|
|
/*++
Copyright (c) 1990-2001 Microsoft Corporation
Module Name:
kdcpuapi.c
Abstract:
This module implements CPU specific remote debug APIs.
Author:
Mark Lucovsky (markl) 04-Sep-1990
Revision History:
24-sep-90 bryanwi
Port to the x86.
--*/
#include <stdio.h>
#include "kdp.h"
#define END_OF_CONTROL_SPACE
extern ULONG KdpCurrentSymbolStart, KdpCurrentSymbolEnd;extern ULONG KdSpecialCalls[];extern ULONG KdNumberOfSpecialCalls;
LONGKdpLevelChange ( ULONG Pc, PCONTEXT ContextRecord, PBOOLEAN SpecialCall );
LONGregValue( UCHAR reg, PCONTEXT ContextRecord );
BOOLEANKdpIsSpecialCall ( ULONG Pc, PCONTEXT ContextRecord, UCHAR opcode, UCHAR ModRM );
ULONGKdpGetReturnAddress ( PCONTEXT ContextRecord );
ULONGKdpGetCallNextOffset ( ULONG Pc, PCONTEXT ContextRecord );
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGEKD, KdpLevelChange)
#pragma alloc_text(PAGEKD, regValue)
#pragma alloc_text(PAGEKD, KdpIsSpecialCall)
#pragma alloc_text(PAGEKD, KdpGetReturnAddress)
#pragma alloc_text(PAGEKD, KdpSetContextState)
#pragma alloc_text(PAGEKD, KdpSetStateChange)
#pragma alloc_text(PAGEKD, KdpGetStateChange)
#pragma alloc_text(PAGEKD, KdpSysReadControlSpace)
#pragma alloc_text(PAGEKD, KdpSysWriteControlSpace)
#pragma alloc_text(PAGEKD, KdpSysReadIoSpace)
#pragma alloc_text(PAGEKD, KdpSysWriteIoSpace)
#pragma alloc_text(PAGEKD, KdpSysReadMsr)
#pragma alloc_text(PAGEKD, KdpSysWriteMsr)
#pragma alloc_text(PAGEKD, KdpGetCallNextOffset)
#endif
/**** KdpIsTryFinallyReturn - detect finally optimization
** Input:* pc - program counter of instruction to check* ContextRecord - machine specific context** Output:* returns TRUE if this is a try-finally returning to the same* scope***************************************************************************/
BOOLEANKdpIsTryFinallyReturn ( ULONG Pc, PCONTEXT ContextRecord ){ ULONG retaddr; ULONG calldisp; UCHAR inst;
//
// The complier generates code for a try-finally that involves having
// a ret instruction that does not match with a call instruction.
// This ret never returns a value (ie, it's a c3 return and not a
// c2). It always returns into the current symbol scope. It is never
// preceeded by a leave, which (hopefully) should differentiate it
// from recursive returns. Check for this, and if we find it count
// it as *0* level change.
//
// As an optimization, the compiler will often change:
// CALL
// RET
// into:
// JMP
// In either case, we figure out the return address. It's the first 4 bytes
// on the stack.
//
if (!NT_SUCCESS(KdpCopyFromPtr(&retaddr, ContextRecord->Esp, 4, NULL))) { return FALSE; }
// DPRINT(( "Start %x return %x end %x\n", KdpCurrentSymbolStart, retaddr, KdpCurrentSymbolEnd ));
if ( (KdpCurrentSymbolStart < retaddr) && (retaddr < KdpCurrentSymbolEnd) ) {
//
// Well, things aren't this nice. We may have transferred but not yet
// updated the start/end. This case occurs in a call to a thunk. We
// look to see if the instruction before the return address is a call.
// Gross and not 100% reliable.
//
if (!NT_SUCCESS(KdpCopyFromPtr(&inst, (PCHAR)retaddr - 5, 1, NULL))) { return FALSE; } if (!NT_SUCCESS(KdpCopyFromPtr(&calldisp, (PCHAR)retaddr - 4, 4, NULL))) { return FALSE; }
if (inst == 0xe8 && calldisp + retaddr == Pc) {// DPRINT(( "call to thunk @ %x\n", Pc ));
return FALSE; }
//
// returning to the current function. Either a finally
// or a recursive return. Check for a leave. This is not 100%
// reliable since we are betting on an instruction longer than a byte
// and not ending with 0xc9.
