Hello_User/XenonRecomp
1
0
Fork 0
mirror of https://github.com/hedge-dev/XenonRecomp.git synced 2025-07-25 22:43:55 +00:00
Code Issues Packages Projects Releases Wiki Activity

Initial Commit

Browse Source
This commit is contained in:
Sajid
2024-09-07 18:00:09 +06:00
commit 0f9a53f75a
3352 changed files with 1563708 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

202
thirdparty/capstone/bindings/vb6/Apache_2.0_License.txt vendored Normal file
View File

@@ -0,0 +1,202 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

153
thirdparty/capstone/bindings/vb6/CDisassembler.cls vendored Normal file
View File

@@ -0,0 +1,153 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CDisassembler"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
'NOTE: the VB code was built and tested against Capstone v3.0 rc4
' if the capstone C structures change, the VB code will have to
' be adjusted to match!
'
' instructions details are currently only implemented for x86
Public arch As cs_arch
Public mode As cs_mode
Public hCapstone As Long
Public hLib As Long
Public version As String
Public vMajor As Long
Public vMinor As Long
Public errMsg As String
Public lastErr As cs_err
Private Function CheckPath(pth As String) As Long
Dim hCap As Long, capPth As String, shimPth As String
shimPth = pth & "\vbCapstone.dll"
capPth = pth & "\capstone.dll"
If Not FileExists(shimPth) Then Exit Function
hCap = LoadLibrary(capPth)
If hCap = 0 Then hCap = LoadLibrary("capstone.dll")
If hCap = 0 Then errMsg = "Could not find capstone.dll"
CheckPath = LoadLibrary(shimPth)
'If CheckPath = 0 Then MsgBox Err.LastDllError
End Function
Public Function init(arch As cs_arch, mode As cs_mode, Optional enableDetails As Boolean = False) As Boolean
errMsg = Empty
hLib = GetModuleHandle("vbCapstone.dll")
If hLib = 0 Then hLib = CheckPath(App.path & "\bin\")
If hLib = 0 Then hLib = CheckPath(App.path & "\")
If hLib = 0 Then hLib = CheckPath(App.path & "\..\")
If hLib = 0 Then hLib = LoadLibrary("vbCapstone.dll")
If hLib = 0 Then
errMsg = errMsg & " Could not load vbCapstone.dll"
Exit Function
End If
Me.arch = arch
Me.mode = mode
cs_version vMajor, vMinor
version = vMajor & "." & vMinor
If cs_support(arch) = 0 Then
errMsg = "specified architecture not supported"
Exit Function
End If
Dim handle As Long 'in vb class a public var is actually a property get/set can not use as byref to api..
lastErr = cs_open(arch, mode, handle)
If lastErr <> CS_ERR_OK Then
errMsg = err2str(lastErr)
Exit Function
End If
hCapstone = handle
If enableDetails Then 'vb bindings currently only support details for x86
If arch = CS_ARCH_X86 Then
cs_option handle, CS_OPT_DETAIL, CS_OPT_ON
End If
End If
init = True
End Function
'base is a variant and currently accepts the following input types:
' x64 number held as currency type (ex. makeCur(&haabbccdd, &h11223344) )
' int/long value (ex. &h1000 or 12345)
' numeric string or 0x/&h prefixed hex string (ex. "12345", "0x1200", "&haabbccdd")
Function disasm(ByVal base, code() As Byte, Optional count As Long = 0) As Collection
Dim c As Long
Dim instAry As Long
Dim ret As New Collection
Dim ci As CInstruction
Dim i As Long
Dim address As Currency
On Error Resume Next
Set disasm = ret
If TypeName(base) = "Currency" Then
address = base
Else
If TypeName(base) = "String" Then base = Replace(Trim(base), "0x", "&h")
address = lng2Cur(CLng(base))
If Err.Number <> 0 Then
errMsg = "Could not convert base address to long"
Exit Function
End If
End If
c = cs_disasm(Me.hCapstone, code(0), UBound(code) + 1, address, count, instAry)
If c = 0 Then Exit Function
For i = 0 To c - 1
Set ci = New CInstruction
ci.LoadInstruction instAry, i, Me
ret.Add ci
Next
cs_free instAry, c
End Function
Private Sub Class_Terminate()
Dim msg As String
If DEBUG_DUMP Then
msg = "CDissembler.Terminate " & Hex(hCapstone)
If hCapstone <> 0 Then lastErr = cs_close(hCapstone)
Debug.Print msg & " : " & lastErr
End If
End Sub

119
thirdparty/capstone/bindings/vb6/CInstDetails.cls vendored Normal file
View File

@@ -0,0 +1,119 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CInstDetails"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
'Public Type cs_detail
' regs_read(0 To 15) As Byte ' list of implicit registers read by this insn UNSIGNED
' regs_read_count As Byte ' number of implicit registers read by this insn UNSIGNED
' regs_write(0 To 19) As Byte ' list of implicit registers modified by this insn UNSIGNED
' regs_write_count As Byte ' number of implicit registers modified by this insn UNSIGNED
' groups(0 To 7) As Byte ' list of group this instruction belong to UNSIGNED
' groups_count As Byte ' number of groups this insn belongs to UNSIGNED
'
' // Architecture-specific instruction info
' union {
' cs_x86 x86; // X86 architecture, including 16-bit, 32-bit & 64-bit mode
' cs_arm64 arm64; // ARM64 architecture (aka AArch64)
' cs_arm arm; // ARM architecture (including Thumb/Thumb2)
' cs_mips mips; // MIPS architecture
' cs_ppc ppc; // PowerPC architecture
' cs_sparc sparc; // Sparc architecture
' cs_sysz sysz; // SystemZ architecture
' cs_xcore xcore; // XCore architecture
' };
'} cs_detail;
Public regRead As New Collection
Public regWritten As New Collection
Public groups As New Collection
Public parent As CDisassembler
'this will be set to a class of the specific instruction info type by architecture..
Public info As Object
Private m_raw() As Byte
Function toString() As String
On Error Resume Next
Dim ret() As String
Dim v, tmp
push ret, "Instruction details: "
push ret, String(40, "-")
If DEBUG_DUMP Then
push ret, "Raw: "
push ret, HexDump(m_raw)
End If
push ret, "Registers Read: " & regRead.count & IIf(regRead.count > 0, " Values: " & col2Str(regRead), Empty)
push ret, "Registers Written: " & regWritten.count & IIf(regWritten.count > 0, " Values: " & col2Str(regWritten), Empty)
push ret, "Groups: " & groups.count & IIf(groups.count > 0, " Values: " & col2Str(groups), Empty)
'it is expected that each CXXInst class implements a toString() method..if not we catch the error anyway..
If Not info Is Nothing Then
push ret, info.toString()
End If
toString = Join(ret, vbCrLf)
End Function
Friend Sub LoadDetails(lpDetails As Long, parent As CDisassembler)
Dim cd As cs_detail
Dim i As Long
Dim x86 As CX86Inst
Set Me.parent = parent
'vbdef only contains up to the groups_count field..
CopyMemory ByVal VarPtr(cd), ByVal lpDetails, LenB(cd)
If DEBUG_DUMP Then
ReDim m_raw(LenB(cd))
CopyMemory ByVal VarPtr(m_raw(0)), ByVal lpDetails, LenB(cd)
End If
For i = 1 To cd.regs_read_count
regRead.Add cd.regs_read(i - 1)
Next
For i = 1 To cd.regs_write_count
regWritten.Add cd.regs_write(i - 1)
Next
For i = 1 To cd.groups_count
groups.Add cd.groups(i - 1)
Next
Const align = 5
'each arch needs its own CxxInstr class implemented here...
If parent.arch = CS_ARCH_X86 Then
Set x86 = New CX86Inst
x86.LoadDetails lpDetails + LenB(cd) + align, parent
Set info = x86
End If
End Sub

133
thirdparty/capstone/bindings/vb6/CInstruction.cls vendored Normal file
View File

