本文整理汇总了Python中distorm3.Decode方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Decode方法的具体用法?Python distorm3.Decode怎么用?Python distorm3.Decode使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类distorm3
的用法示例。
在下文中一共展示了distorm3.Decode方法的14个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: is_return_address
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def is_return_address(self, address, process_info):
"""
Checks if the address is a return address by checking if the preceding instruction is a 'CALL'.
@param address: An address
@param process_info: process info object
@return True or False
"""
proc_as = process_info.proc_as
size = 5
if distorm_loaded and process_info.is_code_pointer(address):
offset = address - size
instr = distorm3.Decode(offset, proc_as.read(offset, size), self.decode_as)
# last instr, third tuple item (instr string), first 7 letters
# if instr[-1][2][:7] == 'CALL 0x':
# print(instr[-1][2])
if len(instr) > 0:
return instr[-1][2][:4] == 'CALL'
# there's also call <register>
return False
示例2: find_locals_size
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def find_locals_size(self, proc_as, frames):
"""
Find the size of the locals of the function, similar to GDB's prologue analysis.
Buggy and not actually used.
@param proc_as: Process address space
@param frames: a list of stack frames
@return None
"""
if not distorm_loaded: return
for frame in frames:
if frame.function:
instr = distorm3.Decode(frame.function, proc_as.read(frame.function, 8), self.decode_as)
if self.is_function_header(instr) and len(instr) > 2:
test = instr[2][2].split(' ')
if test[0] == 'SUB' and test[1] == 'RSP,':
frame.locals_size = int(test[2][2:], 16)
示例3: _import_dependencies
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def _import_dependencies(self):
# Load the distorm bindings.
global distorm3
if distorm3 is None:
try:
import distorm3
except ImportError:
import distorm as distorm3
# Load the decoder function.
self.__decode = distorm3.Decode
# Load the bits flag.
self.__flag = {
win32.ARCH_I386: distorm3.Decode32Bits,
win32.ARCH_AMD64: distorm3.Decode64Bits,
}[self.arch]
示例4: print_disasm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def print_disasm(sl):
ni = 0
ioff = 0
for i in sl:
if i.is_data == 0:
#if i.label >= 0 or i.jmp_label >= 0:
# print 'label:', i.label, 'jmp_label:', i.jmp_label
l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
for (offset, size, instr, hexdump) in l:
print ('%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr))
ni += 1
ioff += size
else:
print ('%-4i %.8x:' % (ni, ioff),)
print_string_hex(i.bytes)
print ('')
ioff += i.size
示例5: print_disasm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def print_disasm(sl):
ni = 0
ioff = 0
for i in sl:
if i.is_data == 0:
#if i.label >= 0 or i.jmp_label >= 0:
# print 'label:', i.label, 'jmp_label:', i.jmp_label
l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
for (offset, size, instr, hexdump) in l:
print '%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr)
ni += 1
ioff += size
else:
print '%-4i %.8x:' % (ni, ioff),
print_string_hex(i.bytes)
print ''
ioff += i.size
示例6: decode
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def decode(self, address, code):
# Decode each instruction in the buffer.
result = []
offset = 0
while offset < len(code):
# Decode the current instruction.
opcode = libdisassemble.Opcode( code[offset:offset+32] )
length = opcode.getSize()
disasm = opcode.printOpcode('INTEL')
hexdump = HexDump.hexadecimal( code[offset:offset+length] )
# Add the decoded instruction to the list.
result.append((
address + offset,
length,
disasm,
hexdump,
))
# Move to the next instruction.
offset += length
# Return the list of decoded instructions.
return result
#==============================================================================
示例7: check_prologue
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def check_prologue(self, address):
try:
from distorm3 import Decode, Decode16Bits, Decode32Bits, Decode64Bits
except:
print '[!] Failed to load distorm3'
print '[!] Inline function hook finder need to distorm3.'
exit();
base_pointer = address + self.base_address
buf = self.x86_mem_pae.read(base_pointer, 12)
code = Decode(base_pointer, buf, Decode64Bits)
# code[0] format : (address, instruction size, instruction, hex string)
call_address = 0
inst_opcode2 = code[1][2].split(' ')[0]
inst_opcode = code[0][2].split(' ')[0]
if inst_opcode == 'MOV':
if inst_opcode2 == 'JMP' or inst_opcode2 == 'CALL' or inst_opcode2 == 'RET':
call_address = code[0][2].split(' ')[2] # operand
elif inst_opcode == 'JMP':
call_address = code[0][2].split(' ')[1] # operand
if call_address == 0:
print 'No Prologue hook'
else:
print 'JMP Address : %x'%(call_address)
return call_address
示例8: find_function_in_code
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def find_function_in_code(self, caller_addr, callee_addr):
try:
from distorm3 import Decode, Decode16Bits, Decode32Bits, Decode64Bits
except:
print '[!] Failed to load distorm3'
print '[!] Inline function hook finder need to distorm3.'