//
if (!NT_SUCCESS(KdpCopyFromPtr(&inst, (PCHAR)Pc - 1, 1, NULL))) { return FALSE; }
if ( inst != 0xc9 ) { // not a leave. Assume a try-finally.
// DPRINT(( "transfer at %x is try-finally\n", Pc ));
return TRUE; } }
//
// This appears to be a true RET instruction
//
return FALSE;}
/**** KdpLevelChange - say how the instruction affects the call level
** Input:* pc - program counter of instruction to check* ContextRecord - machine specific context* SpecialCall - pointer to returned boolean indicating if the* instruction is a transfer to a special routine** Output:* returns -1 for a level pop, 1 for a push and 0 if it is* unchanged.* NOTE: This function belongs in some other file. I should move it.***************************************************************************/
LONGKdpLevelChange ( ULONG Pc, PCONTEXT ContextRecord, PBOOLEAN SpecialCall ){ UCHAR membuf[2]; ULONG Addr;
membuf[0] = 0xcc; membuf[1] = 0xcc; KdpCopyFromPtr(membuf, Pc, 2, NULL);
switch (membuf[0]) { case 0xe8: // CALL direct w/32 bit displacement
//
// For try/finally, the compiler may, in addition to the push/ret trick
// below, use a call to the finally thunk. Since we treat a RET to
// within the same symbol scope as not changing levels, we will also
// treat such a call as not changing levels either
//
if (!NT_SUCCESS(KdpCopyFromPtr(&Addr, (PCHAR)Pc + 1, 4, NULL))) { Addr = 0; } else { Addr += Pc + 5; }
if ((KdpCurrentSymbolStart <= Addr) && (Addr < KdpCurrentSymbolEnd)) { *SpecialCall = FALSE; return 0; }
case 0x9a: // CALL segmented 16:32
*SpecialCall = KdpIsSpecialCall( Pc, ContextRecord, membuf[0], membuf[1] ); return 1;
case 0xff: //
// This is a compound instruction. Dispatch on operation
//
switch (membuf[1] & 0x38) { case 0x10: // CALL with mod r/m
*SpecialCall = KdpIsSpecialCall( Pc, ContextRecord, membuf[0], membuf[1] ); return 1; case 0x20: // JMP with mod r/m
*SpecialCall = KdpIsSpecialCall( Pc, ContextRecord, membuf[0], membuf[1] );
//
// If this is a try/finally, we'd like to treat it as call since the
// return inside the destination will bring us back to this context.
// However, if it is a jmp to a special routine, we must treat it
// as a no-level change operation since we won't see the special
// routines's return.
//
// If it is not a try/finally, we'd like to treat it as a no-level
// change, unless again, it is a transfer to a special call which
// views this as a level up.
//
if (KdpIsTryFinallyReturn( Pc, ContextRecord )) { if (*SpecialCall) { //
// We won't see the return, so pretend it is just
// inline code
//
return 0;
} else { //
// The destinations return will bring us back to this
// context
//
return 1; } } else if (*SpecialCall) { //
// We won't see the return but we are, indeed, doing one.
//
return -1; } else { return 0; }
default: *SpecialCall = FALSE; return 0; }
case 0xc3: // RET
//
// If we are a try/finally ret, then we indicate that it is NOT a level
// change
//
if (KdpIsTryFinallyReturn( Pc, ContextRecord )) { *SpecialCall = FALSE; return 0; }
case 0xc2: // RET w/16 bit esp change
case 0xca: // RETF w/16 bit esp change
case 0xcb: // RETF
*SpecialCall = FALSE; return -1;
default: *SpecialCall = FALSE; return 0; }
} // KdpLevelChange
�LONGregValue( UCHAR reg, PCONTEXT ContextRecord ){ switch (reg) { case 0x0: return(ContextRecord->Eax); break; case 0x1: return(ContextRecord->Ecx); break; case 0x2: return(ContextRecord->Edx); break; case 0x3: return(ContextRecord->Ebx); break; case 0x4: return(ContextRecord->Esp); break; case 0x5: return(ContextRecord->Ebp); break; case 0x6: return(ContextRecord->Esi); break; case 0x7: return(ContextRecord->Edi); break; } return 0;}�BOOLEANKdpIsSpecialCall ( ULONG Pc, PCONTEXT ContextRecord, UCHAR opcode, UCHAR modRM )
/*++
Routine Description:
Check to see if the instruction at pc is a call to one of the SpecialCall routines.
