Zydis是一个反汇编库,可以解析机器指令将其转为汇编代码,下面是使用方法

下载

zyantific/zydis: Fast and lightweight x86/x86-64 disassembler and code generation library

可以直接下载releases也可以直接clone

编译

标准的编译方法:

1
2
3
4
git clone --recursive 'https://github.com/zyantific/zydis.git'
cd zydis
cmake -B build
cmake --build build -j4

配置

如果使用的是msvc,可以直接进入msvc目录使用vs编译,配置为release MT,直接生成。

如果是上面的方法,输出文件在build文件的debug目录下和Zycore\debug目录,如果是下面的方法,输出文件在bin\releaseX64下

取得生成的Zydis.lib和Zycore.lib,放在项目目录的lib文件夹下(新建),然后在最外面的zydis目录下找到include复制到项目文件夹,在dependencies\zycore下找到include文件夹复制到项目文件夹

在项目属性中:

  • C/C++
    • 常规:附加包含目录添加:$(ProjectDir)include
    • 预处理器:预处理器定义添加:ZYDIS_STATIC_DEFINE
  • 链接器
    • 常规:附加库目录包含添加:$(ProjectDir)lib
    • 输入:附加依赖项添加:Zycore.lib;Zydis.lib

写代码

引用头文件:#include <Zydis/Zydis.h>

解析器

1
ZydisDecoderDecodeFull(&decoder, buffer.data() + offset, length - offset,&instruction, operands)

decoder是ZydisDecoder类型
instruction是ZydisDecodedInstruction保存基本指令数据
operands是ZydisDecodedOperand类型数组,保存一条指令的操作数

data是存放机器码的缓冲区

每次执行一次这个指令,就会对instruction和operands赋值,表示一条指令的解析

  • instruction.mnemonic 助记符
  • instruction.length 指令总长度
  • instruction.opcode 机器码
  • instruction.operand_count_visible 显式操作数数量
  • operand.type 这个操作数的类型
    • 立即数(ZYDIS_OPERAND_TYPE_IMMEDIATE):
      operand.imm.value数值
    • 寄存器(ZYDIS_OPERAND_TYPE_REGISTER):
      operand.reg.value寄存器名称
    • 内存地址(ZYDIS_OPERAND_TYPE_MEMORY):
      operand.mem.base表示内存的基址寄存器
      operand.mem.index表示索引寄存器
      operand.mem.disp地址偏移值

使用模板可以参考example和下面这个

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
#include <cinttypes>
#include <iostream>
#include <fstream>
#include <vector>
#include <Zydis/Zydis.h>

bool readFileToBuffer(const std::string& filepath, std::vector<unsigned char>& buffer)
{
	std::ifstream file(filepath, std::ios::binary | std::ios::ate);
	if (!file.is_open())
	{
		std::cerr << "Failed to open file: " << filepath << std::endl;
		return false;
	}
	std::streamsize fSize = file.tellg();
	file.seekg(0, std::ios::beg);
	buffer.resize(fSize);
	if (!file.read(reinterpret_cast<char*>(buffer.data()), fSize))
	{
		std::cerr << "Failed to read file: " << filepath << std::endl;
		return false;
	}
	file.close();
	return true;
}

void printInstructionStructure(const ZydisDecodedInstruction& instruction, const ZydisDecodedOperand operands[])
{
	std::cout << "Instruction Structure:\n";
	std::cout << "Mnemonic: " << ZydisMnemonicGetString(instruction.mnemonic) << "\n";
	std::cout << "Length: " << static_cast<int>(instruction.length) << " bytes\n";
	std::cout << "Opcode: 0x" << std::hex << static_cast<int>(instruction.opcode) << "\n";
	std::cout << "Operand Count Visible: " << static_cast<int>(instruction.operand_count_visible) << "\n";

	for (ZyanU8 i = 0; i < instruction.operand_count_visible; ++i)
	{
		const ZydisDecodedOperand& operand = operands[i];
		std::cout << "Operand " << static_cast<int>(i) << ": \n";
		switch (operand.type)
		{
		case ZYDIS_OPERAND_TYPE_REGISTER:
			std::cout << "  Type: Register\n";
			std::cout << "  Register: " << ZydisRegisterGetString(operand.reg.value) << "\n";
			break;
		case ZYDIS_OPERAND_TYPE_IMMEDIATE:
			std::cout << "  Type: Immediate\n";
			std::cout << "  Value: 0x" << std::hex << operand.imm.value.u << "\n";
			break;
		case ZYDIS_OPERAND_TYPE_MEMORY:
			std::cout << "  Type: Memory\n";
			std::cout << "  Base: " << ZydisRegisterGetString(operand.mem.base) << "\n";
			std::cout << "  Index: " << ZydisRegisterGetString(operand.mem.index) << "\n";
			std::cout << "  Displacement: 0x" << std::hex << operand.mem.disp.value << "(" << (operand.mem.disp.value >= 0 ? operand.mem.disp.value : -operand.mem.disp.value) << ")" << "\n";
			break;
		default:
			std::cout << "  Type: Unknown\n";
		}
	}
	std::cout << "-----------------------------------\n";
}


int main(int argc, char* argv[])
{
	ZydisDecoder decoder;
	ZydisDecoderInit(&decoder, ZYDIS_MACHINE_MODE_LONG_64, ZYDIS_STACK_WIDTH_64);

	ZydisFormatter formatter;
	ZydisFormatterInit(&formatter, ZYDIS_FORMATTER_STYLE_INTEL);

	std::string filePath = "shellcode.bin";
	std::vector<unsigned char> buffer;
	if (!readFileToBuffer(filePath, buffer))
	{
		return 0;
	}

	ZyanU64 runtime_address = 0;
	ZyanUSize offset = 0;
	const ZyanUSize length = buffer.size();
	ZydisDecodedInstruction instruction;
	ZydisDecodedOperand operands[ZYDIS_MAX_OPERAND_COUNT];

	while (ZYAN_SUCCESS(ZydisDecoderDecodeFull(&decoder, buffer.data() + offset, length - offset,
		&instruction, operands)))
	{
		printf("%016" PRIX64 "  ", runtime_address);
		char tmp[256];
		ZydisFormatterFormatInstruction(&formatter, &instruction, operands,
			instruction.operand_count_visible, tmp, sizeof(tmp),
			runtime_address, ZYAN_NULL);
		puts(tmp);

		printInstructionStructure(instruction, operands);

		offset += instruction.length;
		runtime_address += instruction.length;
	}

	return 0;
}