLW\0" "\x05" "PSLLD\0" "\x06" "VPSLLD\0" \
"\x05" "PSLLQ\0" "\x06" "VPSLLQ\0" "\x07" "PMULUDQ\0" "\x08" "VPMULUDQ\0" "\x07" "PMADDWD\0" \
"\x08" "VPMADDWD\0" "\x06" "PSADBW\0" "\x07" "VPSADBW\0" "\x08" "MASKMOVQ\0" \
"\x0a" "MASKMOVDQU\0" "\x0b" "VMASKMOVDQU\0" "\x05" "PSUBB\0" "\x06" "VPSUBB\0" \
"\x05" "PSUBW\0" "\x06" "VPSUBW\0" "\x05" "PSUBD\0" "\x06" "VPSUBD\0" "\x05" "PSUBQ\0" \
"\x06" "VPSUBQ\0" "\x05" "PADDB\0" "\x06" "VPADDB\0" "\x05" "PADDW\0" "\x06" "VPADDW\0" \
"\x05" "PADDD\0" "\x06" "VPADDD\0" "\x07" "FNSTENV\0" "\x06" "FSTENV\0" "\x06" "FNSTCW\0" \
"\x05" "FSTCW\0" "\x06" "FNCLEX\0" "\x05" "FCLEX\0" "\x06" "FNINIT\0" "\x05" "FINIT\0" \
"\x06" "FNSAVE\0" "\x05" "FSAVE\0" "\x06" "FNSTSW\0" "\x05" "FSTSW\0" "\x06" "PSHUFB\0" \
"\x07" "VPSHUFB\0" "\x06" "PHADDW\0" "\x07" "VPHADDW\0" "\x06" "PHADDD\0" "\x07" "VPHADDD\0" \
"\x07" "PHADDSW\0" "\x08" "VPHADDSW\0" "\x09" "PMADDUBSW\0" "\x0a" "VPMADDUBSW\0" \
"\x06" "PHSUBW\0" "\x07" "VPHSUBW\0" "\x06" "PHSUBD\0" "\x07" "VPHSUBD\0" "\x07" "PHSUBSW\0" \
"\x08" "VPHSUBSW\0" "\x06" "PSIGNB\0" "\x07" "VPSIGNB\0" "\x06" "PSIGNW\0" \
"\x07" "VPSIGNW\0" "\x06" "PSIGND\0" "\x07" "VPSIGND\0" "\x08" "PMULHRSW\0" \
"\x09" "VPMULHRSW\0" "\x09" "VPERMILPS\0" "\x09" "VPERMILPD\0" "\x07" "VTESTPS\0" \
"\x07" "VTESTPD\0" "\x08" "PBLENDVB\0" "\x08" "BLENDVPS\0" "\x08" "BLENDVPD\0" \
"\x05" "PTEST\0" "\x06" "VPTEST\0" "\x0c" "VBROADCASTSS\0" "\x0c" "VBROADCASTSD\0" \
"\x0e" "VBROADCASTF128\0" "\x05" "PABSB\0" "\x06" "VPABSB\0" "\x05" "PABSW\0" \
"\x06" "VPABSW\0" "\x05" "PABSD\0" "\x06" "VPABSD\0" "\x08" "PMOVSXBW\0" "\x09" "VPMOVSXBW\0" \
"\x08" "PMOVSXBD\0" "\x09" "VPMOVSXBD\0" "\x08" "PMOVSXBQ\0" "\x09" "VPMOVSXBQ\0" \
"\x08" "PMOVSXWD\0" "\x09" "VPMOVSXWD\0" "\x08" "PMOVSXWQ\0" "\x09" "VPMOVSXWQ\0" \
"\x08" "PMOVSXDQ\0" "\x09" "VPMOVSXDQ\0" "\x06" "PMULDQ\0" "\x07" "VPMULDQ\0" \
"\x07" "PCMPEQQ\0" "\x08" "VPCMPEQQ\0" "\x08" "MOVNTDQA\0" "\x09" "VMOVNTDQA\0" \
"\x08" "PACKUSDW\0" "\x09" "VPACKUSDW\0" "\x0a" "VMASKMOVPS\0" "\x0a" "VMASKMOVPD\0" \
"\x08" "PMOVZXBW\0" "\x09" "VPMOVZXBW\0" "\x08" "PMOVZXBD\0" "\x09" "VPMOVZXBD\0" \
"\x08" "PMOVZXBQ\0" "\x09" "VPMOVZXBQ\0" "\x08" "PMOVZXWD\0" "\x09" "VPMOVZXWD\0" \
"\x08" "PMOVZXWQ\0" "\x09" "VPMOVZXWQ\0" "\x08" "PMOVZXDQ\0" "\x09" "VPMOVZXDQ\0" \
"\x07" "PCMPGTQ\0" "\x08" "VPCMPGTQ\0" "\x06" "PMINSB\0" "\x07" "VPMINSB\0" \
"\x06" "PMINSD\0" "\x07" "VPMINSD\0" "\x06" "PMINUW\0" "\x07" "VPMINUW\0" "\x06" "PMINUD\0" \
"\x07" "VPMINUD\0" "\x06" "PMAXSB\0" "\x07" "VPMAXSB\0" "\x06" "PMAXSD\0" "\x07" "VPMAXSD\0" \
"\x06" "PMAXUW\0" "\x07" "VPMAXUW\0" "\x06" "PMAXUD\0" "\x07" "VPMAXUD\0" "\x06" "PMULLD\0" \
"\x07" "VPMULLD\0" "\x0a" "PHMINPOSUW\0" "\x0b" "VPHMINPOSUW\0" "\x06" "INVEPT\0" \
"\x07" "INVVPID\0" "\x07" "INVPCID\0" "\x0e" "VFMADDSUB132PS\0" "\x0e" "VFMADDSUB132PD\0" \
"\x0e" "VFMSUBADD132PS\0" "\x0e" "VFMSUBADD132PD\0" "\x0b" "VFMADD132PS\0" \
"\x0b" "VFMADD132PD\0" "\x0b" "VFMADD132SS\0" "\x0b" "VFMADD132SD\0" "\x0b" "VFMSUB132PS\0" \
"\x0b" "VFMSUB132PD\0" "\x0b" "VFMSUB132SS\0" "\x0b" "VFMSUB132SD\0" "\x0c" "VFNMADD132PS\0" \
"\x0c" "VFNMADD132PD\0" "\x0c" "VFNMADD132SS\0" "\x0c" "VFNMADD132SD\0" "\x0c" "VFNMSUB132PS\0" \
"\x0c" "VFNMSUB132PD\0" "\x0c" "VFNMSUB132SS\0" "\x0c" "VFNMSUB132SD\0" "\x0e" "VFMADDSUB213PS\0" \
"\x0e" "VFMADDSUB213PD\0" "\x0e" "VFMSUBADD213PS\0" "\x0e" "VFMSUBADD213PD\0" \
"\x0b" "VFMADD213PS\0" "\x0b" "VFMADD213PD\0" "\x0b" "VFMADD213SS\0" "\x0b" "VFMADD213SD\0" \
"\x0b" "VFMSUB213PS\0" "\x0b" "VFMSUB213PD\0" "\x0b" "VFMSUB213SS\0" "\x0b" "VFMSUB213SD\0" \
"\x0c" "VFNMADD213PS\0" "\x0c" "VFNMADD213PD\0" "\x0c" "VFNMADD213SS\0" "\x0c" "VFNMADD213SD\0" \
"\x0c" "VFNMSUB213PS\0" "\x0c" "VFNMSUB213PD\0" "\x0c" "VFNMSUB213SS\0" "\x0c" "VFNMSUB213SD\0" \
"\x0e" "VFMADDSUB231PS\0" "\x0e" "VFMADDSUB231PD\0" "\x0e" "VFMSUBADD231PS\0" \
"\x0e" "VFMSUBADD231PD\0" "\x0b" "VFMADD231PS\0" "\x0b" "VFMADD231PD\0" "\x0b" "VFMADD231SS\0" \
"\x0b" "VFMADD231SD\0" "\x0b" "VFMSUB231PS\0" "\x0b" "VFMSUB231PD\0" "\x0b" "VFMSUB231SS\0" \
"\x0b" "VFMSUB231SD\0" "\x0c" "VFNMADD231PS\0" "\x0c" "VFNMADD231PD\0" "\x0c" "VFNMADD231SS\0" \
"\x0c" "VFNMADD231SD\0" "\x0c" "VFNMSUB231PS\0" "\x0c" "VFNMSUB231PD\0" "\x0c" "VFNMSUB231SS\0" \
"\x0c" "VFNMSUB231SD\0" "\x06" "AESIMC\0" "\x07" "VAESIMC\0" "\x06" "AESENC\0" \
"\x07" "VAESENC\0" "\x0a" "AESENCLAST\0" "\x0b" "VAESENCLAST\0" "\x06" "AESDEC\0" \
"\x07" "VAESDEC\0" "\x0a" "AESDECLAST\0" "\x0b" "VAESDECLAST\0" "\x05" "MOVBE\0" \
"\x05" "CRC32\0" "\x0a" "VPERM2F128\0" "\x07" "ROUNDPS\0" "\x08" "VROUNDPS\0" \
"\x07" "ROUNDPD\0" "\x08" "VROUNDPD\0" "\x07" "ROUNDSS\0" "\x08" "VROUNDSS\0" \
"\x07" "ROUNDSD\0" "\x08" "VROUNDSD\0" "\x07" "BLENDPS\0" "\x08" "VBLENDPS\0" \
"\x07" "BLENDPD\0" "\x08" "VBLENDPD\0" "\x07" "PBLENDW\0" "\x08" "VPBLENDW\0" \
"\x07" "PALIGNR\0" "\x08" "VPALIGNR\0" "\x06" "PEXTRB\0" "\x07" "VPEXTRB\0" \
"\x06" "PEXTRD\0" "\x06" "PEXTRQ\0" "\x07" "VPEXTRD\0" "\x07" "VPEXTRQ\0" "\x09" "EXTRACTPS\0" \
"\x0a" "VEXTRACTPS\0" "\x0b" "VINSERTF128\0" "\x0c" "VEXTRACTF128\0" "\x06" "PINSRB\0" \
"\x07" "VPINSRB\0" "\x08" "INSERTPS\0" "\x09" "VINSERTPS\0" "\x06" "PINSRD\0" \
"\x06" "PINSRQ\0" "\x07" "VPINSRD\0" "\x07" "VPINSRQ\0" "\x04" "DPPS\0" "\x05" "VDPPS\0" \
"\x04" "DPPD\0" "\x05" "VDPPD\0" "\x07" "MPSADBW\0" "\x08" "VMPSADBW\0" "\x09" "PCLMULQDQ\0" \
"\x0a" "VPCLMULQDQ\0" "\x09" "VBLENDVPS\0" "\x09" "VBLENDVPD\0" "\x09" "VPBLENDVB\0" \
"\x09" "PCMPESTRM\0" "\x0a" "VPCMPESTRM\0" "\x09" "PCMPESTRI\0" "\x0a" "VPCMPESTRI\0" \
"\x09" "PCMPISTRM\0" "\x0a" "VPCMPISTRM\0" "\x09" "PCMPISTRI\0" "\x0a" "VPCMPISTRI\0" \
"\x0f" "AESKEYGENASSIST\0" "\x10" "VAESKEYGENASSIST\0" "\x06" "PSRLDQ\0" "\x07" "VPSRLDQ\0" \
"\x06" "PSLLDQ\0" "\x07" "VPSLLDQ\0" "\x06" "FXSAVE\0" "\x08" "FXSAVE64\0" \
"\x08" "RDFSBASE\0" "\x07" "FXRSTOR\0" "\x09" "FXRSTOR64\0" "\x08" "RDGSBASE\0" \
"\x07" "LDMXCSR\0" "\x08" "WRFSBASE\0" "\x08" "VLDMXCSR\0" "\x07" "STMXCSR\0" \
"\x08" "WRGSBASE\0" "\x08" "VSTMXCSR\0" "\x06" "RDRAND\0" "\x07" "VMPTRLD\0" \
"\x07" "VMCLEAR\0" "\x05" "VMXON\0" "\x06" "MOVSXD\0" "\x05" "PAUSE\0" "\x04" "WAIT\0" \
"\x05" "3DNOW\0";
const _WRegister _REGISTERS[] = {
{3, "RAX"}, {3, "RCX"}, {3, "RDX"}, {3, "RBX"}, {3, "RSP"}, {3, "RBP"}, {3, "RSI"}, {3, "RDI"}, {2, "R8"}, {2, "R9"}, {3, "R10"}, {3, "R11"}, {3, "R12"}, {3, "R13"}, {3, "R14"}, {3, "R15"},
{3, "EAX"}, {3, "ECX"}, {3, "EDX"}, {3, "EBX"}, {3, "ESP"}, {3, "EBP"}, {3, "ESI"}, {3, "EDI"}, {3, "R8D"}, {3, "R9D"}, {4, "R10D"}, {4, "R11D"}, {4, "R12D"}, {4, "R13D"}, {4, "R14D"}, {4, "R15D"},
{2, "AX"}, {2, "CX"}, {2, "DX"}, {2, "BX"}, {2, "SP"}, {2, "BP"}, {2, "SI"}, {2, "DI"}, {3, "R8W"}, {3, "R9W"}, {4, "R10W"}, {4, "R11W"}, {4, "R12W"}, {4, "R13W"}, {4, "R14W"}, {4, "R15W"},
{2, "AL"}, {2, "CL"}, {2, "DL"}, {2, "BL"}, {2, "AH"}, {2, "CH"}, {2, "DH"}, {2, "BH"}, {3, "R8B"}, {3, "R9B"}, {4, "R10B"}, {4, "R11B"}, {4, "R12B"}, {4, "R13B"}, {4, "R14B"}, {4, "R15B"},
{3, "SPL"}, {3, "BPL"}, {3, "SIL"}, {3, "DIL"},
{2, "ES"}, {2, "CS"}, {2, "SS"}, {2, "DS"}, {2, "FS"}, {2, "GS"},
{3, "RIP"},
{3, "ST0"}, {3, "ST1"}, {3, "ST2"}, {3, "ST3"}, {3, "ST4"}, {3, "ST5"}, {3, "ST6"}, {3, "ST7"},
{3, "MM0"}, {3, "MM1"}, {3, "MM2"}, {3, "MM3"}, {3, "MM4"}, {3, "MM5"}, {3, "MM6"}, {3, "MM7"},
{4, "XMM0"}, {4, "XMM1"}, {4, "XMM2"}, {4, "XMM3"}, {4, "XMM4"}, {4, "XMM5"}, {4, "XMM6"}, {4, "XMM7"}, {4, "XMM8"}, {4, "XMM9"}, {5, "XMM10"}, {5, "XMM11"}, {5, "XMM12"}, {5, "XMM13"}, {5, "XMM14"}, {5, "XMM15"},
{4, "YMM0"}, {4, "YMM1"}, {4, "YMM2"}, {4, "YMM3"}, {4, "YMM4"}, {4, "YMM5"}, {4, "YMM6"}, {4, "YMM7"}, {4, "YMM8"}, {4, "YMM9"}, {5, "YMM10"}, {5, "YMM11"}, {5, "YMM12"}, {5, "YMM13"}, {5, "YMM14"}, {5, "YMM15"},
{3, "CR0"}, {0, ""}, {3, "CR2"}, {3, "CR3"}, {3, "CR4"}, {0, ""}, {0, ""}, {0, ""}, {3, "CR8"},
{3, "DR0"}, {3, "DR1"}, {3, "DR2"}, {3, "DR3"}, {0, ""}, {0, ""}, {3, "DR6"}, {3, "DR7"}
};
#endif /* DISTORM_LIGHT */

