filter out lib calls

2025-12-06 10:46:42 +01:00 · 2025-02-20 02:14:00 +02:00 · 2025-02-20 02:14:00 +02:00 · 48da19f7d5
commit 48da19f7d5
parent e5baca6c31
1 changed files with 31 additions and 22 deletions
--- a/crates/vestal/src/main.rs
+++ b/crates/vestal/src/main.rs
@ -56,33 +56,42 @@ impl Vestal {
                ep_off);
            if dll_path.as_ref() == path {
                let buf          = dll.get_buffer();
-                //println!("{:?}\n", &buf[0..128]);
-                //println!("{:?}\n", &buf[0x000c8900..0x000c8900+128].hex_dump());
-                //println!("{:?}",   &buf[0x000c9500..0x000c9500+128].hex_dump());
                let section      = dll.get_section_by_name(".text")?;
                let section_ptr  = section.pointer_to_raw_data.0 as usize;
                let section_len  = section.size_of_raw_data as usize;
-                //println!("{section:?}");
-                //println!("{:?}\n", &buf[section_ptr..section_ptr+128].hex_dump());
-                //println!("{:?}", &buf[ep_off.0 as usize..ep_off.0 as usize+128].hex_dump());
                let section_data = &buf[section_ptr..section_ptr+section_len];
-                println!("0x{:x}", section_data.len());
                let mut decoder  = iced_x86::Decoder::with_ip(64, section_data, 0, 0);
                while decoder.can_decode() {
                    let position = decoder.position();
                    let instruction = decoder.decode();
-                    let opcodes = &section_data[position..position+instruction.len()].iter().map(|x|format!("{x:>02x}")).collect::<Vec<_>>().join(" ");
+                    let opcodes = &section_data[position..position+instruction.len()];
                    //println!("0x{position:08x} {opcodes:32} {instruction}");
-                    if instruction.is_call_far() {
+                    if (instruction.flow_control() == iced_x86::FlowControl::IndirectBranch
+                    || instruction.flow_control() == iced_x86::FlowControl::IndirectCall)
+                    && instruction.op0_kind() == iced_x86::OpKind::Memory {
+                        match opcodes[0] {
+                            0xff => match opcodes[1] {
+                                0x10 | 0x12 | 0x13 | 0x50 | 0x52 | 0x53 | 0x55 | 0x56 | 0x57 |
+                                0x60 | 0x90 | 0x92 | 0x93 | 0x94 | 0x97 => continue,
+                                _ => {},
+                            },
+                            0x41 | 0x42 | 0x43 | 0x49 => match opcodes[1] {
+                                0xff => continue,
+                                _ => {},
+                            },
+                            0x48 => match opcodes[2] {
+                                0x20 | 0x60 | 0x62 | 0xa0 | 0xa2 => continue,
+                                _ => {},
+                            },
+                            _ => {}
+                        }
+                        let offset = (position + section_ptr) as u32;
+                        println!("0x{:08x} (0x{:08x}) {:32} {instruction}",
+                            position + section_ptr,
+                            dll.offset_to_rva(Offset(offset))?.0,
+                            opcodes.iter().map(|x|format!("{x:>02x}")).collect::<Vec<_>>().join(" "));
                        //println!("0x{:08x} {}", decoder.position(), instruction);
-                    } else if instruction.is_call_far_indirect() {
-                        //println!("0x{:08x} {}", decoder.position(), instruction);
-                    } else if instruction.is_call_near() {
-                        //println!("0x{:08x} {}", decoder.position(), instruction);
-                    } else if instruction.is_call_near_indirect() {
-                        println!("0x{:08x} {opcodes:32} {instruction}", position+section_ptr);
-                        //println!("0x{:08x} {}", decoder.position(), instruction);
-                        return Ok(())
+                        //return Ok(())
                    }
                }
            }