Python distorm3.Decode32Bits() Examples
The following are 30
code examples of distorm3.Decode32Bits().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
distorm3
, or try the search function
.
.
Example #1
| Source File: disasm.py From filmkodi with Apache License 2.0 | 6 votes |
|
def _import_dependencies(self):
# Load the distorm bindings.
global distorm3
if distorm3 is None:
try:
import distorm3
except ImportError:
import distorm as distorm3
# Load the decoder function.
self.__decode = distorm3.Decode
# Load the bits flag.
self.__flag = {
win32.ARCH_I386: distorm3.Decode32Bits,
win32.ARCH_AMD64: distorm3.Decode64Bits,
}[self.arch]
Example #2
| Source File: process_stack.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs):
linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')
self.symbols = None
self.undefined = None
self.dump_file = None
# self.symbols = \
# {
# 'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
# }
# print(self.symbols)
if distorm_loaded:
self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
else:
debug.error("You really need the distorm3 python module for this plugin to function properly.")
Example #3
| Source File: Instruction.py From VMAttack with MIT License | 6 votes |
|
def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
"""
@param offset Address of the instruction
@param code Opcode bytes of the instruction
@param type Dissassemble 32 or 64 bit code
@param feature Possible settings for distrom3
not used at the moment
"""
self.valid = False
if SV.dissassm_type == 64:
type = distorm3.Decode64Bits
else:
type = distorm3.Decode32Bits
inst = distorm3.Decompose(offset, code, type, feature)
if len(inst) == 1:
self.Instruction = inst[0]
if self.Instruction.valid:
self.valid = True
self.opcode_len = len(code)
self.opcode_bytes = []
self.addr = offset
for x in code:
self.opcode_bytes.append(ord(x))
self._len = len(self.Instruction.operands) + 1
Example #4
| Source File: utils.py From vortessence with GNU General Public License v2.0 | 6 votes |
|
def disassemble(data, start, bits='32bit', stoponret=False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
# copied from volatility
Example #5
| Source File: process_stack.py From DAMM with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs):
linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')
self.symbols = None
self.undefined = None
self.dump_file = None
# self.symbols = \
# {
# 'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
# }
# print(self.symbols)
if distorm_loaded:
self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
else:
debug.error("You really need the distorm3 python module for this plugin to function properly.")
Example #6
| Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs):
linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')
self.symbols = None
self.undefined = None
self.dump_file = None
# self.symbols = \
# {
# 'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
# }
# print(self.symbols)
if distorm_loaded:
self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
else:
debug.error("You really need the distorm3 python module for this plugin to function properly.")
Example #7
| Source File: x86obf.py From shecodject with GNU General Public License v3.0 | 6 votes |
|
def print_disasm(sl):
ni = 0
ioff = 0
for i in sl:
if i.is_data == 0:
#if i.label >= 0 or i.jmp_label >= 0:
# print 'label:', i.label, 'jmp_label:', i.jmp_label
l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
for (offset, size, instr, hexdump) in l:
print ('%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr))
ni += 1
ioff += size
else:
print ('%-4i %.8x:' % (ni, ioff),)
print_string_hex(i.bytes)
print ('')
ioff += i.size
Example #8
| Source File: disasm.py From PyDev.Debugger with Eclipse Public License 1.0 | 6 votes |
|
def _import_dependencies(self):
# Load the distorm bindings.
global distorm3
if distorm3 is None:
try:
import distorm3
except ImportError:
import distorm as distorm3
# Load the decoder function.
self.__decode = distorm3.Decode
# Load the bits flag.
self.__flag = {
win32.ARCH_I386: distorm3.Decode32Bits,
win32.ARCH_AMD64: distorm3.Decode64Bits,
}[self.arch]
Example #9
| Source File: x86obf.py From python-x86-obfuscator with MIT License | 6 votes |
|
def print_disasm(sl): ni = 0 ioff = 0 for i in sl: if i.is_data == 0: #if i.label >= 0 or i.jmp_label >= 0: # print 'label:', i.label, 'jmp_label:', i.jmp_label l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits) for (offset, size, instr, hexdump) in l: print '%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr) ni += 1 ioff += size else: print '%-4i %.8x:' % (ni, ioff), print_string_hex(i.bytes) print '' ioff += i.size
Example #10
| Source File: process_stack.py From volatility with GNU General Public License v2.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs):
linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')
self.symbols = None
self.undefined = None
self.dump_file = None
# self.symbols = \
# {
# 'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
# }
# print(self.symbols)
if distorm_loaded:
self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
else:
debug.error("You really need the distorm3 python module for this plugin to function properly.")
