
     1  package goloader
     2  
// First opcode bytes of the amd64 instructions that the relocation code
// recognises at a relocation site. These are single opcode bytes only — no
// REX prefix and no ModRM byte is encoded here, so on their own some of them
// identify an opcode *group* rather than one instruction:
//
//	0x8B  MOV r, r/m
//	0x8D  LEA r, m
//	0x83  group-1 "op r/m, imm8" (ADD/OR/ADC/SBB/AND/SUB/XOR/CMP, selected by
//	      ModRM.reg; CMP is /7 — the identifier name suggests that is the
//	      form of interest)
//	0xE8  CALL rel32
//	0xFF  group-5 (INC/DEC/CALL/JMP/PUSH selected by ModRM.reg; indirect
//	      CALL is /2)
//	0xE9  JMP rel32
//
// NOTE(review): because 0x83 and 0xFF are shared by several instructions, a
// caller that matches on these bytes alone must already know which
// instruction it is looking at (e.g. from the relocation type) or must also
// inspect ModRM.reg — confirm at the use sites.
const (
	x86amd64MOVcode   byte = 0x8B
	x86amd64LEAcode   byte = 0x8D
	x86amd64CMPLcode  byte = 0x83
	x86amd64CALLcode  byte = 0xE8
	x86amd64CALL2code byte = 0xFF
	x86amd64JMPcode   byte = 0xE9
)
    11  
// arm/arm64
//
// Code templates for ARM (32-bit) and ARM64 trampolines. The target address is
// not encoded in the instructions themselves: each template expects a literal
// word/doubleword holding the absolute target to follow it in memory, which
// the instruction loads PC-relatively. That literal is data living inside an
// executable page, so whoever patches it needs the page writable at that
// moment and must keep the instruction cache coherent afterwards (presumably
// handled by the caller — not visible in this file). These are mutable
// package-level slices: copy them before patching, or a patched copy leaks
// into every later use of the template.
var (
	// E51FF004 in little-endian byte order. On 32-bit ARM, PC reads as the
	// address of the current instruction + 8, so [PC, #-4] is the word
	// immediately following this instruction: the 4-byte target goes there.
	armcode       = []byte{0x04, 0xF0, 0x1F, 0xE5} //LDR PC, [PC, #-4]
	// 16-byte far-jump trampoline: 8 bytes of code followed by the 8-byte
	// absolute target. 0x58000051 is a 64-bit LDR (literal) with imm19 = 2
	// (2 words = +8 bytes, i.e. right after the BR) and Rt = 17; 0xD61F0220
	// is BR with Rn = 17. BR (not BLR) is used, so X30 is left untouched —
	// this presumably works as a call only because the BL that reaches the
	// trampoline has already set the return address.
	arm64CALLCode = []byte{
		// X16 and X17 are the IP0 and IP1 intra-procedure-call corruptible registers -
		// since Go only uses them for the stack prologue and epilogue calculations,
		// and we should already be clear of that by the time we hit a R_CALLARM64,
		// so we should be able to safely use them for far jumps
		0x51, 0x00, 0x00, 0x58, // LDR X17 [PC+8] - read 64 bit address from PC+8 into X17
		0x20, 0x02, 0x1f, 0xd6, // BR  X17 - jump to address in X17
	}
	// 14000000: unconditional B with imm26 = 0. Left unpatched it branches to
	// itself (an infinite loop rather than a fault), so the imm26 field must
	// be filled in before this is ever executed.
	arm64Bcode   = []byte{0x00, 0x00, 0x00, 0x14} // B [PC+0x0]
	// D503201F: NOP.
	arm64NopCode = []byte{0x1f, 0x20, 0x03, 0xd5}
)
    26  
// ARM64 LDR (literal, 64-bit) templates with the Rt field left at zero. The
// LDR-literal opcode is 0x58000000; the imm19 offset occupies bits 5..23 and
// counts 4-byte words, so 2<<5 = 0x40 loads from PC+8 and 3<<5 = 0x60 from
// PC+12 (PC being the address of the LDR itself). Despite the "arm" prefix
// these are AArch64 encodings, not 32-bit ARM (compare armcode above).
