x64dbg/x64dbg
x64dbg
/
x64dbg
1
0
Fork 0
Code Releases 5 Activity

DBG: some capstone stuff (command to get instruction infoz)

This commit is contained in:
Mr. eXoDia 2015-04-17 02:32:34 +02:00
parent cab3ebf263
commit 530bec3cd5
14 changed files with 392 additions and 171 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
x64_dbg_dbg/capstone/arm.h
View File

@ -100,16 +100,39 @@ typedef enum arm_sysreg
ARM_SYSREG_CONTROL,
} arm_sysreg;
//> The memory barrier constants map directly to the 4-bit encoding of
//> the option field for Memory Barrier operations.
typedef enum arm_mem_barrier
{
ARM_MB_INVALID = 0,
ARM_MB_RESERVED_0,
ARM_MB_OSHLD,
ARM_MB_OSHST,
ARM_MB_OSH,
ARM_MB_RESERVED_4,
ARM_MB_NSHLD,
ARM_MB_NSHST,
ARM_MB_NSH,
ARM_MB_RESERVED_8,
ARM_MB_ISHLD,
ARM_MB_ISHST,
ARM_MB_ISH,
ARM_MB_RESERVED_12,
ARM_MB_LD,
ARM_MB_ST,
ARM_MB_SY,
} arm_mem_barrier;
//> Operand type for instruction's operands
typedef enum arm_op_type
{
ARM_OP_INVALID = 0, // Uninitialized.
ARM_OP_REG, // Register operand.
ARM_OP_CIMM, // C-Immediate (coprocessor registers)
ARM_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
ARM_OP_REG, // = CS_OP_REG (Register operand).
ARM_OP_IMM, // = CS_OP_IMM (Immediate operand).
ARM_OP_MEM, // = CS_OP_MEM (Memory operand).
ARM_OP_FP, // = CS_OP_FP (Floating-Point operand).
ARM_OP_CIMM = 64, // C-Immediate (coprocessor registers)
ARM_OP_PIMM, // P-Immediate (coprocessor registers)
ARM_OP_IMM, // Immediate operand.
ARM_OP_FP, // Floating-Point immediate operand.
ARM_OP_MEM, // Memory operand
ARM_OP_SETEND, // operand for SETEND instruction
ARM_OP_SYSREG, // MSR/MSR special register operand
} arm_op_type;
@ -240,6 +263,7 @@ typedef struct cs_arm
arm_cc cc; // conditional code for this insn
bool update_flags; // does this insn update flags?
bool writeback; // does this insn write-back?
arm_mem_barrier mem_barrier; // Option for some memory barrier instructions
// Number of operands of this instruction,
// or 0 when instruction has no operand.
@ -824,8 +848,14 @@ typedef enum arm_insn
//> Group of ARM instructions
typedef enum arm_insn_group
{
ARM_GRP_INVALID = 0,
ARM_GRP_CRYPTO,
ARM_GRP_INVALID = 0, // = CS_GRP_INVALID
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
ARM_GRP_JUMP, // = CS_GRP_JUMP
//> Architecture-specific groups
ARM_GRP_CRYPTO = 128,
ARM_GRP_DATABARRIER,
ARM_GRP_DIVIDE,
ARM_GRP_FPARMV8,
@ -857,8 +887,6 @@ typedef enum arm_insn_group
ARM_GRP_DPVFP,
ARM_GRP_V6M,
ARM_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
ARM_GRP_ENDING,
} arm_insn_group;

25
x64_dbg_dbg/capstone/arm64.h
View File

@ -242,12 +242,12 @@ typedef enum arm64_barrier_op
//> Operand type for instruction's operands
typedef enum arm64_op_type
{
ARM64_OP_INVALID = 0, // Uninitialized.
ARM64_OP_REG, // Register operand.
ARM64_OP_CIMM, // C-Immediate
ARM64_OP_IMM, // Immediate operand.
ARM64_OP_FP, // Floating-Point immediate operand.
ARM64_OP_MEM, // Memory operand
ARM64_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
ARM64_OP_REG, // = CS_OP_REG (Register operand).
ARM64_OP_IMM, // = CS_OP_IMM (Immediate operand).
ARM64_OP_MEM, // = CS_OP_MEM (Memory operand).
ARM64_OP_FP, // = CS_OP_FP (Floating-Point operand).
ARM64_OP_CIMM = 64, // C-Immediate
ARM64_OP_REG_MRS, // MRS register operand.
ARM64_OP_REG_MSR, // MSR register operand.
ARM64_OP_PSTATE, // PState operand.
@ -383,7 +383,7 @@ typedef struct cs_arm64_op
union
{
unsigned int reg; // register value for REG operand
int32_t imm; // immediate value, or index for C-IMM or IMM operand
int64_t imm; // immediate value, or index for C-IMM or IMM operand
double fp; // floating point value for FP operand
arm64_op_mem mem; // base/index/scale/disp value for MEM operand
arm64_pstate pstate; // PState field of MSR instruction.
@ -1152,15 +1152,18 @@ typedef enum arm64_insn
//> Group of ARM64 instructions
typedef enum arm64_insn_group
{
ARM64_GRP_INVALID = 0,
ARM64_GRP_INVALID = 0, // = CS_GRP_INVALID
ARM64_GRP_CRYPTO,
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
ARM64_GRP_JUMP, // = CS_GRP_JUMP
//> Architecture-specific groups
ARM64_GRP_CRYPTO = 128,
ARM64_GRP_FPARMV8,
ARM64_GRP_NEON,
ARM64_GRP_CRC,
ARM64_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
ARM64_GRP_ENDING, // <-- mark the end of the list of groups
} arm64_insn_group;

