github.com/eh-steve/goloader@v0.0.0-20240111193454-90ff3cfdae39/asm_bytes.go (about) 1 package goloader 2 3 const ( 4 x86amd64MOVcode byte = 0x8B 5 x86amd64LEAcode byte = 0x8D 6 x86amd64CMPLcode byte = 0x83 7 x86amd64CALLcode byte = 0xE8 8 x86amd64CALL2code byte = 0xFF 9 x86amd64JMPcode byte = 0xE9 10 ) 11 12 // arm/arm64 13 var ( 14 armcode = []byte{0x04, 0xF0, 0x1F, 0xE5} //LDR PC, [PC, #-4] 15 arm64CALLCode = []byte{ 16 // X16 and X17 are the IP0 and IP1 intra-procedure-call corruptible registers - 17 // since Go only uses them for the stack prologue and epilogue calculations, 18 // and we should already be clear of that by the time we hit a R_CALLARM64, 19 // so we should be able to safely use them for far jumps 20 0x51, 0x00, 0x00, 0x58, // LDR X17 [PC+8] - read 64 bit address from PC+8 into X17 21 0x20, 0x02, 0x1f, 0xd6, // BR X17 - jump to address in X17 22 } 23 arm64Bcode = []byte{0x00, 0x00, 0x00, 0x14} // B [PC+0x0] 24 arm64NopCode = []byte{0x1f, 0x20, 0x03, 0xd5} 25 ) 26 27 const ( 28 armLDRCode8Bytes = uint32(0x58000040) // LDR PC+8 29 armLDRCode12Bytes = uint32(0x58000060) // LDR PC+12 30 ) 31 32 // x86/amd64 33 var ( 34 x86amd64NOPcode = byte(0x90) 35 x86amd64JMPLcode = []byte{0xff, 0x25, 0x00, 0x00, 0x00, 0x00} // JMPL *ADDRESS 36 x86amd64JMPNearCode = []byte{0xE9, 0x00, 0x00, 0x00, 0x00} // JMP (PCREL offset)+4 37 x86amd64JMPShortCode = []byte{0xEB, 0x00} // JMP (PCREL offset)+1 38 x86amd64CALLFarCode = []byte{ 39 0xff, 0x15, 0x00, 0x00, 0x00, 0x00, // CALL ptr [RIP] 40 } 41 x86amd64replaceCMPLcode = []byte{ 42 0x50, // PUSH RAX 43 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, imm64 (64 bit) 44 0x48, 0x83, 0x38, 0x00, // CMPL [RAX] x(8bits) 45 0x58, // POP RAX 46 } 47 x86amd64replaceMOVQcodeRAX = []byte{ 48 0x48, 0xa1, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, [addr64] (64 bit) 49 } 50 x86amd64replaceMOVQcode = []byte{ 51 0x50, // PUSH RAX 52 0x48, 0xb8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, // MOVABS RAX, imm64 (64 bit) 53 0x48, 0x8b, 0x00, // MOV RxX, [RAX] (64 bit) 54 0x58, // POP RAX 55 } 56 )