Argument:
Pc - program counter of instruction in question.
--*/{ UCHAR sib; USHORT twoBytes; ULONG callAddr; ULONG addrAddr; LONG offset; ULONG i; char d8;
if ( opcode == 0xe8 ) {
//
// Signed offset from pc
//
if (!NT_SUCCESS(KdpCopyFromPtr(&offset, (PCHAR)Pc + 1, 4, NULL))) { callAddr = 0; } else { callAddr = Pc + offset + 5; // +5 for instr len.
}
} else if ( opcode == 0xff ) {
if ( ((modRM & 0x38) != 0x10) && ((modRM & 0x38) != 0x20) ) { // not call or jump
return FALSE; } if ( (modRM & 0x08) == 0x08 ) { // m16:16 or m16:32 -- we don't handle this
return FALSE; }
if ( (modRM & 0xc0) == 0xc0 ) {
/* Direct register addressing */ callAddr = regValue( (UCHAR)(modRM&0x7), ContextRecord );
} else if ( (modRM & 0xc7) == 0x05 ) { //
// Calls across dll boundaries involve a call into a jump table,
// wherein the jump address is set to the real called routine at DLL
// load time. Check to see if we're calling such an instruction,
// and if so, compute its target address and set callAddr there.
//
// ff15 or ff25 -- call or jump indirect with disp32. Get
// address of address
//
if (!NT_SUCCESS(KdpCopyFromPtr(&addrAddr, (PCHAR)Pc + 2, 4, NULL))) { callAddr = 0; } else { //
// Get real destination address
//
if (!NT_SUCCESS(KdpCopyFromPtr(&callAddr, addrAddr, 4, NULL))) { callAddr = 0; } }// DPRINT(( "Indirect call/jmp @ %x\n", Pc ));
} else if ( (modRM & 0x7) == 0x4 ) {
LONG indexValue;
/* sib byte present */ if (!NT_SUCCESS(KdpCopyFromPtr(&sib, (PCHAR)Pc + 2, 1, NULL))) { sib = 0; } indexValue = regValue( (UCHAR)((sib & 0x31) >> 3), ContextRecord ); switch ( sib&0xc0 ) { case 0x0: /* x1 */ break; case 0x40: indexValue *= 2; break; case 0x80: indexValue *= 4; break; case 0xc0: indexValue *= 8; break; } /* switch */
switch ( modRM & 0xc0 ) {
case 0x0: /* no displacement */ if ( (sib & 0x7) == 0x5 ) {// DPRINT(("funny call #1 at %x\n", Pc));
return FALSE; } callAddr = indexValue + regValue((UCHAR)(sib&0x7), ContextRecord ); break;
case 0x40: if ( (sib & 0x6) == 0x4 ) {// DPRINT(("Funny call #2\n")); /* calling into the stack */
return FALSE; } if (!NT_SUCCESS(KdpCopyFromPtr( &d8, (PCHAR)Pc + 3, 1, NULL))) { d8 = 0; } callAddr = indexValue + d8 + regValue((UCHAR)(sib&0x7), ContextRecord ); break;
case 0x80: if ( (sib & 0x6) == 0x4 ) {// DPRINT(("Funny call #3\n")); /* calling into the stack */
return FALSE; } if (!NT_SUCCESS(KdpCopyFromPtr(&offset, (PCHAR)Pc + 3, 4, NULL))) { offset = 0; } callAddr = indexValue + offset + regValue((UCHAR)(sib&0x7), ContextRecord ); break;
case 0xc0: ASSERT( FALSE ); break;
}
} else { //KdPrint(( "undecoded call at %x\n",
// CONTEXT_TO_PROGRAM_COUNTER(ContextRecord) ));
return FALSE; }
} else if ( opcode == 0x9a ) {
/* Absolute address call (best I can tell, cc doesn't generate this) */ if (!NT_SUCCESS(KdpCopyFromPtr( &callAddr, (PCHAR)Pc + 1, 4, NULL))) { callAddr = 0; }
} else { return FALSE; }
//
// Calls across dll boundaries involve a call into a jump table,
// wherein the jump address is set to the real called routine at DLL
// load time. Check to see if we're calling such an instruction,
// and if so, compute its target address and set callAddr there.
