You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1539 lines
43 KiB

* Copyright (c) 2021 Bitdefender
* SPDX-License-Identifier: Apache-2.0
//! Decodes instructions.
extern crate bddisasm_sys as ffi;
pub use crate::cpu_modes::CpuModes;
pub use crate::cpuid::Cpuid;
pub use crate::decode_error::DecodeError;
pub use crate::fpu_flags::FpuFlags;
pub use crate::instruction_category::Category;
pub use crate::isa_set::IsaSet;
pub use crate::mnemonic::Mnemonic;
pub use crate::operand;
pub use crate::operand::{OpAccess, OpAddr};
pub use crate::rflags;
pub use crate::tuple::Tuple;
use crate::rflags::flags_raw;
use crate::decode_error;
use std::fmt;
use std::mem;
use std::convert::TryFrom;
/// Represents a succesfull instruction decoding, or failure.
pub type DecodeResult = Result<DecodedInstruction, DecodeError>;
/// The decoding mode to use.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum DecodeMode {
/// 16-bit.
/// 32-bit.
/// 64-bit.
impl From<DecodeMode> for (u8, u8) {
fn from(mode: DecodeMode) -> Self {
match mode {
DecodeMode::Bits16 => (ffi::ND_CODE_16 as u8, ffi::ND_DATA_16 as u8),
DecodeMode::Bits32 => (ffi::ND_CODE_32 as u8, ffi::ND_DATA_32 as u8),
DecodeMode::Bits64 => (ffi::ND_CODE_64 as u8, ffi::ND_DATA_64 as u8),
/// Encoding mode.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum EncodingMode {
/// Legacy encoded instruction.
/// XOP encoded instruction.
/// VEX encoded instruction.
/// EVEX encoded instruction.
impl From<u32> for EncodingMode {
fn from(value: u32) -> EncodingMode {
match value {
ffi::ND_ENCM_LEGACY => EncodingMode::Legacy,
ffi::ND_ENCM_XOP => EncodingMode::Xop,
ffi::ND_ENCM_VEX => EncodingMode::Vex,
ffi::ND_ENCM_EVEX => EncodingMode::Evex,
_ => panic!("Unexpected encoding mode mode {}", value),
/// VEX mode.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum VexMode {
/// 2B VEX prefix (0xC5).
/// 3B VEX prefix (0xC4).
impl From<u32> for VexMode {
fn from(value: u32) -> VexMode {
match value {
ffi::ND_VEXM_2B => VexMode::Vex2b,
ffi::ND_VEXM_3B => VexMode::Vex3b,
_ => panic!("Unexpected VEX mode mode {}", value),
/// Addressing mode.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum AddressingMode {
/// 16 bit addressing.
/// 32 bit addressing.
/// 64 bit addressing.
impl From<u32> for AddressingMode {
fn from(value: u32) -> AddressingMode {
match value {
ffi::ND_ADDR_16 => AddressingMode::Addr16,
ffi::ND_ADDR_32 => AddressingMode::Addr32,
ffi::ND_ADDR_64 => AddressingMode::Addr64,
_ => panic!("Unexpected addressing mode {}", value),
/// Operand mode/size.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum OperandSize {
/// 16 bit operand size.
/// 32 bit operand size.
/// 64 bit operand size.
impl From<u32> for OperandSize {
fn from(value: u32) -> OperandSize {
match value {
ffi::ND_OPSZ_16 => OperandSize::OpSize16,
ffi::ND_OPSZ_32 => OperandSize::OpSize32,
ffi::ND_OPSZ_64 => OperandSize::OpSize64,
_ => panic!("Unexpected operand size {}", value),
/// Operand mode/size.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum VectorSize {
/// 128 bit vector size.
/// 256 bit vector size.
/// 512 bit vector size.
impl From<u32> for VectorSize {
fn from(value: u32) -> VectorSize {
match value {
ffi::ND_VECM_128 => VectorSize::VecSize128,
ffi::ND_VECM_256 => VectorSize::VecSize256,
ffi::ND_VECM_512 => VectorSize::VecSize512,
_ => panic!("Unexpected vector size {}", value),
/// Exception classes.
/// Different instruction sets or encodings are covered by different exception classes.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum ExceptionClass {
/// SSE/AVX exception class (for legacy encoded SSE instructions and VEX instructions).
/// EVEX exception class (for EVEX encoded AVX* instructions).
/// Opmask instructions exception class.
