You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
197 lines
5.3 KiB
197 lines
5.3 KiB
VERSION 1.0 CLASS |
|
BEGIN |
|
MultiUse = -1 'True |
|
Persistable = 0 'NotPersistable |
|
DataBindingBehavior = 0 'vbNone |
|
DataSourceBehavior = 0 'vbNone |
|
MTSTransactionMode = 0 'NotAnMTSObject |
|
END |
|
Attribute VB_Name = "CX86Inst" |
|
Attribute VB_GlobalNameSpace = False |
|
Attribute VB_Creatable = True |
|
Attribute VB_PredeclaredId = False |
|
Attribute VB_Exposed = False |
|
Option Explicit |
|
|
|
'Capstone Disassembly Engine bindings for VB6 |
|
'Contributed by FireEye FLARE Team |
|
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com> |
|
'License: Apache |
|
'Copyright: FireEye 2017 |
|
|
|
|
|
'// Instruction structure sizeof() = 432 bytes |
|
'typedef struct cs_x86 { |
|
' // Instruction prefix, which can be up to 4 bytes. |
|
' // A prefix byte gets value 0 when irrelevant. |
|
' // prefix[0] indicates REP/REPNE/LOCK prefix (See X86_PREFIX_REP/REPNE/LOCK above) |
|
' // prefix[1] indicates segment override (irrelevant for x86_64): |
|
' // See X86_PREFIX_CS/SS/DS/ES/FS/GS above. |
|
' // prefix[2] indicates operand-size override (X86_PREFIX_OPSIZE) |
|
' // prefix[3] indicates address-size override (X86_PREFIX_ADDRSIZE) |
|
' uint8_t prefix[4]; |
|
' |
|
' // Instruction opcode, wich can be from 1 to 4 bytes in size. |
|
' // This contains VEX opcode as well. |
|
' // An trailing opcode byte gets value 0 when irrelevant. |
|
' uint8_t opcode[4]; |
|
' |
|
' // REX prefix: only a non-zero value is relavant for x86_64 |
|
' uint8_t rex; |
|
' |
|
' // Address size, which can be overrided with above prefix[5]. |
|
' uint8_t addr_size; |
|
' |
|
' // ModR/M byte |
|
' uint8_t modrm; |
|
' |
|
' // SIB value, or 0 when irrelevant. |
|
' uint8_t sib; |
|
' |
|
' // Displacement value, or 0 when irrelevant. |
|
' int32_t disp; |
|
' |
|
' /* SIB state */ |
|
' // SIB index register, or X86_REG_INVALID when irrelevant. |
|
' x86_reg sib_index; |
|
' // SIB scale. only applicable if sib_index is relavant. |
|
' int8_t sib_scale; |
|
' // SIB base register, or X86_REG_INVALID when irrelevant. |
|
' x86_reg sib_base; |
|
' |
|
' // SSE Code Condition |
|
' x86_sse_cc sse_cc; |
|
' |
|
' // AVX Code Condition |
|
' x86_avx_cc avx_cc; |
|
' |
|
' // AVX Suppress all Exception |
|
' bool avx_sae; |
|
' |
|
' // AVX static rounding mode |
|
' x86_avx_rm avx_rm; |
|
' |
|
' // Number of operands of this instruction, |
|
' // or 0 when instruction has no operand. |
|
' uint8_t op_count; |
|
' |
|
' cs_x86_op operands[8]; // operands for this instruction. |
|
'} cs_x86; |
|
|
|
Private m_prefix() As Byte |
|
Private m_opcode() As Byte |
|
Public rex As Byte |
|
Public addr_size As Byte |
|
Public modrm As Byte |
|
Public sib As Byte |
