DBG+GUI: replace Capstone with Zydis in trace record

2024-11-26 22:30:22 +00:00 · 2018-03-04 22:32:08 +01:00 · 2018-03-04 22:32:08 +01:00 · 55d99b5647
commit 55d99b5647
parent 0343280cb5
3 changed files with 21 additions and 25 deletions
--- a/src/dbg/TraceRecord.cpp
+++ b/src/dbg/TraceRecord.cpp
@ -1,5 +1,4 @@
 #include "TraceRecord.h"
-#include "capstone_wrapper.h"
 #include "module.h"
 #include "memory.h"
 #include "threading.h"
@ -200,9 +199,9 @@ void TraceRecordManager::TraceExecute(duint address, duint size)
 }


-static void HandleCapstoneOperand(const Capstone & cp, int opindex, DISASM_ARGTYPE* argType, duint* value, unsigned char* memoryContent, unsigned char* memorySize)
+static void HandleCapstoneOperand(const Zydis & cp, int opindex, DISASM_ARGTYPE* argType, duint* value, unsigned char* memoryContent, unsigned char* memorySize)
 {
-    *value = cp.ResolveOpValue(opindex, [&cp](x86_reg reg)
+    *value = cp.ResolveOpValue(opindex, [&cp](ZydisRegister reg)
    {
        auto regName = cp.RegName(reg);
        return regName ? getregister(nullptr, regName) : 0; //TODO: temporary needs enums + caching
@ -210,23 +209,19 @@ static void HandleCapstoneOperand(const Capstone & cp, int opindex, DISASM_ARGTY
    const auto & op = cp[opindex];
    switch(op.type)
    {
-    case X86_OP_REG:
+    case ZYDIS_OPERAND_TYPE_REGISTER:
        *argType = arg_normal;
        break;

-    case X86_OP_IMM:
+    case ZYDIS_OPERAND_TYPE_IMMEDIATE:
        *argType = arg_normal;
        break;

-    case X86_OP_MEM:
+    case ZYDIS_OPERAND_TYPE_MEMORY:
    {
        *argType = arg_memory;
-        const x86_op_mem & mem = op.mem;
-#ifdef _WIN64
-        if(mem.segment == X86_REG_GS)
-#else //x86
-        if(mem.segment == X86_REG_FS)
-#endif
+        const auto & mem = op.mem;
+        if(mem.segment == ArchValue(ZYDIS_REGISTER_FS, ZYDIS_REGISTER_GS))
        {
            *value += ThreadGetLocalBase(ThreadGetId(hActiveThread));
        }
@ -243,7 +238,7 @@ static void HandleCapstoneOperand(const Capstone & cp, int opindex, DISASM_ARGTY
    }
 }

