<patternlist>
<!-- Function-start heuristics for 32-bit x86 Windows code (MSVC-style prologues).
     Notation used by every data element in this file: hex bytes after 0x, '.' is a
     4-bit wildcard in hex ('..' = any byte, '........' = any dword), and a run of
     eight 0/1/. characters is a bit-level mask for a single byte.
     A patternpairs entry fires when one of the pre sequences (inter-function filler
     or a terminating instruction) is immediately followed by one of the post
     sequences (a prologue); the funcstart marker presumably refers to the first
     byte of the post sequence, confirm against the pattern-file schema.
     NOTE(review): totalbits/postbits presumably give the minimum number of fixed,
     non-wildcard bits required across pre+post and within post alone, so that very
     short combinations cannot fire on arbitrary bytes; verify before tuning them.
     NOTE(review): everything here is heuristic evidence, not proof of a function
     boundary. Bytes that merely look like filler followed by a prologue (data,
     alignment padding, or deliberately crafted code) match just as well, so
     consumers should treat the results as candidates to be confirmed by flow. -->
<patternpairs totalbits="32" postbits="16"> <!-- Main patterns -->
<prepatterns>
<data>0xcc</data> <!-- INT3: CC debug filler -->
<data>0xcccc</data> <!-- two CC filler bytes; overlaps the single 0xcc above but contributes more fixed bits toward totalbits, presumably why both are listed -->
<data>0x90</data> <!-- NOP filler -->
<data>0xc3</data> <!-- RET filler / plain return ending the previous function -->
<data>0xc9c3</data> <!-- LEAVE : RET -->
<data>0xc2 ......00 0x00</data> <!-- RET imm16, long form: imm16 is a multiple of 4 below 0x100 (low byte ends in 00, high byte is 0x00) -->
</prepatterns>
<postpatterns>
<data>0x558bec</data> <!-- PUSH EBP : MOV EBP,ESP -->
<data>0x83ec 0.....00 </data> <!-- SUB ESP,imm8 with a small positive frame: sign bit clear and a multiple of 4 -->
<data>0x6aff68........64a100000000 </data> <!-- PUSH -1 : PUSH imm32 : MOV EAX,FS:[0]; presumably the SEH frame setup (FS:[0] being the exception-registration chain head), confirm -->
<data>0x568bf1 </data> <!-- PUSH ESI : MOV ESI,ECX -->
<data>0xb8........e8........ 100000.1 0xec</data> <!-- MOV EAX,imm32 : CALL rel32 : SUB ESP,imm; the 100000.1 mask admits 0x81 (imm32 form) or 0x83 (imm8 form), 0xec is the ModRM for SUB ESP -->
<data>0xb8........e8</data> <!-- MOV EAX,imm32 : CALL; same opening as the entry above without requiring the SUB -->
<data>0x8bff558bec</data> <!-- MOV EDI,EDI : PUSH EBP : MOV EBP,ESP; the 2-byte MOV EDI,EDI in front of the standard prologue is presumably hot-patch padding -->
<data>0x538b 110110..</data> <!-- PUSH EBX : MOV EBX,E*X; ModRM 0xd8 to 0xdb, i.e. source EAX/ECX/EDX/EBX (the EBX,EBX case is a no-op move but still matches) -->
<data>0x535657</data> <!-- PUSH EBX : PUSH ESI : PUSH EDI -->
<data>0x535556</data> <!-- PUSH EBX : PUSH EBP : PUSH ESI -->
<data>0x535651</data> <!-- PUSH EBX : PUSH ESI : PUSH ECX -->
<data>0x53568bf2</data> <!-- PUSH EBX : PUSH ESI : MOV ESI,EDX -->
<data>0x53568bd8</data> <!-- PUSH EBX : PUSH ESI : MOV EBX,EAX -->
