Move Zydis bridge into external package

YinMo19 · YinMo19 · commit ba1c9cd7a747 · 2026-03-20T02:05:25.000+08:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -44,6 +44,9 @@ jobs:
       - name: Zig test
         run: zig build test
 
+      - name: Resolve Zydis bridge path
+        run: echo "ZYDIS_BRIDGE_C=$(./scripts/zydis-package-path.sh bridge-c)" >> "$GITHUB_ENV"
+
       - name: Cross compile Linux AArch64 core and payload
         run: |
           set -euo pipefail
@@ -63,13 +66,11 @@ jobs:
           set -euo pipefail
           zig build-lib -dynamic -target x86_64-macos -OReleaseFast \
             -femit-bin=/tmp/libzighook_macos_x86_64.dylib \
-            src/root.zig c_deps/x86_64/decoder_zydis.c \
-            -I c_deps/zydis \
+            src/root.zig "$ZYDIS_BRIDGE_C" \
             -lc
           zig build-lib -dynamic -target x86_64-macos -OReleaseFast \
             -femit-bin=/tmp/inline_hook_signal_macos_x86_64.dylib \
-            c_deps/x86_64/decoder_zydis.c \
-            -I c_deps/zydis \
+            "$ZYDIS_BRIDGE_C" \
             --dep zighook \
             -Mroot=examples/inline_hook_signal/hook.zig \
             -Mzighook=src/root.zig \
@@ -193,6 +194,9 @@ jobs:
       - name: Zig test
         run: zig build test
 
