DunningKruger

Find Two-byte Illegal Opcodes for x86-64

Jan 3rd, 2023 (edited)
#define _CRT_SECURE_NO_WARNINGS
#include <windows.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
  4.  
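// Single-byte opcodes that are invalid (#UD) in 64-bit mode: push/pop of
// ES/CS/SS/DS, DAA/DAS/AAA/AAS, PUSHA/POPA, INTO and SALC.  Every two-byte
// sequence that starts with one of these would be reported as illegal, so
// the driver skips them instead of emitting 256 redundant results each.
// NOTE(review): 0x82, 0xd4/0xd5 (AAM/AAD) and 0x9a/0xea (far CALL/JMP) are
// also invalid in 64-bit mode but are not listed here, so their rows still
// appear in the output; 0x62 (BOUND) is gone too but doubles as the EVEX
// prefix, so its behaviour depends on the CPU.
static const int IllegalSingleByteOpcodes[] = { 0x06, 0x07, 0x0e, 0x16, 0x17, 0x1e, 0x1f, 0x27, 0x2f, 0x37, 0x3f, 0x60, 0x61, 0xce, 0xd6 };

// Number of entries in IllegalSingleByteOpcodes (only valid on the array
// itself, never on a pointer to it).
#define ILLEGAL_SINGLE_BYTE_COUNT (sizeof(IllegalSingleByteOpcodes) / sizeof(IllegalSingleByteOpcodes[0]))

// Return true if `opcode` is one of the known-illegal single-byte opcodes
// above.  Values outside 0..255 never match.
bool is_illegal_opcode(int opcode) {
    for (size_t i = 0; i < ILLEGAL_SINGLE_BYTE_COUNT; i++) {
        if (IllegalSingleByteOpcodes[i] == opcode) {
            return true;
        }
    }
    return false;
}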
  17.  
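// Name of the probe binary, expected to sit next to this executable.
#define CHILD_EXE_NAME "IllegalOpcodes.exe"

// Upper bound on how long one probe child may run.  Some byte pairs form a
// valid instruction that never faults (e.g. a short jump back onto itself),
// so a child still alive after this is assumed hung and is killed.
#define PROBE_TIMEOUT_MS 1000

// Spawn IllegalOpcodes.exe with the two opcode bytes as arguments and wait
// for it to finish or time out.
//
// The child is started by absolute path, built from the directory of the
// running executable, so CreateProcess never falls back to searching the
// current directory or PATH for a same-named binary (binary planting,
// CWE-427).  stdout is flushed before spawning so the parent's progress
// lines land before the child's results when output is redirected to a
// file (both processes write to the same stdout; the parent's copy is
// fully buffered when not a console).
// A failure to locate or start the child prints the Win32 error and exits
// with status 1, as before.  A timeout is reported on stderr so stdout
// stays machine-readable.
void create_and_wait_for_process(int opcode1, int opcode2) {
    // Directory of this executable + CHILD_EXE_NAME.
    char module_path[MAX_PATH];
    DWORD module_len = GetModuleFileNameA(NULL, module_path, MAX_PATH);
    if (module_len == 0 || module_len >= MAX_PATH) {
        printf("GetModuleFileName failed (%lu).\n", GetLastError());
        exit(1);
    }
    const char *last_sep = strrchr(module_path, '\\');
    int dir_len = (last_sep != NULL) ? (int)(last_sep - module_path + 1) : 0;

    char child_path[MAX_PATH];
    int written = snprintf(child_path, sizeof(child_path), "%.*s%s",
                           dir_len, module_path, CHILD_EXE_NAME);
    if (written < 0 || (size_t)written >= sizeof(child_path)) {
        printf("Child path too long.\n");
        exit(1);
    }

    // CreateProcessA may modify lpCommandLine in place, so it must be a
    // writable buffer; argv[0] is quoted in case the path contains spaces.
    char cmdline[MAX_PATH + 64];
    written = snprintf(cmdline, sizeof(cmdline), "\"%s\" %d %d",
                       child_path, opcode1, opcode2);
    if (written < 0 || (size_t)written >= sizeof(cmdline)) {
        printf("Command line too long.\n");
        exit(1);
    }

    STARTUPINFOA si;
    PROCESS_INFORMATION pi;
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    ZeroMemory(&pi, sizeof(pi));

    // Keep parent and child output in order when stdout is a file.
    fflush(stdout);
    if (!CreateProcessA(child_path, cmdline, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi)) {
        printf("CreateProcess failed (%lu).\n", GetLastError());
        exit(1);
    }

    DWORD wait_status = WaitForSingleObject(pi.hProcess, PROBE_TIMEOUT_MS);
    if (wait_status != WAIT_OBJECT_0) {
        // Timeout (or a failed wait): the child is most likely stuck in a
        // valid, non-faulting sequence.  Kill it so the sweep continues.
        fprintf(stderr, "Child for 0x%02x 0x%02x did not exit (wait=%lu), terminating.\n",
                opcode1, opcode2, wait_status);
        TerminateProcess(pi.hProcess, 0);
    }

    CloseHandle(pi.hProcess);
    CloseHandle(pi.hThread);
}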
  46.  
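// Driver: sweep every two-byte sequence (first byte 0x00..0xff, second byte
// 0x00..0xff) through a fresh IllegalOpcodes.exe child each.  First bytes
// that are already illegal on their own are skipped, since every pair
// starting with them would be reported.
//
// Progress lines are flushed immediately so that, when stdout is redirected
// to a file, they appear before the results the children print rather than
// being held in the parent's buffer until exit.
int main(void) {
    for (int opcode1 = 0; opcode1 <= 0xff; opcode1++) {
        if (is_illegal_opcode(opcode1)) {
            printf("\nSkipping Illegal Opcode 0x%02x ...\n", opcode1);
            fflush(stdout);
            continue;
        }

        printf("\nChecking Opcode 0x%02x ...\n", opcode1);
        fflush(stdout);

        for (int opcode2 = 0; opcode2 <= 0xff; opcode2++) {
            create_and_wait_for_process(opcode1, opcode2);
        }
    }

    return 0;
}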
  64.  
  65.  
  66. ------------------- IllegalOpcodes.cpp -------------------
  67.  
  68.  
#include <windows.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
  71.  
// Offset of the last two bytes of a 4 KiB page.  The probe bytes are
// written here so that any instruction needing a third byte fetches from
// the next (uncommitted) page and faults, rather than executing something
// longer than the two bytes under test.
#define CODE_PAGE_END_OFFSET 0xFFE
  74.  
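// Place the two opcode bytes at the last two bytes of `code_page_mem` and
// execute them, printing the pair if the CPU raises #UD.
//
// `code_page_mem` must be a readable/writable/executable page whose
// following page is not committed (see main).  Because the bytes sit at
// offset CODE_PAGE_END_OFFSET, any instruction that needs a third byte
// fetches across the page boundary and raises an access violation, and a
// valid two-byte instruction that simply falls through typically does the
// same; only a genuine EXCEPTION_ILLEGAL_INSTRUCTION (0xC000001D) is
// reported.
//
// Caveats the results inherit:
//  - EXCEPTION_PRIV_INSTRUCTION (e.g. HLT, CLI, IN/OUT from user mode) is
//    deliberately not reported, so privileged-but-defined encodings are
//    absent from the output.
//  - A pair whose first byte is a legacy or REX prefix is only "illegal"
//    in combination with that particular second byte.
//  - A sequence that clobbers RSP before faulting can defeat SEH dispatch
//    and kill the process without reaching the handler; the parent's
//    timeout is what recovers from that.
//  - Opcodes such as GETSEC or RSM raise #UD only outside their required
//    mode, so the set is CPU- and configuration-specific.
void write_and_execute_opcodes(LPVOID code_page_mem, int opcode1, int opcode2)
{
    unsigned char *entry = (unsigned char *)code_page_mem + CODE_PAGE_END_OFFSET;
    entry[0] = (unsigned char)opcode1;
    entry[1] = (unsigned char)opcode2;
    // A no-op on x86 (the instruction cache is coherent with stores), kept
    // to make the write-then-execute step explicit.
    FlushInstructionCache(GetCurrentProcess(), entry, 2);

    __try
    {
        // Jump straight to the two bytes; whatever they decode to runs here.
        ((void(*)(void))entry)();
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        if (GetExceptionCode() == EXCEPTION_ILLEGAL_INSTRUCTION) {
            printf("{0x%02x,0x%02x},", opcode1, opcode2);
            // Get the result out now; the parent may still terminate us.
            fflush(stdout);
        }
        // Any other exception (access violation from running off the page,
        // privileged instruction, ...) means "not #UD" and is ignored.
    }
}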
  98.  
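// Parse one opcode byte from a decimal command-line argument.
// Returns the value in 0..255, or -1 if the text is not such an integer
// (atoi would silently turn garbage into 0 and out-of-range values into a
// truncated byte).
static int parse_opcode(const char *text)
{
    char *end = NULL;
    errno = 0;
    long value = strtol(text, &end, 10);
    if (end == text || *end != '\0' || errno == ERANGE || value < 0 || value > 0xff) {
        return -1;
    }
    return (int)value;
}

// Probe entry point:  IllegalOpcodes.exe <opcode1> <opcode2>
//
// Allocates one RWX page, runs the two bytes from its end via
// write_and_execute_opcodes, and exits.  Exit status is 0 after a probe
// (whatever its outcome), 2 on bad arguments, 1 if the page could not be
// allocated.  The parent reads only stdout, not the exit status.
int main(int argc, char* const argv[])
{
    // No WER crash dialog: a probe that corrupts the stack before faulting
    // can escape the SEH handler in write_and_execute_opcodes, and a modal
    // dialog would only hold the child until the parent's timeout kills it.
    SetErrorMode(SEM_FAILCRITICALERRORS | SEM_NOGPFAULTERRORBOX);

    if (argc < 3) {
        fprintf(stderr, "usage: %s <opcode1 0-255> <opcode2 0-255>\n",
                (argc > 0 && argv[0] != NULL) ? argv[0] : "IllegalOpcodes.exe");
        return 2;
    }
    int opcode1 = parse_opcode(argv[1]);
    int opcode2 = parse_opcode(argv[2]);
    if (opcode1 < 0 || opcode2 < 0) {
        fprintf(stderr, "opcodes must be decimal integers in 0..255\n");
        return 2;
    }

    // One committed RWX page.  Asking for 2 bytes commits a single 4 KiB
    // page and, in practice, leaves the page after it uncommitted, which is
    // what makes the end-of-page placement in write_and_execute_opcodes
    // fault instead of running into unrelated memory.  RWX is deliberate
    // (we write and then execute the same page); it is refused when the
    // process runs under Arbitrary Code Guard, hence the NULL check.
    LPVOID code_page_mem = VirtualAlloc(NULL, 2, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    if (code_page_mem == NULL) {
        fprintf(stderr, "VirtualAlloc failed (%lu).\n", GetLastError());
        return 1;
    }

    write_and_execute_opcodes(code_page_mem, opcode1, opcode2);

    VirtualFree(code_page_mem, 0, MEM_RELEASE);

    return 0;
}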
  114.  
Comments
  • DunningKruger
    2 years
Results output here: https://pastebin.com/5xjjFea6 (the list is specific to the CPU, OS and mode it was collected on: for example 0F 0E was FEMMS on AMD 3DNow! CPUs but is #UD on Intel, and the harness reports only EXCEPTION_ILLEGAL_INSTRUCTION, not privileged-instruction or access-violation faults).
    2.  
    3. For example,
    4.  
    5. Checking Opcode 0x0f ...
    6. 0x0f,0x04 0x0f,0x0a 0x0f,0x0b 0x0f,0x0c 0x0f,0x0e 0x0f,0x0f 0x0f,0x24 0x0f,0x25 0x0f,0x26 0x0f,0x27 0x0f,0x36 0x0f,0x37 0x0f,0xaa
    7.  
    8. Illegal opcodes 0x0f 0x0b (error 0xc000001d)
ud2 - Defined to raise #UD unconditionally; this is the architecturally guaranteed invalid opcode, so it is expected in this list.
    10.  
    11. Illegal opcodes 0x0f 0x37 (error 0xc000001d)
getsec - SMX (Safer Mode Extensions) leaf dispatcher; "exit authenticated code execution mode" is only one of its leaves. It raises #UD when CR4.SMXE is clear, which is the normal state for a user-mode process, so it shows up here as illegal even though it is a defined instruction.
    13.  
    14. Illegal opcodes 0x0f 0xaa (error 0xc000001d)
rsm - Resume from System Management Mode; it raises #UD when executed outside SMM, so from user mode it is always reported as illegal despite being a defined instruction.