Need some help with x86 assembly
MODRM_EAX_06 MACRO ;/* [EAX], with reg/opcode: /6 */
BYTE 030h
ENDM
What does byte 030h do?
For additional info, this macro is used in
void vmxPtrld(u64 addr)
VmxPtrld PROC StdCall _addr_low,_addr_high
mov eax,8
add eax,ebp
vmx_ptrld
MODRM_EAX_06
ret
VmxPtrld ENDP
I just want to understand what the macro does in the above code.
Many opcodes are followed by a ModR/M byte, which is split into 3 portions: the top two bits are "Mod", the next three are "Reg", and the bottom three are "R/M".
The combination of the "Mod" and "R/M" portions specifies a register and addressing mode; the "Reg" portion may specify another register, or, in some cases, may specify a further extension to the opcode.
In this case, the ModR/M byte looks like this:
0 0 1 1 0 0 0 0
\_/ \___/ \___/
Mod  Reg   R/M
Mod bits of 00 and R/M bits of 000 mean an addressing mode of [EAX] (in 32-bit mode). The remaining Reg bits are 6 in decimal. Hence MODRM_EAX_06.
To fully understand what is going on in your example, you need to know what the vmx_ptrld macro does. Assuming that this is indeed what @sixlettervariables found, vmx_ptrld produces bytes 0F C7.
0F is the first byte of a two-byte opcode. In many cases, the next byte will complete the opcode; but C7 indicates that further bits must be read from the Reg field of the ModR/M byte to determine what the opcode is. So the final opcode is 0F followed by C7 followed by the 6 from the Reg field of the ModR/M byte, written as 0F C7 /6 in Intel's manuals (which can be found here).
0F C7 /6 is VMPTRLD, so the real meaning of your routine is:
mov eax,8
add eax,ebp
vmptrld [eax]
ret
Presumably it has been written like this for the benefit of old assemblers which do not understand the (relatively recent) VMX instructions.
It looks like they are using it to generate an instruction; this is the mod r/m byte of the instruction.
Looking at bluepill (which I guess is the code the OP is asking about), vmx_ptrld is also a macro, so
vmx_ptrld
MODRM_EAX_06
is a single instruction, MODRM_EAX_06 being the data for the instruction.
Rationale: bluepill is a PoC exploit for virtualization. When it was written, apparently the assembler that was used didn't yet support virtualization-related instructions, so they got coded inline via macros.
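A worked example, added here and not part of the question or either answer above, that makes the ModR/M arithmetic both answers rely on concrete: it splits 030h into its Mod/Reg/R/M fields, rebuilds it from those fields, assembles the 0F C7 /6 form of VMPTRLD for a plain base register, and recognises the resulting byte sequence again. The helper names (decode_modrm, encode_modrm, assemble_vmptrld_mem, disassemble_0fc7) are hypothetical names chosen for this example; the opcode facts used are the ones stated in the answers (0F C7 /6 = VMPTRLD) plus the neighbouring /7 = VMPTRST and /1 = CMPXCHG8B entries from Intel's opcode table. It also goes slightly beyond the question by rejecting the two mod=00 encodings (ESP and EBP) that do not denote a simple [reg] operand.

```python
# Added example (not code from the original question, the answers, or bluepill):
# a minimal ModR/M encoder/decoder for the 32-bit register-indirect form.

REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Opcode extensions in the reg field for the unprefixed 0F C7 group.
OPCODE_0FC7_EXT = {1: "CMPXCHG8B", 6: "VMPTRLD", 7: "VMPTRST"}


def decode_modrm(byte: int) -> dict:
    """Split one ModR/M byte into mod (top 2 bits), reg (next 3), r/m (low 3)."""
    if not 0 <= byte <= 0xFF:
        raise ValueError("ModR/M is a single byte")
    return {"mod": byte >> 6, "reg": (byte >> 3) & 7, "rm": byte & 7}


def encode_modrm(mod: int, reg: int, rm: int) -> int:
    """Pack the three fields back into a byte, range-checking each one."""
    for name, val, width in (("mod", mod, 2), ("reg", reg, 3), ("rm", rm, 3)):
        if not 0 <= val < (1 << width):
            raise ValueError(f"{name} field out of range")
    return (mod << 6) | (reg << 3) | rm


def describe_modrm_mem(byte: int) -> str:
    """Render the memory operand for mod=00 in 32-bit mode.

    Two mod=00 encodings are not a plain base register and are rejected:
    r/m=100 means a SIB byte follows, r/m=101 means [disp32] with no base.
    """
    f = decode_modrm(byte)
    if f["mod"] != 0:
        raise ValueError("only the register-indirect (mod=00) form is handled")
    if f["rm"] == 4:
        raise ValueError("r/m=100 requires a following SIB byte")
    if f["rm"] == 5:
        raise ValueError("r/m=101 is [disp32], not a base register")
    return f"[{REGS32[f['rm']]}]"


def assemble_vmptrld_mem(base_reg: str) -> bytes:
    """Encode VMPTRLD m64 as 0F C7 /6 with mod=00 and the base register in r/m.

    This is what the question's 'vmx_ptrld' + 'MODRM_EAX_06' macro pair spells
    out by hand for EAX; here any usable base register can be chosen.
    """
    rm = REGS32.index(base_reg.upper())
    if rm in (4, 5):
        raise ValueError("ESP needs a SIB byte and EBP needs a displacement in mod=00 form")
    return bytes([0x0F, 0xC7, encode_modrm(mod=0, reg=6, rm=rm)])


def disassemble_0fc7(code: bytes) -> str:
    """Recognise a three-byte 0F C7 <ModR/M> sequence in its mod=00 form."""
    if len(code) != 3 or code[0] != 0x0F or code[1] != 0xC7:
        raise ValueError("expected 0F C7 followed by a ModR/M byte")
    ext = decode_modrm(code[2])["reg"]
    mnemonic = OPCODE_0FC7_EXT.get(ext)
    if mnemonic is None:
        raise ValueError(f"/{ext} is not an opcode extension handled here")
    return f"{mnemonic} {describe_modrm_mem(code[2])}"


if __name__ == "__main__":
    fields = decode_modrm(0x30)
    print(f"030h -> mod={fields['mod']:02b} reg={fields['reg']:03b} r/m={fields['rm']:03b}")
    print("0F C7 30 ->", disassemble_0fc7(bytes([0x0F, 0xC7, 0x30])))
```

Running the block prints the field split of 030h (mod=00, reg=110, r/m=000) and decodes 0F C7 30 as VMPTRLD [EAX], which is exactly the instruction the answers say the macro pair stands for.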