
Commit 8608856

authored
Update read/written registers for x86 system call instructions (#2820)
* syscall * sysenter * sysexit * sysret
1 parent 8872be6 commit 8608856

6 files changed

+214
-13
lines changed

6 files changed

+214
-13
lines changed

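--- a/arch/X86/X86Mapping.c
+++ b/arch/X86/X86Mapping.c
@@ -1265,6 +1265,77 @@ void X86_get_insn_id(cs_struct *h, cs_insn *insn, unsigned int id)
 break;
 }
 break;
+
+case X86_INS_SYSENTER: {
+switch (h->mode) {
+default:
+break;
+case CS_MODE_16:
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_EIP, X86_REG_IP);
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_ESP, X86_REG_SP);
+break;
+case CS_MODE_64:
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_EIP, X86_REG_RIP);
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_ESP, X86_REG_RSP);
+break;
+}
+break;
+} break;
+case X86_INS_SYSEXIT: {
+switch (h->mode) {
+default:
+break;
+case CS_MODE_16:
+arr_replace(
+insn->detail->regs_read,
+insn->detail->regs_read_count,
+X86_REG_ECX, X86_REG_CX);
+arr_replace(
+insn->detail->regs_read,
+insn->detail->regs_read_count,
+X86_REG_EDX, X86_REG_DX);
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_EIP, X86_REG_IP);
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_ESP, X86_REG_SP);
+break;
+case CS_MODE_64:
+arr_replace(
+insn->detail->regs_read,
+insn->detail->regs_read_count,
+X86_REG_ECX, X86_REG_RCX);
+arr_replace(
+insn->detail->regs_read,
+insn->detail->regs_read_count,
+X86_REG_EDX, X86_REG_RDX);
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_EIP, X86_REG_RIP);
+arr_replace(
+insn->detail->regs_write,
+insn->detail->regs_write_count,
+X86_REG_ESP, X86_REG_RSP);
+break;
+}
+break;
+} break;
 }
 
 memcpy(insn->detail->groups, insns[i].groups,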
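Review bot: In the CS_MODE_64 arm of the new X86_INS_SYSEXIT case the ECX/EDX reads and EIP/ESP writes are widened to RCX/RDX/RIP/RSP, yet the REX.W form is a separate id (X86_INS_SYSEXITQ in the X86MappingInsn.inc hunk) whose table row already lists the 64-bit registers; the non-REX.W sysexit executed in 64-bit mode loads ESP/EIP from ECX/EDX, so this switch may over-report register width for that encoding — confirm it is the intended convention rather than an architectural claim. Both new cases also end with `break;` immediately followed by `} break;`, so the second `break` is unreachable; closing with `}` alone (or dropping the inner `break;`) reads cleaner and matches the single-`break` style of the preceding case. The X86_REG_EFLAGS entry in regs_write is not renamed here although the yaml expectations in this commit want `rflags`/`flags`, so that presumably happens in a shared path outside this hunk; a one-line comment saying so would save the next reader the search. X86_get_insn_id's body starts and ends outside the hunk.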

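--- a/arch/X86/X86MappingInsn.inc
+++ b/arch/X86/X86MappingInsn.inc
@@ -18619,42 +18619,42 @@
 {
 X86_SYSCALL, X86_INS_SYSCALL, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_INT, 0 }, 0, 0
+{ 0 }, { X86_REG_RIP, X86_REG_RCX, X86_REG_R11, X86_REG_EFLAGS }, { X86_GRP_INT, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSENTER, X86_INS_SYSENTER, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_INT, 0 }, 0, 0
+{ 0 }, { X86_REG_EIP, X86_REG_ESP, X86_REG_EFLAGS, 0 }, { X86_GRP_INT, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSEXIT, X86_INS_SYSEXIT, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, 0 }, 0, 0
+{ X86_REG_ECX, X86_REG_EDX, 0 }, { X86_REG_EIP, X86_REG_ESP, 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSEXIT64, X86_INS_SYSEXITQ, 1,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, X86_GRP_MODE64, 0 }, 0, 0
+{ X86_REG_RCX, X86_REG_RDX, 0 }, { X86_REG_RIP, X86_REG_RSP, 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSRET, X86_INS_SYSRET, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, 0 }, 0, 0
+{ X86_REG_RCX, X86_REG_R11, 0 }, { X86_REG_RIP, X86_REG_EFLAGS, 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSRET64, X86_INS_SYSRETQ, 1,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_IRET, X86_GRP_PRIVILEGE, X86_GRP_MODE64, 0 }, 0, 0
+{ X86_REG_RCX, X86_REG_R11, 0 }, { X86_REG_RIP, X86_REG_EFLAGS, 0 }, { X86_GRP_IRET, X86_GRP_PRIVILEGE, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 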
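Review bot: The SYSCALL regs_write initializer on the added line at 18622 is the only entry in this hunk without the trailing `0` terminator that every neighbouring row carries; it is correct only because the remaining array elements are implicitly zero-filled, which silently stops being true if the list ever grows to the array's full length, so `{ X86_REG_RIP, X86_REG_RCX, X86_REG_R11, X86_REG_EFLAGS, 0 }` keeps the convention explicit. X86_GRP_MODE64 is added to the non-REX SYSRET at 18650 alongside SYSCALL at 18622; that matches Intel, where both are long-mode only, but AMD documents SYSCALL/SYSRET as usable in legacy mode too, so a short comment recording that this tags Intel behaviour would help whoever later sees these decode under CS_MODE_32. The same SYSCALL terminator omission appears in X86MappingInsn_reduce.inc at 9606.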

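--- a/arch/X86/X86MappingInsnOp.inc
+++ b/arch/X86/X86MappingInsnOp.inc
@@ -13304,7 +13304,7 @@
 },
 
 { /* X86_SYSENTER, X86_INS_SYSENTER: sysenter */
-X86_EFLAGS_MODIFY_OF | X86_EFLAGS_MODIFY_SF | X86_EFLAGS_MODIFY_ZF | X86_EFLAGS_MODIFY_AF | X86_EFLAGS_MODIFY_PF | X86_EFLAGS_MODIFY_CF | X86_EFLAGS_MODIFY_TF | X86_EFLAGS_MODIFY_IF | X86_EFLAGS_MODIFY_DF | X86_EFLAGS_MODIFY_NT | X86_EFLAGS_MODIFY_RF,
+X86_EFLAGS_MODIFY_IF,
 { 0 }
 },
 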
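Review bot: Narrowing the SYSENTER flag mask at 13307 to X86_EFLAGS_MODIFY_IF drops X86_EFLAGS_MODIFY_RF, but the SDM's SYSENTER operation clears IF, VM and RF, so RF is still modified by the instruction; unless the table deliberately tracks only the arithmetic/user flags, `X86_EFLAGS_MODIFY_IF | X86_EFLAGS_MODIFY_RF` is the closer description (VM has no entry in the mask shown here). The identical change is made in X86MappingInsnOp_reduce.inc at 6867, and the yaml expectations at 6324, 6354 and 6397 pin the reduced value, so all three need to move together if this is adjusted.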

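--- a/arch/X86/X86MappingInsnOp_reduce.inc
+++ b/arch/X86/X86MappingInsnOp_reduce.inc
@@ -6864,7 +6864,7 @@
 },
 
 { /* X86_SYSENTER, X86_INS_SYSENTER: sysenter */
-X86_EFLAGS_MODIFY_OF | X86_EFLAGS_MODIFY_SF | X86_EFLAGS_MODIFY_ZF | X86_EFLAGS_MODIFY_AF | X86_EFLAGS_MODIFY_PF | X86_EFLAGS_MODIFY_CF | X86_EFLAGS_MODIFY_TF | X86_EFLAGS_MODIFY_IF | X86_EFLAGS_MODIFY_DF | X86_EFLAGS_MODIFY_NT | X86_EFLAGS_MODIFY_RF,
+X86_EFLAGS_MODIFY_IF,
 { 0 }
 },
 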

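--- a/arch/X86/X86MappingInsn_reduce.inc
+++ b/arch/X86/X86MappingInsn_reduce.inc
@@ -9603,21 +9603,21 @@
 {
 X86_SYSCALL, X86_INS_SYSCALL, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_INT, 0 }, 0, 0
+{ 0 }, { X86_REG_RIP, X86_REG_RSP, X86_REG_RCX, X86_REG_R11, X86_REG_EFLAGS }, { X86_GRP_INT, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSENTER, X86_INS_SYSENTER, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_INT, 0 }, 0, 0
+{ 0 }, { X86_REG_EIP, X86_REG_ESP, X86_REG_EFLAGS, 0 }, { X86_GRP_INT, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSEXIT, X86_INS_SYSEXIT, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, 0 }, 0, 0
+{ X86_REG_ECX, X86_REG_EDX, 0 }, { X86_REG_EIP, X86_REG_ESP, 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, 0 }, 0, 0
 #endif
 },
 
@@ -9631,14 +9631,14 @@
 {
 X86_SYSRET, X86_INS_SYSRET, 0,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, 0 }, 0, 0
+{ X86_REG_RCX, X86_REG_R11, 0 }, { X86_REG_RIP, 0 }, { X86_GRP_PRIVILEGE, X86_GRP_IRET, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 
 {
 X86_SYSRET64, X86_INS_SYSRETQ, 1,
 #ifndef CAPSTONE_DIET
-{ 0 }, { 0 }, { X86_GRP_IRET, X86_GRP_PRIVILEGE, X86_GRP_MODE64, 0 }, 0, 0
+{ X86_REG_RCX, X86_REG_R11, 0 }, { X86_REG_RIP, 0 }, { X86_GRP_IRET, X86_GRP_PRIVILEGE, X86_GRP_MODE64, 0 }, 0, 0
 #endif
 },
 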
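Review bot: The reduce table diverges from the full table edited in the same commit: SYSCALL at 9606 lists X86_REG_RSP in regs_write where X86MappingInsn.inc at 18622 does not (and the yaml at 6390 expects `[ rip, rcx, r11, rflags ]` with no rsp), while SYSRET at 9634 and SYSRETQ at 9641 give `{ X86_REG_RIP, 0 }` where the full table gives `{ X86_REG_RIP, X86_REG_EFLAGS, 0 }`. SYSCALL does not alter RSP and SYSRET reloads RFLAGS from R11, so the full-table values are the ones that match the ISA; the reduce rows should read `{ 0 }, { X86_REG_RIP, X86_REG_RCX, X86_REG_R11, X86_REG_EFLAGS, 0 }, { X86_GRP_INT, X86_GRP_MODE64, 0 }, 0, 0` and `{ X86_REG_RCX, X86_REG_R11, 0 }, { X86_REG_RIP, X86_REG_EFLAGS, 0 }, …` respectively. A reduced build is presumably not exercised by the added yaml cases, so nothing in CI would catch the mismatch; if both .inc files are generated from a common source, the divergence suggests one was hand-edited and the generator should be re-run instead.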

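--- a/tests/details/x86.yaml
+++ b/tests/details/x86.yaml
@@ -6303,3 +6303,133 @@ test_cases:
 opcode: [ 0xff, 0x00, 0x00, 0x00 ]
 regs_read: [ rax ]
 regs_write: [ rip ]
+
+-
+input:
+name: "System call instructions, 16-bit decode"
+bytes: [
+0x0f, 0x34, # sysenter
+0x0f, 0x35, # sysexit
+]
+arch: "x86"
+options: [ CS_OPT_DETAIL, CS_MODE_16 ]
+expected:
+insns:
+-
+asm_text: "sysenter"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x34, 0x00, 0x00 ]
+eflags: [ X86_EFLAGS_MODIFY_IF ]
+regs_read: [ ]
+regs_write: [ ip, sp, flags ]
+-
+asm_text: "sysexit"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x35, 0x00, 0x00 ]
+eflags: [ ]
+regs_read: [ cx, dx ]
+regs_write: [ ip, sp ]
+
+-
+input:
+name: "System call instructions, 32-bit decode"
+bytes: [
+0x0f, 0x34, # sysenter
+0x0f, 0x35, # sysexit
+]
+arch: "x86"
+options: [ CS_OPT_DETAIL, CS_MODE_32 ]
+expected:
+insns:
+-
+asm_text: "sysenter"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x34, 0x00, 0x00 ]
+eflags: [ X86_EFLAGS_MODIFY_IF ]
+regs_read: [ ]
+regs_write: [ eip, esp, eflags ]
+-
+asm_text: "sysexit"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x35, 0x00, 0x00 ]
+eflags: [ ]
+regs_read: [ ecx, edx ]
+regs_write: [ eip, esp ]
+
+-
+input:
+name: "System call instructions, 64-bit decode"
+bytes: [
+0x0f, 0x05, # syscall
+0x0f, 0x34, # sysenter
+0x0f, 0x35, # sysexit
+0x40, 0x0f, 0x35, # REX.W sysexit
+0x0f, 0x07, # sysret
+0x40, 0x0f, 0x07, # REX.W sysret
+]
+arch: "x86"
+options: [ CS_OPT_DETAIL, CS_MODE_64 ]
+expected:
+insns:
+-
+asm_text: "syscall"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x05, 0x00, 0x00 ]
+eflags: [ X86_EFLAGS_MODIFY_AF, X86_EFLAGS_MODIFY_CF, X86_EFLAGS_MODIFY_SF, X86_EFLAGS_MODIFY_ZF, X86_EFLAGS_MODIFY_PF, X86_EFLAGS_MODIFY_OF, X86_EFLAGS_MODIFY_TF, X86_EFLAGS_MODIFY_IF, X86_EFLAGS_MODIFY_DF, X86_EFLAGS_MODIFY_NT, X86_EFLAGS_MODIFY_RF ] # should write all flags
+regs_read: [ ]
+regs_write: [ rip, rcx, r11, rflags ]
+-
+asm_text: "sysenter"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x34, 0x00, 0x00 ]
+eflags: [ X86_EFLAGS_MODIFY_IF ]
+regs_read: [ ]
+regs_write: [ rip, rsp, rflags ]
+-
+asm_text: "sysexit"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x35, 0x00, 0x00 ]
+eflags: [ ]
+regs_read: [ rcx, rdx ]
+regs_write: [ rip, rsp ]
+-
+asm_text: "sysexit"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x35, 0x00, 0x00 ]
+eflags: [ ]
+regs_read: [ rcx, rdx ]
+regs_write: [ rip, rsp ]
+-
+asm_text: "sysret"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x07, 0x00, 0x00 ]
+eflags: [ X86_EFLAGS_MODIFY_AF, X86_EFLAGS_MODIFY_CF, X86_EFLAGS_MODIFY_SF, X86_EFLAGS_MODIFY_ZF, X86_EFLAGS_MODIFY_PF, X86_EFLAGS_MODIFY_OF, X86_EFLAGS_MODIFY_TF, X86_EFLAGS_MODIFY_IF, X86_EFLAGS_MODIFY_DF, X86_EFLAGS_MODIFY_NT, X86_EFLAGS_MODIFY_RF ]
+regs_read: [ rcx, r11 ]
+regs_write: [ rip, rflags ]
+-
+asm_text: "sysret"
+details:
+x86:
+prefix: [ X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0, X86_PREFIX_0 ]
+opcode: [ 0x0f, 0x07, 0x00, 0x00 ]
+eflags: [ X86_EFLAGS_MODIFY_AF, X86_EFLAGS_MODIFY_CF, X86_EFLAGS_MODIFY_SF, X86_EFLAGS_MODIFY_ZF, X86_EFLAGS_MODIFY_PF, X86_EFLAGS_MODIFY_OF, X86_EFLAGS_MODIFY_TF, X86_EFLAGS_MODIFY_IF, X86_EFLAGS_MODIFY_DF, X86_EFLAGS_MODIFY_NT, X86_EFLAGS_MODIFY_RF ]
+regs_read: [ rcx, r11 ]
+regs_write: [ rip, rflags ]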
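Review bot: In the 64-bit case the plain and REX.W encodings of sysexit (6401/6410) and sysret (6419/6428) are pinned to the same asm_text and identical register and flag sets, so the test cannot tell whether the 0x40-prefixed bytes actually decoded to the SYSEXIT64/SYSRET64 table rows added in this commit or fell through to the plain rows that X86Mapping.c then widens to RCX/RDX/RIP/RSP. If the test schema allows an expectation on the instruction id or mnemonic, adding it to the two REX.W entries would pin the distinction; otherwise a comment next to each REX.W entry noting that the two rows are intentionally indistinguishable here would stop a reader from assuming the variant is covered. The `# should write all flags` comment at 6388 would be clearer as `# syscall loads RFLAGS from IA32_FMASK, so all flags may change` or similar, since as written it reads like a known failure rather than the rationale for the full list.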