183
x64_dbg_dbg/capstone/capstone.h
View File

@ -24,8 +24,12 @@ extern "C" {
#define CAPSTONE_EXPORT
#endif
#else
#ifdef __GNUC__
#define CAPSTONE_EXPORT __attribute__((visibility("default")))
#else
#define CAPSTONE_EXPORT
#endif
#endif
#ifdef __GNUC__
#define CAPSTONE_DEPRECATED __attribute__((deprecated))
@ -59,7 +63,7 @@ typedef enum cs_arch
CS_ARCH_SYSZ, // SystemZ architecture
CS_ARCH_XCORE, // XCore architecture
CS_ARCH_MAX,
CS_ARCH_ALL = 0xFFFF,
CS_ARCH_ALL = 0xFFFF, // All architectures - for cs_support()
} cs_arch;
// Support value to verify diet mode of the engine.
@ -75,20 +79,22 @@ typedef enum cs_arch
// Mode type
typedef enum cs_mode
{
CS_MODE_LITTLE_ENDIAN = 0, // little endian mode (default mode)
CS_MODE_LITTLE_ENDIAN = 0, // little-endian mode (default mode)
CS_MODE_ARM = 0, // 32-bit ARM
CS_MODE_16 = 1 << 1, // 16-bit mode
CS_MODE_32 = 1 << 2, // 32-bit mode
CS_MODE_64 = 1 << 3, // 64-bit mode
CS_MODE_16 = 1 << 1, // 16-bit mode (X86)
CS_MODE_32 = 1 << 2, // 32-bit mode (X86)
CS_MODE_64 = 1 << 3, // 64-bit mode (X86, PPC)
CS_MODE_THUMB = 1 << 4, // ARM's Thumb mode, including Thumb-2
CS_MODE_MCLASS = 1 << 5, // ARM's Cortex-M series
CS_MODE_MICRO = 1 << 4, // MicroMips mode (MIPS architecture)
CS_MODE_N64 = 1 << 5, // Nintendo-64 mode (MIPS architecture)
CS_MODE_MIPS3 = 1 << 6, // Mips III ISA
CS_MODE_MIPS32R6 = 1 << 7, // Mips32r6 ISA
CS_MODE_MIPSGP64 = 1 << 8, // General Purpose Registers are 64-bit wide (MIPS arch)
CS_MODE_V9 = 1 << 4, // SparcV9 mode (Sparc architecture)
CS_MODE_BIG_ENDIAN = 1 << 31 // big endian mode
CS_MODE_V8 = 1 << 6, // ARMv8 A32 encodings for ARM
CS_MODE_MICRO = 1 << 4, // MicroMips mode (MIPS)
CS_MODE_MIPS3 = 1 << 5, // Mips III ISA
CS_MODE_MIPS32R6 = 1 << 6, // Mips32r6 ISA
CS_MODE_MIPSGP64 = 1 << 7, // General Purpose Registers are 64-bit wide (MIPS)
CS_MODE_V9 = 1 << 4, // SparcV9 mode (Sparc)
CS_MODE_BIG_ENDIAN = 1 << 31, // big-endian mode
CS_MODE_MIPS32 = CS_MODE_32, // Mips32 ISA (Mips)
CS_MODE_MIPS64 = CS_MODE_64, // Mips64 ISA (Mips)
} cs_mode;
typedef void* (*cs_malloc_t)(size_t size);
@ -131,15 +137,41 @@ typedef enum cs_opt_value
CS_OPT_SYNTAX_NOREGNAME, // Prints register name with only number (CS_OPT_SYNTAX)
} cs_opt_value;
// User-defined callback function for SKIPDATA option
// @code: the input buffer containing code to be disassembled. This is the
// same buffer passed to cs_disasm().
// @code_size: size (in bytes) of the above @code buffer.
// @offset: the position of the currently-examining byte in the input
// buffer @code mentioned above.
// @user_data: user-data passed to cs_option() via @user_data field in
// cs_opt_skipdata struct below.
// @return: return number of bytes to skip, or 0 to immediately stop disassembling.
//> Common instruction operand types - to be consistent across all architectures.
typedef enum cs_op_type
{
CS_OP_INVALID = 0, // uninitialized/invalid operand.
CS_OP_REG, // Register operand.
CS_OP_IMM, // Immediate operand.
CS_OP_MEM, // Memory operand.
CS_OP_FP, // Floating-Point operand.
} cs_op_type;
//> Common instruction groups - to be consistent across all architectures.
typedef enum cs_group_type
{
CS_GRP_INVALID = 0, // uninitialized/invalid group.
CS_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
CS_GRP_CALL, // all call instructions
CS_GRP_RET, // all return instructions
CS_GRP_INT, // all interrupt instructions (int+syscall)
CS_GRP_IRET, // all interrupt return instructions
} cs_group_type;
/*
User-defined callback function for SKIPDATA option.
See tests/test_skipdata.c for sample code demonstrating this API.
@code: the input buffer containing code to be disassembled.
This is the same buffer passed to cs_disasm().
@code_size: size (in bytes) of the above @code buffer.
@offset: the position of the currently-examining byte in the input
buffer @code mentioned above.
@user_data: user-data passed to cs_option() via @user_data field in
cs_opt_skipdata struct below.
@return: return number of bytes to skip, or 0 to immediately stop disassembling.
*/
typedef size_t (*cs_skipdata_cb_t)(const uint8_t* code, size_t code_size, size_t offset, void* user_data);
// User-customized setup for SKIPDATA option
@ -214,6 +246,7 @@ typedef struct cs_insn
// Find the instruction id from header file of corresponding architecture,
// such as arm.h for ARM, x86.h for X86, etc...
// This information is available even when CS_OPT_DETAIL = CS_OPT_OFF
// NOTE: in Skipdata mode, "data" instruction has 0 for this id field.
unsigned int id;
// Address (EIP) of this instruction
@ -236,10 +269,12 @@ typedef struct cs_insn
char op_str[160];
// Pointer to cs_detail.
// NOTE: detail pointer is only valid (not NULL) when both requirements below are met:
// NOTE: detail pointer is only valid when both requirements below are met:
// (1) CS_OP_DETAIL = CS_OPT_ON
// (2) If engine is in Skipdata mode (CS_OP_SKIPDATA option set to CS_OPT_ON), then
// the current instruction is not the "data" instruction (which clearly has no detail).
// (2) Engine is not in Skipdata mode (CS_OP_SKIPDATA option set to CS_OPT_ON)
//
// NOTE 2: when in Skipdata mode, or when detail mode is OFF, even if this pointer
// is not NULL, its content is still irrelevant.
cs_detail* detail;
} cs_insn;
@ -255,7 +290,7 @@ typedef struct cs_insn
typedef enum cs_err
{
CS_ERR_OK = 0, // No error: everything was fine
CS_ERR_MEM, // Out-Of-Memory error: cs_open(), cs_disasm()
CS_ERR_MEM, // Out-Of-Memory error: cs_open(), cs_disasm(), cs_disasm_iter()
CS_ERR_ARCH, // Unsupported architecture: cs_open()
CS_ERR_HANDLE, // Invalid handle: cs_op_count(), cs_op_index()
CS_ERR_CSH, // Invalid csh argument: cs_close(), cs_errno(), cs_option()
@ -344,7 +379,7 @@ cs_err cs_close(csh* handle);
@type: type of option to be set
@value: option value corresponding with @type
@return CS_ERR_OK on success, or other value on failure.
@return: CS_ERR_OK on success, or other value on failure.
Refer to cs_err enum for detailed error.
NOTE: in the case of CS_OPT_MEM, handle's value can be anything,
@ -378,21 +413,33 @@ CAPSTONE_EXPORT
const char* cs_strerror(cs_err code);
/*
Dynamicly allocate memory to contain disasm insn
Disassembled instructions will be put into @*insn
Disassemble binary code, given the code buffer, size, address and number
of instructions to be decoded.
This API dynamicly allocate memory to contain disassembled instruction.
Resulted instructions will be put into @*insn
