Bruce's favorite x86/x64 disassembly library is BeaEngine by BeatriX (www.beaengine.org). Experiment with it by writing a program to disassemble a binary at its entry point.
This program is called the Burdensome Arbitrary Disassembler (BAD). You must supply the file name and the file offset of the entry point as arguments. Parsing PE and ELF files is pretty trivial, but then it wouldn't be BAD.

#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>

#define BEA_USE_STDCALL
#include "headers/BeaEngine.h"

/* Read the whole file into a freshly allocated buffer; returns NULL on any error. */
uint8_t *read_file(const char *file_name, long *file_size)
{
    FILE *fp = fopen(file_name, "rb");
    uint8_t *dest;

    if (fp == NULL)
        return NULL;
    fseek(fp, 0, SEEK_END);
    *file_size = ftell(fp);
    rewind(fp);
    if (*file_size <= 0 || (dest = malloc((size_t) *file_size)) == NULL) {
        fclose(fp);
        return NULL;
    }
    if (fread(dest, 1, (size_t) *file_size, fp) != (size_t) *file_size) {
        free(dest);
        fclose(fp);
        return NULL;
    }
    fclose(fp);
    return dest;
}

void disassemble(const char *file_name, uint64_t offset)
{
    DISASM dsBea;
    int len;            /* Disasm() returns UNKNOWN_OPCODE (-1); an unsigned len would never match it */
    uint8_t *pe_file;
    long file_size;

    pe_file = read_file(file_name, &file_size);
    if (pe_file == NULL || offset >= (uint64_t) file_size) {
        fprintf(stderr, "cannot read %s, or offset is past the end of the file\n", file_name);
        free(pe_file);
        return;
    }
    file_size -= (long) offset;

    memset(&dsBea, 0, sizeof(DISASM));
    dsBea.Archi = 64;                                 /* decode as x64 */
    dsBea.EIP = (uint64_t) (pe_file + offset);        /* buffer address to start decoding from */

    while (file_size > 0) {
        dsBea.SecurityBlock = (uint32_t) file_size;   /* keep BeaEngine from reading past the buffer */
        len = Disasm(&dsBea);
        if (len == UNKNOWN_OPCODE || len == OUT_OF_BLOCK)
            break;
        puts(dsBea.CompleteInstr);
        dsBea.EIP += (uint64_t) len;
        file_size -= (long) len;
    }
    free(pe_file);
}

int main(int argc, char *argv[])
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <file> <entry point file offset>\n", argv[0]);
        return 1;
    }
    /* base 0 accepts decimal (3312) as well as hex (0xCF0) */
    disassemble(argv[1], (uint64_t) strtoull(argv[2], NULL, 0));
    return 0;
}
Here is an example of disassembly:
C:\BAD\x64\Debug>bad test.exe 3312
sub rsp, 28h
call 0047BCB0h
call 0047AB50h
add rsp, 28h
ret
...
This matches IDA's output (apart from the address offsets, which IDA maps to virtual addresses and BAD does not).
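BAD leaves the entry point's file offset to the user. The step it skips, computing that offset from the PE headers, is shown below as an added example; it is not part of the original post and does not use BeaEngine. It walks the DOS header, PE signature, optional header and section table, bounds-checking every field before reading it, maps the AddressOfEntryPoint RVA to a raw file offset through the section that contains it, and returns -1 for a truncated or malformed image rather than reading out of bounds. The PE32+ image it builds in memory is constructed for the demonstration, and the function names (pe_entry_file_offset, build_sample_pe, sample_entry_offset, sample_truncated_offset) are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Little-endian field readers/writers; callers bounds-check before use. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Map AddressOfEntryPoint (an RVA) to a file offset via the section table.
 * Returns -1 if the buffer is not a PE, is truncated, or the RVA lies in no
 * section. Every header field is treated as untrusted input. */
long pe_entry_file_offset(const uint8_t *buf, size_t size)
{
    if (size < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
    uint32_t pe = rd32(buf + 0x3C);                           /* e_lfanew */
    /* need "PE\0\0" (4) + COFF header (20) + first 20 bytes of the optional header */
    if (pe > size || size - pe < 44 || memcmp(buf + pe, "PE\0\0", 4) != 0) return -1;
    const uint8_t *coff = buf + pe + 4;
    uint16_t nsect = rd16(coff + 2);                          /* NumberOfSections */
    uint16_t opt_size = rd16(coff + 16);                      /* SizeOfOptionalHeader */
    const uint8_t *opt = coff + 20;
    uint16_t magic = rd16(opt);
    if (magic != 0x10b && magic != 0x20b) return -1;          /* PE32 or PE32+ */
    uint32_t entry_rva = rd32(opt + 16);                      /* AddressOfEntryPoint */
    size_t sect_off = (size_t)pe + 24 + opt_size;
    if (sect_off > size || (size - sect_off) / 40 < nsect) return -1;   /* table must fit */
    for (uint16_t i = 0; i < nsect; i++) {
        const uint8_t *s = buf + sect_off + (size_t)i * 40;
        uint32_t vsize = rd32(s + 8), va = rd32(s + 12);
        uint32_t rawsize = rd32(s + 16), rawptr = rd32(s + 20);
        uint32_t span = vsize > rawsize ? vsize : rawsize;
        if (entry_rva >= va && entry_rva - va < span) {
            uint64_t off = (uint64_t)rawptr + (entry_rva - va);
            return off < size ? (long)off : -1;               /* reject offsets past end of file */
        }
    }
    return -1;
}

#define SAMPLE_SIZE 0x600

/* Build a minimal PE32+ image in memory (constructed for this example, not a
 * real binary): one .text section at RVA 0x1000 backed by file offset 0x200,
 * entry point at RVA 0x1234. Returns the number of bytes written. */
size_t build_sample_pe(uint8_t *buf, size_t cap)
{
    const uint32_t pe = 0x80;
    if (cap < SAMPLE_SIZE) return 0;
    memset(buf, 0, SAMPLE_SIZE);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, pe);                                     /* e_lfanew */
    memcpy(buf + pe, "PE\0\0", 4);
    uint8_t *coff = buf + pe + 4;
    wr16(coff + 0, 0x8664);                                   /* Machine: x64 */
    wr16(coff + 2, 1);                                        /* NumberOfSections */
    wr16(coff + 16, 240);                                     /* SizeOfOptionalHeader for PE32+ */
    uint8_t *opt = coff + 20;
    wr16(opt + 0, 0x20b);                                     /* Magic: PE32+ */
    wr32(opt + 16, 0x1234);                                   /* AddressOfEntryPoint */
    uint8_t *sec = buf + pe + 24 + 240;                       /* first section header */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x800);                                     /* VirtualSize */
    wr32(sec + 12, 0x1000);                                   /* VirtualAddress */
    wr32(sec + 16, 0x400);                                    /* SizeOfRawData */
    wr32(sec + 20, 0x200);                                    /* PointerToRawData */
    return SAMPLE_SIZE;
}

/* Entry offset of the sample image: 0x1234 - 0x1000 + 0x200 = 0x434. */
long sample_entry_offset(void)
{
    uint8_t img[SAMPLE_SIZE];
    return pe_entry_file_offset(img, build_sample_pe(img, sizeof img));
}

/* The same image cut off after 0x100 bytes: the section table no longer fits,
 * so the parser refuses instead of reading past the buffer. */
long sample_truncated_offset(void)
{
    uint8_t img[SAMPLE_SIZE];
    build_sample_pe(img, sizeof img);
    return pe_entry_file_offset(img, 0x100);
}

int main(void)
{
    printf("entry point file offset: 0x%lx\n", sample_entry_offset());
    printf("truncated image: %ld\n", sample_truncated_offset());
    return 0;
}
```

The value it returns is the second argument BAD expects. PE32 and PE32+ are handled alike because AddressOfEntryPoint sits at the same position in both optional headers. Treating every header field as untrusted matters for a tool meant to open arbitrary binaries: an oversized e_lfanew, NumberOfSections or PointerToRawData would otherwise turn the parser into an out-of-bounds read.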