@@ -0,0 +1,133 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CInstruction"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
'Public Type cs_insn
' ' Instruction ID (basically a numeric ID for the instruction mnemonic)
' ' Find the instruction id in the '[ARCH]_insn' enum in the header file
' ' of corresponding architecture, such as 'arm_insn' in arm.h for ARM,
' ' 'x86_insn' in x86.h for X86, etc...
' ' available even when CS_OPT_DETAIL = CS_OPT_OFF
' ' NOTE: in Skipdata mode, "data" instruction has 0 for this id field. UNSIGNED
' id As Long '
' align As Long 'not sure why it needs this..but it does..
' address As Currency ' Address (EIP) of this instruction available even when CS_OPT_DETAIL = CS_OPT_OFF UNSIGNED
' size As Integer ' Size of this instruction available even when CS_OPT_DETAIL = CS_OPT_OFF UNSIGNED
' bytes(0 To 23) As Byte ' Machine bytes of this instruction, with number of bytes indicated by @size above available even when CS_OPT_DETAIL = CS_OPT_OFF
' mnemonic(0 To 31) As Byte ' Ascii text of instruction mnemonic available even when CS_OPT_DETAIL = CS_OPT_OFF
' op_str(0 To 159) As Byte ' Ascii text of instruction operands available even when CS_OPT_DETAIL = CS_OPT_OFF
'
' ' Pointer to cs_detail.
' ' NOTE: detail pointer is only valid when both requirements below are met:
' ' (1) CS_OP_DETAIL = CS_OPT_ON
' ' (2) Engine is not in Skipdata mode (CS_OP_SKIPDATA option set to CS_OPT_ON)
' ' NOTE 2: when in Skipdata mode, or when detail mode is OFF, even if this pointer
' ' is not NULL, its content is still irrelevant.
' lpDetail As Long ' points to a cs_detail structure NOTE: only available when CS_OPT_DETAIL = CS_OPT_ON
'
'End Type
Public ID As Long
Public address As Currency
Public size As Long
Private m_bytes() As Byte
Public instruction As String
Public operand As String
Public lpDetails As Long
Public parent As CDisassembler
Public details As CInstDetails 'may be null
Property Get bytes() As Byte()
bytes = Me.bytes()
End Property
Property Get byteDump(Optional padding = 15) As String
Dim b As String, i As Long
For i = 0 To UBound(m_bytes)
b = b & hhex(m_bytes(i)) & " "
Next
byteDump = rpad(b, padding)
End Property
Property Get text() As String
text = cur2str(address) & " " & byteDump & " " & instruction & " " & operand
End Property
Function toString() As String
Dim r() As String
push r, "CInstruction: "
push r, String(40, "-")
push r, "Id: " & Hex(ID)
push r, "address: " & cur2str(address)
push r, "size: " & Hex(size)
push r, "bytes: " & byteDump()
push r, "instruction: " & instruction
push r, "operand: " & operand
push r, "lpDetails: " & Hex(lpDetails)
If Not details Is Nothing Then
push r, details.toString()
End If
toString = Join(r, vbCrLf)
End Function
Friend Sub LoadInstruction(instAry As Long, index As Long, parent As CDisassembler)
Dim inst As cs_insn
Dim i As Long
getInstruction instAry, index, VarPtr(inst), LenB(inst)
ID = inst.ID
address = inst.address
size = inst.size
lpDetails = inst.lpDetail
Set Me.parent = parent
m_bytes() = inst.bytes
ReDim Preserve m_bytes(size - 1)
For i = 0 To UBound(inst.mnemonic)
If inst.mnemonic(i) = 0 Then Exit For
instruction = instruction & Chr(inst.mnemonic(i))
Next
For i = 0 To UBound(inst.op_str)
If inst.op_str(i) = 0 Then Exit For
operand = operand & Chr(inst.op_str(i))
Next
If lpDetails = 0 Then Exit Sub
Set details = New CInstDetails
details.LoadDetails lpDetails, parent
End Sub

197
thirdparty/capstone/bindings/vb6/CX86Inst.cls vendored Normal file
View File

@@ -0,0 +1,197 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CX86Inst"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
'// Instruction structure sizeof() = 432 bytes
'typedef struct cs_x86 {
' // Instruction prefix, which can be up to 4 bytes.
' // A prefix byte gets value 0 when irrelevant.
' // prefix[0] indicates REP/REPNE/LOCK prefix (See X86_PREFIX_REP/REPNE/LOCK above)
' // prefix[1] indicates segment override (irrelevant for x86_64):
' // See X86_PREFIX_CS/SS/DS/ES/FS/GS above.
' // prefix[2] indicates operand-size override (X86_PREFIX_OPSIZE)
' // prefix[3] indicates address-size override (X86_PREFIX_ADDRSIZE)
' uint8_t prefix[4];
'
' // Instruction opcode, which can be from 1 to 4 bytes in size.
' // This contains VEX opcode as well.
' // An trailing opcode byte gets value 0 when irrelevant.
' uint8_t opcode[4];
'
' // REX prefix: only a non-zero value is relevant for x86_64
' uint8_t rex;
'
' // Address size, which can be overrided with above prefix[5].
' uint8_t addr_size;
'
' // ModR/M byte
' uint8_t modrm;
'
' // SIB value, or 0 when irrelevant.
' uint8_t sib;
'
' // Displacement value, or 0 when irrelevant.
' int32_t disp;
'
' /* SIB state */
' // SIB index register, or X86_REG_INVALID when irrelevant.
' x86_reg sib_index;
' // SIB scale. only applicable if sib_index is relevant.
' int8_t sib_scale;
' // SIB base register, or X86_REG_INVALID when irrelevant.
' x86_reg sib_base;
'
' // SSE Code Condition
' x86_sse_cc sse_cc;
'
' // AVX Code Condition
' x86_avx_cc avx_cc;
'
' // AVX Suppress all Exception
' bool avx_sae;
'
' // AVX static rounding mode
' x86_avx_rm avx_rm;
'
' // Number of operands of this instruction,
' // or 0 when instruction has no operand.
' uint8_t op_count;
'
' cs_x86_op operands[8]; // operands for this instruction.
'} cs_x86;
Private m_prefix() As Byte
Private m_opcode() As Byte
Public rex As Byte
Public addr_size As Byte
Public modrm As Byte
Public sib As Byte
Public disp As Long
Public sib_index As x86_reg
Public sib_scale As Byte
Public sib_base As x86_reg
Public sse_cc As x86_sse_cc
Public avx_cc As x86_avx_cc
Public avx_sae As Boolean
Public avx_rm As x86_avx_rm
Public operands As New Collection
Public parent As CDisassembler
Private hEngine As Long
Private m_raw() As Byte
Property Get prefix() As Byte()
prefix = m_prefix
End Property
Property Get opcode() As Byte()
opcode = m_opcode
End Property
Function toString() As String
Dim r() As String
Dim o As CX86Operand
push r, "X86 Instruction Details:"
push r, String(40, "-")
If DEBUG_DUMP Then
push r, "Raw: "
push r, HexDump(m_raw)
End If
push r, "Prefix: " & b2Str(m_prefix)
push r, "OpCode: " & b2Str(m_opcode)
push r, "Rex: " & rex
push r, "addr_size: " & addr_size
push r, "modrm: " & Hex(modrm)
push r, "disp: " & Hex(disp)
If parent.mode <> CS_MODE_16 Then
push r, "sib: " & Hex(sib)
push r, "sib_index: " & regName(hEngine, sib_index)
push r, "sib_scale: " & Hex(sib_scale)
push r, "sib_base: " & regName(hEngine, sib_base)
End If
If sse_cc <> 0 Then push r, "sse_cc: " & x86_sse_cc2str(sse_cc)
If avx_cc <> 0 Then push r, "avx_cc: " & x86_avx_cc2str(avx_cc)
If avx_sae <> 0 Then push r, "avx_sae: " & avx_sae
If avx_rm <> 0 Then push r, "avx_rm: " & x86_avx_rm2str(avx_rm)
push r, "Operands: " & operands.count
For Each o In operands
push r, String(40, "-")
push r, o.toString
Next
toString = Join(r, vbCrLf)
End Function
Friend Sub LoadDetails(lpStruct As Long, parent As CDisassembler)
Dim cs As cs_x86
Dim o As CX86Operand
Dim ptr As Long
Dim i As Long
Const sizeOfx86Operand = 48
Set Me.parent = parent
hEngine = parent.hCapstone
CopyMemory ByVal VarPtr(cs), ByVal lpStruct, LenB(cs)
If DEBUG_DUMP Then
ReDim m_raw(LenB(cs))
CopyMemory ByVal VarPtr(m_raw(0)), ByVal lpStruct, LenB(cs)
End If
Me.rex = cs.rex
Me.addr_size = cs.addr_size
Me.modrm = cs.modrm
Me.sib = cs.sib
Me.disp = cs.disp
Me.sib_index = cs.sib_index
Me.sib_scale = cs.sib_scale
Me.sib_base = cs.sib_base
Me.sse_cc = cs.sse_cc
Me.avx_cc = cs.avx_cc
Me.avx_sae = cs.avx_sae
Me.avx_rm = cs.avx_rm
m_prefix = cs.prefix
m_opcode = cs.opcode
ptr = lpStruct + LenB(cs) 'we don't include the operands in our vb struct..
For i = 1 To cs.op_count
Set o = New CX86Operand
o.LoadDetails ptr, hEngine
operands.Add o
ptr = ptr + sizeOfx86Operand
Next
End Sub

28
thirdparty/capstone/bindings/vb6/CX86OpMem.cls vendored Normal file
View File

@@ -0,0 +1,28 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CX86OpMem"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
Public segment As Long ' segment register (or X86_REG_INVALID if irrelevant) UNSIGNED
Public base As Long ' base register (or X86_REG_INVALID if irrelevant) UNSIGNED
Public index As Long ' index register (or X86_REG_INVALID if irrelevant) UNSIGNED
Public scale_ As Long ' scale for index register
Public disp As Currency ' displacement value

202
thirdparty/capstone/bindings/vb6/CX86Operand.cls vendored Normal file
View File