<data>0x53568bf1</data> <!-- PUSH EBX : PUSH ESI : MOV ESI,ECX -->
<data>0x53568bda</data> <!-- PUSH EBX : PUSH ESI : MOV EBX,EDX -->
<data>0x53568bf0</data> <!-- PUSH EBX : PUSH ESI : MOV ESI,EAX -->
<data>0x56578bf9</data> <!-- PUSH ESI : PUSH EDI : MOV EDI,ECX -->
<data>0x56578bf1</data> <!-- PUSH ESI : PUSH EDI : MOV ESI,ECX -->
<funcstart/> <!-- definite function start (contrast with possiblefuncstart used by the weaker blocks below) -->
</postpatterns>
</patternpairs>
<patternpairs totalbits="32" postbits="16"> <!-- Starts we trust to come after jump instructions -->
<prepatterns>
<data>0xe9........</data> <!-- JMP rel32 (big) -->
<data>0xeb..</data> <!-- JMP rel8 (small) -->
</prepatterns>
<postpatterns>
<!-- Only the most distinctive prologues of the main block are reused here. An
     unconditional JMP does mean the next byte is not reached by fall-through, but
     unlike filler it is also ordinary mid-function control flow, which is presumably
     why the short register-save sequences (PUSH EBX : PUSH ESI ...) are left out. -->
<data>0x558bec</data> <!-- PUSH EBP : MOV EBP,ESP -->
<data>0x568bf1 </data> <!-- PUSH ESI : MOV ESI,ECX -->
<data>0xb8........e8........ 100000.1 0xec</data> <!-- MOV EAX,imm32 : CALL rel32 : SUB ESP,imm (0x81 imm32 or 0x83 imm8 form) -->
<data>0xb8........e8</data> <!-- MOV EAX,imm32 : CALL -->
<data>0x8bff558bec</data> <!-- MOV EDI,EDI : PUSH EBP : MOV EBP,ESP -->
<funcstart/> <!-- definite function start -->
</postpatterns>
</patternpairs>
<pattern>
<data>0x558bec</data> <!-- PUSH EBP : MOV EBP,ESP, accepted on its own with no filler/jump requirement -->
<funcstart after="data" /> <!-- must be something defined right before this, or no memory: after="data" restricts the bare prologue match to positions preceded by already-defined data (or the start of memory), so it cannot split code that is already disassembled -->
</pattern>
<pattern>
<data>0x8bff558bec</data> <!-- MOV EDI,EDI : PUSH EBP : MOV EBP,ESP, accepted on its own with no filler/jump requirement -->
<funcstart after="data" /> <!-- must be something defined right before this, or no memory: same after="data" restriction as the bare PUSH EBP pattern above -->
</pattern>
<patternpairs totalbits="32" postbits="16"> <!-- Weaker start: two or more CC filler bytes, then PUSH : PUSH : CALL -->
<prepatterns>
<data>0xcccc</data> <!-- two CC debug filler bytes (a single 0xcc is not listed here, unlike the main block) -->
<data>0xcccccc</data> <!-- three CC filler bytes -->
<data>0xcccccccc</data> <!-- four CC filler bytes -->
<data>0xcccccc</data> <!-- NOTE(review): exact duplicate of the three-byte entry above; harmless but redundant -->
</prepatterns>
<postpatterns>
<data>0x6a.. 0x68........ 0xe8 </data> <!-- PUSH imm8 : PUSH imm32 : CALL (rel32 not constrained); an argument-push opening rather than a frame setup -->
<possiblefuncstart/> <!-- reported as a candidate only, presumably because this shape also occurs inside function bodies -->
</postpatterns>
</patternpairs>
<patternpairs totalbits="32" postbits="16"> <!-- Frameless start: any filler or jump, then PUSH reg : MOV reg,[ESP+small] -->
<prepatterns>
