def assemble(asm_code, mode):
"""
Helper function to assemble code receive in parameter `asm_code` using Keystone.
@param asm_code : bytearray of N instructions, separated by ';'
@param mode : defines the mode to use Keystone with
@return a tuple of bytecodes as bytearray, along with the number of instruction compiled. If failed, the
bytearray will be empty, the count of instruction will be the negative number for the faulty line.
"""
arch, mode, endian = get_arch_mode("keystone", mode)
ks = keystone.Ks(arch, mode | endian)
if is_x86(mode) and mode.syntax == Syntax.ATT:
ks.syntax = keystone.KS_OPT_SYNTAX_ATT
bytecode = []
insns = asm_code.split(b';')
for i, insn in enumerate(insns):
try:
code, cnt = ks.asm(insn)
if cnt == 0:
return (b'', -(i + 1))
bytecode.append(bytearray(code))
except keystone.keystone.KsError as kse:
return (b'', -(i + 1))
return (b''.join(bytecode), i + 1)
def disassemble(raw_data, mode):
arch, mode, endian = get_arch_mode("capstone", mode)
cs = capstone.Cs(arch, mode | endian)
if is_x86(mode) and mode.syntax == Syntax.ATT:
cs.syntax = capstone.CS_OPT_SYNTAX_ATT
insns = ["{:s} {:s}".format(i.mnemonic, i.op_str) for i in cs.disasm(bytes(raw_data), 0x4000)]
return "\n".join(insns)
def disassemble_one_instruction(self, code, addr):
curarch = self.parent.arch
arch, mode, endian = get_arch_mode("capstone", curarch)
cs = capstone.Cs(arch, mode | endian)
if is_x86(curarch) and curarch.syntax == Syntax.ATT:
cs.syntax = capstone.CS_OPT_SYNTAX_ATT
for i in cs.disasm(bytes(code), addr):
return i
def create_new_vm(self):
arch, mode, endian = get_arch_mode("unicorn", self.parent.arch)
self.vm = unicorn.Uc(arch, mode | endian)
self.vm.hook_add(unicorn.UC_HOOK_BLOCK, self.hook_block)
self.vm.hook_add(unicorn.UC_HOOK_CODE, self.hook_code)
self.vm.hook_add(unicorn.UC_HOOK_INTR, self.hook_interrupt)
self.vm.hook_add(unicorn.UC_HOOK_MEM_WRITE, self.hook_mem_access)
self.vm.hook_add(unicorn.UC_HOOK_MEM_READ, self.hook_mem_access)
if is_x86(self.parent.arch):
self.vm.hook_add(unicorn.UC_HOOK_INSN, self.hook_syscall, None, 1,
0, unicorn.x86_const.UC_X86_INS_SYSCALL)
return
def assemble(asm_code, mode):
arch, mode, endian = get_arch_mode("keystone", mode)
ks = keystone.Ks(arch, mode | endian)
if is_x86(mode) and mode.syntax == Syntax.ATT:
ks.syntax = keystone.KS_OPT_SYNTAX_ATT
try:
code, cnt = ks.asm(asm_code)
if cnt == 0:
code = b""
code = bytes(bytearray(code))
except keystone.keystone.KsError:
code, cnt = (b"", -1)
return (code, cnt)
def assemble(asm_code, mode):
"""
Helper function to assemble code receive in parameter `asm_code` using Keystone.
@param asm_code : assembly code in bytes (multiple instructions must be separated by ';')
@param mode : defines the mode to use Keystone with
@return a tuple of bytecodes as bytearray, along with the number of instruction compiled. If failed, the
bytearray will be empty, the count of instruction will be the negative number for the faulty line.
"""
arch, mode, endian = get_arch_mode("keystone", mode)
ks = keystone.Ks(arch, mode | endian)
if is_x86(mode) and mode.syntax == Syntax.ATT:
ks.syntax = keystone.KS_OPT_SYNTAX_ATT
try:
bytecode, cnt = ks.asm(asm_code, as_bytes=True)
except keystone.keystone.KsError as kse:
return (b'', kse.get_asm_count())
return (bytecode, cnt)
def unicorn_register(self, reg):
curarch = self.parent.arch
if is_x86(curarch):
return getattr(unicorn.x86_const, "UC_X86_REG_%s" % reg.upper())
if is_arm(curarch) or is_arm_thumb(curarch):
return getattr(unicorn.arm_const, "UC_ARM_REG_%s" % reg.upper())
if is_aarch64(curarch):
return getattr(unicorn.arm64_const,
"UC_ARM64_REG_%s" % reg.upper())
# if is_ppc(curarch):
# return getattr(unicorn.ppc_const, "UC_PPC_REG_%s" % reg.upper())
if is_mips(curarch) or is_mips64(curarch):
return getattr(unicorn.mips_const, "UC_MIPS_REG_%s" % reg.upper())
if is_sparc(curarch) or is_sparc64(curarch):
return getattr(unicorn.sparc_const,
"UC_SPARC_REG_%s" % reg.upper())
raise Exception("Cannot find register '%s' for arch '%s'" %
(reg, curarch))