mirrors
/
ghidra
0
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
ghidra/Ghidra/Processors/x86/data/patterns/x86-64gcc_patterns.xml

73 lines
4.8 KiB
XML
Raw Permalink Blame History

<patternlist>
<patternpairs totalbits="40" postbits="24">
<prepatterns>
<data>0x90 0x90</data> <!-- NOP NOP -->
<data>0xc3 0x90</data> <!-- RET NOP -->
<data>0x6690</data> <!-- two-byte nop -->
<data>0xc9 0xc3</data> <!-- LEAVE RET -->
<data>0xe9........</data> <!-- JMP xxx - after a shared jump target -->
<data>0xe9........90</data> <!-- JMP xxx, NOP - after a shared jump target -->
<data>0xeb..</data> <!-- JMP small -->
<data>0xeb..90</data> <!-- JMP small , NOP -->
<data>0x5d 0xc3</data> <!-- POP RBP, RET -->
<data>0x5b 0xc3</data> <!-- POP RBX, RET -->
<data>0x415f 0xc3</data> <!-- POP R15, RET -->
<data>0x415c 0xc3</data> <!-- POP R12, RET -->
<data>0x31c0 0xc3</data> <!-- XOR(EAX,EAX), RET -->
<data>0x415d 0xc3</data> <!-- POP R13, RET -->
<data>0x415e 0xc3</data> <!-- POP R14, RET -->
<data>0x4883c4 ....1000 0xc3</data> <!-- ADD RSP, C; RET -->
<data>0x666690</data> <!-- three-byte NOP -->
<data>0x0f1f00</data> <!-- three-byte NOP -->
<data>0x0f1f4000</data> <!-- four-byte NOP -->
<data>0x0f1f440000</data> <!-- five-byte NOP -->
<data>0x660f1f440000</data> <!-- six-byte NOP -->
<data>0x0f1f8000000000</data> <!-- seven-byte NOP -->
<data>0x0f1f840000000000</data> <!-- eight-byte NOP -->
<data>0x660f1f840000000000</data> <!-- nine-byte NOP -->
</prepatterns>
<postpatterns>
<!-- two-instruction sequences -->
<data>0x48 0x89 0x5c 0x24 11...000 0x48 0x89 0x6c 0x24 11...000</data> <!-- MOV [RSP + C], RBX; MOV [RSP + C], RBP -->
<data>0x48 0x89 0x5c 0x24 11...000 0x4c 0x89 0x64 0x24 111..000</data> <!-- MOV [RSP + C], RBX; MOV [RSP + C], R12 -->
<data>0x48 0x89 0x6c 0x24 11...000 0x4c 0x89 0x64 0x24 111..000</data> <!-- MOV [RSP + C], RBP; MOV [RSP + C], R12 -->
<data>0x5589e5</data> <!-- PUSH RBP; MOV(EBP, ESP) (shared objects) -->
<data>0x554889e5</data> <!-- PUSH RBP; MOV(RBP, RSP) (shared objects) -->
<data>0x534889fb</data> <!-- PUSH RBX; MOV(RBX,RDI) (shared objects) -->
<data>0x554889fd</data> <!-- PUSH (RBP); MOV(RBP, RDI) (kernel objects) -->
<data>0x534889fb</data> <!-- PUSH RBX; MOV(RBX,RDI)-->
<!-- three-instruction sequences -->
<data>0x55 0x48 0x89 0xe5 0x48 0x83 0xec 0...0000</data> <!-- PUSH RBP; MOV RBP, RSP; SUB RSP, C -->
<data>0x554889e553</data> <!-- PUSH RBP; MOV RBP, RSP; PUSH RBX -->
<data>0x554889fd53</data> <!-- PUSH RBP; MOV RBP, RDI; PUSH RBX -->
<data>0x554889e548897df8</data> <!-- PUSH RBP; MOV RBP, RSP; MOV [RBP -0x8], RDI -->
<data>0x53 0x48 0x89 0xfb 0xe8 ........ ........ 0xff 0xff</data> <!-- PUSH RBX; MOV RBX,RDI; CALL -->
<data>0x415741564155</data> <!-- PUSH R15; PUSH R14; PUSH R13-->
<data>0x41544989fc55</data> <!-- PUSH R12; MOV(R12,RDI); PUSH(RBP)-->
<funcstart/>
</postpatterns>
</patternpairs>
<pattern>
<data>0x5589e5</data> <!-- PUSH RBP; MOV(EBP, ESP) (shared objects) -->
<funcstart after="data" /> <!-- must be something defined right before this, or no memory -->
</pattern>
<pattern>
<data>0x554889e5</data> <!-- PUSH RBP; MOV(RBP, RSP) (shared objects) -->
<funcstart after="data" /> <!-- must be something defined right before this, or no memory -->
</pattern>
<pattern>
<data>0x55 0x48 0x89 0xe5 0x48 0x83 0xec 0...0000</data> <!-- PUSH RBP; MOV RBP, RSP; SUB RSP, C --> <!-- PUSH RBP; MOV(RBP, RSP) (shared objects) -->
<funcstart after="data" /> <!-- must be something defined right before this, or no memory -->
</pattern>
<pattern>
<data>0x554889e553</data> <!-- PUSH RBP; MOV RBP, RSP; PUSH RBX --> <!-- PUSH RBP; MOV(RBP, RSP) (shared objects) -->
<funcstart after="data" /> <!-- must be something defined right before this, or no memory -->
</pattern>
</patternlist>
Reference in New Issue View Git Blame Copy Permalink