/// AMX exception class type (for VEX encoded AMX instructions).
impl From<ffi::ND_EX_CLASS> for ExceptionClass {
fn from(value: ffi::ND_EX_CLASS) -> ExceptionClass {
match value {
ffi::_ND_EX_CLASS::ND_EXC_None => ExceptionClass::None,
ffi::_ND_EX_CLASS::ND_EXC_SSE_AVX => ExceptionClass::SseAvx,
ffi::_ND_EX_CLASS::ND_EXC_EVEX => ExceptionClass::Evex,
ffi::_ND_EX_CLASS::ND_EXC_OPMASK => ExceptionClass::Opmask,
ffi::_ND_EX_CLASS::ND_EXC_AMX => ExceptionClass::Amx,
// NOTE: when updating this take care to also update the `From<u8>` implementation!
// TODO: any way of keeping these in sync automagically?
impl From<u8> for ExceptionClass {
fn from(value: u8) -> ExceptionClass {
if value == ffi::_ND_EX_CLASS::ND_EXC_None as u8 {
} else if value == ffi::_ND_EX_CLASS::ND_EXC_SSE_AVX as u8 {
} else if value == ffi::_ND_EX_CLASS::ND_EXC_EVEX as u8 {
} else if value == ffi::_ND_EX_CLASS::ND_EXC_OPMASK as u8 {
} else if value == ffi::_ND_EX_CLASS::ND_EXC_AMX as u8 {
} else {
panic!("Unknown exception class {}", value)
/// Describes the way an instruction accesses the flags register.
/// Individual bits can be checked using the [rflags](rflags) module.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub struct FlagsAccess {
/// RFLAGS access mode, as per the entire register.
pub mode: OpAccess,
/// Tested flags.
pub tested: u32,
/// Modified (according to the result) flags.
pub modified: u32,
/// Flags that are always set to 1.
pub set: u32,
/// Flags that are always cleared to 0.
pub cleared: u32,
/// Undefined flags.
pub undefined: u32,
/// EVEX rounding mode.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub enum EvexRounding {
/// Round to nearest equal.
/// Round down.
/// Round up.
/// round to zero.
impl From<ffi::ND_ROUNDING> for EvexRounding {
fn from(value: ffi::ND_ROUNDING) -> EvexRounding {
match value {
ffi::_ND_ROUNDING::ND_RND_RNE => EvexRounding::NearestEqual,
ffi::_ND_ROUNDING::ND_RND_RD => EvexRounding::Down,
ffi::_ND_ROUNDING::ND_RND_RU => EvexRounding::Up,
ffi::_ND_ROUNDING::ND_RND_RZ => EvexRounding::Zero,
// NOTE: when updating this take care to also update the `From<u8>` implementation!
// TODO: any way of keeping these in sync automagically?
impl From<u8> for EvexRounding {
fn from(value: u8) -> EvexRounding {
if value == ffi::_ND_ROUNDING::ND_RND_RNE as u8 {
} else if value == ffi::_ND_ROUNDING::ND_RND_RD as u8 {
} else if value == ffi::_ND_ROUNDING::ND_RND_RU as u8 {
} else if value == ffi::_ND_ROUNDING::ND_RND_RZ as u8 {
} else {
panic!("Unknown EVEX rounding: {}", value)
/// Indicates which prefixes are valid for an instruction.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub struct ValidPrefixes {
/// The instruction supports REP prefix.
pub rep: bool,
/// The instruction supports REPZ/REPNZ prefixes.
pub rep_cond: bool,
/// The instruction supports LOCK prefix.
pub lock: bool,
/// The instruction supports XACQUIRE/XRELEASE prefixes.
pub hle: bool,
/// The instruction supports only XACQUIRE.
pub xacquire: bool,
/// The instruction supports only XRELEASE.
pub xrelease: bool,
/// The instruction supports BND prefix.
pub bnd: bool,
/// The instruction supports branch hints.
pub bhint: bool,
/// HLE prefix is accepted without LOCK.
pub hle_no_lock: bool,
/// The instruction supports the DNT (Do Not Track) CET prefix.
pub dnt: bool,
impl From<ffi::ND_VALID_PREFIXES> for ValidPrefixes {
fn from(value: ffi::ND_VALID_PREFIXES) -> ValidPrefixes {
let raw = unsafe { value.__bindgen_anon_1 };
ValidPrefixes {
rep: raw.Rep() != 0,
rep_cond: raw.RepCond() != 0,
lock: raw.Lock() != 0,
hle: raw.Hle() != 0,
xacquire: raw.Xacquire() != 0,
xrelease: raw.Xrelease() != 0,
bnd: raw.Bnd() != 0,
bhint: raw.Bhint() != 0,
hle_no_lock: raw.HleNoLock() != 0,
dnt: raw.Dnt() != 0,
/// Indicates which decorators are valid for an instruction.
