asm_bytes.go
package goloader
// Primary opcode bytes of the x86-64 instructions this loader recognises.
// Each value is the single main opcode byte only: a REX prefix (0x48) that may
// precede it and the ModRM byte that follows are not part of the constant.
// How the bytes are matched against instruction streams is outside this file;
// presumably the relocation code compares them with the byte at a reloc site.
const (
	x86amd64MOVcode   byte = 0x8B // MOV r, r/m
	x86amd64LEAcode   byte = 0x8D // LEA r, m
	x86amd64CMPLcode  byte = 0x83 // group-1 op with imm8; CMP r/m, imm8 when ModRM.reg == 7
	x86amd64CALLcode  byte = 0xE8 // CALL rel32 (PC-relative)
	x86amd64CALL2code byte = 0xFF // group-5 op; indirect CALL/JMP r/m, selected by ModRM.reg
	x86amd64JMPcode   byte = 0xE9 // JMP rel32 (PC-relative)
)
// arm/arm64
//
// Machine-code templates for ARM targets, stored as little-endian bytes.
// These are raw instruction bytes that are presumably copied into generated
// code and then patched (the address literal after arm64CALLCode, the imm26 of
// arm64Bcode); the patching itself is not in this file.
var (
	// LDR PC, [PC, #-4] (0xE51FF004). On 32-bit ARM the PC reads as the
	// current instruction + 8, so [PC, #-4] is the word immediately following
	// this instruction: the absolute target address is expected to be stored
	// right after these four bytes.
	armcode = []byte{0x04, 0xF0, 0x1F, 0xE5} //LDR PC, [PC, #-4]
	// Far-jump trampoline for arm64: two instructions (8 bytes) followed by a
	// 64-bit target address that the literal load picks up.
	arm64CALLCode = []byte{
		// X16 and X17 are the IP0 and IP1 intra-procedure-call corruptible registers -
		// since Go only uses them for the stack prologue and epilogue calculations,
		// and we should already be clear of that by the time we hit a R_CALLARM64,
		// so we should be able to safely use them for far jumps
		0x51, 0x00, 0x00, 0x58, // LDR X17 [PC+8] - read 64 bit address from PC+8 into X17 (0x58000051, literal form)
		0x20, 0x02, 0x1f, 0xd6, // BR X17 - jump to address in X17 (0xD61F0220)
	}
	// B [PC+0x0] (0x14000000): the imm26 displacement field is zero here and
	// must be filled in before the instruction is meaningful.
	arm64Bcode = []byte{0x00, 0x00, 0x00, 0x14} // B [PC+0x0]
	// NOP (0xD503201F); usable as padding where a template is shorter than
	// the slot it replaces.
	arm64NopCode = []byte{0x1f, 0x20, 0x03, 0xd5}
)
// Base encodings of the AArch64 "LDR (literal), 64-bit" instruction
// (top byte 0x58) that loads a doubleword from a PC-relative slot. The imm19
// field holds the offset in words: 2 words = 8 bytes and 3 words = 12 bytes
// ahead of the instruction. The Rt field (bits 0-4) is zero in both values,
// i.e. as written the destination is X0; presumably the caller ORs in the
// register it actually wants. Despite the "arm" prefix these are arm64
// encodings, not 32-bit ARM.
const (
	armLDRCode8Bytes  = uint32(0x58000040) // LDR PC+8  (imm19 = 2)
	armLDRCode12Bytes = uint32(0x58000060) // LDR PC+12 (imm19 = 3)
)
// x86/amd64
//
// Machine-code templates for x86-64. Zero bytes inside a template are
// placeholders - a rel8/rel32 displacement, an absolute 64-bit address, or a
// ModRM register field - that are presumably filled in at relocation time by
// code outside this file. Template lengths matter: the "replace" sequences are
// longer than the instruction they stand in for, so whatever emits them must
// account for the extra bytes.
var (
	// NOP (single byte); padding for slots that end up shorter than a template.
	x86amd64NOPcode = byte(0x90)
	// FF 25 disp32: JMP [RIP+disp32]. The disp32 placeholder is relative to
	// the end of this 6-byte instruction.
	x86amd64JMPLcode = []byte{0xff, 0x25, 0x00, 0x00, 0x00, 0x00} // JMPL *ADDRESS
	// E9 rel32: direct near JMP; rel32 is relative to the next instruction
	// (hence the "+4" in the original note for the 4 displacement bytes).
	x86amd64JMPNearCode = []byte{0xE9, 0x00, 0x00, 0x00, 0x00} // JMP (PCREL offset)+4
	// EB rel8: 2-byte short JMP, reach is -128..+127 from the next instruction.
	x86amd64JMPShortCode = []byte{0xEB, 0x00} // JMP (PCREL offset)+1
	// FF 15 disp32: CALL [RIP+disp32], i.e. an indirect call through a
	// pointer stored RIP-relative; the disp32 is the placeholder.
	x86amd64CALLFarCode = []byte{
		0xff, 0x15, 0x00, 0x00, 0x00, 0x00, // CALL ptr [RIP]
	}
	// Presumably a stand-in for a CMPL whose memory operand is out of rel32
	// reach. RAX is saved and restored around the compare; POP does not write
	// RFLAGS, so the CMP result survives for the conditional jump that follows.
	x86amd64replaceCMPLcode = []byte{
		0x50, // PUSH RAX
		0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, imm64 (64 bit) - the 8 zero bytes are the address placeholder
		0x48, 0x83, 0x38, 0x00, // CMPL [RAX] x(8bits) - REX.W 83 /7 ib: CMP QWORD PTR [RAX], imm8; last byte is the imm8 placeholder
		0x58, // POP RAX
	}
	// REX.W A1 moffs64: MOV RAX, [abs64]. Loads directly into RAX without a
	// PUSH/POP pair; presumably used when the destination register is RAX
	// itself, since the PUSH/POP variant below would restore RAX and lose the
	// loaded value.
	x86amd64replaceMOVQcodeRAX = []byte{
		0x48, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, [addr64] (64 bit)
	}
	// Stand-in for a 64-bit MOV from an address out of rel32 reach into a
	// register other than RAX. The ModRM byte 0x00 encodes [RAX] as the source
	// with reg = 0; the reg field is presumably patched to the real destination.
	x86amd64replaceMOVQcode = []byte{
		0x50, // PUSH RAX
		0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, imm64 (64 bit) - address placeholder
		0x48, 0x8b, 0x00, // MOV RxX, [RAX] (64 bit) - REX.W 8B /r with ModRM 0x00
		0x58, // POP RAX
	}
)