Replace Capstone with Zydis

Fix #11

This change also refactors E9Tool so that it is
no longer so dependent on a specific disassembler.
E9Tool now uses its own register and instruction
representation, including:
- A compressed Instr representation
- A detailed InstrInfo representation
The compressed representation is necessary for
disassembling large binaries without running out
of memory.

The plugin interface has also been updated to
remove the Capstone dependency.

Author: GJDuck

Makefile

@@ -1,7 +1,7 @@
 #CC=clang
 #CXX=clang++
 
-CXXFLAGS = -std=c++14 -Wall -Wno-reorder -fPIC -pie
+CXXFLAGS = -std=c++11 -Wall -Wno-reorder -fPIC -pie
 
 E9PATCH_OBJS=\
     src/e9patch/e9alloc.o \
@@ -21,7 +21,8 @@ E9TOOL_SRC=\
     src/e9tool/e9metadata.cpp \
     src/e9tool/e9parser.cpp \
     src/e9tool/e9tool.cpp \
-    src/e9tool/e9types.cpp
+    src/e9tool/e9types.cpp \
+    src/e9tool/e9x86_64.cpp 
 
 release: CXXFLAGS += -O2 -D NDEBUG
 release: $(E9PATCH_OBJS)
@@ -35,16 +36,17 @@ debug: $(E9PATCH_OBJS)
 e9tool.o: $(E9TOOL_SRC)
 	$(CXX) $(CXXFLAGS) -c src/e9tool/e9tool.cpp
 
-tool: CXXFLAGS += -O2 -I src/e9tool/ -I capstone/include/ -Wno-unused-function
+tool: CXXFLAGS += -O2 -I src/e9tool/ -I zydis/include/ \
+    -I zydis/dependencies/zycore/include/ -Wno-unused-function
 tool: e9tool.o
-	$(CXX) $(CXXFLAGS) e9tool.o -o e9tool capstone/libcapstone.a \
+	$(CXX) $(CXXFLAGS) e9tool.o -o e9tool libZydis.a \
         -Wl,--export-dynamic -ldl
 	strip e9tool
 
-tool.debug: CXXFLAGS += -O0 -g -I src/e9tool/ -I capstone/include/ \
-    -Wno-unused-function
+tool.debug: CXXFLAGS += -O0 -g -I src/e9tool/ -I zydis/include/ \
+    -I zydis/dependencies/zycore/include/ -Wno-unused-function
 tool.debug: e9tool.o
-	$(CXX) $(CXXFLAGS) e9tool.o -o e9tool capstone/libcapstone.a \
+	$(CXX) $(CXXFLAGS) e9tool.o -o e9tool libZydis.a \
         -Wl,--export-dynamic -ldl
 
 loader:

build.sh

@@ -15,22 +15,14 @@ else
     OFF=
 fi
 
-VERSION=e3f106739a6ae78d47772dff31062d644ea21078
-
 while [ $# -ge 1 ]
 do
     case "$1" in
-        --capstone)
-            VERSION="$2"
-            shift
-            ;;
         --help|-h)
             echo "usage: $0 [OPTIONS]"
             echo
             echo "OPTIONS:"
             echo
-            echo "    --capstone VERSION"
-            echo "        Build using Capstone VERSION"
             echo "    --help, -h"
             echo "        Print this message"
             echo
@@ -44,25 +36,36 @@ do
     shift
 done
 
-TARGET=`readlink capstone`
-if [ "$TARGET" != "capstone-$VERSION" ]
+TARGET=`readlink zydis`
+if [ ! -d zydis ]
 then
-    if [ ! -f capstone-$VERSION.zip ]
-    then
-        echo -e "${GREEN}$0${OFF}: downloading capstone.zip..."
-        wget -O capstone-$VERSION.zip \
-            https://github.com/aquynh/capstone/archive/$VERSION.zip
-    fi
-
-    echo -e "${GREEN}$0${OFF}: extracting capstone-$VERSION.zip..."
-    unzip capstone-$VERSION.zip
-    rm -rf capstone
-    ln -s capstone-$VERSION capstone
+    echo -e "${GREEN}$0${OFF}: cloning Zydis..."
+    git clone --recursive 'https://github.com/zyantific/zydis.git' 
 
