/*
* SMPStaticAnalyzer.cpp - <see below>.
*
* Copyright (c) 2000, 2001, 2010 - University of Virginia
*
* This file is part of the Memory Error Detection System (MEDS) infrastructure.
* This file may be used and modified for non-commercial purposes as long as
* all copyright, permission, and nonwarranty notices are preserved.
* Redistribution is prohibited without prior written consent from the University
* of Virginia.
*
* Please contact the authors for restrictions applying to commercial use.
*
* THIS SOURCE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* Author: University of Virginia
* e-mail: jwd@virginia.com
* URL : http://www.cs.virginia.edu/
*
* Additional copyrights 2010, 2011 by Zephyr Software LLC
* e-mail: {clc,jwd}@zephyr-software.com
* URL : http://www.zephyr-software.com/
*/
//
// SMPStaticAnalyzer.cpp
//
// This plugin performs the static analyses needed for the SMP project
// (Software Memory Protection).
//
using namespace std;
#include <list>
#include <vector>
#include <set>
#include <string>
#include <ctime>
#include <pro.h>
#include <ida.hpp>
#include <idp.hpp>
#include <auto.hpp>
#include <bytes.hpp>
#include <funcs.hpp>
#include <intel.hpp>
#include <loader.hpp>
#include <lines.hpp>
#include <nalt.hpp>
#include <name.hpp>
#include <ua.hpp>
#include "SMPStaticAnalyzer.h"
#include "SMPDBInterface.h"
#include "SMPDataFlowAnalysis.h"
#include "SMPProgram.h"
#include "SMPFunction.h"
#include "SMPInstr.h"
#include "ProfilerInformation.h"
// Set to 1 for debugging output
#define SMP_DEBUG 1
#define SMP_DEBUG2 0 // verbose
#define SMP_DEBUG3 0 // verbose
#define SMP_DEBUG_MEM 0 // print memory operands
#define SMP_DEBUG_TYPE0 0 // Output instr info for OptType = 0
#define SMP_DEBUG_CHUNKS 0 // restructuring tail chunks, shared chunks, etc.
#define SMP_DEBUG_DATA_ONLY 0 // Find & fix data addresses in code segments
// Set to 1 when doing a binary search using SMP_DEBUG_COUNT to find
// which function is causing a problem.
#define SMP_BINARY_DEBUG 0
#define SMP_DEBUG_COUNT 356 // How many funcs to process in problem search
int FuncsProcessed = 0;
#define SMP_FIXUP_IDB 0 // Try to fix the IDA database?
#define SMP_DEBUG_FIXUP_IDB 0 // debugging output for FixupIDB chain
#define SMP_FIND_ORPHANS 1 // find code outside of functions
#define SMP_DEBUG_CODE_ORPHANS 1 // Detect whether we are causing code to be orphaned
#define SMP_IDAP_RUN_DELAY 0 // Delay in IDAP_run() so we can attach debugger to process.
#define STARS_GENERATE_ASM_FILE 1 // Generate ASM file at end of processing?
#if SMP_DEBUG_CODE_ORPHANS
set<ea_t> CodeOrphans;
#endif
// Lock prefix for x86 code; jumping around this prefix conditionally looks like jumping
// into the middle of an instruction to IDA Pro, causing it to not collect instructions
// into a procedure. We replace these bytes with no-op opcodes because none of our analyses
// care about LOCK prefices. We store the addresses where we have done the replacement in a
// set in case we ever care.
#define X86_LOCK_PREFIX 0xF0
set<ea_t> LockPreficesRemoved; // Addresses where x86 LOCK prefix byte was turned into a no-op by STARS_custom_ana() callback.
static unsigned long CustomAnaCallCount = 0;
// Define optimization categories for instructions.
int OptCategory[NN_last + 1];
// Initialize the OptCategory[] array.
void InitOptCategory(void);
// Record which opcodes change the stack pointer, and by how many
// bytes up (reduction in stack size for stacks that grow downward)
// or down (increase in stack size for stacks that grow downward).
sval_t StackAlteration[NN_last + 1];
// Initialize the StackAlteration[] array.
void InitStackAlteration(void);
// Keep statistics on how many instructions we saw in each optimization
// category, and how many optimizing annotations were emitted for
// each category.
int OptCount[LAST_OPT_CATEGORY + 1];
int AnnotationCount[LAST_OPT_CATEGORY + 1];
// Unique data referent number to use in data annotations.
unsigned long DataReferentID;
// Debugging counters for analyzing memory usage.
unsigned long UnusedInstrCount;
unsigned long UnusedBlockCount;
unsigned long UnusedStructCount;
unsigned long UnusedIntCount;
#if SMP_COUNT_MEMORY_ALLOCATIONS
// Counters for analyzing memory use for allocated and used objects.
unsigned long SMPInstCount;
unsigned long SMPBlockCount;
unsigned long SMPFuncCount;
unsigned long SMPGlobalVarCount;
unsigned long SMPLocalVarCount;
unsigned long SMPDefUseChainCount;
unsigned long SMPInstBytes;
unsigned long SMPDefUseChainBytes;
#endif
#if SMP_MEASURE_NUMERIC_ANNOTATIONS
unsigned long NumericAnnotationsCount12; // cases 1 and 2
unsigned long NumericAnnotationsCount3; // case 3
unsigned long TruncationAnnotationsCount; // case 4
unsigned long SignednessWithoutTruncationCount; // case 5
unsigned long LeaInstOverflowCount; // case 6
unsigned long WidthDoublingTruncationCount; // case 7
unsigned long BenignOverflowInstCount;
unsigned long BenignOverflowDefCount;
unsigned long SuppressStackPtrOverflowCount;
unsigned long SuppressLiveFlagsOverflowCount;
unsigned long LiveMultiplyBitsCount;
unsigned long BenignTruncationCount;
unsigned long SuppressTruncationRegPiecesAllUsed;
unsigned long SuppressSignednessOnTruncation;
#endif
// The types of data objects based on their first operand flags.
const char *DataTypes[] = { "VOID", "NUMHEX", "NUMDEC", "CHAR",
"SEG", "OFFSET", "NUMBIN", "NUMOCT", "ENUM", "FORCED",
"STRUCTOFFSET", "STACKVAR", "NUMFLOAT", "UNKNOWN",
"UNKNOWN", "UNKNOWN", 0};
// Filename (not including path) of executable being analyzed.
static char RootFileName[MAXSTR];
// strings for printing ZST_SysCallType
const char *CallTypeNames[4] = { "Unrestricted", "High-Privilege", "File-Access", "Network-Access" };
DisAsmString DisAsmText;
// Operand type that can have all fields initialized to o_void and zero
// values, to be used to copy-initialize operands that we are adding to
// RTLs and DEF and USE lists.
op_t InitOp;
// File foo.exe.alarms for Zephyr Security Toolkit security alarm messages.
FILE *ZST_AlarmFile;
// Code addresses identified by a disassembler, such as objdump on
// Linux. These can be used to improve the code vs. data identification
// of IDA Pro.
vector<ea_t> DisasmLocs;
// Code addresses as identified by IDA Pro, to be compared to DisasmLocs.
vector<ea_t> IDAProLocs;
// Bit masks for extracting bits from a STARSBitSet unsigned char.
const unsigned char STARSBitMasks[8] = { 1, 2, 4, 8, 16, 32, 64, 128 };
// Function start and end addresses (for function entry chunks only).
// Kept here because IDA Pro 5.1 seems to have a memory overwriting
// problem when iterating through all functions in the program. An existing
// func_t *ChunkInfo data structure was getting overwritten by one of the
// function func_t data structures, causing changes of startEA and endEA among
// other things.
struct SMP_bounds_t {
ea_t startEA;
ea_t endEA;
};
vector<SMP_bounds_t> FuncBounds;
// List of functions that need to be reanalyzed after all the code fixup
// and code discovery is complete. Kept as a list of addresses; any address
// within the function is good enough to designate it.
list<ea_t> FuncReanalyzeList;
// A code region that has been converted from data but has code addresses that
// need to be reanalyzed. This is usually because a former data address is
// now a jump to a code target that is still a data address. We have to wait
// until the target has become code before IDA will accept the jump as valid.
class FixupRegion {
public:
FixupRegion(SMP_bounds_t);
inline ea_t GetStart(void) const { return CodeRegion.startEA; };
inline ea_t GetEnd(void) const { return CodeRegion.endEA; };
inline void SetStart(ea_t addr) { CodeRegion.startEA = addr; };
list<ea_t> FixupInstrs; // easier to expose than to encapsulate
private:
SMP_bounds_t CodeRegion;
};
FixupRegion::FixupRegion(SMP_bounds_t Range) {
this->CodeRegion = Range;
return;
}
// List of code regions that were not completely analysed because of jump to
// data considerations.
list<FixupRegion> CodeReanalyzeList;
// Map library function names to their system call type.
map<string, ZST_SysCallType> ZST_FuncTypeMap;
// Map system call types to their Zephyr Security Toolkit security policy.
map<ZST_SysCallType, ZST_Policy> ZST_TypePolicyMap;
// Set of whitelisted file locations.
set<string> ZST_FileLocWhitelist;
// Set of whitelisted network locations.
set<string> ZST_NetworkLocWhitelist;
// Set of blacklisted file locations.
set<string> ZST_FileLocBlacklist;
// Set of blacklisted network locations.
set<string> ZST_NetworkLocBlacklist;
void IDAP_run(int);
// Functions for diagnosing and/or fixing problems in the IDA database.
void FixupIDB(void); // Driver for all other fixing functions.
void FindDataInCode(void);
void AuditTailChunkOwnership(void);
void FindOrphanedCode(segment_t *, FILE *, FILE *);
void Debug_FindOrphanedCode(segment_t *, bool);
void FixCodeIdentification(void);
int FixupNewCodeChunks(void);
void AuditCodeTargets(void);
ea_t FindNewFuncLimit(ea_t);
void SpecialDebugOutput(void);
void RemoveIDACodeAddr(ea_t);
void ZST_InitPolicies(const char *);
static unsigned long DebugCounter = 0;
// Turn LOCK prefix into no-op when detected. Each is one byte in length.
bool STARS_custom_ana(ea_t CurrentAddr) {
int code = get_byte(CurrentAddr);
++CustomAnaCallCount;
if (X86_LOCK_PREFIX != code) {
return false;
}
else {
#define STARS_ANA_DEBUG_DELAY 0
#if STARS_ANA_DEBUG_DELAY
if (DebugCounter == 0) {
time_t start;
time_t current;
time(&start);
printf("delay for 15 seconds.\n");
do {
time(¤t);
} while(difftime(current,start) < 15.0);
++DebugCounter;
}
#endif
pair<set<ea_t>::iterator, bool> InsertResult;
InsertResult = LockPreficesRemoved.insert(CurrentAddr);
cmd.itype = NN_nop; // make it a no-op
cmd.size = 1; // one-byte no-op
#if 0
cmd.auxpref = 0; // clear prefix and flags fields
cmd.segpref = 0;
cmd.insnpref = 0;
cmd.flags = 0;
#endif
return true;
}
} // end of STARS_custom_ana()
static int idaapi idp_callback(void *, int event_id, va_list va) {
#if STARS_REMOVE_LOCK_PREFIX
if (event_id == processor_t::custom_ana) {
ea_t CurrentAddr = cmd.ea;
#if 1
int code = ua_next_byte();
++CustomAnaCallCount;
if (X86_LOCK_PREFIX == code) {
pair<set<ea_t>::iterator, bool> InsertResult;
InsertResult = LockPreficesRemoved.insert(CurrentAddr);
cmd.itype = NN_nop; // make it a no-op
return (int) (cmd.size + 1);
}
else {
return 0;
}
#else
if (STARS_custom_ana(CurrentAddr)) {
return 1; // handled event
}
#endif
}
#endif // STARS_REMOVE_LOCK_PREFIX
if (event_id == ph.auto_empty_finally) { // IDA analysis is done
// Ensure correct working environment.
if ((inf.filetype != f_ELF) && (inf.filetype != f_PE)) {
error("Executable format must be PE or ELF.");
return 0;
}
IDAP_run(0);
#if STARS_REMOVE_LOCK_PREFIX
SMP_msg("INFO: Calls to STARS_custom_ana: %lu \n", CustomAnaCallCount);
SMP_msg("INFO: Number of LOCK prefices eliminated: %zu \n", LockPreficesRemoved.size());
LockPreficesRemoved.clear();
#endif // STARS_REMOVE_LOCK_PREFIX
qexit(0);
}
return 0; // did not process any event
} // end of idp_callback()
int IDAP_init(void) {
#if 0 // We are now calling from the SMP.idc script.
// Skip this plugin if it was not specified by the user on the
// command line.
if (get_plugin_options("SMPStaticAnalyzer") == NULL) {
SMP_msg("IDAP_init point 2.\n");
return PLUGIN_SKIP;
}
#endif
// Ensure correct working environment.
if (ph.id != PLFM_386) {
error("Processor must be x86.");
return PLUGIN_SKIP;
}
hook_to_notification_point(HT_IDP, idp_callback, NULL);
DataReferentID = 1;
UnusedStructCount = 0;
UnusedIntCount = 0;
#if SMP_COUNT_MEMORY_ALLOCATIONS
SMPInstCount = 0;
SMPBlockCount = 0;
SMPDefUseChainCount = 0;
SMPFuncCount = 0;
SMPGlobalVarCount = 0;
SMPLocalVarCount = 0;
SMPInstBytes = 0;
SMPDefUseChainBytes = 0;
#endif
#if SMP_MEASURE_NUMERIC_ANNOTATIONS
NumericAnnotationsCount12 = 0;
NumericAnnotationsCount3 = 0;
TruncationAnnotationsCount = 0;
SignednessWithoutTruncationCount = 0;
LeaInstOverflowCount = 0;
WidthDoublingTruncationCount = 0;
BenignOverflowInstCount = 0;
BenignOverflowDefCount = 0;
SuppressStackPtrOverflowCount = 0;
SuppressLiveFlagsOverflowCount = 0;
LiveMultiplyBitsCount = 0;
BenignTruncationCount = 0;
SuppressTruncationRegPiecesAllUsed = 0;
SuppressSignednessOnTruncation = 0;
#endif
InitOp.type = o_void;
InitOp.addr = 0;
InitOp.dtyp = dt_dword;
InitOp.flags = 0;
InitOp.n = 0;
InitOp.offb = 0;
InitOp.offo = 0;
InitOp.reg = R_none;
InitOp.specflag1 = 0;
InitOp.specflag2 = 0;
InitOp.specflag3 = 0;
InitOp.specflag4 = 0;
InitOp.specval = 0;
InitOp.value = 0;
InitOp.set_showed();
ZST_AlarmFile = NULL;
#ifdef STARS_IRDB_INTERFACE
SMPLogFile = NULL;
#endif
InitOptCategory();
InitDFACategory();
InitTypeCategory();
InitSMPDefsFlags();
InitSMPUsesFlags();
InitLibFuncFGInfoMaps();
InitIntegerErrorCallSinkMap();
InitStackAlteration();
return PLUGIN_KEEP;
} // end of IDAP_init
void IDAP_term(void) {
unhook_from_notification_point(HT_IDP, idp_callback, NULL);
return;
}
void IDAP_run(int arg) {
FILE *AnnotFile;
FILE *InfoAnnotFile;
FILE *AsmFile;
#ifdef STARS_IRDB_INTERFACE
string ZSTLogFileName(RootFileName);
string LogFileSuffix(".STARSlog");
ZSTLogFileName += LogFileSuffix;
SMPLogFile = SMP_fopen(ZSTLogFileName.c_str(), "w");
if (NULL == SMPLogFile) {
error("ERROR: Cannot open STARS log file %s\n", ZSTLogFileName.c_str());
error("Redirecting to stderr.\n");
SMPLogFile = stderr;
}
#endif
#if SMP_DEBUG
SMP_msg("Beginning IDAP_run.\n");
#endif
SMP_msg("IDA SDK version: %d \n", IDA_SDK_VERSION);
// Open the output file.
ssize_t FileLen;
FileLen = get_root_filename(RootFileName, sizeof(RootFileName) - 1);
string AnnotFileName(RootFileName);
string FileSuffix(".annot");
AnnotFileName += FileSuffix;
string InfoAnnotFileName(RootFileName);
string InfoFileSuffix(".infoannot");
InfoAnnotFileName += InfoFileSuffix;
string ZSTPolicyFileName(RootFileName);
string PolicyFileSuffix(".policy");
ZSTPolicyFileName += PolicyFileSuffix;
string ZSTAlarmFileName(RootFileName);
string AlarmFileSuffix(".alarms");
ZSTAlarmFileName += AlarmFileSuffix;
string AsmFileName(RootFileName);
string AsmFileSuffix(".asm");
AsmFileName += AsmFileSuffix;
// For debugging, we can add a delay loop so we have time to attach gdb to the
// running process and set a breakpoint.
#if SMP_IDAP_RUN_DELAY
time_t start;
time_t current;
time(&start);
printf("delay for 15 seconds.\n");
do {
time(¤t);
} while(difftime(current,start) < 15.0);
#endif
ea_t RecentAddr;
#if SMP_DEBUG_CODE_ORPHANS
CodeOrphans.clear();
RecentAddr = BADADDR;
#if IDA_SDK_VERSION < 600
for (int SegIndex = 0; SegIndex < SMP_get_segm_qty(); ++SegIndex) {
segment_t *seg = SMP_getnseg(SegIndex);
#else
for (segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
RecentAddr = seg->startEA;
#endif
if (seg->type == SEG_CODE)
Debug_FindOrphanedCode(seg, true);
}
#endif
SMPProgram *CurrProg = new SMPProgram();
CurrProg->AnalyzeData(); // Analyze static data in the executable
// read the Profiler generated information into a new prof_info class
ProfilerInformation *prof_info = new ProfilerInformation(AnnotFileName.c_str(), CurrProg);
AnnotFile = SMP_fopen(AnnotFileName.c_str(), "w");
if (NULL == AnnotFile) {
error("FATAL ERROR: Cannot open output file %s\n", AnnotFileName.c_str());
delete prof_info;
return;
}
InfoAnnotFile = SMP_fopen(InfoAnnotFileName.c_str(), "w");
if (NULL == InfoAnnotFile) {
error("FATAL ERROR: Cannot open output file %s\n", InfoAnnotFileName.c_str());
SMP_fclose(AnnotFile);
delete prof_info;
return;
}
ZST_AlarmFile = SMP_fopen(ZSTAlarmFileName.c_str(), "w");
if (NULL == ZST_AlarmFile) {
error("FATAL ERROR: Cannot open security alarms file %s\n", ZSTAlarmFileName.c_str());
SMP_fclose(AnnotFile);
SMP_fclose(InfoAnnotFile);
delete prof_info;
return;
}
// Read the Zephyr Security Toolkit system call security policies, if available.