+      - name: Resolve Zydis bridge path
+        run: echo "ZYDIS_BRIDGE_C=$(./scripts/zydis-package-path.sh bridge-c)" >> "$GITHUB_ENV"
+
       - name: Example inline_hook_signal
         working-directory: examples/inline_hook_signal
         run: |
@@ -300,8 +304,7 @@ jobs:
           set -euo pipefail
           cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
           zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-            ../../c_deps/x86_64/decoder_zydis.c \
-            -I ../../c_deps/zydis \
+            "$ZYDIS_BRIDGE_C" \
             --dep zighook \
             -Mroot=hook.zig \
             -Mzighook=../../src/root.zig \
@@ -315,8 +318,7 @@ jobs:
           set -euo pipefail
           cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
           zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-            ../../c_deps/x86_64/decoder_zydis.c \
-            -I ../../c_deps/zydis \
+            "$ZYDIS_BRIDGE_C" \
             --dep zighook \
             -Mroot=hook.zig \
             -Mzighook=../../src/root.zig \
@@ -330,8 +332,7 @@ jobs:
           set -euo pipefail
           cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
           zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-            ../../c_deps/x86_64/decoder_zydis.c \
-            -I ../../c_deps/zydis \
+            "$ZYDIS_BRIDGE_C" \
             --dep zighook \
             -Mroot=hook.zig \
             -Mzighook=../../src/root.zig \
@@ -345,8 +346,7 @@ jobs:
           set -euo pipefail
           cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
           zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-            ../../c_deps/x86_64/decoder_zydis.c \
-            -I ../../c_deps/zydis \
+            "$ZYDIS_BRIDGE_C" \
             --dep zighook \
             -Mroot=hook.zig \
             -Mzighook=../../src/root.zig \
@@ -361,8 +361,7 @@ jobs:
           set -euo pipefail
           cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
           zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-            ../../c_deps/x86_64/decoder_zydis.c \
-            -I ../../c_deps/zydis \
+            "$ZYDIS_BRIDGE_C" \
             --dep zighook \
             -Mroot=hook.zig \
             -Mzighook=../../src/root.zig \
diff --git a/README.md b/README.md
@@ -141,13 +141,15 @@ zig build-lib -dynamic -OReleaseFast -femit-bin=hook.dylib \
 DYLD_INSERT_LIBRARIES=$PWD/hook.dylib ./target
 ```
 
-When you build a hook payload for `x86_64` directly with `zig build-lib`,
-include the vendored Zydis shim C file as well:
+When you build a hook payload for `x86_64` directly with `zig build-lib`, fetch
+the pinned `zydis-zig` package once and then compile its bridge C file:
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/build.zig b/build.zig
@@ -1,11 +1,19 @@
 const std = @import("std");
 
-fn addX86DecoderIfNeeded(module: *std.Build.Module, b: *std.Build, target: std.Build.ResolvedTarget) void {
+fn addX86DecoderIfNeeded(
+    module: *std.Build.Module,
+    b: *std.Build,
+    target: std.Build.ResolvedTarget,
+    optimize: std.builtin.OptimizeMode,
+) void {
     if (target.result.cpu.arch != .x86_64) return;
 
-    module.addIncludePath(b.path("c_deps/zydis"));
+    const zydis_dep = b.dependency("zydis_zig", .{
+        .target = target,
+        .optimize = optimize,
+    });
     module.addCSourceFile(.{
-        .file = b.path("c_deps/x86_64/decoder_zydis.c"),
+        .file = zydis_dep.path("c/x86_64/decoder_zydis.c"),
         .flags = &.{"-std=c99"},
     });
 }
@@ -20,7 +28,7 @@ pub fn build(b: *std.Build) void {
         .optimize = optimize,
         .link_libc = true,
     });
-    addX86DecoderIfNeeded(zighook_mod, b, target);
+    addX86DecoderIfNeeded(zighook_mod, b, target, optimize);
 
     const lib = b.addLibrary(.{
         .name = "zighook",
diff --git a/build.zig.zon b/build.zig.zon
@@ -32,35 +32,10 @@
     // Once all dependencies are fetched, `zig build` no longer requires
     // internet connectivity.
     .dependencies = .{
-        // See `zig fetch --save <url>` for a command-line interface for adding dependencies.
-        //.example = .{
-        //    // When updating this field to a new URL, be sure to delete the corresponding
-        //    // `hash`, otherwise you are communicating that you expect to find the old hash at
-        //    // the new URL. If the contents of a URL change this will result in a hash mismatch
-        //    // which will prevent zig from using it.
-        //    .url = "https://example.com/foo.tar.gz",
-        //
-        //    // This is computed from the file contents of the directory of files that is
-        //    // obtained after fetching `url` and applying the inclusion rules given by
-        //    // `paths`.
-        //    //
-        //    // This field is the source of truth; packages do not come from a `url`; they
-        //    // come from a `hash`. `url` is just one of many possible mirrors for how to
-        //    // obtain a package matching this `hash`.
-        //    //
-        //    // Uses the [multihash](https://multiformats.io/multihash/) format.
-        //    .hash = "...",
-        //
-        //    // When this is provided, the package is found in a directory relative to the
-        //    // build root. In this case the package's hash is irrelevant and therefore not
-        //    // computed. This field and `url` are mutually exclusive.
-        //    .path = "foo",
-        //
-        //    // When this is set to `true`, a package is declared to be lazily
-        //    // fetched. This makes the dependency only get fetched if it is
-        //    // actually used.
-        //    .lazy = false,
-        //},
+        .zydis_zig = .{
+            .url = "https://github.com/hookforge/zydis-zig/archive/4fdf1bb02f916e86d7af0f3b0db1caf0b62b1220.tar.gz",
+            .hash = "zydis_zig-0.1.0-QlrbL2VevAAxCMrxvOKC7hfaWBvKJOyxQW8VYA77FbEJ",
+        },
     },
     // Specifies the set of files and directories that are included in this package.
     // Only files and directories listed here are included in the `hash` that
@@ -76,8 +51,8 @@
         "README.md",
         "CHANGELOG.md",
         "LICENSE",
+        "scripts",
         "src",
-        "c_deps",
         "tests",
         "examples",
         "docs",
diff --git a/examples/README.md b/examples/README.md
@@ -39,12 +39,15 @@ DYLD_INSERT_LIBRARIES=$PWD/hook.dylib ./target
 
 That exact command sequence is still the canonical **macOS runtime smoke** for
 AArch64. On Linux, CI runs both AArch64 and x86_64 runtime smokes. Direct
-`x86_64` CLI builds also add the vendored Zydis shim:
+`x86_64` CLI builds first fetch the pinned `zydis-zig` package and then compile
+its bridge C source:
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/examples/inline_hook_signal/README.md b/examples/inline_hook_signal/README.md
@@ -34,12 +34,15 @@ zig build-lib -dynamic -OReleaseFast -femit-bin=hook.dylib \
   -lc
 ```
 