-    echo -e "${GREEN}$0${OFF}: building capstone-$VERSION..."
-    cd capstone
-    CAPSTONE_ARCHS="x86" ./make.sh
-    cd ..
+    echo -e "${GREEN}$0${OFF}: building Zydis..."
+	cat << EOF > zydis/include/ZydisExportConfig.h
+#ifndef ZYDIS_EXPORT_H
+#define ZYDIS_EXPORT_H
+#define ZYDIS_EXPORT
+#define ZYDIS_NO_EXPORT
+#define ZYDIS_DEPRECATED __attribute__ ((__deprecated__))
+#define ZYDIS_DEPRECATED_EXPORT ZYDIS_EXPORT ZYDIS_DEPRECATED
+#define ZYDIS_DEPRECATED_NO_EXPORT ZYDIS_NO_EXPORT ZYDIS_DEPRECATED
+#define ZYDIS_NO_DEPRECATED
+#endif
+EOF
+	cat << EOF > zydis/include/ZycoreExportConfig.h
+#ifndef ZYCORE_EXPORT_H
+#define ZYCORE_EXPORT_H
+#define ZYCORE_EXPORT
+#define ZYCORE_NO_EXPORT
+#define ZYCORE_DEPRECATED __attribute__ ((__deprecated__))
+#define ZYCORE_DEPRECATED_EXPORT ZYCORE_EXPORT ZYCORE_DEPRECATED
+#define ZYCORE_DEPRECATED_NO_EXPORT ZYCORE_NO_EXPORT ZYCORE_DEPRECATED
+#define ZYCORE_NO_DEPRECATED
+#endif
+EOF
+    make -f Makefile.zydis
 fi
 
 echo -e "${GREEN}$0${OFF}: building e9patch and e9tool..."

doc/e9patch-programming-guide.md

@@ -512,14 +512,14 @@ The E9Tool plugin API is very simple and consists of just four functions:
 
 1. `e9_plugin_init_v1(FILE *out, const ELF *in, ...)`:
     Called once before the binary is disassembled.
-2. `e9_plugin_instr_v1(FILE *out, const ELF *in, ...)`:
-    Called once for each disassembled instruction.
-3. `e9_plugin_match_v1(FILE *out, const ELF *in, ...)`:
-    Called once for each matching.
-4. `e9_plugin_patch_v1(FILE *out, const ELF *in, ...)`:
+2. `e9_plugin_match_v1(FILE *out, const ELF *in, ...)`:
+    Called once for each match location.
+3. `e9_plugin_patch_v1(FILE *out, const ELF *in, ...)`:
     Called for each patch location.
-5. `e9_plugin_fini_v1(FILE *out, const ELF *in, ...)`:
+4. `e9_plugin_fini_v1(FILE *out, const ELF *in, ...)`:
     Called once after all instructions have been patched.
+5. `e9_plugin_event_v1(FILE *out, const ELF *in, ...)`:
+    Called once for each event (see the `Event` enum).
 
 Note that each function is optional, and the plugin can choose not to
 define it.  However, The plugin must define at least one of these functions
@@ -534,16 +534,24 @@ Each function takes at least two arguments, namely:
 
 Some functions take additional arguments, including:
 
-* `handle`: Capstone handle.
-* `offset`: File offset of instruction (if applicable).
-* `I`: Instruction (if applicable).
+* `event`: An `Event` enum value.
+* `Is`: An array of all disassembled instructions.
+* `size`: The number of elements in `Is`.
+* `idx`: The index (into `Is`) of the instruction being
+   matched/patched.
+* `info`: The detailed information about the instruction being
+   matched/patched.
 * `context`: An optional plugin-defined context returned by the
   `e9_plugin_init_v1()` function.
 
+Note that the `info` structure is temporary and will be immediately destroyed
+after the API call returns.
+In constrast, the `Is` array is persistent and will remain valid between calls.
+
 Some API function return a value, including:
 
 * `e9_plugin_init_v1()` returns an optional `context` that will be
-  passed to all other API calls.
+   passed to all other API calls.
 * `e9_plugin_match_v1()` returns an integer value of the plugin's
    choosing.  This integer value can be matched using by the `--match`
    E9Tool command-line option, else the value will be ignored.
@@ -564,11 +572,6 @@ the `e9_plugin_init_v1()` function will do the following tasks
 4. Load ELF binaries into the virtual address space
 5. Create and return the context (if necessary)
 
-The `e9_plugin_instr_v1()` function will do the following:
-
-1. Analyze or remember the instruction (if necessary)
-2. Setup additional trampolines (if necessary)
-
 The `e9_plugin_match_v1()` function will do the following:
 
 1. Return a value to be used in a matching.
@@ -598,7 +601,7 @@ The syntax is as follows:
 
 * `--action`: Selects the E9Tool "action" command-line option.
   This tells E9Tool what patching/instrumentation action to do.
-* `plugin(myPlugin).patchh()`: Specifies that instrument the program using the
+* `plugin(myPlugin).patch()`: Specifies that instrument the program using the
   `myPlugin.so` plugin.
 