//
#if 0
if (!NT_SUCCESS(KdpCopyFromPtr( &twoBytes, (PCHAR)callAddr, 2, NULL))) { twoBytes = 0; } if ( twoBytes == 0x25ff ) { /* i386 is little-Endian; really 0xff25 */
//
// This is a 'jmp dword ptr [mem]' instruction, which is the sort of
// jump used for a dll-boundary crossing call. Fixup callAddr.
//
if (!NT_SUCCESS(KdpCopyFromPtr( &addrAddr, (PCHAR)callAddr + 2, 4, NULL))) { callAddr = 0; } else if (!NT_SUCCESS(KdpCopyFromPtr( &callAddr, addrAddr, 4, NULL))) { callAddr = 0; } }#endif
for ( i = 0; i < KdNumberOfSpecialCalls; i++ ) { if ( KdSpecialCalls[i] == callAddr ) { return TRUE; } } return FALSE;
}�/*
* Find the return address of the current function. Only works when * locals haven't yet been pushed (ie, on the first instruction of the * function). */
ULONGKdpGetReturnAddress ( PCONTEXT ContextRecord ){ ULONG retaddr;
if (!NT_SUCCESS(KdpCopyFromPtr(&retaddr, ContextRecord->Esp, 4, NULL))) { retaddr = 0; } return retaddr;
} // KdpGetReturnAddress
�VOIDKdpSetContextState( IN OUT PDBGKD_ANY_WAIT_STATE_CHANGE WaitStateChange, IN PCONTEXT ContextRecord ){ PKPRCB Prcb;
//
// Special registers for the x86
//
Prcb = KeGetCurrentPrcb();
WaitStateChange->ControlReport.Dr6 = Prcb->ProcessorState.SpecialRegisters.KernelDr6;
WaitStateChange->ControlReport.Dr7 = Prcb->ProcessorState.SpecialRegisters.KernelDr7;
WaitStateChange->ControlReport.SegCs = (USHORT)(ContextRecord->SegCs); WaitStateChange->ControlReport.SegDs = (USHORT)(ContextRecord->SegDs); WaitStateChange->ControlReport.SegEs = (USHORT)(ContextRecord->SegEs); WaitStateChange->ControlReport.SegFs = (USHORT)(ContextRecord->SegFs); WaitStateChange->ControlReport.EFlags = ContextRecord->EFlags;
WaitStateChange->ControlReport.ReportFlags = X86_REPORT_INCLUDES_SEGS;
// If the current code segment is a known flat code
// segment let the debugger know so that it doesn't
// have to retrieve the descriptor.
if (ContextRecord->SegCs == KGDT_R0_CODE || ContextRecord->SegCs == KGDT_R3_CODE + 3) { WaitStateChange->ControlReport.ReportFlags |= X86_REPORT_STANDARD_CS; }}
VOIDKdpSetStateChange( IN OUT PDBGKD_ANY_WAIT_STATE_CHANGE WaitStateChange, IN PEXCEPTION_RECORD ExceptionRecord, IN PCONTEXT ContextRecord, IN BOOLEAN SecondChance )
/*++
Routine Description:
Fill in the Wait_State_Change message record.
Arguments:
WaitStateChange - Supplies pointer to record to fill in
ExceptionRecord - Supplies a pointer to an exception record.
ContextRecord - Supplies a pointer to a context record.
SecondChance - Supplies a boolean value that determines whether this is the first or second chance for the exception.
Return Value:
None.
--*/
{ KdpSetContextState(WaitStateChange, ContextRecord);}
VOIDKdpGetStateChange( IN PDBGKD_MANIPULATE_STATE64 ManipulateState, IN PCONTEXT ContextRecord )
/*++
Routine Description:
Extract continuation control data from Manipulate_State message
Arguments:
ManipulateState - supplies pointer to Manipulate_State packet
ContextRecord - Supplies a pointer to a context record.
Return Value:
None.
--*/
{ PKPRCB Prcb; ULONG Processor;
if (NT_SUCCESS(ManipulateState->u.Continue2.ContinueStatus) == TRUE) {
//
// If NT_SUCCESS returns TRUE, then the debugger is doing a
// continue, and it makes sense to apply control changes.
// Otherwise the debugger is saying that it doesn't know what
// to do with this exception, so control values are ignored.
