Need some help with x86 assembly
MODRM_EAX_06 MACRO ;/* [EAX], with reg/opcode: /6 */
BYTE 030h
ENDM
What does byte 030h do?
For additional info, this macro is used in
void vmxPtrld(u64 addr)
VmxPtrld PROC StdCall _addr_low,_addr_high
mov eax,8
add eax,ebp
vmx_ptrld
MODRM_EAX_06
ret
VmxPtrld ENDP
I just want to understand what the macro does in the following code?
Many opcodes are followed by a ModR/M byte, which is split into 3 portions: the top two bits are "Mod", the next three are "Reg", and the bottom three are "R/M".
The combination of the "Mod" and "R/M" portions specify a register and addressing mode; the "Reg" portion may specify another register, or, in some cases, may specify a further extension to the opcode.
In this case, the ModR/M byte looks like this:
  0 0   1 1 0   0 0 0
  \_/   \___/   \___/
  Mod    Reg     R/M
Mod bits of 00 and R/M bits of 000 mean an addressing mode of [EAX] (in 32-bit mode). The remaining Reg bits are 6 in decimal. Hence MODRM_EAX_06.
To fully understand what is going on in your example, you need to know what the vmx_ptrld macro does. Assuming that this is indeed what @sixlettervariables found, vmx_ptrld produces bytes 0F C7.
0F is the first byte of a two-byte opcode. In many cases, the next byte will complete the opcode; but C7 indicates that further bits must be read from the Reg field of the ModR/M byte to determine what the opcode is. So the final opcode is 0F followed by C7 followed by the 6 from the Reg field of the ModR/M byte, written as 0F C7 /6 in Intel's manuals (which can be found here).
0F C7 /6 is VMPTRLD, so the real meaning of your routine is:
mov eax,8
add eax,ebp
vmptrld [eax]
ret
Presumably it has been written like this for the benefit of old assemblers which do not understand the (relatively recent) VMX instructions.
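As an added illustration of the decoding walked through above (this is not code from the question, the answer, or bluepill), here is a small 32-bit ModR/M decoder that splits the byte into Mod/Reg/R/M, resolves the memory operand (including the SIB and disp32 special cases), and looks the Reg field up as an opcode extension of 0F C7. The extension table holds only the unprefixed /1, /6 and /7 forms.

```python
REGS32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]

# Opcode extensions of the two-byte opcode 0F C7 ("0F C7 /n" in Intel's manuals).
# Unprefixed forms only; a 66 or F3 prefix selects different instructions.
OPCODE_0F_C7 = {1: "CMPXCHG8B", 6: "VMPTRLD", 7: "VMPTRST"}

def split_modrm(b: int) -> tuple:
    """Split a ModR/M byte into (mod, reg, rm): bits 7-6, 5-3 and 2-0."""
    return (b >> 6) & 0b11, (b >> 3) & 0b111, b & 0b111

def decode_rm_operand(code: bytes, pos: int) -> tuple:
    """Decode the r/m operand whose ModR/M byte is code[pos], 32-bit addressing.
    Returns (operand text, reg field, number of bytes consumed)."""
    mod, reg, rm = split_modrm(code[pos])
    used = 1
    if mod == 0b11:                            # register-direct form
        return REGS32[rm], reg, used
    parts = []                                 # address terms, e.g. ["EBP", "ECX*4"]
    disp_size = {0b00: 0, 0b01: 1, 0b10: 4}[mod]
    if rm == 0b100:                            # rm=100: a SIB byte follows
        sib = code[pos + used]
        used += 1
        scale, index, base = (sib >> 6) & 3, (sib >> 3) & 7, sib & 7
        if base == 0b101 and mod == 0b00:      # no base register, disp32 instead
            disp_size = 4
        else:
            parts.append(REGS32[base])
        if index != 0b100:                     # index=100 means "no index"
            parts.append(f"{REGS32[index]}*{1 << scale}")
    elif mod == 0b00 and rm == 0b101:          # mod=00 rm=101: absolute disp32
        disp_size = 4
    else:
        parts.append(REGS32[rm])
    disp = int.from_bytes(code[pos + used:pos + used + disp_size], "little", signed=True)
    used += disp_size
    if not parts:
        text = f"[{disp & 0xFFFFFFFF:#010x}]"
    elif disp_size:
        text = f"[{'+'.join(parts)}{disp:+d}]"
    else:
        text = f"[{'+'.join(parts)}]"
    return text, reg, used

def disassemble_0f_c7(code: bytes) -> str:
    """Disassemble one 0F C7 /n instruction, taking the opcode extension from Reg."""
    if code[:2] != b"\x0f\xc7":
        raise ValueError("expected the two-byte opcode 0F C7")
    operand, reg, _ = decode_rm_operand(code, 2)
    if reg not in OPCODE_0F_C7:
        raise ValueError(f"0F C7 /{reg} is not in this decoder's table")
    return f"{OPCODE_0F_C7[reg]} {operand}"
```

Feeding it the three bytes the macros emit, 0F C7 30, yields VMPTRLD [EAX]; the same routine written directly as vmptrld [ebp+8] would be 0F C7 75 08.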
It looks like they're using this to generate instructions, and this is a mod r/m byte of an instruction.
Looking at bluepill (which I guess is the code the OP is asking about), vmx_ptrld is also a macro, so
vmx_ptrld
MODRM_EAX_06
is a single instruction, MODRM_EAX_06 being the data for the instruction.
Rationale: bluepill is a PoC exploit for virtualization. When it was written, apparently the assembler that was used didn't yet support virtualization-related instructions, so they got coded inline via macros.