RFLAGS Register

RFLAGS is the 64-bit extension of EFLAGS (32-bit) / FLAGS (16-bit). Most bits are reserved; the meaningful bits for userspace reverse engineering are the status flags and the direction flag.

Status flags

Bit	Abbreviation	Name	Set when
0	CF	Carry Flag	Unsigned overflow / borrow; rotate shift-out bit
2	PF	Parity Flag	Low byte of result has even number of 1-bits
4	AF	Auxiliary Carry	Carry out of bit 3 (BCD arithmetic)
6	ZF	Zero Flag	Result is zero
7	SF	Sign Flag	MSB of result is 1 (result is negative)
11	OF	Overflow Flag	Signed arithmetic overflow

Control flag

Bit	Abbreviation	Name	Meaning
10	DF	Direction Flag	0 = string ops auto-increment RSI/RDI; 1 = decrement

Set with STD; cleared with CLD. Should be 0 on function entry per ABI.

System flags (user-mode relevance)

Bit	Abbreviation	Name	Notes
8	TF	Trap Flag	Single-step mode — raises #DB after each instruction
9	IF	Interrupt Flag	Enables hardware interrupts (Ring 0 only)
16	RF	Resume Flag	Suppresses #DB on the instruction resuming after a debug exception
21	ID	ID Flag	CPUID support (writeable = CPUID available)

Instructions that read/write RFLAGS

Instruction	Effect
`PUSHFQ` / `POPFQ`	Push/pop RFLAGS onto the stack
`LAHF`	Load SF/ZF/AF/PF/CF into AH
`SAHF`	Store AH into SF/ZF/AF/PF/CF
`SETcc`	Set byte to 0 or 1 based on condition (e.g. `setz al`)

Reverse-engineering notes

The four most important flags for control flow are ZF, CF, SF, OF — these drive every Jcc you will encounter.
After CMP a, b the state is: ZF=1 if equal; CF=1 if a < b (unsigned); SF≠OF if a < b (signed). This is worth memorising.
TF=1 causes a single-step exception after every instruction — the mechanism behind single-step debugging. Some anti-debug tricks detect TF by catching the resulting SIGTRAP.
LAHF/SAHF are used in performance-sensitive code to save/restore only the low flag byte without a full PUSHFQ.