Example #11
| Source File: process_stack.py From aumfor with GNU General Public License v3.0 | 6 votes |
|
def __init__(self, config, *args, **kwargs):
linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')
self.symbols = None
self.undefined = None
self.dump_file = None
# self.symbols = \
# {
# 'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
# }
# print(self.symbols)
if distorm_loaded:
self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
else:
debug.error("You really need the distorm3 python module for this plugin to function properly.")
Example #12
| Source File: x86obf.py From python-x86-obfuscator with MIT License | 5 votes |
|
def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1): l = distorm3.Decode(0, bytes, distorm3.Decode32Bits) tsize = 0 for (offset, size, instr, hexdump) in l: i = _instr(bytes[offset:offset+size], size, 0) i.label = label i.jmp_label = jmp_label sl.insert(ni, i) ni += 1 tsize += size recalc_jmps(sl, ni)
Example #13
| Source File: check_syscall.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def _get_table_info_distorm(self):
"""
Find the size of the system call table by disassembling functions
that immediately reference it in their first isntruction
This is in the form 'cmp reg,NR_syscalls'
"""
table_size = 0
if not has_distorm:
return table_size
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
mode = distorm3.Decode32Bits
func = "sysenter_do_call"
else:
mode = distorm3.Decode64Bits
func = "system_call_fastpath"
func_addr = self.addr_space.profile.get_symbol(func)
if func_addr:
data = self.addr_space.read(func_addr, 6)
for op in distorm3.Decompose(func_addr, data, mode):
if not op.valid:
continue
if op.mnemonic == 'CMP':
table_size = (op.operands[1].value) & 0xffffffff
break
return table_size
Example #14
| Source File: malfind.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def Disassemble(data, start, bits = '32bit', stoponret = False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if not has_distorm3:
raise StopIteration
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------
Example #15
| Source File: apihooks.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, hook_type, hook_mode, function_name,
function_address = None, hook_address = None,
hook_module = None, victim_module = None,
decode_bits = distorm3.Decode32Bits):
"""
Initalize a hook class instance.
@params hook_type: one of the HOOK_TYPE_* constants
@params hook_mode: one of the HOOK_MODE_* constants
@params function_name: name of the function being hooked
@params function_address: address of the hooked function in
process or kernel memory.
@params hook_address: address where the hooked function
actually points.
@params hook_module: the _LDR_DATA_TABLE_ENTRY of the
hooking module (owner of the hook_address). note:
this can be None if the module cannot be identified.
@params victim_module: the _LDR_DATA_TABLE_ENTRY of the
module being hooked (contains the function_address).
note: this can be a string if checking IAT hooks.
"""
self.hook_mode = hook_mode
self.hook_type = hook_type
self.function_name = function_name
self.function_address = function_address
self.hook_address = hook_address
self.hook_module = hook_module
self.victim_module = victim_module
self.decode_bits = decode_bits
# List of tuples: address, data pairs
self.disassembled_hops = []
Example #16
| Source File: check_syscall_shadow.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
common.set_plugin_members(self)
model = self.addr_space.profile.metadata.get('memory_model', 0)
if model == '32bit':
distorm_mode = distorm3.Decode32Bits
else:
distorm_mode = distorm3.Decode64Bits
for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")):
yield (shadowtbl_addr, func, op)
Example #17
| Source File: check_syscall_shadow.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
common.set_plugin_members(self)
model = self.addr_space.profile.metadata.get('memory_model', 0)
if model == '32bit':
distorm_mode = distorm3.Decode32Bits
else:
distorm_mode = distorm3.Decode64Bits
for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")):
yield (shadowtbl_addr, func, op)
Example #18
| Source File: apihooks.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, hook_type, hook_mode, function_name,
function_address = None, hook_address = None,
hook_module = None, victim_module = None,
decode_bits = distorm3.Decode32Bits):
"""
Initalize a hook class instance.
