/* * Copyright (C) 2013-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved. * Copyright (C) 2008-2013 Sourcefire, Inc. * * Authors: Török Edvin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. */ #ifndef DISASM_BC_H #define DISASM_BC_H /** @file */ /** X86 opcode */ enum X86OPS { OP_INVALID, OP_AAA, /**< Ascii Adjust after Addition */ OP_AAD, /**< Ascii Adjust AX before Division */ OP_AAM, /**< Ascii Adjust AX after Multiply */ OP_AAS, /**< Ascii Adjust AL after Subtraction */ OP_ADD, /**< Add */ OP_ADC, /**< Add with Carry */ OP_AND, /**< Logical And */ OP_ARPL, /**< Adjust Requested Privilege Level */ OP_BOUND, /**< Check Array Index Against Bounds */ OP_BSF, /**< Bit Scan Forward */ OP_BSR, /**< Bit Scan Reverse */ OP_BSWAP, /**< Byte Swap */ OP_BT, /**< Bit Test */ OP_BTC, /**< Bit Test and Complement */ OP_BTR, /**< Bit Test and Reset */ OP_BTS, /**< Bit Test and Set */ OP_CALL, /**< Call */ OP_CDQ, /**< Convert DoubleWord to QuadWord*/ OP_CWD, OP_CWDE, /**< Convert Word to DoubleWord */ OP_CBW, /**< Convert Byte to Word */ OP_CLC, /**< Clear Carry Flag */ OP_CLD, /**< Clear Direction Flag */ OP_CLI, /**< Clear Interrupt Flag */ OP_CLTS, /**< Clear Task-Switched Flag in CR0 */ OP_CMC, /**< Complement Carry Flag */ OP_CMOVO, /**< Conditional Move if Overflow */ OP_CMOVNO, /**< Conditional Move if Not Overflow */ OP_CMOVC, /**< Conditional Move if Carry */ OP_CMOVNC, /**< Conditional Move if Not Carry */ OP_CMOVZ, /**< Conditional Move if Zero */ OP_CMOVNZ, /**< Conditional Move if Non-Zero */ OP_CMOVBE, /**< Conditional Move if Below or Equal */ OP_CMOVA, /**< Conditional Move if Above */ OP_CMOVS, /**< Conditional Move if Sign */ OP_CMOVNS, /**< Conditional Move if Not Sign */ OP_CMOVP, /**< Conditional Move if Parity */ OP_CMOVNP, /**< Conditional Move if Not Parity */ OP_CMOVL, /**< Conditional Move if Less */ OP_CMOVGE, /**< Conditional Move if Greater or Equal */ OP_CMOVLE, /**< Conditional Move if Less than or Equal */ OP_CMOVG, /**< Conditional Move if Greater */ OP_CMP, /**< Compare */ OP_CMPSD, /**< Compare String DoubleWord */ OP_CMPSW, /**< Compare String Word */ OP_CMPSB, /**< Compare String Byte */ OP_CMPXCHG, /**< Compare and Exchange */ OP_CMPXCHG8B, /**< Compare and Exchange Bytes */ OP_CPUID, /**< CPU Identification */ OP_DAA, /**< Decimal Adjust AL after Addition */ OP_DAS, /**< Decimal Adjust AL after Subtraction */ OP_DEC, /**< Decrement by 1 */ OP_DIV, /**< Unsigned Divide */ OP_ENTER, /**< Make Stack Frame for Procedure Parameters */ OP_FWAIT, /**< Wait */ OP_HLT, /**< Halt */ OP_IDIV, /**< Signed Divide */ OP_IMUL, /**< Signed Multiply */ OP_INC, /**< Increment by 1 */ OP_IN, /**< INput from port */ OP_INSD, /**< INput from port to String Doubleword */ OP_INSW, /**< INput from port to String Word */ OP_INSB, /**< INput from port to String Byte */ OP_INT, /**< INTerrupt */ OP_INT3, /**< INTerrupt 3 (breakpoint) */ OP_INTO, /**< INTerrupt 4 if Overflow */ OP_INVD, /**< Invalidate Internal Caches */ OP_INVLPG, /**< Invalidate TLB Entry */ OP_IRET, /**< Interrupt Return */ OP_JO, /**< Jump if Overflow */ OP_JNO, /**< Jump if Not Overflow */ OP_JC, /**< Jump if Carry */ OP_JNC, /**< Jump if Not Carry */ OP_JZ, /**< Jump if Zero */ OP_JNZ, /**< Jump if Not Zero */ OP_JBE, /**< Jump if Below or Equal */ OP_JA, /**< Jump if Above */ OP_JS, /**< Jump if Sign */ OP_JNS, /**< Jump if Not Sign */ OP_JP, /**< Jump