Zydis  v3.0.0
Utils

Miscellaneous utility functions.

Functions

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddress (const ZydisDecodedInstruction *instruction, const ZydisDecodedOperand *operand, ZyanU64 runtime_address, ZyanU64 *result_address)
 Calculates the absolute address value for the given instruction operand.

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddressEx (const ZydisDecodedInstruction *instruction, const ZydisDecodedOperand *operand, ZyanU64 runtime_address, const ZydisRegisterContext *register_context, ZyanU64 *result_address)
 Calculates the absolute address value for the given instruction operand.

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsByAction (const ZydisDecodedInstruction *instruction, ZydisCPUFlagAction action, ZydisCPUFlags *flags)
 Returns a mask of accessed CPU-flags matching the given action.

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsRead (const ZydisDecodedInstruction *instruction, ZydisCPUFlags *flags)
 Returns a mask of accessed CPU-flags that are read (tested) by the current instruction.

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsWritten (const ZydisDecodedInstruction *instruction, ZydisCPUFlags *flags)
 Returns a mask of accessed CPU-flags that are written (modified, undefined) by the current instruction.

ZYDIS_EXPORT ZyanStatus ZydisGetInstructionSegments (const ZydisDecodedInstruction *instruction, ZydisInstructionSegments *segments)
 Returns offsets and sizes of all logical instruction segments (e.g. OPCODE, MODRM, ...).

Detailed Description

Miscellaneous utility functions.

Address translation and other helpers.

Function Documentation

◆ ZydisCalcAbsoluteAddress()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddress (const ZydisDecodedInstruction *instruction, const ZydisDecodedOperand *operand, ZyanU64 runtime_address, ZyanU64 *result_address)

Calculates the absolute address value for the given instruction operand.

Parameters
  • instruction: A pointer to the ZydisDecodedInstruction struct.
  • operand: A pointer to the ZydisDecodedOperand struct.
  • runtime_address: The runtime address of the instruction.
  • result_address: A pointer to the memory that receives the absolute address.

Returns
A zyan status code.

You should use this function in the following cases:

  • IMM operands with relative address (e.g. JMP, CALL, ...)
  • MEM operands with RIP/EIP-relative address (e.g. MOV RAX, [RIP+0x12345678])
  • MEM operands with absolute address (e.g. MOV RAX, [0x12345678])
    • The displacement needs to get truncated and zero extended
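
The arithmetic behind the three cases above, as an added example that is not part of the Zydis documentation or source. It models only the address calculation; the function names are hypothetical and the instruction bytes and addresses are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not Zydis code: models the address arithmetic only.
 * All names here are hypothetical; sample values are constructed. */

/* Mask selecting the low 16, 32 or 64 bits of an address. */
static uint64_t width_mask(unsigned bits) {
    return bits >= 64 ? UINT64_MAX : (UINT64_C(1) << bits) - 1;
}

/* Relative IMM and RIP/EIP-relative MEM operands: the displacement is
 * relative to the address of the NEXT instruction (runtime address plus
 * instruction length); the sum wraps at the effective width. */
uint64_t relative_target(uint64_t runtime_address, unsigned length,
                         int64_t disp, unsigned bits) {
    return (runtime_address + length + (uint64_t)disp) & width_mask(bits);
}

/* Absolute MEM operand (no base, no index): a decoder that keeps the
 * displacement sign-extended in 64 bits must truncate it to the address
 * width and zero-extend, or high addresses turn into 0xFFFFFFFF........ */
uint64_t absolute_target(int64_t disp, unsigned address_bits) {
    return (uint64_t)disp & width_mask(address_bits);
}

int main(void) {
    /* E8 10 00 00 00: CALL rel32, 5 bytes, 64-bit mode */
    printf("call  -> 0x%llx\n", (unsigned long long)
           relative_target(0x140001000ULL, 5, 0x10, 64));
    /* 48 8B 05 78 56 34 12: MOV RAX, [RIP+0x12345678], 7 bytes */
    printf("rip   -> 0x%llx\n", (unsigned long long)
           relative_target(0x140001000ULL, 7, 0x12345678, 64));
    /* EB 10: JMP rel8 at 0xFFFE in 16-bit mode wraps to 0x0010 */
    printf("wrap  -> 0x%llx\n", (unsigned long long)
           relative_target(0xFFFEULL, 2, 0x10, 16));
    /* 8B 05 00 00 00 80: MOV EAX, [0x80000000] in 32-bit mode; the disp32
     * sign-extends to -0x80000000 before truncation */
    printf("abs   -> 0x%llx\n", (unsigned long long)
           absolute_target(-0x80000000LL, 32));
    return 0;
}
```

When resolving call or jump targets during binary analysis, passing the instruction's real load address as the runtime address matters: a wrong base shifts every relative target by the same offset.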

◆ ZydisCalcAbsoluteAddressEx()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddressEx (const ZydisDecodedInstruction *instruction, const ZydisDecodedOperand *operand, ZyanU64 runtime_address, const ZydisRegisterContext *register_context, ZyanU64 *result_address)

Calculates the absolute address value for the given instruction operand.

Parameters
  • instruction: A pointer to the ZydisDecodedInstruction struct.
  • operand: A pointer to the ZydisDecodedOperand struct.
  • runtime_address: The runtime address of the instruction.
  • register_context: A pointer to the ZydisRegisterContext struct.
  • result_address: A pointer to the memory that receives the absolute target-address.

Returns
A zyan status code.

This function behaves like ZydisCalcAbsoluteAddress but takes an additional register-context argument to allow calculation of addresses depending on runtime register values.

Note that IP/EIP/RIP from the register-context will be ignored in favor of the passed runtime-address.

◆ ZydisGetAccessedFlagsByAction()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsByAction (const ZydisDecodedInstruction *instruction, ZydisCPUFlagAction action, ZydisCPUFlags *flags)

Returns a mask of accessed CPU-flags matching the given action.

Parameters
  • instruction: A pointer to the ZydisDecodedInstruction struct.
  • action: The CPU-flag action.
  • flags: Receives the flag mask.

Returns
A zyan status code.

◆ ZydisGetAccessedFlagsRead()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsRead (const ZydisDecodedInstruction *instruction, ZydisCPUFlags *flags)

Returns a mask of accessed CPU-flags that are read (tested) by the current instruction.

Parameters
  • instruction: A pointer to the ZydisDecodedInstruction struct.
  • flags: Receives the flag mask.

Returns
A zyan status code.

◆ ZydisGetAccessedFlagsWritten()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsWritten (const ZydisDecodedInstruction *instruction, ZydisCPUFlags *flags)

Returns a mask of accessed CPU-flags that are written (modified, undefined) by the current instruction.

Parameters
  • instruction: A pointer to the ZydisDecodedInstruction struct.
  • flags: Receives the flag mask.

Returns
A zyan status code.

◆ ZydisGetInstructionSegments()

ZYDIS_EXPORT ZyanStatus ZydisGetInstructionSegments (const ZydisDecodedInstruction *instruction, ZydisInstructionSegments *segments)

Returns offsets and sizes of all logical instruction segments (e.g. OPCODE, MODRM, ...).

Parameters
  • instruction: A pointer to the ZydisDecodedInstruction struct.
  • segments: Receives the instruction segments information.

Returns
A zyan status code.