remill seems does not support CR8 yet

[4B5F5F4B]

While lifting instructions like reading CR8 register, remill fails locating variable or register CR8.

F1223 03:17:21.708014  6463 InstructionLifter.cpp:285] Could not locate variable or register CR8
*** Check failure stack trace: ***
    @     0x55cb693de0fc  google::LogMessageFatal::~LogMessageFatal()
    @     0x55cb68a820f5  remill::InstructionLifter::LoadRegAddress()
    @     0x55cb68a853fa  remill::InstructionLifter::LoadRegValue()
    @     0x55cb68a8863d  remill::InstructionLifter::LiftRegisterOperand()
    @     0x55cb68a8132a  remill::InstructionLifter::LiftOperand()
    @     0x55cb68a833a1  remill::InstructionLifter::LiftIntoBlock()
    @     0x55cb6892df76  mcsema::InstructionLifter::LiftIntoBlock()
    @     0x55cb689231e2  mcsema::(anonymous namespace)::LiftInstIntoBlock()
    @     0x55cb6892ac0d  mcsema::DefineLiftedFunctions()
    @     0x55cb6892ffa7  mcsema::LiftCodeIntoModule()
    @     0x55cb688c5855  main
    @     0x7f6ca93900b3  __libc_start_main
    @     0x55cb688ee87e  _start
    @              (nil)  (unknown)
Aborted (core dumped)

It seems that remill doest add CR8 register in X86/Arch.cpp

//  // Debug registers. No-ops keep them from being stripped off the module.
  //  DR0
  //  DR1
  //  DR2
  //  DR3
  //  DR4
  //  DR5
  //  DR6
  //  DR7

  //  REG(CR0, lat);
  //  REG(CR1, lat);
  //  REG(CR2, lat);
  //  REG(CR3, lat);
  //  REG(CR4, lat);
  //#if 64 == ADDRESS_SIZE_BITS
  //  REG(CR8, lat);
  //#endif

My remill commit 37741957d6d43bcaafac8e316a875a1b7ce4838f

[pgoodman]

I think the way I'd want to go about lifting code operating on CR3 and other privileged registers would be to not treat it as a registr, but instead of embed the register name into the ISEL name, then use hyper calls for all reading/writing.

Are you willing to do any of this work?

[4B5F5F4B]

I think the way I'd want to go about lifting code operating on CR3 and other privileged registers would be to not treat it as a registr, but instead of embed the register name into the ISEL name, then use hyper calls for all reading/writing.

Are you willing to do any of this work?

I want to, but I'm afraid that I'm not familiar with the codebase and how remill works internally:(

[pgoodman]

What's your use case for privileged instructions? If you'd rather not discuss here, then ping my user name "pag" on the Empire Hacking slack.

[4B5F5F4B]

What's your use case for privileged instructions? If you'd rather not discuss here, then ping my user name "pag" on the Empire Hacking slack.

I tried to use mcsema to lift some Windows kernel drivers which contains some priviledged instructions

[arbel03]

+1 Bump Can you give me a clue about where in the code should I look for a quick patch?

[pgoodman]

@arbel03 the simplest / quickest patch would be injecting in either a global variable into here: https://github.com/lifting-bits/remill/blob/master/lib/Arch/X86/Runtime/BasicBlock.cpp#L45 (funny because this is CR8), or:

1) Move this structure to the end of the file, after the various struct CRnReg defintions that follow: https://github.com/lifting-bits/remill/blob/master/include/remill/Arch/X86/Runtime/State.h#L766 2) Add some register fields into the just-moved State structure, e.g. CR8Reg cr8;. You might need to fixup or remove some static asserts on the size of State. 3) Add CR8 here, kind of like what is done for other regs: https://github.com/lifting-bits/remill/blob/master/lib/Arch/X86/Arch.cpp#L1704-L1730

[arbel03]

Oh you're right, CR3 does exist in the state. I pulled an image from here which seems to be outdated: https://hub.docker.com/r/trailofbits/mcsema/tags Now building locally so it should work :) Thank you!

[pgoodman]

Newer remill's won't work with mcsema. McSema isn't actively maintained.