#[derive(Copy, Clone, Eq, PartialEq, Hash, Debug)]
pub struct ValidDecorators {
/// The instruction supports embedded rounding mode.
pub er: bool,
/// The instruction supports suppress all exceptions mode.
pub sae: bool,
/// The instruction supports zeroing.
pub zero: bool,
/// The instruction supports mask registers.
pub mask: bool,
/// The instruction supports broadcast.
pub broadcast: bool,
impl From<ffi::ND_VALID_DECORATORS> for ValidDecorators {
fn from(value: ffi::ND_VALID_DECORATORS) -> ValidDecorators {
let raw = unsafe { value.__bindgen_anon_1 };
ValidDecorators {
er: raw.Er() != 0,
sae: raw.Sae() != 0,
zero: raw.Zero() != 0,
mask: raw.Mask() != 0,
broadcast: raw.Broadcast() != 0,
/// A decoded instruction.
#[derive(Copy, Clone, Debug)]
pub struct DecodedInstruction {
inner: ffi::INSTRUX,
ip: u64,
instruction: Mnemonic,
length: usize,
impl DecodedInstruction {
/// Decodes an array of bytes.
/// # Arguments
/// * `code` - An [u8](u8) slice that holds the code to be decoded. Note that decoding is attempted only from offset
/// 0 inside this code chunk.
/// * `mode` - The mode in which to decode the instruction.
/// * `ip` - The instruction pointer value to use when formatting the decoded instruction. Does not affect the
/// decoding process in any way. If not needed, use [decode](DecodedInstruction::decode) instead.
/// # Errors
/// This function reports back errors returned by the bddisasm library, as well as internal errors that usually
/// signal a bug in this implementation.
/// Note that [`DecodeError::UnknownStatus`] and [`DecodeError::UnknownInstruction`] should never be encountered,
/// unless this crate has fallen out if sync with `bddisasm-sys`, thus they signal a bug in this crate.
/// # Examples
/// ```
/// # use std::error::Error;
/// #
/// # fn main() -> Result<(), Box<dyn Error>> {
/// use bddisasm::decoder::{DecodedInstruction, DecodeMode, Mnemonic};
/// let code = vec![0x48, 0x8b, 0x05, 0xf9, 0xff, 0xff, 0xff];
/// let instruction = DecodedInstruction::decode_with_ip(&code, DecodeMode::Bits64, 0)?;
/// // Will print `MOV rax, qword ptr [rel 0x0]`
/// println!("{}", instruction);
/// let instruction = DecodedInstruction::decode_with_ip(&code, DecodeMode::Bits64, 0x100)?;
/// // Will print `MOV rax, qword ptr [rel 0x100]`
/// println!("{}", instruction);
/// # Ok(())
/// # }
/// ```
pub fn decode_with_ip(code: &[u8], mode: DecodeMode, ip: u64) -> DecodeResult {
let mut instrux: mem::MaybeUninit<ffi::INSTRUX> = mem::MaybeUninit::uninit();
let instrux = instrux.as_mut_ptr();
let (code_def, data_def) = mode.into();
let status = unsafe {
code.len() as u64,
let instrux = unsafe { *instrux };
Ok(DecodedInstruction {
inner: instrux,
instruction: Mnemonic::try_from(unsafe { instrux.__bindgen_anon_2.Instruction })?,
length: instrux.Length as usize,
/// Decodes an array of bytes.
/// This function is a thin wrapper over [decode_with_ip](DecodedInstruction::decode_with_ip) and behaves exactly
/// the same. It sets `ip` to 0.
pub fn decode(code: &[u8], mode: DecodeMode) -> DecodeResult {
Self::decode_with_ip(code, mode, 0)
/// Get the mnemonic of the instruction.
pub fn mnemonic(self) -> Mnemonic {
/// Get the instruction length, in bytes.
/// It is guaranteed that no instruction will exceed a length of 15 bytes.
pub fn length(self) -> usize {
/// Get the instruction operands.
/// The number of elements in the returned vector will always be equal to
/// [`operands_count`](DecodedInstruction::operands_count).
/// # Examples
/// See [`operand`] for more in-depth examples on how to work with instruction operands.
/// ```
/// # use std::error::Error;
/// #
/// # fn main() -> Result<(), Box<dyn Error>> {
/// use bddisasm::decoder::{DecodedInstruction, DecodeMode, Mnemonic};
/// // `MOV ebx, dword ptr [ecx+edi]`
/// let instruction = DecodedInstruction::decode(b"\x8b\x1c\x39", DecodeMode::Bits32)?; ///
/// let operands = instruction.operands();
/// // The first operand is the destination
/// let dst = operands[0];
/// // The second operand is the source
/// let src = operands[0];
/// // Print information about the operands
/// println!("{:#?} {:#?}",,;
/// # Ok(())
/// # }
/// ```
pub fn operands(self) -> Vec<operand::Operand> {
let mut ops = Vec::new();
for op_index in 0..self.inner.OperandsCount {
self.inner.Operands[op_index as usize],
/// Returns the CPUID support flag.
