lirent/vatrog-vm-introspection-engine
1
0
Fork 0
mirror of https://dev.lirent.ru/Vatrog/vm-introspection-engine.git synced 2026-06-18 03:06:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add function inventory (.pdata), signature generation, and export/PDB symbols

Browse Source 
Three reversing capabilities on the win32 surface plus a pure sig-gen handler:

- vmie_win32_functions enumerates a module's functions from the exception
  directory (.pdata RUNTIME_FUNCTION), folding unwind chain continuations into
  their primary - authoritative non-leaf boundaries, not prologue heuristics.
- vmie_win32_exports resolves the export table to {name, rva, ordinal,
  forwarded}: named functions with no PDB or network. vmie_win32_pdb_ref pulls
  the CodeView/RSDS {guid, age, pdb} from the debug directory - the symbol-server
  key for any module (full PDB parsing stays out of scope).
- sig_generate (siggen.h) builds a unique masked signature for a code span,
  wildcarding the rel/RIP-relative displacement bytes the x86 decoder locates and
  growing until it matches the scope exactly once - the dual of sigscan.

The decoder now also reports disp_off/disp_len so a caller can mask the floating
bytes. The MZ/PE walk gains one shared data-directory accessor and one shared
CodeView/RSDS parser; the kernel bootstrap is moved onto both, removing its
private copies - one PE parser in the tree.
This commit is contained in:
Gregory Lirent
2026-06-16 19:27:42 +03:00
parent 06230ac680
commit c4419964aa
9 changed files with 542 additions and 67 deletions
Download Patch File Download Diff File Expand all files Collapse all files
include/x86dec.h
+15 -1
View File
@@ -38,6 +38,14 @@ typedef struct {
int32_t rel; /* sign-extended branch displacement (if has_rel) */
int has_riprel; /* 1: RIP-relative memory operand (ModRM mod=00,rm=101) */
int32_t riprel; /* sign-extended RIP-relative disp32 (if has_riprel) */
uint8_t disp_off; /* byte offset within the instruction of the rel/RIP-rel
* displacement field, or 0 if the instruction has
* neither (has_rel == 0 && has_riprel == 0). This is the
* field that "floats" with the load address / relocation,
* so a signature generator wildcards exactly these bytes. */
uint8_t disp_len; /* displacement length: 1 (rel8), 4 (rel32 or RIP-rel
* disp32), else 0 (no displacement). The wildcard span is
* [disp_off, disp_off + disp_len). */
} x86_insn;
/* Decode ONE 64-bit-mode instruction at `code` (`avail` readable bytes). Fills
@@ -45,7 +53,13 @@ typedef struct {
* exceed min(avail,15). Length-correct over: legacy prefixes (66/67/F0/F2/F3/
* seg), REX, 1-byte / 0F two-byte / 0F38 / 0F3A maps, ModRM+SIB, disp8/disp32,
* imm8/16/32/64 (66 and REX.W operand-size effects), and VEX (C4/C5). EVEX
* (0x62) is a documented gap: len=0. */
* (0x62) is a documented gap: len=0.
*
* On a decoded instruction it also reports out->disp_off / out->disp_len: the
* byte position and length of the rel/RIP-relative displacement field within the
* instruction (0/0 when there is none). These are exactly the bytes that float
* with the load address / relocation, so a signature generator wildcards
* [disp_off, disp_off+disp_len) and keeps the rest as must-match. */
int x86_decode(const uint8_t* code, size_t avail, x86_insn* out);
/* Absolute target of a rel branch: ip + insn->len + insn->rel (0 unless has_rel). */