zyantific / zydis

Fast and lightweight x86/x86-64 disassembler and code generation library
https://zydis.re
MIT License

Feature Request. Encoder from supplied string. #335

Open chrisjd20 opened 2 years ago

chrisjd20 commented 2 years ago

Is there a way to take a string instruction and convert that to bytes? The encoder does this but not from a supplied string.

For example, if supplied a string containing inc DWORD PTR [eax], the returned/printed data would be 67 ff 00 (assuming Windows x86_64)

flobernd commented 2 years ago

We can keep it as a feature request :-) I already thought about including a basic parser at some point.

mappzor commented 2 years ago

You can also check out this implementation, perhaps it will be enough for your needs: https://github.com/zyantific/zydis/pull/286/commits/bfd1b12c62c0368c9b792c537cb7d36674a027d9

chrisjd20 commented 2 years ago

You can also check out this implementation, perhaps it will be enough for your needs: bfd1b12

I'm not sure? Can it accept asm string like:

inc DWORD PTR [eax]
mov [rbx+28],eax

And convert that into bytes/hex?

chrisjd20 commented 2 years ago

When I run Formatter01.exe, I get:

C:\Users\chris\Documents\zydis\build\Debug>Formatter01.exe
007FFFFFFF400000   mov rax, qword ptr ds:[<SomeModule.SomeData>]
007FFFFFFF400007   push rax
007FFFFFFF400008   call qword ptr ds:[<SomeModule.SomeFunction>]
007FFFFFFF40000E   test eax, eax
007FFFFFFF400010   jz 0x007FFFFFFF400016
007FFFFFFF400016   jmp <SomeModule.EntryPoint>

I'm wanting the reverse. I want to take assembly code as a string and convert that into bytes. Bytes that can be printed out as hex.

Both in 32 bit and/or in 64 bit.

ZydisDisasm.exe does this perfectly when going from bytes to assembly.

https://github.com/zyantific/zydis/blob/master/tools/ZydisDisasm.c

Basically, a tool that does the same thing only in reverse would be perfect.

mappzor commented 2 years ago

It parses the string into an encoder request which can be passed directly to the encoder. I've never tried it out and I'm not sure if it's compatible with the latest version of the encoder (but I think it should be).

The linked commit for some reason has its example code in place of the original Formatter example (a bit confusing, I know). Your output is clearly from the original.

chrisjd20 commented 2 years ago

I'm not seeing going from asm code (as a string) converted to bytes (printed out as hex) in the code. But maybe you're right and I'm just being dense or misunderstanding.

mappzor commented 2 years ago

It seems that the example supplied just parses the string, so you would have to call ZydisEncoderEncodeInstruction yourself and pass parser.encoder_request.
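The two-step approach described above (parse the text into a request, then hand it to the encoder) needs the Zydis library itself. To make the encoding half concrete without that dependency, here is an added, self-contained example that is not Zydis code and is not from this thread: a toy C encoder for only the two instruction shapes quoted in the issue (`inc dword ptr [base+disp]` and `mov [base+disp], reg32`), selectable for 32-bit or 64-bit mode. The function names (`assemble`, `parse_mem`, `emit_instr`, `check`) and the supported subset are this example's own choices. It shows why the 64-bit encoding of `inc DWORD PTR [eax]` carries the `67` address-size prefix, and the ModRM corner cases (esp/rsp needs a SIB byte; ebp/rbp with no displacement needs an explicit `disp8 = 0`) that a real encoder such as Zydis takes care of for you.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not Zydis code): toy "asm string -> bytes" encoder for
 *     inc dword ptr [base(+/-disp)]
 *     mov [base(+/-disp)], reg32
 * in 32-bit (mode64 = 0) or 64-bit (mode64 = 1) mode.  Only eax..edi /
 * rax..rdi are accepted as registers; disp is decimal or 0x-prefixed hex. */

static const char *const REGS32[8] = {"eax","ecx","edx","ebx","esp","ebp","esi","edi"};
static const char *const REGS64[8] = {"rax","rcx","rdx","rbx","rsp","rbp","rsi","rdi"};

/* Register name -> ModRM encoding 0..7; *is64 tells which table matched. */
static int lookup_reg(const char *name, int *is64)
{
    for (int i = 0; i < 8; i++) {
        if (strcmp(name, REGS32[i]) == 0) { *is64 = 0; return i; }
        if (strcmp(name, REGS64[i]) == 0) { *is64 = 1; return i; }
    }
    return -1;
}

/* Parse "[base]", "[base+disp]" or "[base-disp]" starting at the first '['.
 * On success *rest points just past the closing ']'. */
static int parse_mem(const char *s, int *base, int *base_is64, int32_t *disp, const char **rest)
{
    const char *open = strchr(s, '['), *close;
    char name[8];
    size_t n;
    if (!open || !(close = strchr(open, ']'))) return -1;
    s = open + 1;
    while (isspace((unsigned char)*s)) s++;
    for (n = 0; n < sizeof name - 1 && isalnum((unsigned char)s[n]); n++) name[n] = s[n];
    name[n] = '\0';
    if ((*base = lookup_reg(name, base_is64)) < 0) return -1;
    s += n;
    while (isspace((unsigned char)*s)) s++;
    *disp = 0;
    if (*s == '+' || *s == '-') {
        char *end;
        long v = strtol(s + 1, &end, 0);
        while (isspace((unsigned char)*end)) end++;
        if (end != close) return -1;
        *disp = (int32_t)(*s == '-' ? -v : v);
    } else if (s != close) {
        return -1;
    }
    *rest = close + 1;
    return 0;
}

/* Emit prefix + opcode + ModRM (+ SIB) (+ disp).  The ModRM corner cases:
 *   - base esp/rsp (4) always needs the SIB byte 0x24 (no index, scale 1);
 *   - base ebp/rbp (5) with mod=00 would mean [disp32], so force disp8 = 0;
 *   - a 32-bit base in 64-bit mode needs the 0x67 address-size prefix;
 *   - a 64-bit base in 32-bit mode cannot be encoded at all. */
static int emit_instr(uint8_t *out, int mode64, uint8_t opcode, int reg_field,
                      int base, int base_is64, int32_t disp)
{
    int n = 0, mod;
    if (base_is64 && !mode64) return -1;
    if (mode64 && !base_is64) out[n++] = 0x67;
    out[n++] = opcode;
    if (disp == 0 && base != 5) mod = 0;
    else if (disp >= -128 && disp <= 127) mod = 1;
    else mod = 2;
    out[n++] = (uint8_t)((mod << 6) | (reg_field << 3) | base);
    if (base == 4) out[n++] = 0x24;
    if (mod == 1) out[n++] = (uint8_t)(int8_t)disp;
    else if (mod == 2)
        for (int i = 0; i < 4; i++) out[n++] = (uint8_t)((uint32_t)disp >> (8 * i));
    return n;
}

/* Assemble one instruction; returns the byte count, or -1 if the text is
 * outside the supported subset (nothing is guessed). */
int assemble(const char *text, int mode64, uint8_t *out)
{
    char buf[128], regname[8];
    const char *rest;
    int base, base_is64, reg, reg_is64;
    int32_t disp;
    size_t i, n;
    for (i = 0; i < sizeof buf - 1 && text[i]; i++) buf[i] = (char)tolower((unsigned char)text[i]);
    buf[i] = '\0';
    if (strncmp(buf, "inc ", 4) == 0) {
        const char *p = strstr(buf, "dword ptr");           /* operand size must be explicit */
        if (!p || parse_mem(p + 9, &base, &base_is64, &disp, &rest) < 0) return -1;
        while (isspace((unsigned char)*rest)) rest++;
        if (*rest) return -1;
        return emit_instr(out, mode64, 0xFF, 0, base, base_is64, disp);   /* FF /0 */
    }
    if (strncmp(buf, "mov ", 4) == 0) {
        if (parse_mem(buf + 4, &base, &base_is64, &disp, &rest) < 0) return -1;
        while (isspace((unsigned char)*rest)) rest++;
        if (*rest++ != ',') return -1;
        while (isspace((unsigned char)*rest)) rest++;
        for (n = 0; n < sizeof regname - 1 && isalnum((unsigned char)rest[n]); n++) regname[n] = rest[n];
        regname[n] = '\0';
        if ((reg = lookup_reg(regname, &reg_is64)) < 0 || reg_is64) return -1; /* r64 needs REX.W */
        return emit_instr(out, mode64, 0x89, reg, base, base_is64, disp);  /* 89 /r */
    }
    return -1;
}

/* Assemble and compare with a "67 ff 00"-style hex string; "" means "must be rejected". */
int check(const char *text, int mode64, const char *expect_hex)
{
    uint8_t out[16]; char hex[64]; int n = assemble(text, mode64, out), len = 0;
    if (n < 0) return expect_hex[0] == '\0';
    for (int i = 0; i < n; i++) len += snprintf(hex + len, sizeof hex - len, "%s%02x", i ? " " : "", out[i]);
    return strcmp(hex, expect_hex) == 0;
}

int main(void)
{
    const char *lines[] = {"inc DWORD PTR [eax]", "mov [rbx+28],eax", "mov [rsp], ecx", "mov [rbp], eax"};
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        uint8_t out[16]; int n = assemble(lines[i], 1, out);
        printf("%-22s -> ", lines[i]);
        for (int j = 0; j < n; j++) printf("%02x ", out[j]);
        printf(n < 0 ? "(unsupported)\n" : "\n");
    }
    return 0;
}
```

Anything outside the subset (other mnemonics, a 64-bit source register that would need REX.W, index registers, r8..r15) is rejected with -1 rather than guessed. The point of the toy is the handful of encoding rules, not coverage: a real tool should pass the parsed operands to ZydisEncoderEncodeInstruction instead of growing this by hand.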

chrisjd20 commented 2 years ago

Sounds like you are probably onto something (I'm just being too air-brained to connect the dots). I'll have to revisit that later when I have some more time to sink my teeth into it.

injertao commented 1 year ago

I just need it. Is there a solution?