NOTE 1: this API will automatically determine memory needed to contain
output disassembled instructions in @insn.
NOTE 2: caller must free() the allocated memory itself to avoid memory leaking
NOTE 2: caller must free the allocated memory itself to avoid memory leaking.
NOTE 3: for system with scarce memory to be dynamically allocated such as
OS kernel or firmware, the API cs_disasm_iter() might be a better choice than
cs_disasm(). The reason is that with cs_disasm(), based on limited available
memory, we have to calculate in advance how many instructions to be disassembled,
which complicates things. This is especially troublesome for the case @count=0,
when cs_disasm() runs uncontrolly (until either end of input buffer, or
when it encounters an invalid instruction).
@handle: handle returned by cs_open()
@code: buffer containing raw binary code to be disassembled
@code_size: size of above code
@address: address of the first insn in given raw code buffer
@insn: array of insn filled in by this function
@code: buffer containing raw binary code to be disassembled.
@code_size: size of the above code buffer.
@address: address of the first instruction in given raw code buffer.
@insn: array of instructions filled in by this API.
NOTE: @insn will be allocated by this function, and should be freed
with cs_free() API.
@count: number of instrutions to be disassembled, or 0 to get all of them
@return: the number of succesfully disassembled instructions,
or 0 if this function failed to disassemble the given code
@ -418,14 +465,67 @@ size_t cs_disasm_ex(csh handle,
cs_insn** insn);
/*
Free memory allocated in @insn by cs_disasm()
Free memory allocated by cs_malloc() or cs_disasm() (argument @insn)
@insn: pointer returned by @insn argument in cs_disasm()
@count: number of cs_insn structures returned by cs_disasm()
@insn: pointer returned by @insn argument in cs_disasm() or cs_malloc()
@count: number of cs_insn structures returned by cs_disasm(), or 1
to free memory allocated by cs_malloc().
*/
CAPSTONE_EXPORT
void cs_free(cs_insn* insn, size_t count);
/*
Allocate memory for 1 instruction to be used by cs_disasm_iter().
@handle: handle returned by cs_open()
NOTE: when no longer in use, you can reclaim the memory allocated for
this instruction with cs_free(insn, 1)
*/
CAPSTONE_EXPORT
cs_insn* cs_malloc(csh handle);
/*
Fast API to disassemble binary code, given the code buffer, size, address
and number of instructions to be decoded.
This API put the resulted instruction into a given cache in @insn.
See tests/test_iter.c for sample code demonstrating this API.
NOTE 1: this API will update @code, @size & @address to point to the next
instruction in the input buffer. Therefore, it is covenient to use
cs_disasm_iter() inside a loop to quickly iterate all the instructions.
While decoding one instruction at a time can also be achieved with
cs_disasm(count=1), some benchmarks shown that cs_disasm_iter() can be 30%
faster on random input.
NOTE 2: the cache in @insn can be created with cs_malloc() API.
NOTE 3: for system with scarce memory to be dynamically allocated such as
OS kernel or firmware, this API is recommended over cs_disasm(), which
allocates memory based on the number of instructions to be disassembled.
The reason is that with cs_disasm(), based on limited available memory,
we have to calculate in advance how many instructions to be disassembled,
which complicates things. This is especially troublesome for the case
@count=0, when cs_disasm() runs uncontrolly (until either end of input
buffer, or when it encounters an invalid instruction).
@handle: handle returned by cs_open()
@code: buffer containing raw binary code to be disassembled
@code_size: size of above code
@address: address of the first insn in given raw code buffer
@insn: pointer to instruction to be filled in by this API.
@return: true if this API successfully decode 1 instruction,
or false otherwise.
On failure, call cs_errno() for error code.
*/
CAPSTONE_EXPORT
bool cs_disasm_iter(csh handle,
const uint8_t** code, size_t* size,
uint64_t* address, cs_insn* insn);
/*
Return friendly name of regiser in a string.
Find the instruction id from header file of corresponding architecture (arm.h for ARM,
@ -436,6 +536,7 @@ void cs_free(cs_insn* insn, size_t count);
@handle: handle returned by cs_open()
@reg_id: register id
@return: string name of the register, or NULL if @reg_id is invalid.
*/
CAPSTONE_EXPORT
@ -482,7 +583,7 @@ const char* cs_group_name(csh handle, unsigned int group_id);
update @groups array.
@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@group_id: group that you want to check if this instruction belong to.
@return: true if this instruction indeed belongs to aboved group, or false otherwise.
@ -500,7 +601,7 @@ bool cs_insn_group(csh handle, const cs_insn* insn, unsigned int group_id);
WARN: when in 'diet' mode, this API is irrelevant because the engine does not
update @regs_read array.
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@reg_id: register that you want to check if this instruction used it.
@return: true if this instruction indeed implicitly used aboved register, or false otherwise.
@ -518,7 +619,7 @@ bool cs_reg_read(csh handle, const cs_insn* insn, unsigned int reg_id);
WARN: when in 'diet' mode, this API is irrelevant because the engine does not
update @regs_write array.
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@reg_id: register that you want to check if this instruction modified it.
@return: true if this instruction indeed implicitly modified aboved register, or false otherwise.
@ -533,7 +634,7 @@ bool cs_reg_write(csh handle, const cs_insn* insn, unsigned int reg_id);
NOTE: this API is only valid when detail option is ON (which is OFF by default)
@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@op_type: Operand type to be found.
@return: number of operands of given type @op_type in instruction @insn,
@ -550,7 +651,7 @@ int cs_op_count(csh handle, const cs_insn* insn, unsigned int op_type);
NOTE: this API is only valid when detail option is ON (which is OFF by default)
@handle: handle returned by cs_open()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm()
@insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
@op_type: Operand type to be found.
@position: position of the operand to be found. This must be in the range
[1, cs_op_count(handle, insn, op_type)]