@@ -0,0 +1,202 @@
VERSION 1.0 CLASS
BEGIN
MultiUse = -1 'True
Persistable = 0 'NotPersistable
DataBindingBehavior = 0 'vbNone
DataSourceBehavior = 0 'vbNone
MTSTransactionMode = 0 'NotAnMTSObject
END
Attribute VB_Name = "CX86Operand"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
'// Instruction operand sizeof() reports 48 bytes
'typedef struct cs_x86_op {
' x86_op_type type; // operand type
'
' union {
' x86_reg reg; // register value for REG operand
' int64_t imm; // immediate value for IMM operand
' double fp; // floating point value for FP operand
' x86_op_mem mem; // base/index/scale/disp value for MEM operand (24bytes max)
' };
'
' // size of this operand (in bytes).
' uint8_t size;
'
' // AVX broadcast type, or 0 if irrelevant
' x86_avx_bcast avx_bcast;
'
' // AVX zero opmask {z}
' bool avx_zero_opmask;
'} cs_x86_op;
'Instruction's operand referring to memory
'This is associated with X86_OP_MEM operand type above
'Public Type x86_op_mem
' segment As Long ' segment register (or X86_REG_INVALID if irrelevant) UNSIGNED
' base As Long ' base register (or X86_REG_INVALID if irrelevant) UNSIGNED
' index As Long ' index register (or X86_REG_INVALID if irrelevant) UNSIGNED
' scale As Long ' scale for index register
' disp As Currency ' displacement value
'End Type
'this shows the alignment padding used by compiler..
' cs_x86_op op;
' op.type = (x86_op_type)1;
' op.reg = (x86_reg)2;
' op.avx_bcast = (x86_avx_bcast)3;
' op.avx_zero_opmask = 4;
' op.size = 0xaa;
' printf("&cs_x86_op = %x", &op);
' _asm int 3
'
'
'0x0012FF34 01 00 00 00 cc cc cc cc 02 00 00 00 cc cc cc cc ....<2E><><EFBFBD><EFBFBD>....<2E><><EFBFBD><EFBFBD>
'0x0012FF44 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
'0x0012FF54 aa cc cc cc 03 00 00 00 01 cc cc cc cc cc cc cc <20><><EFBFBD><EFBFBD>.....<2E><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Public optype As x86_op_type
Public size As Byte
Public avx_bcast As x86_avx_bcast
Public avx_zero_opmask As Boolean
'only one of the following will be set based on type
Public reg As x86_reg
Public fp As Currency
Public imm As Currency
Public mem As CX86OpMem
Private hEngine As Long
Private m_raw() As Byte
Function toString() As String
Dim ret() As String
push ret, "X86 Operand:"
push ret, String(45, "-")
If DEBUG_DUMP Then
push ret, "Raw: "
push ret, HexDump(m_raw)
End If
push ret, "Type: " & opStr()
push ret, "Size: " & size
If avx_bcast <> 0 Then push ret, "BCast: " & bcastStr()
If avx_zero_opmask Then push ret, "AvxOpMask: " & avx_zero_opmask
If optype = X86_OP_FP Then
push ret, "FP: " & cur2str(fp)
ElseIf optype = X86_OP_IMM Then
push ret, "IMM: " & cur2str(imm)
ElseIf optype = x86_op_mem Then
If mem.base <> 0 Then push ret, "Base: " & regName(hEngine, mem.base)
If mem.index <> 0 Then push ret, "Index: " & regName(hEngine, mem.index)
If mem.scale_ <> 1 Then push ret, "Scale: " & Hex(mem.scale_)
If mem.segment <> 0 Then push ret, "Seg: " & regName(hEngine, mem.segment)
If mem.disp <> 0 Then push ret, "Disp: " & cur2str(mem.disp)
ElseIf optype = X86_OP_REG Then
push ret, "Reg: " & regName(hEngine, reg)
End If
toString = Join(ret, vbCrLf)
End Function
Function opStr() As String
If optype = X86_OP_FP Then opStr = "X86_OP_FP"
If optype = x86_op_mem Then opStr = "x86_op_mem"
If optype = X86_OP_IMM Then opStr = "X86_OP_IMM"
If optype = X86_OP_REG Then opStr = "X86_OP_REG"
If optype = X86_OP_INVALID Then opStr = "X86_OP_INVALID"
If Len(opStr) = 0 Then
opStr = "Error: " & Hex(optype)
ElseIf DEBUG_DUMP Then
opStr = opStr & " (" & Hex(optype) & ")"
End If
End Function
Function bcastStr() As String
Dim r As String
If avx_bcast = X86_AVX_BCAST_INVALID Then r = "X86_AVX_BCAST_INVALID"
If avx_bcast = X86_AVX_BCAST_2 Then r = "X86_AVX_BCAST_2"
If avx_bcast = X86_AVX_BCAST_4 Then r = "X86_AVX_BCAST_4"
If avx_bcast = X86_AVX_BCAST_8 Then r = "X86_AVX_BCAST_8"
If avx_bcast = X86_AVX_BCAST_16 Then r = "X86_AVX_BCAST_16"
If Len(r) = 0 Then
r = "Unknown: " & Hex(avx_bcast)
ElseIf DEBUG_DUMP Then
r = r & " (" & Hex(avx_bcast) & ")"
End If
bcastStr = r
End Function
Friend Sub LoadDetails(lpStruct As Long, hCapstone As Long)
Dim opMem As x86_op_mem
Dim ptr As Long
Const align4 = 4
Const align3 = 3
hEngine = hCapstone
If DEBUG_DUMP Then
ReDim m_raw(48)
CopyMemory ByVal VarPtr(m_raw(0)), ByVal lpStruct, 48
End If
optype = readLng(lpStruct)
ptr = lpStruct + 4 + align4
If optype = X86_OP_FP Then
fp = readCur(ptr)
ElseIf optype = X86_OP_IMM Then
imm = readCur(ptr)
ElseIf optype = x86_op_mem Then
CopyMemory ByVal VarPtr(opMem), ByVal ptr, LenB(opMem)
Set mem = New CX86OpMem
mem.base = opMem.base
mem.disp = opMem.disp
mem.index = opMem.index
mem.scale_ = opMem.scale
mem.segment = opMem.segment
ElseIf optype = X86_OP_REG Then
reg = readLng(ptr)
End If
ptr = ptr + LenB(opMem)
size = readByte(ptr)
ptr = ptr + 1 + align3
avx_bcast = readLng(ptr)
ptr = ptr + 4
avx_zero_opmask = (readByte(ptr) = 1)
End Sub
Private Sub Class_Terminate()
'looks like everything is freeing up ok
'Debug.Print "Cx86Operand.Terminate"
End Sub

275
thirdparty/capstone/bindings/vb6/Form1.frm vendored Normal file
View File

@@ -0,0 +1,275 @@
VERSION 5.00
Object = "{831FDD16-0C5C-11D2-A9FC-0000F8754DA1}#2.0#0"; "MSCOMCTL.OCX"
Begin VB.Form Form1
Caption = "VB6 Bindings for Capstone Disassembly Engine - Contributed by FireEye FLARE Team"
ClientHeight = 7290
ClientLeft = 60
ClientTop = 345
ClientWidth = 10275
LinkTopic = "Form1"
ScaleHeight = 7290
ScaleWidth = 10275
StartUpPosition = 2 'CenterScreen
Begin VB.CommandButton Command2
Caption = "Save"
Height = 375
Left = 8760
TabIndex = 8
Top = 120
Width = 1455
End
Begin VB.CommandButton Command1
Caption = " Arm 64"
Height = 375
Index = 4
Left = 6840
TabIndex = 7
Top = 120
Width = 1455
End
Begin VB.CommandButton Command1
Caption = "Arm"
Height = 375
Index = 3
Left = 5160
TabIndex = 6
Top = 120
Width = 1455
End
Begin VB.CommandButton Command1
Caption = "x86 64bit"
Height = 375
Index = 2
Left = 3480
TabIndex = 5
Top = 120
Width = 1455
End
Begin VB.CommandButton Command1
Caption = "x86 16bit"
Height = 375
Index = 0
Left = 120
TabIndex = 4
Top = 120
Width = 1455
End
Begin VB.CommandButton Command1
Caption = "x86 32bit"
Height = 375
Index = 1
Left = 1800
TabIndex = 3
Top = 120
Width = 1455
End
Begin MSComctlLib.ListView lv
Height = 2415
Left = 120
TabIndex = 2
Top = 1440
Width = 10095
_ExtentX = 17806
_ExtentY = 4260
View = 3
LabelEdit = 1
LabelWrap = -1 'True
HideSelection = 0 'False
FullRowSelect = -1 'True
_Version = 393217
ForeColor = -2147483640
BackColor = -2147483643
BorderStyle = 1
Appearance = 1
BeginProperty Font {0BE35203-8F91-11CE-9DE3-00AA004BB851}
Name = "Courier"
Size = 9.75
Charset = 0
Weight = 400
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
NumItems = 1
BeginProperty ColumnHeader(1) {BDD1F052-858B-11D1-B16A-00C0F0283628}
Object.Width = 2540
EndProperty
End
Begin VB.ListBox List1
BeginProperty Font
Name = "Courier"
Size = 9.75
Charset = 0
Weight = 400
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
Height = 840
Left = 120
TabIndex = 1
Top = 600
Width = 10095
End
Begin VB.TextBox Text1
BeginProperty Font
Name = "Courier"
Size = 9.75
Charset = 0
Weight = 400
Underline = 0 'False
Italic = 0 'False
Strikethrough = 0 'False
EndProperty
Height = 3375
Left = 120
MultiLine = -1 'True
ScrollBars = 3 'Both
TabIndex = 0
Text = "Form1.frx":0000
Top = 3840
Width = 10095
End
End
Attribute VB_Name = "Form1"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
Dim cap As CDisassembler
Dim lastSample As Long
Private Sub Command1_Click(index As Integer)
Dim code() As Byte, arch As cs_arch, mode As cs_mode
lastSample = index
Const x86_code32 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6"
Const X86_CODE16 As String = "\x8d\x4c\x32\x08\x01\xd8\x81\xc6\x34\x12\x00\x00\x05\x23\x01\x00\x00\x36\x8b\x84\x91\x23\x01\x00\x00\x41\x8d\x84\x39\x89\x67\x00\x00\x8d\x87\x89\x67\x00\x00\xb4\xc6"
Const X86_CODE64 As String = "\x55\x48\x8b\x05\xb8\x13\x00\x00"
Const ARM_CODE As String = "\xED\xFF\xFF\xEB\x04\xe0\x2d\xe5\x00\x00\x00\x00\xe0\x83\x22\xe5\xf1\x02\x03\x0e\x00\x00\xa0\xe3\x02\x30\xc1\xe7\x00\x00\x53\xe3\x00\x02\x01\xf1\x05\x40\xd0\xe8\xf4\x80\x00\x00"
Const ARM64_CODE As String = "\x09\x00\x38\xd5\xbf\x40\x00\xd5\x0c\x05\x13\xd5\x20\x50\x02\x0e\x20\xe4\x3d\x0f\x00\x18\xa0\x5f\xa2\x00\xae\x9e\x9f\x37\x03\xd5\xbf\x33\x03\xd5\xdf\x3f\x03\xd5\x21\x7c\x02\x9b\x21\x7c\x00\x53\x00\x40\x21\x4b\xe1\x0b\x40\xb9\x20\x04\x81\xda\x20\x08\x02\x8b\x10\x5b\xe8\x3c"
Select Case index
Case 0:
arch = CS_ARCH_X86
mode = CS_MODE_16
code = toBytes(X86_CODE16)
Case 1:
arch = CS_ARCH_X86
mode = CS_MODE_32
code = toBytes(x86_code32)
Case 2:
arch = CS_ARCH_X86
mode = CS_MODE_64
code = toBytes(X86_CODE64)
Case 3:
arch = CS_ARCH_ARM
mode = CS_MODE_ARM
code = toBytes(ARM_CODE)
Case 4:
arch = CS_ARCH_ARM64
mode = CS_MODE_ARM
code = toBytes(ARM64_CODE)
End Select
test code, arch, mode
End Sub
Private Sub test(code() As Byte, arch As cs_arch, mode As cs_mode)
Dim ret As Collection
Dim ci As CInstruction
Dim li As ListItem
clearForm
If Not cap Is Nothing Then Set cap = Nothing
Set cap = New CDisassembler
If Not cap.init(arch, mode, True) Then
List1.AddItem "Failed to init engine: " & cap.errMsg
Exit Sub
End If
List1.AddItem "Capstone loaded @ 0x" & Hex(cap.hLib)
List1.AddItem "hEngine: 0x" & Hex(cap.hCapstone)
List1.AddItem "Version: " & cap.version
If cap.vMajor < 3 Then
List1.AddItem "Sample requires Capstone v3+"
Exit Sub
End If
Set ret = cap.disasm(&H1000, code)
For Each ci In ret
Set li = lv.ListItems.Add(, , ci.text)
Set li.Tag = ci
Next
End Sub
Private Sub Command2_Click()
Dim fName() As String
Dim fPath As String
Dim t() As String
Dim li As ListItem
Dim ci As CInstruction
On Error Resume Next
If lastSample = -1 Then
MsgBox "Run a test first..."
Exit Sub
End If
fName = Split("16b,32b,64b,Arm,Arm64", ",")
fPath = App.path & "\vb" & fName(lastSample) & "Test.txt"
If FileExists(fPath) Then Kill fPath
For Each li In lv.ListItems
push t, li.text
Set ci = li.Tag
push t, ci.toString()
push t, String(60, "-")
Next
WriteFile fPath, Join(t, vbCrLf)
MsgBox FileLen(fPath) & " bytes saved to: " & vbCrLf & vbCrLf & fPath
End Sub
Private Sub lv_ItemClick(ByVal Item As MSComctlLib.ListItem)
Dim ci As CInstruction
Set ci = Item.Tag
Text1 = ci.toString()
End Sub
Function clearForm()
List1.Clear
lv.ListItems.Clear
Text1 = Empty
End Function
Private Sub Form_Load()
lv.ColumnHeaders(1).Width = lv.Width
clearForm
lastSample = -1
End Sub

