Tool Documentation:

diStorm3 Usage Example

Disassemble a staged reverse shell generated by msfpayload:

root@kali:~# python
Python 2.7.3 (default, Mar 13 2014, 11:03:55)
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> from distorm3 import Decode, Decode16Bits, Decode32Bits, Decode64Bits
>>> l = Decode(0x100, open("stagedrev.bin", "rb").read(), Decode16Bits)
>>> for i in l:
...  print "0x%08x (%02x) %-20s %s" % (i[0],  i[1],  i[3],  i[2])
...
0x00000100 (02) 7f45                 JG 0x147
0x00000102 (01) 4c                   DEC SP
0x00000103 (01) 46                   INC SI
0x00000104 (02) 0101                 ADD [BX+DI], AX
0x00000106 (02) 0100                 ADD [BX+SI], AX
0x00000108 (02) 0000                 ADD [BX+SI], AL
0x0000010a (02) 0000                 ADD [BX+SI], AL
0x0000010c (02) 0000                 ADD [BX+SI], AL
0x0000010e (02) 0000                 ADD [BX+SI], AL
0x00000110 (02) 0200                 ADD AL, [BX+SI]
0x00000112 (02) 0300                 ADD AX, [BX+SI]
0x00000114 (02) 0100                 ADD [BX+SI], AX
0x00000116 (02) 0000                 ADD [BX+SI], AL
0x00000118 (01) 54                   PUSH SP
0x00000119 (03) 800408               ADD BYTE [SI], 0x8
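The first bytes in the listing above are not code: 7f 45 4c 46 is the ELF magic, the 01 at offset 4 marks a 32-bit ELF, 0x0003 in e_machine is EM_386, and the 54 80 04 08 at 0x118 is e_entry = 0x08048054. Decoding from the start of the file in 16-bit mode therefore turns the ELF header into meaningless ADD/JG instructions. The example below is added here and is not code from the page or from the diStorm3 project; it parses the ELF header with the standard library, translates e_entry to a file offset through the PT_LOAD segment, and only then calls distorm3.Decompose in the decode mode that matches the ELF class, which returns structured Instruction objects rather than text. The sample ELF is constructed inline, the DECODE_* constants mirror distorm3's Decode16Bits/Decode32Bits/Decode64Bits values, and the instruction attributes used (address, mnemonic, flowControl) are those of distorm3's Python bindings.

```python
"""Locate an ELF binary's entry point and disassemble from there with diStorm3.

Added example, not part of distorm3. The sample ELF is constructed inline; the
DECODE_* values mirror distorm3's Decode16Bits/Decode32Bits/Decode64Bits (0/1/2)
so the header helpers work even where distorm3 itself is not importable.
"""
import struct
from collections import namedtuple

DECODE_16, DECODE_32, DECODE_64 = 0, 1, 2

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ELFDATA2LSB = 1
PT_LOAD = 1

# segments: list of (p_offset, p_vaddr, p_filesz) for each PT_LOAD entry
ElfInfo = namedtuple("ElfInfo", "elfclass e_machine e_entry segments")


def parse_elf(data):
    """Parse the ELF header and PT_LOAD program headers (little-endian only)."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    elfclass, encoding = data[4], data[5]
    if encoding != ELFDATA2LSB:
        raise ValueError("only little-endian ELF is handled here")
    if elfclass == ELFCLASS32:
        # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
        # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
        (_, e_machine, _, e_entry, e_phoff, _, _, _, e_phentsize,
         e_phnum, _, _, _) = struct.unpack_from("<HHIIIIIHHHHHH", data, 16)
        # Elf32_Phdr: p_type, p_offset, p_vaddr, p_paddr, p_filesz, ...
        ph_fmt, pick = "<IIIIIIII", lambda f: (f[0], f[1], f[2], f[4])
    elif elfclass == ELFCLASS64:
        (_, e_machine, _, e_entry, e_phoff, _, _, _, e_phentsize,
         e_phnum, _, _, _) = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)
        # Elf64_Phdr: p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, ...
        ph_fmt, pick = "<IIQQQQQQ", lambda f: (f[0], f[2], f[3], f[5])
    else:
        raise ValueError("unknown ELF class %d" % elfclass)
    segments = []
    for i in range(e_phnum):
        fields = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        p_type, p_offset, p_vaddr, p_filesz = pick(fields)
        if p_type == PT_LOAD:
            segments.append((p_offset, p_vaddr, p_filesz))
    return ElfInfo(elfclass, e_machine, e_entry, segments)


def entry_file_offset(info):
    """Translate e_entry (a virtual address) into a file offset via PT_LOAD."""
    for p_offset, p_vaddr, p_filesz in info.segments:
        if p_vaddr <= info.e_entry < p_vaddr + p_filesz:
            return info.e_entry - p_vaddr + p_offset
    raise ValueError("entry 0x%x lies in no PT_LOAD segment" % info.e_entry)


def decode_mode(info):
    """Pick the distorm3 decode mode that matches the ELF class."""
    return DECODE_32 if info.elfclass == ELFCLASS32 else DECODE_64


def disassemble_entry(data, max_bytes=64):
    """Decompose the code at the entry point into (address, mnemonic, flow, text)."""
    import distorm3  # imported here so the header helpers stay usable without it
    info = parse_elf(data)
    off = entry_file_offset(info)
    result = []
    for inst in distorm3.Decompose(info.e_entry, data[off:off + max_bytes],
                                   decode_mode(info)):
        result.append((inst.address, inst.mnemonic, inst.flowControl, str(inst)))
        if inst.flowControl != "FC_NONE":  # stop at the first control transfer
            break
    return result


def build_sample_elf():
    """Constructed minimal ELF32/i386 executable: exit(0) at entry 0x08048054."""
    code = bytes.fromhex("b801000000" "31db" "cd80")  # mov eax,1 ; xor ebx,ebx ; int 0x80
    base, ehsize, phsize = 0x08048000, 52, 32
    entry = base + ehsize + phsize  # code directly follows the headers
    total = ehsize + phsize + len(code)
    e_ident = ELF_MAGIC + bytes([ELFCLASS32, ELFDATA2LSB, 1]) + b"\x00" * 9
    ehdr = e_ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, entry, ehsize, 0, 0,
                                 ehsize, phsize, 1, 0, 0, 0)
    phdr = struct.pack("<IIIIIIII", PT_LOAD, 0, base, base, total, total, 5, 0x1000)
    return ehdr + phdr + code


if __name__ == "__main__":
    sample = build_sample_elf()
    info = parse_elf(sample)
    print("class=%d machine=%d entry=0x%x file offset=0x%x"
          % (info.elfclass, info.e_machine, info.e_entry, entry_file_offset(info)))
    for address, mnemonic, flow, text in disassemble_entry(sample):
        print("0x%08x %-6s %-12s %s" % (address, mnemonic, flow, text))
```

To apply this to the file from the session above, replace build_sample_elf() with open("stagedrev.bin", "rb").read(); the header prefix of the constructed sample matches the bytes shown in the listing, so parse_elf reports the same entry address for both.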


Packages and Binaries:

libdistorm3-3

diStorm3 is a binary stream disassembler library project.

With diStorm3 there is no need to parse strings: diStorm3 is a decomposer, meaning it takes an instruction and returns a binary structure describing it rather than static text. This makes it well suited to advanced binary code analysis.

This package provides the shared library.

Installed size: 89 KB
How to install: sudo apt install libdistorm3-3

Dependencies:
  • libc6

libdistorm3-dev

diStorm3 is a binary stream disassembler library project.

With diStorm3 there is no need to parse strings: diStorm3 is a decomposer, meaning it takes an instruction and returns a binary structure describing it rather than static text. This makes it well suited to advanced binary code analysis.

This package provides the development files.

Installed size: 285 KB
How to install: sudo apt install libdistorm3-dev

Dependencies:
  • libdistorm3-3

python3-distorm3

diStorm3 is a binary stream disassembler library project.

With diStorm3 there is no need to parse strings: diStorm3 is a decomposer, meaning it takes an instruction and returns a binary structure describing it rather than static text. This makes it well suited to advanced binary code analysis.

This package provides the Python3 bindings.

Installed size: 71 KB
How to install: sudo apt install python3-distorm3

Dependencies:
  • libdistorm3-3
  • python3

Updated on: 2024-Mar-11