20
x64_dbg_dbg/capstone/mips.h
View File

@ -22,10 +22,10 @@ extern "C" {
//> Operand type for instruction's operands
typedef enum mips_op_type
{
MIPS_OP_INVALID = 0, // Uninitialized.
MIPS_OP_REG, // Register operand.
MIPS_OP_IMM, // Immediate operand.
MIPS_OP_MEM, // Memory operand
MIPS_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
MIPS_OP_REG, // = CS_OP_REG (Register operand).
MIPS_OP_IMM, // = CS_OP_IMM (Immediate operand).
MIPS_OP_MEM, // = CS_OP_MEM (Memory operand).
} mips_op_type;
// Instruction's operand referring to memory
@ -203,7 +203,6 @@ typedef enum mips_reg
MIPS_REG_HI,
MIPS_REG_LO,
MIPS_REG_PC,
MIPS_REG_P0,
MIPS_REG_P1,
@ -861,9 +860,14 @@ typedef enum mips_insn
//> Group of MIPS instructions
typedef enum mips_insn_group
{
MIPS_GRP_INVALID = 0,
MIPS_GRP_INVALID = 0, // = CS_GRP_INVALID
MIPS_GRP_BITCOUNT,
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
MIPS_GRP_JUMP, // = CS_GRP_JUMP
//> Architecture-specific groups
MIPS_GRP_BITCOUNT = 128,
MIPS_GRP_DSP,
MIPS_GRP_DSPR2,
MIPS_GRP_FPIDX,
@ -897,8 +901,6 @@ typedef enum mips_insn_group
MIPS_GRP_GP32BIT,
MIPS_GRP_GP64BIT,
MIPS_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
MIPS_GRP_ENDING,
} mips_insn_group;