ZST_InitPolicies(ZSTPolicyFileName.c_str());
(void) memset(OptCount, 0, sizeof(OptCount));
(void) memset(AnnotationCount, 0, sizeof(AnnotationCount));
try { // We will catch memory exhaustion errors.
// Record the start and end addresses for all function entry
// chunks in the program.
FuncBounds.reserve(10 + get_func_qty());
for (size_t FuncIndex = 0; FuncIndex < get_func_qty(); ++FuncIndex) {
func_t *FuncInfo = getn_func(FuncIndex);
SMP_bounds_t temp;
temp.startEA = FuncInfo->startEA;
temp.endEA = FuncInfo->endEA;
FuncBounds.push_back(temp);
}
#if SMP_DEBUG_DATA_ONLY
FindDataInCode();
FixCodeIdentification();
SMP_fclose(SymsFile);
delete prof_info;
return;
#endif
// Pre-audit the IDA database by seeing if the distinction
// between code and data can be improved, and if all branches
// and calls have proper code targets and code cross references.
#if SMP_FIXUP_IDB
FixupIDB();
#endif
if (0 < prof_info->GetProfilerAnnotationCount()) {
SMP_msg("Calling InferDataGranularity\n");
SMP_msg("ptr to MemoryAccessInfo: %p\n", prof_info->GetMemoryAccessInfo());
prof_info->GetMemoryAccessInfo()->InferDataGranularity();
SMP_msg("Returned from InferDataGranularity\n");
}
CurrProg->ProfGranularityFinished(AnnotFile, InfoAnnotFile);
CurrProg->Analyze(prof_info);
CurrProg->EmitAnnotations(AnnotFile, InfoAnnotFile);
#if SMP_DEBUG_CODE_ORPHANS
RecentAddr = BADADDR;
#if IDA_SDK_VERSION < 600
for (int SegIndex = 0; SegIndex < SMP_get_segm_qty(); ++SegIndex) {
segment_t *seg = SMP_getnseg(SegIndex);
#else
for (segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
RecentAddr = seg->startEA;
#endif
if (seg->type == SEG_CODE)
Debug_FindOrphanedCode(seg, true);
}
#endif
#if SMP_FIND_ORPHANS
RecentAddr = BADADDR;
#if IDA_SDK_VERSION < 600
for (int SegIndex = 0; SegIndex < SMP_get_segm_qty(); ++SegIndex) {
segment_t *seg = SMP_getnseg(SegIndex);
#else
for (segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
RecentAddr = seg->startEA;
#endif
if (seg->type == SEG_CODE)
FindOrphanedCode(seg, AnnotFile, InfoAnnotFile);
}
#endif
for (int OptType = 0; OptType <= LAST_OPT_CATEGORY; ++OptType) {
SMP_msg("Optimization Category Count %d: %d Annotations: %d\n",
OptType, OptCount[OptType], AnnotationCount[OptType]);
}
SMP_fclose(AnnotFile);
SMP_fprintf(InfoAnnotFile, " 8000000 2 SUCCESS ANALYSISCOMPLETED\n");
SMP_fclose(InfoAnnotFile);
SMP_fclose(ZST_AlarmFile);
#if STARS_GENERATE_ASM_FILE
AsmFile = SMP_fopen(AsmFileName.c_str(), "w");
if (NULL == AsmFile) {
error("FATAL ERROR: Cannot open ASM file %s\n", AsmFileName.c_str());
}
else {
int FileResult = gen_file(OFILE_ASM, AsmFile, LowestCodeAddress, 0xffffffff, (GENFLG_MAPSEG | GENFLG_ASMTYPE));
if (0 >= FileResult) {
SMP_msg("ERROR: Could not generate ASM file.\n");
}
SMP_fclose(AsmFile);
}
#endif
delete CurrProg;
delete prof_info;
return;
}
catch (std::bad_alloc) {
delete CurrProg;
delete prof_info;
error("FATAL ERROR: Memory exhausted.\n");
SMP_fprintf(InfoAnnotFile, " 8000000 2 ERROR MEMORYEXHAUSTED\n");
SMP_fclose(AnnotFile);
SMP_fclose(InfoAnnotFile);
SMP_fclose(ZST_AlarmFile);
return;
}
} // end IDAP_run()
char IDAP_comment[] = "ZephyrSoftware STARS (Static Analyzer for Reliability and Security)";
char IDAP_help[] = "Good luck";
char IDAP_name[] = "SMPStaticAnalyzer";
char IDAP_hotkey[] = "Alt-J";
plugin_t PLUGIN = {
IDP_INTERFACE_VERSION,
PLUGIN_PROC | PLUGIN_MOD,
IDAP_init,
IDAP_term,
IDAP_run,
IDAP_comment,
IDAP_help,
IDAP_name,
IDAP_hotkey
};
// Find all code addresses in the IDA database and enter them into
// IDAProLocs. Find all code addresses identified by the external
// disassembler (e.g. objdump) and enter them into DisasmLocs.
void FindCodeAddresses(void) {
// Read in code addresses as found by an external disassembler.
ea_t CurrDisasmAddr;
string DisasmFileName(RootFileName);
string FileSuffix(".SMPobjdump");
DisasmFileName += FileSuffix;
FILE *DisasmFile = SMP_fopen(DisasmFileName.c_str(), "r");
if (NULL == DisasmFile) {
error("FATAL: Cannot open input file %s\n", DisasmFileName.c_str());
return;
}
#define DISASM_RESERVE_SIZE 50000
DisasmLocs.reserve(DISASM_RESERVE_SIZE);
int ScanReturn = qfscanf(DisasmFile, "%x", &CurrDisasmAddr);
while (1 == ScanReturn) {
int NextChar;
DisasmLocs.push_back(CurrDisasmAddr);
// Swallow the rest of the input line and get the next address.
do {
NextChar = qfgetc(DisasmFile);
} while ((EOF != NextChar) && ('\n' != NextChar));
ScanReturn = qfscanf(DisasmFile, "%x", &CurrDisasmAddr);
} // end while (1 == ScanReturn)
if (0 >= DisasmLocs.size()) {
SMP_msg("ERROR: No addresses read from %s\n", DisasmFileName.c_str());
SMP_fclose(DisasmFile);
DisasmLocs.clear();
return;
}
else {
SMP_msg("%zu Disasm addresses read from %s\n", DisasmLocs.size(),
DisasmFileName.c_str());
SMP_fclose(DisasmFile);
}
// Find all the code locs in the IDA Pro database. As we find
// them, store them in IDAProLocs.
ea_t RecentAddr = BADADDR;
#if IDA_SDK_VERSION < 600
for (int SegIndex = 0; SegIndex < SMP_get_segm_qty(); ++SegIndex) {
segment_t *seg = SMP_getnseg(SegIndex);
#else
for (segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
RecentAddr = seg->startEA;
#endif
if (SEG_CODE != seg->type)
continue;
for (ea_t addr = seg->startEA; addr < seg->endEA; addr = get_item_end(addr)) {
flags_t InstrFlags = getFlags(addr);
if (isHead(InstrFlags) && isCode(InstrFlags)) {
IDAProLocs.push_back(addr);
#if 0
if ((0x806cda4 <= addr) && (0x806cf99 >= addr))
SMP_msg("IDA code addr: %x\n", addr);
#endif
} // end if (isHead(addr) && isCode(addr)
#if SMP_DEBUG_FIXUP_IDB
else if ((0x806cda4 <= addr) && (0x806cf99 >= addr)) {
if (!isHead(InstrFlags))
SMP_msg("Weirdness: not isHead at %x\n", addr);
if (isUnknown(InstrFlags)) {
SMP_msg("Weirdness: isUnknown at %x\n", addr);
}
}
#endif
} // end for (ea_t addr = seg->startEA; ...)
} // end for all segments
return;
} // end FindCodeAddresses()
// Return true if addr is not a proper beginning address for an instruction.
// Return false otherwise.
// Currently, we claim that an instruction is misaligned if DisasmLocs does
// not contain it. This function is useful for dealing with errors in IDA
// code identification, in which a large code section is identified as data,
// but some instructions in the middle of the "data" are identified as
// code but IDA often starts on the wrong boundary in these cases.
bool IsCodeMisaligned(ea_t addr) {
// Do a binary search for addr within DisasmLocs, which is sorted
// in ascending address order because of the way in which it was
// generated.
size_t min = 0;
size_t max = DisasmLocs.size(); // don't access DisasmLocs[max]
size_t index = (min + max) / 2;
while (addr != DisasmLocs[index]) {
if (min >= (max - 1))
return true;
#if 0
SMP_msg("min: %d max: %d index: %d\n", min, max, index);
#endif
if (addr < DisasmLocs[index])
max = index;
else // must be addr > DisasmLocs[index];
min = index;
index = (min + max) / 2;
}
return false;
} // end of IsCodeMisaligned()
void RemoveIDACodeAddr(ea_t addr) {
// Do a binary search for addr within IDAProLocs, which is sorted
// in ascending address order because of the way in which it was
// generated. Delete the element of IDAProLocs if found.
size_t min = 0;
size_t max = IDAProLocs.size(); // don't access IDAProLocs[max]
size_t index = (min + max) / 2;
while (addr != IDAProLocs[index]) {
if (min >= (max - 1))
return;
#if 0
SMP_msg("min: %d max: %d index: %d\n", min, max, index);
#endif
if (addr < IDAProLocs[index])
max = index;
else // must be addr > IDAProLocs[index];
min = index;
index = (min + max) / 2;
}
// IDAProLocs[index] contains addr.
vector<ea_t>::iterator RemovalIterator = IDAProLocs.begin();
RemovalIterator += index;
RemovalIterator = IDAProLocs.erase(RemovalIterator);
return;
} // end of RemoveIDACodeAddr()
// Driver for all other fixing functions. Upon its return, the IDA
// database (IDB file) should be fixed up as much as we can fix it.
void FixupIDB(void) {
FindCodeAddresses();
#if SMP_DEBUG_FIXUP_IDB
SpecialDebugOutput();
#endif
AuditCodeTargets();
FindDataInCode();
AuditTailChunkOwnership();
if (DisasmLocs.size() > 0) {
FixCodeIdentification();
int fixes = FixupNewCodeChunks();
#if SMP_DEBUG_FIXUP_IDB
SpecialDebugOutput();
#endif
}
DisasmLocs.clear();
IDAProLocs.clear();
} // end of FixupIDB()
// Find and print all data head addresses in code segments.
// If an isolated code instruction is found in the midst of a run
// of data bytes and has no code xrefs jumping to it, it is not
// reachable as code and is undoubtedly a mixup by IDA. Possibly
// the whole data region will be converted to code later, in which
// case the isolated code is not necessarily properly aligned and
// parsed at its present address, so we are glad to convert it into
// data anyway so that FindDataToConvert() will succeed on it later.
// Data to code conversion, and isolated code detection, are inhibited
// by IDA identifying several consecutive instructions in the midst
// of a data region, with the code addresses not agreeing with the
// external disassembler's code addresses. We will convert these
// misaligned instructions to data as we detect them. We will also
// convert unexplored bytes (isUnknown(flags) == true) into data if
// they are in the midst of a data sequence.
#define MIN_DATARUN_LEN 24 // #bytes on either side of "isolated" code
void FindDataInCode(void) {
size_t DataRunLen = 0; // How many data bytes in a row have we seen?
bool IsolatedCodeTrigger = false; // Have seen data, then isolated code
// Now looking for data
ea_t IsolatedCodeAddr;
int IsolatedCodeLen;
int InstrLen;
bool InstOK;
insn_t LocalCmd;
ulong LocalFeatures;
ea_t RecentAddr = BADADDR;
#if IDA_SDK_VERSION < 600
for (int SegIndex = 0; SegIndex < SMP_get_segm_qty(); ++SegIndex) {
segment_t *seg = SMP_getnseg(SegIndex);
#else
for (segment_t *seg = SMP_get_first_seg(); NULL != seg; seg = SMP_get_next_seg(RecentAddr)) {
RecentAddr = seg->startEA;
#endif
if (SEG_CODE != seg->type)
continue;
#if SMP_DEBUG_FIXUP_IDB
char SegName[MAXSTR];
ssize_t SegNameSize = SMP_get_segm_name(seg, SegName, sizeof(SegName) - 1);
SMP_msg("Non-code addresses for code segment %s from %x to %x\n",
SegName, seg->startEA, seg->endEA);
#endif
for (ea_t addr = seg->startEA; addr < seg->endEA; addr = get_item_end(addr)) {
flags_t AddrFlags = getFlags(addr);
if (isHead(AddrFlags)) {
if (isData(AddrFlags)) {
DataRunLen += get_item_size(addr);
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Data: %x\n", addr);
#endif
if (MIN_DATARUN_LEN <= DataRunLen) {
if (IsolatedCodeTrigger) {
// Saw data, then one isolated code, then data
do_unknown_range(IsolatedCodeAddr, IsolatedCodeLen, DOUNK_SIMPLE);
RemoveIDACodeAddr(IsolatedCodeAddr);
if (do_data_ex(IsolatedCodeAddr, byteflag(),
IsolatedCodeLen, BADNODE)) {
SMP_msg("Converted isolated code to data: %x\n",
IsolatedCodeAddr);
}
else {
SMP_msg("Failed to convert isolated code to data: %x len: %x\n",
IsolatedCodeAddr, IsolatedCodeLen);
}
IsolatedCodeTrigger = false;
} // end if (IsolatedCodeTrigger)
} // end if (MIN_DATARUN_LEN <= DataRunLen)
} // end if (isData(AddrFlags)
else if (isUnknown(AddrFlags)) {
// Just in case; unknown usually means not head or tail
// If in a data run, convert to data.
InstrLen = get_item_size(addr);
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Unknown: %x len: %x\n", addr, InstrLen);
#endif
if (0 < DataRunLen) {
if (do_data_ex(addr, byteflag(), InstrLen, BADNODE)) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Converted unknown to data at %x len: %x\n", addr, InstrLen);
#endif
DataRunLen += InstrLen;
}
else {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Failed to convert unknown to data at %x len: %x\n", addr, InstrLen);
#endif
DataRunLen = 0;
IsolatedCodeTrigger = false;
}
}
}
else if (isCode(AddrFlags)) { // must be true
if (MIN_DATARUN_LEN <= DataRunLen) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("DataRunLen: %d at %x\n", DataRunLen, addr);
#endif
InstOK = SMPGetCmd(addr, LocalCmd, LocalFeatures);
assert(InstOK);
InstrLen = (int) LocalCmd.size;
// We don't check the returned InstrLen for validity because IsCodeMisaligned()
// will check for validity immediately below.
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Calling IsCodeMisaligned: len %d\n", InstrLen);
#endif
if (IsCodeMisaligned(addr)) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Code was misaligned.\n");
#endif
do_unknown_range(addr, InstrLen, DOUNK_SIMPLE);
RemoveIDACodeAddr(addr);
if (do_data_ex(addr, byteflag(), InstrLen, BADNODE)) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Converted misaligned code to data at %x : len: %x\n",
addr, InstrLen);
#endif
// Step back so data gets processed.
DataRunLen += get_item_size(addr);
continue; // skip reset of DataRunLen
}
else {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Misaligned code left as unknown at %x : len: %x\n",
addr, InstrLen);
#endif
IsolatedCodeTrigger = false;
}
} // end if (IsCodeMisaligned() ...)
else if (!hasRef(AddrFlags)) {
// No references at all --> isolated code.
IsolatedCodeTrigger = true;
IsolatedCodeAddr = addr;
IsolatedCodeLen = InstrLen;
}
else {
SMP_xref_t xb;
bool ok = xb.SMP_first_to(addr, XREF_ALL);
if (!ok) {
// No code xrefs to this target addr.
IsolatedCodeTrigger = true;
IsolatedCodeAddr = addr;
IsolatedCodeLen = InstrLen;
}
}
} // end if (MIN_DATARUN_LEN <= DataRunLen)
else if (IsolatedCodeTrigger) {
// Two instructions in a row does not fit the pattern.
IsolatedCodeTrigger = false;
}
DataRunLen = 0;
} // end if (isData) ... else if (isUnknown) ... else isCode
} // end if (isHead)
else if (isUnknown(AddrFlags)) {
// If in a data run, convert to data.
InstrLen = get_item_size(addr);
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Unknown: %x len: %x\n", addr, InstrLen);
#endif
if (0 < DataRunLen) {
if (do_data_ex(addr, byteflag(), InstrLen, BADNODE)) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Converted unknown to data at %x len: %x\n", addr, InstrLen);
#endif
DataRunLen += InstrLen;
}
else {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Failed to convert unknown to data at %x len: %x\n", addr, InstrLen);
#endif
DataRunLen = 0;
IsolatedCodeTrigger = false;
}
}
}
} // end for (ea_t addr = seg->startEA; ...)
} // end for all segments
return;
} // end of FindDataInCode()
// The choices that IDA makes for deciding which parent function of a
// TAIL chunk is the primary owner of the tail can be counterintuitive.
// A function entry can both fall into and jump to a tail chunk that
// is contiguous with it, yet the "owner" might be a function that is
// far below it in the executable address space. This function will
// change the ownership to a more sensible arrangement.
void AuditTailChunkOwnership(void) {
char FuncName[MAXSTR];
// Iterate through all chunks in the program.
size_t NumChunks = get_fchunk_qty();
for (size_t ChunkIndex = 0; ChunkIndex < NumChunks; ++ChunkIndex) {
func_t *ChunkInfo = getn_fchunk((int) ChunkIndex);
if (is_func_tail(ChunkInfo)) {
// For each TAIL chunk, find all the parent chunks. Find the last
// parent chunk with an address less than the TAIL chunk address.
ea_t BestCandidate = 0;
func_parent_iterator_t FuncParent(ChunkInfo);
#if SMP_DEBUG_CHUNKS
SMP_msg("Tail chunk: %x ", ChunkInfo->startEA);
#endif
for (bool ok = FuncParent.first(); ok; ok = FuncParent.next()) {
ea_t parent = FuncParent.parent();
#if SMP_DEBUG_CHUNKS
SMP_msg(" parent: %x ", parent);
#endif
if ((parent > BestCandidate) && (parent < ChunkInfo->startEA))
BestCandidate = parent;
}
#if SMP_DEBUG_CHUNKS
SMP_msg("\n");
#endif
// Make the best parent chunk the owner of the TAIL chunk if it is
// not already the owner.
if (ChunkInfo->owner != BestCandidate) {
if (0 < BestCandidate) {
if (set_tail_owner(ChunkInfo, BestCandidate)) {
func_t *FuncInfo = get_func(BestCandidate);
SMP_msg("Set %x as new owner of tail %x\n",
BestCandidate, ChunkInfo->startEA);
// Reanalyze the parent function (and all its
// tail chunks) now that the structure has changed.
reanalyze_function(FuncInfo);
}
else {
SMP_msg("set_tail_owner failed for tail %x and parent %x\n",
ChunkInfo->startEA, BestCandidate);
}
}
else {
func_t *FuncInfo = get_func(ChunkInfo->owner);
get_func_name(FuncInfo->startEA, FuncName, sizeof(FuncName) - 1);
#if SMP_DEBUG_CHUNKS
SMP_msg("No good parent candidate before tail at %x\n",
ChunkInfo->startEA);
SMP_msg("Current parent is %x: %s\n", FuncInfo->startEA, FuncName);
#endif
// Find out if a function entry chunk that comes before the
// tail is a better candidate for the owner (i.e. it falls
// through to the tail, or jumps to it).
