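VERSION 1.0 CLASS
BEGIN
  MultiUse = -1  'True
  Persistable = 0  'NotPersistable
  DataBindingBehavior = 0  'vbNone
  DataSourceBehavior  = 0  'vbNone
  MTSTransactionMode  = 0  'NotAnMTSObject
END
Attribute VB_Name = "CInstruction"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit

'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author: David Zimmer <[email protected]>, <[email protected]>
'License: Apache
'Copyright: FireEye 2017

'CInstruction is the managed view of one native cs_insn record. LoadInstruction
'copies the record out of the engine-owned array into plain VB fields so callers
'never touch the native buffer directly; the layout being copied is documented
'below for reference (the live declaration lives elsewhere in the project).

'Public Type cs_insn
'    ' Instruction ID (basically a numeric ID for the instruction mnemonic)
'    ' Find the instruction id in the '[ARCH]_insn' enum in the header file
'    ' of corresponding architecture, such as 'arm_insn' in arm.h for ARM,
'    ' 'x86_insn' in x86.h for X86, etc...
'    ' available even when CS_OPT_DETAIL = CS_OPT_OFF
'    ' NOTE: in Skipdata mode, "data" instruction has 0 for this id field. UNSIGNED
'    id As Long '
'    align As Long 'presumably the 4 bytes of padding the C compiler inserts so the
'                  '64-bit address field below is 8-byte aligned - confirm against cs_insn in capstone.h
'    address As Currency ' Address (EIP) of this instruction available even when CS_OPT_DETAIL = CS_OPT_OFF UNSIGNED
'    size As Integer ' Size of this instruction available even when CS_OPT_DETAIL = CS_OPT_OFF UNSIGNED
'    bytes(0 To 23) As Byte ' Machine bytes of this instruction, with number of bytes indicated by @size above available even when CS_OPT_DETAIL = CS_OPT_OFF
'    mnemonic(0 To 31) As Byte ' Ascii text of instruction mnemonic available even when CS_OPT_DETAIL = CS_OPT_OFF
'    op_str(0 To 159) As Byte ' Ascii text of instruction operands available even when CS_OPT_DETAIL = CS_OPT_OFF
'
'    ' Pointer to cs_detail.
'    ' NOTE: detail pointer is only valid when both requirements below are met:
'    ' (1) CS_OP_DETAIL = CS_OPT_ON
'    ' (2) Engine is not in Skipdata mode (CS_OP_SKIPDATA option set to CS_OPT_ON)
'    ' NOTE 2: when in Skipdata mode, or when detail mode is OFF, even if this pointer
'    ' is not NULL, its content is still irrelevant.
'    lpDetail As Long ' points to a cs_detail structure NOTE: only available when CS_OPT_DETAIL = CS_OPT_ON
'
'End Type

Public ID As Long              'cs_insn.id (0 for a "data" pseudo-instruction in Skipdata mode)
Public address As Currency     'cs_insn.address, kept as Currency to hold the unsigned 64-bit value
Public size As Long            'cs_insn.size as reported by the engine
Private m_bytes() As Byte      'copy of the first `size` machine bytes (see LoadInstruction for the clamp)
Public instruction As String   'mnemonic, decoded from the NUL-terminated ASCII buffer
Public operand As String       'operand text, decoded from the NUL-terminated ASCII buffer
Public lpDetails As Long       'raw cs_insn.detail pointer; 0 when no detail record was supplied
Public parent As CDisassembler 'engine instance this instruction came from

Public details As CInstDetails 'may be null

'Number of bytes currently held in m_bytes. Returns 0 before LoadInstruction has
'run (or after a zero-length load), where UBound on the undimensioned array would
'raise error 9 - the On Error Resume Next skips that assignment and leaves the
'default 0 in place.
Private Function byteCount() As Long
    On Error Resume Next
    byteCount = UBound(m_bytes) + 1
End Function

'Returns a copy of the instruction's machine bytes (length = the clamped size).
'Returns an undimensioned array if LoadInstruction has not been called.
Property Get bytes() As Byte()
    'BUG FIX: the original returned Me.bytes(), which re-enters this getter
    'and recurses until the stack overflows. Hand back the backing array instead.
    bytes = m_bytes
End Property

'Hex dump of the machine bytes, one "XX " cell per byte, right-padded with rpad
'to `padding` characters so columns line up in listings.
'Safe to call before LoadInstruction: an empty array yields just the padding.
Property Get byteDump(Optional padding = 15) As String
    Dim b As String, i As Long
    For i = 0 To byteCount() - 1
        b = b & hhex(m_bytes(i)) & " "
    Next
    byteDump = rpad(b, padding)
End Property

'One-line listing form: "<address> <hex bytes> <mnemonic> <operands>".
Property Get text() As String

    text = cur2str(address) & " " & byteDump & " " & instruction & " " & operand

End Property

'Multi-line diagnostic dump of every field, one "name: value" per line, followed by
'the detail record's own toString when a CInstDetails was loaded.
Function toString() As String

    Dim r() As String

    push r, "CInstruction: "
    push r, String(40, "-")
    push r, "Id: " & Hex(ID)
    push r, "address: " & cur2str(address)
    push r, "size: " & Hex(size)
    push r, "bytes: " & byteDump()
    push r, "instruction: " & instruction
    push r, "operand: " & operand
    push r, "lpDetails: " & Hex(lpDetails)

    If Not details Is Nothing Then
        push r, details.toString()
    End If

    toString = Join(r, vbCrLf)

End Function

'Populates this object from element `index` of the native cs_insn array `instAry`.
'
'instAry - pointer to the cs_insn array returned by the engine
'index   - zero-based element to read
'parent  - owning CDisassembler, stored in Me.parent and handed to the detail loader
'
'getInstruction copies the native record into a local cs_insn; everything below is
'then read from that local copy, so the native memory is never dereferenced twice.
'Re-loading the same object resets the string fields and detail object first, so a
'second call no longer appends to the previous mnemonic/operand text.
Friend Sub LoadInstruction(instAry As Long, index As Long, parent As CDisassembler)

    Dim inst As cs_insn
    Dim i As Long
    Dim n As Long

    getInstruction instAry, index, VarPtr(inst), LenB(inst)

    'Reset anything that is accumulated below rather than assigned.
    instruction = vbNullString
    operand = vbNullString
    Set details = Nothing

    ID = inst.ID
    address = inst.address
    size = inst.size
    lpDetails = inst.lpDetail
    Set Me.parent = parent

    'The byte count comes from native memory; it must never be allowed to size the
    'copy beyond the fixed 24-byte buffer it describes (ReDim Preserve would
    'otherwise silently zero-extend), nor below zero (ReDim to -1 raises error 9).
    'The reported `size` field itself is left untouched; only the copy is clamped.
    n = size
    If n < 0 Then n = 0
    If n > UBound(inst.bytes) + 1 Then n = UBound(inst.bytes) + 1

    If n = 0 Then
        Erase m_bytes
    Else
        m_bytes() = inst.bytes
        ReDim Preserve m_bytes(n - 1)
    End If

    'mnemonic and op_str are NUL-terminated ASCII buffers; stop at the first 0.
    For i = 0 To UBound(inst.mnemonic)
        If inst.mnemonic(i) = 0 Then Exit For
        instruction = instruction & Chr(inst.mnemonic(i))
    Next

    For i = 0 To UBound(inst.op_str)
        If inst.op_str(i) = 0 Then Exit For
        operand = operand & Chr(inst.op_str(i))
    Next

    'NOTE(review): per the cs_insn comment above, this pointer can be non-NULL yet
    'hold irrelevant data when detail mode is off or the engine is in Skipdata mode;
    'only the NULL case is rejected here - confirm that LoadDetails / parent guards the rest.
    If lpDetails = 0 Then Exit Sub

    Set details = New CInstDetails
    details.LoadDetails lpDetails, parent

End Sub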