Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

missing number features due to compiler using LEA to load constants

See original GitHub issue

Summary

Compilers may setup API call constants via offsets instead of numbers (see examples below). I’ve seen this especially in 64-bit code using the LEA instruction.

It’s not ideal to manually account for things like this in rules as seen in https://github.com/fireeye/capa-rules/pull/122.

With some more research we can also come up with better ways to recognize such cases and only report number features accordingly.

Motivation

Per https://github.com/fireeye/capa-rules/pull/122#discussion_r489615545:

xor     edx, edx        ; pszRootPath
xor     ecx, ecx        ; hwnd
lea     r8d, [rdx+7]    ; dwFlags <-------
call    cs:SHEmptyRecycleBinW

Another example:

.text:000000018000F0D1 lea     r9d, [rsi+40h]  ; flProtect <-------
.text:000000018000F0D5 xor     ecx, ecx        ; lpAddress
.text:000000018000F0D7 mov     [rsp+0A8h+arg_0], rbp
.text:000000018000F0DF mov     r8d, 3000h      ; flAllocationType
.text:000000018000F0E5 mov     edx, [rbp+50h]  ; dwSize
.text:000000018000F0E8 call    cs:VirtualAlloc

Describe alternatives you’ve considered

Ignore edge cases like these

Issue Analytics

State:
Created 3 years ago
Comments:5

Top GitHub Comments

1reaction

re-foxcommented, Sep 17, 2020

I encountered this when I was working on Luhn variations. https://github.com/fireeye/capa-rules/pull/52/files

We ended up merging the rule with 2 conditions, 1 account for the LEA and the other accounting for the regular numeric operation.

      - basic block:
        - or:
          - and:
            - number: 0x30
            - mnemonic: sub
            description: Conversion of chr to int (SUB 0x30) 
          - and:
            - mnemonic: lea
            - offset: -0x30
            description: Conversion of chr to int (LEA REG,[REG+ -0x30])

I think you have an interesting question, but I’m not sure what the best answer is.

This is just to contribute more data to the issue so it can help steer a decision.

0reactions

williballenthincommented, Apr 6, 2022

this proposal was agreed to verbally by @mr-tz @mike-hunhoff during our weekly call

Top Results From Across the Web

What's the purpose of the LEA instruction? - Stack Overflow

As others have pointed out, LEA (load effective address) is often used as a "trick" to do certain computations, but that's not its...

Using the LEA instruction for arbitrary arithmetic

This is the Load Effective Address instruction, which the documentation says is used to "compute an effective memory address". But your code ...

Sigma16 User Guide

Registers, constants, and arithmetic ; The architecture has a register file ; A computer program is a sequence of instructions ; Sigma16 performs ......

22C:60 Notes, Chapter 5 - University of Iowa

In fact, we now have two ways to load a 32-bit constant into a register. We can either assemble that constant in memory,...

2. Optimizing subroutines in assembly language - Agner Fog

8 Making function libraries compatible with multiple compilers ... loads the address of array A into register RBX by using a LEA instruction....