BestCandidate = 0;
#if SMP_DEBUG_CHUNKS
SMP_msg("Finding parent func candidates for %x:", ChunkInfo->startEA);
#endif
SMP_bounds_t CurrFunc;
for (size_t FuncIndex = 0; FuncIndex < FuncBounds.size(); ++FuncIndex) {
CurrFunc = FuncBounds[FuncIndex];
if ((CurrFunc.startEA < ChunkInfo->startEA)
&& (CurrFunc.startEA > BestCandidate)) {
BestCandidate = CurrFunc.startEA;
#if SMP_DEBUG_CHUNKS
SMP_msg(" candidate: %x tail: %x", BestCandidate,
ChunkInfo->startEA);
#endif
}
else {
#if SMP_DEBUG_CHUNKS
SMP_msg(" not a candidate: %x tail: %x best: %x\n",
CurrFunc.startEA, ChunkInfo->startEA, BestCandidate);
#endif
break;
}
} // end for (size_t FuncIndex = 0; ...)
if (0 >= BestCandidate) { // highly unlikely
SMP_msg("No good func entry parent candidate.\n");
}
else {
FuncInfo = get_func(BestCandidate);
get_func_name(FuncInfo->startEA, FuncName, sizeof(FuncName) - 1);
#if SMP_DEBUG_CHUNKS
SMP_msg("Best func entry parent candidate: %s at %x",
FuncName, BestCandidate);
if (FuncInfo->endEA == ChunkInfo->startEA)
SMP_msg(" Function endEA == tail chunk startEA");
SMP_msg("\n");
#endif
}
}
} // end if (ChunkInfo->owner != BestCandidate)
#if SMP_DEBUG_CHUNKS
else {
SMP_msg("Already best parent for %x is %x\n", ChunkInfo->startEA,
ChunkInfo->owner);
}
#endif
} // end if (is_func_tail(ChunkInfo))
} // end for (size_t ChunkIndex = 0; ...)
return;
} // end of AuditTailChunkOwnership()
// If the addresses signified from DisasmIndex to IDAProIndex are
// all considered data and do NOT follow a return instruction,
// return false and update AreaSize to reflect the area to be
// converted.
// Return value: true -> skip to IDAProIndex; false -> convert AreaSize bytes.
bool FindDataToConvert(size_t IDAProIndex, size_t DisasmIndex, int &AreaSize) {
ea_t PrevIDAAddr;
ea_t NextIDAAddr;
size_t ShadowDisasmIndex = DisasmIndex - 1;
ea_t DisasmAddr = DisasmLocs[ShadowDisasmIndex];
bool CannotConvert = false; // return value
bool DebugAddress = false;
#if SMP_DEBUG_FIXUP_IDB
DebugAddress = (DisasmAddr == 0x806c19a);
#endif
if (DebugAddress) {
SMP_msg("IDAProIndex: %zu DisasmIndex: %zu\n", IDAProIndex, DisasmIndex);
SMP_msg("IDA locs size %zu Disasm locs size %zu\n", IDAProLocs.size(),
DisasmLocs.size());
}
if (IDAProIndex >= IDAProLocs.size()) {
// Have already processed the last IDA address.
if (DebugAddress) SMP_msg(" Already done with IDAProLocs.\n");
return true;
}
else if (DisasmIndex >= DisasmLocs.size()) {
// Strange. Last Disasm address is only one to convert, and
// IDA still has addresses after that?
if (DebugAddress) SMP_msg(" Already done with DisasmLocs.\n");
return true;
}
else if (IDAProIndex < 2) {
// We have Disasm addrs before the very first IDA addr. We
// don't trust this boundary case.
if (DebugAddress) SMP_msg(" Boundary case with IDAProLocs.\n");
return true;
}
NextIDAAddr = IDAProLocs[IDAProIndex - 1];
PrevIDAAddr = IDAProLocs[IDAProIndex - 2];
if (DebugAddress) SMP_msg(" PrevIDAAddr: %x NextIDAAddr: %x\n", PrevIDAAddr, NextIDAAddr);
// See if previous IDA address was a return.
flags_t PrevFlags = getFlags(PrevIDAAddr);
if (!isCode(PrevFlags) || !isHead(PrevFlags)) {
SMP_msg("PrevIDAAddr %x not isCode or not isHead.\n", PrevIDAAddr);
return true;
}
SMPInstr PrevInstr(PrevIDAAddr);
PrevInstr.Analyze();
if (DebugAddress) SMP_msg("Finished PrevInstr.Analyze()\n");
if (PrevInstr.MDIsReturnInstr()) {
// Right after a return come no-ops and 2-byte no-ops
// that are just for alignment. IDA does not seem to be
// happy when we convert all those to code.
if (DebugAddress) SMP_msg(" Data followed a return instruction.\n");
return true;
}
// Now, see if the area from DisasmAddr to NextIDAAddr is all data
// according to IDA.
while (DisasmAddr < NextIDAAddr) {
flags_t DataFlags = getFlags(DisasmAddr);
if (isTail(DataFlags)) {
if (DebugAddress) SMP_msg(" tail byte: %x\n", DisasmAddr);
DisasmAddr = get_item_end(DisasmAddr);
}
else if (isData(DataFlags)) {
if (DebugAddress) SMP_msg(" data byte: %x\n", DisasmAddr);
DisasmAddr = get_item_end(DisasmAddr);
}
else if (isCode(DataFlags)) {
// How could this ever happen?
if (DebugAddress) SMP_msg(" isCode: %x\n", DisasmAddr);
return true;
}
else { // must be isUnknown()
// Very conservative here; only want to convert when the whole
// region is data, because that is a symptom of IDA missing
// a piece of code within a function (usually a piece of code
// that is only reachable via an indirect jump).
if (DebugAddress) SMP_msg(" Not isData: %x\n", DisasmAddr);
return true;
}
if (DebugAddress) SMP_msg(" new DisasmAddr: %x\n", DisasmAddr);
} // end while (DisasmAddr < NextIDAAddr)
if (DebugAddress) SMP_msg(" loop exit CannotConvert: %d\n", CannotConvert);
if (!CannotConvert) {
// Success.
DisasmAddr = DisasmLocs[ShadowDisasmIndex];
AreaSize = NextIDAAddr - DisasmAddr;
if (DebugAddress) {
SMP_msg(" Success! AreaSize: %x Old index: %zu new index: %zu\n",
AreaSize, ShadowDisasmIndex, DisasmIndex);
SMP_msg(" exiting FindDataToConvert()\n");
SMP_msg("\n");
}
} // end if (!CannotConvert)
return CannotConvert;
} // end of FindDataToConvert()
// Does a converted code region look like a function prologue? If so,
// we should not include it in the previous function.
bool IsFunctionPrologue(ea_t StartAddr, ea_t EndAddr) {
return false; // **!!** TODO
} // end of IsFunctionPrologue()
// Patch program bytes that could not be converted from
// data to code, if it can be determined that the bytes represent code
// that IDA has a hard time with.
// Currently limited to finding "call near ptr 0" instructions, which
// often are found in optimized glibc code because gcc was able to
// determine that a function pointer was zero and did constant propagation,
// but unfortunately was not able to determine that the code was unreachable.
// IDA will not succeed in ua_code() for "call 0", but there is no danger
// of a working program ever executing this code. Replacing the call with
// no-ops permits us to continue converting a contiguous range of data to
// code, and permits IDA to reanalyze the function later.
// Returns true if program bytes were patched.
bool MDPatchUnconvertedBytes(ea_t CurrDisasmAddr) {
flags_t AddrFlags = getFlags(CurrDisasmAddr);
if (isData(AddrFlags) || isTail(AddrFlags)) {
// Bytes should have been converted to unknown already.
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Cannot patch data bytes or tail bytes at %x\n", CurrDisasmAddr);
#endif
return false;
}
SMPInstr PatchInstr(CurrDisasmAddr);
PatchInstr.Analyze();
int InstrLen = PatchInstr.GetCmd().size;
if (0 >= InstrLen) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("decode_insn() failed on patch location %x\n", CurrDisasmAddr);
#endif
return false;
}
else {
if (PatchInstr.GetCmd().itype != NN_call) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Cannot patch non-call instruction at %x\n", CurrDisasmAddr);
#endif
return false;
}
PatchInstr.PrintOperands();
op_t CallDest = PatchInstr.GetFirstUse()->GetOp();
if ((o_near != CallDest.type) || (0 != CallDest.addr)) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Cannot patch call unless it is call near ptr 0 at %x",
CurrDisasmAddr);
#endif
return false;
}
ea_t PatchAddr = CurrDisasmAddr;
for (int i = 0; i < InstrLen; ++i) {
bool ok = patch_byte(PatchAddr, 0x90); // x86 no-op
if (!ok) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("patch_byte() failed at %x\n", PatchAddr);
#endif
return false;
}
++PatchAddr;
}
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Patched %d bytes successfully at %x\n", InstrLen, CurrDisasmAddr);
#endif
#if IDA_SDK_VERSION < 600
InstrLen = ua_code(CurrDisasmAddr);
#else
InstrLen = create_insn(CurrDisasmAddr);
#endif
if (0 >= InstrLen) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg(" ... but ua_code() still failed!\n");
#endif
return false;
}
} // end if (0 >= InstrLen) ... else ...
return true;
} // end of MDPatchUnconvertedBytes()
// Use the lists of code addresses identified by IDA Pro (in IDAProLocs)
// and an external disassembler (in DisasmLocs). Compare the lists and
// try to convert addresses to code that are found in DisasmLocs but
// not in IDAProLocs. Emit warnings when IDAProLocs has a code address
// not found in DisasmLocs.
void FixCodeIdentification(void) {
size_t DisasmIndex = 0;
ea_t CurrDisasmAddr = DisasmLocs[DisasmIndex++];
size_t IDAProIndex = 0;
ea_t CurrAddr = IDAProLocs[IDAProIndex++];
while (DisasmIndex <= DisasmLocs.size()) {
// If the current address is less than the current
// external disasm address, we have the rare case in
// which IDA Pro has identified an address as code
// but the external disasm has not. Emit a warning
// message and go on to the next IDA address.
if (CurrAddr < CurrDisasmAddr) {
SMPInstr TempInstr(CurrAddr);
TempInstr.Analyze();
SMP_msg("Address %x is code in IDB but not in external disassembler: %s\n",
CurrAddr, TempInstr.GetDisasm());
if (IDAProIndex < IDAProLocs.size())
CurrAddr = IDAProLocs[IDAProIndex++];
else {
// Last IDA addr; might still process Disasm addrs
// after loop exit.
break;
}
}
else if (CurrAddr == CurrDisasmAddr) {
// If equal, no problem, we are moving through the
// code addresses in lockstep. Grab the next address
// from each source.
if (DisasmIndex < DisasmLocs.size()) {
CurrDisasmAddr = DisasmLocs[DisasmIndex++];
}
else {
++DisasmIndex; // cause loop exit; skip cleanup loop
}
if (IDAProIndex < IDAProLocs.size())
CurrAddr = IDAProLocs[IDAProIndex++];
else {
// Last IDA addr; might still process Disasm addrs
// after loop exit in cleanup loop.
break;
}
}
else {
// We must have CurrAddr > CurrDisasmAddr. That means
// IDA has jumped over some code addresses in
// DisasmLocs. We need to try to convert addresses
// to code until we can reach the current addr.
// For now, we will address only the case in which IDA
// has identified addresses as data bytes, and the
// external disassembler(e.g. objdump) has identified
// the same addresses as code. We only want to deal with
// contiguous areas of data-to-code conversion that do NOT
// follow a return statement.
int AreaSize = 0;
ea_t AreaStart = CurrDisasmAddr;
ea_t AreaEnd;
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("CurrDisasmAddr: %x CurrAddr: %x\n", CurrDisasmAddr, CurrAddr);
#endif
bool SkipArea = FindDataToConvert(IDAProIndex, DisasmIndex, AreaSize);
if (SkipArea) {
// Skip over the extra external disasm addresses.
while (CurrDisasmAddr < CurrAddr)
CurrDisasmAddr = DisasmLocs[DisasmIndex++];
}
else {
// Convert the overlooked code region to unexplored.
AreaEnd = CurrDisasmAddr + AreaSize;
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Found data to convert: %x to %x\n", AreaStart, AreaEnd);
#endif
do_unknown_range(AreaStart, AreaSize, DOUNK_SIMPLE);
SMP_bounds_t ConvertRegion;
ConvertRegion.startEA = AreaStart;
ConvertRegion.endEA = AreaEnd;
FixupRegion CurrRegion(ConvertRegion);
CodeReanalyzeList.push_back(CurrRegion);
bool AllConverted = true;
bool AllNops = true;
do {
flags_t InstrFlags = getFlags(CurrDisasmAddr);
if (!isUnknown(InstrFlags)) {
SMP_msg("Sync problem in FixCodeID: %x\n", CurrDisasmAddr);
}
else {
#if IDA_SDK_VERSION < 600
int InstrLen = ua_code(CurrDisasmAddr);
#else
int InstrLen = create_insn(CurrDisasmAddr);
#endif
if (InstrLen > 0) { // Successfully converted to code
SMPInstr NewInstr(CurrDisasmAddr);
NewInstr.Analyze();
if (!NewInstr.IsNop())
AllNops = false;
#if SMP_DEBUG_FIXUP_IDB
#if 0
SMP_msg("FixCodeID success at %x: len: %d %s\n", CurrDisasmAddr,
InstrLen, NewInstr.GetDisasm());
#endif
#endif
}
else {
if (MDPatchUnconvertedBytes(CurrDisasmAddr)) {
;
#if SMP_DEBUG_FIXUP_IDB
SMP_msg(" Patched bytes at %x\n", CurrDisasmAddr);
#endif
}
else {
CurrRegion.FixupInstrs.push_back(CurrDisasmAddr);
AllConverted = false;
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("FixCodeID failure at %x\n", CurrDisasmAddr);
#endif
}
}
} // end if (isCode(InstrFlags) ... else ...
if (DisasmIndex < DisasmLocs.size()) {
CurrDisasmAddr = DisasmLocs[DisasmIndex++];
}
else {
// cause loops to exit
CurrDisasmAddr = CurrAddr;
++DisasmIndex; // skip cleanup loop
}
} while (CurrDisasmAddr < CurrAddr);
if (AllConverted && AllNops) {
// We want to convert the region back to unexplored bytes
// and take it off the work list. Regions that are all nops
// create data flow analysis problems sometimes. The region
// is often unreachable code and produces a basic block with
// no predecessors within a function. This often happens when
// an optimizing compiler uses nops as padding to align jump
// targets on cache line bounaries. With no fall through into
// the nops, they are unreachable and should be left as unknown.
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("FixCodeID nops region from %x to %x\n", CurrRegion.GetStart(),
CurrRegion.GetEnd());
#endif
do_unknown_range(CurrRegion.GetStart(),
CurrRegion.GetEnd() - CurrRegion.GetStart(), DOUNK_SIMPLE);
CodeReanalyzeList.pop_back();
}
} // end if (SkipArea) ... else ...
} // end if (addr < CurrDisasmAddr) .. else if ... else ...
} // end while (DisasmIndex <= DisasmLocs.size()
#if 0 // Make this code use FindDataToConvert() **!!**
// Cleanup loop:
// If there are still Disasm addrs to process, try to turn them
// into code in the IDB.
while (DisasmIndex <= DisasmLocs.size()) {
flags_t InstrFlags = getFlags(CurrDisasmAddr);
if (isCode(InstrFlags)) {
SMP_msg("Sync problem in FixCodeID: %x\n", CurrDisasmAddr);
}
else {
// Clear bytes to unexplored.
segment_t *seg = SMP_getseg(CurrDisasmAddr);
if (SEG_CODE == seg->type) {
do_unknown_range(CurrDisasmAddr, seg->endEA - CurrDisasmAddr, DOUNK_SIMPLE);
}
else {
// Might be safest to just discontinue processing
// if we wander into a non-code segment.
// DisasmLocs should not have an entire code segment
// that IDA Pro missed.
break;
}
int InstrLen = ua_code(CurrDisasmAddr);
if (InstrLen > 0) { // Successfully converted to code
SMPInstr NewInstr(CurrDisasmAddr);
NewInstr.Analyze();
SMP_msg("FixCodeID success at %x: %s\n", CurrDisasmAddr,
NewInstr.GetDisasm());
}
else {
SMP_msg("FixCodeID failure at %x\n", CurrDisasmAddr);
}
} // end if (isCode(InstrFlags) ... else ...
if (DisasmIndex < DisasmLocs.size()) {
CurrDisasmAddr = DisasmLocs[DisasmIndex++];
}
else {
++DisasmIndex; // cause loop to exit
}
} // end while (DisasmIndex <= DisasmLocs.size()
#endif
return;
} // end of FixCodeIdentification()
// Analyze instructions that could not be analyzed earlier and were placed on the CodeReanalyzeList.
// Earlier failures are usually because the instruction branches to an address that has not
// yet been converted from data to code, so ua_code() failed. Now that all data to code
// conversions have completed, ua_code() should succeed.
// Return the number of instructions successfully analyzed.
int FixupNewCodeChunks(void) {
list<FixupRegion>::iterator CurrRegion;
int changes = 0;
for (CurrRegion = CodeReanalyzeList.begin(); CurrRegion != CodeReanalyzeList.end(); ++CurrRegion) {
bool AllConverted = true;
bool AllNops = true;
bool NoFixups = (0 == CurrRegion->FixupInstrs.size());
if (NoFixups) {
CurrRegion->SetStart(BADADDR); // mark for removal
continue; // skip to next region
}
list<ea_t>::iterator CurrInstr;
for (CurrInstr = CurrRegion->FixupInstrs.begin(); CurrInstr != CurrRegion->FixupInstrs.end(); ++CurrInstr) {
#if IDA_SDK_VERSION < 600
int InstrLen = ua_code(*CurrInstr);
#else
int InstrLen = create_insn(*CurrInstr);
#endif
if (InstrLen > 0) { // Successfully converted to code
SMPInstr NewInstr(*CurrInstr);
NewInstr.Analyze();
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("FixupNewCodeChunks success at %x: len: %d\n", *CurrInstr, InstrLen);
#endif
if (!NewInstr.IsNop()) {
AllNops = false;
*CurrInstr = BADADDR; // mark for removal
}
}
else {
AllConverted = false;
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("FixupNewCodeChunks failure at %x\n", *CurrInstr);
#endif
}
} // end for all instrs in CurrRegion
if (AllConverted && !AllNops) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("FixupNewCodeChunks success for region from %x to %x\n",
CurrRegion->GetStart(), CurrRegion->GetEnd());
#endif
CurrRegion->SetStart(BADADDR); // mark for removal
}
else if (AllConverted && AllNops) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("FixupNewCodeChunks re-converting nops region from %x to %x\n",
CurrRegion->GetStart(), CurrRegion->GetEnd());
#endif
do_unknown_range(CurrRegion->GetStart(),
CurrRegion->GetEnd() - CurrRegion->GetStart(), DOUNK_SIMPLE);
CurrRegion->SetStart(BADADDR); // mark for removal
}
else {
// Remove only the instructions that were fixed up.