/// If [None](None), the instruction is supported on any CPU, and no CPUID flag exists.
/// # Examples
/// See [cpuid](crate::cpuid) for more in-depth examples on how to use the CPUID information.
/// ```
/// # use std::error::Error;
/// #
/// # fn main() -> Result<(), Box<dyn Error>> {
/// use bddisasm::decoder::{DecodedInstruction, DecodeMode, Mnemonic};
/// // `RDMSR`
/// let instruction = DecodedInstruction::decode(b"\x0f\x32", DecodeMode::Bits64)?;
/// let cpuid = instruction.cpuid();
/// // Will print `leaf: 0x1 sub-leaf: - register: 2 bit to test: 0x5`
/// if let Some(cpuid) = cpuid {
/// println!("{}", cpuid);
/// }
/// # Ok(())
/// # }
/// ```
pub fn cpuid(self) -> Option<Cpuid> {
let cpuid = unsafe { self.inner.CpuidFlag.__bindgen_anon_1 };
let leaf = cpuid.Leaf;
if leaf == ffi::ND_CFF_NO_LEAF {
} else {
let sub_leaf = cpuid.SubLeaf();
let sub_leaf = if sub_leaf == ffi::ND_CFF_NO_SUBLEAF {
} else {
let register = cpuid.Reg() as u8;
let bit = cpuid.Bit() as u64;
Some(Cpuid {
/// Get the encoding mode used.
pub fn encoding_mode(self) -> EncodingMode {
EncodingMode::from(self.inner.EncMode() as u32)
/// Get the VEX mode, if any.
pub fn vex_mode(self) -> Option<VexMode> {
if self.has_vex() {
Some(VexMode::from(self.inner.VexMode() as u32))
} else {
/// Get the addressing mode.
pub fn addr_mode(self) -> AddressingMode {
AddressingMode::from(self.inner.AddrMode() as u32)
/// Get the operand mode/size.
/// This is computed based on the passed-in [DecodeMode](DecodeMode) and instruction prefixes.
/// # Remarks
/// The effective mode can be different (see [effective_op_mode](DecodedInstruction::effective_op_mode)).
/// # Examples
/// Using [DecodeMode::Bits64](DecodeMode::Bits64), `0x50` encodes a `PUSH rax` instruction with an operand size of
/// 32 because it has no prefix that promotes it, but the effective size is 64 because the instruction always
/// operates on 64 bits.
/// ```
/// # use std::error::Error;
/// #
/// # fn main() -> Result<(), Box<dyn Error>> {
/// use bddisasm::decoded_instruction::{DecodedInstruction, DecodeMode, Mnemonic, OperandSize};
/// let ins =
/// DecodedInstruction::decode(&[0x50], DecodeMode::Bits64)?;
/// assert_eq!(ins.mnemonic(), Mnemonic::Push);
/// assert_eq!(ins.op_mode(), OperandSize::OpSize32);
/// assert_eq!(ins.effective_op_mode(), OperandSize::OpSize64);
/// let ins =
/// DecodedInstruction::decode(&[0x48, 0x50], DecodeMode::Bits64)?;
/// assert_eq!(ins.mnemonic(), Mnemonic::Push);
/// assert_eq!(ins.op_mode(), OperandSize::OpSize64);
/// assert_eq!(ins.effective_op_mode(), OperandSize::OpSize64);
/// # Ok(())
/// # }
pub fn op_mode(self) -> OperandSize {
OperandSize::from(self.inner.OpMode() as u32)
/// Get the effective operand mode/size.
/// Unlike [op_mode](DecodedInstruction::op_mode), this takes into account the actual instruction.
pub fn effective_op_mode(self) -> OperandSize {
OperandSize::from(self.inner.EfOpMode() as u32)
/// Get the Vector mode/size, if any.
/// This is computed based on the passed-in [DecodeMode](DecodeMode) and instruction prefixes.
/// # Remarks
/// The effective mode can be different (see [effective_vec_mode](DecodedInstruction::effective_vec_mode)).
pub fn vec_mode(self) -> Option<VectorSize> {
if self.has_vector() {
Some(VectorSize::from(self.inner.VecMode() as u32))
} else {
/// Get the Vector mode/size, if any.