313
VB-Research/vbOpenScript/dll/diStorm3.3/mnemonics.h Normal file
View File

@ -0,0 +1,313 @@
/*
mnemonics.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef MNEMONICS_H
#define MNEMONICS_H
#ifdef __cplusplus
extern "C" {
#endif
#ifndef DISTORM_LIGHT
typedef struct WMnemonic {
unsigned char length;
unsigned char p[1]; /* p is a null terminated string, which contains 'length' characters. */
} _WMnemonic;
typedef struct WRegister {
unsigned int length;
unsigned char p[6]; /* p is a null terminated string. */
} _WRegister;
extern const unsigned char _MNEMONICS[];
extern const _WRegister _REGISTERS[];
#endif /* DISTORM_LIGHT */
#ifdef __cplusplus
} /* End Of Extern */
#endif
#define GET_REGISTER_NAME(r) (unsigned char*)_REGISTERS[(r)].p
#define GET_MNEMONIC_NAME(m) ((_WMnemonic*)&_MNEMONICS[(m)])->p
typedef enum {
I_UNDEFINED = 0, I_3DNOW = 10034, I_AAA = 66, I_AAD = 389, I_AAM = 384, I_AAS = 76, I_ADC = 31,
I_ADD = 11, I_ADDPD = 3110, I_ADDPS = 3103, I_ADDSD = 3124, I_ADDSS = 3117,
I_ADDSUBPD = 6394, I_ADDSUBPS = 6404, I_AESDEC = 9209, I_AESDECLAST = 9226,
I_AESENC = 9167, I_AESENCLAST = 9184, I_AESIMC = 9150, I_AESKEYGENASSIST = 9795,
I_AND = 41, I_ANDNPD = 3021, I_ANDNPS = 3013, I_ANDPD = 2990, I_ANDPS = 2983,
I_ARPL = 111, I_BLENDPD = 9372, I_BLENDPS = 9353, I_BLENDVPD = 7619, I_BLENDVPS = 7609,
I_BOUND = 104, I_BSF = 4346, I_BSR = 4358, I_BSWAP = 960, I_BT = 872, I_BTC = 934,
I_BTR = 912, I_BTS = 887, I_CALL = 456, I_CALL_FAR = 260, I_CBW = 228, I_CDQ = 250,
I_CDQE = 239, I_CLC = 492, I_CLD = 512, I_CLFLUSH = 4329, I_CLGI = 1833, I_CLI = 502,
I_CLTS = 541, I_CMC = 487, I_CMOVA = 694, I_CMOVAE = 663, I_CMOVB = 656, I_CMOVBE = 686,
I_CMOVG = 754, I_CMOVGE = 738, I_CMOVL = 731, I_CMOVLE = 746, I_CMOVNO = 648,
I_CMOVNP = 723, I_CMOVNS = 708, I_CMOVNZ = 678, I_CMOVO = 641, I_CMOVP = 716,
I_CMOVS = 701, I_CMOVZ = 671, I_CMP = 71, I_CMPEQPD = 4449, I_CMPEQPS = 4370,
I_CMPEQSD = 4607, I_CMPEQSS = 4528, I_CMPLEPD = 4467, I_CMPLEPS = 4388, I_CMPLESD = 4625,
I_CMPLESS = 4546, I_CMPLTPD = 4458, I_CMPLTPS = 4379, I_CMPLTSD = 4616, I_CMPLTSS = 4537,
I_CMPNEQPD = 4488, I_CMPNEQPS = 4409, I_CMPNEQSD = 4646, I_CMPNEQSS = 4567,
I_CMPNLEPD = 4508, I_CMPNLEPS = 4429, I_CMPNLESD = 4666, I_CMPNLESS = 4587,
I_CMPNLTPD = 4498, I_CMPNLTPS = 4419, I_CMPNLTSD = 4656, I_CMPNLTSS = 4577,
I_CMPORDPD = 4518, I_CMPORDPS = 4439, I_CMPORDSD = 4676, I_CMPORDSS = 4597,
I_CMPS = 301, I_CMPUNORDPD = 4476, I_CMPUNORDPS = 4397, I_CMPUNORDSD = 4634,
I_CMPUNORDSS = 4555, I_CMPXCHG = 898, I_CMPXCHG16B = 6373, I_CMPXCHG8B = 6362,
I_COMISD = 2779, I_COMISS = 2771, I_CPUID = 865, I_CQO = 255, I_CRC32 = 9258,
I_CVTDQ2PD = 6787, I_CVTDQ2PS = 3307, I_CVTPD2DQ = 6797, I_CVTPD2PI = 2681,
I_CVTPD2PS = 3233, I_CVTPH2PS = 4161, I_CVTPI2PD = 2495, I_CVTPI2PS = 2485,
I_CVTPS2DQ = 3317, I_CVTPS2PD = 3223, I_CVTPS2PH = 4171, I_CVTPS2PI = 2671,
I_CVTSD2SI = 2701, I_CVTSD2SS = 3253, I_CVTSI2SD = 2515, I_CVTSI2SS = 2505,
I_CVTSS2SD = 3243, I_CVTSS2SI = 2691, I_CVTTPD2DQ = 6776, I_CVTTPD2PI = 2614,
I_CVTTPS2DQ = 3327, I_CVTTPS2PI = 2603, I_CVTTSD2SI = 2636, I_CVTTSS2SI = 2625,
I_CWD = 245, I_CWDE = 233, I_DAA = 46, I_DAS = 56, I_DEC = 86, I_DIV = 1630,
I_DIVPD = 3499, I_DIVPS = 3492, I_DIVSD = 3513, I_DIVSS = 3506, I_DPPD = 9615,
I_DPPS = 9602, I_EMMS = 4100, I_ENTER = 340, I_EXTRACTPS = 9480, I_EXTRQ = 4136,
I_F2XM1 = 1176, I_FABS = 1107, I_FADD = 1007, I_FADDP = 1533, I_FBLD = 1585,
I_FBSTP = 1591, I_FCHS = 1101, I_FCLEX = 7289, I_FCMOVB = 1360, I_FCMOVBE = 1376,
I_FCMOVE = 1368, I_FCMOVNB = 1429, I_FCMOVNBE = 1447, I_FCMOVNE = 1438, I_FCMOVNU = 1457,
I_FCMOVU = 1385, I_FCOM = 1019, I_FCOMI = 1496, I_FCOMIP = 1607, I_FCOMP = 1025,
I_FCOMPP = 1547, I_FCOS = 1295, I_FDECSTP = 1222, I_FDIV = 1045, I_FDIVP = 1578,
I_FDIVR = 1051, I_FDIVRP = 1570, I_FEDISI = 1472, I_FEMMS = 574, I_FENI = 1466,
I_FFREE = 1511, I_FIADD = 1301, I_FICOM = 1315, I_FICOMP = 1322, I_FIDIV = 1345,
I_FIDIVR = 1352, I_FILD = 1402, I_FIMUL = 1308, I_FINCSTP = 1231, I_FINIT = 7304,
I_FIST = 1416, I_FISTP = 1422, I_FISTTP = 1408, I_FISUB = 1330, I_FISUBR = 1337,
I_FLD = 1058, I_FLD1 = 1125, I_FLDCW = 1082, I_FLDENV = 1074, I_FLDL2E = 1139,
I_FLDL2T = 1131, I_FLDLG2 = 1154, I_FLDLN2 = 1162, I_FLDPI = 1147, I_FLDZ = 1170,
I_FMUL = 1013, I_FMULP = 1540, I_FNCLEX = 7281, I_FNINIT = 7296, I_FNOP = 1095,
I_FNSAVE = 7311, I_FNSTCW = 7266, I_FNSTENV = 7249, I_FNSTSW = 7326, I_FPATAN = 1197,
I_FPREM = 1240, I_FPREM1 = 1214, I_FPTAN = 1190, I_FRNDINT = 1272, I_FRSTOR = 1503,
I_FSAVE = 7319, I_FSCALE = 1281, I_FSETPM = 1480, I_FSIN = 1289, I_FSINCOS = 1263,
I_FSQRT = 1256, I_FST = 1063, I_FSTCW = 7274, I_FSTENV = 7258, I_FSTP = 1068,
I_FSTSW = 7334, I_FSUB = 1032, I_FSUBP = 1563, I_FSUBR = 1038, I_FSUBRP = 1555,
I_FTST = 1113, I_FUCOM = 1518, I_FUCOMI = 1488, I_FUCOMIP = 1598, I_FUCOMP = 1525,
I_FUCOMPP = 1393, I_FXAM = 1119, I_FXCH = 1089, I_FXRSTOR = 9892, I_FXRSTOR64 = 9901,
I_FXSAVE = 9864, I_FXSAVE64 = 9872, I_FXTRACT = 1205, I_FYL2X = 1183, I_FYL2XP1 = 1247,
I_GETSEC = 633, I_HADDPD = 4181, I_HADDPS = 4189, I_HLT = 482, I_HSUBPD = 4215,
I_HSUBPS = 4223, I_IDIV = 1635, I_IMUL = 117, I_IN = 447, I_INC = 81, I_INS = 123,
I_INSERTPS = 9547, I_INSERTQ = 4143, I_INT = 367, I_INT_3 = 360, I_INT1 = 476,
I_INTO = 372, I_INVD = 555, I_INVEPT = 8284, I_INVLPG = 1711, I_INVLPGA = 1847,
I_INVPCID = 8301, I_INVVPID = 8292, I_IRET = 378, I_JA = 166, I_JAE = 147,
I_JB = 143, I_JBE = 161, I_JCXZ = 427, I_JECXZ = 433, I_JG = 202, I_JGE = 192,
I_JL = 188, I_JLE = 197, I_JMP = 462, I_JMP_FAR = 467, I_JNO = 138, I_JNP = 183,
I_JNS = 174, I_JNZ = 156, I_JO = 134, I_JP = 179, I_JRCXZ = 440, I_JS = 170,
I_JZ = 152, I_LAHF = 289, I_LAR = 522, I_LDDQU = 6994, I_LDMXCSR = 9922, I_LDS = 335,
I_LEA = 223, I_LEAVE = 347, I_LES = 330, I_LFENCE = 4265, I_LFS = 917, I_LGDT = 1687,
I_LGS = 922, I_LIDT = 1693, I_LLDT = 1652, I_LMSW = 1705, I_LODS = 313, I_LOOP = 421,
I_LOOPNZ = 406, I_LOOPZ = 414, I_LSL = 527, I_LSS = 907, I_LTR = 1658, I_LZCNT = 4363,
I_MASKMOVDQU = 7119, I_MASKMOVQ = 7109, I_MAXPD = 3559, I_MAXPS = 3552, I_MAXSD = 3573,
I_MAXSS = 3566, I_MFENCE = 4291, I_MINPD = 3439, I_MINPS = 3432, I_MINSD = 3453,
I_MINSS = 3446, I_MONITOR = 1755, I_MOV = 218, I_MOVAPD = 2459, I_MOVAPS = 2451,
I_MOVBE = 9251, I_MOVD = 3920, I_MOVDDUP = 2186, I_MOVDQ2Q = 6522, I_MOVDQA = 3946,
I_MOVDQU = 3954, I_MOVHLPS = 2151, I_MOVHPD = 2345, I_MOVHPS = 2337, I_MOVLHPS = 2328,
I_MOVLPD = 2168, I_MOVLPS = 2160, I_MOVMSKPD = 2815, I_MOVMSKPS = 2805, I_MOVNTDQ = 6849,
I_MOVNTDQA = 7895, I_MOVNTI = 952, I_MOVNTPD = 2556, I_MOVNTPS = 2547, I_MOVNTQ = 6841,
I_MOVNTSD = 2574, I_MOVNTSS = 2565, I_MOVQ = 3926, I_MOVQ2DQ = 6513, I_MOVS = 295,
I_MOVSD = 2110, I_MOVSHDUP = 2353, I_MOVSLDUP = 2176, I_MOVSS = 2103, I_MOVSX = 939,
I_MOVSXD = 10013, I_MOVUPD = 2095, I_MOVUPS = 2087, I_MOVZX = 927, I_MPSADBW = 9628,
I_MUL = 1625, I_MULPD = 3170, I_MULPS = 3163, I_MULSD = 3184, I_MULSS = 3177,
I_MWAIT = 1764, I_NEG = 1620, I_NOP = 581, I_NOT = 1615, I_OR = 27, I_ORPD = 3053,
I_ORPS = 3047, I_OUT = 451, I_OUTS = 128, I_PABSB = 7688, I_PABSD = 7718, I_PABSW = 7703,
I_PACKSSDW = 3849, I_PACKSSWB = 3681, I_PACKUSDW = 7916, I_PACKUSWB = 3759,
I_PADDB = 7204, I_PADDD = 7234, I_PADDQ = 6481, I_PADDSB = 6930, I_PADDSW = 6947,
I_PADDUSB = 6620, I_PADDUSW = 6639, I_PADDW = 7219, I_PALIGNR = 9410, I_PAND = 6607,
I_PANDN = 6665, I_PAUSE = 10021, I_PAVGB = 6680, I_PAVGUSB = 2078, I_PAVGW = 6725,
I_PBLENDVB = 7599, I_PBLENDW = 9391, I_PCLMULQDQ = 9647, I_PCMPEQB = 4043,
I_PCMPEQD = 4081, I_PCMPEQQ = 7876, I_PCMPEQW = 4062, I_PCMPESTRI = 9726,
I_PCMPESTRM = 9703, I_PCMPGTB = 3702, I_PCMPGTD = 3740, I_PCMPGTQ = 8087,
I_PCMPGTW = 3721, I_PCMPISTRI = 9772, I_PCMPISTRM = 9749, I_PEXTRB = 9429,
I_PEXTRD = 9446, I_PEXTRQ = 9454, I_PEXTRW = 6311, I_PF2ID = 1914, I_PF2IW = 1907,
I_PFACC = 2028, I_PFADD = 1977, I_PFCMPEQ = 2035, I_PFCMPGE = 1938, I_PFCMPGT = 1984,
I_PFMAX = 1993, I_PFMIN = 1947, I_PFMUL = 2044, I_PFNACC = 1921, I_PFPNACC = 1929,
I_PFRCP = 1954, I_PFRCPIT1 = 2000, I_PFRCPIT2 = 2051, I_PFRSQIT1 = 2010, I_PFRSQRT = 1961,
I_PFSUB = 1970, I_PFSUBR = 2020, I_PHADDD = 7375, I_PHADDSW = 7392, I_PHADDW = 7358,
I_PHMINPOSUW = 8259, I_PHSUBD = 7451, I_PHSUBSW = 7468, I_PHSUBW = 7434, I_PI2FD = 1900,
I_PI2FW = 1893, I_PINSRB = 9530, I_PINSRD = 9568, I_PINSRQ = 9576, I_PINSRW = 6294,
I_PMADDUBSW = 7411, I_PMADDWD = 7073, I_PMAXSB = 8174, I_PMAXSD = 8191, I_PMAXSW = 6964,
I_PMAXUB = 6648, I_PMAXUD = 8225, I_PMAXUW = 8208, I_PMINSB = 8106, I_PMINSD = 8123,
I_PMINSW = 6902, I_PMINUB = 6590, I_PMINUD = 8157, I_PMINUW = 8140, I_PMOVMSKB = 6531,
I_PMOVSXBD = 7754, I_PMOVSXBQ = 7775, I_PMOVSXBW = 7733, I_PMOVSXDQ = 7838,
I_PMOVSXWD = 7796, I_PMOVSXWQ = 7817, I_PMOVZXBD = 7982, I_PMOVZXBQ = 8003,
I_PMOVZXBW = 7961, I_PMOVZXDQ = 8066, I_PMOVZXWD = 8024, I_PMOVZXWQ = 8045,
I_PMULDQ = 7859, I_PMULHRSW = 7538, I_PMULHRW = 2061, I_PMULHUW = 6740, I_PMULHW = 6759,
I_PMULLD = 8242, I_PMULLW = 6496, I_PMULUDQ = 7054, I_POP = 22, I_POPA = 98,
I_POPCNT = 4338, I_POPF = 277, I_POR = 6919, I_PREFETCH = 1872, I_PREFETCHNTA = 2402,
I_PREFETCHT0 = 2415, I_PREFETCHT1 = 2427, I_PREFETCHT2 = 2439, I_PREFETCHW = 1882,
I_PSADBW = 7092, I_PSHUFB = 7341, I_PSHUFD = 3988, I_PSHUFHW = 3996, I_PSHUFLW = 4005,
I_PSHUFW = 3980, I_PSIGNB = 7487, I_PSIGND = 7521, I_PSIGNW = 7504, I_PSLLD = 7024,
I_PSLLDQ = 9847, I_PSLLQ = 7039, I_PSLLW = 7009, I_PSRAD = 6710, I_PSRAW = 6695,
I_PSRLD = 6451, I_PSRLDQ = 9830, I_PSRLQ = 6466, I_PSRLW = 6436, I_PSUBB = 7144,
I_PSUBD = 7174, I_PSUBQ = 7189, I_PSUBSB = 6868, I_PSUBSW = 6885, I_PSUBUSB = 6552,
I_PSUBUSW = 6571, I_PSUBW = 7159, I_PSWAPD = 2070, I_PTEST = 7629, I_PUNPCKHBW = 3780,
I_PUNPCKHDQ = 3826, I_PUNPCKHQDQ = 3895, I_PUNPCKHWD = 3803, I_PUNPCKLBW = 3612,
I_PUNPCKLDQ = 3658, I_PUNPCKLQDQ = 3870, I_PUNPCKLWD = 3635, I_PUSH = 16,
I_PUSHA = 91, I_PUSHF = 270, I_PXOR = 6981, I_RCL = 977, I_RCPPS = 2953, I_RCPSS = 2960,
I_RCR = 982, I_RDFSBASE = 9882, I_RDGSBASE = 9912, I_RDMSR = 600, I_RDPMC = 607,
I_RDRAND = 9980, I_RDTSC = 593, I_RDTSCP = 1864, I_RET = 325, I_RETF = 354,
I_ROL = 967, I_ROR = 972, I_ROUNDPD = 9296, I_ROUNDPS = 9277, I_ROUNDSD = 9334,
I_ROUNDSS = 9315, I_RSM = 882, I_RSQRTPS = 2915, I_RSQRTSS = 2924, I_SAHF = 283,
I_SAL = 997, I_SALC = 394, I_SAR = 1002, I_SBB = 36, I_SCAS = 319, I_SETA = 807,
I_SETAE = 780, I_SETB = 774, I_SETBE = 800, I_SETG = 859, I_SETGE = 845, I_SETL = 839,
I_SETLE = 852, I_SETNO = 767, I_SETNP = 832, I_SETNS = 819, I_SETNZ = 793,
I_SETO = 761, I_SETP = 826, I_SETS = 813, I_SETZ = 787, I_SFENCE = 4321, I_SGDT = 1675,
I_SHL = 987, I_SHLD = 876, I_SHR = 992, I_SHRD = 892, I_SHUFPD = 6336, I_SHUFPS = 6328,
I_SIDT = 1681, I_SKINIT = 1839, I_SLDT = 1641, I_SMSW = 1699, I_SQRTPD = 2855,
I_SQRTPS = 2847, I_SQRTSD = 2871, I_SQRTSS = 2863, I_STC = 497, I_STD = 517,
I_STGI = 1827, I_STI = 507, I_STMXCSR = 9951, I_STOS = 307, I_STR = 1647, I_SUB = 51,
I_SUBPD = 3379, I_SUBPS = 3372, I_SUBSD = 3393, I_SUBSS = 3386, I_SWAPGS = 1856,
