package goloader
// Single-byte x86/amd64 primary opcodes, each declared as a typed byte
// constant.
const (
	// x86amd64MOVcode is opcode 8B /r: MOV r, r/m.
	x86amd64MOVcode = byte(0x8b)

	// x86amd64LEAcode is opcode 8D /r: LEA r, m.
	x86amd64LEAcode = byte(0x8d)

	// x86amd64CMPLcode is opcode 83 /digit ib, the group-1 ALU form that
	// takes a sign-extended 8-bit immediate. It encodes CMP only when the
	// ModRM reg field is 7, because ADD, OR, ADC, SBB, AND, SUB and XOR
	// share the same opcode byte. Matching this byte alone therefore does
	// not identify a CMP.
	x86amd64CMPLcode = byte(0x83)
)
// arm/arm64
// Branch templates for arm and arm64, stored as little-endian instruction
// words.
//
// NOTE(review): these are mutable package-level slices. Any code that fills
// in an operand should patch a copy, not the template itself; confirm at the
// call sites.
var (
	// armcode is the single ARM word 0xE51FF004: LDR PC, [PC, #-4].
	// In ARM state PC reads as the instruction address plus 8, so the load
	// comes from the word directly after this instruction. Presumably the
	// caller appends the 32-bit branch target there; confirm.
	armcode = []byte{
		0x04, 0xf0, 0x1f, 0xe5,
	}

	// arm64code is a two-instruction indirect branch that overwrites X9:
	//   0x58000049  LDR X9, [PC+8]  (literal load from just past the BR)
	//   0xD61F0120  BR  X9
	// Presumably the caller appends the 64-bit target after these 8 bytes;
	// confirm.
	arm64code = []byte{
		0x49, 0x00, 0x00, 0x58,
		0x20, 0x01, 0x1f, 0xd6,
	}

	// arm64BLcode is 0x94000000: BL with a zero imm26 field, i.e. BL [PC+0].
	// Presumably the offset is patched in later; confirm.
	arm64BLcode = []byte{
		0x00, 0x00, 0x00, 0x94,
	}
)
// x86/amd64
// Code templates for x86/amd64.
//
// NOTE(review): the mnemonics below assume 64-bit mode. There 0x48 is the
// REX.W prefix and FF 25 is RIP-relative. In 32-bit mode 0x48 decodes as
// DEC EAX and FF 25 takes an absolute disp32. Confirm which of these
// templates are ever emitted for 386.
//
// NOTE(review): these are mutable package-level slices. Any code that fills
// in an operand should patch a copy, not the template itself; confirm at the
// call sites.
var (
	// x86amd64JMPLcode is FF 25 disp32: an indirect JMP through memory,
	// with a zero displacement. On amd64 that addresses the bytes
	// immediately after the instruction.
	x86amd64JMPLcode = []byte{0xff, 0x25, 0x00, 0x00, 0x00, 0x00}

	// x86amd64replaceCMPLcode is a 24-byte stub that compares a 64-bit
	// value in memory against an 8-bit immediate and then jumps onward.
	// POP does not modify flags, so the CMP result survives to the
	// destination. With the displacements as written, the first load reads
	// the 8 bytes at stub offset 24 and the final JMP reads its target from
	// stub offset 32. Presumably the caller appends both slots and patches
	// the immediate; confirm.
	x86amd64replaceCMPLcode = []byte{
		0x50, // PUSH RAX
		0x53, // PUSH RBX
		0x48, 0x8b, 0x05, 0x0f, 0x00, 0x00, 0x00, // MOV RAX, [RIP+0x0f]
		0x48, 0x8b, 0x18, // MOV RBX, [RAX]
		0x48, 0x83, 0xfb, 0x00, // CMP RBX, imm8 (placeholder 0x00)
		0x5b, // POP RBX
		0x58, // POP RAX
		0xff, 0x25, 0x08, 0x00, 0x00, 0x00, // JMP [RIP+0x08]
	}

	// x86amd64replaceMOVQcode is a 16-byte stub that loads a 64-bit
	// immediate into a register and then jumps through the 8 bytes that
	// follow the stub. The bytes as written select RAX with a zero
	// immediate. Presumably the register and immediate are patched per use
	// and the caller appends the target; confirm.
	x86amd64replaceMOVQcode = []byte{
		0x48, 0xb8, // MOV RAX, imm64 (REX.W B8+r)
		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // imm64 placeholder
		0xff, 0x25, 0x00, 0x00, 0x00, 0x00, // JMP [RIP+0]
	}
)