```asm
MODRM_EAX_06 MACRO ;/* [EAX], with reg/opcode: /6 */
BYTE 030h
ENDM
```
What does byte `030h` do?
For additional info, this macro is used in

```asm
; void vmxPtrld(u64 addr)
VmxPtrld PROC StdCall _addr_low,_addr_high
mov eax,8
add eax,ebp
vmx_ptrld
MODRM_EAX_06
ret
VmxPtrld ENDP
```
I just want to understand what the macro does in the above code.
Upvotes: 2
Views: 261
Many opcodes are followed by a ModR/M byte, which is split into 3 portions: the top two bits are "Mod", the next three are "Reg", and the bottom three are "R/M".
The combination of the "Mod" and "R/M" portions specify a register and addressing mode; the "Reg" portion may specify another register, or, in some cases, may specify a further extension to the opcode.
In this case, the ModR/M byte looks like this:

```
 0 0   1 1 0   0 0 0
 \_/   \___/   \___/
 Mod    Reg     R/M
```
Mod bits of `00` and R/M bits of `000` mean an addressing mode of `[EAX]` (in 32-bit mode). The remaining Reg bits are `6` in decimal. Hence `MODRM_EAX_06`.
To fully understand what is going on in your example, you need to know what the `vmx_ptrld` macro does. Assuming that this is indeed what @sixlettervariables found, `vmx_ptrld` produces bytes `0F C7`.

`0F` is the first byte of a two-byte opcode. In many cases, the next byte will complete the opcode; but `C7` indicates that further bits must be read from the Reg field of the ModR/M byte to determine what the opcode is. So the final opcode is `0F` followed by `C7` followed by the `6` from the Reg field of the ModR/M byte, written as `0F C7 /6` in Intel's manuals (which can be found here).

`0F C7 /6` is `VMPTRLD`, so the real meaning of your routine is:

```asm
mov eax,8
add eax,ebp
vmptrld [eax]
ret
```
Presumably it has been written like this for the benefit of old assemblers which do not understand the (relatively recent) VMX instructions.
Upvotes: 5
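The decoding described in the answer above, as an added worked example (not code from the question, the answer, or bluepill): it splits a ModR/M byte into its Mod, Reg and R/M fields, names the 32-bit operand the Mod/R/M pair selects, and then uses the Reg field as the `/digit` opcode extension for a `0F C7` opcode. The `0F C7 /6` = `VMPTRLD` mapping is the one the answer gives; the other `/digit` entries (`/1` `CMPXCHG8B`, `/7` `VMPTRST`, and the register-operand forms `RDRAND`/`RDSEED`) are added from Intel's opcode map to show how both Reg and Mod can change which instruction the same two opcode bytes denote. SIB and displacement bytes are only named, not decoded.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fields of a ModR/M byte: mod (2 bits), reg (3 bits), r/m (3 bits). */
typedef struct {
    uint8_t mod, reg, rm;
} modrm_t;

modrm_t modrm_split(uint8_t b) {
    modrm_t m = { (uint8_t)(b >> 6), (uint8_t)((b >> 3) & 7), (uint8_t)(b & 7) };
    return m;
}

static const char *reg32[8] = { "eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi" };

/* Operand selected by mod + r/m in 32-bit addressing mode.
 * SIB and displacement bytes are named but not decoded here. */
const char *modrm_operand(modrm_t m, char *buf, size_t len) {
    switch (m.mod) {
    case 0:
        if (m.rm == 4)      snprintf(buf, len, "[SIB]");    /* a SIB byte follows */
        else if (m.rm == 5) snprintf(buf, len, "[disp32]"); /* absolute 32-bit address */
        else                snprintf(buf, len, "[%s]", reg32[m.rm]);
        break;
    case 1: snprintf(buf, len, "[%s+disp8]",  m.rm == 4 ? "SIB" : reg32[m.rm]); break;
    case 2: snprintf(buf, len, "[%s+disp32]", m.rm == 4 ? "SIB" : reg32[m.rm]); break;
    default: snprintf(buf, len, "%s", reg32[m.rm]); break;  /* mod=11: register operand */
    }
    return buf;
}

/* For opcode 0F C7 the Reg field is an opcode extension (/digit), and for
 * /6 and /7 the memory and register forms are different instructions. */
const char *opcode_0fc7(modrm_t m) {
    int is_mem = (m.mod != 3);
    switch (m.reg) {
    case 1: return is_mem ? "cmpxchg8b" : "(invalid)";
    case 6: return is_mem ? "vmptrld"   : "rdrand";   /* 0F C7 /6 m64 = VMPTRLD */
    case 7: return is_mem ? "vmptrst"   : "rdseed";
    default: return "(unknown /digit)";
    }
}

/* Disassemble the 3-byte sequence 0F C7 <modrm>; returns 0 on success. */
int disasm_0fc7(const uint8_t *code, char *buf, size_t len) {
    if (code[0] != 0x0F || code[1] != 0xC7) return -1;
    modrm_t m = modrm_split(code[2]);
    char op[32];
    snprintf(buf, len, "%s %s", opcode_0fc7(m), modrm_operand(m, op, sizeof op));
    return 0;
}

int main(void) {
    /* Constructed input: the bytes the vmx_ptrld and MODRM_EAX_06 macros emit. */
    const uint8_t code[] = { 0x0F, 0xC7, 0x30 };
    char out[64];
    modrm_t m = modrm_split(code[2]);
    printf("ModR/M 0x%02X: mod=%u reg=%u rm=%u\n", code[2], m.mod, m.reg, m.rm);
    if (disasm_0fc7(code, out, sizeof out) == 0)
        printf("%s\n", out);
    return 0;
}
```

Feeding it `0F C7 30` reports mod=0, reg=6, rm=0 and prints `vmptrld [eax]`, which is the instruction the answer arrives at; changing only the Mod bits to `11` (byte `F0`) turns the same opcode bytes into `rdrand eax`, which is why a disassembler must read Mod and Reg together before it can name the instruction.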
Looking at bluepill (which I guess is the code the OP is asking about), `vmx_ptrld` is also a macro, so

```asm
vmx_ptrld
MODRM_EAX_06
```
is a single instruction, `MODRM_EAX_06` being the data for the instruction.
Rationale: bluepill is a PoC exploit for virtualization. When it was written, apparently the assembler that was used didn't yet support virtualization-related instructions, so they got coded inline via macros.
Upvotes: 1
It looks like they're using this to generate instructions, and this is a mod r/m byte of an instruction.
Upvotes: 4