@params hook_type: one of the HOOK_TYPE_* constants
@params hook_mode: one of the HOOK_MODE_* constants
@params function_name: name of the function being hooked
@params function_address: address of the hooked function in
process or kernel memory.
@params hook_address: address where the hooked function
actually points.
@params hook_module: the _LDR_DATA_TABLE_ENTRY of the
hooking module (owner of the hook_address). note:
this can be None if the module cannot be identified.
@params victim_module: the _LDR_DATA_TABLE_ENTRY of the
module being hooked (contains the function_address).
note: this can be a string if checking IAT hooks.
"""
self.hook_mode = hook_mode
self.hook_type = hook_type
self.function_name = function_name
self.function_address = function_address
self.hook_address = hook_address
self.hook_module = hook_module
self.victim_module = victim_module
self.decode_bits = decode_bits
# List of tuples: address, data pairs
self.disassembled_hops = []
Example #19
| Source File: check_syscall.py From DAMM with GNU General Public License v2.0 | 5 votes |
|
def _get_table_info_distorm(self):
"""
Find the size of the system call table by disassembling functions
that immediately reference it in their first isntruction
This is in the form 'cmp reg,NR_syscalls'
"""
table_size = 0
if not has_distorm:
return table_size
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
mode = distorm3.Decode32Bits
func = "sysenter_do_call"
else:
mode = distorm3.Decode64Bits
func = "system_call_fastpath"
func_addr = self.addr_space.profile.get_symbol(func)
if func_addr:
data = self.addr_space.read(func_addr, 6)
for op in distorm3.Decompose(func_addr, data, mode):
if not op.valid:
continue
if op.mnemonic == 'CMP':
table_size = (op.operands[1].value) & 0xffffffff
break
return table_size
Example #20
| Source File: malfind.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def Disassemble(data, start, bits = '32bit', stoponret = False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if not has_distorm3:
raise StopIteration
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------
Example #21
| Source File: apihooks.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def __init__(self, hook_type, hook_mode, function_name,
function_address = None, hook_address = None,
hook_module = None, victim_module = None,
decode_bits = distorm3.Decode32Bits):
"""
Initalize a hook class instance.
@params hook_type: one of the HOOK_TYPE_* constants
@params hook_mode: one of the HOOK_MODE_* constants
@params function_name: name of the function being hooked
@params function_address: address of the hooked function in
process or kernel memory.
@params hook_address: address where the hooked function
actually points.
@params hook_module: the _LDR_DATA_TABLE_ENTRY of the
hooking module (owner of the hook_address). note:
this can be None if the module cannot be identified.
@params victim_module: the _LDR_DATA_TABLE_ENTRY of the
module being hooked (contains the function_address).
note: this can be a string if checking IAT hooks.
