Python源码示例：capstone.x86 模块（寄存器、操作数与指令分组常量的用法）

示例1
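def branchAddress(self):
        """Return the target address of this branch instruction.

        Abstract hook: concrete instruction classes are expected to override
        it. The original raised a bare string, which is a ``TypeError``
        ("exceptions must derive from BaseException") on Python 3 and so
        hid the real problem; raising ``NotImplementedError`` makes the
        missing override an explicit, catchable error.

        Raises:
            NotImplementedError: always.
        """
        raise NotImplementedError("not implemented")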

# represents x86 asm line 
示例2
def referencedString(self):
        """Return the string (if any) that this instruction references.

        Two addressing forms are recognised:
          * ``PUSH <imm>``          -- the immediate is treated as a VA;
          * ``<op>, [RIP + disp]``  -- only when the memory operand is the
            *second* operand; the VA is the address of the next instruction
            plus ``disp`` (RIP-relative stores in operand 0 are not examined).

        The VA is resolved through ``self._plugin.stringFromVA`` and the
        result is cached in ``self._refString`` (``''`` when nothing
        matched), so later calls return the cached value without a lookup.
        """
        if self._refString is not None:
            return self._refString

        insn = self._asm
        x86 = capstone.x86
        operands = insn.operands

        # Default: no referenced string.
        self._refString = ''

        # PUSH <imm>: the pushed immediate may point at a string.
        if insn.id == x86.X86_INS_PUSH and len(operands) == 1:
            first = operands[0]
            if first.type == x86.X86_OP_IMM:
                self._refString = self._plugin.stringFromVA(first.imm)

        # <dst>, [RIP + disp]: RIP-relative memory operand in second position.
        if len(operands) > 1:
            second = operands[1]
            if second.type == x86.X86_OP_MEM and second.mem.base == x86.X86_REG_RIP:
                target = insn.address + insn.size + second.mem.disp
                self._refString = self._plugin.stringFromVA(target)

        return self._refString
示例3
def symbol(self):
        """Resolve and cache the symbol this instruction refers to (API calls, mostly).

        Only instructions in capstone's CALL group are examined. The candidate
        address is taken from the *last* matching operand, in operand order:
          * an immediate            -> its value (direct call);
          * ``[RIP + disp]``        -> next-instruction address + disp;
          * ``[disp]`` with no base -> disp itself (mainly the 32-bit
                                       absolute import-slot form).
        Other base-register-relative memory operands are not resolved
        (see the TODO below). The address is passed to
        ``self._plugin.disasmSymbol``; a truthy result is cached in
        ``self._symbol``. A zero address is treated as "nothing to look up".

        Returns:
            The cached symbol, or None if none could be resolved.
        """
        if self._symbol is not None:
            return self._symbol

        if not self.ingroup([capstone.x86.X86_GRP_CALL]):
            return self._symbol

        x86 = capstone.x86
        insn = self._asm
        target = None

        for operand in insn.operands:
            if operand.type == x86.X86_OP_IMM:
                target = operand.imm
            elif operand.type == x86.X86_OP_MEM:
                base = operand.mem.base
                # TODO: should other base-register-relative operands be handled?
                if base == x86.X86_REG_RIP:
                    target = insn.address + insn.size + operand.mem.disp
                elif base == x86.X86_REG_INVALID:
                    # mainly 32bit: absolute [disp32] with no base register
                    target = operand.mem.disp

        if target:
            resolved = self._plugin.disasmSymbol(target)
            if resolved:
                self._symbol = resolved

        return self._symbol
示例4
def isBranch(self):
        """True if this instruction is a jump or a call.

        Delegates to ``self.ingroup`` with capstone's JUMP and CALL groups,
        so conditional jumps count as branches too.
        """
        branch_groups = [capstone.x86.X86_GRP_JUMP, capstone.x86.X86_GRP_CALL]
        return self.ingroup(branch_groups)
示例5
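def branchAddress(self):
        """Return the address a jump/call refers to, or None.

        Returns:
            * ``None``  -- not a branch (``self.isBranch()``), not exactly one
              operand, a register operand, or a memory operand whose location
              depends on a register at run time;
            * ``imm``   -- direct ``jmp/call <imm>``: capstone already reports
              the absolute target;
            * ``[RIP + disp]``            -> next-instruction address + disp;
            * ``[disp]`` (no base/index)  -> disp (the absolute form).

        For the two memory forms the value is the address of the *pointer
        slot* being read (e.g. an import-table entry), not the final target;
        only those forms can be resolved statically.

        Fix: the previous version applied ``address + size + disp`` to every
        memory operand, so ``call [rbx]`` or ``jmp [eax*4 + table]`` produced
        an unrelated address that downstream code could follow as a bogus
        branch target, and a 32-bit ``jmp [disp32]`` got a RIP-style offset
        added. Register-dependent operands now yield ``None`` and the
        no-base/no-index form yields ``disp`` (matching how the symbol lookup
        in this codebase treats ``X86_REG_INVALID``).
        """
        if not self.isBranch():
            return None

        insn = self.obj
        if len(insn.operands) != 1:
            return None

        operand = insn.operands[0]
        x86 = capstone.x86

        if operand.type == x86.X86_OP_IMM:
            return operand.imm

        if operand.type == x86.X86_OP_MEM:
            mem = operand.mem
            if mem.base == x86.X86_REG_RIP:
                # RIP-relative: displacement is from the next instruction.
                return insn.address + insn.size + mem.disp
            if mem.base == x86.X86_REG_INVALID and mem.index == x86.X86_REG_INVALID:
                # Absolute [disp32]: no register involved.
                return mem.disp

        return None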
示例6
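def fill_reg_map():
    """Populate ``CAPSTONE_REG_MAP['X86']`` and ``['AMD64']`` from capstone.

    Every ``X86_REG_*`` constant in ``capstone.x86`` is mapped from its
    numeric register id to its lower-cased name with the prefix removed
    (``X86_REG_RAX`` -> ``'rax'``). Capstone uses a single register enum
    for 32- and 64-bit x86, so both maps receive the same table. Existing
    entries in the maps are kept (an entry with the same id is overwritten),
    exactly as the original two loops did; capstone's ``X86_REG_ENDING``
    sentinel matches the prefix and is therefore mapped as well.
    """
    # TODO: Support more architectures
    prefix = 'X86_REG_'
    reg_names = {
        getattr(capstone.x86, attr): attr[len(prefix):].lower()
        for attr in dir(capstone.x86)
        if attr.startswith(prefix)
    }
    # One pass over the constants instead of two identical loops.
    for arch in ('X86', 'AMD64'):
        CAPSTONE_REG_MAP[arch].update(reg_names)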
示例7
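def _checkCode(self, rawCode):
        """Disassemble 16-bit boot code and record suspicious behaviour.

        ``rawCode`` is decoded as 16-bit real-mode x86 (``CS_MODE_16``) from
        offset 0; findings are appended to ``self._suspiciousBehaviour``
        (never cleared here). Two heuristics:

        * a JMP or CALL seen before the first RET records
          'JMP or CALL before relocation' (at most once); the search stops
          at the first JMP/CALL or RET;
        * an ``int`` whose vector is not 0x10, 0x13, 0x18 or 0x1a (the BIOS
          video/disk/boot-fail/time services a boot sector normally uses)
          records 'Unknown Interrupt : <vector>'.

        Limitation: capstone stops silently at the first undecodable byte,
        so nothing after an invalid opcode (or a deliberate decoy) is
        examined, and this function does not report that early stop.
        """
        md = capstone.Cs(capstone.CS_ARCH_X86, capstone.CS_MODE_16)
        md.detail = True   # required for i.groups to be populated

        # The group-based check needs all three constants. The original guard
        # tested only CALL and RET but then used X86_GRP_JUMP, which would
        # raise AttributeError on a capstone build lacking it.
        haveGroups = all(hasattr(capstone.x86, name)
                         for name in ('X86_GRP_CALL', 'X86_GRP_JUMP', 'X86_GRP_RET'))

        checkJmp = True
        for i in md.disasm(rawCode, 0):
            # Check for JUMPs and CALLs before the first PUSH/RET.
            if checkJmp and len(i.groups) > 0:
                if haveGroups:
                    # Group check if available
                    if capstone.x86.X86_GRP_CALL in i.groups or capstone.x86.X86_GRP_JUMP in i.groups:
                        self._suspiciousBehaviour.append('JMP or CALL before relocation')
                        checkJmp = False
                    elif capstone.x86.X86_GRP_RET in i.groups:
                        # Stop search after the first PUSH/RET
                        checkJmp = False
                else:
                    # Manual check in case capstone version doesn't support CALL and RET groups
                    if i.mnemonic[0] == 'j' or i.mnemonic == 'call':
                        self._suspiciousBehaviour.append('JMP or CALL before relocation')
                        checkJmp = False
                    elif i.mnemonic[:3] == 'ret':
                        # Stop search after the first PUSH/RET
                        checkJmp = False

            # Check for unknown interrupt. The 'int' mnemonic is the CD <imm8>
            # encoding, so the vector is the second opcode byte.
            if i.mnemonic == 'int' and i.bytes[1] not in (0x10, 0x13, 0x18, 0x1a):
                self._suspiciousBehaviour.append('Unknown Interrupt : {0:#x}'.format(i.bytes[1]))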