当前位置: 首页>>代码示例>>Python>>正文


Python distorm3.Decode32Bits方法代码示例

本文整理汇总了Python中distorm3.Decode32Bits方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Decode32Bits方法的具体用法?Python distorm3.Decode32Bits怎么用?Python distorm3.Decode32Bits使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在distorm3的用法示例。


在下文中一共展示了distorm3.Decode32Bits方法的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
        """
        @param offset Address of the instruction
        @param code Opcode bytes of the instruction
        @param type Dissassemble 32 or 64 bit code
        @param feature Possible settings for distrom3
        not used at the moment
        """
        self.valid = False
        if SV.dissassm_type == 64:
            type = distorm3.Decode64Bits
        else:
            type = distorm3.Decode32Bits
        inst = distorm3.Decompose(offset, code, type, feature)
        if len(inst) == 1:
            self.Instruction = inst[0]
            if self.Instruction.valid:
                self.valid = True
        self.opcode_len = len(code)
        self.opcode_bytes = []
        self.addr = offset
        for x in code:
            self.opcode_bytes.append(ord(x))
        self._len = len(self.Instruction.operands) + 1 
开发者ID:anatolikalysch,项目名称:VMAttack,代码行数:26,代码来源:Instruction.py

示例2: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, config, *args, **kwargs):
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
        self._config.add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
        self._config.add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')

        self.symbols = None
        self.undefined = None
        self.dump_file = None
        # self.symbols = \
        #     {
        #         'libtestlibrary.so' : {0x6f0 : 'function_one', 0x71e : 'function_two'}
        #     }
        # print(self.symbols)
        if distorm_loaded:
            self.decode_as = distorm3.Decode32Bits if linux_process_info.address_size == 4 else distorm3.Decode64Bits
        else:
            debug.error("You really need the distorm3 python module for this plugin to function properly.") 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:19,代码来源:process_stack.py

示例3: _import_dependencies

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def _import_dependencies(self):

        # Load the distorm bindings.
        global distorm3
        if distorm3 is None:
            try:
                import distorm3
            except ImportError:
                import distorm as distorm3

        # Load the decoder function.
        self.__decode = distorm3.Decode

        # Load the bits flag.
        self.__flag = {
            win32.ARCH_I386:  distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }[self.arch] 
开发者ID:fabioz,项目名称:PyDev.Debugger,代码行数:20,代码来源:disasm.py

示例4: print_disasm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def print_disasm(sl):

	ni = 0
	ioff = 0
	for i in sl:
		if i.is_data == 0:
			#if i.label >= 0 or i.jmp_label >= 0:
			#	print 'label:', i.label, 'jmp_label:', i.jmp_label
			l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
			for (offset, size, instr, hexdump) in l:
				print ('%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr))
				ni += 1
				ioff += size
		else:
			print ('%-4i %.8x:' % (ni, ioff),)
			print_string_hex(i.bytes)
			print ('')
			ioff += i.size 
开发者ID:TaroballzChen,项目名称:shecodject,代码行数:20,代码来源:x86obf.py

示例5: disassemble

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def disassemble(data, start, bits='32bit', stoponret=False):
    """Dissassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding
    @param stoponret: stop disasm when function end is reached

    @returns: tuple of (offset, instruction, hex bytes)
    """

    if bits == '32bit':
        mode = distorm3.Decode32Bits
    else:
        mode = distorm3.Decode64Bits

    for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and i.startswith("RET"):
            raise StopIteration
        yield o, i, h


# copied from volatility 
开发者ID:vortessence,项目名称:vortessence,代码行数:25,代码来源:utils.py

示例6: print_disasm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def print_disasm(sl):

	ni = 0
	ioff = 0
	for i in sl:
		if i.is_data == 0:
			#if i.label >= 0 or i.jmp_label >= 0:
			#	print 'label:', i.label, 'jmp_label:', i.jmp_label
			l = distorm3.Decode(ioff, i.bytes, distorm3.Decode32Bits)
			for (offset, size, instr, hexdump) in l:
				print '%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr)
				ni += 1
				ioff += size
		else:
			print '%-4i %.8x:' % (ni, ioff),
			print_string_hex(i.bytes)
			print ''
			ioff += i.size 
开发者ID:kgretzky,项目名称:python-x86-obfuscator,代码行数:20,代码来源:x86obf.py

示例7: _get_table_info_distorm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling functions
        that immediately reference it in their first isntruction
        This is in the form 'cmp reg,NR_syscalls'
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            func = "sysenter_do_call"
        else:
            mode = distorm3.Decode64Bits
            func = "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)

        if func_addr:
            data = self.addr_space.read(func_addr, 6)
            
            for op in distorm3.Decompose(func_addr, data, mode):
                if not op.valid:
                    continue

                if op.mnemonic == 'CMP':
                    table_size = (op.operands[1].value) & 0xffffffff
                    break

        return table_size 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:36,代码来源:check_syscall.py

示例8: calculate

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def calculate(self):
        common.set_plugin_members(self)

        model = self.addr_space.profile.metadata.get('memory_model', 0)

        if model == '32bit':
            distorm_mode = distorm3.Decode32Bits
        else:
            distorm_mode = distorm3.Decode64Bits
        
        for (shadowtbl_addr, func, op) in self.shadowedSyscalls(model, distorm_mode, self.addr_space.profile.get_symbol("_sysent")):
            yield (shadowtbl_addr, func, op) 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:14,代码来源:check_syscall_shadow.py

示例9: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, hook_type, hook_mode, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = distorm3.Decode32Bits):
        """
        Initalize a hook class instance. 

        @params hook_type: one of the HOOK_TYPE_* constants 
        @params hook_mode: one of the HOOK_MODE_* constants

        @params function_name: name of the function being hooked 

        @params function_address: address of the hooked function in 
            process or kernel memory. 

        @params hook_address: address where the hooked function 
            actually points. 

        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the 
            hooking module (owner of the hook_address). note: 
            this can be None if the module cannot be identified. 

        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the 
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks. 

        """
        self.hook_mode = hook_mode
        self.hook_type = hook_type
        self.function_name = function_name
        self.function_address = function_address
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.victim_module = victim_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = [] 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:39,代码来源:apihooks.py

示例10: render_text

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def render_text(self, outfd, data):
        for process, module, hook in data:

            outfd.write("*" * 72 + "\n")
            outfd.write("Hook mode: {0}\n".format(hook.Mode))
            outfd.write("Hook type: {0}\n".format(hook.Type))

            if process:
                outfd.write('Process: {0} ({1})\n'.format(
                    process.UniqueProcessId, process.ImageFileName))

            outfd.write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
                str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or '')),
                module.DllBase, module.DllBase + module.SizeOfImage))

            outfd.write("Function: {0}\n".format(hook.Detail))
            outfd.write("Hook address: {0:#x}\n".format(hook.hook_address))
            outfd.write("Hooking module: {0}\n\n".format(hook.HookModule))

            for n, info in enumerate(hook.disassembled_hops):
                (address, data) = info
                s = ["{0:#x} {1:<16} {2}".format(o, h, i)
                        for o, i, h in
                        malfind.Disassemble(data, int(address), bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit")
                    ]
                outfd.write("Disassembly({0}):\n{1}".format(n, "\n".join(s)))
                outfd.write("\n\n") 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:29,代码来源:apihooks.py

示例11: Disassemble

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Dissassemble code with distorm3. 

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding 
    @param stoponret: stop disasm when function end is reached
    
    @returns: tuple of (offset, instruction, hex bytes)
    """

    if not has_distorm3:
        raise StopIteration

    if bits == '32bit':
        mode = distorm3.Decode32Bits
    else:
        mode = distorm3.Decode64Bits

    for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and i.startswith("RET"):
            raise StopIteration
        yield o, i, h

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has 
# some shortcomings that don't allow us to integrate yara easily. 
#
# FIXME: these may need updating after resolving issue 310 which aims to 
# enhance the scan.BaseScanner to better support things like this
#-------------------------------------------------------------------------------- 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:35,代码来源:malfind.py

示例12: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def __init__(self, hook_type, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = distorm3.Decode32Bits):
        """
        Initalize a hook class instance.

        @params hook_type: one of the HOOK_TYPE_* constants

        @params function_name: name of the function being hooked

        @params function_address: address of the hooked function in
            process or kernel memory.

        @params hook_address: address where the hooked function
            actually points.

        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.

        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.

        """
        self.hook_type = hook_type
        self.function_name = function_name
        self.function_address = function_address
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.victim_module = victim_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = [] 
开发者ID:eset,项目名称:volatility-browserhooks,代码行数:37,代码来源:browserhooks.py

示例13: get_wow64_hooks

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def get_wow64_hooks(self, process):
        decode_bits = distorm3.Decode32Bits

        modules = self.get_wow64_modules(process)
        for module_start, module_end, module_path in modules:
            if "chrome.dll" not in module_path:
                continue

            print module_path 
开发者ID:eset,项目名称:volatility-browserhooks,代码行数:11,代码来源:browserhooks.py

示例14: shell_insert_bytes

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1):
	l = distorm3.Decode(0, bytes, distorm3.Decode32Bits)
	tsize = 0
	for (offset, size, instr, hexdump) in l:
		i = _instr(bytes[offset:offset+size], size, 0)
		i.label = label
		i.jmp_label = jmp_label

		sl.insert(ni, i)
		ni += 1
		tsize += size
	recalc_jmps(sl, ni) 
开发者ID:TaroballzChen,项目名称:shecodject,代码行数:14,代码来源:x86obf.py

示例15: _get_table_info_distorm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode32Bits [as 别名]
def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling functions
        that immediately reference it in their first isntruction
        This is in the form 'cmp reg,NR_syscalls'
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            funcs = ["sysenter_do_call"]
        else:
            mode = distorm3.Decode64Bits
            funcs = ["system_call_fastpath", "do_int80_syscall_32"]

        for func in funcs:
            func_addr = self.addr_space.profile.get_symbol(func)
            if func_addr:
                data = self.addr_space.read(func_addr, 64)

                for op in distorm3.Decompose(func_addr, data, mode):
                    if not op.valid:
                        continue

                    if op.mnemonic == 'CMP':
                        table_size = (op.operands[1].value) & 0xffffffff
                        break

                break

        return table_size 
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:38,代码来源:check_syscall.py


注:本文中的distorm3.Decode32Bits方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。