The AMD64 architecture introduces these new features:
Register Extensions
- 8 new general-purpose registers (GPRs).
- All 16 GPRs are 64 bits wide.
- 8 new 128-bit XMM registers.
- Uniform byte-register addressing for all GPRs.
- A new instruction prefix (REX) accesses the extended registers (0x48 means the instruction is forced to 64-bit operand size and accesses the 64-bit extended registers).
Long Mode (in long mode all instructions use 64-bit addressing and 64-bit operands)
- Up to 64 bits of virtual address.
- 64-bit instruction pointer (RIP).
- New instruction-pointer-relative data-addressing mode.
- Flat address space (flat model). A 32-bit .sys driver cannot run under 64-bit, because Microsoft restricts this in the 64-bit kernel.
Memory Management
Under 64-bit, all segment base addresses are 0; address translation goes directly through paging.
Registers
- Sixteen 8-bit low-byte registers (AL, BL, CL, DL, SIL, DIL, BPL, SPL, R8B, R9B, R10B, R11B, R12B, R13B, R14B, R15B). No new high-byte registers were added.
- Four 8-bit high-byte registers (AH, BH, CH, DH).
- Sixteen 16-bit registers (AX, BX, CX, DX, DI, SI, BP, SP, R8W, R9W, R10W, R11W, R12W, R13W, R14W, R15W).
- Sixteen 32-bit registers (EAX, EBX, ECX, EDX, EDI, ESI, EBP, ESP, R8D, R9D, R10D, R11D, R12D, R13D, R14D, R15D).
- Sixteen 64-bit registers (RAX, RBX, RCX, RDX, RDI, RSI, RBP, RSP, R8, R9, R10, R11, R12, R13, R14, R15).
Data Transfer
The data-transfer instructions copy data between registers and memory.
Move.
- MOV—Move
- MOVSX—Move with Sign-Extend (sign extension: a byte 0x80 becomes 0xffffff80, 0x70 becomes 0x00000070)
- MOVZX—Move with Zero-Extend (zero extension: 0x80 becomes 0x00000080, 0x70 becomes 0x00000070)
- MOVD—Move Doubleword or Quadword to MMX register.
- POP—Pop Stack
- POPA—Pop All to GPR Words
- POPAD—Pop All to GPR Doublewords (the order is fixed: PUSHAD pushes EAX, ECX, EDX, EBX, ESP, EBP, ESI, EDI. If EAX has been changed and you do not want POPAD to overwrite it, that is possible: change the saved value in the stack frame with mov [esp+4*8], newvalue. Can PUSHFD be left out? No, because the flags affect Jcc.)
- PUSH—Push onto Stack
- PUSHA—Push All GPR Words onto Stack
- PUSHAD—Push All GPR Doublewords onto Stack
- ENTER—Create Procedure Stack Frame (ENTER xxxx corresponds to push ebp / mov ebp,esp / sub esp,xxxx; LEAVE corresponds to mov esp,ebp / pop ebp, followed by ret. ENTER stands for the opening prologue and LEAVE for leaving it; they are rarely seen because Microsoft's compiler seldom uses them.)
- LEAVE—Delete Procedure Stack Frame
Without using a spare register, mov ebx,eax can be replaced by push eax / pop ebx.
- BSWAP—Byte Swap (this swaps the 4 bytes, as in the figure below)
The BSWAP instruction changes the byte order of a doubleword or quadword operand in a register, as shown in the figure. In a doubleword, bits 7–0 are exchanged with bits 31–24, and bits 15–8 are exchanged with bits 23–16. In a quadword, bits 7–0 are exchanged with bits 63–56, bits 15–8 with bits 55–48, bits 23–16 with bits 47–40, and bits 31–24 with bits 39–32. See the following illustration.
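A plain-C model of what MOVSX, MOVZX and BSWAP do to register contents, added here as an example (not code from the original post or from the AMD manual); the function names are this example's own, and the length-check function shows why the sign/zero-extension distinction matters for bounds checks.

```c
#include <stdint.h>
#include <stdio.h>

/* MOVSX r32, r/m8: copy the sign bit (bit 7) of the byte into bits 31..8. */
uint32_t movsx_byte_to_dword(uint8_t src) {
    return (uint32_t)(int32_t)(int8_t)src;
}

/* MOVZX r32, r/m8: bits 31..8 are cleared to zero. */
uint32_t movzx_byte_to_dword(uint8_t src) {
    return (uint32_t)src;
}

/* BSWAP r32: bits 7-0 <-> 31-24 and bits 15-8 <-> 23-16. */
uint32_t bswap_dword(uint32_t v) {
    return (v >> 24) | ((v >> 8) & 0x0000FF00u) |
           ((v << 8) & 0x00FF0000u) | (v << 24);
}

/* BSWAP r64: the same exchange carried across all eight bytes. */
uint64_t bswap_qword(uint64_t v) {
    uint64_t lo = bswap_dword((uint32_t)v);
    uint64_t hi = bswap_dword((uint32_t)(v >> 32));
    return (lo << 32) | hi;
}

/* Why the choice matters: a byte-sized length read with MOVSX becomes
 * negative, so a signed "len < limit" check passes for 0x80 (-128), while
 * the MOVZX value 128 is correctly rejected by the same check. */
int length_passes_check(uint32_t extended_len, int32_t limit) {
    return (int32_t)extended_len < limit;
}

int main(void) {
    printf("movsx 0x80 -> 0x%08x\n", movsx_byte_to_dword(0x80));
    printf("movzx 0x80 -> 0x%08x\n", movzx_byte_to_dword(0x80));
    printf("bswap 0x11223344 -> 0x%08x\n", bswap_dword(0x11223344u));
    printf("bswap 0x0102030405060708 -> 0x%016llx\n",
           (unsigned long long)bswap_qword(0x0102030405060708ull));
    return 0;
}
```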
LEA—Load Effective Address
The LEA instruction calculates and loads the effective address (offset within a given segment) of a source operand and places it in a general-purpose register. LEA is related to MOV, which copies data from a memory location to a register, but LEA takes the address of the source operand, whereas MOV takes the contents of the memory location specified by the source operand. In the simplest cases, LEA can be replaced with MOV. For example:
lea eax, [ebx]
has the same effect as:
mov eax, ebx
However, LEA allows software to use any valid addressing mode for the source operand. For example:
lea eax, [ebx+edi]
loads the sum of the EBX and EDI registers into the EAX register. This could not be accomplished by a single MOV instruction. LEA has a limited capability to perform multiplication of operands in general-purpose registers using scaled-index addressing. For example:
lea eax, [ebx+ebx*8]
loads the value of the EBX register, multiplied by 9, into the EAX register.
Arithmetic
Add and Subtract.
- ADC—Add with Carry
- ADD—Signed or Unsigned Add
- SBB—Subtract with Borrow
- SUB—Subtract
Multiply and Divide.
- MUL—Multiply Unsigned
- IMUL—Signed Multiply
- DIV—Unsigned Divide
- IDIV—Signed Divide
Increment and Decrement.
- DEC—Decrement by 1
- INC—Increment by 1
Compare.
CMP—Compare (cmp eax,ebx / mov ecx,edx / jxx: an instruction is inserted between the compare and the conditional jump because the CPU executes out of order and sometimes executes the second instruction first)
The CMP instruction performs subtraction of the second operand (source) from the first operand (destination), like the SUB instruction, but it does not store the resulting value in the destination operand. It leaves both operands intact. The only effect of the CMP instruction is to set or clear the arithmetic flags (OF, SF, ZF, AF, CF, PF) according to the result of subtraction.
Test.
TEST—Test Bits
The TEST instruction is in many ways similar to the AND instruction: it performs logical conjunction of the corresponding bits of both operands, but unlike the AND instruction it leaves the operands unchanged. The purpose of this instruction is to update flags for further testing. The TEST instruction is often used to test whether one or more bits in an operand are zero. In this case, one of the instruction operands would contain a mask in which all bits are cleared to zero except the bits being tested.
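The flag behaviour of CMP and TEST described above, modelled in C as an added example (not code from the original post): it computes ZF, SF, CF and OF for 32-bit operands and derives the unsigned (JB/JAE) and signed (JL/JGE) branch conditions from them. Function and struct names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

typedef struct { int zf, sf, cf, of; } flags_t;

/* CMP dst, src: compute dst - src, set the flags, discard the result. */
flags_t x86_cmp(uint32_t dst, uint32_t src) {
    uint32_t res = dst - src;
    flags_t f;
    f.zf = (res == 0);
    f.sf = (res >> 31) & 1;
    f.cf = (dst < src);                      /* unsigned borrow */
    /* OF: operand signs differ and the result sign differs from dst */
    f.of = (((dst ^ src) & (dst ^ res)) >> 31) & 1;
    return f;
}

/* TEST op, mask: AND without writing the result; CF and OF are cleared. */
flags_t x86_test(uint32_t op, uint32_t mask) {
    uint32_t res = op & mask;
    flags_t f = { res == 0, (res >> 31) & 1, 0, 0 };
    return f;
}

/* Branch conditions: the unsigned family reads CF/ZF, the signed family
 * reads SF/OF/ZF. Picking the wrong family is the classic signedness bug. */
int jb(flags_t f)  { return f.cf; }              /* dst <  src, unsigned */
int jae(flags_t f) { return !f.cf; }             /* dst >= src, unsigned */
int jl(flags_t f)  { return f.sf != f.of; }      /* dst <  src, signed   */
int jge(flags_t f) { return f.sf == f.of; }      /* dst >= src, signed   */
int je(flags_t f)  { return f.zf; }

int main(void) {
    /* Constructed case: 0xFFFFFFF0 is 4294967280 unsigned but -16 signed,
     * so the same CMP gives jb=0 (not below 16) and jl=1 (less than 16). */
    flags_t f = x86_cmp(0xFFFFFFF0u, 16);
    printf("cmp 0xFFFFFFF0,16: jb=%d jl=%d\n", jb(f), jl(f));
    /* TEST with a mask selecting bit 0 only: ZF says whether bit 0 is clear. */
    flags_t t = x86_test(0x80000001u, 0x00000001u);
    printf("test 0x80000001,1: je=%d\n", je(t));
    return 0;
}
```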
The logical instructions perform bitwise operations.
- AND—Logical AND (clears a given bit to 0)
- OR—Logical OR (sets a bit to 1)
- XOR—Exclusive OR
- NOT—One's Complement Negation
String
Compare Strings.
- CMPS—Compare Strings
- CMPSB—Compare Strings by Byte
- CMPSW—Compare Strings by Word
- CMPSD—Compare Strings by Doubleword
- CMPSQ—Compare Strings by Quadword
The CMPSx instructions compare the values of two implicit operands of the same size located at seg:[rSI] and ES:[rDI]. After the comparison, both the rSI and rDI registers are auto-incremented (if the DF flag is 0) or auto-decremented (if the DF flag is 1).
- MOVS—Move String
- MOVSB—Move String Byte
- MOVSW—Move String Word
- MOVSD—Move String Doubleword
- MOVSQ—Move String Quadword
Jump
JMP performs an unconditional jump to the specified address. There are several ways to specify the target address.
- Relative Short Jump and Relative Near Jump—The target address is determined by adding an 8-bit (short jump) or 16-bit or 32-bit (near jump) signed displacement to the rIP of the instruction following the JMP. The jump is performed within the current code segment (CS).
- Register-Indirect and Memory-Indirect Near Jump—The target rIP value is contained in a register or in a memory location. The jump is performed within the current CS. (The mov edi,edi instruction found at the start of system functions is there for hooking, to make up 5 bytes. jmp [] is a relative jump; mov eax,xxx / jmp eax is used because one form is the 64-bit hook, while in 32-bit it is used so that tools cannot detect who hooked the function; push xxxxxx / ret is likewise a 32-bit hook form used to avoid detection.)
jmp xxxxxx: the target is EIP + displacement + 5. push xxxxxx / ret: the pushed value is the target address itself.
- Direct Far Jump—For all far jumps, the target address is outside the current code segment. Here, the instruction specifies the 16-bit target-address code segment and the 16-bit or 32-bit offset as an immediate value. The direct far jump form is invalid in 64-bit mode.
- Memory-Indirect Far Jump—For this form, the target address (CS:rIP) is at an address outside the current code segment. A 32-bit or 48-bit far pointer in a specified memory location points to the target address.
ret 4 is equivalent to mov eip,[esp] followed by add esp,4.
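Resolving the target of a relative JMP from its encoding, the way a disassembler does, as an added example (not code from the original post): the EB rel8 (short, 2 bytes) and E9 rel32 (near, 5 bytes) forms both add the sign-extended displacement to the address of the instruction following the jump, which is the "EIP + displacement + 5" rule above. The function names and sample bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Decode a JMP located at virtual address `addr` whose bytes are in `code`.
 * Returns the instruction length (2 or 5) and stores the target, or 0 if
 * the opcode is not one of the two relative JMP forms. */
size_t decode_rel_jmp(const uint8_t *code, uint64_t addr, uint64_t *target) {
    if (code[0] == 0xEB) {                   /* JMP rel8: sign-extended byte */
        int8_t disp = (int8_t)code[1];
        *target = addr + 2 + (int64_t)disp;
        return 2;
    }
    if (code[0] == 0xE9) {                   /* JMP rel32: little-endian */
        int32_t disp = (int32_t)((uint32_t)code[1] | (uint32_t)code[2] << 8 |
                                 (uint32_t)code[3] << 16 | (uint32_t)code[4] << 24);
        *target = addr + 5 + (int64_t)disp;  /* EIP of next insn + disp */
        return 5;
    }
    return 0;
}

/* Compute the rel32 displacement for a near JMP at `addr` reaching `target`.
 * Returns 0 when the distance does not fit a signed 32-bit displacement; a
 * jump that far needs one of the register/memory-indirect forms instead. */
int encode_rel32(uint64_t addr, uint64_t target, int32_t *disp) {
    int64_t d = (int64_t)(target - (addr + 5));
    if (d < INT32_MIN || d > INT32_MAX) return 0;
    *disp = (int32_t)d;
    return 1;
}

int main(void) {
    /* Constructed sample: E9 F6 FF FF FF at 0x401000 is a jump of -10 bytes,
     * so the target is 0x401000 + 5 - 10 = 0x400FFB. */
    const uint8_t code[] = { 0xE9, 0xF6, 0xFF, 0xFF, 0xFF };
    uint64_t t = 0;
    size_t len = decode_rel_jmp(code, 0x401000, &t);
    printf("len=%zu target=0x%llx\n", len, (unsigned long long)t);
    return 0;
}
```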
Cdecl, stdcall, fastcall
Set and Clear Flags
- CLC—Clear Carry Flag
- CMC—Complement Carry Flag
- STC—Set Carry Flag
- CLD—Clear Direction Flag
- STD—Set Direction Flag
- CLI—Clear Interrupt Flag (disables interrupts)
- STI—Set Interrupt Flag
CPUID: detects certain CPU features.
NOP: used for memory patching.
System Call and Return
- SYSENTER—System Call (32-bit)
- SYSEXIT—System Return (32-bit)
- SYSCALL—Fast System Call (64-bit)
- SYSRET—Fast System Return (64-bit)
These are used for the ring 3 to ring 0 transition; the first two are used in 32-bit, the last two in 64-bit. The first pair was specified by Intel and copied by AMD; for the second pair it was the other way round.
The SYSENTER and SYSCALL instructions perform a call to a routine running at current privilege level (CPL) 0—for example, a kernel procedure—from a user level program (CPL 3). The addresses of the target procedure and (for SYSENTER) the target stack are specified implicitly through the model specific registers (MSRs). Control returns from the operating system to the callee when the operating system executes a SYSEXIT or SYSRET instruction. SYSEXIT and SYSRET are privileged instructions and thus can be issued only by a privilege-level-0 procedure. The SYSENTER and SYSEXIT instructions form a complementary pair, as do SYSCALL and SYSRET. SYSENTER and SYSEXIT are invalid in 64-bit mode. In this case, use the faster SYSCALL and SYSRET instructions.
Reposted from: https://blog.csdn.net/youyou519/article/details/93599366