rallhook 0.7.5 → 0.8.0

data/ext/rallhook_base/deps/distorm/src/pydistorm.h

@@ -0,0 +1,62 @@
+/*
+pydistorm.h
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#ifndef PYDISTORM_H
+#define PYDISTORM_H
+
+#ifdef SUPPORT_64BIT_OFFSET
+/*
+ * PyArg_ParseTuple/Py_BuildValue uses a format string in order to parse/build the offset.
+ * type: int 64
+ */
+	#define _PY_OFF_INT_SIZE_ "K"
+#else
+	#define _PY_OFF_INT_SIZE_ "k"
+#endif
+
+#include "decoder.h"
+
+#include <Python.h>
+
+PyObject* distorm_Decompose(PyObject* pSelf, PyObject* pArgs);
+
+char distorm_Decompose_DOCSTR[] =
+"Disassemble a given buffer to a list of structures that each describes an instruction.\r\n"
+#ifdef SUPPORT_64BIT_OFFSET
+	"Decompose(INT64 offset, string code, int type)\r\n"
+#else
+	"Decompose(unsigned long offset, string code, int type)\r\n"
+#endif
+"type:\r\n"
+"	Decode16Bits - 16 bits decoding.\r\n"
+"	Decode32Bits - 32 bits decoding.\r\n"
+"	Decode64Bits - AMD64 decoding.\r\n"
+"Returns a list of decomposed objects. Refer to diStorm3 documentation for learning how to use it.\r\n";
+
+static PyMethodDef distormModulebMethods[] = {
+    {"Decode", distorm_Decompose, METH_VARARGS, distorm_Decompose_DOCSTR},
+    {NULL, NULL, 0, NULL}
+};
+
+#endif /* PYDISTORM_H */
+

