Detecting an illegal instruction opcode on Intel P

Posted 2019-09-18 00:16

Question:

I am writing a Pin tool where I want to detect an instruction with a particular opcode. I have an executable from a sample C program where I am printing hello world. The architecture used is x86_64 and I have the trace of assembly instructions in the program. I am giving this program's assembly instruction trace to the Intel PIN tool, on which I am running the instruction trace and performing operations.

My goal here is to detect a particular opcode from my original program. For example I have added the following line in my C program-

asm(".byte 0x17");   // pop ss in 32-bit mode, but illegal in x86-64

Due to this 0x17 is an instruction in my C program trace. In my Intel PIN tool I have an instruction trace like this-

VOID Instruction(INS ins, VOID *v) 
{
   if(INS_Opcode(ins)==0x17)
   {
        //Do something
   }
}

However when I run my instruction trace, my Pin tool fails due to the illegal instruction 0x17 I have placed.

When I print the instruction opcodes as they come, I see that they have different opcodes from the x86_64 ones. For example the instruction AND has opcode 0x17 when I print. Do I have to do some kind of decoding, or am I detecting the opcodes in the wrong way?