Miscellaneous utility functions. Address translation and other helpers. More...

Functions
ZYDIS_EXPORT ZyanStatus	ZydisCalcAbsoluteAddress (const ZydisDecodedInstruction instruction, const ZydisDecodedOperand operand, ZyanU64 runtime_address, ZyanU64 *result_address)
	Calculates the absolute address value for the given instruction operand. More...

ZYDIS_EXPORT ZyanStatus	ZydisCalcAbsoluteAddressEx (const ZydisDecodedInstruction instruction, const ZydisDecodedOperand operand, ZyanU64 runtime_address, const ZydisRegisterContext register_context, ZyanU64 result_address)
	Calculates the absolute address value for the given instruction operand. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetAccessedFlagsByAction (const ZydisDecodedInstruction instruction, ZydisCPUFlagAction action, ZydisCPUFlags flags)
	Returns a mask of accessed CPU-flags matching the given `action`. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetAccessedFlagsRead (const ZydisDecodedInstruction instruction, ZydisCPUFlags flags)
	Returns a mask of accessed CPU-flags that are read (tested) by the current instruction. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetAccessedFlagsWritten (const ZydisDecodedInstruction instruction, ZydisCPUFlags flags)
	Returns a mask of accessed CPU-flags that are written (modified, undefined) by the current instruction. More...

ZYDIS_EXPORT ZyanStatus	ZydisGetInstructionSegments (const ZydisDecodedInstruction instruction, ZydisInstructionSegments segments)
	Returns offsets and sizes of all logical instruction segments (e.g. `OPCODE`, `MODRM`, ...). More...

Detailed Description

Miscellaneous utility functions. Address translation and other helpers.

Function Documentation

◆ ZydisCalcAbsoluteAddress()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddress	(	const ZydisDecodedInstruction *	instruction,
		const ZydisDecodedOperand *	operand,
		ZyanU64	runtime_address,
		ZyanU64 *	result_address
	)

Calculates the absolute address value for the given instruction operand.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
operand	A pointer to the `ZydisDecodedOperand` struct.
runtime_address	The runtime address of the instruction.
result_address	A pointer to the memory that receives the absolute address.

Returns: A zyan status code.

You should use this function in the following cases:

IMM operands with relative address (e.g. JMP, CALL, ...)
MEM operands with RIP/EIP-relative address (e.g. MOV RAX, [RIP+0x12345678])
MEM operands with absolute address (e.g. MOV RAX, [0x12345678])
- The displacement needs to get truncated and zero extended

◆ ZydisCalcAbsoluteAddressEx()

ZYDIS_EXPORT ZyanStatus ZydisCalcAbsoluteAddressEx	(	const ZydisDecodedInstruction *	instruction,
		const ZydisDecodedOperand *	operand,
		ZyanU64	runtime_address,
		const ZydisRegisterContext *	register_context,
		ZyanU64 *	result_address
	)

Calculates the absolute address value for the given instruction operand.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
operand	A pointer to the `ZydisDecodedOperand` struct.
runtime_address	The runtime address of the instruction.
register_context	A pointer to the `ZydisRegisterContext` struct.
result_address	A pointer to the memory that receives the absolute target-address.

Returns: A zyan status code.

This function behaves like ZydisCalcAbsoluteAddress but takes an additional register-context argument to allow calculation of addresses depending on runtime register values.

Note that IP/EIP/RIP from the register-context will be ignored in favor of the passed runtime-address.

◆ ZydisGetAccessedFlagsByAction()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsByAction	(	const ZydisDecodedInstruction *	instruction,
		ZydisCPUFlagAction	action,
		ZydisCPUFlags *	flags
	)

Returns a mask of accessed CPU-flags matching the given action.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
action	The CPU-flag action.
flags	Receives the flag mask.

Returns: A zyan status code.

◆ ZydisGetAccessedFlagsRead()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsRead	(	const ZydisDecodedInstruction *	instruction,
		ZydisCPUFlags *	flags
	)

Returns a mask of accessed CPU-flags that are read (tested) by the current instruction.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
flags	Receives the flag mask.

Returns: A zyan status code.

◆ ZydisGetAccessedFlagsWritten()

ZYDIS_EXPORT ZyanStatus ZydisGetAccessedFlagsWritten	(	const ZydisDecodedInstruction *	instruction,
		ZydisCPUFlags *	flags
	)

Returns a mask of accessed CPU-flags that are written (modified, undefined) by the current instruction.

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
flags	Receives the flag mask.

Returns: A zyan status code.

◆ ZydisGetInstructionSegments()

ZYDIS_EXPORT ZyanStatus ZydisGetInstructionSegments	(	const ZydisDecodedInstruction *	instruction,
		ZydisInstructionSegments *	segments
	)

Returns offsets and sizes of all logical instruction segments (e.g. OPCODE, MODRM, ...).

Parameters

instruction	A pointer to the `ZydisDecodedInstruction` struct.
segments	Receives the instruction segments information.

Returns: A zyan status code.

Functions

Detailed Description

Function Documentation

◆ ZydisCalcAbsoluteAddress()

◆ ZydisCalcAbsoluteAddressEx()

◆ ZydisGetAccessedFlagsByAction()

◆ ZydisGetAccessedFlagsRead()

◆ ZydisGetAccessedFlagsWritten()

◆ ZydisGetInstructionSegments()