
Author Topic: Zydis disassembler bindings and utilities

440bx

  • Hero Member
  • *****
  • Posts: 4310
Zydis disassembler bindings and utilities
« on: June 24, 2024, 10:53:09 am »

Zydis is an open source Intel x86, 32 bit and 64 bit, instruction decoder, commonly referred to as a disassembler.

What is included in this set of posts is the Zydis dlls (32 and 64 bit) along with the majority of the C examples and tools translated from C to FPC.  In addition to that, there are a few additional examples and tools that I made for my personal use in learning Zydis and thought they might be useful to others as well.

The folders/directories, which contain the examples and the tools, are numbered in such a way that lower numbered directories are simpler/easier to understand.  Higher numbered directories almost always require knowledge that was exposed in lower numbered directories.

In addition to that, all files that end with the letter "A" are translations from C programs that are part of the Zydis set of examples and tools.  Files that do not end in "A" are additional files that I created to test and learn Zydis which I felt could be useful to others as well.

The total amount of information exceeds what the forum allows to be uploaded in a single post.  For this reason, the entire set of files is broken into 6 archive files named Zydis(A)..(F).

To obtain a working installation, create a directory, I suggest "Zydis", put all the archives in that directory and tell 7zip to "Extract here".  That will recreate the entire working structure.

ZydisA.7z has the 32bit and 64bit Zydis dlls.
ZydisB.7z has the Pascal (FPC) bindings and the .o, .a and .ppu files needed for linking.
ZydisC.7z has Windows API definitions and the related 32 bit .o, .a and .ppu files.
ZydisD.7z has the Windows API related 64 bit .o, .a and .ppu files.
ZydisE.7z has the source code and Lazarus projects for all the examples and tools.
ZydisF.7z has data files that are convenient to refer to in the examples and tools.

IMPORTANT: I use my own Windows API definitions and the majority of genuinely useful and interesting examples use those definitions, therefore, to get the most out of the examples, you have to have the definitions in ZydisC.7z and ZydisD.7z.  Also important, these two files contain a rather small subset of my personal definitions, therefore they cannot, unfortunately, be used as a replacement for the definitions included with Lazarus/FPC.

Attached to this post are ZydisA.7z, ZydisE.7z and ZydisF.7z.
« Last Edit: June 24, 2024, 11:22:03 am by 440bx »
(FPC v3.0.4 and Lazarus 1.8.2) or (FPC v3.2.2 and Lazarus v3.2) on Windows 7 SP1 64bit.

440bx

Re: Zydis disassembler bindings and utilities
« Reply #1 on: June 24, 2024, 10:56:18 am »
The first directory "000_Dependencies" contains a program whose only purpose is to ensure the installation is as it should be.  If the program compiles then the installation is as it should be, if it doesn't compile, there is a problem in the installation.

The Disassemble and DisassembleSimple programs are the simplest ways Zydis provides to decode some bytes into instructions.  The functions used in those programs provide a lot of simplicity and convenience but very little control over the decoding and instruction formatting.

The Formatter series of programs shows how to obtain greater control over the formatting of an instruction.  Formatter04B takes advantage of everything Zydis offers for instruction formatting (the output does _not_ showcase the program's abilities... look at the source).

Attached to this post is ZydisB.7z (the Zydis bindings).
« Last Edit: June 24, 2024, 11:18:52 am by 440bx »

440bx

Re: Zydis disassembler bindings and utilities
« Reply #2 on: June 24, 2024, 10:57:26 am »
In addition to decoding bytes into assembly instructions, Zydis also offers an encoder.  Given a description of the instruction, Zydis can produce the bytes that represent it.

This is what the "Encode..." programs and "Rewrite..." demonstrate.

Attached to this post is ZydisC.7z (Windows API definitions).
« Last Edit: June 24, 2024, 11:19:20 am by 440bx »

440bx

Re: Zydis disassembler bindings and utilities
« Reply #3 on: June 24, 2024, 10:59:02 am »
The ZydisPerfTest programs are, as the name indicates, performance tests to measure Zydis speed in decoding instruction bytes under various conditions.

The difference between the "A" and "B" versions is that the "B" version allows other processes to read the test files while it is using them, whereas the "A" version does not (iow, exclusive access.)

