Ejemplo n.º 1
0
def jmp_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    if not u_li32(instruction_data[5:9]):
        handler = idaapi.get_imagebase() + u_li32(instruction_data[9:13])

        jmp_id = Instruction64.parse_handler(handler, capstone_instance)
        vm_offset = d.find_instruction_by_id(jmp_id)
        if jmp_id and not (vm_offset is None):
            mnemonic = "vcall"
            operand1 = InsOperand(vm_offset, is_vm_offset=True, mode=64)
            operand2 = None

            i = Instruction64(opcode_id,
                              instruction_data,
                              operand1,
                              operand2,
                              mnemonic,
                              is_call=True,
                              is_virtual_call=True,
                              call_handler=handler,
                              virtual_call_id=jmp_id)
            return i

    mnemonic = "jmp"
    offset = (pc + u_li32(instruction_data[5:9])) & 0xFFFFFFFF
    operand1 = InsOperand(offset, is_vm_offset=True, mode=64)
    operand2 = None
    i = Instruction64(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnemonic,
                      is_branch=True,
                      branch_target=offset)

    return i
Ejemplo n.º 2
0
def shlr0imm8(instruction_data, opcode_id, capstone_instance, d, pc):
    imm8 = u_li32(instruction_data[4:8]) & 0xff
    mnem = "shl"
    operand1 = InsOperand(0, is_tmp_reg=True)
    operand2 = InsOperand(imm8, is_const=True)
    i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem)
    return i
Ejemplo n.º 3
0
def movr0refr0_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "mov"
    operand1 = InsOperand(0, is_tmp_reg=True)
    operand2 = InsOperand(0, is_ref_tmp_reg=True)
    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_data_transfer=True)
    return i
Ejemplo n.º 4
0
def addr0imm32_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "add"
    operand1 = InsOperand(0, is_tmp_reg=True)
    operand2 = InsOperand(u_li32(instruction_data[4:8]), is_const=True)
    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_data_transfer=True)
    return i
Ejemplo n.º 5
0
def bmovr0reg_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "bmov"
    operand1 = InsOperand(0, is_tmp_reg=True)
    r_index = u_li32(instruction_data[4:8])
    operand2 = InsOperand(r_index, is_reg=True)
    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_data_transfer=True)
    return i
Ejemplo n.º 6
0
def movregrefr0_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "mov"
    r_index = u_li32(instruction_data[4:8]) / 8
    operand1 = InsOperand(r_index, is_reg=True, mode=64)
    operand2 = InsOperand(0, is_ref_tmp_reg=True, mode=64)
    i = Instruction64(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_data_transfer=True)
    return i
Ejemplo n.º 7
0
def exmi_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mi_size = ord(instruction_data[1])
    mi = instruction_data[4:4 + mi_size]

    dl = list(capstone_instance.disasm(mi, 0))
    if len(dl) > 1:
        for d in dl:
            print "%s %s" % (str(d.mnemonic), str(d.op_str))
        raise Exception("1")

    if len(dl) == 0:
        print hex(pc)
        hexdump(instruction_data)
        raise Exception("2")
    dl = dl[0]

    mi_str = "%s %s" % (str(dl.mnemonic), str(dl.op_str))
    mnem = "exmi"
    operand1 = InsOperand(mi_str, is_machine_disassm=True)
    operand2 = None

    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_machine_code_exec=True)
    return i
Ejemplo n.º 8
0
def unknown_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "Unknown INS: "
    operand1 = InsOperand(hex(ord(instruction_data[0])), is_clean_str=True)
    operand2 = None
    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_bad_instruction=True)
    return i
Ejemplo n.º 9
0
def jge_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "rmf.jge"
    offset = (pc + u_li32(instruction_data[5:9])) & 0xFFFFFFFF
    operand1 = InsOperand(offset, is_vm_offset=True)
    operand2 = None
    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_branch=True,
                      branch_target=offset)
    return i
Ejemplo n.º 10
0
def apicall_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mi_size = ord(instruction_data[1])
    mi = instruction_data[8:8 + mi_size]
    mi_str = []
    dl = list(capstone_instance.disasm(mi, 0))[0]