CurrInstr = CurrRegion->FixupInstrs.begin();
while (CurrInstr != CurrRegion->FixupInstrs.end()) {
if (BADADDR == *CurrInstr) {
CurrInstr = CurrRegion->FixupInstrs.erase(CurrInstr);
}
else {
++CurrInstr;
}
}
}
} // end for all regions in the CodeReanalyzeList
// Remove completed regions from the CodeReanalyzeList
CurrRegion = CodeReanalyzeList.begin();
while (CurrRegion != CodeReanalyzeList.end()) {
if (BADADDR == CurrRegion->GetStart())
CurrRegion = CodeReanalyzeList.erase(CurrRegion);
else
++CurrRegion;
}
#if 0
if (AllConverted) {
if (IsFunctionPrologue(AreaStart, AreaEnd)) {
// Create a new function entry chunk here.
// **!!** TODO
;
}
else {
// Extend the previous chunk to include the
// converted code.
ea_t PrevIDAAddr = IDAProLocs[IDAProIndex - 2];
func_t *PrevChunk = get_fchunk(PrevIDAAddr);
#if SMP_DEBUG_FIXUP_IDB
SMP_msg(" addr in chunk to extend: %x\n", PrevIDAAddr);
SMP_msg(" func_t pointer for chunk: %x\n", PrevChunk);
#endif
#if 0 // temporary for debugging
if (is_func_entry(PrevChunk)) {
// Extend the func entry to contain the new code.
if (func_setend(PrevIDAAddr, AreaEnd)) {
SMP_msg("Func extended to include code from %x to %x\n",
AreaStart, AreaEnd);
FuncReanalyzeList.push_back(PrevIDAAddr);
}
else {
SMP_msg("Failed to extend func from %x to %x\n",
AreaStart, AreaEnd);
}
}
else { // tail
// See if this works for function tails, also.
// Extend the func entry to contain the new code.
if (func_setend(PrevIDAAddr, AreaEnd)) {
SMP_msg("Tail extended to include code from %x to %x\n",
AreaStart, AreaEnd);
func_t *TailOwner = get_func(PrevChunk->owner);
FuncReanalyzeList.push_back(PrevIDAAddr);
}
else {
SMP_msg("Failed to extend tail from %x to %x\n",
AreaStart, AreaEnd);
}
} // end if (is_func_entry()) ... else ...
#endif
} // end if (IsFunctionPrologue()) ... else ...
} // end if (AllConverted)
else {
SMP_msg("not AllConverted; cannot include new code in previous chunk.\n");
}
#endif
return changes;
} // end of FixupNewCodeChunnks()
// Audit the IDA code database by looking at all instructions in the
// code segment and printing all those that are not contained in a
// function. Emit the context-free annotations that we are able to
// emit on a per-instruction basis.
void FindOrphanedCode(segment_t *CurrSeg, FILE *AnnotFile, FILE *InfoAnnotFile) {
char disasm[MAXSTR];
for (ea_t addr = CurrSeg->startEA; addr < CurrSeg->endEA;
addr = get_item_end(addr)) {
flags_t InstrFlags = getFlags(addr);
if (isTail(InstrFlags))
continue;
if (isHead(InstrFlags) && isCode(InstrFlags)) {
func_t *CurrFunc = get_func(addr);
if (NULL == CurrFunc) {
SMPInstr CurrInst(addr);
CurrInst.Analyze();
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Orphan code at %x : %s\n", addr, CurrInst.GetDisasm());
#endif
// TODO: If there are code xrefs to the orphan code,
// see what kind. If a CALL, and orphan code looks
// like a prologue, make a function. If a JUMP of
// some kind, then make a function chunk and make
// it a tail of all functions that jump to it. **!!**
// Do machine-dependent fixes for DEF and USE lists.
// The fixes can help produce better annotations.
CurrInst.MDFixupDefUseLists();
// If instruction is still not included in a code chunk,
// emit annotations for it in isolation.
CurrInst.EmitAnnotations(true, false, true, AnnotFile, InfoAnnotFile);
}
}
else if (isUnknown(InstrFlags)) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Unanalyzed byte at %x\n", addr);
#endif
// Can IDA analyze this to be code?
int InstrLen;
#if IDA_SDK_VERSION < 600
InstrLen = ua_code(addr);
#else
InstrLen = create_insn(addr);
#endif
if (InstrLen > 0) {
bool IDAsuccess = generate_disasm_line(addr, disasm, sizeof(disasm) - 1);
if (IDAsuccess) {
// Remove interactive color-coding tags.
ssize_t StringLen = tag_remove(disasm, disasm, 0);
if (-1 >= StringLen) {
SMP_msg("ERROR: tag_remove failed at addr %x \n", addr);
}
else {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Successfully analyzed! %s\n", disasm);
#endif
SMPInstr UnknownInstr(addr);
UnknownInstr.Analyze();
// TODO: Get new code into a chunk. **!!**
// If instruction is still not included in a code chunk,
// emit annotations for it in isolation.
UnknownInstr.EmitAnnotations(true, false, true, AnnotFile, InfoAnnotFile);
}
}
else {
SMP_msg("ERROR: generate_disasm_line failed at addr %x \n", addr);
}
}
}
} // end for (ea_t addr = CurrSeg->startEA; ...)
} // end of FindOrphanedCode()
// Version of FindOrphanedCode that does not emit annotations but can be used
// to determine at what point in time code becomes orphaned.
void Debug_FindOrphanedCode(segment_t *CurrSeg, bool FirstRun) {
ea_t DebugAddr = 0x8050db0;
for (ea_t addr = CurrSeg->startEA; addr < CurrSeg->endEA;
addr = get_item_end(addr)) {
flags_t InstrFlags = getFlags(addr);
if (isHead(InstrFlags) && isCode(InstrFlags)) {
func_t *CurrFunc = get_func(addr);
if (NULL == CurrFunc) { // Code not in a func; orphaned
pair<set<ea_t>::iterator, bool> pairib;
pairib = CodeOrphans.insert(addr);
if (DebugAddr == addr) {
SMP_msg("DEBUG: Orphaned code addr %x found.\n", addr);
}
if ((!FirstRun) && (pairib.second)) {
SMP_msg("SERIOUS WARNING: Newly orphaned code at %x \n", addr);
}
}
}
} // end for (ea_t addr = CurrSeg->startEA; ...)
} // end of Debug_FindOrphanedCode()
// Audit the IDA database with respect to branches and calls. They should
// each have valid code targets (not data or unknown bytes) and the code
// cross references should reflect the linkage.
void AuditCodeTargets(void) {
// Cover all the code that IDA has grouped into functions by iterating
// through all function chunks in the program.
size_t NumChunks = get_fchunk_qty();
for (size_t ChunkIndex = 0; ChunkIndex < NumChunks; ++ChunkIndex) {
func_t *ChunkInfo = getn_fchunk((int) ChunkIndex);
char FuncName[MAXSTR];
get_func_name(ChunkInfo->startEA, FuncName, sizeof(FuncName) - 1);
// First, see if any calls to this function (if this chunk is
// an entry point) are not coming from within functions.
if (is_func_entry(ChunkInfo)) {
SMP_xref_t xb;
ea_t addr = ChunkInfo->startEA;
for (bool ok = xb.SMP_first_to(addr, XREF_ALL); ok; ok = xb.SMP_next_to()) {
uchar XrefType = xb.GetType() & XREF_MASK;
if (xb.GetIscode()) {
if ((XrefType == fl_U) || (XrefType == fl_USobsolete)) {
SMP_msg("Bad xref type: %x %s\n", addr, FuncName);
}
#if SMP_DEBUG_FIXUP_IDB
else if ((XrefType == fl_JF) || (XrefType == fl_JN)) {
SMP_msg("Jump to func: %x %s from: %x\n",
addr, FuncName, xb.GetFrom());
}
#endif
else if (XrefType == fl_F) {
SMP_msg("Fall through to func: %x %s from: %x\n",
addr, FuncName, xb.GetFrom());
}
else if ((XrefType == fl_CF) || (XrefType == fl_CN)) {
// Far call or Near call
func_t *CallingFunc = get_func(xb.GetFrom());
if (NULL == CallingFunc) {
;
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Call to %x Func %s from %x not in function.\n",
addr, FuncName, xb.GetFrom());
#endif
}
}
} // end if (xb.GetIscode())
else { // DATA xref
if (XrefType == dr_O) {
#if SMP_DEBUG_FIXUP_IDB
SMP_msg("Data xref to %x Func %s from %x\n",
addr, FuncName, xb.GetFrom());
#endif
}
else {
SMP_msg("Strange data xref %d to %x Func %s from %x\n",
XrefType, addr, FuncName, xb.GetFrom());
}
}
} // end for (bool ok = xb.SMP_first_to(); ...)
} // end if (is_func_entry(ChunkInfo))
// Next, see if any call or branch in this chunk references
// a target address that is not in a function. If so, and the
// callee address code looks like a function prologue, then
// create a function for the contiguous code starting at that
// address and ask IDA to analyze it and store it in the
// IDA database. If it is a branch target, not a call target,
// create a new TAIL chunk for the current parent functions.
for (ea_t addr = ChunkInfo->startEA; addr < ChunkInfo->endEA;
addr = get_item_end(addr)) {
flags_t InstrFlags = getFlags(addr);
if (isCode(InstrFlags) && isHead(InstrFlags)) {
SMPInstr CurrInst(addr);
CurrInst.Analyze();
if ((CALL|JUMP|COND_BRANCH) & CurrInst.GetDataFlowType()) {
SMP_xref_t xb;
for (bool ok = xb.SMP_first_from(addr, XREF_FAR); ok; ok = xb.SMP_next_from()) {
if (xb.GetIscode()) {
ea_t FirstAddr = xb.GetTo();
func_t *FuncInfo = get_func(FirstAddr);
if (NULL == FuncInfo) {
// Found call to addr that is not in a func.
// Find limits of contiguous code starting at FirstAddr.
ea_t LastAddr = FindNewFuncLimit(FirstAddr);
if (CALL == CurrInst.GetDataFlowType())
SMP_msg("Found new func from %x to %x\n",
FirstAddr, LastAddr);
else
SMP_msg("Found new chunk from %x to %x\n",
FirstAddr, LastAddr);
}
}
}
}
}
}
} // end for (size_t ChunkIndex = 0; ... )
return;
} // end of AuditCodeTargets()
// Find the span of contiguous code that is not contained within any
// function, starting at StartAddr, which should already be an example
// of an instruction address that is outside of a function.
ea_t FindNewFuncLimit(ea_t StartAddr) {
ea_t LimitAddr = StartAddr;
segment_t *seg = SMP_getseg(StartAddr);
if (NULL == seg)
return LimitAddr;
ea_t SegLimit = seg->endEA;
for (ea_t addr = get_item_end(StartAddr); addr < SegLimit; addr = get_item_end(addr)) {
flags_t InstrFlags = getFlags(addr);
if (isCode(InstrFlags) && isHead(InstrFlags)) {
LimitAddr = addr;
func_t *FuncInfo = get_func(addr);
if (NULL != FuncInfo)
break; // ran into an existing function
}
else // Not a code head; time to stop.
break;
}
return LimitAddr;
} // end of FindNewFuncLimit()
void SpecialDebugOutput(void) {
char disasm[MAXSTR];
vector<ea_t> ProblemAddrs;
ProblemAddrs.push_back(0x8066d08);
bool IDAsuccess;
int InstLen;
ssize_t StringLen;
insn_t LocalCmd;
ulong LocalFeatures;
for (size_t index = 0; index < ProblemAddrs.size(); ++index) {
ea_t addr = ProblemAddrs[index];
flags_t InstrFlags = getFlags(addr);
if (isCode(InstrFlags) && isHead(InstrFlags)) {
IDAsuccess = SMPGetCmd(addr, LocalCmd, LocalFeatures);
InstLen = (int) LocalCmd.size;
if ((IDAsuccess) && (0 < InstLen)) {
IDAsuccess = generate_disasm_line(addr, disasm, sizeof(disasm) - 1);
if (IDAsuccess) {
StringLen = tag_remove(disasm, disasm, 0);
if (-1 < StringLen)
SMP_msg("Problem addr %x : %s\n", addr, disasm);
else
SMP_msg("ERROR: tag_remove failed at addr %x \n", addr);
}
else {
SMP_msg("ERROR: generate_disasm_line failed at addr %x \n", addr);
}
}
else {
SMP_msg("ERROR: decode_insn failed at addr %x \n", addr);
}
}
}
return;
} // end of SpecialDebugOutput()
// Convert a call type string from the policy file, such as "FILECALLS", to the
// corresponding ZST_SysCallType, such as ZST_FILE_CALL.
ZST_SysCallType ConvertStringToCallType(char *Str2) {
ZST_SysCallType ReturnVal;
if (0 == strcmp("PRIVILEGECALLS", Str2)) {
ReturnVal = ZST_HIGHPRIVILEGE_CALL;
}
else if (0 == strcmp("FILECALLS", Str2)) {
ReturnVal = ZST_FILE_CALL;
}
else if (0 == strcmp("NETWORKCALLS", Str2)) {
ReturnVal = ZST_NETWORK_CALL;
}
else {
ReturnVal = ZST_UNMONITORED_CALL;
}
return ReturnVal;
} // end of ConvertStringToCallType()
// Convert a policy string from the policy file, such as "DISALLOW", to
// the corresponding ZST_Policy value, such as ZST_DISALLOW.
ZST_Policy ConvertStringToPolicy(char *Str3) {
ZST_Policy ReturnVal;
if (0 == strcmp("DISALLOW", Str3)) {
ReturnVal = ZST_DISALLOW;
}
else if (0 == strcmp("WHITELIST", Str3)) {
ReturnVal = ZST_WHITELIST;
}
else if (0 == strcmp("BLACKLIST", Str3)) {
ReturnVal = ZST_BLACKLIST;
}
else { // error handling precedes calls to this function
ReturnVal = ZST_ALLOWALL;
}
return ReturnVal;
} // end of ConvertStringToPolicy()
// Given a function name, return its Zephyr Security Toolkit call type.
ZST_SysCallType GetCallTypeFromFuncName(string SysCallName) {
ZST_SysCallType ReturnVal;
map<string, ZST_SysCallType>::iterator FindIter = ZST_FuncTypeMap.find(SysCallName);
if (FindIter == ZST_FuncTypeMap.end()) { // not found; might not even be system call
ReturnVal = ZST_UNMONITORED_CALL;
}
else {
ReturnVal = FindIter->second;
}
return ReturnVal;
} // end of GetCallTypeFromFuncName()
// Get the user-specified security policy for the given call type.
ZST_Policy GetPolicyFromCallType(ZST_SysCallType CallType) {
ZST_Policy ReturnVal;
map<ZST_SysCallType, ZST_Policy>::iterator FindIter = ZST_TypePolicyMap.find(CallType);
if (FindIter == ZST_TypePolicyMap.end()) {
// Policy not found; default to ALLOW_ALL
ReturnVal = ZST_ALLOWALL;
}
else {
ReturnVal = FindIter->second;
}
return ReturnVal;
} // end of GetPolicyFromCallType()
// Given a call type and called function name, is it on the location whitelist
// for that call type?
// NOTE: HANDLE CASE IN WHICH WHITELISTED LOCATION IS A PREFIX, TERMINATING in a slash.
bool IsLocationWhitelisted(ZST_SysCallType CallType, string LocationName) {
set<string>::iterator FindIter;
bool ReturnVal;
if (CallType == ZST_FILE_CALL) {
FindIter = ZST_FileLocWhitelist.find(LocationName);
ReturnVal = (FindIter != ZST_FileLocWhitelist.end());
}
else if (CallType == ZST_NETWORK_CALL) {
FindIter = ZST_NetworkLocWhitelist.find(LocationName);
ReturnVal = (FindIter != ZST_NetworkLocWhitelist.end());
}
else { // should not be here
ReturnVal = false;
}
return ReturnVal;
} // end of IsLocationWhitelisted()
// Given a call type and called function name, is it on the location blacklist
// for that call type?
// NOTE: HANDLE CASE IN WHICH BLACKLISTED LOCATION IS A PREFIX, TERMINATING in a slash.
bool IsLocationBlacklisted(ZST_SysCallType CallType, string LocationName) {
set<string>::iterator FindIter;
bool ReturnVal;
if (CallType == ZST_FILE_CALL) {
FindIter = ZST_FileLocBlacklist.find(LocationName);
ReturnVal = (FindIter != ZST_FileLocBlacklist.end());
}
else if (CallType == ZST_NETWORK_CALL) {
FindIter = ZST_NetworkLocBlacklist.find(LocationName);
ReturnVal = (FindIter != ZST_NetworkLocBlacklist.end());
}
else { // should not be here
ReturnVal = false;
}
return ReturnVal;
}
// These two constants should agree with their counterparts in ZST-policy.c.
