mirror of
https://dev.lirent.ru/Vatrog/vm-introspection-engine.git
synced 2026-06-18 02:06:36 +03:00
3199fbf258
The reversing keystone: a length-disassembly decoder with control-flow and RIP-relative target extraction (x86dec.h), pure over a byte buffer - no vmie_mem, no cr3, no Windows. Table-driven length over the 1-byte / 0F / 0F38 / 0F3A maps, legacy + REX + VEX prefixes, ModRM/SIB, displacements and immediates (66 and REX.W operand-size aware). It reports the instruction length plus the rel and RIP-relative targets of near call/jmp/jcc and any RIP-relative memory operand. EVEX is a documented gap (decodes as length 0). This is the primitive the rest of the static-reversing layer builds on (function inventory, call graph, xref). gva_code_xref now brute-scans with the decoder instead of its own ad-hoc E8/E9 and REX.W-lea heuristic, which is removed - one decoder in the tree. Because a brute scan can re-enter a prefixed instruction one byte in and decode a shorter aliased form with the same target, the scan drops a match that starts inside the extent of an already-accepted one; real, non-overlapping instructions are unaffected.
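As an added illustration of the overlap rule in the last sentence, here is a brute scan written against a hypothetical mini decoder (this is not the project's x86dec.h: the stub knows only an optional REX prefix and E8/E9 rel32, and the sample bytes are constructed):

```c
#include <stdint.h>
#include <stddef.h>

typedef struct {
    size_t   len;     /* decoded length in bytes, 0 = not an instruction we know */
    uint64_t target;  /* rel32 branch target (next-IP + rel32), valid when len > 0 */
} insn_t;

/* Hypothetical mini decoder: optional REX prefix, then E8 (call rel32) or
 * E9 (jmp rel32). base is the virtual address of buf[0]. */
static insn_t decode_min(const uint8_t *buf, size_t n, size_t off, uint64_t base)
{
    insn_t r = { 0, 0 };
    size_t p = off;
    if (p < n && (buf[p] & 0xF0) == 0x40) p++;           /* REX: legal, ignored here */
    if (p >= n || (buf[p] != 0xE8 && buf[p] != 0xE9) || p + 5 > n) return r;
    uint32_t u = (uint32_t)buf[p + 1] | (uint32_t)buf[p + 2] << 8 |
                 (uint32_t)buf[p + 3] << 16 | (uint32_t)buf[p + 4] << 24;
    r.len    = p + 5 - off;                               /* prefix counts toward length */
    r.target = base + off + r.len + (int64_t)(int32_t)u;  /* rel32 is relative to next IP */
    return r;
}

/* Brute-scan every byte offset. With drop_overlaps set, a hit that starts
 * inside the extent of the previously accepted hit is discarded; this is
 * the aliasing rule from the commit message. Returns number of hits kept. */
size_t scan_targets(const uint8_t *buf, size_t n, uint64_t base, int drop_overlaps,
                    uint64_t *out, size_t max_out)
{
    size_t kept = 0, accepted_end = 0;   /* one past the last accepted instruction */
    for (size_t off = 0; off < n; off++) {
        insn_t r = decode_min(buf, n, off, base);
        if (r.len == 0) continue;
        if (drop_overlaps && off < accepted_end) continue;   /* re-entered a prefixed insn */
        accepted_end = off + r.len;
        if (kept < max_out) out[kept] = r.target;
        kept++;
    }
    return kept;
}

/* Constructed sample at 0x1000: REX.W-prefixed call +0, then jmp -5. Scanning
 * from offset 1 re-decodes the bare E8 with the same target 0x1006. */
const uint8_t sample_code[] = { 0x48, 0xE8, 0, 0, 0, 0, 0xE9, 0xFB, 0xFF, 0xFF, 0xFF };
const size_t  sample_len    = sizeof sample_code;
```

With drop_overlaps set the scan keeps two hits (the prefixed call and the jmp); without it the aliased bare E8 at offset 1 is reported a third time with the same target.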