0

Looking at PIN's Inspection API Page there is a method called INS_IsLea() which returns true if the current instruction is a LEA isntruction. This is useful, but I need to determine if one of the instruction operands are indirect references. For example:

MOV rax, (%rdi)

I'd like to be able to determine that the second operand is in fact an indirect reference, but there does not seem to be a method available for this.

TypeKazt
  • 318
  • 1
  • 13
  • Have you tried looking at an instruction reference? If you examine the machine code you will detect patterns (in fact they are documented) that can tell you this. – David Hoelzer May 04 '16 at 22:33

3 Answers3

1

INS_OperandIsMemory() if you just want to check if one of the operand is a memory operand.

Note that the second argument, n, indicates the operand number (0-indexed) in Intel syntax, e.g.

; rax = destination op; rdi = source op
mov rax, [rdi] ; rax = op #0 ; rdi = op #1
Neitsa
  • 7,693
  • 1
  • 28
  • 45
  • So even if the operand indirectly calls memory through a register, `INS_OperandIsMemory()` will return true on that operand? – TypeKazt May 05 '16 at 13:44
  • @TypeKazt: `MOV (%rdi), %rax` is as direct a memory reference as it's possible to write. IDK what you mean by "indirect" in this case. Normally the terms direct vs. indirect apply to jumps, where a direct jump has the destination address encoded in the instruction (as a relative offset), while indirect jumps set `RIP = register` (register-indirect `jmp *%rax` aka `jmp rax`) or `RIP = [memory]` (memory-indirect `jmp *(%rsi)` aka `jmp QWORD PTR [rsi]`.) – Peter Cordes May 06 '16 at 02:04
  • If anything, an implicit memory reference is the special case that I'd worry about detecting, like `lodsb` or `MASKMOVDQU xmm1, xmm2` (stores to `(%rdi)`). Or `push`/`pop`. – Peter Cordes May 06 '16 at 02:05
1

It looks like you are looking for two cases:

  1. If the an operand is a register containing a memory address. This is used for indirect jumps or calls. Can be detected via INS_IsIndirectBranchOrCall(ins)
  2. If the second operand is a memory location used for arithmetic or move operations. Can be detected by (!INS_IsBranchOrCall(ins) && (INS_MemoryOperandCount(ins) > 0))

NOTE: lea instruction just loads a memory address into a register. It never actually access the memory address. Read here. INS_IsLea returns true is the instruction opcode is lea. Hence it will return false for MOV rax, (%rdi)

Community
  • 1
  • 1
Nishant
  • 2,571
  • 1
  • 17
  • 29
0

I am just guessing here because I have never heard about this library before reading this question, but...

I think it follows that if one of INS_IsMemoryRead(), INS_IsMemoryWrite() is true, it has to have an indirect memory operand.

Also, from different angle, INS_MemoryOperand*() functions inspects the operands.

wilx
  • 17,697
  • 6
  • 59
  • 114