#define ZST_MAX_FILE_NAME_LEN 1024
#define ZST_MAX_CALL_NAME_LEN 64
// Read the foo.exe.policy file to initialize our security policies for system calls.
void ZST_InitPolicies(const char *PolicyFileName) {
FILE *PolicyFile = SMP_fopen(PolicyFileName, "r");
char Str1[ZST_MAX_CALL_NAME_LEN], Str2[ZST_MAX_CALL_NAME_LEN], Str3[ZST_MAX_FILE_NAME_LEN];
if (NULL != PolicyFile) {
while (!SMP_feof(PolicyFile)) {
int ItemsRead = qfscanf(PolicyFile, "%63s %63s %1023s", Str1, Str2, Str3);
if (3 != ItemsRead) {
SMP_msg("ERROR: Line in %s had %d items instead of the required 3; line ignored.\n", PolicyFileName, ItemsRead);
}
else {
string FirstStr(Str1), SecondStr(Str2), ThirdStr(Str3);
pair<set<string>::iterator, bool> SetInsertResult;
if (0 == strcmp(Str1, "SECURITYPOLICY")) {
ZST_SysCallType TempCallType = ConvertStringToCallType(Str2);
ZST_Policy TempPolicy = ConvertStringToPolicy(Str3);
pair<map<ZST_SysCallType, ZST_Policy>::iterator, bool> InsertResult;
pair<ZST_SysCallType, ZST_Policy> TempPair(TempCallType, TempPolicy);
InsertResult = ZST_TypePolicyMap.insert(TempPair);
if (!(InsertResult.second)) {
SMP_msg("ERROR: Could not insert security policy %s for %s. Possible duplicate or conflicting policies.\n",
Str3, Str2);
}
}
else if (0 == strcmp(Str1, "FILELOCATION")) {
if (0 == strcmp(Str2, "WHITELIST")) {
SetInsertResult = ZST_FileLocWhitelist.insert(ThirdStr);
if (!(SetInsertResult.second)) {
SMP_msg("WARNING: Duplicate file whitelist location %s ignored.\n", Str3);
}
}
else if (0 == strcmp(Str2, "BLACKLIST")) {
SetInsertResult = ZST_FileLocBlacklist.insert(ThirdStr);
if (!(SetInsertResult.second)) {
SMP_msg("WARNING: Duplicate file blacklist location %s ignored.\n", Str3);
}
}
else {
SMP_msg("ERROR: Unknown second field value in policy line: %s %s %s ; ignored\n", Str1, Str2, Str3);
}
}
else if (0 == strcmp(Str1, "NETWORKLOCATION")) {
if (0 == strcmp(Str2, "WHITELIST")) {
SetInsertResult = ZST_NetworkLocWhitelist.insert(ThirdStr);
if (!(SetInsertResult.second)) {
SMP_msg("WARNING: Duplicate network whitelist location %s ignored.\n", Str3);
}
}
else if (0 == strcmp(Str2, "BLACKLIST")) {
SetInsertResult = ZST_NetworkLocBlacklist.insert(ThirdStr);
if (!(SetInsertResult.second)) {
SMP_msg("WARNING: Duplicate network blacklist location %s ignored.\n", Str3);
}
}
else {
SMP_msg("ERROR: Unknown second field value in policy line: %s %s %s ; ignored\n", Str1, Str2, Str3);
}
}
else {
SMP_msg("ERROR: Unknown first field value in policy line: %s %s %s ; ignored\n", Str1, Str2, Str3);
}
}
}
if (0 == SMP_fclose(PolicyFile)) {
SMP_msg("Policy file %s successfully closed; all policies recorded.\n", PolicyFileName);
}
else {
SMP_msg("ERROR: fclose failed on policy file %s. However, policies should be in effect.\n", PolicyFileName);
}
// Now, initialize the system call name maps.
pair<map<string, ZST_SysCallType>::iterator, bool> FuncInsertResult;
// Do all the high privilege calls first.
string SysFuncName("putenv");
pair<string, ZST_SysCallType> FuncNamePolicyPair(SysFuncName, ZST_HIGHPRIVILEGE_CALL);
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setenv");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setegid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("seteuid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setgid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setpgid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setregid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setreuid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("setuid");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("execl");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("execv");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("execle");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("execve");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("execlp");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("execvp");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("system");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
// Now do all the file operation calls.
FuncNamePolicyPair.second = ZST_FILE_CALL;
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("chdir");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("chmod");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("chown");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("creat");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("creat64");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("fopen");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("freopen");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("open");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("open64");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("mknod");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("remove");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("rmdir");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("unlink");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
// Finally, handle all the network connection calls.
FuncNamePolicyPair.second = ZST_NETWORK_CALL;
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("socket");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("socketpair");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("pipe");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("bind");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("listen");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("accept");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
FuncNamePolicyPair.first.clear();
FuncNamePolicyPair.first.append("connect");
FuncInsertResult = ZST_FuncTypeMap.insert(FuncNamePolicyPair);
assert(FuncInsertResult.second);
}
else {
SMP_msg("WARNING: No policy file %s found. System call policies not in effect.\n", PolicyFileName);
}
return;
} // end of ZST_InitPolicies()
// Initialize the OptCategory[] array to define how we emit
// optimizing annotations.
void InitOptCategory(void) {
// Default category is 0, no optimization without knowing context.
(void) memset(OptCategory, 0, sizeof(OptCategory));
// Category 1 instructions never need updating of their memory
// metadata by the Memory Monitor SDT. Currently, this is because
// these instructions only have effects on registers we do not maintain
// metadata for, such as the EIP and the FLAGS, e.g. jumps, compares,
// or because they are no-ops, including machine-dependent no-op idioms.
// Category 2 instructions always have a result type of 'n' (number).
// Category 3 instructions have a result type of 'n' (number)
// whenever the second source operand is an operand of type 'n'.
// NOTE: MOV is only current example, and this will take some thought if
// other examples arise.
// Category 4 instructions have a result type identical to the 1st source operand type.
// NOTE: This is currently set for single-operand instructions such as
// INC, DEC. As a result, these are treated pretty much as if
// they were category 1 instructions, as there is no metadata update,
// unless the operand is a memory operand (i.e. mem or [reg]).
// If new instructions are added to this category that are not single
// operand and do require some updating, the category should be split.
// Category 5 instructions have a result type identical to the 1st source operand
// type whenever the 2nd source operand is an operand of type 'n'.
// If the destination is memory, metadata still needs to be checked; if
// not, no metadata check is needed, so it becomes category 1.
// Category 6 instructions always have a result type of 'p' (pointer).
// Category 7 instructions are category 2 instructions with two destinations,
// such as multiply and divide instructions that affect EDX:EAX. There are
// forms of these instructions that only have one destination, so they have
// to be distinguished via the operand info.
// Category 8 instructions implicitly write a numeric value to EDX:EAX, but
// EDX and EAX are not listed as operands. RDTSC, RDPMC, RDMSR, and other
// instructions that copy machine registers into EDX:EAX are category 8.
// Category 9 instructions are floating point instructions that either
// have a memory destination (treat as category 0) or a FP reg destination
// (treat as category 1).
// Category 10 instructions are the same as category 8, but also write
// to register ECX in addition to EDX:EAX.
// NOTE: The Memory Monitor SDT needs just three categories, corresponding
// to categories 0, 1, and all others. For all categories > 1, the
// annotation should tell the SDT exactly how to update its metadata.
// For example, a division instruction will write type 'n' (NUM) as
// the metadata for result registers EDX:EAX. So, the annotation should
// list 'n', EDX, EAX, and a terminator of ZZ. CWD (convert word to
// doubleword) should have a list of 'n', EAX, ZZ.
OptCategory[NN_null] = 0; // Unknown Operation
OptCategory[NN_aaa] = 2; // ASCII Adjust after Addition
OptCategory[NN_aad] = 2; // ASCII Adjust AX before Division
OptCategory[NN_aam] = 2; // ASCII Adjust AX after Multiply
OptCategory[NN_aas] = 2; // ASCII Adjust AL after Subtraction
OptCategory[NN_adc] = 5; // Add with Carry
OptCategory[NN_add] = 5; // Add
OptCategory[NN_and] = 0; // Logical AND
OptCategory[NN_arpl] = 1; // Adjust RPL Field of Selector
OptCategory[NN_bound] = 1; // Check Array Index Against Bounds
OptCategory[NN_bsf] = 2; // Bit Scan Forward
OptCategory[NN_bsr] = 2; // Bit Scan Reverse
OptCategory[NN_bt] = 0; // Bit Test
OptCategory[NN_btc] = 0; // Bit Test and Complement
OptCategory[NN_btr] = 0; // Bit Test and Reset
OptCategory[NN_bts] = 0; // Bit Test and Set
OptCategory[NN_call] = 1; // Call Procedure
OptCategory[NN_callfi] = 1; // Indirect Call Far Procedure
OptCategory[NN_callni] = 1; // Indirect Call Near Procedure
OptCategory[NN_cbw] = 2; // AL -> AX (with sign) ** No ops?
OptCategory[NN_cwde] = 2; // AX -> EAX (with sign) **
OptCategory[NN_cdqe] = 2; // EAX -> RAX (with sign) **
OptCategory[NN_clc] = 1; // Clear Carry Flag
OptCategory[NN_cld] = 1; // Clear Direction Flag
OptCategory[NN_cli] = 1; // Clear Interrupt Flag
OptCategory[NN_clts] = 1; // Clear Task-Switched Flag in CR0
OptCategory[NN_cmc] = 1; // Complement Carry Flag
OptCategory[NN_cmp] = 1; // Compare Two Operands
OptCategory[NN_cmps] = 1; // Compare Strings
OptCategory[NN_cwd] = 2; // AX -> DX:AX (with sign)
OptCategory[NN_cdq] = 2; // EAX -> EDX:EAX (with sign)
OptCategory[NN_cqo] = 2; // RAX -> RDX:RAX (with sign)
OptCategory[NN_daa] = 2; // Decimal Adjust AL after Addition
OptCategory[NN_das] = 2; // Decimal Adjust AL after Subtraction
OptCategory[NN_dec] = 4; // Decrement by 1
OptCategory[NN_div] = 7; // Unsigned Divide
OptCategory[NN_enterw] = 0; // Make Stack Frame for Procedure Parameters **
OptCategory[NN_enter] = 0; // Make Stack Frame for Procedure Parameters **
OptCategory[NN_enterd] = 0; // Make Stack Frame for Procedure Parameters **
OptCategory[NN_enterq] = 0; // Make Stack Frame for Procedure Parameters **
OptCategory[NN_hlt] = 0; // Halt
OptCategory[NN_idiv] = 7; // Signed Divide
OptCategory[NN_imul] = 7; // Signed Multiply
OptCategory[NN_in] = 0; // Input from Port **
OptCategory[NN_inc] = 4; // Increment by 1
OptCategory[NN_ins] = 2; // Input Byte(s) from Port to String **
OptCategory[NN_int] = 0; // Call to Interrupt Procedure
OptCategory[NN_into] = 0; // Call to Interrupt Procedure if Overflow Flag = 1
OptCategory[NN_int3] = 0; // Trap to Debugger
OptCategory[NN_iretw] = 0; // Interrupt Return
OptCategory[NN_iret] = 0; // Interrupt Return
OptCategory[NN_iretd] = 0; // Interrupt Return (use32)
OptCategory[NN_iretq] = 0; // Interrupt Return (use64)
OptCategory[NN_ja] = 1; // Jump if Above (CF=0 & ZF=0)
OptCategory[NN_jae] = 1; // Jump if Above or Equal (CF=0)
OptCategory[NN_jb] = 1; // Jump if Below (CF=1)
OptCategory[NN_jbe] = 1; // Jump if Below or Equal (CF=1 | ZF=1)
OptCategory[NN_jc] = 1; // Jump if Carry (CF=1)
OptCategory[NN_jcxz] = 1; // Jump if CX is 0
OptCategory[NN_jecxz] = 1; // Jump if ECX is 0
OptCategory[NN_jrcxz] = 1; // Jump if RCX is 0
OptCategory[NN_je] = 1; // Jump if Equal (ZF=1)
OptCategory[NN_jg] = 1; // Jump if Greater (ZF=0 & SF=OF)
OptCategory[NN_jge] = 1; // Jump if Greater or Equal (SF=OF)
OptCategory[NN_jl] = 1; // Jump if Less (SF!=OF)
OptCategory[NN_jle] = 1; // Jump if Less or Equal (ZF=1 | SF!=OF)
OptCategory[NN_jna] = 1; // Jump if Not Above (CF=1 | ZF=1)
OptCategory[NN_jnae] = 1; // Jump if Not Above or Equal (CF=1)
OptCategory[NN_jnb] = 1; // Jump if Not Below (CF=0)
OptCategory[NN_jnbe] = 1; // Jump if Not Below or Equal (CF=0 & ZF=0)
OptCategory[NN_jnc] = 1; // Jump if Not Carry (CF=0)
OptCategory[NN_jne] = 1; // Jump if Not Equal (ZF=0)
OptCategory[NN_jng] = 1; // Jump if Not Greater (ZF=1 | SF!=OF)
OptCategory[NN_jnge] = 1; // Jump if Not Greater or Equal (ZF=1)
OptCategory[NN_jnl] = 1; // Jump if Not Less (SF=OF)
OptCategory[NN_jnle] = 1; // Jump if Not Less or Equal (ZF=0 & SF=OF)
OptCategory[NN_jno] = 1; // Jump if Not Overflow (OF=0)
OptCategory[NN_jnp] = 1; // Jump if Not Parity (PF=0)
OptCategory[NN_jns] = 1; // Jump if Not Sign (SF=0)
OptCategory[NN_jnz] = 1; // Jump if Not Zero (ZF=0)
OptCategory[NN_jo] = 1; // Jump if Overflow (OF=1)
OptCategory[NN_jp] = 1; // Jump if Parity (PF=1)
OptCategory[NN_jpe] = 1; // Jump if Parity Even (PF=1)
OptCategory[NN_jpo] = 1; // Jump if Parity Odd (PF=0)
OptCategory[NN_js] = 1; // Jump if Sign (SF=1)
OptCategory[NN_jz] = 1; // Jump if Zero (ZF=1)
OptCategory[NN_jmp] = 1; // Jump
OptCategory[NN_jmpfi] = 1; // Indirect Far Jump
OptCategory[NN_jmpni] = 1; // Indirect Near Jump
OptCategory[NN_jmpshort] = 1; // Jump Short (not used)
OptCategory[NN_lahf] = 2; // Load Flags into AH Register
OptCategory[NN_lar] = 2; // Load Access Rights Byte
OptCategory[NN_lea] = 0; // Load Effective Address **
OptCategory[NN_leavew] = 0; // High Level Procedure Exit **
OptCategory[NN_leave] = 0; // High Level Procedure Exit **
OptCategory[NN_leaved] = 0; // High Level Procedure Exit **
OptCategory[NN_leaveq] = 0; // High Level Procedure Exit **
OptCategory[NN_lgdt] = 0; // Load Global Descriptor Table Register
OptCategory[NN_lidt] = 0; // Load Interrupt Descriptor Table Register
OptCategory[NN_lgs] = 6; // Load Full Pointer to GS:xx
OptCategory[NN_lss] = 6; // Load Full Pointer to SS:xx
OptCategory[NN_lds] = 6; // Load Full Pointer to DS:xx
OptCategory[NN_les] = 6; // Load Full Pointer to ES:xx
OptCategory[NN_lfs] = 6; // Load Full Pointer to FS:xx
OptCategory[NN_lldt] = 0; // Load Local Descriptor Table Register
OptCategory[NN_lmsw] = 1; // Load Machine Status Word
OptCategory[NN_lock] = 1; // Assert LOCK# Signal Prefix
OptCategory[NN_lods] = 0; // Load String
OptCategory[NN_loopw] = 1; // Loop while ECX != 0
OptCategory[NN_loop] = 1; // Loop while CX != 0
OptCategory[NN_loopd] = 1; // Loop while ECX != 0
OptCategory[NN_loopq] = 1; // Loop while RCX != 0
OptCategory[NN_loopwe] = 1; // Loop while CX != 0 and ZF=1
OptCategory[NN_loope] = 1; // Loop while rCX != 0 and ZF=1
OptCategory[NN_loopde] = 1; // Loop while ECX != 0 and ZF=1
OptCategory[NN_loopqe] = 1; // Loop while RCX != 0 and ZF=1
OptCategory[NN_loopwne] = 1; // Loop while CX != 0 and ZF=0
OptCategory[NN_loopne] = 1; // Loop while rCX != 0 and ZF=0
OptCategory[NN_loopdne] = 1; // Loop while ECX != 0 and ZF=0
OptCategory[NN_loopqne] = 1; // Loop while RCX != 0 and ZF=0
OptCategory[NN_lsl] = 6; // Load Segment Limit
OptCategory[NN_ltr] = 1; // Load Task Register
OptCategory[NN_mov] = 3; // Move Data
OptCategory[NN_movsp] = 3; // Move to/from Special Registers
OptCategory[NN_movs] = 0; // Move Byte(s) from String to String
OptCategory[NN_movsx] = 3; // Move with Sign-Extend
OptCategory[NN_movzx] = 3; // Move with Zero-Extend
OptCategory[NN_mul] = 7; // Unsigned Multiplication of AL or AX
OptCategory[NN_neg] = 2; // Two's Complement Negation !!!!****!!!! Change this when mmStrata handles NEGATEDPTR type.
