/* * Copyright (C) 2008 Sourcefire, Inc. * * Authors: Török Edvin * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 as * published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, * MA 02110-1301, USA. */ #ifndef DISASM_BC_H #define DISASM_BC_H /** @file */ /** X86 opcode */ enum X86OPS { OP_INVALID, OP_AAA,/**< Ascii Adjust after Addition */ OP_AAD,/**< Ascii Adjust AX before Division */ OP_AAM,/**< Ascii Adjust AX after Multiply */ OP_AAS,/**< Ascii Adjust AL after Subtraction */ OP_ADD,/**< Add */ OP_ADC,/**< Add with Carry */ OP_AND,/**< Logical And */ OP_ARPL,/**< Adjust Requested Privilege Level */ OP_BOUND,/**< Check Array Index Against Bounds */ OP_BSF,/**< Bit Scan Forward */ OP_BSR,/**< Bit Scan Reverse */ OP_BSWAP,/**< Byte Swap */ OP_BT,/**< Bit Test */ OP_BTC,/**< Bit Test and Complement */ OP_BTR,/**< Bit Test and Reset */ OP_BTS,/**< Bit Test and Set */ OP_CALL,/**< Call */ OP_CDQ,/**< Convert DoubleWord to QuadWord*/ OP_CWD, OP_CWDE,/**< Convert Word to DoubleWord */ OP_CBW,/**< Convert Byte to Word */ OP_CLC,/**< Clear Carry Flag */ OP_CLD,/**< Clear Direction Flag */ OP_CLI,/**< Clear Interrupt Flag */ OP_CLTS,/**< Clear Task-Switched Flag in CR0 */ OP_CMC,/**< Complement Carry Flag */ OP_CMOVO,/**< Conditional Move if Overflow */ OP_CMOVNO,/**< Conditional Move if Not Overflow */ OP_CMOVC,/**< Conditional Move if Carry */ OP_CMOVNC,/**< Conditional Move if Not Carry */ OP_CMOVZ,/**< Conditional Move if Zero */ OP_CMOVNZ,/**< Conditional Move if Non-Zero */ OP_CMOVBE,/**< Conditional Move if Below or Equal */ OP_CMOVA,/**< Conditional Move if Above */ OP_CMOVS,/**< Conditional Move if Sign */ OP_CMOVNS,/**< Conditional Move if Not Sign */ OP_CMOVP,/**< Conditional Move if Parity */ OP_CMOVNP,/**< Conditional Move if Not Parity */ OP_CMOVL,/**< Conditional Move if Less */ OP_CMOVGE,/**< Conditional Move if Greater or Equal */ OP_CMOVLE,/**< Conditional Move if Less than or Equal */ OP_CMOVG,/**< Conditional Move if Greater */ OP_CMP,/**< Compare */ OP_CMPSD,/**< Compare String DoubleWord */ OP_CMPSW,/**< Compare String Word */ OP_CMPSB,/**< Compare String Byte */ OP_CMPXCHG,/**< Compare and Exchange */ OP_CMPXCHG8B,/**< Compare and Exchange Bytes */ OP_CPUID,/**< CPU Identification */ OP_DAA,/**< Decimal Adjust AL after Addition */ OP_DAS,/**< Decimal Adjust AL after Subtraction */ OP_DEC,/**< Decrement by 1 */ OP_DIV,/**< Unsigned Divide */ OP_ENTER,/**< Make Stack Frame for Procedure Parameters */ OP_FWAIT,/**< Wait */ OP_HLT,/**< Halt */ OP_IDIV,/**< Signed Divide */ OP_IMUL,/**< Signed Multiply */ OP_INC,/**< Increment by 1 */ OP_IN,/**< INput from port */ OP_INSD,/**< INput from port to String Doubleword */ OP_INSW,/**< INput from port to String Word */ OP_INSB,/**< INput from port to String Byte */ OP_INT,/**< INTerrupt */ OP_INT3,/**< INTerrupt 3 (breakpoint) */ OP_INTO,/**< INTerrupt 4 if Overflow */ OP_INVD,/**< Invalidate Internal Caches */ OP_INVLPG,/**< Invalidate TLB Entry */ OP_IRET,/**< Interrupt Return */ OP_JO,/**< Jump if Overflow */ OP_JNO,/**< Jump if Not Overflow */ OP_JC,/**< Jump if Carry */ OP_JNC,/**< Jump if Not Carry */ OP_JZ,/**< Jump if Zero */ OP_JNZ,/**< Jump if Not Zero */ OP_JBE,/**< Jump if Below or Equal */ OP_JA,/**< Jump if Above */ OP_JS,/**< Jump