if Parity */ OP_JNP, /**< Jump if Not Parity */ OP_JL, /**< Jump if Less */ OP_JGE, /**< Jump if Greater or Equal */ OP_JLE, /**< Jump if Less or Equal */ OP_JG, /**< Jump if Greater */ OP_JMP, /**< Jump (unconditional) */ OP_LAHF, /**< Load Status Flags into AH Register */ OP_LAR, /**< load Access Rights Byte */ OP_LDS, /**< Load Far Pointer into DS */ OP_LES, /**< Load Far Pointer into ES */ OP_LFS, /**< Load Far Pointer into FS */ OP_LGS, /**< Load Far Pointer into GS */ OP_LEA, /**< Load Effective Address */ OP_LEAVE, /**< High Level Procedure Exit */ OP_LGDT, /**< Load Global Descript Table Register */ OP_LIDT, /**< Load Interrupt Descriptor Table Register */ OP_LLDT, /**< Load Local Descriptor Table Register */ OP_PREFIX_LOCK, /**< Assert LOCK# Signal Prefix */ OP_LODSD, /**< Load String Dword*/ OP_LODSW, /**< Load String Word */ OP_LODSB, /**< Load String Byte */ OP_LOOP, /**< Loop According to ECX Counter */ OP_LOOPE, /**< Loop According to ECX Counter and ZF=1 */ OP_LOOPNE, /**< Loop According to ECX Counter and ZF=0 */ OP_JECXZ, /**< Jump if ECX is Zero */ OP_LSL, /**< Load Segment Limit */ OP_LSS, /**< Load Far Pointer into SS */ OP_LTR, /**< Load Task Register */ OP_MOV, /**< Move */ OP_MOVSD, /**< Move Data from String to String Doubleword */ OP_MOVSW, /**< Move Data from String to String Word */ OP_MOVSB, /**< Move Data from String to String Byte */ OP_MOVSX, /**< Move with Sign-Extension */ OP_MOVZX, /**< Move with Zero-Extension */ OP_MUL, /**< Unsigned Multiply */ OP_NEG, /**< Two's Complement Negation */ OP_NOP, /**< No Operation */ OP_NOT, /**< One's Complement Negation */ OP_OR, /**< Logical Inclusive OR */ OP_OUT, /**< Output to Port */ OP_OUTSD, /**< Output String to Port Doubleword */ OP_OUTSW, /**< Output String to Port Word */ OP_OUTSB, /**< Output String to Port Bytes */ OP_PUSH, /**< Push Onto the Stack */ OP_PUSHAD, /**< Push All Double General Purpose Registers */ OP_PUSHA, OP_PUSHFD, /**< Push EFLAGS Register onto the Stack */ OP_PUSHF, OP_POP, /**< Pop a Value from the Stack */ OP_POPAD, /**< Pop All Double General Purpose Registers from the Stack */ OP_POPFD, /**< Pop Stack into EFLAGS Register */ OP_POPF, OP_RCL, /**< Rotate Carry Left */ OP_RCR, /**< Rotate Carry Right */ OP_RDMSR, /**< Read from Model Specific Register */ OP_RDPMC, /**< Read Performance Monitoring Counters */ OP_RDTSC, /**< Read Time-Stamp Counter */ OP_PREFIX_REPE, /**< Repeat String Operation Prefix while Equal */ OP_PREFIX_REPNE, /**< Repeat String Operation Prefix while Not Equal */ OP_RETF, /**< Return from Far Procedure */ OP_RETN, /**< Return from Near Procedure */ OP_ROL, /**< Rotate Left */ OP_ROR, /**< Rotate Right */ OP_RSM, /**< Resume from System Management Mode */ OP_SAHF, /**< Store AH into Flags */ OP_SAR, /**< Shift Arithmetic Right */ OP_SBB, /**< Subtract with Borrow */ OP_SCASD, /**< Scan String Doubleword */ OP_SCASW, /**< Scan String Word */ OP_SCASB, /**< Scan String Byte */ OP_SETO, /**< Set Byte on Overflow */ OP_SETNO, /**< Set Byte on Not Overflow */ OP_SETC, /**< Set Byte on Carry */ OP_SETNC, /**< Set Byte on Not Carry */ OP_SETZ, /**< Set Byte on Zero */ OP_SETNZ, /**< Set Byte on Not Zero */ OP_SETBE, /**< Set Byte on Below or Equal */ OP_SETA, /**< Set Byte on Above */ OP_SETS, /**< Set Byte on Sign */ OP_SETNS, /**< Set Byte on Not Sign */ OP_SETP, /**< Set Byte on Parity */ OP_SETNP, /**< Set