Disassemble multiple instructions at once.

KN4CK3R · KN4CK3R · commit 37f91bb473ee · 2017-11-28T23:14:11.000+01:00
diff --git a/NativeCore/Shared/DistormHelper.cpp b/NativeCore/Shared/DistormHelper.cpp
@@ -7,18 +7,18 @@ extern "C"
 #include <../src/instructions.h>
 }
 
-bool AreOperandsStatic(_DInst *instruction, const int prefixLength)
+bool AreOperandsStatic(const _DInst &instruction, const int prefixLength)
 {
-	const auto fc = META_GET_FC(instruction->meta);
+	const auto fc = META_GET_FC(instruction.meta);
 	if (fc == FC_UNC_BRANCH || fc == FC_CND_BRANCH)
 	{
-		if (instruction->size - prefixLength < 5)
+		if (instruction.size - prefixLength < 5)
 		{
 			return true;
 		}
 	}
 
-	const auto ops = instruction->ops;
+	const auto ops = instruction.ops;
 	for (auto i = 0; i < OPERANDS_NO; i++)
 	{
 		switch (ops[i].type)
@@ -37,7 +37,7 @@ bool AreOperandsStatic(_DInst *instruction, const int prefixLength)
 		case O_DISP:
 		case O_SMEM:
 		case O_MEM:
-			if (instruction->dispSize < 32)
+			if (instruction.dispSize < 32)
 			{
 				continue;
 			}
@@ -58,12 +58,12 @@ bool AreOperandsStatic(_DInst *instruction, const int prefixLength)
 	return true;
 }
 
-int GetStaticInstructionBytes(_DInst *instruction, const uint8_t *data)
+int GetStaticInstructionBytes(const _DInst &instruction, const uint8_t *data)
 {
 	_CodeInfo info = {};
 	info.codeOffset = reinterpret_cast<_OffsetType>(data);
 	info.code = data;
-	info.codeLen = instruction->size;
+	info.codeLen = instruction.size;
 	info.features = DF_NONE;
 #ifdef RECLASSNET32
 	info.dt = Decode32Bits;
@@ -88,13 +88,13 @@ int GetStaticInstructionBytes(_DInst *instruction, const uint8_t *data)
 
 	if (AreOperandsStatic(instruction, prefixLength))
 	{
-		return instruction->size;
+		return instruction.size;
 	}
 
-	return instruction->size - info.codeLen;
+	return instruction.size - info.codeLen;
 }
 
-bool DisassembleCodeImpl(const RC_Pointer address, const RC_Size length, const RC_Pointer virtualAddress, const bool determineStaticInstructionBytes, InstructionData* instruction)
+_CodeInfo CreateCodeInfo(const RC_Pointer address, const RC_Size length, const RC_Pointer virtualAddress)
 {
 	_CodeInfo info = {};
 	info.codeOffset = reinterpret_cast<_OffsetType>(virtualAddress);
@@ -108,50 +108,85 @@ bool DisassembleCodeImpl(const RC_Pointer address, const RC_Size length, const R
 	info.dt = Decode64Bits;
 #endif
 
-	_DInst decodedInstructions[1] = {};
-	unsigned int instructionCount = 0;
-
-	const auto res = distorm_decompose(&info, decodedInstructions, 1, &instructionCount);
-	if (res == DECRES_INPUTERR || !(res == DECRES_SUCCESS || res == DECRES_MEMORYERR) || instructionCount != 1)
-	{
-		return false;
-	}
-
-	_DecodedInst instructionInfo = {};
-	distorm_format(&info, &decodedInstructions[0], &instructionInfo);
+	return info;
+}
 
-	instruction->Length = instructionInfo.size;
-	std::memcpy(instruction->Data, address, instructionInfo.size);
+void FillInstructionData(const RC_Pointer address, const _DInst& instruction, const _DecodedInst& instructionInfo, const bool determineStaticInstructionBytes, InstructionData* data)
+{
+	data->Length = instructionInfo.size;
+	std::memcpy(data->Data, address, instructionInfo.size);
 
 	MultiByteToUnicode(
 		reinterpret_cast<const char*>(instructionInfo.mnemonic.p),
-		instruction->Instruction,
+		data->Instruction,
 		instructionInfo.mnemonic.length
 	);
 	if (instructionInfo.operands.length != 0)
 	{
-		instruction->Instruction[instructionInfo.mnemonic.length] = ' ';
+		data->Instruction[instructionInfo.mnemonic.length] = ' ';
 
