
Relative instruction addresses in 64-bit mode

2016-07-17 08:27 309 views
While searching for the signature bytes of a symbol on a 64-bit system, I found that its MOV instruction used a relative address. In 32-bit code I had never heard of MOV using relative addressing, so I looked it up in the Intel instruction manual.

Under the description of the MOV instruction I found the following:

In 64-bit mode, the instruction's default operation size is 32 bits. Use of the REX.R prefix permits access to additional registers (R8-R15). Use of the REX.W prefix promotes operation to 64 bits. See the summary chart at the beginning of this section for encoding data and limits.

So in 64-bit mode the default operand size is still 32 bits; REX.R extends the register set (R8-R15) and REX.W promotes the operation to 64 bits.

REX prefix structure:



The manual's description of RIP:

2.2.1.6 RIP-Relative Addressing

A new addressing form, RIP-relative (relative instruction-pointer) addressing, is implemented in 64-bit mode. An effective address is formed by adding displacement to the 64-bit RIP of the next instruction.

In IA-32 architecture and compatibility mode, addressing relative to the instruction pointer is available only with control-transfer instructions. In 64-bit mode, instructions that use ModR/M addressing can use RIP-relative addressing. Without RIP-relative addressing, all ModR/M modes address memory relative to zero.

RIP-relative addressing allows specific ModR/M modes to address memory relative to the 64-bit RIP using a signed 32-bit displacement. This provides an offset range of ±2GB from the RIP. Table 2-7 shows the ModR/M and SIB encodings for RIP-relative addressing. Redundant forms of 32-bit displacement-addressing exist in the current ModR/M and SIB encodings. There is one ModR/M encoding and there are several SIB encodings. RIP-relative addressing is encoded using a redundant form.

In 64-bit mode, the ModR/M Disp32 (32-bit displacement) encoding is re-defined to be RIP+Disp32 rather than displacement-only. See Table 2-7.



The ModR/M encoding for RIP-relative addressing does not depend on using a prefix. Specifically, the r/m bit field encoding of 101B (used to select RIP-relative addressing) is not affected by the REX prefix. For example, selecting R13 (REX.B = 1, r/m = 101B) with mod = 00B still results in RIP-relative addressing. The 4-bit r/m field of REX.B combined with ModR/M is not fully decoded. In order to address R13 with no displacement, software must encode R13 + 0 using a 1-byte displacement of zero.

RIP-relative addressing is enabled by 64-bit mode, not by a 64-bit address-size. The use of the address-size prefix does not disable RIP-relative addressing. The effect of the address-size prefix is to truncate and zero-extend the computed effective address to 32 bits.

RIP-relative addressing is a new 64-bit feature. In 64-bit mode an instruction selects it through a specific ModR/M encoding, and because the displacement is a signed 32-bit value the reachable range is ±2GB around RIP. The address is computed relative to the instruction that follows the current one, i.e. target address = address of the next instruction + displacement. Whether ModR/M selects RIP does not depend on the instruction prefix: for example, even when the REX prefix together with r/m designates the R13 register, with mod = 00 the instruction still uses RIP rather than R13.

An example. The original instruction bytes: 4c8b2dedd9eaff

Here 4c is the REX prefix with W and R set; R together with the reg field designates the r13 register, and no SIB byte is used. 2d is 00101101, i.e. mod = 00 and r/m = 101, which selects RIP-relative addressing; the remaining four bytes are the 32-bit displacement.

The address referenced by the MOV instruction can then be computed like this:

// Compute the address of ObpLookupObjectByName
ULONG_PTR ObpLookupObjectByName = (ULONG_PTR)((PUCHAR)tg1_addr + 0x301 + 5 + offset);

// At offset 0x62C inside ObpLookupObjectByName is the instruction MOV R13, ObRootDirectoryObject
// (7 bytes: REX, opcode, ModR/M, disp32); adding 7 lands on the next instruction
ULONG_PTR next_code = (ULONG_PTR)((PUCHAR)ObpLookupObjectByName + 0x62C + 7);

// Read the displacement that follows the ModR/M byte (offset +3 in the instruction).
// It is a signed 32-bit value, so it must be kept as INT32: a UINT32 would zero-extend
// a negative displacement and put the computed address 4GB away from the real target
INT32 rip = *(PINT32)((PUCHAR)ObpLookupObjectByName + 0x62C + 3);

// Next-instruction address + displacement gives the target address
POBJECT_DIRECTORY ObRootDirectoryObject = (POBJECT_DIRECTORY)((ULONG_PTR)next_code + rip);
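The decoding walked through above, as an added C example that is not part of the original post: it parses the post's instruction bytes 4c 8b 2d ed d9 ea ff, checks that mod = 00 with r/m = 101 selects RIP-relative addressing regardless of REX.B, reads the displacement as a signed 32-bit value and adds it to the next-instruction address. The load address 0x1000000, the struct and the function names are constructed for this example. It goes slightly beyond the post by rejecting the mod = 01 form that really does address R13 and by refusing a truncated displacement.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Decoded view of one "MOV r64, [RIP+disp32]" instruction (REX.W 8B /r, mod=00, r/m=101). */
typedef struct {
    int      ok;      /* 1 if the bytes really are a RIP-relative MOV r64, r/m64 */
    size_t   length;  /* total instruction length (REX + opcode + ModR/M + disp32) */
    unsigned reg;     /* destination register 0..15 after REX.R extension (13 == R13) */
    int32_t  disp32;  /* the displacement, read as a signed 32-bit value */
    uint64_t target;  /* next-instruction address + disp32 */
} rip_mov_t;

/*
 * Decode the bytes at 'code'; 'addr' is the virtual address of code[0].
 * Only the form discussed on the page is handled: an optional REX prefix,
 * opcode 8B, and a ModR/M byte with mod=00 and r/m=101.
 */
rip_mov_t decode_rip_mov(const uint8_t *code, size_t len, uint64_t addr)
{
    rip_mov_t r;
    size_t i = 0;
    uint8_t rex = 0, modrm;
    uint32_t raw;

    memset(&r, 0, sizeof r);
    if (i < len && (code[i] & 0xF0) == 0x40)   /* REX prefix is 0100WRXB */
        rex = code[i++];
    if (!(rex & 0x08))                          /* REX.W must be set for a 64-bit MOV */
        return r;
    if (i >= len || code[i] != 0x8B)            /* opcode: MOV r64, r/m64 */
        return r;
    i++;
    if (i >= len)
        return r;
    modrm = code[i++];
    /* mod=00 with r/m=101 selects RIP+disp32; REX.B does not change that, which is
       why "R13 + 0" has to be encoded with mod=01 and a zero disp8 instead. */
    if ((modrm >> 6) != 0 || (modrm & 7) != 5)
        return r;
    if (i + 4 > len)                            /* disp32 must be fully present */
        return r;
    raw = (uint32_t)code[i] | ((uint32_t)code[i + 1] << 8)
        | ((uint32_t)code[i + 2] << 16) | ((uint32_t)code[i + 3] << 24);
    i += 4;

    r.ok     = 1;
    r.length = i;
    r.reg    = ((modrm >> 3) & 7) | ((rex & 0x04) ? 8 : 0);   /* REX.R adds 8 */
    r.disp32 = (int32_t)raw;                                   /* sign-extend, never zero-extend */
    r.target = addr + (uint64_t)r.length + (uint64_t)(int64_t)r.disp32;
    return r;
}

/* The post's instruction bytes 4c 8b 2d ed d9 ea ff. */
static const uint8_t page_bytes[7] = { 0x4c, 0x8b, 0x2d, 0xed, 0xd9, 0xea, 0xff };

/* The address the post's instruction references when it is located at 'addr'. */
uint64_t page_example_target(uint64_t addr)
{
    return decode_rip_mov(page_bytes, sizeof page_bytes, addr).target;
}

int main(void)
{
    uint64_t addr = 0x1000000ULL;   /* constructed load address for the example */
    rip_mov_t d = decode_rip_mov(page_bytes, sizeof page_bytes, addr);
    if (!d.ok) { puts("not a RIP-relative MOV"); return 1; }
    printf("mov r%u, [rip%+d]  len=%zu  next=0x%llx  target=0x%llx\n",
           d.reg, d.disp32, d.length,
           (unsigned long long)(addr + d.length), (unsigned long long)d.target);
    return 0;
}
```

For the post's bytes the displacement decodes as -0x152613, so the target lies below the instruction; had the decoder read it into an unsigned 32-bit type the sign would be lost and the computed address would land 4GB away, which is exactly why the displacement is kept as int32_t before the 64-bit addition.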