Monitoring opcode

0
votes

I am trying to monitor the assembly instructions of a functions opcode. I get the functions size in bytes by subtracting a stub address from the functions in memory. I am currently only looking for the mov instruction. When I display the currentByte, it outputs only Ú, which has a hex value of 0xDA, which is FIADD in assembly http://ref.x86asm.net/coder32.html#xDA Why does no mov instruction display?

#include <iostream>
#include <Windows.h>
#include <ctime>
#include <vector>

#define PUSH 0x50
#define POP  0x58
#define MOV  0xB8
#define NOP  0x90
#define ADD  0x01
#define AND  0x21
#define XOR  0x31
#define OR   0x09
#define SBB  0x19
#define SUB  0x29

using namespace std;

int add(int x, int y)
{
    int result;
    __asm
    {
        mov eax, x
        add eax, y
        mov result, eax
        xor eax, eax        
    }
    return result;
}

void stub() { return; }

DWORD GetFunctionSize(DWORD* functionStartAddress, DWORD* stub)
{
    DWORD dwOldProtect;
    DWORD *func, *stubAddr;

    func = (DWORD*)functionStartAddress;
    stubAddr = (DWORD*)stub;

    DWORD size = func - stubAddr;
    VirtualProtect(func, size, PAGE_EXECUTE_READWRITE, &dwOldProtect);
    return size;
}

void GetCurrentByte(PVOID function)
{
    vector<PBYTE> currByte;

    PBYTE pCurrentByte = (PBYTE)function;
    if (*pCurrentByte == MOV)
    {
        cout << "MOV instr.\n";
    }
    cout << *pCurrentByte;
    currByte.push_back(pCurrentByte);
}

int main()
{

    DWORD size = GetFunctionSize((DWORD*)&add, (DWORD*)&stub);

    for (int i = 0; i < size; i++)
    {
        GetCurrentByte(add);
    }
    system("pause");
    return 0;
}
2
c++assemblyopcode
I still don't understand what you are trying to accomplish. My understanding is that the opcodes in a function don't change during run-time, so why do they need monitoring? Are you benchmarking or profiling some code?Thomas Matthews
I plan on adding more mutations of mov later. pastebin.com/G8WnSCDYSamLaren

2 Answers

1
votes

Why does no mov instruction display?

If you are in debugging mode, you need to know that you are passing a wrong address to the GetCurrentDate(PVOID), thats mean you are reading bytes from a wrong address and there is another few mistakes, to solve this issue follow those steps :

Firstly, the code bytes generated from :

mov eax, x       // code bytes: 8B 45 08
mov result, eax  // code bytes: 89 45 FC

0x8B and 0x89 are the values that you should look for inside your add(int, int) function.

secondly, to get the address of the first byte of your add(int, int) function i suggest to use this function : 

#define ASM_CALL                0x000000E8
#define ASM_JMP                 0x000000E9
#define ASM_CALL_SIZE           0x00000001
#define ASM_CALL_FULL_SIZE      0x00000005

DWORD GetFuncAddress(DWORD funcAddress)
{
    BYTE calledAddress = *(BYTE*)funcAddress; 

    while (calledAddress == ASM_CALL || calledAddress == ASM_JMP) {
        funcAddress = funcAddress + *(DWORD*)(funcAddress + ASM_CALL_SIZE) + ASM_CALL_FULL_SIZE;
        calledAddress = *(BYTE*)funcAddress;
    }

    return funcAddress; // The address of the first byte of the function.
}

thirdly, i suggest an optimization inside your GetFunctionSize(DOWRD), as you know that your add function ends with a single return :

return result; // code bytes: C3

why not just loop throw the bytes of the add function, so when you find a byte equivalente to 0xC3, you will end up with the exact size of your function (in bytes), this code will make things clear:

#define ASM_RET  0xC3

SIZE_T GetFunctionSize(DWORD functionAddress)
{
    SIZE_T funcSize = 0;
    // Loop thru func's bytes, and breaks when return byte found.
    while (*((PBYTE)functionAddress++) != RET)
        funcSize++; 

    return funcSize;
}

fourthly, the GetCurrentByte(PVOID) function needs some maintenance, so i suggest :

#define ASM_MOV1                0x8B 
#define ASM_MOV2                0x89

VOID GetCurrentByte(DWORD functionAddress, UINT &index)
{
    BYTE tempByte = *((PBYTE)functionAddress + index);
    // search for bytes which contains a mov instruction:
    if (tempByte == ASM_MOV1 || tempByte == ASM_MOV2)
        cout << "MOV instr found at : " << hex << ((DWORD)functionAddress + index) << endl;

}

finally, the full code will be like this :

#include <iostream>
#include <Windows.h>


#define ASM_RET                 0xC3
#define ASM_MOV1                0x8B 
#define ASM_MOV2                0x89
#define ASM_CALL                0xE8
#define ASM_JMP                 0xE9
#define ASM_CALL_SIZE           0x01
#define ASM_CALL_FULL_SIZE      0x05

using namespace std;

INT add(INT x, INT y)
{
    int result;
    __asm
    {
        mov eax, x
        add eax, y
        mov result, eax
        xor eax, eax
    }
    return result;
}

DWORD GetFuncAddress(DWORD funcAddress)
{
    BYTE calledAddress = *(BYTE*)funcAddress;

    while (calledAddress == ASM_CALL || calledAddress == ASM_JMP) {
        funcAddress = funcAddress + *(DWORD*)(funcAddress + ASM_CALL_SIZE) + ASM_CALL_FULL_SIZE;
        calledAddress = *(BYTE*)funcAddress;
    }

    return funcAddress;
}

SIZE_T GetFunctionSize(DWORD functionAddress)
{
    SIZE_T funcSize = 0;

    while (*((PBYTE)functionAddress++) != ASM_RET)
    {
        funcSize++; 
    }

    return funcSize;
}


VOID GetCurrentByte(DWORD functionAddress, UINT &index)
{
    BYTE tempByte = *((PBYTE)functionAddress + index);

    if (tempByte == ASM_MOV1 || tempByte == ASM_MOV2)
        cout << "MOV instr found at : " << hex << ((DWORD)functionAddress + index) << endl;

}


INT main()
{

    DWORD funcAddress = GetFuncAddress((DWORD)add); // Get func address.

    SIZE_T size = GetFunctionSize(funcAddress); // Get func size (bytes).

    for (UINT i = 0; i < size; i++) // loop thru the function memory block.
    {
        GetCurrentByte(funcAddress, i);
    }


    system("pause");
    return 0;
}

Don't be surprised if you found many MOV instructions in your function because the compiler created them.

Amrane Abdelkader.

0
votes

GetCurrentByte() looks at the first byte every time you call it. Looking at the first byte size times doesn't help you.