Hermes/Dyforge is a program written in C++ that allows you to inject a DLL which can analyze all processes in a program; it can be used for modding and reverse engineering.
| 1 | /* Capstone Disassembly Engine */ |
| 2 | /* BPF Backend by david942j <david942j@gmail.com>, 2019 */ |
| 3 | /* SPDX-FileCopyrightText: 2024 Roee Toledano <roeetoledano10@gmail.com> */ |
| 4 | /* SPDX-License-Identifier: BSD-3 */ |
| 5 | |
| 6 | #ifndef CAPSTONE_BPF_H |
| 7 | #define CAPSTONE_BPF_H |
| 8 | |
| 9 | #ifdef __cplusplus |
| 10 | extern "C" { |
| 11 | #endif |
| 12 | |
| 13 | #include "platform.h" |
| 14 | #include "cs_operand.h" |
| 15 | |
| 16 | #ifdef _MSC_VER |
| 17 | #pragma warning(disable : 4201) |
| 18 | #endif |
| 19 | |
| 20 | #define NUM_BPF_OPS 3 |
/// Operand type for instruction's operands.
/// The generic kinds reuse the architecture-independent CS_OP_* values, so a
/// caller may test a BPF operand against CS_OP_REG/CS_OP_IMM/CS_OP_MEM directly;
/// the BPF-specific kinds are carved out of the CS_OP_SPECIAL range.
/// Each kind names which member of the cs_bpf_op union holds the value.
typedef enum bpf_op_type {
	BPF_OP_INVALID = CS_OP_INVALID, ///< uninitialized or unknown operand
	BPF_OP_REG = CS_OP_REG, ///< register operand (cs_bpf_op.reg)
	BPF_OP_IMM = CS_OP_IMM, ///< immediate operand (cs_bpf_op.imm)
	BPF_OP_OFF = CS_OP_SPECIAL + 0, ///< offset operand, used in jump & call (cs_bpf_op.off)
	BPF_OP_MSH = CS_OP_SPECIAL + 1, ///< corresponds to cBPF's BPF_MSH mode (cs_bpf_op.msh)
	BPF_OP_EXT = CS_OP_SPECIAL + 2, ///< cBPF's extension (not eBPF) (cs_bpf_op.ext)
	BPF_OP_MMEM = CS_OP_MEM | (CS_OP_SPECIAL + 3), ///< M[k] in cBPF (cs_bpf_op.mmem); OR'ed with CS_OP_MEM
	BPF_OP_MEM = CS_OP_MEM, ///< memory operand (cs_bpf_op.mem)
} bpf_op_type;
| 32 | |
/// BPF registers.
/// One register space covers both dialects: A and X belong to classic BPF
/// (cBPF), R0-R10 to eBPF. A BPF_OP_REG operand stores one of these values
/// in cs_bpf_op.reg.
typedef enum bpf_reg {
	BPF_REG_INVALID = 0, ///< no/unknown register

	/// cBPF
	BPF_REG_A,
	BPF_REG_X,

	/// eBPF
	BPF_REG_R0,
	BPF_REG_R1,
	BPF_REG_R2,
	BPF_REG_R3,
	BPF_REG_R4,
	BPF_REG_R5,
	BPF_REG_R6,
	BPF_REG_R7,
	BPF_REG_R8,
	BPF_REG_R9,
	BPF_REG_R10,

	BPF_REG_ENDING, ///< sentinel: one past the last valid register, not a register itself
} bpf_reg;
| 56 | |
/// Instruction's operand referring to memory.
/// This is associated with the BPF_OP_MEM operand type above (cs_bpf_op.mem).
/// The displacement is stored as an unsigned 32-bit value; whether it is to be
/// read as signed is reported separately by cs_bpf_op.is_signed, which the
/// engine sets for memory operands.
typedef struct bpf_op_mem {
	bpf_reg base; ///< base register
	uint32_t disp; ///< offset value (raw bits; see cs_bpf_op.is_signed)
} bpf_op_mem;
| 63 | |
/// Kind of cBPF extension referenced by a BPF_OP_EXT operand.
/// NOTE(review): presumably stored in cs_bpf_op.ext — confirm against the disassembler.
typedef enum bpf_ext_type {
	BPF_EXT_INVALID = 0, ///< no/unknown extension

