-
Notifications
You must be signed in to change notification settings - Fork 112
-
Notifications
You must be signed in to change notification settings - Fork 112
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Questions about the project #12
Comments
Hello, In terms of completeness, our aim is to support all valid x86/x64 instructions, which (except for possible bugs, which you can never exclude fully) we do - including the latest AMX instruction set. Mishegos is a great tool to identify issues which you would not normally see in regular code - a very simple example, the fact that the REX prefix is ignored if it's not preceding the opcode byte, or that segment prefixes (except for fs & gs) are ignored in 64 bit mode - these kind of instructions you would not see in normal code, and only by fuzzing, or by manually generating them would you end up with them.
The fact that it was tested against fuzzers, Mishegos and other internal tools makes it resilient; I think it's obvious that bugs were found (and there's always the possibility that bugs still exist - it's software, after all) and fixed - after all, testing and fuzzing is part of our development process. We we are continuously making sure that bddisasm is properly tested - both manually, and automatically (as you can probably see in https://github.com/bitdefender/bddisasm/tree/master/bddisasm_test). We are also glad to implement any other new ideas you and the community might have, to improve bddisasm and make it as appealing as possible to others! |
Hello, Thank you for your comment.
|
That is known (and normal), because bddisasm always decodes instructions as if MPX is on (decoding the same instruction with mpx option in Xed will yield the same result as bddisasm - invalid opcode). |
Starting with the latest commit (ed564db), by using the NdDecodeWithContext API, the caller can specify whether to decode MPX/CET/CLDEMOTE instructions or NOPs. The default behavior remains the current one - bddisasm will optimistically decode MPX/CET/CLDEMOTE instructions instead of NOPs, but now you can disable this by using ND_FEAT_NONE in ND_CONTEXT when calling NdDecodeWithContext. |
Thanks for your work that helped a lot! Does ND_CONTEXT also allow for filtering on CPU Modes and extensions? I saw them being defined in bddisasm.h but couldn't see how to use them. With this most of the sandsifter output has become either SIGILL caused by invalid operands (but it can still recover what the instruction's length should be) or some SIGTRAP, but after a closer look it seems that there is a bug somewhere since no trap signals are generated when I run those findings in a patched binary. |
The ND_CONTEXT only allows you to filter based on mode (16, 32 or 64 bit), preferred vendor and features that are mapped on the NOP space (MPX, CET, CLDEMOTE - the reason for this is that these instructions are NOP, unless the feature is enabled).
Thanks again for reaching out! If there are any more questions, we are glad to address them. |
Some minor things I came across while trying to understand the projects a bit more: Is there a difference between nd_decode and nd_decode_ex in pydism, since these are identical? Are there differences feature-wise between disasmtool and disasmtool_lix? |
I build and install rapidjson locally exactly like it is done for GitHub actions (see Build dependencies). On my machine, this installs the headers in |
No, there is no functional difference.
Right now, disasmtool is more advanced compared to disasmtool_lix, but we plan to align the features (or perhaps even create a single tool) to eliminate differences. |
@sabastiaan , we have a public Slack - you can join here: https://kvm-vmi.herokuapp.com; there is a public bddisasm channel on that Slack, so we'd be glad if you'd join, and post your questions and feedback there. In the meantime, I will close this, as there is no outstanding issue attached to this for the moment. |
Hi there, I couldn't really find a proper avenue to ask these questions, so sorry for the inconvenience.
How does this project compare to for example XED in terms of completeness and accuracy?
In the readme you included the following:
Mishegos, while great, gives little insight into it's coverage. Did you not encounter any wrongly disassembled instructions while fuzzing, if not how do are you sure that you did miss critical instructions, and if did encounter errors, how should we view it's resilience in light of those results?
The text was updated successfully, but these errors were encountered: