rallhook 0.7.5 → 0.8.0

data/AUTHORS

@@ -1,3 +1,5 @@
 rallhook de tario <rseminara@hotmail.com>
 
+Thanks to:
 
+	Gil Dabah for provide distorm, the Ultimate Dissasembler Library (https://code.google.com/p/distorm/)

data/CHANGELOG

@@ -1,3 +1,5 @@
+0.8.0	Added code of diStorm library to make easier the gem install (no previous install of diStorm are required now)
+
 0.7.5	Fixed issue 13 (Segmentation fault in ruby 1.9)
 
 0.7.4	Fixed issue 12 (Compile error for ruby 1.9)

data/README

@@ -10,8 +10,6 @@ This package contains rallhook, a ruby C extension to intercept ruby methods cal
 * ruby debug info ( apt-get install libruby1.8-dbg or libruby1.9-dbg on debian based systems)
 * ruby development package ( apt-get install ruby1.8-dev or ruby1.9-dev on debian based systems)
 * objdump
-* distorm ( found at https://code.google.com/p/distorm/ )
-
 
 === Installation
 

data/Rakefile

@@ -6,7 +6,7 @@ require 'rake/gempackagetask'
 
 spec = Gem::Specification.new do |s|
   s.name = 'rallhook'
-  s.version = '0.7.5'
+  s.version = '0.8.0'
   s.author = 'Dario Seminara'
   s.email = 'robertodarioseminara@gmail.com'
   s.platform = Gem::Platform::RUBY

data/TODO

@@ -1,4 +1,3 @@
-* Threading support
 * Tests cases for 1.0.0 interface
 * More integrity testcases (with use of ruby core methods)
 * Security testcases (hook bypass checks,  security tests)

data/ext/rallhook_base/deps/distorm/config.h

@@ -0,0 +1,170 @@
+/*
+config.h
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#ifndef CONFIG_H
+#define CONFIG_H
+
+/* diStorm version number. */
+#define __DISTORMV__ 0x030000
+
+#include <string.h> /* strlen, memset, memcpy - can be easily self implemented for libc independency. */
+
+#include "distorm.h"
+
+/*
+ * 64 bit offsets support:
+ * This macro should be defined from compiler command line flags, e.g: -DSUPPORT_64BIT_OFFSET
+ * Note: make sure that the caller (library user) defines it too!
+ */
+/* #define SUPPORT_64BIT_OFFSET */
+
+/*
+ * If you compile diStorm as a .DLL file, make sure you uncomment the next line.
+ * So the interface functions will be exported, otherwise they are useable only as a library.
+ * For example, this macro is being set for the Python extension module.
+ */
+/* #define _DLL */
+
+/*
+ * diStorm now supports little/big endian CPU's.
+ * It should detect the endianness according to predefined macro's of the compiler.
+ * If you don't use GCC/MSVC you will have to define it on your own.
+ */
+
+/* These macros are used in order to make the code portable. */
