swell Posted August 31, 2015 Share Posted August 31, 2015 I try to use capstone.net: https://github.com/9ee1/Capstone.NET The sample works fine with a byte array, but when I try it with a PE file it doesn't work. I've replaced the byte array from sample with File.ReadAllBytes(filePath); but it doesn't work. I suspect that I have to only give the code section to capstone and not the entire file. If this is the case, what is the best method to do it? Thanks in advance! Link to comment
kao Posted August 31, 2015 Share Posted August 31, 2015 Yes, it's a pure disassembler and knows nothing about file formats. Use your favorite PE parser class to locate the code you're interested in. Quick & crappy example using dnlib: PEImage pe = new PEImage(args[0]); var entrypoint = pe.ToFileOffset(pe.ImageNTHeaders.OptionalHeader.AddressOfEntryPoint); // just read 0x100 bytes from PE entrypoint var strm = pe.CreateStream(entrypoint, 0x100); byte[] bytes = new byte[0x100]; strm.Read(bytes, 0, 0x100); // and disassemble them using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32)) { disassembler.EnableDetails = true; disassembler.Syntax = DisassembleSyntaxOptionValue.Intel; var instructions = disassembler.DisassembleAll(bytes); ..... } 1 Link to comment
swell Posted August 31, 2015 Author Share Posted August 31, 2015 (edited) Thanks Kao, one last question... How do I know the size of the code section? UPDATE: The code starts at AddressOfEntryPoint & finishes at AddressOfEntryPoint + SizeOfCode? Edited August 31, 2015 by swell Link to comment
kao Posted August 31, 2015 Share Posted August 31, 2015 You don't. Because there is no dedicated "code section" in PE files.In most EXE files, code is located in 1st section. Mixed mode assemblies mix .NET code, x86 code and data in 1st section. Some PE packers compress all sections and put their own code in last section. Drivers split their code in several sections, so that one-time-initialization code can be discarded after execution. But this is not a rule or anything..So, you somehow need to figure out where in the exe is the code you're interested in.. ;-) Once you figure that one out, check the documentation of the PE parser you're using. 1 Link to comment
swell Posted August 31, 2015 Author Share Posted August 31, 2015 Thanks again Kao! In my case it should be a fairly easy exe, so 1st section is the one to check! Link to comment
atom0s Posted September 2, 2015 Share Posted September 2, 2015 If you have issues with Capstone, you could also check out SharpDisasm. I use it in one of my current projects and it's very straight forward to get working and use: http://sharpdisasm.codeplex.com/ 1 Link to comment
swell Posted September 7, 2015 Author Share Posted September 7, 2015 Thanks atom0s, it works very well for my needs! Link to comment
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now