deroko

IDA and vmread/vmwrite x64

These two instructions are defined as:

Code:
VMREAD  Ed/q, Gd/q
VMWRITE Gd/q, Ed/q
where d denotes the 32-bit environment and q the 64-bit environment: in a 32-bit environment the operands are always 32 bits, in a 64-bit environment they are always 64 bits, and the operand-size prefix cannot change that.

But IDA displays the wrong operands:

Code:
.text:0000000000011010                 mov     [rsp+arg_8], rdx
.text:0000000000011015                 mov     [rsp+arg_0], rcx
.text:000000000001101A                 sub     rsp, 38h
.text:000000000001101E                 mov     edx, 1
.text:0000000000011023                 mov     rcx, 1234567812345678h
.text:000000000001102D                 call    VmWrite_proc
.text:0000000000011032                 mov     rcx, 1234567812345678h
.text:000000000001103C                 call    VmRead_proc
.text:0000000000011041                 mov     [rsp+38h+var_18], rax
.text:0000000000011046                 xor     eax, eax
.text:0000000000011048                 add     rsp, 38h
.text:000000000001104C                 retn
.text:000000000001104C DriverEntry     endp

.text:0000000000011060 VmWrite_proc    proc near               
.text:0000000000011060                 vmwrite ecx, edx    <----- 32bit operands, which is not possible
.text:0000000000011063                 retn
.text:0000000000011063 VmWrite_proc    endp
.text:0000000000011063
.text:0000000000011064
.text:0000000000011064 VmRead_proc     proc near              
.text:0000000000011064                 vmread  eax, ecx    <----- again 32 bit operands
.text:0000000000011067                 retn
.text:0000000000011067 VmRead_proc     endp

Instead, these should be displayed as vmwrite rcx, rdx and vmread rax, rcx. This is also confirmed by the Intel documentation (Chapter 5, VMX Instruction Reference, Volume 2B):

Code:
VMREAD—Read Field from Virtual-Machine Control Structure

Opcode Instruction Description
0F 78 VMREAD r/m64, r64 Reads a specified VMCS field (in 64-bit mode).
0F 78 VMREAD r/m32, r32 Reads a specified VMCS field (outside 64-bit mode).
and

Code:
VMWRITE—Write Field to Virtual-Machine Control Structure

Opcode Instruction Description
0F 79 VMWRITE r64, r/m64 Writes a specified VMCS field (in 64-bit mode)
0F 79 VMWRITE r32, r/m32 Writes a specified VMCS field (outside 64-bit mode)
Nothing spectacular, but still, wrong disassembly.
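To make the rule concrete, here is an added example (my own code, not part of the original post or of IDA) that decodes the register forms of 0F 78 /r and 0F 79 /r the way the manual describes: the register names depend only on the mode, a 66h prefix and REX.W are ignored, and only REX.R/REX.B matter (they select r8-r15). The byte sequences in the main block are reconstructed from the encoding rules to match the listing above, not copied from the post.

```python
# Added example: minimal decoder for the register-to-register forms of
# VMREAD (0F 78 /r) and VMWRITE (0F 79 /r). Memory forms are out of scope.

REGS64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi",
          "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"]
REGS32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi",
          "r8d", "r9d", "r10d", "r11d", "r12d", "r13d", "r14d", "r15d"]


def decode_vmx_rw(code: bytes, long_mode: bool = True) -> str:
    """Decode one VMREAD/VMWRITE with mod=11 (register operands) and
    return Intel-syntax text. Raises ValueError for anything else."""
    i = 0
    rex = 0
    # 66h is accepted and ignored: it does not change the operand size
    # of these two instructions in any mode.
    while i < len(code) and code[i] == 0x66:
        i += 1
    # REX exists only in 64-bit mode; 40h-4Fh are INC/DEC elsewhere.
    if long_mode and i < len(code) and 0x40 <= code[i] <= 0x4F:
        rex = code[i]
        i += 1
    if len(code) < i + 3 or code[i] != 0x0F or code[i + 1] not in (0x78, 0x79):
        raise ValueError("not a VMREAD/VMWRITE encoding")
    opcode, modrm = code[i + 1], code[i + 2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory operand forms not handled here")
    reg |= (rex & 0x4) << 1   # REX.R extends the reg field to r8-r15
    rm |= (rex & 0x1) << 3    # REX.B extends the r/m field to r8-r15
    # REX.W (bit 3) is deliberately never consulted: operand size is
    # fixed by the mode, 64 bits in 64-bit mode and 32 bits otherwise.
    names = REGS64 if long_mode else REGS32
    if opcode == 0x78:
        return f"vmread {names[rm]}, {names[reg]}"    # VMREAD r/m, r
    return f"vmwrite {names[reg]}, {names[rm]}"       # VMWRITE r, r/m


if __name__ == "__main__":
    # Constructed encodings matching the 3-byte procedures in the listing.
    print(decode_vmx_rw(bytes([0x0F, 0x79, 0xCA])))   # vmwrite rcx, rdx
    print(decode_vmx_rw(bytes([0x0F, 0x78, 0xC8])))   # vmread rax, rcx
```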


Updated May 20th, 2008 at 18:49 by deroko

Categories
Uncategorized