1
thirdparty/capstone/bindings/vb6/Form1.frx vendored Normal file
View File

@@ -0,0 +1 @@
Text1

635
thirdparty/capstone/bindings/vb6/Module1.bas vendored Normal file
View File

@@ -0,0 +1,635 @@
Attribute VB_Name = "mCapStone"
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
'License: Apache 2.0
'Copyright: FireEye 2017
'todo: cs_disasm_iter / skipdata
'this is for my vb code and how much info it spits out in tostring methods..
Global Const DEBUG_DUMP = 0
'Architecture type
Public Enum cs_arch
CS_ARCH_ARM = 0 ' ARM architecture (including Thumb, Thumb-2)
CS_ARCH_ARM64 ' ARM-64, also called AArch64
CS_ARCH_MIPS ' Mips architecture
CS_ARCH_X86 ' X86 architecture (including x86 & x86-64)
CS_ARCH_PPC ' PowerPC architecture
CS_ARCH_SPARC ' Sparc architecture
CS_ARCH_SYSZ ' SystemZ architecture
CS_ARCH_XCORE ' XCore architecture
CS_ARCH_MAX
CS_ARCH_ALL = &HFFFF ' All architectures - for cs_support()
End Enum
Public Enum cs_mode
CS_MODE_LITTLE_ENDIAN = 0 ' little-endian mode (default mode)
CS_MODE_ARM = 0 ' 32-bit ARM
CS_MODE_16 = 2 ' 16-bit mode (X86)
CS_MODE_32 = 4 ' 32-bit mode (X86)
CS_MODE_64 = 8 ' 64-bit mode (X86, PPC)
CS_MODE_THUMB = 16 ' ARM's Thumb mode, including Thumb-2
CS_MODE_MCLASS = 32 ' ARM's Cortex-M series
CS_MODE_V8 = 64 ' ARMv8 A32 encodings for ARM
CS_MODE_MICRO = 16 ' MicroMips mode (MIPS)
CS_MODE_MIPS3 = 32 ' Mips III ISA
CS_MODE_MIPS32R6 = 64 ' Mips32r6 ISA
CS_MODE_MIPSGP64 = 128 ' General Purpose Registers are 64-bit wide (MIPS)
CS_MODE_V9 = 16 ' SparcV9 mode (Sparc)
CS_MODE_BIG_ENDIAN = &H80000000 ' big-endian mode
CS_MODE_MIPS32 = CS_MODE_32 ' Mips32 ISA (Mips)
CS_MODE_MIPS64 = CS_MODE_64 ' Mips64 ISA (Mips)
End Enum
'Runtime option for the disassembled engine
Public Enum cs_opt_type
CS_OPT_SYNTAX = 1 ' Assembly output syntax
CS_OPT_DETAIL ' Break down instruction structure into details
CS_OPT_MODE ' Change engine's mode at run-time
CS_OPT_MEM ' User-defined dynamic memory related functions
CS_OPT_SKIPDATA ' Skip data when disassembling. Then engine is in SKIPDATA mode.
CS_OPT_SKIPDATA_SETUP ' Setup user-defined function for SKIPDATA option
End Enum
'Runtime option value (associated with option type above)
Public Enum cs_opt_value
CS_OPT_OFF = 0 ' Turn OFF an option - default option of CS_OPT_DETAIL, CS_OPT_SKIPDATA.
CS_OPT_ON = 3 ' Turn ON an option (CS_OPT_DETAIL, CS_OPT_SKIPDATA).
CS_OPT_SYNTAX_DEFAULT = 0 ' Default asm syntax (CS_OPT_SYNTAX).
CS_OPT_SYNTAX_INTEL ' X86 Intel asm syntax - default on X86 (CS_OPT_SYNTAX).
CS_OPT_SYNTAX_ATT ' X86 ATT asm syntax (CS_OPT_SYNTAX).
CS_OPT_SYNTAX_NOREGNAME ' Prints register name with only number (CS_OPT_SYNTAX)
End Enum
'Common instruction operand types - to be consistent across all architectures.
Public Enum cs_op_type
CS_OP_INVALID = 0 ' uninitialized/invalid operand.
CS_OP_REG ' Register operand.
CS_OP_IMM ' Immediate operand.
CS_OP_MEM ' Memory operand.
CS_OP_FP ' Floating-Point operand.
End Enum
'Common instruction groups - to be consistent across all architectures.
Public Enum cs_group_type
CS_GRP_INVALID = 0 ' uninitialized/invalid group.
CS_GRP_JUMP ' all jump instructions (conditional+direct+indirect jumps)
CS_GRP_CALL ' all call instructions
CS_GRP_RET ' all return instructions
CS_GRP_INT ' all interrupt instructions (int+syscall)
CS_GRP_IRET ' all interrupt return instructions
End Enum
'NOTE: All information in cs_detail is only available when CS_OPT_DETAIL = CS_OPT_ON
Public Type cs_detail
regs_read(0 To 15) As Byte ' list of implicit registers read by this insn UNSIGNED
regs_read_count As Byte ' number of implicit registers read by this insn UNSIGNED
regs_write(0 To 19) As Byte ' list of implicit registers modified by this insn UNSIGNED
regs_write_count As Byte ' number of implicit registers modified by this insn UNSIGNED
groups(0 To 7) As Byte ' list of group this instruction belong to UNSIGNED
groups_count As Byte ' number of groups this insn belongs to UNSIGNED
End Type
'typedef struct cs_detail {
' uint8_t regs_read[16]; // list of implicit registers read by this insn
' uint8_t regs_read_count; // number of implicit registers read by this insn
'
' uint8_t regs_write[20]; // list of implicit registers modified by this insn
' uint8_t regs_write_count; // number of implicit registers modified by this insn
'
' uint8_t groups[8]; // list of group this instruction belong to
' uint8_t groups_count; // number of groups this insn belongs to
'
' // Architecture-specific instruction info
' union {
' cs_x86 x86; // X86 architecture, including 16-bit, 32-bit & 64-bit mode
' cs_arm64 arm64; // ARM64 architecture (aka AArch64)
' cs_arm arm; // ARM architecture (including Thumb/Thumb2)
' cs_mips mips; // MIPS architecture
' cs_ppc ppc; // PowerPC architecture
' cs_sparc sparc; // Sparc architecture
' cs_sysz sysz; // SystemZ architecture
' cs_xcore xcore; // XCore architecture
' };
'} cs_detail;
'Detail information of disassembled instruction
Public Type cs_insn
' Instruction ID (basically a numeric ID for the instruction mnemonic)
' Find the instruction id in the '[ARCH]_insn' enum in the header file
' of corresponding architecture, such as 'arm_insn' in arm.h for ARM,
' 'x86_insn' in x86.h for X86, etc...
' available even when CS_OPT_DETAIL = CS_OPT_OFF
' NOTE: in Skipdata mode, "data" instruction has 0 for this id field. UNSIGNED
ID As Long '
align As Long 'not sure why it needs this..but it does..
address As Currency ' Address (EIP) of this instruction available even when CS_OPT_DETAIL = CS_OPT_OFF UNSIGNED
size As Integer ' Size of this instruction available even when CS_OPT_DETAIL = CS_OPT_OFF UNSIGNED
bytes(0 To 23) As Byte ' Machine bytes of this instruction, with number of bytes indicated by @size above available even when CS_OPT_DETAIL = CS_OPT_OFF
mnemonic(0 To 31) As Byte ' Ascii text of instruction mnemonic available even when CS_OPT_DETAIL = CS_OPT_OFF
op_str(0 To 159) As Byte ' Ascii text of instruction operands available even when CS_OPT_DETAIL = CS_OPT_OFF
' Pointer to cs_detail.
' NOTE: detail pointer is only valid when both requirements below are met:
' (1) CS_OP_DETAIL = CS_OPT_ON
' (2) Engine is not in Skipdata mode (CS_OP_SKIPDATA option set to CS_OPT_ON)
' NOTE 2: when in Skipdata mode, or when detail mode is OFF, even if this pointer
' is not NULL, its content is still irrelevant.
lpDetail As Long ' points to a cs_detail structure NOTE: only available when CS_OPT_DETAIL = CS_OPT_ON
End Type
'All type of errors encountered by Capstone API.
'These are values returned by cs_errno()
Public Enum cs_err
CS_ERR_OK = 0 ' No error: everything was fine
CS_ERR_MEM ' Out-Of-Memory error: cs_open(), cs_disasm(), cs_disasm_iter()
CS_ERR_ARCH ' Unsupported architecture: cs_open()
CS_ERR_HANDLE ' Invalid handle: cs_op_count(), cs_op_index()
CS_ERR_CSH ' Invalid csh argument: cs_close(), cs_errno(), cs_option()
CS_ERR_MODE ' Invalid/unsupported mode: cs_open()
CS_ERR_OPTION ' Invalid/unsupported option: cs_option()
CS_ERR_DETAIL ' Information is unavailable because detail option is OFF
CS_ERR_MEMSETUP ' Dynamic memory management uninitialized (see CS_OPT_MEM)
CS_ERR_VERSION ' Unsupported version (bindings)
CS_ERR_DIET ' Access irrelevant data in "diet" engine
CS_ERR_SKIPDATA ' Access irrelevant data for "data" instruction in SKIPDATA mode
CS_ERR_X86_ATT ' X86 AT&T syntax is unsupported (opt-out at compile time)
CS_ERR_X86_INTEL ' X86 Intel syntax is unsupported (opt-out at compile time)
End Enum
'/*
' Return combined API version & major and minor version numbers.
'
' @major: major number of API version
' @minor: minor number of API version
'
' @return hexical number as (major << 8 | minor), which encodes both
' major & minor versions.
' NOTE: This returned value can be compared with version number made
' with macro CS_MAKE_VERSION
'
' For example, second API version would return 1 in @major, and 1 in @minor
' The return value would be 0x0101
'
' NOTE: if you only care about returned value, but not major and minor values,
' set both @major & @minor arguments to NULL.
'*/
'CAPSTONE_EXPORT
'unsigned int cs_version(int *major, int *minor);
Public Declare Function cs_version Lib "vbCapstone.dll" Alias "bs_version" (ByRef major As Long, ByRef minor As Long) As Long
