def jmp_parser(instruction_data, opcode_id, capstone_instance, d, pc):
if not u_li32(instruction_data[5:9]):
handler = idaapi.get_imagebase() + u_li32(instruction_data[9:13])
jmp_id = Instruction64.parse_handler(handler, capstone_instance)
vm_offset = d.find_instruction_by_id(jmp_id)
if jmp_id and not (vm_offset is None):
mnemonic = "vcall"
operand1 = InsOperand(vm_offset, is_vm_offset=True, mode=64)
operand2 = None
i = Instruction64(opcode_id,
instruction_data,
operand1,
operand2,
mnemonic,
is_call=True,
is_virtual_call=True,
call_handler=handler,
virtual_call_id=jmp_id)
return i
mnemonic = "jmp"
offset = (pc + u_li32(instruction_data[5:9])) & 0xFFFFFFFF
operand1 = InsOperand(offset, is_vm_offset=True, mode=64)
operand2 = None
i = Instruction64(opcode_id,
instruction_data,
operand1,
operand2,
mnemonic,
is_branch=True,
branch_target=offset)
return i
def shlr0imm8(instruction_data, opcode_id, capstone_instance, d, pc):
imm8 = u_li32(instruction_data[4:8]) & 0xff
mnem = "shl"
operand1 = InsOperand(0, is_tmp_reg=True)
operand2 = InsOperand(imm8, is_const=True)
i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem)
return i
def movr0refr0_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "mov"
operand1 = InsOperand(0, is_tmp_reg=True)
operand2 = InsOperand(0, is_ref_tmp_reg=True)
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_data_transfer=True)
return i
def addr0imm32_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "add"
operand1 = InsOperand(0, is_tmp_reg=True)
operand2 = InsOperand(u_li32(instruction_data[4:8]), is_const=True)
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_data_transfer=True)
return i
def bmovr0reg_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "bmov"
operand1 = InsOperand(0, is_tmp_reg=True)
r_index = u_li32(instruction_data[4:8])
operand2 = InsOperand(r_index, is_reg=True)
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_data_transfer=True)
return i
def movregrefr0_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "mov"
r_index = u_li32(instruction_data[4:8]) / 8
operand1 = InsOperand(r_index, is_reg=True, mode=64)
operand2 = InsOperand(0, is_ref_tmp_reg=True, mode=64)
i = Instruction64(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_data_transfer=True)
return i
def exmi_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mi_size = ord(instruction_data[1])
mi = instruction_data[4:4 + mi_size]
dl = list(capstone_instance.disasm(mi, 0))
if len(dl) > 1:
for d in dl:
print "%s %s" % (str(d.mnemonic), str(d.op_str))
raise Exception("1")
if len(dl) == 0:
print hex(pc)
hexdump(instruction_data)
raise Exception("2")
dl = dl[0]
mi_str = "%s %s" % (str(dl.mnemonic), str(dl.op_str))
mnem = "exmi"
operand1 = InsOperand(mi_str, is_machine_disassm=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_machine_code_exec=True)
return i
def unknown_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "Unknown INS: "
operand1 = InsOperand(hex(ord(instruction_data[0])), is_clean_str=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_bad_instruction=True)
return i
def jge_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "rmf.jge"
offset = (pc + u_li32(instruction_data[5:9])) & 0xFFFFFFFF
operand1 = InsOperand(offset, is_vm_offset=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_branch=True,
branch_target=offset)
return i
def apicall_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mi_size = ord(instruction_data[1])
mi = instruction_data[8:8 + mi_size]
mi_str = []
dl = list(capstone_instance.disasm(mi, 0))[0]
mnem = "apicall"
operand1 = InsOperand("%s %s" % (str(dl.mnemonic), str(dl.op_str)),
is_machine_disassm=True,
mode=64)
operand2 = None
i = Instruction64(opcode_id, instruction_data, operand1, operand2, mnem)
return i
def apicall_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mi_size = ord(instruction_data[1])
mi = instruction_data[8:8 + mi_size]
mi_str = []
dl = list(capstone_instance.disasm(mi, 0))[0]
if "0x" in dl.op_str:
m = re.search("0x([ABCDEFabcdef0-9]+)", str(dl.op_str))
if m:
api_offset = idaapi.get_imagebase() + int(m.group(1), 16)
api_name = idc.Name(api_offset)
if api_name:
mnem = "apicall"
operand1 = InsOperand(api_name, is_mf_name=True)
operand2 = None
i = Instruction32(opcode_id, instruction_data, operand1,
operand2, mnem)
return i
mnem = "apicall"
operand1 = InsOperand("%s %s" % (str(dl.mnemonic), str(dl.op_str)),
is_machine_disassm=True)
operand2 = None
i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem)
return i
def jmp_parser(instruction_data, opcode_id, capstone_instance, d, pc):
offset = u_li32(instruction_data[5:9])
if offset:
mnem = "jmp"
operand1 = InsOperand((offset + pc) & 0xFFFFFFFF, is_vm_offset=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_branch=True,
branch_target=(offset + pc) & 0xFFFFFFFF)
return i
else:
imm32 = u_li32(instruction_data[9:13])
mnem = "cmovnae"
operand2 = InsOperand(0, is_reg=True)
operand1 = InsOperand(imm32, is_const=True)
i = Instruction32(opcode_id, instruction_data, operand1, operand2,
mnem)
return i
def call_parser(instruction_data, opcode_id, capstone_instance, d, pc):
handler = idaapi.get_imagebase() + u_li32(instruction_data[8:12])
handler_name = idc.Name(handler)
if handler_name:
mnem = "mcall"
operand1 = InsOperand(handler_name, is_mf_name=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_call=True,
call_handler=handler)
return i
if idc.GetMnem(handler) in Instruction32.branching_mnemonics and idc.GetOpType(handler, 0) == idc.o_mem \
and idc.Name(idc.GetOperandValue(handler, 0)):
handler_name = idc.Name(idc.GetOperandValue(handler, 0))
mnem = "mcall"
operand1 = InsOperand(handler_name, is_mf_name=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_call=True,
call_handler=handler)
return i
jmp_id = Instruction32.parse_handler(handler, capstone_instance)
vm_offset = d.find_instruction_by_id(jmp_id)
if jmp_id and not (vm_offset is None):
mnem = "vcall"
operand1 = InsOperand(vm_offset, is_vm_offset=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_call=True,
call_handler=handler,
is_virtual_call=True,
virtual_call_id=jmp_id)
return i
mnem = "(d|ic; Handler: %s)jmp" % (hex(handler))
operand1 = InsOperand("<unparesd>", is_clean_str=True)
operand2 = None
i = Instruction32(opcode_id,
instruction_data,
operand1,
operand2,
mnem,
is_bad_instruction=True)
return i
def xorr0r0_parser(instruction_data, opcode_id, capstone_instance, d, pc):
mnem = "xor"
operand1 = InsOperand(0, is_tmp_reg=True)
operand2 = InsOperand(0, is_tmp_reg=True)
i = Instruction32(opcode_id, instruction_data, operand1, operand2, mnem)
return i