/// Unlike [vec_mode](DecodedInstruction::vec_mode), this takes into account the actual instruction.
pub fn effective_vec_mode(self) -> Option<VectorSize> {
if self.has_vector() {
Some(VectorSize::from(self.inner.EfVecMode() as u32))
} else {
/// `true` if REX is present.
pub fn has_rex(self) -> bool {
/// `true` if VEX is present.
pub fn has_vex(self) -> bool {
/// `true` if XOP is present.
pub fn has_xop(self) -> bool {
/// `true` if EVEX is present.
pub fn has_evex(self) -> bool {
/// `true` if MVEX is present.
pub fn has_mvex(self) -> bool {
/// `true` if 0x66 is present.
pub fn has_op_size(self) -> bool {
/// `true` if 0x67 is present.
pub fn has_addr_size(self) -> bool {
/// `true` if 0xF0 is present.
pub fn has_lock(self) -> bool {
/// `true` if 0xF2 is present.
pub fn has_repnz_xacquire_bnd(self) -> bool {
/// `true` if 0xF3 is present.
pub fn has_rep_repz_xrelease(self) -> bool {
/// `true` if segment override is present.
pub fn has_seg(self) -> bool {
/// `true` if the instruction is REPed up to RCX times.
pub fn is_repeated(self) -> bool {
/// `true` if the instruction is XACQUIRE enabled.
pub fn is_xacquire_enabled(self) -> bool {
/// `true` if the instruction is XRELEASE enabled.
pub fn is_xrelease_enabled(self) -> bool {
/// `true` if the instruction uses RIP relative addressing.
pub fn is_rip_relative(self) -> bool {
/// `true` if this is an indirect CALL/JMP that is CET tracked.
pub fn is_cet_tracked(self) -> bool {
/// `true` if we have valid MODRM.
pub fn has_mod_rm(self) -> bool {
/// `true` if we have valid SIB.
pub fn has_sib(self) -> bool {
/// `true` if we have valid DREX.
pub fn has_drex(self) -> bool {
/// `true` if the instruction has displacement.
pub fn has_disp(self) -> bool {
/// `true` if the instruction contains a direct address (ie, `CALL far 0x9A`).
pub fn has_addr(self) -> bool {
/// `true` if the instruction contains a moffset (ie, `MOV al, [mem], 0xA0`).
pub fn has_moffset(self) -> bool {
/// `true` if immediate is present.
pub fn has_imm1(self) -> bool {
/// `true` if second immediate is present.
pub fn has_imm2(self) -> bool {
/// `true` if third immediate is present.
pub fn has_imm3(self) -> bool {
/// `true` if the instruction contains a relative offset (ie, `Jcc 0x7x`).
pub fn has_rel_offs(self) -> bool {
/// `true` if SSE immediate that encodes additional registers is present.
pub fn has_sse_imm(self) -> bool {
/// `true` if the instruction uses compressed displacement.
pub fn has_comp_disp(self) -> bool {
/// `true` if the instruction uses broadcast addressing.
pub fn has_broadcast(self) -> bool {
/// `true` if the instruction has mask.
pub fn has_mask(self) -> bool {
/// `true` if the instruction uses zeroing.
pub fn has_zero(self) -> bool {
/// `true` if the instruction has embedded rounding.
pub fn has_er(self) -> bool {
/// `true` if the instruction has SAE.
pub fn has_sae(self) -> bool {
/// `true` if the instruction ignores embedded rounding.
pub fn has_ign_er(self) -> bool {
/// Displacement sign. `false` if positive, `true` if negative.
pub fn sign_disp(self) -> bool {
/// `true` if changing prefix.
pub fn has_mandatory_66(self) -> bool {
/// 0x66 is mandatory prefix. Does not behave as REP prefix.
pub fn has_mandatory_f2(self) -> bool {
/// 0x66 is mandatory prefix. Does not behave as REP prefix.
pub fn has_mandatory_f3(self) -> bool {
/// The length of the instruction word. 2, 4 or 8.
pub fn word_length(self) -> usize {
self.inner.WordLength() as usize
/// The total number of bytes consumed by prefixes.
/// This will also be the offset to the first opcode. The primary opcode will always be the last one.
pub fn pref_length(self) -> usize {
self.inner.PrefLength() as usize
/// Number of opcode bytes. Max 3.
pub fn op_length(self) -> usize {
self.inner.OpLength() as usize
/// Displacement length, in bytes. Maximum 4.
pub fn disp_length(self) -> usize {
self.inner.DispLength() as usize
/// Absolute address length, in bytes. Maximum 8 bytes.
pub fn addr_length(self) -> usize {
self.inner.AddrLength() as usize
/// Memory offset length, in bytes. Maximum 8 bytes.
pub fn moffset_length(self) -> usize {
self.inner.MoffsetLength() as usize
/// First immediate length, in bytes. Maximum 8 bytes.
