MHSAssembly

BOOL AutoAssemble(
    const CHAR * pcString)


Auto-assembles and injects the supplied string. The string is the actual auto-assemble text to compile. Returns TRUE if the text is fully auto-assembled and injected into the target process. If the function returns FALSE, the target process remains unmodified.


DIS_DISASM * CreateDisObj()


Creates a disassembly object that can be used in a call to Disasm. DIS_DISASM objects must be created with this function and destroyed with DestroyDisObj. Never create a DIS_DISASM object manually.


VOID DestroyDisObj(
    DIS_DISASM * lpdDestroyMe)


Destroys a DIS_DISASM created with CreateDisObj.


DWORD Disasm(
    BYTE * pbSource,
    DWORD dwSourceSize,
    D_ADDRESS aEip,
    DIS_DISASM * lpddDis,
    INT iMode,
    DWORD dwOpts)


Disassembles the given buffer and returns the size of the found command.
    pbSource points to a buffer containing the actual bytes to disassemble.

    dwSourceSize indicates the length of pbSource.

    aEip indicates the EIP (starting address) of the buffer to which pbSource points.

    lpddDis holds the return information. This object must be created with a call to CreateDisObj. It contains the following information:
        lpddDis->aEIP indicates the address of the disassembled data.
        lpddDis->strDump provides a string representation of the bytes that create the command. Use lpddDis->strDump.dwLength to get the length of the string and lpddDis->strDump.pcText to get the actual text. This is not returned if iMode is DIS_SIZE or DIS_DATA.
        lpddDis->strResult provides a string representation of the disassembled command. Use lpddDis->strResult.dwLength to get the length of the string and lpddDis->strResult.pcText to get the actual text. This is not returned if iMode is DIS_SIZE or DIS_DATA.
        lpddDis->strComment provides extra comments associated with the command. Use lpddDis->strComment.dwLength to get the length of the string and lpddDis->strComment.pcText to get the actual text. This is not returned if iMode is DIS_SIZE or DIS_DATA.
        lpddDis->iCmdType returns the type of command. Use this with the CD_* enumerations. To get the actual type of the command, use (lpddDis->iCmdType & CD_TYPEMASK). For example, to determine whether the current command is a jump of any kind, use ((lpddDis->iCmdType & CD_TYPEMASK) == CD_JMP) || ((lpddDis->iCmdType & CD_TYPEMASK) == CD_JMC).
        lpddDis->iMemType provides information regarding the memory type of an address. Use this with the MDEC_* enumerations. As with iCmdType, mask with MDEC_TYPEMASK to get the actual type.
        lpddDis->iPrefixes returns the number of prefixes on the command.
        lpddDis->iIndexed returns the number of registers the command operand address contains.
        lpddDis->dwJmpConst returns the constant of a JMP command, if any. If lpddDis->iIndexed is 0, lpddDis->dwJmpConst is the actual target address of the JMP; otherwise the operand uses it in an expression such as 01005334+EAX.
        lpddDis->dwTable returns a possible switch-table address.
        lpddDis->dwAddrConst returns the constant of an address-related operand. If lpddDis->iIndexed is 0, this is the actual target address referenced by the operand.
        lpddDis->dwImmConst returns the immediate constant of an operand. An immediate constant is a hard-coded numeric value.
        lpddDis->iArg1, lpddDis->iArg2, and lpddDis->iArg3 specify the types of arguments, if applicable. These will be one of the ARG_* enumerated values.
        lpddDis->iZeroConst indicates whether zero-constants appear in the command.
        lpddDis->iFixUpOffset indicates the fix-up offset if applicable.
        lpddDis->iFixUpSize indicates the size of the fix-up.
        lpddDis->iError indicates any errors during processing. The error will be one of the DERR_* enumerated values.
        lpddDis->iWarnings indicates any warnings during processing. This will be one of the DISW_* enumerated values.
        lpddDis->lpcCmdData points to the DIS_CMD structure containing the data related to the found command.

    iMode indicates the level of detail to use when disassembling. This can be one of the following:
        DIS_SIZE: Gets the size of the command only. The data in lpddDis should not be considered valid.
        DIS_DATA: Gets the size and fills in the lpddDis structure, except for strings.
        DIS_FILE: All of the above but also fills in the strings.
        DIS_CODE: Same as DIS_FILE, but symbolic names are not resolved.

    dwOpts indicates the options for decoding. This can be any combination of the following values:
        DOPT_IDEAL: Use IDEAL decoding.
        DOPT_LOWER: Use lower-case output.
        DOPT_TAB_ARGS: Tab after the command before the args.
        DOPT_EXTRASPACE: Put an extra space between arguments.
        DOPT_PUTDEFSEG: Show the default segments.
        DOPT_SHOWMEMSIZE: Show memory sizes.
        DOPT_NEAR: Show NEAR modifiers.
        DOPT_SHRTSTRCMD: Use the short form of string commands.
        DOPT_FARCALLS: FAR calls and returns do not issue warnings.
        DOPT_VXD: VxD calls do not issue warnings.
        DOPT_PRIVILAGED: Privileged commands do not issue warnings.
        DOPT_IOCOMMAND: I/O commands do not issue warnings.
        DOPT_BADSHIFT: Bad shifts do not issue warnings.
        DOPT_EXTRAPREFIX: Extra prefixes do not issue warnings.
        DOPT_LOCKEDBUS: LOCK prefixes do not issue warnings.
        DOPT_STACKALIGN: Commands that misalign the stack do not issue warnings.
        DOPT_SEGMOD: Segment modifications do not issue warnings.
        DOPT_WINDOWSNT: Check for dangers while assuming Windows® NT.
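An added example (not code from MHS or its author) of how a caller consumes the Disasm contract above: it steps through a buffer by the returned size, checks iError before trusting any field, masks iCmdType with CD_TYPEMASK, and reads dwJmpConst as an address only when iIndexed is 0. Because the MHSAssembly library is not available here, mini_disasm() is an assumed stand-in that decodes a few x86 opcodes into the same fields, and the CD_* values are assumed, not the real header's.

```c
/* Added example, not MHS's own code: a linear sweep that follows the Disasm()
   contract described above (advance by the returned size, stop on iError, mask
   iCmdType with CD_TYPEMASK, read dwJmpConst as a target only when iIndexed is 0).
   mini_disasm() is an assumed stand-in for Disasm(); the CD_* numbers are assumed. */
#include <stdint.h>
#include <string.h>

enum { CD_TYPEMASK = 0xFF, CD_NOP = 1, CD_JMP, CD_JMC, CD_CALL, CD_RET }; /* assumed values */

typedef struct {            /* subset of the DIS_DISASM fields listed above */
    uint32_t aEIP;          /* address of the decoded command */
    int      iCmdType, iIndexed, iError;
    uint32_t dwJmpConst;    /* branch target, valid as an address when iIndexed == 0 */
} MiniDis;

/* Decodes one command at p (n bytes left, located at eip). Returns its size,
   or 0 with iError set when the bytes are truncated or not understood. */
static uint32_t mini_disasm(const uint8_t *p, uint32_t n, uint32_t eip, MiniDis *d) {
    int32_t disp = 0; uint32_t size = 0;
    memset(d, 0, sizeof *d);
    d->aEIP = eip;
    if (n >= 1 && p[0] == 0x90)               { d->iCmdType = CD_NOP; size = 1; }
    else if (n >= 1 && p[0] == 0xC3)          { d->iCmdType = CD_RET; size = 1; }
    else if (n >= 2 && p[0] == 0xEB)          { d->iCmdType = CD_JMP; size = 2; disp = (int8_t)p[1]; }
    else if (n >= 2 && (p[0] & 0xF0) == 0x70) { d->iCmdType = CD_JMC; size = 2; disp = (int8_t)p[1]; }
    else if (n >= 5 && (p[0] == 0xE9 || p[0] == 0xE8)) {   /* jmp rel32 / call rel32 */
        d->iCmdType = (p[0] == 0xE9) ? CD_JMP : CD_CALL; size = 5;
        memcpy(&disp, p + 1, 4);              /* little-endian rel32 displacement */
    } else { d->iError = 1; return 0; }
    if (size > 1)                             /* only the relative branches are > 1 byte here */
        d->dwJmpConst = eip + size + (uint32_t)disp;   /* target = next EIP + displacement */
    return size;
}

/* Walks [eip, eip+len) as a Disasm() caller would: returns the number of jumps
   (CD_JMP or CD_JMC, via the mask test on this page) or -1 on a decode error,
   and stores the first resolved jump target in *first_target when non-NULL. */
int count_jumps(const uint8_t *buf, uint32_t len, uint32_t eip, uint32_t *first_target) {
    int jumps = 0;
    for (uint32_t off = 0; off < len; ) {
        MiniDis d;
        uint32_t size = mini_disasm(buf + off, len - off, eip + off, &d);
        if (size == 0 || d.iError) return -1;          /* check iError before trusting any field */
        int type = d.iCmdType & CD_TYPEMASK;
        if ((type == CD_JMP || type == CD_JMC) && ++jumps == 1 && d.iIndexed == 0 && first_target)
            *first_target = d.dwJmpConst;              /* iIndexed == 0: a plain address */
        off += size;                                   /* step to the next command */
    }
    return jumps;
}
```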


Copyright © 2006 Shawn (L. Spiro) Wilcoxen