 		MultiByteToUnicode(
 			reinterpret_cast<const char*>(instructionInfo.operands.p),
 			0,
-			instruction->Instruction,
+			data->Instruction,
 			instructionInfo.mnemonic.length + 1,
 			std::min<int>(64 - 1 - instructionInfo.mnemonic.length, instructionInfo.operands.length)
 		);
 	}
 
 	if (determineStaticInstructionBytes)
 	{
-		instruction->StaticInstructionBytes = GetStaticInstructionBytes(
-			&decodedInstructions[0],
+		data->StaticInstructionBytes = GetStaticInstructionBytes(
+			instruction,
 			reinterpret_cast<const uint8_t*>(address)
 		);
 	}
 	else
 	{
-		instruction->StaticInstructionBytes = -1;
+		data->StaticInstructionBytes = -1;
 	}
+}
 
-	return true;
+bool DisassembleInstructionsImpl(const RC_Pointer address, const RC_Size length, const RC_Pointer virtualAddress, const bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)
+{
+	auto info = CreateCodeInfo(address, length, virtualAddress);
+
+	const unsigned MaxInstructions = 50;
+
+	_DInst decodedInstructions[MaxInstructions] = {};
+	unsigned count = 0;
+
+	while (true)
+	{
+		const auto res = distorm_decompose(&info, decodedInstructions, MaxInstructions, &count);
+		if (res == DECRES_INPUTERR)
+		{
+			return false;
+		}
+
+		for (auto i = 0u; i < count; ++i)
+		{
+			_DecodedInst instructionInfo = {};
+			distorm_format(&info, &decodedInstructions[i], &instructionInfo);
+
+			InstructionData data;
+			FillInstructionData(address, decodedInstructions[i], instructionInfo, determineStaticInstructionBytes, &data);
+
+			if (callback(&data) == false)
+			{
+				return true;
+			}
+		}
+
+		if (res == DECRES_SUCCESS || count == 0)
+		{
+			return true;
+		}
+
+		const auto offset = decodedInstructions[count - 1].addr - info.codeOffset;
+
+		info.codeOffset += offset;
+		info.code += offset;
+		info.codeLen -= offset;
+	}
 }
diff --git a/NativeCore/Shared/DistormHelper.hpp b/NativeCore/Shared/DistormHelper.hpp
@@ -2,4 +2,6 @@
 
 #include "../ReClassNET_Plugin.hpp"
 
-bool DisassembleCodeImpl(const RC_Pointer address, const RC_Size length, const RC_Pointer virtualAddress, const bool determineStaticInstructionBytes, InstructionData* instruction);
+typedef bool(RC_CallConv EnumerateInstructionCallback)(InstructionData* data);
+
+bool DisassembleInstructionsImpl(const RC_Pointer address, const RC_Size length, const RC_Pointer virtualAddress, const bool determineStaticInstructionBytes, EnumerateInstructionCallback callback);
diff --git a/NativeCore/Unix/DisassembleCode.cpp b/NativeCore/Unix/DisassembleCode.cpp
@@ -1,6 +1,6 @@
 #include "../Shared/DistormHelper.hpp"
 
-extern "C" bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, InstructionData* instruction)
+extern "C" bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)
 {
-	return DisassembleCodeImpl(address, length, virtualAddress, determineStaticInstructionBytes, instruction);
+	return DisassembleInstructionsImpl(address, length, virtualAddress, determineStaticInstructionBytes, callback);
 }
diff --git a/NativeCore/Windows/DisassembleCode.cpp b/NativeCore/Windows/DisassembleCode.cpp
@@ -1,6 +1,6 @@
 #include "../Shared/DistormHelper.hpp"
 
-bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, InstructionData* instruction)
+bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)
 {
-	return DisassembleCodeImpl(address, length, virtualAddress, determineStaticInstructionBytes, instruction);
+	return DisassembleInstructionsImpl(address, length, virtualAddress, determineStaticInstructionBytes, callback);
 }
diff --git a/ReClass.NET/Core/CoreFunctionsManager.cs b/ReClass.NET/Core/CoreFunctionsManager.cs
@@ -174,9 +174,9 @@ public bool SetHardwareBreakpoint(IntPtr id, IntPtr address, HardwareBreakpointR
 
