

Python distorm3.Decode64Bits方法代码示例

本文整理汇总了Python中distorm3.Decode64Bits方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Decode64Bits方法的具体用法?Python distorm3.Decode64Bits怎么用?Python distorm3.Decode64Bits使用的例子?那么, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在distorm3的用法示例。


在下文中一共展示了distorm3.Decode64Bits方法的13个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Python代码示例。

示例1: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
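def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
        """
        Decode a single instruction with distorm3 and wrap the result.

        @param offset Address of the instruction
        @param code Opcode bytes of the instruction (Python 2 str or
               Python 3 bytes)
        @param type Disassemble 32 or 64 bit code.  NOTE: this argument is
               overridden unconditionally by the global SV.dissassm_type
               (64 -> Decode64Bits, anything else -> Decode32Bits); it is
               kept only for signature compatibility.
        @param feature Possible settings for distorm3, passed straight to
               distorm3.Decompose (not used otherwise at the moment)

        Attributes set: valid, Instruction (None when `code` did not decode
        to exactly one instruction), opcode_len, opcode_bytes, addr and
        _len (operand count + 1, or 0 when nothing was decoded).
        """
        self.valid = False
        self.Instruction = None
        if SV.dissassm_type == 64:
            type = distorm3.Decode64Bits
        else:
            type = distorm3.Decode32Bits
        decoded = distorm3.Decompose(offset, code, type, feature)
        # Only accept a buffer that is exactly one instruction; a partial or
        # over-long buffer leaves Instruction as None instead of raising an
        # AttributeError further down.
        if len(decoded) == 1:
            self.Instruction = decoded[0]
            if self.Instruction.valid:
                self.valid = True
        self.opcode_len = len(code)
        self.addr = offset
        # Iterating a Py2 str yields 1-char strs (need ord); a Py3 bytes
        # object already yields ints, where ord() would raise TypeError.
        self.opcode_bytes = [b if isinstance(b, int) else ord(b) for b in code]
        if self.Instruction is not None:
            self._len = len(self.Instruction.operands) + 1
        else:
            self._len = 0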
开发者ID:anatolikalysch,项目名称:VMAttack,代码行数:26,代码来源:Instruction.py

示例2: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def __init__(self, config, *args, **kwargs):
        """
        Set up the stack-annotation plugin on top of linux_process_info.

        Registers the SYMBOL-DIR (-s) and DUMP-FILE (-o) options, resets
        the symbol/dump state to None and picks the distorm3 decode width
        from linux_process_info.address_size (4 -> 32-bit, else 64-bit).
        When the distorm3 module was not loaded, debug.error() is called
        and decode_as is left unset.
        """
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)
        self._config.add_option('SYMBOL-DIR', short_option='s', default=None,
                                help='Directory containing files with function symbols', type='str')
        self._config.add_option('DUMP-FILE', short_option='o', default=None,
                                help='Dump an annotated stack to this file', type='str')

        # Populated later (symbol tables are loaded from SYMBOL-DIR on demand).
        self.symbols = None
        self.undefined = None
        self.dump_file = None

        if not distorm_loaded:
            debug.error("You really need the distorm3 python module for this plugin to function properly.")
        elif linux_process_info.address_size == 4:
            self.decode_as = distorm3.Decode32Bits
        else:
            self.decode_as = distorm3.Decode64Bits
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:19,代码来源:process_stack.py

示例3: _import_dependencies

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def _import_dependencies(self):
        """
        Bind the distorm decoder and the bit-width flag for self.arch.

        distorm3 is imported lazily into the module global the first time
        this runs, falling back to the legacy ``distorm`` module name.
        Raises KeyError when self.arch is neither ARCH_I386 nor ARCH_AMD64.
        """
        global distorm3
        if distorm3 is None:
            try:
                import distorm3
            except ImportError:
                # Older installs expose the bindings under the old name.
                import distorm as distorm3

        self.__decode = distorm3.Decode

        width_flags = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = width_flags[self.arch]
开发者ID:fabioz,项目名称:PyDev.Debugger,代码行数:20,代码来源:disasm.py

示例4: disassemble

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
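def disassemble(data, start, bits='32bit', stoponret=False):
    """Disassemble ``data`` with distorm3, one instruction per iteration.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects 32-bit decoding; any other value selects
        64-bit decoding
    @param stoponret: stop disasm at the first RET-family mnemonic
        (the generator is simply exhausted at that point)

    @returns: generator of (offset, instruction, hex bytes) tuples
    """

    if bits == '32bit':
        mode = distorm3.Decode32Bits
    else:
        mode = distorm3.Decode64Bits

    for offset, _size, text, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        # A plain ``return`` ends a generator; ``raise StopIteration`` inside
        # a generator body is converted to RuntimeError by PEP 479 (3.7+).
        if stoponret and text.startswith("RET"):
            return
        yield offset, text, hexbytes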


# copied from volatility 
开发者ID:vortessence,项目名称:vortessence,代码行数:25,代码来源:utils.py

示例5: find_rr_writes_distorm3

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
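def find_rr_writes_distorm3(address, data):
    """Locate RIP-relative MOV stores in ``data`` using distorm3 (64-bit mode).

    Decoding stops at the first RET-family mnemonic.  Only instructions whose
    mnemonic starts with 'MOV' and whose first (destination) operand is an
    AbsoluteMemory operand indexed by RIP are reported.

    @param address: virtual address of data[0]
    @param data: code bytes to decode
    @returns: list of (target_address, size_in_bytes) tuples
    """
    writes = []
    for insn in distorm3.Decompose(address, data, type=distorm3.Decode64Bits):
        mnemonic = insn.mnemonic
        if mnemonic[:3] == 'RET':
            break
        # NOTE(review): the prefix test also admits MOVZX/MOVSX/MOVS*;
        # kept as in the original so the result set does not change.
        if mnemonic[:3] != 'MOV':
            continue
        # Undecodable bytes may carry no operands at all.
        if not insn.operands:
            continue

        dest = insn.operands[0]
        if dest.type != 'AbsoluteMemory' or dest.index is None:
            continue
        # Absolute memory operand whose base register is RIP.
        if distorm3.Registers[dest.index] != 'RIP':
            continue
        # RIP-relative: the displacement is applied to the address of the
        # *next* instruction.  Operand size is in bits; floor-divide so the
        # byte count stays an int on Python 3 as well.
        target = insn.address + insn.size + dest.disp
        writes.append((target, dest.size // 8))
    return writes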

# Find rip-relative mov using capstone 
开发者ID:eleemosynator,项目名称:writeups,代码行数:23,代码来源:code_parser.py

示例6: get_distorm_info

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
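def get_distorm_info(inst_addr):
    """
    @brief Prints the whole distorm3 decomposition of one IDA instruction
    @param inst_addr Address of the instruction; its bytes are fetched with
           the IDA API (ItemSize / GetManyBytes) and decoded as 64-bit code
    """
    def _show(label, value):
        # Print a labelled value in a form that works on Python 2 and 3.
        print('%s %s' % (label, value))

    size = ItemSize(inst_addr)
    inst_bytes = GetManyBytes(inst_addr, size)
    inst = distorm3.Decompose(inst_addr,
                              inst_bytes, distorm3.Decode64Bits, 0)
    # Guard the inst[0] access: an unreadable/undecodable item yields nothing.
    if not inst:
        _show('no instruction decoded at', hex(inst_addr))
        return
    i = inst[0]
    print(i)
    _show('InstBytes ', i.instructionBytes)
    _show('Opcode ', i.opcode)
    for o in i.operands:
        _show('operand ', o)
        _show('operand type', o.type)
    for f in i.flags:
        _show('flag ', f)
    # rawFlags is a per-instruction value, so print it once, not per flag.
    _show('raw_flags ', i.rawFlags)
    _show('inst_class ', i.instructionClass)
    _show('flow_control ', i.flowControl)
    _show('address ', i.address)
    _show('size ', i.size)
    _show('dt ', i.dt)
    _show('valid ', i.valid)
    _show('segment ', i.segment)
    _show('unused_Prefixes ', i.unusedPrefixesMask)
    _show('mnemonic ', i.mnemonic)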
开发者ID:anatolikalysch,项目名称:VMAttack,代码行数:31,代码来源:static_deobfuscate.py

示例7: _get_table_info_distorm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def _get_table_info_distorm(self):
        """
        Recover the system call table size by disassembling the syscall
        entry stub, whose first instruction has the form
        'cmp reg, NR_syscalls'.  The immediate of the first valid CMP,
        masked to 32 bits, is returned.

        Returns 0 when distorm3 is unavailable, the entry symbol cannot be
        resolved, or no CMP is found in the bytes read.
        """
        if not has_distorm:
            return 0

        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        if model == '32bit':
            mode, func = distorm3.Decode32Bits, "sysenter_do_call"
        else:
            mode, func = distorm3.Decode64Bits, "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)
        if not func_addr:
            return 0

        # NOTE(review): only 6 bytes are read here, while the volatility
        # version of this routine reads 64; a cmp encoded with a non-RAX/EAX
        # register may be longer than 6 bytes and would be truncated.
        data = self.addr_space.read(func_addr, 6)
        for op in distorm3.Decompose(func_addr, data, mode):
            if op.valid and op.mnemonic == 'CMP':
                return op.operands[1].value & 0xffffffff

        return 0
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:36,代码来源:check_syscall.py

示例8: calculate

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def calculate(self):
        """
        Yield (shadowtbl_addr, func, op) for every shadowed syscall entry.

        The distorm3 decode width follows the profile's memory_model:
        '32bit' -> Decode32Bits, anything else (including a missing key)
        -> Decode64Bits.  The actual scan is done by shadowedSyscalls()
        starting from the _sysent symbol.
        """
        common.set_plugin_members(self)

        model = self.addr_space.profile.metadata.get('memory_model', 0)
        distorm_mode = distorm3.Decode32Bits if model == '32bit' else distorm3.Decode64Bits
        sysent = self.addr_space.profile.get_symbol("_sysent")

        for shadowtbl_addr, func, op in self.shadowedSyscalls(model, distorm_mode, sysent):
            yield (shadowtbl_addr, func, op)
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:14,代码来源:check_syscall_shadow.py

示例9: Disassemble

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
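def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3, one instruction per iteration.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: '32bit' selects 32-bit decoding; any other value selects
        64-bit decoding
    @param stoponret: stop disasm at the first RET-family mnemonic

    @returns: generator of (offset, instruction, hex bytes) tuples; empty
        when distorm3 is not available (has_distorm3 is False)
    """

    # ``return`` ends a generator cleanly; ``raise StopIteration`` inside a
    # generator body is converted to RuntimeError by PEP 479 (Python 3.7+).
    if not has_distorm3:
        return

    if bits == '32bit':
        mode = distorm3.Decode32Bits
    else:
        mode = distorm3.Decode64Bits

    for offset, _size, text, hexbytes in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and text.startswith("RET"):
            return
        yield offset, text, hexbytes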

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has 
# some shortcomings that don't allow us to integrate yara easily. 
#
# FIXME: these may need updating after resolving issue 310 which aims to 
# enhance the scan.BaseScanner to better support things like this
#-------------------------------------------------------------------------------- 
开发者ID:virtualrealitysystems,项目名称:aumfor,代码行数:35,代码来源:malfind.py

示例10: check_prologue

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
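def check_prologue(self, address):
        """
        Inspect the first instructions of a function for an inline hook.

        Reads 12 bytes at ``address + self.base_address``, decodes them as
        64-bit code and looks for a prologue of the shape ``MOV ...``
        followed by ``JMP``/``CALL``/``RET``, or a leading ``JMP``.

        @param address  function offset, relative to self.base_address
        @returns the operand text of the detour instruction (a str taken
                 from distorm's disassembly text), or 0 when no hook is seen
        """
        try:
            from distorm3 import Decode, Decode64Bits
        except ImportError:
            print('[!] Failed to load distorm3')
            print('[!] Inline function hook finder need to distorm3.')
            # Missing dependency is a failure, not a clean exit.
            raise SystemExit(1)

        base_pointer = address + self.base_address
        buf = self.x86_mem_pae.read(base_pointer, 12)

        # Each entry: (address, instruction size, instruction text, hex string)
        code = Decode(base_pointer, buf, Decode64Bits)

        # Tokenise at most the first two instructions; a short or undecodable
        # buffer must not raise IndexError on code[1].
        tokens = [entry[2].split(' ') for entry in code[:2]]
        first = tokens[0] if tokens else []
        second = tokens[1] if len(tokens) > 1 else []

        call_address = 0
        if first and first[0] == 'MOV':
            if second and second[0] in ('JMP', 'CALL', 'RET') and len(first) > 2:
                call_address = first[2]  # operand of the MOV
        elif first and first[0] == 'JMP' and len(first) > 1:
            call_address = first[1]  # operand of the JMP

        if call_address == 0:
            print('No Prologue hook')
        else:
            # call_address is text from the disassembly, so format it with
            # %s; the original %x raised TypeError on every detected hook.
            print('JMP Address : %s' % (call_address,))

        return call_address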
开发者ID:n0fate,项目名称:volafox,代码行数:33,代码来源:inline_hook_finder.py

示例11: find_function_in_code

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
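def find_function_in_code(self, caller_addr, callee_addr):
        """
        Find direct CALLs to ``callee_addr`` inside the function at
        ``caller_addr``.

        Reads 256 bytes at caller_addr + self.base_address, decodes them as
        64-bit code and walks the instructions up to and including the first
        RET.  A 'CALL 0x...' whose immediate target equals
        callee_addr + self.base_address is recorded; register- or
        memory-indirect calls (non-hex operand) are skipped.  If the function
        is longer than 256 bytes the walk simply ends at the buffer.

        @returns (matching_call_instructions, instructions_up_to_ret), each
                 entry being distorm's (address, size, text, hex) tuple
        """
        try:
            from distorm3 import Decode, Decode64Bits
        except ImportError:
            print('[!] Failed to load distorm3')
            print('[!] Inline function hook finder need to distorm3.')
            # Missing dependency is a failure, not a clean exit.
            raise SystemExit(1)

        base_pointer = caller_addr + self.base_address
        buf = self.x86_mem_pae.read(base_pointer, 256)
        target = callee_addr + self.base_address

        findit = []
        function_inst = []
        for instruction in Decode(base_pointer, buf, Decode64Bits):
            function_inst.append(instruction)
            parts = instruction[2].split(' ')
            if parts[0] == 'RET':
                break

            if parts[0] != 'CALL' or len(parts) < 2:
                continue
            try:
                if int(parts[1], 16) == target:
                    findit.append(instruction)
            except ValueError:
                continue    # bypass 'CALL reg/64' and other non-immediate targets

        return findit, function_inst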


# Korean comments
# inline_quick - Checking JMP instruction in function prologue considered as MOV-JMP instructions 
开发者ID:n0fate,项目名称:volafox,代码行数:35,代码来源:inline_hook_finder.py

示例12: _get_table_info_distorm

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def _get_table_info_distorm(self):
        """
        Recover the system call table size by disassembling the syscall
        entry stub, whose first instruction has the form
        'cmp reg, NR_syscalls'.  The immediate of the first valid CMP,
        masked to 32 bits, is returned.

        Only the first entry symbol that resolves is examined (64 bytes are
        read from it).  Returns 0 when distorm3 is unavailable, no symbol
        resolves, or no CMP is found.
        """
        if not has_distorm:
            return 0

        model = self.addr_space.profile.metadata.get('memory_model', '32bit')
        if model == '32bit':
            mode = distorm3.Decode32Bits
            candidates = ["sysenter_do_call"]
        else:
            mode = distorm3.Decode64Bits
            candidates = ["system_call_fastpath", "do_int80_syscall_32"]

        for name in candidates:
            func_addr = self.addr_space.profile.get_symbol(name)
            if not func_addr:
                continue

            data = self.addr_space.read(func_addr, 64)
            for op in distorm3.Decompose(func_addr, data, mode):
                if op.valid and op.mnemonic == 'CMP':
                    return op.operands[1].value & 0xffffffff

            # First resolvable symbol decides the outcome even without a CMP.
            return 0

        return 0
开发者ID:volatilityfoundation,项目名称:volatility,代码行数:38,代码来源:check_syscall.py

示例13: __init__

# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Decode64Bits [as 别名]
def __init__(self, arch = None):
        """
        Create a distorm3-backed disassembler engine for ``arch``.

        self.arch is expected to be set by the base-class __init__ (presumably
        defaulting when ``arch`` is None); the decode callable and the
        32/64-bit flag are then bound from distorm3.  Raises KeyError for an
        architecture other than ARCH_I386/ARCH_AMD64.
        """
        super(DistormEngine, self).__init__(arch)

        self.__decode = distorm3.Decode

        width_flags = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = width_flags[self.arch]
开发者ID:debasishm89,项目名称:OpenXMolar,代码行数:13,代码来源:disasm.py


注:本文中的distorm3.Decode64Bits方法示例由纯净天空整理自Github/MSDocs等开源代码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。