pub fn imm1_length(self) -> usize {
self.inner.Imm1Length() as usize
/// Second immediate length, in bytes. Maximum 8 bytes.
pub fn imm2_length(self) -> usize {
self.inner.Imm2Length() as usize
/// Third immediate length, in bytes. Maximum 8 bytes.
pub fn imm3_length(self) -> usize {
self.inner.Imm3Length() as usize
/// Relative offset length, in bytes. Maximum 4 bytes.
pub fn rel_offs_length(self) -> usize {
self.inner.RelOffsLength() as usize
/// The offset of the first opcode, inside the instruction.
pub fn op_offset(self) -> usize {
self.inner.OpOffset() as usize
/// The offset of the nominal opcode, inside the instruction.
pub fn main_op_offset(self) -> usize {
self.inner.MainOpOffset() as usize
/// The offset of the displacement, inside the instruction.
pub fn disp_offset(self) -> Option<usize> {
let value = self.inner.DispOffset() as usize;
if value == 0 {
} else {
/// The offset of the hard-coded address.
pub fn addr_offset(self) -> Option<usize> {
let value = self.inner.AddrOffset() as usize;
if value == 0 {
} else {
/// The offset of the absolute address, inside the instruction.
pub fn moffset_offset(self) -> Option<usize> {
let value = self.inner.MoffsetOffset() as usize;
if value == 0 {
} else {
/// The offset of the immediate, inside the instruction.
pub fn imm1_offset(self) -> Option<usize> {
let value = self.inner.Imm1Offset() as usize;
if value == 0 {
} else {
/// The offset of the second immediate, if any, inside the instruction.
pub fn imm2_offset(self) -> Option<usize> {
let value = self.inner.Imm2Offset() as usize;
if value == 0 {
} else {
/// The offset of the third immediate, if any, inside the instruction.
pub fn imm3_offset(self) -> Option<usize> {
let value = self.inner.Imm3Offset() as usize;
if value == 0 {
} else {
/// The offset of the relative offset used in instruction.
pub fn rel_offs_offset(self) -> Option<usize> {
let value = self.inner.RelOffsOffset() as usize;
if value == 0 {
} else {
/// The offset of the SSE immediate, if any, inside the instruction.
pub fn sse_imm_offset(self) -> Option<usize> {
let value = self.inner.SseImmOffset() as usize;
if value == 0 {
} else {
/// The offset of the mod rm byte inside the instruction, if any.
pub fn mod_rm_offset(self) -> Option<usize> {
let value = self.inner.ModRmOffset() as usize;
if value == 0 {
} else {
/// Number of words accessed on/from the stack.
pub fn stack_words(self) -> usize {
self.inner.StackWords as usize
/// The last rep/repz/repnz prefix. if any.
pub fn rep(self) -> Option<u8> {
let value = self.inner.Rep;
if value == 0 {
} else {
/// The last segment override prefix. if none. `FS`/`GS` if 64 bit.
pub fn seg(self) -> Option<u8> {
let value = self.inner.Seg;
if value == 0 {
} else {
/// The last segment override indicating a branch hint.
pub fn bhint(self) -> u8 {
/// Get the REX prefix.
pub fn rex(self) -> Option<u8> {
if self.has_rex() {
Some(unsafe { self.inner.Rex.Rex })
} else {
/// Get the ModRM byte.
pub fn mod_rm(self) -> Option<u8> {
if self.has_mod_rm() {
Some(unsafe { self.inner.ModRm.ModRm })
} else {
/// Get the SIB byte.
pub fn sib(self) -> Option<u8> {
if self.has_sib() {
Some(unsafe { self.inner.Sib.Sib })
} else {
/// Get the 2-bytes VEX.
pub fn vex2(self) -> Option<(u8, u8)> {
if matches!(self.vex_mode(), Some(VexMode::Vex2b)) {
let vex2 = self.inner.__bindgen_anon_1;
let vex2 = unsafe { vex2.Vex2.Vex };
Some((vex2[0], vex2[1]))
} else {
/// Get the 3-bytes VEX.
pub fn vex3(self) -> Option<(u8, u8, u8)> {
if matches!(self.vex_mode(), Some(VexMode::Vex3b)) {
let vex3 = self.inner.__bindgen_anon_1;
let vex3 = unsafe { vex3.Vex3.Vex };
Some((vex3[0], vex3[1], vex3[2]))
} else {
/// Get the XOP bytes.
pub fn xop(self) -> Option<(u8, u8, u8)> {
if self.has_xop() {
let xop = self.inner.__bindgen_anon_1;
let xop = unsafe { xop.Xop.Xop };
Some((xop[0], xop[1], xop[2]))
} else {
/// Get the EVEX bytes.
