Channel: windows deep internals

crowdstrike

Since everyone (including "professional C++ programmers") has already written about it, I will also write it down (for memory). This was not the first time: proof. The official report is very vague, but we can...

bpf_verifier_ops

Let's dissect some typical eBPF spyware. It sets up uprobes on SSL_read_ex, SSL_read, SSL_write_ex, SSL_write, gotls_write_register, gotls_read_register, gotls_exit_read_register and uses bpf functions...

hidden executable pages in linux kernel

The standard method to find rootkits like this (or like this) is cross-scanning PTEs of memory without the NX bit, then extracting the pages belonging to LKMs; the set difference then yields the hidden executable...

hidden executable pages in linux kernel, part 2

In part 1 I described how memory is managed by the hardware. Now let's dig into how the kernel sees memory. Not surprisingly, we should check the same structures that malicious drivers update while...

bug in gcc?

It seems that gcc does not always emit COMPONENT_REF when accessing fields of structures passed by reference. For example, today I added a simple static function append_name(aux_type_clutch&clutch, const char...

Tracking arguments of functions in gcc

I am continuing to improve my gcc plugin for collecting cross-references: 1, 2, 3, 4, 5, 6 & 7. This week I decided to see if I can extract the source of complex types like records and most prominent...

gcc plugin to collect cross-references, part 9

Let's extract some useful results from my gcc plugin for collecting cross-references: 1, 2, 3, 4, 5, 6, 7 & 8. I've noticed that the plugin worked unbearably slowly on big source files (like compiling...

TLS in gcc RTL

Let's check how TLS looks in RTL. I wrote a simple test: (insn 29 8 10 3 (set (reg:SI 0 ax [orig:82 _1 ] [82])        (mem/c:SI (const:DI (unspec:DI [                        (symbol_ref:DI...

binding c++ objects to perl

Sure, there are lots of ways to do this (as usual in Perl: "there's more than one way to do it"), just to name a few: swig - the result looks non-native and clumsy, and you also need to make a facade-like...

perl module for DWARF debug info parsing

I've made a perl binding of my c++ dwarf dumper. It supports 64/32 bit, no DWO; I'm not sure if it can load arbitrary object files, but at least it can parse LKMs - I even added relocation processing. Maybe one day...

perl module for powerpc disasm

It seems that there is no good open-source disassembler for PPC except Capstone. And it even has a perl binding - unfortunately it can extract only basic fields like opcode and text, but no operands for...

ptx internals

It seems that the syntax of PTX is undocumented - at least I was unable to find an actual BNF grammar or reference implementation. The grammar from the antlr project is greatly out-dated and doesn't contain...

nvidia sass disassembler

A couple of weeks ago I made a decryptor to extract the so-called "machine descriptions" (MD) from nvdisasm (btw nvdisasm v12 uses the lz4 compression library, so I made yet another decryptor + results). And after...

nvidia sass disassembler, part 2

Let's continue exploring the "machine descriptions" - this time trying to understand how to make the format output more similar to genuine nvdisasm. For example, the format for one of the variants of I2F looks like: FORMAT...

nvidia sass disassembler, part 3

It looks like this rabbit hole goes much deeper. Some const banks do not have ConstBankAddressX: CX:Sb[UniformRegister:URb][UImm(16)*:Sb_offset] BITS_6_37_32_Ra_URb=URb BITS_14_53_40_Sb_offset=Sb_offset...

nvidia sass disassembler, part 4

I've made a native sass disassembler - just by adding c++ codegen (which can be produced by ead.pl with the -C option). It works via dynamic loading of the right disasm module - see the list of supported architectures in map...

nvidia sass disassembler, part 5

Previous parts: 1, 2, 3 & 4. I've finally added native rendering for instructions - actually just a rewrite of the terrible perl function make_inst. Because the output typically renders only a small fraction...

ptx instructions emitting by nvidia compiler

I recently became curious which ptx instructions exactly the nvidia compiler can produce - whether it uses something totally undocumented or, vice versa, some official ptx instructions are never generated...

ptx instructions emitting by nvidia compiler. part 2

Part 1 described v10. And today let's check cicc v12. The first thing that catches your eye is its size - almost 76Mb! And it also contains at least 5 different decryptors - Nvidia really wants to hide...

nvidia sass disassembler, part 6: predicates

Previous parts: 1, 2, 3, 4 & 5. Let's check how pairs of instructions are chained together - this information is stored in MD files whose names end in _2.txt - for example from sm90_2.txt: CONNECTOR CONDITIONS...

nvidia sass disassembler, part 7: dual issued instructions

Previous parts: 1, 2, 3, 4, 5 & 6. As you may have noticed, genuine nvdisasm puts a couple of instructions in curly braces for old sm (always 88 bits). So I finally realized how those dual-issued instructions...

nvidia sass latency tables

It seems that latency values are the best-kept secret - I was able to find only one article on the internet, and its author didn't provide any code to decipher those tables. So, Disclaimer: All of the following are...

nvidia sass assembler

I am very skeptical about patching existing .cubin files - it requires too much book-keeping. Let's say we want to insert several additional instructions into some function - then we need to extend...

nvdisasm sass parser

Having a sass assembler, it seems like an easy task to make a parser for it. So I made a parser for nvdisasm output. Let's check some samples: SHF.R.S32.HI R209, RZ, 0x2, R209 ; Looks like an easy application of LL(1)...

curse of IMAD

Found a strange case while disassembling some forms of IMAD (btw the raison d'être of GPUs). Official nvdisasm shows: IMAD.WIDE R2, R7, R6, c[0x0][0x168] ; /* 0x00005a0007027625 */ my nvd: ; IMAD line 63362 n 1196...