Byte on Not Parity */ OP_SETL, /**< Set Byte on Less */ OP_SETGE, /**< Set Byte on Greater or Equal */ OP_SETLE, /**< Set Byte on Less or Equal */ OP_SETG, /**< Set Byte on Greater */ OP_SGDT, /**< Store Global Descriptor Table Register */ OP_SIDT, /**< Store Interrupt Descriptor Table Register */ OP_SHL, /**< Shift Left */ OP_SHLD, /**< Double Precision Shift Left */ OP_SHR, /**< Shift Right */ OP_SHRD, /**< Double Precision Shift Right */ OP_SLDT, /**< Store Local Descriptor Table Register */ OP_STOSD, /**< Store String Doubleword */ OP_STOSW, /**< Store String Word */ OP_STOSB, /**< Store String Byte */ OP_STR, /**< Store Task Register */ OP_STC, /**< Set Carry Flag */ OP_STD, /**< Set Direction Flag */ OP_STI, /**< Set Interrupt Flag */ OP_SUB, /**< Subtract */ OP_SYSCALL, /**< Fast System Call */ OP_SYSENTER, /**< Fast System Call */ OP_SYSEXIT, /**< Fast Return from Fast System Call */ OP_SYSRET, /**< Return from Fast System Call */ OP_TEST, /**< Logical Compare */ OP_UD2, /**< Undefined Instruction */ OP_VERR, /**< Verify a Segment for Reading */ OP_VERRW, /**< Verify a Segment for Writing */ OP_WBINVD, /**< Write Back and Invalidate Cache */ OP_WRMSR, /**< Write to Model Specific Register */ OP_XADD, /**< Exchange and Add */ OP_XCHG, /**< Exchange Register/Memory with Register */ OP_XLAT, /**< Table Look-up Translation */ OP_XOR, /**< Logical Exclusive OR */ OP_PREFIX_OPSIZE, OP_PREFIX_ADDRSIZE, OP_PREFIX_SEGMENT, OP_2BYTE, OP_FPU, /**< FPU operation */ OP_F2XM1, /**< Compute 2x-1 */ OP_FABS, /**< Absolute Value */ OP_FADD, /**< Floating Point Add */ OP_FADDP, /**< Floating Point Add, Pop */ OP_FBLD, /**< Load Binary Coded Decimal */ OP_FBSTP, /**< Store BCD Integer and Pop */ OP_FCHS, /**< Change Sign */ OP_FCLEX, /**< Clear Exceptions */ OP_FCMOVB, /**< Floating Point Move on Below */ OP_FCMOVBE, /**< Floating Point Move on Below or Equal */ OP_FCMOVE, /**< Floating Point Move on Equal */ OP_FCMOVNB, /**< Floating Point Move on Not Below */ OP_FCMOVNBE, /**< Floating Point Move on Not Below or Equal */ OP_FCMOVNE, /**< Floating Point Move on Not Equal */ OP_FCMOVNU, /**< Floating Point Move on Not Unordered */ OP_FCMOVU, /**< Floating Point Move on Unordered */ OP_FCOM, /**< Compare Floating Pointer Values and Set FPU Flags */ OP_FCOMI, /**< Compare Floating Pointer Values and Set EFLAGS */ OP_FCOMIP, /**< Compare Floating Pointer Values and Set EFLAGS, Pop */ OP_FCOMP, /**< Compare Floating Pointer Values and Set FPU Flags, Pop */ OP_FCOMPP, /**< Compare Floating Pointer Values and Set FPU Flags, Pop Twice */ OP_FCOS, /**< Cosine */ OP_FDECSTP, /**< Decrement Stack Top Pointer */ OP_FDIV, /**< Floating Point Divide */ OP_FDIVP, /**< Floating Point Divide, Pop */ OP_FDIVR, /**< Floating Point Reverse Divide */ OP_FDIVRP, /**< Floating Point Reverse Divide, Pop */ OP_FFREE, /**< Free Floating Point Register */ OP_FIADD, /**< Floating Point Add */ OP_FICOM, /**< Compare Integer */ OP_FICOMP, /**< Compare Integer, Pop */ OP_FIDIV, /**< Floating Point Divide by Integer */ OP_FIDIVR, /**< Floating Point Reverse Divide by Integer */ OP_FILD, /**< Load Integer */ OP_FIMUL, /**< Floating Point Multiply with Integer */ OP_FINCSTP, /**< Increment Stack-Top Pointer */ OP_FINIT, /**< Initialize Floating-Point Unit */ OP_FIST, /**< Store Integer */ OP_FISTP, /**< Store Integer, Pop */ OP_FISTTP, /**< Store Integer with Truncation */ OP_FISUB, /**< Floating Point Integer Subtract */ OP_FISUBR, /**< Floating Point Reverse Integer Subtract */ OP_FLD, /**< Load Floating Point Value */ OP_FLD1, /**< Load Constant 1 */ OP_FLDCW, /**< Load x87 FPU Control Word */ OP_FLDENV, /**< Load x87 FPU Environment */ OP_FLDL2E, /**< Load Constant log_2(e) */ OP_FLDL2T, /**< Load Constant log_2(10) */ OP_FLDLG2, /**< Load Constant log_10(2) */ OP_FLDLN2, /**< Load Constant log_e(2) */ OP_FLDPI, /**< Load Constant PI */ OP_FLDZ, /**< Load Constant Zero */ OP_FMUL, /**< Floating Point Multiply */ OP_FMULP, /**< Floating Point Multiply, Pop */ OP_FNOP, /**< No Operation */ OP_FPATAN, /**< Partial Arctangent */ OP_FPREM, /**< Partial Remainder */ OP_FPREM1, /**< Partial Remainder */ OP_FPTAN, /**< Partial Tangent */ OP_FRNDINT, /**< Round to Integer */ OP_FRSTOR, /**< Restore x86 FPU State */ OP_FSCALE, /**< Scale */ OP_FSIN, /* Sine */ OP_FSINCOS, /**< Sine and Cosine */ OP_FSQRT, /**< Square Root */ OP_FSAVE, /**< Store x87 FPU State */ OP_FST, /**< Store Floating Point Value */ OP_FSTCW, /**< Store x87 FPU Control Word */ OP_FSTENV, /**< Store x87 FPU Environment */ OP_FSTP, /**< Store Floating Point Value, Pop */ OP_FSTSW, /**< Store x87 FPU Status Word */ OP_FSUB, /**< Floating Point Subtract */ OP_FSUBP, /**< Floating Point Subtract, Pop */ OP_FSUBR, /**< Floating Point Reverse Subtract */ OP_FSUBRP, /**< Floating Point Reverse Subtract, Pop */ OP_FTST, /**< Floating Point Test */ OP_FUCOM, /**< Floating Point Unordered Compare */ OP_FUCOMI, /**< Floating Point Unordered Compare with Integer */ OP_FUCOMIP, /**< Floating Point Unorder Compare with Integer, Pop */ OP_FUCOMP, /**< Floating Point Unorder Compare, Pop */ OP_FUCOMPP, /**< Floating Point Unorder Compare, Pop Twice */ OP_FXAM, /**< Examine ModR/M */ OP_FXCH, /**< Exchange Register Contents */ OP_FXTRACT, /**< Extract Exponent and Significand */ OP_FYL2X, /**< Compute y*log2x */ OP_FYL2XP1 /**< Compute y*log2(x+1) */ }; /** Access type */ enum DIS_ACCESS { ACCESS_NOARG, /**< arg not present */ ACCESS_IMM, /**< immediate */ ACCESS_REL, /**< +/- immediate */ ACCESS_REG, /**< register */ ACCESS_MEM /**< [memory] */ }; /** for mem access, immediate and relative */ enum DIS_SIZE { SIZEB, /**< Byte size access */ SIZEW, /**< Word size access */ SIZED, /**< Doubleword size access */ SIZEF, /**< 6-byte access (seg+reg pair)*/ SIZEQ, /**< Quadword access */ SIZET, /**< 10-byte access */ SIZEPTR /** ptr */ }; /** X86 registers */ enum X86REGS { X86_REG_EAX, X86_REG_ECX, X86_REG_EDX, X86_REG_EBX, X86_REG_ESP, X86_REG_EBP, X86_REG_ESI, X86_REG_EDI, X86_REG_AX, X86_REG_CX, X86_REG_DX, X86_REG_BX, X86_REG_SP, X86_REG_BP, X86_REG_SI, X86_REG_DI, X86_REG_AH, X86_REG_CH, X86_REG_DH, X86_REG_BH, X86_REG_AL, X86_REG_CL, X86_REG_DL, X86_REG_BL, X86_REG_ES, X86_REG_CS, X86_REG_SS, X86_REG_DS, X86_REG_FS, X86_REG_GS, X86_REG_CR0, X86_REG_CR1, X86_REG_CR2, X86_REG_CR3, X86_REG_CR4, X86_REG_CR5, X86_REG_CR6, X86_REG_CR7, X86_REG_DR0, X86_REG_DR1, X86_REG_DR2, X86_REG_DR3, X86_REG_DR4, X86_REG_DR5, X86_REG_DR6, X86_REG_DR7, X86_REG_ST0, X86_REG_ST1, X86_REG_ST2, X86_REG_ST3, X86_REG_ST4, X86_REG_ST5, X86_REG_ST6, X86_REG_ST7, X86_REG_INVALID }; /** disassembly result, 64-byte, matched by type-8 signatures */ struct DISASM_RESULT { uint16_t real_op; uint8_t opsize; uint8_t adsize; uint8_t segment; uint8_t arg[3][10]; uint8_t extra[29]; }; #endif