git-svn: trunk@4002
aCaB authored on 2008/07/28 01:27:29... | ... |
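--- a/PATH_NOT_ON_PAGE_1
+++ b/PATH_NOT_ON_PAGE_1
@@ -1664,21 +1664,58 @@ uint8_t *disasm_x86(uint8_t *command, unsigned int len, struct DISASMED *s) {
 
 
 void disasmbuf(uint8_t *buff, unsigned int len, int fd) {
-char hr[128];
 uint8_t *next = buff;
 unsigned int counter=0;
 struct DISASMED s;
+struct MARIO {
+uint16_t real_op;
+uint8_t opsize;
+uint8_t adsize;
+uint8_t segment;
+
+uint8_t arg[3][11];
+
+uint8_t extra[26];
+} w;
+
+memset(&w.extra[0], 0, sizeof(w.extra));
 
 while(len && counter++<200) {
+int i;
 if(!(next = disasm_x86(next, len, &s))) {
 /* TODO: invd opcode or buff over */
 return;
 }
-spam_x86(&s, hr);
-/* TODO: save stuff here */
+if(cli_debug_flag) {
+char hr[128];
+spam_x86(&s, hr);
+cli_dbgmsg("%s\n", hr);
+}
+
 len -= next-buff;
 buff=next;
-}
 
+cli_writeint32(&w.real_op, s.real_op);
+w.opsize = s.opsize;
+w.adsize = s.adsize;
+w.segment = s.segment;
+
+for (i=0; i<3; i++) {
+w.arg[i][0] = s.args[i].access;
+w.arg[i][1] = s.args[i].size;
+w.arg[i][2] = s.args[i].reg;
+if(s.args[i].access==ACCESS_MEM) {
+w.arg[i][3]=s.args[i].arg.marg.r1;
+w.arg[i][4]=s.args[i].arg.marg.r1;
+w.arg[i][5]=s.args[i].arg.marg.scale;
+cli_writeint32(&w.arg[i][6], s.args[i].arg.marg.disp);
+w.arg[i][10]=0;
+} else {
+cli_writeint32(&w.arg[i][3], s.args[i].arg.d);
+cli_writeint32(&w.arg[i][7], s.args[i].arg.q>>32);
+}
+}
+cli_writen(fd, &w, sizeof(w));
+}
 }
 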
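Review bot: `cli_writeint32(&w.real_op, s.real_op);` stores four bytes through a pointer to the two-byte `uint16_t real_op` member, so the write runs on into `opsize` and `adsize`; it is harmless today only because those two fields are assigned on the very next lines, and any reordering or layout change would silently corrupt the record. Declaring the member as `uint8_t real_op[2];` and storing it explicitly, `w.real_op[0] = s.real_op & 0xff; w.real_op[1] = (s.real_op >> 8) & 0xff;`, keeps the same record size and fixed byte order without overrunning the field. In the ACCESS_MEM branch `w.arg[i][4]=s.args[i].arg.marg.r1;` repeats the byte already stored in `arg[i][3]`, which looks like a copy-paste slip — presumably the second register of the memory operand was intended; verify against the `marg` definition, which is outside the hunk. The return value of `cli_writen(fd, &w, sizeof(w));` is also dropped, so a short or failed write leaves a truncated record that a reader cannot tell apart from a complete one.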
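--- a/PATH_NOT_ON_PAGE_2
+++ b/PATH_NOT_ON_PAGE_2
@@ -892,6 +892,10 @@ int cli_scanpe(int desc, cli_ctx *ctx)
 lseek(desc, ep, SEEK_SET);
 epsize = cli_readn(desc, epbuff, 4096);
 
+CLI_UNPTEMP("DISASM",(exe_sections,0));
+disasmbuf(epbuff, epsize, ndesc);
+CLI_TMPUNLK();
+
 /* Attempt to detect some popular polymorphic viruses */
 
 /* W32.Parite.B */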
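Review bot: `disasmbuf(epbuff, epsize, ndesc);` hands `epsize` to an `unsigned int len` parameter straight from `epsize = cli_readn(desc, epbuff, 4096);` with no check in between; if that read reports an error with a negative return, the length becomes a huge unsigned value and the disassembly loop could read well past the 4096 bytes that were requested. Guarding the new block with `if(epsize > 0) {` … `}` (or returning early when the read fails) keeps the length honest before anything walks the buffer. The call also runs unconditionally for every PE scanned, creating and unlinking a temp file through `CLI_UNPTEMP`/`CLI_TMPUNLK` each time; if this is debugging output it is worth gating on `cli_debug_flag` or a dedicated option so the cost does not land on every scan. The body of cli_scanpe continues outside the hunk, so any later validation of `epsize` is not visible here.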