OptCategory[NN_nop] = 1; // No Operation
OptCategory[NN_not] = 2; // One's Complement Negation
OptCategory[NN_or] = 0; // Logical Inclusive OR
OptCategory[NN_out] = 0; // Output to Port
OptCategory[NN_outs] = 0; // Output Byte(s) to Port
OptCategory[NN_pop] = 0; // Pop a word from the Stack
OptCategory[NN_popaw] = 0; // Pop all General Registers
OptCategory[NN_popa] = 0; // Pop all General Registers
OptCategory[NN_popad] = 0; // Pop all General Registers (use32)
OptCategory[NN_popaq] = 0; // Pop all General Registers (use64)
OptCategory[NN_popfw] = 1; // Pop Stack into Flags Register **
OptCategory[NN_popf] = 1; // Pop Stack into Flags Register **
OptCategory[NN_popfd] = 1; // Pop Stack into Eflags Register **
OptCategory[NN_popfq] = 1; // Pop Stack into Rflags Register **
OptCategory[NN_push] = 0; // Push Operand onto the Stack
OptCategory[NN_pushaw] = 0; // Push all General Registers
OptCategory[NN_pusha] = 0; // Push all General Registers
OptCategory[NN_pushad] = 0; // Push all General Registers (use32)
OptCategory[NN_pushaq] = 0; // Push all General Registers (use64)
OptCategory[NN_pushfw] = 0; // Push Flags Register onto the Stack
OptCategory[NN_pushf] = 0; // Push Flags Register onto the Stack
OptCategory[NN_pushfd] = 0; // Push Flags Register onto the Stack (use32)
OptCategory[NN_pushfq] = 0; // Push Flags Register onto the Stack (use64)
OptCategory[NN_rcl] = 2; // Rotate Through Carry Left
OptCategory[NN_rcr] = 2; // Rotate Through Carry Right
OptCategory[NN_rol] = 2; // Rotate Left
OptCategory[NN_ror] = 2; // Rotate Right
OptCategory[NN_rep] = 0; // Repeat String Operation
OptCategory[NN_repe] = 0; // Repeat String Operation while ZF=1
OptCategory[NN_repne] = 0; // Repeat String Operation while ZF=0
OptCategory[NN_retn] = 0; // Return Near from Procedure
OptCategory[NN_retf] = 0; // Return Far from Procedure
OptCategory[NN_sahf] = 1; // Store AH into Flags Register
OptCategory[NN_sal] = 2; // Shift Arithmetic Left
OptCategory[NN_sar] = 2; // Shift Arithmetic Right
OptCategory[NN_shl] = 2; // Shift Logical Left
OptCategory[NN_shr] = 2; // Shift Logical Right
OptCategory[NN_sbb] = 5; // Integer Subtraction with Borrow
OptCategory[NN_scas] = 1; // Compare String
OptCategory[NN_seta] = 2; // Set Byte if Above (CF=0 & ZF=0)
OptCategory[NN_setae] = 2; // Set Byte if Above or Equal (CF=0)
OptCategory[NN_setb] = 2; // Set Byte if Below (CF=1)
OptCategory[NN_setbe] = 2; // Set Byte if Below or Equal (CF=1 | ZF=1)
OptCategory[NN_setc] = 2; // Set Byte if Carry (CF=1)
OptCategory[NN_sete] = 2; // Set Byte if Equal (ZF=1)
OptCategory[NN_setg] = 2; // Set Byte if Greater (ZF=0 & SF=OF)
OptCategory[NN_setge] = 2; // Set Byte if Greater or Equal (SF=OF)
OptCategory[NN_setl] = 2; // Set Byte if Less (SF!=OF)
OptCategory[NN_setle] = 2; // Set Byte if Less or Equal (ZF=1 | SF!=OF)
OptCategory[NN_setna] = 2; // Set Byte if Not Above (CF=1 | ZF=1)
OptCategory[NN_setnae] = 2; // Set Byte if Not Above or Equal (CF=1)
OptCategory[NN_setnb] = 2; // Set Byte if Not Below (CF=0)
OptCategory[NN_setnbe] = 2; // Set Byte if Not Below or Equal (CF=0 & ZF=0)
OptCategory[NN_setnc] = 2; // Set Byte if Not Carry (CF=0)
OptCategory[NN_setne] = 2; // Set Byte if Not Equal (ZF=0)
OptCategory[NN_setng] = 2; // Set Byte if Not Greater (ZF=1 | SF!=OF)
OptCategory[NN_setnge] = 2; // Set Byte if Not Greater or Equal (ZF=1)
OptCategory[NN_setnl] = 2; // Set Byte if Not Less (SF=OF)
OptCategory[NN_setnle] = 2; // Set Byte if Not Less or Equal (ZF=0 & SF=OF)
OptCategory[NN_setno] = 2; // Set Byte if Not Overflow (OF=0)
OptCategory[NN_setnp] = 2; // Set Byte if Not Parity (PF=0)
OptCategory[NN_setns] = 2; // Set Byte if Not Sign (SF=0)
OptCategory[NN_setnz] = 2; // Set Byte if Not Zero (ZF=0)
OptCategory[NN_seto] = 2; // Set Byte if Overflow (OF=1)
OptCategory[NN_setp] = 2; // Set Byte if Parity (PF=1)
OptCategory[NN_setpe] = 2; // Set Byte if Parity Even (PF=1)
OptCategory[NN_setpo] = 2; // Set Byte if Parity Odd (PF=0)
OptCategory[NN_sets] = 2; // Set Byte if Sign (SF=1)
OptCategory[NN_setz] = 2; // Set Byte if Zero (ZF=1)
OptCategory[NN_sgdt] = 0; // Store Global Descriptor Table Register
OptCategory[NN_sidt] = 0; // Store Interrupt Descriptor Table Register
OptCategory[NN_shld] = 2; // Double Precision Shift Left
OptCategory[NN_shrd] = 2; // Double Precision Shift Right
OptCategory[NN_sldt] = 6; // Store Local Descriptor Table Register
OptCategory[NN_smsw] = 2; // Store Machine Status Word
OptCategory[NN_stc] = 1; // Set Carry Flag
OptCategory[NN_std] = 1; // Set Direction Flag
OptCategory[NN_sti] = 1; // Set Interrupt Flag
OptCategory[NN_stos] = 0; // Store String
OptCategory[NN_str] = 6; // Store Task Register
OptCategory[NN_sub] = 5; // Integer Subtraction
OptCategory[NN_test] = 1; // Logical Compare
OptCategory[NN_verr] = 1; // Verify a Segment for Reading
OptCategory[NN_verw] = 1; // Verify a Segment for Writing
OptCategory[NN_wait] = 1; // Wait until BUSY# Pin is Inactive (HIGH)
OptCategory[NN_xchg] = 0; // Exchange Register/Memory with Register
OptCategory[NN_xlat] = 0; // Table Lookup Translation
OptCategory[NN_xor] = 2; // Logical Exclusive OR
//
// 486 instructions
//
OptCategory[NN_cmpxchg] = 0; // Compare and Exchange
OptCategory[NN_bswap] = 2; // Swap bytes in register
OptCategory[NN_xadd] = 0; // t<-dest; dest<-src+dest; src<-t
OptCategory[NN_invd] = 1; // Invalidate Data Cache
OptCategory[NN_wbinvd] = 1; // Invalidate Data Cache (write changes)
OptCategory[NN_invlpg] = 1; // Invalidate TLB entry
//
// Pentium instructions
//
OptCategory[NN_rdmsr] = 8; // Read Machine Status Register
OptCategory[NN_wrmsr] = 1; // Write Machine Status Register
OptCategory[NN_cpuid] = 8; // Get CPU ID
OptCategory[NN_cmpxchg8b] = 0; // Compare and Exchange Eight Bytes
OptCategory[NN_rdtsc] = 8; // Read Time Stamp Counter
OptCategory[NN_rsm] = 1; // Resume from System Management Mode
//
// Pentium Pro instructions
//
OptCategory[NN_cmova] = 0; // Move if Above (CF=0 & ZF=0)
OptCategory[NN_cmovb] = 0; // Move if Below (CF=1)
OptCategory[NN_cmovbe] = 0; // Move if Below or Equal (CF=1 | ZF=1)
OptCategory[NN_cmovg] = 0; // Move if Greater (ZF=0 & SF=OF)
OptCategory[NN_cmovge] = 0; // Move if Greater or Equal (SF=OF)
OptCategory[NN_cmovl] = 0; // Move if Less (SF!=OF)
OptCategory[NN_cmovle] = 0; // Move if Less or Equal (ZF=1 | SF!=OF)
OptCategory[NN_cmovnb] = 0; // Move if Not Below (CF=0)
OptCategory[NN_cmovno] = 0; // Move if Not Overflow (OF=0)
OptCategory[NN_cmovnp] = 0; // Move if Not Parity (PF=0)
OptCategory[NN_cmovns] = 0; // Move if Not Sign (SF=0)
OptCategory[NN_cmovnz] = 0; // Move if Not Zero (ZF=0)
OptCategory[NN_cmovo] = 0; // Move if Overflow (OF=1)
OptCategory[NN_cmovp] = 0; // Move if Parity (PF=1)
OptCategory[NN_cmovs] = 0; // Move if Sign (SF=1)
OptCategory[NN_cmovz] = 0; // Move if Zero (ZF=1)
OptCategory[NN_fcmovb] = 1; // Floating Move if Below
OptCategory[NN_fcmove] = 1; // Floating Move if Equal
OptCategory[NN_fcmovbe] = 1; // Floating Move if Below or Equal
OptCategory[NN_fcmovu] = 1; // Floating Move if Unordered
OptCategory[NN_fcmovnb] = 1; // Floating Move if Not Below
OptCategory[NN_fcmovne] = 1; // Floating Move if Not Equal
OptCategory[NN_fcmovnbe] = 1; // Floating Move if Not Below or Equal
OptCategory[NN_fcmovnu] = 1; // Floating Move if Not Unordered
OptCategory[NN_fcomi] = 1; // FP Compare, result in EFLAGS
OptCategory[NN_fucomi] = 1; // FP Unordered Compare, result in EFLAGS
OptCategory[NN_fcomip] = 1; // FP Compare, result in EFLAGS, pop stack
OptCategory[NN_fucomip] = 1; // FP Unordered Compare, result in EFLAGS, pop stack
OptCategory[NN_rdpmc] = 8; // Read Performance Monitor Counter
//
// FPP instructions
//
OptCategory[NN_fld] = 1; // Load Real ** Infer src is 'n'
OptCategory[NN_fst] = 9; // Store Real
OptCategory[NN_fstp] = 9; // Store Real and Pop
OptCategory[NN_fxch] = 1; // Exchange Registers
OptCategory[NN_fild] = 1; // Load Integer ** Infer src is 'n'
OptCategory[NN_fist] = 0; // Store Integer
OptCategory[NN_fistp] = 0; // Store Integer and Pop
OptCategory[NN_fbld] = 1; // Load BCD
OptCategory[NN_fbstp] = 0; // Store BCD and Pop
OptCategory[NN_fadd] = 1; // Add Real
OptCategory[NN_faddp] = 1; // Add Real and Pop
OptCategory[NN_fiadd] = 1; // Add Integer
OptCategory[NN_fsub] = 1; // Subtract Real
OptCategory[NN_fsubp] = 1; // Subtract Real and Pop
OptCategory[NN_fisub] = 1; // Subtract Integer
OptCategory[NN_fsubr] = 1; // Subtract Real Reversed
OptCategory[NN_fsubrp] = 1; // Subtract Real Reversed and Pop
OptCategory[NN_fisubr] = 1; // Subtract Integer Reversed
OptCategory[NN_fmul] = 1; // Multiply Real
OptCategory[NN_fmulp] = 1; // Multiply Real and Pop
OptCategory[NN_fimul] = 1; // Multiply Integer
OptCategory[NN_fdiv] = 1; // Divide Real
OptCategory[NN_fdivp] = 1; // Divide Real and Pop
OptCategory[NN_fidiv] = 1; // Divide Integer
OptCategory[NN_fdivr] = 1; // Divide Real Reversed
OptCategory[NN_fdivrp] = 1; // Divide Real Reversed and Pop
OptCategory[NN_fidivr] = 1; // Divide Integer Reversed
OptCategory[NN_fsqrt] = 1; // Square Root
OptCategory[NN_fscale] = 1; // Scale: st(0) <- st(0) * 2^st(1)
OptCategory[NN_fprem] = 1; // Partial Remainder
OptCategory[NN_frndint] = 1; // Round to Integer
OptCategory[NN_fxtract] = 1; // Extract exponent and significand
OptCategory[NN_fabs] = 1; // Absolute value
OptCategory[NN_fchs] = 1; // Change Sign
OptCategory[NN_fcom] = 1; // Compare Real
OptCategory[NN_fcomp] = 1; // Compare Real and Pop
OptCategory[NN_fcompp] = 1; // Compare Real and Pop Twice
OptCategory[NN_ficom] = 1; // Compare Integer
OptCategory[NN_ficomp] = 1; // Compare Integer and Pop
OptCategory[NN_ftst] = 1; // Test
OptCategory[NN_fxam] = 1; // Examine
OptCategory[NN_fptan] = 1; // Partial tangent
OptCategory[NN_fpatan] = 1; // Partial arctangent
OptCategory[NN_f2xm1] = 1; // 2^x - 1
OptCategory[NN_fyl2x] = 1; // Y * lg2(X)
OptCategory[NN_fyl2xp1] = 1; // Y * lg2(X+1)
OptCategory[NN_fldz] = 1; // Load +0.0
OptCategory[NN_fld1] = 1; // Load +1.0
OptCategory[NN_fldpi] = 1; // Load PI=3.14...
OptCategory[NN_fldl2t] = 1; // Load lg2(10)
OptCategory[NN_fldl2e] = 1; // Load lg2(e)
OptCategory[NN_fldlg2] = 1; // Load lg10(2)
OptCategory[NN_fldln2] = 1; // Load ln(2)
OptCategory[NN_finit] = 1; // Initialize Processor
OptCategory[NN_fninit] = 1; // Initialize Processor (no wait)
OptCategory[NN_fsetpm] = 1; // Set Protected Mode
OptCategory[NN_fldcw] = 1; // Load Control Word
OptCategory[NN_fstcw] = 0; // Store Control Word
OptCategory[NN_fnstcw] = 0; // Store Control Word (no wait)
OptCategory[NN_fstsw] = 2; // Store Status Word to memory or AX
OptCategory[NN_fnstsw] = 2; // Store Status Word (no wait) to memory or AX
OptCategory[NN_fclex] = 1; // Clear Exceptions
OptCategory[NN_fnclex] = 1; // Clear Exceptions (no wait)
OptCategory[NN_fstenv] = 0; // Store Environment
OptCategory[NN_fnstenv] = 0; // Store Environment (no wait)
OptCategory[NN_fldenv] = 1; // Load Environment
OptCategory[NN_fsave] = 0; // Save State
OptCategory[NN_fnsave] = 0; // Save State (no wait)
OptCategory[NN_frstor] = 1; // Restore State ** infer src is 'n'
OptCategory[NN_fincstp] = 1; // Increment Stack Pointer
OptCategory[NN_fdecstp] = 1; // Decrement Stack Pointer
OptCategory[NN_ffree] = 1; // Free Register
OptCategory[NN_fnop] = 1; // No Operation
OptCategory[NN_feni] = 1; // (8087 only)
OptCategory[NN_fneni] = 1; // (no wait) (8087 only)
OptCategory[NN_fdisi] = 1; // (8087 only)
OptCategory[NN_fndisi] = 1; // (no wait) (8087 only)
//
// 80387 instructions
//
OptCategory[NN_fprem1] = 1; // Partial Remainder ( < half )
OptCategory[NN_fsincos] = 1; // t<-cos(st); st<-sin(st); push t
OptCategory[NN_fsin] = 1; // Sine
OptCategory[NN_fcos] = 1; // Cosine
OptCategory[NN_fucom] = 1; // Compare Unordered Real
OptCategory[NN_fucomp] = 1; // Compare Unordered Real and Pop
OptCategory[NN_fucompp] = 1; // Compare Unordered Real and Pop Twice
//
// Instructions added 28.02.96
//
OptCategory[NN_setalc] = 2; // Set AL to Carry Flag **
OptCategory[NN_svdc] = 0; // Save Register and Descriptor
OptCategory[NN_rsdc] = 0; // Restore Register and Descriptor
OptCategory[NN_svldt] = 0; // Save LDTR and Descriptor
OptCategory[NN_rsldt] = 0; // Restore LDTR and Descriptor
OptCategory[NN_svts] = 1; // Save TR and Descriptor
OptCategory[NN_rsts] = 1; // Restore TR and Descriptor
OptCategory[NN_icebp] = 1; // ICE Break Point
OptCategory[NN_loadall] = 0; // Load the entire CPU state from ES:EDI
//
// MMX instructions
//
OptCategory[NN_emms] = 1; // Empty MMX state
OptCategory[NN_movd] = 9; // Move 32 bits
OptCategory[NN_movq] = 9; // Move 64 bits
OptCategory[NN_packsswb] = 1; // Pack with Signed Saturation (Word->Byte)
OptCategory[NN_packssdw] = 1; // Pack with Signed Saturation (Dword->Word)
OptCategory[NN_packuswb] = 1; // Pack with Unsigned Saturation (Word->Byte)
OptCategory[NN_paddb] = 1; // Packed Add Byte
OptCategory[NN_paddw] = 1; // Packed Add Word
OptCategory[NN_paddd] = 1; // Packed Add Dword
OptCategory[NN_paddsb] = 1; // Packed Add with Saturation (Byte)
OptCategory[NN_paddsw] = 1; // Packed Add with Saturation (Word)
OptCategory[NN_paddusb] = 1; // Packed Add Unsigned with Saturation (Byte)
OptCategory[NN_paddusw] = 1; // Packed Add Unsigned with Saturation (Word)
OptCategory[NN_pand] = 1; // Bitwise Logical And
OptCategory[NN_pandn] = 1; // Bitwise Logical And Not
OptCategory[NN_pcmpeqb] = 1; // Packed Compare for Equal (Byte)
OptCategory[NN_pcmpeqw] = 1; // Packed Compare for Equal (Word)
OptCategory[NN_pcmpeqd] = 1; // Packed Compare for Equal (Dword)
OptCategory[NN_pcmpgtb] = 1; // Packed Compare for Greater Than (Byte)
OptCategory[NN_pcmpgtw] = 1; // Packed Compare for Greater Than (Word)
OptCategory[NN_pcmpgtd] = 1; // Packed Compare for Greater Than (Dword)
OptCategory[NN_pmaddwd] = 1; // Packed Multiply and Add
OptCategory[NN_pmulhw] = 1; // Packed Multiply High
OptCategory[NN_pmullw] = 1; // Packed Multiply Low
OptCategory[NN_por] = 1; // Bitwise Logical Or
OptCategory[NN_psllw] = 1; // Packed Shift Left Logical (Word)
OptCategory[NN_pslld] = 1; // Packed Shift Left Logical (Dword)
OptCategory[NN_psllq] = 1; // Packed Shift Left Logical (Qword)
OptCategory[NN_psraw] = 1; // Packed Shift Right Arithmetic (Word)
OptCategory[NN_psrad] = 1; // Packed Shift Right Arithmetic (Dword)
OptCategory[NN_psrlw] = 1; // Packed Shift Right Logical (Word)
OptCategory[NN_psrld] = 1; // Packed Shift Right Logical (Dword)
OptCategory[NN_psrlq] = 1; // Packed Shift Right Logical (Qword)
OptCategory[NN_psubb] = 1; // Packed Subtract Byte
OptCategory[NN_psubw] = 1; // Packed Subtract Word
OptCategory[NN_psubd] = 1; // Packed Subtract Dword
OptCategory[NN_psubsb] = 1; // Packed Subtract with Saturation (Byte)
OptCategory[NN_psubsw] = 1; // Packed Subtract with Saturation (Word)
OptCategory[NN_psubusb] = 1; // Packed Subtract Unsigned with Saturation (Byte)
OptCategory[NN_psubusw] = 1; // Packed Subtract Unsigned with Saturation (Word)
OptCategory[NN_punpckhbw] = 1; // Unpack High Packed Data (Byte->Word)
OptCategory[NN_punpckhwd] = 1; // Unpack High Packed Data (Word->Dword)
OptCategory[NN_punpckhdq] = 1; // Unpack High Packed Data (Dword->Qword)
OptCategory[NN_punpcklbw] = 1; // Unpack Low Packed Data (Byte->Word)
OptCategory[NN_punpcklwd] = 1; // Unpack Low Packed Data (Word->Dword)
OptCategory[NN_punpckldq] = 1; // Unpack Low Packed Data (Dword->Qword)
OptCategory[NN_pxor] = 1; // Bitwise Logical Exclusive Or
//
// Undocumented Deschutes processor instructions
//
OptCategory[NN_fxsave] = 1; // Fast save FP context ** to where?
OptCategory[NN_fxrstor] = 1; // Fast restore FP context ** from where?