<data>0xcc</data> <!-- INT3: CC debug filler -->
<data>0xcccc</data> <!-- two CC filler bytes -->
<data>0x90</data> <!-- NOP filler -->
<data>0xc3</data> <!-- RET filler -->
<data>0xc9c3</data> <!-- LEAVE : RET -->
<data>0xc2 ......00 0x00</data> <!-- RET imm16, long form: imm16 a multiple of 4 below 0x100 -->
<data>0xe9........</data> <!-- JMP rel32 (big) -->
<data>0xeb..</data> <!-- JMP rel8 (small) -->
</prepatterns>
<postpatterns>
<data>01010... 0x8b 01...100 ..100100 000...00 </data> <!-- PUSH r32 (0x50 to 0x57) : MOV r32,[ESP+disp8]; ModRM mod=01 rm=100 (disp8 plus SIB), SIB index=100 (none) base=100 (ESP) with any scale, disp8 a multiple of 4 up to 0x1c -->
<possiblefuncstart after="defined" /> <!-- must be something defined right before this; candidate only, since a frameless PUSH/MOV pair is weak evidence by itself -->
</postpatterns>
</patternpairs>
<pattern>
<!-- __alloca_probe (stack probe / chkstk body), matched byte for byte. Decoded:
       PUSH ECX : LEA ECX,[ESP+4] : SUB ECX,EAX : SBB EAX,EAX : NOT EAX : AND ECX,EAX
       MOV EAX,ESP : AND EAX,0xfffff000
     cmp:  CMP ECX,EAX : JB probe
     done: MOV EAX,ECX : POP ECX : XCHG EAX,ESP : MOV EAX,[EAX] : MOV [ESP],EAX : RET
     probe: SUB EAX,0x1000 : TEST [EAX],EAX : JMP cmp   (the trailing EB E9 jumps back 23 bytes to the CMP)
     Security relevance: the SUB 0x1000 / TEST [EAX] loop touches every 4 KiB page between the
     old and the new stack pointer before ESP is moved, presumably so a large frame cannot skip
     over the guard page; the done path copies the return address to the new stack top and
     returns from there. -->
<data> 0x518d4c24042bc81bc0f7d023c88bc42500f0ffff3bc8720a8bc159948b00890424c32d001000008500ebe9 </data> <!-- alloca_probe -->
<funcstart label="__alloca_probe"/>
</pattern>
<pattern>
<!-- __alloca_probe_16, matched byte for byte except the jump target. Decoded:
       PUSH ECX : LEA ECX,[ESP+8] : SUB ECX,EAX : AND ECX,0xf : ADD EAX,ECX : SBB ECX,ECX : OR EAX,ECX : POP ECX : JMP rel32
     Looks like a 16-byte alignment adjustment of the requested size (with saturation on carry) before
     jumping on, presumably to __alloca_probe; the only byte that differs from the _8 variant below is
     the AND mask (0x0f here, 0x07 there). -->
<data> 0x518d4c24082bc883e10f03c11bc90bc159e9........ </data> <!-- alloca_probe_16 -->
<funcstart label="__alloca_probe_16"/>
</pattern>
<pattern>
<!-- __alloca_probe_8, matched byte for byte except the jump target. Decoded:
       PUSH ECX : LEA ECX,[ESP+8] : SUB ECX,EAX : AND ECX,0x7 : ADD EAX,ECX : SBB ECX,ECX : OR EAX,ECX : POP ECX : JMP rel32
     Same shape as __alloca_probe_16 above with an 8-byte alignment mask (0x07 instead of 0x0f). -->
<data> 0x518d4c24082bc883e10703c11bc90bc159e9........ </data> <!-- alloca_probe_8 -->
<funcstart label="__alloca_probe_8"/>
</pattern>
<pattern>
<!-- __CxxThrowException@8, matched byte for byte except the two imm32 slots and the indirect call target. -->
<data>
0x8bff <!-- MOV EDI,EDI -->
0x55 <!-- PUSH EBP -->
0x8bec <!-- MOV EBP,ESP -->
0x83ec20 <!-- SUB ESP,0x20 -->
0x8b4508 <!-- MOV EAX,[EBP + 0x8] -->
0x56 <!-- PUSH ESI -->
0x57 <!-- PUSH EDI -->
0x6a08 <!-- PUSH 0x8 -->
