Re: [Clamav-devel] clamav-devel Digest, Vol 73, Issue 3
On Fri, 5 Nov 2010 13:56:55 +0200 Amr Thabet wrote: > >Why do you need to generate assembly code to compare Thread.ecx with > >something? Is it that much faster? > >You could simply put a function pointer in your structure, a pointer > >to the value you want to compare, and the constant to compare to. > >Then compare using C code, not assembly. > > >.func = compare_values > >.lhs = (char*)&Thread.ecx - (char*)&Thread > >.rhs = 0x5678 > > >Then call ->func(bp->lhs, bp->rhs), and compare_values would > >do *(uint32_t*)((char*)Thread + bp->lhs) == bp->rhs. > > why?? > > because I don't need to decrease the performance . if you have a > breakpoint like : > "eip >=0x00401000 && eip <=0x00405000 && __isdirty(Eip) && > (__read(Eip) & 0xFF) != 0xC3" > > if I create a parser parses these condition every time you emulate an > instruction that's will decrease the performance surely. No, you don't have to parse the condition each time. You parse it once and create a tree. When you need to evaluate, you evaluate the tree. > also if you > try to do something like that : > > process->emulatecommand(); > > if (thread->Eip <= && Thread-> Eip >= xxx ){ > break; > } > you will lose many of the features of the emulator and could not Using assembly like this is not portable. It will only work on x86 (and with some work on x86-64). It won't work on Sparc. Currently it doesn't seem to work on x86 either. The reason is you allocate memory with malloc(), and then you execute it. That doesn't work due to NX protection. You will have to allocate using mmap and allow execution, but then SELinux won't allow your code to run (W^X protection). You're better off not emitting assembly on the fly. On the other hand, why can't you use the emulator to execute the assembly instructions you emit? (sure it'll be slower than tree approach I suggested above). > emulate the SEH perfectly and will surely decrease the performance What features does SEH need from the debugger to work? > > surely but I only demand from you is to read the Manual of The > emulator in x86emu-docs.zip it's not so big maybe 5 pages to 10 > maximum I think OK, I'll read it. > > it will make you easy to detect the bug and maybe for small bugs you > fix it by yourself :) > > libemu will take more time for you to add a PE Loader I already wrote one, one month ago. Best regards, --Edwin ___ http://lurker.clamav.net/list/clamav-devel.html Please submit your patches to our Bugzilla: http://bugs.clamav.net
Re: [Clamav-devel] clamav-devel Digest, Vol 73, Issue 3
Hello Mr.Edwin, >OK, so in that sense it is like libemu (they have the exports table >included in their code). it uses only the dlls that you need to emulate its apis but the others (like user32.dll and so on) you don't need them so you can not write a dll for them I don't know many about libemu but it seems good with one exception that it doesn't have a PELoader >Why do you need to generate assembly code to compare Thread.ecx with >something? Is it that much faster? >You could simply put a function pointer in your structure, a pointer to >the value you want to compare, and the constant to compare to. >Then compare using C code, not assembly. >.func = compare_values >.lhs = (char*)&Thread.ecx - (char*)&Thread >.rhs = 0x5678 >Then call ->func(bp->lhs, bp->rhs), and compare_values would >do *(uint32_t*)((char*)Thread + bp->lhs) == bp->rhs. why?? because I don't need to decrease the performance . if you have a breakpoint like : "eip >=0x00401000 && eip <=0x00405000 && __isdirty(Eip) && (__read(Eip) & 0xFF) != 0xC3" if I create a parser parses these condition every time you emulate an instruction that's will decrease the performance surely. also if you try to do something like that : process->emulatecommand(); if (thread->Eip <= && Thread-> Eip >= xxx ){ break; } you will lose many of the features of the emulator and could not emulate the SEH perfectly and will surely decrease the performance you can do that and ignore the debugger breakpoints but it's more faster and more easy to use and also the debugger has up to 10 functions for easy to add your own breakpoint like __isdirty(Eip) execution on Modified Data __islastaccessed() get the last accessed place on memory __isapiequal("GetProcAddress") __isapi() __islastmodified() and many more you will lose them if you try to ignore the debugger breakpoints >The code doesn't crash when run under valgrind (because it prints the >error, and continues). Once you fix the valgrind warnings I'm sure >it'll work better without it too. really we could fix most of the problems together :) >Another hint: valid indexes for Thread::dword Exx[7] are from 0 to 6, >you have for loops that go from 0 to 7 (inclusive). >You should review your code and make sure you declare and use >appropriate bounds. Will be fixed surely :) >I agree about the testing part, but bugfixing should be done by the >emulator's author. surely but I only demand from you is to read the Manual of The emulator in x86emu-docs.zip it's not so big maybe 5 pages to 10 maximum I think it will make you easy to detect the bug and maybe for small bugs you fix it by yourself :) libemu will take more time for you to add a PE Loader and add the functions you need for breakpoints and so on .. also Pokas x86 Emulator will take a time for bug fixing but surely less time I think Best Regards, Amr Thabet ___ http://lurker.clamav.net/list/clamav-devel.html Please submit your patches to our Bugzilla: http://bugs.clamav.net