Thursday, 25 October 2012

wincheck rc8.28

Download mirror
Changelog:
  • add -pp option for checking printer providers. Also add dumping of spoolss!pSpoolSvForwards & spoolss!pWinSpoolForwards (since Windows 7)
  • some bugs were fixed

Monday, 22 October 2012

AVX/XOP instructions processor extender for IDA Pro

It was very surprising (for me), but even the latest IDA Pro 6.3 Advanced still does not support AVX and XOP instructions (just try to disassemble the bytes C5 F1 58 CA, for example).
So I wrote a very simple processor extender plugin for decoding these instructions.
Sources can be downloaded here

Prerequisites
IDA Pro 6.X with SDK. I think this plugin can also be built on v5.X
Visual Studio 2008

Details
Since I am too lazy, I ripped all disasm tables from Bochs. I added a perl script parse.pl in the data directory to generate the bochs.inc file. You can generate bochs.inc with commands like
cd bochs-2.6\disasm
grep IA_AVX opcodes.inc > my
grep IA_XOP opcodes.inc >> my
grep IA_BMI opcodes.inc >> my
grep IA_FMA4 opcodes.inc >> my
grep IA_TBM opcodes.inc >> my
perl parse.pl -c my >bochs.inc

The plugin just registers hook_to_notification_point(HT_IDP, ...) and handles the following event_ids:
  • custom_ana - uses the Bochs disasm to fill the IDA Pro cmd structure
  • custom_mnem - supplies the instruction name
  • custom_outop - it looks like IDA Pro currently doesn't have support for YMM registers, so I made a dirty hack: although the comments in intel.hpp claim that XMM registers are stored in op.o_idpspec5, they are actually stored like any ordinary register in op->reg. So I added YMM to op->reg too, but with op->dtyp == dt_ldbl
Known problems
  • the fourth operand cannot be displayed. I don't know if this is some internal IDA restriction or I made a mistake somewhere in my code
  • ModRM is sometimes displayed incorrectly
  • no segment register support
  • the debug version cannot be built
  • vzeroupper & vzeroall both get the mnemonic vzeroupper. Perhaps this is a bug in the Bochs disasm
  • probably over 9000 issues are still unnoticed
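As an added example (not code from the plugin or from Bochs), a small Python decoder that pulls the VEX prefix fields apart and names the register-direct forms of a few map-0F instructions, including the sample bytes C5 F1 58 CA above and the vzeroupper/vzeroall pair from the known-problems list; the opcode table is a constructed subset.

```python
# Toy VEX (AVX) decoder: shows what a VEX-aware disassembler has to pull apart
# for bytes like C5 F1 58 CA. Covers the 2-byte (C5) and 3-byte (C4) VEX prefixes,
# six map-0F arithmetic opcodes and vzeroupper/vzeroall; ModRM.mod == 3 forms only.

PP_SUFFIX = {0: "ps", 1: "pd", 2: "ss", 3: "sd"}    # pp: none / 66 / F3 / F2
MAP0F_ARITH = {0x58: "add", 0x59: "mul", 0x5C: "sub",   # constructed subset
               0x5D: "min", 0x5E: "div", 0x5F: "max"}


def parse_vex(data):
    """Return (vex_fields, offset_of_opcode). R/X/B/vvvv are stored inverted."""
    if data[0] == 0xC5:                                  # 2-byte VEX, map 0F implied
        b1 = data[1]
        return dict(R=((b1 >> 7) & 1) ^ 1, X=0, B=0, W=0, map=1,
                    vvvv=((b1 >> 3) & 0xF) ^ 0xF, L=(b1 >> 2) & 1, pp=b1 & 3), 2
    if data[0] == 0xC4:                                  # 3-byte VEX
        b1, b2 = data[1], data[2]
        return dict(R=((b1 >> 7) & 1) ^ 1, X=((b1 >> 6) & 1) ^ 1,
                    B=((b1 >> 5) & 1) ^ 1, map=b1 & 0x1F, W=(b2 >> 7) & 1,
                    vvvv=((b2 >> 3) & 0xF) ^ 0xF, L=(b2 >> 2) & 1, pp=b2 & 3), 3
    raise ValueError("not a VEX prefix: %#x" % data[0])


def decode(data):
    """Decode one VEX instruction from bytes and return its Intel-syntax text."""
    f, off = parse_vex(data)
    opcode = data[off]
    if f["map"] != 1:
        raise NotImplementedError("only map 0F (mmmmm == 1) is covered")
    if opcode == 0x77:                                   # same opcode, L bit picks the name
        return "vzeroall" if f["L"] else "vzeroupper"
    if opcode not in MAP0F_ARITH:
        raise NotImplementedError("opcode %#x not in the toy table" % opcode)
    modrm = data[off + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise NotImplementedError("memory operands are not handled")
    suffix = PP_SUFFIX[f["pp"]]
    # VEX.L selects ymm for the packed forms; scalar ss/sd forms stay xmm
    rk = "ymm" if (f["L"] and suffix in ("ps", "pd")) else "xmm"
    dst = "%s%d" % (rk, reg | (f["R"] << 3))           # ModRM.reg, extended by VEX.R
    src1 = "%s%d" % (rk, f["vvvv"])                     # extra source comes from VEX.vvvv
    src2 = "%s%d" % (rk, rm | (f["B"] << 3))            # ModRM.rm, extended by VEX.B
    return "v%s%s %s, %s, %s" % (MAP0F_ARITH[opcode], suffix, dst, src1, src2)


if __name__ == "__main__":
    for hexbytes in ("C5F158CA", "C5FD58CA", "C4417558CA", "C5F877", "C5FC77"):
        print(hexbytes, "->", decode(bytes.fromhex(hexbytes)))
```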

Sunday, 21 October 2012

IDA Pro 6.3 SDK is broken?

I tried to build a debug version of someplugin.plw and got the following from Visual Studio 2008:
Linking...
someplugin.obj : error LNK2001: unresolved external symbol _cmd
someplugin.obj : error LNK2001: unresolved external symbol _callui
someplugin.obj : error LNK2001: unresolved external symbol _ph
Btw, the release version builds successfully

Wednesday, 17 October 2012

pyside for ida pro 6.3

We evaluated both PySide and PyQt and found that both bindings work fine with IDA Pro 6.0
Well, it's good news
The bad news is that fresh versions of shiboken and pyside from git cannot be built for IDA 6.3 and qt-4.8.1 anymore
Assume that we have the open-source edition of qt-4.8.1 built using the recommended options
configure -release -platform win32-msvc2008 -no-qt3support -qtnamespace QT
I was able to build shiboken (see my patch below), but pyside just doesn't work - see my report
Patch for building shiboken:

Monday, 15 October 2012

wincheck rc8.27

Download mirror
Changelog:
  • add dumping of PoRegisterPowerSettingCallback callbacks (-pofx option)
  • add checking of storport!StorportExtensionTable
  • add dumping of the clients of the \PowerPort & \PowerMonitorPort ALPC ports (-alpc option, since Windows 7)
  • some bugs were fixed

Thursday, 11 October 2012

building dynamorio

Prerequisites
Visual Studio 2008
Cmake 2.8.9
WDK 7.1

Details
It seems that cmake support is broken in the SVN source tree, so I decided to describe how to build it with Visual Studio 2008 under Windows XP 32-bit

First you need to change NTDLL_LIBPATH in cmake to %WDKROOT%\lib\wxp\i386
Next you must add the CMAKE_ASM_SUPPORTS_INTEL_SYNTAX boolean variable to cmake and set it to TRUE
Now you can generate the project for vs2008, but it will be broken anyway. So next you must add the path to ntdll.lib to your Visual Studio: open the Tools->Options menu and add the path %WDKROOT%\lib\wxp\i386 under VC++ Directories->Library files

This is not the end of the story - it seems that the custom rules for building .obj files from .s are also broken, so you must compile them manually. Run the Visual Studio 2008 command prompt and type
cd %dynamorio%\core
ml pre_inject_asm.s
ml x86_core.s
ml x86_noncore.s
copy pre_inject_asm.obj dynamorio.dir\Release
copy x86_core.obj drdecode.dir\Release
copy x86_core.obj dynamorio.dir\Release
copy x86_noncore.obj dynamorio.dir\Release

Wednesday, 10 October 2012

PoRegisterPowerSettingCallback callbacks

This documented function was introduced in Vista. Let's check how we can enumerate all registered callbacks.
It seems that all callbacks are stored in the linked list PopRegisteredPowerSettingCallbacks and synchronized with the fast mutex PopSettingLock
The structure of a callback record can be easily recovered from this code (ripped from Vista):
  push  34h                             ; size_t
  push  0                               ; int
  push  ebx                             ; void *
  call  _memset
  mov   eax, [ebp+Callback]
  mov   [ebx+8], esi
  mov   esi, [ebp+SettingGuid]
  lea   edi, [ebx+14h]                  ; 0x14 IID
  movsd
  movsd
  movsd
  movsd
  mov   esi, [ebp+SettingGuid]
  mov   [ebx+28h], eax                  ; 0x28 Callback
  mov   eax, [ebp+Context]
  add   esp, 0Ch
  mov   [ebx+2Ch], eax                  ; 0x2C Context
  mov   eax, [ebp+DeviceObject]
  push  esi
  mov   [ebx+30h], eax                  ; 0x30 DeviceObject

Tuesday, 2 October 2012