intel / processwatch

GNU General Public License v2.0

Add Arm support - Use Capstone for disassembling #17

Closed grahamwoodward closed 2 weeks ago

grahamwoodward commented 1 month ago

Main changes are

matthew-olson-intel commented 1 month ago

On paternity leave right now, but right off the bat, can you make Capstone a git submodule? I noticed that you uploaded its source to this repo.

grahamwoodward commented 1 month ago

Meh, my mistake, it's meant to be a submodule.

Edit: Ah, so it was a submodule, I'd just added/committed the full directory, doh.

Congrats on the newborn as well, hope all is well.

matthew-olson-intel commented 2 weeks ago

I'd actually like to go a bit further, and switch to Capstone for x86 too. Helps clean things up significantly, and seems to work just fine for me.

I'm working on removing Zydis now.

matthew-olson-intel commented 2 weeks ago

@grahamwoodward Does that still work for you?

grahamwoodward commented 2 weeks ago

I'm away now, lol, but I'll check Monday when I'm back in the office.

grahamwoodward commented 2 weeks ago

> @grahamwoodward Does that still work for you?

How do the Capstone groups match the Zydis groups? I'm not 100% sure the aarch64 groups, or rather "features" in LLVM-speak, are useful to developers... some of the HasX features don't actually mean this set of instructions or that set, but I'm not sure what to do about that. Maybe for now it's OK.

matthew-olson-intel commented 2 weeks ago

Well, it looks like the groups are roughly analogous to the Zydis categories; for example, there's AVX, AVX512, SSE1, SSE2, etc.; all common groups of x86 instructions. On ARM, are those not useful to know? For example, if you're on an ARM system, and want to know if you're using vector instructions, could you do that easily by taking a glance at the instruction groups in Capstone?

matthew-olson-intel commented 2 weeks ago

I largely focus on instruction groups in Process Watch because there are so many instructions in CISC, so they need some kind of organization to simplify scripting. On RISC architectures users might want to primarily use mnemonics directly.

matthew-olson-intel commented 2 weeks ago

All right, let's see if that works nicely on ARM64.

grahamwoodward commented 2 weeks ago

> All right, let's see if that works nicely on ARM64.

A couple of compiler issues, which I've addressed. Also (and I'm not sure why) the clang compilation line to build insn.bpf.o doesn't detect the aarch64 defines... so for that file I'm using the define we pass in BPF_CFLAGS, e.g. __TARGET_ARCH_arm.

matthew-olson-intel commented 2 weeks ago

Great, looks good to me.

matthew-olson-intel commented 2 weeks ago

@grahamwoodward Thank you for the contribution! I know it was a bit of work, but Capstone seems to be working quite well at the task.

grahamwoodward commented 2 weeks ago

Whoop whoop. Excellent, thanks Matthew.