Zydis  master
Functions
Utils

Miscellaneous utility functions. More...

Functions

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddress (const ZydisDecodedInstruction *instruction, const ZydisDecodedOperand *operand, ZyanU64 runtime_address, ZyanU64 *result_address)
 Calculates the absolute address value for the given instruction operand. More...
 
ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddressEx (const ZydisDecodedInstruction *instruction, const ZydisDecodedOperand *operand, ZyanU64 runtime_address, const ZydisRegisterContext *register_context, ZyanU64 *result_address)
 Calculates the absolute address value for the given instruction operand. More...
 

Detailed Description

Miscellaneous utility functions.

Address translation and other helpers.

Function Documentation

◆ ZydisCalcAbsoluteAddress()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddress ( const ZydisDecodedInstruction instruction,
const ZydisDecodedOperand operand,
ZyanU64  runtime_address,
ZyanU64 *  result_address 
)

Calculates the absolute address value for the given instruction operand.

Parameters
instructionA pointer to the ZydisDecodedInstruction struct.
operandA pointer to the ZydisDecodedOperand struct.
runtime_addressThe runtime address of the instruction.
result_addressA pointer to the memory that receives the absolute address.
Returns
A zyan status code.

You should use this function in the following cases:

  • IMM operands with relative address (e.g. JMP, CALL, ...)
  • MEM operands with RIP/EIP-relative address (e.g. MOV RAX, [RIP+0x12345678])
  • MEM operands with absolute address (e.g. MOV RAX, [0x12345678])
    • The displacement needs to get truncated and zero extended

◆ ZydisCalcAbsoluteAddressEx()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddressEx ( const ZydisDecodedInstruction instruction,
const ZydisDecodedOperand operand,
ZyanU64  runtime_address,
const ZydisRegisterContext register_context,
ZyanU64 *  result_address 
)

Calculates the absolute address value for the given instruction operand.

Parameters
instructionA pointer to the ZydisDecodedInstruction struct.
operandA pointer to the ZydisDecodedOperand struct.
runtime_addressThe runtime address of the instruction.
register_contextA pointer to the ZydisRegisterContext struct.
result_addressA pointer to the memory that receives the absolute target-address.
Returns
A zyan status code.

This function behaves like ZydisCalcAbsoluteAddress but takes an additional register-context argument to allow calculation of addresses depending on runtime register values.

Note that IP/EIP/RIP from the register-context will be ignored in favor of the passed runtime-address.