+#ifdef __GNUC__
+
+#include <stdint.h>
+
+#define _DLLEXPORT_
+#define _FASTCALL_
+#define _INLINE_ static
+/* GCC ignores this directive... */
+//#define _FASTCALL_ __attribute__((__fastcall__))
+
+/* Set endianity (supposed to be LE though): */
+#ifdef __BIG_ENDIAN__
+	#define BE_SYSTEM
+#endif
+
+/* End of __GCC__ */
+
+#elif __WATCOMC__
+
+#include <stdint.h>
+
+#define _DLLEXPORT_
+#define _FASTCALL_
+#define _INLINE_ __inline
+
+/* End of __WATCOMC__ */
+
+#elif __DMC__
+
+#include <stdint.h>
+
+#define _DLLEXPORT_
+#define _FASTCALL_
+#define _INLINE_ __inline
+
+/* End of __DMC__ */
+
+#elif __TINYC__
+
+#include <stdint.h>
+
+#define _DLLEXPORT_
+#define _FASTCALL_
+#define _INLINE_
+
+/* End of __TINYC__ */
+
+#elif _MSC_VER
+
+/* stdint alternative is defined in distorm.h */
+
+#define _DLLEXPORT_ __declspec(dllexport)
+#define _FASTCALL_ __fastcall
+#define _INLINE_ __inline
+
+/* Set endianity (supposed to be LE though): */
+#ifndef _M_IX86
+	#define BE_SYSTEM
+#endif
+
+#endif /* #elif _MSC_VER */
+
+/* If the library isn't compiled as a .DLL don't export functions. */
+#ifndef _DLL
+#undef _DLLEXPORT_
+#define _DLLEXPORT_
+#endif
+
+#ifndef FALSE
+#define FALSE 0
+#endif
+#ifndef TRUE
+#define TRUE 1
+#endif
+
+/* Define stream read functions for big endian systems. */
+#ifdef BE_SYSTEM
+/*
+ * These functions can read from the stream safely!
+ * Swap endianity of input to little endian.
+ */
+static _INLINE_ int16_t RSHORT(const uint8_t *s)
+{
+	return s[0] | (s[1] << 8);
+}
+static _INLINE_ uint16_t RUSHORT(const uint8_t *s)
+{
+	return s[0] | (s[1] << 8);
+}
+static _INLINE_ int32_t RLONG(const uint8_t *s)
+{
+	return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
+}
+static _INLINE_ uint32_t RULONG(const uint8_t *s)
+{
+	return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24);
+}
+static _INLINE_ int64_t RLLONG(const uint8_t *s)
+{
+	return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56);
+}
+static _INLINE_ uint64_t RULLONG(const uint8_t *s)
+{
+	return s[0] | (s[1] << 8) | (s[2] << 16) | (s[3] << 24) | ((uint64_t)s[4] << 32) | ((uint64_t)s[5] << 40) | ((uint64_t)s[6] << 48) | ((uint64_t)s[7] << 56);
+}
+#else
+/* Little endian macro's will just make the cast. */
+#define RSHORT(x) *(int16_t *)x
+#define RUSHORT(x) *(uint16_t *)x
+#define RLONG(x) *(int32_t *)x
+#define RULONG(x) *(uint32_t *)x
+#define RLLONG(x) *(int64_t *)x
+#define RULLONG(x) *(uint64_t *)x
+#endif
+
+#endif /* CONFIG_H */

