bitdefender / bddisasm

bddisasm is a fast, lightweight, x86/x64 instruction decoder. The project also features a fast, basic, x86/x64 instruction emulator, designed specifically to detect shellcode-like behavior.
Apache License 2.0

False-positive decoding on AMD64: `FSTDW` #37

Closed woodruffw closed 3 years ago

woodruffw commented 3 years ago

bddisasm currently decodes `4ddfe1` as `FSTDW`.

FSTDW is a floating point instruction that only existed on the 80387SL. As such, no modern AMD64 CPU supports it, and it can only ever possibly be valid in a 16 or 32-bit mode.

```
4ddfe1 (0 / 0) (0 / 0) (0 / 0) FSTDW ax (3 / 8) (0 / 0)
```

References:

vlutas commented 3 years ago

Fixed in https://github.com/bitdefender/bddisasm/commit/98ea9e1d9a74b5e6ed050d2356cceefbc18462d4
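
The following is an added example, not part of the thread and not bddisasm code: a self-contained check that a decoder test harness could run over the reported bytes. It assumes the standard x86-64 reading of `4d` as a REX prefix followed by the `df e1` opcode pair, and it takes the 64-bit rejection policy from the issue text, not from the linked commit. The names `classify_fstdw`, `enum mode` and `enum verdict` are hypothetical, and legacy prefixes (`66`, `67`, segment overrides) are not handled.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum mode { MODE_16 = 16, MODE_32 = 32, MODE_64 = 64 };

enum verdict {
    V_OTHER,             /* first instruction is not the DF E1 encoding */
    V_LEGACY_ONLY,       /* DF E1 in 16/32-bit mode: the 80387SL FSTDW slot */
    V_REJECT_LONG_MODE,  /* DF E1 in 64-bit mode: per the issue, must not decode */
    V_TRUNCATED          /* not enough bytes for opcode + ModRM */
};

/* 0x40..0x4F are REX prefixes only in 64-bit mode; in 16/32-bit mode the
 * same bytes are one-byte INC/DEC instructions (0x4D is DEC eBP). */
static int is_rex(uint8_t b, enum mode m)
{
    return m == MODE_64 && (b & 0xF0) == 0x40;
}

/* Classify the first instruction in code[0..len) for the given mode. */
enum verdict classify_fstdw(const uint8_t *code, size_t len, enum mode m)
{
    size_t i = 0;

    while (i < len && is_rex(code[i], m))   /* REX does not change the opcode */
        i++;
    if (len - i < 2)
        return V_TRUNCATED;
    if (code[i] == 0xDF && code[i + 1] == 0xE1)
        return m == MODE_64 ? V_REJECT_LONG_MODE : V_LEGACY_ONLY;
    return V_OTHER;
}

int main(void)
{
    /* Bytes from the issue report. */
    static const uint8_t reported[] = { 0x4d, 0xdf, 0xe1 };
    enum verdict v = classify_fstdw(reported, sizeof reported, MODE_64);

    if (v == V_REJECT_LONG_MODE)
        puts("4ddfe1: a 64-bit decoder that returns FSTDW here is a false positive");
    return v == V_REJECT_LONG_MODE ? 0 : 1;
}
```

In 32-bit mode the same three bytes start with `DEC EBP`, so the function reports `V_OTHER` at offset 0 and `V_LEGACY_ONLY` only when called on the `df e1` pair itself.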