
Direct vs. Indirect branches

Open hlitz opened this issue 8 years ago • 10 comments

How can I find out whether a branch/call is direct or indirect? There seems to be no API nor ICLASS which lets us do it.

hlitz avatar Aug 01 '17 16:08 hlitz

All branches are in the "xed_category_enum_t" of COND_BR or UNCOND_BR. Without my adding an attribute to the grammar, you'd just have to look for the existence of a RELBR operand to see if the thing was relative (direct) or indirect. I think the easiest way you can do that is with xed3_operand_get_brdisp_width(). But an attribute or API would make this more obvious, I agree.

markcharney avatar Aug 01 '17 19:08 markcharney

Thanks! What does xed3_operand_get_brdisp_width() precisely do? What is a displacement width?

I assume I could also iterate over the operands and check whether one is of type XED_OPERAND_RELBR?

How can I find out whether calls are direct/indirect?

thanks again

hlitz avatar Aug 02 '17 08:08 hlitz

I think it gives the number of bytes to encode the displacement (usually 1, 2 or 4 bytes) and probably 0 if this instruction has no brdisp (indirect call). All of that is a wild guess though.

hlide avatar Aug 02 '17 12:08 hlide

Yes, that's right, but it's bits, not bytes.

markcharney avatar Aug 07 '17 20:08 markcharney

what if I have the full target address encoded as immediate? There should be no displacement but it is still a direct branch. Or do all branches with an immediate ptr still have an additional displacement?

hlitz avatar Jun 11 '20 19:06 hlitz

Hi. What instruction are you referring to? The conditional branches all jump to an address encoded in a displacement whose value is relative to the location of the instruction. There are a variety of unconditional "near" jumps. The indirect near jumps jump to an address specified in a memory location or a register. There are relative near jumps that work like the conditional branches mentioned first. Finally there are far jumps that jump through a specific segment:offset, but those don't see much use these days.

markcharney avatar Jun 12 '20 03:06 markcharney

I thought that direct far jumps can jump to an address encoded as an immediate operand and do not use a displacement (e.g. opcode "EA cd").

hlitz avatar Jun 12 '20 16:06 hlitz

EA cd is a far jmp; it takes a 2B pointer and a 2B segment. Far jumps take a segment:offset. I'm guessing most people would not want to do that these days.

markcharney avatar Jun 12 '20 17:06 markcharney

Would checking the return value of xed_decoded_inst_get_attribute(&insn, XED_ATTRIBUTE_INDIRECT_BRANCH) work, or does that have a different meaning than xed3_operand_get_brdisp_width?

nlbrown2 avatar Mar 08 '21 02:03 nlbrown2

Yes, you can check XED_ATTRIBUTE_INDIRECT_BRANCH for indirect branches.

markcharney avatar Mar 08 '21 15:03 markcharney
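As an added illustration of the distinction this thread settles on (not code from XED or from any participant), the classifier below walks raw 32-bit-mode branch encodings and separates them the same way: relative ("direct") branches carry a branch displacement whose width is reported in bits, indirect branches carry no displacement and name their target through ModRM, and far direct jumps carry an immediate segment:offset pointer. It assumes 32-bit mode with no 0x66/REX prefixes and the constructed sample bytes in main(); the enum and struct names are its own, not XED identifiers.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
/* Constructed illustration, not XED's own code. Direct branches carry a relative
 * displacement (8 or 32 bits here, in bits as xed3_operand_get_brdisp_width reports);
 * indirect branches have none and select their target via ModRM.reg (FF /2 /3 /4 /5);
 * far direct jumps (EA/9A) carry an immediate segment:offset. No prefixes handled. */
typedef enum { BR_NONE, BR_DIRECT_REL, BR_INDIRECT, BR_FAR_DIRECT, BR_FAR_INDIRECT } br_kind_t;
typedef struct {
    br_kind_t kind;
    int disp_bits;     /* width of the relative displacement, 0 if none */
    int conditional;   /* 1 for Jcc (COND_BR), 0 otherwise */
    uint32_t target;   /* resolved target for relative branches */
} br_info_t;
static int32_t read_disp(const uint8_t *p, int bits) {
    if (bits == 8) return (int8_t)p[0];
    return (int32_t)((uint32_t)p[0] | (uint32_t)p[1] << 8 |
                     (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24);
}
br_info_t classify_branch(const uint8_t *b, size_t len, uint32_t ip) {
    br_info_t r = { BR_NONE, 0, 0, 0 };
    int oplen = 1, bits = 0;
    if (len == 0) return r;
    if (b[0] == 0xE8 || b[0] == 0xE9) bits = 32;                     /* CALL/JMP rel32 */
    else if (b[0] == 0xEB) bits = 8;                                   /* JMP rel8 */
    else if ((b[0] & 0xF0) == 0x70) { bits = 8; r.conditional = 1; }  /* Jcc rel8 */
    else if (b[0] == 0x0F && len > 1 && (b[1] & 0xF0) == 0x80) {      /* Jcc rel32 */
        oplen = 2; bits = 32; r.conditional = 1;
    } else if (b[0] == 0xEA || b[0] == 0x9A) {                         /* JMP/CALL ptr16:32 */
        r.kind = BR_FAR_DIRECT; return r;
    } else if (b[0] == 0xFF && len > 1) {
        int reg = (b[1] >> 3) & 7;                                     /* ModRM.reg field */
        if (reg == 2 || reg == 4) r.kind = BR_INDIRECT;                /* CALL/JMP r/m32 */
        else if (reg == 3 || reg == 5) r.kind = BR_FAR_INDIRECT;       /* CALL/JMP m16:32 */
        return r;
    }
    if (bits == 0 || len < (size_t)(oplen + bits / 8)) return r;      /* not a branch / truncated */
    r.kind = BR_DIRECT_REL;
    r.disp_bits = bits;
    /* Relative targets are measured from the end of the instruction. */
    r.target = ip + (uint32_t)(oplen + bits / 8) + (uint32_t)read_disp(b + oplen, bits);
    return r;
}
int main(void) {
    const uint8_t call_rel[] = { 0xE8, 0x10, 0x00, 0x00, 0x00 };  /* constructed: call +0x10 */
    const uint8_t call_eax[] = { 0xFF, 0xD0 };                    /* constructed: call eax */
    br_info_t a = classify_branch(call_rel, sizeof call_rel, 0x1000);
    br_info_t b = classify_branch(call_eax, sizeof call_eax, 0x1000);
    printf("call rel32: kind=%d disp_bits=%d target=0x%x\n", a.kind, a.disp_bits, a.target);
    printf("call eax:   kind=%d disp_bits=%d\n", b.kind, b.disp_bits);
    return 0;
}
```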