Welcome to the zydis-py doc!

Convenience

zydis.decode_and_format_all()

Generator lazily decoding and formatting all instructions in the given bytes object.

Parameters:
  • data (bytes) – The input data
  • runtime_addr (int) – Used to format instructions with relative addressing, such as jumps or calls.
  • decoder (Decoder) – If given, use this decoder. Else, use shared decoder initialized with default settings.
  • formatter (Formatter) – If given, use this formatter. Else, use shared formatter initialized with default settings.
Returns:

Generator yielding (DecodedInstruction, str) pairs.
Example: 
>>> from zydis import decode_and_format_all
>>> for (insn, text) in decode_and_format_all(b'ÌÃ'):
>>>     print(f"Instruction length: {insn.length}, formatted: {text}")
Instruction length: 1, formatted: int3
Instruction length: 1, formatted: ret

Decoding

class zydis.Decoder

Decode byte arrays into machine interpretable structs.

decode_all()

Generator lazily decoding all instructions in the given bytes object, yielding DecodedInstruction instances.

Params bytes data:
 The data to decode, e.g. b"ÌÃñ".
Returns:Generator yielding DecodedInstruction instances.
Raises:ZydisError – When the instruction is invalid, or the trailing instruction is incomplete.
decode_one()

Decode a single instruction, returning a DecodedInstruction struct.

Parameters:data (bytes) – The data to decode, e.g. b"ëþ".
Returns DecodedInstruction:
 The decoded instruction.
Raises:ZydisError – When the instruction is invalid or incomplete.
enable_mode()

En/disable decoder modes.

Please note that DecoderMode.MINIMAL is currently not supported by the Python bindings – trying to use it will result in an assertion error.

Parameters:
  • mode (DecoderMode) – The decoder mode to alter.
  • enabled (bool) – enable / disable.
class zydis.DecodedInstruction

Information about a decoded instruction.

accessed_flags
address_width
attributes
avx
encoding
explicit_operands
get_nth_operand()
length
machine_mode
meta
mnemonic
opcode
operand_width
operands
raw
read_flags
stack_width
written_flags
class zydis.DecodedInstructionRaw

Raw information about an instruction (byte-code information).

disp
evex
imm1
imm2
modrm
mvex
prefixes
rex
sib
vex
xop
class zydis.Operand

Instruction operand, such as eax or [rbp+0x30].

class zydis.ImmOperand

Immediate operand, e.g. 0x1337.

is_relative
is_signed
value
class zydis.PtrOperand

Pointer operand (used in far jumps/calls).

offset
segment
class zydis.MemOperand

Memory operand, such as [rbp+30].

base
disp
index
scale
segment
type
class zydis.RegOperand

Register operand, such as rax.

register

Formatting

class zydis.Formatter

Formats DecodedInstruction to human readable test.

format_instr()

Format a previously decoded instruction to text.

Parameters:
  • instr (DecodedInstruction) – The instruction to be formatted.
  • runtime_addr (int) – The runtime address to assume for formatting. This is used to calculate absolute addresses for instructions that use relative addressing, e.g. most branch instructions (jumps, calls).
Returns:

String containing the formatted instruction.
format_operand()

Format a single operand of a previously decoded instruction.

Parameters:
  • operand (Operand) – The operand to format.
  • runtime_addr (int) – The runtime address to assume for formatting. This is used to calculate absolute addresses for instructions that use relative addressing, e.g. most branch instructions (jumps, calls).
Returns:

String containing the formatted instruction.

Misc

class zydis.StatusCode
code
module
raw_code
success
class zydis.Version
major
minor
patch
rev

Indices and tables