-void TraceRecordManager::TraceExecuteRecord(const Capstone & newInstruction)
+void TraceRecordManager::TraceExecuteRecord(const Zydis & newInstruction)
 {
    if(!isRunTraceEnabled())
        return;
@ -260,7 +255,7 @@ void TraceRecordManager::TraceExecuteRecord(const Capstone & newInstruction)
    DbgGetRegDumpEx(&newContext.registers, sizeof(REGDUMP));
    newThreadId = ThreadGetId(hActiveThread);
    // Don't try to resolve memory values for lea and nop instructions
-    if(!(newInstruction.IsNop() || newInstruction.GetId() == X86_INS_LEA))
+    if(!(newInstruction.IsNop() || newInstruction.GetId() == ZYDIS_MNEMONIC_LEA))
    {
        DISASM_ARGTYPE argType;
        duint value;
@ -289,16 +284,16 @@ void TraceRecordManager::TraceExecuteRecord(const Capstone & newInstruction)
                    }
            }
        }
-        if(newInstruction.GetId() == X86_INS_PUSH || newInstruction.GetId() == X86_INS_PUSHF || newInstruction.GetId() == X86_INS_PUSHFD
-                || newInstruction.GetId() == X86_INS_PUSHFQ || newInstruction.GetId() == X86_INS_CALL //TODO: far call accesses 2 stack entries
+        if(newInstruction.GetId() == ZYDIS_MNEMONIC_PUSH || newInstruction.GetId() == ZYDIS_MNEMONIC_PUSHF || newInstruction.GetId() == ZYDIS_MNEMONIC_PUSHFD
+                || newInstruction.GetId() == ZYDIS_MNEMONIC_PUSHFQ || newInstruction.GetId() == ZYDIS_MNEMONIC_CALL //TODO: far call accesses 2 stack entries
          )
        {
            MemRead(newContext.registers.regcontext.csp - sizeof(duint), &newMemory[newMemoryArrayCount], sizeof(duint));
            newMemoryAddress[newMemoryArrayCount] = newContext.registers.regcontext.csp - sizeof(duint);
            newMemoryArrayCount++;
        }
-        else if(newInstruction.GetId() == X86_INS_POP || newInstruction.GetId() == X86_INS_POPF || newInstruction.GetId() == X86_INS_POPFD
-                || newInstruction.GetId() == X86_INS_POPFQ || newInstruction.GetId() == X86_INS_RET)
+        else if(newInstruction.GetId() == ZYDIS_MNEMONIC_POP || newInstruction.GetId() == ZYDIS_MNEMONIC_POPF || newInstruction.GetId() == ZYDIS_MNEMONIC_POPFD
+                || newInstruction.GetId() == ZYDIS_MNEMONIC_POPFQ || newInstruction.GetId() == ZYDIS_MNEMONIC_RET)
        {
            MemRead(newContext.registers.regcontext.csp, &newMemory[newMemoryArrayCount], sizeof(duint));
            newMemoryAddress[newMemoryArrayCount] = newContext.registers.regcontext.csp;
@ -541,7 +536,7 @@ bool TraceRecordManager::enableRunTrace(bool enabled, const char* fileName)
            for(size_t i = 0; i < _countof(rtOldContextChanged); i++)
                rtOldContextChanged[i] = true;
            dprintf(QT_TRANSLATE_NOOP("DBG", "Run trace started. File: %s\r\n"), fileName);
-            Capstone cp;
+            Zydis cp;
            unsigned char instr[MAX_DISASM_BUFFER];
            auto cip = GetContextDataEx(hActiveThread, UE_CIP);
            if(MemRead(cip, instr, MAX_DISASM_BUFFER))
@ -699,7 +694,7 @@ void _dbg_dbgtraceexecute(duint CIP)
 {
    if(TraceRecord.getTraceRecordType(CIP) != TraceRecordManager::TraceRecordType::TraceRecordNone)
    {
-        Capstone instruction;
+        Zydis instruction;
        unsigned char data[MAX_DISASM_BUFFER];
        if(MemRead(CIP, data, MAX_DISASM_BUFFER))
        {
@ -719,7 +714,7 @@ void _dbg_dbgtraceexecute(duint CIP)
    {
        if(TraceRecord.isRunTraceEnabled())
        {
-            Capstone instruction;
+            Zydis instruction;
            unsigned char data[MAX_DISASM_BUFFER];
            if(MemRead(CIP, data, MAX_DISASM_BUFFER))
            {
--- a/src/dbg/TraceRecord.h
+++ b/src/dbg/TraceRecord.h
@ -4,6 +4,7 @@
 #include "_dbgfunctions.h"
 #include "debugger.h"
 #include "jansson/jansson_x64dbg.h"
+#include <zydis_wrapper.h>

 class Capstone;

@ -55,7 +56,7 @@ public:

    void TraceExecute(duint address, duint size);
    //void TraceAccess(duint address, unsigned char size, TraceRecordByteType accessType);
-    void TraceExecuteRecord(const Capstone & newInstruction);
+    void TraceExecuteRecord(const Zydis & newInstruction);

    unsigned int getHitCount(duint address);
    TraceRecordByteType getByteType(duint address);
--- a/src/gui/Src/Tracer/TraceFileSearch.cpp
+++ b/src/gui/Src/Tracer/TraceFileSearch.cpp
@ -1,6 +1,6 @@
 #include "TraceFileReader.h"
 #include "TraceFileSearch.h"
-#include "capstone_wrapper.h"
+#include "zydis_wrapper.h"

 static bool inRange(duint value, duint start, duint end)
 {
@ -27,7 +27,7 @@ static QString getIndexText(TraceFileReader* file, duint index)
 int TraceFileSearchConstantRange(TraceFileReader* file, duint start, duint end)
 {
    int count = 0;
-    Capstone cp;
+    Zydis cp;
    QString title;
    if(start == end)
        title = QCoreApplication::translate("TraceFileSearch", "Constant: %1").arg(ToPtrString(start));
@ -91,7 +91,7 @@ int TraceFileSearchConstantRange(TraceFileReader* file, duint start, duint end)
 int TraceFileSearchMemReference(TraceFileReader* file, duint address)
 {
    int count = 0;
-    Capstone cp;
+    Zydis cp;
    GuiReferenceInitialize(QCoreApplication::translate("TraceFileSearch", "Reference").toUtf8().constData());
    GuiReferenceAddColumn(sizeof(duint) * 2, QCoreApplication::translate("TraceFileSearch", "Address").toUtf8().constData());
    GuiReferenceAddColumn(sizeof(duint) * 2, QCoreApplication::translate("TraceFileSearch", "Index").toUtf8().constData());