diStorm3
diStorm3 is a powerful disassembler library for x86/AMD64 binary streams that decomposes instructions into binary structures for advanced analysis. It provides Python bindings and supports 16-bit, 32-bit, and 64-bit decoding.
Description
diStorm3 is a binary stream disassembler library that eliminates the need for parsing strings by returning structured binary representations of instructions. This makes it ideal for advanced binary code analysis tasks such as reverse engineering and malware examination.
The tool supports disassembly of x86 and AMD64 binaries, with specific functions for different architectures including Decode16Bits, Decode32Bits, and Decode64Bits. A practical use case shown is disassembling a staged reverse shell generated by msfpayload, displaying opcodes, mnemonics, and offsets.
Available as multiple packages: the core shared library (libdistorm3-3), development files (libdistorm3-dev), and Python3 bindings (python3-distorm3), it integrates well into custom tools and scripts for binary analysis workflows.
How It Works
diStorm3 operates as a decomposer: it takes a byte string and the virtual address of its first byte and returns, for each instruction, a tuple of (offset, size, instruction text, hex bytes), where the instruction text is the mnemonic together with its operands. Decode(0x100, data, Decode16Bits) decodes data as if it were loaded at 0x100 in 16-bit mode; the same bytes passed with Decode32Bits or Decode64Bits decode under 32-bit and 64-bit rules respectively, which can change operand sizes and instruction boundaries, so the mode must match the code being analysed. Iterating over the result gives a formatted listing of hex addresses, instruction lengths, opcode bytes, and mnemonics with operands. For structured analysis, Decompose() returns Instruction objects instead of strings, exposing fields such as the mnemonic, operand list, and flow-control class.
Installation
sudo apt install libdistorm3-3

For the Python examples below, install the Python 3 bindings as well:

sudo apt install python3-distorm3

Examples
Disassemble a staged reverse shell (stagedrev.bin) as 16-bit code loaded at 0x100, printing the address, instruction length, opcode bytes and mnemonic with operands for each instruction:

from distorm3 import Decode, Decode16Bits, Decode32Bits, Decode64Bits

with open("stagedrev.bin", "rb") as f:
    data = f.read()

# Each entry is (offset, size, instruction text, hex bytes).
l = Decode(0x100, data, Decode16Bits)
for i in l:
    print("0x%08x (%02x) %-20s %s" % (i[0], i[1], i[3], i[2]))

The same bytes decoded under 32-bit and 64-bit rules; pick the mode that matches the target of the payload:

Decode(0x100, data, Decode32Bits)
Decode(0x100, data, Decode64Bits)

The 16-bit listing as a one-liner from the shell:

python3 -c "from distorm3 import Decode, Decode16Bits; l=Decode(0x100, open('stagedrev.bin','rb').read(), Decode16Bits); [print('0x%08x (%02x) %-20s %s' % (i[0],i[1],i[3],i[2])) for i in l]"