	BPF_EXT_LEN, ///< presumably cBPF's `len` extension — confirm against the disassembler
} bpf_ext_type;
| 69 | |
/// Instruction operand.
/// `type` selects which member of the anonymous union is meaningful; the other
/// members hold whatever the engine last wrote there and must not be read.
/// The integer members are stored unsigned — consult is_signed before
/// interpreting imm, off or mem.disp as a negative quantity.
typedef struct cs_bpf_op {
	bpf_op_type type; ///< operand kind; selects the valid union member below
	union {
		uint8_t reg; ///< register value for REG operand (presumably a bpf_reg value — confirm with the disassembler)
		uint64_t imm; ///< immediate value for IMM operand
		uint32_t off; ///< offset value, used in jump & call
		bpf_op_mem mem; ///< base/disp value for MEM operand
		/* cBPF only */
		uint32_t mmem; ///< M[k] in cBPF
		uint32_t msh; ///< corresponds to cBPF's BPF_MSH mode
		uint32_t ext; ///< cBPF's extension (not eBPF); presumably a bpf_ext_type value
	};

	bool is_signed; ///< is this operand signed? It is set for memory, immediate and offset operands.
	bool is_pkt; ///< is this operand referring to packet data? It is set for memory operands.
	/// How is this operand accessed? (READ, WRITE or READ|WRITE)
	/// This field is a bitmask combined from cs_ac_type values.
	/// NOTE: this field is irrelevant if the engine is compiled in DIET mode.
	uint8_t access;
} cs_bpf_op;
| 91 | |
/// Instruction structure: the BPF-specific detail of one decoded instruction.
typedef struct cs_bpf {
	uint8_t op_count; ///< number of valid entries at the front of operands[]
	/// Operand list; only the first op_count entries are meaningful.
	/// NOTE(review): NUM_BPF_OPS above is 3 while this array holds 4 entries —
	/// confirm which is the intended maximum. A consumer iterating operands
	/// should bound the loop by both op_count and the array size rather than
	/// trusting op_count alone.
	cs_bpf_op operands[4];
} cs_bpf;
| 97 | |
/// BPF instruction identifiers.
/// Entries are grouped by instruction class; the "eBPF only" / "cBPF only"
/// tags say which dialect uses the mnemonic. The alias entries after
/// BPF_INS_ENDING give the cBPF mnemonics the same numeric value as their
/// eBPF counterpart, so they do not extend the enumeration and do not
/// affect BPF_INS_ENDING.
typedef enum bpf_insn {
	BPF_INS_INVALID = 0,

	/// ALU
	BPF_INS_ADD,
	BPF_INS_SUB,
	BPF_INS_MUL,
	BPF_INS_DIV,
	BPF_INS_SDIV,
	BPF_INS_OR,
	BPF_INS_AND,
	BPF_INS_LSH,
	BPF_INS_RSH,
	BPF_INS_NEG,
	BPF_INS_MOD,
	BPF_INS_SMOD,
	BPF_INS_XOR,
	BPF_INS_MOV, ///< eBPF only
	BPF_INS_MOVSB, ///< eBPF only
	BPF_INS_MOVSH, ///< eBPF only
	BPF_INS_ARSH, ///< eBPF only

	/// ALU64, eBPF only
	BPF_INS_ADD64,
	BPF_INS_SUB64,
	BPF_INS_MUL64,
	BPF_INS_DIV64,
	BPF_INS_SDIV64,
	BPF_INS_OR64,
	BPF_INS_AND64,
	BPF_INS_LSH64,
	BPF_INS_RSH64,
	BPF_INS_NEG64,
	BPF_INS_MOD64,
	BPF_INS_SMOD64,
	BPF_INS_XOR64,
	BPF_INS_MOV64,
	BPF_INS_MOVSB64,
	BPF_INS_MOVSH64,
	BPF_INS_MOVSW64,
	BPF_INS_ARSH64,

	/// Byteswap, eBPF only
	BPF_INS_LE16,
	BPF_INS_LE32,
	BPF_INS_LE64,
	BPF_INS_BE16,
	BPF_INS_BE32,
	BPF_INS_BE64,
	BPF_INS_BSWAP16,
	BPF_INS_BSWAP32,
	BPF_INS_BSWAP64,

	/// Load
	BPF_INS_LDW, ///< eBPF only (cBPF spells it BPF_INS_LD, see aliases below)
	BPF_INS_LDH,
	BPF_INS_LDB,
	BPF_INS_LDDW, ///< eBPF only: load 64-bit imm
	BPF_INS_LDXW, ///< eBPF only (cBPF spells it BPF_INS_LDX, see aliases below)
	BPF_INS_LDXH, ///< eBPF only
	BPF_INS_LDXB, ///< eBPF only
	BPF_INS_LDXDW, ///< eBPF only
	/// Packet data access
	BPF_INS_LDABSW, ///< eBPF only
	BPF_INS_LDABSH, ///< eBPF only
	BPF_INS_LDABSB, ///< eBPF only
	BPF_INS_LDINDW, ///< eBPF only
	BPF_INS_LDINDH, ///< eBPF only
	BPF_INS_LDINDB, ///< eBPF only

