2017-11-24 10:28:31 +08:00
|
|
|
![zydis logo](https://mainframe.pw/u/P94JAqY9XSDdPedv.svg?x)
|
2017-11-24 08:55:55 +08:00
|
|
|
[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT) [![Gitter](https://badges.gitter.im/zyantific/zyan-disassembler-engine.svg)](https://gitter.im/zyantific/zyan-disassembler-engine?utm_source=badge&utm_medium=badge&utm_campaign=pr-badge&utm_content=body_badge) [![Build status](https://ci.appveyor.com/api/projects/status/2tad27q0b9v6qtga/branch/master?svg=true)](https://ci.appveyor.com/project/athre0z/zydis/branch/master)
|
2014-10-25 05:05:43 +08:00
|
|
|
|
|
|
|
Fast and lightweight x86/x86-64 disassembler library.
|
2014-10-25 05:11:16 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## Features
|
2014-10-25 05:11:16 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
- Supports all x86 and x86-64 (AMD64) instructions.
|
|
|
|
- Supports pretty much all ISA extensions (list incomplete):
|
2017-04-10 04:54:53 +08:00
|
|
|
- FPU (x87), MMX
|
|
|
|
- SSE, SSE2, SSE3, SSSE3, SSE4.1, SSE4.2, SSE4A, AESNI
|
|
|
|
- AVX, AVX2, AVX512BW, AVX512CD, AVX512DQ, AVX512ER, AVX512F, AVX512PF, AVX512VL
|
|
|
|
- ADX, BMI1, BMI2, FMA, FMA4
|
2014-10-25 05:11:16 +08:00
|
|
|
- Optimized for high performance
|
2017-08-18 19:34:00 +08:00
|
|
|
- No dynamic memory allocation ("malloc")
|
2016-06-20 07:33:29 +08:00
|
|
|
- Very small file-size overhead compared to other common disassembler libraries
|
2017-08-18 19:34:00 +08:00
|
|
|
- [Complete doxygen documentation](https://www.zyantific.com/doc/zydis/index.html)
|
|
|
|
- No dependencies on platform specific APIs
|
|
|
|
- Should compile on any platform with a complete libc and CMake
|
|
|
|
- Tested on Windows, macOS and Linux
|
2014-10-25 05:11:16 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## Roadmap
|
2017-07-25 04:41:08 +08:00
|
|
|
|
|
|
|
- Language bindings [v2.0 final]
|
|
|
|
- Tests [v2.0 final]
|
|
|
|
- Graphical editor for the instruction-database [v2.0 final]
|
|
|
|
- Implement CMake feature gates. Currently, everything is always included. [v2.0 final]
|
|
|
|
- Encoding support [v2.1]
|
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## Quick Example
|
2014-11-03 22:15:48 +08:00
|
|
|
|
2015-05-16 11:05:17 +08:00
|
|
|
The following example program uses Zydis to disassemble a given memory buffer and prints the output to the console.
|
2014-11-03 22:15:48 +08:00
|
|
|
|
2016-05-26 03:25:48 +08:00
|
|
|
```C
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <Zydis/Zydis.h>
|
2014-11-03 22:15:48 +08:00
|
|
|
|
2016-04-16 04:11:49 +08:00
|
|
|
int main()
|
2014-11-03 22:15:48 +08:00
|
|
|
{
|
|
|
|
uint8_t data[] =
|
|
|
|
{
|
2016-04-16 04:11:49 +08:00
|
|
|
0x51, 0x8D, 0x45, 0xFF, 0x50, 0xFF, 0x75, 0x0C, 0xFF, 0x75,
|
|
|
|
0x08, 0xFF, 0x15, 0xA0, 0xA5, 0x48, 0x76, 0x85, 0xC0, 0x0F,
|
|
|
|
0x88, 0xFC, 0xDA, 0x02, 0x00
|
2014-11-03 22:15:48 +08:00
|
|
|
};
|
2016-04-16 04:11:49 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
// Initialize decoder context.
|
2017-07-03 23:36:03 +08:00
|
|
|
ZydisDecoder decoder;
|
2017-08-18 19:34:00 +08:00
|
|
|
ZydisDecoderInit(
|
|
|
|
&decoder,
|
|
|
|
ZYDIS_MACHINE_MODE_LONG_64,
|
|
|
|
ZYDIS_ADDRESS_WIDTH_64);
|
2016-05-26 03:25:48 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
// Initialize formatter. Only required when you actually plan to
|
|
|
|
// do instruction formatting ("disassembling"), like we do here.
