예제 #1
0
 def dissemble_code(self, code, baseaddr):
     md = Cs(capstone.CS_ARCH_PPC,
             capstone.CS_MODE_32 | capstone.CS_MODE_BIG_ENDIAN)
     md.syntax = capstone.CS_OPT_SYNTAX_INTEL
     for (address, size, mnemonic,
          op_str) in md.disasm_lite(code, baseaddr):
         print "0x%x:\t%s\t%s" % (address, mnemonic, op_str)
예제 #2
0
    def generate_rule(self):
        """ Generate Yara rule. Return a YaraRule object """
        self.yr_rule.rule_name = self.rule_name
        self.yr_rule.metas["generated_by"] = "\"mkYARA - By Jelle Vergeer\""
        self.yr_rule.metas["date"] = "\"{}\"".format(datetime.now().strftime("%Y-%m-%d %H:%M"))
        self.yr_rule.metas["version"] = "\"1.0\""

        md = Cs(self.instruction_set, self.instruction_mode)
        md.detail = True
        md.syntax = CS_OPT_SYNTAX_INTEL
        chunk_nr = 0

        for chunk in self._chunks:
            chunk_nr += 1
            chunk_id = "$chunk_{}".format(chunk_nr)
            chunk_signature = ""
            chunk_comment = ""
            if chunk.is_data is False:
                disasm = md.disasm(chunk.data, chunk.offset)
                for ins in disasm:
                    rule_part, comment = self._process_instruction(ins)
                    rule_part = self.format_hex(rule_part)
                    chunk_signature += rule_part + "\n"
                    chunk_comment += comment + "\n"
                self.yr_rule.add_string(chunk_id, chunk_signature, StringType.HEX)
                if self.do_comment_sig:
                    self.yr_rule.comments.append(chunk_comment)
            else:
                rule_part = self.format_hex(chunk.data.encode("hex"))
                self.yr_rule.add_string(chunk_id, rule_part, StringType.HEX)

        self.yr_rule.condition = "any of them"
        return self.yr_rule
예제 #3
0
def disasm_bytes(bytes, addr):
    md = Cs(CS_ARCH_ARM64, CS_MODE_ARM)
    md.syntax = CS_OPT_SYNTAX_ATT
    md.detail = True
    result = []
    for ins in range(0, len(bytes), 4):
        disasm = list(md.disasm(bytes[ins:ins + 4], addr + ins))
        if len(disasm):
            result += disasm
        else:
            # the instruction is invalid, so we craft a fake "nop" (to make the rest of the code work)
            # and we just overwrite it as data with a comment
            fake_ins = InstructionWrapper(
                list(md.disasm(b"\x1f\x20\x03\xd5",
                               addr + ins))[0])  # bytes for nop
            fake_ins.mnemonic = ".quad 0x%x // invalid instruction" % int.from_bytes(
                bytes[ins:ins + 4],
                byteorder="little")  # are we sure about 'little'?
            result += [fake_ins]
    return result