I_SYSCALL = 532, I_SYSENTER = 614, I_SYSEXIT = 624, I_SYSRET = 547, I_TEST = 206,
I_TZCNT = 4351, I_UCOMISD = 2742, I_UCOMISS = 2733, I_UD2 = 569, I_UNPCKHPD = 2296,
I_UNPCKHPS = 2286, I_UNPCKLPD = 2254, I_UNPCKLPS = 2244, I_VADDPD = 3139,
I_VADDPS = 3131, I_VADDSD = 3155, I_VADDSS = 3147, I_VADDSUBPD = 6414, I_VADDSUBPS = 6425,
I_VAESDEC = 9217, I_VAESDECLAST = 9238, I_VAESENC = 9175, I_VAESENCLAST = 9196,
I_VAESIMC = 9158, I_VAESKEYGENASSIST = 9812, I_VANDNPD = 3038, I_VANDNPS = 3029,
I_VANDPD = 3005, I_VANDPS = 2997, I_VBLENDPD = 9381, I_VBLENDPS = 9362, I_VBLENDVPD = 9681,
I_VBLENDVPS = 9670, I_VBROADCASTF128 = 7672, I_VBROADCASTSD = 7658, I_VBROADCASTSS = 7644,
I_VCMPEQPD = 5088, I_VCMPEQPS = 4686, I_VCMPEQSD = 5892, I_VCMPEQSS = 5490,
I_VCMPEQ_OSPD = 5269, I_VCMPEQ_OSPS = 4867, I_VCMPEQ_OSSD = 6073, I_VCMPEQ_OSSS = 5671,
I_VCMPEQ_UQPD = 5175, I_VCMPEQ_UQPS = 4773, I_VCMPEQ_UQSD = 5979, I_VCMPEQ_UQSS = 5577,
I_VCMPEQ_USPD = 5378, I_VCMPEQ_USPS = 4976, I_VCMPEQ_USSD = 6182, I_VCMPEQ_USSS = 5780,
I_VCMPFALSEPD = 5210, I_VCMPFALSEPS = 4808, I_VCMPFALSESD = 6014, I_VCMPFALSESS = 5612,
I_VCMPFALSE_OSPD = 5419, I_VCMPFALSE_OSPS = 5017, I_VCMPFALSE_OSSD = 6223,
I_VCMPFALSE_OSSS = 5821, I_VCMPGEPD = 5237, I_VCMPGEPS = 4835, I_VCMPGESD = 6041,
I_VCMPGESS = 5639, I_VCMPGE_OQPD = 5449, I_VCMPGE_OQPS = 5047, I_VCMPGE_OQSD = 6253,
I_VCMPGE_OQSS = 5851, I_VCMPGTPD = 5247, I_VCMPGTPS = 4845, I_VCMPGTSD = 6051,
I_VCMPGTSS = 5649, I_VCMPGT_OQPD = 5462, I_VCMPGT_OQPS = 5060, I_VCMPGT_OQSD = 6266,
I_VCMPGT_OQSS = 5864, I_VCMPLEPD = 5108, I_VCMPLEPS = 4706, I_VCMPLESD = 5912,
I_VCMPLESS = 5510, I_VCMPLE_OQPD = 5295, I_VCMPLE_OQPS = 4893, I_VCMPLE_OQSD = 6099,
I_VCMPLE_OQSS = 5697, I_VCMPLTPD = 5098, I_VCMPLTPS = 4696, I_VCMPLTSD = 5902,
I_VCMPLTSS = 5500, I_VCMPLT_OQPD = 5282, I_VCMPLT_OQPS = 4880, I_VCMPLT_OQSD = 6086,
I_VCMPLT_OQSS = 5684, I_VCMPNEQPD = 5131, I_VCMPNEQPS = 4729, I_VCMPNEQSD = 5935,
I_VCMPNEQSS = 5533, I_VCMPNEQ_OQPD = 5223, I_VCMPNEQ_OQPS = 4821, I_VCMPNEQ_OQSD = 6027,
I_VCMPNEQ_OQSS = 5625, I_VCMPNEQ_OSPD = 5435, I_VCMPNEQ_OSPS = 5033, I_VCMPNEQ_OSSD = 6239,
I_VCMPNEQ_OSSS = 5837, I_VCMPNEQ_USPD = 5323, I_VCMPNEQ_USPS = 4921, I_VCMPNEQ_USSD = 6127,
I_VCMPNEQ_USSS = 5725, I_VCMPNGEPD = 5188, I_VCMPNGEPS = 4786, I_VCMPNGESD = 5992,
I_VCMPNGESS = 5590, I_VCMPNGE_UQPD = 5391, I_VCMPNGE_UQPS = 4989, I_VCMPNGE_UQSD = 6195,
I_VCMPNGE_UQSS = 5793, I_VCMPNGTPD = 5199, I_VCMPNGTPS = 4797, I_VCMPNGTSD = 6003,
I_VCMPNGTSS = 5601, I_VCMPNGT_UQPD = 5405, I_VCMPNGT_UQPS = 5003, I_VCMPNGT_UQSD = 6209,
I_VCMPNGT_UQSS = 5807, I_VCMPNLEPD = 5153, I_VCMPNLEPS = 4751, I_VCMPNLESD = 5957,
I_VCMPNLESS = 5555, I_VCMPNLE_UQPD = 5351, I_VCMPNLE_UQPS = 4949, I_VCMPNLE_UQSD = 6155,
I_VCMPNLE_UQSS = 5753, I_VCMPNLTPD = 5142, I_VCMPNLTPS = 4740, I_VCMPNLTSD = 5946,
I_VCMPNLTSS = 5544, I_VCMPNLT_UQPD = 5337, I_VCMPNLT_UQPS = 4935, I_VCMPNLT_UQSD = 6141,
I_VCMPNLT_UQSS = 5739, I_VCMPORDPD = 5164, I_VCMPORDPS = 4762, I_VCMPORDSD = 5968,
I_VCMPORDSS = 5566, I_VCMPORD_SPD = 5365, I_VCMPORD_SPS = 4963, I_VCMPORD_SSD = 6169,
I_VCMPORD_SSS = 5767, I_VCMPTRUEPD = 5257, I_VCMPTRUEPS = 4855, I_VCMPTRUESD = 6061,
I_VCMPTRUESS = 5659, I_VCMPTRUE_USPD = 5475, I_VCMPTRUE_USPS = 5073, I_VCMPTRUE_USSD = 6279,
I_VCMPTRUE_USSS = 5877, I_VCMPUNORDPD = 5118, I_VCMPUNORDPS = 4716, I_VCMPUNORDSD = 5922,
I_VCMPUNORDSS = 5520, I_VCMPUNORD_SPD = 5308, I_VCMPUNORD_SPS = 4906, I_VCMPUNORD_SSD = 6112,
I_VCMPUNORD_SSS = 5710, I_VCOMISD = 2796, I_VCOMISS = 2787, I_VCVTDQ2PD = 6819,
I_VCVTDQ2PS = 3338, I_VCVTPD2DQ = 6830, I_VCVTPD2PS = 3274, I_VCVTPS2DQ = 3349,
I_VCVTPS2PD = 3263, I_VCVTSD2SI = 2722, I_VCVTSD2SS = 3296, I_VCVTSI2SD = 2536,
I_VCVTSI2SS = 2525, I_VCVTSS2SD = 3285, I_VCVTSS2SI = 2711, I_VCVTTPD2DQ = 6807,
I_VCVTTPS2DQ = 3360, I_VCVTTSD2SI = 2659, I_VCVTTSS2SI = 2647, I_VDIVPD = 3528,
I_VDIVPS = 3520, I_VDIVSD = 3544, I_VDIVSS = 3536, I_VDPPD = 9621, I_VDPPS = 9608,
I_VERR = 1663, I_VERW = 1669, I_VEXTRACTF128 = 9516, I_VEXTRACTPS = 9491,
I_VFMADD132PD = 8387, I_VFMADD132PS = 8374, I_VFMADD132SD = 8413, I_VFMADD132SS = 8400,
I_VFMADD213PD = 8667, I_VFMADD213PS = 8654, I_VFMADD213SD = 8693, I_VFMADD213SS = 8680,
I_VFMADD231PD = 8947, I_VFMADD231PS = 8934, I_VFMADD231SD = 8973, I_VFMADD231SS = 8960,
I_VFMADDSUB132PD = 8326, I_VFMADDSUB132PS = 8310, I_VFMADDSUB213PD = 8606,
I_VFMADDSUB213PS = 8590, I_VFMADDSUB231PD = 8886, I_VFMADDSUB231PS = 8870,
I_VFMSUB132PD = 8439, I_VFMSUB132PS = 8426, I_VFMSUB132SD = 8465, I_VFMSUB132SS = 8452,
I_VFMSUB213PD = 8719, I_VFMSUB213PS = 8706, I_VFMSUB213SD = 8745, I_VFMSUB213SS = 8732,
I_VFMSUB231PD = 8999, I_VFMSUB231PS = 8986, I_VFMSUB231SD = 9025, I_VFMSUB231SS = 9012,
I_VFMSUBADD132PD = 8358, I_VFMSUBADD132PS = 8342, I_VFMSUBADD213PD = 8638,
I_VFMSUBADD213PS = 8622, I_VFMSUBADD231PD = 8918, I_VFMSUBADD231PS = 8902,
I_VFNMADD132PD = 8492, I_VFNMADD132PS = 8478, I_VFNMADD132SD = 8520, I_VFNMADD132SS = 8506,
I_VFNMADD213PD = 8772, I_VFNMADD213PS = 8758, I_VFNMADD213SD = 8800, I_VFNMADD213SS = 8786,
I_VFNMADD231PD = 9052, I_VFNMADD231PS = 9038, I_VFNMADD231SD = 9080, I_VFNMADD231SS = 9066,
I_VFNMSUB132PD = 8548, I_VFNMSUB132PS = 8534, I_VFNMSUB132SD = 8576, I_VFNMSUB132SS = 8562,
I_VFNMSUB213PD = 8828, I_VFNMSUB213PS = 8814, I_VFNMSUB213SD = 8856, I_VFNMSUB213SS = 8842,
I_VFNMSUB231PD = 9108, I_VFNMSUB231PS = 9094, I_VFNMSUB231SD = 9136, I_VFNMSUB231SS = 9122,
I_VHADDPD = 4197, I_VHADDPS = 4206, I_VHSUBPD = 4231, I_VHSUBPS = 4240, I_VINSERTF128 = 9503,
I_VINSERTPS = 9557, I_VLDDQU = 7001, I_VLDMXCSR = 9941, I_VMASKMOVDQU = 7131,
I_VMASKMOVPD = 7949, I_VMASKMOVPS = 7937, I_VMAXPD = 3588, I_VMAXPS = 3580,
I_VMAXSD = 3604, I_VMAXSS = 3596, I_VMCALL = 1719, I_VMCLEAR = 9997, I_VMFUNC = 1787,
I_VMINPD = 3468, I_VMINPS = 3460, I_VMINSD = 3484, I_VMINSS = 3476, I_VMLAUNCH = 1727,
I_VMLOAD = 1811, I_VMMCALL = 1802, I_VMOVAPD = 2476, I_VMOVAPS = 2467, I_VMOVD = 3932,
I_VMOVDDUP = 2234, I_VMOVDQA = 3962, I_VMOVDQU = 3971, I_VMOVHLPS = 2195,
I_VMOVHPD = 2382, I_VMOVHPS = 2373, I_VMOVLHPS = 2363, I_VMOVLPD = 2214, I_VMOVLPS = 2205,
I_VMOVMSKPD = 2836, I_VMOVMSKPS = 2825, I_VMOVNTDQ = 6858, I_VMOVNTDQA = 7905,
I_VMOVNTPD = 2593, I_VMOVNTPS = 2583, I_VMOVQ = 3939, I_VMOVSD = 2143, I_VMOVSHDUP = 2391,
I_VMOVSLDUP = 2223, I_VMOVSS = 2135, I_VMOVUPD = 2126, I_VMOVUPS = 2117, I_VMPSADBW = 9637,
I_VMPTRLD = 9988, I_VMPTRST = 6385, I_VMREAD = 4128, I_VMRESUME = 1737, I_VMRUN = 1795,
I_VMSAVE = 1819, I_VMULPD = 3199, I_VMULPS = 3191, I_VMULSD = 3215, I_VMULSS = 3207,
I_VMWRITE = 4152, I_VMXOFF = 1747, I_VMXON = 10006, I_VORPD = 3066, I_VORPS = 3059,
I_VPABSB = 7695, I_VPABSD = 7725, I_VPABSW = 7710, I_VPACKSSDW = 3859, I_VPACKSSWB = 3691,
I_VPACKUSDW = 7926, I_VPACKUSWB = 3769, I_VPADDB = 7211, I_VPADDD = 7241,
I_VPADDQ = 6488, I_VPADDSB = 6938, I_VPADDSW = 6955, I_VPADDUSW = 6629, I_VPADDW = 7226,
I_VPALIGNR = 9419, I_VPAND = 6613, I_VPANDN = 6672, I_VPAVGB = 6687, I_VPAVGW = 6732,
I_VPBLENDVB = 9692, I_VPBLENDW = 9400, I_VPCLMULQDQ = 9658, I_VPCMPEQB = 4052,
I_VPCMPEQD = 4090, I_VPCMPEQQ = 7885, I_VPCMPEQW = 4071, I_VPCMPESTRI = 9737,
I_VPCMPESTRM = 9714, I_VPCMPGTB = 3711, I_VPCMPGTD = 3749, I_VPCMPGTQ = 8096,
I_VPCMPGTW = 3730, I_VPCMPISTRI = 9783, I_VPCMPISTRM = 9760, I_VPERM2F128 = 9265,
I_VPERMILPD = 7570, I_VPERMILPS = 7559, I_VPEXTRB = 9437, I_VPEXTRD = 9462,
I_VPEXTRQ = 9471, I_VPEXTRW = 6319, I_VPHADDD = 7383, I_VPHADDSW = 7401, I_VPHADDW = 7366,
I_VPHMINPOSUW = 8271, I_VPHSUBD = 7459, I_VPHSUBSW = 7477, I_VPHSUBW = 7442,
I_VPINSRB = 9538, I_VPINSRD = 9584, I_VPINSRQ = 9593, I_VPINSRW = 6302, I_VPMADDUBSW = 7422,
I_VPMADDWD = 7082, I_VPMAXSB = 8182, I_VPMAXSD = 8199, I_VPMAXSW = 6972, I_VPMAXUB = 6656,
I_VPMAXUD = 8233, I_VPMAXUW = 8216, I_VPMINSB = 8114, I_VPMINSD = 8131, I_VPMINSW = 6910,
I_VPMINUB = 6598, I_VPMINUD = 8165, I_VPMINUW = 8148, I_VPMOVMSKB = 6541,
I_VPMOVSXBD = 7764, I_VPMOVSXBQ = 7785, I_VPMOVSXBW = 7743, I_VPMOVSXDQ = 7848,
I_VPMOVSXWD = 7806, I_VPMOVSXWQ = 7827, I_VPMOVZXBD = 7992, I_VPMOVZXBQ = 8013,
I_VPMOVZXBW = 7971, I_VPMOVZXDQ = 8076, I_VPMOVZXWD = 8034, I_VPMOVZXWQ = 8055,
I_VPMULDQ = 7867, I_VPMULHRSW = 7548, I_VPMULHUW = 6749, I_VPMULHW = 6767,
I_VPMULLD = 8250, I_VPMULLW = 6504, I_VPMULUDQ = 7063, I_VPOR = 6924, I_VPSADBW = 7100,
I_VPSHUFB = 7349, I_VPSHUFD = 4014, I_VPSHUFHW = 4023, I_VPSHUFLW = 4033,
I_VPSIGNB = 7495, I_VPSIGND = 7529, I_VPSIGNW = 7512, I_VPSLLD = 7031, I_VPSLLDQ = 9855,
I_VPSLLQ = 7046, I_VPSLLW = 7016, I_VPSRAD = 6717, I_VPSRAW = 6702, I_VPSRLD = 6458,
I_VPSRLDQ = 9838, I_VPSRLQ = 6473, I_VPSRLW = 6443, I_VPSUBB = 7151, I_VPSUBD = 7181,
I_VPSUBQ = 7196, I_VPSUBSB = 6876, I_VPSUBSW = 6893, I_VPSUBUSB = 6561, I_VPSUBUSW = 6580,
I_VPSUBW = 7166, I_VPTEST = 7636, I_VPUNPCKHBW = 3791, I_VPUNPCKHDQ = 3837,
I_VPUNPCKHQDQ = 3907, I_VPUNPCKHWD = 3814, I_VPUNPCKLBW = 3623, I_VPUNPCKLDQ = 3669,
I_VPUNPCKLQDQ = 3882, I_VPUNPCKLWD = 3646, I_VPXOR = 6987, I_VRCPPS = 2967,
I_VRCPSS = 2975, I_VROUNDPD = 9305, I_VROUNDPS = 9286, I_VROUNDSD = 9343,
I_VROUNDSS = 9324, I_VRSQRTPS = 2933, I_VRSQRTSS = 2943, I_VSHUFPD = 6353,
I_VSHUFPS = 6344, I_VSQRTPD = 2888, I_VSQRTPS = 2879, I_VSQRTSD = 2906, I_VSQRTSS = 2897,
I_VSTMXCSR = 9970, I_VSUBPD = 3408, I_VSUBPS = 3400, I_VSUBSD = 3424, I_VSUBSS = 3416,
I_VTESTPD = 7590, I_VTESTPS = 7581, I_VUCOMISD = 2761, I_VUCOMISS = 2751,
I_VUNPCKHPD = 2317, I_VUNPCKHPS = 2306, I_VUNPCKLPD = 2275, I_VUNPCKLPS = 2264,
I_VXORPD = 3095, I_VXORPS = 3087, I_VZEROALL = 4118, I_VZEROUPPER = 4106,
I_WAIT = 10028, I_WBINVD = 561, I_WRFSBASE = 9931, I_WRGSBASE = 9960, I_WRMSR = 586,
I_XADD = 946, I_XCHG = 212, I_XGETBV = 1771, I_XLAT = 400, I_XOR = 61, I_XORPD = 3080,
I_XORPS = 3073, I_XRSTOR = 4273, I_XRSTOR64 = 4281, I_XSAVE = 4249, I_XSAVE64 = 4256,
I_XSAVEOPT = 4299, I_XSAVEOPT64 = 4309, I_XSETBV = 1779
} _InstructionType;
typedef enum {
R_RAX, R_RCX, R_RDX, R_RBX, R_RSP, R_RBP, R_RSI, R_RDI, R_R8, R_R9, R_R10, R_R11, R_R12, R_R13, R_R14, R_R15,
R_EAX, R_ECX, R_EDX, R_EBX, R_ESP, R_EBP, R_ESI, R_EDI, R_R8D, R_R9D, R_R10D, R_R11D, R_R12D, R_R13D, R_R14D, R_R15D,
R_AX, R_CX, R_DX, R_BX, R_SP, R_BP, R_SI, R_DI, R_R8W, R_R9W, R_R10W, R_R11W, R_R12W, R_R13W, R_R14W, R_R15W,
R_AL, R_CL, R_DL, R_BL, R_AH, R_CH, R_DH, R_BH, R_R8B, R_R9B, R_R10B, R_R11B, R_R12B, R_R13B, R_R14B, R_R15B,
R_SPL, R_BPL, R_SIL, R_DIL,
R_ES, R_CS, R_SS, R_DS, R_FS, R_GS,
R_RIP,
R_ST0, R_ST1, R_ST2, R_ST3, R_ST4, R_ST5, R_ST6, R_ST7,
R_MM0, R_MM1, R_MM2, R_MM3, R_MM4, R_MM5, R_MM6, R_MM7,
R_XMM0, R_XMM1, R_XMM2, R_XMM3, R_XMM4, R_XMM5, R_XMM6, R_XMM7, R_XMM8, R_XMM9, R_XMM10, R_XMM11, R_XMM12, R_XMM13, R_XMM14, R_XMM15,
R_YMM0, R_YMM1, R_YMM2, R_YMM3, R_YMM4, R_YMM5, R_YMM6, R_YMM7, R_YMM8, R_YMM9, R_YMM10, R_YMM11, R_YMM12, R_YMM13, R_YMM14, R_YMM15,
R_CR0, R_UNUSED0, R_CR2, R_CR3, R_CR4, R_UNUSED1, R_UNUSED2, R_UNUSED3, R_CR8,
R_DR0, R_DR1, R_DR2, R_DR3, R_UNUSED4, R_UNUSED5, R_DR6, R_DR7
} _RegisterType;
#endif /* MNEMONICS_H */

