本文整理汇总了Python中distorm3.Decode64Bits方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Decode64Bits方法的具体用法?Python distorm3.Decode64Bits怎么用?Python distorm3.Decode64Bits使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类distorm3
的用法示例。
在下文中一共展示了distorm3.Decode64Bits方法的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。
示例1: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
    """
    Decode one instruction from ``code`` with distorm3 and record it.

    @param offset Address of the instruction
    @param code Opcode bytes of the instruction (each element is passed to
                ord(), so a Python 2 byte str is what the loop below expects)
    @param type Dissassemble 32 or 64 bit code.
                NOTE: the value passed here is ignored; the decode width is
                always taken from the module-level SV.dissassm_type below.
    @param feature Possible settings for distrom3
    not used at the moment

    Sets ``self.valid`` to True only when the bytes decode to exactly one
    valid instruction; ``Instruction``, ``opcode_len``, ``opcode_bytes``,
    ``addr`` and ``_len`` are only assigned on that path.  Indentation was
    lost in this listing, so the nesting below is a reconstruction — confirm
    it against the original source.
    """
    self.valid = False
    # Decode width comes from the global setting, not from ``type``.
    if SV.dissassm_type == 64:
        type = distorm3.Decode64Bits
    else:
        type = distorm3.Decode32Bits
    inst = distorm3.Decompose(offset, code, type, feature)
    # Anything other than exactly one decoded instruction is treated as invalid.
    if len(inst) == 1:
        self.Instruction = inst[0]
        if self.Instruction.valid:
            self.valid = True
            self.opcode_len = len(code)
            self.opcode_bytes = []
            self.addr = offset
            for x in code:
                self.opcode_bytes.append(ord(x))
            # Operand count plus one for the mnemonic itself.
            self._len = len(self.Instruction.operands) + 1
示例2: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def __init__(self, config, *args, **kwargs):
    """Register this plugin's options and choose the distorm3 decode width.

    Adds the SYMBOL-DIR (-s) and DUMP-FILE (-o) string options on top of the
    linux_process_info ones, initialises the symbol/dump attributes to None
    and selects 32- or 64-bit decoding from linux_process_info.address_size.
    When the distorm3 bindings were not loaded, debug.error is called with an
    explanatory message instead.
    """
    linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
    option_specs = (
        ('SYMBOL-DIR', 's', 'Directory containing files with function symbols'),
        ('DUMP-FILE', 'o', 'Dump an annotated stack to this file'),
    )
    for name, short, help_text in option_specs:
        self._config.add_option(name, short_option=short, default=None, help=help_text, type='str')
    # ``symbols`` is filled later; the original carried an example of the
    # expected shape: {'libtestlibrary.so': {0x6f0: 'function_one', 0x71e: 'function_two'}}
    self.symbols = None
    self.undefined = None
    self.dump_file = None
    if distorm_loaded:
        thirty_two_bit = linux_process_info.address_size == 4
        self.decode_as = distorm3.Decode32Bits if thirty_two_bit else distorm3.Decode64Bits
    else:
        debug.error("You really need the distorm3 python module for this plugin to function properly.")
示例3: _import_dependencies
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def _import_dependencies(self):
    """Bind the distorm decoder and the decode-width flag for ``self.arch``.

    The bindings are imported lazily into the module-level ``distorm3`` name
    the first time this runs; the older ``distorm`` module name is accepted as
    a fallback.  Raises KeyError when ``self.arch`` is neither
    win32.ARCH_I386 nor win32.ARCH_AMD64.
    """
    global distorm3
    if distorm3 is None:
        try:
            import distorm3
        except ImportError:
            import distorm as distorm3
    # Decoder entry point used by the engine.
    self.__decode = distorm3.Decode
    # Decode width, keyed by the win32 architecture constant.
    width_by_arch = {
        win32.ARCH_I386: distorm3.Decode32Bits,
        win32.ARCH_AMD64: distorm3.Decode64Bits,
    }
    self.__flag = width_by_arch[self.arch]
示例4: disassemble
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
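def disassemble(data, start, bits='32bit', stoponret=False):
    """Dissassemble code with distorm3.
    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding; any value other than '32bit'
                 selects 64-bit decoding
    @param stoponret: stop disasm when function end is reached
    @returns: tuple of (offset, instruction, hex bytes)
    """
    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits
    for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
        # End the generator with a plain ``return`` at the first RET.
        # ``raise StopIteration`` inside a generator body has been a
        # RuntimeError since Python 3.7 (PEP 479); ``return`` ends the
        # iteration identically on Python 2 and 3.
        if stoponret and i.startswith("RET"):
            return
        yield o, i, h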
# copied from volatility
示例5: find_rr_writes_distorm3
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
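def find_rr_writes_distorm3(address, data):
    """Collect RIP-relative memory writes in ``data`` using distorm3.

    ``data`` is decomposed as 64-bit code starting at ``address`` and the scan
    stops at the first RET.  Only MOV-family instructions whose first operand
    is an absolute, RIP-indexed memory reference are kept.

    @param address: virtual address of data[0]
    @param data: code bytes to decompose
    @returns: list of (target_address, size_in_bytes) tuples, one per write
    """
    writes = []
    for insn in distorm3.Decompose(address, data, type=distorm3.Decode64Bits):
        mnemonic = insn.mnemonic[:3]
        if mnemonic == 'RET':
            break
        if mnemonic != 'MOV':
            continue
        # potential write
        opnd = insn.operands[0]
        if opnd.type != 'AbsoluteMemory' or opnd.index is None:
            continue
        # Absolute mov, with target that is register-based
        if distorm3.Registers[opnd.index] != 'RIP':
            continue
        # RIP-relative write, this is what we are looking for.  The
        # displacement is relative to the next instruction.  opnd.size is
        # measured in bits; floor-divide so the byte size stays an int on
        # Python 3 (``/`` would yield a float there).
        writes.append((insn.address + insn.size + opnd.disp, opnd.size // 8))
    return writes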
# Find rip-relative mov using capstone
示例6: get_distorm_info
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def get_distorm_info(inst_addr):
    """
    @brief Prints whole distrom3 info of the given instruction
    @param inst_addr Address of instruction

    The item size comes from ItemSize and its bytes from GetManyBytes; the
    bytes are decomposed in 64-bit mode and the first decoded instruction is
    printed, followed by its attributes one per line.
    """
    inst_bytes = GetManyBytes(inst_addr, ItemSize(inst_addr))
    decoded = distorm3.Decompose(inst_addr, inst_bytes, distorm3.Decode64Bits, 0)
    i = decoded[0]
    print i
    print 'InstBytes ', i.instructionBytes
    print 'Opcode ', i.opcode
    for o in i.operands:
        print 'operand ', o
        print 'operand type', o.type
    for f in i.flags:
        print 'flag ', f
    # Remaining scalar attributes, printed in the same order as the labels.
    labelled_attrs = (
        ('raw_flags ', 'rawFlags'),
        ('inst_class ', 'instructionClass'),
        ('flow_control ', 'flowControl'),
        ('address ', 'address'),
        ('size ', 'size'),
        ('dt ', 'dt'),
        ('valid ', 'valid'),
        ('segment ', 'segment'),
        ('unused_Prefixes ', 'unusedPrefixesMask'),
        ('mnemonic ', 'mnemonic'),
        ('inst_class ', 'instructionClass'),
    )
    for label, attr in labelled_attrs:
        print label, getattr(i, attr)
示例7: _get_table_info_distorm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling functions
    that immediately reference it in their first instruction
    This is in the form 'cmp reg,NR_syscalls'

    Returns 0 when distorm is unavailable, when the entry symbol for the
    profile's memory model does not resolve, or when no valid CMP is decoded
    in the first 6 bytes of that function.
    """
    if not has_distorm:
        return 0
    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
    if memory_model == '32bit':
        mode, func = distorm3.Decode32Bits, "sysenter_do_call"
    else:
        mode, func = distorm3.Decode64Bits, "system_call_fastpath"
    func_addr = self.addr_space.profile.get_symbol(func)
    if not func_addr:
        return 0
    data = self.addr_space.read(func_addr, 6)
    for op in distorm3.Decompose(func_addr, data, mode):
        # The first valid CMP carries NR_syscalls in its second operand.
        if op.valid and op.mnemonic == 'CMP':
            return op.operands[1].value & 0xffffffff
    return 0
示例8: calculate
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def calculate(self):
    """Yield (shadowtbl_addr, func, op) for each shadowed syscall found.

    The distorm decode width follows the profile's memory_model: '32bit'
    selects Decode32Bits; any other value (including the default 0 used when
    the key is absent) selects Decode64Bits.  The actual scan is delegated to
    self.shadowedSyscalls with the address of the _sysent symbol.
    """
    common.set_plugin_members(self)
    model = self.addr_space.profile.metadata.get('memory_model', 0)
    distorm_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
    sysent_addr = self.addr_space.profile.get_symbol("_sysent")
    for shadowtbl_addr, func, op in self.shadowedSyscalls(model, distorm_mode, sysent_addr):
        yield shadowtbl_addr, func, op
示例9: Disassemble
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
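def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Dissassemble code with distorm3.
    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding; any value other than '32bit'
                 selects 64-bit decoding
    @param stoponret: stop disasm when function end is reached
    @returns: tuple of (offset, instruction, hex bytes); yields nothing when
              the distorm3 bindings are not available
    """
    # A bare ``return`` ends a generator on Python 2 and 3 alike; ``raise
    # StopIteration`` inside a generator body is a RuntimeError since
    # Python 3.7 (PEP 479).
    if not has_distorm3:
        return
    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits
    for o, _, i, h in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and i.startswith("RET"):
            return
        yield o, i, h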
#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has
# some shortcomings that don't allow us to integrate yara easily.
#
# FIXME: these may need updating after resolving issue 310 which aims to
# enhance the scan.BaseScanner to better support things like this
#--------------------------------------------------------------------------------
示例10: check_prologue
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
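def check_prologue(self, address):
    """Look for an inline hook in the prologue of the function at ``address``.

    The first 12 bytes at address + self.base_address are decoded in 64-bit
    mode.  A leading JMP, or a MOV immediately followed by JMP/CALL/RET, is
    reported as a prologue hook and the hooking instruction's operand text is
    returned.

    @param address: function address relative to self.base_address
    @returns: the operand text of the hooking instruction (a string taken
              from distorm's textual output), or 0 when no hook is seen
    """
    try:
        from distorm3 import Decode, Decode64Bits
    except ImportError:
        print '[!] Failed to load distorm3'
        print '[!] Inline function hook finder need to distorm3.'
        # Terminates the whole interpreter, not just this plugin.
        exit()
    base_pointer = address + self.base_address
    buf = self.x86_mem_pae.read(base_pointer, 12)
    # code[n] format : (address, instruction size, instruction, hex string)
    code = Decode(base_pointer, buf, Decode64Bits)
    if not code:
        # 12 bytes that decode to nothing cannot hold a hook.
        print 'No Prologue hook'
        return 0
    call_address = 0
    inst_opcode = code[0][2].split(' ')[0]
    # The window may decode to a single instruction; indexing code[1]
    # unconditionally raised IndexError in that case.
    inst_opcode2 = code[1][2].split(' ')[0] if len(code) > 1 else ''
    if inst_opcode == 'MOV':
        if inst_opcode2 in ('JMP', 'CALL', 'RET'):
            call_address = code[0][2].split(' ')[2]  # operand
    elif inst_opcode == 'JMP':
        call_address = code[0][2].split(' ')[1]  # operand
    if call_address == 0:
        print 'No Prologue hook'
    else:
        # call_address is operand text, not an int, so '%x' would raise
        # TypeError here; print the text as-is.
        print 'JMP Address : %s' % (call_address)
    return call_address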
示例11: find_function_in_code
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
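def find_function_in_code(self, caller_addr, callee_addr):
    """Find direct CALLs to ``callee_addr`` inside the function at ``caller_addr``.

    Up to 256 bytes at caller_addr + self.base_address are decoded in 64-bit
    mode and walked until the first RET.  A function longer than that window
    with no RET inside it is silently truncated.

    @param caller_addr: caller function address relative to self.base_address
    @param callee_addr: callee address relative to self.base_address
    @returns: (findit, function_inst) — the CALL instructions whose immediate
              operand equals callee_addr + self.base_address, and every
              instruction walked (including the terminating RET); both are
              lists of distorm (address, size, text, hex) tuples
    """
    try:
        from distorm3 import Decode, Decode64Bits
    except ImportError:
        print '[!] Failed to load distorm3'
        print '[!] Inline function hook finder need to distorm3.'
        # Terminates the whole interpreter, not just this plugin.
        exit()
    base_pointer = caller_addr + self.base_address
    buf = self.x86_mem_pae.read(base_pointer, 256)
    code = Decode(base_pointer, buf, Decode64Bits)
    # Loop-invariant target, computed once instead of per CALL.
    target = callee_addr + self.base_address
    findit = []
    function_inst = []
    for instruction in code:
        function_inst.append(instruction)
        inst_split = instruction[2].split(' ')
        if inst_split[0] == 'RET':
            break
        if inst_split[0] != 'CALL':
            continue
        try:
            operand = int(inst_split[1], 16)
        except (ValueError, IndexError):
            continue  # bypass 'CALL reg/64' and calls without a textual operand
        if operand == target:
            findit.append(instruction)
    return findit, function_inst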
# Korean comments
# inline_quick - Checking JMP instruction in function prologue considered as MOV-JMP instructions
示例12: _get_table_info_distorm
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def _get_table_info_distorm(self):
    """
    Find the size of the system call table by disassembling functions
    that immediately reference it in their first instruction
    This is in the form 'cmp reg,NR_syscalls'

    Tries the entry symbols for the profile's memory model in order and
    reads 64 bytes from the first one that resolves; the first valid CMP in
    that window supplies the table size (low 32 bits of its second operand).
    Returns 0 when distorm is unavailable, no symbol resolves, or no CMP is
    found.  Indentation was lost in this listing: the trailing ``break`` is
    read as belonging to the ``if func_addr`` body, i.e. only the first
    resolvable symbol is examined — confirm against the original source.
    """
    table_size = 0
    if not has_distorm:
        return table_size
    memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')
    if memory_model == '32bit':
        mode = distorm3.Decode32Bits
        funcs = ["sysenter_do_call"]
    else:
        mode = distorm3.Decode64Bits
        funcs = ["system_call_fastpath", "do_int80_syscall_32"]
    for func in funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if func_addr:
            data = self.addr_space.read(func_addr, 64)
            for op in distorm3.Decompose(func_addr, data, mode):
                if not op.valid:
                    continue
                if op.mnemonic == 'CMP':
                    # NR_syscalls is the immediate in the second operand.
                    table_size = (op.operands[1].value) & 0xffffffff
                    break
            # Stop after the first symbol that resolved, whether or not a
            # CMP was found in its window.
            break
    return table_size
示例13: __init__
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def __init__(self, arch = None):
    """Create a distorm-backed engine for ``arch``.

    @param arch: win32 architecture constant, passed through to the base
                 initializer; after that ``self.arch`` must be win32.ARCH_I386
                 or win32.ARCH_AMD64, any other value raises KeyError from the
                 decode-width lookup.
    """
    super(DistormEngine, self).__init__(arch)
    # Decoder entry point used by the engine.
    self.__decode = distorm3.Decode
    # Decode width, keyed by the win32 architecture constant.
    width_by_arch = {
        win32.ARCH_I386: distorm3.Decode32Bits,
        win32.ARCH_AMD64: distorm3.Decode64Bits,
    }
    self.__flag = width_by_arch[self.arch]