本文整理汇总了Python中distorm3.Registers方法的典型用法代码示例。如果您正苦于以下问题:Python distorm3.Registers方法的具体用法?Python distorm3.Registers怎么用?Python distorm3.Registers使用的例子?那么恭喜您, 这里精选的方法代码示例或许可以为您提供帮助。您也可以进一步了解该方法所在类distorm3的用法示例。
示例1: is_catch_instr
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
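def is_catch_instr(self):
    """
    @brief Tests if the instruction fetches
    more bytes from the obfuscated code, i.e. it is a
    MOV from memory indexed by ESI/RSI into a register
    @return True/False
    """
    # Only a two-operand "MOV reg, [mem]" can be a fetch.
    if len(self.Instruction.operands) != 2:
        return False
    if not self.is_mov():
        return False
    dst, src = self.Instruction.operands
    if (src.type != distorm3.OPERAND_MEMORY or
            dst.type != distorm3.OPERAND_REGISTER):
        return False
    reg_index = src.index
    if reg_index is None:
        return False
    reg_name = distorm3.Registers[reg_index]
    # ESI/RSI is the register the fetch goes through here; change this
    # to the reverser's input when the target uses a different register.
    return 'ESI' in reg_name or 'RSI' in reg_name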
示例2: is_write_stack
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
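def is_write_stack(self):
    """
    @brief Tests if the instruction writes to
    the stack, i.e. it is a MOV whose destination is memory
    addressed through EBP/RBP with no displacement
    @return True/False
    """
    if len(self.Instruction.operands) != 2:
        return False
    dst = self.Instruction.operands[0]
    # A displaced access or an operand without an index register
    # is not treated as a plain stack write.
    if dst.index is None or dst.disp != 0:
        return False
    if not self.is_mov() or dst.type != distorm3.OPERAND_MEMORY:
        return False
    return distorm3.Registers[dst.index] in ('EBP', 'RBP')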
示例3: is_read_stack
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
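def is_read_stack(self):
    """
    @brief Tests if the instruction reads from
    the stack, i.e. it is a MOV whose source is memory
    addressed through EBP/RBP with no displacement
    @return True/False
    """
    if len(self.Instruction.operands) != 2:
        return False
    src = self.Instruction.operands[1]
    # A displaced access or an operand without an index register
    # is not treated as a plain stack read.
    if src.index is None or src.disp != 0:
        return False
    if not self.is_mov() or src.type != distorm3.OPERAND_MEMORY:
        return False
    return distorm3.Registers[src.index] in ('EBP', 'RBP')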
示例4: is_isp_mov
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
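def is_isp_mov(self):
    """
    @brief Tests if the instruction pointer of the vm
    gets a new value, i.e. the instruction is a MOV
    whose destination register is ESI/RSI
    @return True/False
    """
    if len(self.Instruction.operands) != 2:
        return False
    dst = self.Instruction.operands[0]
    if dst.index is None:
        return False
    if not self.is_mov() or dst.type != distorm3.OPERAND_REGISTER:
        return False
    return distorm3.Registers[dst.index] in ('ESI', 'RSI')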
#first op is 1, second 2 and so on
示例5: find_rr_writes_distorm3
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
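def find_rr_writes_distorm3(address, data, mode=None):
    """Return the RIP-relative memory writes found in ``data``.

    ``data`` (located at ``address``) is decoded with distorm3 and every MOV
    whose destination is a RIP-relative memory operand is collected; decoding
    stops at the first RET.

    @param address: virtual address of ``data[0]``, needed to resolve RIP targets
    @param data: raw code bytes to decode
    @param mode: distorm3 decode mode; defaults to ``distorm3.Decode64Bits``
    @return list of ``(target_address, size_in_bytes)`` tuples in decode order
    """
    if mode is None:
        mode = distorm3.Decode64Bits
    writes = []
    for insn in distorm3.Decompose(address, data, type=mode):
        # Nothing past the first RET is part of this function.
        if insn.mnemonic[:3] == 'RET':
            break
        # Prefix compare: this also admits MOV variants such as MOVZX/MOVSX.
        if insn.mnemonic[:3] != 'MOV':
            continue
        # potential write
        opnd = insn.operands[0]
        if opnd.type != 'AbsoluteMemory' or opnd.index is None:
            continue
        # Absolute mov, with target that is register-based
        if distorm3.Registers[opnd.index] != 'RIP':
            continue
        # RIP-relative write: the displacement is relative to the *next*
        # instruction, hence address + size. distorm3 opnd.size is measured
        # in bits; use integer division so the byte count stays an int.
        writes.append((insn.address + insn.size + opnd.disp, opnd.size // 8))
    return writes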
# Find rip-relative mov using capstone
示例6: is_vinst
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
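def is_vinst(self):
    """
    @brief Tests if one of the operands of the instruction is
    the 'esi' or 'rsi' register, either directly or as the
    index register of a memory operand
    @return True/False
    """
    targets = ('ESI', 'RSI')
    for op in self.Instruction.operands:
        if op.type == distorm3.OPERAND_REGISTER:
            if op.name in targets:
                return True
        elif op.type == distorm3.OPERAND_MEMORY:
            # Memory operands carry their register as an index into Registers.
            if op.index is not None and distorm3.Registers[op.index] in targets:
                return True
    return False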
示例7: shadowedSyscalls
# 需要导入模块: import distorm3 [as 别名]
# 或者: from distorm3 import Registers [as 别名]
def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
    """
    Yield candidate shadow syscall tables referenced by the kernel's
    syscall dispatch functions.

    Each function in sysent_funcs is read and decoded with distorm3; the
    sysent table address embedded in its ADD/CMP/LEA instructions is
    compared with sysents_addr and every mismatch is yielded as
    (table_address, function_name, instruction).

    @param model: "64bit" or "32bit"; selects which instruction patterns are matched
    @param distorm_mode: decode mode handed to distorm3.Decompose
    @param sysents_addr: the expected address of the sysent table
    """
    #looks like these syscall functions end with a call to _thread_exception_return
    thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return')
    # Previous decoded instruction; only the 32-bit CMP pattern below looks at it.
    # NOTE(review): it is set once here and never reset per function, so the
    # first instruction of the first function sees None and later functions
    # see the last instruction of the previous one -- confirm this is intended.
    prev_op = None
    sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall']
    for func in sysent_funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        # Fixed 1024-byte window; assumes the patterns of interest sit near the start.
        # NOTE(review): a failed read presumably returns None and would make
        # Decompose fail -- confirm what addr_space.read returns on error.
        content = self.addr_space.read(func_addr, 1024)
        for op in distorm3.Decompose(func_addr, content, distorm_mode):
            # Stop at the first undecodable instruction ...
            if not op.valid:
                break
            # ... or at the call that ends the dispatcher.
            if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr:
                break
            if model == "64bit":
                #callp = &sysent[63] OR &sysent[code] OR callp == sysent
                if op.mnemonic in ['ADD','CMP'] and op.operands[0].type == 'Register' and op.operands[0].name in ["RSP","RBX","R12","R13","R14","R15"] and 'FLAG_RIP_RELATIVE' in op.flags:
                    #compare actual sysent tbl address to the one in the instruction, calculated per distorm3 INSTRUCTION_GET_RIP_TARGET
                    op_sysent_ptr = obj.Object('Pointer', offset = (op.address + op.operands[1].disp + op.size), vm = self.addr_space)
                    if sysents_addr != op_sysent_ptr.v():
                        # Python 2 print statement: this function does not run under Python 3 as written.
                        print "not same: %x | %x" % (sysents_addr, op_sysent_ptr.v())
                        yield (op_sysent_ptr.v(), func, op)
            elif model == "32bit":
                #LEA EAX, [EAX*8+0x82ef20]
                if op.mnemonic == 'LEA' and op.operands[0].type == 'Register' and op.operands[0].name in ['EDI','EAX'] and distorm3.Registers[op.operands[1].index] == "EAX" and op.operands[1].scale == 8:
                    if op.operands[1].disp != sysents_addr:
                        shadowtbl_addr = op.operands[1].disp
                        yield (shadowtbl_addr, func, op)
                    # The LEA pattern settles this function either way: stop scanning it.
                    break
                #CMP EAX, 0x82ef20
                # NOTE(review): prev_op can be None here (see above), in which case a
                # matching CMP raises AttributeError on prev_op.mnemonic -- confirm
                # whether this branch should also require prev_op is not None.
                elif op.mnemonic == 'CMP' and op.operands[0].type == 'Register' and op.operands[0].name in ['EDI','EAX'] and prev_op.mnemonic in ['LEA','MOV'] and self.addr_space.is_valid_address(op.operands[1].value) == True:
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
                #CMP DWORD [EBP-0x20], 0x82ef20
                # NOTE(review): operand 0 is the [EBP-0x20] memory operand (it has an
                # index and disp == -32 == -0x20), yet the condition requires its type
                # to be "Immediate"; the immediate in this pattern is operand 1 --
                # confirm whether op.operands[1].type was intended, otherwise this
                # branch looks unreachable.
                elif op.mnemonic == 'CMP' and op.operands[0].index != None and distorm3.Registers[op.operands[0].index] == "EBP" and op.operands[0].disp == -32 and op.operands[0].type == "Immediate":
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
            prev_op = op