Description
I am disassembling a driver which attempts to detect hypervisors by catching mishandled instructions. Part of this mechanism is to execute an instruction that looks like this: `lock sidt fword ptr [rcx]`. Notice the lock prefix making the instruction "Invalid". I am not exactly sure whether this instruction should be decodable, as it is not executable on any correctly working CPU.
Work environment
| Questions | Answers |
|---|---|
| System Capstone runs on OS/arch/bits | Windows x64 (latest Win10) |
| Capstone module affected | x86 |
| Source of Capstone | Vcpkg |
| Version/git commit | Latest Vcpkg (not sure which one) |
Instruction bytes giving faulty results
F0 0F 01 09
Expected results
It should be:
lock sidt fword ptr [rcx] (IDA)
Steps to get the wrong result
Using a compiler, compile a binary in which you manually encode the byte sequence F0 0F 01 09.
This is the assembly sequence I used:
```asm
__lock_sidt proc
    db 0F0h                 ; lock prefix, emitted as a raw byte
    sidt qword ptr [rcx]    ; 0F 01 09
    ret
__lock_sidt endp
```
Then just open cs in x86 mode and try to disasm it:
```c
#include <stdio.h>
#include <capstone/capstone.h>
#define output_error(msg) fputs(msg "\n", stderr)   /* stand-in for the reporter's own helper */
static void disasm_lock_sidt(const uint8_t* code, size_t size) {   /* code = F0 0F 01 09 */
    csh handle; cs_insn* insn = NULL;
    if (cs_open(CS_ARCH_X86, CS_MODE_64, &handle) != CS_ERR_OK) {
        output_error("Failed to initialize Capstone disassembler.");
        return;
    }
    cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
    size_t count = cs_disasm(handle, code, size, 0x1000, 0, &insn);   /* count 0 = decode everything */
    for (size_t i = 0; i < count; i++) printf("%s %s\n", insn[i].mnemonic, insn[i].op_str);
    if (count) cs_free(insn, count); cs_close(&handle);
}
```
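To make the decoding question in the description concrete, here is an added example that is neither the reporter's code nor part of Capstone: a deliberately small x86-64 prefix/opcode walker that reports whether a LOCK prefix is architecturally defined for the instruction it precedes. It covers the 0F 01 /r group that sidt belongs to plus a few lockable and non-lockable opcodes for contrast; the `decoded` struct, the `decode_lock_check` name and the opcode subset are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal view of one decoded x86-64 instruction. Constructed for this
 * example; it is not Capstone's cs_insn and models only a handful of opcodes. */
typedef struct {
    int ok;             /* 1 if the opcode was recognised */
    int has_lock;       /* an F0 (LOCK) prefix preceded the opcode */
    int lock_legal;     /* 1 only for RMW opcodes with a memory destination */
    const char *mnemonic;
} decoded;
/* 0F 01 /r (group 7) memory forms, indexed by ModRM.reg; entry 5 is unassigned. */
static const char *GROUP7[8] = {"sgdt","sidt","lgdt","lidt","smsw",NULL,"lmsw","invlpg"};
static int is_legacy_prefix(uint8_t b) {
    return b==0xF0 || b==0xF2 || b==0xF3 || b==0x66 || b==0x67 ||
           b==0x2E || b==0x36 || b==0x3E || b==0x26 || b==0x64 || b==0x65;
}
/* Walk prefixes, then classify the opcode. A LOCK prefix on anything the CPU
 * does not define it for (sidt included) raises #UD on real hardware. */
decoded decode_lock_check(const uint8_t *code, size_t n) {
    decoded d; memset(&d, 0, sizeof d);
    size_t i = 0;
    int lockable = 0, group7 = 0;
    uint8_t modrm = 0;
    while (i < n && is_legacy_prefix(code[i])) { if (code[i] == 0xF0) d.has_lock = 1; i++; }
    if (i < n && (code[i] & 0xF0) == 0x40) i++;                 /* REX (64-bit mode) */
    if (i >= n) return d;
    uint8_t op = code[i++];
    if (op == 0x0F) {                                            /* two-byte opcode map */
        if (i + 2 > n) return d;
        uint8_t op2 = code[i++]; modrm = code[i];
        if (op2 == 0x01)      { group7 = 1; d.mnemonic = GROUP7[(modrm >> 3) & 7]; }
        else if (op2 == 0xB1) { d.mnemonic = "cmpxchg"; lockable = 1; }
        else if (op2 == 0xC1) { d.mnemonic = "xadd";    lockable = 1; }
        else return d;
    } else {
        if (i >= n) return d;
        modrm = code[i];
        if (op == 0x01)      { d.mnemonic = "add";  lockable = 1; }
        else if (op == 0x87) { d.mnemonic = "xchg"; lockable = 1; }
        else if (op == 0x89) { d.mnemonic = "mov"; }             /* plain store: never lockable */
        else return d;
    }
    int mem = (modrm >> 6) != 3;
    if (!d.mnemonic || (group7 && !mem)) return d;              /* group-7 register forms not modelled */
    d.ok = 1; d.lock_legal = lockable && mem;                    /* F0 is #UD whenever lock_legal is 0 */
    return d;
}
```

For F0 0F 01 09 the walker returns sidt with has_lock set and lock_legal clear: the bytes are fully decodable, it is only execution that faults, which is the distinction the report is asking Capstone to make.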