author | Zeex <zeex@rocketmail.com> | 2020-11-01 12:34:25 +0600 |
---|---|---|
committer | Zeex <zeex@rocketmail.com> | 2020-11-01 12:34:27 +0600 |
commit | 0a60c318843fa88a94adb50acf457f17a05aff25 (patch) | |
tree | feb2009e28437c4662f601711e22c931dfccad7e | |
parent | 499827d15b12aa90de7cb5ba1a2bc6db0fcbec0f (diff) | |
Fix RIP-relative address decoding
Some instructions were detected as using RIP-relative addressing, but in
fact they did not.
Example:
48 89 E5 mov rbp,rsp
-rw-r--r-- | subhook_x86.c | 9 |
1 files changed, 5 insertions, 4 deletions
diff --git a/subhook_x86.c b/subhook_x86.c
index b4d3a38..a6eb8bb 100644
--- a/subhook_x86.c
+++ b/subhook_x86.c
@@ -274,11 +274,11 @@ SUBHOOK_EXPORT int SUBHOOK_API subhook_disasm(void *src, int *reloc_op_offset) {
 if (opcodes[i].flags & MODRM) {
 uint8_t modrm = code[len++]; /* +1 for Mod/RM byte */
 uint8_t mod = modrm >> 6;
- uint8_t rm = modrm & 7;
+ uint8_t rm = modrm & 0x07;
 if (mod != 3 && rm == 4) {
 uint8_t sib = code[len++]; /* +1 for SIB byte */
- uint8_t base = sib & 7;
+ uint8_t base = sib & 0x07;
 if (base == 5) {
 /* The SIB is followed by a disp32 with no base if the MOD is 00B.
@@ -293,8 +293,9 @@ SUBHOOK_EXPORT int SUBHOOK_API subhook_disasm(void *src, int *reloc_op_offset) {
 }
 #ifdef SUBHOOK_X86_64
- if (reloc_op_offset != NULL && rm == 5) {
- *reloc_op_offset = (int32_t)len; /* RIP-relative addressing */
+ if (reloc_op_offset != NULL && mod == 0 && rm == 5) {
+ /* RIP-relative addressing: target is at [RIP + disp32]. */
+ *reloc_op_offset = (int32_t)len;
 }
 #endif |
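Review bot: The tightened condition `mod == 0 && rm == 5` in the second hunk ships without a regression test for the very example the commit message cites, so the false-positive class it fixes (a register-direct ModRM with rm=101 being mistaken for a RIP-relative operand, which would make the trampoline builder patch a displacement that is not there) can silently come back. A test feeding `48 89 E5` (mov rbp,rsp; ModRM E5 is mod=11, rm=101) and asserting that `*reloc_op_offset` is left untouched, next to a positive case such as `48 8B 05 00 00 00 00` (mov rax,[rip+0]) expecting an offset of 3, would pin both sides, assuming the opcode table consumes the REX prefix before this point. It is also worth recording why a plain `& 0x07` mask is sufficient here: RIP-relative selection is not affected by REX.B, so an encoding with REX.B set and rm=101 is still [RIP+disp32] rather than an r13-based operand (Intel SDM Vol. 2, 2.2.1.6), e.g. `/* mod=00 rm=101 means [RIP+disp32] regardless of REX.B (SDM 2.2.1.6). */`. The enclosing subhook_disasm body starts before and ends after this hunk, so whether reloc_op_offset is initialised when no RIP-relative operand is found cannot be checked from here.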