IMPORTANT: on the first run, the program (either "A" or "B") creates a set of test files.  Even on today's (mid-2024) fastest machines this will take several _minutes_, about 10 on a really fast machine.  About an hour on an older machine, e.g., 2.8 GHz.

Attached to this post is ZydisD.7z (Windows API definitions).
« Last Edit: June 24, 2024, 11:20:28 am by 440bx »

440bx

Re: Zydis disassembler bindings and utilities
« Reply #4 on: June 24, 2024, 11:01:00 am »
The ZydisDisasm series are programs that expect a binary file, IOW, a file of binary instructions, i.e., NOT a PE file, just binary instructions.

Each of them produces a listing that gets ever closer to what IDA Pro produces for the same input file.  The "B", "C" and "D" versions were created to approximate IDA's output in successive steps.

The "...Template" has the structure needed to format output just about any way it can be done with Zydis.  It is there to be "customized" by adding code to format instructions as desired.

« Last Edit: June 24, 2024, 11:20:50 am by 440bx »

440bx

Re: Zydis disassembler bindings and utilities
« Reply #5 on: June 24, 2024, 11:16:19 am »
The ZydisInfo set of programs outputs almost all of the information Zydis makes available to the programmer about an instruction.

The "A" version is parallel to the original C version.  A command line program.

The "B" version is a GUI version.  It accepts input from the command line (as does "A").

The "C" version is a GUI version that takes as input a PE file (by means of drag and drop.) It uses very _basic_ tests to attempt to separate code from data (with varying success depending on the PE file.)
It has a number of interesting features, among them: drag and drop with nice shell icons, GUI and PE analysis threads independent of each other and not requiring synchronization objects of any kind, mouse wheel support, multi-monitor recognition (app always starts in the monitor where the cursor is), filtering of binary instructions by uniqueness or not being optimized (as deemed by Zydis, double click the client area to switch indexes), drag the window from the client area (no need to go to the caption), flicker free (because of double buffering.)
Reasonably fast, analyzes an older 32 bit version of Lazarus (214MB) in about 8 seconds.

The ZydisInfoFileInputB is a console program that takes a binary file (not a PE) as its input.  It provides a way to redirect the output to a text file for later inspection.

ZydisInfoFileInputNoDupsB is the same as ZydisInfoFileInputB above except that it filters out duplicate instructions.  It also offers the possibility of controlling which index to use to produce the output (requires selecting options in code and recompiling.)

The ZydisStructureSizesB.lpr and ZydisStructureSizesB.c are programs to output the sizes of the data structures used by Zydis.  This was used to verify that the Pascal definitions had the same sizes as the C definitions (gives some confidence that the translation might be correct.)

ExtractPeCode is a utility that extracts the code section from a PE file into a .bin file.  The .bin file can then be fed to one of the Zydis based disassembly utilities and the output compared with the output obtained from IDA Pro.  IOW, it is a way to provide a "level playing field" between a Zydis based utility and IDA Pro.

CleanIdaBinListing is a utility that parses an IDA Pro listing and removes unwanted "ornaments" from the listing so it can be compared with a listing obtained using Zydis functions.

Attached is a screenshot of the GUI version of ZydisInfo.

440bx

Re: Zydis disassembler bindings and utilities
« Reply #6 on: June 25, 2024, 12:17:28 pm »
BUGFIX:

Two of the programs have a minor bug.  They are:

ZydisInfoA demanded at least 3 command line arguments in spite of the fact that 2 may in some cases be sufficient.

ZydisInfoB used a 64 bit decorative instruction address which was not appropriate for 32 bit or 16 bit instructions.  The extra bits in the decorative address caused an access violation (out of bounds violation.)

Attached to this post are archives with the corrected source, unzip them in their corresponding directories overwriting the current source code files.

Thank you and apologies for those oversights.

440bx

Re: Zydis disassembler bindings and utilities
« Reply #7 on: June 25, 2024, 03:27:06 pm »
Also, while fixing those two bugs, I noticed that some of the program descriptions, as far as their usage and functionality, are a bit on the meager side.

I will answer any questions anyone may have as to how to get the most out of any one of the programs.  Succinctly: questions are welcome.
