Example #1
        public static unsafe DecomposedResult Decompose(CodeInfo nci, int maxInstructions)
            CodeInfoStruct *ci = null;
            DecomposedInstructionStruct *insts = null;
            var gch = new GCHandle();
            var usedInstructionsCount = 0;

            try {
                if ((ci = AcquireCodeInfoStruct(nci, out gch)) == null)
                    throw new OutOfMemoryException();

                var dr = new DecomposedResult(maxInstructions);

                distorm_decompose64(ci, dr.InstructionsPointer, maxInstructions, &usedInstructionsCount);
                dr.UsedInstructions = usedInstructionsCount;
                if (gch.IsAllocated)
                if (ci != null)
Example #2
    private static unsafe void Main(string[] args)
      var buf = new byte[4];
      buf[0] = (byte) 0xc3;
      buf[1] = (byte) 0x33;
      buf[2] = (byte) 0xc0;
      buf[3] = (byte) 0xc3;
      var ci = new CodeInfo((long) 0x1000, buf, DecodeType.Decode32Bits, 0);
      var dr = new DecodedResult(10);
      diStorm3.Decode(ci, dr);

      foreach (var x in dr.Instructions) {
        var s = String.Format("{0:X} {1} {2}", x.Offset, x.Mnemonic, x.Operands);

      var dr2 = new DecomposedResult(10);
      diStorm3.Decompose(ci, dr2);

      foreach (var y in dr2.Instructions) {
        if (y.Opcode != Opcode.RET)
          var x = diStorm3.Format(ci, y);
          var s = String.Format("{0:X} {1} {2}", x.Offset, x.Mnemonic, x.Operands);

Example #3
        public static unsafe void Decompose(CodeInfo nci, DecomposedResult ndr)
            _CodeInfo *ci    = null;
            _DInst *   insts = null;
            var        gch   = new GCHandle();
            var        usedInstructionsCount = 0;

                if ((ci = AcquireCodeInfoStruct(nci, out gch)) == null)
                    throw new OutOfMemoryException();

                var maxInstructions = ndr.MaxInstructions;

                if ((insts = (_DInst *)Malloc(maxInstructions * sizeof(_DInst))) == null)
                    throw new OutOfMemoryException();

                distorm_decompose64(ci, insts, maxInstructions, &usedInstructionsCount);

                var dinsts = new DecomposedInst[usedInstructionsCount];

                for (var i = 0; i < usedInstructionsCount; i++)
                    var di = new DecomposedInst {
                        Address            = insts[i].addr,
                        Flags              = insts[i].flags,
                        Size               = insts[i].size,
                        _segment           = insts[i].segment,
                        Base               = insts[i].ibase,
                        Scale              = insts[i].scale,
                        Opcode             = (Opcode)insts[i].opcode,
                        UnusedPrefixesMask = insts[i].unusedPrefixesMask,
                        Meta               = insts[i].meta,
                        RegistersMask      = insts[i].usedRegistersMask,
                        ModifiedFlagsMask  = insts[i].modifiedFlagsMask,
                        TestedFlagsMask    = insts[i].testedFlagsMask,
                        UndefinedFlagsMask = insts[i].undefinedFlagsMask

                    /* Simple fields: */

                    /* Immediate variant. */
                    var immVariant = new DecomposedInst.ImmVariant {
                        Imm  = insts[i].imm.qword,
                        Size = 0
                    /* The size of the immediate is in one of the operands, if at all. Look for it below. Zero by default. */

                    /* Count operands. */
                    var operandsNo = 0;
                    for (operandsNo = 0; operandsNo < _DInst.OPERANDS_NO; operandsNo++)
                        if (insts[i].ops[operandsNo].type == OperandType.None)

                    var ops = new Operand[operandsNo];

                    for (var j = 0; j < operandsNo; j++)
                        if (insts[i].ops[j].type == OperandType.Imm)
                            /* Set the size of the immediate operand. */
                            immVariant.Size = insts[i].ops[j].size;

                        var op = new Operand {
                            Type  = insts[i].ops[j].type,
                            Index = insts[i].ops[j].index,
                            Size  = insts[i].ops[j].size

