Tuts 4 You

Capstone.net with a file

swell
I'm trying to use Capstone.NET: https://github.com/9ee1/Capstone.NET

The sample works fine with a byte array, but when I try it with a PE file it doesn't work.

I've replaced the byte array from the sample with File.ReadAllBytes(filePath), but it doesn't work.

I suspect that I have to only give the code section to capstone and not the entire file. If this is the case, what is the best method to do it?

Thanks in advance!

kao

Yes, it's a pure disassembler and knows nothing about file formats. :)
Use your favorite PE parser class to locate the code you're interested in. Quick & crappy example using dnlib:

```csharp
using System;
using dnlib.PE;
using Gee.External.Capstone;
using Gee.External.Capstone.X86;

PEImage pe = new PEImage(args[0]);
// just read 0x100 bytes from the PE entrypoint (RVA -> file offset)
var entrypoint = pe.ToFileOffset(pe.ImageNTHeaders.OptionalHeader.AddressOfEntryPoint);
byte[] bytes = new byte[0x100];
using (var strm = pe.CreateStream(entrypoint, 0x100))
{
    strm.Read(bytes, 0, 0x100);
}
// and disassemble them
using (var disassembler = CapstoneDisassembler.CreateX86Disassembler(DisassembleMode.Bit32))
{
    disassembler.EnableDetails = true;
    disassembler.Syntax = DisassembleSyntaxOptionValue.Intel;
    var instructions = disassembler.DisassembleAll(bytes);
    foreach (var instruction in instructions)
    {
        Console.WriteLine($"{instruction.Address:X8}  {instruction.Mnemonic} {instruction.Operand}");
    }
}
```

swell

Thanks Kao, one last question...

How do I know the size of the code section?

UPDATE:

The code starts at AddressOfEntryPoint & finishes at AddressOfEntryPoint + SizeOfCode?

kao

You don't. Because there is no dedicated "code section" in PE files.

In most EXE files, code is located in the 1st section. Mixed mode assemblies mix .NET code, x86 code and data in the 1st section. Some PE packers compress all sections and put their own code in the last section. Drivers split their code across several sections, so that one-time initialization code can be discarded after execution. But this is not a rule or anything.

So, you somehow need to figure out where in the exe the code you're interested in is located. ;-) Once you figure that one out, check the documentation of the PE parser you're using.

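To put kao's point into practice, here is an added example (not from the thread, and not dnlib or Capstone.NET code) that does with Python's struct module what a PE parser class does for you: it walks the section table, finds the section that contains AddressOfEntryPoint, maps that RVA to a file offset the way dnlib's ToFileOffset does, and returns the raw bytes you would hand to the disassembler. It also reads SizeOfCode from the optional header so you can compare it with the section sizes. The PE image is constructed inline and is not a real program.

```python
import struct

# Section Characteristics bits from the PE/COFF spec (winnt.h names)
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def parse_pe(image):
    """Return (AddressOfEntryPoint, SizeOfCode, section list) read from the PE headers."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<2xH12xH", image, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 20-byte file header
    size_of_code = struct.unpack_from("<I", image, opt + 4)[0]    # SizeOfCode
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]      # AddressOfEntryPoint
    sections = []
    for i in range(num_sections):
        hdr = SECTION_HDR.unpack_from(image, opt + opt_size + i * SECTION_HDR.size)
        name, vsize, va, raw_size, raw_ptr, flags = hdr[0], hdr[1], hdr[2], hdr[3], hdr[4], hdr[9]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size,
                         "executable": bool(flags & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE))})
    return entry_rva, size_of_code, sections

def entry_point_code(image):
    """Find the section holding AddressOfEntryPoint; return (name, file offset, bytes from EP to section end)."""
    entry_rva, _, sections = parse_pe(image)
    for s in sections:
        if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["raw_size"]):
            offset = s["raw_ptr"] + (entry_rva - s["va"])  # RVA -> file offset, like dnlib's ToFileOffset
            return s["name"], offset, image[offset:s["raw_ptr"] + s["raw_size"]]
    raise ValueError("entry point lies outside every section")

def build_sample_pe():
    """Constructed minimal PE32 image with .text and .data sections; not a real program."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                            # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HH12xHH", img, 0x44, 0x14C, 2, 0xE0, 0x0102)    # i386, 2 sections, PE32 opt header
    struct.pack_into("<HxxI8xI", img, 0x58, 0x10B, 0x200, 0x1010)      # Magic, SizeOfCode, AddressOfEntryPoint
    SECTION_HDR.pack_into(img, 0x138, b".text", 0x100, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    SECTION_HDR.pack_into(img, 0x160, b".data", 0x80, 0x2000, 0x200, 0x400, 0, 0, 0, 0, 0xC0000040)
    img[0x210:0x214] = bytes.fromhex("558becc3")  # constructed stub at the EP: push ebp; mov ebp,esp; ret
    return bytes(img)
```

The bytes returned by entry_point_code are what you would pass to DisassembleAll; the .data section is correctly ignored even though it comes right after the code.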
swell

Thanks again Kao!

In my case it should be a fairly easy exe, so the 1st section is the one to check! :)
atom0s

If you have issues with Capstone, you could also check out SharpDisasm. I use it in one of my current projects and it's very straightforward to get working and use:

http://sharpdisasm.codeplex.com/

swell

Thanks atom0s, it works very well for my needs!
