bitdefender / bddisasm

bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
Apache License 2.0

False-positive decoding on AMD64: INTO #22

Closed woodruffw closed 3 years ago

woodruffw commented 3 years ago

Hi there, mishegos maintainer here.

It looks like bddisasm currently treats CEh as a valid decoding for INTO (i.e., interrupt level 4 if FLAGS.OF=1) in 64-bit mode. This is incorrect -- CEh is only INTO in 32-bit mode, and is invalid in 64-bit mode.

Some examples (the first two columns are XED and Zydis reporting that the decoding is invalid; the third is bddisasm incorrectly reporting a valid decoding):

ce (0 / 0) (0 / 0) INTO (1 / 4)

Similarly, prefixed versions should also be treated as invalid in 64-bit mode:

6667f365ce (0 / 0) (0 / 0) INTO (5 / 4)

From the AMD developer's manual:

[Screenshot of the relevant AMD developer's manual page, attached to the original issue]
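As an added illustration (not bddisasm's code, and not from the reporter), a mode-aware check that reproduces the report's two vectors and generalises slightly: it skips legacy prefixes (and, in 64-bit mode only, a REX byte, exercised with a constructed `48 CE` input) and then rejects CEh together with the other one-byte opcodes the Intel SDM opcode map annotates as invalid in 64-bit mode. The function and type names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One-byte opcodes the Intel SDM opcode map (Appendix A, "i64" entries) and
   the AMD manual mark invalid in 64-bit mode; CEh (INTO) is one of them.
   62h/C4h/C5h also serve as EVEX/VEX prefixes; a full decoder disambiguates
   them by the following byte, which this minimal check does not do. */
static const uint8_t i64_opcodes[] = {
    0x06, 0x07, 0x0E, 0x16, 0x17, 0x1E, 0x1F, 0x27, 0x2F, 0x37, 0x3F,
    0x60, 0x61, 0x62, 0x82, 0x9A, 0xC4, 0xC5, 0xCE, 0xD4, 0xD5, 0xD6, 0xEA
};

/* UNHANDLED: not in the table (decode normally); INVALID_64: must raise #UD
   in 64-bit mode; LEGACY_OK: a valid legacy encoding in 16/32-bit mode. */
typedef enum { OP_UNHANDLED = -1, OP_INVALID_64 = 0, OP_LEGACY_OK = 1 } op_status_t;

static bool is_legacy_prefix(uint8_t b)
{
    return b == 0x66 || b == 0x67 || b == 0xF0 || b == 0xF2 || b == 0xF3 ||   /* size, LOCK, REP */
           b == 0x26 || b == 0x2E || b == 0x36 || b == 0x3E || b == 0x64 || b == 0x65; /* segment */
}

/* Skips legacy prefixes (plus one REX byte in 64-bit mode, where 40h-4Fh are
   REX rather than INC/DEC) and classifies the opcode byte. prefix_len may be NULL. */
op_status_t classify_i64_opcode(const uint8_t *code, size_t len,
                                bool long_mode, size_t *prefix_len)
{
    size_t i = 0;
    while (i < len && is_legacy_prefix(code[i]))
        i++;
    if (long_mode && i < len && (code[i] & 0xF0) == 0x40)   /* REX */
        i++;
    if (prefix_len)
        *prefix_len = i;
    if (i >= len)
        return OP_UNHANDLED;                /* truncated: prefixes with no opcode */
    for (size_t k = 0; k < sizeof i64_opcodes; k++)
        if (code[i] == i64_opcodes[k])
            return long_mode ? OP_INVALID_64 : OP_LEGACY_OK;
    return OP_UNHANDLED;
}

/* Number of prefix bytes (legacy + REX) found in front of the opcode byte. */
size_t i64_prefix_len(const uint8_t *code, size_t len, bool long_mode)
{
    size_t n = 0;
    classify_i64_opcode(code, len, long_mode, &n);
    return n;
}
```

With the report's vectors, `CE` and `66 67 F3 65 CE` classify as OP_LEGACY_OK in 32-bit mode and OP_INVALID_64 in 64-bit mode, which is the behaviour the reporter expects from the decoder.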