Reputation: 65
I'm trying to write a library (call it mylib.so) using the Capstone C++ library and LD_PRELOAD to find where the syscall instructions are located in a binary (this binary contains some syscalls written in inline assembly), and which syscalls those are (i.e. SYS_open, SYS_read, etc.).
I use the command LD_PRELOAD=mylib.so <target_program> to run a binary and do this binary analysis at "runtime", not statically.
I'm already able to find and disassemble the syscall instructions using libcapstone:
    ...
    /* pseudo code */
    csh handle;
    cs_insn *insn;
    /* code, size, addr: current pointer, remaining bytes and address of the mapped text */
    cs_open(CS_ARCH_X86, CS_MODE_64, &handle);
    cs_option(handle, CS_OPT_DETAIL, CS_OPT_ON);
    insn = cs_malloc(handle);            /* cs_disasm_iter() needs a buffer from cs_malloc() */
    while (cs_disasm_iter(handle, &code, &size, &addr, insn)) {
        /* then get operand information from 'insn->detail->x86.operands' */
    }
    cs_free(insn, 1);
But the problem is that I cannot identify what kind of syscall it is if the value moved into %rax is not an IMM operand. For example, if the disassembled result is:
    /* result is printed by printf(), the syntax may not be correct */
    ...
    mov rax, 39   --> store value 39 to rax
    syscall
I know this syscall is a getpid() since __NR_getpid == 39. But if the disassembled result is:
    ...
    // the assembly syntax here may not be correct, capstone returns:
    // op[0]->type == X86_OP_REG, op[0]->reg == X86_REG_RAX
    // op[1]->type == X86_OP_MEM, op[1]->mem.base == X86_REG_RSP, op[1]->mem.disp == 8
    mov rax, 0x8(rsp)   --> store value at address sp+8 to rax
    syscall
(sorry about the confusion in the assembly code above, I'm still learning assembly)
Here is my thought, please correct me if I'm wrong. I think it should be possible to get the value in this %rsp since the target binary should already be mapped in memory (but not yet running because of LD_PRELOAD).
I also assume the value of the %rsp in 0x8(%rsp) above is not the value of the "current" stack pointer when my capstone code is executing.
Am I understanding this correctly? How should I get the address that the RSP register is going to contain during the execution of this mov %rax, 0x8(%rsp) instruction?
Big thanks for any help!
Upvotes: 0
Views: 405
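The check the question is circling, as an added example that is not the asker's code: sweep a code buffer, remember the last instruction that defined rax, and at each syscall decide whether that definition was an immediate (number known statically) or a stack load such as [rsp+8] (number only exists once the program runs, so it has to be read at that point, not from the mapped image). To stay runnable without libcapstone it uses a hand-written decoder for just the five encodings involved, so the RAX_IMM / RAX_MEM_RSP distinction stands in for Capstone's X86_OP_IMM / X86_OP_MEM operand types; the byte string and the small number table are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* How the value sitting in rax at a syscall was produced (the static analogue of
 * checking the defining mov's source operand for X86_OP_IMM vs X86_OP_MEM). */
enum rax_src { RAX_UNKNOWN, RAX_IMM, RAX_MEM_RSP };
struct site { size_t off; enum rax_src src; long nr; int disp; };
static int32_t imm32(const uint8_t *p) { return (int32_t)(p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24); }

/* Decodes one instruction from the subset used in the question: mov eax,imm32 (B8 id),
 * mov rax,imm32 (48 C7 C0 id), xor eax,eax (31 C0), mov rax,[rsp+disp8] (48 8B 44 24 ib),
 * syscall (0F 05). Updates the tracked rax state and returns the length, or 0 if unknown. */
static size_t step(const uint8_t *p, size_t n, struct site *rax, int *is_syscall)
{
    *is_syscall = 0;
    if (n >= 2 && p[0] == 0x0F && p[1] == 0x05) { *is_syscall = 1; return 2; }
    if (n >= 5 && p[0] == 0xB8) { rax->src = RAX_IMM; rax->nr = imm32(p + 1); return 5; }
    if (n >= 2 && p[0] == 0x31 && p[1] == 0xC0) { rax->src = RAX_IMM; rax->nr = 0; return 2; }
    if (n >= 7 && p[0] == 0x48 && p[1] == 0xC7 && p[2] == 0xC0) { rax->src = RAX_IMM; rax->nr = imm32(p + 3); return 7; }
    if (n >= 5 && p[0] == 0x48 && p[1] == 0x8B && p[2] == 0x44 && p[3] == 0x24) {
        rax->src = RAX_MEM_RSP; rax->disp = (int8_t)p[4]; return 5;   /* operand lives on the stack: run-time only */
    }
    return 0;
}

/* Linear sweep: one record per syscall, carrying the last definition of rax seen before it. */
size_t scan_syscalls(const uint8_t *code, size_t len, struct site *out, size_t max)
{
    struct site rax = { 0, RAX_UNKNOWN, -1, 0 }; size_t off = 0, found = 0;
    while (off < len) {
        int sc; size_t k = step(code + off, len - off, &rax, &sc);
        if (k == 0) { rax.src = RAX_UNKNOWN; off++; continue; }      /* undecoded byte: stop trusting rax */
        if (sc && found < max) { out[found] = rax; out[found++].off = off; }
        if (sc) rax.src = RAX_UNKNOWN;                                /* the kernel returns the result in rax */
        off += k;
    }
    return found;
}

const char *syscall_name(long nr) {   /* a few x86-64 numbers from asm/unistd_64.h */
    switch (nr) { case 0: return "read"; case 1: return "write"; case 2: return "open";
                  case 39: return "getpid"; case 60: return "exit"; default: return "?"; } }

/* Constructed sample: mov eax,39; syscall; mov rax,[rsp+8]; syscall; xor eax,eax; syscall; mov rax,60; syscall */
const uint8_t sample_code[] = { 0xB8,0x27,0,0,0, 0x0F,0x05, 0x48,0x8B,0x44,0x24,0x08, 0x0F,0x05,
                                0x31,0xC0, 0x0F,0x05, 0x48,0xC7,0xC0,0x3C,0,0,0, 0x0F,0x05 };

int main(void) {   /* stand-alone run: one line per syscall in the constructed sample */
    struct site s[8]; size_t n = scan_syscalls(sample_code, sizeof sample_code, s, 8);
    for (size_t i = 0; i < n; i++)
        printf("+%zu syscall: %s\n", s[i].off, s[i].src == RAX_IMM ? syscall_name(s[i].nr)
               : s[i].src == RAX_MEM_RSP ? "number loaded from [rsp+disp], resolve at run time" : "number unknown");
    return 0; }
```

On the sample this resolves getpid, read and exit statically and reports the second syscall as unresolvable, which is exactly the case where a run-time hook (reading rax when that syscall is reached) is the only way to get the number.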