

Python distorm3.Decode方法代码示例

本文整理汇总了Python中distorm3.Decode方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Decode方法的具体用法?Python distorm3.Decode怎么用?Python distorm3.Decode使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在distorm3的用法示例。


在下文中一共展示了distorm3.Decode方法的14个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: is_return_address

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
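def is_return_address(self, address, process_info):
        """
        Check whether ``address`` is a return address.

        The five bytes preceding ``address`` are disassembled and the last
        decoded instruction is tested for a ``CALL`` mnemonic.  Only a
        5-byte direct ``CALL rel32`` lines up with this window; a shorter
        form such as ``CALL <register>`` starts inside it and may decode as
        something else, so a False result is not conclusive.

        @param address: An address
        @param process_info: process info object (provides ``proc_as`` and
                             ``is_code_pointer``)
        @return True or False
        """
        proc_as = process_info.proc_as
        size = 5
        if not (distorm_loaded and process_info.is_code_pointer(address)):
            return False
        offset = address - size
        buf = proc_as.read(offset, size)
        # read() can come back empty/None for unreadable memory (the same
        # project checks for that elsewhere); there is nothing to decode then.
        if not buf:
            return False
        instr = distorm3.Decode(offset, buf, self.decode_as)
        # Each entry is (offset, size, instruction string, hexdump); the
        # mnemonic is the first word of the instruction string.
        if len(instr) > 0:
            return instr[-1][2][:4] == 'CALL'
        return False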
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:21,代码来源:process_stack.py

示例2: find_locals_size

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
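def find_locals_size(self, proc_as, frames):
        """
        Find the size of the locals of the function, similar to GDB's prologue analysis.
        Buggy and not actually used.

        Decodes the first 8 bytes of each frame's function and, when the
        prologue looks like a function header and the third instruction is
        ``SUB RSP, 0x..``, stores the immediate in ``frame.locals_size``.

        @param proc_as: Process address space
        @param frames: a list of stack frames
        @return None
        """
        if not distorm_loaded:
            return

        for frame in frames:
            if not frame.function:
                continue
            buf = proc_as.read(frame.function, 8)
            # read() can come back empty/None for unreadable memory; skip the
            # frame rather than hand that to the disassembler.
            if not buf:
                continue
            instr = distorm3.Decode(frame.function, buf, self.decode_as)
            if not (self.is_function_header(instr) and len(instr) > 2):
                continue
            # instr[2][2] is the instruction text, e.g. "SUB RSP, 0x20".
            test = instr[2][2].split(' ')
            if test[0] == 'SUB' and test[1] == 'RSP,':
                try:
                    # Drop the "0x" prefix before parsing the immediate.
                    frame.locals_size = int(test[2][2:], 16)
                except (IndexError, ValueError):
                    # Operand is not a hex immediate (e.g. a register);
                    # leave locals_size untouched.
                    continue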
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:20,代码来源:process_stack.py

示例3: _import_dependencies

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def _import_dependencies(self):
        """
        Lazily bind the distorm bindings used by this engine.

        Imports ``distorm3`` (falling back to the older ``distorm`` module
        name) into the module-level ``distorm3`` global on first use, then
        caches the decoder callable and the bitness flag for ``self.arch``.

        @raise KeyError: when ``self.arch`` is not a supported architecture
        """
        global distorm3
        if distorm3 is None:
            try:
                import distorm3
            except ImportError:
                # Older releases shipped the bindings under the name "distorm".
                import distorm as distorm3

        # Decoder entry point.
        self.__decode = distorm3.Decode

        # Architecture -> distorm bits flag.
        bits_by_arch = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = bits_by_arch[self.arch]
开发者ID:fabioz,项目名称:PyDev.Debugger,代码行数:20,代码来源:disasm.py

示例4: print_disasm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
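def print_disasm(sl):
	"""
	Print a listing of the shellcode entry list ``sl``.

	Code entries (``is_data == 0``) are disassembled with distorm as 32-bit
	code and printed one instruction per line; data entries are printed as a
	hex string via ``print_string_hex``.  ``ioff`` is the running byte offset
	used as the instruction address so the listing stays contiguous.

	@param sl: list of entries exposing ``is_data``, ``bytes`` and ``size``
	@return None
	"""
	ni = 0
	ioff = 0
	for i in sl:
		if i.is_data == 0:
			l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
			for (offset, size, instr, hexdump) in l:
				print('%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr))
				ni += 1
				ioff += size
		else:
			# A trailing comma inside print(...) builds a 1-tuple and prints
			# its repr; end=' ' is the Python 3 form of the old "print x," idiom.
			print('%-4i %.8x:' % (ni, ioff), end=' ')
			print_string_hex(i.bytes)
			print('')
			ioff += i.size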
开发者ID:TaroballzChen,项目名称:shecodject,代码行数:20,代码来源:x86obf.py

示例5: print_disasm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def print_disasm(sl):
	"""
	Print a disassembly listing of the shellcode entries in ``sl``.

	Code entries (``is_data == 0``) are decoded as 32-bit x86 with distorm
	and printed one instruction per line; data entries are dumped as hex
	through ``print_string_hex``.  ``ioff`` is the running byte offset used
	as the instruction address.

	@param sl: list of entries exposing ``is_data``, ``bytes`` and ``size``
	@return None
	"""
	ni = 0
	ioff = 0
	for entry in sl:
		if entry.is_data != 0:
			print '%-4i %.8x:' % (ni, ioff),
			print_string_hex(entry.bytes)
			print ''
			ioff += entry.size
			continue
		decoded = distorm3.Decode(ioff, entry.bytes, distorm3.Decode32Bits)
		for (offset, size, instr, hexdump) in decoded:
			print '%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr)
			ni += 1
			ioff += size
开发者ID:kgretzky,项目名称:python-x86-obfuscator,代码行数:20,代码来源:x86obf.py

示例6: decode

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def decode(self, address, code):
        """
        Disassemble ``code`` as if loaded at ``address``.

        Walks the buffer one instruction at a time with ``libdisassemble``
        and returns ``(address, length, disasm, hexdump)`` tuples, the same
        shape distorm's ``Decode`` produces.

        @param address: load address of the first byte of ``code``
        @param code: bytes to disassemble
        @return list of (address, length, disasm, hexdump) tuples
        """
        decoded = []
        offset = 0
        total = len(code)
        while offset < total:
            # Only a window of the buffer is needed to decode one instruction;
            # 32 bytes exceeds the longest x86 instruction (15 bytes).
            opcode = libdisassemble.Opcode(code[offset:offset + 32])
            length = opcode.getSize()
            # NOTE(review): if getSize() can ever return 0 this loop would not
            # advance -- confirm against libdisassemble before relying on it.
            decoded.append((
                address + offset,
                length,
                opcode.printOpcode('INTEL'),
                HexDump.hexadecimal(code[offset:offset + length]),
            ))
            offset += length
        return decoded

#============================================================================== 
开发者ID:fabioz,项目名称:PyDev.Debugger,代码行数:30,代码来源:disasm.py

示例7: check_prologue

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
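def check_prologue(self, address):
        """
        Look for an inline hook in the first instructions of a function.

        Decodes 12 bytes at ``address`` (relative to ``self.base_address``)
        and reports the branch operand when the prologue is ``JMP <target>``
        or ``MOV ...`` immediately followed by ``JMP``/``CALL``/``RET``.

        @param address: function offset, added to ``self.base_address``
        @return the operand text of the hooking instruction, or 0 when no
                prologue hook was found
        """
        try:
            from distorm3 import Decode, Decode64Bits
        except ImportError:
            print '[!] Failed to load distorm3'
            print '[!] Inline function hook finder need to distorm3.'
            exit()
        base_pointer = address + self.base_address

        buf = self.x86_mem_pae.read(base_pointer, 12)

        # Each entry: (address, instruction size, instruction, hex string)
        code = Decode(base_pointer, buf, Decode64Bits)

        call_address = 0
        # An unreadable or too-short buffer must not raise IndexError below.
        if not code:
            print 'No Prologue hook'
            return call_address

        inst_opcode = code[0][2].split(' ')[0]
        inst_opcode2 = code[1][2].split(' ')[0] if len(code) > 1 else ''

        if inst_opcode == 'MOV':
            if inst_opcode2 in ('JMP', 'CALL', 'RET'):
                call_address = code[0][2].split(' ')[2]  # operand
        elif inst_opcode == 'JMP':
            call_address = code[0][2].split(' ')[1]  # operand

        if call_address == 0:
            print 'No Prologue hook'
        else:
            # call_address is the operand text (e.g. "0x..."), not an int,
            # so %x would raise TypeError; print it as a string.
            print 'JMP Address : %s' % (call_address)

        return call_address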
开发者ID:n0fate,项目名称:volafox,代码行数:33,代码来源:inline_hook_finder.py

示例8: find_function_in_code

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
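def find_function_in_code(self, caller_addr, callee_addr):
        """
        Scan the body of ``caller_addr`` for direct CALLs to ``callee_addr``.

        Decodes up to 256 bytes from ``caller_addr`` (relative to
        ``self.base_address``) until the first RET and collects every
        ``CALL <imm>`` whose immediate equals the callee's absolute address.

        @param caller_addr: offset of the calling function
        @param callee_addr: offset of the expected callee
        @return (matching CALL instructions, all instructions up to and
                 including the RET)
        """
        try:
            from distorm3 import Decode, Decode64Bits
        except ImportError:
            print '[!] Failed to load distorm3'
            print '[!] Inline function hook finder need to distorm3.'
            exit()
        base_pointer = caller_addr + self.base_address
        buf = self.x86_mem_pae.read(base_pointer, 256)
        code = Decode(base_pointer, buf, Decode64Bits)

        # Hoisted: the absolute callee address does not change per instruction.
        target = callee_addr + self.base_address
        findit = []
        function_inst = []
        for instruction in code:
            function_inst.append(instruction)
            # instruction[2] is the text, e.g. "CALL 0x401000" or "RET".
            inst_split = instruction[2].split(' ')
            if inst_split[0] == 'RET':
                break
            if inst_split[0] == 'CALL':
                try:
                    if int(inst_split[1], 16) == target:
                        findit.append(instruction)
                except ValueError:
                    continue    # bypass 'CALL reg/64'

        return findit, function_inst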


# Korean comments
# inline_quick - Checking JMP instruction in function prologue considered as MOV-JMP instructions 
开发者ID:n0fate,项目名称:volafox,代码行数:35,代码来源:inline_hook_finder.py

示例9: shell_insert_bytes

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1):
	"""
	Disassemble ``bytes`` as 32-bit code and insert the resulting entries
	into ``sl`` starting at index ``ni``.

	Every inserted entry gets ``label`` / ``jmp_label`` (both default to -1);
	afterwards jump targets are recomputed with ``recalc_jmps`` from the
	position just past the inserted entries.

	@param sl: instruction list, modified in place
	@param ni: insertion index
	@param bytes: raw machine code to insert
	@param label: label id assigned to each new entry
	@param jmp_label: jump-label id assigned to each new entry
	@return None
	"""
	decoded = distorm3.Decode(0, bytes, distorm3.Decode32Bits)
	pos = ni
	for (offset, size, instr, hexdump) in decoded:
		entry = _instr(bytes[offset:offset + size], size, 0)
		entry.label = label
		entry.jmp_label = jmp_label
		sl.insert(pos, entry)
		pos += 1
	recalc_jmps(sl, pos)
开发者ID:TaroballzChen,项目名称:shecodject,代码行数:14,代码来源:x86obf.py

示例10: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def __init__(self, arch = None):
        """
        Create a distorm-backed disassembler engine.

        @param arch: target architecture constant, passed through to the
                     base class; ``self.arch`` must then be
                     ``win32.ARCH_I386`` or ``win32.ARCH_AMD64``
        @raise KeyError: when ``self.arch`` is not one of the supported values
        """
        super(DistormEngine, self).__init__(arch)

        # Decoder entry point.
        self.__decode = distorm3.Decode

        # Map the resolved architecture to distorm's bitness flag.
        bits_by_arch = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = bits_by_arch[self.arch]
开发者ID:debasishm89,项目名称:OpenXMolar,代码行数:13,代码来源:disasm.py

示例11: vbrDisassembly

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
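def vbrDisassembly(self):
        """
        Disassemble the VBR as 16-bit code and write the listing to disk.

        Each line is ``offset: hexdump instruction``; the result is saved as
        ``vbr_AssemblyCode.txt`` under ``self.dest``.

        @return None
        """
        decoded = Decode(0x000, self.vbr, Decode16Bits)
        # Collect the lines and join once instead of repeated str +=.
        lines = ["%.8x: %-32s %s" % (offset, hexdump, instruction)
                 for (offset, size, instruction, hexdump) in decoded]
        assemblyCode = "".join(line + "\n" for line in lines)
        with open(os.path.join(self.dest, "vbr_AssemblyCode.txt"), "w") as f:
            f.write(assemblyCode)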
开发者ID:SekoiaLab,项目名称:Fastir_Collector,代码行数:9,代码来源:vbr.py

示例12: boot_loader_disassembly

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
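def boot_loader_disassembly(self):
        """
        Disassemble the MBR boot loader code as 16-bit code and write the
        listing to ``bootLoaderAssemblyCode.txt`` under ``self.path``.

        Each line is ``offset: hexdump instruction``.

        @return None
        """
        decoded = Decode(0x000, self.mbrStruct.bootloaderCode, Decode16Bits)
        # Collect the lines and join once instead of repeated str +=.
        lines = ["%.8x: %-32s %s" % (offset, hexdump, instruction)
                 for (offset, size, instruction, hexdump) in decoded]
        assembly_code = "".join(line + "\n" for line in lines)
        out_path = os.path.join(self.path, "bootLoaderAssemblyCode.txt")
        # The context manager closes the handle even if write() raises.
        with open(out_path, "w") as h_file:
            h_file.write(assembly_code)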
开发者ID:SekoiaLab,项目名称:Fastir_Collector,代码行数:10,代码来源:mbr.py

示例13: find_function_address

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def find_function_address(self, proc_as, ret_addr):
        """
        Calculates the function address given a return address. Disassembles code to get through the double indirection
        introduced by the Linux PLT.

        Steps: decode the 5 bytes before ``ret_addr`` expecting a direct
        ``CALL``; read 6 bytes at the call target and, if that is a
        PLT-style ``JMP [mem]``, resolve the slot it points at with
        ``read_address``.  Any other first instruction at the target is
        taken to mean the target itself is the function.

        @param proc_as: Process address space
        @param ret_addr: Return address
        @return The function address or None
        """
        if distorm_loaded:
            decode_as = self.decode_as
            # A direct CALL rel32 is 5 bytes; a shorter CALL form will not
            # decode cleanly from this window and falls through to None.
            retaddr_assembly = distorm3.Decode(ret_addr - 5, proc_as.read(ret_addr - 5, 5), decode_as)
            if len(retaddr_assembly) == 0:
                return None
            #print(retaddr_assembly)
            retaddr_assembly = retaddr_assembly[0] # We're only getting 1 instruction
            # retaddr_assembly[2] = "CALL 0x400620"
            instr = retaddr_assembly[2].split(' ')
            #print(instr)
            if instr[0] == 'CALL':
                try:
                    # Strip the "0x" prefix; a register operand raises ValueError.
                    target = int(instr[1][2:], 16)
                except ValueError:
                    return None
                bytes = proc_as.read(target, 6)
                if not bytes:
                    # We're not sure if this is the function address
                    return target
                plt_instructions = distorm3.Decode(target, bytes, decode_as)
                # NOTE(review): assumes Decode returns at least one entry for a
                # non-empty buffer; an empty list would raise IndexError here.
                plt_assembly = plt_instructions[0] # 1 instruction
                #print(plt_assembly)
                instr2 = plt_assembly[2].split(' ')
                #print(instr2)
                if instr2[0] == 'JMP':
                    final_addr = None
                    if instr2[1] == 'DWORD':
                        # Operand text like "[0x...]": slice off "[0x" and "]".
                        # NOTE(review): the displacement is then added to
                        # target + 6 as if RIP-relative; a 32-bit absolute
                        # [addr] form would not need that -- confirm for the
                        # decode_as in use.
                        target2 = int(instr2[2][3:-1], 16)
                    elif instr2[1] == 'QWORD': # if QWORD
                        # Operand text like "[RIP+0x...]": slice off "[RIP+0x" and "]".
                        target2 = int(instr2[2][7:-1], 16)
                    else: # if 0xADDRESS
                        final_addr = int(instr2[1][2:],16)
                    if not final_addr:
                        # RIP-relative: displacement is relative to the end of
                        # the 6-byte JMP instruction.
                        final_addr = target + 6 + target2
                    debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr2, target))
                    return read_address(proc_as, final_addr)
                elif instr2[0] == 'PUSH' and instr2[1] == 'RBP':
                    # This is an internal function
                    debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr, target))
                    return target
                else:
                    # In case push rbp is removed
                    debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr, target))
                    return target
            return None
        else:
            return None
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:57,代码来源:process_stack.py

示例14: load_shell

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
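def load_shell(bin, range):
	"""
	Split raw shellcode into code and data entries.

	``range`` is a comma-separated list of ``start-end`` byte ranges (decimal
	offsets) marking code regions; bytes outside them are treated as data.
	An empty ``range`` treats the whole buffer as code.  Code regions are
	disassembled as 32-bit x86 with distorm and each instruction becomes an
	``_instr`` entry; a data region becomes a single ``_instr`` flagged as
	data.  ``parse_shell`` is run over the result before it is returned.

	@param bin: raw shellcode bytes
	@param range: range spec string, e.g. "0-10,20-30", or ""
	@return list of _instr entries
	"""
	# (chunk, is_data) pairs in buffer order.
	segments = []

	if range != '':
		cr = 0
		for r in range.split(','):
			rr = r.split('-')
			br = int(rr[0])
			er = int(rr[1])
			# The gap before this code range is data.
			if br > cr:
				segments.append((bin[cr:br], 1))
			segments.append((bin[br:er], 0))
			cr = er
		if cr == 0:
			segments.append((bin[:], 0))
		elif cr < len(bin):
			# Trailing bytes after the last code range are data.
			segments.append((bin[cr:], 1))
	else:
		segments.append((bin[:], 0))

	ret = []
	for rb, is_data in segments:
		if is_data == 0:
			decoded = distorm3.Decode(0, rb, distorm3.Decode32Bits)
			for (offset, size, instr, hexdump) in decoded:
				ret.append(_instr(rb[offset:offset + size], size, 0))
		else:
			ret.append(_instr(rb[:], len(rb), 1))

	parse_shell(ret)
	return ret[:]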
开发者ID:TaroballzChen,项目名称:shecodject,代码行数:46,代码来源:x86obf.py