'
'/*
' This API can be used to either ask for archs supported by this library,
' or check to see if the library was compile with 'diet' option (or called
' in 'diet' mode).
'
' To check if a particular arch is supported by this library, set @query to
' arch mode (CS_ARCH_* value).
' To verify if this library supports all the archs, use CS_ARCH_ALL.
'
' To check if this library is in 'diet' mode, set @query to CS_SUPPORT_DIET.
'
' @return True if this library supports the given arch, or in 'diet' mode.
'*/
'CAPSTONE_EXPORT
'bool cs_support(int query);
Public Declare Function cs_support Lib "vbCapstone.dll" Alias "bs_support" (ByVal query As Long) As Long
'/*
' Initialize CS handle: this must be done before any usage of CS.
'
' @arch: architecture type (CS_ARCH_*)
' @mode: hardware mode. This is combined of CS_MODE_*
' @handle: pointer to handle, which will be updated at return time
'
' @return CS_ERR_OK on success, or other value on failure (refer to cs_err enum
' for detailed error).
'*/
'CAPSTONE_EXPORT
'cs_err cs_open(cs_arch arch, cs_mode mode, csh *handle);
Public Declare Function cs_open Lib "vbCapstone.dll" Alias "bs_open" (ByVal arch As cs_arch, ByVal mode As cs_mode, ByRef hEngine As Long) As cs_err
'/*
' Close CS handle: MUST do to release the handle when it is not used anymore.
' NOTE: this must be only called when there is no longer usage of Capstone,
' not even access to cs_insn array. The reason is the this API releases some
' cached memory, thus access to any Capstone API after cs_close() might crash
' your application.
'
' In fact,this API invalidate @handle by ZERO out its value (i.e *handle = 0).
'
' @handle: pointer to a handle returned by cs_open()
'
' @return CS_ERR_OK on success, or other value on failure (refer to cs_err enum
' for detailed error).
'*/
'CAPSTONE_EXPORT
'cs_err cs_close(csh *handle);
Public Declare Function cs_close Lib "vbCapstone.dll" Alias "bs_close" (ByRef hEngine As Long) As cs_err
'/*
' Set option for disassembling engine at runtime
'
' @handle: handle returned by cs_open()
' @type: type of option to be set
' @value: option value corresponding with @type
'
' @return: CS_ERR_OK on success, or other value on failure.
' Refer to cs_err enum for detailed error.
'
' NOTE: in the case of CS_OPT_MEM, handle's value can be anything,
' so that cs_option(handle, CS_OPT_MEM, value) can (i.e must) be called
' even before cs_open()
'*/
'CAPSTONE_EXPORT
'cs_err cs_option(csh handle, cs_opt_type type, size_t value);
Public Declare Function cs_option Lib "vbCapstone.dll" Alias "bs_option" (ByVal hEngine As Long, ByVal typ As cs_opt_type, ByVal size As Long) As cs_err
'/*
' Report the last error number when some API function fail.
' Like glibc's errno, cs_errno might not retain its old value once accessed.
'
' @handle: handle returned by cs_open()
'
' @return: error code of cs_err enum type (CS_ERR_*, see above)
'*/
'CAPSTONE_EXPORT
'cs_err cs_errno(csh handle);
Public Declare Function cs_errno Lib "vbCapstone.dll" Alias "bs_errno" (ByVal hEngine As Long) As cs_err
'
'/*
' Return a string describing given error code.
'
' @code: error code (see CS_ERR_* above)
'
' @return: returns a pointer to a string that describes the error code
' passed in the argument @code
'*/
'CAPSTONE_EXPORT
'const char *cs_strerror(cs_err code);
Public Declare Function cs_strerror Lib "vbCapstone.dll" Alias "bs_strerror" (ByVal errCode As cs_err) As Long
'/*
' Disassemble binary code, given the code buffer, size, address and number
' of instructions to be decoded.
' This API dynamically allocate memory to contain disassembled instruction.
' Resulting instructions will be put into @*insn
'
' NOTE 1: this API will automatically determine memory needed to contain
' output disassembled instructions in @insn.
'
' NOTE 2: caller must free the allocated memory itself to avoid memory leaking.
'
' NOTE 3: for system with scarce memory to be dynamically allocated such as
' OS kernel or firmware, the API cs_disasm_iter() might be a better choice than
' cs_disasm(). The reason is that with cs_disasm(), based on limited available
' memory, we have to calculate in advance how many instructions to be disassembled,
' which complicates things. This is especially troublesome for the case @count=0,
' when cs_disasm() runs uncontrollably (until either end of input buffer, or
' when it encounters an invalid instruction).
'
' @handle: handle returned by cs_open()
' @code: buffer containing raw binary code to be disassembled.
' @code_size: size of the above code buffer.
' @address: address of the first instruction in given raw code buffer.
' @insn: array of instructions filled in by this API.
' NOTE: @insn will be allocated by this function, and should be freed
' with cs_free() API.
' @count: number of instructions to be disassembled, or 0 to get all of them
'
' @return: the number of successfully disassembled instructions,
' or 0 if this function failed to disassemble the given code
'
' On failure, call cs_errno() for error code.
'*/
'CAPSTONE_EXPORT
'size_t cs_disasm(
' csh handle,
' const uint8_t *code,
' size_t code_size,
' uint64_t address,
' size_t count,
' cs_insn **insn
');
Public Declare Function cs_disasm Lib "vbCapstone.dll" Alias "bs_disasm" ( _
ByVal hEngine As Long, _
ByRef code As Byte, _
ByVal size As Long, _
ByVal address As Currency, _
ByVal count As Long, _
ByRef instAryPtr As Long _
) As Long
'this proto also lets use byte() to get a dump easily..
Public Declare Sub getInstruction Lib "vbCapstone.dll" (ByVal hInstrAry As Long, ByVal index As Long, ByVal insPtr As Long, ByVal size As Long)
'/*
' Deprecated function - to be retired in the next version!
' Use cs_disasm() instead of cs_disasm_ex()
'*/
'CAPSTONE_EXPORT
'CAPSTONE_DEPRECATED
'size_t cs_disasm_ex(csh handle,
' const uint8_t *code, size_t code_size,
' uint64_t address,
' size_t count,
' cs_insn **insn);
'/*
' Free memory allocated by cs_malloc() or cs_disasm() (argument @insn)
'
' @insn: pointer returned by @insn argument in cs_disasm() or cs_malloc()
' @count: number of cs_insn structures returned by cs_disasm(), or 1
' to free memory allocated by cs_malloc().
'*/
'CAPSTONE_EXPORT
'void cs_free(cs_insn *insn, size_t count);
Public Declare Sub cs_free Lib "vbCapstone.dll" Alias "bs_free" (ByVal instr As Long, ByVal count As Long)
'
'/*
' Allocate memory for 1 instruction to be used by cs_disasm_iter().
'
' @handle: handle returned by cs_open()
'
' NOTE: when no longer in use, you can reclaim the memory allocated for
' this instruction with cs_free(insn, 1)
'*/
'CAPSTONE_EXPORT
'cs_insn *cs_malloc(csh handle);
Public Declare Function cs_malloc Lib "vbCapstone.dll" Alias "bs_malloc" (ByVal handle As Long) As Long
'/*
' Fast API to disassemble binary code, given the code buffer, size, address
' and number of instructions to be decoded.
' This API puts the resulting instruction into a given cache in @insn.
' See tests/test_iter.c for sample code demonstrating this API.
'
' NOTE 1: this API will update @code, @size & @address to point to the next
' instruction in the input buffer. Therefore, it is convenient to use
' cs_disasm_iter() inside a loop to quickly iterate all the instructions.
' While decoding one instruction at a time can also be achieved with
' cs_disasm(count=1), some benchmarks shown that cs_disasm_iter() can be 30%
' faster on random input.
'
' NOTE 2: the cache in @insn can be created with cs_malloc() API.
'
' NOTE 3: for system with scarce memory to be dynamically allocated such as
' OS kernel or firmware, this API is recommended over cs_disasm(), which
' allocates memory based on the number of instructions to be disassembled.
' The reason is that with cs_disasm(), based on limited available memory,
' we have to calculate in advance how many instructions to be disassembled,
' which complicates things. This is especially troublesome for the case
' @count=0, when cs_disasm() runs uncontrollably (until either end of input
' buffer, or when it encounters an invalid instruction).
'
' @handle: handle returned by cs_open()
' @code: buffer containing raw binary code to be disassembled
' @code_size: size of above code
