lot of them can be downloaded here
for python 2.6/2.7 & 32/64bit
Tuesday, October 30, 2012
Thursday, October 25, 2012
wincheck rc8.28
Monday, October 22, 2012
AVX/XOP instructions processor extender for IDA Pro
It was very surprising (for me), but even the latest IDA Pro 6.3 Advanced still does not support AVX and XOP instructions (just try to disassemble the bytes C5 F1 58 CA, for example).
So I wrote a very simple processor extender plugin for decoding these instructions.
Sources can be downloaded here
Prerequisites
IDA Pro 6.X with SDK. I think this plugin can also be built on v5.X
Visual Studio 2008
Details
Since I am too lazy, I ripped all the disassembly tables from Bochs. I added a perl script parse.pl in the data directory to generate the bochs.inc file. You can generate bochs.inc with commands like:
cd bochs-2.6\disasm
grep IA_AVX opcodes.inc > my
grep IA_XOP opcodes.inc >> my
grep IA_BMI opcodes.inc >> my
grep IA_FMA4 opcodes.inc >> my
grep IA_TBM opcodes.inc >> my
perl parse.pl -c my >bochs.inc
The plugin just registers hook_to_notification_point(HT_IDP, ...) and handles the following event_ids:
- custom_ana - uses the Bochs disassembler to fill the IDA Pro cmd structure
- custom_mnem - supplies the instruction name
- custom_outop - it looks like IDA Pro currently has no support for YMM registers, so I made a dirty hack: although the comments in intel.hpp claim that XMM registers are stored in op.o_idpspec5, they are actually stored like any ordinary register in op->reg. So I put YMM registers in op->reg too, but with op->dtyp == dt_ldbl
Known issues
- the fourth operand cannot be displayed. I don't know whether this is some internal IDA restriction or I made a mistake somewhere in my code
- ModRM is sometimes displayed incorrectly
- no segment register support
- the debug version cannot be built
- vzeroupper & vzeroall both disassemble as vzeroupper. Perhaps this is a bug in the Bochs disassembler
- probably over 9000 issues are still unnoticed
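As an added illustration (not the plugin's code and not Bochs's tables), here is a Python decoder for the VEX/XOP prefix layouts the plugin has to handle, with a small constructed opcode subset; it decodes the C5 F1 58 CA bytes from the introduction and the equivalent 3-byte VEX form. The OPCODES table and the operand-order rule (dest = ModRM.reg, src1 = vvvv, src2 = ModRM.rm) are assumptions that hold for this vadd*/vmul* family only.

```python
# VEX/XOP prefix decoder (added example, not the plugin's or Bochs's code).
# Handles the 2-byte VEX (C5), 3-byte VEX (C4) and XOP (8F) prefix layouts
# for register-direct ModRM forms.

MAP_NAMES = {1: "0F", 2: "0F38", 3: "0F3A", 8: "XOP8", 9: "XOP9", 0xA: "XOPA"}

# (map_select, pp, opcode) -> mnemonic. pp encodes the implied legacy prefix
# (0 = none, 1 = 66, 2 = F3, 3 = F2). Constructed subset of the AVX table.
OPCODES = {
    (1, 0, 0x58): "vaddps", (1, 1, 0x58): "vaddpd",
    (1, 2, 0x58): "vaddss", (1, 3, 0x58): "vaddsd",
    (1, 0, 0x59): "vmulps", (1, 1, 0x59): "vmulpd",
}


def decode_vex(code: bytes) -> dict:
    """Parse one VEX/XOP-prefixed instruction whose ModRM is register-direct."""
    p0 = code[0]
    if p0 == 0xC5:                        # 2-byte VEX: ~R | ~vvvv | L | pp
        inv = code[1] ^ 0xFF              # R and vvvv are stored inverted
        r, x, b, w, m = inv >> 7, 0, 0, 0, 1
        vvvv, l, pp = (inv >> 3) & 0xF, (code[1] >> 2) & 1, code[1] & 3
        pos = 2
    elif p0 == 0xC4 or (p0 == 0x8F and (code[1] & 0x1F) >= 8):
        inv1, b2 = code[1] ^ 0xFF, code[2]   # 3-byte VEX / XOP
        r, x, b = inv1 >> 7, (inv1 >> 6) & 1, (inv1 >> 5) & 1
        m = code[1] & 0x1F                # map select: 1=0F, 2=0F38, 3=0F3A, 8..A=XOP
        w, vvvv = b2 >> 7, ((b2 ^ 0xFF) >> 3) & 0xF
        l, pp = (b2 >> 2) & 1, b2 & 3
        pos = 3
    else:
        raise ValueError("not a VEX/XOP prefix")
    opcode, modrm = code[pos], code[pos + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise NotImplementedError("memory operands are not handled in this example")
    regname = "ymm" if l else "xmm"     # VEX.L selects 128- or 256-bit registers
    ops = [f"{regname}{reg | (r << 3)}", f"{regname}{vvvv}", f"{regname}{rm | (b << 3)}"]
    mnem = OPCODES.get((m, pp, opcode), f"<{MAP_NAMES.get(m, m)} {opcode:02X}>")
    return {"prefix": "XOP" if p0 == 0x8F else "VEX", "map": m, "pp": pp, "W": w,
            "L": l, "vvvv": vvvv, "opcode": opcode, "length": pos + 2,
            "text": f"{mnem} {', '.join(ops)}"}


if __name__ == "__main__":
    for hexstr in ("C5F158CA", "C4E17158CA", "C5F558CA"):
        print(hexstr, "->", decode_vex(bytes.fromhex(hexstr))["text"])
```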
Sunday, October 21, 2012
Is the IDA Pro 6.3 SDK broken?
I tried to build a debug version of someplugin.plw and got the following from Visual Studio 2008:
Linking...
someplugin.obj : error LNK2001: unresolved external symbol _cmd
someplugin.obj : error LNK2001: unresolved external symbol _callui
someplugin.obj : error LNK2001: unresolved external symbol _ph
Btw, the release version builds successfully
Wednesday, October 17, 2012
pyside for ida pro 6.3
"We evaluated both PySide and PyQt and found that both bindings work fine with IDA Pro 6.0"
Well, that's good news.
The bad news is that fresh versions of shiboken and pyside from git can no longer be built for IDA 6.3 and qt-4.8.1.
Assume that we have the open-source edition of qt-4.8.1 built using the recommended options:
configure -release -platform win32-msvc2008 -no-qt3support -qtnamespace QT
I was able to build shiboken (see my patch below), but pyside just doesn't work - see my report
Patch for building shiboken:
Monday, October 15, 2012
wincheck rc8.27
Download mirror
Changelog:
- add dumping of PoRegisterPowerSettingCallback callbacks (-pofx option)
- add checking of storport!StorportExtensionTable
- add dumping of clients of the \PowerPort & \PowerMonitorPort ALPC ports (-alpc option, since Windows 7)
- some bugs were fixed
Thursday, October 11, 2012
building dynamorio
Prerequisites
Visual Studio 2008
Cmake 2.8.9
WDK 7.1
Details
It seems that cmake support is broken in the SVN source tree, so I decided to describe how to build it with Visual Studio 2008 under Windows XP 32-bit.
First you need to change NTDLL_LIBPATH in cmake to %WDKROOT%\lib\wxp\i386
Next you must add a CMAKE_ASM_SUPPORTS_INTEL_SYNTAX boolean variable to cmake and set it to TRUE
Now you can generate the project for vs2008, but it will be broken anyway. So next you must add the path to ntdll.lib to your Visual Studio: open the Tools->Options menu and add %WDKROOT%\lib\wxp\i386 under VC++ Directories->Library files
This is not the end of the story - it seems that the custom rules for building .obj files from .s are also broken, so you must compile them manually. Run the Visual Studio 2008 command prompt and type:
cd %dynamorio%\core
ml pre_inject_asm.s
ml x86_core.s
ml x86_noncore.s
copy pre_inject_asm.obj dynamorio.dir\Release
copy x86_core.obj drdecode.dir\Release
copy x86_core.obj dynamorio.dir\Release
copy x86_noncore.obj dynamorio.dir\Release
Wednesday, October 10, 2012
PoRegisterPowerSettingCallback callbacks
This documented function was introduced in Vista. Let's check how we can enumerate all registered callbacks.
It seems that all callbacks are stored in the linked list PopRegisteredPowerSettingCallbacks and synchronized with the fast mutex PopSettingLock.
The structure of a callback record can be easily recovered from this code (ripped from Vista):
push 34h ; size_t
push 0 ; int
push ebx ; void *
call _memset
mov eax, [ebp+Callback]
mov [ebx+8], esi
mov esi, [ebp+SettingGuid]
lea edi, [ebx+14h] ; 0x14 IID
movsd
movsd
movsd
movsd
mov esi, [ebp+SettingGuid]
mov [ebx+28h], eax ; 0x28 Callback
mov eax, [ebp+Context]
add esp, 0Ch
mov [ebx+2Ch], eax ; 0x2C Context
mov eax, [ebp+DeviceObject]
push esi
mov [ebx+30h], eax ; 0x30 DeviceObject
Tuesday, October 2, 2012
wincheck rc8.26
Download mirror
Changelog:
- add -emp option to show EmProviderRegister/EmpProviderRegister callbacks
- add checking of PNP & Power dispatch tables in pci.sys
- more support for Windows Server 2012
- some bugs were fixed