rallhook 0.7.5 → 0.8.0

@@ -0,0 +1,62 @@
1
+ /*
2
+ pydistorm.h
3
+
4
+ diStorm3 - Powerful disassembler for X86/AMD64
5
+ http://ragestorm.net/distorm/
6
+ distorm at gmail dot com
7
+ Copyright (C) 2010 Gil Dabah
8
+
9
+ This program is free software: you can redistribute it and/or modify
10
+ it under the terms of the GNU General Public License as published by
11
+ the Free Software Foundation, either version 3 of the License, or
12
+ (at your option) any later version.
13
+
14
+ This program is distributed in the hope that it will be useful,
15
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
16
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
+ GNU General Public License for more details.
18
+
19
+ You should have received a copy of the GNU General Public License
20
+ along with this program. If not, see <http://www.gnu.org/licenses/>
21
+ */
22
+
23
+
24
+ #ifndef PYDISTORM_H
25
+ #define PYDISTORM_H
26
+
27
+ #ifdef SUPPORT_64BIT_OFFSET
28
+ /*
29
+ * PyArg_ParseTuple/Py_BuildValue uses a format string in order to parse/build the offset.
30
+ * type: int 64
31
+ */
32
+ #define _PY_OFF_INT_SIZE_ "K"
33
+ #else
34
+ #define _PY_OFF_INT_SIZE_ "k"
35
+ #endif
36
+
37
+ #include "decoder.h"
38
+
39
+ #include <Python.h>
40
+
41
+ PyObject* distorm_Decompose(PyObject* pSelf, PyObject* pArgs);
42
+
43
+ char distorm_Decompose_DOCSTR[] =
44
+ "Disassemble a given buffer to a list of structures that each describes an instruction.\r\n"
45
+ #ifdef SUPPORT_64BIT_OFFSET
46
+ "Decompose(INT64 offset, string code, int type)\r\n"
47
+ #else
48
+ "Decompose(unsigned long offset, string code, int type)\r\n"
49
+ #endif
50
+ "type:\r\n"
51
+ " Decode16Bits - 16 bits decoding.\r\n"
52
+ " Decode32Bits - 32 bits decoding.\r\n"
53
+ " Decode64Bits - AMD64 decoding.\r\n"
54
+ "Returns a list of decomposed objects. Refer to diStorm3 documentation for learning how to use it.\r\n";
55
+
56
+ static PyMethodDef distormModulebMethods[] = {
57
+ {"Decode", distorm_Decompose, METH_VARARGS, distorm_Decompose_DOCSTR},
58
+ {NULL, NULL, 0, NULL}
59
+ };
60
+
61
+ #endif /* PYDISTORM_H */
62
+
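Review bot: `distorm_Decompose_DOCSTR` is defined as a non-static object in a header protected only by an include guard, so a second translation unit including pydistorm.h produces a duplicate-symbol link error; make it `static char distorm_Decompose_DOCSTR[] =` or move the definition into the .c file that registers the module. The method table also exposes the function as `"Decode"` while the docstring documents `Decompose(...)`, so the name a Python user sees in `help()` is not the one they must call; keep the two in sync. Python's C-API documentation requires `<Python.h>` to be the first include because it sets feature-test macros, yet `decoder.h` is included before it here; swap the two include lines unless decoder.h is known to pull in no system headers. `_PY_OFF_INT_SIZE_` begins with an underscore followed by an uppercase letter, which is a reserved identifier in C; a name such as `PY_OFF_INT_FMT` avoids the clash.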
@@ -0,0 +1,180 @@
1
+ /*
2
+ textdefs.c
3
+
4
+ diStorm3 - Powerful disassembler for X86/AMD64
5
+ http://ragestorm.net/distorm/
6
+ distorm at gmail dot com
7
+ Copyright (C) 2010 Gil Dabah
8
+
9
+ This program is free software: you can redistribute it and/or modify
10
+ it under the terms of the GNU General Public License as published by
11
+ the Free Software Foundation, either version 3 of the License, or
12
+ (at your option) any later version.
13
+
14
+ This program is distributed in the hope that it will be useful,
15
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
16
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
+ GNU General Public License for more details.
18
+
19
+ You should have received a copy of the GNU General Public License
20
+ along with this program. If not, see <http://www.gnu.org/licenses/>
21
+ */
22
+
23
+
24
+ #include "textdefs.h"
25
+
26
+ static uint8_t Nibble2ChrTable[16] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
27
+ #define NIBBLE_TO_CHR Nibble2ChrTable[t]
28
+
29
+ void _FASTCALL_ str_hex_b(_WString* s, unsigned int x)
30
+ {
31
+ /*
32
+ * def prebuilt():
33
+ * s = ""
34
+ * for i in xrange(256):
35
+ * if ((i % 0x10) == 0):
36
+ * s += "\r\n"
37
+ * s += "\"%02x\", " % (i)
38
+ * return s
39
+ */
40
+ static int8_t TextBTable[256][3] = {
41
+ "00", "01", "02", "03", "04", "05", "06", "07", "08", "09", "0a", "0b", "0c", "0d", "0e", "0f",
42
+ "10", "11", "12", "13", "14", "15", "16", "17", "18", "19", "1a", "1b", "1c", "1d", "1e", "1f",
43
+ "20", "21", "22", "23", "24", "25", "26", "27", "28", "29", "2a", "2b", "2c", "2d", "2e", "2f",
44
+ "30", "31", "32", "33", "34", "35", "36", "37", "38", "39", "3a", "3b", "3c", "3d", "3e", "3f",
45
+ "40", "41", "42", "43", "44", "45", "46", "47", "48", "49", "4a", "4b", "4c", "4d", "4e", "4f",
46
+ "50", "51", "52", "53", "54", "55", "56", "57", "58", "59", "5a", "5b", "5c", "5d", "5e", "5f",
47
+ "60", "61", "62", "63", "64", "65", "66", "67", "68", "69", "6a", "6b", "6c", "6d", "6e", "6f",
48
+ "70", "71", "72", "73", "74", "75", "76", "77", "78", "79", "7a", "7b", "7c", "7d", "7e", "7f",
49
+ "80", "81", "82", "83", "84", "85", "86", "87", "88", "89", "8a", "8b", "8c", "8d", "8e", "8f",
50
+ "90", "91", "92", "93", "94", "95", "96", "97", "98", "99", "9a", "9b", "9c", "9d", "9e", "9f",
51
+ "a0", "a1", "a2", "a3", "a4", "a5", "a6", "a7", "a8", "a9", "aa", "ab", "ac", "ad", "ae", "af",
52
+ "b0", "b1", "b2", "b3", "b4", "b5", "b6", "b7", "b8", "b9", "ba", "bb", "bc", "bd", "be", "bf",
53
+ "c0", "c1", "c2", "c3", "c4", "c5", "c6", "c7", "c8", "c9", "ca", "cb", "cc", "cd", "ce", "cf",
54
+ "d0", "d1", "d2", "d3", "d4", "d5", "d6", "d7", "d8", "d9", "da", "db", "dc", "dd", "de", "df",
55
+ "e0", "e1", "e2", "e3", "e4", "e5", "e6", "e7", "e8", "e9", "ea", "eb", "ec", "ed", "ee", "ef",
56
+ "f0", "f1", "f2", "f3", "f4", "f5", "f6", "f7", "f8", "f9", "fa", "fb", "fc", "fd", "fe", "ff"
57
+ };
58
+
59
+ /*
60
+ * Fixed length of 3 including null terminate character.
61
+ */
62
+ memcpy(&s->p[s->length], TextBTable[x & 255], 3);
63
+ s->length += 2;
64
+ }
65
+
66
+ void _FASTCALL_ str_code_hb(_WString* s, unsigned int x)
67
+ {
68
+ static int8_t TextHBTable[256][5] = {
69
+ /*
70
+ * def prebuilt():
71
+ * s = ""
72
+ * for i in xrange(256):
73
+ * if ((i % 0x10) == 0):
74
+ * s += "\r\n"
75
+ * s += "\"0x%x\", " % (i)
76
+ * return s
77
+ */
78
+ "0x0", "0x1", "0x2", "0x3", "0x4", "0x5", "0x6", "0x7", "0x8", "0x9", "0xa", "0xb", "0xc", "0xd", "0xe", "0xf",
79
+ "0x10", "0x11", "0x12", "0x13", "0x14", "0x15", "0x16", "0x17", "0x18", "0x19", "0x1a", "0x1b", "0x1c", "0x1d", "0x1e", "0x1f",
80
+ "0x20", "0x21", "0x22", "0x23", "0x24", "0x25", "0x26", "0x27", "0x28", "0x29", "0x2a", "0x2b", "0x2c", "0x2d", "0x2e", "0x2f",
81
+ "0x30", "0x31", "0x32", "0x33", "0x34", "0x35", "0x36", "0x37", "0x38", "0x39", "0x3a", "0x3b", "0x3c", "0x3d", "0x3e", "0x3f",
82
+ "0x40", "0x41", "0x42", "0x43", "0x44", "0x45", "0x46", "0x47", "0x48", "0x49", "0x4a", "0x4b", "0x4c", "0x4d", "0x4e", "0x4f",
83
+ "0x50", "0x51", "0x52", "0x53", "0x54", "0x55", "0x56", "0x57", "0x58", "0x59", "0x5a", "0x5b", "0x5c", "0x5d", "0x5e", "0x5f",
84
+ "0x60", "0x61", "0x62", "0x63", "0x64", "0x65", "0x66", "0x67", "0x68", "0x69", "0x6a", "0x6b", "0x6c", "0x6d", "0x6e", "0x6f",
85
+ "0x70", "0x71", "0x72", "0x73", "0x74", "0x75", "0x76", "0x77", "0x78", "0x79", "0x7a", "0x7b", "0x7c", "0x7d", "0x7e", "0x7f",
86
+ "0x80", "0x81", "0x82", "0x83", "0x84", "0x85", "0x86", "0x87", "0x88", "0x89", "0x8a", "0x8b", "0x8c", "0x8d", "0x8e", "0x8f",
87
+ "0x90", "0x91", "0x92", "0x93", "0x94", "0x95", "0x96", "0x97", "0x98", "0x99", "0x9a", "0x9b", "0x9c", "0x9d", "0x9e", "0x9f",
88
+ "0xa0", "0xa1", "0xa2", "0xa3", "0xa4", "0xa5", "0xa6", "0xa7", "0xa8", "0xa9", "0xaa", "0xab", "0xac", "0xad", "0xae", "0xaf",
89
+ "0xb0", "0xb1", "0xb2", "0xb3", "0xb4", "0xb5", "0xb6", "0xb7", "0xb8", "0xb9", "0xba", "0xbb", "0xbc", "0xbd", "0xbe", "0xbf",
90
+ "0xc0", "0xc1", "0xc2", "0xc3", "0xc4", "0xc5", "0xc6", "0xc7", "0xc8", "0xc9", "0xca", "0xcb", "0xcc", "0xcd", "0xce", "0xcf",
91
+ "0xd0", "0xd1", "0xd2", "0xd3", "0xd4", "0xd5", "0xd6", "0xd7", "0xd8", "0xd9", "0xda", "0xdb", "0xdc", "0xdd", "0xde", "0xdf",
92
+ "0xe0", "0xe1", "0xe2", "0xe3", "0xe4", "0xe5", "0xe6", "0xe7", "0xe8", "0xe9", "0xea", "0xeb", "0xec", "0xed", "0xee", "0xef",
93
+ "0xf0", "0xf1", "0xf2", "0xf3", "0xf4", "0xf5", "0xf6", "0xf7", "0xf8", "0xf9", "0xfa", "0xfb", "0xfc", "0xfd", "0xfe", "0xff"
94
+ };
95
+
96
+ if (x < 0x10) { /* < 0x10 has a fixed length of 4 including null terminate. */
97
+ memcpy(&s->p[s->length], TextHBTable[x & 255], 4);
98
+ s->length += 3;
99
+ } else { /* >= 0x10 has a fixed length of 5 including null terminate. */
100
+ memcpy(&s->p[s->length], TextHBTable[x & 255], 5);
101
+ s->length += 4;
102
+ }
103
+ }
104
+
105
+ void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x)
106
+ {
107
+ int8_t* buf;
108
+ int i = 0, shift = 0;
109
+ unsigned int t = 0;
110
+
111
+ buf = (int8_t*)&s->p[s->length];
112
+
113
+ buf[0] = '0';
114
+ buf[1] = 'x';
115
+ buf += 2;
116
+
117
+ for (shift = 28; shift != 0; shift -= 4) {
118
+ t = (x >> shift) & 0xf;
119
+ if (i | t) buf[i++] = NIBBLE_TO_CHR;
120
+ }
121
+ t = x & 0xf;
122
+ buf[i++] = NIBBLE_TO_CHR;
123
+
124
+ s->length += i + 2;
125
+ buf[i] = '\0';
126
+ }
127
+
128
+ void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8])
129
+ {
130
+ int8_t* buf;
131
+ int i = 0, shift = 0;
132
+ uint32_t x = RULONG(&src[sizeof(int32_t)]);
133
+ int t;
134
+
135
+ buf = (int8_t*)&s->p[s->length];
136
+ buf[0] = '0';
137
+ buf[1] = 'x';
138
+ buf += 2;
139
+
140
+ for (shift = 28; shift != -4; shift -= 4) {
141
+ t = (x >> shift) & 0xf;
142
+ if (i | t) buf[i++] = NIBBLE_TO_CHR;
143
+ }
144
+
145
+ x = RULONG(src);
146
+ for (shift = 28; shift != 0; shift -= 4) {
147
+ t = (x >> shift) & 0xf;
148
+ if (i | t) buf[i++] = NIBBLE_TO_CHR;
149
+ }
150
+ t = x & 0xf;
151
+ buf[i++] = NIBBLE_TO_CHR;
152
+
153
+ s->length += i + 2;
154
+ buf[i] = '\0';
155
+ }
156
+
157
+ #ifdef SUPPORT_64BIT_OFFSET
158
+ void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x)
159
+ {
160
+ int8_t* buf;
161
+ int i = 0, shift = 0;
162
+ OFFSET_INTEGER t = 0;
163
+
164
+ buf = (int8_t*)&s->p[s->length];
165
+
166
+ buf[0] = '0';
167
+ buf[1] = 'x';
168
+ buf += 2;
169
+
170
+ for (shift = 60; shift != 0; shift -= 4) {
171
+ t = (x >> shift) & 0xf;
172
+ if (i | t) buf[i++] = NIBBLE_TO_CHR;
173
+ }
174
+ t = x & 0xf;
175
+ buf[i++] = NIBBLE_TO_CHR;
176
+
177
+ s->length += i + 2;
178
+ buf[i] = '\0';
179
+ }
180
+ #endif
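Review bot: Every writer in this file appends at `&s->p[s->length]` without checking remaining capacity: the `memcpy` calls in `str_hex_b` and `str_code_hb`, and the `buf[i++]` loops in `str_code_hdw`, `str_code_hqw` and `str_off64`. `_WString` is declared in `../config.h`, outside this diff, so it is not visible whether it carries a capacity field; as written, safety rests entirely on callers sizing `p` for the longest text emitted, which is 19 bytes including the NUL for `str_code_hqw` and `str_off64` (`0x` plus up to 16 nibbles). That contract is undocumented, so add a file-level comment such as `/* All str_* helpers append unchecked; the caller must guarantee s->p has room for s->length + 19 bytes. */` and, if `_WString` does expose a capacity, an actual check in each function. `NIBBLE_TO_CHR` also silently depends on a local named `t` existing at each expansion site, which is why `t` is `unsigned int`, `int` and `OFFSET_INTEGER` across the three callers; `#define NIBBLE_TO_CHR(v) Nibble2ChrTable[(v) & 0xf]` makes the dependency explicit and masks the index at the use site.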
@@ -0,0 +1,68 @@
1
+ /*
2
+ textdefs.h
3
+
4
+ diStorm3 - Powerful disassembler for X86/AMD64
5
+ http://ragestorm.net/distorm/
6
+ distorm at gmail dot com
7
+ Copyright (C) 2010 Gil Dabah
8
+
9
+ This program is free software: you can redistribute it and/or modify
10
+ it under the terms of the GNU General Public License as published by
11
+ the Free Software Foundation, either version 3 of the License, or
12
+ (at your option) any later version.
13
+
14
+ This program is distributed in the hope that it will be useful,
15
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
16
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
+ GNU General Public License for more details.
18
+
19
+ You should have received a copy of the GNU General Public License
20
+ along with this program. If not, see <http://www.gnu.org/licenses/>
21
+ */
22
+
23
+
24
+ #ifndef TEXTDEFS_H
25
+ #define TEXTDEFS_H
26
+
27
+ #include "../config.h"
28
+
29
+ #include "wstring.h"
30
+
31
+ #define PLUS_DISP_CHR '+'
32
+ #define MINUS_DISP_CHR '-'
33
+ #define OPEN_CHR '['
34
+ #define CLOSE_CHR ']'
35
+ #define SP_CHR ' '
36
+ #define SEG_OFF_CHR ':'
37
+
38
+ /*
39
+ Naming Convention:
40
+
41
+ * get - returns a pointer to a string.
42
+ * str - concatenates to string.
43
+
44
+ * hex - means the function is used for hex dump (number is padded to required size) - Little Endian output.
45
+ * code - means the function is used for disassembled instruction - Big Endian output.
46
+ * off - means the function is used for 64bit offset - Big Endian output.
47
+
48
+ * h - '0x' in front of the string.
49
+
50
+ * b - byte
51
+ * dw - double word (can be used for word also)
52
+ * qw - quad word
53
+
54
+ * all numbers are in HEX.
55
+ */
56
+
57
+ extern int8_t TextBTable[256][4];
58
+
59
+ void _FASTCALL_ str_hex_b(_WString* s, unsigned int x);
60
+ void _FASTCALL_ str_code_hb(_WString* s, unsigned int x);
61
+ void _FASTCALL_ str_code_hdw(_WString* s, uint32_t x);
62
+ void _FASTCALL_ str_code_hqw(_WString* s, uint8_t src[8]);
63
+
64
+ #ifdef SUPPORT_64BIT_OFFSET
65
+ void _FASTCALL_ str_off64(_WString* s, OFFSET_INTEGER x);
66
+ #endif
67
+
68
+ #endif /* TEXTDEFS_H */
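Review bot: The `extern int8_t TextBTable[256][4];` declaration has no matching definition anywhere in this diff: the only `TextBTable` is a function-local `static int8_t TextBTable[256][3]` inside `str_hex_b` in textdefs.c, which has internal linkage and a different inner dimension. Any translation unit that uses this extern will fail to link, and if a file-scope definition with `[3]` is added later the mismatch is undefined behavior that the compiler cannot diagnose across translation units. Either delete the declaration or hoist the table to file scope in textdefs.c as `int8_t TextBTable[256][3]` and make the header agree with it.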
@@ -0,0 +1,55 @@
1
+ /*
2
+ wstring.c
3
+
4
+ diStorm3 - Powerful disassembler for X86/AMD64
5
+ http://ragestorm.net/distorm/
6
+ distorm at gmail dot com
7
+ Copyright (C) 2010 Gil Dabah
8
+
9
+ This program is free software: you can redistribute it and/or modify
10
+ it under the terms of the GNU General Public License as published by
11
+ the Free Software Foundation, either version 3 of the License, or
12
+ (at your option) any later version.
13
+
14
+ This program is distributed in the hope that it will be useful,
15
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
16
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
+ GNU General Public License for more details.
18
+
19
+ You should have received a copy of the GNU General Public License
20
+ along with this program. If not, see <http://www.gnu.org/licenses/>
21
+ */
22
+
23
+
24
+ #include "wstring.h"
25
+
26
+ void strclear_WS(_WString* s)
27
+ {
28
+ s->p[0] = '\0';
29
+ s->length = 0;
30
+ }
31
+
32
+ void chrcat_WS(_WString* s, uint8_t ch)
33
+ {
34
+ s->p[s->length] = ch;
35
+ s->p[s->length + 1] = '\0';
36
+ s->length += 1;
37
+ }
38
+
39
+ void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len)
40
+ {
41
+ s->length = len;
42
+ memcpy((int8_t*)s->p, buf, len + 1);
43
+ }
44
+
45
+ void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len)
46
+ {
47
+ memcpy((int8_t*)&s->p[s->length], buf, len + 1);
48
+ s->length += len;
49
+ }
50
+
51
+ void strcat_WS(_WString* s, const _WString* s2)
52
+ {
53
+ memcpy((int8_t*)&s->p[s->length], s2->p, s2->length + 1);
54
+ s->length += s2->length;
55
+ }
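Review bot: None of the four helpers checks that the destination has room: `strcpylen_WS` and `strcatlen_WS` copy `len + 1` bytes into `s->p` on the caller's word alone, `strcat_WS` does the same with `s2->length + 1`, and `chrcat_WS` writes two bytes past `s->length` unconditionally. `_WString` is defined in `../config.h`, outside this diff, so I cannot tell whether it exposes a capacity; if it does, each helper should compare before copying, and if it does not, state the contract on each function, e.g. `/* Unchecked append: caller guarantees s->p holds s->length + len + 1 bytes and that buf[len] == '\0'. */`. The `len + 1` copy also reads `buf[len]`, so a caller passing a buffer of exactly `len` bytes without a terminator reads one byte past it, which belongs in that same comment.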
@@ -0,0 +1,43 @@
1
+ /*
2
+ wstring.h
3
+
4
+ diStorm3 - Powerful disassembler for X86/AMD64
5
+ http://ragestorm.net/distorm/
6
+ distorm at gmail dot com
7
+ Copyright (C) 2010 Gil Dabah
8
+
9
+ This program is free software: you can redistribute it and/or modify
10
+ it under the terms of the GNU General Public License as published by
11
+ the Free Software Foundation, either version 3 of the License, or
12
+ (at your option) any later version.
13
+
14
+ This program is distributed in the hope that it will be useful,
15
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
16
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
+ GNU General Public License for more details.
18
+
19
+ You should have received a copy of the GNU General Public License
20
+ along with this program. If not, see <http://www.gnu.org/licenses/>
21
+ */
22
+
23
+
24
+ #ifndef WSTRING_H
25
+ #define WSTRING_H
26
+
27
+ #include "../config.h"
28
+
29
+ void strclear_WS(_WString* s);
30
+ void chrcat_WS(_WString* s, uint8_t ch);
31
+ void strcpylen_WS(_WString* s, const int8_t* buf, unsigned int len);
32
+ void strcatlen_WS(_WString* s, const int8_t* buf, unsigned int len);
33
+ void strcat_WS(_WString* s, const _WString* s2);
34
+
35
+ /*
36
+ * Warning, this macro should be used only when the compiler knows the size of string in advance!
37
+ * This macro is used in order to spare the call to strlen when the strings are known already.
38
+ * Note: sizeof includes NULL terminated character.
39
+ */
40
+ #define strcat_WSN(s, t) strcatlen_WS((s), ((const int8_t*)t), sizeof((t))-1)
41
+ #define strcpy_WSN(s, t) strcpylen_WS((s), ((const int8_t*)t), sizeof((t))-1)
42
+
43
+ #endif /* WSTRING_H */
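Review bot: In `strcat_WSN`/`strcpy_WSN` the argument `t` is not parenthesized in the cast `((const int8_t*)t)`, so a conditional expression such as `c ? "ab" : "xyz"` casts only `c`, and `sizeof((t))-1` on any argument that is a pointer rather than an array quietly yields `sizeof(void*) - 1` and copies the wrong length, which the comment warns about but nothing enforces. Write `((const int8_t*)(t))` for the cast; since C89/C99 offer no compile-time test that `t` is an array, restricting the macro to string-literal arguments at every call site remains the only protection against the silent length error.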
@@ -0,0 +1,41 @@
1
+ /*
2
+ x86defs.c
3
+
4
+ diStorm3 - Powerful disassembler for X86/AMD64
5
+ http://ragestorm.net/distorm/
6
+ distorm at gmail dot com
7
+ Copyright (C) 2010 Gil Dabah
8
+
9
+ This program is free software: you can redistribute it and/or modify
10
+ it under the terms of the GNU General Public License as published by
11
+ the Free Software Foundation, either version 3 of the License, or
12
+ (at your option) any later version.
13
+
14
+ This program is distributed in the hope that it will be useful,
15
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
16
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
+ GNU General Public License for more details.
18
+
19
+ You should have received a copy of the GNU General Public License
20
+ along with this program. If not, see <http://www.gnu.org/licenses/>
21
+ */
22
+
23
+
24
+ #include "x86defs.h"
25
+ #include "instructions.h"
26
+ #include "../mnemonics.h"
27
+
28
+
29
+ _InstInfo II_arpl = {INT_INFO, ISC_INTEGER << 3, OT_REG16, OT_RM16, I_ARPL, INST_MODRM_REQUIRED};
30
+ /*
31
+ * MOVSXD:
32
+ * This is the worst defined instruction ever. It has so many variations.
33
+ * I decided after a third review, to make it like MOVSXD RAX, EAX when there IS a REX.W.
34
+ * Otherwise it will be MOVSXD EAX, EAX, which really zero extends to RAX.
35
+ * Completely ignoring DB 0x66, which is possible by the docs, BTW.
36
+ */
37
+ _InstInfoEx II_movsxd = {INT_INFO, ISC_INTEGER << 3, OT_RM32, OT_REG32_64, I_MOVSXD, INST_MODRM_REQUIRED | INST_PRE_REX | INST_64BITS, 0, OT_NONE, OT_NONE, 0, 0};
38
+
39
+ _InstInfo II_nop = {INT_INFO, ISC_INTEGER << 3, OT_NONE, OT_NONE, I_NOP, INST_FLAGS_NONE};
40
+
41
+ _InstInfo II_pause = {INT_INFO, ISC_INTEGER << 3, OT_NONE, OT_NONE, I_PAUSE, INST_FLAGS_NONE};
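Review bot: `II_arpl`, `II_movsxd`, `II_nop` and `II_pause` are writable globals with external linkage, although each is initialized with a fixed instruction descriptor and the decoder's use of them lies outside this hunk; if nothing assigns to them, qualifying them `const` (together with the matching `extern` declarations in x86defs.h) lets the linker place the descriptors in read-only data, so a stray write through a corrupted pointer faults instead of silently changing how an opcode decodes. The `_InstInfoEx` initializer for `II_movsxd` ends in five positional values with no indication of which fields they fill; a designated initializer or a comment naming the `0, OT_NONE, OT_NONE, 0, 0` tail would make it reviewable against the struct definition.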