' @address: address of the first insn in given raw code buffer
' @insn: pointer to instruction to be filled in by this API.
'
' @return: true if this API successfully decode 1 instruction,
' or false otherwise.
'
' On failure, call cs_errno() for error code.
'*/
'CAPSTONE_EXPORT
'bool cs_disasm_iter(csh handle, const uint8_t **code, size_t *size, uint64_t *address, cs_insn *insn);
'/*
' Return friendly name of register in a string.
' Find the instruction id from header file of corresponding architecture (arm.h for ARM,
' x86.h for X86, ...)
'
' WARN: when in 'diet' mode, this API is irrelevant because engine does not
' store register name.
'
' @handle: handle returned by cs_open()
' @reg_id: register id
'
' @return: string name of the register, or NULL if @reg_id is invalid.
'*/
'CAPSTONE_EXPORT
'const char *cs_reg_name(csh handle, unsigned int reg_id);
Public Declare Function cs_reg_name Lib "vbCapstone.dll" Alias "bs_reg_name" (ByVal handle As Long, ByVal regID As Long) As Long
'/*
' Return friendly name of an instruction in a string.
' Find the instruction id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
'
' WARN: when in 'diet' mode, this API is irrelevant because the engine does not
' store instruction name.
'
' @handle: handle returned by cs_open()
' @insn_id: instruction id
'
' @return: string name of the instruction, or NULL if @insn_id is invalid.
'*/
'CAPSTONE_EXPORT
'const char *cs_insn_name(csh handle, unsigned int insn_id);
Public Declare Function cs_insn_name Lib "vbCapstone.dll" Alias "bs_insn_name" (ByVal handle As Long, ByVal insn_id As Long) As Long
'/*
' Return friendly name of a group id (that an instruction can belong to)
' Find the group id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
'
' WARN: when in 'diet' mode, this API is irrelevant because the engine does not
' store group name.
'
' @handle: handle returned by cs_open()
' @group_id: group id
'
' @return: string name of the group, or NULL if @group_id is invalid.
'*/
'CAPSTONE_EXPORT
'const char *cs_group_name(csh handle, unsigned int group_id);
Public Declare Function cs_group_name Lib "vbCapstone.dll" Alias "bs_group_name" (ByVal handle As Long, ByVal group_id As Long) As Long
'/*
' Check if a disassembled instruction belong to a particular group.
' Find the group id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
' Internally, this simply verifies if @group_id matches any member of insn->groups array.
'
' NOTE: this API is only valid when detail option is ON (which is OFF by default).
'
' WARN: when in 'diet' mode, this API is irrelevant because the engine does not
' update @groups array.
'
' @handle: handle returned by cs_open()
' @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
' @group_id: group that you want to check if this instruction belong to.
'
' @return: true if this instruction indeed belongs to the given group, or false otherwise.
'*/
'CAPSTONE_EXPORT
'bool cs_insn_group(csh handle, const cs_insn *insn, unsigned int group_id);
Public Declare Function cs_insn_group Lib "vbCapstone.dll" Alias "bs_insn_group" (ByVal handle As Long, ByVal instruction As Long, ByVal group_id As Long) As Long
'/*
' Check if a disassembled instruction IMPLICITLY used a particular register.
' Find the register id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
' Internally, this simply verifies if @reg_id matches any member of insn->regs_read array.
'
' NOTE: this API is only valid when detail option is ON (which is OFF by default)
'
' WARN: when in 'diet' mode, this API is irrelevant because the engine does not
' update @regs_read array.
'
' @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
' @reg_id: register that you want to check if this instruction used it.
'
' @return: true if this instruction indeed implicitly used the given register, or false otherwise.
'*/
'CAPSTONE_EXPORT
'bool cs_reg_read(csh handle, const cs_insn *insn, unsigned int reg_id);
Public Declare Function cs_reg_read Lib "vbCapstone.dll" Alias "bs_reg_read" (ByVal handle As Long, ByVal instruction As Long, ByVal reg_id As Long) As Long
'/*
' Check if a disassembled instruction IMPLICITLY modified a particular register.
' Find the register id from header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
' Internally, this simply verifies if @reg_id matches any member of insn->regs_write array.
'
' NOTE: this API is only valid when detail option is ON (which is OFF by default)
'
' WARN: when in 'diet' mode, this API is irrelevant because the engine does not
' update @regs_write array.
'
' @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
' @reg_id: register that you want to check if this instruction modified it.
'
' @return: true if this instruction indeed implicitly modified the given register, or false otherwise.
'*/
'CAPSTONE_EXPORT
'bool cs_reg_write(csh handle, const cs_insn *insn, unsigned int reg_id);
Public Declare Function cs_reg_write Lib "vbCapstone.dll" Alias "bs_reg_write" (ByVal handle As Long, ByVal instruction As Long, ByVal reg_id As Long) As Long
'/*
' Count the number of operands of a given type.
' Find the operand type in header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
'
' NOTE: this API is only valid when detail option is ON (which is OFF by default)
'
' @handle: handle returned by cs_open()
' @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
' @op_type: Operand type to be found.
'
' @return: number of operands of given type @op_type in instruction @insn,
' or -1 on failure.
'*/
'CAPSTONE_EXPORT
'int cs_op_count(csh handle, const cs_insn *insn, unsigned int op_type);
Public Declare Function cs_op_count Lib "vbCapstone.dll" Alias "bs_op_count" (ByVal handle As Long, ByVal instruction As Long, ByVal op_type As Long) As Long
'/*
' Retrieve the position of operand of given type in <arch>.operands[] array.
' Later, the operand can be accessed using the returned position.
' Find the operand type in header file of corresponding architecture (arm.h for ARM, x86.h for X86, ...)
'
' NOTE: this API is only valid when detail option is ON (which is OFF by default)
'
' @handle: handle returned by cs_open()
' @insn: disassembled instruction structure received from cs_disasm() or cs_disasm_iter()
' @op_type: Operand type to be found.
' @position: position of the operand to be found. This must be in the range
' [1, cs_op_count(handle, insn, op_type)]
'
' @return: index of operand of given type @op_type in <arch>.operands[] array
' in instruction @insn, or -1 on failure.
'*/
'CAPSTONE_EXPORT
'int cs_op_index(csh handle, const cs_insn *insn, unsigned int op_type, unsigned int position);
Public Declare Function cs_op_index Lib "vbCapstone.dll" Alias "bs_op_index" (ByVal handle As Long, ByVal instruction As Long, ByVal op_type As Long, ByVal position As Long) As Long
Private Declare Function lstrcpy Lib "kernel32" Alias "lstrcpyA" (ByVal lpString1 As String, ByVal lpString2 As String) As Long
Private Declare Function lstrlen Lib "kernel32" Alias "lstrlenA" (ByVal lpString As Long) As Long
Function cstr2vb(lpStr As Long) As String
Dim length As Long
Dim buf() As Byte
If lpStr = 0 Then Exit Function
length = lstrlen(lpStr)
If length < 1 Then Exit Function
ReDim buf(1 To length)
CopyMemory buf(1), ByVal lpStr, length
cstr2vb = StrConv(buf, vbUnicode, &H409)
End Function
Function err2str(e As cs_err) As String
Dim lpStr As Long
lpStr = cs_strerror(e)
err2str = cstr2vb(lpStr)
End Function
Function regName(hEngine As Long, regID As Long) As String
Dim lpStr As Long
lpStr = cs_reg_name(hEngine, regID)
regName = cstr2vb(lpStr)
If Len(regName) = 0 Or DEBUG_DUMP Then regName = regName & " (" & Hex(regID) & ")"
End Function
Function insnName(hEngine As Long, insnID As Long) As String
Dim lpStr As Long
lpStr = cs_insn_name(hEngine, insnID)
insnName = cstr2vb(lpStr)
If Len(insnName) = 0 Or DEBUG_DUMP Then insnName = insnName & " (" & Hex(insnID) & ")"
End Function
Function groupName(hEngine As Long, groupID As Long) As String
Dim lpStr As Long
lpStr = cs_group_name(hEngine, groupID)
groupName = cstr2vb(lpStr)
If Len(groupName) = 0 Or DEBUG_DUMP Then groupName = groupName & " (" & Hex(groupID) & ")"
End Function

