From 87b890a0e5bb273578177229fe539dc0372aa9e3 Mon Sep 17 00:00:00 2001
From: gaa-cifasis
Date: Mon, 29 Aug 2016 01:12:09 +0000
Subject: [PATCH] preliminary x86_64 support

---
 vdiscover/Event.py | 39 +++++++++++++++++++++++++++++----------
 vdiscover/Process.py | 10 +++++-----
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/vdiscover/Event.py b/vdiscover/Event.py
index 57d6408..dd33ea2 100644
--- a/vdiscover/Event.py
+++ b/vdiscover/Event.py
@@ -50,18 +50,33 @@ def __init__(self, name, module):
 def __str__(self):
 return str(self.name)
- def _detect_return_address(self):
- addr = self.process.getreg("esp")
- bytes = self.process.readBytes(addr, 4)
- return RefinePType(Type("Ptr32",4),bytes2word(bytes), self.process, self.mm)
- #return bytes2word(bytes)
+ #def _detect_return_address(self):
+ # addr = self.process.getreg("esp")
+ # bytes = self.process.readBytes(addr, 4)
+ # return RefinePType(Type("Ptr32",4),bytes2word(bytes), self.process, self.mm)
+ # #return bytes2word(bytes)
- def _detect_parameter(self, ptype, offset):
+ def _detect_parameter_x86_64(self, ptype, index):
+
+ if index > 4:
+ return None
+
+ reg = ["rdi","rsi","rdx","rcx","r8"][index]
+ val = self.process.getreg(reg)
+
+ #print "bs value", repr(bs), hex(bytes2word(bs))
+
+ return RefinePType(GetPtype(ptype),val, self.process, self.mm)
+
+
+
+
+ def _detect_parameter_x86(self, ptype, offset):
 addr = self.process.getStackPointer()+offset
 bs = self.process.readBytes(addr, 4)
- if CPU_X86_64:
- bs = bs + (4*'\00')
+ #if CPU_X86_64:
+ # bs = bs + (4*'\00')
 #print "bs value", repr(bs), hex(bytes2word(bs))
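Review bot: `_detect_parameter_x86_64` returns `None` when `index > 4`, but the caller in the `detect_parameters` hunk below unpacks the result as `(ptype, value)`, so a hooked function with six or more declared parameters raises `TypeError` instead of being recorded. The register table also stops at `r8`; the SysV x86-64 calling convention passes six integer/pointer arguments in `rdi, rsi, rdx, rcx, r8, r9`, so the sixth argument is dropped even before that crash. Extending the table to `reg = ["rdi","rsi","rdx","rcx","r8","r9"][index]` with the guard `if index > 5:` covers the register-passed arguments; anything beyond that lives on the stack and needs its own path, and raising an explicit error there is better than returning `None`. The `#print "bs value", repr(bs), hex(bytes2word(bs))` comment copied into the new method refers to a `bs` that does not exist in it. `_detect_parameter_x86`'s body continues outside the hunk.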
@@ -79,9 +94,13 @@ def detect_parameters(self, process, mm):
 offset = 4
 #print self.mm
 #print self.name
- for ctype in self.param_types:
+ for index,ctype in enumerate(self.param_types):
+
+ if CPU_X86_64:
+ (ptype, value) = self._detect_parameter_x86_64(ctype, index)
+ else:
+ (ptype, value) = self._detect_parameter_x86(ctype, offset)
- (ptype, value) = self._detect_parameter(ctype, offset)
 self.param_values.append(value)
 self.param_ptypes.append(ptype)
 offset += ptype.getSize()
diff --git a/vdiscover/Process.py b/vdiscover/Process.py
index 332ed53..3fd580a 100644
--- a/vdiscover/Process.py
+++ b/vdiscover/Process.py
@@ -69,9 +69,9 @@ def __init__(self, program, envs, timeout, included_mods = [], ignored_mods = []
 # Parse ELF
 self.elf = ELF(self.program, plt = False)
- if self.elf.GetType() <> "ELF 32-bit":
- print "Only ELF 32-bit are supported to be executed."
- exit(-1)
+ #if self.elf.GetType() <> "ELF 32-bit":
+ # print "Only ELF 32-bit are supported to be executed."
+ # exit(-1)
 self.modules = dict()
@@ -86,10 +86,10 @@ def __init__(self, program, envs, timeout, included_mods = [], ignored_mods = []
 def setBreakpoints(self, elf):
 #print elf.GetFunctions()
 for func_name in elf.GetFunctions():
- #print elf.GetModname(), hex(elf.FindFuncInPlt(func_name))
+ #print "func_name", elf.GetModname(), hex(elf.FindFuncInPlt(func_name))
 if func_name in specs:
- #print elf.GetModname(), func_name, hex(elf.FindFuncInPlt(func_name))
+ #print "func_name in spec",elf.GetModname(), func_name, hex(elf.FindFuncInPlt(func_name))
 addr = elf.FindFuncInPlt(func_name)
 self.binfo[addr] = elf.GetModname(),func_name
 self.breakpoint(addr)
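Review bot: `offset += ptype.getSize()` still executes on the `CPU_X86_64` branch, where nothing reads `offset`, so the variable now has a meaning only on the x86 path and a reader of the loop cannot tell that from the code. Either move the increment into the `else:` branch or add a comment above the loop, `# offset tracks the x86 stack position; unused when CPU_X86_64 (registers)`, so the asymmetry is deliberate rather than accidental. `detect_parameters` starts outside the hunk.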
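Review bot: Commenting out the `GetType()` check removes the only validation of the target's ELF class, so a binary whose class does not match the `CPU_X86_64` switch used in `Event.py` is now accepted and its parameters are decoded from the wrong registers or stack slots without any diagnostic. Rather than dropping the guard, accept both classes and reject everything else: `if self.elf.GetType() not in ("ELF 32-bit", "ELF 64-bit"):`, keeping the `print`/`exit(-1)` lines with an updated message. Checking at the same point that the class agrees with `CPU_X86_64` would turn a silent mis-decode into a clear error; how `CPU_X86_64` is set is not visible here. `__init__` continues outside the hunk.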