|
Public disp As Long |
|
Public sib_index As x86_reg |
|
Public sib_scale As Byte |
|
Public sib_base As x86_reg |
|
Public sse_cc As x86_sse_cc |
|
Public avx_cc As x86_avx_cc |
|
Public avx_sae As Boolean |
|
Public avx_rm As x86_avx_rm |
|
Public operands As New Collection |
|
|
|
Public parent As CDisassembler |
|
Private hEngine As Long |
|
Private m_raw() As Byte |
|
|
|
Property Get prefix() As Byte() |
|
prefix = m_prefix |
|
End Property |
|
|
|
Property Get opcode() As Byte() |
|
opcode = m_opcode |
|
End Property |
|
|
|
Function toString() As String |
|
|
|
Dim r() As String |
|
Dim o As CX86Operand |
|
|
|
push r, "X86 Instruction Details:" |
|
push r, String(40, "-") |
|
|
|
If DEBUG_DUMP Then |
|
push r, "Raw: " |
|
push r, HexDump(m_raw) |
|
End If |
|
|
|
push r, "Prefix: " & b2Str(m_prefix) |
|
push r, "OpCode: " & b2Str(m_opcode) |
|
push r, "Rex: " & rex |
|
push r, "addr_size: " & addr_size |
|
push r, "modrm: " & Hex(modrm) |
|
push r, "disp: " & Hex(disp) |
|
|
|
If parent.mode <> CS_MODE_16 Then |
|
push r, "sib: " & Hex(sib) |
|
push r, "sib_index: " & regName(hEngine, sib_index) |
|
push r, "sib_scale: " & Hex(sib_scale) |
|
push r, "sib_base: " & regName(hEngine, sib_base) |
|
End If |
|
|
|
If sse_cc <> 0 Then push r, "sse_cc: " & x86_sse_cc2str(sse_cc) |
|
If avx_cc <> 0 Then push r, "avx_cc: " & x86_avx_cc2str(avx_cc) |
|
If avx_sae <> 0 Then push r, "avx_sae: " & avx_sae |
|
If avx_rm <> 0 Then push r, "avx_rm: " & x86_avx_rm2str(avx_rm) |
|
|
|
push r, "Operands: " & operands.count |
|
|
|
For Each o In operands |
|
push r, String(40, "-") |
|
push r, o.toString |
|
Next |
|
|
|
toString = Join(r, vbCrLf) |
|
|
|
End Function |
|
|
|
Friend Sub LoadDetails(lpStruct As Long, parent As CDisassembler) |
|
|
|
Dim cs As cs_x86 |
|
Dim o As CX86Operand |
|
Dim ptr As Long |
|
Dim i As Long |
|
|
|
Const sizeOfx86Operand = 48 |
|
|
|
Set Me.parent = parent |
|
hEngine = parent.hCapstone |
|
|
|
CopyMemory ByVal VarPtr(cs), ByVal lpStruct, LenB(cs) |
|
|
|
If DEBUG_DUMP Then |
|
ReDim m_raw(LenB(cs)) |
|
CopyMemory ByVal VarPtr(m_raw(0)), ByVal lpStruct, LenB(cs) |
|
End If |
|
|
|
Me.rex = cs.rex |
|
Me.addr_size = cs.addr_size |
|
Me.modrm = cs.modrm |
|
Me.sib = cs.sib |
|
Me.disp = cs.disp |
|
Me.sib_index = cs.sib_index |
|
Me.sib_scale = cs.sib_scale |
|
Me.sib_base = cs.sib_base |
|
Me.sse_cc = cs.sse_cc |
|
Me.avx_cc = cs.avx_cc |
|
Me.avx_sae = cs.avx_sae |
|
Me.avx_rm = cs.avx_rm |
|
m_prefix = cs.prefix |
|
m_opcode = cs.opcode |
|
|
|
ptr = lpStruct + LenB(cs) 'we dont include the operands in our vb struct.. |
|
For i = 1 To cs.op_count |
|
Set o = New CX86Operand |
|
o.LoadDetails ptr, hEngine |
|
operands.Add o |
|
ptr = ptr + sizeOfx86Operand |
|
Next |
|
|
|
|
|
|
|
End Sub |
|
|
|
|