zelos.enums module

class zelos.enums.ProtType

Bases: enum.IntEnum

An enumeration.

NONE = 0

READ = 1

WRITE = 2

EXEC = 4

RWX = 7

RX = 5

RW = 3

class zelos.enums.HookType

Bases: object

class MEMORY

Bases: enum.Enum

Used by zelos.Zelos.hook_memory() to specify the memory event to hook on. View the registration function for more details.

INTERNAL_READ|INTERNAL_WRITE|INTERNAL_MAP are for hooking reads|writes|maps that are done by Zelos (such as those done within syscall implementations). Other read and writes only hook memory accesses done by instructions executed in the underlying emulator.

The callback for INTERNAL_MAP does not provide the data for the mapping in the callback. This is because we didn’t find an efficient way to do so, causing a drastic slowdown for hooks that didn’t need the actual mapped data.

READ = 1

WRITE = 2

READ_UNMAPPED = 3

WRITE_UNMAPPED = 4

READ_PROT = 5

WRITE_PROT = 6

READ_AFTER = 7

UNMAPPED = 8

PROT = 9

READ_INVALID = 10

WRITE_INVALID = 11

INVALID = 12

VALID = 13

INTERNAL_READ = 14

INTERNAL_WRITE = 15

INTERNAL_MAP = 16

class EXEC

Bases: enum.Enum

Used by zelos.Zelos.hook_execution(). If INST is chosen, the registered hook will be executed every time a single instruction is executed.

If BLOCK is chosen, the registered hook will be executed after every block of instructions is executed. A block is interpreted as a contiguous sequence of code where only the last instruction can modify control flow, typically a branch or return instruction.

View the registration function for more details.

INST = 1

BLOCK = 2

class THREAD

Bases: enum.Enum

Not usable yet through Zelos API

CREATE = 1

SWAP = 2

DESTROY = 3

class PROCESS

Bases: enum.Enum

Not usable yet through Zelos API

CREATE = 1

SWAP = 2

DESTROY = 3

class SYSCALL

Bases: enum.Enum

Used by zelos.Zelos.hook_syscalls().

If AFTER is chosen, the hook will be triggered after the syscall hass been executed.

View the registration function for more details.

AFTER = 1