├── ReadMe.md ├── capstone ├── dll │ ├── 32 │ │ └── capstone.dll │ └── 64 │ │ └── capstone.dll ├── include │ ├── arm.h │ ├── arm64.h │ ├── capstone.h │ ├── m68k.h │ ├── mips.h │ ├── platform.h │ ├── ppc.h │ ├── sparc.h │ ├── systemz.h │ ├── x86.h │ └── xcore.h └── lib │ ├── capstone_x64.lib │ └── capstone_x86.lib ├── unicorn ├── unicorn_wscript.sln └── unicorn_wscript ├── Capstone.cpp ├── Capstone.h ├── PeEmu.cpp ├── PeEmu.h ├── WinDllJson.cpp ├── WinDllJson.h ├── emuwindows.cpp ├── emuwindows.h ├── main.cpp ├── mem.cpp ├── mem.h ├── nativestructs.h ├── puPEinfoData.cpp ├── puPEinfoData.h ├── unicorn_wscript.vcxproj ├── unicorn_wscript.vcxproj.filters ├── unicorn_wscript.vcxproj.user ├── windows.cpp └── windows.h /ReadMe.md: -------------------------------------------------------------------------------- 1 | ### Unicorn : 2 | 3 |   学习笔记,基于Unicorn封装一套PE分析环境,Unicorn提供了Cpu仿真能力。 4 | 5 | ### 代码思路: 6 | 7 |   仿真和传统概念os有诸多不同,代码访问os所需要资源数据,都要虚拟内存中构造,包括Peb/Teb/Ldr/线程管理/堆管理/句柄管理/文件管理/多线程/异步同步/Api模拟等等,经过几周的踩坑做了轮子demo,基础环境执行需要如下几个模块: 8 | 9 | 1. 进程空间栈/堆空间/GDT/代码映射。 10 | 2. 初始化PEB/TEB/PEB_LDR__DATA/Register。 11 | 3. 加载导入SystemDLL - 修复IAT重定位(虚拟地址) 12 | 4. 样本自身的Iat/重定位。 13 | 5. 设置函数回调,处理Api执行。 14 | 6. 
异常处理 15 | 16 | ###### 代码不完善,还不能运行到oep,近期补齐。 17 | 18 | ### 参考源码: 19 | 20 | unicorn: https://github.com/unicorn-engine/unicorn 21 | 22 | unicorn_pe: https://github.com/hzqst/unicorn_pe 23 | 24 | -------------------------------------------------------------------------------- /capstone/dll/32/capstone.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/unicorn_peEmu/4cb5a9ec77588c0468091ee661a9e091f6757cbe/capstone/dll/32/capstone.dll -------------------------------------------------------------------------------- /capstone/dll/64/capstone.dll: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/unicorn_peEmu/4cb5a9ec77588c0468091ee661a9e091f6757cbe/capstone/dll/64/capstone.dll -------------------------------------------------------------------------------- /capstone/include/arm.h: -------------------------------------------------------------------------------- 1 | #ifndef CAPSTONE_ARM_H 2 | #define CAPSTONE_ARM_H 3 | 4 | /* Capstone Disassembly Engine */ 5 | /* By Nguyen Anh Quynh , 2013-2015 */ 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | #include "platform.h" 12 | 13 | #ifdef _MSC_VER 14 | #pragma warning(disable:4201) 15 | #endif 16 | 17 | //> ARM shift type 18 | typedef enum arm_shifter 19 | { 20 | ARM_SFT_INVALID = 0, 21 | ARM_SFT_ASR, // shift with immediate const 22 | ARM_SFT_LSL, // shift with immediate const 23 | ARM_SFT_LSR, // shift with immediate const 24 | ARM_SFT_ROR, // shift with immediate const 25 | ARM_SFT_RRX, // shift with immediate const 26 | ARM_SFT_ASR_REG, // shift with register 27 | ARM_SFT_LSL_REG, // shift with register 28 | ARM_SFT_LSR_REG, // shift with register 29 | ARM_SFT_ROR_REG, // shift with register 30 | ARM_SFT_RRX_REG, // shift with register 31 | } arm_shifter; 32 | 33 | //> ARM condition code 34 | typedef enum arm_cc 35 | { 36 | ARM_CC_INVALID = 0, 37 | 
ARM_CC_EQ, // Equal Equal 38 | ARM_CC_NE, // Not equal Not equal, or unordered 39 | ARM_CC_HS, // Carry set >, ==, or unordered 40 | ARM_CC_LO, // Carry clear Less than 41 | ARM_CC_MI, // Minus, negative Less than 42 | ARM_CC_PL, // Plus, positive or zero >, ==, or unordered 43 | ARM_CC_VS, // Overflow Unordered 44 | ARM_CC_VC, // No overflow Not unordered 45 | ARM_CC_HI, // Unsigned higher Greater than, or unordered 46 | ARM_CC_LS, // Unsigned lower or same Less than or equal 47 | ARM_CC_GE, // Greater than or equal Greater than or equal 48 | ARM_CC_LT, // Less than Less than, or unordered 49 | ARM_CC_GT, // Greater than Greater than 50 | ARM_CC_LE, // Less than or equal <, ==, or unordered 51 | ARM_CC_AL // Always (unconditional) Always (unconditional) 52 | } arm_cc; 53 | 54 | typedef enum arm_sysreg 55 | { 56 | //> Special registers for MSR 57 | ARM_SYSREG_INVALID = 0, 58 | 59 | // SPSR* registers can be OR combined 60 | ARM_SYSREG_SPSR_C = 1, 61 | ARM_SYSREG_SPSR_X = 2, 62 | ARM_SYSREG_SPSR_S = 4, 63 | ARM_SYSREG_SPSR_F = 8, 64 | 65 | // CPSR* registers can be OR combined 66 | ARM_SYSREG_CPSR_C = 16, 67 | ARM_SYSREG_CPSR_X = 32, 68 | ARM_SYSREG_CPSR_S = 64, 69 | ARM_SYSREG_CPSR_F = 128, 70 | 71 | // independent registers 72 | ARM_SYSREG_APSR = 256, 73 | ARM_SYSREG_APSR_G, 74 | ARM_SYSREG_APSR_NZCVQ, 75 | ARM_SYSREG_APSR_NZCVQG, 76 | 77 | ARM_SYSREG_IAPSR, 78 | ARM_SYSREG_IAPSR_G, 79 | ARM_SYSREG_IAPSR_NZCVQG, 80 | ARM_SYSREG_IAPSR_NZCVQ, 81 | 82 | ARM_SYSREG_EAPSR, 83 | ARM_SYSREG_EAPSR_G, 84 | ARM_SYSREG_EAPSR_NZCVQG, 85 | ARM_SYSREG_EAPSR_NZCVQ, 86 | 87 | ARM_SYSREG_XPSR, 88 | ARM_SYSREG_XPSR_G, 89 | ARM_SYSREG_XPSR_NZCVQG, 90 | ARM_SYSREG_XPSR_NZCVQ, 91 | 92 | ARM_SYSREG_IPSR, 93 | ARM_SYSREG_EPSR, 94 | ARM_SYSREG_IEPSR, 95 | 96 | ARM_SYSREG_MSP, 97 | ARM_SYSREG_PSP, 98 | ARM_SYSREG_PRIMASK, 99 | ARM_SYSREG_BASEPRI, 100 | ARM_SYSREG_BASEPRI_MAX, 101 | ARM_SYSREG_FAULTMASK, 102 | ARM_SYSREG_CONTROL, 103 | 104 | // Banked Registers 105 | ARM_SYSREG_R8_USR, 106 
| ARM_SYSREG_R9_USR, 107 | ARM_SYSREG_R10_USR, 108 | ARM_SYSREG_R11_USR, 109 | ARM_SYSREG_R12_USR, 110 | ARM_SYSREG_SP_USR, 111 | ARM_SYSREG_LR_USR, 112 | ARM_SYSREG_R8_FIQ, 113 | ARM_SYSREG_R9_FIQ, 114 | ARM_SYSREG_R10_FIQ, 115 | ARM_SYSREG_R11_FIQ, 116 | ARM_SYSREG_R12_FIQ, 117 | ARM_SYSREG_SP_FIQ, 118 | ARM_SYSREG_LR_FIQ, 119 | ARM_SYSREG_LR_IRQ, 120 | ARM_SYSREG_SP_IRQ, 121 | ARM_SYSREG_LR_SVC, 122 | ARM_SYSREG_SP_SVC, 123 | ARM_SYSREG_LR_ABT, 124 | ARM_SYSREG_SP_ABT, 125 | ARM_SYSREG_LR_UND, 126 | ARM_SYSREG_SP_UND, 127 | ARM_SYSREG_LR_MON, 128 | ARM_SYSREG_SP_MON, 129 | ARM_SYSREG_ELR_HYP, 130 | ARM_SYSREG_SP_HYP, 131 | 132 | ARM_SYSREG_SPSR_FIQ, 133 | ARM_SYSREG_SPSR_IRQ, 134 | ARM_SYSREG_SPSR_SVC, 135 | ARM_SYSREG_SPSR_ABT, 136 | ARM_SYSREG_SPSR_UND, 137 | ARM_SYSREG_SPSR_MON, 138 | ARM_SYSREG_SPSR_HYP, 139 | } arm_sysreg; 140 | 141 | //> The memory barrier constants map directly to the 4-bit encoding of 142 | //> the option field for Memory Barrier operations. 143 | typedef enum arm_mem_barrier 144 | { 145 | ARM_MB_INVALID = 0, 146 | ARM_MB_RESERVED_0, 147 | ARM_MB_OSHLD, 148 | ARM_MB_OSHST, 149 | ARM_MB_OSH, 150 | ARM_MB_RESERVED_4, 151 | ARM_MB_NSHLD, 152 | ARM_MB_NSHST, 153 | ARM_MB_NSH, 154 | ARM_MB_RESERVED_8, 155 | ARM_MB_ISHLD, 156 | ARM_MB_ISHST, 157 | ARM_MB_ISH, 158 | ARM_MB_RESERVED_12, 159 | ARM_MB_LD, 160 | ARM_MB_ST, 161 | ARM_MB_SY, 162 | } arm_mem_barrier; 163 | 164 | //> Operand type for instruction's operands 165 | typedef enum arm_op_type 166 | { 167 | ARM_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). 168 | ARM_OP_REG, // = CS_OP_REG (Register operand). 169 | ARM_OP_IMM, // = CS_OP_IMM (Immediate operand). 170 | ARM_OP_MEM, // = CS_OP_MEM (Memory operand). 171 | ARM_OP_FP, // = CS_OP_FP (Floating-Point operand). 
172 | ARM_OP_CIMM = 64, // C-Immediate (coprocessor registers) 173 | ARM_OP_PIMM, // P-Immediate (coprocessor registers) 174 | ARM_OP_SETEND, // operand for SETEND instruction 175 | ARM_OP_SYSREG, // MSR/MRS special register operand 176 | } arm_op_type; 177 | 178 | //> Operand type for SETEND instruction 179 | typedef enum arm_setend_type 180 | { 181 | ARM_SETEND_INVALID = 0, // Uninitialized. 182 | ARM_SETEND_BE, // BE operand. 183 | ARM_SETEND_LE, // LE operand 184 | } arm_setend_type; 185 | 186 | typedef enum arm_cpsmode_type 187 | { 188 | ARM_CPSMODE_INVALID = 0, 189 | ARM_CPSMODE_IE = 2, 190 | ARM_CPSMODE_ID = 3 191 | } arm_cpsmode_type; 192 | 193 | //> Operand type for SETEND instruction 194 | typedef enum arm_cpsflag_type 195 | { 196 | ARM_CPSFLAG_INVALID = 0, 197 | ARM_CPSFLAG_F = 1, 198 | ARM_CPSFLAG_I = 2, 199 | ARM_CPSFLAG_A = 4, 200 | ARM_CPSFLAG_NONE = 16, // no flag 201 | } arm_cpsflag_type; 202 | 203 | //> Data type for elements of vector instructions. 204 | typedef enum arm_vectordata_type 205 | { 206 | ARM_VECTORDATA_INVALID = 0, 207 | 208 | // Integer type 209 | ARM_VECTORDATA_I8, 210 | ARM_VECTORDATA_I16, 211 | ARM_VECTORDATA_I32, 212 | ARM_VECTORDATA_I64, 213 | 214 | // Signed integer type 215 | ARM_VECTORDATA_S8, 216 | ARM_VECTORDATA_S16, 217 | ARM_VECTORDATA_S32, 218 | ARM_VECTORDATA_S64, 219 | 220 | // Unsigned integer type 221 | ARM_VECTORDATA_U8, 222 | ARM_VECTORDATA_U16, 223 | ARM_VECTORDATA_U32, 224 | ARM_VECTORDATA_U64, 225 | 226 | // Data type for VMUL/VMULL 227 | ARM_VECTORDATA_P8, 228 | 229 | // Floating type 230 | ARM_VECTORDATA_F32, 231 | ARM_VECTORDATA_F64, 232 | 233 | // Convert float <-> float 234 | ARM_VECTORDATA_F16F64, // f16.f64 235 | ARM_VECTORDATA_F64F16, // f64.f16 236 | ARM_VECTORDATA_F32F16, // f32.f16 237 | ARM_VECTORDATA_F16F32, // f32.f16 238 | ARM_VECTORDATA_F64F32, // f64.f32 239 | ARM_VECTORDATA_F32F64, // f32.f64 240 | 241 | // Convert integer <-> float 242 | ARM_VECTORDATA_S32F32, // s32.f32 243 | 
ARM_VECTORDATA_U32F32, // u32.f32 244 | ARM_VECTORDATA_F32S32, // f32.s32 245 | ARM_VECTORDATA_F32U32, // f32.u32 246 | ARM_VECTORDATA_F64S16, // f64.s16 247 | ARM_VECTORDATA_F32S16, // f32.s16 248 | ARM_VECTORDATA_F64S32, // f64.s32 249 | ARM_VECTORDATA_S16F64, // s16.f64 250 | ARM_VECTORDATA_S16F32, // s16.f64 251 | ARM_VECTORDATA_S32F64, // s32.f64 252 | ARM_VECTORDATA_U16F64, // u16.f64 253 | ARM_VECTORDATA_U16F32, // u16.f32 254 | ARM_VECTORDATA_U32F64, // u32.f64 255 | ARM_VECTORDATA_F64U16, // f64.u16 256 | ARM_VECTORDATA_F32U16, // f32.u16 257 | ARM_VECTORDATA_F64U32, // f64.u32 258 | } arm_vectordata_type; 259 | 260 | //> ARM registers 261 | typedef enum arm_reg 262 | { 263 | ARM_REG_INVALID = 0, 264 | ARM_REG_APSR, 265 | ARM_REG_APSR_NZCV, 266 | ARM_REG_CPSR, 267 | ARM_REG_FPEXC, 268 | ARM_REG_FPINST, 269 | ARM_REG_FPSCR, 270 | ARM_REG_FPSCR_NZCV, 271 | ARM_REG_FPSID, 272 | ARM_REG_ITSTATE, 273 | ARM_REG_LR, 274 | ARM_REG_PC, 275 | ARM_REG_SP, 276 | ARM_REG_SPSR, 277 | ARM_REG_D0, 278 | ARM_REG_D1, 279 | ARM_REG_D2, 280 | ARM_REG_D3, 281 | ARM_REG_D4, 282 | ARM_REG_D5, 283 | ARM_REG_D6, 284 | ARM_REG_D7, 285 | ARM_REG_D8, 286 | ARM_REG_D9, 287 | ARM_REG_D10, 288 | ARM_REG_D11, 289 | ARM_REG_D12, 290 | ARM_REG_D13, 291 | ARM_REG_D14, 292 | ARM_REG_D15, 293 | ARM_REG_D16, 294 | ARM_REG_D17, 295 | ARM_REG_D18, 296 | ARM_REG_D19, 297 | ARM_REG_D20, 298 | ARM_REG_D21, 299 | ARM_REG_D22, 300 | ARM_REG_D23, 301 | ARM_REG_D24, 302 | ARM_REG_D25, 303 | ARM_REG_D26, 304 | ARM_REG_D27, 305 | ARM_REG_D28, 306 | ARM_REG_D29, 307 | ARM_REG_D30, 308 | ARM_REG_D31, 309 | ARM_REG_FPINST2, 310 | ARM_REG_MVFR0, 311 | ARM_REG_MVFR1, 312 | ARM_REG_MVFR2, 313 | ARM_REG_Q0, 314 | ARM_REG_Q1, 315 | ARM_REG_Q2, 316 | ARM_REG_Q3, 317 | ARM_REG_Q4, 318 | ARM_REG_Q5, 319 | ARM_REG_Q6, 320 | ARM_REG_Q7, 321 | ARM_REG_Q8, 322 | ARM_REG_Q9, 323 | ARM_REG_Q10, 324 | ARM_REG_Q11, 325 | ARM_REG_Q12, 326 | ARM_REG_Q13, 327 | ARM_REG_Q14, 328 | ARM_REG_Q15, 329 | ARM_REG_R0, 330 | 
ARM_REG_R1, 331 | ARM_REG_R2, 332 | ARM_REG_R3, 333 | ARM_REG_R4, 334 | ARM_REG_R5, 335 | ARM_REG_R6, 336 | ARM_REG_R7, 337 | ARM_REG_R8, 338 | ARM_REG_R9, 339 | ARM_REG_R10, 340 | ARM_REG_R11, 341 | ARM_REG_R12, 342 | ARM_REG_S0, 343 | ARM_REG_S1, 344 | ARM_REG_S2, 345 | ARM_REG_S3, 346 | ARM_REG_S4, 347 | ARM_REG_S5, 348 | ARM_REG_S6, 349 | ARM_REG_S7, 350 | ARM_REG_S8, 351 | ARM_REG_S9, 352 | ARM_REG_S10, 353 | ARM_REG_S11, 354 | ARM_REG_S12, 355 | ARM_REG_S13, 356 | ARM_REG_S14, 357 | ARM_REG_S15, 358 | ARM_REG_S16, 359 | ARM_REG_S17, 360 | ARM_REG_S18, 361 | ARM_REG_S19, 362 | ARM_REG_S20, 363 | ARM_REG_S21, 364 | ARM_REG_S22, 365 | ARM_REG_S23, 366 | ARM_REG_S24, 367 | ARM_REG_S25, 368 | ARM_REG_S26, 369 | ARM_REG_S27, 370 | ARM_REG_S28, 371 | ARM_REG_S29, 372 | ARM_REG_S30, 373 | ARM_REG_S31, 374 | 375 | ARM_REG_ENDING, // <-- mark the end of the list or registers 376 | 377 | //> alias registers 378 | ARM_REG_R13 = ARM_REG_SP, 379 | ARM_REG_R14 = ARM_REG_LR, 380 | ARM_REG_R15 = ARM_REG_PC, 381 | 382 | ARM_REG_SB = ARM_REG_R9, 383 | ARM_REG_SL = ARM_REG_R10, 384 | ARM_REG_FP = ARM_REG_R11, 385 | ARM_REG_IP = ARM_REG_R12, 386 | } arm_reg; 387 | 388 | // Instruction's operand referring to memory 389 | // This is associated with ARM_OP_MEM operand type above 390 | typedef struct arm_op_mem 391 | { 392 | arm_reg base; // base register 393 | arm_reg index; // index register 394 | int scale; // scale for index register (can be 1, or -1) 395 | int disp; // displacement/offset value 396 | int lshift; // left-shift on index register, or 0 if irrelevant. 
397 | } arm_op_mem; 398 | 399 | // Instruction operand 400 | typedef struct cs_arm_op 401 | { 402 | int vector_index; // Vector Index for some vector operands (or -1 if irrelevant) 403 | 404 | struct 405 | { 406 | arm_shifter type; 407 | unsigned int value; 408 | } shift; 409 | 410 | arm_op_type type; // operand type 411 | 412 | union 413 | { 414 | int reg; // register value for REG/SYSREG operand 415 | int32_t imm; // immediate value for C-IMM, P-IMM or IMM operand 416 | double fp; // floating point value for FP operand 417 | arm_op_mem mem; // base/index/scale/disp value for MEM operand 418 | arm_setend_type setend; // SETEND instruction's operand type 419 | }; 420 | 421 | // in some instructions, an operand can be subtracted or added to 422 | // the base register, 423 | bool subtracted; // if TRUE, this operand is subtracted. otherwise, it is added. 424 | 425 | // How is this operand accessed? (READ, WRITE or READ|WRITE) 426 | // This field is combined of cs_ac_type. 427 | // NOTE: this field is irrelevant if engine is compiled in DIET mode. 428 | uint8_t access; 429 | 430 | // Neon lane index for NEON instructions (or -1 if irrelevant) 431 | int8_t neon_lane; 432 | } cs_arm_op; 433 | 434 | // Instruction structure 435 | typedef struct cs_arm 436 | { 437 | bool usermode; // User-mode registers to be loaded (for LDM/STM instructions) 438 | int vector_size; // Scalar size for vector instructions 439 | arm_vectordata_type vector_data; // Data type for elements of vector instructions 440 | arm_cpsmode_type cps_mode; // CPS mode for CPS instruction 441 | arm_cpsflag_type cps_flag; // CPS mode for CPS instruction 442 | arm_cc cc; // conditional code for this insn 443 | bool update_flags; // does this insn update flags? 444 | bool writeback; // does this insn write-back? 445 | arm_mem_barrier mem_barrier; // Option for some memory barrier instructions 446 | 447 | // Number of operands of this instruction, 448 | // or 0 when instruction has no operand. 
449 | uint8_t op_count; 450 | 451 | cs_arm_op operands[36]; // operands for this instruction. 452 | } cs_arm; 453 | 454 | //> ARM instruction 455 | typedef enum arm_insn 456 | { 457 | ARM_INS_INVALID = 0, 458 | 459 | ARM_INS_ADC, 460 | ARM_INS_ADD, 461 | ARM_INS_ADR, 462 | ARM_INS_AESD, 463 | ARM_INS_AESE, 464 | ARM_INS_AESIMC, 465 | ARM_INS_AESMC, 466 | ARM_INS_AND, 467 | ARM_INS_BFC, 468 | ARM_INS_BFI, 469 | ARM_INS_BIC, 470 | ARM_INS_BKPT, 471 | ARM_INS_BL, 472 | ARM_INS_BLX, 473 | ARM_INS_BX, 474 | ARM_INS_BXJ, 475 | ARM_INS_B, 476 | ARM_INS_CDP, 477 | ARM_INS_CDP2, 478 | ARM_INS_CLREX, 479 | ARM_INS_CLZ, 480 | ARM_INS_CMN, 481 | ARM_INS_CMP, 482 | ARM_INS_CPS, 483 | ARM_INS_CRC32B, 484 | ARM_INS_CRC32CB, 485 | ARM_INS_CRC32CH, 486 | ARM_INS_CRC32CW, 487 | ARM_INS_CRC32H, 488 | ARM_INS_CRC32W, 489 | ARM_INS_DBG, 490 | ARM_INS_DMB, 491 | ARM_INS_DSB, 492 | ARM_INS_EOR, 493 | ARM_INS_ERET, 494 | ARM_INS_VMOV, 495 | ARM_INS_FLDMDBX, 496 | ARM_INS_FLDMIAX, 497 | ARM_INS_VMRS, 498 | ARM_INS_FSTMDBX, 499 | ARM_INS_FSTMIAX, 500 | ARM_INS_HINT, 501 | ARM_INS_HLT, 502 | ARM_INS_HVC, 503 | ARM_INS_ISB, 504 | ARM_INS_LDA, 505 | ARM_INS_LDAB, 506 | ARM_INS_LDAEX, 507 | ARM_INS_LDAEXB, 508 | ARM_INS_LDAEXD, 509 | ARM_INS_LDAEXH, 510 | ARM_INS_LDAH, 511 | ARM_INS_LDC2L, 512 | ARM_INS_LDC2, 513 | ARM_INS_LDCL, 514 | ARM_INS_LDC, 515 | ARM_INS_LDMDA, 516 | ARM_INS_LDMDB, 517 | ARM_INS_LDM, 518 | ARM_INS_LDMIB, 519 | ARM_INS_LDRBT, 520 | ARM_INS_LDRB, 521 | ARM_INS_LDRD, 522 | ARM_INS_LDREX, 523 | ARM_INS_LDREXB, 524 | ARM_INS_LDREXD, 525 | ARM_INS_LDREXH, 526 | ARM_INS_LDRH, 527 | ARM_INS_LDRHT, 528 | ARM_INS_LDRSB, 529 | ARM_INS_LDRSBT, 530 | ARM_INS_LDRSH, 531 | ARM_INS_LDRSHT, 532 | ARM_INS_LDRT, 533 | ARM_INS_LDR, 534 | ARM_INS_MCR, 535 | ARM_INS_MCR2, 536 | ARM_INS_MCRR, 537 | ARM_INS_MCRR2, 538 | ARM_INS_MLA, 539 | ARM_INS_MLS, 540 | ARM_INS_MOV, 541 | ARM_INS_MOVT, 542 | ARM_INS_MOVW, 543 | ARM_INS_MRC, 544 | ARM_INS_MRC2, 545 | ARM_INS_MRRC, 546 | ARM_INS_MRRC2, 547 | 
ARM_INS_MRS, 548 | ARM_INS_MSR, 549 | ARM_INS_MUL, 550 | ARM_INS_MVN, 551 | ARM_INS_ORR, 552 | ARM_INS_PKHBT, 553 | ARM_INS_PKHTB, 554 | ARM_INS_PLDW, 555 | ARM_INS_PLD, 556 | ARM_INS_PLI, 557 | ARM_INS_QADD, 558 | ARM_INS_QADD16, 559 | ARM_INS_QADD8, 560 | ARM_INS_QASX, 561 | ARM_INS_QDADD, 562 | ARM_INS_QDSUB, 563 | ARM_INS_QSAX, 564 | ARM_INS_QSUB, 565 | ARM_INS_QSUB16, 566 | ARM_INS_QSUB8, 567 | ARM_INS_RBIT, 568 | ARM_INS_REV, 569 | ARM_INS_REV16, 570 | ARM_INS_REVSH, 571 | ARM_INS_RFEDA, 572 | ARM_INS_RFEDB, 573 | ARM_INS_RFEIA, 574 | ARM_INS_RFEIB, 575 | ARM_INS_RSB, 576 | ARM_INS_RSC, 577 | ARM_INS_SADD16, 578 | ARM_INS_SADD8, 579 | ARM_INS_SASX, 580 | ARM_INS_SBC, 581 | ARM_INS_SBFX, 582 | ARM_INS_SDIV, 583 | ARM_INS_SEL, 584 | ARM_INS_SETEND, 585 | ARM_INS_SHA1C, 586 | ARM_INS_SHA1H, 587 | ARM_INS_SHA1M, 588 | ARM_INS_SHA1P, 589 | ARM_INS_SHA1SU0, 590 | ARM_INS_SHA1SU1, 591 | ARM_INS_SHA256H, 592 | ARM_INS_SHA256H2, 593 | ARM_INS_SHA256SU0, 594 | ARM_INS_SHA256SU1, 595 | ARM_INS_SHADD16, 596 | ARM_INS_SHADD8, 597 | ARM_INS_SHASX, 598 | ARM_INS_SHSAX, 599 | ARM_INS_SHSUB16, 600 | ARM_INS_SHSUB8, 601 | ARM_INS_SMC, 602 | ARM_INS_SMLABB, 603 | ARM_INS_SMLABT, 604 | ARM_INS_SMLAD, 605 | ARM_INS_SMLADX, 606 | ARM_INS_SMLAL, 607 | ARM_INS_SMLALBB, 608 | ARM_INS_SMLALBT, 609 | ARM_INS_SMLALD, 610 | ARM_INS_SMLALDX, 611 | ARM_INS_SMLALTB, 612 | ARM_INS_SMLALTT, 613 | ARM_INS_SMLATB, 614 | ARM_INS_SMLATT, 615 | ARM_INS_SMLAWB, 616 | ARM_INS_SMLAWT, 617 | ARM_INS_SMLSD, 618 | ARM_INS_SMLSDX, 619 | ARM_INS_SMLSLD, 620 | ARM_INS_SMLSLDX, 621 | ARM_INS_SMMLA, 622 | ARM_INS_SMMLAR, 623 | ARM_INS_SMMLS, 624 | ARM_INS_SMMLSR, 625 | ARM_INS_SMMUL, 626 | ARM_INS_SMMULR, 627 | ARM_INS_SMUAD, 628 | ARM_INS_SMUADX, 629 | ARM_INS_SMULBB, 630 | ARM_INS_SMULBT, 631 | ARM_INS_SMULL, 632 | ARM_INS_SMULTB, 633 | ARM_INS_SMULTT, 634 | ARM_INS_SMULWB, 635 | ARM_INS_SMULWT, 636 | ARM_INS_SMUSD, 637 | ARM_INS_SMUSDX, 638 | ARM_INS_SRSDA, 639 | ARM_INS_SRSDB, 640 | ARM_INS_SRSIA, 641 | 
ARM_INS_SRSIB, 642 | ARM_INS_SSAT, 643 | ARM_INS_SSAT16, 644 | ARM_INS_SSAX, 645 | ARM_INS_SSUB16, 646 | ARM_INS_SSUB8, 647 | ARM_INS_STC2L, 648 | ARM_INS_STC2, 649 | ARM_INS_STCL, 650 | ARM_INS_STC, 651 | ARM_INS_STL, 652 | ARM_INS_STLB, 653 | ARM_INS_STLEX, 654 | ARM_INS_STLEXB, 655 | ARM_INS_STLEXD, 656 | ARM_INS_STLEXH, 657 | ARM_INS_STLH, 658 | ARM_INS_STMDA, 659 | ARM_INS_STMDB, 660 | ARM_INS_STM, 661 | ARM_INS_STMIB, 662 | ARM_INS_STRBT, 663 | ARM_INS_STRB, 664 | ARM_INS_STRD, 665 | ARM_INS_STREX, 666 | ARM_INS_STREXB, 667 | ARM_INS_STREXD, 668 | ARM_INS_STREXH, 669 | ARM_INS_STRH, 670 | ARM_INS_STRHT, 671 | ARM_INS_STRT, 672 | ARM_INS_STR, 673 | ARM_INS_SUB, 674 | ARM_INS_SVC, 675 | ARM_INS_SWP, 676 | ARM_INS_SWPB, 677 | ARM_INS_SXTAB, 678 | ARM_INS_SXTAB16, 679 | ARM_INS_SXTAH, 680 | ARM_INS_SXTB, 681 | ARM_INS_SXTB16, 682 | ARM_INS_SXTH, 683 | ARM_INS_TEQ, 684 | ARM_INS_TRAP, 685 | ARM_INS_TST, 686 | ARM_INS_UADD16, 687 | ARM_INS_UADD8, 688 | ARM_INS_UASX, 689 | ARM_INS_UBFX, 690 | ARM_INS_UDF, 691 | ARM_INS_UDIV, 692 | ARM_INS_UHADD16, 693 | ARM_INS_UHADD8, 694 | ARM_INS_UHASX, 695 | ARM_INS_UHSAX, 696 | ARM_INS_UHSUB16, 697 | ARM_INS_UHSUB8, 698 | ARM_INS_UMAAL, 699 | ARM_INS_UMLAL, 700 | ARM_INS_UMULL, 701 | ARM_INS_UQADD16, 702 | ARM_INS_UQADD8, 703 | ARM_INS_UQASX, 704 | ARM_INS_UQSAX, 705 | ARM_INS_UQSUB16, 706 | ARM_INS_UQSUB8, 707 | ARM_INS_USAD8, 708 | ARM_INS_USADA8, 709 | ARM_INS_USAT, 710 | ARM_INS_USAT16, 711 | ARM_INS_USAX, 712 | ARM_INS_USUB16, 713 | ARM_INS_USUB8, 714 | ARM_INS_UXTAB, 715 | ARM_INS_UXTAB16, 716 | ARM_INS_UXTAH, 717 | ARM_INS_UXTB, 718 | ARM_INS_UXTB16, 719 | ARM_INS_UXTH, 720 | ARM_INS_VABAL, 721 | ARM_INS_VABA, 722 | ARM_INS_VABDL, 723 | ARM_INS_VABD, 724 | ARM_INS_VABS, 725 | ARM_INS_VACGE, 726 | ARM_INS_VACGT, 727 | ARM_INS_VADD, 728 | ARM_INS_VADDHN, 729 | ARM_INS_VADDL, 730 | ARM_INS_VADDW, 731 | ARM_INS_VAND, 732 | ARM_INS_VBIC, 733 | ARM_INS_VBIF, 734 | ARM_INS_VBIT, 735 | ARM_INS_VBSL, 736 | ARM_INS_VCEQ, 737 | 
ARM_INS_VCGE, 738 | ARM_INS_VCGT, 739 | ARM_INS_VCLE, 740 | ARM_INS_VCLS, 741 | ARM_INS_VCLT, 742 | ARM_INS_VCLZ, 743 | ARM_INS_VCMP, 744 | ARM_INS_VCMPE, 745 | ARM_INS_VCNT, 746 | ARM_INS_VCVTA, 747 | ARM_INS_VCVTB, 748 | ARM_INS_VCVT, 749 | ARM_INS_VCVTM, 750 | ARM_INS_VCVTN, 751 | ARM_INS_VCVTP, 752 | ARM_INS_VCVTT, 753 | ARM_INS_VDIV, 754 | ARM_INS_VDUP, 755 | ARM_INS_VEOR, 756 | ARM_INS_VEXT, 757 | ARM_INS_VFMA, 758 | ARM_INS_VFMS, 759 | ARM_INS_VFNMA, 760 | ARM_INS_VFNMS, 761 | ARM_INS_VHADD, 762 | ARM_INS_VHSUB, 763 | ARM_INS_VLD1, 764 | ARM_INS_VLD2, 765 | ARM_INS_VLD3, 766 | ARM_INS_VLD4, 767 | ARM_INS_VLDMDB, 768 | ARM_INS_VLDMIA, 769 | ARM_INS_VLDR, 770 | ARM_INS_VMAXNM, 771 | ARM_INS_VMAX, 772 | ARM_INS_VMINNM, 773 | ARM_INS_VMIN, 774 | ARM_INS_VMLA, 775 | ARM_INS_VMLAL, 776 | ARM_INS_VMLS, 777 | ARM_INS_VMLSL, 778 | ARM_INS_VMOVL, 779 | ARM_INS_VMOVN, 780 | ARM_INS_VMSR, 781 | ARM_INS_VMUL, 782 | ARM_INS_VMULL, 783 | ARM_INS_VMVN, 784 | ARM_INS_VNEG, 785 | ARM_INS_VNMLA, 786 | ARM_INS_VNMLS, 787 | ARM_INS_VNMUL, 788 | ARM_INS_VORN, 789 | ARM_INS_VORR, 790 | ARM_INS_VPADAL, 791 | ARM_INS_VPADDL, 792 | ARM_INS_VPADD, 793 | ARM_INS_VPMAX, 794 | ARM_INS_VPMIN, 795 | ARM_INS_VQABS, 796 | ARM_INS_VQADD, 797 | ARM_INS_VQDMLAL, 798 | ARM_INS_VQDMLSL, 799 | ARM_INS_VQDMULH, 800 | ARM_INS_VQDMULL, 801 | ARM_INS_VQMOVUN, 802 | ARM_INS_VQMOVN, 803 | ARM_INS_VQNEG, 804 | ARM_INS_VQRDMULH, 805 | ARM_INS_VQRSHL, 806 | ARM_INS_VQRSHRN, 807 | ARM_INS_VQRSHRUN, 808 | ARM_INS_VQSHL, 809 | ARM_INS_VQSHLU, 810 | ARM_INS_VQSHRN, 811 | ARM_INS_VQSHRUN, 812 | ARM_INS_VQSUB, 813 | ARM_INS_VRADDHN, 814 | ARM_INS_VRECPE, 815 | ARM_INS_VRECPS, 816 | ARM_INS_VREV16, 817 | ARM_INS_VREV32, 818 | ARM_INS_VREV64, 819 | ARM_INS_VRHADD, 820 | ARM_INS_VRINTA, 821 | ARM_INS_VRINTM, 822 | ARM_INS_VRINTN, 823 | ARM_INS_VRINTP, 824 | ARM_INS_VRINTR, 825 | ARM_INS_VRINTX, 826 | ARM_INS_VRINTZ, 827 | ARM_INS_VRSHL, 828 | ARM_INS_VRSHRN, 829 | ARM_INS_VRSHR, 830 | ARM_INS_VRSQRTE, 831 | 
ARM_INS_VRSQRTS, 832 | ARM_INS_VRSRA, 833 | ARM_INS_VRSUBHN, 834 | ARM_INS_VSELEQ, 835 | ARM_INS_VSELGE, 836 | ARM_INS_VSELGT, 837 | ARM_INS_VSELVS, 838 | ARM_INS_VSHLL, 839 | ARM_INS_VSHL, 840 | ARM_INS_VSHRN, 841 | ARM_INS_VSHR, 842 | ARM_INS_VSLI, 843 | ARM_INS_VSQRT, 844 | ARM_INS_VSRA, 845 | ARM_INS_VSRI, 846 | ARM_INS_VST1, 847 | ARM_INS_VST2, 848 | ARM_INS_VST3, 849 | ARM_INS_VST4, 850 | ARM_INS_VSTMDB, 851 | ARM_INS_VSTMIA, 852 | ARM_INS_VSTR, 853 | ARM_INS_VSUB, 854 | ARM_INS_VSUBHN, 855 | ARM_INS_VSUBL, 856 | ARM_INS_VSUBW, 857 | ARM_INS_VSWP, 858 | ARM_INS_VTBL, 859 | ARM_INS_VTBX, 860 | ARM_INS_VCVTR, 861 | ARM_INS_VTRN, 862 | ARM_INS_VTST, 863 | ARM_INS_VUZP, 864 | ARM_INS_VZIP, 865 | ARM_INS_ADDW, 866 | ARM_INS_ASR, 867 | ARM_INS_DCPS1, 868 | ARM_INS_DCPS2, 869 | ARM_INS_DCPS3, 870 | ARM_INS_IT, 871 | ARM_INS_LSL, 872 | ARM_INS_LSR, 873 | ARM_INS_ORN, 874 | ARM_INS_ROR, 875 | ARM_INS_RRX, 876 | ARM_INS_SUBW, 877 | ARM_INS_TBB, 878 | ARM_INS_TBH, 879 | ARM_INS_CBNZ, 880 | ARM_INS_CBZ, 881 | ARM_INS_POP, 882 | ARM_INS_PUSH, 883 | 884 | // special instructions 885 | ARM_INS_NOP, 886 | ARM_INS_YIELD, 887 | ARM_INS_WFE, 888 | ARM_INS_WFI, 889 | ARM_INS_SEV, 890 | ARM_INS_SEVL, 891 | ARM_INS_VPUSH, 892 | ARM_INS_VPOP, 893 | 894 | ARM_INS_ENDING, // <-- mark the end of the list of instructions 895 | } arm_insn; 896 | 897 | //> Group of ARM instructions 898 | typedef enum arm_insn_group 899 | { 900 | ARM_GRP_INVALID = 0, // = CS_GRP_INVALID 901 | 902 | //> Generic groups 903 | // all jump instructions (conditional+direct+indirect jumps) 904 | ARM_GRP_JUMP, // = CS_GRP_JUMP 905 | ARM_GRP_CALL, // = CS_GRP_CALL 906 | ARM_GRP_INT = 4, // = CS_GRP_INT 907 | ARM_GRP_PRIVILEGE = 6, // = CS_GRP_PRIVILEGE 908 | 909 | //> Architecture-specific groups 910 | ARM_GRP_CRYPTO = 128, 911 | ARM_GRP_DATABARRIER, 912 | ARM_GRP_DIVIDE, 913 | ARM_GRP_FPARMV8, 914 | ARM_GRP_MULTPRO, 915 | ARM_GRP_NEON, 916 | ARM_GRP_T2EXTRACTPACK, 917 | ARM_GRP_THUMB2DSP, 918 | ARM_GRP_TRUSTZONE, 
919 | ARM_GRP_V4T, 920 | ARM_GRP_V5T, 921 | ARM_GRP_V5TE, 922 | ARM_GRP_V6, 923 | ARM_GRP_V6T2, 924 | ARM_GRP_V7, 925 | ARM_GRP_V8, 926 | ARM_GRP_VFP2, 927 | ARM_GRP_VFP3, 928 | ARM_GRP_VFP4, 929 | ARM_GRP_ARM, 930 | ARM_GRP_MCLASS, 931 | ARM_GRP_NOTMCLASS, 932 | ARM_GRP_THUMB, 933 | ARM_GRP_THUMB1ONLY, 934 | ARM_GRP_THUMB2, 935 | ARM_GRP_PREV8, 936 | ARM_GRP_FPVMLX, 937 | ARM_GRP_MULOPS, 938 | ARM_GRP_CRC, 939 | ARM_GRP_DPVFP, 940 | ARM_GRP_V6M, 941 | ARM_GRP_VIRTUALIZATION, 942 | 943 | ARM_GRP_ENDING, 944 | } arm_insn_group; 945 | 946 | #ifdef __cplusplus 947 | } 948 | #endif 949 | 950 | #endif 951 | -------------------------------------------------------------------------------- /capstone/include/capstone.h: -------------------------------------------------------------------------------- 1 | #ifndef CAPSTONE_ENGINE_H 2 | #define CAPSTONE_ENGINE_H 3 | 4 | /* Capstone Disassembly Engine */ 5 | /* By Nguyen Anh Quynh , 2013-2015 */ 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | #include 12 | 13 | #if defined(CAPSTONE_HAS_OSXKERNEL) 14 | #include 15 | #else 16 | #include 17 | #include 18 | #endif 19 | 20 | #include "platform.h" 21 | 22 | #ifdef _MSC_VER 23 | #pragma warning(disable:4201) 24 | #pragma warning(disable:4100) 25 | #define CAPSTONE_API __cdecl 26 | #ifdef CAPSTONE_SHARED 27 | #define CAPSTONE_EXPORT __declspec(dllexport) 28 | #else // defined(CAPSTONE_STATIC) 29 | #define CAPSTONE_EXPORT 30 | #endif 31 | #else 32 | #define CAPSTONE_API 33 | #ifdef __GNUC__ 34 | #define CAPSTONE_EXPORT __attribute__((visibility("default"))) 35 | #else 36 | #define CAPSTONE_EXPORT 37 | #endif 38 | #endif 39 | 40 | #ifdef __GNUC__ 41 | #define CAPSTONE_DEPRECATED __attribute__((deprecated)) 42 | #elif defined(_MSC_VER) 43 | #define CAPSTONE_DEPRECATED __declspec(deprecated) 44 | #else 45 | #pragma message("WARNING: You need to implement CAPSTONE_DEPRECATED for this compiler") 46 | #define CAPSTONE_DEPRECATED 47 | #endif 48 | 49 | // Capstone API version 50 
| #define CS_API_MAJOR 4 51 | #define CS_API_MINOR 0 52 | 53 | // Version for bleeding edge code of the Github's "next" branch. 54 | // Use this if you want the absolutely latest developement code. 55 | // This version number will be bumped up whenever we have a new major change. 56 | #define CS_NEXT_VERSION 3 57 | 58 | // Macro to create combined version which can be compared to 59 | // result of cs_version() API. 60 | #define CS_MAKE_VERSION(major, minor) ((major << 8) + minor) 61 | 62 | // Maximum size of an instruction mnemonic string. 63 | #define CS_MNEMONIC_SIZE 32 64 | 65 | // Handle using with all API 66 | typedef size_t csh; 67 | 68 | // Architecture type 69 | typedef enum cs_arch 70 | { 71 | CS_ARCH_ARM = 0, // ARM architecture (including Thumb, Thumb-2) 72 | CS_ARCH_ARM64, // ARM-64, also called AArch64 73 | CS_ARCH_MIPS, // Mips architecture 74 | CS_ARCH_X86, // X86 architecture (including x86 & x86-64) 75 | CS_ARCH_PPC, // PowerPC architecture 76 | CS_ARCH_SPARC, // Sparc architecture 77 | CS_ARCH_SYSZ, // SystemZ architecture 78 | CS_ARCH_XCORE, // XCore architecture 79 | CS_ARCH_M68K, // 68K architecture 80 | CS_ARCH_MAX, 81 | CS_ARCH_ALL = 0xFFFF, // All architectures - for cs_support() 82 | } cs_arch; 83 | 84 | // Support value to verify diet mode of the engine. 85 | // If cs_support(CS_SUPPORT_DIET) return True, the engine was compiled 86 | // in diet mode. 87 | #define CS_SUPPORT_DIET (CS_ARCH_ALL + 1) 88 | 89 | // Support value to verify X86 reduce mode of the engine. 90 | // If cs_support(CS_SUPPORT_X86_REDUCE) return True, the engine was compiled 91 | // in X86 reduce mode. 
92 | #define CS_SUPPORT_X86_REDUCE (CS_ARCH_ALL + 2) 93 | 94 | // Mode type 95 | typedef enum cs_mode 96 | { 97 | CS_MODE_LITTLE_ENDIAN = 0, // little-endian mode (default mode) 98 | CS_MODE_ARM = 0, // 32-bit ARM 99 | CS_MODE_16 = 1 << 1, // 16-bit mode (X86) 100 | CS_MODE_32 = 1 << 2, // 32-bit mode (X86) 101 | CS_MODE_64 = 1 << 3, // 64-bit mode (X86, PPC) 102 | CS_MODE_THUMB = 1 << 4, // ARM's Thumb mode, including Thumb-2 103 | CS_MODE_MCLASS = 1 << 5, // ARM's Cortex-M series 104 | CS_MODE_V8 = 1 << 6, // ARMv8 A32 encodings for ARM 105 | CS_MODE_MICRO = 1 << 4, // MicroMips mode (MIPS) 106 | CS_MODE_MIPS3 = 1 << 5, // Mips III ISA 107 | CS_MODE_MIPS32R6 = 1 << 6, // Mips32r6 ISA 108 | CS_MODE_V9 = 1 << 4, // SparcV9 mode (Sparc) 109 | CS_MODE_QPX = 1 << 4, // Quad Processing eXtensions mode (PPC) 110 | CS_MODE_M68K_000 = 1 << 1, // M68K 68000 mode 111 | CS_MODE_M68K_010 = 1 << 2, // M68K 68010 mode 112 | CS_MODE_M68K_020 = 1 << 3, // M68K 68020 mode 113 | CS_MODE_M68K_030 = 1 << 4, // M68K 68030 mode 114 | CS_MODE_M68K_040 = 1 << 5, // M68K 68040 mode 115 | CS_MODE_M68K_060 = 1 << 6, // M68K 68060 mode 116 | CS_MODE_BIG_ENDIAN = 1 << 31, // big-endian mode 117 | CS_MODE_MIPS32 = CS_MODE_32, // Mips32 ISA (Mips) 118 | CS_MODE_MIPS64 = CS_MODE_64, // Mips64 ISA (Mips) 119 | } cs_mode; 120 | 121 | typedef void* (CAPSTONE_API* cs_malloc_t)(size_t size); 122 | typedef void* (CAPSTONE_API* cs_calloc_t)(size_t nmemb, size_t size); 123 | typedef void* (CAPSTONE_API* cs_realloc_t)(void* ptr, size_t size); 124 | typedef void (CAPSTONE_API* cs_free_t)(void* ptr); 125 | typedef int (CAPSTONE_API* cs_vsnprintf_t)(char* str, size_t size, const char* format, va_list ap); 126 | 127 | 128 | // User-defined dynamic memory related functions: malloc/calloc/realloc/free/vsnprintf() 129 | // By default, Capstone uses system's malloc(), calloc(), realloc(), free() & vsnprintf(). 
// User-defined dynamic memory functions, installed with cs_option() and the
// CS_OPT_MEM option. Per the cs_option() notes further down this is the one
// option that may (and for a custom allocator must) be set before cs_open();
// CS_ERR_MEMSETUP is reported when the engine finds it uninitialized.
// NOTE(review): nothing here says what happens when a member is left NULL -
// presumably the engine calls through it unchecked, so set all five members.
// Confirm against the CS_OPT_MEM handling in cs_option().
typedef struct cs_opt_mem
{
    cs_malloc_t malloc;
    cs_calloc_t calloc;
    cs_realloc_t realloc;
    cs_free_t free;
    cs_vsnprintf_t vsnprintf;
} cs_opt_mem;

// Customize mnemonic for instructions with alternative name.
// To reset existing customized instruction to its default mnemonic,
// call cs_option(CS_OPT_MNEMONIC) again with the same @id and NULL value
// for @mnemonic.
typedef struct cs_opt_mnem
{
    // ID of instruction to be customized.
    unsigned int id;
    // Customized instruction mnemonic.
    // NOTE(review): whether the engine copies this string or keeps the
    // pointer is not documented here; keep it alive for the handle's
    // lifetime unless cs_option() is confirmed to copy it.
    const char* mnemonic;
} cs_opt_mnem;

// Runtime option for the disassembled engine
typedef enum cs_opt_type
{
    CS_OPT_INVALID = 0, // No option specified
    CS_OPT_SYNTAX, // Assembly output syntax
    CS_OPT_DETAIL, // Break down instruction structure into details
    CS_OPT_MODE, // Change engine's mode at run-time
    CS_OPT_MEM, // User-defined dynamic memory related functions
    CS_OPT_SKIPDATA, // Skip data when disassembling. Then engine is in SKIPDATA mode.
    CS_OPT_SKIPDATA_SETUP, // Setup user-defined function for SKIPDATA option
    CS_OPT_MNEMONIC, // Customize instruction mnemonic
    CS_OPT_UNSIGNED, // print immediate operands in unsigned form
} cs_opt_type;

// Runtime option value (associated with option type above)
// The numeric values overlap across option types (CS_OPT_OFF and
// CS_OPT_SYNTAX_DEFAULT are both 0, CS_OPT_ON and CS_OPT_SYNTAX_NOREGNAME are
// both 3), so a value is only meaningful together with the cs_opt_type it is
// passed to cs_option() with.
typedef enum cs_opt_value
{
    CS_OPT_OFF = 0, // Turn OFF an option - default for CS_OPT_DETAIL, CS_OPT_SKIPDATA, CS_OPT_UNSIGNED.
    CS_OPT_ON = 3, // Turn ON an option (CS_OPT_DETAIL, CS_OPT_SKIPDATA).
    CS_OPT_SYNTAX_DEFAULT = 0, // Default asm syntax (CS_OPT_SYNTAX).
    CS_OPT_SYNTAX_INTEL, // X86 Intel asm syntax - default on X86 (CS_OPT_SYNTAX).
    CS_OPT_SYNTAX_ATT, // X86 ATT asm syntax (CS_OPT_SYNTAX).
    CS_OPT_SYNTAX_NOREGNAME, // Prints register name with only number (CS_OPT_SYNTAX)
    CS_OPT_SYNTAX_MASM, // X86 Intel Masm syntax (CS_OPT_SYNTAX).
} cs_opt_value;

//> Common instruction operand types - to be consistent across all architectures.
typedef enum cs_op_type
{
    CS_OP_INVALID = 0, // uninitialized/invalid operand.
    CS_OP_REG, // Register operand.
    CS_OP_IMM, // Immediate operand.
    CS_OP_MEM, // Memory operand.
    CS_OP_FP, // Floating-Point operand.
} cs_op_type;

//> Common instruction operand access types - to be consistent across all architectures.
//> It is possible to combine access types, for example: CS_AC_READ | CS_AC_WRITE
typedef enum cs_ac_type
{
    CS_AC_INVALID = 0, // Uninitialized/invalid access type.
    CS_AC_READ = 1 << 0, // Operand read from memory or register.
    CS_AC_WRITE = 1 << 1, // Operand write to memory or register.
} cs_ac_type;

//> Common instruction groups - to be consistent across all architectures.
typedef enum cs_group_type
{
    CS_GRP_INVALID = 0, // uninitialized/invalid group.
    CS_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
    CS_GRP_CALL, // all call instructions
    CS_GRP_RET, // all return instructions
    CS_GRP_INT, // all interrupt instructions (int+syscall)
    CS_GRP_IRET, // all interrupt return instructions
    CS_GRP_PRIVILEGE, // all privileged instructions
} cs_group_type;

/*
User-defined callback function for SKIPDATA option.
See tests/test_skipdata.c for sample code demonstrating this API.

@code: the input buffer containing code to be disassembled.
This is the same buffer passed to cs_disasm().
@code_size: size (in bytes) of the above @code buffer.
@offset: the position of the currently-examining byte in the input
buffer @code mentioned above.
@user_data: user-data passed to cs_option() via @user_data field in
cs_opt_skipdata struct below.

@return: return number of bytes to skip, or 0 to immediately stop disassembling.
NOTE(review): the header does not say whether the engine clamps the returned
count to the (@code_size - @offset) bytes that remain, so a callback should
never return more than that. Confirm in cs_disasm() before relying on it.
*/
typedef size_t (CAPSTONE_API* cs_skipdata_cb_t)(const uint8_t* code, size_t code_size, size_t offset, void* user_data);

// User-customized setup for SKIPDATA option
typedef struct cs_opt_skipdata
{
    // Capstone considers data to skip as special "instructions".
    // User can specify the string for this instruction's "mnemonic" here.
    // By default (if @mnemonic is NULL), Capstone uses ".byte".
    // NOTE(review): the text presumably ends up in cs_insn.mnemonic, which is
    // CS_MNEMONIC_SIZE bytes - keep it shorter than that; whether longer
    // strings are truncated is not documented here.
    const char* mnemonic;

    // User-defined callback function to be called when Capstone hits data.
    // If the returned value from this callback is positive (>0), Capstone
    // will skip exactly that number of bytes & continue. Otherwise, if
    // the callback returns 0, Capstone stops disassembling and returns
    // immediately from cs_disasm()
    // NOTE: if this callback pointer is NULL, Capstone would skip a number
    // of bytes depending on architectures, as following:
    // Arm: 2 bytes (Thumb mode) or 4 bytes.
    // Arm64: 4 bytes.
    // Mips: 4 bytes.
    // PowerPC: 4 bytes.
    // Sparc: 4 bytes.
    // SystemZ: 2 bytes.
    // X86: 1 byte.
    // XCore: 2 bytes.
    cs_skipdata_cb_t callback; // default value is NULL

    // User-defined data to be passed to @callback function pointer.
    void* user_data;
} cs_opt_skipdata;


#include "arm.h"
#include "arm64.h"
#include "m68k.h"
#include "mips.h"
#include "ppc.h"
#include "sparc.h"
#include "systemz.h"
#include "x86.h"
#include "xcore.h"

// NOTE: All information in cs_detail is only available when CS_OPT_DETAIL = CS_OPT_ON
// Each *_count field gives how many leading entries of its array are valid;
// treat entries past the count as garbage.
typedef struct cs_detail
{
    uint16_t regs_read[12]; // list of implicit registers read by this insn
    uint8_t regs_read_count; // number of implicit registers read by this insn

    uint16_t regs_write[20]; // list of implicit registers modified by this insn
    uint8_t regs_write_count; // number of implicit registers modified by this insn

    uint8_t groups[8]; // list of group this instruction belong to
    uint8_t groups_count; // number of groups this insn belongs to

    // Architecture-specific instruction info
    // Only the member matching the cs_arch the handle was opened with is
    // meaningful; reading another member reads unrelated bytes.
    union
    {
        cs_x86 x86; // X86 architecture, including 16-bit, 32-bit & 64-bit mode
        cs_arm64 arm64; // ARM64 architecture (aka AArch64)
        cs_arm arm; // ARM architecture (including Thumb/Thumb2)
        cs_m68k m68k; // M68K architecture
        cs_mips mips; // MIPS architecture
        cs_ppc ppc; // PowerPC architecture
        cs_sparc sparc; // Sparc architecture
        cs_sysz sysz; // SystemZ architecture
        cs_xcore xcore; // XCore architecture
    };
} cs_detail;

// Detail information of disassembled instruction
typedef struct cs_insn
{
    // Instruction ID (basically a numeric ID for the instruction mnemonic)
    // Find the instruction id in the '[ARCH]_insn' enum in the header file
    // of corresponding architecture, such as 'arm_insn' in arm.h for ARM,
    // 'x86_insn' in x86.h for X86, etc...
    // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
    // NOTE: in Skipdata mode, "data" instruction has 0 for this id field.
    unsigned int id;

    // Address (EIP) of this instruction
    // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
    uint64_t address;

    // Size of this instruction
    // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
    // It is also the number of valid leading entries of @bytes; code that
    // copies @bytes out should still bound it by sizeof bytes (16).
    uint16_t size;

    // Machine bytes of this instruction, with number of bytes indicated by @size above
    // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
    uint8_t bytes[16];

    // Ascii text of instruction mnemonic
    // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
    char mnemonic[CS_MNEMONIC_SIZE];

    // Ascii text of instruction operands
    // This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
    char op_str[160];

    // Pointer to cs_detail.
    // NOTE: detail pointer is only valid when both requirements below are met:
    // (1) CS_OPT_DETAIL = CS_OPT_ON
    // (2) Engine is not in Skipdata mode (CS_OPT_SKIPDATA option set to CS_OPT_ON)
    //
    // NOTE 2: when in Skipdata mode, or when detail mode is OFF, even if this pointer
    // is not NULL, its content is still irrelevant.
    cs_detail* detail;
} cs_insn;


// Calculate the offset of a disassembled instruction in its buffer, given its position
// in its array of disassembled insn
// NOTE: this macro works with position (>=1), not index
// NOTE(review): @insns and @post are not parenthesized in the expansion, so
// pass plain identifiers or literals, not compound expressions. @post must
// lie in [1, count] or the subscript is out of bounds; nothing here checks it.
#define CS_INSN_OFFSET(insns, post) (insns[post - 1].address - insns[0].address)


// All type of errors encountered by Capstone API.
// These are values returned by cs_errno()
typedef enum cs_err
{
    CS_ERR_OK = 0, // No error: everything was fine
    CS_ERR_MEM, // Out-Of-Memory error: cs_open(), cs_disasm(), cs_disasm_iter()
    CS_ERR_ARCH, // Unsupported architecture: cs_open()
    CS_ERR_HANDLE, // Invalid handle: cs_op_count(), cs_op_index()
    CS_ERR_CSH, // Invalid csh argument: cs_close(), cs_errno(), cs_option()
    CS_ERR_MODE, // Invalid/unsupported mode: cs_open()
    CS_ERR_OPTION, // Invalid/unsupported option: cs_option()
    CS_ERR_DETAIL, // Information is unavailable because detail option is OFF
    CS_ERR_MEMSETUP, // Dynamic memory management uninitialized (see CS_OPT_MEM)
    CS_ERR_VERSION, // Unsupported version (bindings)
    CS_ERR_DIET, // Access irrelevant data in "diet" engine
    CS_ERR_SKIPDATA, // Access irrelevant data for "data" instruction in SKIPDATA mode
    CS_ERR_X86_ATT, // X86 AT&T syntax is unsupported (opt-out at compile time)
    CS_ERR_X86_INTEL, // X86 Intel syntax is unsupported (opt-out at compile time)
    CS_ERR_X86_MASM, // X86 Masm syntax is unsupported (opt-out at compile time)
} cs_err;

/*
Return combined API version & major and minor version numbers.

@major: major number of API version
@minor: minor number of API version

@return a number encoded as (major << 8 | minor), i.e. both the
major & minor versions in one value.
NOTE: This returned value can be compared with version number made
with macro CS_MAKE_VERSION

For example, second API version would return 1 in @major, and 1 in @minor
The return value would be 0x0101

NOTE: if you only care about returned value, but not major and minor values,
set both @major & @minor arguments to NULL.
*/
CAPSTONE_EXPORT
unsigned int CAPSTONE_API cs_version(int* major, int* minor);


/*
This API can be used to either ask for archs supported by this library,
or check to see if the library was compiled with 'diet' option (or called
in 'diet' mode).

To check if a particular arch is supported by this library, set @query to
arch mode (CS_ARCH_* value).
To verify if this library supports all the archs, use CS_ARCH_ALL.

To check if this library is in 'diet' mode, set @query to CS_SUPPORT_DIET.

@query: a CS_ARCH_* value, CS_ARCH_ALL, or CS_SUPPORT_DIET

@return True if this library supports the given arch, or in 'diet' mode.
*/
CAPSTONE_EXPORT
bool CAPSTONE_API cs_support(int query);

/*
Initialize CS handle: this must be done before any usage of CS.

@arch: architecture type (CS_ARCH_*)
@mode: hardware mode. This is combined of CS_MODE_* values
@handle: pointer to handle, which will be updated at return time

@return CS_ERR_OK on success, or other value on failure (refer to cs_err enum
for detailed error). Release the handle with cs_close() when done.
*/
CAPSTONE_EXPORT
cs_err CAPSTONE_API cs_open(cs_arch arch, cs_mode mode, csh* handle);

/*
Close CS handle: MUST do to release the handle when it is not used anymore.
NOTE: this must be only called when there is no longer usage of Capstone,
not even access to cs_insn array. The reason is that this API releases some
cached memory, thus access to any Capstone API after cs_close() might crash
your application. In practice: cs_free() every cs_insn array obtained from
cs_disasm() or cs_malloc() before calling this.

This API also invalidates @handle by zeroing its value (i.e. *handle = 0).

@handle: pointer to a handle returned by cs_open()

@return CS_ERR_OK on success, or other value on failure (refer to cs_err enum
for detailed error).
*/
CAPSTONE_EXPORT
cs_err CAPSTONE_API cs_close(csh* handle);

/*
Set option for disassembling engine at runtime

@handle: handle returned by cs_open()
@type: type of option to be set
@value: option value corresponding with @type. Presumably a cs_opt_value for
the on/off and syntax options, and the address of the matching cs_opt_mem /
cs_opt_mnem / cs_opt_skipdata struct cast to size_t for CS_OPT_MEM /
CS_OPT_MNEMONIC / CS_OPT_SKIPDATA_SETUP - confirm in cs.c.

@return: CS_ERR_OK on success, or other value on failure.
Refer to cs_err enum for detailed error.

NOTE: in the case of CS_OPT_MEM, handle's value can be anything,
so that cs_option(handle, CS_OPT_MEM, value) can (i.e must) be called
even before cs_open()
*/
CAPSTONE_EXPORT
cs_err CAPSTONE_API cs_option(csh handle, cs_opt_type type, size_t value);

/*
Report the last error number when some API function fails.
Like glibc's errno, cs_errno might not retain its old value once accessed.

@handle: handle returned by cs_open()

@return: error code of cs_err enum type (CS_ERR_*, see above)
*/
CAPSTONE_EXPORT
cs_err CAPSTONE_API cs_errno(csh handle);


/*
Return a string describing given error code.

@code: error code (see CS_ERR_* above)

@return: returns a pointer to a string that describes the error code
passed in the argument @code
*/
CAPSTONE_EXPORT
const char* CAPSTONE_API cs_strerror(cs_err code);

/*
Disassemble binary code, given the code buffer, size, address and number
of instructions to be decoded.
This API dynamically allocates memory to contain the disassembled instructions.
The resulting instructions will be put into @*insn

NOTE 1: this API will automatically determine memory needed to contain
output disassembled instructions in @insn.

NOTE 2: caller must free the allocated memory itself to avoid memory leaking.

NOTE 3: for system with scarce memory to be dynamically allocated such as
OS kernel or firmware, the API cs_disasm_iter() might be a better choice than
cs_disasm(). The reason is that with cs_disasm(), based on limited available
memory, we have to calculate in advance how many instructions to be disassembled,
which complicates things. This is especially troublesome for the case @count=0,
when cs_disasm() runs uncontrollably (until either end of input buffer, or
when it encounters an invalid instruction).

@handle: handle returned by cs_open()
@code: buffer containing raw binary code to be disassembled.
@code_size: size of the above code buffer. Never pass more than the
memory actually backing @code; this is the only bound the engine has.
@address: address of the first instruction in given raw code buffer.
@insn: array of instructions filled in by this API.
NOTE: @insn will be allocated by this function, and should be freed
with cs_free(*insn, n) where n is the value this function returned.
@count: number of instructions to be disassembled, or 0 to get all of them

@return: the number of successfully disassembled instructions,
or 0 if this function failed to disassemble the given code
NOTE(review): on a 0 return the header does not say whether @*insn was
allocated; presumably not, so there is nothing to cs_free() - confirm.

On failure, call cs_errno() for error code.
*/
CAPSTONE_EXPORT
size_t CAPSTONE_API cs_disasm(csh handle,
    const uint8_t* code, size_t code_size,
    uint64_t address,
    size_t count,
    cs_insn** insn);

/*
Deprecated function - to be retired in the next version!
Use cs_disasm() instead of cs_disasm_ex()
*/
CAPSTONE_EXPORT
CAPSTONE_DEPRECATED
size_t CAPSTONE_API cs_disasm_ex(csh handle,
    const uint8_t* code, size_t code_size,
    uint64_t address,
    size_t count,
    cs_insn** insn);

/*
Free memory allocated by cs_malloc() or cs_disasm() (argument @insn)

@insn: pointer returned by @insn argument in cs_disasm() or cs_malloc()
@count: number of cs_insn structures returned by cs_disasm(), or 1
to free memory allocated by cs_malloc(). Pass exactly the count
cs_disasm() returned: each cs_insn carries a cs_detail pointer which is
presumably released per entry, so a wrong count leaks or over-frees.
*/
CAPSTONE_EXPORT
void CAPSTONE_API cs_free(cs_insn* insn, size_t count);


/*
Allocate memory for 1 instruction to be used by cs_disasm_iter().

@handle: handle returned by cs_open()

@return: the new cs_insn. The failure value is not documented here;
check for NULL before use.

NOTE: when no longer in use, you can reclaim the memory allocated for
this instruction with cs_free(insn, 1)
*/
CAPSTONE_EXPORT
cs_insn* CAPSTONE_API cs_malloc(csh handle);

/*
Fast API to disassemble binary code, given the code buffer, size, address
and number of instructions to be decoded.
This API puts the resulting instruction into a given cache in @insn.
See tests/test_iter.c for sample code demonstrating this API.

NOTE 1: this API will update @code, @size & @address to point to the next
instruction in the input buffer. Therefore, it is convenient to use
cs_disasm_iter() inside a loop to quickly iterate all the instructions.
While decoding one instruction at a time can also be achieved with
cs_disasm(count=1), some benchmarks showed that cs_disasm_iter() can be 30%
faster on random input.

NOTE 2: the cache in @insn can be created with cs_malloc() API.

NOTE 3: for system with scarce memory to be dynamically allocated such as
OS kernel or firmware, this API is recommended over cs_disasm(), which
allocates memory based on the number of instructions to be disassembled.
The reason is that with cs_disasm(), based on limited available memory,
we have to calculate in advance how many instructions to be disassembled,
which complicates things. This is especially troublesome for the case
@count=0, when cs_disasm() runs uncontrollably (until either end of input
buffer, or when it encounters an invalid instruction).

@handle: handle returned by cs_open()
@code: buffer containing raw binary code to be disassembled
@code_size: size of above code
@address: address of the first insn in given raw code buffer
@insn: pointer to instruction to be filled in by this API.

@return: true if this API successfully decoded 1 instruction,
or false otherwise.
NOTE(review): whether @code/@size/@address are advanced on a false return is
not documented here; a loop should stop on false rather than re-read them.

On failure, call cs_errno() for error code.
*/
CAPSTONE_EXPORT
bool CAPSTONE_API cs_disasm_iter(csh handle,
    const uint8_t** code, size_t* size,
    uint64_t* address, cs_insn* insn);

/*
Return friendly name of register in a string.
Find the register id from header file of corresponding architecture (arm.h for ARM,
x86.h for X86, ...)

WARN: when in 'diet' mode, this API is irrelevant because engine does not
store register name.

@handle: handle returned by cs_open()
@reg_id: register id

@return: string name of the register, or NULL if @reg_id is invalid.
*/
CAPSTONE_EXPORT
const char* CAPSTONE_API cs_reg_name(csh handle, unsigned int reg_id);

/*
Return friendly name of an instruction in a string.
Find the instruction id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)

WARN: when in 'diet' mode, this API is irrelevant because the engine does not
store instruction name.

@handle: handle returned by cs_open()
@insn_id: instruction id

@return: string name of the instruction, or NULL if @insn_id is invalid.
*/
CAPSTONE_EXPORT
const char* CAPSTONE_API cs_insn_name(csh handle, unsigned int insn_id);

/*
Return friendly name of a group id (that an instruction can belong to)
Find the group id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)

WARN: when in 'diet' mode, this API is irrelevant because the engine does not
store group name.

@handle: handle returned by cs_open()
@group_id: group id

@return: string name of the group, or NULL if @group_id is invalid.
*/
CAPSTONE_EXPORT
const char* CAPSTONE_API cs_group_name(csh handle, unsigned int group_id);

/*
Check if a disassembled instruction belongs to a particular group.
Find the group id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
Internally, this simply verifies if @group_id matches any member of insn->groups array.

NOTE: this API is only valid when detail option is ON (which is OFF by default).

WARN: when in 'diet' mode, this API is irrelevant because the engine does not
update @groups array.

@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@group_id: group that you want to check if this instruction belongs to.

@return: true if this instruction indeed belongs to the above group, or false otherwise.
*/
CAPSTONE_EXPORT
bool CAPSTONE_API cs_insn_group(csh handle, const cs_insn* insn, unsigned int group_id);

/*
Check if a disassembled instruction IMPLICITLY used a particular register.
Find the register id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
Internally, this simply verifies if @reg_id matches any member of insn->regs_read array.

NOTE: this API is only valid when detail option is ON (which is OFF by default)

WARN: when in 'diet' mode, this API is irrelevant because the engine does not
update @regs_read array.

@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@reg_id: register that you want to check if this instruction used it.

@return: true if this instruction indeed implicitly used the above register, or false otherwise.
*/
CAPSTONE_EXPORT
bool CAPSTONE_API cs_reg_read(csh handle, const cs_insn* insn, unsigned int reg_id);

/*
Check if a disassembled instruction IMPLICITLY modified a particular register.
Find the register id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
Internally, this simply verifies if @reg_id matches any member of insn->regs_write array.

NOTE: this API is only valid when detail option is ON (which is OFF by default)

WARN: when in 'diet' mode, this API is irrelevant because the engine does not
update @regs_write array.

@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@reg_id: register that you want to check if this instruction modified it.

@return: true if this instruction indeed implicitly modified the above register, or false otherwise.
*/
CAPSTONE_EXPORT
bool CAPSTONE_API cs_reg_write(csh handle, const cs_insn* insn, unsigned int reg_id);

/*
Count the number of operands of a given type.
Find the operand type in header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)

NOTE: this API is only valid when detail option is ON (which is OFF by default)

@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@op_type: Operand type to be found.

@return: number of operands of given type @op_type in instruction @insn,
or -1 on failure.
*/
CAPSTONE_EXPORT
int CAPSTONE_API cs_op_count(csh handle, const cs_insn* insn, unsigned int op_type);

/*
Retrieve the position of operand of given type in .operands[] array.
Later, the operand can be accessed using the returned position.
Find the operand type in header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)

NOTE: this API is only valid when detail option is ON (which is OFF by default)

@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@op_type: Operand type to be found.
@position: 1-based position of the operand to be found. This must be in the range
[1, cs_op_count(handle, insn, op_type)]

@return: index of operand of given type @op_type in .operands[] array
in instruction @insn, or -1 on failure.
*/
CAPSTONE_EXPORT
int CAPSTONE_API cs_op_index(csh handle, const cs_insn* insn, unsigned int op_type,
    unsigned int position);

// Type of array to keep the list of registers
// Callers must provide a full 64-entry cs_regs; as a parameter the type
// decays to uint16_t *, so cs_regs_access() cannot check the caller's size.
typedef uint16_t cs_regs[64];

/*
Retrieve all the registers accessed by an instruction, either explicitly or
implicitly.
724 | 725 | WARN: when in 'diet' mode, this API is irrelevant because engine does not 726 | store registers. 727 | 728 | @handle: handle returned by cs_open() 729 | @insn: disassembled instruction structure returned from cs_disasm() or cs_disasm_iter() 730 | @regs_read: on return, this array contains all registers read by instruction. 731 | @regs_read_count: number of registers kept inside @regs_read array. 732 | @regs_write: on return, this array contains all registers written by instruction. 733 | @regs_write_count: number of registers kept inside @regs_write array. 734 | 735 | @return CS_ERR_OK on success, or other value on failure (refer to cs_err enum 736 | for detailed error). 737 | */ 738 | CAPSTONE_EXPORT 739 | cs_err CAPSTONE_API cs_regs_access(csh handle, const cs_insn* insn, 740 | cs_regs regs_read, uint8_t* regs_read_count, 741 | cs_regs regs_write, uint8_t* regs_write_count); 742 | 743 | #ifdef __cplusplus 744 | } 745 | #endif 746 | 747 | #endif 748 | -------------------------------------------------------------------------------- /capstone/include/m68k.h: -------------------------------------------------------------------------------- 1 | #ifndef CAPSTONE_M68K_H 2 | #define CAPSTONE_M68K_H 3 | 4 | /* Capstone Disassembly Engine */ 5 | /* By Daniel Collin , 2015-2016 */ 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | #include "platform.h" 12 | 13 | #ifdef _MSC_VER 14 | #pragma warning(disable:4201) 15 | #endif 16 | 17 | #define M68K_OPERAND_COUNT 4 18 | 19 | //> M68K registers and special registers 20 | typedef enum m68k_reg 21 | { 22 | M68K_REG_INVALID = 0, 23 | 24 | M68K_REG_D0, 25 | M68K_REG_D1, 26 | M68K_REG_D2, 27 | M68K_REG_D3, 28 | M68K_REG_D4, 29 | M68K_REG_D5, 30 | M68K_REG_D6, 31 | M68K_REG_D7, 32 | 33 | M68K_REG_A0, 34 | M68K_REG_A1, 35 | M68K_REG_A2, 36 | M68K_REG_A3, 37 | M68K_REG_A4, 38 | M68K_REG_A5, 39 | M68K_REG_A6, 40 | M68K_REG_A7, 41 | 42 | M68K_REG_FP0, 43 | M68K_REG_FP1, 44 | M68K_REG_FP2, 45 | M68K_REG_FP3, 46 | 
M68K_REG_FP4, 47 | M68K_REG_FP5, 48 | M68K_REG_FP6, 49 | M68K_REG_FP7, 50 | 51 | M68K_REG_PC, 52 | 53 | M68K_REG_SR, 54 | M68K_REG_CCR, 55 | M68K_REG_SFC, 56 | M68K_REG_DFC, 57 | M68K_REG_USP, 58 | M68K_REG_VBR, 59 | M68K_REG_CACR, 60 | M68K_REG_CAAR, 61 | M68K_REG_MSP, 62 | M68K_REG_ISP, 63 | M68K_REG_TC, 64 | M68K_REG_ITT0, 65 | M68K_REG_ITT1, 66 | M68K_REG_DTT0, 67 | M68K_REG_DTT1, 68 | M68K_REG_MMUSR, 69 | M68K_REG_URP, 70 | M68K_REG_SRP, 71 | 72 | M68K_REG_FPCR, 73 | M68K_REG_FPSR, 74 | M68K_REG_FPIAR, 75 | 76 | M68K_REG_ENDING, // <-- mark the end of the list of registers 77 | } m68k_reg; 78 | 79 | //> M68K Addressing Modes 80 | typedef enum m68k_address_mode 81 | { 82 | M68K_AM_NONE = 0, // No address mode. 83 | 84 | M68K_AM_REG_DIRECT_DATA, // Register Direct - Data 85 | M68K_AM_REG_DIRECT_ADDR, // Register Direct - Address 86 | 87 | M68K_AM_REGI_ADDR, // Register Indirect - Address 88 | M68K_AM_REGI_ADDR_POST_INC, // Register Indirect - Address with Postincrement 89 | M68K_AM_REGI_ADDR_PRE_DEC, // Register Indirect - Address with Predecrement 90 | M68K_AM_REGI_ADDR_DISP, // Register Indirect - Address with Displacement 91 | 92 | M68K_AM_AREGI_INDEX_8_BIT_DISP, // Address Register Indirect With Index- 8-bit displacement 93 | M68K_AM_AREGI_INDEX_BASE_DISP, // Address Register Indirect With Index- Base displacement 94 | 95 | M68K_AM_MEMI_POST_INDEX, // Memory indirect - Postindex 96 | M68K_AM_MEMI_PRE_INDEX, // Memory indirect - Preindex 97 | 98 | M68K_AM_PCI_DISP, // Program Counter Indirect - with Displacement 99 | 100 | M68K_AM_PCI_INDEX_8_BIT_DISP, // Program Counter Indirect with Index - with 8-Bit Displacement 101 | M68K_AM_PCI_INDEX_BASE_DISP, // Program Counter Indirect with Index - with Base Displacement 102 | 103 | M68K_AM_PC_MEMI_POST_INDEX, // Program Counter Memory Indirect - Postindexed 104 | M68K_AM_PC_MEMI_PRE_INDEX, // Program Counter Memory Indirect - Preindexed 105 | 106 | M68K_AM_ABSOLUTE_DATA_SHORT, // Absolute Data Addressing - Short 107 
| M68K_AM_ABSOLUTE_DATA_LONG, // Absolute Data Addressing - Long 108 | M68K_AM_IMMEDIATE, // Immediate value 109 | } m68k_address_mode; 110 | 111 | //> Operand type for instruction's operands 112 | typedef enum m68k_op_type 113 | { 114 | M68K_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). 115 | M68K_OP_REG, // = CS_OP_REG (Register operand). 116 | M68K_OP_IMM, // = CS_OP_IMM (Immediate operand). 117 | M68K_OP_MEM, // = CS_OP_MEM (Memory operand). 118 | M68K_OP_FP_SINGLE, // single precision Floating-Point operand 119 | M68K_OP_FP_DOUBLE, // double precision Floating-Point operand 120 | M68K_OP_REG_BITS, // Register bits move 121 | M68K_OP_REG_PAIR, // Register pair in the same op (upper 4 bits for first reg, lower for second) 122 | } m68k_op_type; 123 | 124 | // Instruction's operand referring to memory 125 | // This is associated with M68K_OP_MEM operand type above 126 | typedef struct m68k_op_mem 127 | { 128 | m68k_reg base_reg; // base register (or M68K_REG_INVALID if irrelevant) 129 | m68k_reg index_reg; // index register (or M68K_REG_INVALID if irrelevant) 130 | m68k_reg in_base_reg; // indirect base register (or M68K_REG_INVALID if irrelevant) 131 | uint32_t in_disp; // indirect displacement 132 | uint32_t out_disp; // other displacement 133 | uint16_t disp; // displacement value 134 | uint8_t scale; // scale for index register 135 | uint8_t bitfield; // set to true if the two values below should be used 136 | uint8_t width; // used for bf* instructions 137 | uint8_t offset; // used for bf* instructions 138 | uint8_t index_size; // 0 = w, 1 = l 139 | } m68k_op_mem; 140 | 141 | // Instruction operand 142 | typedef struct cs_m68k_op 143 | { 144 | union 145 | { 146 | uint64_t imm; // immediate value for IMM operand 147 | double dimm; // double imm 148 | float simm; // float imm 149 | m68k_reg reg; // register value for REG operand 150 | struct // register pair in one operand 151 | { 152 | m68k_reg reg_0; 153 | m68k_reg reg_1; 154 | } reg_pair; 155 | 
m68k_op_mem mem; // data when operand is targeting memory 156 | uint32_t register_bits; // register bits for movem etc. (always in d0-d7, a0-a7, fp0 - fp7 order) 157 | }; 158 | m68k_op_type type; 159 | m68k_address_mode address_mode; // M68K addressing mode for this op 160 | } cs_m68k_op; 161 | 162 | // Operation size of the CPU instructions 163 | typedef enum m68k_cpu_size 164 | { 165 | M68K_CPU_SIZE_NONE = 0, // unsized or unspecified 166 | M68K_CPU_SIZE_BYTE = 1, // 1 byte in size 167 | M68K_CPU_SIZE_WORD = 2, // 2 bytes in size 168 | M68K_CPU_SIZE_LONG = 4, // 4 bytes in size 169 | } m68k_cpu_size; 170 | 171 | // Operation size of the FPU instructions (Notice that FPU instruction can also use CPU sizes if needed) 172 | typedef enum m68k_fpu_size 173 | { 174 | M68K_FPU_SIZE_NONE = 0, // unsized like fsave/frestore 175 | M68K_FPU_SIZE_SINGLE = 4, // 4 byte in size (single float) 176 | M68K_FPU_SIZE_DOUBLE = 8, // 8 byte in size (double) 177 | M68K_FPU_SIZE_EXTENDED = 12, // 12 byte in size (extended real format) 178 | } m68k_fpu_size; 179 | 180 | // Type of size that is being used for the current instruction 181 | typedef enum m68k_size_type 182 | { 183 | M68K_SIZE_TYPE_INVALID = 0, 184 | 185 | M68K_SIZE_TYPE_CPU, 186 | M68K_SIZE_TYPE_FPU, 187 | } m68k_size_type; 188 | 189 | // Operation size of the current instruction (NOT the actually size of instruction) 190 | typedef struct m68k_op_size 191 | { 192 | m68k_size_type type; 193 | union 194 | { 195 | m68k_cpu_size cpu_size; 196 | m68k_fpu_size fpu_size; 197 | }; 198 | } m68k_op_size; 199 | 200 | // The M68K instruction and it's operands 201 | typedef struct cs_m68k 202 | { 203 | // Number of operands of this instruction or 0 when instruction has no operand. 204 | cs_m68k_op operands[M68K_OPERAND_COUNT]; // operands for this instruction. 
205 | m68k_op_size op_size; // size of data operand works on in bytes (.b, .w, .l, etc) 206 | uint8_t op_count; // number of operands for the instruction 207 | } cs_m68k; 208 | 209 | //> M68K instruction 210 | typedef enum m68k_insn 211 | { 212 | M68K_INS_INVALID = 0, 213 | 214 | M68K_INS_ABCD, 215 | M68K_INS_ADD, 216 | M68K_INS_ADDA, 217 | M68K_INS_ADDI, 218 | M68K_INS_ADDQ, 219 | M68K_INS_ADDX, 220 | M68K_INS_AND, 221 | M68K_INS_ANDI, 222 | M68K_INS_ASL, 223 | M68K_INS_ASR, 224 | M68K_INS_BHS, 225 | M68K_INS_BLO, 226 | M68K_INS_BHI, 227 | M68K_INS_BLS, 228 | M68K_INS_BCC, 229 | M68K_INS_BCS, 230 | M68K_INS_BNE, 231 | M68K_INS_BEQ, 232 | M68K_INS_BVC, 233 | M68K_INS_BVS, 234 | M68K_INS_BPL, 235 | M68K_INS_BMI, 236 | M68K_INS_BGE, 237 | M68K_INS_BLT, 238 | M68K_INS_BGT, 239 | M68K_INS_BLE, 240 | M68K_INS_BRA, 241 | M68K_INS_BSR, 242 | M68K_INS_BCHG, 243 | M68K_INS_BCLR, 244 | M68K_INS_BSET, 245 | M68K_INS_BTST, 246 | M68K_INS_BFCHG, 247 | M68K_INS_BFCLR, 248 | M68K_INS_BFEXTS, 249 | M68K_INS_BFEXTU, 250 | M68K_INS_BFFFO, 251 | M68K_INS_BFINS, 252 | M68K_INS_BFSET, 253 | M68K_INS_BFTST, 254 | M68K_INS_BKPT, 255 | M68K_INS_CALLM, 256 | M68K_INS_CAS, 257 | M68K_INS_CAS2, 258 | M68K_INS_CHK, 259 | M68K_INS_CHK2, 260 | M68K_INS_CLR, 261 | M68K_INS_CMP, 262 | M68K_INS_CMPA, 263 | M68K_INS_CMPI, 264 | M68K_INS_CMPM, 265 | M68K_INS_CMP2, 266 | M68K_INS_CINVL, 267 | M68K_INS_CINVP, 268 | M68K_INS_CINVA, 269 | M68K_INS_CPUSHL, 270 | M68K_INS_CPUSHP, 271 | M68K_INS_CPUSHA, 272 | M68K_INS_DBT, 273 | M68K_INS_DBF, 274 | M68K_INS_DBHI, 275 | M68K_INS_DBLS, 276 | M68K_INS_DBCC, 277 | M68K_INS_DBCS, 278 | M68K_INS_DBNE, 279 | M68K_INS_DBEQ, 280 | M68K_INS_DBVC, 281 | M68K_INS_DBVS, 282 | M68K_INS_DBPL, 283 | M68K_INS_DBMI, 284 | M68K_INS_DBGE, 285 | M68K_INS_DBLT, 286 | M68K_INS_DBGT, 287 | M68K_INS_DBLE, 288 | M68K_INS_DBRA, 289 | M68K_INS_DIVS, 290 | M68K_INS_DIVSL, 291 | M68K_INS_DIVU, 292 | M68K_INS_DIVUL, 293 | M68K_INS_EOR, 294 | M68K_INS_EORI, 295 | M68K_INS_EXG, 296 | 
M68K_INS_EXT, 297 | M68K_INS_EXTB, 298 | M68K_INS_FABS, 299 | M68K_INS_FSABS, 300 | M68K_INS_FDABS, 301 | M68K_INS_FACOS, 302 | M68K_INS_FADD, 303 | M68K_INS_FSADD, 304 | M68K_INS_FDADD, 305 | M68K_INS_FASIN, 306 | M68K_INS_FATAN, 307 | M68K_INS_FATANH, 308 | M68K_INS_FBF, 309 | M68K_INS_FBEQ, 310 | M68K_INS_FBOGT, 311 | M68K_INS_FBOGE, 312 | M68K_INS_FBOLT, 313 | M68K_INS_FBOLE, 314 | M68K_INS_FBOGL, 315 | M68K_INS_FBOR, 316 | M68K_INS_FBUN, 317 | M68K_INS_FBUEQ, 318 | M68K_INS_FBUGT, 319 | M68K_INS_FBUGE, 320 | M68K_INS_FBULT, 321 | M68K_INS_FBULE, 322 | M68K_INS_FBNE, 323 | M68K_INS_FBT, 324 | M68K_INS_FBSF, 325 | M68K_INS_FBSEQ, 326 | M68K_INS_FBGT, 327 | M68K_INS_FBGE, 328 | M68K_INS_FBLT, 329 | M68K_INS_FBLE, 330 | M68K_INS_FBGL, 331 | M68K_INS_FBGLE, 332 | M68K_INS_FBNGLE, 333 | M68K_INS_FBNGL, 334 | M68K_INS_FBNLE, 335 | M68K_INS_FBNLT, 336 | M68K_INS_FBNGE, 337 | M68K_INS_FBNGT, 338 | M68K_INS_FBSNE, 339 | M68K_INS_FBST, 340 | M68K_INS_FCMP, 341 | M68K_INS_FCOS, 342 | M68K_INS_FCOSH, 343 | M68K_INS_FDBF, 344 | M68K_INS_FDBEQ, 345 | M68K_INS_FDBOGT, 346 | M68K_INS_FDBOGE, 347 | M68K_INS_FDBOLT, 348 | M68K_INS_FDBOLE, 349 | M68K_INS_FDBOGL, 350 | M68K_INS_FDBOR, 351 | M68K_INS_FDBUN, 352 | M68K_INS_FDBUEQ, 353 | M68K_INS_FDBUGT, 354 | M68K_INS_FDBUGE, 355 | M68K_INS_FDBULT, 356 | M68K_INS_FDBULE, 357 | M68K_INS_FDBNE, 358 | M68K_INS_FDBT, 359 | M68K_INS_FDBSF, 360 | M68K_INS_FDBSEQ, 361 | M68K_INS_FDBGT, 362 | M68K_INS_FDBGE, 363 | M68K_INS_FDBLT, 364 | M68K_INS_FDBLE, 365 | M68K_INS_FDBGL, 366 | M68K_INS_FDBGLE, 367 | M68K_INS_FDBNGLE, 368 | M68K_INS_FDBNGL, 369 | M68K_INS_FDBNLE, 370 | M68K_INS_FDBNLT, 371 | M68K_INS_FDBNGE, 372 | M68K_INS_FDBNGT, 373 | M68K_INS_FDBSNE, 374 | M68K_INS_FDBST, 375 | M68K_INS_FDIV, 376 | M68K_INS_FSDIV, 377 | M68K_INS_FDDIV, 378 | M68K_INS_FETOX, 379 | M68K_INS_FETOXM1, 380 | M68K_INS_FGETEXP, 381 | M68K_INS_FGETMAN, 382 | M68K_INS_FINT, 383 | M68K_INS_FINTRZ, 384 | M68K_INS_FLOG10, 385 | M68K_INS_FLOG2, 386 | M68K_INS_FLOGN, 
387 | M68K_INS_FLOGNP1, 388 | M68K_INS_FMOD, 389 | M68K_INS_FMOVE, 390 | M68K_INS_FSMOVE, 391 | M68K_INS_FDMOVE, 392 | M68K_INS_FMOVECR, 393 | M68K_INS_FMOVEM, 394 | M68K_INS_FMUL, 395 | M68K_INS_FSMUL, 396 | M68K_INS_FDMUL, 397 | M68K_INS_FNEG, 398 | M68K_INS_FSNEG, 399 | M68K_INS_FDNEG, 400 | M68K_INS_FNOP, 401 | M68K_INS_FREM, 402 | M68K_INS_FRESTORE, 403 | M68K_INS_FSAVE, 404 | M68K_INS_FSCALE, 405 | M68K_INS_FSGLDIV, 406 | M68K_INS_FSGLMUL, 407 | M68K_INS_FSIN, 408 | M68K_INS_FSINCOS, 409 | M68K_INS_FSINH, 410 | M68K_INS_FSQRT, 411 | M68K_INS_FSSQRT, 412 | M68K_INS_FDSQRT, 413 | M68K_INS_FSF, 414 | M68K_INS_FSBEQ, 415 | M68K_INS_FSOGT, 416 | M68K_INS_FSOGE, 417 | M68K_INS_FSOLT, 418 | M68K_INS_FSOLE, 419 | M68K_INS_FSOGL, 420 | M68K_INS_FSOR, 421 | M68K_INS_FSUN, 422 | M68K_INS_FSUEQ, 423 | M68K_INS_FSUGT, 424 | M68K_INS_FSUGE, 425 | M68K_INS_FSULT, 426 | M68K_INS_FSULE, 427 | M68K_INS_FSNE, 428 | M68K_INS_FST, 429 | M68K_INS_FSSF, 430 | M68K_INS_FSSEQ, 431 | M68K_INS_FSGT, 432 | M68K_INS_FSGE, 433 | M68K_INS_FSLT, 434 | M68K_INS_FSLE, 435 | M68K_INS_FSGL, 436 | M68K_INS_FSGLE, 437 | M68K_INS_FSNGLE, 438 | M68K_INS_FSNGL, 439 | M68K_INS_FSNLE, 440 | M68K_INS_FSNLT, 441 | M68K_INS_FSNGE, 442 | M68K_INS_FSNGT, 443 | M68K_INS_FSSNE, 444 | M68K_INS_FSST, 445 | M68K_INS_FSUB, 446 | M68K_INS_FSSUB, 447 | M68K_INS_FDSUB, 448 | M68K_INS_FTAN, 449 | M68K_INS_FTANH, 450 | M68K_INS_FTENTOX, 451 | M68K_INS_FTRAPF, 452 | M68K_INS_FTRAPEQ, 453 | M68K_INS_FTRAPOGT, 454 | M68K_INS_FTRAPOGE, 455 | M68K_INS_FTRAPOLT, 456 | M68K_INS_FTRAPOLE, 457 | M68K_INS_FTRAPOGL, 458 | M68K_INS_FTRAPOR, 459 | M68K_INS_FTRAPUN, 460 | M68K_INS_FTRAPUEQ, 461 | M68K_INS_FTRAPUGT, 462 | M68K_INS_FTRAPUGE, 463 | M68K_INS_FTRAPULT, 464 | M68K_INS_FTRAPULE, 465 | M68K_INS_FTRAPNE, 466 | M68K_INS_FTRAPT, 467 | M68K_INS_FTRAPSF, 468 | M68K_INS_FTRAPSEQ, 469 | M68K_INS_FTRAPGT, 470 | M68K_INS_FTRAPGE, 471 | M68K_INS_FTRAPLT, 472 | M68K_INS_FTRAPLE, 473 | M68K_INS_FTRAPGL, 474 | M68K_INS_FTRAPGLE, 475 | 
M68K_INS_FTRAPNGLE, 476 | M68K_INS_FTRAPNGL, 477 | M68K_INS_FTRAPNLE, 478 | M68K_INS_FTRAPNLT, 479 | M68K_INS_FTRAPNGE, 480 | M68K_INS_FTRAPNGT, 481 | M68K_INS_FTRAPSNE, 482 | M68K_INS_FTRAPST, 483 | M68K_INS_FTST, 484 | M68K_INS_FTWOTOX, 485 | M68K_INS_HALT, 486 | M68K_INS_ILLEGAL, 487 | M68K_INS_JMP, 488 | M68K_INS_JSR, 489 | M68K_INS_LEA, 490 | M68K_INS_LINK, 491 | M68K_INS_LPSTOP, 492 | M68K_INS_LSL, 493 | M68K_INS_LSR, 494 | M68K_INS_MOVE, 495 | M68K_INS_MOVEA, 496 | M68K_INS_MOVEC, 497 | M68K_INS_MOVEM, 498 | M68K_INS_MOVEP, 499 | M68K_INS_MOVEQ, 500 | M68K_INS_MOVES, 501 | M68K_INS_MOVE16, 502 | M68K_INS_MULS, 503 | M68K_INS_MULU, 504 | M68K_INS_NBCD, 505 | M68K_INS_NEG, 506 | M68K_INS_NEGX, 507 | M68K_INS_NOP, 508 | M68K_INS_NOT, 509 | M68K_INS_OR, 510 | M68K_INS_ORI, 511 | M68K_INS_PACK, 512 | M68K_INS_PEA, 513 | M68K_INS_PFLUSH, 514 | M68K_INS_PFLUSHA, 515 | M68K_INS_PFLUSHAN, 516 | M68K_INS_PFLUSHN, 517 | M68K_INS_PLOADR, 518 | M68K_INS_PLOADW, 519 | M68K_INS_PLPAR, 520 | M68K_INS_PLPAW, 521 | M68K_INS_PMOVE, 522 | M68K_INS_PMOVEFD, 523 | M68K_INS_PTESTR, 524 | M68K_INS_PTESTW, 525 | M68K_INS_PULSE, 526 | M68K_INS_REMS, 527 | M68K_INS_REMU, 528 | M68K_INS_RESET, 529 | M68K_INS_ROL, 530 | M68K_INS_ROR, 531 | M68K_INS_ROXL, 532 | M68K_INS_ROXR, 533 | M68K_INS_RTD, 534 | M68K_INS_RTE, 535 | M68K_INS_RTM, 536 | M68K_INS_RTR, 537 | M68K_INS_RTS, 538 | M68K_INS_SBCD, 539 | M68K_INS_ST, 540 | M68K_INS_SF, 541 | M68K_INS_SHI, 542 | M68K_INS_SLS, 543 | M68K_INS_SCC, 544 | M68K_INS_SHS, 545 | M68K_INS_SCS, 546 | M68K_INS_SLO, 547 | M68K_INS_SNE, 548 | M68K_INS_SEQ, 549 | M68K_INS_SVC, 550 | M68K_INS_SVS, 551 | M68K_INS_SPL, 552 | M68K_INS_SMI, 553 | M68K_INS_SGE, 554 | M68K_INS_SLT, 555 | M68K_INS_SGT, 556 | M68K_INS_SLE, 557 | M68K_INS_STOP, 558 | M68K_INS_SUB, 559 | M68K_INS_SUBA, 560 | M68K_INS_SUBI, 561 | M68K_INS_SUBQ, 562 | M68K_INS_SUBX, 563 | M68K_INS_SWAP, 564 | M68K_INS_TAS, 565 | M68K_INS_TRAP, 566 | M68K_INS_TRAPV, 567 | M68K_INS_TRAPT, 568 | 
M68K_INS_TRAPF, 569 | M68K_INS_TRAPHI, 570 | M68K_INS_TRAPLS, 571 | M68K_INS_TRAPCC, 572 | M68K_INS_TRAPHS, 573 | M68K_INS_TRAPCS, 574 | M68K_INS_TRAPLO, 575 | M68K_INS_TRAPNE, 576 | M68K_INS_TRAPEQ, 577 | M68K_INS_TRAPVC, 578 | M68K_INS_TRAPVS, 579 | M68K_INS_TRAPPL, 580 | M68K_INS_TRAPMI, 581 | M68K_INS_TRAPGE, 582 | M68K_INS_TRAPLT, 583 | M68K_INS_TRAPGT, 584 | M68K_INS_TRAPLE, 585 | M68K_INS_TST, 586 | M68K_INS_UNLK, 587 | M68K_INS_UNPK, 588 | M68K_INS_ENDING, // <-- mark the end of the list of instructions 589 | 590 | } m68k_insn; 591 | 592 | //> Group of M68K instructions 593 | typedef enum m68k_group_type 594 | { 595 | M68K_GRP_INVALID = 0, // CS_GRUP_INVALID 596 | M68K_GRP_JUMP, // = CS_GRP_JUMP 597 | M68K_GRP_RET = 3, // = CS_GRP_RET 598 | M68K_GRP_IRET = 5, // = CS_GRP_IRET 599 | 600 | M68K_GRP_ENDING,// <-- mark the end of the list of groups 601 | } m68k_group_type; 602 | 603 | #ifdef __cplusplus 604 | } 605 | #endif 606 | 607 | #endif 608 | -------------------------------------------------------------------------------- /capstone/include/mips.h: -------------------------------------------------------------------------------- 1 | #ifndef CAPSTONE_MIPS_H 2 | #define CAPSTONE_MIPS_H 3 | 4 | /* Capstone Disassembly Engine */ 5 | /* By Nguyen Anh Quynh , 2013-2015 */ 6 | 7 | #ifdef __cplusplus 8 | extern "C" { 9 | #endif 10 | 11 | #include "platform.h" 12 | 13 | // GCC MIPS toolchain has a default macro called "mips" which breaks 14 | // compilation 15 | #undef mips 16 | 17 | #ifdef _MSC_VER 18 | #pragma warning(disable:4201) 19 | #endif 20 | 21 | //> Operand type for instruction's operands 22 | typedef enum mips_op_type 23 | { 24 | MIPS_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized). 25 | MIPS_OP_REG, // = CS_OP_REG (Register operand). 26 | MIPS_OP_IMM, // = CS_OP_IMM (Immediate operand). 27 | MIPS_OP_MEM, // = CS_OP_MEM (Memory operand). 
28 | } mips_op_type; 29 | 30 | //> MIPS registers 31 | typedef enum mips_reg 32 | { 33 | MIPS_REG_INVALID = 0, 34 | //> General purpose registers 35 | MIPS_REG_PC, 36 | 37 | MIPS_REG_0, 38 | MIPS_REG_1, 39 | MIPS_REG_2, 40 | MIPS_REG_3, 41 | MIPS_REG_4, 42 | MIPS_REG_5, 43 | MIPS_REG_6, 44 | MIPS_REG_7, 45 | MIPS_REG_8, 46 | MIPS_REG_9, 47 | MIPS_REG_10, 48 | MIPS_REG_11, 49 | MIPS_REG_12, 50 | MIPS_REG_13, 51 | MIPS_REG_14, 52 | MIPS_REG_15, 53 | MIPS_REG_16, 54 | MIPS_REG_17, 55 | MIPS_REG_18, 56 | MIPS_REG_19, 57 | MIPS_REG_20, 58 | MIPS_REG_21, 59 | MIPS_REG_22, 60 | MIPS_REG_23, 61 | MIPS_REG_24, 62 | MIPS_REG_25, 63 | MIPS_REG_26, 64 | MIPS_REG_27, 65 | MIPS_REG_28, 66 | MIPS_REG_29, 67 | MIPS_REG_30, 68 | MIPS_REG_31, 69 | 70 | //> DSP registers 71 | MIPS_REG_DSPCCOND, 72 | MIPS_REG_DSPCARRY, 73 | MIPS_REG_DSPEFI, 74 | MIPS_REG_DSPOUTFLAG, 75 | MIPS_REG_DSPOUTFLAG16_19, 76 | MIPS_REG_DSPOUTFLAG20, 77 | MIPS_REG_DSPOUTFLAG21, 78 | MIPS_REG_DSPOUTFLAG22, 79 | MIPS_REG_DSPOUTFLAG23, 80 | MIPS_REG_DSPPOS, 81 | MIPS_REG_DSPSCOUNT, 82 | 83 | //> ACC registers 84 | MIPS_REG_AC0, 85 | MIPS_REG_AC1, 86 | MIPS_REG_AC2, 87 | MIPS_REG_AC3, 88 | 89 | //> COP registers 90 | MIPS_REG_CC0, 91 | MIPS_REG_CC1, 92 | MIPS_REG_CC2, 93 | MIPS_REG_CC3, 94 | MIPS_REG_CC4, 95 | MIPS_REG_CC5, 96 | MIPS_REG_CC6, 97 | MIPS_REG_CC7, 98 | 99 | //> FPU registers 100 | MIPS_REG_F0, 101 | MIPS_REG_F1, 102 | MIPS_REG_F2, 103 | MIPS_REG_F3, 104 | MIPS_REG_F4, 105 | MIPS_REG_F5, 106 | MIPS_REG_F6, 107 | MIPS_REG_F7, 108 | MIPS_REG_F8, 109 | MIPS_REG_F9, 110 | MIPS_REG_F10, 111 | MIPS_REG_F11, 112 | MIPS_REG_F12, 113 | MIPS_REG_F13, 114 | MIPS_REG_F14, 115 | MIPS_REG_F15, 116 | MIPS_REG_F16, 117 | MIPS_REG_F17, 118 | MIPS_REG_F18, 119 | MIPS_REG_F19, 120 | MIPS_REG_F20, 121 | MIPS_REG_F21, 122 | MIPS_REG_F22, 123 | MIPS_REG_F23, 124 | MIPS_REG_F24, 125 | MIPS_REG_F25, 126 | MIPS_REG_F26, 127 | MIPS_REG_F27, 128 | MIPS_REG_F28, 129 | MIPS_REG_F29, 130 | MIPS_REG_F30, 131 | MIPS_REG_F31, 132 | 
133 | MIPS_REG_FCC0, 134 | MIPS_REG_FCC1, 135 | MIPS_REG_FCC2, 136 | MIPS_REG_FCC3, 137 | MIPS_REG_FCC4, 138 | MIPS_REG_FCC5, 139 | MIPS_REG_FCC6, 140 | MIPS_REG_FCC7, 141 | 142 | //> AFPR128 143 | MIPS_REG_W0, 144 | MIPS_REG_W1, 145 | MIPS_REG_W2, 146 | MIPS_REG_W3, 147 | MIPS_REG_W4, 148 | MIPS_REG_W5, 149 | MIPS_REG_W6, 150 | MIPS_REG_W7, 151 | MIPS_REG_W8, 152 | MIPS_REG_W9, 153 | MIPS_REG_W10, 154 | MIPS_REG_W11, 155 | MIPS_REG_W12, 156 | MIPS_REG_W13, 157 | MIPS_REG_W14, 158 | MIPS_REG_W15, 159 | MIPS_REG_W16, 160 | MIPS_REG_W17, 161 | MIPS_REG_W18, 162 | MIPS_REG_W19, 163 | MIPS_REG_W20, 164 | MIPS_REG_W21, 165 | MIPS_REG_W22, 166 | MIPS_REG_W23, 167 | MIPS_REG_W24, 168 | MIPS_REG_W25, 169 | MIPS_REG_W26, 170 | MIPS_REG_W27, 171 | MIPS_REG_W28, 172 | MIPS_REG_W29, 173 | MIPS_REG_W30, 174 | MIPS_REG_W31, 175 | 176 | MIPS_REG_HI, 177 | MIPS_REG_LO, 178 | 179 | MIPS_REG_P0, 180 | MIPS_REG_P1, 181 | MIPS_REG_P2, 182 | 183 | MIPS_REG_MPL0, 184 | MIPS_REG_MPL1, 185 | MIPS_REG_MPL2, 186 | 187 | MIPS_REG_ENDING, // <-- mark the end of the list or registers 188 | 189 | // alias registers 190 | MIPS_REG_ZERO = MIPS_REG_0, 191 | MIPS_REG_AT = MIPS_REG_1, 192 | MIPS_REG_V0 = MIPS_REG_2, 193 | MIPS_REG_V1 = MIPS_REG_3, 194 | MIPS_REG_A0 = MIPS_REG_4, 195 | MIPS_REG_A1 = MIPS_REG_5, 196 | MIPS_REG_A2 = MIPS_REG_6, 197 | MIPS_REG_A3 = MIPS_REG_7, 198 | MIPS_REG_T0 = MIPS_REG_8, 199 | MIPS_REG_T1 = MIPS_REG_9, 200 | MIPS_REG_T2 = MIPS_REG_10, 201 | MIPS_REG_T3 = MIPS_REG_11, 202 | MIPS_REG_T4 = MIPS_REG_12, 203 | MIPS_REG_T5 = MIPS_REG_13, 204 | MIPS_REG_T6 = MIPS_REG_14, 205 | MIPS_REG_T7 = MIPS_REG_15, 206 | MIPS_REG_S0 = MIPS_REG_16, 207 | MIPS_REG_S1 = MIPS_REG_17, 208 | MIPS_REG_S2 = MIPS_REG_18, 209 | MIPS_REG_S3 = MIPS_REG_19, 210 | MIPS_REG_S4 = MIPS_REG_20, 211 | MIPS_REG_S5 = MIPS_REG_21, 212 | MIPS_REG_S6 = MIPS_REG_22, 213 | MIPS_REG_S7 = MIPS_REG_23, 214 | MIPS_REG_T8 = MIPS_REG_24, 215 | MIPS_REG_T9 = MIPS_REG_25, 216 | MIPS_REG_K0 = MIPS_REG_26, 217 | 
MIPS_REG_K1 = MIPS_REG_27, 218 | MIPS_REG_GP = MIPS_REG_28, 219 | MIPS_REG_SP = MIPS_REG_29, 220 | MIPS_REG_FP = MIPS_REG_30, MIPS_REG_S8 = MIPS_REG_30, 221 | MIPS_REG_RA = MIPS_REG_31, 222 | 223 | MIPS_REG_HI0 = MIPS_REG_AC0, 224 | MIPS_REG_HI1 = MIPS_REG_AC1, 225 | MIPS_REG_HI2 = MIPS_REG_AC2, 226 | MIPS_REG_HI3 = MIPS_REG_AC3, 227 | 228 | MIPS_REG_LO0 = MIPS_REG_HI0, 229 | MIPS_REG_LO1 = MIPS_REG_HI1, 230 | MIPS_REG_LO2 = MIPS_REG_HI2, 231 | MIPS_REG_LO3 = MIPS_REG_HI3, 232 | } mips_reg; 233 | 234 | // Instruction's operand referring to memory 235 | // This is associated with MIPS_OP_MEM operand type above 236 | typedef struct mips_op_mem 237 | { 238 | mips_reg base; // base register 239 | int64_t disp; // displacement/offset value 240 | } mips_op_mem; 241 | 242 | // Instruction operand 243 | typedef struct cs_mips_op 244 | { 245 | mips_op_type type; // operand type 246 | union 247 | { 248 | mips_reg reg; // register value for REG operand 249 | int64_t imm; // immediate value for IMM operand 250 | mips_op_mem mem; // base/index/scale/disp value for MEM operand 251 | }; 252 | } cs_mips_op; 253 | 254 | // Instruction structure 255 | typedef struct cs_mips 256 | { 257 | // Number of operands of this instruction, 258 | // or 0 when instruction has no operand. 259 | uint8_t op_count; 260 | cs_mips_op operands[8]; // operands for this instruction. 
261 | } cs_mips; 262 | 263 | //> MIPS instruction 264 | typedef enum mips_insn 265 | { 266 | MIPS_INS_INVALID = 0, 267 | 268 | MIPS_INS_ABSQ_S, 269 | MIPS_INS_ADD, 270 | MIPS_INS_ADDIUPC, 271 | MIPS_INS_ADDIUR1SP, 272 | MIPS_INS_ADDIUR2, 273 | MIPS_INS_ADDIUS5, 274 | MIPS_INS_ADDIUSP, 275 | MIPS_INS_ADDQH, 276 | MIPS_INS_ADDQH_R, 277 | MIPS_INS_ADDQ, 278 | MIPS_INS_ADDQ_S, 279 | MIPS_INS_ADDSC, 280 | MIPS_INS_ADDS_A, 281 | MIPS_INS_ADDS_S, 282 | MIPS_INS_ADDS_U, 283 | MIPS_INS_ADDU16, 284 | MIPS_INS_ADDUH, 285 | MIPS_INS_ADDUH_R, 286 | MIPS_INS_ADDU, 287 | MIPS_INS_ADDU_S, 288 | MIPS_INS_ADDVI, 289 | MIPS_INS_ADDV, 290 | MIPS_INS_ADDWC, 291 | MIPS_INS_ADD_A, 292 | MIPS_INS_ADDI, 293 | MIPS_INS_ADDIU, 294 | MIPS_INS_ALIGN, 295 | MIPS_INS_ALUIPC, 296 | MIPS_INS_AND, 297 | MIPS_INS_AND16, 298 | MIPS_INS_ANDI16, 299 | MIPS_INS_ANDI, 300 | MIPS_INS_APPEND, 301 | MIPS_INS_ASUB_S, 302 | MIPS_INS_ASUB_U, 303 | MIPS_INS_AUI, 304 | MIPS_INS_AUIPC, 305 | MIPS_INS_AVER_S, 306 | MIPS_INS_AVER_U, 307 | MIPS_INS_AVE_S, 308 | MIPS_INS_AVE_U, 309 | MIPS_INS_B16, 310 | MIPS_INS_BADDU, 311 | MIPS_INS_BAL, 312 | MIPS_INS_BALC, 313 | MIPS_INS_BALIGN, 314 | MIPS_INS_BBIT0, 315 | MIPS_INS_BBIT032, 316 | MIPS_INS_BBIT1, 317 | MIPS_INS_BBIT132, 318 | MIPS_INS_BC, 319 | MIPS_INS_BC0F, 320 | MIPS_INS_BC0FL, 321 | MIPS_INS_BC0T, 322 | MIPS_INS_BC0TL, 323 | MIPS_INS_BC1EQZ, 324 | MIPS_INS_BC1F, 325 | MIPS_INS_BC1FL, 326 | MIPS_INS_BC1NEZ, 327 | MIPS_INS_BC1T, 328 | MIPS_INS_BC1TL, 329 | MIPS_INS_BC2EQZ, 330 | MIPS_INS_BC2F, 331 | MIPS_INS_BC2FL, 332 | MIPS_INS_BC2NEZ, 333 | MIPS_INS_BC2T, 334 | MIPS_INS_BC2TL, 335 | MIPS_INS_BC3F, 336 | MIPS_INS_BC3FL, 337 | MIPS_INS_BC3T, 338 | MIPS_INS_BC3TL, 339 | MIPS_INS_BCLRI, 340 | MIPS_INS_BCLR, 341 | MIPS_INS_BEQ, 342 | MIPS_INS_BEQC, 343 | MIPS_INS_BEQL, 344 | MIPS_INS_BEQZ16, 345 | MIPS_INS_BEQZALC, 346 | MIPS_INS_BEQZC, 347 | MIPS_INS_BGEC, 348 | MIPS_INS_BGEUC, 349 | MIPS_INS_BGEZ, 350 | MIPS_INS_BGEZAL, 351 | MIPS_INS_BGEZALC, 352 | 
MIPS_INS_BGEZALL, 353 | MIPS_INS_BGEZALS, 354 | MIPS_INS_BGEZC, 355 | MIPS_INS_BGEZL, 356 | MIPS_INS_BGTZ, 357 | MIPS_INS_BGTZALC, 358 | MIPS_INS_BGTZC, 359 | MIPS_INS_BGTZL, 360 | MIPS_INS_BINSLI, 361 | MIPS_INS_BINSL, 362 | MIPS_INS_BINSRI, 363 | MIPS_INS_BINSR, 364 | MIPS_INS_BITREV, 365 | MIPS_INS_BITSWAP, 366 | MIPS_INS_BLEZ, 367 | MIPS_INS_BLEZALC, 368 | MIPS_INS_BLEZC, 369 | MIPS_INS_BLEZL, 370 | MIPS_INS_BLTC, 371 | MIPS_INS_BLTUC, 372 | MIPS_INS_BLTZ, 373 | MIPS_INS_BLTZAL, 374 | MIPS_INS_BLTZALC, 375 | MIPS_INS_BLTZALL, 376 | MIPS_INS_BLTZALS, 377 | MIPS_INS_BLTZC, 378 | MIPS_INS_BLTZL, 379 | MIPS_INS_BMNZI, 380 | MIPS_INS_BMNZ, 381 | MIPS_INS_BMZI, 382 | MIPS_INS_BMZ, 383 | MIPS_INS_BNE, 384 | MIPS_INS_BNEC, 385 | MIPS_INS_BNEGI, 386 | MIPS_INS_BNEG, 387 | MIPS_INS_BNEL, 388 | MIPS_INS_BNEZ16, 389 | MIPS_INS_BNEZALC, 390 | MIPS_INS_BNEZC, 391 | MIPS_INS_BNVC, 392 | MIPS_INS_BNZ, 393 | MIPS_INS_BOVC, 394 | MIPS_INS_BPOSGE32, 395 | MIPS_INS_BREAK, 396 | MIPS_INS_BREAK16, 397 | MIPS_INS_BSELI, 398 | MIPS_INS_BSEL, 399 | MIPS_INS_BSETI, 400 | MIPS_INS_BSET, 401 | MIPS_INS_BZ, 402 | MIPS_INS_BEQZ, 403 | MIPS_INS_B, 404 | MIPS_INS_BNEZ, 405 | MIPS_INS_BTEQZ, 406 | MIPS_INS_BTNEZ, 407 | MIPS_INS_CACHE, 408 | MIPS_INS_CEIL, 409 | MIPS_INS_CEQI, 410 | MIPS_INS_CEQ, 411 | MIPS_INS_CFC1, 412 | MIPS_INS_CFCMSA, 413 | MIPS_INS_CINS, 414 | MIPS_INS_CINS32, 415 | MIPS_INS_CLASS, 416 | MIPS_INS_CLEI_S, 417 | MIPS_INS_CLEI_U, 418 | MIPS_INS_CLE_S, 419 | MIPS_INS_CLE_U, 420 | MIPS_INS_CLO, 421 | MIPS_INS_CLTI_S, 422 | MIPS_INS_CLTI_U, 423 | MIPS_INS_CLT_S, 424 | MIPS_INS_CLT_U, 425 | MIPS_INS_CLZ, 426 | MIPS_INS_CMPGDU, 427 | MIPS_INS_CMPGU, 428 | MIPS_INS_CMPU, 429 | MIPS_INS_CMP, 430 | MIPS_INS_COPY_S, 431 | MIPS_INS_COPY_U, 432 | MIPS_INS_CTC1, 433 | MIPS_INS_CTCMSA, 434 | MIPS_INS_CVT, 435 | MIPS_INS_C, 436 | MIPS_INS_CMPI, 437 | MIPS_INS_DADD, 438 | MIPS_INS_DADDI, 439 | MIPS_INS_DADDIU, 440 | MIPS_INS_DADDU, 441 | MIPS_INS_DAHI, 442 | MIPS_INS_DALIGN, 443 | 
MIPS_INS_DATI, 444 | MIPS_INS_DAUI, 445 | MIPS_INS_DBITSWAP, 446 | MIPS_INS_DCLO, 447 | MIPS_INS_DCLZ, 448 | MIPS_INS_DDIV, 449 | MIPS_INS_DDIVU, 450 | MIPS_INS_DERET, 451 | MIPS_INS_DEXT, 452 | MIPS_INS_DEXTM, 453 | MIPS_INS_DEXTU, 454 | MIPS_INS_DI, 455 | MIPS_INS_DINS, 456 | MIPS_INS_DINSM, 457 | MIPS_INS_DINSU, 458 | MIPS_INS_DIV, 459 | MIPS_INS_DIVU, 460 | MIPS_INS_DIV_S, 461 | MIPS_INS_DIV_U, 462 | MIPS_INS_DLSA, 463 | MIPS_INS_DMFC0, 464 | MIPS_INS_DMFC1, 465 | MIPS_INS_DMFC2, 466 | MIPS_INS_DMOD, 467 | MIPS_INS_DMODU, 468 | MIPS_INS_DMTC0, 469 | MIPS_INS_DMTC1, 470 | MIPS_INS_DMTC2, 471 | MIPS_INS_DMUH, 472 | MIPS_INS_DMUHU, 473 | MIPS_INS_DMUL, 474 | MIPS_INS_DMULT, 475 | MIPS_INS_DMULTU, 476 | MIPS_INS_DMULU, 477 | MIPS_INS_DOTP_S, 478 | MIPS_INS_DOTP_U, 479 | MIPS_INS_DPADD_S, 480 | MIPS_INS_DPADD_U, 481 | MIPS_INS_DPAQX_SA, 482 | MIPS_INS_DPAQX_S, 483 | MIPS_INS_DPAQ_SA, 484 | MIPS_INS_DPAQ_S, 485 | MIPS_INS_DPAU, 486 | MIPS_INS_DPAX, 487 | MIPS_INS_DPA, 488 | MIPS_INS_DPOP, 489 | MIPS_INS_DPSQX_SA, 490 | MIPS_INS_DPSQX_S, 491 | MIPS_INS_DPSQ_SA, 492 | MIPS_INS_DPSQ_S, 493 | MIPS_INS_DPSUB_S, 494 | MIPS_INS_DPSUB_U, 495 | MIPS_INS_DPSU, 496 | MIPS_INS_DPSX, 497 | MIPS_INS_DPS, 498 | MIPS_INS_DROTR, 499 | MIPS_INS_DROTR32, 500 | MIPS_INS_DROTRV, 501 | MIPS_INS_DSBH, 502 | MIPS_INS_DSHD, 503 | MIPS_INS_DSLL, 504 | MIPS_INS_DSLL32, 505 | MIPS_INS_DSLLV, 506 | MIPS_INS_DSRA, 507 | MIPS_INS_DSRA32, 508 | MIPS_INS_DSRAV, 509 | MIPS_INS_DSRL, 510 | MIPS_INS_DSRL32, 511 | MIPS_INS_DSRLV, 512 | MIPS_INS_DSUB, 513 | MIPS_INS_DSUBU, 514 | MIPS_INS_EHB, 515 | MIPS_INS_EI, 516 | MIPS_INS_ERET, 517 | MIPS_INS_EXT, 518 | MIPS_INS_EXTP, 519 | MIPS_INS_EXTPDP, 520 | MIPS_INS_EXTPDPV, 521 | MIPS_INS_EXTPV, 522 | MIPS_INS_EXTRV_RS, 523 | MIPS_INS_EXTRV_R, 524 | MIPS_INS_EXTRV_S, 525 | MIPS_INS_EXTRV, 526 | MIPS_INS_EXTR_RS, 527 | MIPS_INS_EXTR_R, 528 | MIPS_INS_EXTR_S, 529 | MIPS_INS_EXTR, 530 | MIPS_INS_EXTS, 531 | MIPS_INS_EXTS32, 532 | MIPS_INS_ABS, 533 | 
MIPS_INS_FADD, 534 | MIPS_INS_FCAF, 535 | MIPS_INS_FCEQ, 536 | MIPS_INS_FCLASS, 537 | MIPS_INS_FCLE, 538 | MIPS_INS_FCLT, 539 | MIPS_INS_FCNE, 540 | MIPS_INS_FCOR, 541 | MIPS_INS_FCUEQ, 542 | MIPS_INS_FCULE, 543 | MIPS_INS_FCULT, 544 | MIPS_INS_FCUNE, 545 | MIPS_INS_FCUN, 546 | MIPS_INS_FDIV, 547 | MIPS_INS_FEXDO, 548 | MIPS_INS_FEXP2, 549 | MIPS_INS_FEXUPL, 550 | MIPS_INS_FEXUPR, 551 | MIPS_INS_FFINT_S, 552 | MIPS_INS_FFINT_U, 553 | MIPS_INS_FFQL, 554 | MIPS_INS_FFQR, 555 | MIPS_INS_FILL, 556 | MIPS_INS_FLOG2, 557 | MIPS_INS_FLOOR, 558 | MIPS_INS_FMADD, 559 | MIPS_INS_FMAX_A, 560 | MIPS_INS_FMAX, 561 | MIPS_INS_FMIN_A, 562 | MIPS_INS_FMIN, 563 | MIPS_INS_MOV, 564 | MIPS_INS_FMSUB, 565 | MIPS_INS_FMUL, 566 | MIPS_INS_MUL, 567 | MIPS_INS_NEG, 568 | MIPS_INS_FRCP, 569 | MIPS_INS_FRINT, 570 | MIPS_INS_FRSQRT, 571 | MIPS_INS_FSAF, 572 | MIPS_INS_FSEQ, 573 | MIPS_INS_FSLE, 574 | MIPS_INS_FSLT, 575 | MIPS_INS_FSNE, 576 | MIPS_INS_FSOR, 577 | MIPS_INS_FSQRT, 578 | MIPS_INS_SQRT, 579 | MIPS_INS_FSUB, 580 | MIPS_INS_SUB, 581 | MIPS_INS_FSUEQ, 582 | MIPS_INS_FSULE, 583 | MIPS_INS_FSULT, 584 | MIPS_INS_FSUNE, 585 | MIPS_INS_FSUN, 586 | MIPS_INS_FTINT_S, 587 | MIPS_INS_FTINT_U, 588 | MIPS_INS_FTQ, 589 | MIPS_INS_FTRUNC_S, 590 | MIPS_INS_FTRUNC_U, 591 | MIPS_INS_HADD_S, 592 | MIPS_INS_HADD_U, 593 | MIPS_INS_HSUB_S, 594 | MIPS_INS_HSUB_U, 595 | MIPS_INS_ILVEV, 596 | MIPS_INS_ILVL, 597 | MIPS_INS_ILVOD, 598 | MIPS_INS_ILVR, 599 | MIPS_INS_INS, 600 | MIPS_INS_INSERT, 601 | MIPS_INS_INSV, 602 | MIPS_INS_INSVE, 603 | MIPS_INS_J, 604 | MIPS_INS_JAL, 605 | MIPS_INS_JALR, 606 | MIPS_INS_JALRS16, 607 | MIPS_INS_JALRS, 608 | MIPS_INS_JALS, 609 | MIPS_INS_JALX, 610 | MIPS_INS_JIALC, 611 | MIPS_INS_JIC, 612 | MIPS_INS_JR, 613 | MIPS_INS_JR16, 614 | MIPS_INS_JRADDIUSP, 615 | MIPS_INS_JRC, 616 | MIPS_INS_JALRC, 617 | MIPS_INS_LB, 618 | MIPS_INS_LBU16, 619 | MIPS_INS_LBUX, 620 | MIPS_INS_LBU, 621 | MIPS_INS_LD, 622 | MIPS_INS_LDC1, 623 | MIPS_INS_LDC2, 624 | MIPS_INS_LDC3, 625 | MIPS_INS_LDI, 
626 | MIPS_INS_LDL, 627 | MIPS_INS_LDPC, 628 | MIPS_INS_LDR, 629 | MIPS_INS_LDXC1, 630 | MIPS_INS_LH, 631 | MIPS_INS_LHU16, 632 | MIPS_INS_LHX, 633 | MIPS_INS_LHU, 634 | MIPS_INS_LI16, 635 | MIPS_INS_LL, 636 | MIPS_INS_LLD, 637 | MIPS_INS_LSA, 638 | MIPS_INS_LUXC1, 639 | MIPS_INS_LUI, 640 | MIPS_INS_LW, 641 | MIPS_INS_LW16, 642 | MIPS_INS_LWC1, 643 | MIPS_INS_LWC2, 644 | MIPS_INS_LWC3, 645 | MIPS_INS_LWL, 646 | MIPS_INS_LWM16, 647 | MIPS_INS_LWM32, 648 | MIPS_INS_LWPC, 649 | MIPS_INS_LWP, 650 | MIPS_INS_LWR, 651 | MIPS_INS_LWUPC, 652 | MIPS_INS_LWU, 653 | MIPS_INS_LWX, 654 | MIPS_INS_LWXC1, 655 | MIPS_INS_LWXS, 656 | MIPS_INS_LI, 657 | MIPS_INS_MADD, 658 | MIPS_INS_MADDF, 659 | MIPS_INS_MADDR_Q, 660 | MIPS_INS_MADDU, 661 | MIPS_INS_MADDV, 662 | MIPS_INS_MADD_Q, 663 | MIPS_INS_MAQ_SA, 664 | MIPS_INS_MAQ_S, 665 | MIPS_INS_MAXA, 666 | MIPS_INS_MAXI_S, 667 | MIPS_INS_MAXI_U, 668 | MIPS_INS_MAX_A, 669 | MIPS_INS_MAX, 670 | MIPS_INS_MAX_S, 671 | MIPS_INS_MAX_U, 672 | MIPS_INS_MFC0, 673 | MIPS_INS_MFC1, 674 | MIPS_INS_MFC2, 675 | MIPS_INS_MFHC1, 676 | MIPS_INS_MFHI, 677 | MIPS_INS_MFLO, 678 | MIPS_INS_MINA, 679 | MIPS_INS_MINI_S, 680 | MIPS_INS_MINI_U, 681 | MIPS_INS_MIN_A, 682 | MIPS_INS_MIN, 683 | MIPS_INS_MIN_S, 684 | MIPS_INS_MIN_U, 685 | MIPS_INS_MOD, 686 | MIPS_INS_MODSUB, 687 | MIPS_INS_MODU, 688 | MIPS_INS_MOD_S, 689 | MIPS_INS_MOD_U, 690 | MIPS_INS_MOVE, 691 | MIPS_INS_MOVEP, 692 | MIPS_INS_MOVF, 693 | MIPS_INS_MOVN, 694 | MIPS_INS_MOVT, 695 | MIPS_INS_MOVZ, 696 | MIPS_INS_MSUB, 697 | MIPS_INS_MSUBF, 698 | MIPS_INS_MSUBR_Q, 699 | MIPS_INS_MSUBU, 700 | MIPS_INS_MSUBV, 701 | MIPS_INS_MSUB_Q, 702 | MIPS_INS_MTC0, 703 | MIPS_INS_MTC1, 704 | MIPS_INS_MTC2, 705 | MIPS_INS_MTHC1, 706 | MIPS_INS_MTHI, 707 | MIPS_INS_MTHLIP, 708 | MIPS_INS_MTLO, 709 | MIPS_INS_MTM0, 710 | MIPS_INS_MTM1, 711 | MIPS_INS_MTM2, 712 | MIPS_INS_MTP0, 713 | MIPS_INS_MTP1, 714 | MIPS_INS_MTP2, 715 | MIPS_INS_MUH, 716 | MIPS_INS_MUHU, 717 | MIPS_INS_MULEQ_S, 718 | MIPS_INS_MULEU_S, 719 | 
MIPS_INS_MULQ_RS, 720 | MIPS_INS_MULQ_S, 721 | MIPS_INS_MULR_Q, 722 | MIPS_INS_MULSAQ_S, 723 | MIPS_INS_MULSA, 724 | MIPS_INS_MULT, 725 | MIPS_INS_MULTU, 726 | MIPS_INS_MULU, 727 | MIPS_INS_MULV, 728 | MIPS_INS_MUL_Q, 729 | MIPS_INS_MUL_S, 730 | MIPS_INS_NLOC, 731 | MIPS_INS_NLZC, 732 | MIPS_INS_NMADD, 733 | MIPS_INS_NMSUB, 734 | MIPS_INS_NOR, 735 | MIPS_INS_NORI, 736 | MIPS_INS_NOT16, 737 | MIPS_INS_NOT, 738 | MIPS_INS_OR, 739 | MIPS_INS_OR16, 740 | MIPS_INS_ORI, 741 | MIPS_INS_PACKRL, 742 | MIPS_INS_PAUSE, 743 | MIPS_INS_PCKEV, 744 | MIPS_INS_PCKOD, 745 | MIPS_INS_PCNT, 746 | MIPS_INS_PICK, 747 | MIPS_INS_POP, 748 | MIPS_INS_PRECEQU, 749 | MIPS_INS_PRECEQ, 750 | MIPS_INS_PRECEU, 751 | MIPS_INS_PRECRQU_S, 752 | MIPS_INS_PRECRQ, 753 | MIPS_INS_PRECRQ_RS, 754 | MIPS_INS_PRECR, 755 | MIPS_INS_PRECR_SRA, 756 | MIPS_INS_PRECR_SRA_R, 757 | MIPS_INS_PREF, 758 | MIPS_INS_PREPEND, 759 | MIPS_INS_RADDU, 760 | MIPS_INS_RDDSP, 761 | MIPS_INS_RDHWR, 762 | MIPS_INS_REPLV, 763 | MIPS_INS_REPL, 764 | MIPS_INS_RINT, 765 | MIPS_INS_ROTR, 766 | MIPS_INS_ROTRV, 767 | MIPS_INS_ROUND, 768 | MIPS_INS_SAT_S, 769 | MIPS_INS_SAT_U, 770 | MIPS_INS_SB, 771 | MIPS_INS_SB16, 772 | MIPS_INS_SC, 773 | MIPS_INS_SCD, 774 | MIPS_INS_SD, 775 | MIPS_INS_SDBBP, 776 | MIPS_INS_SDBBP16, 777 | MIPS_INS_SDC1, 778 | MIPS_INS_SDC2, 779 | MIPS_INS_SDC3, 780 | MIPS_INS_SDL, 781 | MIPS_INS_SDR, 782 | MIPS_INS_SDXC1, 783 | MIPS_INS_SEB, 784 | MIPS_INS_SEH, 785 | MIPS_INS_SELEQZ, 786 | MIPS_INS_SELNEZ, 787 | MIPS_INS_SEL, 788 | MIPS_INS_SEQ, 789 | MIPS_INS_SEQI, 790 | MIPS_INS_SH, 791 | MIPS_INS_SH16, 792 | MIPS_INS_SHF, 793 | MIPS_INS_SHILO, 794 | MIPS_INS_SHILOV, 795 | MIPS_INS_SHLLV, 796 | MIPS_INS_SHLLV_S, 797 | MIPS_INS_SHLL, 798 | MIPS_INS_SHLL_S, 799 | MIPS_INS_SHRAV, 800 | MIPS_INS_SHRAV_R, 801 | MIPS_INS_SHRA, 802 | MIPS_INS_SHRA_R, 803 | MIPS_INS_SHRLV, 804 | MIPS_INS_SHRL, 805 | MIPS_INS_SLDI, 806 | MIPS_INS_SLD, 807 | MIPS_INS_SLL, 808 | MIPS_INS_SLL16, 809 | MIPS_INS_SLLI, 810 | MIPS_INS_SLLV, 811 | 
MIPS_INS_SLT, 812 | MIPS_INS_SLTI, 813 | MIPS_INS_SLTIU, 814 | MIPS_INS_SLTU, 815 | MIPS_INS_SNE, 816 | MIPS_INS_SNEI, 817 | MIPS_INS_SPLATI, 818 | MIPS_INS_SPLAT, 819 | MIPS_INS_SRA, 820 | MIPS_INS_SRAI, 821 | MIPS_INS_SRARI, 822 | MIPS_INS_SRAR, 823 | MIPS_INS_SRAV, 824 | MIPS_INS_SRL, 825 | MIPS_INS_SRL16, 826 | MIPS_INS_SRLI, 827 | MIPS_INS_SRLRI, 828 | MIPS_INS_SRLR, 829 | MIPS_INS_SRLV, 830 | MIPS_INS_SSNOP, 831 | MIPS_INS_ST, 832 | MIPS_INS_SUBQH, 833 | MIPS_INS_SUBQH_R, 834 | MIPS_INS_SUBQ, 835 | MIPS_INS_SUBQ_S, 836 | MIPS_INS_SUBSUS_U, 837 | MIPS_INS_SUBSUU_S, 838 | MIPS_INS_SUBS_S, 839 | MIPS_INS_SUBS_U, 840 | MIPS_INS_SUBU16, 841 | MIPS_INS_SUBUH, 842 | MIPS_INS_SUBUH_R, 843 | MIPS_INS_SUBU, 844 | MIPS_INS_SUBU_S, 845 | MIPS_INS_SUBVI, 846 | MIPS_INS_SUBV, 847 | MIPS_INS_SUXC1, 848 | MIPS_INS_SW, 849 | MIPS_INS_SW16, 850 | MIPS_INS_SWC1, 851 | MIPS_INS_SWC2, 852 | MIPS_INS_SWC3, 853 | MIPS_INS_SWL, 854 | MIPS_INS_SWM16, 855 | MIPS_INS_SWM32, 856 | MIPS_INS_SWP, 857 | MIPS_INS_SWR, 858 | MIPS_INS_SWXC1, 859 | MIPS_INS_SYNC, 860 | MIPS_INS_SYNCI, 861 | MIPS_INS_SYSCALL, 862 | MIPS_INS_TEQ, 863 | MIPS_INS_TEQI, 864 | MIPS_INS_TGE, 865 | MIPS_INS_TGEI, 866 | MIPS_INS_TGEIU, 867 | MIPS_INS_TGEU, 868 | MIPS_INS_TLBP, 869 | MIPS_INS_TLBR, 870 | MIPS_INS_TLBWI, 871 | MIPS_INS_TLBWR, 872 | MIPS_INS_TLT, 873 | MIPS_INS_TLTI, 874 | MIPS_INS_TLTIU, 875 | MIPS_INS_TLTU, 876 | MIPS_INS_TNE, 877 | MIPS_INS_TNEI, 878 | MIPS_INS_TRUNC, 879 | MIPS_INS_V3MULU, 880 | MIPS_INS_VMM0, 881 | MIPS_INS_VMULU, 882 | MIPS_INS_VSHF, 883 | MIPS_INS_WAIT, 884 | MIPS_INS_WRDSP, 885 | MIPS_INS_WSBH, 886 | MIPS_INS_XOR, 887 | MIPS_INS_XOR16, 888 | MIPS_INS_XORI, 889 | 890 | //> some alias instructions 891 | MIPS_INS_NOP, 892 | MIPS_INS_NEGU, 893 | 894 | //> special instructions 895 | MIPS_INS_JALR_HB, // jump and link with Hazard Barrier 896 | MIPS_INS_JR_HB, // jump register with Hazard Barrier 897 | 898 | MIPS_INS_ENDING, 899 | } mips_insn; 900 | 901 | //> Group of MIPS instructions 
902 | typedef enum mips_insn_group 903 | { 904 | MIPS_GRP_INVALID = 0, // = CS_GRP_INVALID 905 | 906 | //> Generic groups 907 | // all jump instructions (conditional+direct+indirect jumps) 908 | MIPS_GRP_JUMP, // = CS_GRP_JUMP 909 | // all call instructions 910 | MIPS_GRP_CALL, // = CS_GRP_CALL 911 | // all return instructions 912 | MIPS_GRP_RET, // = CS_GRP_RET 913 | // all interrupt instructions (int+syscall) 914 | MIPS_GRP_INT, // = CS_GRP_INT 915 | // all interrupt return instructions 916 | MIPS_GRP_IRET, // = CS_GRP_IRET 917 | // all privileged instructions 918 | MIPS_GRP_PRIVILEGE, // = CS_GRP_PRIVILEGE 919 | 920 | //> Architecture-specific groups 921 | MIPS_GRP_BITCOUNT = 128, 922 | MIPS_GRP_DSP, 923 | MIPS_GRP_DSPR2, 924 | MIPS_GRP_FPIDX, 925 | MIPS_GRP_MSA, 926 | MIPS_GRP_MIPS32R2, 927 | MIPS_GRP_MIPS64, 928 | MIPS_GRP_MIPS64R2, 929 | MIPS_GRP_SEINREG, 930 | MIPS_GRP_STDENC, 931 | MIPS_GRP_SWAP, 932 | MIPS_GRP_MICROMIPS, 933 | MIPS_GRP_MIPS16MODE, 934 | MIPS_GRP_FP64BIT, 935 | MIPS_GRP_NONANSFPMATH, 936 | MIPS_GRP_NOTFP64BIT, 937 | MIPS_GRP_NOTINMICROMIPS, 938 | MIPS_GRP_NOTNACL, 939 | MIPS_GRP_NOTMIPS32R6, 940 | MIPS_GRP_NOTMIPS64R6, 941 | MIPS_GRP_CNMIPS, 942 | MIPS_GRP_MIPS32, 943 | MIPS_GRP_MIPS32R6, 944 | MIPS_GRP_MIPS64R6, 945 | MIPS_GRP_MIPS2, 946 | MIPS_GRP_MIPS3, 947 | MIPS_GRP_MIPS3_32, 948 | MIPS_GRP_MIPS3_32R2, 949 | MIPS_GRP_MIPS4_32, 950 | MIPS_GRP_MIPS4_32R2, 951 | MIPS_GRP_MIPS5_32R2, 952 | MIPS_GRP_GP32BIT, 953 | MIPS_GRP_GP64BIT, 954 | 955 | MIPS_GRP_ENDING, 956 | } mips_insn_group; 957 | 958 | #ifdef __cplusplus 959 | } 960 | #endif 961 | 962 | #endif 963 | -------------------------------------------------------------------------------- /capstone/include/platform.h: -------------------------------------------------------------------------------- 1 | /* Capstone Disassembly Engine */ 2 | /* By Axel Souchet & Nguyen Anh Quynh, 2014 */ 3 | 4 | #ifndef CAPSTONE_PLATFORM_H 5 | #define CAPSTONE_PLATFORM_H 6 | 7 | 8 | // handle C99 issue (for 
pre-2013 VisualStudio) 9 | #if !defined(__CYGWIN__) && !defined(__MINGW32__) && !defined(__MINGW64__) && (defined (WIN32) || defined (WIN64) || defined (_WIN32) || defined (_WIN64)) 10 | // MSVC 11 | 12 | // stdbool.h 13 | #if (_MSC_VER < 1800) || defined(_KERNEL_MODE) 14 | // this system does not have stdbool.h 15 | #ifndef __cplusplus 16 | typedef unsigned char bool; 17 | #define false 0 18 | #define true 1 19 | #endif // __cplusplus 20 | 21 | #else 22 | // VisualStudio 2013+ -> C99 is supported 23 | #include 24 | #endif // (_MSC_VER < 1800) || defined(_KERNEL_MODE) 25 | 26 | #else 27 | // not MSVC -> C99 is supported 28 | #include 29 | #endif // !defined(__CYGWIN__) && !defined(__MINGW32__) && !defined(__MINGW64__) && (defined (WIN32) || defined (WIN64) || defined (_WIN32) || defined (_WIN64)) 30 | 31 | 32 | // handle inttypes.h / stdint.h compatibility 33 | #if defined(_WIN32_WCE) && (_WIN32_WCE < 0x800) 34 | #include "windowsce/stdint.h" 35 | #endif // defined(_WIN32_WCE) && (_WIN32_WCE < 0x800) 36 | 37 | #if defined(CAPSTONE_HAS_OSXKERNEL) || (defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE))) 38 | // this system does not have inttypes.h 39 | 40 | #if defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE)) 41 | // this system does not have stdint.h 42 | typedef signed char int8_t; 43 | typedef signed short int16_t; 44 | typedef signed int int32_t; 45 | typedef unsigned char uint8_t; 46 | typedef unsigned short uint16_t; 47 | typedef unsigned int uint32_t; 48 | typedef signed long long int64_t; 49 | typedef unsigned long long uint64_t; 50 | 51 | #define INT8_MIN (-127i8 - 1) 52 | #define INT16_MIN (-32767i16 - 1) 53 | #define INT32_MIN (-2147483647i32 - 1) 54 | #define INT64_MIN (-9223372036854775807i64 - 1) 55 | #define INT8_MAX 127i8 56 | #define INT16_MAX 32767i16 57 | #define INT32_MAX 2147483647i32 58 | #define INT64_MAX 9223372036854775807i64 59 | #define UINT8_MAX 0xffui8 60 | #define UINT16_MAX 0xffffui16 61 | #define UINT32_MAX 
0xffffffffui32 62 | #define UINT64_MAX 0xffffffffffffffffui64 63 | #endif // defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE)) 64 | 65 | #define __PRI_8_LENGTH_MODIFIER__ "hh" 66 | #define __PRI_64_LENGTH_MODIFIER__ "ll" 67 | 68 | #define PRId8 __PRI_8_LENGTH_MODIFIER__ "d" 69 | #define PRIi8 __PRI_8_LENGTH_MODIFIER__ "i" 70 | #define PRIo8 __PRI_8_LENGTH_MODIFIER__ "o" 71 | #define PRIu8 __PRI_8_LENGTH_MODIFIER__ "u" 72 | #define PRIx8 __PRI_8_LENGTH_MODIFIER__ "x" 73 | #define PRIX8 __PRI_8_LENGTH_MODIFIER__ "X" 74 | 75 | #define PRId16 "hd" 76 | #define PRIi16 "hi" 77 | #define PRIo16 "ho" 78 | #define PRIu16 "hu" 79 | #define PRIx16 "hx" 80 | #define PRIX16 "hX" 81 | 82 | #if defined(_MSC_VER) && _MSC_VER <= 1700 83 | #define PRId32 "ld" 84 | #define PRIi32 "li" 85 | #define PRIo32 "lo" 86 | #define PRIu32 "lu" 87 | #define PRIx32 "lx" 88 | #define PRIX32 "lX" 89 | #else // OSX 90 | #define PRId32 "d" 91 | #define PRIi32 "i" 92 | #define PRIo32 "o" 93 | #define PRIu32 "u" 94 | #define PRIx32 "x" 95 | #define PRIX32 "X" 96 | #endif // defined(_MSC_VER) && _MSC_VER <= 1700 97 | 98 | #define PRId64 __PRI_64_LENGTH_MODIFIER__ "d" 99 | #define PRIi64 __PRI_64_LENGTH_MODIFIER__ "i" 100 | #define PRIo64 __PRI_64_LENGTH_MODIFIER__ "o" 101 | #define PRIu64 __PRI_64_LENGTH_MODIFIER__ "u" 102 | #define PRIx64 __PRI_64_LENGTH_MODIFIER__ "x" 103 | #define PRIX64 __PRI_64_LENGTH_MODIFIER__ "X" 104 | 105 | #else 106 | // this system has inttypes.h by default 107 | #include 108 | #endif // defined(CAPSTONE_HAS_OSXKERNEL) || (defined(_MSC_VER) && (_MSC_VER <= 1700 || defined(_KERNEL_MODE))) 109 | 110 | #endif 111 | -------------------------------------------------------------------------------- /capstone/include/sparc.h: -------------------------------------------------------------------------------- 1 | #ifndef CAPSTONE_SPARC_H 2 | #define CAPSTONE_SPARC_H 3 | 4 | /* Capstone Disassembly Engine */ 5 | /* By Nguyen Anh Quynh , 2014-2015 */ 6 | 7 | #ifdef 
__cplusplus
extern "C" {
#endif

#include "platform.h"

// GCC SPARC toolchain has a default macro called "sparc" which breaks
// compilation
#undef sparc

#ifdef _MSC_VER
#pragma warning(disable:4201)
#endif

//> Enums corresponding to Sparc condition codes, both icc's and fcc's.
// Encoding: integer codes are 256 + code (256..271) and floating-point
// codes are 256 + 16 + code (272..287), so the two sets never collide
// with each other or with SPARC_CC_INVALID.
typedef enum sparc_cc
{
	SPARC_CC_INVALID = 0,	// invalid CC (default)
	//> Integer condition codes
	SPARC_CC_ICC_A   =  8 + 256,  // Always
	SPARC_CC_ICC_N   =  0 + 256,  // Never
	SPARC_CC_ICC_NE  =  9 + 256,  // Not Equal
	SPARC_CC_ICC_E   =  1 + 256,  // Equal
	SPARC_CC_ICC_G   = 10 + 256,  // Greater
	SPARC_CC_ICC_LE  =  2 + 256,  // Less or Equal
	SPARC_CC_ICC_GE  = 11 + 256,  // Greater or Equal
	SPARC_CC_ICC_L   =  3 + 256,  // Less
	SPARC_CC_ICC_GU  = 12 + 256,  // Greater Unsigned
	SPARC_CC_ICC_LEU =  4 + 256,  // Less or Equal Unsigned
	SPARC_CC_ICC_CC  = 13 + 256,  // Carry Clear/Great or Equal Unsigned
	SPARC_CC_ICC_CS  =  5 + 256,  // Carry Set/Less Unsigned
	SPARC_CC_ICC_POS = 14 + 256,  // Positive
	SPARC_CC_ICC_NEG =  6 + 256,  // Negative
	SPARC_CC_ICC_VC  = 15 + 256,  // Overflow Clear
	SPARC_CC_ICC_VS  =  7 + 256,  // Overflow Set

	//> Floating condition codes
	SPARC_CC_FCC_A   =  8 + 16 + 256,  // Always
	SPARC_CC_FCC_N   =  0 + 16 + 256,  // Never
	SPARC_CC_FCC_U   =  7 + 16 + 256,  // Unordered
	SPARC_CC_FCC_G   =  6 + 16 + 256,  // Greater
	SPARC_CC_FCC_UG  =  5 + 16 + 256,  // Unordered or Greater
	SPARC_CC_FCC_L   =  4 + 16 + 256,  // Less
	SPARC_CC_FCC_UL  =  3 + 16 + 256,  // Unordered or Less
	SPARC_CC_FCC_LG  =  2 + 16 + 256,  // Less or Greater
	SPARC_CC_FCC_NE  =  1 + 16 + 256,  // Not Equal
	SPARC_CC_FCC_E   =  9 + 16 + 256,  // Equal
	SPARC_CC_FCC_UE  = 10 + 16 + 256,  // Unordered or Equal
	SPARC_CC_FCC_GE  = 11 + 16 + 256,  // Greater or Equal
	SPARC_CC_FCC_UGE = 12 + 16 + 256,  // Unordered or Greater or Equal
	SPARC_CC_FCC_LE  = 13 + 16 + 256,  // Less or Equal
	SPARC_CC_FCC_ULE = 14 + 16 + 256,  // Unordered or Less or Equal
	SPARC_CC_FCC_O   = 15 + 16 + 256,  // Ordered
} sparc_cc;

//> Branch hint
// These are single-bit flags; cs_sparc.hint below carries a bitwise OR of
// them, so compare with `&`, not `==`.
typedef enum sparc_hint
{
	SPARC_HINT_INVALID = 0,	// no hint
	SPARC_HINT_A	= 1 << 0,	// annul delay slot instruction
	SPARC_HINT_PT	= 1 << 1,	// branch taken
	SPARC_HINT_PN	= 1 << 2,	// branch NOT taken
} sparc_hint;

//> Operand type for instruction's operands
typedef enum sparc_op_type
{
	SPARC_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
	SPARC_OP_REG, // = CS_OP_REG (Register operand).
	SPARC_OP_IMM, // = CS_OP_IMM (Immediate operand).
	SPARC_OP_MEM, // = CS_OP_MEM (Memory operand).
} sparc_op_type;

//> SPARC registers
typedef enum sparc_reg
{
	SPARC_REG_INVALID = 0,

	SPARC_REG_F0,
	SPARC_REG_F1,
	SPARC_REG_F2,
	SPARC_REG_F3,
	SPARC_REG_F4,
	SPARC_REG_F5,
	SPARC_REG_F6,
	SPARC_REG_F7,
	SPARC_REG_F8,
	SPARC_REG_F9,
	SPARC_REG_F10,
	SPARC_REG_F11,
	SPARC_REG_F12,
	SPARC_REG_F13,
	SPARC_REG_F14,
	SPARC_REG_F15,
	SPARC_REG_F16,
	SPARC_REG_F17,
	SPARC_REG_F18,
	SPARC_REG_F19,
	SPARC_REG_F20,
	SPARC_REG_F21,
	SPARC_REG_F22,
	SPARC_REG_F23,
	SPARC_REG_F24,
	SPARC_REG_F25,
	SPARC_REG_F26,
	SPARC_REG_F27,
	SPARC_REG_F28,
	SPARC_REG_F29,
	SPARC_REG_F30,
	SPARC_REG_F31,
	SPARC_REG_F32,
	SPARC_REG_F34,
	SPARC_REG_F36,
	SPARC_REG_F38,
	SPARC_REG_F40,
	SPARC_REG_F42,
	SPARC_REG_F44,
	SPARC_REG_F46,
	SPARC_REG_F48,
	SPARC_REG_F50,
	SPARC_REG_F52,
	SPARC_REG_F54,
	SPARC_REG_F56,
	SPARC_REG_F58,
	SPARC_REG_F60,
	SPARC_REG_F62,
	SPARC_REG_FCC0,	// Floating condition codes
	SPARC_REG_FCC1,
	SPARC_REG_FCC2,
	SPARC_REG_FCC3,
	SPARC_REG_FP,
	SPARC_REG_G0,
	SPARC_REG_G1,
	SPARC_REG_G2,
	SPARC_REG_G3,
	SPARC_REG_G4,
	SPARC_REG_G5,
	SPARC_REG_G6,
	SPARC_REG_G7,
	SPARC_REG_I0,
	SPARC_REG_I1,
	SPARC_REG_I2,
	SPARC_REG_I3,
	SPARC_REG_I4,
	SPARC_REG_I5,
	SPARC_REG_I7,
	SPARC_REG_ICC,	// Integer condition codes
	SPARC_REG_L0,
	SPARC_REG_L1,
	SPARC_REG_L2,
	SPARC_REG_L3,
	SPARC_REG_L4,
	SPARC_REG_L5,
	SPARC_REG_L6,
	SPARC_REG_L7,
	SPARC_REG_O0,
	SPARC_REG_O1,
	SPARC_REG_O2,
	SPARC_REG_O3,
	SPARC_REG_O4,
	SPARC_REG_O5,
	SPARC_REG_O7,
	SPARC_REG_SP,
	SPARC_REG_Y,

	// special register
	SPARC_REG_XCC,

	SPARC_REG_ENDING,   // <-- mark the end of the list of registers

	// extras: aliases that share a value with an enumerator above.
	// Because the values are equal, a switch over sparc_reg cannot list
	// SP and O6 (or FP and I6) as separate case labels, and
	// SPARC_REG_ENDING remains the upper bound of the distinct values.
	SPARC_REG_O6 = SPARC_REG_SP,
	SPARC_REG_I6 = SPARC_REG_FP,
} sparc_reg;

// Instruction's operand referring to memory
// This is associated with SPARC_OP_MEM operand type above
// Only meaningful when the enclosing cs_sparc_op.type == SPARC_OP_MEM.
typedef struct sparc_op_mem
{
	uint8_t base;	// base register, can be safely interpreted as
					// a value of type `sparc_reg`, but it is only
					// one byte wide
	uint8_t index;	// index register, same conditions apply here
	int32_t disp;	// displacement/offset value
} sparc_op_mem;

// Instruction operand
typedef struct cs_sparc_op
{
	sparc_op_type type;	// operand type
	// Anonymous union (C11; on MSVC the nameless-member warning C4201 is
	// silenced above). Only the member selected by `type` should be read.
	union
	{
		sparc_reg reg;	// register value for REG operand
		int32_t imm;		// immediate value for IMM operand
		sparc_op_mem mem;	// base/disp value for MEM operand
	};
} cs_sparc_op;

// Instruction structure
typedef struct cs_sparc
{
	sparc_cc cc;	// code condition for this insn
	sparc_hint hint;	// branch hint: encoding as bitwise OR of sparc_hint.
	// Number of operands of this instruction,
	// or 0 when instruction has no operand.
	// NOTE(review): operands[] has room for 4 entries and only the first
	// op_count are populated; index it only for i < op_count and treat an
	// op_count greater than 4 as malformed rather than trusting it.
	uint8_t op_count;
	cs_sparc_op operands[4]; // operands for this instruction.
} cs_sparc;

//> SPARC instruction
typedef enum sparc_insn
{
	SPARC_INS_INVALID = 0,

	SPARC_INS_ADDCC,
	SPARC_INS_ADDX,
	SPARC_INS_ADDXCC,
	SPARC_INS_ADDXC,
	SPARC_INS_ADDXCCC,
	SPARC_INS_ADD,
	SPARC_INS_ALIGNADDR,
	SPARC_INS_ALIGNADDRL,
	SPARC_INS_ANDCC,
	SPARC_INS_ANDNCC,
	SPARC_INS_ANDN,
	SPARC_INS_AND,
	SPARC_INS_ARRAY16,
	SPARC_INS_ARRAY32,
	SPARC_INS_ARRAY8,
	SPARC_INS_B,
	SPARC_INS_JMP,
	SPARC_INS_BMASK,
	SPARC_INS_FB,
	SPARC_INS_BRGEZ,
	SPARC_INS_BRGZ,
	SPARC_INS_BRLEZ,
	SPARC_INS_BRLZ,
	SPARC_INS_BRNZ,
	SPARC_INS_BRZ,
	SPARC_INS_BSHUFFLE,
	SPARC_INS_CALL,
	SPARC_INS_CASX,
	SPARC_INS_CAS,
	SPARC_INS_CMASK16,
	SPARC_INS_CMASK32,
	SPARC_INS_CMASK8,
	SPARC_INS_CMP,
	SPARC_INS_EDGE16,
	SPARC_INS_EDGE16L,
	SPARC_INS_EDGE16LN,
	SPARC_INS_EDGE16N,
	SPARC_INS_EDGE32,
	SPARC_INS_EDGE32L,
	SPARC_INS_EDGE32LN,
	SPARC_INS_EDGE32N,
	SPARC_INS_EDGE8,
	SPARC_INS_EDGE8L,
	SPARC_INS_EDGE8LN,
	SPARC_INS_EDGE8N,
	SPARC_INS_FABSD,
	SPARC_INS_FABSQ,
	SPARC_INS_FABSS,
	SPARC_INS_FADDD,
	SPARC_INS_FADDQ,
	SPARC_INS_FADDS,
	SPARC_INS_FALIGNDATA,
	SPARC_INS_FAND,
	SPARC_INS_FANDNOT1,
	SPARC_INS_FANDNOT1S,
	SPARC_INS_FANDNOT2,
	SPARC_INS_FANDNOT2S,
	SPARC_INS_FANDS,
	SPARC_INS_FCHKSM16,
	SPARC_INS_FCMPD,
	SPARC_INS_FCMPEQ16,
	SPARC_INS_FCMPEQ32,
	SPARC_INS_FCMPGT16,
	SPARC_INS_FCMPGT32,
	SPARC_INS_FCMPLE16,
	SPARC_INS_FCMPLE32,
	SPARC_INS_FCMPNE16,
	SPARC_INS_FCMPNE32,
	SPARC_INS_FCMPQ,
	SPARC_INS_FCMPS,
	SPARC_INS_FDIVD,
	SPARC_INS_FDIVQ,
	SPARC_INS_FDIVS,
	SPARC_INS_FDMULQ,
	SPARC_INS_FDTOI,
	SPARC_INS_FDTOQ,
	SPARC_INS_FDTOS,
	SPARC_INS_FDTOX,
	SPARC_INS_FEXPAND,
	SPARC_INS_FHADDD,
	SPARC_INS_FHADDS,
	SPARC_INS_FHSUBD,
	SPARC_INS_FHSUBS,
	SPARC_INS_FITOD,
	SPARC_INS_FITOQ,
	SPARC_INS_FITOS,
	SPARC_INS_FLCMPD,
	SPARC_INS_FLCMPS,
	SPARC_INS_FLUSHW,
	SPARC_INS_FMEAN16,
	SPARC_INS_FMOVD,
	SPARC_INS_FMOVQ,
	SPARC_INS_FMOVRDGEZ,
	SPARC_INS_FMOVRQGEZ,
	SPARC_INS_FMOVRSGEZ,
	SPARC_INS_FMOVRDGZ,
	SPARC_INS_FMOVRQGZ,
	SPARC_INS_FMOVRSGZ,
	SPARC_INS_FMOVRDLEZ,
	SPARC_INS_FMOVRQLEZ,
	SPARC_INS_FMOVRSLEZ,
	SPARC_INS_FMOVRDLZ,
	SPARC_INS_FMOVRQLZ,
	SPARC_INS_FMOVRSLZ,
	SPARC_INS_FMOVRDNZ,
	SPARC_INS_FMOVRQNZ,
	SPARC_INS_FMOVRSNZ,
	SPARC_INS_FMOVRDZ,
	SPARC_INS_FMOVRQZ,
	SPARC_INS_FMOVRSZ,
	SPARC_INS_FMOVS,
	SPARC_INS_FMUL8SUX16,
	SPARC_INS_FMUL8ULX16,
	SPARC_INS_FMUL8X16,
	SPARC_INS_FMUL8X16AL,
	SPARC_INS_FMUL8X16AU,
	SPARC_INS_FMULD,
	SPARC_INS_FMULD8SUX16,
	SPARC_INS_FMULD8ULX16,
	SPARC_INS_FMULQ,
	SPARC_INS_FMULS,
	SPARC_INS_FNADDD,
	SPARC_INS_FNADDS,
	SPARC_INS_FNAND,
	SPARC_INS_FNANDS,
	SPARC_INS_FNEGD,
	SPARC_INS_FNEGQ,
	SPARC_INS_FNEGS,
	SPARC_INS_FNHADDD,
	SPARC_INS_FNHADDS,
	SPARC_INS_FNOR,
	SPARC_INS_FNORS,
	SPARC_INS_FNOT1,
	SPARC_INS_FNOT1S,
	SPARC_INS_FNOT2,
	SPARC_INS_FNOT2S,
	SPARC_INS_FONE,
	SPARC_INS_FONES,
	SPARC_INS_FOR,
	SPARC_INS_FORNOT1,
	SPARC_INS_FORNOT1S,
	SPARC_INS_FORNOT2,
	SPARC_INS_FORNOT2S,
	SPARC_INS_FORS,
	SPARC_INS_FPACK16,
	SPARC_INS_FPACK32,
	SPARC_INS_FPACKFIX,
	SPARC_INS_FPADD16,
	SPARC_INS_FPADD16S,
	SPARC_INS_FPADD32,
	SPARC_INS_FPADD32S,
	SPARC_INS_FPADD64,
	SPARC_INS_FPMERGE,
	SPARC_INS_FPSUB16,
	SPARC_INS_FPSUB16S,
	SPARC_INS_FPSUB32,
	SPARC_INS_FPSUB32S,
	SPARC_INS_FQTOD,
	SPARC_INS_FQTOI,
	SPARC_INS_FQTOS,
	SPARC_INS_FQTOX,
	SPARC_INS_FSLAS16,
	SPARC_INS_FSLAS32,
	SPARC_INS_FSLL16,
	SPARC_INS_FSLL32,
	SPARC_INS_FSMULD,
	SPARC_INS_FSQRTD,
	SPARC_INS_FSQRTQ,
	SPARC_INS_FSQRTS,
	SPARC_INS_FSRA16,
	SPARC_INS_FSRA32,
	SPARC_INS_FSRC1,
	SPARC_INS_FSRC1S,
	SPARC_INS_FSRC2,
	SPARC_INS_FSRC2S,
	SPARC_INS_FSRL16,
	SPARC_INS_FSRL32,
	SPARC_INS_FSTOD,
	SPARC_INS_FSTOI,
	SPARC_INS_FSTOQ,
	SPARC_INS_FSTOX,
	SPARC_INS_FSUBD,
	SPARC_INS_FSUBQ,
	SPARC_INS_FSUBS,
	SPARC_INS_FXNOR,
	SPARC_INS_FXNORS,
	SPARC_INS_FXOR,
	SPARC_INS_FXORS,
	SPARC_INS_FXTOD,
	SPARC_INS_FXTOQ,
	SPARC_INS_FXTOS,
	SPARC_INS_FZERO,
	SPARC_INS_FZEROS,
	SPARC_INS_JMPL,
	SPARC_INS_LDD,
	SPARC_INS_LD,
	SPARC_INS_LDQ,
	SPARC_INS_LDSB,
	SPARC_INS_LDSH,
	SPARC_INS_LDSW,
	SPARC_INS_LDUB,
	SPARC_INS_LDUH,
	SPARC_INS_LDX,
	SPARC_INS_LZCNT,
	SPARC_INS_MEMBAR,
	SPARC_INS_MOVDTOX,
	SPARC_INS_MOV,
	SPARC_INS_MOVRGEZ,
	SPARC_INS_MOVRGZ,
	SPARC_INS_MOVRLEZ,
	SPARC_INS_MOVRLZ,
	SPARC_INS_MOVRNZ,
	SPARC_INS_MOVRZ,
	SPARC_INS_MOVSTOSW,
	SPARC_INS_MOVSTOUW,
	SPARC_INS_MULX,
	SPARC_INS_NOP,
	SPARC_INS_ORCC,
	SPARC_INS_ORNCC,
	SPARC_INS_ORN,
	SPARC_INS_OR,
	SPARC_INS_PDIST,
	SPARC_INS_PDISTN,
	SPARC_INS_POPC,
	SPARC_INS_RD,
	SPARC_INS_RESTORE,
	SPARC_INS_RETT,
	SPARC_INS_SAVE,
	SPARC_INS_SDIVCC,
	SPARC_INS_SDIVX,
	SPARC_INS_SDIV,
	SPARC_INS_SETHI,
	SPARC_INS_SHUTDOWN,
	SPARC_INS_SIAM,
	SPARC_INS_SLLX,
	SPARC_INS_SLL,
	SPARC_INS_SMULCC,
	SPARC_INS_SMUL,
	SPARC_INS_SRAX,
	SPARC_INS_SRA,
	SPARC_INS_SRLX,
	SPARC_INS_SRL,
	SPARC_INS_STBAR,
	SPARC_INS_STB,
	SPARC_INS_STD,
	SPARC_INS_ST,
	SPARC_INS_STH,
	SPARC_INS_STQ,
	SPARC_INS_STX,
	SPARC_INS_SUBCC,
	SPARC_INS_SUBX,
	SPARC_INS_SUBXCC,
	SPARC_INS_SUB,
	SPARC_INS_SWAP,
	SPARC_INS_TADDCCTV,
	SPARC_INS_TADDCC,
	SPARC_INS_T,
	SPARC_INS_TSUBCCTV,
	SPARC_INS_TSUBCC,
	SPARC_INS_UDIVCC,
	SPARC_INS_UDIVX,
	SPARC_INS_UDIV,
	SPARC_INS_UMULCC,
	SPARC_INS_UMULXHI,
	SPARC_INS_UMUL,
	SPARC_INS_UNIMP,
	SPARC_INS_FCMPED,
	SPARC_INS_FCMPEQ,
	SPARC_INS_FCMPES,
	SPARC_INS_WR,
	SPARC_INS_XMULX,
	SPARC_INS_XMULXHI,
	SPARC_INS_XNORCC,
	SPARC_INS_XNOR,
	SPARC_INS_XORCC,
	SPARC_INS_XOR,

	// alias instructions
	SPARC_INS_RET,
	SPARC_INS_RETL,

	SPARC_INS_ENDING,   // <-- mark the end of the list of instructions
} sparc_insn;

//> Group of SPARC instructions
typedef enum sparc_insn_group
{
	SPARC_GRP_INVALID = 0, // = CS_GRP_INVALID

	//> Generic groups
	// all jump instructions (conditional+direct+indirect jumps)
	SPARC_GRP_JUMP,	// = CS_GRP_JUMP

	//> Architecture-specific groups
	// Numbered from 128, presumably to keep them clear of the generic
	// CS_GRP_* values above.
	SPARC_GRP_HARDQUAD = 128,
	SPARC_GRP_V9,
	SPARC_GRP_VIS,
	SPARC_GRP_VIS2,
	SPARC_GRP_VIS3,
	SPARC_GRP_32BIT,
	SPARC_GRP_64BIT,

	SPARC_GRP_ENDING,   // <-- mark the end of the list of groups
} sparc_insn_group;

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/capstone/include/systemz.h:
--------------------------------------------------------------------------------
#ifndef CAPSTONE_SYSTEMZ_H
#define CAPSTONE_SYSTEMZ_H

/* Capstone Disassembly Engine */
/* By Nguyen Anh Quynh <aquynh@gmail.com>, 2014-2015 */

// NOTE(review): vendored Capstone public header. The struct layouts below
// are the ABI of the prebuilt capstone library this tree links against,
// so they must not be edited independently of those binaries.

#ifdef __cplusplus
extern "C" {
#endif

#include "platform.h"

#ifdef _MSC_VER
#pragma warning(disable:4201)
#endif

//> Enums corresponding to SystemZ condition codes
typedef enum sysz_cc
{
	SYSZ_CC_INVALID = 0,	// invalid CC (default)

	SYSZ_CC_O,
	SYSZ_CC_H,
	SYSZ_CC_NLE,
	SYSZ_CC_L,
	SYSZ_CC_NHE,
	SYSZ_CC_LH,
	SYSZ_CC_NE,
	SYSZ_CC_E,
	SYSZ_CC_NLH,
	SYSZ_CC_HE,
	SYSZ_CC_NL,
	SYSZ_CC_LE,
	SYSZ_CC_NH,
	SYSZ_CC_NO,
} sysz_cc;

//> Operand type for instruction's operands
typedef enum sysz_op_type
{
	SYSZ_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
	SYSZ_OP_REG, // = CS_OP_REG (Register operand).
	SYSZ_OP_IMM, // = CS_OP_IMM (Immediate operand).
	SYSZ_OP_MEM, // = CS_OP_MEM (Memory operand).
	// Placed well above the generic CS_OP_* values so it cannot collide
	// with them.
	SYSZ_OP_ACREG = 64,	// Access register operand.
} sysz_op_type;

//> SystemZ registers
typedef enum sysz_reg
{
	SYSZ_REG_INVALID = 0,

	SYSZ_REG_0,
	SYSZ_REG_1,
	SYSZ_REG_2,
	SYSZ_REG_3,
	SYSZ_REG_4,
	SYSZ_REG_5,
	SYSZ_REG_6,
	SYSZ_REG_7,
	SYSZ_REG_8,
	SYSZ_REG_9,
	SYSZ_REG_10,
	SYSZ_REG_11,
	SYSZ_REG_12,
	SYSZ_REG_13,
	SYSZ_REG_14,
	SYSZ_REG_15,
	SYSZ_REG_CC,
	SYSZ_REG_F0,
	SYSZ_REG_F1,
	SYSZ_REG_F2,
	SYSZ_REG_F3,
	SYSZ_REG_F4,
	SYSZ_REG_F5,
	SYSZ_REG_F6,
	SYSZ_REG_F7,
	SYSZ_REG_F8,
	SYSZ_REG_F9,
	SYSZ_REG_F10,
	SYSZ_REG_F11,
	SYSZ_REG_F12,
	SYSZ_REG_F13,
	SYSZ_REG_F14,
	SYSZ_REG_F15,

	SYSZ_REG_R0L,

	SYSZ_REG_ENDING,	// <-- mark the end of the list of registers
} sysz_reg;

// Instruction's operand referring to memory
// This is associated with SYSZ_OP_MEM operand type above
// Only meaningful when the enclosing cs_sysz_op.type == SYSZ_OP_MEM.
typedef struct sysz_op_mem
{
	uint8_t base;		// base register, can be safely interpreted as
						// a value of type `sysz_reg`, but it is only
						// one byte wide
	uint8_t index;		// index register, same conditions apply here
	uint64_t length;	// BDLAddr operand
						// NOTE(review): presumably only populated for the
						// length-carrying (BDL) addressing form — verify
						// against the decoder before relying on it
	int64_t disp;		// displacement/offset value
} sysz_op_mem;

// Instruction operand
typedef struct cs_sysz_op
{
	sysz_op_type type;	// operand type
	// Anonymous union (C11; on MSVC the nameless-member warning C4201 is
	// silenced above). Only the member selected by `type` should be read.
	union
	{
		sysz_reg reg;	// register value for REG operand
		int64_t imm;		// immediate value for IMM operand
		sysz_op_mem mem;	// base/disp value for MEM operand
	};
} cs_sysz_op;

// Instruction structure
typedef struct cs_sysz
{
	sysz_cc cc;		// Code condition
	// Number of operands of this instruction,
	// or 0 when instruction has no operand.
	// NOTE(review): operands[] has room for 6 entries and only the first
	// op_count are populated; index it only for i < op_count and treat an
	// op_count greater than 6 as malformed rather than trusting it.
	uint8_t op_count;
	cs_sysz_op operands[6]; // operands for this instruction.
} cs_sysz;

//> SystemZ instruction
typedef enum sysz_insn
{
	SYSZ_INS_INVALID = 0,

	SYSZ_INS_A,
	SYSZ_INS_ADB,
	SYSZ_INS_ADBR,
	SYSZ_INS_AEB,
	SYSZ_INS_AEBR,
	SYSZ_INS_AFI,
	SYSZ_INS_AG,
	SYSZ_INS_AGF,
	SYSZ_INS_AGFI,
	SYSZ_INS_AGFR,
	SYSZ_INS_AGHI,
	SYSZ_INS_AGHIK,
	SYSZ_INS_AGR,
	SYSZ_INS_AGRK,
	SYSZ_INS_AGSI,
	SYSZ_INS_AH,
	SYSZ_INS_AHI,
	SYSZ_INS_AHIK,
	SYSZ_INS_AHY,
	SYSZ_INS_AIH,
	SYSZ_INS_AL,
	SYSZ_INS_ALC,
	SYSZ_INS_ALCG,
	SYSZ_INS_ALCGR,
	SYSZ_INS_ALCR,
	SYSZ_INS_ALFI,
	SYSZ_INS_ALG,
	SYSZ_INS_ALGF,
	SYSZ_INS_ALGFI,
	SYSZ_INS_ALGFR,
	SYSZ_INS_ALGHSIK,
	SYSZ_INS_ALGR,
	SYSZ_INS_ALGRK,
	SYSZ_INS_ALHSIK,
	SYSZ_INS_ALR,
	SYSZ_INS_ALRK,
	SYSZ_INS_ALY,
	SYSZ_INS_AR,
	SYSZ_INS_ARK,
	SYSZ_INS_ASI,
	SYSZ_INS_AXBR,
	SYSZ_INS_AY,
	SYSZ_INS_BCR,
	SYSZ_INS_BRC,
	SYSZ_INS_BRCL,
	SYSZ_INS_CGIJ,
	SYSZ_INS_CGRJ,
	SYSZ_INS_CIJ,
	SYSZ_INS_CLGIJ,
	SYSZ_INS_CLGRJ,
	SYSZ_INS_CLIJ,
	SYSZ_INS_CLRJ,
	SYSZ_INS_CRJ,
	SYSZ_INS_BER,
	SYSZ_INS_JE,
	SYSZ_INS_JGE,
	SYSZ_INS_LOCE,
	SYSZ_INS_LOCGE,
	SYSZ_INS_LOCGRE,
	SYSZ_INS_LOCRE,
	SYSZ_INS_STOCE,
	SYSZ_INS_STOCGE,
	SYSZ_INS_BHR,
	SYSZ_INS_BHER,
	SYSZ_INS_JHE,
	SYSZ_INS_JGHE,
	SYSZ_INS_LOCHE,
	SYSZ_INS_LOCGHE,
	SYSZ_INS_LOCGRHE,
	SYSZ_INS_LOCRHE,
	SYSZ_INS_STOCHE,
	SYSZ_INS_STOCGHE,
	SYSZ_INS_JH,
	SYSZ_INS_JGH,
	SYSZ_INS_LOCH,
	SYSZ_INS_LOCGH,
	SYSZ_INS_LOCGRH,
	SYSZ_INS_LOCRH,
	SYSZ_INS_STOCH,
	SYSZ_INS_STOCGH,
	SYSZ_INS_CGIJNLH,
	SYSZ_INS_CGRJNLH,
	SYSZ_INS_CIJNLH,
	SYSZ_INS_CLGIJNLH,
	SYSZ_INS_CLGRJNLH,
	SYSZ_INS_CLIJNLH,
	SYSZ_INS_CLRJNLH,
	SYSZ_INS_CRJNLH,
	SYSZ_INS_CGIJE,
	SYSZ_INS_CGRJE,
	SYSZ_INS_CIJE,
	SYSZ_INS_CLGIJE,
	SYSZ_INS_CLGRJE,
	SYSZ_INS_CLIJE,
	SYSZ_INS_CLRJE,
	SYSZ_INS_CRJE,
	SYSZ_INS_CGIJNLE,
	SYSZ_INS_CGRJNLE,
	SYSZ_INS_CIJNLE,
	SYSZ_INS_CLGIJNLE,
	SYSZ_INS_CLGRJNLE,
	SYSZ_INS_CLIJNLE,
	SYSZ_INS_CLRJNLE,
	SYSZ_INS_CRJNLE,
	SYSZ_INS_CGIJH,
	SYSZ_INS_CGRJH,
	SYSZ_INS_CIJH,
	SYSZ_INS_CLGIJH,
	SYSZ_INS_CLGRJH,
	SYSZ_INS_CLIJH,
	SYSZ_INS_CLRJH,
	SYSZ_INS_CRJH,
	SYSZ_INS_CGIJNL,
	SYSZ_INS_CGRJNL,
	SYSZ_INS_CIJNL,
	SYSZ_INS_CLGIJNL,
	SYSZ_INS_CLGRJNL,
	SYSZ_INS_CLIJNL,
	SYSZ_INS_CLRJNL,
	SYSZ_INS_CRJNL,
	SYSZ_INS_CGIJHE,
	SYSZ_INS_CGRJHE,
	SYSZ_INS_CIJHE,
	SYSZ_INS_CLGIJHE,
	SYSZ_INS_CLGRJHE,
	SYSZ_INS_CLIJHE,
	SYSZ_INS_CLRJHE,
	SYSZ_INS_CRJHE,
	SYSZ_INS_CGIJNHE,
	SYSZ_INS_CGRJNHE,
	SYSZ_INS_CIJNHE,
	SYSZ_INS_CLGIJNHE,
	SYSZ_INS_CLGRJNHE,
	SYSZ_INS_CLIJNHE,
	SYSZ_INS_CLRJNHE,
	SYSZ_INS_CRJNHE,
	SYSZ_INS_CGIJL,
	SYSZ_INS_CGRJL,
	SYSZ_INS_CIJL,
	SYSZ_INS_CLGIJL,
	SYSZ_INS_CLGRJL,
	SYSZ_INS_CLIJL,
	SYSZ_INS_CLRJL,
	SYSZ_INS_CRJL,
	SYSZ_INS_CGIJNH,
	SYSZ_INS_CGRJNH,
	SYSZ_INS_CIJNH,
	SYSZ_INS_CLGIJNH,
	SYSZ_INS_CLGRJNH,
	SYSZ_INS_CLIJNH,
	SYSZ_INS_CLRJNH,
	SYSZ_INS_CRJNH,
	SYSZ_INS_CGIJLE,
	SYSZ_INS_CGRJLE,
	SYSZ_INS_CIJLE,
	SYSZ_INS_CLGIJLE,
	SYSZ_INS_CLGRJLE,
	SYSZ_INS_CLIJLE,
	SYSZ_INS_CLRJLE,
	SYSZ_INS_CRJLE,
	SYSZ_INS_CGIJNE,
	SYSZ_INS_CGRJNE,
	SYSZ_INS_CIJNE,
	SYSZ_INS_CLGIJNE,
	SYSZ_INS_CLGRJNE,
	SYSZ_INS_CLIJNE,
	SYSZ_INS_CLRJNE,
	SYSZ_INS_CRJNE,
	SYSZ_INS_CGIJLH,
	SYSZ_INS_CGRJLH,
	SYSZ_INS_CIJLH,
	SYSZ_INS_CLGIJLH,
	SYSZ_INS_CLGRJLH,
	SYSZ_INS_CLIJLH,
	SYSZ_INS_CLRJLH,
	SYSZ_INS_CRJLH,
	SYSZ_INS_BLR,
	SYSZ_INS_BLER,
	SYSZ_INS_JLE,
	SYSZ_INS_JGLE,
	SYSZ_INS_LOCLE,
	SYSZ_INS_LOCGLE,
	SYSZ_INS_LOCGRLE,
	SYSZ_INS_LOCRLE,
	SYSZ_INS_STOCLE,
	SYSZ_INS_STOCGLE,
	SYSZ_INS_BLHR,
	SYSZ_INS_JLH,
	SYSZ_INS_JGLH,
	SYSZ_INS_LOCLH,
	SYSZ_INS_LOCGLH,
	SYSZ_INS_LOCGRLH,
	SYSZ_INS_LOCRLH,
	SYSZ_INS_STOCLH,
	SYSZ_INS_STOCGLH,
	SYSZ_INS_JL,
	SYSZ_INS_JGL,
	SYSZ_INS_LOCL,
	SYSZ_INS_LOCGL,
	SYSZ_INS_LOCGRL,
	SYSZ_INS_LOCRL,
	SYSZ_INS_LOC,
	SYSZ_INS_LOCG,
	SYSZ_INS_LOCGR,
	SYSZ_INS_LOCR,
	SYSZ_INS_STOCL,
	SYSZ_INS_STOCGL,
	SYSZ_INS_BNER,
	SYSZ_INS_JNE,
	SYSZ_INS_JGNE,
	SYSZ_INS_LOCNE,
	SYSZ_INS_LOCGNE,
	SYSZ_INS_LOCGRNE,
	SYSZ_INS_LOCRNE,
	SYSZ_INS_STOCNE,
	SYSZ_INS_STOCGNE,
	SYSZ_INS_BNHR,
	SYSZ_INS_BNHER,
	SYSZ_INS_JNHE,
	SYSZ_INS_JGNHE,
	SYSZ_INS_LOCNHE,
	SYSZ_INS_LOCGNHE,
	SYSZ_INS_LOCGRNHE,
	SYSZ_INS_LOCRNHE,
	SYSZ_INS_STOCNHE,
	SYSZ_INS_STOCGNHE,
	SYSZ_INS_JNH,
	SYSZ_INS_JGNH,
	SYSZ_INS_LOCNH,
	SYSZ_INS_LOCGNH,
	SYSZ_INS_LOCGRNH,
	SYSZ_INS_LOCRNH,
	SYSZ_INS_STOCNH,
	SYSZ_INS_STOCGNH,
	SYSZ_INS_BNLR,
	SYSZ_INS_BNLER,
	SYSZ_INS_JNLE,
	SYSZ_INS_JGNLE,
	SYSZ_INS_LOCNLE,
	SYSZ_INS_LOCGNLE,
	SYSZ_INS_LOCGRNLE,
	SYSZ_INS_LOCRNLE,
	SYSZ_INS_STOCNLE,
	SYSZ_INS_STOCGNLE,
	SYSZ_INS_BNLHR,
	SYSZ_INS_JNLH,
	SYSZ_INS_JGNLH,
	SYSZ_INS_LOCNLH,
	SYSZ_INS_LOCGNLH,
	SYSZ_INS_LOCGRNLH,
	SYSZ_INS_LOCRNLH,
	SYSZ_INS_STOCNLH,
	SYSZ_INS_STOCGNLH,
	SYSZ_INS_JNL,
	SYSZ_INS_JGNL,
	SYSZ_INS_LOCNL,
	SYSZ_INS_LOCGNL,
	SYSZ_INS_LOCGRNL,
	SYSZ_INS_LOCRNL,
	SYSZ_INS_STOCNL,
	SYSZ_INS_STOCGNL,
	SYSZ_INS_BNOR,
	SYSZ_INS_JNO,
	SYSZ_INS_JGNO,
	SYSZ_INS_LOCNO,
	SYSZ_INS_LOCGNO,
	SYSZ_INS_LOCGRNO,
	SYSZ_INS_LOCRNO,
	SYSZ_INS_STOCNO,
	SYSZ_INS_STOCGNO,
	SYSZ_INS_BOR,
	SYSZ_INS_JO,
	SYSZ_INS_JGO,
	SYSZ_INS_LOCO,
	SYSZ_INS_LOCGO,
	SYSZ_INS_LOCGRO,
	SYSZ_INS_LOCRO,
	SYSZ_INS_STOCO,
	SYSZ_INS_STOCGO,
	SYSZ_INS_STOC,
	SYSZ_INS_STOCG,
	SYSZ_INS_BASR,
	SYSZ_INS_BR,
	SYSZ_INS_BRAS,
	SYSZ_INS_BRASL,
	SYSZ_INS_J,
	SYSZ_INS_JG,
	SYSZ_INS_BRCT,
	SYSZ_INS_BRCTG,
	SYSZ_INS_C,
	SYSZ_INS_CDB,
	SYSZ_INS_CDBR,
	SYSZ_INS_CDFBR,
	SYSZ_INS_CDGBR,
	SYSZ_INS_CDLFBR,
	SYSZ_INS_CDLGBR,
	SYSZ_INS_CEB,
	SYSZ_INS_CEBR,
	SYSZ_INS_CEFBR,
	SYSZ_INS_CEGBR,
	SYSZ_INS_CELFBR,
	SYSZ_INS_CELGBR,
	SYSZ_INS_CFDBR,
	SYSZ_INS_CFEBR,
	SYSZ_INS_CFI,
	SYSZ_INS_CFXBR,
	SYSZ_INS_CG,
	SYSZ_INS_CGDBR,
	SYSZ_INS_CGEBR,
	SYSZ_INS_CGF,
	SYSZ_INS_CGFI,
	SYSZ_INS_CGFR,
	SYSZ_INS_CGFRL,
	SYSZ_INS_CGH,
	SYSZ_INS_CGHI,
	SYSZ_INS_CGHRL,
	SYSZ_INS_CGHSI,
	SYSZ_INS_CGR,
	SYSZ_INS_CGRL,
	SYSZ_INS_CGXBR,
	SYSZ_INS_CH,
	SYSZ_INS_CHF,
	SYSZ_INS_CHHSI,
	SYSZ_INS_CHI,
	SYSZ_INS_CHRL,
	SYSZ_INS_CHSI,
	SYSZ_INS_CHY,
	SYSZ_INS_CIH,
	SYSZ_INS_CL,
	SYSZ_INS_CLC,
	SYSZ_INS_CLFDBR,
	SYSZ_INS_CLFEBR,
	SYSZ_INS_CLFHSI,
	SYSZ_INS_CLFI,
	SYSZ_INS_CLFXBR,
	SYSZ_INS_CLG,
	SYSZ_INS_CLGDBR,
	SYSZ_INS_CLGEBR,
	SYSZ_INS_CLGF,
	SYSZ_INS_CLGFI,
	SYSZ_INS_CLGFR,
	SYSZ_INS_CLGFRL,
	SYSZ_INS_CLGHRL,
	SYSZ_INS_CLGHSI,
	SYSZ_INS_CLGR,
	SYSZ_INS_CLGRL,
	SYSZ_INS_CLGXBR,
	SYSZ_INS_CLHF,
	SYSZ_INS_CLHHSI,
	SYSZ_INS_CLHRL,
	SYSZ_INS_CLI,
	SYSZ_INS_CLIH,
	SYSZ_INS_CLIY,
	SYSZ_INS_CLR,
	SYSZ_INS_CLRL,
	SYSZ_INS_CLST,
	SYSZ_INS_CLY,
	SYSZ_INS_CPSDR,
	SYSZ_INS_CR,
	SYSZ_INS_CRL,
	SYSZ_INS_CS,
	SYSZ_INS_CSG,
	SYSZ_INS_CSY,
	SYSZ_INS_CXBR,
	SYSZ_INS_CXFBR,
	SYSZ_INS_CXGBR,
	SYSZ_INS_CXLFBR,
	SYSZ_INS_CXLGBR,
	SYSZ_INS_CY,
	SYSZ_INS_DDB,
	SYSZ_INS_DDBR,
	SYSZ_INS_DEB,
	SYSZ_INS_DEBR,
	SYSZ_INS_DL,
	SYSZ_INS_DLG,
	SYSZ_INS_DLGR,
	SYSZ_INS_DLR,
	SYSZ_INS_DSG,
	SYSZ_INS_DSGF,
	SYSZ_INS_DSGFR,
	SYSZ_INS_DSGR,
	SYSZ_INS_DXBR,
	SYSZ_INS_EAR,
	SYSZ_INS_FIDBR,
	SYSZ_INS_FIDBRA,
	SYSZ_INS_FIEBR,
	SYSZ_INS_FIEBRA,
	SYSZ_INS_FIXBR,
	SYSZ_INS_FIXBRA,
	SYSZ_INS_FLOGR,
	SYSZ_INS_IC,
	SYSZ_INS_ICY,
	SYSZ_INS_IIHF,
	SYSZ_INS_IIHH,
	SYSZ_INS_IIHL,
	SYSZ_INS_IILF,
	SYSZ_INS_IILH,
	SYSZ_INS_IILL,
	SYSZ_INS_IPM,
	SYSZ_INS_L,
	SYSZ_INS_LA,
	SYSZ_INS_LAA,
	SYSZ_INS_LAAG,
	SYSZ_INS_LAAL,
	SYSZ_INS_LAALG,
	SYSZ_INS_LAN,
	SYSZ_INS_LANG,
	SYSZ_INS_LAO,
	SYSZ_INS_LAOG,
	SYSZ_INS_LARL,
	SYSZ_INS_LAX,
	SYSZ_INS_LAXG,
	SYSZ_INS_LAY,
	SYSZ_INS_LB,
	SYSZ_INS_LBH,
	SYSZ_INS_LBR,
	SYSZ_INS_LCDBR,
	SYSZ_INS_LCEBR,
	SYSZ_INS_LCGFR,
	SYSZ_INS_LCGR,
	SYSZ_INS_LCR,
	SYSZ_INS_LCXBR,
	SYSZ_INS_LD,
	SYSZ_INS_LDEB,
	SYSZ_INS_LDEBR,
	SYSZ_INS_LDGR,
	SYSZ_INS_LDR,
	SYSZ_INS_LDXBR,
	SYSZ_INS_LDXBRA,
	SYSZ_INS_LDY,
	SYSZ_INS_LE,
	SYSZ_INS_LEDBR,
	SYSZ_INS_LEDBRA,
	SYSZ_INS_LER,
	SYSZ_INS_LEXBR,
	SYSZ_INS_LEXBRA,
	SYSZ_INS_LEY,
	SYSZ_INS_LFH,
	SYSZ_INS_LG,
	SYSZ_INS_LGB,
	SYSZ_INS_LGBR,
	SYSZ_INS_LGDR,
	SYSZ_INS_LGF,
	SYSZ_INS_LGFI,
	SYSZ_INS_LGFR,
	SYSZ_INS_LGFRL,
	SYSZ_INS_LGH,
	SYSZ_INS_LGHI,
	SYSZ_INS_LGHR,
	SYSZ_INS_LGHRL,
	SYSZ_INS_LGR,
	SYSZ_INS_LGRL,
	SYSZ_INS_LH,
	SYSZ_INS_LHH,
	SYSZ_INS_LHI,
	SYSZ_INS_LHR,
	SYSZ_INS_LHRL,
	SYSZ_INS_LHY,
	SYSZ_INS_LLC,
	SYSZ_INS_LLCH,
	SYSZ_INS_LLCR,
	SYSZ_INS_LLGC,
	SYSZ_INS_LLGCR,
	SYSZ_INS_LLGF,
	SYSZ_INS_LLGFR,
	SYSZ_INS_LLGFRL,
	SYSZ_INS_LLGH,
	SYSZ_INS_LLGHR,
	SYSZ_INS_LLGHRL,
	SYSZ_INS_LLH,
	SYSZ_INS_LLHH,
	SYSZ_INS_LLHR,
	SYSZ_INS_LLHRL,
	SYSZ_INS_LLIHF,
	SYSZ_INS_LLIHH,
	SYSZ_INS_LLIHL,
	SYSZ_INS_LLILF,
	SYSZ_INS_LLILH,
	SYSZ_INS_LLILL,
	SYSZ_INS_LMG,
	SYSZ_INS_LNDBR,
	SYSZ_INS_LNEBR,
	SYSZ_INS_LNGFR,
	SYSZ_INS_LNGR,
	SYSZ_INS_LNR,
	SYSZ_INS_LNXBR,
	SYSZ_INS_LPDBR,
	SYSZ_INS_LPEBR,
	SYSZ_INS_LPGFR,
	SYSZ_INS_LPGR,
	SYSZ_INS_LPR,
	SYSZ_INS_LPXBR,
	SYSZ_INS_LR,
	SYSZ_INS_LRL,
	SYSZ_INS_LRV,
	SYSZ_INS_LRVG,
	SYSZ_INS_LRVGR,
	SYSZ_INS_LRVR,
	SYSZ_INS_LT,
	SYSZ_INS_LTDBR,
	SYSZ_INS_LTEBR,
	SYSZ_INS_LTG,
	SYSZ_INS_LTGF,
	SYSZ_INS_LTGFR,
	SYSZ_INS_LTGR,
	SYSZ_INS_LTR,
	SYSZ_INS_LTXBR,
	SYSZ_INS_LXDB,
	SYSZ_INS_LXDBR,
	SYSZ_INS_LXEB,
	SYSZ_INS_LXEBR,
	SYSZ_INS_LXR,
	SYSZ_INS_LY,
	SYSZ_INS_LZDR,
	SYSZ_INS_LZER,
	SYSZ_INS_LZXR,
	SYSZ_INS_MADB,
	SYSZ_INS_MADBR,
	SYSZ_INS_MAEB,
	SYSZ_INS_MAEBR,
	SYSZ_INS_MDB,
	SYSZ_INS_MDBR,
	SYSZ_INS_MDEB,
	SYSZ_INS_MDEBR,
	SYSZ_INS_MEEB,
	SYSZ_INS_MEEBR,
	SYSZ_INS_MGHI,
	SYSZ_INS_MH,
	SYSZ_INS_MHI,
	SYSZ_INS_MHY,
	SYSZ_INS_MLG,
	SYSZ_INS_MLGR,
	SYSZ_INS_MS,
	SYSZ_INS_MSDB,
	SYSZ_INS_MSDBR,
	SYSZ_INS_MSEB,
	SYSZ_INS_MSEBR,
	SYSZ_INS_MSFI,
	SYSZ_INS_MSG,
	SYSZ_INS_MSGF,
	SYSZ_INS_MSGFI,
	SYSZ_INS_MSGFR,
	SYSZ_INS_MSGR,
	SYSZ_INS_MSR,
	SYSZ_INS_MSY,
	SYSZ_INS_MVC,
	SYSZ_INS_MVGHI,
	SYSZ_INS_MVHHI,
	SYSZ_INS_MVHI,
	SYSZ_INS_MVI,
	SYSZ_INS_MVIY,
	SYSZ_INS_MVST,
	SYSZ_INS_MXBR,
	SYSZ_INS_MXDB,
	SYSZ_INS_MXDBR,
	SYSZ_INS_N,
	SYSZ_INS_NC,
	SYSZ_INS_NG,
	SYSZ_INS_NGR,
	SYSZ_INS_NGRK,
	SYSZ_INS_NI,
	SYSZ_INS_NIHF,
	SYSZ_INS_NIHH,
	SYSZ_INS_NIHL,
	SYSZ_INS_NILF,
	SYSZ_INS_NILH,
	SYSZ_INS_NILL,
	SYSZ_INS_NIY,
	SYSZ_INS_NR,
	SYSZ_INS_NRK,
	SYSZ_INS_NY,
	SYSZ_INS_O,
	SYSZ_INS_OC,
	SYSZ_INS_OG,
	SYSZ_INS_OGR,
	SYSZ_INS_OGRK,
	SYSZ_INS_OI,
	SYSZ_INS_OIHF,
	SYSZ_INS_OIHH,
	SYSZ_INS_OIHL,
	SYSZ_INS_OILF,
	SYSZ_INS_OILH,
	SYSZ_INS_OILL,
	SYSZ_INS_OIY,
	SYSZ_INS_OR,
	SYSZ_INS_ORK,
	SYSZ_INS_OY,
	SYSZ_INS_PFD,
	SYSZ_INS_PFDRL,
	SYSZ_INS_RISBG,
	SYSZ_INS_RISBHG,
	SYSZ_INS_RISBLG,
	SYSZ_INS_RLL,
	SYSZ_INS_RLLG,
	SYSZ_INS_RNSBG,
	SYSZ_INS_ROSBG,
	SYSZ_INS_RXSBG,
	SYSZ_INS_S,
	SYSZ_INS_SDB,
	SYSZ_INS_SDBR,
	SYSZ_INS_SEB,
	SYSZ_INS_SEBR,
	SYSZ_INS_SG,
	SYSZ_INS_SGF,
	SYSZ_INS_SGFR,
	SYSZ_INS_SGR,
	SYSZ_INS_SGRK,
	SYSZ_INS_SH,
	SYSZ_INS_SHY,
	SYSZ_INS_SL,
	SYSZ_INS_SLB,
	SYSZ_INS_SLBG,
	SYSZ_INS_SLBR,
	SYSZ_INS_SLFI,
	SYSZ_INS_SLG,
	SYSZ_INS_SLBGR,
	SYSZ_INS_SLGF,
	SYSZ_INS_SLGFI,
	SYSZ_INS_SLGFR,
	SYSZ_INS_SLGR,
	SYSZ_INS_SLGRK,
	SYSZ_INS_SLL,
	SYSZ_INS_SLLG,
	SYSZ_INS_SLLK,
	SYSZ_INS_SLR,
	SYSZ_INS_SLRK,
	SYSZ_INS_SLY,
	SYSZ_INS_SQDB,
	SYSZ_INS_SQDBR,
	SYSZ_INS_SQEB,
	SYSZ_INS_SQEBR,
	SYSZ_INS_SQXBR,
	SYSZ_INS_SR,
	SYSZ_INS_SRA,
	SYSZ_INS_SRAG,
	SYSZ_INS_SRAK,
	SYSZ_INS_SRK,
	SYSZ_INS_SRL,
	SYSZ_INS_SRLG,
	SYSZ_INS_SRLK,
	SYSZ_INS_SRST,
	SYSZ_INS_ST,
	SYSZ_INS_STC,
	SYSZ_INS_STCH,
	SYSZ_INS_STCY,
	SYSZ_INS_STD,
	SYSZ_INS_STDY,
	SYSZ_INS_STE,
	SYSZ_INS_STEY,
	SYSZ_INS_STFH,
	SYSZ_INS_STG,
	SYSZ_INS_STGRL,
	SYSZ_INS_STH,
	SYSZ_INS_STHH,
	SYSZ_INS_STHRL,
	SYSZ_INS_STHY,
	SYSZ_INS_STMG,
	SYSZ_INS_STRL,
	SYSZ_INS_STRV,
	SYSZ_INS_STRVG,
	SYSZ_INS_STY,
	SYSZ_INS_SXBR,
	SYSZ_INS_SY,
	SYSZ_INS_TM,
	SYSZ_INS_TMHH,
	SYSZ_INS_TMHL,
	SYSZ_INS_TMLH,
	SYSZ_INS_TMLL,
	SYSZ_INS_TMY,
	SYSZ_INS_X,
	SYSZ_INS_XC,
	SYSZ_INS_XG,
	SYSZ_INS_XGR,
	SYSZ_INS_XGRK,
	SYSZ_INS_XI,
	SYSZ_INS_XIHF,
	SYSZ_INS_XILF,
	SYSZ_INS_XIY,
	SYSZ_INS_XR,
	SYSZ_INS_XRK,
	SYSZ_INS_XY,

	SYSZ_INS_ENDING,   // <-- mark the end of the list of instructions
} sysz_insn;

//> Group of SystemZ instructions
typedef enum sysz_insn_group
{
	SYSZ_GRP_INVALID = 0, // = CS_GRP_INVALID

	//> Generic groups
	// all jump instructions (conditional+direct+indirect jumps)
	SYSZ_GRP_JUMP,	// = CS_GRP_JUMP

	//> Architecture-specific groups
	// Numbered from 128, presumably to keep them clear of the generic
	// CS_GRP_* values above.
	SYSZ_GRP_DISTINCTOPS = 128,
	SYSZ_GRP_FPEXTENSION,
	SYSZ_GRP_HIGHWORD,
	SYSZ_GRP_INTERLOCKEDACCESS1,
	SYSZ_GRP_LOADSTOREONCOND,

	SYSZ_GRP_ENDING,   // <-- mark the end of the list of groups
} sysz_insn_group;

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/capstone/include/xcore.h:
--------------------------------------------------------------------------------
#ifndef CAPSTONE_XCORE_H
#define CAPSTONE_XCORE_H

/* Capstone Disassembly Engine */
/* By Nguyen Anh Quynh <aquynh@gmail.com>, 2014-2015 */

// NOTE(review): vendored Capstone public header. The struct layouts below
// are the ABI of the prebuilt capstone library this tree links against,
// so they must not be edited independently of those binaries.

#ifdef __cplusplus
extern "C" {
#endif

#include "platform.h"

#ifdef _MSC_VER
#pragma warning(disable:4201)
#endif

//> Operand type for instruction's operands
typedef enum xcore_op_type
{
	XCORE_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
	XCORE_OP_REG, // = CS_OP_REG (Register operand).
	XCORE_OP_IMM, // = CS_OP_IMM (Immediate operand).
	XCORE_OP_MEM, // = CS_OP_MEM (Memory operand).
} xcore_op_type;

//> XCore registers
typedef enum xcore_reg
{
	XCORE_REG_INVALID = 0,

	XCORE_REG_CP,
	XCORE_REG_DP,
	XCORE_REG_LR,
	XCORE_REG_SP,
	XCORE_REG_R0,
	XCORE_REG_R1,
	XCORE_REG_R2,
	XCORE_REG_R3,
	XCORE_REG_R4,
	XCORE_REG_R5,
	XCORE_REG_R6,
	XCORE_REG_R7,
	XCORE_REG_R8,
	XCORE_REG_R9,
	XCORE_REG_R10,
	XCORE_REG_R11,

	//> pseudo registers
	XCORE_REG_PC,	// pc

	// internal thread registers
	// see The-XMOS-XS1-Architecture(X7879A).pdf
	XCORE_REG_SCP,	// save pc
	XCORE_REG_SSR,	// save status
	XCORE_REG_ET,	// exception type
	XCORE_REG_ED,	// exception data
	XCORE_REG_SED,	// save exception data
	XCORE_REG_KEP,	// kernel entry pointer
	XCORE_REG_KSP,	// kernel stack pointer
	XCORE_REG_ID,	// thread ID

	XCORE_REG_ENDING,	// <-- mark the end of the list of registers
} xcore_reg;

// Instruction's operand referring to memory
// This is associated with XCORE_OP_MEM operand type above
// Only meaningful when the enclosing cs_xcore_op.type == XCORE_OP_MEM.
typedef struct xcore_op_mem
{
	uint8_t base;	// base register, can be safely interpreted as
					// a value of type `xcore_reg`, but it is only
					// one byte wide
	uint8_t index;	// index register, same conditions apply here
	int32_t disp;	// displacement/offset value
	int direct;	// +1: forward, -1: backward
				// NOTE(review): only +1 and -1 are documented; consumers
				// should treat any other value as malformed rather than
				// using it directly as a sign multiplier
} xcore_op_mem;

// Instruction operand
typedef struct cs_xcore_op
{
	xcore_op_type type;	// operand type
	// Anonymous union (C11; on MSVC the nameless-member warning C4201 is
	// silenced above). Only the member selected by `type` should be read.
	union
	{
		xcore_reg reg;	// register value for REG operand
		int32_t imm;		// immediate value for IMM operand
		xcore_op_mem mem;	// base/disp value for MEM operand
	};
} cs_xcore_op;

// Instruction structure
typedef struct cs_xcore
{
	// Number of operands of this instruction,
	// or 0 when instruction has no operand.
	// NOTE(review): operands[] has room for 8 entries and only the first
	// op_count are populated; index it only for i < op_count and treat an
	// op_count greater than 8 as malformed rather than trusting it.
	uint8_t op_count;
	cs_xcore_op operands[8]; // operands for this instruction.
} cs_xcore;

//> XCore instruction
typedef enum xcore_insn
{
	XCORE_INS_INVALID = 0,

	XCORE_INS_ADD,
	XCORE_INS_ANDNOT,
	XCORE_INS_AND,
	XCORE_INS_ASHR,
	XCORE_INS_BAU,
	XCORE_INS_BITREV,
	XCORE_INS_BLA,
	XCORE_INS_BLAT,
	XCORE_INS_BL,
	XCORE_INS_BF,
	XCORE_INS_BT,
	XCORE_INS_BU,
	XCORE_INS_BRU,
	XCORE_INS_BYTEREV,
	XCORE_INS_CHKCT,
	XCORE_INS_CLRE,
	XCORE_INS_CLRPT,
	XCORE_INS_CLRSR,
	XCORE_INS_CLZ,
	XCORE_INS_CRC8,
	XCORE_INS_CRC32,
	XCORE_INS_DCALL,
	XCORE_INS_DENTSP,
	XCORE_INS_DGETREG,
	XCORE_INS_DIVS,
	XCORE_INS_DIVU,
	XCORE_INS_DRESTSP,
	XCORE_INS_DRET,
	XCORE_INS_ECALLF,
	XCORE_INS_ECALLT,
	XCORE_INS_EDU,
	XCORE_INS_EEF,
	XCORE_INS_EET,
	XCORE_INS_EEU,
	XCORE_INS_ENDIN,
	XCORE_INS_ENTSP,
	XCORE_INS_EQ,
	XCORE_INS_EXTDP,
	XCORE_INS_EXTSP,
	XCORE_INS_FREER,
	XCORE_INS_FREET,
	XCORE_INS_GETD,
	XCORE_INS_GET,
	XCORE_INS_GETN,
	XCORE_INS_GETR,
	XCORE_INS_GETSR,
	XCORE_INS_GETST,
	XCORE_INS_GETTS,
	XCORE_INS_INCT,
	XCORE_INS_INIT,
	XCORE_INS_INPW,
	XCORE_INS_INSHR,
	XCORE_INS_INT,
	XCORE_INS_IN,
	XCORE_INS_KCALL,
	XCORE_INS_KENTSP,
	XCORE_INS_KRESTSP,
	XCORE_INS_KRET,
	XCORE_INS_LADD,
	XCORE_INS_LD16S,
	XCORE_INS_LD8U,
	XCORE_INS_LDA16,
	XCORE_INS_LDAP,
	XCORE_INS_LDAW,
	XCORE_INS_LDC,
	XCORE_INS_LDW,
	XCORE_INS_LDIVU,
	XCORE_INS_LMUL,
	XCORE_INS_LSS,
	XCORE_INS_LSUB,
	XCORE_INS_LSU,
	XCORE_INS_MACCS,
	XCORE_INS_MACCU,
	XCORE_INS_MJOIN,
	XCORE_INS_MKMSK,
	XCORE_INS_MSYNC,
	XCORE_INS_MUL,
	XCORE_INS_NEG,
	XCORE_INS_NOT,
	XCORE_INS_OR,
	XCORE_INS_OUTCT,
	XCORE_INS_OUTPW,
	XCORE_INS_OUTSHR,
	XCORE_INS_OUTT,
	XCORE_INS_OUT,
	XCORE_INS_PEEK,
	XCORE_INS_REMS,
	XCORE_INS_REMU,
	XCORE_INS_RETSP,
	XCORE_INS_SETCLK,
	XCORE_INS_SET,
	XCORE_INS_SETC,
	XCORE_INS_SETD,
	XCORE_INS_SETEV,
	XCORE_INS_SETN,
	XCORE_INS_SETPSC,
	XCORE_INS_SETPT,
	XCORE_INS_SETRDY,
	XCORE_INS_SETSR,
	XCORE_INS_SETTW,
	XCORE_INS_SETV,
	XCORE_INS_SEXT,
	XCORE_INS_SHL,
	XCORE_INS_SHR,
	XCORE_INS_SSYNC,
	XCORE_INS_ST16,
	XCORE_INS_ST8,
	XCORE_INS_STW,
	XCORE_INS_SUB,
	XCORE_INS_SYNCR,
	XCORE_INS_TESTCT,
	XCORE_INS_TESTLCL,
	XCORE_INS_TESTWCT,
	XCORE_INS_TSETMR,
	XCORE_INS_START,
	XCORE_INS_WAITEF,
	XCORE_INS_WAITET,
	XCORE_INS_WAITEU,
	XCORE_INS_XOR,
	XCORE_INS_ZEXT,

	XCORE_INS_ENDING,   // <-- mark the end of the list of instructions
} xcore_insn;

//> Group of XCore instructions
typedef enum xcore_insn_group
{
	XCORE_GRP_INVALID = 0, // = CS_GRP_INVALID

	//> Generic groups
	// all jump instructions (conditional+direct+indirect jumps)
	XCORE_GRP_JUMP,	// = CS_GRP_JUMP

	XCORE_GRP_ENDING,   // <-- mark the end of the list of groups
} xcore_insn_group;

#ifdef __cplusplus
}
#endif

#endif
--------------------------------------------------------------------------------
/capstone/lib/capstone_x64.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/unicorn_peEmu/4cb5a9ec77588c0468091ee661a9e091f6757cbe/capstone/lib/capstone_x64.lib
--------------------------------------------------------------------------------
/capstone/lib/capstone_x86.lib:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/TimelifeCzy/unicorn_peEmu/4cb5a9ec77588c0468091ee661a9e091f6757cbe/capstone/lib/capstone_x86.lib -------------------------------------------------------------------------------- /unicorn: -------------------------------------------------------------------------------- 1 | [unicorn](https://github.com/unicorn-engine/unicorn) 2 | -------------------------------------------------------------------------------- /unicorn_wscript.sln: -------------------------------------------------------------------------------- 1 |  2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.28307.1209 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unicorn_static", "unicorn\msvc\unicorn\unicorn_static\unicorn_static.vcxproj", "{B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}" 7 | ProjectSection(ProjectDependencies) = postProject 8 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC} = {17077E86-AE7C-41AF-86ED-2BAC03B019BC} 9 | EndProjectSection 10 | EndProject 11 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "x86_64-softmmu", "unicorn\msvc\unicorn\x86_64-softmmu\x86_64-softmmu.vcxproj", "{17077E86-AE7C-41AF-86ED-2BAC03B019BC}" 12 | EndProject 13 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "unicorn_wscript", "unicorn_wscript\unicorn_wscript.vcxproj", "{19927C07-C10F-4312-81BF-4D1B74EBAE03}" 14 | ProjectSection(ProjectDependencies) = postProject 15 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96} = {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96} 16 | EndProjectSection 17 | EndProject 18 | Global 19 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 20 | Debug|x64 = Debug|x64 21 | Debug|x86 = Debug|x86 22 | Release|x64 = Release|x64 23 | Release|x86 = Release|x86 24 | EndGlobalSection 25 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 26 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Debug|x64.ActiveCfg = Debug|x64 27 | 
{B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Debug|x64.Build.0 = Debug|x64 28 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Debug|x86.ActiveCfg = Debug|Win32 29 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Debug|x86.Build.0 = Debug|Win32 30 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Release|x64.ActiveCfg = Release|x64 31 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Release|x64.Build.0 = Release|x64 32 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Release|x86.ActiveCfg = Release|Win32 33 | {B6EFD6D7-C2D4-4FBB-B363-2E08CE09CC96}.Release|x86.Build.0 = Release|Win32 34 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Debug|x64.ActiveCfg = Debug|x64 35 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Debug|x64.Build.0 = Debug|x64 36 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Debug|x86.ActiveCfg = Debug|Win32 37 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Debug|x86.Build.0 = Debug|Win32 38 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Release|x64.ActiveCfg = Release|x64 39 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Release|x64.Build.0 = Release|x64 40 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Release|x86.ActiveCfg = Release|Win32 41 | {17077E86-AE7C-41AF-86ED-2BAC03B019BC}.Release|x86.Build.0 = Release|Win32 42 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Debug|x64.ActiveCfg = Debug|x64 43 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Debug|x64.Build.0 = Debug|x64 44 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Debug|x86.ActiveCfg = Debug|Win32 45 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Debug|x86.Build.0 = Debug|Win32 46 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Release|x64.ActiveCfg = Release|x64 47 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Release|x64.Build.0 = Release|x64 48 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Release|x86.ActiveCfg = Release|Win32 49 | {19927C07-C10F-4312-81BF-4D1B74EBAE03}.Release|x86.Build.0 = Release|Win32 50 | EndGlobalSection 51 | GlobalSection(SolutionProperties) = preSolution 52 | HideSolutionNode = FALSE 53 | EndGlobalSection 54 | GlobalSection(ExtensibilityGlobals) = postSolution 55 | SolutionGuid = 
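{58DDE5E9-118D-490F-9454-D8FAC5A26AAA}
EndGlobalSection
EndGlobal
--------------------------------------------------------------------------------
/unicorn_wscript/Capstone.cpp:
--------------------------------------------------------------------------------
#include "Capstone.h"
#include <windows.h>   // NOTE(review): original include target was lost in extraction; restored from usage (BYTE, SIZE_T)

#include <cinttypes>
#include <cstdio>
#include <cstdlib>
#include <cstring>

// Thin wrapper around the Capstone disassembler used to print the code the
// emulator is about to run. One engine per Capstone object: opened by
// InitCapstone(), released by Close() or the destructor.

Capstone::Capstone()
    : Handle(0),       // 0 means "not open"; ShowAssembly() and Close() rely on this
      err(CS_ERR_OK),
      pInsn(nullptr),
      OptMem()         // value-initialised so no allocator pointer is left dangling
{
}

Capstone::~Capstone()
{
    // Release the engine if the owner forgot to; Close() is a no-op once Handle is 0.
    Close();
}

// Open an x86 engine (64-bit when built for _WIN64, 32-bit otherwise) using the
// CRT allocator. Safe to call more than once: a second call is ignored instead
// of leaking the first engine. On failure Handle stays 0 and 'err' holds the cause.
void Capstone::InitCapstone(
)
{
    if (Handle)
        return;

    // Route Capstone's allocations through the CRT so cs_free()/cs_close() pair
    // with the same allocator the DLL was handed here.
    OptMem.free = free;
    OptMem.calloc = calloc;
    OptMem.malloc = malloc;
    OptMem.realloc = realloc;
    // vsnprintf has exactly the cs_vsnprintf_t signature and truncates on
    // overflow, which is what Capstone expects; the previous vsprintf_s cast
    // would instead trip the CRT invalid-parameter handler (process abort) on an
    // over-long operand string.
    OptMem.vsnprintf = vsnprintf;
    err = cs_option(NULL, CS_OPT_MEM, (size_t)&OptMem);
    if (err != CS_ERR_OK)
        return;

#ifdef _WIN64
    err = cs_open(CS_ARCH_X86, CS_MODE_64, &Handle);
#else
    err = cs_open(CS_ARCH_X86, CS_MODE_32, &Handle);
#endif
    if (err != CS_ERR_OK)
        Handle = 0;
}

// Disassemble up to nLen instructions found at host pointer pAddr and print
// them as if they lived at guest address mapexecripaddr.
//
// Contract: pAddr must be readable for nLen * 16 bytes (16 is the longest x86
// instruction); nothing here can validate that range, the caller owns it.
// Output per line: 0x<guest address>\t<opcode bytes, hex, padded to 16>\t<mnemonic> <operands>
void Capstone::ShowAssembly(
    const __int64 mapexecripaddr,
    const void* pAddr,
    int nLen
)
{
    if (Handle == 0 || pAddr == nullptr || nLen <= 0)
        return;

    const size_t bufLen = (size_t)nLen * 16;
    uint8_t* pOpCode = (uint8_t*)malloc(bufLen);
    if (pOpCode == nullptr)
        return;
    memcpy(pOpCode, pAddr, bufLen);

    // Decode against the guest address: RIP-relative operands and the printed
    // addresses then refer to the emulated image rather than to the host copy
    // (the old code decoded at the host address and printed mapexecripaddr on
    // every line). Capping the count at nLen avoids decoding more than is shown.
    cs_insn* ins = nullptr;
    const size_t count = cs_disasm(Handle, pOpCode, bufLen,
                                   (uint64_t)mapexecripaddr, (size_t)nLen, &ins);
    if (count == 0) {
        fprintf(stderr, "cs_disasm failed: %s\n", cs_strerror(cs_errno(Handle)));
        free(pOpCode);
        return;
    }

    // Iterate over what was actually decoded; the old loop ran to nLen and read
    // past the end of 'ins' whenever fewer instructions fit in the buffer.
    for (size_t i = 0; i < count; ++i) {
        printf("0x%" PRIX64 "\t", (uint64_t)ins[i].address);
        for (uint16_t j = 0; j < 16; ++j) {
            if (j < ins[i].size)
                printf("%02X", ins[i].bytes[j]);
            else
                printf("  ");   // keep the byte column fixed-width
        }
        printf("\t%s %s\n", ins[i].mnemonic, ins[i].op_str);
    }
    printf("\n");

    cs_free(ins, count);
    free(pOpCode);   // malloc'd memory goes back through free(), not delete[]
}

// Release the engine. Idempotent: Handle is reset to 0 whether or not cs_close()
// succeeds, so a later Close() (e.g. from the destructor) does nothing.
void Capstone::Close(
)
{
    if (Handle == 0)
        return;
    err = cs_close(&Handle);   // cs_close() zeroes Handle itself on success
    Handle = 0;
}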
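--------------------------------------------------------------------------------
/unicorn_wscript/Capstone.h:
--------------------------------------------------------------------------------
#pragma once
#ifndef UNICORN_WSCRIPT_CAPSTONE_H_   /* was _CAPSTONE_H_: leading underscore + capital is reserved for the implementation */
#define UNICORN_WSCRIPT_CAPSTONE_H_
#include "../capstone/include/capstone.h"

// Both library paths are resolved the same way as the #include above, i.e.
// relative to the project directory. The x86 entry used to read
// "capstone\\lib\\capstone_x86.lib", one directory level too shallow compared
// with the x64 entry; if your build adds the solution root to the library
// search path the old form also resolved, otherwise only this one does.
#ifdef _WIN64
#pragma comment(lib,"..//capstone//lib//capstone_x64.lib")
#else
#pragma comment(lib,"..//capstone//lib//capstone_x86.lib")
#endif

// Owns one Capstone engine handle. The handle is a raw resource: do not copy
// Capstone objects, the copy would close the same engine twice.
class Capstone
{
public:
    Capstone();
    virtual ~Capstone();

public:

    // Open the engine (x86-64 under _WIN64, x86-32 otherwise). Must precede ShowAssembly().
    void InitCapstone();
    // Print up to nLen instructions read from host pointer pAddr (nLen*16 bytes
    // must be readable) as if they lived at guest address mapexecripaddr.
    void ShowAssembly(const __int64 mapexecripaddr, const void* pAddr, int nLen);
    // Release the engine; safe to call more than once.
    void Close();

private:

    csh Handle;          // 0 when no engine is open
    cs_err err;          // last Capstone error code
    cs_insn* pInsn;      // currently unused
    cs_opt_mem OptMem;   // allocator table handed to cs_option(CS_OPT_MEM)
};

#endif
--------------------------------------------------------------------------------
/unicorn_wscript/PeEmu.h:
--------------------------------------------------------------------------------
#pragma once

// NOTE(review): the include targets on the following lines were lost in
// extraction; they are restored from the names this header uses (string /
// wstring, map, vector, IMAGE_IMPORT_DESCRIPTOR / _CONTEXT, PEB_LDR_DATA,
// uc_engine / uc_x86_mmr). Verify against the original before building.
#include <windows.h>
#include <winternl.h>
#include <cstdint>
#include <string>
#include <map>
#include <vector>
#include "../unicorn/include/unicorn/unicorn.h"

using namespace std;

#include "Capstone.h"
#include "puPEinfoData.h"

// x86 exception vector numbers as reported by the emulator's interrupt hook.
#define EXCP00_DIVZ 0
#define EXCP01_DB 1
#define EXCP02_NMI 2
#define EXCP03_INT3 3
#define EXCP04_INTO 4
#define EXCP05_BOUND 5
#define EXCP06_ILLOP 6
#define EXCP07_PREX 7
#define EXCP08_DBLE 8
#define EXCP09_XERR 9
#define EXCP0A_TSS 10
#define EXCP0B_NOSEG 11
#define EXCP0C_STACK 12
#define EXCP0D_GPF 13
#define EXCP0E_PAGE 14
#define EXCP10_COPR 16
#define EXCP11_ALGN 17
#define EXCP12_MCHK 18


// One system DLL loaded into the emulated address space.
typedef struct _ModDLL
{
    string DllName;
    string DllPath;
    uint64_t peImageBase;   // ImageBase from the DLL's optional header
    uint64_t ImageSize;
    uint64_t MapImageBase;  // address the DLL was mapped at in Unicorn memory
    uint64_t MapOep;
    map dll_functionaddr_map; // exported function name -> mapped address (MapImageBase + offset)
                              // NOTE(review): template arguments lost in extraction; restore before building
}ModDLL, *PModDLL;

// Builds a minimal Windows process image (stack, heap, GDT, PEB/TEB, loader
// lists, system DLLs) inside a Unicorn instance and runs a PE sample in it.
class PeEmu
{
public:
    PeEmu(wstring name);
    ~PeEmu();

    bool puInitEmu() { return this->prInitEmu(); }
    bool puRun() { return this->prRun(); }
    // Despite the member's name this is true when construction succeeded
    // (main() bails out when it is false).
    bool puGetInitstatus() { return this->m_initerrorstatus; }
    // Unicorn code hook: dispatches emulated Win32 API calls by address.
    void WinApiHandleCallback(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    bool RegisterEmuWinApi(string apiname, uint64_t emuapibase);

private:
    bool prInitEmu();
    bool prRun();

    bool InitGdtr();
    bool InitTibPeb_PebLdrdata();
    uint64_t InitSysDLL();
    bool MapInsertIat(
        IMAGE_IMPORT_DESCRIPTOR * pImportTabe,
        DWORD64 dwMoudle,
        uint64_t mapBase,
        ModDLL* mod
    );
    bool MapRelocation(
        uint64_t pDos,
        uint64_t mapBase
    );
    uint64_t MyGetProcess(DWORD64 dwMoudle, uint64_t mapBase, string Name);
    bool InitsampleIatRep();
    void InsertTailList(
        IN ULONG64 ListHeadAddress,
        IN ULONG64 EntryAddress);
    BOOL RepairReloCation(
        PIMAGE_DOS_HEADER m_studBase);
    void RepairTheIAT(
        IMAGE_IMPORT_DESCRIPTOR * pImportTabe,
        DWORD64 dwMoudle);
    bool SamplePeMapImage();


public:
    // DLL
    map sys_dll_map;     // NOTE(review): template arguments lost in extraction
    map init_dlls_map;   // NOTE(review): template arguments lost in extraction
    // Keyed by address: consulted on every code/block callback to decide
    // whether the current address belongs to a loaded DLL.
    vector current_dlls_map;   // NOTE(review): template argument lost in extraction
    uint64_t m_ppeb_ldrdata_addr;
    PEB_LDR_DATA m_ldrdata_struct;
    PPEB_LDR_DATA m_Mem_ldrdat_addr;

    // process address space layout (guest addresses)
    uint64_t m_stackBaseaddr;
    uint64_t m_stackSize;
    uint64_t m_heapBaseaddr;
    uint64_t m_heapSize;
    uint64_t m_PebBase;
    uint64_t m_PebEnd;
    uint64_t m_TebBase;
    uint64_t m_TebEnd;



    // sample PE info
    bool m_x86x64;
    wstring m_wsamplename;
    uint64_t m_fileBaseaddr;
    uint64_t m_oep;
    uint64_t m_ImageBase;
    uint64_t m_ImageEnd;
    uint64_t m_ImageSize;
    uint64_t m_ImportBaseAddr;

    // engine objects
    uc_engine *m_uc;
    Capstone m_CapAnasm;
    uc_x86_mmr gdtr;
    _CONTEXT m_InitReg;


    bool m_initerrorstatus;
    static uint64_t m_LastException;
};
--------------------------------------------------------------------------------
/unicorn_wscript/WinDllJson.cpp:
--------------------------------------------------------------------------------
#include "WinDllJson.h"

WinDLLJson::WinDLLJson()
{

}

WinDLLJson::~WinDLLJson()
{

}

// Placeholder: no JSON is loaded yet, always reports success.
bool WinDLLJson::prInitDLLJson()
{

    return true;
}

// Placeholder: no lookup is performed yet, always reports success.
bool WinDLLJson::prGetApiParamNumter()
{
    return true;
}
--------------------------------------------------------------------------------
/unicorn_wscript/WinDllJson.h:
--------------------------------------------------------------------------------
#pragma once
/*
    Responsible for parsing the Win DLL description fields:
    function name - parameters - parameter count
    (both entry points are still stubs that return true)
*/

class WinDLLJson
{
public:
    WinDLLJson();
    ~WinDLLJson();

public:
    bool puInitDLLJson() { return this->prInitDLLJson(); }
    bool puGetApiParamNumter() { return this->prGetApiParamNumter(); }

private:

    bool prInitDLLJson();
    bool prGetApiParamNumter();

};
--------------------------------------------------------------------------------
/unicorn_wscript/emuwindows.cpp:
--------------------------------------------------------------------------------
#include "../unicorn/include/unicorn/unicorn.h"

#include "emuwindows.h"

#include <windows.h>   // NOTE(review): include target lost in extraction; restored from usage (FILETIME, LARGE_INTEGER, IsProcessorFeaturePresent)
#include "nativestructs.h"

// Each handler below runs as a Unicorn hook at the entry of an emulated
// kernel32/ntdll export and implements the Win64 convention by hand: integer
// arguments arrive in RCX, RDX, R8, R9 and the result goes back in RAX.
// Guest pointers are untrusted: uc_mem_write() fails on an unmapped address and
// the handlers report that through the API's own failure value where it has one.

namespace {

// Hand a 32-bit result back the way the CPU does: zero-extended into RAX.
// Writing only EAX/AL leaves whatever the guest had in the upper bits, and
// writing a 4-byte variable through UC_X86_REG_RAX (as EmuGetLastError did)
// makes Unicorn read 8 bytes, i.e. 4 bytes of adjacent host stack.
void SetDwordResult(uc_engine *uc, uint32_t value)
{
    uint64_t rax = value;
    uc_reg_write(uc, UC_X86_REG_RAX, &rax);
}

// Read a 64-bit argument register.
uint64_t ReadReg64(uc_engine *uc, int reg)
{
    uint64_t v = 0;
    uc_reg_read(uc, reg, &v);
    return v;
}

// Read a 32-bit register into a destination of exactly 4 bytes. The previous
// code read ECX into a uint64_t and then compared the half-initialised value.
uint32_t ReadReg32(uc_engine *uc, int reg)
{
    uint32_t v = 0;
    uc_reg_read(uc, reg, &v);
    return v;
}

} // namespace


EmuOsWindows::EmuOsWindows()
{

}

EmuOsWindows::~EmuOsWindows()
{

}

// GetSystemTimeAsFileTime(LPFILETIME) -- RCX. The host clock is exposed to the
// sample as-is; the API is void so a bad pointer cannot be reported.
void EmuOsWindows::EmuGetSystemTimeAsFileTime(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint64_t lpFileTime = ReadReg64(uc, UC_X86_REG_RCX);

    FILETIME ft;
    RtlSecureZeroMemory(&ft, sizeof(FILETIME));

    GetSystemTimeAsFileTime(&ft);

    uc_mem_write(uc, lpFileTime, &ft, sizeof(FILETIME));
}

// GetCurrentThreadId() -- fixed fake id; there is no thread management yet.
void EmuOsWindows::EmuGetCurrentThreadId(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 8888);
}

// GetCurrentProcessId() -- fixed fake id.
void EmuOsWindows::EmuGetCurrentProcessId(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 6666);
}

// QueryPerformanceCounter(LARGE_INTEGER*) -- RCX. Forwards the host counter;
// returns FALSE when the host call fails or the out-pointer is not mapped.
void EmuOsWindows::EmuQueryPerformanceCounter(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint64_t lpCounter = ReadReg64(uc, UC_X86_REG_RCX);

    LARGE_INTEGER counter;
    RtlSecureZeroMemory(&counter, sizeof(LARGE_INTEGER));
    BOOL ok = QueryPerformanceCounter(&counter);

    if (ok && uc_mem_write(uc, lpCounter, &counter, sizeof(LARGE_INTEGER)) != UC_ERR_OK)
        ok = FALSE;

    SetDwordResult(uc, ok ? 1 : 0);
}

// LoadLibraryExW(LPCWSTR lpLibFileName, HANDLE hFile, DWORD dwFlags)
// TODO: map the requested DLL and return its guest base. Until then the call
// fails deterministically with NULL instead of leaving a stale RAX.
void EmuOsWindows::EmuLoadLibraryExW(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// LoadLibraryA(LPCSTR) -- TODO, see EmuLoadLibraryExW; returns NULL.
void EmuOsWindows::EmuLoadLibraryA(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// GetProcAddress(HMODULE hModule, LPCSTR lpProcName)
// TODO: resolve through the mapped DLL's export map; returns NULL until then.
void EmuOsWindows::EmuGetProcAddress(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// GetModuleHandleA(LPCSTR) -- TODO; returns NULL.
void EmuOsWindows::EmuGetModuleHandleA(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// GetLastError() -- the emulated process keeps no per-thread last-error
// state yet, so ERROR_SUCCESS is reported. The host's GetLastError() must not
// be forwarded: it would reflect the emulator's own failures, not the sample's.
void EmuOsWindows::EmuGetLastError(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// InitializeCriticalSectionAndSpinCount(LPCRITICAL_SECTION, DWORD) -- RCX, EDX.
// Writes a fresh section into guest memory; FALSE if the pointer is unmapped.
void EmuOsWindows::EmuInitializeCriticalSectionAndSpinCount(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint64_t lpCriticalSection = ReadReg64(uc, UC_X86_REG_RCX);
    uint32_t spinCount = ReadReg32(uc, UC_X86_REG_EDX);

    // Zero-fill first so no host stack bytes (padding, unlisted fields) leak
    // into the guest image. LockCount is left at 0 as before; verify against
    // whatever Enter/LeaveCriticalSection emulation expects before changing it.
    RTL_CRITICAL_SECTION_64 CrtSection = {};
    CrtSection.DebugInfo = 0;
    CrtSection.LockCount = 0;
    CrtSection.LockSemaphore = 0;
    CrtSection.OwningThread = 0;
    CrtSection.RecursionCount = 0;
    CrtSection.SpinCount = spinCount;

    uc_err werr = uc_mem_write(uc, lpCriticalSection, &CrtSection, sizeof(RTL_CRITICAL_SECTION_64));

    SetDwordResult(uc, werr == UC_ERR_OK ? 1 : 0);
}

// InitializeCriticalSectionEx(LPCRITICAL_SECTION, DWORD dwSpinCount, DWORD Flags)
// -- RCX, EDX, R8D. Flags are ignored; otherwise identical to the AndSpinCount variant.
void EmuOsWindows::EmuInitializeCriticalSectionEx(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint64_t lpCriticalSection = ReadReg64(uc, UC_X86_REG_RCX);
    uint32_t spinCount = ReadReg32(uc, UC_X86_REG_EDX);

    RTL_CRITICAL_SECTION_64 CrtSection = {};
    CrtSection.DebugInfo = 0;
    CrtSection.LockCount = 0;
    CrtSection.LockSemaphore = 0;
    CrtSection.OwningThread = 0;
    CrtSection.RecursionCount = 0;
    CrtSection.SpinCount = spinCount;

    uc_err werr = uc_mem_write(uc, lpCriticalSection, &CrtSection, sizeof(RTL_CRITICAL_SECTION_64));

    SetDwordResult(uc, werr == UC_ERR_OK ? 1 : 0);
}

// TlsAlloc() -- always hands out slot 0; there is no TLS slot table yet, so a
// second TlsAlloc() in the sample silently aliases the first.
void EmuOsWindows::EmuTlsAlloc(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// TlsSetValue(DWORD dwTlsIndex, LPVOID lpTlsValue) -- ECX, RDX.
// Only slot 0 exists (see EmuTlsAlloc); the value is accepted but not stored.
void EmuOsWindows::EmuTlsSetValue(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint32_t dwTlsIndex = ReadReg32(uc, UC_X86_REG_ECX);

    uint32_t r = 0;
    if (dwTlsIndex == 0)
    {
        // TODO: persist RDX as the slot value once per-thread storage exists
        // (the original kept a commented-out ctx->m_TlsValue = rdx here).
        r = 1;
    }

    SetDwordResult(uc, r);
}

// TlsFree(DWORD dwTlsIndex) -- ECX. Succeeds only for slot 0.
void EmuOsWindows::EmuTlsFree(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint32_t dwTlsIndex = ReadReg32(uc, UC_X86_REG_ECX);

    SetDwordResult(uc, dwTlsIndex == 0 ? 1 : 0);
}

// DeleteCriticalSection(LPCRITICAL_SECTION) -- RCX. Zeroes the guest object; void API.
void EmuOsWindows::EmuDeleteCriticalSection(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint64_t lpCriticalSection = ReadReg64(uc, UC_X86_REG_RCX);

    RTL_CRITICAL_SECTION_64 CrtSection = {};

    uc_mem_write(uc, lpCriticalSection, &CrtSection, sizeof(RTL_CRITICAL_SECTION_64));
}

// LocalAlloc(UINT uFlags, SIZE_T uBytes) -- TODO: carve from the emulated heap.
// Returns NULL (allocation failure) until then rather than a stale RAX.
void EmuOsWindows::EmuLocalAlloc(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    SetDwordResult(uc, 0);
}

// RtlIsProcessorFeaturePresent / IsProcessorFeaturePresent(DWORD) -- ECX.
// Forwarded to the host, so the sample observes the real CPU's feature set
// (a fingerprinting channel, but the emulated CPU is Unicorn's anyway).
// Feature 0x1C is always reported absent, as in the original code; presumably a
// feature the emulated CPU cannot honour -- confirm against the PF_* constants.
void EmuOsWindows::EmuRtlIsProcessorFeaturePresent(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint32_t feature = ReadReg32(uc, UC_X86_REG_ECX);

    BOOL present = FALSE;
    if (feature != 0x1C)
    {
        present = IsProcessorFeaturePresent(feature);
    }

    // The ntdll flavour returns BOOLEAN in AL and the kernel32 one BOOL in EAX;
    // a zero-extended RAX satisfies a caller testing either.
    SetDwordResult(uc, present ? 1 : 0);
}

// NOTE(review): this body is a copy of EmuRtlIsProcessorFeaturePresent and does
// NOT implement NtProtectVirtualMemory(ProcessHandle, *BaseAddress, *RegionSize,
// NewProtect, *OldProtect): it treats the handle in ECX as a feature number,
// answers with a BOOLEAN in AL instead of an NTSTATUS in EAX, and never issues a
// uc_mem_protect(). The behaviour is kept unchanged here because a correct
// implementation needs the page-protection mapping this page does not show;
// treat any call that reaches this hook as unemulated.
void EmuOsWindows::EmuNtProtectVirtualMemory(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint32_t ecx = ReadReg32(uc, UC_X86_REG_ECX);

    uint8_t al = (ecx == 0x1C) ? 0 : (uint8_t)IsProcessorFeaturePresent(ecx);

    uc_reg_write(uc, UC_X86_REG_AL, &al);
}

// GetProcessAffinityMask(HANDLE, PDWORD_PTR, PDWORD_PTR) -- RCX, RDX, R8.
// Only the GetCurrentProcess() pseudo-handle (-1) is accepted. Both masks are
// reported as 0, as in the original; a real system never reports an empty
// mask, so a sample that loops over set bits will see none.
void EmuOsWindows::EmuGetProcessAffinityMask(uc_engine *uc, uint64_t address, uint32_t size, void *user_data)
{
    uint64_t hProcess = ReadReg64(uc, UC_X86_REG_RCX);
    uint64_t lpProcessAffinityMask = ReadReg64(uc, UC_X86_REG_RDX);
    uint64_t lpSystemAffinityMask = ReadReg64(uc, UC_X86_REG_R8);

    uint32_t eax = 0;
    if (hProcess == (uint64_t)-1)
    {
        DWORD_PTR ProcessAffinityMask = 0;
        DWORD_PTR SystemAffinityMask = 0;

        bool ok = uc_mem_write(uc, lpProcessAffinityMask, &ProcessAffinityMask, sizeof(ProcessAffinityMask)) == UC_ERR_OK
               && uc_mem_write(uc, lpSystemAffinityMask, &SystemAffinityMask, sizeof(SystemAffinityMask)) == UC_ERR_OK;
        eax = ok ? 1 : 0;   // FALSE if either out-pointer is unmapped
    }

    SetDwordResult(uc, eax);
}
--------------------------------------------------------------------------------
/unicorn_wscript/emuwindows.h:
--------------------------------------------------------------------------------
#pragma once

#include <cstdint>
#include "../unicorn/include/unicorn/unicorn.h"   // uc_engine; makes the header self-contained

// Unicorn code-hook handlers that stand in for individual Win32/ntdll exports.
// All handlers share the uc_hook_code signature; arguments are taken from the
// Win64 argument registers and the result is written to RAX.
class EmuOsWindows
{
public:
    EmuOsWindows();
    ~EmuOsWindows();
public:
    static void EmuGetSystemTimeAsFileTime(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuGetCurrentThreadId(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuGetCurrentProcessId(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuQueryPerformanceCounter(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuLoadLibraryExW(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);      // stub, returns NULL
    static void EmuLoadLibraryA(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);        // stub, returns NULL
    static void EmuGetProcAddress(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);      // stub, returns NULL
    static void EmuGetModuleHandleA(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);    // stub, returns NULL
    static void EmuGetLastError(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuInitializeCriticalSectionAndSpinCount(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuInitializeCriticalSectionEx(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuTlsAlloc(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuTlsSetValue(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuTlsFree(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuDeleteCriticalSection(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuLocalAlloc(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);           // stub, returns NULL
    static void EmuRtlIsProcessorFeaturePresent(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);
    static void EmuNtProtectVirtualMemory(uc_engine *uc, uint64_t address, uint32_t size, void *user_data); // NOT implemented, see .cpp
    static void EmuGetProcessAffinityMask(uc_engine *uc, uint64_t address, uint32_t size, void *user_data);


private:

};
--------------------------------------------------------------------------------
/unicorn_wscript/main.cpp:
--------------------------------------------------------------------------------
#include "../unicorn/include/unicorn/unicorn.h"

#include <cstdio>
#include <cwchar>
#include <string>   // NOTE(review): original include target lost in extraction; restored from usage
using namespace std;
#include "PeEmu.h"

// Entry point: prompt for a sample path, build the emulated process, run it.
int main(int argc, char** argv)
{
    (void)argc;   // the sample path is read interactively, not from the command line
    (void)argv;

    // Bounded read of the sample path. The previous scanf("%ws", bufname) had
    // no width limit, so a path longer than MAX_PATH-1 characters overflowed
    // the stack buffer; fgetws also keeps paths containing spaces intact,
    // which %ws would have split at the first blank.
    wchar_t bufname[MAX_PATH] = { 0, };
    printf("please samlple path: ");
    fflush(stdout);
    if (fgetws(bufname, MAX_PATH, stdin) == nullptr)
        return 0;
    wstring wSampleName = bufname;
    // strip the line terminator fgetws leaves in place
    while (!wSampleName.empty() && (wSampleName.back() == L'\n' || wSampleName.back() == L'\r'))
        wSampleName.pop_back();
    if (wSampleName.empty())
        return 0;

    // x86 or x64
    // bool x8664flag = false;

    // Init PeEmu
    PeEmu pe(wSampleName);
    if (!pe.puGetInitstatus())
        return 0;
    // Do not run a half-built process image: the previous code ignored this
    // result and called puRun() regardless.
    if (!pe.puInitEmu())
        return 1;

    // Run PeEmu
    pe.puRun();

    return 0;
}
--------------------------------------------------------------------------------
/unicorn_wscript/mem.cpp:
--------------------------------------------------------------------------------
#include "mem.h"

#include <windows.h>   // NOTE(review): include targets lost in extraction; restored from usage
#include <list>
std::list<void*> g_MemList;   // every block handed out by ExAllocMemory(), released by ExFreeAllMemory()

// Allocate len bytes of committed, read/write host memory. Returns NULL for a
// non-positive length (a negative int used to be widened into a huge SIZE_T)
// or when VirtualAlloc fails. The block is tracked in g_MemList.
void* ExAllocMemory(const int len)
{
    if (len <= 0)
        return NULL;

    void* buffer = VirtualAlloc(NULL, (SIZE_T)len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (buffer == NULL)
        return NULL;

    g_MemList.push_back(buffer);
    return buffer;
}

// Release every block obtained through ExAllocMemory(). Previously nothing
// freed the list, so the host leaked one region per allocation.
void ExFreeAllMemory(void)
{
    for (void* block : g_MemList)
        VirtualFree(block, 0, MEM_RELEASE);
    g_MemList.clear();
}

// Allocate len zero-filled bytes from the process heap. The original called
// HeapAlloc(NULL, PAGE_READWRITE, len): NULL is not a valid heap handle, and
// PAGE_READWRITE (0x4) happens to equal HEAP_GENERATE_EXCEPTIONS, so the call
// could never succeed.
void* ExAllocHeap(const int len)
{
    if (len <= 0)
        return NULL;
    return HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, (SIZE_T)len);
}
--------------------------------------------------------------------------------
/unicorn_wscript/mem.h:
--------------------------------------------------------------------------------
#pragma once

// Committed page-granular host memory, tracked for bulk release; NULL on failure.
void* ExAllocMemory(const int len);

// Zero-filled process-heap allocation; free with HeapFree(GetProcessHeap(), 0, p).
void* ExAllocHeap(const int len);

// Release everything ExAllocMemory() handed out.
void ExFreeAllMemory(void);
--------------------------------------------------------------------------------
/unicorn_wscript/nativestructs.h:
--------------------------------------------------------------------------------
#pragma once
/// See: MEMORY-MANAGEMENT REGISTERS
// NOTE(review): the include target here was lost in extraction. The
// static_asserts below (Idtr32 == 6 bytes for a short plus a ULONG32) only hold
// with 1-byte packing, so this is presumably <pshpack1.h>, balanced by a
// <poppack.h> right after the Gdtr asserts -- confirm against the original.
#include <pshpack1.h>
struct Idtr {
    unsigned short limit;
    ULONG_PTR base;
};

struct Idtr32 {
    unsigned short limit;
    ULONG32 base;
};
static_assert(sizeof(Idtr32) == 6, "Size check");

/// @copydoc Idtr
using Gdtr = Idtr;
#if defined(_AMD64_)
static_assert(sizeof(Idtr) == 10, "Size check");
static_assert(sizeof(Gdtr) == 10, "Size check");
#else
static_assert(sizeof(Idtr) == 6, "Size check");
static_assert(sizeof(Gdtr) == 6, "Size check");
#endif
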
#include 25 | 26 | /// See: Segment Selectors 27 | #include 28 | union SegmentSelector { 29 | unsigned short all; 30 | struct { 31 | unsigned short rpl : 2; //!< Requested Privilege Level 32 | unsigned short ti : 1; //!< Table Indicator 33 | unsigned short index : 13; 34 | } fields; 35 | }; 36 | static_assert(sizeof(SegmentSelector) == 2, "Size check"); 37 | #include 38 | 39 | /// See: Segment Descriptor 40 | union SegmentDescriptor { 41 | ULONG64 all; 42 | struct { 43 | ULONG64 limit_low : 16; 44 | ULONG64 base_low : 16; 45 | ULONG64 base_mid : 8; 46 | ULONG64 type : 4; 47 | ULONG64 system : 1; 48 | ULONG64 dpl : 2; 49 | ULONG64 present : 1; 50 | ULONG64 limit_high : 4; 51 | ULONG64 avl : 1; 52 | ULONG64 l : 1; //!< 64-bit code segment (IA-32e mode only) 53 | ULONG64 db : 1; 54 | ULONG64 gran : 1; 55 | ULONG64 base_high : 8; 56 | } fields; 57 | }; 58 | static_assert(sizeof(SegmentDescriptor) == 8, "Size check"); 59 | 60 | /// @copydoc SegmentDescriptor 61 | struct SegmentDesctiptorX64 { 62 | SegmentDescriptor descriptor; 63 | ULONG32 base_upper32; 64 | ULONG32 reserved; 65 | }; 66 | static_assert(sizeof(SegmentDesctiptorX64) == 16, "Size check"); 67 | 68 | /// See: MODEL-SPECIFIC REGISTERS (MSRS) 69 | enum class Msr : unsigned int { 70 | kIa32ApicBase = 0x01B, 71 | 72 | kIa32FeatureControl = 0x03A, 73 | 74 | kIa32SysenterCs = 0x174, 75 | kIa32SysenterEsp = 0x175, 76 | kIa32SysenterEip = 0x176, 77 | 78 | kIa32Debugctl = 0x1D9, 79 | 80 | kIa32MtrrCap = 0xFE, 81 | kIa32MtrrDefType = 0x2FF, 82 | kIa32MtrrPhysBaseN = 0x200, 83 | kIa32MtrrPhysMaskN = 0x201, 84 | kIa32MtrrFix64k00000 = 0x250, 85 | kIa32MtrrFix16k80000 = 0x258, 86 | kIa32MtrrFix16kA0000 = 0x259, 87 | kIa32MtrrFix4kC0000 = 0x268, 88 | kIa32MtrrFix4kC8000 = 0x269, 89 | kIa32MtrrFix4kD0000 = 0x26A, 90 | kIa32MtrrFix4kD8000 = 0x26B, 91 | kIa32MtrrFix4kE0000 = 0x26C, 92 | kIa32MtrrFix4kE8000 = 0x26D, 93 | kIa32MtrrFix4kF0000 = 0x26E, 94 | kIa32MtrrFix4kF8000 = 0x26F, 95 | 96 | kIa32VmxBasic = 0x480, 97 | 
kIa32VmxPinbasedCtls = 0x481, 98 | kIa32VmxProcBasedCtls = 0x482, 99 | kIa32VmxExitCtls = 0x483, 100 | kIa32VmxEntryCtls = 0x484, 101 | kIa32VmxMisc = 0x485, 102 | kIa32VmxCr0Fixed0 = 0x486, 103 | kIa32VmxCr0Fixed1 = 0x487, 104 | kIa32VmxCr4Fixed0 = 0x488, 105 | kIa32VmxCr4Fixed1 = 0x489, 106 | kIa32VmxVmcsEnum = 0x48A, 107 | kIa32VmxProcBasedCtls2 = 0x48B, 108 | kIa32VmxEptVpidCap = 0x48C, 109 | kIa32VmxTruePinbasedCtls = 0x48D, 110 | kIa32VmxTrueProcBasedCtls = 0x48E, 111 | kIa32VmxTrueExitCtls = 0x48F, 112 | kIa32VmxTrueEntryCtls = 0x490, 113 | kIa32VmxVmfunc = 0x491, 114 | 115 | kIa32Efer = 0xC0000080, 116 | kIa32Star = 0xC0000081, 117 | kIa32Lstar = 0xC0000082, 118 | 119 | kIa32Fmask = 0xC0000084, 120 | 121 | kIa32FsBase = 0xC0000100, 122 | kIa32GsBase = 0xC0000101, 123 | kIa32KernelGsBase = 0xC0000102, 124 | kIa32TscAux = 0xC0000103, 125 | }; 126 | 127 | union FlagRegister { 128 | ULONG_PTR all; 129 | struct { 130 | ULONG_PTR cf : 1; //!< [0] Carry flag 131 | ULONG_PTR reserved1 : 1; //!< [1] Always 1 132 | ULONG_PTR pf : 1; //!< [2] Parity flag 133 | ULONG_PTR reserved2 : 1; //!< [3] Always 0 134 | ULONG_PTR af : 1; //!< [4] Borrow flag 135 | ULONG_PTR reserved3 : 1; //!< [5] Always 0 136 | ULONG_PTR zf : 1; //!< [6] Zero flag 137 | ULONG_PTR sf : 1; //!< [7] Sign flag 138 | ULONG_PTR tf : 1; //!< [8] Trap flag 139 | ULONG_PTR intf : 1; //!< [9] Interrupt flag 140 | ULONG_PTR df : 1; //!< [10] Direction flag 141 | ULONG_PTR of : 1; //!< [11] Overflow flag 142 | ULONG_PTR iopl : 2; //!< [12:13] I/O privilege level 143 | ULONG_PTR nt : 1; //!< [14] Nested task flag 144 | ULONG_PTR reserved4 : 1; //!< [15] Always 0 145 | ULONG_PTR rf : 1; //!< [16] Resume flag 146 | ULONG_PTR vm : 1; //!< [17] Virtual 8086 mode 147 | ULONG_PTR ac : 1; //!< [18] Alignment check 148 | ULONG_PTR vif : 1; //!< [19] Virtual interrupt flag 149 | ULONG_PTR vip : 1; //!< [20] Virtual interrupt pending 150 | ULONG_PTR id : 1; //!< [21] Identification flag 151 | ULONG_PTR reserved5 : 10; 
//!< [22:31] Always 0 152 | } fields; 153 | }; 154 | static_assert(sizeof(FlagRegister) == sizeof(void*), "Size check"); 155 | 156 | #define IRP_MJ_CREATE 0x00 157 | #define IRP_MJ_CREATE_NAMED_PIPE 0x01 158 | #define IRP_MJ_CLOSE 0x02 159 | #define IRP_MJ_READ 0x03 160 | #define IRP_MJ_WRITE 0x04 161 | #define IRP_MJ_QUERY_INFORMATION 0x05 162 | #define IRP_MJ_SET_INFORMATION 0x06 163 | #define IRP_MJ_QUERY_EA 0x07 164 | #define IRP_MJ_SET_EA 0x08 165 | #define IRP_MJ_FLUSH_BUFFERS 0x09 166 | #define IRP_MJ_QUERY_VOLUME_INFORMATION 0x0a 167 | #define IRP_MJ_SET_VOLUME_INFORMATION 0x0b 168 | #define IRP_MJ_DIRECTORY_CONTROL 0x0c 169 | #define IRP_MJ_FILE_SYSTEM_CONTROL 0x0d 170 | #define IRP_MJ_DEVICE_CONTROL 0x0e 171 | #define IRP_MJ_INTERNAL_DEVICE_CONTROL 0x0f 172 | #define IRP_MJ_SHUTDOWN 0x10 173 | #define IRP_MJ_LOCK_CONTROL 0x11 174 | #define IRP_MJ_CLEANUP 0x12 175 | #define IRP_MJ_CREATE_MAILSLOT 0x13 176 | #define IRP_MJ_QUERY_SECURITY 0x14 177 | #define IRP_MJ_SET_SECURITY 0x15 178 | #define IRP_MJ_POWER 0x16 179 | #define IRP_MJ_SYSTEM_CONTROL 0x17 180 | #define IRP_MJ_DEVICE_CHANGE 0x18 181 | #define IRP_MJ_QUERY_QUOTA 0x19 182 | #define IRP_MJ_SET_QUOTA 0x1a 183 | #define IRP_MJ_PNP 0x1b 184 | #define IRP_MJ_PNP_POWER IRP_MJ_PNP // Obsolete.... 185 | #define IRP_MJ_MAXIMUM_FUNCTION 0x1b 186 | 187 | typedef struct _DRIVER_OBJECT { 188 | SHORT Type; 189 | SHORT Size; 190 | 191 | // 192 | // The following links all of the devices created by a single driver 193 | // together on a list, and the Flags word provides an extensible flag 194 | // location for driver objects. 195 | // 196 | 197 | PVOID DeviceObject; 198 | ULONG Flags; 199 | 200 | // 201 | // The following section describes where the driver is loaded. The count 202 | // field is used to count the number of times the driver has had its 203 | // registered reinitialization routine invoked. 
204 | // 205 | 206 | PVOID DriverStart; 207 | ULONG DriverSize; 208 | PVOID DriverSection; 209 | PVOID DriverExtension; 210 | 211 | // 212 | // The driver name field is used by the error log thread 213 | // determine the name of the driver that an I/O request is/was bound. 214 | // 215 | 216 | UNICODE_STRING DriverName; 217 | 218 | // 219 | // The following section is for registry support. This is a pointer 220 | // to the path to the hardware information in the registry 221 | // 222 | 223 | PUNICODE_STRING HardwareDatabase; 224 | 225 | // 226 | // The following section contains the optional pointer to an array of 227 | // alternate entry points to a driver for "fast I/O" support. Fast I/O 228 | // is performed by invoking the driver routine directly with separate 229 | // parameters, rather than using the standard IRP call mechanism. Note 230 | // that these functions may only be used for synchronous I/O, and when 231 | // the file is cached. 232 | // 233 | 234 | PVOID FastIoDispatch; 235 | 236 | // 237 | // The following section describes the entry points to this particular 238 | // driver. Note that the major function dispatch table must be the last 239 | // field in the object so that it remains extensible. 
240 | // 241 | 242 | PVOID DriverInit; 243 | PVOID DriverStartIo; 244 | PVOID DriverUnload; 245 | PVOID MajorFunction[IRP_MJ_MAXIMUM_FUNCTION + 1]; 246 | 247 | } DRIVER_OBJECT; 248 | typedef struct _DRIVER_OBJECT *PDRIVER_OBJECT; 249 | 250 | typedef enum _SYSTEM_INFORMATION_CLASS_EX 251 | { 252 | SystemProcessorInformation = 0x1, 253 | SystemPathInformation = 0x4, 254 | SystemCallCountInformation = 0x6, 255 | SystemDeviceInformation = 0x7, 256 | SystemFlagsInformation = 0x9, 257 | SystemCallTimeInformation = 0xa, 258 | SystemModuleInformation = 0xb, 259 | SystemLocksInformation = 0xc, 260 | SystemStackTraceInformation = 0xd, 261 | SystemPagedPoolInformation = 0xe, 262 | SystemNonPagedPoolInformation = 0xf, 263 | SystemHandleInformation = 0x10, 264 | SystemObjectInformation = 0x11, 265 | SystemPageFileInformation = 0x12, 266 | SystemVdmInstemulInformation = 0x13, 267 | SystemVdmBopInformation = 0x14, 268 | SystemFileCacheInformation = 0x15, 269 | SystemPoolTagInformation = 0x16, 270 | SystemDpcBehaviorInformation = 0x18, 271 | SystemFullMemoryInformation = 0x19, 272 | SystemLoadGdiDriverInformation = 0x1a, 273 | SystemUnloadGdiDriverInformation = 0x1b, 274 | SystemTimeAdjustmentInformation = 0x1c, 275 | SystemSummaryMemoryInformation = 0x1d, 276 | SystemMirrorMemoryInformation = 0x1e, 277 | SystemPerformanceTraceInformation = 0x1f, 278 | SystemObsolete0 = 0x20, 279 | SystemCrashDumpStateInformation = 0x22, 280 | SystemKernelDebuggerInformation = 0x23, 281 | SystemContextSwitchInformation = 0x24, 282 | SystemExtendServiceTableInformation = 0x26, 283 | SystemPrioritySeperation = 0x27, 284 | SystemVerifierAddDriverInformation = 0x28, 285 | SystemVerifierRemoveDriverInformation = 0x29, 286 | SystemProcessorIdleInformation = 0x2a, 287 | SystemLegacyDriverInformation = 0x2b, 288 | SystemCurrentTimeZoneInformation = 0x2c, 289 | SystemTimeSlipNotification = 0x2e, 290 | SystemSessionCreate = 0x2f, 291 | SystemSessionDetach = 0x30, 292 | SystemSessionInformation = 0x31, 293 | 
SystemRangeStartInformation = 0x32, 294 | SystemVerifierInformation = 0x33, 295 | SystemVerifierThunkExtend = 0x34, 296 | SystemSessionProcessInformation = 0x35, 297 | SystemLoadGdiDriverInSystemSpace = 0x36, 298 | SystemNumaProcessorMap = 0x37, 299 | SystemPrefetcherInformation = 0x38, 300 | SystemExtendedProcessInformation = 0x39, 301 | SystemRecommendedSharedDataAlignment = 0x3a, 302 | SystemComPlusPackage = 0x3b, 303 | SystemNumaAvailableMemory = 0x3c, 304 | SystemProcessorPowerInformation = 0x3d, 305 | SystemEmulationBasicInformation = 0x3e, 306 | SystemEmulationProcessorInformation = 0x3f, 307 | SystemExtendedHandleInformation = 0x40, 308 | SystemLostDelayedWriteInformation = 0x41, 309 | SystemBigPoolInformation = 0x42, 310 | SystemSessionPoolTagInformation = 0x43, 311 | SystemSessionMappedViewInformation = 0x44, 312 | SystemHotpatchInformation = 0x45, 313 | SystemObjectSecurityMode = 0x46, 314 | SystemWatchdogTimerHandler = 0x47, 315 | SystemWatchdogTimerInformation = 0x48, 316 | SystemLogicalProcessorInformation = 0x49, 317 | SystemWow64SharedInformationObsolete = 0x4a, 318 | SystemRegisterFirmwareTableInformationHandler = 0x4b, 319 | SystemFirmwareTableInformation = 0x4c, 320 | SystemModuleInformationEx = 0x4d, 321 | SystemVerifierTriageInformation = 0x4e, 322 | SystemSuperfetchInformation = 0x4f, 323 | SystemMemoryListInformation = 0x50, 324 | SystemFileCacheInformationEx = 0x51, 325 | SystemThreadPriorityClientIdInformation = 0x52, 326 | SystemProcessorIdleCycleTimeInformation = 0x53, 327 | SystemVerifierCancellationInformation = 0x54, 328 | SystemProcessorPowerInformationEx = 0x55, 329 | SystemRefTraceInformation = 0x56, 330 | SystemSpecialPoolInformation = 0x57, 331 | SystemProcessIdInformation = 0x58, 332 | SystemErrorPortInformation = 0x59, 333 | SystemBootEnvironmentInformation = 0x5a, 334 | SystemHypervisorInformation = 0x5b, 335 | SystemVerifierInformationEx = 0x5c, 336 | SystemTimeZoneInformation = 0x5d, 337 | 
SystemImageFileExecutionOptionsInformation = 0x5e, 338 | SystemCoverageInformation = 0x5f, 339 | SystemPrefetchPatchInformation = 0x60, 340 | SystemVerifierFaultsInformation = 0x61, 341 | SystemSystemPartitionInformation = 0x62, 342 | SystemSystemDiskInformation = 0x63, 343 | SystemProcessorPerformanceDistribution = 0x64, 344 | SystemNumaProximityNodeInformation = 0x65, 345 | SystemDynamicTimeZoneInformation = 0x66, 346 | SystemCodeIntegrityInformation_ = 0x67, 347 | SystemProcessorMicrocodeUpdateInformation = 0x68, 348 | SystemProcessorBrandString = 0x69, 349 | SystemVirtualAddressInformation = 0x6a, 350 | SystemLogicalProcessorAndGroupInformation = 0x6b, 351 | SystemProcessorCycleTimeInformation = 0x6c, 352 | SystemStoreInformation = 0x6d, 353 | SystemRegistryAppendString = 0x6e, 354 | SystemAitSamplingValue = 0x6f, 355 | SystemVhdBootInformation = 0x70, 356 | SystemCpuQuotaInformation = 0x71, 357 | SystemNativeBasicInformation = 0x72, 358 | SystemErrorPortTimeouts = 0x73, 359 | SystemLowPriorityIoInformation = 0x74, 360 | SystemBootEntropyInformation = 0x75, 361 | SystemVerifierCountersInformation = 0x76, 362 | SystemPagedPoolInformationEx = 0x77, 363 | SystemSystemPtesInformationEx = 0x78, 364 | SystemNodeDistanceInformation = 0x79, 365 | SystemAcpiAuditInformation = 0x7a, 366 | SystemBasicPerformanceInformation = 0x7b, 367 | SystemQueryPerformanceCounterInformation = 0x7c, 368 | SystemSessionBigPoolInformation = 0x7d, 369 | SystemBootGraphicsInformation = 0x7e, 370 | SystemScrubPhysicalMemoryInformation = 0x7f, 371 | SystemBadPageInformation = 0x80, 372 | SystemProcessorProfileControlArea = 0x81, 373 | SystemCombinePhysicalMemoryInformation = 0x82, 374 | SystemEntropyInterruptTimingInformation = 0x83, 375 | SystemConsoleInformation = 0x84, 376 | SystemPlatformBinaryInformation = 0x85, 377 | SystemThrottleNotificationInformation = 0x86, 378 | SystemHypervisorProcessorCountInformation = 0x87, 379 | SystemDeviceDataInformation = 0x88, 380 | 
SystemDeviceDataEnumerationInformation = 0x89, 381 | SystemMemoryTopologyInformation = 0x8a, 382 | SystemMemoryChannelInformation = 0x8b, 383 | SystemBootLogoInformation = 0x8c, 384 | SystemProcessorPerformanceInformationEx = 0x8d, 385 | SystemSpare0 = 0x8e, 386 | SystemSecureBootPolicyInformation = 0x8f, 387 | SystemPageFileInformationEx = 0x90, 388 | SystemSecureBootInformation = 0x91, 389 | SystemEntropyInterruptTimingRawInformation = 0x92, 390 | SystemPortableWorkspaceEfiLauncherInformation = 0x93, 391 | SystemFullProcessInformation = 0x94, 392 | SystemKernelDebuggerInformationEx = 0x95, 393 | SystemBootMetadataInformation = 0x96, 394 | SystemSoftRebootInformation = 0x97, 395 | SystemElamCertificateInformation = 0x98, 396 | SystemOfflineDumpConfigInformation = 0x99, 397 | SystemProcessorFeaturesInformation = 0x9a, 398 | SystemRegistryReconciliationInformation = 0x9b, 399 | 400 | SystemKernelVaShadowInformation = 196, 401 | MaxSystemInfoClass = 0x9c, 402 | } SYSTEM_INFORMATION_CLASS_EX; 403 | 404 | typedef struct _RTL_PROCESS_MODULE_INFORMATION 405 | { 406 | HANDLE Section; // Not filled in 407 | PVOID MappedBase; 408 | PVOID ImageBase; 409 | ULONG ImageSize; 410 | ULONG Flags; 411 | USHORT LoadOrderIndex; 412 | USHORT InitOrderIndex; 413 | USHORT LoadCount; 414 | USHORT OffsetToFileName; 415 | UCHAR FullPathName[256]; 416 | } RTL_PROCESS_MODULE_INFORMATION, *PRTL_PROCESS_MODULE_INFORMATION; 417 | 418 | typedef struct _RTL_USER_PROCESS_PARAMETERS_EX { 419 | ULONG MaximumLength;//+0 420 | ULONG Length;//+4 421 | ULONG Flags;//+8 422 | ULONG DebugFlags;//+12 423 | PVOID ConsoleHandle;//+16 424 | ULONG ConsoleFlags;//+24 425 | HANDLE StdInputHandle;//+32 426 | HANDLE StdOutputHandle;//+40 427 | HANDLE StdErrorHandle;//+48 428 | UNICODE_STRING CurrentDirectoryPath;//+56 429 | HANDLE CurrentDirectoryHandle;//+72 430 | UNICODE_STRING DllPath;//+80 431 | UNICODE_STRING ImagePathName;//Offset=96 in x64 432 | UNICODE_STRING CommandLine; 433 | //MORE 434 | } 
RTL_USER_PROCESS_PARAMETERS_EX, *PRTL_USER_PROCESS_PARAMETERS_EX; 435 | 436 | typedef struct _RTL_PROCESS_MODULES 437 | { 438 | ULONG NumberOfModules; 439 | RTL_PROCESS_MODULE_INFORMATION Modules[1]; 440 | } RTL_PROCESS_MODULES, *PRTL_PROCESS_MODULES; 441 | 442 | typedef struct _RTL_CRITICAL_SECTION_64 { 443 | uint64_t DebugInfo; 444 | uint32_t LockCount; 445 | uint32_t RecursionCount; 446 | uint64_t OwningThread; 447 | uint64_t LockSemaphore; 448 | uint64_t SpinCount; 449 | } RTL_CRITICAL_SECTION_64, *PRTL_CRITICAL_SECTION_64; 450 | 451 | typedef struct _MDL { 452 | struct _MDL *Next; 453 | SHORT Size; 454 | SHORT MdlFlags; 455 | 456 | PVOID Process; 457 | PVOID MappedSystemVa; /* see creators for field size annotations. */ 458 | PVOID StartVa; /* see creators for validity; could be address 0. */ 459 | ULONG ByteCount; 460 | ULONG ByteOffset; 461 | } MDL, *PMDL; 462 | 463 | typedef struct _SYSTEM_KERNEL_DEBUGGER_INFORMATION 464 | { 465 | BOOLEAN DebuggerEnabled; 466 | BOOLEAN DebuggerNotPresent; 467 | } SYSTEM_KERNEL_DEBUGGER_INFORMATION, *PSYSTEM_KERNEL_DEBUGGER_INFORMATION; 468 | 469 | typedef struct _KLDR_DATA_TABLE_ENTRY { 470 | LIST_ENTRY InLoadOrderLinks; 471 | PVOID ExceptionTable; 472 | ULONG ExceptionTableSize; 473 | // ULONG padding on IA64 474 | PVOID GpValue; 475 | PVOID NonPagedDebugInfo; 476 | PVOID DllBase; 477 | PVOID EntryPoint; 478 | ULONG SizeOfImage; 479 | UNICODE_STRING FullDllName; 480 | UNICODE_STRING BaseDllName; 481 | ULONG Flags; 482 | USHORT LoadCount; 483 | USHORT __Unused5; 484 | PVOID SectionPointer; 485 | ULONG CheckSum; 486 | // ULONG padding on IA64 487 | PVOID LoadedImports; 488 | PVOID PatchInformation; 489 | } KLDR_DATA_TABLE_ENTRY, *PKLDR_DATA_TABLE_ENTRY; 490 | 491 | #define UNWIND_HISTORY_TABLE_NONE 0 492 | #define UNWIND_HISTORY_TABLE_GLOBAL 1 493 | #define UNWIND_HISTORY_TABLE_LOCAL 2 494 | 495 | #define MAXIMUM_INVERTED_FUNCTION_TABLE_SIZE 160 496 | 497 | typedef struct _INVERTED_FUNCTION_TABLE_ENTRY { 498 | 
PRUNTIME_FUNCTION FunctionTable; 499 | PVOID ImageBase; 500 | ULONG SizeOfImage; 501 | ULONG SizeOfTable; 502 | } INVERTED_FUNCTION_TABLE_ENTRY, *PINVERTED_FUNCTION_TABLE_ENTRY; 503 | 504 | typedef struct _INVERTED_FUNCTION_TABLE { 505 | ULONG CurrentSize; 506 | ULONG MaximumSize; 507 | BOOLEAN Overflow; 508 | INVERTED_FUNCTION_TABLE_ENTRY TableEntry[MAXIMUM_INVERTED_FUNCTION_TABLE_SIZE]; 509 | } INVERTED_FUNCTION_TABLE, *PINVERTED_FUNCTION_TABLE; 510 | 511 | typedef enum _UNWIND_OP_CODES { 512 | UWOP_PUSH_NONVOL = 0, 513 | UWOP_ALLOC_LARGE, 514 | UWOP_ALLOC_SMALL, 515 | UWOP_SET_FPREG, 516 | UWOP_SAVE_NONVOL, 517 | UWOP_SAVE_NONVOL_FAR, 518 | UWOP_SPARE_CODE1, 519 | UWOP_SPARE_CODE2, 520 | UWOP_SAVE_XMM128, 521 | UWOP_SAVE_XMM128_FAR, 522 | UWOP_PUSH_MACHFRAME 523 | } UNWIND_OP_CODES, *PUNWIND_OP_CODES; 524 | 525 | // 526 | // Define unwind code structure. 527 | // 528 | 529 | typedef union _UNWIND_CODE { 530 | struct { 531 | UCHAR CodeOffset; 532 | UCHAR UnwindOp : 4; 533 | UCHAR OpInfo : 4; 534 | }; 535 | 536 | USHORT FrameOffset; 537 | } UNWIND_CODE, *PUNWIND_CODE; 538 | 539 | // 540 | // Define unwind information flags. 541 | // 542 | 543 | #define UNW_FLAG_NHANDLER 0x0 544 | #define UNW_FLAG_EHANDLER 0x1 545 | #define UNW_FLAG_UHANDLER 0x2 546 | #define UNW_FLAG_CHAININFO 0x4 547 | 548 | // 549 | // Define unwind information structure. 550 | // 551 | 552 | typedef struct _UNWIND_INFO { 553 | UCHAR Version : 3; 554 | UCHAR Flags : 5; 555 | UCHAR SizeOfProlog; 556 | UCHAR CountOfCodes; 557 | UCHAR FrameRegister : 4; 558 | UCHAR FrameOffset : 4; 559 | UNWIND_CODE UnwindCode[1]; 560 | 561 | // 562 | // The unwind codes are followed by an optional DWORD aligned field that 563 | // contains the exception handler address or a function table entry if 564 | // chained unwind information is specified. If an exception handler address 565 | // is specified, then it is followed by the language specified exception 566 | // handler data. 
567 | // 568 | // union { 569 | // struct { 570 | // ULONG ExceptionHandler; 571 | // ULONG ExceptionData[]; 572 | // }; 573 | // 574 | // RUNTIME_FUNCTION FunctionEntry; 575 | // }; 576 | // 577 | 578 | } UNWIND_INFO, *PUNWIND_INFO; 579 | 580 | typedef struct _KPCR 581 | { 582 | SegmentDesctiptorX64 gdt[8]; 583 | }KPCR; 584 | 585 | typedef struct _LDR_DATA_TABLE_ENTRY_1 { 586 | // Start from Windows XP 587 | LIST_ENTRY InLoadOrderLinks; 588 | LIST_ENTRY InMemoryOrderLinks; 589 | LIST_ENTRY InInitializationOrderLinks; 590 | PVOID DllBase; 591 | PVOID EntryPoint; 592 | ULONG SizeOfImage; 593 | UNICODE_STRING FullDllName; 594 | UNICODE_STRING BaseDllName; 595 | ULONG Flags; 596 | USHORT LoadCount; 597 | USHORT TlsIndex; 598 | union { 599 | LIST_ENTRY HashLinks; 600 | struct { 601 | PVOID SectionPointer; 602 | ULONG CheckSum; 603 | }; 604 | }; 605 | union { 606 | ULONG TimeDateStamp; 607 | PVOID LoadedImports; 608 | }; 609 | PVOID EntryPointActivationContext; //_ACTIVATION_CONTEXT * 610 | PVOID PatchInformation; 611 | 612 | // Start from Windows Vista 613 | LIST_ENTRY ForwarderLinks; 614 | LIST_ENTRY ServiceTagLinks; 615 | LIST_ENTRY StaticLinks; 616 | PVOID ContextInformation; 617 | PVOID OriginalBase; 618 | LARGE_INTEGER LoadTime; 619 | 620 | } LDR_DATA_TABLE_ENTRY_1, *PLDR_DATA_TABLE_ENTRY_1; -------------------------------------------------------------------------------- /unicorn_wscript/puPEinfoData.cpp: -------------------------------------------------------------------------------- 1 | #include "puPEinfoData.h" 2 | 3 | 4 | void* PuPEInfo::m_pFileBase = nullptr; 5 | void* PuPEInfo::m_pNtHeader = nullptr; 6 | UINT64 PuPEInfo::m_ImageBase = 0; 7 | UINT64 PuPEInfo::m_ImportBaseaddr = 0; 8 | void* PuPEInfo::m_SectionHeader = nullptr; 9 | UINT64 PuPEInfo::m_SizeOfImage = 0; 10 | DWORD PuPEInfo::m_FileSize = 0; 11 | bool PuPEInfo::m_x86x64flag = false; 12 | CString PuPEInfo::m_strNamePath; 13 | HANDLE PuPEInfo::m_hFileHandle = nullptr; 14 | DWORD PuPEInfo::m_OldOEP = 
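// (completes the `DWORD PuPEInfo::m_OldOEP =` initializer begun on the preceding line)
0;
int PuPEInfo::m_SectionCount = 0;

// Locates the NT headers inside a read-only view of the sample that starts at
// `base`, using `fileSize` (bytes) as the bound for every header access.
// e_lfanew is data read straight from the (untrusted) file, so the NT header
// pointer is only formed once e_lfanew is non-negative and the whole
// IMAGE_NT_HEADERS fits inside the file. The file size bounds both mapping
// flavours prOpenFile uses: a flat PAGE_READONLY view is exactly the file, and
// in an image (SEC_IMAGE) view the headers still occupy the first bytes, copied
// from the start of the file. sizeof(IMAGE_NT_HEADERS) is the native-bitness
// size, which is conservative for a 32-bit image inspected by a 64-bit build.
// Returns the validated header pointer, or NULL when either signature is
// missing or the header does not fit.
static PIMAGE_NT_HEADERS LocateNtHeaders(const void* base, ULONGLONG fileSize)
{
    if (base == nullptr || fileSize < sizeof(IMAGE_DOS_HEADER))
        return NULL;

    const IMAGE_DOS_HEADER* dos = (const IMAGE_DOS_HEADER*)base;
    if (dos->e_magic != IMAGE_DOS_SIGNATURE || dos->e_lfanew < 0)
        return NULL;

    // Subtract instead of adding so a huge e_lfanew cannot wrap the check.
    const ULONGLONG ntOffset = (ULONGLONG)(ULONG)dos->e_lfanew;
    if (ntOffset > fileSize || fileSize - ntOffset < sizeof(IMAGE_NT_HEADERS))
        return NULL;

    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)((const BYTE*)base + ntOffset);
    if (nt->Signature != IMAGE_NT_SIGNATURE)
        return NULL;
    return nt;
}

PuPEInfo::PuPEInfo()
    : _hMapping(NULL)   // declared in puPEinfoData.h; was left uninitialized before
{
}

PuPEInfo::~PuPEInfo()
{
}

// TRUE when m_pFileBase / m_pNtHeader point at a view carrying both the DOS and
// the NT signature. Both statics are nullptr whenever no view is mapped, and
// that case answers FALSE instead of dereferencing a null or stale pointer.
BOOL PuPEInfo::IsPEFile()
{
    if (PuPEInfo::m_pFileBase == nullptr || PuPEInfo::m_pNtHeader == nullptr)
        return FALSE;
    if (IMAGE_DOS_SIGNATURE != ((PIMAGE_DOS_HEADER)PuPEInfo::m_pFileBase)->e_magic)
        return FALSE;
    if (IMAGE_NT_SIGNATURE != ((PIMAGE_NT_HEADERS)PuPEInfo::m_pNtHeader)->Signature)
        return FALSE;
    return TRUE;
}

// Opens the sample at PathName, maps it read-only, validates the DOS/NT headers
// against the file size and records in m_x86x64flag whether the optional
// header is the 64-bit variant. m_strNamePath keeps PathName.
//
// The file handle, the mapping object and the view are all released before
// returning, on success and on every failure path (the previous version leaked
// the file handle on each early return). Because the view is gone by then,
// m_pFileBase and m_pNtHeader are reset to nullptr on return instead of being
// left pointing into unmapped memory; callers that need the headers after this
// call must map the file themselves.
// NOTE(review): the header's getters and _hMapping suggest the view was meant
// to outlive this call; the intended lifetime is not visible in this file.
// Returns TRUE on success, FALSE when the file cannot be opened or mapped or
// is not a PE image.
BOOL PuPEInfo::prOpenFile(const CString & PathName)
{
    m_strNamePath = PathName;
    PuPEInfo::m_pFileBase = nullptr;
    PuPEInfo::m_pNtHeader = nullptr;

    // Read-only, share-read: nothing here writes to the sample, so asking for
    // GENERIC_WRITE (as before) only made read-only files fail to open.
    HANDLE hFile = CreateFile(PathName, GENERIC_READ, FILE_SHARE_READ, NULL,
                              OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    // CreateFile signals failure with INVALID_HANDLE_VALUE; the old
    // `(int)hFile <= 0` test truncated the handle on 64-bit builds.
    if (hFile == INVALID_HANDLE_VALUE || hFile == NULL)
        return FALSE;

    BOOL ok = FALSE;
    LARGE_INTEGER fileSize = { 0 };
    if (GetFileSizeEx(hFile, &fileSize) && fileSize.QuadPart > 0) {
        // Prefer an image-layout mapping; fall back to a flat file mapping
        // when the system refuses to treat the file as an image.
        _hMapping = CreateFileMappingW(hFile, NULL, SEC_IMAGE | PAGE_READONLY, 0, 0, NULL);
        if (_hMapping == NULL)
            _hMapping = CreateFileMappingW(hFile, NULL, PAGE_READONLY, 0, 0, NULL);

        if (_hMapping != NULL) {
            PuPEInfo::m_pFileBase = MapViewOfFile(_hMapping, FILE_MAP_READ, 0, 0, 0);
            if (PuPEInfo::m_pFileBase != nullptr) {
                PIMAGE_NT_HEADERS nt = LocateNtHeaders(PuPEInfo::m_pFileBase,
                                                       (ULONGLONG)fileSize.QuadPart);
                if (nt != NULL) {
                    PuPEInfo::m_pNtHeader = nt;
                    // Magic is the first WORD of both optional header layouts,
                    // so this read is valid for 32- and 64-bit images alike.
                    m_x86x64flag = (nt->OptionalHeader.Magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC);
                    ok = TRUE;
                }
                UnmapViewOfFile(PuPEInfo::m_pFileBase);
            }
            CloseHandle(_hMapping);
        }
    }
    CloseHandle(hFile);

    // The view and the mapping no longer exist: leave no stale pointers behind.
    _hMapping = NULL;
    PuPEInfo::m_pFileBase = nullptr;
    PuPEInfo::m_pNtHeader = nullptr;
    return ok;
}

// Translates an RVA into a file offset (FOA) using the section table of the
// headers currently in m_pNtHeader.
// Returns PointerToRawData + (Rva - VirtualAddress) for the first section whose
// raw data covers Rva (the previous version returned VirtualAddress +
// PointerToRawData, i.e. ignored Rva), and 0 when no header is mapped or no
// section matches. 0 is also a legal offset for an RVA that lands at raw
// offset 0, so callers cannot tell the two apart -- unchanged from the
// original contract.
// NOTE(review): NumberOfSections is read from the untrusted header and the
// section table is not bounds-checked here because this function does not
// know the size of the mapping.
DWORD PuPEInfo::RVAofFOA(const DWORD Rva)
{
    if (PuPEInfo::m_pNtHeader == nullptr)
        return 0;

    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)PuPEInfo::m_pNtHeader;
    const DWORD sectionCount = nt->FileHeader.NumberOfSections;
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt);

    for (DWORD i = 0; i < sectionCount; ++i, ++section) {
        if (Rva < section->VirtualAddress)
            continue;
        // Compare the distance rather than VirtualAddress + SizeOfRawData so a
        // crafted header cannot wrap the upper bound.
        const DWORD delta = Rva - section->VirtualAddress;
        if (delta < section->SizeOfRawData)
            return section->PointerToRawData + delta;
    }
    return 0;
}

// Finds the section header whose Name equals SectionName in the PE image at
// Base. Section names fill all IMAGE_SIZEOF_SHORT_NAME bytes without a NUL
// terminator when they are 8 characters long, so the comparison is bounded to
// that many bytes (the previous _mbscmp call read past the Name field for such
// names). The section count comes from the header's NumberOfSections rather
// than the static m_SectionCount, which is never assigned in this file.
// Returns the matching header, or NULL when there is none or an argument is
// NULL.
// NOTE(review): Base carries no length; e_lfanew and the section table are
// trusted here exactly as before.
PIMAGE_SECTION_HEADER PuPEInfo::GetSectionAddress(const char* Base, const BYTE* SectionName)
{
    if (Base == nullptr || SectionName == nullptr)
        return NULL;

    PIMAGE_NT_HEADERS nt = (PIMAGE_NT_HEADERS)(((PIMAGE_DOS_HEADER)Base)->e_lfanew + Base);
    PIMAGE_SECTION_HEADER section = IMAGE_FIRST_SECTION(nt);
    const WORD sectionCount = nt->FileHeader.NumberOfSections;

    for (WORD i = 0; i < sectionCount; ++i, ++section) {
        if (0 == _mbsnbcmp(section->Name, SectionName, IMAGE_SIZEOF_SHORT_NAME))
            return section;
    }
    return NULL;
}

// Overwrites PointerToRawData and SizeOfRawData of the section called Name in
// the image at Base. Returns FALSE when that section does not exist instead of
// writing through a NULL header as before; TRUE after the update.
// Base is declared const but the header is modified through it, matching the
// existing interface: the caller must pass a writable buffer.
BOOL PuPEInfo::SetFileoffsetAndFileSize(const void* Base, const DWORD & offset, const DWORD size, const BYTE* Name)
{
    PIMAGE_SECTION_HEADER section = GetSectionAddress((const char*)Base, Name);
    if (section == NULL)
        return FALSE;

    section->PointerToRawData = offset;
    section->SizeOfRawData = size;
    return TRUE;
}
-------------------------------------------------------------------------------- /unicorn_wscript/puPEinfoData.h: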
-------------------------------------------------------------------------------- 1 | #pragma once 2 | #ifndef PUPEINFODATA_H_ 3 | #define PUPEINFODATA_H_ 4 | 5 | #include 6 | #include 7 | 8 | /* Header inspector for one PE sample at a time. All state below is static, so every PuPEInfo instance reads and writes the same file; the mapped view behind m_pFileBase / m_pNtHeader is created and released inside prOpenFile (puPEinfoData.cpp), so check that function for how long those pointers stay valid. */ class PuPEInfo 9 | { 10 | public: 11 | PuPEInfo(); 12 | ~PuPEInfo(); 13 | 14 | public: 15 | void* puCodeMapImageBase(){ return m_pFileBase; } /* set by prOpenFile while the file is mapped; nullptr initially */ 16 | 17 | void* puGetNtHeadre(){ return m_pNtHeader; } /* IMAGE_NT_HEADERS inside that view; nullptr initially */ 18 | 19 | void* puGetSection(){ return m_SectionHeader; } /* not assigned anywhere in this listing -- TODO confirm it is set elsewhere */ 20 | 21 | UINT64 puGetImportBaseAddr() { return m_ImportBaseaddr; } 22 | 23 | UINT64 puGetImageSize() { return m_SizeOfImage; } 24 | 25 | UINT64 puGetImageBase() { return m_ImageBase; } /* the three values above start at 0 in puPEinfoData.cpp and are not written in this listing */ 26 | 27 | bool puGetx86x64() { return m_x86x64flag; }; /* true when OptionalHeader.Magic was IMAGE_NT_OPTIONAL_HDR64_MAGIC at load time */ 28 | 29 | DWORD puFileSize(){ return m_FileSize; } /* 0 unless assigned elsewhere; prOpenFile does not set it */ 30 | 31 | BOOL puOpenFileLoad(const CString & PathName){ return prOpenFile(PathName); } /* opens, maps and validates the file; see prOpenFile for handle and view lifetime */ 32 | 33 | BOOL puIsPEFile(){ return IsPEFile(); } 34 | 35 | DWORD puRVAofFOA(const DWORD Rva){ return RVAofFOA(Rva); } /* needs m_pNtHeader to point at a live view */ 36 | 37 | CString puFilePath(){ return m_strNamePath; } 38 | 39 | HANDLE puFileHandle() { return m_hFileHandle; } /* prOpenFile closes its own handle and never stores one here; nullptr initially */ 40 | 41 | DWORD64 puOldOep(){ return this->m_OldOEP; } /* widened from the DWORD m_OldOEP */ 42 | 43 | int puGetSectionCount() { return this->m_SectionCount; } 44 | 45 | PIMAGE_SECTION_HEADER puGetSectionAddress(const char* Base, const BYTE* Name){ return this->GetSectionAddress(Base, Name); } /* Base is a caller-supplied image with no length; the lookup trusts its headers */ 46 | 47 | BOOL puSetFileoffsetAndFileSize(const void* Base, const DWORD & offset, const DWORD size, const BYTE* Name) 48 | { 49 | return this->SetFileoffsetAndFileSize(Base, offset, size, Name); 50 | } /* writes through the section header found in Base despite the const parameter */ 51 | 52 | private: 53 | 54 | BOOL prOpenFile(const CString & PathName); 55 | BOOL IsPEFile(); 56 | // RVAofFOA 57 | DWORD RVAofFOA(const DWORD Rva); 58 | PIMAGE_SECTION_HEADER GetSectionAddress(const char* Base, const BYTE* SectionName); 59 | BOOL SetFileoffsetAndFileSize(const void* Base, const DWORD & offset, const DWORD size, const BYTE* Name); 60 | 61 | 62 | static bool m_x86x64flag; 63 | static void* m_pFileBase; 64 | static void* m_pNtHeader; 65 | static void* 
m_SectionHeader; 66 | static UINT64 m_ImportBaseaddr; 67 | static UINT64 m_SizeOfImage; 68 | static UINT64 m_ImageBase; 69 | static DWORD m_FileSize; 70 | static CString m_strNamePath; 71 | static HANDLE m_hFileHandle; 72 | static DWORD m_OldOEP; 73 | static int m_SectionCount; 74 | static BOOL OepFlag; 75 | HANDLE _hMapping; // Memory mapping object 76 | 77 | }; 78 | 79 | #endif 80 | -------------------------------------------------------------------------------- /unicorn_wscript/unicorn_wscript.vcxproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | Win32 7 | 8 | 9 | Release 10 | Win32 11 | 12 | 13 | Debug 14 | x64 15 | 16 | 17 | Release 18 | x64 19 | 20 | 21 | 22 | 15.0 23 | {19927C07-C10F-4312-81BF-4D1B74EBAE03} 24 | Win32Proj 25 | unicornwscript 26 | 10.0.17763.0 27 | 28 | 29 | 30 | Application 31 | true 32 | v141 33 | Unicode 34 | 35 | 36 | Application 37 | false 38 | v141 39 | true 40 | Unicode 41 | 42 | 43 | Application 44 | true 45 | v141 46 | Unicode 47 | false 48 | 49 | 50 | Application 51 | false 52 | v141 53 | true 54 | Unicode 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | true 76 | $(ProjectDir)$(Platform)\$(Configuration)\ 77 | $(VC_LibraryPath_x64);$(WindowsSDK_LibraryPath_x64);$(NETFXKitsDir)Lib\um\x64 78 | 79 | 80 | true 81 | 82 | 83 | false 84 | 85 | 86 | false 87 | 88 | 89 | 90 | Level3 91 | Disabled 92 | false 93 | _DEBUG;_CONSOLE;%(PreprocessorDefinitions) 94 | true 95 | 96 | 97 | Console 98 | true 99 | $(SolutionDir)$(Platform)\$(Configuration)\ 100 | unicorn_static.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;%(AdditionalDependencies) 101 | 102 | 103 | 104 | 105 | Level3 106 | Disabled 107 | true 108 | WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions) 109 | true 110 | 111 | 112 | Console 113 | true 114 | 115 | 116 | 117 | 
118 | Level3 119 | MaxSpeed 120 | true 121 | true 122 | true 123 | WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 124 | true 125 | 126 | 127 | Console 128 | true 129 | true 130 | true 131 | 132 | 133 | 134 | 135 | Level3 136 | MaxSpeed 137 | true 138 | true 139 | true 140 | NDEBUG;_CONSOLE;%(PreprocessorDefinitions) 141 | true 142 | 143 | 144 | Console 145 | true 146 | true 147 | true 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | -------------------------------------------------------------------------------- /unicorn_wscript/unicorn_wscript.vcxproj.filters: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | 5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF} 6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx 7 | 8 | 9 | {93995380-89BD-4b04-88EB-625FBE52EBFB} 10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd 11 | 12 | 13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01} 14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms 15 | 16 | 17 | {a594fe07-05db-434f-9196-209e479c991a} 18 | 19 | 20 | {017c222f-8ded-4632-9454-d6ad4a5ca0ba} 21 | 22 | 23 | {068b516e-cb47-4e50-8e3e-f263f2d07f2c} 24 | 25 | 26 | {5f04ca08-02d8-4cfc-b6bb-af99084fa1f6} 27 | 28 | 29 | {f44363a7-e0fd-4aed-a2ae-992735e0a129} 30 | 31 | 32 | 33 | 34 | Source Files 35 | 36 | 37 | os\windows 38 | 39 | 40 | Source Files 41 | 42 | 43 | loader 44 | 45 | 46 | mem 47 | 48 | 49 | capstone 50 | 51 | 52 | 53 | 54 | os\windows 55 | 56 | 57 | Source Files 58 | 59 | 60 | loader 61 | 62 | 63 | loader 64 | 65 | 66 | mem 67 | 68 | 69 | capstone 70 | 71 | 72 | -------------------------------------------------------------------------------- /unicorn_wscript/unicorn_wscript.vcxproj.user: -------------------------------------------------------------------------------- 1 |  2 | 3 | 4 | -------------------------------------------------------------------------------- 
/unicorn_wscript/windows.cpp: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/TimelifeCzy/unicorn_peEmu/4cb5a9ec77588c0468091ee661a9e091f6757cbe/unicorn_wscript/windows.cpp -------------------------------------------------------------------------------- /unicorn_wscript/windows.h: -------------------------------------------------------------------------------- 1 | #pragma once 2 | 3 | 4 | /* Placeholder for the Windows OS-emulation layer: the class is declared but has no members or methods yet. */ class EmuOsWindows 5 | { 6 | public: 7 | 8 | 9 | 10 | private: 11 | 12 | }; --------------------------------------------------------------------------------