0x59 <!-- POP ECX (ECX = 8, the REP count) -->
0xbe........ <!-- MOV ESI,imm32 (wildcard) -->
0x8d7de0 <!-- LEA EDI,[EBP + -0x20] -->
0xf3a5 <!-- REP MOVSD (8 dwords copied into the 0x20-byte local frame) -->
0x8945f8 <!-- MOV [EBP + -0x8],EAX -->
0x8b450c <!-- MOV EAX,[EBP + 0xC] -->
0x5f <!-- POP EDI -->
0x8945fc <!-- MOV [EBP + -0x4],EAX -->
0x5e <!-- POP ESI -->
0x85c0 <!-- TEST EAX,EAX -->
0x740c <!-- JZ +0xC (skips to the LEA below) -->
0xf60008 <!-- TEST byte ptr [EAX],0x8 -->
0x7407 <!-- JZ +0x7 (skips the MOV below) -->
0xc745f4........ <!-- MOV dword ptr [EBP + -0xC],imm32 (wildcard) -->
0x8d45f4 <!-- LEA EAX,[EBP + -0xC] -->
0x50 <!-- PUSH EAX -->
0xff75f0 <!-- PUSH [EBP + -0x10] -->
0xff75e4 <!-- PUSH [EBP + -0x1C] -->
0xff75e0 <!-- PUSH [EBP + -0x20] -->
0xff15........ <!-- CALL dword ptr [imm32] (wildcard) -->
0xc9 <!-- LEAVE -->
0xc20800 </data> <!-- RET 0x8 : __CxxThrowException@8 -->
<funcstart label="__CxxThrowException@8" noreturn="true"/> <!-- noreturn: callers' fall-through is not treated as reachable code; the trailing LEAVE : RET is presumably never reached because the indirect CALL above is expected not to return -->
</pattern>
<pattern>
<!-- __EH_epilog3: writes the value saved at [EBP-0xC] back to FS:[0] (presumably unlinking the
     exception registration installed by the matching prolog), pops the callee-saved registers,
     tears down the frame and returns through ECX. Differs from __SEH_epilog4 below only in the
     displacement of the first MOV (-0xC here, -0x10 there). -->
<data>
0x8b4df4 <!-- MOV ECX,[EBP + -0xC] -->
0x64890d 0x00000000 <!-- MOV FS:[0x0],ECX -->
0x59 <!-- POP ECX (the value the PUSH ECX : RET at the end returns to) -->
0x5f <!-- POP EDI -->
0x5f <!-- POP EDI (popped twice; that is what the bytes encode, not a typo) -->
0x5e <!-- POP ESI -->
0x5b <!-- POP EBX -->
0x8be5 <!-- MOV ESP,EBP -->
0x5d <!-- POP EBP -->
0x51 <!-- PUSH ECX -->
0xc3 <!-- RET -->
</data> <!-- __EH_epilog3 -->
<funcstart label="__EH_epilog3"/>
</pattern>
<pattern>
<!-- __SEH_epilog4: same sequence as __EH_epilog3 above but the saved FS:[0] value is read from
     [EBP-0x10]; restores it (presumably unlinking the exception registration), pops the
     callee-saved registers, tears down the frame and returns through ECX. -->
<data>
0x8b4df0 <!-- MOV ECX,[EBP + -0x10] -->
0x64890d 0x00000000 <!-- MOV FS:[0x0],ECX -->
0x59 <!-- POP ECX (the value the PUSH ECX : RET at the end returns to) -->
0x5f <!-- POP EDI -->
0x5f <!-- POP EDI (popped twice; that is what the bytes encode, not a typo) -->
0x5e <!-- POP ESI -->
0x5b <!-- POP EBX -->
0x8be5 <!-- MOV ESP,EBP -->
0x5d <!-- POP EBP -->
0x51 <!-- PUSH ECX -->
0xc3 <!-- RET -->
</data> <!-- __SEH_epilog4 -->
<funcstart label="__SEH_epilog4"/>
</pattern>
<pattern>
<data> 0xcc </data> <!-- INT3: a one-byte function that only breaks -->
<funcstart label="__break" validcode="function" noreturn="true"/> <!-- must be defined at an existing function: a lone CC byte is otherwise the inter-function filler matched by the prepatterns above, so validcode="function" keeps this from labelling padding; noreturn stops disassembly from continuing past it -->
</pattern>
</patternlist>