本文整理汇总了Python中distorm3.Decode32Bits方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Decode32Bits方法的具体用法?Python distorm3.Decode32Bits怎么用?Python distorm3.Decode32Bits使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类distorm3的用法示例。
在下文中一共展示了distorm3.Decode32Bits方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
"""
@param offset Address of the instruction
@param code Opcode bytes of the instruction
@param type Dissassemble 32 or 64 bit code
@param feature Possible settings for distrom3
not used at the moment
"""
self.valid = False
if SV.dissassm_type == 64:
type = distorm3.Decode64Bits
else:
type = distorm3.Decode32Bits
inst = distorm3.Decompose(offset, code, type, feature)
if len(inst) == 1:
self.Instruction = inst[0]
if self.Instruction.valid:
self.valid = True
self.opcode_len = len(code)
self.opcode_bytes = []
self.addr = offset
for x in code:
self.opcode_bytes.append(ord(x))
self._len = len(self.Instruction.operands) + 1 示例2: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, config, *args, **kwargs):
linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')
self.symbols = None
self.undefined = None
self.dump_file = None
# self.symbols = \
# {
# 'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
# }
# print(self.symbols)
if distorm_loaded:
self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
else:
debug.error("You really need the distorm3 python module for this plugin to function properly.") 示例3: _import_dependencies
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def _import_dependencies(self):
# Load the distorm bindings.
global distorm3
if distorm3 is None:
try:
import distorm3
except ImportError:
import distorm as distorm3
# Load the decoder function.
self.__decode = distorm3.Decode
# Load the bits flag.
self.__flag = {
win32.ARCH_I386: distorm3.Decode32Bits,
win32.ARCH_AMD64: distorm3.Decode64Bits,
}[self.arch] 示例4: print_disasm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def print_disasm(sl):
ni = 0
ioff = 0
for i in sl:
if i.is_data == 0:
#if i.label >= 0 or i.jmp_label >= 0:
# print 'label:', i.label, 'jmp_label:', i.jmp_label
l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
for (offset, size, instr, hexdump) in l:
print ('%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr))
ni += 1
ioff += size
else:
print ('%-4i %.8x:' % (ni, ioff),)
print_string_hex(i.bytes)
print ('')
ioff += i.size 示例5: disassemble
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def disassemble(data, start, bits='32bit', stoponret=False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
# copied from volatility 示例6: print_disasm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def print_disasm(sl):
ni = 0
ioff = 0
for i in sl:
if i.is_data == 0:
#if i.label >= 0 or i.jmp_label >= 0:
# print 'label:', i.label, 'jmp_label:', i.jmp_label
l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
for (offset, size, instr, hexdump) in l:
print '%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr)
ni += 1
ioff += size
else:
print '%-4i %.8x:' % (ni, ioff),
print_string_hex(i.bytes)
print ''
ioff += i.size 示例7: _get_table_info_distorm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def _get_table_info_distorm(self):
"""
Find the size of the system call table by disassembling functions
that immediately reference it in their first isntruction
This is in the form 'cmp reg,NR_syscalls'
"""
table_size = 0
if not has_distorm:
return table_size
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
mode = distorm3.Decode32Bits
func = "sysenter_do_call"
else:
mode = distorm3.Decode64Bits
func = "system_call_fastpath"
func_addr = self.addr_space.profile.get_symbol(func)
if func_addr:
data = self.addr_space.read(func_addr, 6)
for op in distorm3.Decompose(func_addr, data, mode):
if not op.valid:
continue
if op.mnemonic == 'CMP':
table_size = (op.operands[1].value) & 0xffffffff
break
return table_size 示例8: calculate
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def calculate(self):
common.set_plugin_members(self)
model = self.addr_space.profile.metadata.get('memory_model', 0)
if model == '32bit':
distorm_mode = distorm3.Decode32Bits
else:
distorm_mode = distorm3.Decode64Bits
for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")):
yield (shadowtbl_addr, func, op) 示例9: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, hook_type, hook_mode, function_name,
function_address = None, hook_address = None,
hook_module = None, victim_module = None,
decode_bits = distorm3.Decode32Bits):
"""
Initalize a hook class instance.
@params hook_type: one of the HOOK_TYPE_* constants
@params hook_mode: one of the HOOK_MODE_* constants
@params function_name: name of the function being hooked
@params function_address: address of the hooked function in
process or kernel memory.
@params hook_address: address where the hooked function
actually points.
@params hook_module: the _LDR_DATA_TABLE_ENTRY of the
hooking module (owner of the hook_address). note:
this can be None if the module cannot be identified.
