bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
APACHE-2.0 License
Fixed UBSan warnings + some other warnings.
Published by vlutas 5 months ago
Unaligned load fix, as reported by UBSAN.
Published by vlutas 7 months ago
Published by vlutas 8 months ago
NF and ZU indications, using finite set notation for DFV operands.
ZU indication is appended as a mnemonic suffix, as per recommendations. However, in case of SETcc instructions, BDDISASM will append the ZU indication AFTER the condition code (similar to CMPccXADD and with initial SETcc.ZU specification).
DFV (default flags value) operand obeys the finite set notation, but it is placed as the last operand of the instruction.
Read access for the rIP operand for the SYSCALL instruction.
SCS, rCX, rDX operands for the SYSEXIT instruction.
Read access for the rIP operand for some CALL instructions.
Published by vlutas 8 months ago
Added support in BDDISASM for multiple new Intel extensions: REX2, APX, USERMSR.
Added support in BDSHEMU for some REX2 and APX instructions.
Added support in BDSHEMU for loop tracking & direct shellcode emulation.
Reduced the size of the INSTRUX structure, and improved decoding performance.
New decoding option allows implicit operands to be skipped during decoding.
Re-worked the Python isagenerator scripts.
More info about the changes in this version can be consulted in the CHANGELOG.
Published by vlutas over 1 year ago
Added support for Intel AMX-COMPLEX instructions.
Added support for AMD RMPQUERY instruction.
Added support for new Intel instructions, per Intel ISA extensions document #319433-046 (September 2022): PREFETCHITI, RAO-INT, CMPCCXADD, WRMSRNS, MSRLIST, AMX-FP16, AVX-IFMA, AVX-NE-CONVERT, AVX-VNNI-INT8.
Switched to a more parsing-friendly format for the instructions database, where individual components are separated by a semicolon.
Improved comments & improved vector length specifiers.
Published by vlutas almost 3 years ago
Published by vlutas almost 3 years ago
Support for RDTSC in bdshemu.
Implemented a reverse operand lookup table. It holds pointers to relevant operands inside INSTRUX, for quick lookup.
Moved helper functions in bdhelpers.c.
Added a dedicated BranchInfo field inside INSTRUX, containing the most relevant branch information.
Published by vlutas about 3 years ago
Multiple improvements
Published by vlutas about 3 years ago
v1.34.2
New shellcode flag - call to Wow32 reserved.
New shellcode flag - heaven's gate.
New shellcode flag - stack-pivot.
Moved bdshemu tests into a password-protected zip file, so they don't trigger AV detections.
Fixed an emulation bug for MOVZX and MOVSX instructions (https://github.com/bitdefender/bddisasm/issues/48)
Fixed NEG emulation - make sure flags are set.
Added new shemu flag: SHEMU_FLAG_SUD_ACCESS is raised whenever the code accesses the SharedUserData page.
Published by vlutas over 3 years ago
Published by ianichitei over 3 years ago
nd_vsnprintf_s and nd_memset (the old behavior can be enabled at build time)
find_package/add_subdirectory/FetchContent and link against bddisasm::bddisasm or bddisasm::bdshemu
Published by vlutas over 3 years ago
Fixed RFLAGS setting issues for arithmetic and shift instructions.
Published by vlutas over 3 years ago
Added support for AESDEC, AESDECLAST and AESIMC emulation in bdshemu
https://github.com/bitdefender/bddisasm/issues/34
https://github.com/bitdefender/bddisasm/issues/35
https://github.com/bitdefender/bddisasm/issues/36
https://github.com/bitdefender/bddisasm/issues/37
https://github.com/bitdefender/bddisasm/issues/38
Published by vlutas almost 4 years ago
On AMD, operand size is never forced to 64-bit; instead, it only defaults to 64-bit, which means that the 0x66 prefix can be used to encode the 16-bit version of these instructions. By supplying the ND_VEND_AMD vendor hint, bddisasm will report the operand size specific to AMD.
Added missing Default 64 flag for the ENTER instruction.
Fixed INTO and DMINT decoding in 64-bit mode (they are invalid there).
Published by vlutas almost 4 years ago
Initial bddisasm release.