//
if (ManipulateState->u.Continue2.ControlSet.TraceFlag == TRUE) { ContextRecord->EFlags |= 0x100L;
} else { ContextRecord->EFlags &= ~0x100L;
}
for (Processor = 0; Processor < (ULONG)KeNumberProcessors; Processor++) { Prcb = KiProcessorBlock[Processor];
Prcb->ProcessorState.SpecialRegisters.KernelDr7 = ManipulateState->u.Continue2.ControlSet.Dr7;
Prcb->ProcessorState.SpecialRegisters.KernelDr6 = 0L; } if (ManipulateState->u.Continue2.ControlSet.CurrentSymbolStart != 1) { KdpCurrentSymbolStart = ManipulateState->u.Continue2.ControlSet.CurrentSymbolStart; KdpCurrentSymbolEnd = ManipulateState->u.Continue2.ControlSet.CurrentSymbolEnd; } }}
NTSTATUSKdpSysReadControlSpace( ULONG Processor, ULONG64 Address, PVOID Buffer, ULONG Request, PULONG Actual )
/*++
Routine Description:
Reads implementation specific system data.
IMPLEMENTATION NOTE:
On the X86, control space is defined as follows:
0: Base of KPROCESSOR_STATE structure. (KPRCB.ProcessorState) This includes CONTEXT record, followed by a SPECIAL_REGISTERs record
Arguments:
Processor - Processor's information to access.
Address - Offset in control space.
Buffer - Data buffer.
Request - Amount of data to move.
Actual - Amount of data actually moved.
Return Value:
NTSTATUS.
--*/
{ ULONG Length, t; PVOID StartAddr; NTSTATUS Status;
Length = Request; if ((Address < sizeof(KPROCESSOR_STATE)) && (Processor < (ULONG)KeNumberProcessors)) { t = (ULONG)(sizeof(KPROCESSOR_STATE)) - (ULONG)Address; if (t < Length) { Length = t; } StartAddr = (PVOID) ((ULONG)Address + (ULONG)&(KiProcessorBlock[Processor]->ProcessorState)); Status = KdpCopyToPtr(Buffer, StartAddr, Length, Actual); } else { Status = STATUS_UNSUCCESSFUL; *Actual = 0; }
return Status;}
NTSTATUSKdpSysWriteControlSpace( ULONG Processor, ULONG64 Address, PVOID Buffer, ULONG Request, PULONG Actual )
/*++
Routine Description:
Writes implementation specific system data.
Control space for x86 is as defined above.
Arguments:
Processor - Processor's information to access.
Address - Offset in control space.
Buffer - Data buffer.
Request - Amount of data to move.
Actual - Amount of data actually moved.
Return Value:
NTSTATUS.
--*/
{ ULONG Length; PVOID StartAddr; NTSTATUS Status;
if (((Address + Request) <= sizeof(KPROCESSOR_STATE)) && (Processor < (ULONG)KeNumberProcessors)) {
StartAddr = (PVOID) ((ULONG)Address + (ULONG)&(KiProcessorBlock[Processor]->ProcessorState));
Status = KdpCopyFromPtr(StartAddr, Buffer, Request, Actual); } else { Status = STATUS_UNSUCCESSFUL; *Actual = 0; }
return Status;}
NTSTATUSKdpSysReadIoSpace( INTERFACE_TYPE InterfaceType, ULONG BusNumber, ULONG AddressSpace, ULONG64 Address, PVOID Buffer, ULONG Request, PULONG Actual )
/*++
Routine Description:
Reads system I/O locations.
Arguments:
InterfaceType - I/O interface type.
BusNumber - Bus number.
AddressSpace - Address space.
Address - I/O address.
Buffer - Data buffer.
Request - Amount of data to move.
Actual - Amount of data actually moved.
Return Value:
NTSTATUS.
--*/
{ NTSTATUS Status = STATUS_SUCCESS;
if (InterfaceType != Isa || BusNumber != 0 || AddressSpace != 1) { *Actual = 0; return STATUS_UNSUCCESSFUL; } //
// Check Size and Alignment
//
switch ( Request ) { case 1: *(PUCHAR)Buffer = READ_PORT_UCHAR((PUCHAR)(ULONG_PTR)Address); *Actual = 1; break; case 2: if ( Address & 1 ) { Status = STATUS_DATATYPE_MISALIGNMENT; } else { *(PUSHORT)Buffer = READ_PORT_USHORT((PUSHORT)(ULONG_PTR)Address); *Actual = 2; } break; case 4: if ( Address & 3 ) { Status = STATUS_DATATYPE_MISALIGNMENT; } else { *(PULONG)Buffer = READ_PORT_ULONG((PULONG)(ULONG_PTR)Address); *Actual = 4; } break; default: Status = STATUS_INVALID_PARAMETER; *Actual = 0; break; }
return Status;}
NTSTATUSKdpSysWriteIoSpace( INTERFACE_TYPE InterfaceType, ULONG BusNumber, ULONG AddressSpace, ULONG64 Address, PVOID Buffer, ULONG Request, PULONG Actual )
/*++
Routine Description:
Writes system I/O locations.