32
x64_dbg_dbg/capstone/ppc.h
View File

@ -29,8 +29,8 @@ typedef enum ppc_bc
PPC_BC_NU = (3 << 5) | 4,
// extra conditions
PPC_BC_SO = 4 << 5, // summary overflow
PPC_BC_NS = 4 << 5, // not summary overflow
PPC_BC_SO = (4 << 5) | 12, // summary overflow
PPC_BC_NS = (4 << 5) | 4, // not summary overflow
} ppc_bc;
//> PPC branch hint for some branch instructions
@ -44,10 +44,11 @@ typedef enum ppc_bh
//> Operand type for instruction's operands
typedef enum ppc_op_type
{
PPC_OP_INVALID = 0, // Uninitialized.
PPC_OP_REG, // Register operand.
PPC_OP_IMM, // Immediate operand.
PPC_OP_MEM, // Memory operand
PPC_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
PPC_OP_REG, // = CS_OP_REG (Register operand).
PPC_OP_IMM, // = CS_OP_IMM (Immediate operand).
PPC_OP_MEM, // = CS_OP_MEM (Memory operand).
PPC_OP_CRX = 64, // Condition Register field
} ppc_op_type;
// Instruction's operand referring to memory
@ -58,6 +59,13 @@ typedef struct ppc_op_mem
int32_t disp; // displacement/offset value
} ppc_op_mem;
typedef struct ppc_op_crx
{
unsigned int scale;
unsigned int reg;
ppc_bc cond;
} ppc_op_crx;
// Instruction operand
typedef struct cs_ppc_op
{
@ -67,6 +75,7 @@ typedef struct cs_ppc_op
unsigned int reg; // register value for REG operand
int32_t imm; // immediate value for IMM operand
ppc_op_mem mem; // base/disp value for MEM operand
ppc_op_crx crx; // operand with condition register
};
} cs_ppc_op;
@ -1224,9 +1233,14 @@ typedef enum ppc_insn
//> Group of PPC instructions
typedef enum ppc_insn_group
{
PPC_GRP_INVALID = 0,
PPC_GRP_INVALID = 0, // = CS_GRP_INVALID
PPC_GRP_ALTIVEC,
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
PPC_GRP_JUMP, // = CS_GRP_JUMP
//> Architecture-specific groups
PPC_GRP_ALTIVEC = 128,
PPC_GRP_MODE32,
PPC_GRP_MODE64,
PPC_GRP_BOOKE,
@ -1237,8 +1251,6 @@ typedef enum ppc_insn_group
PPC_GRP_PPC4XX,
PPC_GRP_PPC6XX,
PPC_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
PPC_GRP_ENDING, // <-- mark the end of the list of groups
} ppc_insn_group;

19
x64_dbg_dbg/capstone/sparc.h
View File

@ -72,10 +72,10 @@ typedef enum sparc_hint
//> Operand type for instruction's operands
typedef enum sparc_op_type
{
SPARC_OP_INVALID = 0, // Uninitialized.
SPARC_OP_REG, // Register operand.
SPARC_OP_IMM, // Immediate operand.
SPARC_OP_MEM, // Memory operand
SPARC_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
SPARC_OP_REG, // = CS_OP_REG (Register operand).
SPARC_OP_IMM, // = CS_OP_IMM (Immediate operand).
SPARC_OP_MEM, // = CS_OP_MEM (Memory operand).
} sparc_op_type;
// Instruction's operand referring to memory
@ -504,9 +504,14 @@ typedef enum sparc_insn
//> Group of SPARC instructions
typedef enum sparc_insn_group
{
SPARC_GRP_INVALID = 0,
SPARC_GRP_INVALID = 0, // = CS_GRP_INVALID
SPARC_GRP_HARDQUAD,
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
SPARC_GRP_JUMP, // = CS_GRP_JUMP
//> Architecture-specific groups
SPARC_GRP_HARDQUAD = 128,
SPARC_GRP_V9,
SPARC_GRP_VIS,
SPARC_GRP_VIS2,
@ -514,8 +519,6 @@ typedef enum sparc_insn_group
SPARC_GRP_32BIT,
SPARC_GRP_64BIT,
SPARC_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
SPARC_GRP_ENDING, // <-- mark the end of the list of groups
} sparc_insn_group;

22
x64_dbg_dbg/capstone/systemz.h
View File

@ -39,11 +39,11 @@ typedef enum sysz_cc
//> Operand type for instruction's operands
typedef enum sysz_op_type
{
SYSZ_OP_INVALID = 0, // Uninitialized.
SYSZ_OP_REG, // Register operand.
SYSZ_OP_ACREG, // Access register operand.
SYSZ_OP_IMM, // Immediate operand.
SYSZ_OP_MEM, // Memory operand
SYSZ_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
SYSZ_OP_REG, // = CS_OP_REG (Register operand).
SYSZ_OP_IMM, // = CS_OP_IMM (Immediate operand).
SYSZ_OP_MEM, // = CS_OP_MEM (Memory operand).
SYSZ_OP_ACREG = 64, // Access register operand.
} sysz_op_type;
// Instruction's operand referring to memory
@ -815,15 +815,19 @@ typedef enum sysz_insn
//> Group of SystemZ instructions
typedef enum sysz_insn_group
{
SYSZ_GRP_INVALID = 0,
SYSZ_GRP_DISTINCTOPS,
SYSZ_GRP_INVALID = 0, // = CS_GRP_INVALID
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
SYSZ_GRP_JUMP, // = CS_GRP_JUMP
//> Architecture-specific groups
SYSZ_GRP_DISTINCTOPS = 128,
SYSZ_GRP_FPEXTENSION,
SYSZ_GRP_HIGHWORD,
SYSZ_GRP_INTERLOCKEDACCESS1,
SYSZ_GRP_LOADSTOREONCOND,
SYSZ_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
SYSZ_GRP_ENDING, // <-- mark the end of the list of groups
} sysz_insn_group;

