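        /// <summary>
        /// Loads a PE image from disk, seeds <c>FullProcList</c> with its entry point, exports and
        /// imports, and starts the background disassembly worker.
        /// </summary>
        /// <param name="FName">Path of the PE file to load. Its contents are untrusted input to the parser.</param>
        /// <exception cref="InvalidOperationException">A previous load is still running on the worker.</exception>
        public void LoadFile(string FName)
        {
            // Re-entrancy guard: RunWorkerAsync would throw on a busy worker anyway, but only after
            // FullProcList had already been partly rebuilt for the new file.
            if (bw.IsBusy)
            {
                throw new InvalidOperationException("Cannot load '" + FName + "': a previous load is still in progress.");
            }

            RaiseLogEvent(this, "Loading " + FName);
            assembly = Win32Assembly.LoadFile(FName);
            MeDisasm = new mediana(assembly);

            int sectIndex = 0;
            foreach (Section sect in assembly.NTHeader.Sections)
            {
                RaiseLogEvent(this, sectIndex.ToString() + ". Creating a new segment " + sect.RVA.ToString("X8") + " - " + (sect.RVA + sect.VirtualSize).ToString("X8") + "... ... OK");
                sectIndex++;
            }

            // NOTE(review): ImageBase is truncated to 32 bits here and in the export/import loops, and
            // the decoder below is fixed to 32-bit mode, so a PE32+ image would be mis-based. Confirm
            // that only PE32 files are expected, or reject other images at this point.
            TFunc fnc = new TFunc((uint)assembly.NTHeader.OptionalHeader.ImageBase + assembly.NTHeader.OptionalHeader.Entrypoint.Rva, 0, 0, "main");

            // Decode the first instruction at the (header-supplied) entry point as a smoke test;
            // only the mnemonic is printed, the result is not kept.
            byte[] sf_prefixes = new byte[mediana.MAX_INSTRUCTION_LEN];
            mediana.INSTRUCTION         instr1 = new mediana.INSTRUCTION();
            mediana.DISASM_INOUT_PARAMS param  = new mediana.DISASM_INOUT_PARAMS();
            param.arch        = mediana.ARCH_ALL;
            param.sf_prefixes = sf_prefixes;
            param.mode        = mediana.DISMODE.DISASSEMBLE_MODE_32;
            param.options     = (byte)(mediana.DISASM_OPTION_APPLY_REL | mediana.DISASM_OPTION_OPTIMIZE_DISP);
            param.bas         = assembly.NTHeader.OptionalHeader.ImageBase;
            MeDisasm.medi_disassemble(RVA2FO(fnc.Addr), ref instr1, ref param);
            Console.WriteLine(instr1.mnemonic);

            // Entry point first (kind 0), then exports (kind 2), then imports (kind 3).
            FullProcList.AddFunc(fnc);
            foreach (ExportMethod func in assembly.LibraryExports)
            {
                TFunc exported = new TFunc((uint)assembly.NTHeader.OptionalHeader.ImageBase + func.RVA, 2, func.Ordinal, func.Name);
                FullProcList.AddFunc(exported);
            }
            foreach (LibraryReference lib in assembly.LibraryImports)
            {
                foreach (ImportMethod func in lib.ImportMethods)
                {
                    TFunc imported = new TFunc((uint)assembly.NTHeader.OptionalHeader.ImageBase + func.RVA, 3, func.Ordinal, func.Name, lib.LibraryName);
                    FullProcList.AddFunc(imported);
                }
            }

            bw.WorkerSupportsCancellation = true;
            bw.WorkerReportsProgress      = false;
            // Unsubscribe before subscribing: the original only ever added, so every repeated
            // LoadFile stacked another copy of each handler on the same worker.
            bw.DoWork             -= bw_DoWork;
            bw.DoWork             += bw_DoWork;
            bw.RunWorkerCompleted -= bw_RunWorkerCompleted;
            bw.RunWorkerCompleted += bw_RunWorkerCompleted;
            bw.RunWorkerAsync();
        }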
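        /// <summary>
        /// Disassembles the function that starts at file offset <paramref name="addr"/> by walking
        /// control flow over a work list: each decoded instruction is appended to <paramref name="lst"/>,
        /// direct branch targets are queued for decoding and given a <c>Loc_</c> label, and the walk
        /// ends at the first <c>ret</c> or when no queued offset is left.
        /// </summary>
        /// <param name="lst">Receives one <see cref="Stroka"/> per decoded instruction; sorted by address on return.</param>
        /// <param name="addr">File offset of the first instruction.</param>
        /// <param name="ProcList">Known procedures keyed by the address an indirect <c>call [mem]</c> goes
        /// through; a call whose name contains "ExitProcess" is treated as non-returning.</param>
        /// <returns>Distance from <paramref name="addr"/> to the end of the furthest instruction decoded.</returns>
        public long DisasmFunc(List <Stroka> lst, long addr, MyDictionary ProcList)
        {
            // Work-list state. Offsets are file offsets; they are converted with FO2RVA only for
            // labels and for rewritten branch operands.
            List <long> pending  = new List <long>();   // file offsets still to decode
            List <long> done     = new List <long>();   // file offsets already decoded
            List <int>  labels   = new List <int>();    // RVAs of branch targets that get a Loc_ label
            long        startAdr = addr;
            long        endAddr  = addr;

            byte[] sf_prefixes = new byte[mediana.MAX_INSTRUCTION_LEN];
            mediana.DISASM_INOUT_PARAMS param = new mediana.DISASM_INOUT_PARAMS();
            param.arch        = mediana.ARCH_ALL;
            param.sf_prefixes = sf_prefixes;
            param.mode        = mediana.DISMODE.DISASSEMBLE_MODE_32;
            param.options     = (byte)(mediana.DISASM_OPTION_APPLY_REL | mediana.DISASM_OPTION_OPTIMIZE_DISP);
            // NOTE(review): the +2000 bias differs from the plain ImageBase used in LoadFile and is
            // unexplained; confirm it is intentional.
            param.bas         = assembly.NTHeader.OptionalHeader.ImageBase + 2000;

            mediana.INSTRUCTION instr1 = new mediana.INSTRUCTION();
            uint Len = 0;

            pending.Add(addr);
            while (pending.Count > 0)
            {
                long cur = pending[0];
                pending.RemoveAt(0);
                done.Add(cur);

                instr1 = new mediana.INSTRUCTION();
                Len    = MeDisasm.medi_disassemble(cur, ref instr1, ref param);
                if (endAddr < cur + Len)
                {
                    endAddr = cur + Len;
                }
                Console.WriteLine(instr1.mnemonic);   // debug trace kept from the original
                lst.Add(new Stroka(this, instr1));

                // Branch displacements are read straight from the file, so a crafted binary steers every
                // offset queued below. The done/pending checks stop loops and QueueOnce rejects negative
                // offsets, but nothing bounds a target against the image size — NOTE(review): add that.
                // Displacements are decoded with their real width and sign (rel8 via sbyte, rel32 via
                // BitConverter); the original read one zero-extended byte, which mis-resolved every
                // backward jump and every forward jump beyond 255 bytes.
                switch (instr1.bytes[0])
                {
                case 0x0F:
                    // Two-byte opcode map: 0F 84 jz, 0F 85 jnz, 0F 86 jbe — each carries a signed rel32.
                    if (instr1.bytes[1] == 0x84 || instr1.bytes[1] == 0x85 || instr1.bytes[1] == 0x86)
                    {
                        long target = (long)instr1.Addr + Len + BitConverter.ToInt32(instr1.bytes, 2);
                        QueueOnce(pending, done, target);
                        instr1.ops[0].value.imm.imm64 = (ulong)AddLabel(labels, target);
                    }
                    break;

                case 0x74:    // jz rel8
                case 0x75:    // jnz rel8
                {
                    long target = (long)instr1.Addr + Len + (sbyte)instr1.bytes[1];
                    QueueOnce(pending, done, target);
                    instr1.ops[0].value.imm.imm64 = (ulong)AddLabel(labels, target);
                    break;
                }

                case 0xC2:    // retn imm16
                case 0xC3:    // retn
                    // The walk stops at the first ret and anything still pending is dropped. This is the
                    // original behaviour (a `continue` was tried and replaced by `goto _end`), so branch
                    // targets queued before the ret are never decoded — NOTE(review): confirm intended.
                    instr1.Addr = FO2RVA((ulong)instr1.Addr);
                    goto _end;

                case 0xE8:    // call rel32 — rewrite the operand to the callee's RVA, do not follow it
                {
                    long target = (long)instr1.Addr + Len + BitConverter.ToInt32(instr1.bytes, 1);
                    instr1.ops[0].value.imm.imm64 = (ulong)(int)FO2RVA((ulong)target);
                    break;
                }

                case 0xEB:    // jmp rel8 — unconditional, so no fall-through is queued
                {
                    long target = (long)instr1.Addr + Len + (sbyte)instr1.bytes[1];
                    QueueOnce(pending, done, target);
                    // As in the original the operand is left as the decoder produced it; the label is
                    // stored as an RVA so it matches the key used by every other branch case.
                    AddLabel(labels, target);
                    continue;
                }

                case 0xE9:    // jmp rel32 — unconditional
                {
                    long target = (long)instr1.Addr + Len + BitConverter.ToInt32(instr1.bytes, 1);
                    QueueOnce(pending, done, target);
                    instr1.ops[0].value.imm.imm64 = (ulong)AddLabel(labels, target);
                    continue;
                }

                case 0xFF:
                    if (instr1.bytes[1] == 0x15)    // call [disp32], typically an import thunk
                    {
                        long a = (long)instr1.disp.value.d64;
                        Console.WriteLine(a.ToString("X"));
                        // NOTE(review): substring match — any import whose name merely contains
                        // "ExitProcess" ends the path here, not only kernel32!ExitProcess.
                        if (ProcList.ContainsKey(a) && ProcList[a].FName.Contains("ExitProcess"))
                        {
                            continue;   // non-returning call: no fall-through
                        }
                    }
                    break;
                }

                // Fall-through successor, then present this line's address as an RVA.
                QueueOnce(pending, done, (long)instr1.Addr + Len);
                instr1.Addr = FO2RVA((ulong)instr1.Addr);
            }
_end:
            // Order by address so labels and the listing read sequentially.
            lst.Sort(delegate(Stroka x, Stroka y)
            {
                if (x.addr > y.addr)
                {
                    return(1);
                }
                if (x.addr == y.addr)
                {
                    return(0);
                }
                return(-1);
            });

            // Attach a Loc_ label to every line that is a branch target.
            foreach (uint labelAddr in labels)
            {
                Stroka line = lst.Find(
                    delegate(Stroka s){ return(s.addr == labelAddr); }
                    );
                if (line != null)
                {
                    line.Label = "Loc_" + line.Inst.Addr.ToString("X8").Remove(0, 2);
                }
            }
            return(endAddr - startAdr);
        }

        /// <summary>
        /// Queues <paramref name="target"/> (a file offset) for decoding unless it is negative or
        /// has already been decoded or queued.
        /// </summary>
        private static void QueueOnce(List<long> pending, List<long> done, long target)
        {
            if (target < 0)
            {
                return;   // a negative file offset can never be valid
            }
            if (!done.Contains(target) && !pending.Contains(target))
            {
                pending.Add(target);
            }
        }

        /// <summary>
        /// Converts a branch target file offset to its RVA, records it for a Loc_ label (once) and
        /// returns it so the caller can rewrite the branch operand. The original compared the
        /// un-converted file offset against a list of RVAs, so its de-duplication never matched
        /// the intended entry and could skip the operand rewrite on a coincidental collision.
        /// </summary>
        private int AddLabel(List<int> labels, long targetFileOffset)
        {
            int rva = (int)FO2RVA((ulong)targetFileOffset);
            if (!labels.Contains(rva))
            {
                labels.Add(rva);
            }
            return rva;
        }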