30
thirdparty/capstone/bindings/vb6/README.txt vendored Normal file
View File

@@ -0,0 +1,30 @@
Capstone Disassembly Engine bindings for VB6
Contributed by FireEye FLARE Team
Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
License: Apache 2.0
Copyright: FireEye 2017
This is a sample for using the capstone disassembly engine with VB6.
All of the capstone API are implemented, so this lib supports basic
disassembly of all of the processor architectures that capstone implements.
In the vb code, full instruction details are currently only supported for
the x86 processor family.
This sample was built against Capstone 3.0 rc4. Note that if the capstone
structures change in the future this code will have to be adjusted to match.
The vbCapstone.dll is written in C. Project files are provided for VS2008.
It is a small shim to give VB6 access to a stdcall API to access capstone.
You could also modify capstone itself so its exports were stdcall.
The C project has an additional include directory set to ./../../include/
for <capstone.h>. This is for the /capstone/bindings/vb6/ directory structure

385
thirdparty/capstone/bindings/vb6/mMisc.bas vendored Normal file
View File

@@ -0,0 +1,385 @@
Attribute VB_Name = "mMisc"
Option Explicit
'These are old library functions
Private Type Bit64Currency
value As Currency
End Type
Private Type Bit64Integer
LowValue As Long
HighValue As Long
End Type
Global Const LANG_US = &H409
Public Declare Function LoadLibrary Lib "kernel32" Alias "LoadLibraryA" (ByVal lpLibFileName As String) As Long
Public Declare Function FreeLibrary Lib "kernel32" (ByVal hLibModule As Long) As Long
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal length As Long)
Public Declare Function GetProcAddress Lib "kernel32" (ByVal hModule As Long, ByVal lpProcName As String) As Long
Public Declare Function GetModuleHandle Lib "kernel32" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Public Declare Function SetDllDirectory Lib "kernel32" Alias "SetDllDirectoryA" (ByVal lpPathName As String) As Long
Function makeCur(high As Long, low As Long) As Currency
Dim c As Bit64Currency
Dim dl As Bit64Integer
dl.LowValue = low
dl.HighValue = high
LSet c = dl
makeCur = c.value
End Function
Function lng2Cur(v As Long) As Currency
Dim c As Bit64Currency
Dim dl As Bit64Integer
dl.LowValue = v
dl.HighValue = 0
LSet c = dl
lng2Cur = c.value
End Function
Function cur2str(v As Currency) As String
Dim c As Bit64Currency
Dim dl As Bit64Integer
c.value = v
LSet dl = c
If dl.HighValue = 0 Then
cur2str = Right("00000000" & Hex(dl.LowValue), 8)
Else
cur2str = Right("00000000" & Hex(dl.HighValue), 8) & "`" & Right("00000000" & Hex(dl.LowValue), 8)
End If
End Function
Function x64StrToCur(ByVal str As String) As Currency
str = Replace(Trim(str), "0x", "")
str = Replace(str, " ", "")
str = Replace(str, "`", "")
Dim low As String, high As String
Dim c As Bit64Currency
Dim dl As Bit64Integer
low = VBA.Right(str, 8)
dl.LowValue = CLng("&h" & low)
If Len(str) > 8 Then
high = Mid(str, 1, Len(str) - 8)
dl.HighValue = CLng("&h" & high)
End If
LSet c = dl
x64StrToCur = c.value
End Function
Function cur2lng(v As Currency) As Long
Dim c As Bit64Currency
Dim dl As Bit64Integer
c.value = v
LSet dl = c
cur2lng = dl.LowValue
End Function
Function readLng(offset As Long) As Long
Dim tmp As Long
CopyMemory ByVal VarPtr(tmp), ByVal offset, 4
readLng = tmp
End Function
Function readByte(offset As Long) As Byte
Dim tmp As Byte
CopyMemory ByVal VarPtr(tmp), ByVal offset, 1
readByte = tmp
End Function
Function readCur(offset As Long) As Currency
Dim tmp As Currency
CopyMemory ByVal VarPtr(tmp), ByVal offset, 8
readCur = tmp
End Function
Function col2Str(c As Collection, Optional emptyVal = "") As String
Dim v, tmp As String
If c.count = 0 Then
col2Str = emptyVal
Else
For Each v In c
col2Str = col2Str & hhex(v) & ", "
Next
col2Str = Mid(col2Str, 1, Len(col2Str) - 2)
End If
End Function
Function regCol2Str(hEngine As Long, c As Collection) As String
Dim v, tmp As String
If c.count = 0 Then Exit Function
For Each v In c
regCol2Str = regCol2Str & regName(hEngine, CLng(v)) & ", "
Next
regCol2Str = Mid(regCol2Str, 1, Len(regCol2Str) - 2)
End Function
Function b2Str(b() As Byte) As String
Dim i As Long
If AryIsEmpty(b) Then
b2Str = "Empty"
Else
For i = 0 To UBound(b)
b2Str = b2Str & hhex(b(i)) & " "
Next
b2Str = Trim(b2Str)
End If
End Function
Function AryIsEmpty(ary) As Boolean
Dim i As Long
On Error GoTo oops
i = UBound(ary) '<- throws error if not initialized
AryIsEmpty = False
Exit Function
oops: AryIsEmpty = True
End Function
Public Function toBytes(ByVal hexstr, Optional strRet As Boolean = False)
'supports:
'11 22 33 44 spaced hex chars
'11223344 run together hex strings
'11,22,33,44 csv hex
'\x11,0x22 misc C source rips
'
'ignores common C source prefixes, operators, delimiters, and whitespace
'
'not supported
'1,2,3,4 all hex chars are must have two chars even if delimited
'
'a version which supports more formats is here:
' https://github.com/dzzie/libs/blob/master/dzrt/globals.cls
Dim ret As String, x As String, str As String
Dim r() As Byte, b As Byte, b1 As Byte
Dim foundDecimal As Boolean, tmp, i, a, a2
Dim pos As Long, marker As String
On Error GoTo nope
str = Replace(hexstr, vbCr, Empty)
str = Replace(str, vbLf, Empty)
str = Replace(str, vbTab, Empty)
str = Replace(str, Chr(0), Empty)
str = Replace(str, "{", Empty)
str = Replace(str, "}", Empty)
str = Replace(str, ";", Empty)
str = Replace(str, "+", Empty)
str = Replace(str, """""", Empty)
str = Replace(str, "'", Empty)
str = Replace(str, " ", Empty)
str = Replace(str, "0x", Empty)
str = Replace(str, "\x", Empty)
str = Replace(str, ",", Empty)
For i = 1 To Len(str) Step 2
x = Mid(str, i, 2)
If Not isHexChar(x, b) Then Exit Function
bpush r(), b
Next
If strRet Then
toBytes = StrConv(r, vbUnicode, LANG_US)
Else
toBytes = r
End If
nope:
End Function
Private Sub bpush(bAry() As Byte, b As Byte) 'this modifies parent ary object
On Error GoTo init
Dim x As Long
x = UBound(bAry) '<-throws Error If Not initialized
ReDim Preserve bAry(UBound(bAry) + 1)
bAry(UBound(bAry)) = b
Exit Sub
init:
ReDim bAry(0)
bAry(0) = b
End Sub
Sub push(ary, value) 'this modifies parent ary object
On Error GoTo init
Dim x
x = UBound(ary)
ReDim Preserve ary(x + 1)
If IsObject(value) Then
Set ary(x + 1) = value
Else
ary(x + 1) = value
End If
Exit Sub
init:
ReDim ary(0)
If IsObject(value) Then
Set ary(0) = value
Else
ary(0) = value
End If
End Sub
Public Function isHexChar(hexValue As String, Optional b As Byte) As Boolean
On Error Resume Next
Dim v As Long
If Len(hexValue) = 0 Then GoTo nope
If Len(hexValue) > 2 Then GoTo nope 'expecting hex char code like FF or 90
v = CLng("&h" & hexValue)
If Err.Number <> 0 Then GoTo nope 'invalid hex code
b = CByte(v)
If Err.Number <> 0 Then GoTo nope 'shouldnt happen.. > 255 cant be with len() <=2 ?
isHexChar = True
Exit Function
nope:
Err.Clear
isHexChar = False
End Function
Function hhex(b) As String
hhex = Right("00" & Hex(b), 2)
End Function
Function rpad(x, i, Optional c = " ")
rpad = Left(x & String(i, c), i)
End Function
Function HexDump(bAryOrStrData, Optional hexOnly = 0, Optional ByVal startAt As Long = 1, Optional ByVal length As Long = -1) As String
Dim s() As String, chars As String, tmp As String
On Error Resume Next
Dim ary() As Byte
Dim offset As Long
Const LANG_US = &H409
Dim i As Long, tt, h, x
offset = 0
If TypeName(bAryOrStrData) = "Byte()" Then
ary() = bAryOrStrData
Else
ary = StrConv(CStr(bAryOrStrData), vbFromUnicode, LANG_US)
End If
If startAt < 1 Then startAt = 1
If length < 1 Then length = -1
While startAt Mod 16 <> 0
startAt = startAt - 1
Wend
startAt = startAt + 1
chars = " "
For i = startAt To UBound(ary) + 1
tt = Hex(ary(i - 1))
If Len(tt) = 1 Then tt = "0" & tt
tmp = tmp & tt & " "
x = ary(i - 1)
'chars = chars & IIf((x > 32 And x < 127) Or x > 191, Chr(x), ".") 'x > 191 causes \x0 problems on non us systems... asc(chr(x)) = 0
chars = chars & IIf((x > 32 And x < 127), Chr(x), ".")
If i > 1 And i Mod 16 = 0 Then
h = Hex(offset)
While Len(h) < 6: h = "0" & h: Wend
If hexOnly = 0 Then
push s, h & " " & tmp & chars
Else
push s, tmp
End If
offset = offset + 16
tmp = Empty
chars = " "
End If
If length <> -1 Then
length = length - 1
If length = 0 Then Exit For
End If
Next
'if read length was not mod 16=0 then
'we have part of line to account for
If tmp <> Empty Then
If hexOnly = 0 Then
h = Hex(offset)
While Len(h) < 6: h = "0" & h: Wend
h = h & " " & tmp
While Len(h) <= 56: h = h & " ": Wend
push s, h & chars
Else
push s, tmp
End If
End If
HexDump = Join(s, vbCrLf)
If hexOnly <> 0 Then
HexDump = Replace(HexDump, " ", "")
HexDump = Replace(HexDump, vbCrLf, "")
End If
End Function
Function FileExists(path As String) As Boolean
On Error GoTo hell
If Len(path) = 0 Then Exit Function
If Right(path, 1) = "\" Then Exit Function
If Dir(path, vbHidden Or vbNormal Or vbReadOnly Or vbSystem) <> "" Then FileExists = True
Exit Function
hell: FileExists = False
End Function
Sub WriteFile(path, it)
Dim f
f = FreeFile
Open path For Output As #f
Print #f, it
Close f
End Sub
Function GetParentFolder(path) As String
Dim tmp() As String, ub As Long
On Error Resume Next
tmp = Split(path, "\")
ub = tmp(UBound(tmp))
If Err.Number = 0 Then
GetParentFolder = Replace(Join(tmp, "\"), "\" & ub, "")
Else
GetParentFolder = path
End If
End Function

