Description: diStorm64 is a professional quality open source disassembler library for AMD64, licensed under the BSD license.
diStorm is a binary stream disassembler. It's capable of disassembling 80x86 instructions in 64 bits (AMD64, X86-64) and both in 16 and 32 bits. In addition, it disassembles FPU, MMX, SSE, SSE2, SSE3, SSSE3, 3DNow! (w/ extensions), new x86-64 instruction sets, VMX, and AMD's SVM! diStorm was written to decode quickly every instruction as accurately as possible. Robust decoding, while taking special care for valid or unused prefixes, is what makes this disassembler powerful, especially for research. Another benefit that might come in handy is that the module was written as multi-threaded, which means you could disassemble several streams or more simultaneously. For rapidly use, diStorm is compiled for Python and is easily used in C as well. diStorm was originally written under Windows and ported later to Linux. The source code is portable and platform independent (supports both little and big endianity). It also can be used as a ring0 disassembler (tested as a kernel driver using the DDK under Windows)!
Note that there are currently no known bugs. Please visit this page periodically in order to get an updated version if available.
The output consists of a few fields: 1)Offset of the disassembled instruction. 2)Size of the disassembled instruction. 3)Hex dump of the disassembled instruction in little-endian format (separated respectively to instruction elements). 4)Textual reprensentation of the disassembled instruction in Intel format.
More details about the decoding phase:
Unused/extra prefixes are dropped (output as DB'ed). Lock prefix works only on lockable instructions if the first operand is in the form of memory indirection. REPn/z prefix works only on repeatable string instructions as well as I/O instructions. Segment Override prefixes are possible where memory indirection address is being used (and specially treated with string and I/O instructions). Some SSE2 instructions support pseudo opcodes (CMP family). Waitable instructions are supported (FINIT etc.). "Native" instructions, those which have the same mnemonic in different decoding modes, unless there's an operand size prefix, which then a suffix letter is concatenated to the mnemonic in order to indicate the operation size (instructions like: PUSHA, IRET, RETF, etc.). XLAT instruction is treated specially when prefixed. Some instructions which have two mnemonics according to the decoding modes are supported. Truncates instructions when reaches end of stream. Drops invalid instructions when their operands are invalid. Won't decode instructions which are longer than 15 bytes. CR8 register is now accessible using the Lock prefix in 32 bits decoding mode. In 64 bits decoding mode the Segment Override prefixes CS, DS, ES and SS are ignored. Segment pushes can be prefixed by operand size prefix. Instructions such as: JMP FAR, CALL FAR, CMPXCHG8/16B, SIDT, LIDT, SGDT and others with complex memory indirection types are fully supported with size indication. In 64 bits decoding mode ARPL is actually MOVZXD, and when it's prefixed with REX it becomes MOVSXD.
Future Updates: Code analysis related material. IGEN will be published to the public domain. SSE4 instructions set support.