data/ext/rallhook_base/deps/distorm/src/textdefs.c

@@ -0,0 +1,180 @@
+/*
+textdefs.c
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#include "textdefs.h"
+
+static uint8_t Nibble2ChrTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
+#define NIBBLE_TO_CHR Nibble2ChrTable[t]
+
+void _FASTCALL_ str_hex_b(_WString* s, unsigned int x)
+{
+	/*
+	 * def prebuilt():
+	 * 	s = ""
+	 * 	for i in xrange(256):
+	 * 		if ((i % 0x10) == 0):
+	 * 			s += "\r\n"
+	 * 		s += "\"%02x\", " % (i)
+	 * 	return s
+	 */
+	static int8_t TextBTable[256][3] = {
+		"00", "01", "02", "03", "04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f",
+		"10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d", "1e", "1f",
+		"20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "2a", "2b", "2c", "2d", "2e", "2f",
+		"30", "31", "32", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3d", "3e", "3f",
+		"40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4d", "4e", "4f",
+		"50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f",
+		"60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6c", "6d", "6e", "6f",
+		"70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f",
+		"80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f",
+		"90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f",
+		"a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "ab", "ac", "ad", "ae", "af",
+		"b0", "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "bb", "bc", "bd", "be", "bf",
+		"c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "ca", "cb", "cc", "cd", "ce", "cf",
+		"d0", "d1", "d2", "d3", "d4", "d5", "d6", "d7", "d8", "d9", "da", "db", "dc", "dd", "de", "df",
+		"e0", "e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eb", "ec", "ed", "ee", "ef",
+		"f0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fb", "fc", "fd", "fe", "ff"
+	};
+
+	/*
+	 * Fixed length of 3 including null terminate character.
+	 */
+	memcpy(&s->p[s->length], TextBTable[x & 255], 3);
+	s->length += 2;
+}
+
+void _FASTCALL_ str_code_hb(_WString* s, unsigned int x)
+{
+	static int8_t TextHBTable[256][5] = {
+	/*
+	 * def prebuilt():
+	 * 	s = ""
+	 * 	for i in xrange(256):
+	 * 		if ((i % 0x10) == 0):
+	 * 			s += "\r\n"
+	 * 		s += "\"0x%x\", " % (i)
+	 * 	return s
+	 */
+		"0x0", "0x1", "0x2", "0x3", "0x4", "0x5", "0x6", "0x7", "0x8", "0x9", "0xa", "0xb", "0xc", "0xd", "0xe", "0xf",
+		"0x10", "0x11", "0x12", "0x13", "0x14", "0x15", "0x16", "0x17", "0x18", "0x19", "0x1a", "0x1b", "0x1c", "0x1d", "0x1e", "0x1f",
+		"0x20", "0x21", "0x22", "0x23", "0x24", "0x25", "0x26", "0x27", "0x28", "0x29", "0x2a", "0x2b", "0x2c", "0x2d", "0x2e", "0x2f",
+		"0x30", "0x31", "0x32", "0x33", "0x34", "0x35", "0x36", "0x37", "0x38", "0x39", "0x3a", "0x3b", "0x3c", "0x3d", "0x3e", "0x3f",
+		"0x40", "0x41", "0x42", "0x43", "0x44", "0x45", "0x46", "0x47", "0x48", "0x49", "0x4a", "0x4b", "0x4c", "0x4d", "0x4e", "0x4f",
+		"0x50", "0x51", "0x52", "0x53", "0x54", "0x55", "0x56", "0x57", "0x58", "0x59", "0x5a", "0x5b", "0x5c", "0x5d", "0x5e", "0x5f",
+		"0x60", "0x61", "0x62", "0x63", "0x64", "0x65", "0x66", "0x67", "0x68", "0x69", "0x6a", "0x6b", "0x6c", "0x6d", "0x6e", "0x6f",
+		"0x70", "0x71", "0x72", "0x73", "0x74", "0x75", "0x76", "0x77", "0x78", "0x79", "0x7a", "0x7b", "0x7c", "0x7d", "0x7e", "0x7f",
+		"0x80", "0x81", "0x82", "0x83", "0x84", "0x85", "0x86", "0x87", "0x88", "0x89", "0x8a", "0x8b", "0x8c", "0x8d", "0x8e", "0x8f",
+		"0x90", "0x91", "0x92", "0x93", "0x94", "0x95", "0x96", "0x97", "0x98", "0x99", "0x9a", "0x9b", "0x9c", "0x9d", "0x9e", "0x9f",
+		"0xa0", "0xa1", "0xa2", "0xa3", "0xa4", "0xa5", "0xa6", "0xa7", "0xa8", "0xa9", "0xaa", "0xab", "0xac", "0xad", "0xae", "0xaf",
+		"0xb0", "0xb1", "0xb2", "0xb3", "0xb4", "0xb5", "0xb6", "0xb7", "0xb8", "0xb9", "0xba", "0xbb", "0xbc", "0xbd", "0xbe", "0xbf",
+		"0xc0", "0xc1", "0xc2", "0xc3", "0xc4", "0xc5", "0xc6", "0xc7", "0xc8", "0xc9", "0xca", "0xcb", "0xcc", "0xcd", "0xce", "0xcf",
+		"0xd0", "0xd1", "0xd2", "0xd3", "0xd4", "0xd5", "0xd6", "0xd7", "0xd8", "0xd9", "0xda", "0xdb", "0xdc", "0xdd", "0xde", "0xdf",
+		"0xe0", "0xe1", "0xe2", "0xe3", "0xe4", "0xe5", "0xe6", "0xe7", "0xe8", "0xe9", "0xea", "0xeb", "0xec", "0xed", "0xee", "0xef",
+		"0xf0", "0xf1", "0xf2", "0xf3", "0xf4", "0xf5", "0xf6", "0xf7", "0xf8", "0xf9", "0xfa", "0xfb", "0xfc", "0xfd", "0xfe", "0xff"
+	};
+
+	if (x < 0x10) {	/* < 0x10 has a fixed length of 4 including null terminate. */
+		memcpy(&s->p[s->length], TextHBTable[x & 255], 4);
+		s->length += 3;
+	} else { /* >= 0x10 has a fixed length of 5 including null terminate. */
+		memcpy(&s->p[s->length], TextHBTable[x & 255], 5);
+		s->length += 4;
+	}
+}
+
+void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x)
+{
+	int8_t* buf;
+	int i = 0, shift = 0;
+	unsigned int t = 0;
+
+	buf = (int8_t*)&s->p[s->length];
+
+	buf[0] = '0';
+	buf[1] = 'x';
+	buf += 2;
+
+	for (shift = 28; shift != 0; shift -= 4) {
+		t = (x >> shift) & 0xf;
+		if (i | t) buf[i++] = NIBBLE_TO_CHR;
+	}
+	t = x & 0xf;
+	buf[i++] = NIBBLE_TO_CHR;
+
+	s->length += i + 2;
+	buf[i] = '\0';
+}
+
+void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8])
+{
+	int8_t* buf;
+	int i = 0, shift = 0;
+	uint32_t x = RULONG(&src[sizeof(int32_t)]);
+	int t;
+
+	buf = (int8_t*)&s->p[s->length];
+	buf[0] = '0';
+	buf[1] = 'x';
+	buf += 2;
+
+	for (shift = 28; shift != -4; shift -= 4) {
+		t = (x >> shift) & 0xf;
+		if (i | t) buf[i++] = NIBBLE_TO_CHR;
+	}
+
+	x = RULONG(src);
+	for (shift = 28; shift != 0; shift -= 4) {
+		t = (x >> shift) & 0xf;
+		if (i | t) buf[i++] = NIBBLE_TO_CHR;
+	}
+	t = x & 0xf;
+	buf[i++] = NIBBLE_TO_CHR;
+
+	s->length += i + 2;
+	buf[i] = '\0';
+}
+
+#ifdef SUPPORT_64BIT_OFFSET
+void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x)
+{
+	int8_t* buf;
+	int i = 0, shift = 0;
+	OFFSET_INTEGER t = 0;
+
+	buf = (int8_t*)&s->p[s->length];
+
+	buf[0] = '0';
+	buf[1] = 'x';
+	buf += 2;
+
+	for (shift = 60; shift != 0; shift -= 4) {
+		t = (x >> shift) & 0xf;
+		if (i | t) buf[i++] = NIBBLE_TO_CHR;
+	}
+	t = x & 0xf;
+	buf[i++] = NIBBLE_TO_CHR;
+
+	s->length += i + 2;
+	buf[i] = '\0';
+}
+#endif

