winappdbg.disasm

Binary code disassembly.

Disassembler loader:

Disassembler engines:

class winappdbg.disasm.BeaEngine(arch=None)

Integration with the BeaEngine disassembler by Beatrix.

decode(address, code)
Parameters:
  • address (int) – Memory address where the code was read from.

  • code (str) – Machine code to disassemble.

Returns:

List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

Return type:

list[tuple(int, int, str, str)]

Raises:

NotImplementedError – This disassembler could not be loaded. This may be due to missing dependencies.

class winappdbg.disasm.CapstoneEngine(arch=None)

Integration with the Capstone disassembler by Nguyen Anh Quynh.

decode(address, code)
Parameters:
  • address (int) – Memory address where the code was read from.

  • code (str) – Machine code to disassemble.

Returns:

List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

Return type:

list[tuple(int, int, str, str)]

Raises:

NotImplementedError – This disassembler could not be loaded. This may be due to missing dependencies.

class winappdbg.disasm.Disassembler(arch=None, engine=None)

Generic disassembler. Uses a set of adapters to decide which library to load for which supported platform.

Variables:

engines (tuple(Engine)) –

Set of supported engines. If you implement your own adapter you can add its class here to make it available to Disassembler.

classmethod get_all_engines()

Get the full list of available disassembly engines for this version of WinAppDbg.

To get the disassembly engines that can actually be used on this machine, call get_available_engines() instead.

Returns:

Tuple of Engine objects.

Return type:

tuple(Engine)

classmethod get_available_engines()

Get the list of supported disassembly engines on this machine.

To get the full list of disassembly engines supported by this version of WinAppDbg, call get_all_engines() instead.

Warning

This call will internally load all the required dependencies for all disassembly engines! This is to ensure they are available.

Returns:

Tuple of Engine objects.

Return type:

tuple(Engine)

class winappdbg.disasm.DistormEngine(arch=None)

Integration with the diStorm disassembler by Gil Dabah.

decode(address, code)
Parameters:
  • address (int) – Memory address where the code was read from.

  • code (str) – Machine code to disassemble.

Returns:

List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

Return type:

list[tuple(int, int, str, str)]

Raises:

NotImplementedError – This disassembler could not be loaded. This may be due to missing dependencies.

class winappdbg.disasm.Engine(arch=None)

Base class for disassembly engine adaptors.

Variables:
  • name (str) – Engine name to use with the Disassembler class.

  • desc (str) – User friendly name of the disassembler engine.

  • url (str) – Download URL.

  • supported (set(str)) – Set of supported processor architectures. For more details see winappdbg.win32.arch.

  • arch (str) – Name of the processor architecture.

decode(address, code)
Parameters:
  • address (int) – Memory address where the code was read from.

  • code (str) – Machine code to disassemble.

Returns:

List of tuples. Each tuple represents an assembly instruction and contains:
  • Memory address of instruction.
  • Size of instruction in bytes.
  • Disassembly line of instruction.
  • Hexadecimal dump of instruction.

Return type:

list[tuple(int, int, str, str)]

Raises:

NotImplementedError – This disassembler could not be loaded. This may be due to missing dependencies.
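
The following is an added example, not code from WinAppDbg: it consumes the decode() contract documented above, skipping engines that raise NotImplementedError and checking that the returned (address, size, disasm, hexdump) tuples cover the input buffer without gaps. The helper names check_listing and decode_with_fallback are hypothetical, and MissingEngine and TinyEngine (including its hexdump format) are constructed stand-ins so the block runs without WinAppDbg installed.

```python
def check_listing(address, code, listing):
    """Return a list of problems found in a decode()-style listing."""
    problems = []
    expected = address              # where the next instruction should start
    end = address + len(code)
    for addr, size, disasm, hexdump in listing:
        if size <= 0:
            problems.append("non-positive size at 0x%x" % addr)
            return problems
        if addr != expected:
            problems.append("expected 0x%x, got 0x%x" % (expected, addr))
        expected = addr + size
    if expected > end:
        problems.append("listing runs past the end of the buffer")
    elif expected < end:
        problems.append("%d trailing byte(s) not decoded" % (end - expected))
    return problems


def decode_with_fallback(engines, address, code):
    """Use the first engine whose decode() does not raise NotImplementedError."""
    skipped = []
    for engine in engines:
        name = type(engine).__name__
        try:
            listing = engine.decode(address, code)
        except NotImplementedError as error:
            skipped.append((name, str(error)))
            continue
        return name, listing, check_listing(address, code, listing), skipped
    raise NotImplementedError("no usable engine: %r" % (skipped,))


class MissingEngine(object):
    """Constructed stand-in: an engine whose dependency is not installed."""
    def decode(self, address, code):
        raise NotImplementedError("dependency not installed")


class TinyEngine(object):
    """Constructed stand-in: decodes only NOP (0x90) and INT3 (0xCC)."""
    names = {0x90: "nop", 0xCC: "int3"}

    def decode(self, address, code):
        listing = []
        for offset, byte in enumerate(bytearray(code)):
            if byte not in self.names:
                break               # stop at the first byte it cannot decode
            listing.append((address + offset, 1, self.names[byte], "%02X" % byte))
        return listing
```

A non-empty problem list means the listing should not be trusted as a complete view of the buffer, for example when an engine stops at an opcode it does not know.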

class winappdbg.disasm.MiasmEngine(arch=None)

Integration with the Miasm disassembler by CEA-SEC.

Note: All Miasm logging is disabled by default to prevent verbose warnings during disassembly. Users can control logging with the set_logging() method.

decode(address, code)

Decode machine code using Miasm.

Parameters:
  • address (int) – Memory address where the code was read from.

  • code (str) – Machine code to disassemble.

Returns:

List of tuples (address, size, disasm, hexdump)

Return type:

list[tuple(int, int, str, str)]

classmethod set_logging(enabled=True)

Enable or disable Miasm logging.

Parameters:

enabled (bool) – Whether to enable Miasm logging.

Example:

from winappdbg.disasm import MiasmEngine

# Enable Miasm logging.
MiasmEngine.set_logging(True)

# Disable all Miasm logging (default state).
MiasmEngine.set_logging(False)