Miscellaneous utility functions. More...

Functions
ZYDIS_EXPORT ZyanStatus	ZydisCalcAbsoluteAddress (const ZydisDecodedInstruction instruction, const ZydisDecodedOperand operand, ZyanU64 runtime_address, ZyanU64 *result_address)
	Calculates the absolute address value for the given instruction operand. More...

ZYDIS_EXPORT ZyanStatus	ZydisCalcAbsoluteAddressEx (const ZydisDecodedInstruction instruction, const ZydisDecodedOperand operand, ZyanU64 runtime_address, const ZydisRegisterContext register_context, ZyanU64 result_address)
	Calculates the absolute address value for the given instruction operand. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetAccessedFlagsByAction (const ZydisDecodedInstruction instruction, ZydisCPUFlagAction action, ZydisCPUFlags flags)
	Returns a mask of accessed CPU-flags matching the given `action`. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetAccessedFlagsRead (const ZydisDecodedInstruction instruction, ZydisCPUFlags flags)
	Returns a mask of accessed CPU-flags that are read (tested) by the current instruction. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetAccessedFlagsWritten (const ZydisDecodedInstruction instruction, ZydisCPUFlags flags)
	Returns a mask of accessed CPU-flags that are written (modified, undefined) by the current instruction. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetInstructionSegments (const ZydisDecodedInstruction instruction, ZydisInstructionSegments segments)
	Returns offsets and sizes of all logical instruction segments (e.g. More...

Detailed Description

Miscellaneous utility functions.

Address translation and other helpers.

Function Documentation

◆ ZydisCalcAbsoluteAddress()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddress	(	const ZydisDecodedInstruction *	instruction,
		const ZydisDecodedOperand *	operand,
		ZyanU64	runtime_address,
		ZyanU64 *	result_address
	)

Calculates the absolute address value for the given instruction operand.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
operand	A pointer to the `ZydisDecodedOperand` struct.
runtime_address	The runtime address of the instruction.
result_address	A pointer to the memory that receives the absolute address.

Returns: A zyan status code.

You should use this function in the following cases:

IMM operands with relative address (e.g. JMP, CALL, ...)
MEM operands with RIP/EIP-relative address (e.g. MOV RAX, [RIP+0x12345678])
MEM operands with absolute address (e.g. MOV RAX, [0x12345678])
- The displacement needs to get truncated and zero extended

◆ ZydisCalcAbsoluteAddressEx()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddressEx	(	const ZydisDecodedInstruction *	instruction,
		const ZydisDecodedOperand *	operand,
		ZyanU64	runtime_address,
		const ZydisRegisterContext *	register_context,
		ZyanU64 *	result_address
	)

Calculates the absolute address value for the given instruction operand.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
operand	A pointer to the `ZydisDecodedOperand` struct.
runtime_address	The runtime address of the instruction.
register_context	A pointer to the `ZydisRegisterContext` struct.
result_address	A pointer to the memory that receives the absolute target-address.

Returns: A zyan status code.

This function behaves like ZydisCalcAbsoluteAddress but takes an additional register-context argument to allow calculation of addresses depending on runtime register values.

Note that IP/EIP/RIP from the register-context will be ignored in favor of the passed runtime-address.

◆ ZydisGetAccessedFlagsByAction()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsByAction	(	const ZydisDecodedInstruction *	instruction,
		ZydisCPUFlagAction	action,
		ZydisCPUFlags *	flags
	)

Returns a mask of accessed CPU-flags matching the given action.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
action	The CPU-flag action.
flags	Receives the flag mask.

Returns: A zyan status code.

◆ ZydisGetAccessedFlagsRead()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsRead	(	const ZydisDecodedInstruction *	instruction,
		ZydisCPUFlags *	flags
	)

Returns a mask of accessed CPU-flags that are read (tested) by the current instruction.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
flags	Receives the flag mask.

Returns: A zyan status code.

◆ ZydisGetAccessedFlagsWritten()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsWritten	(	const ZydisDecodedInstruction *	instruction,
		ZydisCPUFlags *	flags
	)

Returns a mask of accessed CPU-flags that are written (modified, undefined) by the current instruction.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
flags	Receives the flag mask.

Returns: A zyan status code.

◆ ZydisGetInstructionSegments()

ZYDIS_EXPORT ZyanStatus ZydisGetInstructionSegments	(	const ZydisDecodedInstruction *	instruction,
		ZydisInstructionSegments *	segments
	)

Returns offsets and sizes of all logical instruction segments (e.g.

OPCODE, MODRM, ...).

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
segments	Receives the instruction segments information.

Returns: A zyan status code.

Functions

Detailed Description

Function Documentation

◆ ZydisCalcAbsoluteAddress()

◆ ZydisCalcAbsoluteAddressEx()

◆ ZydisGetAccessedFlagsByAction()

◆ ZydisGetAccessedFlagsRead()

◆ ZydisGetAccessedFlagsWritten()

◆ ZydisGetInstructionSegments()