// NOTE(review): Rt is zero (X0) here, so a caller presumably ORs the
// destination register into the low 5 bits before emitting — confirm at the
// use sites.
const (
	armLDRCode8Bytes  = uint32(0x58000040) // LDR Xt, [PC+8]  (Rt = 0 in the template)
	armLDRCode12Bytes = uint32(0x58000060) // LDR Xt, [PC+12] (Rt = 0 in the template)
)
    31  
// x86/amd64
//
// Instruction templates for amd64 trampolines and for rewriting RIP-relative
// instructions whose target cannot be reached with a rel32. Displacements,
// immediates and (where noted) ModRM register fields are zero in the template
// and are filled in by the caller. These are mutable package-level slices:
// treat them as read-only and copy before patching, or a patched copy leaks
// into every later use of the template.
var (
	// 0x90: single-byte NOP.
	x86amd64NOPcode      = byte(0x90)
	// FF /4, ModRM 0x25: in 64-bit mode JMP QWORD PTR [RIP+disp32]. disp32 is
	// relative to the end of this 6-byte instruction, so a zero displacement
	// reads the 8-byte target address placed immediately after it.
	x86amd64JMPLcode     = []byte{0xff, 0x25, 0x00, 0x00, 0x00, 0x00} // JMPL *ADDRESS
	// E9 rel32: near jump; rel32 is measured from the end of this 5-byte instruction.
	x86amd64JMPNearCode  = []byte{0xE9, 0x00, 0x00, 0x00, 0x00}       // JMP (PCREL offset)+4
	// EB rel8: short jump; rel8 is measured from the end of this 2-byte
	// instruction and reaches only -128..+127 bytes.
	x86amd64JMPShortCode = []byte{0xEB, 0x00}                         // JMP (PCREL offset)+1
	// FF /2, ModRM 0x15: CALL QWORD PTR [RIP+disp32]. "Far" here means the
	// target is reached through an absolute 8-byte pointer, not an x86 far
	// (segmented) call.
	x86amd64CALLFarCode  = []byte{
		0xff, 0x15, 0x00, 0x00, 0x00, 0x00, // CALL ptr [RIP]
	}
	// Presumably replaces a CMP against a symbol that is out of rel32 range:
	// stash RAX, load the absolute address into it, compare through it,
	// restore RAX. PUSH, MOV and POP do not write the flags, so the flags left
	// behind are exactly those of the CMP, as the following conditional jump
	// expects. The sequence uses 8 bytes of stack below RSP; it assumes there
	// is no live data there at the patch site — confirm for the Go ABI.
	x86amd64replaceCMPLcode = []byte{
		0x50,                                                       // PUSH RAX
		0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, imm64 (64 bit)
		// 48 83 /7 ib with ModRM 0x38 (mod=00, reg=111=CMP, rm=000=[RAX]).
		// NOTE(review): the 0x48 REX.W prefix makes this a 64-bit compare of
		// the 8 bytes at [RAX] against the sign-extended imm8 (i.e. CMPQ),
		// whereas the "CMPL" name suggests the instruction being replaced is a
		// 32-bit compare. If the 4 bytes after the 32-bit target are not
		// guaranteed to be zero, the result differs from the original — confirm
		// at the use site.
		0x48, 0x83, 0x38, 0x00, // CMPQ [RAX], imm8 (named "CMPL" historically)
		0x58, // POP RAX
	}
	// 48 A1 moffs64: MOV RAX, [moffs64] — a 64-bit load through an absolute
	// 8-byte address that needs no scratch register, hence no PUSH/POP.
	// Presumably used instead of x86amd64replaceMOVQcode when the destination
	// is RAX, because there the generic sequence's trailing POP RAX would
	// overwrite the value just loaded.
	x86amd64replaceMOVQcodeRAX = []byte{
		0x48, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, [addr64] (64 bit)
	}
	// Replacement for a 64-bit load into a register other than RAX: stash RAX,
	// load the absolute address into it, move through it, restore RAX.
	x86amd64replaceMOVQcode = []byte{
		0x50,                                                       // PUSH RAX
		0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, imm64 (64 bit)
		// 48 8B /r with ModRM 0x00 (mod=00, reg=000, rm=000=[RAX]). The reg
		// field (ModRM bits 3..5) is zero here and must be patched with the
		// destination register by the caller. NOTE(review): a destination of
		// R8–R15 also needs REX.R (0x4C instead of 0x48), and a destination
		// of RAX would be clobbered by the POP below — x86amd64replaceMOVQcodeRAX
		// exists for that case.
		0x48, 0x8b, 0x00, // MOV RxX, [RAX] (64 bit)
		0x58, // POP RAX
	}
)
    56  )