Python idautils.DecodeInstruction() Examples
The following are 13
code examples of idautils.DecodeInstruction().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
idautils
, or try the search function
.
.
Example #1
| Source File: ida_utilities.py From ida_kernelcache with MIT License | 6 votes |
|
def Instructions(start, end=None, count=None):
"""A generator to iterate over instructions.
Instructions are decoded using IDA's DecodeInstruction(). If an address range is specified and
the end of the address range does not fall on an instruction boundary, raises an
AlignmentError.
Arguments:
start: The linear address from which to start decoding instructions.
Options:
end: The linear address at which to stop, exclusive.
count: The number of instructions to decode.
Notes:
Exactly one of end and count must be specified.
"""
if (end is not None and count is not None) or (end is None and count is None):
raise ValueError('Invalid arguments: end={}, count={}'.format(end, count))
if end is not None:
return _instructions_by_range(start, end)
else:
return _instructions_by_count(start, count)
Example #2
| Source File: gadgetfinder.py From DrGadget with MIT License | 6 votes |
|
def get_disasm(ea, maxinstr=5):
result = ""
delim = "\n"
i = 0
while i<maxinstr:
ins = DecodeInstruction(ea)
if not ins:
break
disasm = GetDisasmEx(ea, GENDSM_FORCE_CODE)
if not disasm:
break
result += disasm + delim
ea += ins.size
i += 1
return result
Example #3
| Source File: util.py From mcsema with Apache License 2.0 | 5 votes |
|
def decode_instruction(ea):
"""Read the bytes of an x86/amd64 instruction. This handles things like
combining the bytes of an instruction with its prefix. IDA Pro sometimes
treats these as separate."""
global _NOT_INST_EAS, _BAD_INSTRUCTION, PREFIX_ITYPES
if ea in _NOT_INST_EAS:
return _BAD_INSTRUCTION
decoded_inst = idautils.DecodeInstruction(ea)
if not decoded_inst:
_NOT_INST_EAS.add(ea)
return _BAD_INSTRUCTION
assert decoded_inst.ea == ea
end_ea = ea + decoded_inst.size
decoded_bytes = read_bytes_slowly(ea, end_ea)
# We've got an instruction with a prefix, but the prefix is treated as
# independent.
if 1 == decoded_inst.size and decoded_inst.itype in PREFIX_ITYPES:
decoded_inst, extra_bytes = decode_instruction(end_ea)
decoded_bytes += extra_bytes
return decoded_inst, decoded_bytes
Example #4
| Source File: base.py From Sark with MIT License | 5 votes |
|
def is_ea_call(ea):
inst = idautils.DecodeInstruction(ea)
feature = inst.get_canon_feature()
return feature & idaapi.CF_CALL
Example #5
| Source File: instruction.py From Sark with MIT License | 5 votes |
|
def __init__(self, ea):
self._ea = ea
self._insn = idautils.DecodeInstruction(ea)
if self._insn is None:
raise exceptions.SarkNoInstruction("No Instruction at 0x{:08X}.".format(ea))
self._operands = self._make_operands()
Example #6
| Source File: structure.py From Sark with MIT License | 5 votes |
|
def apply_struct(start, end, reg_name, struct_name):
offsets, operands = infer_struct_offsets(start, end, reg_name)
sid = get_struct(struct_name)
for ea, n in operands:
insn = idautils.DecodeInstruction(ea)
idc.op_stroff(insn, n, sid, 0)
Example #7
| Source File: ida_utilities.py From ida_kernelcache with MIT License | 5 votes |
|
def _instructions_by_count(pc, count):
"""A generator to iterate over a specified number of instructions."""
for i in xrange(count):
insn = idautils.DecodeInstruction(pc)
if insn is None:
break
yield insn
pc += insn.size
Example #8
| Source File: class_struct.py From ida_kernelcache with MIT License | 5 votes |
|
def _convert_operands_to_struct_offsets(access_addresses):
"""Convert the operands that generated struct accesses into struct offsets."""