pub fn evex(self) -> Option<(u8, u8, u8, u8)> {
if self.has_evex() {
let evex = self.inner.__bindgen_anon_1;
let evex = unsafe { evex.Evex.Evex };
Some((evex[0], evex[1], evex[2], evex[3]))
} else {
/// Get the `segment:offset` address accessed by the instruction, if any.
pub fn address(self) -> Option<OpAddr> {
if self.has_addr() {
let raw = self.inner.Address;
let raw = unsafe { raw.__bindgen_anon_1 };
Some(OpAddr::new(raw.Cs, raw.Ip as u64))
} else {
/// Get the absolute offset, if any.
pub fn moffset(self) -> Option<u64> {
if self.has_moffset() {
} else {
/// Get the displacement. Max 4 bytes. Used in ModRM instructions.
pub fn disp(self) -> Option<u32> {
if self.has_disp() {
} else {
/// Get the relative offset, used for branches. Max 4 bytes.
pub fn rel_offset(self) -> Option<u32> {
if self.has_rel_offs() {
} else {
/// Get the first immediate.
pub fn immediate1(self) -> Option<u64> {
if self.has_imm1() {
} else {
/// Get the second immediate. Used mainly for [Mnemonic::Enter](Mnemonic::Enter).
pub fn immediate2(self) -> Option<u8> {
if self.has_imm2() {
} else {
/// Get the third additional immediate.
pub fn immediate3(self) -> Option<u8> {
if self.has_imm3() {
} else {
/// Get the SSE immediate. It is used to select a register.
pub fn sse_immediate(self) -> Option<u8> {
if self.has_sse_imm() {
} else {
/// Get the SSE condition byte.
pub fn sse_cond(self) -> Option<u8> {
if (self.inner.Attributes & ffi::ND_FLAG_SSE_CONDB) != 0 {
} else {
/// Get the condition byte.
pub fn cond(self) -> Option<u8> {
if (self.inner.Attributes & ffi::ND_FLAG_COND) != 0 {
} else {
/// Get the number of operands.
pub fn operands_count(self) -> usize {
self.inner.OperandsCount as usize
/// Number of explicit operands.
/// Use this if you want to ignore implicit operands such as stack, flags, etc.
pub fn exp_operands_count(self) -> usize {
self.inner.ExpOperandsCount as usize
/// Get the RIP access mode.
pub fn rip_access(self) -> OpAccess {
OpAccess::from(ffi::ND_OPERAND_ACCESS {
Access: self.inner.RipAccess,
/// Get the stack access mode.
pub fn stack_access(self) -> OpAccess {
OpAccess::from(ffi::ND_OPERAND_ACCESS {
Access: self.inner.StackAccess,
/// Get the memory access mode.
/// This includes the stack or shadow stack access.
pub fn memory_access(self) -> OpAccess {
OpAccess::from(ffi::ND_OPERAND_ACCESS {
Access: self.inner.MemoryAccess,
/// Get the rflags access.
pub fn flags_access(self) -> FlagsAccess {
let facc = self.inner.FlagsAccess;
let mode = OpAccess::from(ffi::ND_OPERAND_ACCESS {
Access: facc.RegAccess,
FlagsAccess {
tested: flags_raw(facc.Tested),
modified: flags_raw(facc.Modified),
set: flags_raw(facc.Set),
cleared: flags_raw(facc.Cleared),
undefined: flags_raw(facc.Undefined),
/// FPU status word C0-C3 bits access.
pub fn fpu_flags_access(self) -> FpuFlags {
// The exception class.
pub fn exception_class(self) -> ExceptionClass {
/// EVEX tuple type.
pub fn evex_tuple(self) -> Option<Tuple> {
if self.has_evex() {
Some(Tuple::from(self.inner.TupleType as u32))
} else {
/// EVEX rounding mode.
pub fn evex_rounding(self) -> Option<EvexRounding> {
if self.has_er() {
} else {
/// Get the instruction category.
/// # Errors
/// This function can return an error if the category of the instruction is not known. This is most likely a bug
/// in the current implementation.
pub fn category(self) -> Result<Category, DecodeError> {
/// Get the ISA set.
/// # Errors
/// This function can return an error if the ISA set of the instruction is not known. This is most likely a bug
/// in the current implementation.
pub fn isa_set(self) -> Result<IsaSet, DecodeError> {
/// Get the CPU modes in which the instruction is valid.
