On Fri, 5 Nov 2010 13:56:55 +0200 Amr Thabet <amr.tha...@student.alx.edu.eg> wrote:
> >Why do you need to generate assembly code to compare Thread.ecx with
> >something? Is it that much faster?
> >You could simply put a function pointer in your structure, a pointer
> >to the value you want to compare, and the constant to compare to.
> >Then compare using C code, not assembly.
> >
> >.func = compare_values
> >.lhs = (char*)&Thread.ecx - (char*)&Thread
> >.rhs = 0x5678
> >
> >Then call ->func(bp->lhs, bp->rhs), and compare_values would
> >do *(uint32_t*)((char*)Thread + bp->lhs) == bp->rhs.
>
> why??
>
> because I don't need to decrease the performance. If you have a
> breakpoint like:
> "eip >=0x00401000 && eip <=0x00405000 && __isdirty(Eip) &&
> (__read(Eip) & 0xFF) != 0xC3"
>
> if I create a parser that parses these conditions every time you emulate an
> instruction, that will surely decrease the performance.

No, you don't have to parse the condition each time. You parse it once
and create a tree. When you need to evaluate, you evaluate the tree.

> also if you
> try to do something like that:
>
> process->emulatecommand();
>
> if (thread->Eip <= xxxx && Thread-> Eip >= xxx .... ){
> break;
> }
> you will lose many of the features of the emulator and could not

Using assembly like this is not portable. It will only work on x86 (and
with some work on x86-64). It won't work on Sparc.
Currently it doesn't seem to work on x86 either. The reason is you
allocate memory with malloc(), and then you execute it. That doesn't
work due to NX protection. You will have to allocate using mmap and
allow execution, but then SELinux won't allow your code to run (W^X
protection).
You're better off not emitting assembly on the fly.
On the other hand, why can't you use the emulator to execute the
assembly instructions you emit? (Sure, it'll be slower than the tree
approach I suggested above.)

> emulate the SEH perfectly and will surely decrease the performance

What features does SEH need from the debugger to work?

> surely, but the only thing I demand from you is to read the manual of the
> emulator in x86emu-docs.zip. It's not so big, maybe 5 pages to 10
> maximum I think

OK, I'll read it.

> it will make it easy for you to detect the bug, and maybe for small bugs you
> fix it by yourself :)
>
> libemu will take more time for you to add a PE Loader

I already wrote one, one month ago.

Best regards,
--Edwin
_______________________________________________
http://lurker.clamav.net/list/clamav-devel.html
Please submit your patches to our Bugzilla: http://bugs.clamav.net
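Edwin's "parse once, evaluate a tree" suggestion, as an added C example that is not code from this thread or from ClamAV: the breakpoint condition is compiled into a small tree when the breakpoint is set, and each emulated instruction only walks that tree, with registers addressed by their byte offset inside a constructed `Thread` struct (the `.lhs` offset idea from the quoted text). The `__isdirty`/`__read` intrinsics from Amr's example would be further node kinds calling into the emulator and are left out here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
typedef struct { uint32_t eip, ecx; } Thread; /* constructed stand-in for the emulator's thread state */

/* Condition-tree node kinds: two leaves (register, literal) and four operators. */
typedef enum { N_REG, N_CONST, N_AND, N_GE, N_LE, N_NE } NodeKind;
typedef struct Node {
    NodeKind kind;
    struct Node *l, *r; /* operands of N_AND / N_GE / N_LE / N_NE */
    size_t off;         /* N_REG: byte offset of the register inside Thread */
    uint32_t val;       /* N_CONST: literal operand */
} Node;

static Node *mk(NodeKind k, Node *l, Node *r, size_t off, uint32_t val) {
    Node *n = calloc(1, sizeof *n);
    if (!n) abort();
    n->kind = k; n->l = l; n->r = r; n->off = off; n->val = val;
    return n;
}
static Node *reg(size_t off) { return mk(N_REG, NULL, NULL, off, 0); }
static Node *lit(uint32_t v) { return mk(N_CONST, NULL, NULL, 0, v); }
static Node *op(NodeKind k, Node *l, Node *r) { return mk(k, l, r, 0, 0); }

/* Per-instruction hot path: walks the prebuilt tree; nothing is parsed here. */
static uint32_t eval(const Node *n, const Thread *t) {
    switch (n->kind) {
    case N_REG:   return *(const uint32_t *)((const char *)t + n->off);
    case N_CONST: return n->val;
    case N_AND:   return eval(n->l, t) && eval(n->r, t);
    case N_GE:    return eval(n->l, t) >= eval(n->r, t);
    case N_LE:    return eval(n->l, t) <= eval(n->r, t);
    case N_NE:    return eval(n->l, t) != eval(n->r, t);
    }
    return 0;
}

/* Built once when the breakpoint is set:
 *   eip >= 0x00401000 && eip <= 0x00405000 && ecx != 0x5678 */
Node *build_range_condition(void) {
    Node *lo = op(N_GE, reg(offsetof(Thread, eip)), lit(0x00401000));
    Node *hi = op(N_LE, reg(offsetof(Thread, eip)), lit(0x00405000));
    Node *cx = op(N_NE, reg(offsetof(Thread, ecx)), lit(0x5678));
    return op(N_AND, op(N_AND, lo, hi), cx);
}

/* Returns 1 if the breakpoint fires for this register state, else 0. */
int breakpoint_hit(const Node *cond, uint32_t eip, uint32_t ecx) {
    Thread t = { eip, ecx };
    return eval(cond, &t) ? 1 : 0;
}
```

Adding a new operator or intrinsic is one extra `NodeKind` and one `case` in `eval`, which is the point of keeping the condition as data rather than as freshly emitted machine code.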