data/ext/rallhook_base/deps/distorm/distorm.h

@@ -0,0 +1,401 @@
+/* diStorm3 1.0.0 */
+
+/*
+distorm.h
+
+diStorm3 - Powerful disassembler for X86/AMD64
+http://ragestorm.net/distorm/
+distorm at gmail dot com
+Copyright (C) 2010  Gil Dabah
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program.  If not, see <http://www.gnu.org/licenses/>
+*/
+
+
+#ifndef DISTORM_H
+#define DISTORM_H
+
+/*
+ * 64 bit offsets support:
+ * If the diStorm library you use was compiled with 64 bits offsets,
+ * make sure you compile your own code with the following macro set:
+ * SUPPORT_64BIT_OFFSET
+ * Otherwise comment it out, or you will get a linker error of an unresolved symbol...
+ */
+
+/* TINYC has a problem with some 64bits library functions, so pass. */
+#ifndef __TINYC__
+	#ifndef _LIB /* Used only for library. */
+		/* Comment out the following line to disable 64 bits support */
+		#define SUPPORT_64BIT_OFFSET
+	#endif
+#endif
+
+/* If your compiler doesn't support stdint.h, define your own 64 bits type. */
+#ifdef SUPPORT_64BIT_OFFSET
+	#ifdef _MSC_VER
+		#define OFFSET_INTEGER unsigned __int64
+	#else
+		#include <stdint.h>
+		#define OFFSET_INTEGER uint64_t
+	#endif
+#else
+	/* 32 bit offsets are used. */
+	#define OFFSET_INTEGER unsigned long
+#endif
+
+#ifdef _MSC_VER
+/* Since MSVC isn't shipped with stdint.h, we will have our own: */
+typedef signed __int64		int64_t;
+typedef unsigned __int64	uint64_t;
+typedef signed __int32		int32_t;
+typedef unsigned __int32	uint32_t;
+typedef signed __int16		int16_t;
+typedef unsigned __int16	uint16_t;
+typedef signed __int8		int8_t;
+typedef unsigned __int8		uint8_t;
+#endif
+
+/* Support C++ compilers */
+#ifdef __cplusplus
+ extern "C" {
+#endif
+
+/* Decodes modes of the disassembler, 16 bits or 32 bits or 64 bits for AMD64, x86-64. */
+typedef enum {Decode16Bits = 0, Decode32Bits = 1, Decode64Bits = 2} _DecodeType;
+
+typedef OFFSET_INTEGER _OffsetType;
+
+typedef struct {
+	_OffsetType codeOffset;
+	const uint8_t* code;
+	int codeLen; /* Using signed integer makes it easier to detect an underflow. */
+	_DecodeType dt;
+	unsigned int features;
+} _CodeInfo;
+
+typedef enum { O_NONE, O_REG, O_IMM, O_IMM1, O_IMM2, O_DISP, O_SMEM, O_MEM, O_PC, O_PTR } _OperandType;
+
+typedef union {
+	/* Used by O_IMM: */
+	int8_t sbyte;
+	uint8_t byte;
+	int16_t sword;
+	uint16_t word;
+	int32_t sdword;
+	uint32_t dword;
+	int64_t sqword;
+	uint64_t qword;
+
+	/* Used by O_PC: */
+	_OffsetType addr;
+
+	/* Used by O_PTR: */
+	struct {
+		uint16_t seg;
+		/* Can be 16 or 32 bits, size is in ops[n].size. */
+		uint32_t off;
+	} ptr;
+	/* Used by O_IMM1 (i1) and O_IMM2 (i2). */
+	struct {
+		uint32_t i1;
+		uint32_t i2;
+	} ex;
+} _Value;
+
+typedef struct {
+	/* Type of operand:
+		O_NONE: operand is to be ignored.
+		O_REG: index holds global register index.
+		O_IMM: instruction.imm.
+		O_IMM1: instruction.imm.ex.i1.
+		O_IMM2: instruction.imm.ex.i2.
+		O_DISP: memory dereference with displacement only, instruction.disp.
+		O_SMEM: simple memory dereference with optional displacement (a single register memory dereference).
+		O_MEM: complex memory dereference (optional fields: s/i/b/disp).
+		O_PC: the relative address of a branch instruction (instruction.imm.addr).
+		O_PTR: the absolute target address of a far branch instruction (instruction.imm.ptr.seg/off).
+	*/
+	uint8_t type; /* _OperandType */
+
+	/* Index of:
+		O_REG: holds global register index
+		O_SMEM: holds the 'base' register. E.G: [ECX], [EBX+0x1234] are both in operand.index.
+		O_MEM: holds the 'index' register. E.G: [EAX*4] is in operand.index.
+	*/
+	uint8_t index;
+
+	/* Size of:
+		O_REG: register
+		O_IMM: instruction.imm
+		O_IMM1: instruction.imm.ex.i1
+		O_IMM2: instruction.imm.ex.i2
+		O_DISP: instruction.disp
+		O_SMEM: size of indirection.