if Sign */ OP_JNS,/**< Jump if Not Sign */ OP_JP,/**< Jump if Parity */ OP_JNP,/**< Jump if Not Parity */ OP_JL,/**< Jump if Less */ OP_JGE,/**< Jump if Greater or Equal */ OP_JLE,/**< Jump if Less or Equal */ OP_JG,/**< Jump if Greater */ OP_JMP,/**< Jump (unconditional) */ OP_LAHF,/**< Load Status Flags into AH Register */ OP_LAR,/**< load Access Rights Byte */ OP_LDS,/**< Load Far Pointer into DS */ OP_LES,/**< Load Far Pointer into ES */ OP_LFS,/**< Load Far Pointer into FS */ OP_LGS,/**< Load Far Pointer into GS */ OP_LEA,/**< Load Effective Address */ OP_LEAVE,/**< High Level Procedure Exit */ OP_LGDT,/**< Load Global Descript Table Register */ OP_LIDT,/**< Load Interrupt Descriptor Table Register */ OP_LLDT,/**< Load Local Descriptor Table Register */ OP_PREFIX_LOCK,/**< Assert LOCK# Signal Prefix */ OP_LODSD,/**< Load String Dword*/ OP_LODSW,/**< Load String Word */ OP_LODSB,/**< Load String Byte */ OP_LOOP,/**< Loop According to ECX Counter */ OP_LOOPE,/**< Loop According to ECX Counter and ZF=1 */ OP_LOOPNE,/**< Looop According to ECX Counter and ZF=0 */ OP_JECXZ,/**< Jump if ECX is Zero */ OP_LSL,/**< Load Segment Limit */ OP_LSS,/**< Load Far Pointer into SS */ OP_LTR,/**< Load Task Register */ OP_MOV,/**< Move */ OP_MOVSD,/**< Move Data from String to String Doubleword */ OP_MOVSW,/**< Move Data from String to String Word */ OP_MOVSB,/**< Move Data from String to String Byte */ OP_MOVSX,/**< Move with Sign-Extension */ OP_MOVZX,/**< Move with Zero-Extension */ OP_MUL,/**< Unsigned Multiply */ OP_NEG,/**< Two's Complement Negation */ OP_NOP,/**< No Operation */ OP_NOT,/**< One's Complement Negation */ OP_OR,/**< Logical Inclusive OR */ OP_OUT,/**< Output to Port */ OP_OUTSD,/**< Output String to Port Doubleword */ OP_OUTSW,/**< Output String to Port Word */ OP_OUTSB,/**< Output String to Port Bytes */ OP_PUSH,/**< Push Onto the Stack */ OP_PUSHAD,/**< Push All Double General Purpose Registers */ OP_PUSHA, OP_PUSHFD,/**< Push EFLAGS Register onto the Stack */ OP_PUSHF, OP_POP,/**< Pop a Value from the Stack */ OP_POPAD,/**< Pop All Double General Purpose Registers from the Stack */ OP_POPFD,/**< Pop Stack into EFLAGS Register */ OP_POPF, OP_RCL,/**< Rotate Carry Left */ OP_RCR,/**< Rotate Carry Right */ OP_RDMSR,/**< Read from Model Specific Register */ OP_RDPMC,/**< Read Performance Monitoring Counters */ OP_RDTSC,/**< Read Time-Stamp Coutner */ OP_PREFIX_REPE,/**< Repeat String Operation Prefix while Equal */ OP_PREFIX_REPNE,/**< Repeat String Operation Prefix while Not Equal */ OP_RETF,/**< Return from Far Procedure */ OP_RETN,/**< Return from Near Procedure */ OP_ROL,/**< Rotate Left */ OP_ROR,/**< Rotate Right */ OP_RSM,/**< Resumse from System Management Mode */ OP_SAHF,/**< Store AH into Flags */ OP_SAR,/**< Shift Arithmetic Right */ OP_SBB,/**< Subtract with Borrow */ OP_SCASD,/**< Scan String Doubleword */ OP_SCASW,/**< Scan String Word */ OP_SCASB,/**< Scan String Byte */ OP_SETO,/**< Set Byte on Overflow */ OP_SETNO,/**< Set Byte on Not Overflow */ OP_SETC,/**< Set Byte on Carry */ OP_SETNC,/**< Set Byte on Not Carry */ OP_SETZ,/**< Set Byte on Zero */ OP_SETNZ,/**< Set Byte on Not Zero */ OP_SETBE,/**< Set Byte on Below or Equal */ OP_SETA,/**< Set Byte on Above */ OP_SETS,/**< Set Byte