/// <summary>
/// One listing line: an instruction plus its owner, comments and the instruction's RVA.
/// </summary>
/// <param name="Prnt">Owning disassembler; used to translate the instruction's file offset to an RVA.</param>
/// <param name="Ins">Decoded instruction whose <c>Addr</c> is a file offset at construction time.</param>
/// <param name="UpC">Comment shown above the line.</param>
/// <param name="Com">Comment shown on the line.</param>
/// <param name="SubC">Comment shown below the line.</param>
public Stroka(GNIDA1 Prnt, mediana.INSTRUCTION Ins, string UpC = "", string Com = "", string SubC = "")
{
    this.Parent = Prnt;
    this.Inst = Ins;
    this.UpComment = UpC;
    this.Comment = Com;
    this.SubComment = SubC;
    // Cache the RVA derived from the file offset; used for sorting and label lookup by the owner.
    var rva = Prnt.FO2RVA(Ins.Addr);
    this.addr = (uint)rva;
}
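/// <summary>
/// Loads a PE image, seeds the procedure list (entry point, exports, imports) and starts the
/// background analysis worker.
/// </summary>
/// <param name="FName">Path of the file to load. The file is untrusted input: the section table,
/// entry point and export/import tables are used exactly as the parser reports them.</param>
/// <exception cref="InvalidOperationException">A previous load is still being processed by the worker.</exception>
/// <remarks>Any exception thrown by <c>Win32Assembly.LoadFile</c> on a malformed file propagates to the caller.</remarks>
public void LoadFile(string FName)
{
    // Do not replace assembly/MeDisasm while a worker may still be reading them; RunWorkerAsync
    // would throw anyway, but only after the shared fields had already been swapped.
    if (bw.IsBusy)
    {
        throw new InvalidOperationException("A previous load is still being processed.");
    }

    RaiseLogEvent(this, "Loading " + FName);
    assembly = Win32Assembly.LoadFile(FName);
    MeDisasm = new mediana(assembly);

    int sectionIndex = 0;
    foreach (Section sect in assembly.NTHeader.Sections)
    {
        RaiseLogEvent(this, sectionIndex.ToString() + ". Creating a new segment " + sect.RVA.ToString("X8") + " - " + (sect.RVA + sect.VirtualSize).ToString("X8") + "... ... OK");
        sectionIndex++;
    }

    uint imageBase = (uint)assembly.NTHeader.OptionalHeader.ImageBase;
    TFunc fnc = new TFunc(imageBase + assembly.NTHeader.OptionalHeader.Entrypoint.Rva, 0, 0, "main");

    // Diagnostic decode of the first instruction at the entry point; only the mnemonic is printed,
    // the decoded instruction is not used further.
    byte[] sf_prefixes = new byte[mediana.MAX_INSTRUCTION_LEN];
    mediana.INSTRUCTION instr1 = new mediana.INSTRUCTION();
    mediana.DISASM_INOUT_PARAMS param = new mediana.DISASM_INOUT_PARAMS();
    param.arch = mediana.ARCH_ALL;
    param.sf_prefixes = sf_prefixes;
    param.mode = mediana.DISMODE.DISASSEMBLE_MODE_32;
    param.options = (byte)(mediana.DISASM_OPTION_APPLY_REL | mediana.DISASM_OPTION_OPTIMIZE_DISP);
    param.bas = assembly.NTHeader.OptionalHeader.ImageBase;
    MeDisasm.medi_disassemble(RVA2FO(fnc.Addr), ref instr1, ref param);
    Console.WriteLine(instr1.mnemonic);

    // Procedure kinds (second TFunc argument) are kept as in the original: 0 entry point, 2 export, 3 import.
    FullProcList.AddFunc(fnc);
    foreach (ExportMethod func in assembly.LibraryExports)
    {
        FullProcList.AddFunc(new TFunc(imageBase + func.RVA, 2, func.Ordinal, func.Name));
    }
    foreach (LibraryReference lib in assembly.LibraryImports)
    {
        foreach (ImportMethod func in lib.ImportMethods)
        {
            FullProcList.AddFunc(new TFunc(imageBase + func.RVA, 3, func.Ordinal, func.Name, lib.LibraryName));
        }
    }

    // Unsubscribe before subscribing so that repeated loads do not stack duplicate handlers
    // (removing a handler that is not subscribed is a no-op).
    bw.WorkerSupportsCancellation = true;
    bw.WorkerReportsProgress = false;
    bw.DoWork -= bw_DoWork;
    bw.DoWork += bw_DoWork;
    bw.RunWorkerCompleted -= bw_RunWorkerCompleted;
    bw.RunWorkerCompleted += bw_RunWorkerCompleted;
    bw.RunWorkerAsync();
}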
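/// <summary>
/// Disassembles the function starting at file offset <paramref name="addr"/>, following direct
/// branches, and appends one <see cref="Stroka"/> per decoded instruction to <paramref name="lst"/>
/// (the list is then sorted by RVA and branch targets receive <c>Loc_</c> labels).
/// </summary>
/// <param name="lst">Receives the decoded lines; entries already present are kept and sorted too.</param>
/// <param name="addr">File offset of the first instruction.</param>
/// <param name="ProcList">Known procedures keyed by address; used to stop after an indirect call to ExitProcess.</param>
/// <returns>Distance from <paramref name="addr"/> to the end of the highest decoded instruction (file offsets).</returns>
/// <remarks>
/// Decoding stops at the first <c>ret</c> even if branch targets are still pending (kept from the original).
/// Displacements are read from the raw instruction bytes of an untrusted file, so a target may lie
/// anywhere; targets before offset 0 are dropped here, the upper bound is left to
/// <c>MeDisasm.disassemble</c> (NOTE(review): confirm it rejects offsets past the end of the file).
/// </remarks>
public ulong DisasmFunc(List<Stroka> lst, ulong addr, MyDictionary ProcList)
{
    List<ulong> pending = new List<ulong>();     // FIFO worklist of file offsets still to decode
    HashSet<ulong> done = new HashSet<ulong>();   // file offsets already decoded
    HashSet<int> labelRvas = new HashSet<int>();  // RVAs of branch targets that get a Loc_ label
    ulong startAddr = addr;
    ulong endAddr = addr;

    DISASM_INOUT_PARAMS param = new DISASM_INOUT_PARAMS();
    byte[] sf_prefixes = new byte[Dasmer.MAX_INSTRUCTION_LEN];
    param.arch = Dasmer.ARCH_ALL;
    param.sf_prefixes = sf_prefixes;
    param.mode = DISMODE.DISASSEMBLE_MODE_32;
    param.options = (byte)(Dasmer.DISASM_OPTION_APPLY_REL | Dasmer.DISASM_OPTION_OPTIMIZE_DISP);
    param.bas = assembly.ImageBase() + 2000; // kept from the original; the +2000 is unexplained — confirm
    IInstruction instr1 = new mediana.INSTRUCTION();
    uint Len = 0;

    pending.Add(addr);
    while (pending.Count > 0)
    {
        ulong cur = pending[0];
        pending.RemoveAt(0);
        done.Add(cur);

        Len = MeDisasm.disassemble(cur, out instr1, ref param);
        if (endAddr < cur + Len)
        {
            endAddr = cur + Len;
        }
        Console.WriteLine(instr1.mnemonic);
        lst.Add(new Stroka(this, instr1));

        // Len == 0 means the decoder produced nothing usable at this offset; the original re-queued
        // Addr + 0 (the same offset), which only the done-check kept from looping. Stop the path instead.
        bool fallsThrough = Len > 0;
        bool reachedReturn = false;

        if (Len > 0)
        {
            // Assumes instr1.bytes holds the raw encoding, as the original's opcode switch already does.
            switch (instr1.bytes[0])
            {
                case 0x0F: // two-byte opcode: jz/jnz/jbe rel32
                    switch (instr1.bytes[1])
                    {
                        case 0x84: // jz
                        case 0x85: // jnz
                        case 0x86: // jbe
                            QueueBranchTarget(instr1, BranchTargetFo(instr1, Len, ReadRel32(instr1, 2)), pending, done, labelRvas);
                            break;
                    }
                    break;
                case 0x74: // jz rel8
                case 0x75: // jnz rel8
                    QueueBranchTarget(instr1, BranchTargetFo(instr1, Len, ReadRel8(instr1, 1)), pending, done, labelRvas);
                    break;
                case 0xC2: // retn imm16
                case 0xC3: // retn
                    // Kept from the original ("Костыль" = crutch): the whole decode stops at the first
                    // ret; pending branch targets are abandoned.
                    fallsThrough = false;
                    reachedReturn = true;
                    break;
                case 0xE8: // call rel32: rewrite the operand to the callee's RVA; no label, nothing queued
                    {
                        long callee = BranchTargetFo(instr1, Len, ReadRel32(instr1, 1));
                        if (callee >= 0)
                        {
                            instr1.ops[0].value.imm.imm64 = (ulong)(int)FO2RVA((ulong)callee);
                        }
                    }
                    break;
                case 0xEB: // jmp rel8: no fall-through (now handled like jmp rel32; the original
                           // recorded the file offset as the label and left the operand untouched)
                    QueueBranchTarget(instr1, BranchTargetFo(instr1, Len, ReadRel8(instr1, 1)), pending, done, labelRvas);
                    fallsThrough = false;
                    break;
                case 0xE9: // jmp rel32: no fall-through
                    QueueBranchTarget(instr1, BranchTargetFo(instr1, Len, ReadRel32(instr1, 1)), pending, done, labelRvas);
                    fallsThrough = false;
                    break;
                case 0xFF:
                    if (instr1.bytes[1] == 0x15) // call [disp32] (import thunk); ExitProcess never returns
                    {
                        ulong a = instr1.disp.value.d64;
                        Console.WriteLine(a.ToString("X"));
                        if (ProcList.ContainsKey(a) && ProcList[a].FName.Contains("ExitProcess"))
                        {
                            fallsThrough = false;
                        }
                    }
                    break;
            }
        }

        if (fallsThrough)
        {
            EnqueueOnce(pending, done, instr1.Addr + Len);
        }
        // Rebase every decoded instruction exactly once (the original skipped this on jmp paths and
        // applied it twice to the last instruction when the worklist ran dry).
        instr1.Addr = FO2RVA(instr1.Addr);
        if (reachedReturn)
        {
            break;
        }
    }

    lst.Sort((x, y) => x.addr.CompareTo(y.addr));
    foreach (int labelRva in labelRvas)
    {
        uint wanted = (uint)labelRva;
        Stroka target = lst.Find(s => s.addr == wanted);
        if (target != null)
        {
            target.Label = "Loc_" + target.Inst.Addr.ToString("X8").Remove(0, 2);
        }
    }
    return endAddr - startAddr;
}

/// <summary>Reads an 8-bit relative displacement at <paramref name="offset"/>, sign-extended.</summary>
/// <remarks>The original used the raw byte, so every backward branch (0x80..0xFF) got a bogus forward target.</remarks>
private static int ReadRel8(IInstruction instr, int offset)
{
    return unchecked((sbyte)instr.bytes[offset]);
}

/// <summary>Reads a little-endian 32-bit relative displacement at <paramref name="offset"/>.</summary>
/// <remarks>The original read only the low byte. Assumes the instruction buffer holds the full encoding.</remarks>
private static int ReadRel32(IInstruction instr, int offset)
{
    return instr.bytes[offset] | (instr.bytes[offset + 1] << 8) | (instr.bytes[offset + 2] << 16) | (instr.bytes[offset + 3] << 24);
}

/// <summary>File offset of a relative branch/call target: end of this instruction plus displacement.</summary>
/// <returns>Signed value; negative means the displacement points before the start of the file.</returns>
private static long BranchTargetFo(IInstruction instr, uint len, int displacement)
{
    return (long)instr.Addr + len + displacement;
}

/// <summary>Adds <paramref name="fileOffset"/> to the worklist unless it was decoded or queued already.</summary>
private static void EnqueueOnce(List<ulong> pending, HashSet<ulong> done, ulong fileOffset)
{
    if (!done.Contains(fileOffset) && !pending.Contains(fileOffset))
    {
        pending.Add(fileOffset);
    }
}

/// <summary>
/// Handles a direct branch: rewrites the operand to the target's RVA (always, so repeated branches
/// to one target all display the image address), records the RVA for labelling and queues the
/// target for decoding the first time it is seen. The original compared a file offset against a
/// list of RVAs, so its de-duplication never matched.
/// </summary>
private void QueueBranchTarget(IInstruction instr, long targetFo, List<ulong> pending, HashSet<ulong> done, HashSet<int> labelRvas)
{
    if (targetFo < 0)
    {
        return; // points before the file start: malformed or deliberately misleading input
    }
    int rva = (int)FO2RVA((ulong)targetFo);
    instr.ops[0].value.imm.imm64 = (ulong)rva;
    if (labelRvas.Add(rva))
    {
        EnqueueOnce(pending, done, (ulong)targetFo);
    }
}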
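/// <summary>
/// Disassembles the function starting at file offset <paramref name="addr"/>, following direct
/// branches, and appends one <see cref="Stroka"/> per decoded instruction to <paramref name="lst"/>
/// (the list is then sorted by RVA and branch targets receive <c>Loc_</c> labels).
/// </summary>
/// <param name="lst">Receives the decoded lines; entries already present are kept and sorted too.</param>
/// <param name="addr">File offset of the first instruction.</param>
/// <param name="ProcList">Known procedures keyed by address; used to stop after an indirect call to ExitProcess.</param>
/// <returns>Distance from <paramref name="addr"/> to the end of the highest decoded instruction (file offsets).</returns>
/// <remarks>
/// Decoding stops at the first <c>ret</c> even if branch targets are still pending (kept from the original).
/// Displacements are read from the raw instruction bytes of an untrusted file, so a target may lie
/// anywhere; targets before offset 0 are dropped here, the upper bound is left to
/// <c>MeDisasm.disassemble</c> (NOTE(review): confirm it rejects offsets past the end of the file).
/// </remarks>
public ulong DisasmFunc(List<Stroka> lst, ulong addr, MyDictionary ProcList)
{
    List<ulong> pending = new List<ulong>();     // FIFO worklist of file offsets still to decode
    HashSet<ulong> done = new HashSet<ulong>();   // file offsets already decoded
    HashSet<int> labelRvas = new HashSet<int>();  // RVAs of branch targets that get a Loc_ label
    ulong startAddr = addr;
    ulong endAddr = addr;

    DISASM_INOUT_PARAMS param = new DISASM_INOUT_PARAMS();
    byte[] sf_prefixes = new byte[Dasmer.MAX_INSTRUCTION_LEN];
    param.arch = Dasmer.ARCH_ALL;
    param.sf_prefixes = sf_prefixes;
    param.mode = DISMODE.DISASSEMBLE_MODE_32;
    param.options = (byte)(Dasmer.DISASM_OPTION_APPLY_REL | Dasmer.DISASM_OPTION_OPTIMIZE_DISP);
    param.bas = assembly.ImageBase() + 2000; // kept from the original; the +2000 is unexplained — confirm
    IInstruction instr1 = new mediana.INSTRUCTION();
    uint Len = 0;

    // Displacement readers over the raw encoding (the original's opcode switch already assumes
    // instr1.bytes is the raw encoding). rel8 is sign-extended and rel32 reads all four bytes;
    // the original used the unsigned low byte for both, so backward branches and any rel32 larger
    // than 0xFF resolved to the wrong target.
    Func<int, int> rel8 = off => unchecked((sbyte)instr1.bytes[off]);
    Func<int, int> rel32 = off => instr1.bytes[off] | (instr1.bytes[off + 1] << 8) | (instr1.bytes[off + 2] << 16) | (instr1.bytes[off + 3] << 24);

    // Queue a file offset unless it was decoded or queued already.
    Action<ulong> enqueue = fo =>
    {
        if (!done.Contains(fo) && !pending.Contains(fo))
        {
            pending.Add(fo);
        }
    };

    // Direct branch with the given displacement: rewrite the operand to the target RVA (always),
    // record the RVA for labelling and queue the target the first time it is seen. The original
    // compared a file offset against a list of RVAs, so its de-duplication never matched.
    Action<int> branch = disp =>
    {
        long target = (long)instr1.Addr + Len + disp;
        if (target < 0)
        {
            return; // points before the file start: malformed or deliberately misleading input
        }
        int rva = (int)FO2RVA((ulong)target);
        instr1.ops[0].value.imm.imm64 = (ulong)rva;
        if (labelRvas.Add(rva))
        {
            enqueue((ulong)target);
        }
    };

    pending.Add(addr);
    while (pending.Count > 0)
    {
        ulong cur = pending[0];
        pending.RemoveAt(0);
        done.Add(cur);

        Len = MeDisasm.disassemble(cur, out instr1, ref param);
        if (endAddr < cur + Len)
        {
            endAddr = cur + Len;
        }
        Console.WriteLine(instr1.mnemonic);
        lst.Add(new Stroka(this, instr1));

        // Len == 0 means the decoder produced nothing usable at this offset; the original re-queued
        // Addr + 0 (the same offset), which only the done-check kept from looping. Stop the path instead.
        bool fallsThrough = Len > 0;
        bool reachedReturn = false;

        if (Len > 0)
        {
            switch (instr1.bytes[0])
            {
                case 0x0F: // two-byte opcode: jz/jnz/jbe rel32
                    switch (instr1.bytes[1])
                    {
                        case 0x84: // jz
                        case 0x85: // jnz
                        case 0x86: // jbe
                            branch(rel32(2));
                            break;
                    }
                    break;
                case 0x74: // jz rel8
                case 0x75: // jnz rel8
                    branch(rel8(1));
                    break;
                case 0xC2: // retn imm16
                case 0xC3: // retn
                    // Kept from the original ("Костыль" = crutch): the whole decode stops at the first
                    // ret; pending branch targets are abandoned.
                    fallsThrough = false;
                    reachedReturn = true;
                    break;
                case 0xE8: // call rel32: rewrite the operand to the callee's RVA; no label, nothing queued
                    {
                        long callee = (long)instr1.Addr + Len + rel32(1);
                        if (callee >= 0)
                        {
                            instr1.ops[0].value.imm.imm64 = (ulong)(int)FO2RVA((ulong)callee);
                        }
                    }
                    break;
                case 0xEB: // jmp rel8: no fall-through (now handled like jmp rel32; the original
                           // recorded the file offset as the label and left the operand untouched)
                    branch(rel8(1));
                    fallsThrough = false;
                    break;
                case 0xE9: // jmp rel32: no fall-through
                    branch(rel32(1));
                    fallsThrough = false;
                    break;
                case 0xFF:
                    if (instr1.bytes[1] == 0x15) // call [disp32] (import thunk); ExitProcess never returns
                    {
                        ulong a = instr1.disp.value.d64;
                        Console.WriteLine(a.ToString("X"));
                        if (ProcList.ContainsKey(a) && ProcList[a].FName.Contains("ExitProcess"))
                        {
                            fallsThrough = false;
                        }
                    }
                    break;
            }
        }

        if (fallsThrough)
        {
            enqueue(instr1.Addr + Len);
        }
        // Rebase every decoded instruction exactly once (the original skipped this on jmp paths and
        // applied it twice to the last instruction when the worklist ran dry).
        instr1.Addr = FO2RVA(instr1.Addr);
        if (reachedReturn)
        {
            break;
        }
    }

    lst.Sort((x, y) => x.addr.CompareTo(y.addr));
    foreach (int labelRva in labelRvas)
    {
        uint wanted = (uint)labelRva;
        Stroka target = lst.Find(s => s.addr == wanted);
        if (target != null)
        {
            target.Label = "Loc_" + target.Inst.Addr.ToString("X8").Remove(0, 2);
        }
    }
    return endAddr - startAddr;
}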