Python distorm3.Registers() Examples
The following are 11 code examples of distorm3.Registers().
Example #1
Source File: Instruction.py From VMAttack with MIT License | 6 votes |
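def is_catch_instr(self):
    """
    @brief Tests if the instruction fetches more bytes from the obfuscated code
    @return True/False

    Matches a two-operand MOV whose destination is a register and whose
    source is a memory operand indexed by ESI/RSI (the register this
    class treats as the VM instruction pointer, cf. is_isp_mov/is_vinst).
    """
    operands = self.Instruction.operands
    if len(operands) != 2:
        return False
    dst, src = operands
    # Evaluation order kept as in the original: mnemonic first, then types.
    if not (self.is_mov()
            and src.type == distorm3.OPERAND_MEMORY
            and dst.type == distorm3.OPERAND_REGISTER):
        return False
    reg_index = src.index
    if reg_index is None:
        # absolute / non-indexed memory operand: no register to inspect
        return False
    reg_name = distorm3.Registers[reg_index]
    # TODO: make the register configurable (reverser's input) instead of
    # hard-coding ESI/RSI. Substring test so both 'ESI' and 'RSI' match.
    return 'ESI' in reg_name or 'RSI' in reg_name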
Example #2
Source File: Instruction.py From VMAttack with MIT License | 6 votes |
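def is_write_stack(self):
    """
    @brief Tests if the instruction writes to the stack
    @return True/False

    Matches a two-operand MOV whose destination is the memory operand
    [EBP] / [RBP] with a zero displacement.
    """
    operands = self.Instruction.operands
    if len(operands) != 2:
        return False
    op0 = operands[0]
    # A non-indexed operand (immediate/absolute address) or any displacement
    # is not a plain [EBP]/[RBP] store.
    if op0.index is None or op0.disp != 0:
        return False
    return bool(self.is_mov()
                and op0.type == distorm3.OPERAND_MEMORY
                and distorm3.Registers[op0.index] in ('EBP', 'RBP'))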
Example #3
Source File: Instruction.py From VMAttack with MIT License | 6 votes |
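def is_read_stack(self):
    """
    @brief Tests if the instruction reads from the stack
    @return True/False

    Matches a two-operand MOV whose source is the memory operand
    [EBP] / [RBP] with a zero displacement.
    """
    operands = self.Instruction.operands
    if len(operands) != 2:
        return False
    op1 = operands[1]
    # A non-indexed operand (immediate/absolute address) or any displacement
    # is not a plain [EBP]/[RBP] load.
    if op1.index is None or op1.disp != 0:
        return False
    return bool(self.is_mov()
                and op1.type == distorm3.OPERAND_MEMORY
                and distorm3.Registers[op1.index] in ('EBP', 'RBP'))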
Example #4
Source File: Instruction.py From VMAttack with MIT License | 6 votes |
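def is_isp_mov(self):
    """
    @brief Tests if the instruction pointer of the vm gets a new value
    @return True/False

    Matches a two-operand MOV whose destination register is ESI/RSI.
    """
    operands = self.Instruction.operands
    if len(operands) != 2:
        return False
    op0 = operands[0]
    if op0.index is None:
        # immediate / absolute-address operand: no register to inspect
        return False
    return bool(self.is_mov()
                and op0.type == distorm3.OPERAND_REGISTER
                and distorm3.Registers[op0.index] in ('ESI', 'RSI'))
# first op is 1, second 2 and so on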
Example #5
Source File: code_parser.py From writeups with GNU General Public License v3.0 | 6 votes |
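def find_rr_writes_distorm3(address, data):
    """Find RIP-relative MOV writes in a code buffer using distorm3.

    Decodes ``data`` as 64-bit code starting at ``address`` and stops at the
    first RET. Every MOV whose destination operand is RIP-relative memory is
    reported.

    Args:
        address: virtual address of the first byte of ``data``.
        data: raw code bytes.

    Returns:
        List of ``(target_address, size_in_bytes)`` tuples, where
        ``target_address`` is the address the RIP-relative operand resolves
        to (address of the next instruction plus displacement).
    """
    writes = []
    for insn in distorm3.Decompose(address, data, type=distorm3.Decode64Bits):
        if insn.mnemonic.startswith('RET'):
            break
        if not insn.mnemonic.startswith('MOV'):
            continue
        # potential write: the destination operand
        opnd = insn.operands[0]
        if opnd.type != 'AbsoluteMemory' or opnd.index is None:
            continue
        # Absolute mov, with target that is register-based
        if distorm3.Registers[opnd.index] != 'RIP':
            continue
        # RIP-relative write, this is what we are looking for.
        # distorm3 opnd.size is measured in bits; integer-divide so the
        # reported size stays an int (`/ 8` yields a float on Python 3).
        target = insn.address + insn.size + opnd.disp
        writes.append((target, opnd.size // 8))
    return writes
# Find rip-relative mov using capstone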
Example #6
Source File: Instruction.py From VMAttack with MIT License | 5 votes |
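def is_vinst(self):
    """
    @brief Tests if one of the operands of the instruction is the 'esi' or 'rsi' register
    @return True/False

    A register operand is matched by name; a memory operand by its index
    register. NOTE(review): only the index register is checked, so a memory
    operand whose base is ESI/RSI with a different index register is not
    matched -- confirm this is intended.
    """
    for op in self.Instruction.operands:
        if op.type == distorm3.OPERAND_REGISTER:
            if op.name in ('ESI', 'RSI'):
                return True
        elif op.type == distorm3.OPERAND_MEMORY:
            if op.index is not None and distorm3.Registers[op.index] in ('ESI', 'RSI'):
                return True
    return False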
Example #7
Source File: check_syscall_shadow.py From aumfor with GNU General Public License v3.0 | 4 votes |
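def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
    """Yield references to a syscall table that is not the real sysent table.

    Disassembles the kernel's syscall dispatch functions and looks for the
    instructions that load or compare the sysent table address. A reference
    whose address differs from ``sysents_addr`` indicates a shadowed table.

    Args:
        model: "64bit" or "32bit" -- selects the instruction patterns.
        distorm_mode: distorm3 decode mode matching ``model``.
        sysents_addr: address of the legitimate sysent table.

    Yields:
        ``(table_address, function_name, instruction)`` for each suspicious
        reference; ``instruction`` is the distorm3 instruction object.
    """
    # looks like these syscall functions end with a call to _thread_exception_return
    thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return')
    sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall']
    for func in sysent_funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if func_addr is None:
            # symbol absent from the profile: nothing to disassemble
            continue
        content = self.addr_space.read(func_addr, 1024)
        if not content:
            # unreadable in this image: skip the function rather than crash
            continue
        # Reset per function so a CMP at the start of one function is not
        # matched against the last instruction of the previous one.
        prev_op = None
        for op in distorm3.Decompose(func_addr, content, distorm_mode):
            if not op.valid:
                break
            if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr:
                break
            if model == "64bit":
                # callp = &sysent[63] OR &sysent[code] OR callp == sysent
                if (op.mnemonic in ['ADD', 'CMP']
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ["RSP", "RBX", "R12", "R13", "R14", "R15"]
                        and 'FLAG_RIP_RELATIVE' in op.flags):
                    # compare actual sysent tbl address to the one in the instruction,
                    # calculated per distorm3 INSTRUCTION_GET_RIP_TARGET
                    op_sysent_ptr = obj.Object('Pointer',
                                               offset=(op.address + op.operands[1].disp + op.size),
                                               vm=self.addr_space)
                    if sysents_addr != op_sysent_ptr.v():
                        print("not same: %x | %x" % (sysents_addr, op_sysent_ptr.v()))
                        yield (op_sysent_ptr.v(), func, op)
            elif model == "32bit":
                # LEA EAX, [EAX*8+0x82ef20]
                if (op.mnemonic == 'LEA'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and op.operands[1].index is not None
                        and distorm3.Registers[op.operands[1].index] == "EAX"
                        and op.operands[1].scale == 8):
                    if op.operands[1].disp != sysents_addr:
                        shadowtbl_addr = op.operands[1].disp
                        yield (shadowtbl_addr, func, op)
                    break
                # CMP EAX, 0x82ef20
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and prev_op is not None
                        and prev_op.mnemonic in ['LEA', 'MOV']
                        and self.addr_space.is_valid_address(op.operands[1].value)):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
                # CMP DWORD [EBP-0x20], 0x82ef20
                # The immediate is the second operand; the original tested
                # operands[0].type, which is never "Immediate" for an
                # EBP-indexed memory operand, so this branch never matched.
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].index is not None
                        and distorm3.Registers[op.operands[0].index] == "EBP"
                        and op.operands[0].disp == -32
                        and op.operands[1].type == "Immediate"):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
            prev_op = op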
Example #8
Source File: check_syscall_shadow.py From volatility with GNU General Public License v2.0 | 4 votes |
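def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
    """Yield references to a syscall table that is not the real sysent table.

    Disassembles the kernel's syscall dispatch functions and looks for the
    instructions that load or compare the sysent table address. A reference
    whose address differs from ``sysents_addr`` indicates a shadowed table.

    Args:
        model: "64bit" or "32bit" -- selects the instruction patterns.
        distorm_mode: distorm3 decode mode matching ``model``.
        sysents_addr: address of the legitimate sysent table.

    Yields:
        ``(table_address, function_name, instruction)`` for each suspicious
        reference; ``instruction`` is the distorm3 instruction object.
    """
    # looks like these syscall functions end with a call to _thread_exception_return
    thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return')
    sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall']
    for func in sysent_funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if func_addr is None:
            # symbol absent from the profile: nothing to disassemble
            continue
        content = self.addr_space.read(func_addr, 1024)
        if not content:
            # unreadable in this image: skip the function rather than crash
            continue
        # Reset per function so a CMP at the start of one function is not
        # matched against the last instruction of the previous one.
        prev_op = None
        for op in distorm3.Decompose(func_addr, content, distorm_mode):
            if not op.valid:
                break
            if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr:
                break
            if model == "64bit":
                # callp = &sysent[63] OR &sysent[code] OR callp == sysent
                if (op.mnemonic in ['ADD', 'CMP']
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ["RSP", "RBX", "R12", "R13", "R14", "R15"]
                        and 'FLAG_RIP_RELATIVE' in op.flags):
                    # compare actual sysent tbl address to the one in the instruction,
                    # calculated per distorm3 INSTRUCTION_GET_RIP_TARGET
                    op_sysent_ptr = obj.Object('Pointer',
                                               offset=(op.address + op.operands[1].disp + op.size),
                                               vm=self.addr_space)
                    if sysents_addr != op_sysent_ptr.v():
                        print("not same: %x | %x" % (sysents_addr, op_sysent_ptr.v()))
                        yield (op_sysent_ptr.v(), func, op)
            elif model == "32bit":
                # LEA EAX, [EAX*8+0x82ef20]
                if (op.mnemonic == 'LEA'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and op.operands[1].index is not None
                        and distorm3.Registers[op.operands[1].index] == "EAX"
                        and op.operands[1].scale == 8):
                    if op.operands[1].disp != sysents_addr:
                        shadowtbl_addr = op.operands[1].disp
                        yield (shadowtbl_addr, func, op)
                    break
                # CMP EAX, 0x82ef20
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and prev_op is not None
                        and prev_op.mnemonic in ['LEA', 'MOV']
                        and self.addr_space.is_valid_address(op.operands[1].value)):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
                # CMP DWORD [EBP-0x20], 0x82ef20
                # The immediate is the second operand; the original tested
                # operands[0].type, which is never "Immediate" for an
                # EBP-indexed memory operand, so this branch never matched.
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].index is not None
                        and distorm3.Registers[op.operands[0].index] == "EBP"
                        and op.operands[0].disp == -32
                        and op.operands[1].type == "Immediate"):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
            prev_op = op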
Example #9
Source File: check_syscall_shadow.py From vortessence with GNU General Public License v2.0 | 4 votes |
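def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
    """Yield references to a syscall table that is not the real sysent table.

    Disassembles the kernel's syscall dispatch functions and looks for the
    instructions that load or compare the sysent table address. A reference
    whose address differs from ``sysents_addr`` indicates a shadowed table.

    Args:
        model: "64bit" or "32bit" -- selects the instruction patterns.
        distorm_mode: distorm3 decode mode matching ``model``.
        sysents_addr: address of the legitimate sysent table.

    Yields:
        ``(table_address, function_name, instruction)`` for each suspicious
        reference; ``instruction`` is the distorm3 instruction object.
    """
    # looks like these syscall functions end with a call to _thread_exception_return
    thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return')
    sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall']
    for func in sysent_funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if func_addr is None:
            # symbol absent from the profile: nothing to disassemble
            continue
        content = self.addr_space.read(func_addr, 1024)
        if not content:
            # unreadable in this image: skip the function rather than crash
            continue
        # Reset per function so a CMP at the start of one function is not
        # matched against the last instruction of the previous one.
        prev_op = None
        for op in distorm3.Decompose(func_addr, content, distorm_mode):
            if not op.valid:
                break
            if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr:
                break
            if model == "64bit":
                # callp = &sysent[63] OR &sysent[code] OR callp == sysent
                if (op.mnemonic in ['ADD', 'CMP']
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ["RSP", "RBX", "R12", "R13", "R14", "R15"]
                        and 'FLAG_RIP_RELATIVE' in op.flags):
                    # compare actual sysent tbl address to the one in the instruction,
                    # calculated per distorm3 INSTRUCTION_GET_RIP_TARGET
                    op_sysent_ptr = obj.Object('Pointer',
                                               offset=(op.address + op.operands[1].disp + op.size),
                                               vm=self.addr_space)
                    if sysents_addr != op_sysent_ptr.v():
                        print("not same: %x | %x" % (sysents_addr, op_sysent_ptr.v()))
                        yield (op_sysent_ptr.v(), func, op)
            elif model == "32bit":
                # LEA EAX, [EAX*8+0x82ef20]
                if (op.mnemonic == 'LEA'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and op.operands[1].index is not None
                        and distorm3.Registers[op.operands[1].index] == "EAX"
                        and op.operands[1].scale == 8):
                    if op.operands[1].disp != sysents_addr:
                        shadowtbl_addr = op.operands[1].disp
                        yield (shadowtbl_addr, func, op)
                    break
                # CMP EAX, 0x82ef20
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and prev_op is not None
                        and prev_op.mnemonic in ['LEA', 'MOV']
                        and self.addr_space.is_valid_address(op.operands[1].value)):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
                # CMP DWORD [EBP-0x20], 0x82ef20
                # The immediate is the second operand; the original tested
                # operands[0].type, which is never "Immediate" for an
                # EBP-indexed memory operand, so this branch never matched.
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].index is not None
                        and distorm3.Registers[op.operands[0].index] == "EBP"
                        and op.operands[0].disp == -32
                        and op.operands[1].type == "Immediate"):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
            prev_op = op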
Example #10
Source File: check_syscall_shadow.py From DAMM with GNU General Public License v2.0 | 4 votes |
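def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
    """Yield references to a syscall table that is not the real sysent table.

    Disassembles the kernel's syscall dispatch functions and looks for the
    instructions that load or compare the sysent table address. A reference
    whose address differs from ``sysents_addr`` indicates a shadowed table.

    Args:
        model: "64bit" or "32bit" -- selects the instruction patterns.
        distorm_mode: distorm3 decode mode matching ``model``.
        sysents_addr: address of the legitimate sysent table.

    Yields:
        ``(table_address, function_name, instruction)`` for each suspicious
        reference; ``instruction`` is the distorm3 instruction object.
    """
    # looks like these syscall functions end with a call to _thread_exception_return
    thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return')
    sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall']
    for func in sysent_funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if func_addr is None:
            # symbol absent from the profile: nothing to disassemble
            continue
        content = self.addr_space.read(func_addr, 1024)
        if not content:
            # unreadable in this image: skip the function rather than crash
            continue
        # Reset per function so a CMP at the start of one function is not
        # matched against the last instruction of the previous one.
        prev_op = None
        for op in distorm3.Decompose(func_addr, content, distorm_mode):
            if not op.valid:
                break
            if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr:
                break
            if model == "64bit":
                # callp = &sysent[63] OR &sysent[code] OR callp == sysent
                if (op.mnemonic in ['ADD', 'CMP']
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ["RSP", "RBX", "R12", "R13", "R14", "R15"]
                        and 'FLAG_RIP_RELATIVE' in op.flags):
                    # compare actual sysent tbl address to the one in the instruction,
                    # calculated per distorm3 INSTRUCTION_GET_RIP_TARGET
                    op_sysent_ptr = obj.Object('Pointer',
                                               offset=(op.address + op.operands[1].disp + op.size),
                                               vm=self.addr_space)
                    if sysents_addr != op_sysent_ptr.v():
                        print("not same: %x | %x" % (sysents_addr, op_sysent_ptr.v()))
                        yield (op_sysent_ptr.v(), func, op)
            elif model == "32bit":
                # LEA EAX, [EAX*8+0x82ef20]
                if (op.mnemonic == 'LEA'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and op.operands[1].index is not None
                        and distorm3.Registers[op.operands[1].index] == "EAX"
                        and op.operands[1].scale == 8):
                    if op.operands[1].disp != sysents_addr:
                        shadowtbl_addr = op.operands[1].disp
                        yield (shadowtbl_addr, func, op)
                    break
                # CMP EAX, 0x82ef20
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and prev_op is not None
                        and prev_op.mnemonic in ['LEA', 'MOV']
                        and self.addr_space.is_valid_address(op.operands[1].value)):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
                # CMP DWORD [EBP-0x20], 0x82ef20
                # The immediate is the second operand; the original tested
                # operands[0].type, which is never "Immediate" for an
                # EBP-indexed memory operand, so this branch never matched.
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].index is not None
                        and distorm3.Registers[op.operands[0].index] == "EBP"
                        and op.operands[0].disp == -32
                        and op.operands[1].type == "Immediate"):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
            prev_op = op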
Example #11
Source File: check_syscall_shadow.py From volatility with GNU General Public License v2.0 | 4 votes |
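def shadowedSyscalls(self, model, distorm_mode, sysents_addr):
    """Yield references to a syscall table that is not the real sysent table.

    Disassembles the kernel's syscall dispatch functions and looks for the
    instructions that load or compare the sysent table address. A reference
    whose address differs from ``sysents_addr`` indicates a shadowed table.

    Args:
        model: "64bit" or "32bit" -- selects the instruction patterns.
        distorm_mode: distorm3 decode mode matching ``model``.
        sysents_addr: address of the legitimate sysent table.

    Yields:
        ``(table_address, function_name, instruction)`` for each suspicious
        reference; ``instruction`` is the distorm3 instruction object.
    """
    # looks like these syscall functions end with a call to _thread_exception_return
    thread_exc_ret_addr = self.addr_space.profile.get_symbol('_thread_exception_return')
    sysent_funcs = ['_unix_syscall_return', '_unix_syscall64', '_unix_syscall']
    for func in sysent_funcs:
        func_addr = self.addr_space.profile.get_symbol(func)
        if func_addr is None:
            # symbol absent from the profile: nothing to disassemble
            continue
        content = self.addr_space.read(func_addr, 1024)
        if not content:
            # unreadable in this image: skip the function rather than crash
            continue
        # Reset per function so a CMP at the start of one function is not
        # matched against the last instruction of the previous one.
        prev_op = None
        for op in distorm3.Decompose(func_addr, content, distorm_mode):
            if not op.valid:
                break
            if op.mnemonic == "CALL" and op.operands[0].value == thread_exc_ret_addr:
                break
            if model == "64bit":
                # callp = &sysent[63] OR &sysent[code] OR callp == sysent
                if (op.mnemonic in ['ADD', 'CMP']
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ["RSP", "RBX", "R12", "R13", "R14", "R15"]
                        and 'FLAG_RIP_RELATIVE' in op.flags):
                    # compare actual sysent tbl address to the one in the instruction,
                    # calculated per distorm3 INSTRUCTION_GET_RIP_TARGET
                    op_sysent_ptr = obj.Object('Pointer',
                                               offset=(op.address + op.operands[1].disp + op.size),
                                               vm=self.addr_space)
                    if sysents_addr != op_sysent_ptr.v():
                        print("not same: %x | %x" % (sysents_addr, op_sysent_ptr.v()))
                        yield (op_sysent_ptr.v(), func, op)
            elif model == "32bit":
                # LEA EAX, [EAX*8+0x82ef20]
                if (op.mnemonic == 'LEA'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and op.operands[1].index is not None
                        and distorm3.Registers[op.operands[1].index] == "EAX"
                        and op.operands[1].scale == 8):
                    if op.operands[1].disp != sysents_addr:
                        shadowtbl_addr = op.operands[1].disp
                        yield (shadowtbl_addr, func, op)
                    break
                # CMP EAX, 0x82ef20
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].type == 'Register'
                        and op.operands[0].name in ['EDI', 'EAX']
                        and prev_op is not None
                        and prev_op.mnemonic in ['LEA', 'MOV']
                        and self.addr_space.is_valid_address(op.operands[1].value)):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
                # CMP DWORD [EBP-0x20], 0x82ef20
                # The immediate is the second operand; the original tested
                # operands[0].type, which is never "Immediate" for an
                # EBP-indexed memory operand, so this branch never matched.
                elif (op.mnemonic == 'CMP'
                        and op.operands[0].index is not None
                        and distorm3.Registers[op.operands[0].index] == "EBP"
                        and op.operands[0].disp == -32
                        and op.operands[1].type == "Immediate"):
                    if op.operands[1].value != sysents_addr:
                        shadowtbl_addr = op.operands[1].value
                        yield (shadowtbl_addr, func, op)
            prev_op = op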