Open
Description
Hello,
Hooking the function for ZYDIS_FORMATTER_FUNC_POST_OPERAND does not seem to behave as documented. If the function returns ZYAN_STATUS_SUCCESS, then the source operand is dropped from the instruction (not output/printed). If the function returns ZYAN_STATUS_FAILED, then the source operand is printed.
The above behavior does not seem consistent with the behavior documented for ZydisFormatterFunc.
The above behavior can be obtained by making the following modifications to the "Formatter01" example.
(1.)
// add the following in the "data" array (as the first line)
0x48, 0x8D, 0x65, 0x00, // lea rsp, [rbp] // the ", [rbp]" will be dropped depending on return value
(2.)
// in DisassembleBuffer add the following statements
default_post_op = (ZydisFormatterFunc) &ZydisFormatterPostOperand;
ZydisFormatterSetHook(&formatter, ZYDIS_FORMATTER_FUNC_POST_OPERAND, (const void**) &default_post_op);
(3.) add the following hook function
static ZyanStatus ZydisFormatterPostOperand(const ZydisFormatter* formatter,
                                            ZydisFormatterBuffer* buffer,
                                            ZydisFormatterContext* context)
{   // breakpoint here - for tracing
    // there is no default function, therefore nothing to execute (nil pointer)
    // uncomment the statement below and the source operand will be printed
    //return ZYAN_STATUS_FAILED; // source operand is printed/output - the formatting process did
                                 // not fail (contrary to what the documentation states)
    return ZYAN_STATUS_SUCCESS;  // causes the source operand to be omitted
                                 // this behavior is not documented (unintended ??)
}
(4.) declare the variable to pass to the set hook function
ZydisFormatterFunc default_post_op;