https://github.com/m417z/x64dbg-xfg-marker
An x64dbg plugin which marks XFG call signatures as data
- Host: GitHub
- URL: https://github.com/m417z/x64dbg-xfg-marker
- Owner: m417z
- License: gpl-3.0
- Created: 2023-04-11T18:18:23.000Z (over 2 years ago)
- Default Branch: main
- Last Pushed: 2023-05-12T13:47:17.000Z (over 2 years ago)
- Last Synced: 2025-04-05T15:11:23.364Z (8 months ago)
- Topics: reverse-engineering, x64dbg, x64dbg-plugin
- Language: C
- Size: 566 KB
- Stars: 73
- Watchers: 9
- Forks: 13
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# x64dbg XFG Marker Plugin
[Microsoft eXtended Flow Guard
(XFG)](https://en.wikipedia.org/wiki/Control-flow_integrity#Microsoft_eXtended_Flow_Guard)
is a control-flow integrity (CFI) technique that extends CFG with function call
signatures. Each signature is 8 bytes long, and is located right before the
target function. Since the signature is located in the code section, x64dbg gets
confused and shows it as random instructions. This also often makes x64dbg
unable to correctly disassemble the beginning of the function.

The plugin goes over all XFG function call signatures and marks them as 8-byte
integers, creating a clear separation between the signature and the function.

## Xrefs and comments
The plugin also has options to add comments listing the possible indirect call
target functions, and to add xrefs between each indirect call and its target
functions for easy navigation.

For more details, refer to the relevant [blog
post](https://m417z.com/Leveraging-XFG-to-help-with-reverse-engineering/).