// Pentium II instructions
OptCategory[NN_sysenter] = 1; // Fast Transition to System Call Entry Point
OptCategory[NN_sysexit] = 1; // Fast Transition from System Call Entry Point
// 3DNow! instructions
OptCategory[NN_pavgusb] = 1; // Packed 8-bit Unsigned Integer Averaging
OptCategory[NN_pfadd] = 1; // Packed Floating-Point Addition
OptCategory[NN_pfsub] = 1; // Packed Floating-Point Subtraction
OptCategory[NN_pfsubr] = 1; // Packed Floating-Point Reverse Subtraction
OptCategory[NN_pfacc] = 1; // Packed Floating-Point Accumulate
OptCategory[NN_pfcmpge] = 1; // Packed Floating-Point Comparison, Greater or Equal
OptCategory[NN_pfcmpgt] = 1; // Packed Floating-Point Comparison, Greater
OptCategory[NN_pfcmpeq] = 1; // Packed Floating-Point Comparison, Equal
OptCategory[NN_pfmin] = 1; // Packed Floating-Point Minimum
OptCategory[NN_pfmax] = 1; // Packed Floating-Point Maximum
OptCategory[NN_pi2fd] = 1; // Packed 32-bit Integer to Floating-Point
OptCategory[NN_pf2id] = 1; // Packed Floating-Point to 32-bit Integer
OptCategory[NN_pfrcp] = 1; // Packed Floating-Point Reciprocal Approximation
OptCategory[NN_pfrsqrt] = 1; // Packed Floating-Point Reciprocal Square Root Approximation
OptCategory[NN_pfmul] = 1; // Packed Floating-Point Multiplication
OptCategory[NN_pfrcpit1] = 1; // Packed Floating-Point Reciprocal First Iteration Step
OptCategory[NN_pfrsqit1] = 1; // Packed Floating-Point Reciprocal Square Root First Iteration Step
OptCategory[NN_pfrcpit2] = 1; // Packed Floating-Point Reciprocal Second Iteration Step
OptCategory[NN_pmulhrw] = 1; // Packed Floating-Point 16-bit Integer Multiply with rounding
OptCategory[NN_femms] = 1; // Faster entry/exit of the MMX or floating-point state
OptCategory[NN_prefetch] = 1; // Prefetch at least a 32-byte line into L1 data cache
OptCategory[NN_prefetchw] = 1; // Prefetch processor cache line into L1 data cache (mark as modified)
// Pentium III instructions
OptCategory[NN_addps] = 1; // Packed Single-FP Add
OptCategory[NN_addss] = 1; // Scalar Single-FP Add
OptCategory[NN_andnps] = 1; // Bitwise Logical And Not for Single-FP
OptCategory[NN_andps] = 1; // Bitwise Logical And for Single-FP
OptCategory[NN_cmpps] = 1; // Packed Single-FP Compare
OptCategory[NN_cmpss] = 1; // Scalar Single-FP Compare
OptCategory[NN_comiss] = 1; // Scalar Ordered Single-FP Compare and Set EFLAGS
OptCategory[NN_cvtpi2ps] = 1; // Packed signed INT32 to Packed Single-FP conversion
OptCategory[NN_cvtps2pi] = 1; // Packed Single-FP to Packed INT32 conversion
OptCategory[NN_cvtsi2ss] = 1; // Scalar signed INT32 to Single-FP conversion
OptCategory[NN_cvtss2si] = 2; // Scalar Single-FP to signed INT32 conversion
OptCategory[NN_cvttps2pi] = 1; // Packed Single-FP to Packed INT32 conversion (truncate)
OptCategory[NN_cvttss2si] = 2; // Scalar Single-FP to signed INT32 conversion (truncate)
OptCategory[NN_divps] = 1; // Packed Single-FP Divide
OptCategory[NN_divss] = 1; // Scalar Single-FP Divide
OptCategory[NN_ldmxcsr] = 1; // Load Streaming SIMD Extensions Technology Control/Status Register
OptCategory[NN_maxps] = 1; // Packed Single-FP Maximum
OptCategory[NN_maxss] = 1; // Scalar Single-FP Maximum
OptCategory[NN_minps] = 1; // Packed Single-FP Minimum
OptCategory[NN_minss] = 1; // Scalar Single-FP Minimum
OptCategory[NN_movaps] = 9; // Move Aligned Four Packed Single-FP ** infer memsrc 'n'?
OptCategory[NN_movhlps] = 1; // Move High to Low Packed Single-FP
OptCategory[NN_movhps] = 1; // Move High Packed Single-FP
OptCategory[NN_movlhps] = 1; // Move Low to High Packed Single-FP
OptCategory[NN_movlps] = 1; // Move Low Packed Single-FP
OptCategory[NN_movmskps] = 1; // Move Mask to Register
OptCategory[NN_movss] = 9; // Move Scalar Single-FP
OptCategory[NN_movups] = 9; // Move Unaligned Four Packed Single-FP
OptCategory[NN_mulps] = 1; // Packed Single-FP Multiply
OptCategory[NN_mulss] = 1; // Scalar Single-FP Multiply
OptCategory[NN_orps] = 1; // Bitwise Logical OR for Single-FP Data
OptCategory[NN_rcpps] = 1; // Packed Single-FP Reciprocal
OptCategory[NN_rcpss] = 1; // Scalar Single-FP Reciprocal
OptCategory[NN_rsqrtps] = 1; // Packed Single-FP Square Root Reciprocal
OptCategory[NN_rsqrtss] = 1; // Scalar Single-FP Square Root Reciprocal
OptCategory[NN_shufps] = 1; // Shuffle Single-FP
OptCategory[NN_sqrtps] = 1; // Packed Single-FP Square Root
OptCategory[NN_sqrtss] = 1; // Scalar Single-FP Square Root
OptCategory[NN_stmxcsr] = 0; // Store Streaming SIMD Extensions Technology Control/Status Register ** Infer dest is 'n'
OptCategory[NN_subps] = 1; // Packed Single-FP Subtract
OptCategory[NN_subss] = 1; // Scalar Single-FP Subtract
OptCategory[NN_ucomiss] = 1; // Scalar Unordered Single-FP Compare and Set EFLAGS
OptCategory[NN_unpckhps] = 1; // Unpack High Packed Single-FP Data
OptCategory[NN_unpcklps] = 1; // Unpack Low Packed Single-FP Data
OptCategory[NN_xorps] = 1; // Bitwise Logical XOR for Single-FP Data
OptCategory[NN_pavgb] = 1; // Packed Average (Byte)
OptCategory[NN_pavgw] = 1; // Packed Average (Word)
OptCategory[NN_pextrw] = 2; // Extract Word
OptCategory[NN_pinsrw] = 1; // Insert Word
OptCategory[NN_pmaxsw] = 1; // Packed Signed Integer Word Maximum
OptCategory[NN_pmaxub] = 1; // Packed Unsigned Integer Byte Maximum
OptCategory[NN_pminsw] = 1; // Packed Signed Integer Word Minimum
OptCategory[NN_pminub] = 1; // Packed Unsigned Integer Byte Minimum
OptCategory[NN_pmovmskb] = 1; // Move Byte Mask to Integer
OptCategory[NN_pmulhuw] = 1; // Packed Multiply High Unsigned
OptCategory[NN_psadbw] = 1; // Packed Sum of Absolute Differences
OptCategory[NN_pshufw] = 1; // Packed Shuffle Word
OptCategory[NN_maskmovq] = 0; // Byte Mask write ** Infer dest is 'n'
OptCategory[NN_movntps] = 0; // Move Aligned Four Packed Single-FP Non Temporal * infer dest is 'n'
OptCategory[NN_movntq] = 0; // Move 64 Bits Non Temporal ** Infer dest is 'n'
OptCategory[NN_prefetcht0] = 1; // Prefetch to all cache levels
OptCategory[NN_prefetcht1] = 1; // Prefetch to all cache levels
OptCategory[NN_prefetcht2] = 1; // Prefetch to L2 cache
OptCategory[NN_prefetchnta] = 1; // Prefetch to L1 cache
OptCategory[NN_sfence] = 1; // Store Fence
// Pentium III Pseudo instructions
OptCategory[NN_cmpeqps] = 1; // Packed Single-FP Compare EQ
OptCategory[NN_cmpltps] = 1; // Packed Single-FP Compare LT
OptCategory[NN_cmpleps] = 1; // Packed Single-FP Compare LE
OptCategory[NN_cmpunordps] = 1; // Packed Single-FP Compare UNORD
OptCategory[NN_cmpneqps] = 1; // Packed Single-FP Compare NOT EQ
OptCategory[NN_cmpnltps] = 1; // Packed Single-FP Compare NOT LT
OptCategory[NN_cmpnleps] = 1; // Packed Single-FP Compare NOT LE
OptCategory[NN_cmpordps] = 1; // Packed Single-FP Compare ORDERED
OptCategory[NN_cmpeqss] = 1; // Scalar Single-FP Compare EQ
OptCategory[NN_cmpltss] = 1; // Scalar Single-FP Compare LT
OptCategory[NN_cmpless] = 1; // Scalar Single-FP Compare LE
OptCategory[NN_cmpunordss] = 1; // Scalar Single-FP Compare UNORD
OptCategory[NN_cmpneqss] = 1; // Scalar Single-FP Compare NOT EQ
OptCategory[NN_cmpnltss] = 1; // Scalar Single-FP Compare NOT LT
OptCategory[NN_cmpnless] = 1; // Scalar Single-FP Compare NOT LE
OptCategory[NN_cmpordss] = 1; // Scalar Single-FP Compare ORDERED
// AMD K7 instructions
// Revisit AMD if we port to it.
OptCategory[NN_pf2iw] = 0; // Packed Floating-Point to Integer with Sign Extend
OptCategory[NN_pfnacc] = 0; // Packed Floating-Point Negative Accumulate
OptCategory[NN_pfpnacc] = 0; // Packed Floating-Point Mixed Positive-Negative Accumulate
OptCategory[NN_pi2fw] = 0; // Packed 16-bit Integer to Floating-Point
OptCategory[NN_pswapd] = 0; // Packed Swap Double Word
// Undocumented FP instructions (thanks to norbert.juffa@adm.com)
OptCategory[NN_fstp1] = 9; // Alias of Store Real and Pop
OptCategory[NN_fcom2] = 1; // Alias of Compare Real
OptCategory[NN_fcomp3] = 1; // Alias of Compare Real and Pop
OptCategory[NN_fxch4] = 1; // Alias of Exchange Registers
OptCategory[NN_fcomp5] = 1; // Alias of Compare Real and Pop
OptCategory[NN_ffreep] = 1; // Free Register and Pop
OptCategory[NN_fxch7] = 1; // Alias of Exchange Registers
OptCategory[NN_fstp8] = 9; // Alias of Store Real and Pop
OptCategory[NN_fstp9] = 9; // Alias of Store Real and Pop
// Pentium 4 instructions
OptCategory[NN_addpd] = 1; // Add Packed Double-Precision Floating-Point Values
OptCategory[NN_addsd] = 1; // Add Scalar Double-Precision Floating-Point Values
OptCategory[NN_andnpd] = 1; // Bitwise Logical AND NOT of Packed Double-Precision Floating-Point Values
OptCategory[NN_andpd] = 1; // Bitwise Logical AND of Packed Double-Precision Floating-Point Values
OptCategory[NN_clflush] = 1; // Flush Cache Line
OptCategory[NN_cmppd] = 1; // Compare Packed Double-Precision Floating-Point Values
OptCategory[NN_cmpsd] = 1; // Compare Scalar Double-Precision Floating-Point Values
OptCategory[NN_comisd] = 1; // Compare Scalar Ordered Double-Precision Floating-Point Values and Set EFLAGS
OptCategory[NN_cvtdq2pd] = 1; // Convert Packed Doubleword Integers to Packed Single-Precision Floating-Point Values
OptCategory[NN_cvtdq2ps] = 1; // Convert Packed Doubleword Integers to Packed Double-Precision Floating-Point Values
OptCategory[NN_cvtpd2dq] = 1; // Convert Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
OptCategory[NN_cvtpd2pi] = 1; // Convert Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
OptCategory[NN_cvtpd2ps] = 1; // Convert Packed Double-Precision Floating-Point Values to Packed Single-Precision Floating-Point Values
OptCategory[NN_cvtpi2pd] = 1; // Convert Packed Doubleword Integers to Packed Double-Precision Floating-Point Values
OptCategory[NN_cvtps2dq] = 1; // Convert Packed Single-Precision Floating-Point Values to Packed Doubleword Integers
OptCategory[NN_cvtps2pd] = 1; // Convert Packed Single-Precision Floating-Point Values to Packed Double-Precision Floating-Point Values
OptCategory[NN_cvtsd2si] = 2; // Convert Scalar Double-Precision Floating-Point Value to Doubleword Integer
OptCategory[NN_cvtsd2ss] = 1; // Convert Scalar Double-Precision Floating-Point Value to Scalar Single-Precision Floating-Point Value
OptCategory[NN_cvtsi2sd] = 1; // Convert Doubleword Integer to Scalar Double-Precision Floating-Point Value
OptCategory[NN_cvtss2sd] = 1; // Convert Scalar Single-Precision Floating-Point Value to Scalar Double-Precision Floating-Point Value
OptCategory[NN_cvttpd2dq] = 1; // Convert With Truncation Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
OptCategory[NN_cvttpd2pi] = 1; // Convert with Truncation Packed Double-Precision Floating-Point Values to Packed Doubleword Integers
OptCategory[NN_cvttps2dq] = 1; // Convert With Truncation Packed Single-Precision Floating-Point Values to Packed Doubleword Integers
OptCategory[NN_cvttsd2si] = 2; // Convert with Truncation Scalar Double-Precision Floating-Point Value to Doubleword Integer
OptCategory[NN_divpd] = 1; // Divide Packed Double-Precision Floating-Point Values
OptCategory[NN_divsd] = 1; // Divide Scalar Double-Precision Floating-Point Values
OptCategory[NN_lfence] = 1; // Load Fence
OptCategory[NN_maskmovdqu] = 0; // Store Selected Bytes of Double Quadword ** Infer dest is 'n'
OptCategory[NN_maxpd] = 1; // Return Maximum Packed Double-Precision Floating-Point Values
OptCategory[NN_maxsd] = 1; // Return Maximum Scalar Double-Precision Floating-Point Value
OptCategory[NN_mfence] = 1; // Memory Fence
OptCategory[NN_minpd] = 1; // Return Minimum Packed Double-Precision Floating-Point Values
OptCategory[NN_minsd] = 1; // Return Minimum Scalar Double-Precision Floating-Point Value
OptCategory[NN_movapd] = 9; // Move Aligned Packed Double-Precision Floating-Point Values ** Infer dest is 'n'
OptCategory[NN_movdq2q] = 1; // Move Quadword from XMM to MMX Register
OptCategory[NN_movdqa] = 9; // Move Aligned Double Quadword ** Infer dest is 'n'
OptCategory[NN_movdqu] = 9; // Move Unaligned Double Quadword ** Infer dest is 'n'
OptCategory[NN_movhpd] = 9; // Move High Packed Double-Precision Floating-Point Values ** Infer dest is 'n'
OptCategory[NN_movlpd] = 9; // Move Low Packed Double-Precision Floating-Point Values ** Infer dest is 'n'
OptCategory[NN_movmskpd] = 2; // Extract Packed Double-Precision Floating-Point Sign Mask
OptCategory[NN_movntdq] = 0; // Store Double Quadword Using Non-Temporal Hint
OptCategory[NN_movnti] = 0; // Store Doubleword Using Non-Temporal Hint
OptCategory[NN_movntpd] = 0; // Store Packed Double-Precision Floating-Point Values Using Non-Temporal Hint
OptCategory[NN_movq2dq] = 1; // Move Quadword from MMX to XMM Register
OptCategory[NN_movsd] = 9; // Move Scalar Double-Precision Floating-Point Values
OptCategory[NN_movupd] = 9; // Move Unaligned Packed Double-Precision Floating-Point Values
OptCategory[NN_mulpd] = 1; // Multiply Packed Double-Precision Floating-Point Values
OptCategory[NN_mulsd] = 1; // Multiply Scalar Double-Precision Floating-Point Values
OptCategory[NN_orpd] = 1; // Bitwise Logical OR of Double-Precision Floating-Point Values
OptCategory[NN_paddq] = 1; // Add Packed Quadword Integers
OptCategory[NN_pause] = 1; // Spin Loop Hint
OptCategory[NN_pmuludq] = 1; // Multiply Packed Unsigned Doubleword Integers
OptCategory[NN_pshufd] = 1; // Shuffle Packed Doublewords
OptCategory[NN_pshufhw] = 1; // Shuffle Packed High Words
OptCategory[NN_pshuflw] = 1; // Shuffle Packed Low Words
OptCategory[NN_pslldq] = 1; // Shift Double Quadword Left Logical
OptCategory[NN_psrldq] = 1; // Shift Double Quadword Right Logical
OptCategory[NN_psubq] = 1; // Subtract Packed Quadword Integers
OptCategory[NN_punpckhqdq] = 1; // Unpack High Data
OptCategory[NN_punpcklqdq] = 1; // Unpack Low Data
OptCategory[NN_shufpd] = 1; // Shuffle Packed Double-Precision Floating-Point Values
OptCategory[NN_sqrtpd] = 1; // Compute Square Roots of Packed Double-Precision Floating-Point Values
OptCategory[NN_sqrtsd] = 1; // Compute Square Rootof Scalar Double-Precision Floating-Point Value
OptCategory[NN_subpd] = 1; // Subtract Packed Double-Precision Floating-Point Values
OptCategory[NN_subsd] = 1; // Subtract Scalar Double-Precision Floating-Point Values
OptCategory[NN_ucomisd] = 1; // Unordered Compare Scalar Ordered Double-Precision Floating-Point Values and Set EFLAGS
OptCategory[NN_unpckhpd] = 1; // Unpack and Interleave High Packed Double-Precision Floating-Point Values
OptCategory[NN_unpcklpd] = 1; // Unpack and Interleave Low Packed Double-Precision Floating-Point Values
OptCategory[NN_xorpd] = 1; // Bitwise Logical OR of Double-Precision Floating-Point Values
// AMD syscall/sysret instructions NOTE: not AMD, found in Intel manual
OptCategory[NN_syscall] = 1; // Low latency system call
OptCategory[NN_sysret] = 1; // Return from system call
// AMD64 instructions NOTE: not AMD, found in Intel manual
OptCategory[NN_swapgs] = 1; // Exchange GS base with KernelGSBase MSR
// New Pentium instructions (SSE3)
OptCategory[NN_movddup] = 9; // Move One Double-FP and Duplicate
OptCategory[NN_movshdup] = 9; // Move Packed Single-FP High and Duplicate
OptCategory[NN_movsldup] = 9; // Move Packed Single-FP Low and Duplicate
// Missing AMD64 instructions NOTE: also found in Intel manual
OptCategory[NN_movsxd] = 2; // Move with Sign-Extend Doubleword
OptCategory[NN_cmpxchg16b] = 0; // Compare and Exchange 16 Bytes
// SSE3 instructions
OptCategory[NN_addsubpd] = 1; // Add /Sub packed DP FP numbers
OptCategory[NN_addsubps] = 1; // Add /Sub packed SP FP numbers
OptCategory[NN_haddpd] = 1; // Add horizontally packed DP FP numbers
OptCategory[NN_haddps] = 1; // Add horizontally packed SP FP numbers
OptCategory[NN_hsubpd] = 1; // Sub horizontally packed DP FP numbers
OptCategory[NN_hsubps] = 1; // Sub horizontally packed SP FP numbers
