From 19e7cec8cce4a0068f6db04b6d3680c078183002 Mon Sep 17 00:00:00 2001
From: Stephen Eckels
Date: Wed, 31 Jul 2024 23:04:27 -0400
Subject: [PATCH] Update ZydisDisassembler.hpp

---
 polyhook2/ZydisDisassembler.hpp | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/polyhook2/ZydisDisassembler.hpp b/polyhook2/ZydisDisassembler.hpp
index e597af1..e5e4726 100644
--- a/polyhook2/ZydisDisassembler.hpp
+++ b/polyhook2/ZydisDisassembler.hpp
@@ -58,24 +58,11 @@ class ZydisDisassembler {
 	}
 	static bool isFuncEnd(const PLH::Instruction& instruction, const bool firstFunc = false) {
-		// TODO: more?
-		/*
-		 * 0xABABABAB : Used by Microsoft's HeapAlloc() to mark "no man's land" guard bytes after allocated heap memory
-		 * 0xABADCAFE : A startup to this value to initialize all free memory to catch errant pointers
-		 * 0xBAADF00D : Used by Microsoft's LocalAlloc(LMEM_FIXED) to mark uninitialised allocated heap memory
-		 * 0xBADCAB1E : Error Code returned to the Microsoft eVC debugger when connection is severed to the debugger
-		 * 0xBEEFCACE : Used by Microsoft .NET as a magic number in resource files
-		 * 0xCCCCCCCC : Used by Microsoft's C++ debugging runtime library to mark uninitialised stack memory
-		 * 0xCDCDCDCD : Used by Microsoft's C++ debugging runtime library to mark uninitialised heap memory
-		 * 0xDDDDDDDD : Used by Microsoft's C++ debugging heap to mark freed heap memory
-		 * 0xDEADDEAD : A Microsoft Windows STOP Error code used when the user manually initiates the crash.
-		 * 0xFDFDFDFD : Used by Microsoft's C++ debugging heap to mark "no man's land" guard bytes before and after allocated heap memory
-		 * 0xFEEEFEEE : Used by Microsoft's HeapFree() to mark freed heap memory
-		 */
 		std::string mnemonic = instruction.getMnemonic();
 		auto bytes = instruction.getBytes();
 		return (instruction.size() == 1 && bytes[0] == 0xCC) ||
-			(instruction.size() >= 2 && bytes[0] == 0xf3 && bytes[1] == 0xc3) ||
+			(instruction.size() >= 2 && bytes[0] == 0xf3 && bytes[1] == 0xc3) || // rep ret
+			(instruction.size() >= 2 && bytes[0] == 0xf2 && bytes[1] == 0xc3) || // bnd ret for Intel mpx
 			(mnemonic == "jmp" && !firstFunc) || // Jump to tranlslation
 			mnemonic == "ret" ||
 			mnemonic.find("iret") == 0;
 	}
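Review bot: The added `0xf2 0xc3` test matches only the exact two-byte form of `bnd ret`, so `bnd ret imm16` (`f2 c2 xx xx`) and any encoding where another legacy prefix precedes `f2` still fall through to the `mnemonic == "ret"` check two lines below; if `getMnemonic()` already returns `ret` for prefixed returns (Zydis's mnemonic string does not include prefixes, as far as I can tell — worth confirming against `Instruction::getMnemonic`), both raw-byte `ret` lines are redundant and could be dropped, and if it does not, the prefix should be taken from the decoded instruction rather than `bytes[0]`. Either way, please state which case applies in the comment, e.g. `// bnd/rep ret: getMnemonic() reports the prefixed form, so match the raw bytes`. Minor style: the new literals use lowercase hex (`0xf2`, `0xc3`) next to `0xCC` on the line above — pick one casing. The misspelling `tranlslation` on the context line is cheap to fix while this function is being touched.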