Fast and lightweight x86/x86-64 disassembler and code generation library.
## Features
- Supports all x86 and x86-64 (AMD64) instructions and [extensions](https://github.com/zyantific/zydis/blob/master/include/Zydis/Generated/EnumISAExt.h)
- Optimized for high performance
- No dynamic memory allocation ("malloc")
- Thread-safe by design
- Very small file-size overhead compared to other common disassembler libraries
- [Complete doxygen documentation](https://doc.zydis.re/)
- Absolutely no third party dependencies — not even libc
- Should compile on any platform with a working C11 compiler
- Tested on Windows, macOS, FreeBSD, Linux and UEFI, both user and kernel mode
## Examples
### Disassembler
The following example program uses Zydis to disassemble a given memory buffer and prints the output to the console.
```cpp
#include <inttypes.h>
#include <stdio.h>
#include <Zydis/Zydis.h>

int main()
{
    ZyanU8 data[] =
    {
        0x51, 0x8D, 0x45, 0xFF, 0x50, 0xFF, 0x75, 0x0C, 0xFF, 0x75,
        0x08, 0xFF, 0x15, 0xA0, 0xA5, 0x48, 0x76, 0x85, 0xC0, 0x0F,
        0x88, 0xFC, 0xDA, 0x02, 0x00
    };

    // The runtime address (instruction pointer) was chosen arbitrarily here in order to better
    // visualize relative addressing. In your actual program, set this to e.g. the memory address
    // that the code being disassembled was read from.
    ZyanU64 runtime_address = 0x007FFFFFFF400000;

    // Loop over the instructions in our buffer.
    ZyanUSize offset = 0;
    ZydisDisassembledInstruction instruction;
    while (ZYAN_SUCCESS(ZydisDisassembleIntel(
        /* machine_mode:    */ ZYDIS_MACHINE_MODE_LONG_64,
        /* runtime_address: */ runtime_address,
        /* buffer:          */ data + offset,
        /* length:          */ sizeof(data) - offset,
        /* instruction:     */ &instruction
    ))) {
        printf("%016" PRIX64 "  %s\n", runtime_address, instruction.text);
        offset += instruction.info.length;
        runtime_address += instruction.info.length;
    }

    return 0;
}
```
The above example program generates the following output:
```asm
007FFFFFFF400000 push rcx
007FFFFFFF400001 lea eax, [rbp-0x01]
007FFFFFFF400004 push rax
007FFFFFFF400005 push qword ptr [rbp+0x0C]
007FFFFFFF400008 push qword ptr [rbp+0x08]
007FFFFFFF40000B call [0x008000007588A5B1]
007FFFFFFF400011 test eax, eax
007FFFFFFF400013 js 0x007FFFFFFF42DB15
```
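The absolute targets in the output above (`call [0x008000007588A5B1]`, `js 0x007FFFFFFF42DB15`) depend on the `runtime_address` passed in. The following added example is not part of the Zydis project and does not use the library; it recomputes both targets by hand for those two encodings, and `resolve_rip_relative` is a hypothetical helper name.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read a little-endian 32-bit value and sign-extend it. */
static int32_t read_le32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                 ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/*
 * Hypothetical helper (not a Zydis API). Handles only the two 6-byte
 * encodings from the example buffer, in 64-bit mode:
 *   FF 15 disp32   call [rip+disp32]
 *   0F 88 rel32    js rel32
 * Returns 1 and stores the absolute address in *target, or 0 if the
 * bytes are truncated or not one of these encodings.
 */
int resolve_rip_relative(const uint8_t *code, size_t len,
                         uint64_t runtime_address, uint64_t *target)
{
    if (code == NULL || target == NULL || len < 6)
        return 0;
    int is_call = (code[0] == 0xFF && code[1] == 0x15);
    int is_js   = (code[0] == 0x0F && code[1] == 0x88);
    if (!is_call && !is_js)
        return 0;
    /* The displacement is relative to the address of the NEXT instruction. */
    uint64_t next = runtime_address + 6;
    *target = next + (uint64_t)(int64_t)read_le32(code + 2);
    return 1;
}

/* Bytes copied from the example buffer above. */
static const uint8_t call_bytes[] = { 0xFF, 0x15, 0xA0, 0xA5, 0x48, 0x76 };
static const uint8_t js_bytes[]   = { 0x0F, 0x88, 0xFC, 0xDA, 0x02, 0x00 };

int main(void)
{
    uint64_t t = 0;
    if (resolve_rip_relative(call_bytes, sizeof call_bytes, 0x007FFFFFFF40000BULL, &t))
        printf("call [0x%016" PRIX64 "]\n", t);
    if (resolve_rip_relative(js_bytes, sizeof js_bytes, 0x007FFFFFFF400013ULL, &t))
        printf("js 0x%016" PRIX64 "\n", t);
    return 0;
}
```

When disassembling a memory dump, a wrong base address shifts every resolved target by the same amount, so cross-references only line up if `runtime_address` matches the address the code was actually loaded at.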
### Encoder
```cpp
#include <stdio.h>
#include <string.h>
#include <Zydis/Zydis.h>

int main()
{
    // Describe the instruction to encode: mov rax, 0x1337
    ZydisEncoderRequest req;
    memset(&req, 0, sizeof(req));

    req.mnemonic = ZYDIS_MNEMONIC_MOV;
    req.machine_mode = ZYDIS_MACHINE_MODE_LONG_64;
    req.operand_count = 2;
    req.operands[0].type = ZYDIS_OPERAND_TYPE_REGISTER;
    req.operands[0].reg.value = ZYDIS_REGISTER_RAX;
    req.operands[1].type = ZYDIS_OPERAND_TYPE_IMMEDIATE;
    req.operands[1].imm.u = 0x1337;

    // On input, encoded_length holds the buffer size; on success, the number of bytes written.
    ZyanU8 encoded_instruction[ZYDIS_MAX_INSTRUCTION_LENGTH];
    ZyanUSize encoded_length = sizeof(encoded_instruction);

    if (ZYAN_FAILED(ZydisEncoderEncodeInstruction(&req, encoded_instruction, &encoded_length)))
    {
        puts("Failed to encode instruction");
        return 1;
    }

    // Print the encoded bytes as hex.
    for (ZyanUSize i = 0; i < encoded_length; ++i)
    {
        printf("%02X ", encoded_instruction[i]);
    }
    puts("");

    return 0;
}
```
The above example program generates the following output:
```
48 C7 C0 37 13 00 00
```
### More Examples
More examples can be found in the [examples](https://github.com/zyantific/zydis/tree/master/examples) directory of the Zydis repository.