OptCategory[NN_monitor] = 1; // Set up a linear address range to be monitored by hardware
OptCategory[NN_mwait] = 1; // Wait until write-back store performed within the range specified by the MONITOR instruction
OptCategory[NN_fisttp] = 0; // Store ST in intXX (chop) and pop
OptCategory[NN_lddqu] = 1; // Load unaligned integer 128-bit
// SSSE3 instructions
OptCategory[NN_psignb] = 1; // Packed SIGN Byte
OptCategory[NN_psignw] = 1; // Packed SIGN Word
OptCategory[NN_psignd] = 1; // Packed SIGN Doubleword
OptCategory[NN_pshufb] = 1; // Packed Shuffle Bytes
OptCategory[NN_pmulhrsw] = 1; // Packed Multiply High with Round and Scale
OptCategory[NN_pmaddubsw] = 1; // Multiply and Add Packed Signed and Unsigned Bytes
OptCategory[NN_phsubsw] = 1; // Packed Horizontal Subtract and Saturate
OptCategory[NN_phaddsw] = 1; // Packed Horizontal Add and Saturate
OptCategory[NN_phaddw] = 1; // Packed Horizontal Add Word
OptCategory[NN_phaddd] = 1; // Packed Horizontal Add Doubleword
OptCategory[NN_phsubw] = 1; // Packed Horizontal Subtract Word
OptCategory[NN_phsubd] = 1; // Packed Horizontal Subtract Doubleword
OptCategory[NN_palignr] = 1; // Packed Align Right
OptCategory[NN_pabsb] = 1; // Packed Absolute Value Byte
OptCategory[NN_pabsw] = 1; // Packed Absolute Value Word
OptCategory[NN_pabsd] = 1; // Packed Absolute Value Doubleword
// VMX instructions
OptCategory[NN_vmcall] = 1; // Call to VM Monitor
OptCategory[NN_vmclear] = 0; // Clear Virtual Machine Control Structure
OptCategory[NN_vmlaunch] = 1; // Launch Virtual Machine
OptCategory[NN_vmresume] = 1; // Resume Virtual Machine
OptCategory[NN_vmptrld] = 6; // Load Pointer to Virtual Machine Control Structure
OptCategory[NN_vmptrst] = 0; // Store Pointer to Virtual Machine Control Structure
OptCategory[NN_vmread] = 0; // Read Field from Virtual Machine Control Structure
OptCategory[NN_vmwrite] = 0; // Write Field from Virtual Machine Control Structure
OptCategory[NN_vmxoff] = 1; // Leave VMX Operation
OptCategory[NN_vmxon] = 1; // Enter VMX Operation
#if 599 < IDA_SDK_VERSION
OptCategory[NN_ud2] = 1; // Undefined Instruction
// Added with x86-64
OptCategory[NN_rdtscp] = 10; // Read Time-Stamp Counter and Processor ID
// Geode LX 3DNow! extensions
OptCategory[NN_pfrcpv] = 1; // Reciprocal Approximation for a Pair of 32-bit Floats
OptCategory[NN_pfrsqrtv] = 1; // Reciprocal Square Root Approximation for a Pair of 32-bit Floats
// SSE2 pseudoinstructions
OptCategory[NN_cmpeqpd] = 1; // Packed Double-FP Compare EQ
OptCategory[NN_cmpltpd] = 1; // Packed Double-FP Compare LT
OptCategory[NN_cmplepd] = 1; // Packed Double-FP Compare LE
OptCategory[NN_cmpunordpd] = 1; // Packed Double-FP Compare UNORD
OptCategory[NN_cmpneqpd] = 1; // Packed Double-FP Compare NOT EQ
OptCategory[NN_cmpnltpd] = 1; // Packed Double-FP Compare NOT LT
OptCategory[NN_cmpnlepd] = 1; // Packed Double-FP Compare NOT LE
OptCategory[NN_cmpordpd] = 1; // Packed Double-FP Compare ORDERED
OptCategory[NN_cmpeqsd] = 1; // Scalar Double-FP Compare EQ
OptCategory[NN_cmpltsd] = 1; // Scalar Double-FP Compare LT
OptCategory[NN_cmplesd] = 1; // Scalar Double-FP Compare LE
OptCategory[NN_cmpunordsd] = 1; // Scalar Double-FP Compare UNORD
OptCategory[NN_cmpneqsd] = 1; // Scalar Double-FP Compare NOT EQ
OptCategory[NN_cmpnltsd] = 1; // Scalar Double-FP Compare NOT LT
OptCategory[NN_cmpnlesd] = 1; // Scalar Double-FP Compare NOT LE
OptCategory[NN_cmpordsd] = 1; // Scalar Double-FP Compare ORDERED
// SSSE4.1 instructions
OptCategory[NN_blendpd] = 1; // Blend Packed Double Precision Floating-Point Values
OptCategory[NN_blendps] = 1; // Blend Packed Single Precision Floating-Point Values
OptCategory[NN_blendvpd] = 1; // Variable Blend Packed Double Precision Floating-Point Values
OptCategory[NN_blendvps] = 1; // Variable Blend Packed Single Precision Floating-Point Values
OptCategory[NN_dppd] = 1; // Dot Product of Packed Double Precision Floating-Point Values
OptCategory[NN_dpps] = 1; // Dot Product of Packed Single Precision Floating-Point Values
OptCategory[NN_extractps] = 2; // Extract Packed Single Precision Floating-Point Value
OptCategory[NN_insertps] = 1; // Insert Packed Single Precision Floating-Point Value
OptCategory[NN_movntdqa] = 0; // Load Double Quadword Non-Temporal Aligned Hint
OptCategory[NN_mpsadbw] = 1; // Compute Multiple Packed Sums of Absolute Difference
OptCategory[NN_packusdw] = 1; // Pack with Unsigned Saturation
OptCategory[NN_pblendvb] = 1; // Variable Blend Packed Bytes
OptCategory[NN_pblendw] = 1; // Blend Packed Words
OptCategory[NN_pcmpeqq] = 1; // Compare Packed Qword Data for Equal
OptCategory[NN_pextrb] = 1; // Extract Byte
OptCategory[NN_pextrd] = 1; // Extract Dword
OptCategory[NN_pextrq] = 1; // Extract Qword
OptCategory[NN_phminposuw] = 1; // Packed Horizontal Word Minimum
OptCategory[NN_pinsrb] = 1; // Insert Byte
OptCategory[NN_pinsrd] = 1; // Insert Dword
OptCategory[NN_pinsrq] = 1; // Insert Qword
OptCategory[NN_pmaxsb] = 1; // Maximum of Packed Signed Byte Integers
OptCategory[NN_pmaxsd] = 1; // Maximum of Packed Signed Dword Integers
OptCategory[NN_pmaxud] = 1; // Maximum of Packed Unsigned Dword Integers
OptCategory[NN_pmaxuw] = 1; // Maximum of Packed Word Integers
OptCategory[NN_pminsb] = 1; // Minimum of Packed Signed Byte Integers
OptCategory[NN_pminsd] = 1; // Minimum of Packed Signed Dword Integers
OptCategory[NN_pminud] = 1; // Minimum of Packed Unsigned Dword Integers
OptCategory[NN_pminuw] = 1; // Minimum of Packed Word Integers
OptCategory[NN_pmovsxbw] = 1; // Packed Move with Sign Extend
OptCategory[NN_pmovsxbd] = 1; // Packed Move with Sign Extend
OptCategory[NN_pmovsxbq] = 1; // Packed Move with Sign Extend
OptCategory[NN_pmovsxwd] = 1; // Packed Move with Sign Extend
OptCategory[NN_pmovsxwq] = 1; // Packed Move with Sign Extend
OptCategory[NN_pmovsxdq] = 1; // Packed Move with Sign Extend
OptCategory[NN_pmovzxbw] = 1; // Packed Move with Zero Extend
OptCategory[NN_pmovzxbd] = 1; // Packed Move with Zero Extend
OptCategory[NN_pmovzxbq] = 1; // Packed Move with Zero Extend
OptCategory[NN_pmovzxwd] = 1; // Packed Move with Zero Extend
OptCategory[NN_pmovzxwq] = 1; // Packed Move with Zero Extend
OptCategory[NN_pmovzxdq] = 1; // Packed Move with Zero Extend
OptCategory[NN_pmuldq] = 1; // Multiply Packed Signed Dword Integers
OptCategory[NN_pmulld] = 1; // Multiply Packed Signed Dword Integers and Store Low Result
OptCategory[NN_ptest] = 1; // Logical Compare
OptCategory[NN_roundpd] = 1; // Round Packed Double Precision Floating-Point Values
OptCategory[NN_roundps] = 1; // Round Packed Single Precision Floating-Point Values
OptCategory[NN_roundsd] = 1; // Round Scalar Double Precision Floating-Point Values
OptCategory[NN_roundss] = 1; // Round Scalar Single Precision Floating-Point Values
// SSSE4.2 instructions
OptCategory[NN_crc32] = 2; // Accumulate CRC32 Value
OptCategory[NN_pcmpestri] = 2; // Packed Compare Explicit Length Strings, Return Index
OptCategory[NN_pcmpestrm] = 2; // Packed Compare Explicit Length Strings, Return Mask
OptCategory[NN_pcmpistri] = 2; // Packed Compare Implicit Length Strings, Return Index
OptCategory[NN_pcmpistrm] = 2; // Packed Compare Implicit Length Strings, Return Mask
OptCategory[NN_pcmpgtq] = 1; // Compare Packed Data for Greater Than
OptCategory[NN_popcnt] = 2; // Return the Count of Number of Bits Set to 1
// AMD SSE4a instructions
OptCategory[NN_extrq] = 1; // Extract Field From Register
OptCategory[NN_insertq] = 1; // Insert Field
OptCategory[NN_movntsd] = 0; // Move Non-Temporal Scalar Double-Precision Floating-Point
OptCategory[NN_movntss] = 0; // Move Non-Temporal Scalar Single-Precision Floating-Point
OptCategory[NN_lzcnt] = 2; // Leading Zero Count
// xsave/xrstor instructions
OptCategory[NN_xgetbv] = 8; // Get Value of Extended Control Register
OptCategory[NN_xrstor] = 0; // Restore Processor Extended States
OptCategory[NN_xsave] = 1; // Save Processor Extended States
OptCategory[NN_xsetbv] = 1; // Set Value of Extended Control Register
// Intel Safer Mode Extensions (SMX)
OptCategory[NN_getsec] = 1; // Safer Mode Extensions (SMX) Instruction
// AMD-V Virtualization ISA Extension
OptCategory[NN_clgi] = 0; // Clear Global Interrupt Flag
OptCategory[NN_invlpga] = 1; // Invalidate TLB Entry in a Specified ASID
OptCategory[NN_skinit] = 1; // Secure Init and Jump with Attestation
OptCategory[NN_stgi] = 0; // Set Global Interrupt Flag
OptCategory[NN_vmexit] = 1; // Stop Executing Guest, Begin Executing Host
OptCategory[NN_vmload] = 0; // Load State from VMCB
OptCategory[NN_vmmcall] = 1; // Call VMM
OptCategory[NN_vmrun] = 1; // Run Virtual Machine
OptCategory[NN_vmsave] = 0; // Save State to VMCB
// VMX+ instructions
OptCategory[NN_invept] = 1; // Invalidate Translations Derived from EPT
OptCategory[NN_invvpid] = 1; // Invalidate Translations Based on VPID
// Intel Atom instructions
OptCategory[NN_movbe] = 3; // Move Data After Swapping Bytes
// Intel AES instructions
OptCategory[NN_aesenc] = 1; // Perform One Round of an AES Encryption Flow
OptCategory[NN_aesenclast] = 1; // Perform the Last Round of an AES Encryption Flow
OptCategory[NN_aesdec] = 1; // Perform One Round of an AES Decryption Flow
OptCategory[NN_aesdeclast] = 1; // Perform the Last Round of an AES Decryption Flow
OptCategory[NN_aesimc] = 1; // Perform the AES InvMixColumn Transformation
OptCategory[NN_aeskeygenassist] = 1; // AES Round Key Generation Assist
// Carryless multiplication
OptCategory[NN_pclmulqdq] = 1; // Carry-Less Multiplication Quadword
#endif // 599 < IDA_SDK_VERSION
OptCategory[NN_last] = 1;
return;
} // end InitOptCategory()
// Initialize the StackAlteration[] array to define how opcodes
// adjust the stack pointer.
void InitStackAlteration(void) {
// Default category is 0; most instructions do not alter the stack pointer.
(void) memset(StackAlteration, 0, sizeof(StackAlteration));
// Many arithmetic instructions could alter the stack pointer. We will have to
// examine each instruction that performs addition, subtraction, logical AND, etc.,
// to determine if the stack pointer was the DEF operand. We cannot use a purely
// table driven approach to compute stack pointer alteration. The table is used for
// the deterministic cases, e.g. push, pop, call, return. Because of variability on
// a few of these instructions, a value of 1 in the table below is a trigger to investigate RTLs
// that might or might not alter the stack pointer, e.g. add, subtract, etc., or that might
// have operand-dependent effects on the stack pointer.
StackAlteration[NN_add] = 1; // Addition; check operands for stack pointer
StackAlteration[NN_adc] = 1; // Addition; check operands for stack pointer ; RARE for stack pointer
StackAlteration[NN_and] = 1; // Logical AND; check operands for stack pointer
StackAlteration[NN_call] = -4; // Call Procedure; -4, but return cancels it to zero
StackAlteration[NN_callfi] = -8; // Indirect Call Far Procedure; -8, but far return cancels it to zero
StackAlteration[NN_callni] = -4; // Indirect Call Near Procedure; -4, but return cancels it to zero
StackAlteration[NN_enterw] = 1; // Make Stack Frame for Procedure Parameters **
StackAlteration[NN_enter] = 1; // Make Stack Frame for Procedure Parameters **
StackAlteration[NN_enterd] = 1; // Make Stack Frame for Procedure Parameters **
StackAlteration[NN_enterq] = 1; // Make Stack Frame for Procedure Parameters **
StackAlteration[NN_int] = 0; // Call to Interrupt Procedure
StackAlteration[NN_into] = 0; // Call to Interrupt Procedure if Overflow Flag = 1
StackAlteration[NN_int3] = 0; // Trap to Debugger
StackAlteration[NN_iretw] = 6; // Interrupt Return
StackAlteration[NN_iret] = 12; // Interrupt Return
StackAlteration[NN_iretd] = 12; // Interrupt Return (use32)
StackAlteration[NN_iretq] = 40; // Interrupt Return (use64) ??? check this when we port to 64-bit
StackAlteration[NN_lea] = 1; // Load Effective Address (can be used for basic arithmetic assignments)
StackAlteration[NN_leavew] = 1; // High Level Procedure Exit **
StackAlteration[NN_leave] = 1; // High Level Procedure Exit **
StackAlteration[NN_leaved] = 1; // High Level Procedure Exit **
StackAlteration[NN_leaveq] = 1; // High Level Procedure Exit **
StackAlteration[NN_mov] = 1; // Move Data ; could be esp := ebp (deallocate stack frame) or esp := ebx (unknown)
StackAlteration[NN_pop] = 1; // Pop a word from the Stack ; could be 16-bit or 32-bit operand, etc.
StackAlteration[NN_popaw] = 14; // Pop all General Registers
StackAlteration[NN_popa] = 28; // Pop all General Registers
StackAlteration[NN_popad] = 28; // Pop all General Registers (use32)
StackAlteration[NN_popaq] = 56; // Pop all General Registers (use64)
StackAlteration[NN_popfw] = 2; // Pop Stack into Flags Register **
StackAlteration[NN_popf] = 4; // Pop Stack into Flags Register **
StackAlteration[NN_popfd] = 4; // Pop Stack into Eflags Register **
StackAlteration[NN_popfq] = 8; // Pop Stack into Rflags Register **
StackAlteration[NN_push] = 1; // Push Operand onto the Stack ; could be 16-bit or 32-bit operand, etc.
StackAlteration[NN_pushaw] = -14; // Push all General Registers
StackAlteration[NN_pusha] = -28; // Push all General Registers
StackAlteration[NN_pushad] = -28; // Push all General Registers (use32)
StackAlteration[NN_pushaq] = -56; // Push all General Registers (use64)
StackAlteration[NN_pushfw] = -2; // Push Flags Register onto the Stack
StackAlteration[NN_pushf] = -4; // Push Flags Register onto the Stack
StackAlteration[NN_pushfd] = -4; // Push Flags Register onto the Stack (use32)
StackAlteration[NN_pushfq] = -8; // Push Flags Register onto the Stack (use64)
StackAlteration[NN_retn] = 1; // Return Near from Procedure (usually 4 bytes)
StackAlteration[NN_retf] = 1; // Return Far from Procedure (usually 8 bytes)
StackAlteration[NN_sub] = 1; // Subtraction; check operands for stack pointer
StackAlteration[NN_sbb] = 1; // Subtraction; check operands for stack pointer ; RARE for stack pointer
//
// 486 instructions
//
//
// Pentium instructions
//
//
// Pentium Pro instructions
//
//
// FPP instructions
//
//
// 80387 instructions
//
//
// Instructions added 28.02.96
//
StackAlteration[NN_loadall] = 0; // Load the entire CPU state from ES:EDI ?? Cannot find in Intel manuals
//
// MMX instructions
//
//
// Undocumented Deschutes processor instructions
//
// Pentium II instructions
StackAlteration[NN_sysenter] = 0; // Fast Transition to System Call Entry Point
StackAlteration[NN_sysexit] = 0; // Fast Transition from System Call Entry Point
// 3DNow! instructions
// Pentium III instructions
// Pentium III Pseudo instructions
// AMD K7 instructions
// Revisit AMD if we port to it.
// Undocumented FP instructions (thanks to norbert.juffa@adm.com)
// Pentium 4 instructions
// AMD syscall/sysret instructions NOTE: not AMD, found in Intel manual
StackAlteration[NN_syscall] = 0; // Low latency system call
StackAlteration[NN_sysret] = 0; // Return from system call
// AMD64 instructions NOTE: not AMD, found in Intel manual
// New Pentium instructions (SSE3)
// Missing AMD64 instructions NOTE: also found in Intel manual
// SSE3 instructions
// SSSE3 instructions
// VMX instructions
#if 599 < IDA_SDK_VERSION
// Added with x86-64
// Geode LX 3DNow! extensions
// SSE2 pseudoinstructions
// SSSE4.1 instructions
// SSSE4.2 instructions
// AMD SSE4a instructions
// xsave/xrstor instructions
// Intel Safer Mode Extensions (SMX)
// AMD-V Virtualization ISA Extension
// VMX+ instructions
// Intel Atom instructions
// Intel AES instructions
// Carryless multiplication
#endif // 599 < IDA_SDK_VERSION
StackAlteration[NN_last] = 0;
return;
} // end InitStackAlteration()