Only discard int3 instructions that are in between other 2 int3 instr…

…uctions Int3 instructions at the end of a sequence could be being used (seen in 94/76/97/StringIntegration.exe) of the assemblage dataset.
GrammaTech · Oct 8, 2024 · d9fd2b6 · d9fd2b6
1 parent ec829e1
commit d9fd2b6
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 2 deletions.
diff --git a/src/datalog/binary/pe/pe_binaries.dl b/src/datalog/binary/pe/pe_binaries.dl
@@ -119,7 +119,8 @@ symbol(EA,0,"NOTYPE","GLOBAL","DEFAULT",0,"export",as(Ordinal,unsigned),Function
 is_padding(EA+1):-
     binary_format("PE"),
     instruction_get_operation(EA,"INT3"),
-    instruction_get_operation(EA+1,"INT3").
+    instruction_get_operation(EA+1,"INT3"),
+    instruction_get_operation(EA+2,"INT3").
 
 /**
 Non-destructive multi-byte NOPs used by the MSVC compiler. (See `listing.inc'.)

diff --git a/src/datalog/code_inference.dl b/src/datalog/code_inference.dl
@@ -286,7 +286,8 @@ invalid(EA+1,"INT3"):-
          binary_isa("X64")
     ),
     instruction_get_operation(EA,"INT3"),
-    instruction_get_operation(EA+1,"INT3").
+    instruction_get_operation(EA+1,"INT3"),
+    instruction_get_operation(EA+2,"INT3").
 
 .decl possible_ea(EA:address) inline