1298
VB-Research/vbOpenScript/dll/diStorm3.3/operands.c Normal file
View File

File diff suppressed because it is too large Load Diff

40
VB-Research/vbOpenScript/dll/diStorm3.3/operands.h Normal file
View File

@ -0,0 +1,40 @@
/*
operands.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef OPERANDS_H
#define OPERANDS_H
#include "config.h"
#include "decoder.h"
#include "prefix.h"
#include "instructions.h"
extern uint16_t _REGISTERTORCLASS[];
int operands_extract(_CodeInfo* ci, _DInst* di, _InstInfo* ii,
_iflags instFlags, _OpType type, _OperandNumberType opNum,
unsigned int modrm, _PrefixState* ps, _DecodeType effOpSz,
_DecodeType effAdrSz, int* lockableInstruction);
#endif /* OPERANDS_H */

380
VB-Research/vbOpenScript/dll/diStorm3.3/prefix.c Normal file
View File

@ -0,0 +1,380 @@
/*
prefix.c
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "prefix.h"
#include "x86defs.h"
#include "instructions.h"
#include "mnemonics.h"
/*
* The main purpose of this module is to keep track of all kind of prefixes a single instruction may have.
* The problem is that a single instruction may have up to six different prefix-types.
* That's why I have to detect such cases and drop those excess prefixes.
*/
int prefixes_is_valid(unsigned int ch, _DecodeType dt)
{
switch (ch) {
/* for i in xrange(0x40, 0x50): print "case 0x%2x:" % i */
case 0x40: /* REX: */
case 0x41:
case 0x42:
case 0x43:
case 0x44:
case 0x45:
case 0x46:
case 0x47:
case 0x48:
case 0x49:
case 0x4a:
case 0x4b:
case 0x4c:
case 0x4d:
case 0x4e:
case 0x4f: return (dt == Decode64Bits);
case PREFIX_LOCK: return TRUE;
case PREFIX_REPNZ: return TRUE;
case PREFIX_REP: return TRUE;
case PREFIX_CS: return TRUE;
case PREFIX_SS: return TRUE;
case PREFIX_DS: return TRUE;
case PREFIX_ES: return TRUE;
case PREFIX_FS: return TRUE;
case PREFIX_GS: return TRUE;
case PREFIX_OP_SIZE: return TRUE;
case PREFIX_ADDR_SIZE: return TRUE;
/* The VEXs might be false positives, the decode_perfixes will determine for sure. */
case PREFIX_VEX2b: /* VEX is supported for all modes, because 16 bits Pmode is included. */
case PREFIX_VEX3b: return TRUE;
}
return FALSE;
}
/* Ignore a specific prefix type. */
void prefixes_ignore(_PrefixState* ps, _PrefixIndexer pi)
{
/*
* If that type of prefix appeared already, set the bit of that *former* prefix.
* Anyway, set the new index of that prefix type to the current index, so next time we know its position.
*/
if (ps->pfxIndexer[pi] != PFXIDX_NONE) ps->unusedPrefixesMask |= (1 << ps->pfxIndexer[pi]);
}
/* Ignore all prefix. */
void prefixes_ignore_all(_PrefixState* ps)
{
int i;
for (i = 0; i < PFXIDX_MAX; i++)
prefixes_ignore(ps, i);
}
/* Calculates which prefixes weren't used and accordingly sets the bits in the unusedPrefixesMask. */
uint16_t prefixes_set_unused_mask(_PrefixState* ps)
{
/*
* The decodedPrefixes represents the prefixes that were *read* from the binary stream for the instruction.
* The usedPrefixes represents the prefixes that were actually used by the instruction in the *decode* phase.
* Xoring between the two will result in a 'diff' which returns the prefixes that were read
* from the stream *and* that were never used in the actual decoding.
*
* Only one prefix per type can be set in decodedPrefixes from the stream.
* Therefore it's enough to check each type once and set the flag accordingly.
* That's why we had to book-keep each prefix type and its position.
* So now we know which bits we need to set exactly in the mask.
*/
_iflags unusedPrefixesDiff = ps->decodedPrefixes ^ ps->usedPrefixes;
/* Examine unused prefixes by type: */
/*
* About REX: it might be set in the diff although it was never in the stream itself.
* This is because the vrex is shared between VEX and REX and some places flag it as REX usage, while
* we were really decoding an AVX instruction.
* It's not a big problem, because the prefixes_ignore func will ignore it anyway,
* since it wasn't seen earlier. But it's important to know this.
*/
if (unusedPrefixesDiff & INST_PRE_REX) prefixes_ignore(ps, PFXIDX_REX);
if (unusedPrefixesDiff & INST_PRE_SEGOVRD_MASK) prefixes_ignore(ps, PFXIDX_SEG);
if (unusedPrefixesDiff & INST_PRE_LOKREP_MASK) prefixes_ignore(ps, PFXIDX_LOREP);
if (unusedPrefixesDiff & INST_PRE_OP_SIZE) prefixes_ignore(ps, PFXIDX_OP_SIZE);
if (unusedPrefixesDiff & INST_PRE_ADDR_SIZE) prefixes_ignore(ps, PFXIDX_ADRS);
/* If a VEX instruction was found, its prefix is considered as used, therefore no point for checking for it. */
return ps->unusedPrefixesMask;
}
/*
* Mark a prefix as unused, and bookkeep where we last saw this same type,
* because in the future we might want to disable it too.
*/
_INLINE_ void prefixes_track_unused(_PrefixState* ps, int index, _PrefixIndexer pi)
{
prefixes_ignore(ps, pi);
/* Book-keep the current index for this type. */
ps->pfxIndexer[pi] = index;
}
/*
* Read as many prefixes as possible, up to 15 bytes, and halt when we encounter non-prefix byte.
* This algorithm tries to imitate a real processor, where the same prefix can appear a few times, etc.
* The tiny complexity is that we want to know when a prefix was superfluous and mark any copy of it as unused.
* Note that the last prefix of its type will be considered as used, and all the others (of same type) before it as unused.
*/
void prefixes_decode(const uint8_t* code, int codeLen, _PrefixState* ps, _DecodeType dt)
{
int index, done;
uint8_t vex;
/*
* First thing to do, scan for prefixes, there are six types of prefixes.
* There may be up to six prefixes before a single instruction, not the same type, no special order,
* except REX/VEX must precede immediately the first opcode byte.
* BTW - This is the reason why I didn't make the REP prefixes part of the instructions (STOS/SCAS/etc).
*
* Another thing, the instruction maximum size is 15 bytes, thus if we read more than 15 bytes, we will halt.
*
* We attach all prefixes to the next instruction, there might be two or more occurrences from the same prefix.
* Also, since VEX can be allowed only once we will test it separately.
*/
for (index = 0, done = FALSE;
(codeLen > 0) && (code - ps->start < INST_MAXIMUM_SIZE);
code++, codeLen--, index++) {
/*
NOTE: AMD treat lock/rep as two different groups... But I am based on Intel.
- Lock and Repeat:
- 0xF0 LOCK
- 0xF2 REPNE/REPNZ
- 0xF3 - REP/REPE/REPZ
- Segment Override:
- 0x2E - CS
- 0x36 - SS
- 0x3E - DS
- 0x26 - ES
- 0x64 - FS
- 0x65 - GS
- Operand-Size Override: 0x66, switching default size.
- Address-Size Override: 0x67, switching default size.
64 Bits:
- REX: 0x40 - 0x4f, extends register access.
- 2 Bytes VEX: 0xc4
- 3 Bytes VEX: 0xc5
32 Bits:
- 2 Bytes VEX: 0xc4 11xx-xxxx
- 3 Bytes VEX: 0xc5 11xx-xxxx
*/
/* Examine what type of prefix we got. */
switch (*code)
{
/* REX type, 64 bits decoding mode only: */
case 0x40:
case 0x41:
case 0x42:
case 0x43:
case 0x44:
case 0x45:
case 0x46:
case 0x47:
case 0x48:
case 0x49:
case 0x4a:
case 0x4b:
case 0x4c:
case 0x4d:
case 0x4e:
case 0x4f:
if (dt == Decode64Bits) {
ps->decodedPrefixes |= INST_PRE_REX;
ps->vrex = *code & 0xf; /* Keep only BXRW. */
ps->rexPos = code;
ps->prefixExtType = PET_REX;
prefixes_track_unused(ps, index, PFXIDX_REX);
} else done = TRUE; /* If we are not in 64 bits mode, it's an instruction, then halt. */
break;
/* LOCK and REPx type: */
case PREFIX_LOCK:
ps->decodedPrefixes |= INST_PRE_LOCK;
prefixes_track_unused(ps, index, PFXIDX_LOREP);
break;
case PREFIX_REPNZ:
ps->decodedPrefixes |= INST_PRE_REPNZ;
prefixes_track_unused(ps, index, PFXIDX_LOREP);
break;
case PREFIX_REP:
ps->decodedPrefixes |= INST_PRE_REP;
prefixes_track_unused(ps, index, PFXIDX_LOREP);
break;
/* Seg Overide type: */
case PREFIX_CS:
ps->decodedPrefixes |= INST_PRE_CS;
prefixes_track_unused(ps, index, PFXIDX_SEG);
break;
case PREFIX_SS:
ps->decodedPrefixes |= INST_PRE_SS;
prefixes_track_unused(ps, index, PFXIDX_SEG);
break;
case PREFIX_DS:
ps->decodedPrefixes |= INST_PRE_DS;
prefixes_track_unused(ps, index, PFXIDX_SEG);
break;
case PREFIX_ES:
ps->decodedPrefixes |= INST_PRE_ES;
prefixes_track_unused(ps, index, PFXIDX_SEG);
break;
case PREFIX_FS:
ps->decodedPrefixes |= INST_PRE_FS;
prefixes_track_unused(ps, index, PFXIDX_SEG);
break;
case PREFIX_GS:
ps->decodedPrefixes |= INST_PRE_GS;
prefixes_track_unused(ps, index, PFXIDX_SEG);
break;
/* Op Size type: */
case PREFIX_OP_SIZE:
ps->decodedPrefixes |= INST_PRE_OP_SIZE;
prefixes_track_unused(ps, index, PFXIDX_OP_SIZE);
break;
/* Addr Size type: */
case PREFIX_ADDR_SIZE:
ps->decodedPrefixes |= INST_PRE_ADDR_SIZE;
prefixes_track_unused(ps, index, PFXIDX_ADRS);
break;
/* Non-prefix byte now, so break 2. */
default: done = TRUE; break;
}
if (done) break;
}
/* 2 Bytes VEX: */
if ((codeLen >= 2) &&
(*code == PREFIX_VEX2b) &&
((code - ps->start) <= INST_MAXIMUM_SIZE - 2)) {
/*
* In 32 bits the second byte has to be in the special range of Mod=11.
* Otherwise it might be a normal LDS instruction.
*/
if ((dt == Decode64Bits) || (*(code + 1) >= INST_DIVIDED_MODRM)) {
ps->vexPos = code + 1;
ps->decodedPrefixes |= INST_PRE_VEX;
ps->prefixExtType = PET_VEX2BYTES;
/*
* VEX 1 byte bits:
* |7-6--3-2-10|
* |R|vvvv|L|pp|
* |-----------|
*/
/* -- Convert from VEX prefix to VREX flags -- */
vex = *ps->vexPos;
if (~vex & 0x80 && dt == Decode64Bits) ps->vrex |= PREFIX_EX_R; /* Convert VEX.R. */
if (vex & 4) ps->vrex |= PREFIX_EX_L; /* Convert VEX.L. */
code += 2;
}
}
/* 3 Bytes VEX: */
if ((codeLen >= 3) &&
(*code == PREFIX_VEX3b) &&
((code - ps->start) <= INST_MAXIMUM_SIZE - 3) &&
(~ps->decodedPrefixes & INST_PRE_VEX)) {
/*
* In 32 bits the second byte has to be in the special range of Mod=11.
* Otherwise it might be a normal LES instruction.
* And we don't care now about the 3rd byte.
*/
if ((dt == Decode64Bits) || (*(code + 1) >= INST_DIVIDED_MODRM)) {
ps->vexPos = code + 1;
ps->decodedPrefixes |= INST_PRE_VEX;
ps->prefixExtType = PET_VEX3BYTES;
/*
* VEX first and second bytes:
* |7-6-5-4----0| |7-6--3-2-10|
* |R|X|B|m-mmmm| |W|vvvv|L|pp|
* |------------| |-----------|
*/
/* -- Convert from VEX prefix to VREX flags -- */
vex = *ps->vexPos;
ps->vrex |= ((~vex >> 5) & 0x7); /* Shift and invert VEX.R/X/B to their place */
vex = *(ps->vexPos + 1);
if (vex & 4) ps->vrex |= PREFIX_EX_L; /* Convert VEX.L. */
if (vex & 0x80) ps->vrex |= PREFIX_EX_W; /* Convert VEX.W. */
/* Clear some flags if the mode isn't 64 bits. */
if (dt != Decode64Bits) ps->vrex &= ~(PREFIX_EX_B | PREFIX_EX_X | PREFIX_EX_R | PREFIX_EX_W);
code += 3;
}
}
/*
* Save last byte scanned address, so the decoder could keep on scanning from this point and on and on and on.
* In addition the decoder is able to know that the last byte could lead to MMX/SSE instructions (preceding REX if exists).
*/
ps->last = code; /* ps->last points to an opcode byte. */
}
/*
* For every memory-indirection operand we want to set its corresponding default segment.
* If the segment is being overrided, we need to see whether we use it or not.
* We will use it only if it's not the default one already.
*/
void prefixes_use_segment(_iflags defaultSeg, _PrefixState* ps, _DecodeType dt, _DInst* di)
{
_iflags flags = 0;
if (dt == Decode64Bits) flags = ps->decodedPrefixes & INST_PRE_SEGOVRD_MASK64;
else flags = ps->decodedPrefixes & INST_PRE_SEGOVRD_MASK;
if ((flags == 0) || (flags == defaultSeg)) {
flags = defaultSeg;
di->segment |= SEGMENT_DEFAULT;
} else if (flags != defaultSeg) {
/* Use it only if it's non-default segment. */
ps->usedPrefixes |= flags;
}
/* ASSERT: R_XX must be below 128. */
switch (flags)
{
case INST_PRE_ES: di->segment |= R_ES; break;
case INST_PRE_CS: di->segment |= R_CS; break;
case INST_PRE_SS: di->segment |= R_SS; break;
case INST_PRE_DS: di->segment |= R_DS; break;
case INST_PRE_FS: di->segment |= R_FS; break;
case INST_PRE_GS: di->segment |= R_GS; break;
}
/* If it's one of the CS,SS,DS,ES and the mode is 64 bits, set segment it to none, since it's ignored. */
if ((dt == Decode64Bits) && (flags & INST_PRE_SEGOVRD_MASK32)) di->segment = R_NONE;
}

76
VB-Research/vbOpenScript/dll/diStorm3.3/prefix.h Normal file
View File

@ -0,0 +1,76 @@
/*
prefix.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef PREFIX_H
#define PREFIX_H
#include "config.h"
#include "decoder.h"
/* Specifies the type of the extension prefix, such as: REX, 2 bytes VEX, 3 bytes VEX. */
typedef enum {PET_NONE = 0, PET_REX, PET_VEX2BYTES, PET_VEX3BYTES} _PrefixExtType;
/* Specifies an index into a table of prefixes by their type. */
typedef enum {PFXIDX_NONE = -1, PFXIDX_REX, PFXIDX_LOREP, PFXIDX_SEG, PFXIDX_OP_SIZE, PFXIDX_ADRS, PFXIDX_MAX} _PrefixIndexer;
/*
* This holds the prefixes state for the current instruction we decode.
* decodedPrefixes includes all specific prefixes that the instruction got.
* start is a pointer to the first prefix to take into account.
* last is a pointer to the last byte we scanned.
* Other pointers are used to keep track of prefixes positions and help us know if they appeared already and where.
*/
typedef struct {
_iflags decodedPrefixes, usedPrefixes;
const uint8_t *start, *last, *vexPos, *rexPos;
_PrefixExtType prefixExtType;
uint16_t unusedPrefixesMask;
/* Indicates whether the operand size prefix (0x66) was used as a mandatory prefix. */
int isOpSizeMandatory;
/* If VEX prefix is used, store the VEX.vvvv field. */
unsigned int vexV;
/* The fields B/X/R/W/L of REX and VEX are stored together in this byte. */
unsigned int vrex;
/* !! Make sure pfxIndexer is LAST! Otherwise memset won't work well with it. !! */
/* Holds the offset to the prefix byte by its type. */
int pfxIndexer[PFXIDX_MAX];
} _PrefixState;
/*
* Intel supports 6 types of prefixes, whereas AMD supports 5 types (lock is seperated from rep/nz).
* REX is the fifth prefix type, this time I'm based on AMD64.
* VEX is the 6th, though it can't be repeated.
*/
#define MAX_PREFIXES (5)
int prefixes_is_valid(unsigned int ch, _DecodeType dt);
void prefixes_ignore(_PrefixState* ps, _PrefixIndexer pi);
void prefixes_ignore_all(_PrefixState* ps);
uint16_t prefixes_set_unused_mask(_PrefixState* ps);
void prefixes_decode(const uint8_t* code, int codeLen, _PrefixState* ps, _DecodeType dt);
void prefixes_use_segment(_iflags defaultSeg, _PrefixState* ps, _DecodeType dt, _DInst* di);
#endif /* PREFIX_H */

184
VB-Research/vbOpenScript/dll/diStorm3.3/textdefs.c Normal file
View File

@ -0,0 +1,184 @@
/*
textdefs.c
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "textdefs.h"
#ifndef DISTORM_LIGHT
static uint8_t Nibble2ChrTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
#define NIBBLE_TO_CHR Nibble2ChrTable[t]
void _FASTCALL_ str_hex_b(_WString* s, unsigned int x)
{
/*
* def prebuilt():
* s = ""
* for i in xrange(256):
* if ((i % 0x10) == 0):
* s += "\r\n"
* s += "\"%02x\", " % (i)
* return s
*/
static int8_t TextBTable[256][3] = {
"00", "01", "02", "03", "04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f",
"10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d", "1e", "1f",
"20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "2a", "2b", "2c", "2d", "2e", "2f",
"30", "31", "32", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3d", "3e", "3f",
"40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4d", "4e", "4f",
"50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f",
"60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6c", "6d", "6e", "6f",
"70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f",
"80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f",
"90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f",
"a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "ab", "ac", "ad", "ae", "af",
"b0", "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "bb", "bc", "bd", "be", "bf",
"c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "ca", "cb", "cc", "cd", "ce", "cf",
"d0", "d1", "d2", "d3", "d4", "d5", "d6", "d7", "d8", "d9", "da", "db", "dc", "dd", "de", "df",
"e0", "e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eb", "ec", "ed", "ee", "ef",
"f0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fb", "fc", "fd", "fe", "ff"
};
/*
* Fixed length of 3 including null terminate character.
*/
memcpy(&s->p[s->length], TextBTable[x & 255], 3);
s->length += 2;
}
void _FASTCALL_ str_code_hb(_WString* s, unsigned int x)
{
static int8_t TextHBTable[256][5] = {
/*
* def prebuilt():
* s = ""
* for i in xrange(256):
* if ((i % 0x10) == 0):
* s += "\r\n"
* s += "\"0x%x\", " % (i)
* return s
*/
"0x0", "0x1", "0x2", "0x3", "0x4", "0x5", "0x6", "0x7", "0x8", "0x9", "0xa", "0xb", "0xc", "0xd", "0xe", "0xf",
"0x10", "0x11", "0x12", "0x13", "0x14", "0x15", "0x16", "0x17", "0x18", "0x19", "0x1a", "0x1b", "0x1c", "0x1d", "0x1e", "0x1f",
"0x20", "0x21", "0x22", "0x23", "0x24", "0x25", "0x26", "0x27", "0x28", "0x29", "0x2a", "0x2b", "0x2c", "0x2d", "0x2e", "0x2f",
"0x30", "0x31", "0x32", "0x33", "0x34", "0x35", "0x36", "0x37", "0x38", "0x39", "0x3a", "0x3b", "0x3c", "0x3d", "0x3e", "0x3f",
"0x40", "0x41", "0x42", "0x43", "0x44", "0x45", "0x46", "0x47", "0x48", "0x49", "0x4a", "0x4b", "0x4c", "0x4d", "0x4e", "0x4f",
"0x50", "0x51", "0x52", "0x53", "0x54", "0x55", "0x56", "0x57", "0x58", "0x59", "0x5a", "0x5b", "0x5c", "0x5d", "0x5e", "0x5f",
"0x60", "0x61", "0x62", "0x63", "0x64", "0x65", "0x66", "0x67", "0x68", "0x69", "0x6a", "0x6b", "0x6c", "0x6d", "0x6e", "0x6f",
"0x70", "0x71", "0x72", "0x73", "0x74", "0x75", "0x76", "0x77", "0x78", "0x79", "0x7a", "0x7b", "0x7c", "0x7d", "0x7e", "0x7f",
"0x80", "0x81", "0x82", "0x83", "0x84", "0x85", "0x86", "0x87", "0x88", "0x89", "0x8a", "0x8b", "0x8c", "0x8d", "0x8e", "0x8f",
"0x90", "0x91", "0x92", "0x93", "0x94", "0x95", "0x96", "0x97", "0x98", "0x99", "0x9a", "0x9b", "0x9c", "0x9d", "0x9e", "0x9f",
"0xa0", "0xa1", "0xa2", "0xa3", "0xa4", "0xa5", "0xa6", "0xa7", "0xa8", "0xa9", "0xaa", "0xab", "0xac", "0xad", "0xae", "0xaf",
"0xb0", "0xb1", "0xb2", "0xb3", "0xb4", "0xb5", "0xb6", "0xb7", "0xb8", "0xb9", "0xba", "0xbb", "0xbc", "0xbd", "0xbe", "0xbf",
"0xc0", "0xc1", "0xc2", "0xc3", "0xc4", "0xc5", "0xc6", "0xc7", "0xc8", "0xc9", "0xca", "0xcb", "0xcc", "0xcd", "0xce", "0xcf",
"0xd0", "0xd1", "0xd2", "0xd3", "0xd4", "0xd5", "0xd6", "0xd7", "0xd8", "0xd9", "0xda", "0xdb", "0xdc", "0xdd", "0xde", "0xdf",
"0xe0", "0xe1", "0xe2", "0xe3", "0xe4", "0xe5", "0xe6", "0xe7", "0xe8", "0xe9", "0xea", "0xeb", "0xec", "0xed", "0xee", "0xef",
"0xf0", "0xf1", "0xf2", "0xf3", "0xf4", "0xf5", "0xf6", "0xf7", "0xf8", "0xf9", "0xfa", "0xfb", "0xfc", "0xfd", "0xfe", "0xff"
};
if (x < 0x10) { /* < 0x10 has a fixed length of 4 including null terminate. */
memcpy(&s->p[s->length], TextHBTable[x & 255], 4);
s->length += 3;
} else { /* >= 0x10 has a fixed length of 5 including null terminate. */
memcpy(&s->p[s->length], TextHBTable[x & 255], 5);
s->length += 4;
}
}
void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x)
{
int8_t* buf;
int i = 0, shift = 0;
unsigned int t = 0;
buf = (int8_t*)&s->p[s->length];
buf[0] = '0';
buf[1] = 'x';
buf += 2;
for (shift = 28; shift != 0; shift -= 4) {
t = (x >> shift) & 0xf;
if (i | t) buf[i++] = NIBBLE_TO_CHR;
}
t = x & 0xf;
buf[i++] = NIBBLE_TO_CHR;
s->length += i + 2;
buf[i] = '\0';
}
void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8])
{
int8_t* buf;
int i = 0, shift = 0;
uint32_t x = RULONG(&src[sizeof(int32_t)]);
int t;
buf = (int8_t*)&s->p[s->length];
buf[0] = '0';
buf[1] = 'x';
buf += 2;
for (shift = 28; shift != -4; shift -= 4) {
t = (x >> shift) & 0xf;
if (i | t) buf[i++] = NIBBLE_TO_CHR;
}
x = RULONG(src);
for (shift = 28; shift != 0; shift -= 4) {
t = (x >> shift) & 0xf;
if (i | t) buf[i++] = NIBBLE_TO_CHR;
}
t = x & 0xf;
buf[i++] = NIBBLE_TO_CHR;
s->length += i + 2;
buf[i] = '\0';
}
#ifdef SUPPORT_64BIT_OFFSET
void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x)
{
int8_t* buf;
int i = 0, shift = 0;
OFFSET_INTEGER t = 0;
buf = (int8_t*)&s->p[s->length];
buf[0] = '0';
buf[1] = 'x';
buf += 2;
for (shift = 60; shift != 0; shift -= 4) {
t = (x >> shift) & 0xf;
if (i | t) buf[i++] = NIBBLE_TO_CHR;
}
t = x & 0xf;
buf[i++] = NIBBLE_TO_CHR;
s->length += i + 2;
buf[i] = '\0';
}
#endif /* SUPPORT_64BIT_OFFSET */
#endif /* DISTORM_LIGHT */