                        ops[j] = op;
                    di.Operands = ops;

                    /* Attach the immediate variant. */
                    di.Imm = immVariant;

                    /* Displacement variant. */
                    var disp = new DecomposedInst.DispVariant {
                        Displacement = insts[i].disp,
                        Size         = insts[i].dispSize

                    di.Disp   = disp;
                    dinsts[i] = di;

                ndr.Instructions = dinsts;
                if (gch.IsAllocated)
                if (ci != null)
                if (insts != null)
Example #4
        public static unsafe DecomposedResult Decompose(CodeInfo nci, int maxInstructions)
            CodeInfoStruct* ci = null;
              DecomposedInstructionStruct* insts = null;
              var gch = new GCHandle();
              var usedInstructionsCount = 0;

              try {
            if ((ci = AcquireCodeInfoStruct(nci, out gch)) == null)
              throw new OutOfMemoryException();

            var dr = new DecomposedResult(maxInstructions);

            distorm_decompose64(ci, dr.InstructionsPointer, maxInstructions, &usedInstructionsCount);
            dr.UsedInstructions = usedInstructionsCount;
            return dr;
            if (gch.IsAllocated)
            if (ci != null)
Example #5
    public static unsafe void Decompose(CodeInfo nci, DecomposedResult ndr)
	    _CodeInfo* ci = null;
      _DInst* insts = null;
      var gch = new GCHandle();
      var usedInstructionsCount = 0;

        if ((ci = AcquireCodeInfoStruct(nci, out gch)) == null)        
          throw new OutOfMemoryException();

        var maxInstructions = ndr.MaxInstructions;

        if ((insts = (_DInst*) Malloc(maxInstructions*sizeof (_DInst))) == null)
          throw new OutOfMemoryException();

        distorm_decompose64(ci, insts, maxInstructions, &usedInstructionsCount);

        var dinsts = new DecomposedInst[usedInstructionsCount];

        for (var i = 0; i < usedInstructionsCount; i++) {
          var di = new DecomposedInst {
            Address = insts[i].addr,
            Flags = insts[i].flags,
            Size = insts[i].size,
            _segment = insts[i].segment,
            Base = insts[i].ibase,
            Scale = insts[i].scale,
            Opcode = (Opcode) insts[i].opcode,
            UnusedPrefixesMask = insts[i].unusedPrefixesMask,
            Meta = insts[i].meta,
            RegistersMask = insts[i].usedRegistersMask,
            ModifiedFlagsMask = insts[i].modifiedFlagsMask,
            TestedFlagsMask = insts[i].testedFlagsMask,
            UndefinedFlagsMask = insts[i].undefinedFlagsMask

          /* Simple fields: */

          /* Immediate variant. */
          var immVariant = new DecomposedInst.ImmVariant {
            Imm = insts[i].imm.qword, 
            Size = 0
          /* The size of the immediate is in one of the operands, if at all. Look for it below. Zero by default. */

          /* Count operands. */
          var operandsNo = 0;
          for (operandsNo = 0; operandsNo < _DInst.OPERANDS_NO; operandsNo++)
            if (insts[i].ops[operandsNo].type == OperandType.None)

          var ops = new Operand[operandsNo];

          for (var j = 0; j < operandsNo; j++)
            if (insts[i].ops[j].type == OperandType.Imm) {
              /* Set the size of the immediate operand. */
              immVariant.Size = insts[i].ops[j].size;

            var op = new Operand {
              Type = insts[i].ops[j].type,
              Index = insts[i].ops[j].index,
              Size = insts[i].ops[j].size

            ops[j] = op;
          di.Operands = ops;

          /* Attach the immediate variant. */
          di.Imm = immVariant;

          /* Displacement variant. */
          var disp = new DecomposedInst.DispVariant {
            Displacement = insts[i].disp,
            Size = insts[i].dispSize

          di.Disp = disp;
          dinsts[i] = di;

        ndr.Instructions = dinsts;
        if (gch.IsAllocated)
        if (ci != null)
        if (insts != null)