on Sign */ OP_SETNS,/**< Set Byte on Not Sign */ OP_SETP,/**< Set Byte on Parity */ OP_SETNP,/**< Set Byte on Not Parity */ OP_SETL,/**< Set Byte on Less */ OP_SETGE,/**< Set Byte on Greater or Equal */ OP_SETLE,/**< Set Byte on Less or Equal */ OP_SETG,/**< Set Byte on Greater */ OP_SGDT,/**< Store Global Descriptor Table Register */ OP_SIDT,/**< Store Interrupt Descriptor Table Register */ OP_SHL,/**< Shift Left */ OP_SHLD,/**< Double Precision Shift Left */ OP_SHR,/**< Shift Right */ OP_SHRD,/**< Double Precision Shift Right */ OP_SLDT,/**< Store Local Descriptor Table Register */ OP_STOSD,/**< Store String Doubleword */ OP_STOSW,/**< Store String Word */ OP_STOSB,/**< Store String Byte */ OP_STR,/**< Store Task Register */ OP_STC,/**< Set Carry Flag */ OP_STD,/**< Set Direction Flag */ OP_STI,/**< Set Interrupt Flag */ OP_SUB,/**< Subtract */ OP_SYSCALL,/**< Fast System Call */ OP_SYSENTER,/**< Fast System Call */ OP_SYSEXIT,/**< Fast Return from Fast System Call */ OP_SYSRET,/**< Return from Fast System Call */ OP_TEST,/**< Logical Compare */ OP_UD2,/**< Undefined Instruction */ OP_VERR,/**< Verify a Segment for Reading */ OP_VERRW,/**< Verify a Segment for Writing */ OP_WBINVD,/**< Write Back and Invalidate Cache */ OP_WRMSR,/**< Write to Model Specific Register */ OP_XADD,/**< Exchange and Add */ OP_XCHG,/**< Exchange Register/Memory with Register */ OP_XLAT,/**< Table Look-up Translation */ OP_XOR,/**< Logical Exclusive OR */ OP_PREFIX_OPSIZE, OP_PREFIX_ADDRSIZE, OP_PREFIX_SEGMENT, OP_2BYTE, OP_FPU,/**< FPU operation */ OP_F2XM1,/**< Compute 2x-1 */ OP_FABS,/**< Absolute Value */ OP_FADD,/**< Floating Point Add */ OP_FADDP,/**< Floating Point Add, Pop */ OP_FBLD,/**< Load Binary Coded Decimal */ OP_FBSTP,/**< Store BCD Integer and Pop */ OP_FCHS,/**< Change Sign */ OP_FCLEX,/**< Clear Exceptions */ OP_FCMOVB,/**< Floating Point Move on Below */ OP_FCMOVBE,/**< Floating Point Move on Below or Equal */ OP_FCMOVE,/**< Floating Point Move on Equal */ OP_FCMOVNB,/**< Floating Point Move on Not Below */ OP_FCMOVNBE,/**< Floating Point Move on Not Below or Equal */ OP_FCMOVNE,/**< Floating Point Move on Not Equal */ OP_FCMOVNU,/**< Floating Point Move on Not Unordered */ OP_FCMOVU,/**< Floating Point Move on Unordered */ OP_FCOM,/**< Compare Floating Pointer Values and Set FPU Flags */ OP_FCOMI,/**< Compare Floating Pointer Values and Set EFLAGS */ OP_FCOMIP,/**< Compare Floating Pointer Values and Set EFLAGS, Pop */ OP_FCOMP,/**< Compare Floating Pointer Values and Set FPU Flags, Pop */ OP_FCOMPP,/**< Compare Floating Pointer Values and Set FPU Flags, Pop Twice */ OP_FCOS,/**< Cosine */ OP_FDECSTP,/**< Decrement Stack Top Pointer */ OP_FDIV,/**< Floating Point Divide */ OP_FDIVP,/**< Floating Point Divide, Pop */ OP_FDIVR,/**< Floating Point Reverse Divide */ OP_FDIVRP,/**< Floating Point Reverse Divide, Pop */ OP_FFREE,/**< Free Floating Point Register */ OP_FIADD,/**< Floating Point Add */ OP_FICOM,/**< Compare Integer */ OP_FICOMP,/**< Compare Integer, Pop */ OP_FIDIV,/**< Floating Point Divide by Integer */ OP_FIDIVR,/**< Floating Point Reverse Divide by Integer */ OP_FILD,/**< Load Integer */ OP_FIMUL,/**< Floating Point Multiply with Integer */ OP_FINCSTP,/**< Increment Stack-Top Pointer */ OP_FINIT,/**< Initialize