"""
self.hook_mode = hook_mode
self.hook_type = hook_type
self.function_name = function_name
self.function_address = function_address
self.hook_address = hook_address
self.hook_module = hook_module
self.victim_module = victim_module
self.decode_bits = decode_bits
# List of tuples: address, data pairs
self.disassembled_hops = []
Example #22
| Source File: check_syscall_shadow.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def calculate(self):
common.set_plugin_members(self)
model = self.addr_space.profile.metadata.get('memory_model', 0)
if model == '32bit':
distorm_mode = distorm3.Decode32Bits
else:
distorm_mode = distorm3.Decode64Bits
for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")):
yield (shadowtbl_addr, func, op)
Example #23
| Source File: malfind.py From volatility with GNU General Public License v2.0 | 5 votes |
|
def Disassemble(data, start, bits = '32bit', stoponret = False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if not has_distorm3:
raise StopIteration
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------
Example #24
| Source File: check_syscall.py From vortessence with GNU General Public License v2.0 | 5 votes |
|
def _get_table_info_distorm(self):
"""
Find the size of the system call table by disassembling functions
that immediately reference it in their first isntruction
This is in the form 'cmp reg,NR_syscalls'
"""
table_size = 0
if not has_distorm:
return table_size
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
mode = distorm3.Decode32Bits
func = "sysenter_do_call"
else:
mode = distorm3.Decode64Bits
func = "system_call_fastpath"
func_addr = self.addr_space.profile.get_symbol(func)
if func_addr:
data = self.addr_space.read(func_addr, 6)
for op in distorm3.Decompose(func_addr, data, mode):
if not op.valid:
continue
if op.mnemonic == 'CMP':
table_size = (op.operands[1].value) & 0xffffffff
break
return table_size
Example #25
| Source File: x86obf.py From shecodject with GNU General Public License v3.0 | 5 votes |
|
def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1): l = distorm3.Decode(0, bytes, distorm3.Decode32Bits) tsize = 0 for (offset, size, instr, hexdump) in l: i = _instr(bytes[offset:offset+size], size, 0) i.label = label i.jmp_label = jmp_label sl.insert(ni, i) ni += 1 tsize += size recalc_jmps(sl, ni)
Example #26
| Source File: check_syscall.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def _get_table_info_distorm(self):
"""
Find the size of the system call table by disassembling functions
that immediately reference it in their first isntruction
This is in the form 'cmp reg,NR_syscalls'
"""
table_size = 0
if not has_distorm:
return table_size
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
mode = distorm3.Decode32Bits
func = "sysenter_do_call"
else:
mode = distorm3.Decode64Bits
func = "system_call_fastpath"
func_addr = self.addr_space.profile.get_symbol(func)
if func_addr:
data = self.addr_space.read(func_addr, 6)
for op in distorm3.Decompose(func_addr, data, mode):
if not op.valid:
continue
if op.mnemonic == 'CMP':
table_size = (op.operands[1].value) & 0xffffffff
break
return table_size
Example #27
| Source File: check_syscall_shadow.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def calculate(self):
common.set_plugin_members(self)
model = self.addr_space.profile.metadata.get('memory_model', 0)
if model == '32bit':
distorm_mode = distorm3.Decode32Bits
else:
distorm_mode = distorm3.Decode64Bits
for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")):
yield (shadowtbl_addr, func, op)
Example #28
| Source File: apihooks.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def __init__(self, hook_type, hook_mode, function_name,
function_address = None, hook_address = None,
hook_module = None, victim_module = None,
decode_bits = distorm3.Decode32Bits):
"""
Initalize a hook class instance.
@params hook_type: one of the HOOK_TYPE_* constants
@params hook_mode: one of the HOOK_MODE_* constants
@params function_name: name of the function being hooked
@params function_address: address of the hooked function in
process or kernel memory.
@params hook_address: address where the hooked function
actually points.
@params hook_module: the _LDR_DATA_TABLE_ENTRY of the
hooking module (owner of the hook_address). note:
this can be None if the module cannot be identified.
@params victim_module: the _LDR_DATA_TABLE_ENTRY of the
module being hooked (contains the function_address).
note: this can be a string if checking IAT hooks.
"""
self.hook_mode = hook_mode
self.hook_type = hook_type
self.function_name = function_name
self.function_address = function_address
self.hook_address = hook_address
self.hook_module = hook_module
self.victim_module = victim_module
self.decode_bits = decode_bits
# List of tuples: address, data pairs
self.disassembled_hops = []
Example #29
| Source File: apihooks.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def render_text(self, outfd, data):
for process, module, hook in data:
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n")
Example #30
| Source File: malfind.py From aumfor with GNU General Public License v3.0 | 5 votes |
|
def Disassemble(data, start, bits = '32bit', stoponret = False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if not has_distorm3:
raise StopIteration
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------
