/// <summary> /// Initializes a new instance of the Instruction class, using a BeaEngine instruction. /// </summary> /// <param name="inst">the BeaEngine instruction</param> internal Instruction(BeaEngine._Disasm inst) { this.Address = (IntPtr)inst.VirtualAddr; this.Mnemonic = inst.Instruction.Mnemonic; this.stringRepresentation = inst.CompleteInstr; this.BranchTarget = (IntPtr)inst.Instruction.AddrValue; this.FlowType = Instruction.GetFlowControl(this.Mnemonic); this.NumBytes = (uint)inst.Length; this.Arg1 = new InstructionArgument(inst.Argument1); this.Arg2 = new InstructionArgument(inst.Argument2); this.Arg3 = new InstructionArgument(inst.Argument3); }
public static int[] GetAddressMaskLocs(ref byte[] bytes, uint[] rva) // Returns: list of address byte locations { if (rva.Length < 3) { return new int[] { } } ; UnmanagedBuffer buffer = new UnmanagedBuffer(ref bytes); BeaEngine._Disasm disasm = new BeaEngine._Disasm(); ulong begin = (ulong)buffer.Ptr.ToInt64(); ulong end = begin + (ulong)(rva[1] + rva[2]); disasm.InstructionPointer = (UIntPtr)(begin + rva[1]); // We start from section start, rather than entry point int result, off, n; List <int> locs = new List <int>(); while (disasm.InstructionPointer.ToUInt64() < end) { result = BeaEngine.Disassemble(ref disasm, true); if (result == BeaEngine.UnknownOpcode) // This is not good practice, but not sure, what else I can do { Console.WriteLine("UnknownOpcode (" + bytes[(int)(disasm.InstructionPointer.ToUInt64() - begin)].ToString("X2") + ") at: " + (disasm.InstructionPointer.ToUInt64() - begin).ToString() + " skipping 1 byte."); result = 1; } if (result == BeaEngine.OutOfBlock) { break; } //if (result < 5) // Does not contain address if (result > 4) // Mask addresses { off = result % 4; n = result - off; off += (int)(disasm.InstructionPointer.ToUInt64() - begin); for (int i = 0; i < n; i++) { locs.Add(off + i); } } disasm.InstructionPointer = (UIntPtr)(disasm.InstructionPointer.ToUInt64() + (ulong)result); } return(locs.ToArray()); } }
public static IEnumerable <_Disasm> Disassemble(byte[] data, UIntPtr address, Architecture architecture) { GCHandle h = GCHandle.Alloc(data, GCHandleType.Pinned); UInt64 EndCodeSection = (UInt64)h.AddrOfPinnedObject().ToInt64() + (ulong)data.Length; _Disasm d = new _Disasm(); d.InstructionPointer = (UIntPtr)h.AddrOfPinnedObject().ToInt64(); d.VirtualAddr = address.ToUInt64(); d.Architecture = architecture; bool error = false; while (!error) { d.SecurityBlock = (uint)(EndCodeSection - d.InstructionPointer.ToUInt64()); d.Length = BeaEngine.Disassemble(ref d); if (d.Length == BeaEngine.OutOfBlock) { Console.WriteLine("disasm engine is not allowed to read more memory."); error = true; } else if (d.Length == BeaEngine.UnknownOpcode) { _Disasm yieldedInst = d; d.InstructionPointer = d.InstructionPointer + 1; d.VirtualAddr = d.VirtualAddr + 1; yield return(yieldedInst); } else { _Disasm yieldedInst = d; d.InstructionPointer = d.InstructionPointer + d.Length; d.VirtualAddr = d.VirtualAddr + (ulong)d.Length; if (d.InstructionPointer.ToUInt64() >= EndCodeSection) { error = true; } yield return(yieldedInst); } } yield break; }
public static IEnumerable <_Disasm> Disassemble(byte[] data, IntPtr address, Architecture architecture) { return(BeaEngine.Disassemble(data, new UIntPtr((ulong)address.ToInt64()), architecture)); }
public static IEnumerable <_Disasm> Disassemble(byte[] data, ulong address, Architecture architecture) { return(BeaEngine.Disassemble(data, new UIntPtr(address), architecture)); }
internal static extern int Disassemble64Cheetah(ref BeaEngine._Disasm instruction);
internal static extern int Disassemble32(ref BeaEngine._Disasm instruction);
/// <summary> /// Initializes a new instance of the InstructionArgument class based on an argument. /// </summary> /// <param name="arg">the instruction argument</param> internal InstructionArgument(BeaEngine.ARGTYPE arg) { this.Mnemonic = arg.ArgMnemonic; this.AffectsMemory = arg.Details.HasFlag(BeaEngine.ArgumentDetails.MEMORY_TYPE); }