9ee1/Capstone.NET

X86: Only The First Prefix Byte is Available

arcusmaximus opened this issue · 1 comment

Consider the following X86 instruction: 66 68 69 09
This is a "push" instruction with a 16-bit immediate value, hence it has the 0x66 "operand size" prefix. Disassembling this byte sequence with capstone correctly places this byte in cs_x86.prefix[2]; however, with Capstone.NET, all values in X86InstructionDetail.Prefix are 0.

The cause of this is the way the Prefix field of NativeX86InstructionDetail is declared:
public fixed byte Prefix [4];

Marshal.PtrToStructure() appears to have a bug (?) due to which only the first item of a fixed array like this is copied; the remaining items are always set to 0. The result is that only the first prefix byte is ever available when using Capstone.NET.

The solution is to use this alternative declaration:

[MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)]
public byte[] Prefix;
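An added check (my code, not Capstone.NET's) that marshals a constructed cs_x86.prefix block through both declarations above and verifies that the ByValArray one returns all four bytes. PrefixFixed, PrefixByValArray and Sample are names made up for it; it assumes a runtime with the generic Marshal.PtrToStructure<T> (.NET Framework 4.5.1+ or .NET Core) and unsafe code enabled for the fixed-buffer variant.

```csharp
using System;
using System.Linq;
using System.Runtime.InteropServices;

// Hypothetical stand-ins for the cs_x86.prefix[4] block, one per
// declaration from the issue (not Capstone.NET's own types).
[StructLayout(LayoutKind.Sequential)]
unsafe struct PrefixFixed { public fixed byte Prefix[4]; }

[StructLayout(LayoutKind.Sequential)]
struct PrefixByValArray
{
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 4)] public byte[] Prefix;
}

static class PrefixMarshalCheck
{
    // Constructed sample of cs_x86.prefix for "66 68 69 09": the 0x66
    // operand-size prefix sits in slot 2, the other slots are 0.
    static readonly byte[] Sample = { 0x00, 0x00, 0x66, 0x00 };

    static unsafe byte[] ReadFixed(IntPtr native)
    {
        PrefixFixed s = Marshal.PtrToStructure<PrefixFixed>(native);
        var bytes = new byte[4];
        for (int i = 0; i < 4; i++) bytes[i] = s.Prefix[i];
        return bytes;
    }

    static void Main()
    {
        IntPtr native = Marshal.AllocHGlobal(Sample.Length);
        try
        {
            Marshal.Copy(Sample, 0, native, Sample.Length);
            byte[] viaFixed = ReadFixed(native);
            byte[] viaArray = Marshal.PtrToStructure<PrefixByValArray>(native).Prefix;
            // The fixed-buffer result is only reported: whether slots 1..3 are
            // dropped depends on the runtime version and on whether the
            // enclosing struct is blittable (this toy one is). The ByValArray
            // result must match the source; that is the regression check.
            Console.WriteLine("fixed buffer: " + BitConverter.ToString(viaFixed)
                + (viaFixed.SequenceEqual(Sample) ? " (complete)" : " (lossy)"));
            Console.WriteLine("ByValArray  : " + BitConverter.ToString(viaArray));
            if (!viaArray.SequenceEqual(Sample))
                throw new InvalidOperationException("ByValArray lost prefix bytes");
        }
        finally { Marshal.FreeHGlobal(native); }
    }
}
```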
9ee1 commented

So 2 years later and the bug is finally fixed on V2.0.0. Thank you for your patience.