@params victim_module: the _LDR_DATA_TABLE_ENTRY of the
module being hooked (contains the function_address).
note: this can be a string if checking IAT hooks.
"""
self.hook_mode = hook_mode
self.hook_type = hook_type
self.function_name = function_name
self.function_address = function_address
self.hook_address = hook_address
self.hook_module = hook_module
self.victim_module = victim_module
self.decode_bits = decode_bits
# List of tuples: address, data pairs
self.disassembled_hops = [] 示例10: render_text
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def render_text(self, outfd, data):
for process, module, hook in data:
outfd.write("*" * 72 + "\n")
outfd.write("Hook mode: {0}\n".format(hook.Mode))
outfd.write("Hook type: {0}\n".format(hook.Type))
if process:
outfd.write('Process: {0} ({1})\n'.format(
process.UniqueProcessId, process.ImageFileName))
outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
module.DllBase, module.DllBase + module.SizeOfImage))
outfd.write("Function: {0}\n".format(hook.Detail))
outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))
for n, info in enumerate(hook.disassembled_hops):
(address, data) = info
s = ["{0:#x} {1:<16} {2}".format(o, h, i)
for o, i, h in
malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
]
outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
outfd.write("\n\n") 示例11: Disassemble
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def Disassemble(data, start, bits = '32bit', stoponret = False):
"""Dissassemble code with distorm3.
@param data: python byte str to decode
@param start: address where `data` is found in memory
@param bits: use 32bit or 64bit decoding
@param stoponret: stop disasm when function end is reached
@returns: tuple of (offset, instruction, hex bytes)
"""
if not has_distorm3:
raise StopIteration
if bits == '32bit':
mode = distorm3.Decode32Bits
else:
mode = distorm3.Decode64Bits
for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
if stoponret and i.startswith("RET"):
raise StopIteration
yield o, i, h
#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#-------------------------------------------------------------------------------- 示例12: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, hook_type, function_name,
function_address = None, hook_address = None,
hook_module = None, victim_module = None,
decode_bits = distorm3.Decode32Bits):
"""
Initalize a hook class instance.
@params hook_type: one of the HOOK_TYPE_* constants
@params function_name: name of the function being hooked
@params function_address: address of the hooked function in
process or kernel memory.
@params hook_address: address where the hooked function
actually points.
@params hook_module: the _LDR_DATA_TABLE_ENTRY of the
hooking module (owner of the hook_address). note:
this can be None if the module cannot be identified.
@params victim_module: the _LDR_DATA_TABLE_ENTRY of the
module being hooked (contains the function_address).
note: this can be a string if checking IAT hooks.
"""
self.hook_type = hook_type
self.function_name = function_name
self.function_address = function_address
self.hook_address = hook_address
self.hook_module = hook_module
self.victim_module = victim_module
self.decode_bits = decode_bits
# List of tuples: address, data pairs
self.disassembled_hops = [] 示例13: get_wow64_hooks
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def get_wow64_hooks(self, process):
decode_bits = distorm3.Decode32Bits
modules = self.get_wow64_modules(process)
for module_start, module_end, module_path in modules:
if "chrome.dll" not in module_path:
continue
print module_path 示例14: shell_insert_bytes
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1):
l = distorm3.Decode(0, bytes, distorm3.Decode32Bits)
tsize = 0
for (offset, size, instr, hexdump) in l:
i = _instr(bytes[offset:offset+size], size, 0)
i.label = label
i.jmp_label = jmp_label
sl.insert(ni, i)
ni += 1
tsize += size
recalc_jmps(sl, ni) 示例15: _get_table_info_distorm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def _get_table_info_distorm(self):
"""
Find the size of the system call table by disassembling functions
that immediately reference it in their first isntruction
This is in the form 'cmp reg,NR_syscalls'
"""
table_size = 0
if not has_distorm:
return table_size
memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
if memory_model == '32bit':
mode = distorm3.Decode32Bits
funcs = ["sysenter_do_call"]
else:
mode = distorm3.Decode64Bits
funcs = ["system_call_fastpath", "do_int80_syscall_32"]
for func in funcs:
func_addr = self.addr_space.profile.get_symbol(func)
if func_addr:
data = self.addr_space.read(func_addr, 64)
for op in distorm3.Decompose(func_addr, data, mode):
if not op.valid:
continue
if op.mnemonic == 'CMP':
table_size = (op.operands[1].value) & 0xffffffff
break
break
return table_size