GitList

libclamav/disasm-common.h

b54e540e	/*
e1cbc270	* Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
b2489cf7	* Copyright (C) 2008-2013 Sourcefire, Inc.
b54e540e	* * Authors: Török Edvin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. / #ifndef DISASM_BC_H #define DISASM_BC_H /* @file / /* X86 opcode */ enum X86OPS {
288057e9	OP_INVALID, OP_AAA, /*< Ascii Adjust after Addition / OP_AAD, /*< Ascii Adjust AX before Division / OP_AAM, /*< Ascii Adjust AX after Multiply / OP_AAS, /*< Ascii Adjust AL after Subtraction / OP_ADD, /*< Add / OP_ADC, /*< Add with Carry / OP_AND, /*< Logical And / OP_ARPL, /*< Adjust Requested Privilege Level / OP_BOUND, /*< Check Array Index Against Bounds / OP_BSF, /*< Bit Scan Forward / OP_BSR, /*< Bit Scan Reverse / OP_BSWAP, /*< Byte Swap / OP_BT, /*< Bit Test / OP_BTC, /*< Bit Test and Complement / OP_BTR, /*< Bit Test and Reset / OP_BTS, /*< Bit Test and Set / OP_CALL, /*< Call / OP_CDQ, /*< Convert DoubleWord to QuadWord/ OP_CWD, OP_CWDE, /*< Convert Word to DoubleWord / OP_CBW, /*< Convert Byte to Word / OP_CLC, /*< Clear Carry Flag / OP_CLD, /*< Clear Direction Flag / OP_CLI, /*< Clear Interrupt Flag / OP_CLTS, /*< Clear Task-Switched Flag in CR0 / OP_CMC, /*< Complement Carry Flag / OP_CMOVO, /*< Conditional Move if Overflow / OP_CMOVNO, /*< Conditional Move if Not Overflow / OP_CMOVC, /*< Conditional Move if Carry / OP_CMOVNC, /*< Conditional Move if Not Carry / OP_CMOVZ, /*< Conditional Move if Zero / OP_CMOVNZ, /*< Conditional Move if Non-Zero / OP_CMOVBE, /*< Conditional Move if Below or Equal / OP_CMOVA, /*< Conditional Move if Above / OP_CMOVS, /*< Conditional Move if Sign / OP_CMOVNS, /*< Conditional Move if Not Sign / OP_CMOVP, /*< Conditional Move if Parity / OP_CMOVNP, /*< Conditional Move if Not Parity / OP_CMOVL, /*< Conditional Move if Less / OP_CMOVGE, /*< Conditional Move if Greater or Equal / OP_CMOVLE, /*< Conditional Move if Less than or Equal / OP_CMOVG, /*< Conditional Move if Greater / OP_CMP, /*< Compare / OP_CMPSD, /*< Compare String DoubleWord / OP_CMPSW, /*< Compare String Word / OP_CMPSB, /*< Compare String Byte / OP_CMPXCHG, /*< Compare and Exchange / OP_CMPXCHG8B, /*< Compare and Exchange Bytes / OP_CPUID, /*< CPU Identification / OP_DAA, /*< Decimal Adjust AL after Addition / OP_DAS, /*< Decimal Adjust AL after Subtraction / OP_DEC, /*< Decrement by 1 / OP_DIV, /*< Unsigned Divide / OP_ENTER, /*< Make Stack Frame for Procedure Parameters / OP_FWAIT, /*< Wait / OP_HLT, /*< Halt / OP_IDIV, /*< Signed Divide / OP_IMUL, /*< Signed Multiply / OP_INC, /*< Increment by 1 / OP_IN, /*< INput from port / OP_INSD, /*< INput from port to String Doubleword / OP_INSW, /*< INput from port to String Word / OP_INSB, /*< INput from port to String Byte / OP_INT, /*< INTerrupt / OP_INT3, /*< INTerrupt 3 (breakpoint) / OP_INTO, /*< INTerrupt 4 if Overflow / OP_INVD, /*< Invalidate Internal Caches / OP_INVLPG, /*< Invalidate TLB Entry / OP_IRET, /*< Interrupt Return / OP_JO, /*< Jump if Overflow / OP_JNO, /*< Jump if Not Overflow / OP_JC, /*< Jump if Carry / OP_JNC, /*< Jump if Not Carry / OP_JZ, /*< Jump if Zero / OP_JNZ, /*< Jump if Not Zero / OP_JBE, /*< Jump if Below or Equal / OP_JA, /*< Jump if Above / OP_JS, /*< Jump if Sign / OP_JNS, /*< Jump if Not Sign / OP_JP, /*< Jump if Parity / OP_JNP, /*< Jump if Not Parity / OP_JL, /*< Jump if Less / OP_JGE, /*< Jump if Greater or Equal / OP_JLE, /*< Jump if Less or Equal / OP_JG, /*< Jump if Greater / OP_JMP, /*< Jump (unconditional) / OP_LAHF, /*< Load Status Flags into AH Register / OP_LAR, /*< load Access Rights Byte / OP_LDS, /*< Load Far Pointer into DS / OP_LES, /*< Load Far Pointer into ES / OP_LFS, /*< Load Far Pointer into FS / OP_LGS, /*< Load Far Pointer into GS / OP_LEA, /*< Load Effective Address / OP_LEAVE, /*< High Level Procedure Exit / OP_LGDT, /*< Load Global Descript Table Register / OP_LIDT, /*< Load Interrupt Descriptor Table Register / OP_LLDT, /*< Load Local Descriptor Table Register / OP_PREFIX_LOCK, /*< Assert LOCK# Signal Prefix / OP_LODSD, /*< Load String Dword/ OP_LODSW, /*< Load String Word / OP_LODSB, /*< Load String Byte / OP_LOOP, /*< Loop According to ECX Counter / OP_LOOPE, /*< Loop According to ECX Counter and ZF=1 / OP_LOOPNE, /*< Loop According to ECX Counter and ZF=0 / OP_JECXZ, /*< Jump if ECX is Zero / OP_LSL, /*< Load Segment Limit / OP_LSS, /*< Load Far Pointer into SS / OP_LTR, /*< Load Task Register / OP_MOV, /*< Move / OP_MOVSD, /*< Move Data from String to String Doubleword / OP_MOVSW, /*< Move Data from String to String Word / OP_MOVSB, /*< Move Data from String to String Byte / OP_MOVSX, /*< Move with Sign-Extension / OP_MOVZX, /*< Move with Zero-Extension / OP_MUL, /*< Unsigned Multiply / OP_NEG, /*< Two's Complement Negation / OP_NOP, /*< No Operation / OP_NOT, /*< One's Complement Negation / OP_OR, /*< Logical Inclusive OR / OP_OUT, /*< Output to Port / OP_OUTSD, /*< Output String to Port Doubleword / OP_OUTSW, /*< Output String to Port Word / OP_OUTSB, /*< Output String to Port Bytes / OP_PUSH, /*< Push Onto the Stack / OP_PUSHAD, /*< Push All Double General Purpose Registers / OP_PUSHA, OP_PUSHFD, /*< Push EFLAGS Register onto the Stack / OP_PUSHF, OP_POP, /*< Pop a Value from the Stack / OP_POPAD, /*< Pop All Double General Purpose Registers from the Stack / OP_POPFD, /*< Pop Stack into EFLAGS Register / OP_POPF, OP_RCL, /*< Rotate Carry Left / OP_RCR, /*< Rotate Carry Right / OP_RDMSR, /*< Read from Model Specific Register / OP_RDPMC, /*< Read Performance Monitoring Counters / OP_RDTSC, /*< Read Time-Stamp Counter / OP_PREFIX_REPE, /*< Repeat String Operation Prefix while Equal / OP_PREFIX_REPNE, /*< Repeat String Operation Prefix while Not Equal / OP_RETF, /*< Return from Far Procedure / OP_RETN, /*< Return from Near Procedure / OP_ROL, /*< Rotate Left / OP_ROR, /*< Rotate Right / OP_RSM, /*< Resume from System Management Mode / OP_SAHF, /*< Store AH into Flags / OP_SAR, /*< Shift Arithmetic Right / OP_SBB, /*< Subtract with Borrow / OP_SCASD, /*< Scan String Doubleword / OP_SCASW, /*< Scan String Word / OP_SCASB, /*< Scan String Byte / OP_SETO, /*< Set Byte on Overflow / OP_SETNO, /*< Set Byte on Not Overflow / OP_SETC, /*< Set Byte on Carry / OP_SETNC, /*< Set Byte on Not Carry / OP_SETZ, /*< Set Byte on Zero / OP_SETNZ, /*< Set Byte on Not Zero / OP_SETBE, /*< Set Byte on Below or Equal / OP_SETA, /*< Set Byte on Above / OP_SETS, /*< Set Byte on Sign / OP_SETNS, /*< Set Byte on Not Sign / OP_SETP, /*< Set Byte on Parity / OP_SETNP, /*< Set Byte on Not Parity / OP_SETL, /*< Set Byte on