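VERSION 1.0 CLASS
BEGIN
  MultiUse = -1  'True
  Persistable = 0  'NotPersistable
  DataBindingBehavior = 0  'vbNone
  DataSourceBehavior = 0  'vbNone
  MTSTransactionMode = 0  'NotAnMTSObject
END
Attribute VB_Name = "CInstDetails"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit
'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author:  David Zimmer <[email protected]>, <[email protected]>
'License: Apache
'Copyright: FireEye 2017

'Public Type cs_detail
'    regs_read(0 To 15) As Byte      ' list of implicit registers read by this insn UNSIGNED
'    regs_read_count As Byte         ' number of implicit registers read by this insn UNSIGNED
'    regs_write(0 To 19) As Byte     ' list of implicit registers modified by this insn UNSIGNED
'    regs_write_count As Byte        ' number of implicit registers modified by this insn UNSIGNED
'    groups(0 To 7) As Byte          ' list of group this instruction belong to UNSIGNED
'    groups_count As Byte            ' number of groups this insn belongs to UNSIGNED
'
'    // Architecture-specific instruction info
'    union {
'        cs_x86 x86;     // X86 architecture, including 16-bit, 32-bit & 64-bit mode
'        cs_arm64 arm64; // ARM64 architecture (aka AArch64)
'        cs_arm arm;     // ARM architecture (including Thumb/Thumb2)
'        cs_mips mips;   // MIPS architecture
'        cs_ppc ppc;     // PowerPC architecture
'        cs_sparc sparc; // Sparc architecture
'        cs_sysz sysz;   // SystemZ architecture
'        cs_xcore xcore; // XCore architecture
'    };
'} cs_detail;

'Values copied out of the native cs_detail header by LoadDetails.
Public regRead As New Collection
Public regWritten As New Collection
Public groups As New Collection
Public parent As CDisassembler

'this will be set to a class of the specific instruction info type by architecture..
Public info As Object

'Raw copy of the cs_detail header; only filled in when DEBUG_DUMP is set.
Private m_raw() As Byte

'Builds a multi-line, vbCrLf-separated text summary of this instruction's
'details: the register and group lists, the raw header bytes when DEBUG_DUMP
'is set, and the architecture-specific info object's own toString() output.
Function toString() As String

    'Best effort on purpose: any failing step (for example an info object
    'without a toString method) is skipped instead of aborting the dump.
    On Error Resume Next

    Dim ret() As String

    push ret, "Instruction details: "
    push ret, String(40, "-")

    If DEBUG_DUMP Then
        push ret, "Raw: "
        push ret, HexDump(m_raw)
    End If

    push ret, "Registers Read: " & regRead.count & IIf(regRead.count > 0, " Values: " & col2Str(regRead), Empty)
    push ret, "Registers Written: " & regWritten.count & IIf(regWritten.count > 0, " Values: " & col2Str(regWritten), Empty)
    push ret, "Groups: " & groups.count & IIf(groups.count > 0, " Values: " & col2Str(groups), Empty)

    'it is expected that each CXXInst class implements a toString() method..if not we catch the error anyway..
    If Not info Is Nothing Then
        push ret, info.toString()
    End If

    toString = Join(ret, vbCrLf)

End Function

'Copies the native cs_detail header at lpDetails into this object and, for
'x86, hands the architecture-specific part that follows it to a CX86Inst.
'
'  lpDetails - address of the native cs_detail structure; 0 is accepted and
'              leaves the collections empty and info unset
'  parent    - owning disassembler; its arch selects the info class
'
'Raises error 9 (Subscript out of range) when a count field read from native
'memory exceeds the size of its fixed array.
Friend Sub LoadDetails(lpDetails As Long, parent As CDisassembler)

    Dim cd As cs_detail
    Dim i As Long
    Dim x86 As CX86Inst

    Set Me.parent = parent

    'A null pointer would make CopyMemory read from address 0 and take the
    'whole process down with an access violation, so stop here instead.
    'NOTE(review): presumably the engine leaves the detail pointer null when
    'detail mode is off - confirm against the caller.
    If lpDetails = 0 Then Exit Sub

    'vbdef only contains up to the groups_count field..
    CopyMemory ByVal VarPtr(cd), ByVal lpDetails, LenB(cd)

    If DEBUG_DUMP Then
        'Exactly LenB(cd) bytes are copied, so the upper bound is LenB(cd) - 1;
        'the previous bound of LenB(cd) left one extra, never-written byte at
        'the end of the buffer.
        ReDim m_raw(LenB(cd) - 1)
        CopyMemory ByVal VarPtr(m_raw(0)), ByVal lpDetails, LenB(cd)
    End If

    'The counts come straight from native memory. Check them against the
    'fixed array sizes before indexing, so that a struct layout mismatch fails
    'with the usual error 9 even in a build compiled with array bounds checks
    'removed, rather than reading past the arrays.
    If cd.regs_read_count > UBound(cd.regs_read) + 1 Or _
       cd.regs_write_count > UBound(cd.regs_write) + 1 Or _
       cd.groups_count > UBound(cd.groups) + 1 Then
        Err.Raise 9
    End If

    For i = 1 To cd.regs_read_count
        regRead.Add cd.regs_read(i - 1)
    Next

    For i = 1 To cd.regs_write_count
        regWritten.Add cd.regs_write(i - 1)
    Next

    For i = 1 To cd.groups_count
        groups.Add cd.groups(i - 1)
    Next

    'NOTE(review): fixed 5-byte skip between the end of the VB-side header and
    'the architecture-specific data; presumably tied to the native struct
    'layout of the capstone build these bindings target - re-verify whenever
    'the native library is updated, since a wrong offset misreads memory.
    Const align = 5

    'each arch needs its own CxxInstr class implemented here...
    If parent.arch = CS_ARCH_X86 Then
        Set x86 = New CX86Inst
        x86.LoadDetails lpDetails + LenB(cd) + align, parent
        Set info = x86
    End If

End Sub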