Capstone.net with a file


I'm trying to use Capstone.NET: https://github.com/9ee1/Capstone.NET

The sample works fine with a byte array, but when I try it with a PE file it doesn't work.

I've replaced the byte array from the sample with File.ReadAllBytes(filePath); but it doesn't work.

I suspect that I have to only give the code section to capstone and not the entire file. If this is the case, what is the best method to do it?

Thanks in advance!

Yes, it's a pure disassembler and knows nothing about file formats. :)

Use your favorite PE parser class to locate the code you're interested in. Quick & crappy example using dnlib:

```csharp
using System;
using dnlib.PE;                      // PEImage (dnlib)
using Gee.External.Capstone;         // CapstoneDisassembler (Capstone.NET 1.x namespaces)
using Gee.External.Capstone.X86;

PEImage pe = new PEImage(args[0]);
// just read 0x100 bytes from PE entrypoint (RVA -> file offset)
var entrypoint = pe.ToFileOffset(pe.ImageNTHeaders.OptionalHeader.AddressOfEntryPoint);
var strm = pe.CreateStream(entrypoint, 0x100);
byte[] bytes = new byte[0x100];
strm.Read(bytes, 0, 0x100);
// and disassemble them (Bit32 assumes a PE32 image; use Bit64 for PE32+)
using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32))
{
    disassembler.EnableDetails = true;
    disassembler.Syntax = DisassembleSyntaxOptionValue.Intel;
    var instructions = disassembler.DisassembleAll(bytes);
    foreach (var insn in instructions)
        Console.WriteLine("{0:X8}  {1} {2}", insn.Address, insn.Mnemonic, insn.Operand);
}
```


Thanks Kao, one last question...

How do I know the size of the code section?

UPDATE:

The code starts at AddressOfEntryPoint & finishes at AddressOfEntryPoint + SizeOfCode?

Edited by swell

You don't. Because there is no dedicated "code section" in PE files.

In most EXE files, code is located in the 1st section. Mixed mode assemblies mix .NET code, x86 code and data in the 1st section. Some PE packers compress all sections and put their own code in the last section. Drivers split their code into several sections, so that one-time-initialization code can be discarded after execution. But this is not a rule or anything.

So, you somehow need to figure out where in the exe the code you're interested in is. ;-) Once you figure that one out, check the documentation of the PE parser you're using.
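For the common case Kao describes (code living in the section that holds the entry point), the section table gives you the bounds directly: the section's PointerToRawData/SizeOfRawData say where its bytes sit in the file, and VirtualAddress/VirtualSize say where they are mapped. The optional header's SizeOfCode, by contrast, is the sum of all code sections, so it is not a reliable size for one section. The following is an added, dependency-free C# example (not Kao's dnlib snippet and not part of this thread) that walks the PE headers by hand, finds the section containing AddressOfEntryPoint, and returns its raw bytes ready to hand to a disassembler. It assumes a well-formed PE32 or PE32+ file; the header offsets are those of the PE/COFF specification.

```csharp
using System;
using System.IO;
using System.Text;

// Added example: locate the section that contains the entry point without a PE library.
static class PeCodeLocator
{
    public sealed class CodeRegion
    {
        public string SectionName;
        public uint VirtualAddress;   // RVA at which the section is mapped
        public uint VirtualSize;      // size in memory (may be 0 with some linkers)
        public uint RawOffset;        // PointerToRawData: where the bytes sit in the file
        public uint RawSize;          // SizeOfRawData
        public uint EntryPointRva;    // AddressOfEntryPoint from the optional header
        public uint SizeOfCode;       // sum of all code sections, kept only for comparison
        public bool Is64Bit;          // PE32+ (magic 0x20B) vs PE32 (0x10B)
        public byte[] Bytes;          // raw section bytes as stored on disk
    }

    public static CodeRegion LocateEntrySection(byte[] image)
    {
        // e_lfanew at 0x3C gives the offset of the "PE\0\0" signature.
        if (image.Length < 0x40 || image[0] != 'M' || image[1] != 'Z')
            throw new BadImageFormatException("missing MZ header");
        int peOffset = BitConverter.ToInt32(image, 0x3C);
        if (peOffset < 0 || peOffset + 24 > image.Length ||
            BitConverter.ToUInt32(image, peOffset) != 0x00004550)
            throw new BadImageFormatException("missing PE signature");

        // IMAGE_FILE_HEADER (20 bytes) follows the signature.
        int fileHeader = peOffset + 4;
        ushort numberOfSections = BitConverter.ToUInt16(image, fileHeader + 2);
        ushort sizeOfOptionalHeader = BitConverter.ToUInt16(image, fileHeader + 16);

        // IMAGE_OPTIONAL_HEADER: Magic, SizeOfCode (+4), AddressOfEntryPoint (+16)
        // sit at the same offsets in PE32 and PE32+.
        int optionalHeader = fileHeader + 20;
        bool is64 = BitConverter.ToUInt16(image, optionalHeader) == 0x20B;
        uint sizeOfCode = BitConverter.ToUInt32(image, optionalHeader + 4);
        uint entryRva = BitConverter.ToUInt32(image, optionalHeader + 16);

        // Section table: one 40-byte IMAGE_SECTION_HEADER per section.
        int sectionTable = optionalHeader + sizeOfOptionalHeader;
        for (int i = 0; i < numberOfSections; i++)
        {
            int s = sectionTable + i * 40;
            if (s + 40 > image.Length)
                throw new BadImageFormatException("section table runs past end of file");
            uint virtualSize = BitConverter.ToUInt32(image, s + 8);
            uint virtualAddress = BitConverter.ToUInt32(image, s + 12);
            uint sizeOfRawData = BitConverter.ToUInt32(image, s + 16);
            uint pointerToRawData = BitConverter.ToUInt32(image, s + 20);

            // Some linkers write VirtualSize == 0; fall back to the raw size for the range test.
            uint span = Math.Max(virtualSize, sizeOfRawData);
            if (entryRva < virtualAddress || entryRva >= virtualAddress + span)
                continue;

            // Clamp the read to what the file actually contains (truncated/packed files).
            long available = (long)image.Length - pointerToRawData;
            int toRead = (int)Math.Min(sizeOfRawData, Math.Max(0L, available));
            var bytes = new byte[toRead];
            if (toRead > 0)
                Buffer.BlockCopy(image, (int)pointerToRawData, bytes, 0, toRead);

            return new CodeRegion
            {
                SectionName = Encoding.ASCII.GetString(image, s, 8).TrimEnd('\0'),
                VirtualAddress = virtualAddress,
                VirtualSize = virtualSize,
                RawOffset = pointerToRawData,
                RawSize = sizeOfRawData,
                EntryPointRva = entryRva,
                SizeOfCode = sizeOfCode,
                Is64Bit = is64,
                Bytes = bytes,
            };
        }
        throw new BadImageFormatException("entry point RVA is not inside any section");
    }

    static void Main(string[] args)
    {
        var region = LocateEntrySection(File.ReadAllBytes(args[0]));
        Console.WriteLine("{0}: RVA 0x{1:X}, raw offset 0x{2:X}, raw size 0x{3:X}, {4}",
            region.SectionName, region.VirtualAddress, region.RawOffset, region.RawSize,
            region.Is64Bit ? "PE32+" : "PE32");
        Console.WriteLine("SizeOfCode (all code sections) = 0x{0:X}", region.SizeOfCode);
        // Offset of the entry point inside region.Bytes, useful as the start of disassembly.
        Console.WriteLine("entry point at section offset 0x{0:X}",
            region.EntryPointRva - region.VirtualAddress);
        // region.Bytes can now be passed to CapstoneDisassembler.DisassembleAll, choosing
        // DisassembleMode.Bit64 when region.Is64Bit is true.
    }
}
```

The range test uses the larger of VirtualSize and SizeOfRawData because either can be the smaller one (uninitialized tail vs. file alignment padding); the raw read is clamped to the file length so a truncated or packed file yields a short buffer rather than an exception. Packed or multi-section-code binaries still need the judgement Kao describes: this only finds the section the entry point lives in.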


Thanks again Kao!

In my case it should be a fairly easy exe, so 1st section is the one to check! :)

If you have issues with Capstone, you could also check out SharpDisasm. I use it in one of my current projects and it's very straightforward to get working and use:

http://sharpdisasm.codeplex.com/


Thanks atom0s, it works very well for my needs!
