
new option KS_OPT_SYM_RESOLVER to dynamically resolve symbols

Open aquynh opened this issue 9 years ago • 5 comments

I just added a new setup option for ks_option() named KS_OPT_SYM_RESOLVER, so we can handle missing symbols at run-time.

More information will follow in the next post.

aquynh avatar Oct 02 '16 05:10 aquynh

For an example of this new option KS_OPT_SYM_RESOLVER, see this C sample code: https://github.com/keystone-engine/keystone/commit/765dd9f0616ca303a693c822754722e291ef78dc

For Python sample code, see https://github.com/keystone-engine/keystone/commit/40c477a79dfc27726a329f25dd93c2f9e217d1ac.

NOTE: at the moment, only the Python binding supports this option. Hopefully other bindings will be updated soon for this.

aquynh avatar Oct 02 '16 05:10 aquynh

Just tested this. I have a symbol ZwQueryInformationProcess that resolves to 0x00007FF98A050840; however, when assembling call ZwQueryInformationProcess from 0x00007FF98A081A38 the output is E8 07 EE FC FF, which disassembles to call 0x00007FF98A050844, so the offset is 4 off. When assembling call 0x00007FF98A050840 the result is E8 03 EE FC FF, which is correct. Mode is x64.

mrexodia avatar Oct 02 '16 09:10 mrexodia
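The two posts above describe the resolver callback and an off-by-4 result when a call is assembled against a resolved symbol. The following is an added example (not code from the keystone project or from either poster) that does two things: it independently computes the expected E8 rel32 encoding from the addresses quoted in the thread, so a regression test can compare an assembler's output against a known-good value instead of trusting the assembler, and it shows a resolver callback in the shape the keystone Python binding uses (symbol as bytes, value written through value[0], True when handled). The callback signature and the ks.sym_resolver / ks.asm(code, addr) usage are taken from the binding's sample and are assumptions here; the keystone import is optional so the checking functions run without it.

```python
import struct

# Addresses quoted in the thread above (x64, 5-byte E8 rel32 call).
SYMBOL_ADDR = 0x00007FF98A050840   # value ZwQueryInformationProcess resolves to
INSN_ADDR = 0x00007FF98A081A38     # address the call is assembled at
CALL_REL32_LEN = 5                 # opcode E8 + 4-byte signed displacement
MASK64 = 0xFFFFFFFFFFFFFFFF


def encode_call_rel32(insn_addr, target):
    """Encode `call target` as E8 rel32 when assembled at insn_addr.

    The displacement is relative to the address of the *next* instruction
    (insn_addr + 5), which is what RIP holds when the call executes.
    """
    rel = target - (insn_addr + CALL_REL32_LEN)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target is out of rel32 range")
    return b"\xE8" + struct.pack("<i", rel)


def decode_call_rel32(encoding, insn_addr):
    """Return the address a 5-byte E8 rel32 encoding actually transfers to."""
    if len(encoding) != CALL_REL32_LEN or encoding[0] != 0xE8:
        raise ValueError("not a call rel32 encoding")
    (rel,) = struct.unpack("<i", encoding[1:])
    return (insn_addr + CALL_REL32_LEN + rel) & MASK64


def check_resolved_call(encoding, insn_addr, expected_target):
    """Signed distance (bytes) between where the encoding lands and the
    symbol's real value; 0 means the symbol fixup was applied correctly."""
    return decode_call_rel32(encoding, insn_addr) - expected_target


def sym_resolver(symbol, value):
    # Callback shape assumed from the keystone Python binding sample:
    # symbol arrives as bytes, the resolved address is stored in value[0],
    # and True tells the assembler the symbol was handled.
    if symbol == b"ZwQueryInformationProcess":
        value[0] = SYMBOL_ADDR
        return True
    return False


def assemble_with_keystone(code, insn_addr):
    """Assemble `code` at insn_addr with the resolver installed.
    Returns None when the keystone binding is not installed."""
    try:
        from keystone import Ks, KS_ARCH_X86, KS_MODE_64
    except ImportError:
        return None
    ks = Ks(KS_ARCH_X86, KS_MODE_64)
    ks.sym_resolver = sym_resolver          # KS_OPT_SYM_RESOLVER under the hood
    encoding, _count = ks.asm(code, insn_addr)
    return bytes(encoding)


if __name__ == "__main__":
    expected = encode_call_rel32(INSN_ADDR, SYMBOL_ADDR)
    print("expected encoding:", expected.hex(" ").upper())
    # Bytes reported in the thread for the resolved-symbol case.
    reported = bytes.fromhex("E807EEFCFF")
    print("reported bytes land at", hex(decode_call_rel32(reported, INSN_ADDR)),
          "error =", check_resolved_call(reported, INSN_ADDR, SYMBOL_ADDR))
    produced = assemble_with_keystone("call ZwQueryInformationProcess", INSN_ADDR)
    if produced is not None:
        print("keystone produced", produced.hex(" ").upper(),
              "error =", check_resolved_call(produced, INSN_ADDR, SYMBOL_ADDR))
```

With the thread's numbers, encode_call_rel32 yields E8 03 EE FC FF (the encoding mrexodia got for the literal address) and the reported E8 07 EE FC FF decodes to a target 4 bytes past the symbol. A regression test in suite/regress can assert check_resolved_call(...) == 0 against whatever the assembler emits, which catches a wrong fixup base regardless of which symbol or address is used.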

Could you send in a test case for this, and put it under https://github.com/keystone-engine/keystone/tree/master/suite/regress?

aquynh avatar Oct 02 '16 10:10 aquynh

Pull request sent.

mrexodia avatar Oct 02 '16 10:10 mrexodia

Problem mentioned by @mrexodia still persists for me. Any progress on this?

abel1502 avatar Jul 18 '22 12:07 abel1502