IDA and vmread/vmwrite x64 [Archive] - RCE Messageboard's Regroupment

deroko

May 20th, 2008, 19:01

These 2 instructions are defined as:

Code:

VMREAD  Ed/q, Gd/q

VMWRITE Gd/q, Ed/q

where d is for 32 bit environment, and q for 64 bit environment, which means that in 32 bit environment operands are always 32bit, and in 64bit environment those are 64bit, and operand size prefix can't affect size.

But IDA displays wrong info:

Code:

.text:0000000000011010                 mov     [rsp+arg_8], rdx

.text:0000000000011015                 mov     [rsp+arg_0], rcx

.text:000000000001101A                 sub     rsp, 38h

.text:000000000001101E                 mov     edx, 1

.text:0000000000011023                 mov     rcx, 1234567812345678h

.text:000000000001102D                 call    VmWrite_proc

.text:0000000000011032                 mov     rcx, 1234567812345678h

.text:000000000001103C                 call    VmRead_proc

.text:0000000000011041                 mov     [rsp+38h+var_18], rax

.text:0000000000011046                 xor     eax, eax

.text:0000000000011048                 add     rsp, 38h

.text:000000000001104C                 retn

.text:000000000001104C DriverEntry     endp



.text:0000000000011060 VmWrite_proc    proc near               

.text:0000000000011060                 vmwrite ecx, edx    <----- 32bit operands, which is not possible

.text:0000000000011063                 retn

.text:0000000000011063 VmWrite_proc    endp

.text:0000000000011063

.text:0000000000011064

.text:0000000000011064 VmRead_proc     proc near              

.text:0000000000011064                 vmread  eax, ecx    <----- again 32 bit operands

.text:0000000000011067                 retn

.text:0000000000011067 VmRead_proc     endp

Instead this should be displayed as vmwrite rcx, rdx and vmread rax, rcx. This is also verified by looking at intel documentation (CHAPTER 5 VMX INSTRUCTION REFERENCE - Volume 2B):

Code:

VMREAD—Read Field from Virtual-Machine Control Structure



Opcode Instruction Description

0F 78 VMREAD r/m64, r64 Reads a specified VMCS field (in 64-bit mode).

0F 78 VMREAD r/m32, r32 Reads a specified VMCS field (outside 64-bit mode).

and

Code:

VMWRITE—Write Field to Virtual-Machine Control Structure



Opcode Instruction Description

0F 79 VMWRITE r64, r/m64 Writes a specified VMCS field (in 64-bit mode)

0F 79 VMWRITE r32, r/m32 Writes a specified VMCS field (outside 64-bit mode)

Nothing spectacular, but still, wrong disassembly

dELTA

May 21st, 2008, 04:01

Cool, did you report it to the DataRescue/Hex-Rays guys?

ZaiRoN

May 21st, 2008, 06:22

Quote:

.text:0000000000011060 vmwrite ecx, edx
.text:0000000000011064 vmread eax, ecx

Can you tell me the ModR/M bytes? thx.

deroko

May 21st, 2008, 06:40

@dELTA: no

@ZaiRoN: modrm for vmwrite is CA and for vmread C8