 		#region Internal Core Functions
 
-		public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, out InstructionData instruction)
+		public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)
 		{
-			return internalCoreFunctions.DisassembleCode(address, length, virtualAddress, determineStaticInstructionBytes, out instruction);
+			return internalCoreFunctions.DisassembleCode(address, length, virtualAddress, determineStaticInstructionBytes, callback);
 		}
 
 		public IntPtr InitializeInput()
diff --git a/ReClass.NET/Core/InternalCoreFunctions.cs b/ReClass.NET/Core/InternalCoreFunctions.cs
@@ -7,6 +7,8 @@
 
 namespace ReClassNET.Core
 {
+	public delegate bool EnumerateInstructionCallback(ref InstructionData data);
+
 	internal class InternalCoreFunctions : NativeCoreWrapper, IDisposable
 	{
 		private const string CoreFunctionsModuleWindows = "NativeCore.dll";
@@ -15,7 +17,7 @@ internal class InternalCoreFunctions : NativeCoreWrapper, IDisposable
 		private readonly IntPtr handle;
 
 		[return: MarshalAs(UnmanagedType.I1)]
-		private delegate bool DisassembleCodeDelegate(IntPtr address, IntPtr length, IntPtr virtualAddress, [MarshalAs(UnmanagedType.I1)] bool determineStaticInstructionBytes, out InstructionData instruction);
+		private delegate bool DisassembleCodeDelegate(IntPtr address, IntPtr length, IntPtr virtualAddress, [MarshalAs(UnmanagedType.I1)] bool determineStaticInstructionBytes, [MarshalAs(UnmanagedType.FunctionPtr)] EnumerateInstructionCallback callback);
 
 		private delegate IntPtr InitializeInputDelegate();
 
@@ -76,9 +78,9 @@ public void Dispose()
 
 		#endregion
 
-		public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, out InstructionData instruction)
+		public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)
 		{
-			return disassembleCodeDelegate(address, (IntPtr)length, virtualAddress, determineStaticInstructionBytes, out instruction);
+			return disassembleCodeDelegate(address, (IntPtr)length, virtualAddress, determineStaticInstructionBytes, callback);
 		}
 
 		public IntPtr InitializeInput()
diff --git a/ReClass.NET/Memory/Disassembler.cs b/ReClass.NET/Memory/Disassembler.cs
@@ -71,7 +71,15 @@ public IEnumerable<DisassembledInstruction> DisassembleCode(IntPtr address, int
 
 			while (eip.CompareTo(end) == -1)
 			{
-				var res = coreFunctions.DisassembleCode(eip, end.Sub(eip).ToInt32() + 1, virtualAddress, false, out var instruction);
+				var instruction = default(InstructionData);
+
+				// Grab only one instruction.
+				var res = coreFunctions.DisassembleCode(eip, end.Sub(eip).ToInt32() + 1, virtualAddress, false, (ref InstructionData data) =>
+				{
+					instruction = data;
+
+					return false;
+				});
 				if (!res)
 				{
 					break;
@@ -170,64 +178,40 @@ public DisassembledInstruction RemoteGetPreviousInstruction(RemoteProcess proces
 		/// <returns>The previous instruction.</returns>
 		private DisassembledInstruction GetPreviousInstruction(IntPtr address, IntPtr virtualAddress)
 		{
-			var end = address + 80;
+			var instruction = default(InstructionData);
 
-			var instruction = new InstructionData();
-
-			var x = GetPreviousInstructionHelper(end, 80, virtualAddress, ref instruction);
-			if (x != end)
+			foreach (var offset in new[] { 80, 40, 20, 10, 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 })
 			{
-				x = GetPreviousInstructionHelper(end, 40, virtualAddress, ref instruction);
-				if (x != end)
+				var currentAddress = address - offset;
+
+				coreFunctions.DisassembleCode(currentAddress, offset + 1, virtualAddress - offset, false, (ref InstructionData data) =>
 				{
-					x = GetPreviousInstructionHelper(end, 20, virtualAddress, ref instruction);
-					if (x != end)
+					var nextAddress = currentAddress + data.Length;
+					if (nextAddress.CompareTo(address) > -1)
 					{
-						x = GetPreviousInstructionHelper(end, 10, virtualAddress, ref instruction);
-						if (x != end)
-						{
-							for (var i = 1; i < 15; ++i)
-							{
-								x = address + 65 + i;
-								if (coreFunctions.DisassembleCode(x, end.Sub(x).ToInt32() + 1, virtualAddress, false, out instruction))
-								{
-									if (x + instruction.Length == end)
-									{
-										break;
-									}
-								}
-							}
-						}
+						return false;
 					}
-				}
-			}
 