exit();
#print 'Callie Address : %x'%(callie_addr+self.base_address)
base_pointer = caller_addr + self.base_address
buf = self.x86_mem_pae.read(base_pointer, 256)
code = Decode(base_pointer, buf, Decode64Bits)
findit = []
function_inst = []
for instruction in code:
function_inst.append(instruction)
if instruction[2].split(' ')[0] == 'RET':
break
inst_split = instruction[2].split(' ')
if inst_split[0] == 'CALL':
try:
if int(inst_split[1], 16) == callee_addr+self.base_address:
#print 'Find Function : %x'%instruction[0]
findit.append(instruction)
except ValueError:
continue # bypass 'CALL reg/64'
return findit, function_inst
# Korean comments
# inline_quick - Checking JMP instruction in function prologue considered as MOV-JMP instructions
示例9: shell_insert_bytes
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1):
l = distorm3.Decode(0, bytes, distorm3.Decode32Bits)
tsize = 0
for (offset, size, instr, hexdump) in l:
i = _instr(bytes[offset:offset+size], size, 0)
i.label = label
i.jmp_label = jmp_label
sl.insert(ni, i)
ni += 1
tsize += size
recalc_jmps(sl, ni)
示例10: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def __init__(self, arch = None):
super(DistormEngine, self).__init__(arch)
# Load the decoder function.
self.__decode = distorm3.Decode
# Load the bits flag.
self.__flag = {
win32.ARCH_I386: distorm3.Decode32Bits,
win32.ARCH_AMD64: distorm3.Decode64Bits,
}[self.arch]
示例11: vbrDisassembly
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def vbrDisassembly(self):
l = Decode(0x000, self.vbr, Decode16Bits)
assemblyCode = ""
for (offset, size, instruction, hexdump) in l:
assemblyCode = assemblyCode + "%.8x: %-32s %s" % (offset, hexdump, instruction) + "\n"
with open(os.path.join(self.dest,"vbr_AssemblyCode.txt"), "w") as f:
f.write(assemblyCode)
示例12: boot_loader_disassembly
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def boot_loader_disassembly(self):
l = Decode(0x000, self.mbrStruct.bootloaderCode, Decode16Bits)
assembly_code = ""
for (offset, size, instruction, hexdump) in l:
assembly_code = assembly_code + "%.8x: %-32s %s" % (offset, hexdump, instruction) + "\n"
h_file = open(self.path + os.path.sep + "bootLoaderAssemblyCode.txt", "w")
h_file.write(assembly_code)
h_file.close()
示例13: find_function_address
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def find_function_address(self, proc_as, ret_addr):
"""
Calculates the function address given a return address. Disassembles code to get through the double indirection
introduced by the Linux PLT.
@param proc_as: Process address space
@param ret_addr: Return address
@return The function address or None
"""
if distorm_loaded:
decode_as = self.decode_as
retaddr_assembly = distorm3.Decode(ret_addr - 5, proc_as.read(ret_addr - 5, 5), decode_as)
if len(retaddr_assembly) == 0:
return None
#print(retaddr_assembly)
retaddr_assembly = retaddr_assembly[0] # We're only getting 1 instruction
# retaddr_assembly[2] = "CALL 0x400620"
instr = retaddr_assembly[2].split(' ')
#print(instr)
if instr[0] == 'CALL':
try:
target = int(instr[1][2:], 16)
except ValueError:
return None
bytes = proc_as.read(target, 6)
if not bytes:
# We're not sure if this is the function address
return target
plt_instructions = distorm3.Decode(target, bytes, decode_as)
plt_assembly = plt_instructions[0] # 1 instruction
#print(plt_assembly)
instr2 = plt_assembly[2].split(' ')
#print(instr2)
if instr2[0] == 'JMP':
final_addr = None
if instr2[1] == 'DWORD':
target2 = int(instr2[2][3:-1], 16)
elif instr2[1] == 'QWORD': # if QWORD
target2 = int(instr2[2][7:-1], 16)
else: # if 0xADDRESS
final_addr = int(instr2[1][2:],16)
if not final_addr:
final_addr = target + 6 + target2
debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr2, target))
return read_address(proc_as, final_addr)
elif instr2[0] == 'PUSH' and instr2[1] == 'RBP':
# This is an internal function
debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr, target))
return target
else:
# In case push rbp is removed
debug.info("Found function address from instruction {} at offset 0x{:016x}".format(instr, target))
return target
return None
else:
return None
示例14: load_shell
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode [as 别名]
def load_shell(bin, range):
ret = []
rbin = []
ibin = []
if range != '':
cr = 0
for r in range.split(','):
rr = r.split('-')
br = int(rr[0])
er = int(rr[1])
if br > cr:
rbin.append( bin[cr:br] )
ibin.append(1)
rbin.append(bin[br:er])
ibin.append(0)
cr = er
if cr == 0:
rbin.append(bin[:])
ibin.append(0)
elif cr < len(bin):
rbin.append(bin[cr:])
ibin.append(1)
else:
rbin.append(bin[:])
ibin.append(0)
i=0
for t in rbin:
i+=1
i=0
for rb in rbin:
if ibin[i]==0:
l = distorm3.Decode(0, rb, distorm3.Decode32Bits)
for (offset, size, instr, hexdump) in l:
ret.append( _instr(rb[offset:offset+size], size, 0) )
else:
ret.append( _instr(rb[:], len(rb), 1) )
i+=1
parse_shell(ret)
return ret[:]