71
VB-Research/vbOpenScript/dll/diStorm3.3/textdefs.h Normal file
View File

@ -0,0 +1,71 @@
/*
textdefs.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef TEXTDEFS_H
#define TEXTDEFS_H
#include "config.h"
#include "wstring.h"
#ifndef DISTORM_LIGHT
#define PLUS_DISP_CHR '+'
#define MINUS_DISP_CHR '-'
#define OPEN_CHR '['
#define CLOSE_CHR ']'
#define SP_CHR ' '
#define SEG_OFF_CHR ':'
/*
Naming Convention:
* get - returns a pointer to a string.
* str - concatenates to string.
* hex - means the function is used for hex dump (number is padded to required size) - Little Endian output.
* code - means the function is used for disassembled instruction - Big Endian output.
* off - means the function is used for 64bit offset - Big Endian output.
* h - '0x' in front of the string.
* b - byte
* dw - double word (can be used for word also)
* qw - quad word
* all numbers are in HEX.
*/
extern int8_t TextBTable[256][4];
void _FASTCALL_ str_hex_b(_WString* s, unsigned int x);
void _FASTCALL_ str_code_hb(_WString* s, unsigned int x);
void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x);
void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]);
#ifdef SUPPORT_64BIT_OFFSET
void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x);
#endif
#endif /* DISTORM_LIGHT */
#endif /* TEXTDEFS_H */

59
VB-Research/vbOpenScript/dll/diStorm3.3/wstring.c Normal file
View File

@ -0,0 +1,59 @@
/*
wstring.c
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#include "wstring.h"
#ifndef DISTORM_LIGHT
void strclear_WS(_WString* s)
{
s->p[0] = '\0';
s->length = 0;
}
void chrcat_WS(_WString* s, uint8_t ch)
{
s->p[s->length] = ch;
s->p[s->length + 1] = '\0';
s->length += 1;
}
void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len)
{
s->length = len;
memcpy((int8_t*)s->p, buf, len + 1);
}
void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len)
{
memcpy((int8_t*)&s->p[s->length], buf, len + 1);
s->length += len;
}
void strcat_WS(_WString* s, const _WString* s2)
{
memcpy((int8_t*)&s->p[s->length], s2->p, s2->length + 1);
s->length += s2->length;
}
#endif /* DISTORM_LIGHT */

47
VB-Research/vbOpenScript/dll/diStorm3.3/wstring.h Normal file
View File

@ -0,0 +1,47 @@
/*
wstring.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef WSTRING_H
#define WSTRING_H
#include "config.h"
#ifndef DISTORM_LIGHT
void strclear_WS(_WString* s);
void chrcat_WS(_WString* s, uint8_t ch);
void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len);
void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len);
void strcat_WS(_WString* s, const _WString* s2);
/*
* Warning, this macro should be used only when the compiler knows the size of string in advance!
* This macro is used in order to spare the call to strlen when the strings are known already.
* Note: sizeof includes NULL terminated character.
*/
#define strcat_WSN(s, t) strcatlen_WS((s), ((const int8_t*)t), sizeof((t))-1)
#define strcpy_WSN(s, t) strcpylen_WS((s), ((const int8_t*)t), sizeof((t))-1)
#endif /* DISTORM_LIGHT */
#endif /* WSTRING_H */

94
VB-Research/vbOpenScript/dll/diStorm3.3/x86defs.h Normal file
View File

@ -0,0 +1,94 @@
/*
x86defs.h
diStorm3 - Powerful disassembler for X86/AMD64
http://ragestorm.net/distorm/
distorm at gmail dot com
Copyright (C) 2003-2012 Gil Dabah
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation, either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program. If not, see <http://www.gnu.org/licenses/>
*/
#ifndef X86DEFS_H
#define X86DEFS_H
#define SEG_REGS_MAX (6)
#define CREGS_MAX (9)
#define DREGS_MAX (8)
/* Maximum instruction size, including prefixes */
#define INST_MAXIMUM_SIZE (15)
/* Maximum range of imm8 (comparison type) of special SSE CMP instructions. */
#define INST_CMP_MAX_RANGE (8)
/* Maximum range of imm8 (comparison type) of special AVX VCMP instructions. */
#define INST_VCMP_MAX_RANGE (32)
/* Wait instruction byte code. */
#define INST_WAIT_INDEX (0x9b)
/* Lea instruction byte code. */
#define INST_LEA_INDEX (0x8d)
/* NOP/XCHG instruction byte code. */
#define INST_NOP_INDEX (0x90)
/* ARPL/MOVSXD instruction byte code. */
#define INST_ARPL_INDEX (0x63)
/*
* Minimal MODR/M value of divided instructions.
* It's 0xc0, two MSBs set, which indicates a general purpose register is used too.
*/
#define INST_DIVIDED_MODRM (0xc0)
/* This is the escape byte value used for 3DNow! instructions. */
#define _3DNOW_ESCAPE_BYTE (0x0f)
#define PREFIX_LOCK (0xf0)
#define PREFIX_REPNZ (0xf2)
#define PREFIX_REP (0xf3)
#define PREFIX_CS (0x2e)
#define PREFIX_SS (0x36)
#define PREFIX_DS (0x3e)
#define PREFIX_ES (0x26)
#define PREFIX_FS (0x64)
#define PREFIX_GS (0x65)
#define PREFIX_OP_SIZE (0x66)
#define PREFIX_ADDR_SIZE (0x67)
#define PREFIX_VEX2b (0xc5)
#define PREFIX_VEX3b (0xc4)
/* REX prefix value range, 64 bits mode decoding only. */
#define PREFIX_REX_LOW (0x40)
#define PREFIX_REX_HI (0x4f)
/* In order to use the extended GPR's we have to add 8 to the Modr/M info values. */
#define EX_GPR_BASE (8)
/* Mask for REX and VEX features: */
/* Base */
#define PREFIX_EX_B (1)
/* Index */
#define PREFIX_EX_X (2)
/* Register */
#define PREFIX_EX_R (4)
/* Operand Width */
#define PREFIX_EX_W (8)
/* Vector Lengh */
#define PREFIX_EX_L (0x10)
#endif /* X86DEFS_H */

BIN
VB-Research/vbOpenScript/dll/dll.cpp Normal file
View File

Binary file not shown.

BIN
VB-Research/vbOpenScript/dll/dll.opt Normal file
View File

Binary file not shown.

26
VB-Research/vbOpenScript/dll/dll.sln Normal file
View File

@ -0,0 +1,26 @@

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual Studio 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "dll", "dll.vcproj", "{1461E901-4125-4CC8-ADBC-8ED146DCF048}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Debug|x64 = Debug|x64
Release|Win32 = Release|Win32
Release|x64 = Release|x64
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Debug|Win32.ActiveCfg = Debug|Win32
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Debug|Win32.Build.0 = Debug|Win32
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Debug|x64.ActiveCfg = Debug|x64
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Debug|x64.Build.0 = Debug|x64
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Release|Win32.ActiveCfg = Release|Win32
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Release|Win32.Build.0 = Release|Win32
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Release|x64.ActiveCfg = Release|x64
{1461E901-4125-4CC8-ADBC-8ED146DCF048}.Release|x64.Build.0 = Release|x64
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

BIN
VB-Research/vbOpenScript/dll/dll.suo Normal file
View File

Binary file not shown.

543
VB-Research/vbOpenScript/dll/dll.vcproj Normal file
View File

@ -0,0 +1,543 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="dll"
ProjectGUID="{1461E901-4125-4CC8-ADBC-8ED146DCF048}"
RootNamespace="dll"
TargetFrameworkVersion="0"
>
<Platforms>
<Platform
Name="Win32"
/>
<Platform
Name="x64"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory=".\Debug"
IntermediateDirectory=".\Debug"
ConfigurationType="2"
InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC60.vsprops"
UseOfMFC="0"
ATLMinimizesCRunTimeLibraryUsage="false"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
PreprocessorDefinitions="_DEBUG"
MkTypLibCompatible="true"
SuppressStartupBanner="true"
TargetEnvironment="1"
TypeLibraryName=".\Debug/dll.tlb"
HeaderFileName=""
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
PrecompiledHeaderFile=".\Debug/dll.pch"
AssemblerListingLocation=".\Debug/"
ObjectFile=".\Debug/"
ProgramDataBaseFileName=".\Debug/"
WarningLevel="3"
SuppressStartupBanner="true"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_DEBUG"
Culture="1033"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="odbc32.lib odbccp32.lib urlmon.lib ws2_32.lib wininet.lib"
OutputFile="./../openScript.dll"
LinkIncremental="2"
SuppressStartupBanner="true"
GenerateDebugInformation="true"
ProgramDatabaseFile="./../../api_log.pdb"
RandomizedBaseAddress="1"
DataExecutionPrevention="0"
ImportLibrary=".\Debug/api_log.lib"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
SuppressStartupBanner="true"
OutputFile=".\Debug/dll.bsc"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Debug|x64"
OutputDirectory="$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC60.vsprops"
UseOfMFC="0"
ATLMinimizesCRunTimeLibraryUsage="false"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
PreprocessorDefinitions="_DEBUG"
MkTypLibCompatible="true"
SuppressStartupBanner="true"
TargetEnvironment="3"
TypeLibraryName=".\Debug/dll.tlb"
HeaderFileName=""
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
PreprocessorDefinitions="WIN32;_DEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
PrecompiledHeaderFile=".\Debug/dll.pch"
AssemblerListingLocation=".\Debug/"
ObjectFile=".\Debug/"
ProgramDataBaseFileName=".\Debug/"
WarningLevel="3"
SuppressStartupBanner="true"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="_DEBUG"
Culture="1033"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="odbc32.lib odbccp32.lib urlmon.lib ws2_32.lib wininet.lib"
OutputFile="./../../api_log.x64.dll"
LinkIncremental="2"
SuppressStartupBanner="true"
GenerateDebugInformation="true"
ProgramDatabaseFile="./../../api_log.x64.pdb"
RandomizedBaseAddress="1"
DataExecutionPrevention="0"
ImportLibrary=".\Debug/api_log.lib"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
SuppressStartupBanner="true"
OutputFile=".\Debug/dll.bsc"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory=".\Release"
IntermediateDirectory=".\Release"
ConfigurationType="2"
InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC60.vsprops"
UseOfMFC="0"
ATLMinimizesCRunTimeLibraryUsage="false"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
PreprocessorDefinitions="NDEBUG"
MkTypLibCompatible="true"
SuppressStartupBanner="true"
TargetEnvironment="1"
TypeLibraryName=".\Release/dll.tlb"
HeaderFileName=""
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
InlineFunctionExpansion="1"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS"
StringPooling="true"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
PrecompiledHeaderFile=".\Release/dll.pch"
AssemblerListingLocation=".\Release/"
ObjectFile=".\Release/"
ProgramDataBaseFileName=".\Release/"
WarningLevel="3"
SuppressStartupBanner="true"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="NDEBUG"
Culture="1033"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="odbc32.lib odbccp32.lib urlmon.lib ws2_32.lib"
OutputFile="./../openScript.dll"
LinkIncremental="1"
SuppressStartupBanner="true"
ProgramDatabaseFile=".\Release/api_log.pdb"
RandomizedBaseAddress="1"
DataExecutionPrevention="0"
ImportLibrary=".\Release/api_log.lib"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
SuppressStartupBanner="true"
OutputFile=".\Release/dll.bsc"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|x64"
OutputDirectory="$(PlatformName)\$(ConfigurationName)"
IntermediateDirectory="$(PlatformName)\$(ConfigurationName)"
ConfigurationType="2"
InheritedPropertySheets="$(VCInstallDir)VCProjectDefaults\UpgradeFromVC60.vsprops"
UseOfMFC="0"
ATLMinimizesCRunTimeLibraryUsage="false"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
PreprocessorDefinitions="NDEBUG"
MkTypLibCompatible="true"
SuppressStartupBanner="true"
TargetEnvironment="3"
TypeLibraryName=".\Release/dll.tlb"
HeaderFileName=""
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
InlineFunctionExpansion="1"
PreprocessorDefinitions="WIN32;NDEBUG;_WINDOWS;_USRDLL;DLL_EXPORTS"
StringPooling="true"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
PrecompiledHeaderFile=".\Release/dll.pch"
AssemblerListingLocation=".\Release/"
ObjectFile=".\Release/"
ProgramDataBaseFileName=".\Release/"
WarningLevel="3"
SuppressStartupBanner="true"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
PreprocessorDefinitions="NDEBUG"
Culture="1033"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
AdditionalDependencies="odbc32.lib odbccp32.lib urlmon.lib ws2_32.lib"
OutputFile="./../../api_log.x64.dll"
LinkIncremental="1"
SuppressStartupBanner="true"
ProgramDatabaseFile=".\Release/api_log.x64.pdb"
RandomizedBaseAddress="1"
DataExecutionPrevention="0"
ImportLibrary=".\Release/api_log.lib"
TargetMachine="17"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
SuppressStartupBanner="true"
OutputFile=".\Release/dll.bsc"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<Filter
Name="diStorm3.3"
Filter="h;hpp;hxx;hm;inl"
>
<File
RelativePath=".\diStorm3.3\config.h"
>
</File>
<File
RelativePath=".\diStorm3.3\decoder.c"
>
</File>
<File
RelativePath=".\diStorm3.3\decoder.h"
>
</File>
<File
RelativePath=".\diStorm3.3\distorm.c"
>
</File>
<File
RelativePath=".\diStorm3.3\distorm.h"
>
</File>
<File
RelativePath=".\diStorm3.3\instructions.c"
>
</File>
<File
RelativePath=".\diStorm3.3\instructions.h"
>
</File>
<File
RelativePath=".\diStorm3.3\insts.c"
>
</File>
<File
RelativePath=".\diStorm3.3\insts.h"
>
</File>
<File
RelativePath=".\diStorm3.3\mnemonics.c"
>
</File>
<File
RelativePath=".\diStorm3.3\mnemonics.h"
>
</File>
<File
RelativePath=".\diStorm3.3\operands.c"
>
</File>
<File
RelativePath=".\diStorm3.3\operands.h"
>
</File>
<File
RelativePath=".\diStorm3.3\prefix.c"
>
</File>
<File
RelativePath=".\diStorm3.3\prefix.h"
>
</File>
<File
RelativePath=".\diStorm3.3\textdefs.c"
>
</File>
<File
RelativePath=".\diStorm3.3\textdefs.h"
>
</File>
<File
RelativePath=".\diStorm3.3\wstring.c"
>
</File>
<File
RelativePath=".\diStorm3.3\wstring.h"
>
</File>
<File
RelativePath=".\diStorm3.3\x86defs.h"
>
</File>
</Filter>
<File
RelativePath="dll.cpp"
>
<FileConfiguration
Name="Debug|Win32"
>
<Tool
Name="VCCLCompilerTool"
PreprocessorDefinitions=""
/>
</FileConfiguration>
<FileConfiguration
Name="Debug|x64"
>
<Tool
Name="VCCLCompilerTool"
PreprocessorDefinitions=""
/>
</FileConfiguration>
<FileConfiguration
Name="Release|Win32"
>
<Tool
Name="VCCLCompilerTool"
PreprocessorDefinitions=""
/>
</FileConfiguration>
<FileConfiguration
Name="Release|x64"
>
<Tool
Name="VCCLCompilerTool"
PreprocessorDefinitions=""
/>
</FileConfiguration>
</File>
<File
RelativePath=".\exports.def"
>
</File>
<File
RelativePath="main.h"
>
</File>
<File
RelativePath=".\NtHookEngine.cpp"
>
</File>
<File
RelativePath=".\NtHookEngine.h"
>
</File>
<File
RelativePath=".\vb_structs.h"
>
</File>
</Files>
<Globals>
</Globals>
</VisualStudioProject>

121
VB-Research/vbOpenScript/dll/dll.vcproj.DESKTOP-F9V9H70.dzzie.user Normal file
View File

@ -0,0 +1,121 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioUserFile
ProjectType="Visual C++"
Version="9.00"
ShowAllFiles="false"
>
<Configurations>
<Configuration
Name="Debug|Win32"
>
<DebugSettings
Command=""
WorkingDirectory=""
CommandArguments=""
Attach="false"
DebuggerType="3"
Remote="1"
RemoteMachine="DESKTOP-F9V9H70"
RemoteCommand=""
HttpUrl=""
PDBPath=""
SQLDebugging=""
Environment=""
EnvironmentMerge="true"
DebuggerFlavor=""
MPIRunCommand=""
MPIRunArguments=""
MPIRunWorkingDirectory=""
ApplicationCommand=""
ApplicationArguments=""
ShimCommand=""
MPIAcceptMode=""
MPIAcceptFilter=""
/>
</Configuration>
<Configuration
Name="Debug|x64"
>
<DebugSettings
Command=""
WorkingDirectory=""
CommandArguments=""
Attach="false"
DebuggerType="3"
Remote="1"
RemoteMachine="DESKTOP-F9V9H70"
RemoteCommand=""
HttpUrl=""
PDBPath=""
SQLDebugging=""
Environment=""
EnvironmentMerge="true"
DebuggerFlavor=""
MPIRunCommand=""
MPIRunArguments=""
MPIRunWorkingDirectory=""
ApplicationCommand=""
ApplicationArguments=""
ShimCommand=""
MPIAcceptMode=""
MPIAcceptFilter=""
/>
</Configuration>
<Configuration
Name="Release|Win32"
>
<DebugSettings
Command=""
WorkingDirectory=""
CommandArguments=""
Attach="false"
DebuggerType="3"
Remote="1"
RemoteMachine="DESKTOP-F9V9H70"
RemoteCommand=""
HttpUrl=""
PDBPath=""
SQLDebugging=""
Environment=""
EnvironmentMerge="true"
DebuggerFlavor=""
MPIRunCommand=""
MPIRunArguments=""
MPIRunWorkingDirectory=""
ApplicationCommand=""
ApplicationArguments=""
ShimCommand=""
MPIAcceptMode=""
MPIAcceptFilter=""
/>
</Configuration>
<Configuration
Name="Release|x64"
>
<DebugSettings
Command=""
WorkingDirectory=""
CommandArguments=""
Attach="false"
DebuggerType="3"
Remote="1"
RemoteMachine="DESKTOP-F9V9H70"
RemoteCommand=""
HttpUrl=""
PDBPath=""
SQLDebugging=""
Environment=""
EnvironmentMerge="true"
DebuggerFlavor=""
MPIRunCommand=""
MPIRunArguments=""
MPIRunWorkingDirectory=""
ApplicationCommand=""
ApplicationArguments=""
ShimCommand=""
MPIAcceptMode=""
MPIAcceptFilter=""
/>
</Configuration>
</Configurations>
</VisualStudioUserFile>

2
VB-Research/vbOpenScript/dll/exports.def Normal file
View File

@ -0,0 +1,2 @@
EXPORT
NullSub

80
VB-Research/vbOpenScript/dll/main.h Normal file
View File

@ -0,0 +1,80 @@
#include <intrin.h>
void msg(char);
void msgf(const char*, ...);
HWND hServer=0;
typedef struct{
int dwFlag;
int cbSize;
int lpData;
} cpyData;
void FindVBWindow(){
char *vbIDEClassName = "ThunderFormDC" ;
char *vbEXEClassName = "ThunderRT6FormDC" ;
char *vbWindowCaption = "injector" ;
hServer = FindWindowA( vbIDEClassName, vbWindowCaption );
if(hServer==0) hServer = FindWindowA( vbEXEClassName, vbWindowCaption );
}
int msg(char *Buffer){
char msgbuf[0x1001];
if(!IsWindow(hServer)) hServer=0;
if(hServer==0) FindVBWindow();
COPYDATASTRUCT cpStructData;
memset(&cpStructData,0, sizeof(struct tagCOPYDATASTRUCT )) ;
_snprintf(msgbuf, 0x1000, "%x,%x,%s", GetCurrentProcessId(), GetCurrentThreadId(), Buffer);
cpStructData.dwData = 3;
cpStructData.cbData = strlen(msgbuf) ;
cpStructData.lpData = (void*)msgbuf;
int ret = SendMessage(hServer, WM_COPYDATA, 0,(LPARAM)&cpStructData);
//if ret = trigger then do something special
return ret;
}
void msgf(const char *format, ...)
{
DWORD dwErr = GetLastError();
if(format){
char buf[1024];
va_list args;
va_start(args,format);
try{
_vsnprintf(buf,1024,format,args);
msg(buf);
}
catch(...){}
}
SetLastError(dwErr);
}
int* pPlus(int * p, int increment){
_asm{
mov eax, p
add eax, increment
}
}
int* pPlus(void * p, int increment){
_asm{
mov eax, p
add eax, increment
}
}

90
VB-Research/vbOpenScript/dll/vb_structs.h Normal file
View File

@ -0,0 +1,90 @@
//slightly tweaked structures from vbParser by sysenter-eip
typedef struct {
DWORD lpObjectInfo;
DWORD dwReserved;
DWORD lpPublicBytes;
DWORD lpStaticBytes;
DWORD lpModulePublic;
DWORD lpModuleStatic;
DWORD lpszObjectName;
DWORD dwMethodCount;
DWORD lpMethodNames;
DWORD bStaticVars;
DWORD fObjectType;
DWORD dwNull;
} VBObject;
typedef struct {
DWORD lpHeapLink;
DWORD lpExecProj;
DWORD lpProjectInfo2;
DWORD dwReserved;
DWORD dwNull;
DWORD lpProjectObject;
UUID uuidObject;
WORD fCompileState;
WORD dwTotalObjects;
WORD dwCompiledObjects;
WORD dwObjectsInUse;
VBObject *ObjectArray;
DWORD fIdeFlag;
DWORD lpIdeData;
DWORD lpIdeData2;
DWORD lpszProjectName;
DWORD dwLcid;
DWORD dwLcid2;
DWORD lpIdeData3;
DWORD dwIdentifier;
} VB_ObjectTable;
typedef struct {
DWORD dwVersion;
VB_ObjectTable *ObjectTable;
DWORD dwNull;
DWORD lpCodeStart;
DWORD lpCodeEnd;
DWORD dwDataSize;
DWORD lpThreadSpace;
DWORD lpVbaSeh;
DWORD lpNativeCode;
WCHAR wsPrimitivePath[3];
WCHAR wsProjectPath[261];
DWORD lpExternalTable;
DWORD dwExternalCount;
} VB_ProjInfo;
typedef struct {
CHAR szVbMagic[4];
WORD wRuntimeBuild;
CHAR szLangDll[14];
CHAR szSecLangDll[14];
WORD wRuntimeRevision;
DWORD dwLCID;
DWORD dwSecLCID;
DWORD lpSubMain;
VB_ProjInfo *ProjectInfo;
DWORD fMdlIntCtls;
DWORD fMdlIntCtls2;
DWORD dwThreadFlags;
DWORD dwThreadCount;
WORD wFormCount;
WORD wExternalComponentCount;
DWORD dwThunkCount;
DWORD lpGuiTable;
DWORD lpExternalComponentTable;
DWORD lpComRegisterData;
DWORD bSZProjectDescription;
DWORD bSZProjectExeName;
DWORD bSZProjectHelpFile;
DWORD bSZProjectName;
} VBHeader;

BIN
VB-Research/vbOpenScript/injector.exe Normal file
View File

Binary file not shown.