Floating-Point Unit */ OP_FIST,/**< Store Integer */ OP_FISTP,/**< Store Integer, Pop */ OP_FISTTP,/**< Store Integer with Truncation */ OP_FISUB,/**< Floating Point Integer Subtract */ OP_FISUBR,/**< Floating Point Reverse Integer Subtract */ OP_FLD,/**< Load Floating Point Value */ OP_FLD1,/**< Load Constant 1 */ OP_FLDCW,/**< Load x87 FPU Control Word */ OP_FLDENV,/**< Load x87 FPU Environment */ OP_FLDL2E,/**< Load Constant log_2(e) */ OP_FLDL2T,/**< Load Constant log_2(10) */ OP_FLDLG2,/**< Load Constant log_10(2) */ OP_FLDLN2,/**< Load Constant log_e(2) */ OP_FLDPI,/**< Load Constant PI */ OP_FLDZ,/**< Load Constant Zero */ OP_FMUL,/**< Floating Point Multiply */ OP_FMULP,/**< Floating Point Multiply, Pop */ OP_FNOP,/**< No Operation */ OP_FPATAN,/**< Partial Arctangent */ OP_FPREM,/**< Partial Remainder */ OP_FPREM1,/**< Partial Remainder */ OP_FPTAN,/**< Partial Tangent */ OP_FRNDINT,/**< Round to Integer */ OP_FRSTOR,/**< Restore x86 FPU State */ OP_FSCALE,/**< Scale */ OP_FSIN,/* Sine */ OP_FSINCOS,/**< Sine and Cosine */ OP_FSQRT,/**< Square Root */ OP_FSAVE,/**< Store x87 FPU State */ OP_FST,/**< Store Floating Point Value */ OP_FSTCW,/**< Store x87 FPU Control Word */ OP_FSTENV,/**< Store x87 FPU Environment */ OP_FSTP,/**< Store Floating Point Value, Pop */ OP_FSTSW,/**< Store x87 FPU Status Word */ OP_FSUB,/**< Floating Point Subtract */ OP_FSUBP,/**< Floating Point Subtract, Pop */ OP_FSUBR,/**< Floating Point Reverse Subtract */ OP_FSUBRP,/**< Floating Point Reverse Subtract, Pop */ OP_FTST,/**< Floating Point Test */ OP_FUCOM,/**< Floating Point Unordered Compare */ OP_FUCOMI,/**< Floating Point Unordered Compare with Integer */ OP_FUCOMIP,/**< Floating Point Unorder Compare with Integer, Pop */ OP_FUCOMP,/**< Floating Point Unorder Compare, Pop */ OP_FUCOMPP,/**< Floating Point Unorder Compare, Pop Twice */ OP_FXAM,/**< Examine ModR/M */ OP_FXCH,/**< Exchange Register Contents */ OP_FXTRACT,/**< Extract Exponent and Significand */ OP_FYL2X,/**< Compute y*log2x */ OP_FYL2XP1 /**< Compute y*log2(x+1) */ }; /** Access type */ enum DIS_ACCESS { ACCESS_NOARG, /**< arg not present */ ACCESS_IMM, /**< immediate */ ACCESS_REL, /**< +/- immediate */ ACCESS_REG, /**< register */ ACCESS_MEM /**< [memory] */ }; /** for mem access, immediate and relative */ enum DIS_SIZE { SIZEB,/**< Byte size access */ SIZEW,/**< Word size access */ SIZED,/**< Doubleword size access */ SIZEF,/**< 6-byte access (seg+reg pair)*/ SIZEQ,/**< Quadword access */ SIZET,/**< 10-byte access */ SIZEPTR /** ptr */ }; /** X86 registers */ enum X86REGS { REG_EAX, REG_ECX, REG_EDX, REG_EBX, REG_ESP, REG_EBP, REG_ESI, REG_EDI, REG_AX, REG_CX, REG_DX, REG_BX, REG_SP, REG_BP, REG_SI, REG_DI, REG_AH, REG_CH, REG_DH, REG_BH, REG_AL, REG_CL, REG_DL, REG_BL, REG_ES, REG_CS, REG_SS, REG_DS, REG_FS, REG_GS, REG_CR0, REG_CR1, REG_CR2, REG_CR3, REG_CR4, REG_CR5, REG_CR6, REG_CR7, REG_DR0, REG_DR1, REG_DR2, REG_DR3, REG_DR4, REG_DR5, REG_DR6, REG_DR7, REG_ST0, REG_ST1, REG_ST2, REG_ST3, REG_ST4, REG_ST5, REG_ST6, REG_ST7, REG_INVALID }; /** disassembly result, 64-byte, matched by type-8 signatures */ struct DISASM_RESULT { uint16_t real_op; uint8_t opsize; uint8_t adsize; uint8_t segment; uint8_t arg[3][10]; uint8_t extra[29]; }; #endif