62
x64_dbg_dbg/capstone/x86.h
View File

@ -71,11 +71,11 @@ typedef enum x86_reg
//> Operand type for instruction's operands
typedef enum x86_op_type
{
X86_OP_INVALID = 0, // Uninitialized.
X86_OP_REG, // Register operand.
X86_OP_IMM, // Immediate operand.
X86_OP_FP, // Floating-Point immediate operand.
X86_OP_MEM, // Memory operand
X86_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
X86_OP_REG, // = CS_OP_REG (Register operand).
X86_OP_IMM, // = CS_OP_IMM (Immediate operand).
X86_OP_MEM, // = CS_OP_MEM (Memory operand).
X86_OP_FP, // = CS_OP_FP (Floating-Point operand).
} x86_op_type;
//> AVX broadcast type
@ -158,6 +158,24 @@ typedef enum x86_avx_rm
X86_AVX_RM_RZ, // Round toward zero
} x86_avx_rm;
//> Instruction prefixes - to be used in cs_x86.prefix[]
typedef enum x86_prefix
{
X86_PREFIX_LOCK = 0xf0, // lock (cs_x86.prefix[0]
X86_PREFIX_REP = 0xf3, // rep (cs_x86.prefix[0]
X86_PREFIX_REPNE = 0xf2, // repne (cs_x86.prefix[0]
X86_PREFIX_CS = 0x2e, // segment override CS (cs_x86.prefix[1]
X86_PREFIX_SS = 0x36, // segment override SS (cs_x86.prefix[1]
X86_PREFIX_DS = 0x3e, // segment override DS (cs_x86.prefix[1]
X86_PREFIX_ES = 0x26, // segment override ES (cs_x86.prefix[1]
X86_PREFIX_FS = 0x64, // segment override FS (cs_x86.prefix[1]
X86_PREFIX_GS = 0x65, // segment override GS (cs_x86.prefix[1]
X86_PREFIX_OPSIZE = 0x66, // operand-size override (cs_x86.prefix[2]
X86_PREFIX_ADDRSIZE = 0x67, // address-size override (cs_x86.prefix[3]
} x86_prefix;
// Instruction's operand referring to memory
// This is associated with X86_OP_MEM operand type above
typedef struct x86_op_mem
@ -196,11 +214,11 @@ typedef struct cs_x86
{
// Instruction prefix, which can be up to 4 bytes.
// A prefix byte gets value 0 when irrelevant.
// prefix[0] indicates REP/REPNE/LOCK prefix (0xf3/0xf2/0xf0 respectively)
// prefix[0] indicates REP/REPNE/LOCK prefix (See X86_PREFIX_REP/REPNE/LOCK above)
// prefix[1] indicates segment override (irrelevant for x86_64):
// 0x2e = CS, 0x36 = SS, 0x3e = DS, 0x26 = ES, 0x64 = FS, 0x65 = GS
// prefix[2] indicates operand-size override (0x66)
// prefix[3] indicates address-size override (0x67)
// See X86_PREFIX_CS/SS/DS/ES/FS/GS above.
// prefix[2] indicates operand-size override (X86_PREFIX_OPSIZE)
// prefix[3] indicates address-size override (X86_PREFIX_ADDRSIZE)
uint8_t prefix[4];
// Instruction opcode, wich can be from 1 to 4 bytes in size.
@ -580,7 +598,6 @@ typedef enum x86_insn
X86_INS_LLDT,
X86_INS_LMSW,
X86_INS_OR,
X86_INS_LOCK,
X86_INS_SUB,
X86_INS_XOR,
X86_INS_LODSB,
@ -853,8 +870,6 @@ typedef enum x86_insn
X86_INS_RDSEED,
X86_INS_RDTSC,
X86_INS_RDTSCP,
X86_INS_REPNE,
X86_INS_REP,
X86_INS_ROL,
X86_INS_ROR,
X86_INS_RORX,
@ -1559,8 +1574,22 @@ typedef enum x86_insn
//> Group of X86 instructions
typedef enum x86_insn_group
{
X86_GRP_INVALID = 0,
X86_GRP_INVALID = 0, // = CS_GRP_INVALID
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
X86_GRP_JUMP, // = CS_GRP_JUMP
// all call instructions
X86_GRP_CALL, // = CS_GRP_CALL
// all return instructions
X86_GRP_RET, // = CS_GRP_RET
// all interrupt instructions (int+syscall)
X86_GRP_INT, // = CS_GRP_INT
// all interrupt return instructions
X86_GRP_IRET, // = CS_GRP_IRET
//> Architecture-specific groups
X86_GRP_VM = 128, // all virtualization instructions (VT-x + AMD-V)
X86_GRP_3DNOW,
X86_GRP_AES,
X86_GRP_ADX,
@ -1602,13 +1631,6 @@ typedef enum x86_insn_group
X86_GRP_SMAP,
X86_GRP_NOVLX,
X86_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
X86_GRP_VM, // all virtualization instructions (VT-x + AMD-V)
X86_GRP_INT, // all interrupt instructions (int+syscall)
X86_GRP_IRET, // all interrupt return instructions
X86_GRP_CALL, // all call instructions
X86_GRP_RET, // all call return instructions
X86_GRP_ENDING
} x86_insn_group;