520
VB-Research/vbOpenScript/injector/CFileSystem2.cls Normal file
View File

@ -0,0 +1,520 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CFileSystem2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
'Author: david zimmer <dzzie@yahoo.com>
'Site: http://sandsprite.com
'Revision 3 <- Incompatiable with all previous..simplified & streamlined
'
'Info: These are basically macros for VB's built in file processes
' this should streamline your code quite a bit and hopefully
' remove alot of redundant coding.
'
'Author: dzzie@yahoo.com
'Sight: http://www.geocities.com/dzzie
'Changes Jan 5 05
'GetFreeFileName - fixed periodic overflow in
'GetFolderFiles - Added recursive option
'CreateFolder - now returns boolean
'GetFreeFolderName - Added
'RandomNum - wrapped with 10 try error handling in case of periodic overflow
'Move - changed mechanism of copy to name x as y instead of copy delete
'CreateFile - now returns boolean
'
'changes feb 8 06
' updated fileexists function to not throw err on bad path
'
' 5.21.12 - bugfix in RandomNum sporotic overflow time of day related...
' 11.14.13- bugfix in FileExists,FolderExists, GetFolderFiles recursive filter, GetParentFolder trailing \ bugfix
' 1.21.14- bugfix deletefile detects readonly attribute and removes
' 11.15.15- bugfix GetParentFolder could fail is ub folder name was repeated in path (sloppy replace)
' 5.31.17 = bugfix GetSubFolders.GetAttr could fail, FileExists could fail with embedded nulls (.\0file)
Option Explicit
Private Declare Function GetTickCount Lib "kernel32" () As Long
Function GetFolderFiles(folderPath As String, Optional Filter As String = "*", Optional retFullPath As Boolean = True, Optional recursive As Boolean = False) As String()
Dim fnames() As String
Dim fs As String
Dim folders() As String
Dim i As Integer
If Not FolderExists(folderPath) Then
'returns empty array if fails
GetFolderFiles = fnames()
Exit Function
End If
folderPath = IIf(Right(folderPath, 1) = "\", folderPath, folderPath & "\")
fs = Dir(folderPath & Filter, vbHidden Or vbNormal Or vbReadOnly Or vbSystem)
While fs <> ""
If fs <> "" Then push fnames(), IIf(retFullPath = True, folderPath & fs, fs)
fs = Dir()
Wend
If recursive Then
folders() = GetSubFolders(folderPath)
If Not AryIsEmpty(folders) Then
For i = 0 To UBound(folders)
FolderEngine folders(i), fnames(), Filter
Next
End If
If Not retFullPath Then
For i = 0 To UBound(fnames)
fnames(i) = Replace(fnames(i), folderPath, Empty) 'make relative path from base
Next
End If
End If
GetFolderFiles = fnames()
End Function
Private Sub FolderEngine(fldrpath As String, ary() As String, Optional Filter As String = "*")
Dim files() As String
Dim folders() As String
Dim i As Long
files = GetFolderFiles(fldrpath, Filter)
folders = GetSubFolders(fldrpath)
If Not AryIsEmpty(files) Then
For i = 0 To UBound(files)
push ary, files(i)
Next
End If
If Not AryIsEmpty(folders) Then
For i = 0 To UBound(folders)
FolderEngine folders(i), ary, Filter
Next
End If
End Sub
Function GetSubFolders(folderPath As String, Optional retFullPath As Boolean = True) As String()
Dim fnames() As String
Dim fd As String
On Error Resume Next 'getattr can barf on weird file names..
If Not FolderExists(folderPath) Then
'returns empty array if fails
GetSubFolders = fnames()
Exit Function
End If
If Right(folderPath, 1) <> "\" Then folderPath = folderPath & "\"
fd = Dir(folderPath, vbDirectory)
While fd <> ""
If Left(fd, 1) <> "." Then
If (GetAttr(folderPath & fd) And vbDirectory) = vbDirectory Then
If Err.Number = 0 Then
push fnames(), IIf(retFullPath = True, folderPath & fd, fd)
Else
Err.Clear
End If
End If
End If
fd = Dir()
Wend
GetSubFolders = fnames()
End Function
Function FolderExists(path As String) As Boolean
On Error GoTo hell
Dim tmp As String
tmp = path & "\"
If Len(tmp) = 1 Then Exit Function
If Dir(tmp, vbDirectory) <> "" Then FolderExists = True
Exit Function
hell:
FolderExists = False
End Function
Function FileExists(path As String) As Boolean
On Error GoTo hell
If Len(path) = 0 Then Exit Function
If Right(path, 1) = "\" Then Exit Function
If InStr(path, Chr(0)) > 0 Then Exit Function
If Dir(path, vbHidden Or vbNormal Or vbReadOnly Or vbSystem) <> "" Then FileExists = True
Exit Function
hell: FileExists = False
End Function
Function GetParentFolder(path) As String
Dim tmp() As String
Dim my_path
Dim ub As String
On Error GoTo hell
If Len(path) = 0 Then Exit Function
my_path = path
While Len(my_path) > 0 And Right(my_path, 1) = "\"
my_path = Mid(my_path, 1, Len(my_path) - 1)
Wend
tmp = Split(my_path, "\")
tmp(UBound(tmp)) = Empty
my_path = Replace(Join(tmp, "\"), "\\", "\")
If VBA.Right(my_path, 1) = "\" Then my_path = Mid(my_path, 1, Len(my_path) - 1)
GetParentFolder = my_path
Exit Function
hell:
GetParentFolder = Empty
End Function
Function CreateFolder(path As String) As Boolean
On Error GoTo blah
If FolderExists(path) Then Exit Function
MkDir path
If Not FolderExists(path) Then Exit Function
CreateFolder = True
blah:
End Function
Function FileNameFromPath(FullPath As String) As String
Dim tmp() As String
If InStr(FullPath, "\") > 0 Then
tmp = Split(FullPath, "\")
FileNameFromPath = CStr(tmp(UBound(tmp)))
End If
End Function
Function WebFileNameFromPath(FullPath As String)
Dim tmp() As String
If InStr(FullPath, "/") > 0 Then
tmp = Split(FullPath, "/")
WebFileNameFromPath = CStr(tmp(UBound(tmp)))
End If
End Function
Function DeleteFile(fpath As String) As Boolean
On Error GoTo hadErr
Dim attributes As VbFileAttribute
attributes = GetAttr(fpath)
If (attributes And vbReadOnly) Then
attributes = attributes - vbReadOnly
SetAttr fpath, attributes
End If
Kill fpath
DeleteFile = True
Exit Function
hadErr:
'MsgBox "DeleteFile Failed" & vbCrLf & vbCrLf & fpath
DeleteFile = False
End Function
Sub Rename(FullPath As String, newName As String)
Dim pf As String
pf = GetParentFolder(FullPath)
Name FullPath As pf & "\" & newName
End Sub
Sub SetAttribute(fpath, it As VbFileAttribute)
SetAttr fpath, it
End Sub
'always returns lcase
Function GetExtension(path) As String
Dim tmp() As String
Dim ub As String
If Len(path) = 0 Then Exit Function
tmp = Split(path, "\")
ub = tmp(UBound(tmp))
If InStr(1, ub, ".") > 0 Then
GetExtension = LCase(Mid(ub, InStrRev(ub, "."), Len(ub)))
Else
GetExtension = ""
End If
End Function
Function GetBaseName(path As String) As String
Dim tmp() As String
Dim ub As String
If Len(path) = 0 Then Exit Function
tmp = Split(path, "\")
ub = tmp(UBound(tmp))
If InStr(1, ub, ".") > 0 Then
GetBaseName = Mid(ub, 1, InStrRev(ub, ".") - 1)
Else
GetBaseName = ub
End If
End Function
'can also just accept a file name
Function ChangeExt(path As String, ext As String)
Dim newPath As String
If Left(ext, 1) <> "." Then ext = "." & ext
newPath = GetBaseName(path) & ext
If LCase(path) <> LCase(newPath) Then
If FileExists(path) Then
Rename path, newPath
End If
End If
ChangeExt = newPath
End Function
Function SafeFileName(proposed As String) As String
Dim badChars As String, bad() As String, i As Long
badChars = ">,<,&,/,\,:,|,?,*,"""
bad = Split(badChars, ",")
For i = 0 To UBound(bad)
proposed = Replace(proposed, bad(i), "")
Next
SafeFileName = CStr(proposed)
End Function
Function RandomNum() As Long
Dim tmp As Long
Dim tries As Long
On Error Resume Next
Do While 1
Err.Clear
Randomize
tmp = Round(Timer * Now * Rnd(), 0)
RandomNum = tmp
If Err.Number = 0 Then Exit Function
If tries < 100 Then
tries = tries + 1
Else
Exit Do
End If
Loop
RandomNum = GetTickCount
End Function
Function GetFreeFileName(ByVal folder As String, Optional extension = ".txt") As String
On Error GoTo Handler 'can have overflow err once in awhile :(
Dim i As Integer
Dim tmp As String
If Not FolderExists(folder) Then Exit Function
If Right(folder, 1) <> "\" Then folder = folder & "\"
If Left(extension, 1) <> "." Then extension = "." & extension
again:
Do
tmp = folder & RandomNum() & extension
Loop Until Not FileExists(tmp)
GetFreeFileName = tmp
Exit Function
Handler:
If i < 10 Then
i = i + 1
GoTo again
End If
End Function
Function GetFreeFolderName(ByVal parentFolder As String, Optional prefix As String = "") As String
On Error GoTo Handler 'can have overflow err once in awhile :(
Dim i As Integer
Dim tmp As String
If Not FolderExists(parentFolder) Then Exit Function
If Right(parentFolder, 1) <> "\" Then parentFolder = parentFolder & "\"
again:
Do
tmp = parentFolder & prefix & RandomNum()
Loop Until Not FolderExists(tmp)
GetFreeFolderName = tmp
Exit Function
Handler:
If i < 10 Then
i = i + 1
GoTo again
End If
End Function
Function buildPath(folderPath As String) As Boolean
On Error GoTo oops
If FolderExists(folderPath) Then buildPath = True: Exit Function
Dim tmp() As String, build As String, i As Long
tmp = Split(folderPath, "\")
build = tmp(0)
For i = 1 To UBound(tmp)
build = build & "\" & tmp(i)
If InStr(tmp(i), ".") < 1 Then
If Not FolderExists(build) Then CreateFolder (build)
End If
Next
buildPath = True
Exit Function
oops: buildPath = False
End Function
Function ReadFile(filename) As Variant
Dim f As Long
Dim temp As Variant
f = FreeFile
temp = ""
Open filename For Binary As #f ' Open file.(can be text or image)
temp = Input(FileLen(filename), #f) ' Get entire Files data
Close #f
ReadFile = temp
End Function
Sub WriteFile(path As String, it As Variant)
Dim f As Long
f = FreeFile
Open path For Output As #f
Print #f, it
Close f
End Sub
Sub AppendFile(path, it)
Dim f As Long
f = FreeFile
Open path For Append As #f
Print #f, it
Close f
End Sub
Function Copy(fpath As String, toFolder As String)
Dim baseName As String, newName As String
If FolderExists(toFolder) Then
baseName = FileNameFromPath(fpath)
toFolder = IIf(Right(toFolder, 1) = "\", toFolder, toFolder & "\")
newName = toFolder & baseName
FileCopy fpath, newName
Copy = newName
Else 'assume tofolder is actually new desired file path
FileCopy fpath, toFolder
Copy = toFolder
End If
End Function
Function Move(fpath As String, toFolder As String)
Dim fName As String
fName = FileNameFromPath(fpath)
toFolder = IIf(Right(toFolder, 1) = "\", toFolder, toFolder & "\")
Name fpath As toFolder & fName
Move = toFolder & fName
End Function
Function CreateFile(fpath As String) As Boolean
On Error GoTo hell
Dim f As Long
f = FreeFile
If FileExists(fpath) Then Exit Function
Open fpath For Binary As f
Close f
If FileExists(fpath) Then CreateFile = True
hell:
End Function
Function DeleteFolder(folderPath As String, Optional force As Boolean = True) As Boolean
On Error GoTo failed
Call delTree(folderPath, force)
RmDir folderPath
DeleteFolder = True
Exit Function
failed: DeleteFolder = False
End Function
Private Sub delTree(folderPath As String, Optional force As Boolean = True)
Dim sfi() As String, sfo() As String, i As Integer
sfi() = GetFolderFiles(folderPath)
sfo() = GetSubFolders(folderPath)
If Not AryIsEmpty(sfi) And force = True Then
For i = 0 To UBound(sfi)
DeleteFile sfi(i)
Next
End If
If Not AryIsEmpty(sfo) And force = True Then
For i = 0 To UBound(sfo)
Call DeleteFolder(sfo(i), True)
Next
End If
End Sub
Private Sub push(ary, value) 'this modifies parent ary object
On Error GoTo init
Dim x As Long
x = UBound(ary) '<-throws Error If Not initalized
ReDim Preserve ary(UBound(ary) + 1)
ary(UBound(ary)) = value
Exit Sub
init: ReDim ary(0): ary(0) = value
End Sub
Private Function AryIsEmpty(ary) As Boolean
On Error GoTo oops
Dim x As Long
x = UBound(ary)
AryIsEmpty = False
Exit Function
oops: AryIsEmpty = True
End Function
Function FolderName(folderPath) As String
Dim ret As String, tmp() As String
If Len(folderPath) = 0 Then Exit Function
tmp = Split(folderPath, "\")
If Not AryIsEmpty(tmp) Then
If Len(tmp(UBound(tmp))) <> 0 Then ret = tmp(UBound(tmp)) _
Else ret = tmp(UBound(tmp) - 1)
Else
ret = CStr(folderPath)
End If
FolderName = ret
End Function
Private Sub Class_Initialize()
' If Not isRegistered And Not isInitalized Then TellThemAllAboutIt
End Sub

83
VB-Research/vbOpenScript/injector/CSubClass2.cls Normal file
View File

@ -0,0 +1,83 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CSubclass2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Author: david zimmer <dzzie@yahoo.com>
'Site: http://sandsprite.com
'added 5.17.12 - supports changing the return value to the callers SendMessage()
Event MessageReceived(hwnd As Long, wMsg As Long, wParam As Long, lParam As Long, Cancel As Boolean)
Public ErrorMessage As String
Public ErrorNumber As Long
Private mOverRide As Boolean
Private mVal As Long
Public Windows As New Collection
Friend Function WasOverRidden() As Boolean
WasOverRidden = mOverRide
End Function
Friend Function OverRideVal() As Long
OverRideVal = mVal
End Function
Function OverRideRetVal(newRetVal As Long)
mOverRide = True
mVal = newRetVal
End Function
Function AttachMessage(hwnd As Long, wMsg As Long) As Boolean
On Error GoTo hell
modSubclass.MonitorWindowMessage Me, hwnd, wMsg
AttachMessage = True
ErrorMessage = ""
ErrorNumber = 0
Exit Function
hell:
ErrorMessage = Err.Description
ErrorNumber = Err.Number
End Function
Sub DetatchMessage(hwnd As Long, wMsg As Long)
modSubclass.DetachWindowMessage hwnd, wMsg
End Sub
Private Sub Class_Initialize()
modSubclass.RegisterClassActive Me
End Sub
Private Sub Class_Terminate()
modSubclass.RemoveActiveClass Me
End Sub
Friend Sub ForwardMessage(hwnd As Long, wMsg As Long, wParam As Long, lParam As Long, Optional Cancel As Boolean)
'this sub is only called from the module,
'friend methods are not externally visible in compiled dll interface
mOverRide = False
RaiseEvent MessageReceived(hwnd, wMsg, wParam, lParam, Cancel)
End Sub

93
VB-Research/vbOpenScript/injector/CWindow.cls Normal file
View File

@ -0,0 +1,93 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CWindow"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Author: david zimmer <dzzie@yahoo.com>
'Site: http://sandsprite.com
'each window can only be subclassed by one subclasser.
'this is a new limitation for simplicity/sanity/stability/readability etc!
Public hwnd As Long
Private Messages() As Long
Public pOldWndProc As Long
Public Handler As CSubclass2
Public Function MsgExists(msg As Long) As Boolean
On Error Resume Next
If AryIsEmpty(Messages) Then
MsgExists = False
Exit Function
End If
Dim i As Long
For i = 0 To UBound(Messages)
If Messages(i) = msg Then
MsgExists = True
Exit Function
End If
Next
Exit Function
End Function
Public Function ActiveMessages() As Long
Dim i, found As Long
If Not AryIsEmpty(Messages) Then
For i = 0 To UBound(Messages)
If Messages(i) <> 0 Then
found = found + 1
End If
Next
End If
ActiveMessages = found
End Function
Public Sub RemoveMsg(msg As Long)
Dim i As Long
If AryIsEmpty(Messages) Then Exit Sub
For i = 0 To UBound(Messages)
If Messages(i) = msg Then
Messages(i) = 0
Exit Sub
End If
Next
End Sub
Public Function AddMsg(msg As Long) As Boolean
lpush Messages, msg
End Function
Private Function AryIsEmpty(ary) As Boolean
On Error GoTo oops
Dim x As Long
x = UBound(ary)
AryIsEmpty = False
Exit Function
oops: AryIsEmpty = True
End Function
Private Sub lpush(ary() As Long, value As Long) 'this modifies parent ary object
On Error GoTo init
Dim x As Long
x = UBound(ary) '<-throws Error If Not initalized
ReDim Preserve ary(UBound(ary) + 1)
ary(UBound(ary)) = value
Exit Sub
init: ReDim ary(0): ary(0) = value
End Sub