|
2017-07-03 23:36:03 +08:00
|
|
|
ZydisFormatter formatter;
|
2017-08-18 19:34:00 +08:00
|
|
|
ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);
|
2016-05-26 03:25:48 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
// Loop over the instructions in our buffer.
|
2017-07-03 23:36:03 +08:00
|
|
|
uint64_t instructionPointer = 0x007FFFFFFF400000;
|
2017-08-18 19:34:00 +08:00
|
|
|
uint8_t* readPointer = data;
|
|
|
|
size_t length = sizeof(data);
|
2017-07-03 23:36:03 +08:00
|
|
|
ZydisDecodedInstruction instruction;
|
2017-08-18 19:34:00 +08:00
|
|
|
while (ZYDIS_SUCCESS(ZydisDecoderDecodeBuffer(
|
|
|
|
&decoder, readPointer, length, instructionPointer, &instruction)))
|
2014-11-03 22:15:48 +08:00
|
|
|
{
|
2017-08-18 19:34:00 +08:00
|
|
|
// Print current instruction pointer.
|
|
|
|
printf("%016" PRIX64 " ", instructionPointer);
|
|
|
|
|
|
|
|
// Format & print the binary instruction
|
|
|
|
// structure to human readable format.
|
|
|
|
char buffer[256];
|
|
|
|
ZydisFormatterFormatInstruction(
|
|
|
|
&formatter, &instruction, buffer, sizeof(buffer));
|
|
|
|
puts(buffer);
|
|
|
|
|
|
|
|
readPointer += instruction.length;
|
2017-07-03 23:36:03 +08:00
|
|
|
length -= instruction.length;
|
|
|
|
instructionPointer += instruction.length;
|
2014-11-03 22:15:48 +08:00
|
|
|
}
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## Sample Output
|
2016-04-06 06:15:12 +08:00
|
|
|
|
|
|
|
The above example program generates the following output:
|
|
|
|
|
|
|
|
```
|
2016-05-26 03:25:48 +08:00
|
|
|
007FFFFFFF400000 push rcx
|
2017-08-18 19:34:00 +08:00
|
|
|
007FFFFFFF400001 lea eax, [rbp-0x01]
|
2016-05-26 03:25:48 +08:00
|
|
|
007FFFFFFF400004 push rax
|
2017-08-18 19:34:00 +08:00
|
|
|
007FFFFFFF400005 push qword ptr [rbp+0x0C]
|
|
|
|
007FFFFFFF400008 push qword ptr [rbp+0x08]
|
|
|
|
007FFFFFFF40000B call [0x008000007588A5B1]
|
2016-05-26 03:25:48 +08:00
|
|
|
007FFFFFFF400011 test eax, eax
|
|
|
|
007FFFFFFF400013 js 0x007FFFFFFF42DB15
|
2016-04-06 06:15:12 +08:00
|
|
|
```
|
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## Compilation
|
2017-07-25 04:46:28 +08:00
|
|
|
|
|
|
|
Zydis builds cleanly on most platforms without any external dependencies. You can use CMake to generate project files for your favorite C99 compiler.
|
|
|
|
|
|
|
|
```bash
|
|
|
|
# Linux and OS X
|
|
|
|
git clone 'https://github.com/zyantific/zydis.git'
|
|
|
|
cd zydis
|
|
|
|
mkdir build && cd build
|
|
|
|
cmake ..
|
|
|
|
make
|
|
|
|
```
|
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## `ZydisInfo` tool
|
2017-07-25 04:41:08 +08:00
|
|
|
![ZydisInfo](https://raw.githubusercontent.com/zyantific/zydis/master/assets/screenshots/ZydisInfo.png)
|
2017-07-25 03:40:59 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
## Credits
|
2018-01-11 15:55:20 +08:00
|
|
|
- Intel (for open-sourcing [XED](https://github.com/intelxed/xed), allowing for automatic comparision of our tables against theirs, improving both)
|
2017-08-18 19:34:00 +08:00
|
|
|
- LLVM (for providing pretty solid instruction data as well)
|
|
|
|
- Christian Ludloff (http://sandpile.org, insanely helpful)
|
2017-11-24 10:28:31 +08:00
|
|
|
- [LekoArts](https://www.lekoarts.de/) (for creating the project logo)
|
2017-08-18 19:34:00 +08:00
|
|
|
- Our [contributors on GitHub](https://github.com/zyantific/zydis/graphs/contributors)
|
|
|
|
|
|
|
|
## License
|
2015-05-22 23:23:32 +08:00
|
|
|
|
2017-08-18 19:34:00 +08:00
|
|
|
Zydis is licensed under the MIT license.
|