	/// Store
	BPF_INS_STW, ///< eBPF only (cBPF spells it BPF_INS_ST, see aliases below)
	BPF_INS_STH, ///< eBPF only
	BPF_INS_STB, ///< eBPF only
	BPF_INS_STDW, ///< eBPF only
	BPF_INS_STXW, ///< eBPF only (cBPF spells it BPF_INS_STX, see aliases below)
	BPF_INS_STXH, ///< eBPF only
	BPF_INS_STXB, ///< eBPF only
	BPF_INS_STXDW, ///< eBPF only
	BPF_INS_XADDW, ///< eBPF only
	BPF_INS_XADDDW, ///< eBPF only

	/// Jump
	BPF_INS_JA,
	BPF_INS_JEQ,
	BPF_INS_JGT,
	BPF_INS_JGE,
	BPF_INS_JSET,
	BPF_INS_JNE, ///< eBPF only
	BPF_INS_JSGT, ///< eBPF only
	BPF_INS_JSGE, ///< eBPF only
	BPF_INS_CALL, ///< eBPF only
	BPF_INS_CALLX, ///< eBPF only
	BPF_INS_EXIT, ///< eBPF only
	BPF_INS_JLT, ///< eBPF only
	BPF_INS_JLE, ///< eBPF only
	BPF_INS_JSLT, ///< eBPF only
	BPF_INS_JSLE, ///< eBPF only

	/// Jump32, eBPF only
	BPF_INS_JAL,
	BPF_INS_JEQ32,
	BPF_INS_JGT32,
	BPF_INS_JGE32,
	BPF_INS_JSET32,
	BPF_INS_JNE32,
	BPF_INS_JSGT32,
	BPF_INS_JSGE32,
	BPF_INS_JLT32,
	BPF_INS_JLE32,
	BPF_INS_JSLT32,
	BPF_INS_JSLE32,

	/// Return, cBPF only
	BPF_INS_RET,

	/// Atomic, eBPF only
	BPF_INS_AADD,
	BPF_INS_AOR,
	BPF_INS_AAND,
	BPF_INS_AXOR,
	BPF_INS_AFADD,
	BPF_INS_AFOR,
	BPF_INS_AFAND,
	BPF_INS_AFXOR,

	/// Atomic 64-bit, eBPF only
	BPF_INS_AXCHG64,
	BPF_INS_ACMPXCHG64,
	BPF_INS_AADD64,
	BPF_INS_AOR64,
	BPF_INS_AAND64,
	BPF_INS_AXOR64,
	BPF_INS_AFADD64,
	BPF_INS_AFOR64,
	BPF_INS_AFAND64,
	BPF_INS_AFXOR64,

	/// Misc, cBPF only
	BPF_INS_TAX,
	BPF_INS_TXA,

	BPF_INS_ENDING, ///< sentinel: one past the last distinct instruction id

	// alias instructions: cBPF mnemonics sharing the value of their eBPF
	// counterpart (explicit values, so BPF_INS_ENDING is unaffected)
	BPF_INS_LD = BPF_INS_LDW, ///< cBPF only
	BPF_INS_LDX = BPF_INS_LDXW, ///< cBPF only
	BPF_INS_ST = BPF_INS_STW, ///< cBPF only
	BPF_INS_STX = BPF_INS_STXW, ///< cBPF only
} bpf_insn;
| 249 | |
/// Group of BPF instructions.
/// BPF_GRP_INVALID is numerically equal to CS_GRP_INVALID; the remaining
/// groups are BPF-specific and are tagged where only one dialect uses them.
typedef enum bpf_insn_group {
	BPF_GRP_INVALID = 0, ///< = CS_GRP_INVALID

	BPF_GRP_LOAD,
	BPF_GRP_STORE,
	BPF_GRP_ALU,
	BPF_GRP_JUMP,
	BPF_GRP_CALL, ///< eBPF only
	BPF_GRP_RETURN,
	BPF_GRP_MISC, ///< cBPF only

	BPF_GRP_ENDING, ///< sentinel: one past the last valid group, not a group itself
} bpf_insn_group;
| 264 | |
| 265 | #ifdef __cplusplus |
| 266 | } |
| 267 | #endif |
| 268 | |
| 269 | #endif |
| 270 |