-Linux x86_64 uses the Zydis shim C source as well:
+Linux x86_64 fetches the pinned `zydis-zig` package and compiles its bridge C
+source as well:
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/examples/instrument_no_original/README.md b/examples/instrument_no_original/README.md
@@ -30,9 +30,11 @@ cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
 ```
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/examples/instrument_unhook_restore/README.md b/examples/instrument_unhook_restore/README.md
@@ -31,9 +31,11 @@ cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
 ```
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/examples/instrument_with_original/README.md b/examples/instrument_with_original/README.md
@@ -29,9 +29,11 @@ cc -O3 -DNDEBUG -rdynamic -o target target.c -ldl
 ```
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/examples/prepatched_inline_hook/README.md b/examples/prepatched_inline_hook/README.md
@@ -37,12 +37,15 @@ zig build-lib -dynamic -OReleaseFast -femit-bin=hook.dylib \
   -lc
 ```
 
-Linux x86_64 uses the Zydis shim C source as well:
+Linux x86_64 fetches the pinned `zydis-zig` package and compiles its bridge C
+source as well:
 
 ```bash
+(cd ../.. && zig build --fetch)
+ZYDIS_BRIDGE_C="$(../../scripts/zydis-package-path.sh bridge-c)"
+
 zig build-lib -dynamic -OReleaseFast -femit-bin=hook.so \
-  ../../c_deps/x86_64/decoder_zydis.c \
-  -I ../../c_deps/zydis \
+  "$ZYDIS_BRIDGE_C" \
   --dep zighook \
   -Mroot=hook.zig \
   -Mzighook=../../src/root.zig \
diff --git a/scripts/zydis-package-path.sh b/scripts/zydis-package-path.sh
@@ -0,0 +1,57 @@
+#!/bin/sh
+set -eu
+
+usage() {
+    echo "usage: $0 package-dir|bridge-c" >&2
+    exit 1
+}
+
+script_dir=$(CDPATH= cd -- "$(dirname -- "$0")" && pwd)
+repo_root=$(CDPATH= cd -- "$script_dir/.." && pwd)
+
+global_cache_dir=$(
+    zig env | sed -n 's/.*\.global_cache_dir = "\([^"]*\)".*/\1/p'
+)
+
+dep_hash=$(
+    awk '
+        /^[[:space:]]*\.zydis_zig[[:space:]]*=[[:space:]]*\.\{/ { in_dep = 1; next }
+        in_dep && /^[[:space:]]*\.hash[[:space:]]*=[[:space:]]*"/ {
+            line = $0
+            sub(/^[^"]*"/, "", line)
+            sub(/".*$/, "", line)
+            print line
+            exit
+        }
+        in_dep && /^[[:space:]]*\},?[[:space:]]*$/ { in_dep = 0 }
+    ' "$repo_root/build.zig.zon"
+)
+
+[ -n "$global_cache_dir" ] || {
+    echo "failed to resolve Zig global cache directory" >&2
+    exit 1
+}
+
+[ -n "$dep_hash" ] || {
+    echo "failed to resolve zydis_zig dependency hash from build.zig.zon" >&2
+    exit 1
+}
+
+package_dir="$global_cache_dir/p/$dep_hash"
+
+[ -d "$package_dir" ] || {
+    echo "zydis_zig dependency is not fetched; run 'cd $repo_root && zig build --fetch'" >&2
+    exit 1
+}
+
+case "${1:-}" in
+    package-dir)
+        printf '%s\n' "$package_dir"
+        ;;
+    bridge-c)
+        printf '%s\n' "$package_dir/c/x86_64/decoder_zydis.c"
+        ;;
+    *)
+        usage
+        ;;
+esac