46
VB-Research/vbOpenScript/injector/Project1.vbp Normal file
View File

@ -0,0 +1,46 @@
Type=Exe
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\..\..\Windows\SysWOW64\stdole2.tlb#OLE Automation
Form=frmMain.frm
Class=CFileSystem2; CFileSystem2.cls
Class=clsCmnDlg; clsCmnDlg.cls
Module=modSubclass; modSubclass.bas
Class=CSubclass2; CSubClass2.cls
Class=CWindow; CWindow.cls
IconForm="frmMain"
Startup="frmMain"
HelpFile=""
Title="injector"
ExeName32="injector.exe"
Path32=".."
Command32=""
Name="injector"
HelpContextID="0"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
VersionCompanyName="sandsprite.com"
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1
DebugStartupOption=0
[MS Transaction Server]
AutoRefresh=1
[fastBuild]
fullPath=%ap%\..\injector.exe

6
VB-Research/vbOpenScript/injector/Project1.vbw Normal file
View File

@ -0,0 +1,6 @@
frmMain = 25, 4, 1328, 882, , 60, 8, 1062, 827, C
CFileSystem2 = 182, 182, 1072, 655,
clsCmnDlg = 208, 208, 1098, 681, C
modSubclass = 208, 208, 1098, 681,
CSubclass2 = 182, 182, 1072, 655, C
CWindow = 26, 26, 916, 499, C

226
VB-Research/vbOpenScript/injector/clsCmnDlg.cls Normal file
View File

@ -0,0 +1,226 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "clsCmnDlg"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
Private Type OPENFILENAME
lStructSize As Long
hWndOwner As Long
hInstance As Long
lpstrFilter As String
lpstrCustomFilter As String
nMaxCustFilter As Long
nFilterIndex As Long
lpstrFile As String
nMaxFile As Long
lpstrFileTitle As String
nMaxFileTitle As Long
lpstrInitialDir As String
lpstrTitle As String
flags As Long
nFileOffset As Integer
nFileExtension As Integer
lpstrDefExt As String
lCustData As Long
lpfnHook As Long
lpTemplateName As String
End Type
Private Type oColorDlg
lStructSize As Long
hWndOwner As Long
hInstance As Long
rgbResult As Long
lpCustColors As String
flags As Long
lCustData As Long
lpfnHook As Long
lpTemplateName As String
End Type
Private Type BrowseInfo
hWndOwner As Long
pIDLRoot As Long
pszDisplayName As Long
lpszTitle As Long
ulFlags As Long
lpfnCallback As Long
lParam As Long
iImage As Long
End Type
Public Enum FilterTypes
textFiles = 0
htmlFiles = 1
exeFiles = 2
zipFiles = 3
AllFiles = 4
CustomFilter = 5
End Enum
Private Declare Function GetOpenFileName Lib "comdlg32.dll" Alias "GetOpenFileNameA" (pOpenfilename As OPENFILENAME) As Long
Private Declare Function GetSaveFileName Lib "comdlg32.dll" Alias "GetSaveFileNameA" (pOpenfilename As OPENFILENAME) As Long
Private Declare Function ChooseColor Lib "comdlg32.dll" Alias "ChooseColorA" (pChoosecolor As oColorDlg) As Long
Private Declare Function lstrcat Lib "kernel32" Alias "lstrcatA" (ByVal lpString1 As String, ByVal lpString2 As String) As Long
Private Declare Function SHBrowseForFolder Lib "shell32" (lpbi As BrowseInfo) As Long
Private Declare Function SHGetPathFromIDList Lib "shell32" (ByVal pidList As Long, ByVal lpBuffer As String) As Long
Private Declare Sub CoTaskMemFree Lib "ole32.dll" (ByVal hMem As Long)
Private Declare Function GetForegroundWindow Lib "user32" () As Long
Private o As OPENFILENAME
Private filters(6) As String
Private extensions(6) As String
Private errOnCancel As Boolean
Property Let ErrorOnCancel(bln As Boolean)
errOnCancel = bln
End Property
Property Get ErrorOnCancel() As Boolean
ErrorOnCancel = errOnCancel
End Property
Sub SetCustomFilter(displayText As String, Optional wildCardExtMatch = "*.*")
filters(5) = "____" + Chr$(0) + "___" + Chr$(0) + "All Files (*.*)" + Chr$(0) + "*.*" + Chr$(0)
filters(5) = Replace(filters(5), "____", displayText)
filters(5) = Replace(filters(5), "___", wildCardExtMatch)
extensions(5) = Replace(wildCardExtMatch, "*", "")
End Sub
Private Sub Class_Initialize()
' If Not isRegistered And Not isInitalized Then TellThemAllAboutIt
filters(0) = "Text Files (*.txt)" + Chr$(0) + "*.txt" + Chr$(0) + "All Files (*.*)" + Chr$(0) + "*.*" + Chr$(0)
filters(1) = "Html Files (*.htm*)" + Chr$(0) + "*.htm*" + Chr$(0) + "All Files (*.*)" + Chr$(0) + "*.*" + Chr$(0)
filters(2) = "Exe Files (*.exe)" + Chr$(0) + "*.exe" + Chr$(0) + "All Files (*.*)" + Chr$(0) + "*.*" + Chr$(0)
filters(3) = "Zip Files (*.zip)" + Chr$(0) + "*.zip" + Chr$(0) + "All Files (*.*)" + Chr$(0) + "*.*" + Chr$(0)
filters(4) = "All Files (*.*)" + Chr$(0) + "*.*" + Chr$(0)
extensions(0) = ".txt"
extensions(1) = ".html"
extensions(2) = ".exe"
extensions(3) = ".zip"
extensions(4) = ".bin"
End Sub
Function OpenDialog(filt As FilterTypes, Optional initDir As String, Optional title As String, Optional pHwnd As Long = 0) As String
If pHwnd = 0 Then pHwnd = GetForegroundWindow()
o.lStructSize = Len(o)
o.hWndOwner = pHwnd
o.hInstance = 0
o.lpstrFilter = filters(filt)
o.lpstrFile = Space$(254)
o.nMaxFile = 255
o.lpstrFileTitle = Space$(254)
o.nMaxFileTitle = 255
o.lpstrInitialDir = initDir
o.lpstrTitle = title
o.flags = 0
OpenDialog = IIf(GetOpenFileName(o), Trim$(o.lpstrFile), "")
OpenDialog = Replace(OpenDialog, Chr(0), Empty)
If Len(OpenDialog) = 0 And errOnCancel Then Err.Raise 1, "OpenDialog", "Cancel"
End Function
Function SaveDialog(filt As FilterTypes, Optional initDir As String, Optional title As String = "", Optional ConfirmOvewrite As Boolean = True, Optional pHwnd As Long = 0) As String
If pHwnd = 0 Then pHwnd = GetForegroundWindow()
o.lStructSize = Len(o)
o.hWndOwner = pHwnd
o.hInstance = pHwnd
o.lpstrFilter = filters(filt)
o.lpstrFile = Space$(254)
o.nMaxFile = 255
o.lpstrFileTitle = Space$(254)
o.nMaxFileTitle = 255
o.lpstrInitialDir = initDir
o.lpstrTitle = title
o.lpstrDefExt = extensions(filt)
o.flags = 0
Dim tmp As String
tmp = IIf(GetSaveFileName(o), Trim$(o.lpstrFile), "")
If ConfirmOvewrite And tmp <> "" Then
If FileExists(tmp) Then
If MsgBox("File Already Exists" & vbCrLf & vbCrLf & "Are you sure you wish to overwrite existing file?", vbYesNo + vbExclamation, "Confirm Overwrite") = vbYes Then SaveDialog = tmp
Else
SaveDialog = tmp
End If
Else
SaveDialog = tmp
End If
If Len(SaveDialog) = 0 And errOnCancel Then Err.Raise 1, "SaveDialog", "Cancel"
End Function
Function ColorDialog(Optional pHwnd As Long) As Long
Dim c As oColorDlg
Dim cColors() As Byte
If pHwnd = 0 Then pHwnd = GetForegroundWindow()
c.lStructSize = Len(c)
c.hWndOwner = pHwnd
c.hInstance = App.hInstance
c.lpCustColors = StrConv(cColors, vbUnicode)
c.flags = 0
If ChooseColor(c) <> 0 Then
ColorDialog = c.rgbResult
cColors = StrConv(c.lpCustColors, vbFromUnicode)
Else
ColorDialog = -1
If errOnCancel Then Err.Raise 1, "ShowColor", "Cancel"
End If
End Function
Function FolderDialog(Optional initDir As String, Optional pHwnd As Long = 0) As String
Dim bInfo As BrowseInfo, ret As String, ptrList As Long, nullChar As Long
If pHwnd = 0 Then pHwnd = GetForegroundWindow()
With bInfo
.hWndOwner = pHwnd
.lpszTitle = lstrcat(initDir, "") 'returns memaddress
.ulFlags = 1 'only directories
End With
ptrList = SHBrowseForFolder(bInfo)
If ptrList Then
ret = String$(260, 0)
SHGetPathFromIDList ptrList, ret 'Get the path from the IDList
CoTaskMemFree ptrList 'free the block of memory
nullChar = InStr(ret, vbNullChar)
If nullChar > 0 Then ret = Left$(ret, nullChar - 1)
End If
FolderDialog = ret
If Len(ret) = 0 And errOnCancel Then Err.Raise 1, "ChooseFolder", "Cancel"
End Function
Private Function FileExists(path) As Boolean
If Len(path) = 0 Then Exit Function
If Dir(path, vbHidden Or vbNormal Or vbReadOnly Or vbSystem) <> "" Then FileExists = True
End Function

514
VB-Research/vbOpenScript/injector/frmMain.frm Normal file
View File

@ -0,0 +1,514 @@
VERSION 5.00
Begin VB.Form frmMain
Caption = "injector"
ClientHeight = 7305
ClientLeft = 165
ClientTop = 450
ClientWidth = 8670
LinkTopic = "frmMain"
ScaleHeight = 7305
ScaleWidth = 8670
StartUpPosition = 2 'CenterScreen
Begin VB.ListBox List1
BeginProperty Font
Name = "Courier"
Size = 9.75
Charset = 0
Weight = 400
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
Height = 5130
Left = 90
TabIndex = 14
Top = 1935
Width = 8295
End
Begin VB.TextBox txtIPCHwnd
Height = 330
Left = 1215
TabIndex = 13
Top = 1080
Width = 1185
End
Begin VB.CommandButton cmdSendIPC
Caption = "Send Cmd"
Height = 285
Left = 6210
TabIndex = 12
Top = 1125
Width = 1095
End
Begin VB.TextBox txtIPCCmd
Height = 330
Left = 2520
TabIndex = 11
Text = "my test IPC command"
Top = 1080
Width = 3615
End
Begin VB.CommandButton cmdBrowse
Caption = "..."
Height = 270
Index = 2
Left = 6240
TabIndex = 9
Top = 405
Width = 615
End
Begin VB.CommandButton cmdBrowse
Caption = "..."
Height = 270
Index = 1
Left = 6240
TabIndex = 8
Top = 765
Width = 615
End
Begin VB.CommandButton cmdBrowse
Caption = "..."
Height = 255
Index = 0
Left = 6255
TabIndex = 7
Top = 45
Width = 615
End
Begin VB.TextBox txtArgs
Height = 315
Left = 1200
OLEDropMode = 1 'Manual
TabIndex = 6
Top = 360
Width = 4965
End
Begin VB.TextBox txtDll
Height = 285
Left = 1200
OLEDropMode = 1 'Manual
TabIndex = 4
Top = 720
Width = 4965
End
Begin VB.CommandButton cmdStart
Caption = "Inject"
Height = 300
Left = 7065
TabIndex = 2
Top = 45
Width = 1335
End
Begin VB.TextBox txtExe
Height = 315
Left = 1200
OLEDropMode = 1 'Manual
TabIndex = 1
Top = 0
Width = 4920
End
Begin VB.Label Label3
Caption = "Log Output"
Height = 285
Left = 90
TabIndex = 15
Top = 1530
Width = 915
End
Begin VB.Label Label2
Caption = "IPC hWnd"
Height = 240
Left = 0
TabIndex = 10
Top = 1125
Width = 1095
End
Begin VB.Label Label7
Caption = "Args"
Height = 285
Left = 60
TabIndex = 5
Top = 360
Width = 945
End
Begin VB.Label lblDll
Caption = "Inject DLL"
ForeColor = &H00000000&
Height = 315
Left = 45
TabIndex = 3
Top = 750
Width = 1335
End
Begin VB.Label Label1
Caption = "Executable"
Height = 255
Left = 60
TabIndex = 0
Top = 60
Width = 975
End
End
Attribute VB_Name = "frmMain"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
'Author: david zimmer <dzzie@yahoo.com>
'Site: http://sandsprite.com
Dim WithEvents sc As CSubclass2
Attribute sc.VB_VarHelpID = -1
Public fso As New CFileSystem2
Public dlg As New clsCmnDlg
Private runtime As String
Const targetRuntime As Long = &H360C5B48
'Compiled: Sat, Sep 26 1998, 3:11:04
'MD5: EEBEB73979D0AD3C74B248EBF1B6E770
'SHA256: E86CBB17C8FCD97BB04D9E0B7FB3EF7A33C6896E681705FC95405F14008737CD
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal ProcessHandle As Long, lpThreadAttributes As Long, ByVal dwStackSize As Long, ByVal lpStartAddress As Any, ByVal lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadID As Long) As Long
Private Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal fAllocType As Long, FlProtect As Long) As Long
Private Declare Function CreateProcess Lib "kernel32" Alias "CreateProcessA" (ByVal lpApplicationName As Long, ByVal lpCommandLine As String, ByVal lpProcessAttributes As Long, ByVal lpThreadAttributes As Long, ByVal bInheritHandles As Long, ByVal dwCreationFlags As Long, ByVal lpEnvironment As Long, ByVal lpCurrentDriectory As Long, lpStartupInfo As STARTUPINFO, lpProcessInformation As PROCESS_INFORMATION) As Long
Private Declare Function ResumeThread Lib "kernel32" (ByVal hThread As Long) As Long
Private Declare Sub DebugBreak Lib "kernel32" ()
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
Private Declare Function WriteProcessBytes Lib "kernel32" Alias "WriteProcessMemory" (ByVal hProcess As Long, lpBaseAddress As Long, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function IsWindow Lib "user32" (ByVal hwnd As Long) As Long
'Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (hpvDest As Any, hpvSource As Any, ByVal cbCopy As Long)
Private Const WM_COPYDATA = &H4A
Private Const PAGE_READWRITE = 4
Private Const CREATE_SUSPENDED = &H4
Private Const MEM_COMMIT = &H1000
Private Const STANDARD_RIGHTS_REQUIRED = &HF0000
Private Const SYNCHRONIZE = &H100000
Private Const PROCESS_ALL_ACCESS = (STANDARD_RIGHTS_REQUIRED Or SYNCHRONIZE Or &HFFF)
Private Type COPYDATASTRUCT
dwFlag As Long
cbSize As Long
lpData As Long
End Type
Private Type PROCESS_INFORMATION
hProcess As Long
hThread As Long
dwProcessId As Long
dwThreadId As Long
End Type
Private Type STARTUPINFO
cb As Long
lpReserved As String
lpDesktop As String
lpTitle As String
dwX As Long
dwY As Long
dwXSize As Long
dwYSize As Long
dwXCountChars As Long
dwYCountChars As Long
dwFillAttribute As Long
dwFlags As Long
wShowWindow As Integer
cbReserved2 As Integer
lpReserved2 As Long
hStdInput As Long
hStdOutput As Long
hStdError As Long
End Type
Private Sub cmdBrowse_Click(index As Integer)
Dim f As String
f = dlg.OpenDialog(AllFiles, , "Open Executable", Me.hwnd)
f = Trim(Replace(f, Chr(0), Empty))
If Len(f) = 0 Then Exit Sub
Select Case index
Case 0: txtExe = f
Case 1: txtDll = f
Case 2: txtArgs = f
End Select
End Sub
Private Sub cmdSendIPC_Click()
On Error Resume Next
Dim hwnd As Long
txtIPCCmd = Trim(txtIPCCmd)
If Len(txtIPCCmd) = 0 Then
MsgBox "Nothing to send", vbInformation
Exit Sub
End If
hwnd = Replace(txtIPCHwnd, "0x", "&h", , , vbTextCompare)
If Err.Number <> 0 Then
MsgBox "hwnd not numeric? " & Err.Description, vbExclamation
Exit Sub
End If
If IsWindow(hwnd) <> 1 Then
MsgBox "hwnd not a valid window ", vbExclamation
Exit Sub
End If
SendIPC hwnd, txtIPCCmd, Me.hwnd
End Sub
Private Sub cmdStart_Click()
Dim exe As String
Dim pf As String
Dim ver As Long
Dim tmp As String
On Error GoTo hell
List1.Clear
If Not fso.FileExists(txtExe) Then
List1.AddItem "Executable not found"
Exit Sub
End If
If Not fso.FileExists(txtDll) Then
List1.AddItem "Dll To inject not found"
Exit Sub
End If
If Not fso.FileExists(runtime) Then
List1.AddItem "Could not find a copy of our target runtime in my folder?"
Exit Sub
Else
pf = fso.GetParentFolder(txtExe) & "\"
tmp = pf & "msvbvm60.dll"
If Not fso.FileExists(tmp) Then
fso.Copy runtime, pf
If Not fso.FileExists(tmp) Then
List1.AddItem "Could not copy target runtime to exe folder"
Exit Sub
Else
List1.AddItem "Target runtime copied to exe folder"
End If
Else
'a copy of runtime is already in exe folder, is it ours?
ver = GetCompileTime(tmp, True)
List1.AddItem "Runtime timestamp: " & Hex(ver) & " - " & GetCompileTime(tmp)
If ver <> targetRuntime Then
List1.AddItem "VB runtime in exe folder does not match our target version."
Exit Sub
End If
End If
End If
exe = txtExe
If Len(txtArgs) > 0 Then exe = exe & " " & txtArgs
If StartWithDLL(exe, txtDll) = 0 Then
List1.AddItem "Injection failed"
End If
Exit Sub
hell:
MsgBox "Error: " & Err.Description
End Sub
Private Sub Form_Load()
Set sc = New CSubclass2
sc.AttachMessage Me.hwnd, WM_COPYDATA
txtDll = App.path & IIf(isIde(), "\..\", "\") & "openscript.dll"
runtime = App.path & IIf(isIde(), "\..\", "\") & "msvbvm60.dll"
If Not fso.FileExists(runtime) Then
List1.AddItem "Could not locate target version of the runtime"
runtime = Empty
Else
Dim ver As Long
ver = GetCompileTime(runtime, True)
If ver <> targetRuntime Then
List1.AddItem "Target Runtime version mismatch? Time stamp is: " & GetCompileTime(runtime)
runtime = Empty
End If
End If
If Len(Command) > 0 Then
txtExe = Replace(Command, """", Empty)
Else
txtExe = App.path & IIf(isIde(), "\..\", "\") & "testApp.exe"
End If
End Sub
Private Sub Form_Unload(Cancel As Integer)
Set sc = Nothing
End Sub
Private Sub sc_MessageReceived(hwnd As Long, wMsg As Long, wParam As Long, lParam As Long, Cancel As Boolean) '
Dim CopyData As COPYDATASTRUCT
Dim Buffer(1 To 2048) As Byte
Dim temp As String, a As Long
On Error Resume Next
If wMsg = WM_COPYDATA Then
CopyMemory CopyData, ByVal lParam, Len(CopyData)
If CopyData.dwFlag = 3 Then
CopyMemory Buffer(1), ByVal CopyData.lpData, CopyData.cbSize
temp = StrConv(Buffer, vbUnicode, &H409)
temp = Left$(temp, InStr(1, temp, Chr$(0)) - 1)
temp = Trim(temp)
If Len(temp) > 0 Then List1.AddItem temp
If InStr(1, temp, "IPC listening on hwnd", vbTextCompare) > 0 Then
a = InStrRev(temp, " ")
If a > 0 Then txtIPCHwnd = "0x" & Trim(Mid(temp, a))
End If
End If
End If
End Sub
Private Sub txtArgs_OLEDragDrop(data As DataObject, Effect As Long, Button As Integer, Shift As Integer, x As Single, y As Single)
On Error Resume Next
txtArgs = data.files(1)
End Sub
Private Sub txtDll_OLEDragDrop(data As DataObject, Effect As Long, Button As Integer, Shift As Integer, x As Single, y As Single)
On Error Resume Next
txtDll = data.files(1)
End Sub
Private Sub txtexe_OLEDragDrop(data As DataObject, Effect As Long, Button As Integer, Shift As Integer, x As Single, y As Single)
On Error Resume Next
txtExe = data.files(1)
End Sub
Private Sub Form_Resize()
On Error Resume Next
List1.Width = Me.Width - List1.Left - 200
List1.Height = Me.Height - List1.Top - 500
End Sub
Function isIde() As Boolean
On Error GoTo hell
Debug.Print 1 \ 0
Exit Function
hell: isIde = True
End Function
Function GetCompileTime(Optional ByVal exe As String, Optional returnRawVal As Boolean = False)
Dim f As Long, i As Integer
Dim stamp As Long, e_lfanew As Long
Dim base As Date, compiled As Date
On Error GoTo errExit
If Len(exe) = 0 Then
exe = App.path & "" & App.EXEName & ".exe"
End If
FileLen exe 'throw error if not exist
f = FreeFile
Open exe For Binary Access Read As f
Get f, , i
If i <> &H5A4D Then GoTo errExit 'MZ check
Get f, 60 + 1, e_lfanew
Get f, e_lfanew + 1, i
If i <> &H4550 Then GoTo errExit 'PE check
Get f, e_lfanew + 9, stamp
Close f
If returnRawVal Then
GetCompileTime = stamp
Else
base = DateSerial(1970, 1, 1)
compiled = DateAdd("s", stamp, base)
GetCompileTime = Format(compiled, "ddd, mmm d yyyy, h:nn:ss ")
End If
Exit Function
errExit:
Close f
End Function
Function SendIPC(targetHwnd As Long, msg As String, Optional senderHwnd As Long = 0) As Long
Dim cds As COPYDATASTRUCT
Dim buf(1 To 255) As Byte
List1.AddItem "SendIPC(hwnd=" & targetHwnd & ", msg=" & msg & ")"
Call CopyMemory(buf(1), ByVal msg, Len(msg))
cds.dwFlag = 3
cds.cbSize = Len(msg) + 1
cds.lpData = VarPtr(buf(1))
SendIPC = SendMessage(targetHwnd, WM_COPYDATA, senderHwnd, cds)
End Function
Public Function StartWithDLL(exe As String, dll As String) As Long
Dim hProcess As Long, hThread As Long, remoteLoadLib As Long, remoteMem As Long, bufLen As Long, writeLen As Long
Dim pi As PROCESS_INFORMATION, si As STARTUPINFO, buf() As Byte
buf() = StrConv(dll & Chr(0), vbFromUnicode)
bufLen = UBound(buf) + 1
If CreateProcess(0&, exe, 0&, 0&, 1&, CREATE_SUSPENDED, 0&, 0&, si, pi) = 0 Then Exit Function
List1.AddItem "PID: 0x" & Hex(pi.dwProcessId) & " (" & pi.dwProcessId & ")"
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pi.dwProcessId)
If hProcess = -1 Then Exit Function
remoteMem = VirtualAllocEx(hProcess, ByVal 0, bufLen, MEM_COMMIT, ByVal PAGE_READWRITE)
If remoteMem <> 0 Then
If WriteProcessBytes(hProcess, ByVal remoteMem, buf(0), bufLen, writeLen) <> 0 Then
remoteLoadLib = GetProcAddress(GetModuleHandle("kernel32.dll"), "LoadLibraryA")
If CreateRemoteThread(hProcess, ByVal 0, 0, remoteLoadLib, remoteMem, 0, hThread) <> -1 Then
List1.AddItem "ThreadID: 0x" & Hex(hThread)
Sleep 300
If ResumeThread(pi.hThread) <> -1 Then StartWithDLL = 1
End If
End If
End If
CloseHandle hProcess
End Function