 If `myPlugin.so` exports the `e9_plugin_match_v1()` function, it is also

examples/plugins/example.cpp

@@ -52,7 +52,7 @@ using namespace e9frontend;
 /*
  * Initialize the counters and the trampoline.
  */
-extern void *e9_plugin_init_v1(FILE *out, const e9frontend::ELF *elf)
+extern void *e9_plugin_init_v1(FILE *out, const ELF *elf)
 {
     /* 
      * This example uses 3 counters (one for calls/jumps/returns).
@@ -147,57 +147,44 @@ extern void *e9_plugin_init_v1(FILE *out, const e9frontend::ELF *elf)
 /*
  * We match all control-flow transfer instructions.
  */
-extern intptr_t e9_plugin_match_v1(FILE *out, const e9frontend::ELF *elf,
-    csh handle, off_t offset, const cs_insn *I, void *context)
+extern intptr_t e9_plugin_match_v1(FILE *out, const ELF *elf, const Instr *Is,
+    size_t size, size_t idx, const InstrInfo *info, void *context)
 {
-    const cs_detail *detail = I->detail;
-    for (uint8_t i = 0; i < detail->groups_count; i++)
+    switch (info->mnemonic)
     {
-        switch (detail->groups[i])
-        {
-            case CS_GRP_CALL:
-            case CS_GRP_JUMP:
-            case CS_GRP_RET:
-                return 1;
-            default:
-                break;
-        }
+        case MNEMONIC_RET:
+            return 1;
+        case MNEMONIC_JB: case MNEMONIC_JBE: case MNEMONIC_JCXZ:
+        case MNEMONIC_JECXZ: case MNEMONIC_JKNZD: case MNEMONIC_JKZD:
+        case MNEMONIC_JL: case MNEMONIC_JLE: case MNEMONIC_JMP:
+        case MNEMONIC_JNB: case MNEMONIC_JNBE: case MNEMONIC_JNL:
+        case MNEMONIC_JNLE: case MNEMONIC_JNO: case MNEMONIC_JNP:
+        case MNEMONIC_JNS: case MNEMONIC_JNZ: case MNEMONIC_JO:
+        case MNEMONIC_JP: case MNEMONIC_JRCXZ: case MNEMONIC_JS:
+        case MNEMONIC_JZ:
+            return 2;
+        case MNEMONIC_CALL:
+            return 3;
+        default:
+            return 0;
     }
-
-    return 0;
 }
 
 /*
  * Patch the selected instructions.
  */
-extern void e9_plugin_patch_v1(FILE *out, const e9frontend::ELF *elf,
-    csh handle, off_t offset, const cs_insn *I, void *context)
+extern void e9_plugin_patch_v1(FILE *out, const ELF *elf, const Instr *Is,
+    size_t size, size_t idx, const InstrInfo *info, void *context)
 {
-    Metadata metadata[2];
-    const cs_detail *detail = I->detail;
-    intptr_t counter = -1;
-    for (uint8_t i = 0; counter < 0 && i < detail->groups_count; i++)
-    {
-        switch (detail->groups[i])
-        {
-            case CS_GRP_CALL:
-                counter = COUNTERS + 0 * sizeof(size_t);
-                break;
-            case CS_GRP_JUMP:
-                counter = COUNTERS + 1 * sizeof(size_t);
-                break;
-            case CS_GRP_RET:
-                counter = COUNTERS + 2 * sizeof(size_t);
-                break;
-            default:
-                break;
-        }
-    }
-    if (counter < 0)
+    intptr_t counter = e9_plugin_match_v1(out, elf, Is, size, idx, info,
+        context);
+    if (counter == 0)
         return;
-
+    counter = COUNTERS + (counter - 1) * sizeof(size_t);
+ 
     // We instantiate the trampoline template with $counter pointing to
     // the counter corresponding to the instruction type:
+    Metadata metadata[2];
     metadata[0].name = "counter";
     std::string buf;
     buf += "{\"rel32\":";
@@ -209,6 +196,6 @@ extern void e9_plugin_patch_v1(FILE *out, const e9frontend::ELF *elf,
     metadata[1].data = nullptr;
 
     // Send a "patch" E9Patch API message.
-    sendPatchMessage(out, "cflimit", offset, metadata);
+    sendPatchMessage(out, "cflimit", Is[idx].offset, metadata);
 }