Arguments:
InterfaceType - I/O interface type.
BusNumber - Bus number.
AddressSpace - Address space.
Address - I/O address.
Buffer - Data buffer.
Request - Amount of data to move.
Actual - Amount of data actually moved.
Return Value:
NTSTATUS.
--*/
{ NTSTATUS Status = STATUS_SUCCESS;
if (InterfaceType != Isa || BusNumber != 0 || AddressSpace != 1) { *Actual = 0; return STATUS_UNSUCCESSFUL; } //
// Check Size and Alignment
//
switch ( Request ) { case 1: WRITE_PORT_UCHAR((PUCHAR)(ULONG_PTR)Address, *(PUCHAR)Buffer); *Actual = 1; break; case 2: if ( Address & 1 ) { Status = STATUS_DATATYPE_MISALIGNMENT; } else { WRITE_PORT_USHORT((PUSHORT)(ULONG_PTR)Address, *(PUSHORT)Buffer); *Actual = 2; } break; case 4: if ( Address & 3 ) { Status = STATUS_DATATYPE_MISALIGNMENT; } else { WRITE_PORT_ULONG((PULONG)(ULONG_PTR)Address, *(PULONG)Buffer); *Actual = 4; } break; default: Status = STATUS_INVALID_PARAMETER; *Actual = 0; break; }
return Status;}
NTSTATUSKdpSysReadMsr( ULONG Msr, PULONG64 Data )
/*++
Routine Description:
Reads an MSR.
Arguments:
Msr - MSR index.
Data - Data buffer.
Return Value:
NTSTATUS.
--*/
{ NTSTATUS Status = STATUS_SUCCESS; try { *Data = RDMSR(Msr); } except (EXCEPTION_EXECUTE_HANDLER) { *Data = 0; Status = STATUS_NO_SUCH_DEVICE; }
return Status;}
NTSTATUSKdpSysWriteMsr( ULONG Msr, PULONG64 Data )
/*++
Routine Description:
Writes an MSR.
Arguments:
Msr - MSR index.
Data - Data buffer.
Return Value:
NTSTATUS.
--*/
{ NTSTATUS Status = STATUS_SUCCESS;
try { WRMSR (Msr, *Data); } except (EXCEPTION_EXECUTE_HANDLER) { Status = STATUS_NO_SUCH_DEVICE; }
return Status;}
�/*** KdpGetCallNextOffset - compute "next" instruction on a call-like instruction
** Purpose:* Compute how many bytes are in a call-type instruction* so that a breakpoint can be set upon this instruction's* return. Treat indirect jmps as if they were call/ret/ret** Returns:* offset to "next" instruction, or 0 if it wasn't a call instruction.**************************************************************************/
ULONGKdpGetCallNextOffset ( ULONG Pc, PCONTEXT ContextRecord ){ UCHAR membuf[2]; UCHAR opcode; ULONG sib; ULONG disp;
if (!NT_SUCCESS(KdpCopyFromPtr( membuf, Pc, 2, NULL ))) { return 0; }
opcode = membuf[0];
if ( opcode == 0xe8 ) { // CALL 32 bit disp
return Pc+5; } else if ( opcode == 0x9a ) { // CALL 16:32
return Pc+7; } else if ( opcode == 0xff ) { if ( membuf[1] == 0x25) { // JMP indirect
return KdpGetReturnAddress( ContextRecord ); } sib = ((membuf[1] & 0x07) == 0x04) ? 1 : 0; disp = (membuf[1] & 0xc0) >> 6; switch (disp) { case 0: if ( (membuf[1] & 0x07) == 0x05 ) { disp = 4; // disp32 alone
} else { // disp = 0; // no displacement with reg or sib
} break; case 1: // disp = 1; // disp8 with reg or sib
break; case 2: disp = 4; // disp32 with reg or sib
break; case 3: disp = 0; // direct register addressing (e.g., call esi)
break; } return Pc + 2 + sib + disp; }
return 0;
} // KdpGetCallNextOffset
|