for classname, addresses_and_deltas in access_addresses.items():
sid = idau.struct_open(classname)
if sid is not None:
for ea, delta in addresses_and_deltas:
insn = idautils.DecodeInstruction(ea)
if insn:
for op in insn.Operands:
if op.type == idaapi.o_displ:
if not idau.insn_op_stroff(insn, op.n, sid, delta):
_log(1, 'Could not convert {:#x} to struct offset for class {} '
'delta {}', ea, classname, delta)
Example #9
| Source File: payload.py From DrGadget with MIT License | 5 votes |
|
def disasm_single_ins(self, ea):
result = None
i = DecodeInstruction(ea)
if i != None:
flags = GetSegmentAttr(ea, SEGATTR_FLAGS)
use_dbg = flags & SFL_DEBUG != 0
stream = GetManyBytes(ea, i.size, use_dbg)
result = (ea, i, GetDisasmEx(ea, GENDSM_FORCE_CODE), self.is_ret(ea), stream)
return result
Example #10
| Source File: IdaInterface.py From smda with BSD 2-Clause "Simplified" License | 5 votes |
|
def getInstructionBytes(self, offset):
ins = idautils.DecodeInstruction(offset)
ins_bytes = ida_bytes.get_bytes(offset, ins.size)
return ins_bytes
Example #11
| Source File: IdaInterface.py From smda with BSD 2-Clause "Simplified" License | 5 votes |
|
def getInstructionBytes(self, offset):
ins = idautils.DecodeInstruction(offset)
ins_bytes = idc.get_bytes(offset, ins.size)
return ins_bytes
Example #12
| Source File: disassembler.py From vt-ida-plugin with Apache License 2.0 | 4 votes |
|
def get_opcodes(addr, strict):
"""Get current bytes of the instruction pointed at addr.
Args:
addr: address of the current instruction
strict: be more restrictive when applying wildcards (True) or not (False)
Returns:
String: hex-encoded representation of the bytes obtained at addr
"""
if strict:
offsets_types = {idaapi.o_far, idaapi.o_mem, idaapi.o_imm}
else:
offsets_types = {idaapi.o_far, idaapi.o_mem}
pattern = ''
mnem = idautils.DecodeInstruction(addr)
if mnem is not None:
op1_type = mnem.Op1.type
op2_type = mnem.Op2.type
logging.debug(
'[VTGREP] Instruction: %s [%d, %d, %d]',
idc.generate_disasm_line(addr, 0),
mnem.itype,
op1_type,
op2_type
)
inst_len = idc.get_item_size(addr)
drefs = [x for x in idautils.DataRefsFrom(addr)]
# Checks if any operand constains a memory address
if (drefs and
((op1_type == idaapi.o_imm) or (op2_type == idaapi.o_imm)) or
op1_type in offsets_types or op2_type in offsets_types):
pattern = Disassembler.wildcard_instruction(addr)
# Checks if the instruction is a CALL (near or far) or
# if it's a JMP (excluding near jumps)
else:
if ((mnem.itype == idaapi.NN_call) or
(mnem.itype == idaapi.NN_jmp and op1_type != idaapi.o_near)):
pattern = Disassembler.wildcard_instruction(addr)
# In any other case, concatenate the raw bytes to the current string
else:
pattern = binascii.hexlify(idc.get_bytes(addr, inst_len))
pattern = pattern.decode('utf-8')
return pattern
else: return 0
Example #13
| Source File: ida_utilities.py From ida_kernelcache with MIT License | 4 votes |
|
def _instructions_by_range(start, end):
"""A generator to iterate over instructions in a range."""
pc = start
while pc < end:
insn = idautils.DecodeInstruction(pc)
if insn is None:
break
next_pc = pc + insn.size
if next_pc > end:
raise AlignmentError(end)
yield insn
pc = next_pc