14
x64_dbg_dbg/capstone/xcore.h
View File

@ -18,10 +18,10 @@ extern "C" {
//> Operand type for instruction's operands
typedef enum xcore_op_type
{
XCORE_OP_INVALID = 0, // Uninitialized.
XCORE_OP_REG, // Register operand.
XCORE_OP_IMM, // Immediate operand.
XCORE_OP_MEM, // Memory operand
XCORE_OP_INVALID = 0, // = CS_OP_INVALID (Uninitialized).
XCORE_OP_REG, // = CS_OP_REG (Register operand).
XCORE_OP_IMM, // = CS_OP_IMM (Immediate operand).
XCORE_OP_MEM, // = CS_OP_MEM (Memory operand).
} xcore_op_type;
// Instruction's operand referring to memory
@ -226,9 +226,11 @@ typedef enum xcore_insn
//> Group of XCore instructions
typedef enum xcore_insn_group
{
XCORE_GRP_INVALID = 0,
XCORE_GRP_INVALID = 0, // = CS_GRP_INVALID
XCORE_GRP_JUMP, // all jump instructions (conditional+direct+indirect jumps)
//> Generic groups
// all jump instructions (conditional+direct+indirect jumps)
XCORE_GRP_JUMP, // = CS_GRP_JUMP
XCORE_GRP_ENDING, // <-- mark the end of the list of groups
} xcore_insn_group;

15
x64_dbg_dbg/capstone_wrapper.cpp
View File

@ -16,6 +16,14 @@ Capstone::Capstone()
cs_option(mHandle, CS_OPT_DETAIL, CS_OPT_ON);
}
Capstone::~Capstone()
{
if(mInstr) //free last disassembled instruction
cs_free(mInstr, 1);
if(mHandle) //close handle
cs_close(&mHandle);
}
bool Capstone::Disassemble(uint addr, unsigned char data[MAX_DISASM_BUFFER])
{
if(mInstr) //free last disassembled instruction
@ -36,10 +44,7 @@ const cs_err Capstone::GetError()
return mError;
}
Capstone::~Capstone()
const char* Capstone::RegName(unsigned int reg)
{
if(mInstr) //free last disassembled instruction
cs_free(mInstr, 1);
if(mHandle) //close handle
cs_close(&mHandle);
return cs_reg_name(mHandle, reg);
}

1
x64_dbg_dbg/capstone_wrapper.h
View File

@ -13,6 +13,7 @@ public:
bool Disassemble(uint addr, unsigned char data[MAX_DISASM_BUFFER]);
const cs_insn* GetInstr();
const cs_err GetError();
const char* RegName(unsigned int reg);
private:
csh mHandle;

43
x64_dbg_dbg/instruction.cpp
View File

@ -1817,21 +1817,21 @@ CMDRESULT cbInstrCapstone(int argc, char* argv[])
}
uint addr = 0;
if(!valfromstring(argv[1], &addr) || !memisvalidreadptr(fdProcessInfo->hProcess, addr))
if(!valfromstring(argv[1], &addr) || !MemIsValidReadPtr(addr))
{
dprintf("invalid address \"%s\"\n", argv[1]);
return STATUS_ERROR;
}
unsigned char data[16];
if(!memread(fdProcessInfo->hProcess, (const void*)addr, data, sizeof(data), 0))
if(!MemRead((void*)addr, data, sizeof(data), 0))
{
dprintf("could not read memory at %p\n", addr);
return STATUS_ERROR;
}
Capstone cp;
if(cp.GetError()) //there was an error opening the handle
if(cp.GetError()) //there was an error opening the handle
{
dprintf("cs_open() failed, error code %u\n", cp.GetError());
return STATUS_ERROR;
@ -1839,12 +1839,43 @@ CMDRESULT cbInstrCapstone(int argc, char* argv[])
if(!cp.Disassemble(addr, data))
{
dputs("failed to disassemble!");
dprintf("failed to disassemble, error code %u!", cp.GetError());
return STATUS_ERROR;
}
const cs_insn* instr = cp.GetInstr();
dprintf("%p: %s %s\n", instr->address, instr->mnemonic, instr->op_str);
const cs_x86 & x86 = instr->detail->x86;
int argcount = x86.op_count;
dprintf("%s %s\n", instr->mnemonic, instr->op_str);
for(int i = 0; i < argcount; i++)
{
const cs_x86_op & op = x86.operands[i];
dprintf("operand %d, ", i + 1);
switch(op.type)
{
case X86_OP_REG:
dprintf("register: %s\n", cp.RegName(op.reg));
break;
case X86_OP_IMM:
dprintf("immediate: 0x%p\n", op.imm);
break;
case X86_OP_MEM:
{
//[base + index * scale +/- disp]
const x86_op_mem & mem = op.mem;
dprintf("memory segment: %s, base: %s, index: %s, scale: %d, displacement: 0x%p\n",
cp.RegName(mem.segment),
cp.RegName(mem.base),
cp.RegName(mem.index),
mem.scale,
mem.disp);
}
break;
case X86_OP_FP:
dprintf("float: %f\n", op.fp);
break;
}
}
return STATUS_CONTINUE;
}
}