data/ext/rallhook_base/deps/distorm/src/textdefs.h

@@ -0,0 +1,68 @@
+/*
+textdefs.h
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#ifndef TEXTDEFS_H
+#define TEXTDEFS_H
+
+#include "../config.h"
+
+#include "wstring.h"
+
+#define PLUS_DISP_CHR '+'
+#define MINUS_DISP_CHR '-'
+#define OPEN_CHR '['
+#define CLOSE_CHR ']'
+#define SP_CHR ' '
+#define SEG_OFF_CHR ':'
+
+/*
+Naming Convention:
+
+* get - returns a pointer to a string.
+* str - concatenates to string.
+
+* hex - means the function is used for hex dump (number is padded to required size) - Little Endian output.
+* code - means the function is used for disassembled instruction - Big Endian output.
+* off - means the function is used for 64bit offset - Big Endian output.
+
+* h - '0x' in front of the string.
+
+* b - byte
+* dw - double word (can be used for word also)
+* qw - quad word
+
+* all numbers are in HEX.
+*/
+
+extern int8_t TextBTable[256][4];
+
+void _FASTCALL_ str_hex_b(_WString* s, unsigned int x);
+void _FASTCALL_ str_code_hb(_WString* s, unsigned int x);
+void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x);
+void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]);
+
+#ifdef SUPPORT_64BIT_OFFSET
+void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x);
+#endif
+
+#endif /* TEXTDEFS_H */

data/ext/rallhook_base/deps/distorm/src/wstring.c

@@ -0,0 +1,55 @@
+/*
+wstring.c
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#include "wstring.h"
+
+void strclear_WS(_WString* s)
+{
+	s->p[0] = '\0';
+	s->length = 0;
+}
+
+void chrcat_WS(_WString* s, uint8_t ch)
+{
+	s->p[s->length] = ch;
+	s->p[s->length + 1] = '\0';
+	s->length += 1;
+}
+
+void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len)
+{
+	s->length = len;
+	memcpy((int8_t*)s->p, buf, len + 1);
+}
+
+void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len)
+{
+	memcpy((int8_t*)&s->p[s->length], buf, len + 1);
+	s->length += len;
+}
+
+void strcat_WS(_WString* s, const _WString* s2)
+{
+	memcpy((int8_t*)&s->p[s->length], s2->p, s2->length + 1);
+	s->length += s2->length;
+}

data/ext/rallhook_base/deps/distorm/src/wstring.h

@@ -0,0 +1,43 @@
+/*
+wstring.h
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#ifndef WSTRING_H
+#define WSTRING_H
+
+#include "../config.h"
+
+void strclear_WS(_WString* s);
+void chrcat_WS(_WString* s, uint8_t ch);
+void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len);
+void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len);
+void strcat_WS(_WString* s, const _WString* s2);
+
+/*
+* Warning, this macro should be used only when the compiler knows the size of string in advance!
+* This macro is used in order to spare the call to strlen when the strings are known already.
+* Note: sizeof includes NULL terminated character.
+*/
+#define strcat_WSN(s, t) strcatlen_WS((s), ((const int8_t*)t), sizeof((t))-1)
+#define strcpy_WSN(s, t) strcpylen_WS((s), ((const int8_t*)t), sizeof((t))-1)
+
+#endif /* WSTRING_H */

data/ext/rallhook_base/deps/distorm/src/x86defs.c

@@ -0,0 +1,41 @@
+/*
+x86defs.c
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#include "x86defs.h"
+#include "instructions.h"
+#include "../mnemonics.h"
+
+
+_InstInfo II_arpl = {INT_INFO, ISC_INTEGER << 3, OT_REG16, OT_RM16, I_ARPL, INST_MODRM_REQUIRED};
+/*
+ * MOVSXD:
+ * This is the worst defined instruction ever. It has so many variations.
+ * I decided after a third review, to make it like MOVSXD RAX, EAX when there IS a REX.W.
+ * Otherwise it will be MOVSXD EAX, EAX, which really zero extends to RAX.
+ * Completely ignoring DB 0x66, which is possible by the docs, BTW.
+ */
+_InstInfoEx II_movsxd = {INT_INFO, ISC_INTEGER << 3, OT_RM32, OT_REG32_64, I_MOVSXD, INST_MODRM_REQUIRED | INST_PRE_REX | INST_64BITS, 0, OT_NONE, OT_NONE, 0, 0};
+
+_InstInfo II_nop = {INT_INFO, ISC_INTEGER << 3, OT_NONE, OT_NONE, I_NOP, INST_FLAGS_NONE};
+
+_InstInfo II_pause = {INT_INFO, ISC_INTEGER << 3, OT_NONE, OT_NONE, I_PAUSE, INST_FLAGS_NONE};