Python distorm3.Decode32Bits() Examples

The following are 30 code examples showing how to use distorm3.Decode32Bits(), extracted from open source projects.



Example 1
Project: VMAttack   Author: anatolikalysch   File: Instruction.py    License: MIT License
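def __init__(self, offset, code, type = distorm3.Decode32Bits, feature = 0):
        """
        Decode a single instruction from its raw opcode bytes.

        @param offset Address of the instruction
        @param code Opcode bytes of the instruction
        @param type Disassemble 32 or 64 bit code. Overridden below by the
            global SV.dissassm_type, so the argument is effectively ignored;
            kept for signature compatibility.
        @param feature Possible settings for distorm3, not used at the moment
            (passed through to distorm3.Decompose unchanged)

        self.valid is True only when distorm3 decomposes `code` into exactly
        one instruction that it flags as valid; otherwise self.Instruction is
        None and self._len is 0.
        """
        self.valid = False
        self.Instruction = None
        # The global disassembly mode wins over the `type` argument.
        if SV.dissassm_type == 64:
            type = distorm3.Decode64Bits
        else:
            type = distorm3.Decode32Bits
        inst = distorm3.Decompose(offset, code, type, feature)
        # Anything other than exactly one decoded instruction (garbage,
        # truncated bytes, or several instructions) leaves the object invalid.
        if len(inst) == 1:
            self.Instruction = inst[0]
            if self.Instruction.valid:
                self.valid = True
        self.opcode_len = len(code)
        self.addr = offset
        # Iterating a Python 2 str yields 1-char strings while a Python 3
        # bytes object yields ints; normalise both to a list of ints.
        self.opcode_bytes = [b if isinstance(b, int) else ord(b) for b in code]
        # +1 as in the original (presumably counts the mnemonic — confirm).
        # The original dereferenced self.Instruction unconditionally here and
        # raised AttributeError whenever decoding did not yield one instruction.
        if self.Instruction is not None:
            self._len = len(self.Instruction.operands) + 1
        else:
            self._len = 0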
Example 2
Project: aumfor   Author: virtualrealitysystems   File: process_stack.py    License: GNU General Public License v3.0
def __init__(self, config, *args, **kwargs):
        """
        Register this plugin's command-line options and select the distorm3
        decoding mode that matches the profile's address size.

        self.decode_as becomes distorm3.Decode32Bits when
        linux_process_info.address_size == 4 and distorm3.Decode64Bits
        otherwise. When the distorm3 module is not available
        (distorm_loaded is false) debug.error() is called instead.
        """
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

        add_option = self._config.add_option
        add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
        add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')

        # Placeholders; nothing is loaded at construction time.
        self.symbols = None
        self.undefined = None
        self.dump_file = None

        if not distorm_loaded:
            debug.error("You really need the distorm3 python module for this plugin to function properly.")
        else:
            wide = linux_process_info.address_size != 4
            self.decode_as = distorm3.Decode64Bits if wide else distorm3.Decode32Bits
Example 3
Project: PyDev.Debugger   Author: fabioz   File: disasm.py    License: Eclipse Public License 1.0
def _import_dependencies(self):
        """
        Lazily bind the distorm module and the per-architecture decode flag.

        The first call imports distorm3 (falling back to the older
        `distorm` package) into the module-level `distorm3` name; every call
        then caches distorm3.Decode and the bits flag for self.arch.
        Raises KeyError for an architecture other than win32.ARCH_I386 /
        win32.ARCH_AMD64.
        """
        global distorm3
        if distorm3 is None:
            try:
                import distorm3 as _bindings
            except ImportError:
                import distorm as _bindings
            distorm3 = _bindings

        self.__decode = distorm3.Decode

        flag_by_arch = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = flag_by_arch[self.arch]
Example 4
Project: shecodject   Author: TaroballzChen   File: x86obf.py    License: GNU General Public License v3.0
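def print_disasm(sl):
	"""Print a numbered, offset-annotated listing of a shellcode item list.

	`sl` is a sequence of items with `is_data`, `bytes` and (for data
	items) `size`. Code items (is_data == 0) are decoded as 32-bit x86 with
	distorm3 and printed one instruction per line; data items are printed
	as a hex dump via print_string_hex(). Offsets accumulate from 0 over
	the whole list; the instruction number only advances for code.
	"""
	ni = 0      # running instruction number (code items only)
	ioff = 0    # running byte offset of the current item
	for item in sl:
		if item.is_data == 0:
			decoded = distorm3.Decode(ioff, item.bytes, distorm3.Decode32Bits)
			for (offset, size, instr, hexdump) in decoded:
				print('%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr))
				ni += 1
				ioff += size
		else:
			# The original wrote print('...' % (...),), which prints the
			# repr of a one-element tuple instead of the label. end=' '
			# keeps the hex dump on the same line, mirroring the Python 2
			# trailing-comma form (assumes the print function, Python 3).
			print('%-4i %.8x:' % (ni, ioff), end=' ')
			print_string_hex(item.bytes)
			print('')
			ioff += item.size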
Example 5
Project: volatility   Author: volatilityfoundation   File: process_stack.py    License: GNU General Public License v2.0
def __init__(self, config, *args, **kwargs):
        """
        Register this plugin's command-line options and select the distorm3
        decoding mode that matches the profile's address size.

        self.decode_as becomes distorm3.Decode32Bits when
        linux_process_info.address_size == 4 and distorm3.Decode64Bits
        otherwise. When the distorm3 module is not available
        (distorm_loaded is false) debug.error() is called instead.
        """
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

        add_option = self._config.add_option
        add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
        add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')

        # Placeholders; nothing is loaded at construction time.
        self.symbols = None
        self.undefined = None
        self.dump_file = None

        if not distorm_loaded:
            debug.error("You really need the distorm3 python module for this plugin to function properly.")
        else:
            wide = linux_process_info.address_size != 4
            self.decode_as = distorm3.Decode64Bits if wide else distorm3.Decode32Bits
Example 6
Project: vortessence   Author: vortessence   File: utils.py    License: GNU General Public License v2.0
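def disassemble(data, start, bits='32bit', stoponret=False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding ('32bit' selects
        distorm3.Decode32Bits, any other value distorm3.Decode64Bits)
    @param stoponret: stop disasm when function end is reached, i.e. at the
        first instruction whose text starts with "RET" (that instruction
        itself is not yielded)

    @returns: generator of (offset, instruction, hex bytes) tuples
    """
    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _size, instr, hexdump in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instr.startswith("RET"):
            # `raise StopIteration` inside a generator became a RuntimeError
            # in Python 3.7 (PEP 479); a bare return ends the generator the
            # same way on every version.
            return
        yield offset, instr, hexdump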


# copied from volatility 
Example 7
Project: vortessence   Author: vortessence   File: process_stack.py    License: GNU General Public License v2.0
def __init__(self, config, *args, **kwargs):
        """
        Register this plugin's command-line options and select the distorm3
        decoding mode that matches the profile's address size.

        self.decode_as becomes distorm3.Decode32Bits when
        linux_process_info.address_size == 4 and distorm3.Decode64Bits
        otherwise. When the distorm3 module is not available
        (distorm_loaded is false) debug.error() is called instead.
        """
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

        add_option = self._config.add_option
        add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
        add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')

        # Placeholders; nothing is loaded at construction time.
        self.symbols = None
        self.undefined = None
        self.dump_file = None

        if not distorm_loaded:
            debug.error("You really need the distorm3 python module for this plugin to function properly.")
        else:
            wide = linux_process_info.address_size != 4
            self.decode_as = distorm3.Decode64Bits if wide else distorm3.Decode32Bits
Example 8
Project: DAMM   Author: 504ensicsLabs   File: process_stack.py    License: GNU General Public License v2.0
def __init__(self, config, *args, **kwargs):
        """
        Register this plugin's command-line options and select the distorm3
        decoding mode that matches the profile's address size.

        self.decode_as becomes distorm3.Decode32Bits when
        linux_process_info.address_size == 4 and distorm3.Decode64Bits
        otherwise. When the distorm3 module is not available
        (distorm_loaded is false) debug.error() is called instead.
        """
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

        add_option = self._config.add_option
        add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
        add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')

        # Placeholders; nothing is loaded at construction time.
        self.symbols = None
        self.undefined = None
        self.dump_file = None

        if not distorm_loaded:
            debug.error("You really need the distorm3 python module for this plugin to function properly.")
        else:
            wide = linux_process_info.address_size != 4
            self.decode_as = distorm3.Decode64Bits if wide else distorm3.Decode32Bits
Example 9
Project: python-x86-obfuscator   Author: kgretzky   File: x86obf.py    License: MIT License
def print_disasm(sl):
	"""Print a numbered, offset-annotated listing of a shellcode item list.

	Code items (is_data == 0) are decoded as 32-bit x86 with distorm3 and
	printed one instruction per line; data items are hex-dumped via
	print_string_hex(). Offsets accumulate from 0 across the list; the
	instruction number only advances for code items.
	"""
	ni = 0     # instruction counter, advanced for code items only
	ioff = 0   # byte offset of the current item within the listing
	for item in sl:
		if item.is_data != 0:
			print '%-4i %.8x:' % (ni, ioff),
			print_string_hex(item.bytes)
			print ''
			ioff += item.size
			continue
		decoded = distorm3.Decode(ioff, item.bytes, distorm3.Decode32Bits)
		for (offset, size, instr, hexdump) in decoded:
			print '%-4i %.8x: %-32s %s' % (ni, offset, hexdump, instr)
			ni += 1
			ioff += size
Example 10
Project: volatility   Author: botherder   File: process_stack.py    License: GNU General Public License v2.0
def __init__(self, config, *args, **kwargs):
        """
        Register this plugin's command-line options and select the distorm3
        decoding mode that matches the profile's address size.

        self.decode_as becomes distorm3.Decode32Bits when
        linux_process_info.address_size == 4 and distorm3.Decode64Bits
        otherwise. When the distorm3 module is not available
        (distorm_loaded is false) debug.error() is called instead.
        """
        linux_process_info.linux_process_info.__init__(self, config, *args, **kwargs)

        add_option = self._config.add_option
        add_option('SYMBOL-DIR', short_option= 's', default = None, help = 'Directory containing files with function symbols', type = 'str')
        add_option('DUMP-FILE', short_option = 'o', default = None, help = 'Dump an annotated stack to this file', type = 'str')

        # Placeholders; nothing is loaded at construction time.
        self.symbols = None
        self.undefined = None
        self.dump_file = None

        if not distorm_loaded:
            debug.error("You really need the distorm3 python module for this plugin to function properly.")
        else:
            wide = linux_process_info.address_size != 4
            self.decode_as = distorm3.Decode64Bits if wide else distorm3.Decode32Bits
Example 11
Project: filmkodi   Author: mrknow   File: disasm.py    License: Apache License 2.0
def _import_dependencies(self):
        """
        Lazily bind the distorm module and the per-architecture decode flag.

        The first call imports distorm3 (falling back to the older
        `distorm` package) into the module-level `distorm3` name; every call
        then caches distorm3.Decode and the bits flag for self.arch.
        Raises KeyError for an architecture other than win32.ARCH_I386 /
        win32.ARCH_AMD64.
        """
        global distorm3
        if distorm3 is None:
            try:
                import distorm3 as _bindings
            except ImportError:
                import distorm as _bindings
            distorm3 = _bindings

        self.__decode = distorm3.Decode

        flag_by_arch = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = flag_by_arch[self.arch]
Example 12
Project: aumfor   Author: virtualrealitysystems   File: check_syscall.py    License: GNU General Public License v3.0
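def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling the function
        that references it in its first instruction.
        This is in the form 'cmp reg,NR_syscalls'.

        Returns the immediate of the first valid CMP found in the first 6
        bytes of the syscall entry function (masked to 32 bits), or 0 when
        distorm3 is unavailable, the symbol cannot be resolved, the read
        fails, or no CMP is found. A 0 result therefore means "unknown",
        not an empty table.
        NOTE(review): callers presumably use this value to bound the
        table walk, so 0 silently shortens the check — confirm how the
        caller handles it.
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            func = "sysenter_do_call"
        else:
            mode = distorm3.Decode64Bits
            func = "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)
        if not func_addr:
            return table_size

        # NOTE(review): the newer volatility version of this routine reads 64
        # bytes; 6 is tight if the CMP is not the very first instruction or
        # uses a longer encoding — confirm.
        data = self.addr_space.read(func_addr, 6)
        if not data:
            # Unreadable/unmapped entry point: keep the "unknown" result
            # instead of handing None to distorm3.
            return table_size

        for op in distorm3.Decompose(func_addr, data, mode):
            if not op.valid:
                continue

            if op.mnemonic == 'CMP':
                table_size = (op.operands[1].value) & 0xffffffff
                break

        return table_size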
Example 13
Project: aumfor   Author: virtualrealitysystems   File: check_syscall_shadow.py    License: GNU General Public License v3.0
def calculate(self):
        """
        Yield (shadow table address, function, op) triples reported by
        self.shadowedSyscalls() for the "_sysent" symbol.

        The distorm3 mode follows the profile's memory model: '32bit'
        selects Decode32Bits, anything else (including the 0 default when
        the metadata key is absent) selects Decode64Bits.
        """
        common.set_plugin_members(self)

        model = self.addr_space.profile.metadata.get('memory_model', 0)
        is_32bit = model == '32bit'
        distorm_mode = distorm3.Decode32Bits if is_32bit else distorm3.Decode64Bits

        sysent = self.addr_space.profile.get_symbol("_sysent")
        for shadowtbl_addr, func, op in self.shadowedSyscalls(model, distorm_mode, sysent):
            yield (shadowtbl_addr, func, op)
Example 14
Project: aumfor   Author: virtualrealitysystems   File: apihooks.py    License: GNU General Public License v3.0
def __init__(self, hook_type, hook_mode, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = distorm3.Decode32Bits):
        """
        Initialize a hook class instance.

        @params hook_type: one of the HOOK_TYPE_* constants
        @params hook_mode: one of the HOOK_MODE_* constants
        @params function_name: name of the function being hooked
        @params function_address: address of the hooked function in
            process or kernel memory.
        @params hook_address: address where the hooked function
            actually points.
        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.
        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.
        @params decode_bits: distorm3 decoding mode for this hook's
            disassembly; defaults to 32-bit.

        Every argument is stored on the instance unchanged.
        """
        # What is hooked.
        self.hook_type = hook_type
        self.hook_mode = hook_mode
        self.function_name = function_name
        self.function_address = function_address
        self.victim_module = victim_module
        # Where the hook leads.
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = []
Example 15
Project: aumfor   Author: virtualrealitysystems   File: apihooks.py    License: GNU General Public License v3.0
def render_text(self, outfd, data):
        """
        Write a human-readable report for each (process, module, hook)
        triple in `data` to `outfd`, followed by a disassembly of every
        recorded hop (malfind.Disassemble, 32- or 64-bit according to
        hook.decode_bits).

        NOTE(review): process and module names come from the memory image
        and are written verbatim; treat the output as untrusted text.
        """
        write = outfd.write
        for process, module, hook in data:

            write("*" * 72 + "\n")
            write("Hook mode: {0}\n".format(hook.Mode))
            write("Hook type: {0}\n".format(hook.Type))

            if process:
                write('Process: {0} ({1})\n'.format(
                    process.UniqueProcessId, process.ImageFileName))

            # Prefer the short DLL name; fall back to the basename of the full path.
            module_name = str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or ''))
            write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
                module_name, module.DllBase, module.DllBase + module.SizeOfImage))

            write("Function: {0}\n".format(hook.Detail))
            write("Hook address: {0:#x}\n".format(hook.hook_address))
            write("Hooking module: {0}\n\n".format(hook.HookModule))

            # `hop_bytes` rather than `data`, so the outer loop's iterable
            # is not shadowed.
            for n, (address, hop_bytes) in enumerate(hook.disassembled_hops):
                bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit"
                listing = []
                for o, i, h in malfind.Disassemble(hop_bytes, int(address), bits = bits):
                    listing.append("{0:#x} {1:<16} {2}".format(o, h, i))
                write("Disassembly({0}):\n{1}".format(n, "\n".join(listing)))
                write("\n\n")
Example 16
Project: aumfor   Author: virtualrealitysystems   File: malfind.py    License: GNU General Public License v3.0
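def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding ('32bit' selects
        distorm3.Decode32Bits, any other value distorm3.Decode64Bits)
    @param stoponret: stop disasm when function end is reached, i.e. at the
        first instruction whose text starts with "RET" (that instruction
        itself is not yielded)

    @returns: generator of (offset, instruction, hex bytes) tuples; yields
        nothing when the distorm3 module is unavailable (has_distorm3 false)
    """

    if not has_distorm3:
        # A generator must end with return; `raise StopIteration` became a
        # RuntimeError in Python 3.7 (PEP 479).
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _size, instr, hexdump in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instr.startswith("RET"):
            return
        yield offset, instr, hexdump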

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has 
# some shortcomings that don't allow us to integrate yara easily. 
#
# FIXME: these may need updating after resolving issue 310 which aims to 
# enhance the scan.BaseScanner to better support things like this
#-------------------------------------------------------------------------------- 
Example 17
def __init__(self, hook_type, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = distorm3.Decode32Bits):
        """
        Initialize a hook class instance.

        @params hook_type: one of the HOOK_TYPE_* constants
        @params function_name: name of the function being hooked
        @params function_address: address of the hooked function in
            process or kernel memory.
        @params hook_address: address where the hooked function
            actually points.
        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.
        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.
        @params decode_bits: distorm3 decoding mode for this hook's
            disassembly; defaults to 32-bit.

        Every argument is stored on the instance unchanged.
        """
        # What is hooked.
        self.hook_type = hook_type
        self.function_name = function_name
        self.function_address = function_address
        self.victim_module = victim_module
        # Where the hook leads.
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = []
Example 18
def get_wow64_hooks(self, process):
        """
        Print the path of every module returned by self.get_wow64_modules(process)
        whose path contains "chrome.dll".

        decode_bits is bound to distorm3.Decode32Bits but not used by the
        visible body; the routine looks unfinished.
        """
        decode_bits = distorm3.Decode32Bits

        for module_start, module_end, module_path in self.get_wow64_modules(process):
            if "chrome.dll" in module_path:
                print module_path
Example 19
Project: shecodject   Author: TaroballzChen   File: x86obf.py    License: GNU General Public License v3.0
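def shell_insert_bytes(sl, ni, bytes, label = -1, jmp_label = -1):
	"""Decode `bytes` as 32-bit x86 and splice the instructions into `sl`.

	Each decoded instruction becomes an _instr(...) item inserted at
	position `ni`, `ni + 1`, ... so instruction order is preserved;
	`label` and `jmp_label` are copied onto every inserted item.
	recalc_jmps() is then run on `sl` starting at the index just past the
	inserted run. `sl` is modified in place and nothing is returned; the
	caller's `ni` is not updated.
	"""
	decoded = distorm3.Decode(0, bytes, distorm3.Decode32Bits)
	for (offset, size, instr, hexdump) in decoded:
		item = _instr(bytes[offset:offset+size], size, 0)
		item.label = label
		item.jmp_label = jmp_label

		sl.insert(ni, item)
		ni += 1
	# The original also summed the sizes into an unused `tsize` local.
	recalc_jmps(sl, ni)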
Example 20
Project: volatility   Author: volatilityfoundation   File: check_syscall.py    License: GNU General Public License v2.0
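def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling functions
        that immediately reference it in their first instruction.
        This is in the form 'cmp reg,NR_syscalls'.

        Only the first candidate symbol that resolves (and whose first 64
        bytes can be read) is examined. Returns the immediate of the first
        valid CMP in that window (masked to 32 bits), or 0 when distorm3 is
        unavailable, no candidate resolves, or no CMP is found. A 0 result
        therefore means "unknown", not an empty table.
        NOTE(review): callers presumably use this value to bound the table
        walk, so 0 silently shortens the check — confirm how the caller
        handles it.
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            funcs = ["sysenter_do_call"]
        else:
            mode = distorm3.Decode64Bits
            funcs = ["system_call_fastpath", "do_int80_syscall_32"]

        for func in funcs:
            func_addr = self.addr_space.profile.get_symbol(func)
            if not func_addr:
                continue

            data = self.addr_space.read(func_addr, 64)
            if not data:
                # Unreadable entry point: treat like an unresolved symbol and
                # try the next candidate instead of handing None to distorm3.
                continue

            for op in distorm3.Decompose(func_addr, data, mode):
                if not op.valid:
                    continue

                if op.mnemonic == 'CMP':
                    table_size = (op.operands[1].value) & 0xffffffff
                    break

            # Only the first usable candidate is examined.
            break

        return table_size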
Example 21
Project: volatility   Author: volatilityfoundation   File: check_syscall_shadow.py    License: GNU General Public License v2.0
def calculate(self):
        """
        Yield (shadow table address, function, op) triples reported by
        self.shadowedSyscalls() for the "_sysent" symbol.

        The distorm3 mode follows the profile's memory model: '32bit'
        selects Decode32Bits, anything else (including the 0 default when
        the metadata key is absent) selects Decode64Bits.
        """
        common.set_plugin_members(self)

        model = self.addr_space.profile.metadata.get('memory_model', 0)
        is_32bit = model == '32bit'
        distorm_mode = distorm3.Decode32Bits if is_32bit else distorm3.Decode64Bits

        sysent = self.addr_space.profile.get_symbol("_sysent")
        for shadowtbl_addr, func, op in self.shadowedSyscalls(model, distorm_mode, sysent):
            yield (shadowtbl_addr, func, op)
Example 22
Project: volatility   Author: volatilityfoundation   File: apihooks.py    License: GNU General Public License v2.0
def __init__(self, hook_type, hook_mode, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = distorm3.Decode32Bits):
        """
        Initialize a hook class instance.

        @params hook_type: one of the HOOK_TYPE_* constants
        @params hook_mode: one of the HOOK_MODE_* constants
        @params function_name: name of the function being hooked
        @params function_address: address of the hooked function in
            process or kernel memory.
        @params hook_address: address where the hooked function
            actually points.
        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.
        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.
        @params decode_bits: distorm3 decoding mode for this hook's
            disassembly; defaults to 32-bit.

        Every argument is stored on the instance unchanged.
        """
        # What is hooked.
        self.hook_type = hook_type
        self.hook_mode = hook_mode
        self.function_name = function_name
        self.function_address = function_address
        self.victim_module = victim_module
        # Where the hook leads.
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = []
Example 23
Project: volatility   Author: volatilityfoundation   File: apihooks.py    License: GNU General Public License v2.0
def render_text(self, outfd, data):
        """
        Write a human-readable report for each (process, module, hook)
        triple in `data` to `outfd`, followed by a disassembly of every
        recorded hop (malfind.Disassemble, 32- or 64-bit according to
        hook.decode_bits).

        NOTE(review): process and module names come from the memory image
        and are written verbatim; treat the output as untrusted text.
        """
        write = outfd.write
        for process, module, hook in data:

            write("*" * 72 + "\n")
            write("Hook mode: {0}\n".format(hook.Mode))
            write("Hook type: {0}\n".format(hook.Type))

            if process:
                write('Process: {0} ({1})\n'.format(
                    process.UniqueProcessId, process.ImageFileName))

            # Prefer the short DLL name; fall back to the basename of the full path.
            module_name = str(module.BaseDllName or '') or ntpath.basename(str(module.FullDllName or ''))
            write("Victim module: {0} ({1:#x} - {2:#x})\n".format(
                module_name, module.DllBase, module.DllBase + module.SizeOfImage))

            write("Function: {0}\n".format(hook.Detail))
            write("Hook address: {0:#x}\n".format(hook.hook_address))
            write("Hooking module: {0}\n\n".format(hook.HookModule))

            # `hop_bytes` rather than `data`, so the outer loop's iterable
            # is not shadowed.
            for n, (address, hop_bytes) in enumerate(hook.disassembled_hops):
                bits = "32bit" if hook.decode_bits == distorm3.Decode32Bits else "64bit"
                listing = []
                for o, i, h in malfind.Disassemble(hop_bytes, int(address), bits = bits):
                    listing.append("{0:#x} {1:<16} {2}".format(o, h, i))
                write("Disassembly({0}):\n{1}".format(n, "\n".join(listing)))
                write("\n\n")
Example 24
Project: volatility   Author: volatilityfoundation   File: malfind.py    License: GNU General Public License v2.0
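def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding ('32bit' selects
        distorm3.Decode32Bits, any other value distorm3.Decode64Bits)
    @param stoponret: stop disasm when function end is reached, i.e. at the
        first instruction whose text starts with "RET" (that instruction
        itself is not yielded)

    @returns: generator of (offset, instruction, hex bytes) tuples; yields
        nothing when the distorm3 module is unavailable (has_distorm3 false)
    """

    if not has_distorm3:
        # A generator must end with return; `raise StopIteration` became a
        # RuntimeError in Python 3.7 (PEP 479).
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _size, instr, hexdump in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instr.startswith("RET"):
            return
        yield offset, instr, hexdump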

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has 
# some shortcomings that don't allow us to integrate yara easily. 
#
# FIXME: these may need updating after resolving issue 310 which aims to 
# enhance the scan.BaseScanner to better support things like this
#-------------------------------------------------------------------------------- 
Example 25
Project: OpenXMolar   Author: debasishm89   File: disasm.py    License: BSD 3-Clause "New" or "Revised" License
def __init__(self, arch = None):
        """
        Set up a distorm3-backed disassembler engine.

        After the base-class initialiser has run (it is what provides
        self.arch — presumably derived from `arch`, confirm), caches
        distorm3.Decode and the bits flag for self.arch. Raises KeyError
        for an architecture other than win32.ARCH_I386 / win32.ARCH_AMD64.
        """
        super(DistormEngine, self).__init__(arch)

        self.__decode = distorm3.Decode

        flag_by_arch = {
            win32.ARCH_I386: distorm3.Decode32Bits,
            win32.ARCH_AMD64: distorm3.Decode64Bits,
        }
        self.__flag = flag_by_arch[self.arch]
Example 26
Project: vortessence   Author: vortessence   File: check_syscall.py    License: GNU General Public License v2.0
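def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling the function
        that references it in its first instruction.
        This is in the form 'cmp reg,NR_syscalls'.

        Returns the immediate of the first valid CMP found in the first 6
        bytes of the syscall entry function (masked to 32 bits), or 0 when
        distorm3 is unavailable, the symbol cannot be resolved, the read
        fails, or no CMP is found. A 0 result therefore means "unknown",
        not an empty table.
        NOTE(review): callers presumably use this value to bound the
        table walk, so 0 silently shortens the check — confirm how the
        caller handles it.
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            func = "sysenter_do_call"
        else:
            mode = distorm3.Decode64Bits
            func = "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)
        if not func_addr:
            return table_size

        # NOTE(review): the newer volatility version of this routine reads 64
        # bytes; 6 is tight if the CMP is not the very first instruction or
        # uses a longer encoding — confirm.
        data = self.addr_space.read(func_addr, 6)
        if not data:
            # Unreadable/unmapped entry point: keep the "unknown" result
            # instead of handing None to distorm3.
            return table_size

        for op in distorm3.Decompose(func_addr, data, mode):
            if not op.valid:
                continue

            if op.mnemonic == 'CMP':
                table_size = (op.operands[1].value) & 0xffffffff
                break

        return table_size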
Example 27
Project: vortessence   Author: vortessence   File: check_syscall_shadow.py    License: GNU General Public License v2.0
def calculate(self):
        """
        Yield (shadow table address, function, op) triples reported by
        self.shadowedSyscalls() for the "_sysent" symbol.

        The distorm3 mode follows the profile's memory model: '32bit'
        selects Decode32Bits, anything else (including the 0 default when
        the metadata key is absent) selects Decode64Bits.
        """
        common.set_plugin_members(self)

        model = self.addr_space.profile.metadata.get('memory_model', 0)
        is_32bit = model == '32bit'
        distorm_mode = distorm3.Decode32Bits if is_32bit else distorm3.Decode64Bits

        sysent = self.addr_space.profile.get_symbol("_sysent")
        for shadowtbl_addr, func, op in self.shadowedSyscalls(model, distorm_mode, sysent):
            yield (shadowtbl_addr, func, op)
Example 28
Project: vortessence   Author: vortessence   File: apihooks.py    License: GNU General Public License v2.0
def __init__(self, hook_type, hook_mode, function_name,
                        function_address = None, hook_address = None,
                        hook_module = None, victim_module = None,
                        decode_bits = distorm3.Decode32Bits):
        """
        Initialize a hook class instance.

        @params hook_type: one of the HOOK_TYPE_* constants
        @params hook_mode: one of the HOOK_MODE_* constants
        @params function_name: name of the function being hooked
        @params function_address: address of the hooked function in
            process or kernel memory.
        @params hook_address: address where the hooked function
            actually points.
        @params hook_module: the _LDR_DATA_TABLE_ENTRY of the
            hooking module (owner of the hook_address). note:
            this can be None if the module cannot be identified.
        @params victim_module: the _LDR_DATA_TABLE_ENTRY of the
            module being hooked (contains the function_address).
            note: this can be a string if checking IAT hooks.
        @params decode_bits: distorm3 decoding mode for this hook's
            disassembly; defaults to 32-bit.

        Every argument is stored on the instance unchanged.
        """
        # What is hooked.
        self.hook_type = hook_type
        self.hook_mode = hook_mode
        self.function_name = function_name
        self.function_address = function_address
        self.victim_module = victim_module
        # Where the hook leads.
        self.hook_address = hook_address
        self.hook_module = hook_module
        self.decode_bits = decode_bits
        # List of tuples: address, data pairs
        self.disassembled_hops = []
Example 29
Project: vortessence   Author: vortessence   File: malfind.py    License: GNU General Public License v2.0
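def Disassemble(data, start, bits = '32bit', stoponret = False):
    """Disassemble code with distorm3.

    @param data: python byte str to decode
    @param start: address where `data` is found in memory
    @param bits: use 32bit or 64bit decoding ('32bit' selects
        distorm3.Decode32Bits, any other value distorm3.Decode64Bits)
    @param stoponret: stop disasm when function end is reached, i.e. at the
        first instruction whose text starts with "RET" (that instruction
        itself is not yielded)

    @returns: generator of (offset, instruction, hex bytes) tuples; yields
        nothing when the distorm3 module is unavailable (has_distorm3 false)
    """

    if not has_distorm3:
        # A generator must end with return; `raise StopIteration` became a
        # RuntimeError in Python 3.7 (PEP 479).
        return

    mode = distorm3.Decode32Bits if bits == '32bit' else distorm3.Decode64Bits

    for offset, _size, instr, hexdump in distorm3.DecodeGenerator(start, data, mode):
        if stoponret and instr.startswith("RET"):
            return
        yield offset, instr, hexdump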

#--------------------------------------------------------------------------------
# scanners by scudette
#
# unfortunately the existing scanning framework (i.e. scan.BaseScanner) has 
# some shortcomings that don't allow us to integrate yara easily. 
#
# FIXME: these may need updating after resolving issue 310 which aims to 
# enhance the scan.BaseScanner to better support things like this
#-------------------------------------------------------------------------------- 
Example 30
Project: DAMM   Author: 504ensicsLabs   File: check_syscall.py    License: GNU General Public License v2.0
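def _get_table_info_distorm(self):
        """
        Find the size of the system call table by disassembling the function
        that references it in its first instruction.
        This is in the form 'cmp reg,NR_syscalls'.

        Returns the immediate of the first valid CMP found in the first 6
        bytes of the syscall entry function (masked to 32 bits), or 0 when
        distorm3 is unavailable, the symbol cannot be resolved, the read
        fails, or no CMP is found. A 0 result therefore means "unknown",
        not an empty table.
        NOTE(review): callers presumably use this value to bound the
        table walk, so 0 silently shortens the check — confirm how the
        caller handles it.
        """
        table_size = 0

        if not has_distorm:
            return table_size

        memory_model = self.addr_space.profile.metadata.get('memory_model', '32bit')

        if memory_model == '32bit':
            mode = distorm3.Decode32Bits
            func = "sysenter_do_call"
        else:
            mode = distorm3.Decode64Bits
            func = "system_call_fastpath"

        func_addr = self.addr_space.profile.get_symbol(func)
        if not func_addr:
            return table_size

        # NOTE(review): the newer volatility version of this routine reads 64
        # bytes; 6 is tight if the CMP is not the very first instruction or
        # uses a longer encoding — confirm.
        data = self.addr_space.read(func_addr, 6)
        if not data:
            # Unreadable/unmapped entry point: keep the "unknown" result
            # instead of handing None to distorm3.
            return table_size

        for op in distorm3.Decompose(func_addr, data, mode):
            if not op.valid:
                continue

            if op.mnemonic == 'CMP':
                table_size = (op.operands[1].value) & 0xffffffff
                break

        return table_size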