Less / OP_SETGE, /*< Set Byte on Greater or Equal / OP_SETLE, /*< Set Byte on Less or Equal / OP_SETG, /*< Set Byte on Greater / OP_SGDT, /*< Store Global Descriptor Table Register / OP_SIDT, /*< Store Interrupt Descriptor Table Register / OP_SHL, /*< Shift Left / OP_SHLD, /*< Double Precision Shift Left / OP_SHR, /*< Shift Right / OP_SHRD, /*< Double Precision Shift Right / OP_SLDT, /*< Store Local Descriptor Table Register / OP_STOSD, /*< Store String Doubleword / OP_STOSW, /*< Store String Word / OP_STOSB, /*< Store String Byte / OP_STR, /*< Store Task Register / OP_STC, /*< Set Carry Flag / OP_STD, /*< Set Direction Flag / OP_STI, /*< Set Interrupt Flag / OP_SUB, /*< Subtract / OP_SYSCALL, /*< Fast System Call / OP_SYSENTER, /*< Fast System Call / OP_SYSEXIT, /*< Fast Return from Fast System Call / OP_SYSRET, /*< Return from Fast System Call / OP_TEST, /*< Logical Compare / OP_UD2, /*< Undefined Instruction / OP_VERR, /*< Verify a Segment for Reading / OP_VERRW, /*< Verify a Segment for Writing / OP_WBINVD, /*< Write Back and Invalidate Cache / OP_WRMSR, /*< Write to Model Specific Register / OP_XADD, /*< Exchange and Add / OP_XCHG, /*< Exchange Register/Memory with Register / OP_XLAT, /*< Table Look-up Translation / OP_XOR, /*< Logical Exclusive OR / OP_PREFIX_OPSIZE, OP_PREFIX_ADDRSIZE, OP_PREFIX_SEGMENT, OP_2BYTE,
b54e540e
288057e9	OP_FPU, /*< FPU operation /
b54e540e
288057e9	OP_F2XM1, /*< Compute 2x-1 / OP_FABS, /*< Absolute Value / OP_FADD, /*< Floating Point Add / OP_FADDP, /*< Floating Point Add, Pop / OP_FBLD, /*< Load Binary Coded Decimal / OP_FBSTP, /*< Store BCD Integer and Pop / OP_FCHS, /*< Change Sign / OP_FCLEX, /*< Clear Exceptions / OP_FCMOVB, /*< Floating Point Move on Below / OP_FCMOVBE, /*< Floating Point Move on Below or Equal / OP_FCMOVE, /*< Floating Point Move on Equal / OP_FCMOVNB, /*< Floating Point Move on Not Below / OP_FCMOVNBE, /*< Floating Point Move on Not Below or Equal / OP_FCMOVNE, /*< Floating Point Move on Not Equal / OP_FCMOVNU, /*< Floating Point Move on Not Unordered / OP_FCMOVU, /*< Floating Point Move on Unordered / OP_FCOM, /*< Compare Floating Pointer Values and Set FPU Flags / OP_FCOMI, /*< Compare Floating Pointer Values and Set EFLAGS / OP_FCOMIP, /*< Compare Floating Pointer Values and Set EFLAGS, Pop / OP_FCOMP, /*< Compare Floating Pointer Values and Set FPU Flags, Pop / OP_FCOMPP, /*< Compare Floating Pointer Values and Set FPU Flags, Pop Twice / OP_FCOS, /*< Cosine / OP_FDECSTP, /*< Decrement Stack Top Pointer / OP_FDIV, /*< Floating Point Divide / OP_FDIVP, /*< Floating Point Divide, Pop / OP_FDIVR, /*< Floating Point Reverse Divide / OP_FDIVRP, /*< Floating Point Reverse Divide, Pop / OP_FFREE, /*< Free Floating Point Register / OP_FIADD, /*< Floating Point Add / OP_FICOM, /*< Compare Integer / OP_FICOMP, /*< Compare Integer, Pop / OP_FIDIV, /*< Floating Point Divide by Integer / OP_FIDIVR, /*< Floating Point Reverse Divide by Integer / OP_FILD, /*< Load Integer / OP_FIMUL, /*< Floating Point Multiply with Integer / OP_FINCSTP, /*< Increment Stack-Top Pointer / OP_FINIT, /*< Initialize Floating-Point Unit / OP_FIST, /*< Store Integer / OP_FISTP, /*< Store Integer, Pop / OP_FISTTP, /*< Store Integer with Truncation / OP_FISUB, /*< Floating Point Integer Subtract / OP_FISUBR, /*< Floating Point Reverse Integer Subtract / OP_FLD, /*< Load Floating Point Value / OP_FLD1, /*< Load Constant 1 / OP_FLDCW, /*< Load x87 FPU Control Word / OP_FLDENV, /*< Load x87 FPU Environment / OP_FLDL2E, /*< Load Constant log_2(e) / OP_FLDL2T, /*< Load Constant log_2(10) / OP_FLDLG2, /*< Load Constant log_10(2) / OP_FLDLN2, /*< Load Constant log_e(2) / OP_FLDPI, /*< Load Constant PI / OP_FLDZ, /*< Load Constant Zero / OP_FMUL, /*< Floating Point Multiply / OP_FMULP, /*< Floating Point Multiply, Pop / OP_FNOP, /*< No Operation / OP_FPATAN, /*< Partial Arctangent / OP_FPREM, /*< Partial Remainder / OP_FPREM1, /*< Partial Remainder / OP_FPTAN, /*< Partial Tangent / OP_FRNDINT, /*< Round to Integer / OP_FRSTOR, /*< Restore x86 FPU State / OP_FSCALE, /*< Scale / OP_FSIN, /* Sine / OP_FSINCOS, /< Sine and Cosine / OP_FSQRT, /*< Square Root / OP_FSAVE, /*< Store x87 FPU State / OP_FST, /*< Store Floating Point Value / OP_FSTCW, /*< Store x87 FPU Control Word / OP_FSTENV, /*< Store x87 FPU Environment / OP_FSTP, /*< Store Floating Point Value, Pop / OP_FSTSW, /*< Store x87 FPU Status Word / OP_FSUB, /*< Floating Point Subtract / OP_FSUBP, /*< Floating Point Subtract, Pop / OP_FSUBR, /*< Floating Point Reverse Subtract / OP_FSUBRP, /*< Floating Point Reverse Subtract, Pop / OP_FTST, /*< Floating Point Test / OP_FUCOM, /*< Floating Point Unordered Compare / OP_FUCOMI, /*< Floating Point Unordered Compare with Integer / OP_FUCOMIP, /*< Floating Point Unorder Compare with Integer, Pop / OP_FUCOMP, /*< Floating Point Unorder Compare, Pop / OP_FUCOMPP, /*< Floating Point Unorder Compare, Pop Twice / OP_FXAM, /*< Examine ModR/M / OP_FXCH, /*< Exchange Register Contents / OP_FXTRACT, /*< Extract Exponent and Significand / OP_FYL2X, /*< Compute ylog2x / OP_FYL2XP1 /< Compute ylog2(x+1) */
b54e540e	}; /** Access type */ enum DIS_ACCESS {
288057e9	ACCESS_NOARG, /*< arg not present / ACCESS_IMM, /*< immediate / ACCESS_REL, /*< +/- immediate / ACCESS_REG, /*< register / ACCESS_MEM /*< [memory] /
b54e540e	}; /** for mem access, immediate and relative */ enum DIS_SIZE {
288057e9	SIZEB, /*< Byte size access / SIZEW, /*< Word size access / SIZED, /*< Doubleword size access / SIZEF, /*< 6-byte access (seg+reg pair)/ SIZEQ, /*< Quadword access / SIZET, /*< 10-byte access / SIZEPTR /** ptr */
b54e540e	}; /** X86 registers */ enum X86REGS {
288057e9	X86_REG_EAX, X86_REG_ECX, X86_REG_EDX, X86_REG_EBX, X86_REG_ESP, X86_REG_EBP, X86_REG_ESI, X86_REG_EDI, X86_REG_AX, X86_REG_CX, X86_REG_DX, X86_REG_BX, X86_REG_SP, X86_REG_BP, X86_REG_SI, X86_REG_DI, X86_REG_AH, X86_REG_CH, X86_REG_DH, X86_REG_BH, X86_REG_AL, X86_REG_CL, X86_REG_DL, X86_REG_BL, X86_REG_ES, X86_REG_CS, X86_REG_SS, X86_REG_DS, X86_REG_FS, X86_REG_GS, X86_REG_CR0, X86_REG_CR1, X86_REG_CR2, X86_REG_CR3, X86_REG_CR4, X86_REG_CR5, X86_REG_CR6, X86_REG_CR7, X86_REG_DR0, X86_REG_DR1, X86_REG_DR2, X86_REG_DR3, X86_REG_DR4, X86_REG_DR5, X86_REG_DR6, X86_REG_DR7, X86_REG_ST0, X86_REG_ST1, X86_REG_ST2, X86_REG_ST3, X86_REG_ST4, X86_REG_ST5, X86_REG_ST6, X86_REG_ST7, X86_REG_INVALID
b54e540e	}; /** disassembly result, 64-byte, matched by type-8 signatures */ struct DISASM_RESULT { uint16_t real_op; uint8_t opsize; uint8_t adsize; uint8_t segment; uint8_t arg[3][10]; uint8_t extra[29]; }; #endif