1868
thirdparty/capstone/bindings/vb6/mx86.bas vendored Normal file
View File

File diff suppressed because it is too large Load Diff

BIN
thirdparty/capstone/bindings/vb6/screenshot.png vendored Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 23 KiB

119
thirdparty/capstone/bindings/vb6/vbCapstone.cpp vendored Normal file
View File

@@ -0,0 +1,119 @@
/*
Capstone Disassembly Engine bindings for VB6
Contributed by FireEye FLARE Team
Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com>
License: Apache 2.0
Copyright: FireEye 2017
This dll is a small stdcall shim so VB6 can access the capstone API
*/
#include <stdio.h>
#include <conio.h>
#include <string.h>
#include <capstone.h>
#pragma comment(lib, "capstone.lib")
#define EXPORT comment(linker, "/EXPORT:"__FUNCTION__"="__FUNCDNAME__)
unsigned int __stdcall bs_version(int *major, int *minor){
#pragma EXPORT
return cs_version(major,minor);
}
bool __stdcall bs_support(int query){
#pragma EXPORT
return cs_support(query);
}
cs_err __stdcall bs_open(cs_arch arch, cs_mode mode, csh *handle){
#pragma EXPORT
return cs_open(arch, mode, handle);
}
cs_err __stdcall bs_close(csh *handle){
#pragma EXPORT
return cs_close(handle);
}
cs_err __stdcall bs_option(csh handle, cs_opt_type type, size_t value){
#pragma EXPORT
return cs_option(handle, type, value);
}
cs_err __stdcall bs_errno(csh handle){
#pragma EXPORT
return cs_errno(handle);
}
const char* __stdcall bs_strerror(cs_err code){
#pragma EXPORT
return cs_strerror(code);
}
size_t __stdcall bs_disasm(csh handle, const uint8_t *code, size_t code_size, uint64_t address, size_t count, cs_insn **insn){
#pragma EXPORT
return cs_disasm(handle, code, code_size, address, count, insn);
}
void __stdcall getInstruction(cs_insn *insn, uint32_t index, void* curInst, uint32_t bufSize){
#pragma EXPORT
memcpy(curInst, (void*)&insn[index], bufSize); //size lets us get a partial version of whatever we have implemented in the vbstruct...
}
const char* __stdcall bs_reg_name(csh handle, unsigned int reg_id){
#pragma EXPORT
return cs_reg_name(handle, reg_id);
}
void __stdcall bs_free(cs_insn *insn, size_t count){
#pragma EXPORT
return cs_free(insn, count);
}
cs_insn* __stdcall bs_malloc(csh handle){
#pragma EXPORT
return cs_malloc(handle);
}
int __stdcall bs_op_index(csh handle, const cs_insn *insn, unsigned int op_type, unsigned int position){
#pragma EXPORT
return cs_op_index(handle,insn,op_type,position);
}
int __stdcall bs_op_count(csh handle, const cs_insn *insn, unsigned int op_type){
#pragma EXPORT
return cs_op_count(handle,insn,op_type);
}
bool __stdcall bs_reg_write(csh handle, const cs_insn *insn, unsigned int reg_id){
#pragma EXPORT
return cs_reg_write(handle,insn,reg_id);
}
bool __stdcall bs_reg_read(csh handle, const cs_insn *insn, unsigned int reg_id){
#pragma EXPORT
return cs_reg_read(handle,insn,reg_id);
}
bool __stdcall bs_insn_group(csh handle, const cs_insn *insn, unsigned int group_id){
#pragma EXPORT
return cs_insn_group(handle,insn,group_id);
}
const char* __stdcall bcs_group_name(csh handle, unsigned int group_id){
#pragma EXPORT
return cs_group_name(handle,group_id);
}
const char* __stdcall bs_insn_name(csh handle, unsigned int insn_id){
#pragma EXPORT
return cs_insn_name(handle,insn_id);
}
bool __stdcall bs_disasm_iter(csh handle, const uint8_t **code, size_t *size, uint64_t *address, cs_insn *insn){
#pragma EXPORT
return cs_disasm_iter(handle, code, size, address, insn);
}

20
thirdparty/capstone/bindings/vb6/vbCapstone.sln vendored Normal file
View File

@@ -0,0 +1,20 @@

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual Studio 2008
Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "vbCapstone", "vbCapstone.vcproj", "{B693CA7B-8B91-4413-AAED-14F1947F012A}"
EndProject
Global
GlobalSection(SolutionConfigurationPlatforms) = preSolution
Debug|Win32 = Debug|Win32
Release|Win32 = Release|Win32
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
{B693CA7B-8B91-4413-AAED-14F1947F012A}.Debug|Win32.ActiveCfg = Debug|Win32
{B693CA7B-8B91-4413-AAED-14F1947F012A}.Debug|Win32.Build.0 = Debug|Win32
{B693CA7B-8B91-4413-AAED-14F1947F012A}.Release|Win32.ActiveCfg = Release|Win32
{B693CA7B-8B91-4413-AAED-14F1947F012A}.Release|Win32.Build.0 = Release|Win32
EndGlobalSection
GlobalSection(SolutionProperties) = preSolution
HideSolutionNode = FALSE
EndGlobalSection
EndGlobal

182
thirdparty/capstone/bindings/vb6/vbCapstone.vcproj vendored Normal file
View File

@@ -0,0 +1,182 @@
<?xml version="1.0" encoding="Windows-1252"?>
<VisualStudioProject
ProjectType="Visual C++"
Version="9.00"
Name="vbCapstone"
ProjectGUID="{B693CA7B-8B91-4413-AAED-14F1947F012A}"
RootNamespace="yy"
Keyword="Win32Proj"
TargetFrameworkVersion="196613"
>
<Platforms>
<Platform
Name="Win32"
/>
</Platforms>
<ToolFiles>
</ToolFiles>
<Configurations>
<Configuration
Name="Debug|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="2"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="0"
AdditionalIncludeDirectories="./../../include/"
PreprocessorDefinitions="WIN32;_DEBUG;_CONSOLE"
MinimalRebuild="true"
BasicRuntimeChecks="3"
RuntimeLibrary="1"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="4"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
OutputFile="./vbCapstone.dll"
LinkIncremental="2"
GenerateManifest="false"
GenerateDebugInformation="true"
SubSystem="1"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
EmbedManifest="false"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
<Configuration
Name="Release|Win32"
OutputDirectory="$(SolutionDir)$(ConfigurationName)"
IntermediateDirectory="$(ConfigurationName)"
ConfigurationType="2"
CharacterSet="2"
WholeProgramOptimization="1"
>
<Tool
Name="VCPreBuildEventTool"
/>
<Tool
Name="VCCustomBuildTool"
/>
<Tool
Name="VCXMLDataGeneratorTool"
/>
<Tool
Name="VCWebServiceProxyGeneratorTool"
/>
<Tool
Name="VCMIDLTool"
/>
<Tool
Name="VCCLCompilerTool"
Optimization="2"
EnableIntrinsicFunctions="true"
AdditionalIncludeDirectories="./../../include/"
PreprocessorDefinitions="WIN32;NDEBUG;_CONSOLE"
RuntimeLibrary="0"
EnableFunctionLevelLinking="true"
UsePrecompiledHeader="0"
WarningLevel="3"
DebugInformationFormat="3"
/>
<Tool
Name="VCManagedResourceCompilerTool"
/>
<Tool
Name="VCResourceCompilerTool"
/>
<Tool
Name="VCPreLinkEventTool"
/>
<Tool
Name="VCLinkerTool"
OutputFile="./vbCapstone.dll"
LinkIncremental="1"
GenerateManifest="false"
GenerateDebugInformation="true"
SubSystem="1"
OptimizeReferences="2"
EnableCOMDATFolding="2"
TargetMachine="1"
/>
<Tool
Name="VCALinkTool"
/>
<Tool
Name="VCManifestTool"
/>
<Tool
Name="VCXDCMakeTool"
/>
<Tool
Name="VCBscMakeTool"
/>
<Tool
Name="VCFxCopTool"
/>
<Tool
Name="VCAppVerifierTool"
/>
<Tool
Name="VCPostBuildEventTool"
/>
</Configuration>
</Configurations>
<References>
</References>
<Files>
<File
RelativePath=".\vbCapstone.cpp"
>
</File>
</Files>
<Globals>
</Globals>
</VisualStudioProject>