def dissemble_code(self, code, baseaddr): md = Cs(capstone.CS_ARCH_PPC, capstone.CS_MODE_32 | capstone.CS_MODE_BIG_ENDIAN) md.syntax = capstone.CS_OPT_SYNTAX_INTEL for (address, size, mnemonic, op_str) in md.disasm_lite(code, baseaddr): print "0x%x:\t%s\t%s" % (address, mnemonic, op_str)
def generate_rule(self): """ Generate Yara rule. Return a YaraRule object """ self.yr_rule.rule_name = self.rule_name self.yr_rule.metas["generated_by"] = "\"mkYARA - By Jelle Vergeer\"" self.yr_rule.metas["date"] = "\"{}\"".format(datetime.now().strftime("%Y-%m-%d %H:%M")) self.yr_rule.metas["version"] = "\"1.0\"" md = Cs(self.instruction_set, self.instruction_mode) md.detail = True md.syntax = CS_OPT_SYNTAX_INTEL chunk_nr = 0 for chunk in self._chunks: chunk_nr += 1 chunk_id = "$chunk_{}".format(chunk_nr) chunk_signature = "" chunk_comment = "" if chunk.is_data is False: disasm = md.disasm(chunk.data, chunk.offset) for ins in disasm: rule_part, comment = self._process_instruction(ins) rule_part = self.format_hex(rule_part) chunk_signature += rule_part + "\n" chunk_comment += comment + "\n" self.yr_rule.add_string(chunk_id, chunk_signature, StringType.HEX) if self.do_comment_sig: self.yr_rule.comments.append(chunk_comment) else: rule_part = self.format_hex(chunk.data.encode("hex")) self.yr_rule.add_string(chunk_id, rule_part, StringType.HEX) self.yr_rule.condition = "any of them" return self.yr_rule
def disasm_bytes(bytes, addr): md = Cs(CS_ARCH_ARM64, CS_MODE_ARM) md.syntax = CS_OPT_SYNTAX_ATT md.detail = True result = [] for ins in range(0, len(bytes), 4): disasm = list(md.disasm(bytes[ins:ins + 4], addr + ins)) if len(disasm): result += disasm else: # the instruction is invalid, so we craft a fake "nop" (to make the rest of the code work) # and we just overwrite it as data with a comment fake_ins = InstructionWrapper( list(md.disasm(b"\x1f\x20\x03\xd5", addr + ins))[0]) # bytes for nop fake_ins.mnemonic = ".quad 0x%x // invalid instruction" % int.from_bytes( bytes[ins:ins + 4], byteorder="little") # are we sure about 'little'? result += [fake_ins] return result