/// See [cpu_modes](crate::cpu_modes) for examples.
pub fn valid_cpu_modes(self) -> CpuModes {
/// Get the valid prefixes for this instruction.
pub fn valid_prefixes(self) -> ValidPrefixes {
/// Get the decorators accepted by the instruction.
pub fn valid_decorators(self) -> ValidDecorators {
/// Get the main/nominal opcode.
pub fn primary_op_code(self) -> u8 {
/// `true` if the instruction is a SIMD instruction that operates on vector regs.
pub fn has_vector(self) -> bool {
self.inner.Attributes & ffi::ND_FLAG_VECTOR != 0
impl<'a> DecodedInstruction {
/// Get the instruction bytes.
pub fn bytes(&'a self) -> &'a [u8] {
&self.inner.InstructionBytes[..self.inner.Length as usize]
/// Get the opcode bytes (escape codes and main op code).
pub fn op_code_bytes(&'a self) -> &'a [u8] {
impl fmt::Display for DecodedInstruction {
fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
let mut buffer: [i8; ffi::ND_MIN_BUF_SIZE as usize] = [0; ffi::ND_MIN_BUF_SIZE as usize];
let status = unsafe {
buffer.len() as u32,
match decode_error::status_to_error(status) {
Ok(_) => {
let text = String::from_utf8(buffer.iter().map(|&c| c as u8).collect()).unwrap();
write!(f, "{}", text.trim_matches(char::from(0)))
Err(_) => Err(fmt::Error),
mod tests {
use super::*;
fn decode() {
let code = vec![0xb8, 0x00, 0x00, 0x00, 0x00];
let ins = DecodedInstruction::decode(&code, DecodeMode::Bits32).expect("Unable to decode");
assert_eq!(ins.instruction, Mnemonic::Mov);
assert_eq!(ins.bytes(), code);
assert_eq!(format!("{}", ins), "MOV eax, 0x00000000");
fn decode_with_ip() {
let code = b"\x48\x8b\x05\xf9\xff\xff\xff";
let ins = DecodedInstruction::decode_with_ip(code, DecodeMode::Bits64, 0x100)
.expect("Unable to decode");
assert_eq!(ins.instruction, Mnemonic::Mov);
assert_eq!(ins.bytes(), code);
assert_eq!(format!("{}", ins), "MOV rax, qword ptr [rel 0x100]");
fn get_tokens(line: &str, index: usize) -> u32 {
let tokens = line.split(" ").collect::<Vec<&str>>();
let tokens = tokens
.filter(|s| !s.is_empty())
let token = tokens[index];
if token.starts_with("0x") {
u32::from_str_radix(token.trim_start_matches("0x"), 16).unwrap()
} else {
fn constants() {
// These will probably never change, so it is not really worth it to generate the enums and the `From`
// implementations at every build, but these tests should be enough to catch the unlikely situation in which
// a new constant is added.
let bindings = include_str!("../../bddisasm-sys/csrc/inc/bddisasm.h");
let mut exc_count: u8 = 0;
let mut shadow_stack_count: u8 = 0;
let mut tuple_count: u32 = 0;
let mut evex_rounding: u8 = 0;
for line in bindings.lines() {
if line.starts_with("#define ND_ENCM_") {
EncodingMode::from(get_tokens(line, 2));
} else if line.starts_with("#define ND_VEXM_") {
VexMode::from(get_tokens(line, 2));
} else if line.starts_with("#define ND_ADDR_") {
AddressingMode::from(get_tokens(line, 2));
} else if line.starts_with("#define ND_OPSZ_") {
OperandSize::from(get_tokens(line, 2));
} else if line.starts_with("#define ND_VECM_") {
VectorSize::from(get_tokens(line, 2));
} else if line.starts_with(" ND_EXC_") {
exc_count += 1;
} else if line.starts_with("#define ND_SIZE_")
&& !line.starts_with("#define ND_SIZE_TO_MASK(sz)")
// TODO: this test should be in ``, but since we are already parsing `bddisasm.h` here it
// felt wastefull to also parse it there.
operand::OpSize::from(get_tokens(line, 2));
} else if line.starts_with(" ND_SHSTK_") {
// TODO: this test should be in ``, but since we are already parsing `bddisasm.h` here it
// felt wastefull to also parse it there.
shadow_stack_count += 1;
} else if line.starts_with("#define ND_FPU_FLAG_") {
// TODO: this test should be in ``, but since we are already parsing `bddisasm.h` here it
// felt wastefull to also parse it there.
crate::fpu_flags::FpuFlagsAccess::from(get_tokens(line, 2) as u8);
} else if line.starts_with(" ND_TUPLE_") {
// TODO: this test should be in ``, but since we are already parsing `bddisasm.h` here it
// felt wastefull to also parse it there.
tuple_count += 1;
} else if line.starts_with(" ND_RND_") {
// TODO: this test should be in ``, but since we are already parsing `bddisasm.h` here it
// felt wastefull to also parse it there.
evex_rounding += 1;