From d9fd2b61ca6252b65d7bdbbc24f3d919ea102db9 Mon Sep 17 00:00:00 2001
From: Antonio Flores Montoya
Date: Tue, 8 Oct 2024 10:23:44 -0400
Subject: [PATCH] Only discard int3 instructions that are in between other 2 int3 instructions

Int3 instructions at the end of a sequence could be being used (seen in 94/76/97/StringIntegration.exe) of the assemblage dataset.
---
 src/datalog/binary/pe/pe_binaries.dl | 3 ++-
 src/datalog/code_inference.dl | 3 ++-
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/datalog/binary/pe/pe_binaries.dl b/src/datalog/binary/pe/pe_binaries.dl
index 52067e25..1d21d9dd 100644
--- a/src/datalog/binary/pe/pe_binaries.dl
+++ b/src/datalog/binary/pe/pe_binaries.dl
@@ -119,7 +119,8 @@ symbol(EA,0,"NOTYPE","GLOBAL","DEFAULT",0,"export",as(Ordinal,unsigned),Function
 is_padding(EA+1):-
 binary_format("PE"),
 instruction_get_operation(EA,"INT3"),
- instruction_get_operation(EA+1,"INT3").
+ instruction_get_operation(EA+1,"INT3"),
+ instruction_get_operation(EA+2,"INT3").
 /** Non-destructive multi-byte NOPs used by the MSVC compiler. (See `listing.inc'.)
diff --git a/src/datalog/code_inference.dl b/src/datalog/code_inference.dl
index c48afb1a..4ead19e6 100644
--- a/src/datalog/code_inference.dl
+++ b/src/datalog/code_inference.dl
@@ -286,7 +286,8 @@ invalid(EA+1,"INT3"):-
 binary_isa("X64")
 ),
 instruction_get_operation(EA,"INT3"),
- instruction_get_operation(EA+1,"INT3").
+ instruction_get_operation(EA+1,"INT3"),
+ instruction_get_operation(EA+2,"INT3").
 .decl possible_ea(EA:address) inline
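Review bot: The `is_padding(EA+1)` rule in pe_binaries.dl now needs three consecutive INT3s, but nothing beside the rule records the resulting boundary behaviour: a run of exactly two INT3s marks no padding at all, and in longer runs both the first and the last INT3 are left out. The same holds for `invalid(EA+1,"INT3")` in code_inference.dl. I would add a comment above each rule such as `// Only an INT3 with an INT3 on both sides is dropped: the INT3 that closes a run may be a real, reachable instruction.` Any existing description of this rule sits above the hunk, so check that it does not still say every repeated INT3 is padding.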
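Review bot: With the extra `EA+2` atom, `invalid(EA+1,"INT3")` no longer rejects the last INT3 of any run, so the final byte of ordinary inter-function filler stays a code candidate in the same way as the genuinely used INT3 that the commit message describes. Nothing in this commit pins how those two cases are told apart, as the diffstat lists only the two .dl files. Presumably a later pass resolves the leftover candidate, but that is not visible here. A regression example with runs of two, three and more INT3s, one of them ending in an INT3 that real code reaches, would fix the intended classification. The body of this rule begins above the hunk, so only part of the ISA guard is visible.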