x86 disassembler

class malduck.disasm.Disassemble
disassemble(data: bytes, addr: int, x64: bool = False, count: int = 0) → Iterator[Instruction]

Disassembles data starting at the given virtual address

Changed in version 4.0.0: Returns iterator instead of list of instructions, accepts maximum number of instructions to disassemble

short: disasm

Parameters:
  • data (bytes) – Block of data to disassemble

  • addr (int) – Virtual address of data

  • x64 (bool (default=False)) – Disassemble in x86-64 mode?

  • count (int (default=0)) – Maximum number of instructions to disassemble

Returns:

Returns iterator of instructions

Return type:

Iterator[Instruction]

class malduck.disasm.Instruction(mnem: str | None = None, op1: Operand | None = None, op2: Operand | None = None, op3: Operand | None = None, addr: int | None = None, x64: bool = False)

Represents a single instruction produced by Disassemble

short: insn

Properties correspond to the following elements of instruction:

00400000  imul    ecx,   edx,   0
[addr]    [mnem]  [op1], [op2], [op3]

Usage example:

def get_move_value(self, p, hit, *args):
    # find move value of `mov eax, x`
    for ins in p.disasmv(hit, 0x100):
        if ins.mnem == 'mov' and ins.op1.value == 'eax':
            return ins.op2.value

See also

malduck.procmem.ProcessMemory.disasmv()

property addr: int | None

Instruction address

property op1: Operand | None

First operand

property op2: Operand | None

Second operand

property op3: Operand | None

Third operand

class malduck.disasm.Operand(op: X86Op, x64: bool)

Operand object for a single Instruction

property is_imm: bool

Is it an immediate operand?

property is_mem: bool

Is it a memory operand?

property is_reg: bool

Is it a register operand?

property mem: Memory | None

Returns Memory object for memory operands

property reg: str | int | None

Returns register used by operand.

For memory operands, returns base register or index register if base is not used. For immediate operands or displacement-only memory operands returns None.

Return type:

str

property value: str | int

Returns operand value or displacement value for memory operands

Return type:

str or int or None

class malduck.disasm.Memory(size, base, scale, index, disp)

base

Alias for field number 1

disp

Alias for field number 4

index

Alias for field number 3

scale

Alias for field number 2

size

Alias for field number 0