x86 disassembler

class malduck.disasm.Disassemble

disassemble(data, addr, x64=False)

Disassembles data from specific address

short: disasm

Parameters

• data (bytes) – Block of data to disasseble

• addr (int) – Virtual address of data

• x64 (bool (default=False)) – Disassemble in x86-64 mode?

Returns

Returns list of instructions

Return type

List[Instruction]

class malduck.disasm.Instruction(mnem=None, op1=None, op2=None, op3=None, addr=None, x64=False)

Represents single instruction in Disassemble

short: insn

Properties correspond to the following elements of instruction:

00400000  imul    ecx,   edx,   0
[addr]    [mnem]  [op1], [op2], [op3]

Usage example:

def get_move_value(self, p, hit, *args):
    # find move value of `mov eax, x`
    for ins in p.disasmv(hit, 0x100):
        if ins.mnem == 'mov' and ins.op1.value == 'eax':
            return ins.op2.value

See also

malduck.procmem.ProcessMemory.disasmv()

property addr

Instruction address

property op1

First operand

property op2

Second operand

property op3

Third operand

class malduck.disasm.Operand(op, x64)

Operand object for single Instruction

property is_imm

Is it immediate operand?

property is_mem

Is it memory operand?

property is_reg

Is it register operand?

property mem

Returns Memory object for memory operands

property reg

Returns register used by operand.

For memory operands, returns base register or index register if base is not used. For immediate operands or displacement-only memory operands returns None.

Return type

str

property value

Returns operand value or displacement value for memory operands

Return type

str or int

class malduck.disasm.Memory(size, base, scale, index, disp)

property base

Alias for field number 1

property disp

Alias for field number 4

property index

Alias for field number 3

property scale

Alias for field number 2

property size

Alias for field number 0