-			return new DisassembledInstruction
-			{
-				Address = virtualAddress - instruction.Length,
-				Length = instruction.Length,
-				Data = instruction.Data,
-				Instruction = instruction.Instruction
-			};
-		}
+					instruction = data;
 
-		private IntPtr GetPreviousInstructionHelper(IntPtr address, int distance, IntPtr virtualAddress, ref InstructionData instruction)
-		{
-			var x = address - distance;
-			var y = virtualAddress - distance;
-			while (x.CompareTo(address) == -1) // aka x < address
-			{
-				if (coreFunctions.DisassembleCode(x, address.Sub(x).ToInt32() + 1, y, false, out instruction))
-				{
-					x += instruction.Length;
-					y += instruction.Length;
-				}
-				else
+					currentAddress = nextAddress;
+
+					return true;
+				});
+
+				if (currentAddress == address)
 				{
-					break;
+					return new DisassembledInstruction
+					{
+						Address = virtualAddress - instruction.Length,
+						Length = instruction.Length,
+						Data = instruction.Data,
+						Instruction = instruction.Instruction
+					};
 				}
 			}
-			return x;
+
+			return null;
 		}
 
 		/// <summary>Tries to find the start address of the function <paramref name="address"/> points into.</summary>
diff --git a/ReClass.NET/MemoryScanner/PatternScanner.cs b/ReClass.NET/MemoryScanner/PatternScanner.cs
@@ -2,6 +2,7 @@
 using System.Collections.Generic;
 using System.Diagnostics.Contracts;
 using System.Runtime.InteropServices;
+using ReClassNET.Core;
 using ReClassNET.Memory;
 using ReClassNET.Util;
 
@@ -105,23 +106,15 @@ public static BytePattern CreatePatternFromCode(RemoteProcess process, IntPtr st
 			try
 			{
 				var eip = handle.AddrOfPinnedObject();
-				var end = eip + size;
 
-				while (eip.CompareTo(end) == -1)
+				process.CoreFunctions.DisassembleCode(eip, size, IntPtr.Zero, true, (ref InstructionData instruction) =>
 				{
-					var res = process.CoreFunctions.DisassembleCode(eip, end.Sub(eip).ToInt32() + 1, IntPtr.Zero, true, out var instruction);
-					if (!res)
-					{
-						break;
-					}
-
 					for (var i = 0; i < instruction.Length; ++i)
 					{
 						data.Add(Tuple.Create(instruction.Data[i], i >= instruction.StaticInstructionBytes));
 					}
-
-					eip += instruction.Length;
-				}
+					return true;
+				});
 			}
 			finally
 			{