+		O_MEM: size of indirection.
+		O_PC: size of the relative offset
+		O_PTR: size of instruction.imm.ptr.off (16 or 32)
+	*/
+	uint16_t size;
+} _Operand;
+
+#define OPCODE_ID_NONE 0
+/* Instruction could not be disassembled. */
+#define FLAG_NOT_DECODABLE ((uint16_t)-1)
+/* The instruction locks memory access. */
+#define FLAG_LOCK (1 << 0)
+/* The instruction is prefixed with a REPNZ. */
+#define FLAG_REPNZ (1 << 1)
+/* The instruction is prefixed with a REP, this can be a REPZ, it depends on the specific instruction. */
+#define FLAG_REP (1 << 2)
+/* Indicates there is a hint taken for Jcc instructions only. */
+#define FLAG_HINT_TAKEN (1 << 3)
+/* Indicates there is a hint non-taken for Jcc instructions only. */
+#define FLAG_HINT_NOT_TAKEN (1 << 4)
+/* The Imm value is signed extended. */
+#define FLAG_IMM_SIGNED (1 << 5)
+
+/* No register was defined. */
+#define R_NONE ((uint8_t)-1)
+
+#define REGS64_BASE (0)
+#define REGS32_BASE (16)
+#define REGS16_BASE (32)
+#define REGS8_BASE (48)
+#define REGS8_REX_BASE (64)
+#define SREGS_BASE (68)
+/* #define RIP 74 */
+#define FPUREGS_BASE (75)
+#define MMXREGS_BASE (83)
+#define SSEREGS_BASE (91)
+#define AVXREGS_BASE (107)
+#define CREGS_BASE (123)
+#define DREGS_BASE (132)
+
+/*
+ * Operand Size or Adderss size are stored inside the flags:
+ * 0 - 16 bits
+ * 1 - 32 bits
+ * 2 - 64 bits
+ * 3 - reserved
+ *
+ * If you call these macros more than once, you will have to clean the bits before doing so.
+ */
+#define FLAG_SET_OPSIZE(di, size) ((di->flags) |= (((size) & 3) << 6))
+#define FLAG_SET_ADDRSIZE(di, size) ((di->flags) |= (((size) & 3) << 8))
+#define FLAG_GET_OPSIZE(flags) (((flags) >> 6) & 3)
+#define FLAG_GET_ADDRSIZE(flags) (((flags) >> 8) & 3)
+/* To get the LOCK/REPNZ/REP prefixes. */
+#define FLAG_GET_PREFIX(flags) ((flags) & 7)
+
+/*
+ * Macros to extract segment registers from segmentInfo:
+ */
+#define SEGMENT_DEFAULT 0x80
+#define SEGMENT_SET(di, seg) ((di->segment) |= seg)
+#define SEGMENT_GET(segment) (((segment) == R_NONE) ? R_NONE : ((segment) & 0x7f))
+#define SEGMENT_IS_DEFAULT(segment) (((segment) & SEGMENT_DEFAULT) == SEGMENT_DEFAULT)
+
+#define OPERANDS_NO (4)
+
+typedef struct {
+	/* Virtual address of first byte of instruction. */
+	_OffsetType addr;
+	/* Size of the whole instruction. */
+	uint8_t size;
+	/* General flags of instruction, holds prefixes and more, if FLAG_NOT_DECODABLE, instruction is invalid. */
+	uint16_t flags;
+	/* Segment information of memory indirection, default segment, or overriden one, can be -1. */
+	uint8_t segment;
+	/* Used by ops[n].type == O_MEM. Base global register index (might be R_NONE), scale size (2/4/8), ignored for 0 or 1. */
+	uint8_t base, scale;
+	uint8_t dispSize;
+	/* ID of opcode in the global opcode table. Use for mnemonic look up. */
+	uint16_t opcode;
+	/* Up to four operands per instruction, ignored if ops[n].type == O_NONE. */
+	_Operand ops[OPERANDS_NO];
+	/* Used by ops[n].type == O_SMEM/O_MEM/O_DISP. Its size is dispSize. */
+	uint64_t disp;
+	/* Used by ops[n].type == O_IMM/O_IMM1&O_IMM2/O_PTR/O_PC. Its size is ops[n].size. */
+	_Value imm;
+	/* Unused prefixes mask, for each bit that is set that prefix is not used (LSB is byte [addr + 0]). */
+	uint16_t unusedPrefixesMask;
+	/* Meta defines the instruction set class, and the flow control flags. Use META macros. */
+	uint8_t meta;
+} _DInst;
+
+/* Static size of strings. Do not change this value. */
+#define MAX_TEXT_SIZE (32)
+typedef struct {
+	unsigned int length;
+	unsigned char p[MAX_TEXT_SIZE]; /* p is a null terminated string. */
+} _WString;
+
+/*
+ * Old decoded instruction structure in text format.
+ * Used only for backward compatibility with diStorm64.
+ * This structure holds all information the disassembler generates per instruction.
+ */
+typedef struct {
