Example #1
0
 /// <summary>
 /// Initializes a new instance of the Instruction class, using a BeaEngine instruction.
 /// </summary>
 /// <param name="inst">the BeaEngine instruction</param>
 internal Instruction(BeaEngine._Disasm inst)
 {
     this.Address = (IntPtr)inst.VirtualAddr;
     this.Mnemonic = inst.Instruction.Mnemonic;
     this.stringRepresentation = inst.CompleteInstr;
     this.BranchTarget = (IntPtr)inst.Instruction.AddrValue;
     this.FlowType = Instruction.GetFlowControl(this.Mnemonic);
     this.NumBytes = (uint)inst.Length;
     this.Arg1 = new InstructionArgument(inst.Argument1);
     this.Arg2 = new InstructionArgument(inst.Argument2);
     this.Arg3 = new InstructionArgument(inst.Argument3);
 }
Example #2
0
        public static int[] GetAddressMaskLocs(ref byte[] bytes, uint[] rva) // Returns: list of address byte locations
        {
            if (rva.Length < 3)
            {
                return new int[] { }
            }
            ;
            UnmanagedBuffer buffer = new UnmanagedBuffer(ref bytes);

            BeaEngine._Disasm disasm = new BeaEngine._Disasm();
            ulong             begin  = (ulong)buffer.Ptr.ToInt64();
            ulong             end    = begin + (ulong)(rva[1] + rva[2]);

            disasm.InstructionPointer = (UIntPtr)(begin + rva[1]); // We start from section start, rather than entry point
            int result, off, n;

            List <int> locs = new List <int>();

            while (disasm.InstructionPointer.ToUInt64() < end)
            {
                result = BeaEngine.Disassemble(ref disasm, true);

                if (result == BeaEngine.UnknownOpcode) // This is not good practice, but not sure, what else I can do
                {
                    Console.WriteLine("UnknownOpcode (" + bytes[(int)(disasm.InstructionPointer.ToUInt64() - begin)].ToString("X2") + ") at: " + (disasm.InstructionPointer.ToUInt64() - begin).ToString() + " skipping 1 byte.");
                    result = 1;
                }
                if (result == BeaEngine.OutOfBlock)
                {
                    break;
                }
                //if (result < 5) // Does not contain address
                if (result > 4) // Mask addresses
                {
                    off  = result % 4;
                    n    = result - off;
                    off += (int)(disasm.InstructionPointer.ToUInt64() - begin);
                    for (int i = 0; i < n; i++)
                    {
                        locs.Add(off + i);
                    }
                }
                disasm.InstructionPointer = (UIntPtr)(disasm.InstructionPointer.ToUInt64() + (ulong)result);
            }
            return(locs.ToArray());
        }
    }
Example #3
0
        public static IEnumerable <_Disasm> Disassemble(byte[] data, UIntPtr address, Architecture architecture)
        {
            GCHandle h = GCHandle.Alloc(data, GCHandleType.Pinned);
            UInt64   EndCodeSection = (UInt64)h.AddrOfPinnedObject().ToInt64() + (ulong)data.Length;

            _Disasm d = new _Disasm();

            d.InstructionPointer = (UIntPtr)h.AddrOfPinnedObject().ToInt64();
            d.VirtualAddr        = address.ToUInt64();
            d.Architecture       = architecture;
            bool error = false;

            while (!error)
            {
                d.SecurityBlock = (uint)(EndCodeSection - d.InstructionPointer.ToUInt64());

                d.Length = BeaEngine.Disassemble(ref d);
                if (d.Length == BeaEngine.OutOfBlock)
                {
                    Console.WriteLine("disasm engine is not allowed to read more memory.");
                    error = true;
                }
                else if (d.Length == BeaEngine.UnknownOpcode)
                {
                    _Disasm yieldedInst = d;
                    d.InstructionPointer = d.InstructionPointer + 1;
                    d.VirtualAddr        = d.VirtualAddr + 1;
                    yield return(yieldedInst);
                }
                else
                {
                    _Disasm yieldedInst = d;
                    d.InstructionPointer = d.InstructionPointer + d.Length;
                    d.VirtualAddr        = d.VirtualAddr + (ulong)d.Length;
                    if (d.InstructionPointer.ToUInt64() >= EndCodeSection)
                    {
                        error = true;
                    }

                    yield return(yieldedInst);
                }
            }

            yield break;
        }
Example #4
0
 public static IEnumerable <_Disasm> Disassemble(byte[] data, IntPtr address, Architecture architecture)
 {
     return(BeaEngine.Disassemble(data, new UIntPtr((ulong)address.ToInt64()), architecture));
 }
Example #5
0
 public static IEnumerable <_Disasm> Disassemble(byte[] data, ulong address, Architecture architecture)
 {
     return(BeaEngine.Disassemble(data, new UIntPtr(address), architecture));
 }
Example #6
0
 internal static extern int Disassemble64Cheetah(ref BeaEngine._Disasm instruction);
Example #7
0
 internal static extern int Disassemble32(ref BeaEngine._Disasm instruction);
Example #8
0
 /// <summary>
 /// Initializes a new instance of the InstructionArgument class based on an argument.
 /// </summary>
 /// <param name="arg">the instruction argument</param>
 internal InstructionArgument(BeaEngine.ARGTYPE arg)
 {
     this.Mnemonic = arg.ArgMnemonic;
     this.AffectsMemory = arg.Details.HasFlag(BeaEngine.ArgumentDetails.MEMORY_TYPE);
 }