需要一些x86程序集的帮助
[英]Need some help with x86 assembly
问题描述
MODRM_EAX_06 MACRO ;/* [EAX], with reg/opcode: /6 */
BYTE 030h
ENDM
What does byte 030h do ? 
字节030h做什么?
For additional info this macro is used in 有关其他信息,请使用此宏
void vmxPtrld(u64 addr)
VmxPtrld PROC StdCall _addr_low,_addr_high
mov eax,8
add eax,ebp
vmx_ptrld
MODRM_EAX_06
ret
VmxPtrld ENDP
I just want to understand what the macro does in the following code? 我只是想了解宏在下面的代码中做了什么?
3 个解决方案
解决方案1
5 已采纳 2011-06-27 23:22:56
Many opcodes are followed by a ModR/M byte, which is split into 3 portions: the top two bits are "Mod", the next three are "Reg", and the bottom three are "R/M". 许多操作码之后是一个ModR / M字节,它被分成3个部分:前两位是“Mod”,后三位是“Reg”,后三位是“R / M”。
The combination of the "Mod" and "R/M" portions specify a register and addressing mode; “Mod”和“R / M”部分的组合指定寄存器和寻址模式; the "Reg" portion may specify another register, or, in some cases, may specify a further extension to the opcode. “Reg”部分可以指定另一个寄存器,或者在某些情况下,可以指定对操作码的进一步扩展。
In this case, the ModR/M byte looks like this: 在这种情况下,ModR / M字节如下所示:
0 0 1 1 0 0 0 0
\_/ \___/ \___/
Mod Reg R/M
Mod bits of 00 and R/M bits of 000 mean an addressing mode of [EAX] (in 32-bit mode). 00硬件位和000 R / M位表示[EAX]的寻址模式(在32位模式下)。
The remaining Reg bits are 6 in decimal. 其余的Reg位是十进制的6 。 Hence MODRM_EAX_06 . 因此MODRM_EAX_06 。
To fully understand what is going on in your example, you need to know what the vmx_ptrld macro does. 要完全了解示例中的内容,您需要知道vmx_ptrld宏的作用。 Assuming that this is indeed what @sixlettervariables found, vmx_ptrld produces bytes 0F C7 . 假设这确实是@sixlettervariables找到的, vmx_ptrld产生字节0F C7 。
0F is the first byte of a two-byte opcode. 0F是双字节操作码的第一个字节。 In many cases, the next byte will complete the opcode; 在许多情况下,下一个字节将完成操作码; but C7 indicates that further bits must be read from the Reg field of the ModR/M byte to determine what the opcode is. 但是C7表示必须从ModR / M字节的Reg字段读取更多位以确定操作码是什么。 So the final opcode is 0F followed by C7 followed by the 6 from the Reg field of the ModR/M byte, written as 0F C7 /6 in Intel's manuals (which can be found here ). 所以最终的操作码0F之后C7其次是6从MODR / M字节的Reg字段,写成0F C7 /6英特尔手册(可以发现这里 )。
0F C7 /6 is VMPTRLD , so the real meaning of your routine is: 0F C7 /6是VMPTRLD ,因此您例程的真正含义是:
mov eax,8
add eax,ebp
vmptrld [eax]
ret
Presumably it has been written like this for the benefit of old assemblers which do not understand the (relatively recent) VMX instructions. 据推测,它是为了旧的汇编程序的利益而编写的,它们不了解(相对较新的)VMX指令。
解决方案2
4 2011-06-27 22:07:33
看起来他们正在使用它来生成指令,这是指令的mod r / m字节 。
解决方案3
1 2011-06-27 23:22:10
Looking at bluepill (which I guess is the code the OP is asking about), vmx_ptrld is also a macro, so 看看bluepill (我猜是OP正在询问的代码), vmx_ptrld也是一个宏,所以
vmx_ptrld
MODRM_EAX_06
is a single instruction, MODRM_EAX_06 being the data for the instruction. 是一条指令, MODRM_EAX_06是指令的数据。
Rationale: bluepill is a PoC exploit for virtualization. 理由: bluepill是用于虚拟化的PoC漏洞。 When it was written, apparently the assembler that was used didn't yet support virtualization-related instructions, so they got coded inline via macros. 在编写时,显然使用的汇编程序还不支持与虚拟化相关的指令,因此它们通过宏进行内联编码。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.