+	_WString mnemonic; /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
+	_WString operands; /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
+	_WString instructionHex; /* Hex dump - little endian, including prefixes. */
+	unsigned int size; /* Size of decoded instruction. */
+	_OffsetType offset; /* Start offset of the decoded instruction. */
+} _DecodedInst;
+
+/* Get the ISC of the instruction, used with the definitions below. */
+#define META_GET_ISC(meta) (((meta) >> 3) & 0x1f)
+/* Get the flow control flags of the instruction, see 'features for decompose' below. */
+#define META_GET_FC(meta) ((meta) & 0x7)
+
+/*
+ * Instructions Set classes:
+ * if you want a better understanding of the available classes, look at disOps project, file: x86sets.py.
+ */
+/* Indicates the instruction belongs to the General Integer set. */
+#define ISC_INTEGER 1
+/* Indicates the instruction belongs to the 387 FPU set. */
+#define ISC_FPU 2
+/* Indicates the instruction belongs to the P6 set. */
+#define ISC_P6 3
+/* Indicates the instruction belongs to the MMX set. */
+#define ISC_MMX 4
+/* Indicates the instruction belongs to the SSE set. */
+#define ISC_SSE 5
+/* Indicates the instruction belongs to the SSE2 set. */
+#define ISC_SSE2 6
+/* Indicates the instruction belongs to the SSE3 set. */
+#define ISC_SSE3 7
+/* Indicates the instruction belongs to the SSSE3 set. */
+#define ISC_SSSE3 8
+/* Indicates the instruction belongs to the SSE4.1 set. */
+#define ISC_SSE4_1 9
+/* Indicates the instruction belongs to the SSE4.2 set. */
+#define ISC_SSE4_2 10
+/* Indicates the instruction belongs to the AMD's SSE4.A set. */
+#define ISC_SSE4_A 11
+/* Indicates the instruction belongs to the 3DNow! set. */
+#define ISC_3DNOW 12
+/* Indicates the instruction belongs to the 3DNow! Extensions set. */
+#define ISC_3DNOWEXT 13
+/* Indicates the instruction belongs to the VMX (Intel) set. */
+#define ISC_VMX 14
+/* Indicates the instruction belongs to the SVM (AMD) set. */
+#define ISC_SVM 15
+/* Indicates the instruction belongs to the AVX (Intel) set. */
+#define ISC_AVX 16
+/* Indicates the instruction belongs to the FMA (Intel) set. */
+#define ISC_FMA 17
+/* Indicates the instruction belongs to the AES/AVX (Intel) set. */
+#define ISC_AES 18
+/* Indicates the instruction belongs to the CLMUL (Intel) set. */
+#define ISC_CLMUL 19
+
+/* Features for decompose: */
+#define DF_NONE 0
+/* The decoder will limit addresses to a maximum of 16 bits. */
+#define DF_MAXIMUM_ADDR16 1
+/* The decoder will limit addresses to a maximum of 32 bits. */
+#define DF_MAXIMUM_ADDR32 2
+/* The decoder will return only flow control instructions (and filter the others internally). */
+#define DF_RETURN_FC_ONLY 4
+/* The decoder will stop and return to the caller when the instruction 'CALL' (near and far) was decoded. */
+#define DF_STOP_ON_CALL 8
+/* The decoder will stop and return to the caller when the instruction 'RET' (near and far) was decoded. */
+#define DF_STOP_ON_RET 0x10
+/* The decoder will stop and return to the caller when the instruction system-call/ret was decoded. */
+#define DF_STOP_ON_SYS 0x20
+/* The decoder will stop and return to the caller when any of the branch 'JMP', (near and far) instructions were decoded. */
+#define DF_STOP_ON_BRANCH 0x40
+/* The decoder will stop and return to the caller when any of the conditional branch instruction were decoded. */
+#define DF_STOP_ON_COND_BRANCH 0x80
+/* The decoder will stop and return to the caller when the instruction 'INT' (INT, INT1, INTO, INT 3) was decoded. */
+#define DF_STOP_ON_INT 0x100
+/* The decoder will stop and return to the caller when any flow control instruction was decoded. */
+#define DF_STOP_ON_FLOW_CONTROL (DF_STOP_ON_CALL | DF_STOP_ON_RET | DF_STOP_ON_SYS | DF_STOP_ON_BRANCH | DF_STOP_ON_COND_BRANCH | DF_STOP_ON_INT)
+