    mnem = "apicall"
    operand1 = InsOperand("%s %s" % (str(dl.mnemonic), str(dl.op_str)),
                          is_machine_disassm=True,
                          mode=64)
    operand2 = None
    i = Instruction64(opcode_id, instruction_data, operand1, operand2, mnem)
    return i
Ejemplo n.º 11
0
def apicall_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mi_size = ord(instruction_data[1])
    mi = instruction_data[8:8 + mi_size]
    mi_str = []
    dl = list(capstone_instance.disasm(mi, 0))[0]
    if "0x" in dl.op_str:
        m = re.search("0x([ABCDEFabcdef0-9]+)", str(dl.op_str))
        if m:
            api_offset = idaapi.get_imagebase() + int(m.group(1), 16)
            api_name = idc.Name(api_offset)
            if api_name:
                mnem = "apicall"
                operand1 = InsOperand(api_name, is_mf_name=True)
                operand2 = None
                i = Instruction32(opcode_id, instruction_data, operand1,
                                  operand2, mnem)
                return i
    mnem = "apicall"
    operand1 = InsOperand("%s %s" % (str(dl.mnemonic), str(dl.op_str)),
                          is_machine_disassm=True)
    operand2 = None
    i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem)
    return i
Ejemplo n.º 12
0
def jmp_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    offset = u_li32(instruction_data[5:9])
    if offset:
        mnem = "jmp"
        operand1 = InsOperand((offset + pc) & 0xFFFFFFFF, is_vm_offset=True)
        operand2 = None
        i = Instruction32(opcode_id,
                          instruction_data,
                          operand1,
                          operand2,
                          mnem,
                          is_branch=True,
                          branch_target=(offset + pc) & 0xFFFFFFFF)
        return i

    else:
        imm32 = u_li32(instruction_data[9:13])
        mnem = "cmovnae"
        operand2 = InsOperand(0, is_reg=True)
        operand1 = InsOperand(imm32, is_const=True)
        i = Instruction32(opcode_id, instruction_data, operand1, operand2,
                          mnem)
        return i
Ejemplo n.º 13
0
def call_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    handler = idaapi.get_imagebase() + u_li32(instruction_data[8:12])
    handler_name = idc.Name(handler)
    if handler_name:
        mnem = "mcall"
        operand1 = InsOperand(handler_name, is_mf_name=True)
        operand2 = None

        i = Instruction32(opcode_id,
                          instruction_data,
                          operand1,
                          operand2,
                          mnem,
                          is_call=True,
                          call_handler=handler)

        return i

    if idc.GetMnem(handler) in Instruction32.branching_mnemonics and idc.GetOpType(handler, 0) == idc.o_mem \
            and idc.Name(idc.GetOperandValue(handler, 0)):
        handler_name = idc.Name(idc.GetOperandValue(handler, 0))
        mnem = "mcall"
        operand1 = InsOperand(handler_name, is_mf_name=True)
        operand2 = None

        i = Instruction32(opcode_id,
                          instruction_data,
                          operand1,
                          operand2,
                          mnem,
                          is_call=True,
                          call_handler=handler)

        return i

    jmp_id = Instruction32.parse_handler(handler, capstone_instance)
    vm_offset = d.find_instruction_by_id(jmp_id)
    if jmp_id and not (vm_offset is None):
        mnem = "vcall"
        operand1 = InsOperand(vm_offset, is_vm_offset=True)
        operand2 = None
        i = Instruction32(opcode_id,
                          instruction_data,
                          operand1,
                          operand2,
                          mnem,
                          is_call=True,
                          call_handler=handler,
                          is_virtual_call=True,
                          virtual_call_id=jmp_id)
        return i

    mnem = "(d|ic; Handler: %s)jmp" % (hex(handler))
    operand1 = InsOperand("<unparesd>", is_clean_str=True)
    operand2 = None
    i = Instruction32(opcode_id,
                      instruction_data,
                      operand1,
                      operand2,
                      mnem,
                      is_bad_instruction=True)
    return i
Ejemplo n.º 14
0
def xorr0r0_parser(instruction_data, opcode_id, capstone_instance, d, pc):
    mnem = "xor"
    operand1 = InsOperand(0, is_tmp_reg=True)
    operand2 = InsOperand(0, is_tmp_reg=True)
    i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem)
    return i