165
VB-Research/vbOpenScript/injector/modSubclass.bas Normal file
View File

@ -0,0 +1,165 @@
Attribute VB_Name = "modSubclass"
Option Explicit
'Author: david zimmer <dzzie@yahoo.com>
'Site: http://sandsprite.com
'Design: you can have an unlimited number of classes, and should be
' able to subclass an unlimited number of windows. Each class
' can in turn subclass as many windows as it wants, and it should
' be able to attach to as many messages per window as it wants.
'
' You can edit message parameters and cancel them directly in
' the eventhandler you implement for the clsSubClass in your code.
'
' One thing you cannot do, is to have multiple classes subclass the
' same window looking for the same message. Different subclasses can not
' subclass the same window (new limitation in sake of cleanliness/sanity/stability)
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, ByVal nIndex As Long) As Long
Private Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, ByVal hwnd As Long, ByVal msg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Private Declare Function IsWindow Lib "user32" (ByVal hwnd As Long) As Long
Private Const GWL_WNDPROC = (-4)
Private ActiveClasses As New Collection 'of CSubclass2
Private Windows As New Collection 'of CWindow
Function RegisterClassActive(clsActive As CSubclass2)
ActiveClasses.Add clsActive, "Objptr:" & ObjPtr(clsActive)
End Function
Sub RemoveActiveClass(clsTerminate As CSubclass2)
On Error Resume Next
CloseOutClass clsTerminate
ActiveClasses.Remove "Objptr:" & ObjPtr(clsTerminate)
If ActiveClasses.Count = 0 Then InitTearDown
End Sub
'updated
Private Sub InitTearDown()
On Error Resume Next
Dim cw As CWindow
For Each cw In Windows
SetWindowLong cw.hwnd, GWL_WNDPROC, cw.pOldWndProc
Set cw.Handler = Nothing
Next
Set Windows = New Collection
End Sub
Sub MonitorWindowMessage(notify As CSubclass2, ByVal hwnd As Long, ByVal wMsg As Long)
'updated
If IsWindow(hwnd) = False Then Err.Raise 1, , "Invalid Window Handle"
Dim cw As CWindow
If AlreadySubclassing(hwnd, cw) Then
If Not ObjPtr(cw.Handler) <> ObjPtr(notify) Then
Err.Raise 3, , "This window is already subclassed by another class, not supported in name of stability.."
Else
If Not cw.MsgExists(wMsg) Then cw.AddMsg wMsg
End If
Else
'subclass each window only once
Set cw = New CWindow
cw.pOldWndProc = SetWindowLong(hwnd, GWL_WNDPROC, AddressOf WindowProc)
If cw.pOldWndProc = 0 Then Err.Raise 2, , "Subclass failed hwnd: " & hwnd
cw.hwnd = hwnd
Set cw.Handler = notify
cw.AddMsg wMsg
Windows.Add cw, "Hwnd:" & hwnd
End If
End Sub
'updated
Sub DetachWindowMessage(ByVal hwnd As Long, ByVal wMsg As Long)
Dim cw As CWindow
If AlreadySubclassing(hwnd, cw) Then
cw.RemoveMsg wMsg
If cw.ActiveMessages = 0 Then
SetWindowLong hwnd, GWL_WNDPROC, cw.pOldWndProc
Set cw.Handler = Nothing
Set cw = Nothing
Windows.Remove "Hwnd:" & hwnd
End If
End If
End Sub
Function CloseOutClass(c As CSubclass2)
Dim cw As CWindow
For Each cw In Windows
If ObjPtr(cw.Handler) = ObjPtr(c) Then
SetWindowLong cw.hwnd, GWL_WNDPROC, cw.pOldWndProc
Set cw.Handler = Nothing
Windows.Remove "Hwnd:" & cw.hwnd
End If
Next
End Function
Function WindowProc(ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
Dim stopIt As Boolean
Dim ret As Long
Dim s2 As CSubclass2
Dim cw As CWindow
If Not AlreadySubclassing(hwnd, cw) Then Exit Function 'shouldnt happen...
If cw.Handler Is Nothing Then 'shouldnt happen
DetachWindowMessage hwnd, wMsg
Exit Function
End If
If Not cw.MsgExists(wMsg) Then 'we dont care just pass it on..
WindowProc = CallWindowProc(cw.pOldWndProc, hwnd, wMsg, wParam, ByVal lParam)
Exit Function
End If
cw.Handler.ForwardMessage hwnd, wMsg, wParam, lParam, stopIt
If cw.Handler.WasOverRidden() Then
WindowProc = cw.Handler.OverRideVal()
Exit Function
End If
'stopit can be set = true when event is raised from clsSubClass
'any of the parameters passed in forward message could be changed
If Not stopIt Then
WindowProc = CallWindowProc(cw.pOldWndProc, hwnd, wMsg, wParam, ByVal lParam)
End If
End Function
Private Function AlreadySubclassing(hwnd As Long, cw As CWindow) As Boolean
On Error Resume Next
For Each cw In Windows
If cw.hwnd = hwnd Then
AlreadySubclassing = True
Exit Function
End If
Next
AlreadySubclassing = False
End Function

BIN
VB-Research/vbOpenScript/msvbvm60.dbg Normal file
View File

Binary file not shown.

BIN
VB-Research/vbOpenScript/openScript.dll Normal file
View File

Binary file not shown.

17
VB-Research/vbOpenScript/test.js Normal file
View File

@ -0,0 +1,17 @@
// make sure you are running exe and script at same permission level
var o = GetObject("remote.forms")
var f = o.Item(0)
f.List1.Clear()
WScript.Echo( f.text1.text)
f.text1.text = "test from js"
f.List1.AddItem("test list item",0)
f.caption = "yup it works"
WScript.echo(f.formMeth("remote hi").toString(16))
WScript.echo(f.pubClass.classMeth("remote class hi").toString(16))
for(i=0; i< f.controls.count; i++){
f.List1.AddItem('Control ' + i + ' = ' + f.controls(i).name)
}

28
VB-Research/vbOpenScript/test.py Normal file
View File

@ -0,0 +1,28 @@
import os, sys
import win32com.client
# tested w/ 32bit python 2.7
# If you do not have the win32com module run 'pip install pywin32'
# make sure you are running exe and script at same permission level
os.system("cls")
forms = win32com.client.GetObject("remote.forms")
for form in forms:
print form.Name
for c in form.Controls:
print " " + c.Name
f = forms(0)
print "Text1 = " + f.text1.text
print hex(f.formMeth("remote hi"))
print hex(f.pubClass.classMeth("remote class hi"))
print f.pubClass.pubString
f.text1.Text = "I see you"
if f.width < 8000:
f.width = 8000
else:
f.width = 4000

27
VB-Research/vbOpenScript/test.vbs Normal file
View File

@ -0,0 +1,27 @@
'usage: cscript test.vbs
' make sure you are running exe and script at same permission level
'32/64 bit cmd prompt doesnt matter.
'If you just double click on the file it will run in wscript and
'the echo will be a msgbox vrs console print (still works but)
Set o = GetObject("remote.forms")
Set f = o.Item(0)
f.List1.Clear()
For Each form In o
f.List1.AddItem "Form: " & form.Name
For Each c In form.Controls
f.List1.AddItem vbTab & "Control: " & c.Name & " - " & TypeName(c)
Next
Next
WScript.echo Hex(f.formMeth("remote hi"))
WScript.echo Hex(f.pubClass.classMeth("remote class hi"))
WScript.echo f.pubClass.pubString
f.text1.Text = "I see you"
f.text1.Font.Name = "System"
if f.width < 8000 then f.width = 8000 else f.width = 4000
f.List1.AddItem "hi from script"

BIN
VB-Research/vbOpenScript/testApp.exe Normal file
View File

Binary file not shown.

23
VB-Research/vbOpenScript/testApp/Class1.cls Normal file
View File

@ -0,0 +1,23 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "Class1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Public pubString As String
Public Function classMeth(x) As Long
Form1.List1.AddItem "Class1.classMeth received: " & x
classMeth = &H44556677
End Function
Private Sub Class_Initialize()
pubString = "my public class string"
End Sub

15
VB-Research/vbOpenScript/testApp/Class2.cls Normal file
View File

@ -0,0 +1,15 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "Class2"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Public pubString2 As String

47
VB-Research/vbOpenScript/testApp/Form1.frm Normal file
View File

@ -0,0 +1,47 @@
VERSION 5.00
Begin VB.Form Form1
Caption = "Sample App"
ClientHeight = 3015
ClientLeft = 60
ClientTop = 405
ClientWidth = 3165
LinkTopic = "Form1"
ScaleHeight = 3015
ScaleWidth = 3165
StartUpPosition = 3 'Windows Default
Begin VB.ListBox List1
Height = 2400
Left = 135
TabIndex = 1
Top = 495
Width = 2850
End
Begin VB.TextBox Text1
Height = 285
Left = 135
TabIndex = 0
Text = "Text1"
Top = 90
Width = 2850
End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Private Declare Function GetCurrentThreadId Lib "kernel32" () As Long
Public pubClass As New Class1
Public Function formMeth(x) As Long
List1.AddItem "form1.formMeth received: " & x
formMeth = &H11223344
End Function
Private Sub Form_Load()
List1.AddItem "VB.Forms: " & Hex(ObjPtr(VB.Forms))
List1.AddItem "ThreadID: " & Hex(GetCurrentThreadId())
If Len(Command) > 0 Then List1.AddItem "CmdLine: " & Command
End Sub

37
VB-Research/vbOpenScript/testApp/Project1.vbp Normal file
View File

@ -0,0 +1,37 @@
Type=Exe
Reference=*\G{00020430-0000-0000-C000-000000000046}#2.0#0#..\..\..\..\..\Windows\SysWOW64\stdole2.tlb#OLE Automation
Form=Form1.frm
Class=Class1; Class1.cls
Class=Class2; Class2.cls
IconForm="Form1"
Startup="Form1"
HelpFile=""
ExeName32="Project1.exe"
Path32=".."
Command32=""
Name="Project1"
HelpContextID="0"
CompatibleMode="0"
MajorVer=1
MinorVer=0
RevisionVer=0
AutoIncrementVer=0
ServerSupportFiles=0
CompilationType=0
OptimizationType=0
FavorPentiumPro(tm)=0
CodeViewDebugInfo=0
NoAliasing=0
BoundsCheck=0
OverflowCheck=0
FlPointCheck=0
FDIVCheck=0
UnroundedFP=0
StartMode=0
Unattended=0
Retained=0
ThreadPerObject=0
MaxNumberOfThreads=1
[fastBuild]
fullPath=%ap%\..\testApp.exe

3
VB-Research/vbOpenScript/testApp/Project1.vbw Normal file
View File

@ -0,0 +1,3 @@
Form1 = 52, 52, 864, 657, , 26, 26, 838, 475, C
Class1 = 52, 52, 864, 501, C
Class2 = 52, 52, 728, 489, C

105
VB-Research/vbOpenScript/vbdec/injector.exe/FileReport.txt Normal file
View File

@ -0,0 +1,105 @@
----------------------------------
VB Exe Info
----------------------------------
VB Version: 6
VBStartOffset= 0
FormCount= 1
CompileType= Native
----------------------------------
VB Project Infomation
----------------------------------
ProjectTitle= injector
ProjectName= injector
ExeName= injector
HelpFile=
ExternalComponentCount= 0
----------------------------------
Object List
----------------------------------
frmMain
CFileSystem2
clsCmnDlg
modSubclass
CSubclass2
CWindow
----------------------------------
External Ocx List
----------------------------------
----------------------------------
Api List
----------------------------------
26 Api Calls - 5 Dlls
user32
CallWindowProcA @ 406168
GetWindowLongA @ 406120
SetWindowLongA @ 4060D8
GetForegroundWindow @ 404E48
IsWindow @ 404A70
SendMessageA @ 404A2C
kernel32
GetTickCount @ 405084
lstrcatA @ 404D00
RtlMoveMemory @ 4049D8
CloseHandle @ 404990
DebugBreak @ 404934
ResumeThread @ 4048F0
CreateProcessA @ 4048A8
VirtualAllocEx @ 404860
GetProcAddress @ 404818
GetModuleHandleA @ 4047D0
CreateRemoteThread @ 404768
WriteProcessMemory @ 40471C
OpenProcess @ 4046D0
Sleep @ 40468C
ole32.dll
CoTaskMemFree @ 404DFC
shell32
SHGetPathFromIDList @ 404DA4
SHBrowseForFolder @ 404D58
comdlg32.dll
ChooseColorA @ 404CAC
GetSaveFileNameA @ 404C64
GetOpenFileNameA @ 404C18
----------------------------------
Controls Guids
----------------------------------
Parent Form, Control Name, GUID
frmMain , List1 , {33AD4F10-6699-11CF-B70C-00AA0060D393}
frmMain , Form , {33AD4F38-6699-11CF-B70C-00AA0060D393}
frmMain , mnuUpdateConfig , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuCaptures , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuClearPidList , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuUpdateAll , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , lblDll , {33AD4ED8-6699-11CF-B70C-00AA0060D393}
frmMain , mnuSuspend , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuFind , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuPopup , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuResume , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuTerminate , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , Label7 , {33AD4ED8-6699-11CF-B70C-00AA0060D393}
frmMain , Label1 , {33AD4ED8-6699-11CF-B70C-00AA0060D393}
frmMain , Label2 , {33AD4ED8-6699-11CF-B70C-00AA0060D393}
frmMain , Label3 , {33AD4ED8-6699-11CF-B70C-00AA0060D393}
frmMain , mnuProcess , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , cmdStart , {33AD4EF0-6699-11CF-B70C-00AA0060D393}
frmMain , cmdSendIPC , {33AD4EF0-6699-11CF-B70C-00AA0060D393}
frmMain , mnuLoadSampleApiLog , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , mnuKillAll , {33AD4F68-6699-11CF-B70C-00AA0060D393}
frmMain , txtDll , {33AD4EE0-6699-11CF-B70C-00AA0060D393}
frmMain , txtArgs , {33AD4EE0-6699-11CF-B70C-00AA0060D393}
frmMain , txtExe , {33AD4EE0-6699-11CF-B70C-00AA0060D393}
frmMain , txtIPCCmd , {33AD4EE0-6699-11CF-B70C-00AA0060D393}
frmMain , cmdBrowse , {33AD4EF1-6699-11CF-B70C-00AA0060D393}
frmMain , sc , {CE6C35D1-1F61-414D-AE57-226CB7A5A9A2}
frmMain , txtIPCHwnd , {33AD4EE0-6699-11CF-B70C-00AA0060D393}
CFileSystem2 , Class , {FCFB3D1F-A0FA-1068-A738-08002B3371B5}
clsCmnDlg , Class , {FCFB3D1F-A0FA-1068-A738-08002B3371B5}
CSubclass2 , Class , {FCFB3D1F-A0FA-1068-A738-08002B3371B5}
CWindow , Class , {FCFB3D1F-A0FA-1068-A738-08002B3371B5}

42
VB-Research/vbOpenScript/vbdec/testApp.exe/FileReport.txt Normal file
View File

@ -0,0 +1,42 @@
----------------------------------
VB Exe Info
----------------------------------
VB Version: 6
VBStartOffset= 0
FormCount= 1
CompileType= Native
----------------------------------
VB Project Infomation
----------------------------------
ProjectTitle= Project1
ProjectName= Project1
ExeName= testApp
HelpFile=
ExternalComponentCount= 0
----------------------------------
Object List
----------------------------------
Form1
Class1
Class2
----------------------------------
External Ocx List
----------------------------------
----------------------------------
Api List
----------------------------------
1 Api Calls - 1 Dlls
kernel32
GetCurrentThreadId @ 401E04
----------------------------------
Controls Guids
----------------------------------
Parent Form, Control Name, GUID
Form1 , List1 , {33AD4F10-6699-11CF-B70C-00AA0060D393}
Form1 , Form , {33AD4F38-6699-11CF-B70C-00AA0060D393}
Form1 , Text1 , {33AD4EE0-6699-11CF-B70C-00AA0060D393}
Class1 , Class , {FCFB3D1F-A0FA-1068-A738-08002B3371B5}
Class2 , Class , {FCFB3D1F-A0FA-1068-A738-08002B3371B5}