+/* Indicates the instruction is not a flow-control instruction. */
+#define FC_NONE 0
+/* Indicates the instruction is one of: CALL, CALL FAR. */
+#define FC_CALL 1
+/* Indicates the instruction is one of: RET, IRET, RETF. */
+#define FC_RET 2
+/* Indicates the instruction is one of: SYSCALL, SYSRET, SYSENTER, SYSEXIT. */
+#define FC_SYS 3
+/* Indicates the instruction is one of: JMP, JMP FAR. */
+#define FC_BRANCH 4
+/*
+ * Indicates the instruction is one of:
+ * JCXZ, JO, JNO, JB, JAE, JZ, JNZ, JBE, JA, JS, JNS, JP, JNP, JL, JGE, JLE, JG, LOOP, LOOPZ, LOOPNZ.
+ */
+#define FC_COND_BRANCH 5
+/* Indiciates the instruction is one of: INT, INT1, INT 3, INTO, UD2. */
+#define FC_INT 6
+
+/* Return code of the decoding function. */
+typedef enum {DECRES_NONE, DECRES_SUCCESS, DECRES_MEMORYERR, DECRES_INPUTERR, DECRES_FILTERED} _DecodeResult;
+
+#ifndef _LIB /* Don't redefine those exports when compiling the library itself, only for library-user project. */
+
+/* distorm_decode
+ * Input:
+ *         offset - Origin of the given code (virtual address that is), NOT an offset in code.
+ *         code - Pointer to the code buffer to be disassembled.
+ *         length - Amount of bytes that should be decoded from the code buffer.
+ *         dt - Decoding mode, 16 bits (Decode16Bits), 32 bits (Decode32Bits) or AMD64 (Decode64Bits).
+ *         result - Array of type _DecodeInst which will be used by this function in order to return the disassembled instructions.
+ *         maxInstructions - The maximum number of entries in the result array that you pass to this function, so it won't exceed its bound.
+ *         usedInstructionsCount - Number of the instruction that successfully were disassembled and written to the result array.
+ * Output: usedInstructionsCount will hold the number of entries used in the result array
+ *         and the result array itself will be filled with the disassembled instructions.
+ * Return: DECRES_SUCCESS on success (no more to disassemble), DECRES_INPUTERR on input error (null code buffer, invalid decoding mode, etc...),
+ *         DECRES_MEMORYERR when there are not enough entries to use in the result array, BUT YOU STILL have to check for usedInstructionsCount!
+ * Side-Effects: Even if the return code is DECRES_MEMORYERR, there might STILL be data in the
+ *               array you passed, this function will try to use as much entries as possible!
+ * Notes:  1)The minimal size of maxInstructions is 15.
+ *         2)You will have to synchronize the offset,code and length by yourself if you pass code fragments and not a complete code block!
+ */
+#ifdef SUPPORT_64BIT_OFFSET
+	_DecodeResult distorm_decompose64(const _CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	_DecodeResult distorm_decode64(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	void distorm_format64(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
+	#define distorm_decompose distorm_decompose64
+	#define distorm_decode distorm_decode64
+	#define distorm_format distorm_format64
+#else
+	_DecodeResult distorm_decompose32(const _CodeInfo* ci, _DInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	_DecodeResult distorm_decode32(_OffsetType codeOffset, const unsigned char* code, int codeLen, _DecodeType dt, _DecodedInst result[], unsigned int maxInstructions, unsigned int* usedInstructionsCount);
+	void distorm_format32(const _CodeInfo* ci, const _DInst* di, _DecodedInst* result);
+	#define distorm_decompose distorm_decompose32
+	#define distorm_decode distorm_decode32
+	#define distorm_format distorm_format32
+#endif
+
+/*
+ * distorm_version
+ * Input:
+ *        none
+ *
+ * Output: unsigned int - version of compiled library.
+ */
+extern unsigned int distorm_version();
+
+#endif /* _LIB */
+
+#ifdef __cplusplus
+} /* End Of Extern */
+#endif
+
+#endif /* DISTORM_H */