8
x64_dbg_dbg/x64_dbg_dbg.vcxproj
View File

@ -252,7 +252,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>yara\yara_x86.lib;capstone\capstone_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32_bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;BeaEngine\BeaEngine.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>capstone\capstone_x86.lib;yara\yara_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;BeaEngine\BeaEngine.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
@ -273,7 +273,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
<OptimizeReferences>false</OptimizeReferences>
<AdditionalDependencies>yara\yara_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;BeaEngine\BeaEngine.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>capstone\capstone_x86.lib;yara\yara_x86.lib;lz4\lz4_x86.lib;jansson\jansson_x86.lib;DeviceNameResolver\DeviceNameResolver_x86.lib;XEDParse\XEDParse_x86.lib;$(SolutionDir)bin\x32\x32bridge.lib;dbghelp\dbghelp_x86.lib;TitanEngine\TitanEngine_x86.lib;BeaEngine\BeaEngine.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
@ -300,7 +300,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>true</EnableCOMDATFolding>
<OptimizeReferences>true</OptimizeReferences>
<AdditionalDependencies>yara\yara_x64.lib;capstone\capstone_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64_bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;BeaEngine\BeaEngine_64.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>capstone\capstone_x64.lib;yara\yara_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;BeaEngine\BeaEngine_64.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
@ -324,7 +324,7 @@
<SubSystem>Windows</SubSystem>
<EnableCOMDATFolding>false</EnableCOMDATFolding>
<OptimizeReferences>false</OptimizeReferences>
<AdditionalDependencies>yara\yara_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;BeaEngine\BeaEngine_64.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalDependencies>capstone\capstone_x64.lib;yara\yara_x64.lib;lz4\lz4_x64.lib;jansson\jansson_x64.lib;DeviceNameResolver\DeviceNameResolver_x64.lib;XEDParse\XEDParse_x64.lib;$(SolutionDir)bin\x64\x64bridge.lib;dbghelp\dbghelp_x64.lib;TitanEngine\TitanEngine_x64.lib;BeaEngine\BeaEngine_64.lib;psapi.lib;kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;shlwapi.lib;%(AdditionalDependencies)</AdditionalDependencies>
</Link>
</ItemDefinitionGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />

71
x64_dbg_dbg/x64_dbg_dbg.vcxproj.filters
View File

@ -67,15 +67,15 @@
<Filter Include="Header Files\Information">
<UniqueIdentifier>{b006b04c-d7ea-49cb-b097-0cac1388f98e}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\capstone">
<UniqueIdentifier>{95129527-1983-40fd-9844-1ca3481fde26}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\yara">
<UniqueIdentifier>{efe5d058-e77c-49e9-a25b-75b90346dbf2}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\yara\yara">
<UniqueIdentifier>{f79c5166-e315-44ca-9e93-dabc9f00fa78}</UniqueIdentifier>
</Filter>
<Filter Include="Header Files\Third Party\capstone">
<UniqueIdentifier>{1c3bf89b-90a5-4de7-a96f-e73e4250c274}</UniqueIdentifier>
</Filter>
</ItemGroup>
<ItemGroup>
<ClCompile Include="main.cpp">
@ -153,11 +153,6 @@
<ClCompile Include="debugger.cpp">
<Filter>Source Files\Debugger Core</Filter>
</ClCompile>
<ClCompile Include="log.cpp">
<Filter>Source Files\Utilities</Filter>
</ClCompile>
<ClCompile Include="capstone_wrapper.cpp">
<Filter>Source Files\Utilities</Filter>
<ClCompile Include="stringutils.cpp">
<Filter>Source Files\Utilities</Filter>
</ClCompile>
@ -212,6 +207,9 @@
<ClCompile Include="commandparser.cpp">
<Filter>Source Files\Core</Filter>
</ClCompile>
<ClCompile Include="capstone_wrapper.cpp">
<Filter>Source Files\Utilities</Filter>
</ClCompile>
</ItemGroup>
<ItemGroup>
<ClInclude Include="x64_dbg.h">
@ -346,30 +344,6 @@
<ClInclude Include="msgqueue.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>
<ClInclude Include="capstone\mips.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\platform.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\ppc.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\sparc.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\systemz.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\x86.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\xcore.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone_wrapper.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>
<ClInclude Include="module.h">
<Filter>Header Files\Information</Filter>
</ClInclude>
@ -508,5 +482,38 @@
<ClInclude Include="jansson\jansson_x64dbg.h">
<Filter>Header Files\Third Party\jansson</Filter>
</ClInclude>
<ClInclude Include="capstone_wrapper.h">
<Filter>Header Files\Utilities</Filter>
</ClInclude>
<ClInclude Include="capstone\arm.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\arm64.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\capstone.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\mips.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\platform.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\ppc.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\sparc.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\systemz.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\x86.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
<ClInclude Include="capstone\xcore.h">
<Filter>Header Files\Third Party\capstone</Filter>
</ClInclude>
</ItemGroup>
</Project>