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`#include "../Shared/DistormHelper.hpp"`
`2`	`2`
`3`		`-extern "C" bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, InstructionData* instruction)`
	`3`	`+extern "C" bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)`
`4`	`4`	`{`
`5`		`- return DisassembleCodeImpl(address, length, virtualAddress, determineStaticInstructionBytes, instruction);`
	`5`	`+ return DisassembleInstructionsImpl(address, length, virtualAddress, determineStaticInstructionBytes, callback);`
`6`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`#include "../Shared/DistormHelper.hpp"`
`2`	`2`
`3`		`-bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, InstructionData* instruction)`
	`3`	`+bool RC_CallConv DisassembleCode(RC_Pointer address, RC_Size length, RC_Pointer virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)`
`4`	`4`	`{`
`5`		`- return DisassembleCodeImpl(address, length, virtualAddress, determineStaticInstructionBytes, instruction);`
	`5`	`+ return DisassembleInstructionsImpl(address, length, virtualAddress, determineStaticInstructionBytes, callback);`
`6`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -174,9 +174,9 @@ public bool SetHardwareBreakpoint(IntPtr id, IntPtr address, HardwareBreakpointR`
`174`	`174`
`175`	`175`	`#region Internal Core Functions`
`176`	`176`
`177`		`- public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, out InstructionData instruction)`
	`177`	`+ public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)`
`178`	`178`	`{`
`179`		`- return internalCoreFunctions.DisassembleCode(address, length, virtualAddress, determineStaticInstructionBytes, out instruction);`
	`179`	`+ return internalCoreFunctions.DisassembleCode(address, length, virtualAddress, determineStaticInstructionBytes, callback);`
`180`	`180`	`}`
`181`	`181`
`182`	`182`	`public IntPtr InitializeInput()`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,8 @@`
`7`	`7`
`8`	`8`	`namespace ReClassNET.Core`
`9`	`9`	`{`
	`10`	`+ public delegate bool EnumerateInstructionCallback(ref InstructionData data);`
	`11`	`+`
`10`	`12`	`internal class InternalCoreFunctions : NativeCoreWrapper, IDisposable`
`11`	`13`	`{`
`12`	`14`	`private const string CoreFunctionsModuleWindows = "NativeCore.dll";`
`@@ -15,7 +17,7 @@ internal class InternalCoreFunctions : NativeCoreWrapper, IDisposable`
`15`	`17`	`private readonly IntPtr handle;`
`16`	`18`
`17`	`19`	`[return: MarshalAs(UnmanagedType.I1)]`
`18`		`- private delegate bool DisassembleCodeDelegate(IntPtr address, IntPtr length, IntPtr virtualAddress, [MarshalAs(UnmanagedType.I1)] bool determineStaticInstructionBytes, out InstructionData instruction);`
	`20`	`+ private delegate bool DisassembleCodeDelegate(IntPtr address, IntPtr length, IntPtr virtualAddress, [MarshalAs(UnmanagedType.I1)] bool determineStaticInstructionBytes, [MarshalAs(UnmanagedType.FunctionPtr)] EnumerateInstructionCallback callback);`
`19`	`21`
`20`	`22`	`private delegate IntPtr InitializeInputDelegate();`
`21`	`23`
`@@ -76,9 +78,9 @@ public void Dispose()`
`76`	`78`
`77`	`79`	`#endregion`
`78`	`80`
`79`		`- public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, out InstructionData instruction)`
	`81`	`+ public bool DisassembleCode(IntPtr address, int length, IntPtr virtualAddress, bool determineStaticInstructionBytes, EnumerateInstructionCallback callback)`
`80`	`82`	`{`
`81`		`- return disassembleCodeDelegate(address, (IntPtr)length, virtualAddress, determineStaticInstructionBytes, out instruction);`
	`83`	`+ return disassembleCodeDelegate(address, (IntPtr)length, virtualAddress, determineStaticInstructionBytes, callback);`
`82`	`84`	`}`
`83`	`85`
`84`	`86`	`public IntPtr InitializeInput()`
Original file line number	Diff line number	Diff line change
`@@ -2,6 +2,7 @@`
`2`	`2`	`using System.Collections.Generic;`
`3`	`3`	`using System.Diagnostics.Contracts;`
`4`	`4`	`using System.Runtime.InteropServices;`
	`5`	`+using ReClassNET.Core;`
`5`	`6`	`using ReClassNET.Memory;`
`6`	`7`	`using ReClassNET.Util;`
`7`	`8`
`@@ -105,23 +106,15 @@ public static BytePattern CreatePatternFromCode(RemoteProcess process, IntPtr st`
`105`	`106`	`try`
`106`	`107`	`{`
`107`	`108`	`var eip = handle.AddrOfPinnedObject();`
`108`		`- var end = eip + size;`
`109`	`109`
`110`		`- while (eip.CompareTo(end) == -1)`
	`110`	`+ process.CoreFunctions.DisassembleCode(eip, size, IntPtr.Zero, true, (ref InstructionData instruction) =>`
`111`	`111`	`{`
`112`		`- var res = process.CoreFunctions.DisassembleCode(eip, end.Sub(eip).ToInt32() + 1, IntPtr.Zero, true, out var instruction);`
`113`		`- if (!res)`
`114`		`- {`
`115`		`- break;`
`116`		`- }`
`117`		`-`
`118`	`112`	`for (var i = 0; i < instruction.Length; ++i)`
`119`	`113`	`{`
`120`	`114`	`data.Add(Tuple.Create(instruction.Data[i], i >= instruction.StaticInstructionBytes));`
`121`	`115`	`}`
`122`		`-`
`123`		`- eip += instruction.Length;`
`124`		`- }`
	`116`	`+ return true;`
	`117`	`+ });`
`125`	`118`	`}`
`126`	`119`	`finally`
`127`	`120`	`{`