diStorm3 Package Description
diStorm is a lightweight, easy-to-use and fast decomposer (disassembler) library. It disassembles x86 instructions in 16-, 32- and 64-bit modes and supports the FPU, MMX, SSE, SSE2, SSE3, SSSE3, SSE4, 3DNow! (with extensions), x86-64, VMX, AMD SVM and AVX instruction sets. The output of the newer diStorm interface is a structure that can describe any x86 instruction; that structure can later be formatted into text for display. diStorm is written in C and, for rapid use, also ships wrappers for Python, Ruby and Java; the project bills it as the fastest disassembler library. The source code is clean, readable, portable and platform independent (both little- and big-endian hosts are supported). diStorm depends only on the C library, so it can be used in embedded code or kernel modules. Note that diStorm3 is backward compatible with the diStorm64 interface, but make sure you use the newest header files.
Source: https://code.google.com/p/distorm/
diStorm3 Homepage | Kali diStorm3 Repo
- Author: Gil Dabah
- License: GPLv3
diStorm3 Usage Example
Disassemble a staged reverse shell generated by msfpayload. Note that the output below starts with the bytes 7f 45 4c 46 ("\x7fELF"), so what is being decoded at offset 0x100 is the ELF header of the generated executable, not the shellcode, and it is decoded in 16-bit mode; to see the payload itself, decode the bytes at the entry point (here e_entry = 0x08048054, stored little-endian at file offset 0x18) with Decode32Bits:
root@kali:~# python
Python 2.7.3 (default, Mar 13 2014, 11:03:55)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from distorm3 import Decode, Decode16Bits, Decode32Bits, Decode64Bits
>>> l = Decode(0x100, open("stagedrev.bin", "rb").read(), Decode16Bits)
>>> for i in l:
...     print "0x%08x (%02x) %-20s %s" % (i[0], i[1], i[3], i[2])
...
0x00000100 (02) 7f45 JG 0x147
0x00000102 (01) 4c DEC SP
0x00000103 (01) 46 INC SI
0x00000104 (02) 0101 ADD [BX+DI], AX
0x00000106 (02) 0100 ADD [BX+SI], AX
0x00000108 (02) 0000 ADD [BX+SI], AL
0x0000010a (02) 0000 ADD [BX+SI], AL
0x0000010c (02) 0000 ADD [BX+SI], AL
0x0000010e (02) 0000 ADD [BX+SI], AL
0x00000110 (02) 0200 ADD AL, [BX+SI]
0x00000112 (02) 0300 ADD AX, [BX+SI]
0x00000114 (02) 0100 ADD [BX+SI], AX
0x00000116 (02) 0000 ADD [BX+SI], AL
0x00000118 (01) 54 PUSH SP
0x00000119 (03) 800408 ADD BYTE [SI], 0x8
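Added example, not code from this page or from the diStorm project: the listing above hands the whole file to Decode in 16-bit mode, so the instructions shown are really the ELF header (7f 45 4c 46 = "\x7fELF") rather than the reverse shell. The Python 3 code below reads the ELF header first, picks Decode32Bits or Decode64Bits from EI_CLASS, maps e_entry to a file offset through the PT_LOAD program headers, and only then calls distorm3.Decode; it also handles a truncated header such as the 0x1c bytes visible in the listing. The ELF image it builds is constructed for the example (the page's header bytes completed with one PT_LOAD segment and a harmless exit stub, not the actual payload); everything except the final distorm3 call uses only the standard library, and the function names are my own.

```python
"""Added example (not the diStorm3 page's or project's code): parse the ELF
header before disassembling so distorm3 sees the payload, not the header."""
import struct

ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
PT_LOAD = 1
FIELDS = ("e_type", "e_machine", "e_version", "e_entry", "e_phoff", "e_shoff",
          "e_flags", "e_ehsize", "e_phentsize", "e_phnum", "e_shentsize",
          "e_shnum", "e_shstrndx")

# The 0x1c bytes shown in the page's listing (file offsets 0x00-0x1b).
PAGE_PREFIX = bytes.fromhex(
    "7f454c46" "01010100" "0000000000000000" "02000300" "01000000" "54800408")

# Constructed stand-in payload: xor eax,eax; inc eax; xor ebx,ebx; int 0x80
# (exit(0)).  It is NOT the reverse shell from the page.
STUB_PAYLOAD = bytes.fromhex("31c0" "40" "31db" "cd80")


def build_sample_elf32(payload=STUB_PAYLOAD):
    """Constructed ELF32 image: the page's header bytes completed with one
    RWX PT_LOAD segment mapped at 0x08048000 and the payload at offset 0x54."""
    ehdr = (b"\x7fELF" + bytes([ELFCLASS32, ELFDATA2LSB, 1, 0]) + b"\x00" * 8 +
            struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048054, 0x34, 0, 0,
                        0x34, 0x20, 1, 0, 0, 0))
    size = 0x34 + 0x20 + len(payload)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, 0x08048000, 0x08048000,
                       size, size, 7, 0x1000)
    return ehdr + phdr + payload


def parse_elf_header(data):
    """ELF header fields as a dict; ValueError on non-ELF input.  'complete'
    is False when only type/machine/version/entry fit (truncated input)."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (ELFCLASS32, ELFCLASS64) or ei_data not in (1, 2):
        raise ValueError("unsupported EI_CLASS/EI_DATA")
    end = "<" if ei_data == ELFDATA2LSB else ">"
    short = end + ("HHII" if ei_class == ELFCLASS32 else "HHIQ")
    full = end + ("HHIIIIIHHHHHH" if ei_class == ELFCLASS32 else "HHIQQQIHHHHHH")
    if len(data) < 16 + struct.calcsize(short):
        raise ValueError("truncated ELF header")
    hdr = {"ei_class": ei_class, "ei_data": ei_data}
    hdr.update(zip(FIELDS[:4], struct.unpack_from(short, data, 16)))
    hdr["complete"] = len(data) >= 16 + struct.calcsize(full)
    if hdr["complete"]:
        hdr.update(zip(FIELDS, struct.unpack_from(full, data, 16)))
    return hdr


def entry_file_offset(data, hdr=None):
    """Map e_entry to a file offset via the PT_LOAD segment that contains it."""
    hdr = hdr or parse_elf_header(data)
    if not hdr["complete"]:
        raise ValueError("ELF header truncated; program headers unreachable")
    end = "<" if hdr["ei_data"] == ELFDATA2LSB else ">"
    if hdr["ei_class"] == ELFCLASS32:
        fmt, idx = end + "IIIIIIII", (0, 1, 2, 4)  # p_type, p_offset, p_vaddr, p_filesz
    else:
        fmt, idx = end + "IIQQQQQQ", (0, 2, 3, 5)  # ELF64 stores p_flags second
    for i in range(hdr["e_phnum"]):
        off = hdr["e_phoff"] + i * hdr["e_phentsize"]
        if off + struct.calcsize(fmt) > len(data):
            raise ValueError("program header table out of bounds")
        ph = struct.unpack_from(fmt, data, off)
        p_type, p_offset, p_vaddr, p_filesz = (ph[j] for j in idx)
        if p_type == PT_LOAD and p_vaddr <= hdr["e_entry"] < p_vaddr + p_filesz:
            return hdr["e_entry"] - p_vaddr + p_offset
    raise ValueError("entry point is not inside any PT_LOAD segment")


def decode_mode_name(hdr):
    """distorm3 decode mode implied by EI_CLASS (never Decode16Bits for ELF)."""
    return "Decode32Bits" if hdr["ei_class"] == ELFCLASS32 else "Decode64Bits"


def disassemble_entry(data, max_bytes=None):
    """distorm3.Decode() from the entry point; returns distorm3's
    (offset, size, text, hex) tuples, or None if distorm3 is not installed."""
    try:
        import distorm3
    except ImportError:
        return None
    hdr = parse_elf_header(data)
    start = entry_file_offset(data, hdr)
    stop = len(data) if max_bytes is None else start + max_bytes
    return distorm3.Decode(hdr["e_entry"], data[start:stop],
                           getattr(distorm3, decode_mode_name(hdr)))


if __name__ == "__main__":
    image = build_sample_elf32()
    hdr = parse_elf_header(image)
    print("EI_CLASS=%d e_entry=0x%08x -> %s at file offset 0x%x" % (
        hdr["ei_class"], hdr["e_entry"], decode_mode_name(hdr),
        entry_file_offset(image, hdr)))
    for insn in disassemble_entry(image) or []:
        print("0x%08x (%02x) %-20s %s" % (insn[0], insn[1], insn[3], insn[2]))
```

Run against a real msfpayload ELF by replacing build_sample_elf32() with open("stagedrev.bin", "rb").read(); the same header walk then yields the correct mode and the file offset of the stage, and the listing starts at the payload instead of at "JG 0x147".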