Jump to content
Tuts 4 You

Capstone.net with a file

swell

By swell
in Programming and Coding

Recommended Posts

swell

swell

Posted
Posted

I try to use capstone.net: https://github.com/9ee1/Capstone.NET

The sample works fine with a byte array, but when I try it with a PE file it doesn't work.

I've replaced the byte array from sample with File.ReadAllBytes(filePath); but it doesn't work.

I suspect that I have to only give the code section to capstone and not the entire file. If this is the case, what is the best method to do it?

Thanks in advance!

kao

kao

Posted
Posted

Yes, it's a pure disassembler and knows nothing about file formats. :)


 


Use your favorite PE parser class to locate the code you're interested in. Quick & crappy example using dnlib:




PEImage pe = new PEImage(args[0]);

var entrypoint = pe.ToFileOffset(pe.ImageNTHeaders.OptionalHeader.AddressOfEntryPoint);
// just read 0x100 bytes from PE entrypoint

var strm = pe.CreateStream(entrypoint, 0x100);

byte[] bytes = new byte[0x100];

strm.Read(bytes, 0, 0x100);
// and disassemble them

using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32))

{

            disassembler.EnableDetails = true;

            disassembler.Syntax = DisassembleSyntaxOptionValue.Intel;

            var instructions = disassembler.DisassembleAll(bytes);

            .....

}

  • Like 1
swell

swell

Posted
  • Author
Posted (edited)

Thanks Kao, one last question...

How do I know the size of the code section?

UPDATE:

The code starts at AddressOfEntryPoint & finishes at AddressOfEntryPoint + SizeOfCode?

Edited by swell
kao

kao

Posted
Posted

You don't. Because there is no dedicated "code section" in PE files.

In most EXE files, code is located in 1st section. Mixed mode assemblies mix .NET code, x86 code and data in 1st section. Some PE packers compress all sections and put their own code in last section. Drivers split their code in several sections, so that one-time-initialization code can be discarded after execution. But this is not a rule or anything..

So, you somehow need to figure out where in the exe is the code you're interested in.. ;-) Once you figure that one out, check the documentation of the PE parser you're using.

  • Like 1
swell

swell

Posted
  • Author
Posted

Thanks again Kao!

In my case it should be a fairly easy exe, so 1st section is the one to check! :)

atom0s

atom0s

Posted
Posted

If you have issues with Capstone, you could also check out SharpDisasm. I use it in one of my current projects and it's very straight forward to get working and use:

http://sharpdisasm.codeplex.com/

  • Like 1
swell

swell

Posted
  • Author
Posted

Thanks atom0s, it works very well for my needs!

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Go to topic listing
×
×
  • Create New...