2014-10-25 05:11:16 +08:00
|
|
|
/**************************************************************************************************
|
|
|
|
|
|
|
|
Verteron Disassembler Engine
|
|
|
|
Version 1.0
|
|
|
|
|
|
|
|
Remarks : Freeware, Copyright must be included
|
|
|
|
|
|
|
|
Original Author : Florian Bernd
|
2015-03-20 00:13:37 +08:00
|
|
|
Modifications : athre0z
|
2014-10-25 05:11:16 +08:00
|
|
|
|
2015-03-20 00:13:37 +08:00
|
|
|
Last change : 19. March 2015
|
2014-10-25 05:11:16 +08:00
|
|
|
|
|
|
|
* Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
|
|
* of this software and associated documentation files (the "Software"), to deal
|
|
|
|
* in the Software without restriction, including without limitation the rights
|
|
|
|
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
|
|
* copies of the Software, and to permit persons to whom the Software is
|
|
|
|
* furnished to do so, subject to the following conditions:
|
|
|
|
*
|
|
|
|
* The above copyright notice and this permission notice shall be included in all
|
|
|
|
* copies or substantial portions of the Software.
|
|
|
|
*
|
|
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
|
|
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
|
|
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
|
|
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
|
|
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
|
|
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
|
|
* SOFTWARE.
|
|
|
|
|
|
|
|
**************************************************************************************************/
|
2015-03-16 23:37:15 +08:00
|
|
|
|
2014-11-18 03:54:30 +08:00
|
|
|
#include <VXDisassembler.h>
|
2014-11-01 10:42:37 +08:00
|
|
|
#include <Windows.h>
|
|
|
|
|
2014-11-18 03:54:30 +08:00
|
|
|
int main(int argc, char* argv[])
|
2014-10-30 06:26:17 +08:00
|
|
|
{
|
2015-03-20 00:13:37 +08:00
|
|
|
VX_UNUSED(argc); VX_UNUSED(argv);
|
|
|
|
|
2015-03-16 23:37:15 +08:00
|
|
|
// TODO: port to C
|
|
|
|
/*
|
|
|
|
|
2014-11-01 10:42:37 +08:00
|
|
|
// Find module base in memory
|
2014-11-18 03:54:30 +08:00
|
|
|
void *moduleBase = GetModuleHandle("kernel32.dll");
|
2015-03-16 23:37:15 +08:00
|
|
|
uintptr_t baseAddress = (uintptr_t)moduleBase;
|
|
|
|
|
2014-11-01 10:42:37 +08:00
|
|
|
// Parse PE headers
|
2015-03-16 23:37:15 +08:00
|
|
|
PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)moduleBase;
|
2014-11-01 10:42:37 +08:00
|
|
|
if (dosHeader->e_magic != IMAGE_DOS_SIGNATURE)
|
|
|
|
{
|
|
|
|
return 1;
|
|
|
|
}
|
2015-03-16 23:37:15 +08:00
|
|
|
|
|
|
|
PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)(baseAddress + dosHeader->e_lfanew);
|
2014-11-01 10:42:37 +08:00
|
|
|
if (ntHeaders->Signature != IMAGE_NT_SIGNATURE)
|
|
|
|
{
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
// Initialize disassembler
|
|
|
|
VXInstructionInfo info;
|
|
|
|
VXInstructionDecoder decoder;
|
|
|
|
VXExactSymbolResolver resolver;
|
|
|
|
VXIntelInstructionFormatter formatter;
|
2014-11-03 22:15:48 +08:00
|
|
|
#ifdef _M_X64
|
2014-11-01 10:42:37 +08:00
|
|
|
decoder.setDisassemblerMode(VXDisassemblerMode::M64BIT);
|
2014-11-03 22:15:48 +08:00
|
|
|
#else
|
|
|
|
decoder.setDisassemblerMode(VXDisassemblerMode::M32BIT);
|
|
|
|
#endif
|
2014-11-01 10:42:37 +08:00
|
|
|
formatter.setSymbolResolver(&resolver);
|
|
|
|
// Initialize output stream
|
|
|
|
std::ofstream out;
|
|
|
|
out.open(".\\output.txt");
|
|
|
|
// Find all call and jump targets
|
|
|
|
uint64_t subCount = 0;
|
|
|
|
uint64_t locCount = 0;
|
|
|
|
PIMAGE_SECTION_HEADER sectionHeader =
|
|
|
|
reinterpret_cast<PIMAGE_SECTION_HEADER>(
|
|
|
|
reinterpret_cast<uintptr_t>(ntHeaders) + sizeof(IMAGE_NT_HEADERS)
|
|
|
|
+ ntHeaders->FileHeader.SizeOfOptionalHeader - sizeof(IMAGE_OPTIONAL_HEADER));
|
|
|
|
for (unsigned int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i)
|
|
|
|
{
|
|
|
|
if (sectionHeader->Characteristics & IMAGE_SCN_CNT_CODE)
|
|
|
|
{
|
|
|
|
VXMemoryDataSource input(reinterpret_cast<const void*>(
|
|
|
|
baseAddress + sectionHeader->VirtualAddress), sectionHeader->SizeOfRawData);
|
|
|
|
decoder.setDataSource(&input);
|
|
|
|
decoder.setInstructionPointer(baseAddress + sectionHeader->VirtualAddress);
|
|
|
|
while (decoder.decodeInstruction(info))
|
|
|
|
{
|
2014-11-03 22:15:48 +08:00
|
|
|
// Skip invalid and non-relative instructions
|
2014-11-01 10:42:37 +08:00
|
|
|
if ((info.flags & IF_ERROR_MASK) || !(info.flags & IF_RELATIVE))
|
|
|
|
{
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
switch (info.mnemonic)
|
|
|
|
{
|
|
|
|
case VXInstructionMnemonic::CALL:
|
|
|
|
resolver.setSymbol(VDECalcAbsoluteTarget(info, info.operand[0]),
|
|
|
|
std::string("sub_" + std::to_string(subCount)).c_str());
|
|
|
|
subCount++;
|
|
|
|
break;
|
|
|
|
case VXInstructionMnemonic::JMP:
|
|
|
|
case VXInstructionMnemonic::JO:
|
|
|
|
case VXInstructionMnemonic::JNO:
|
|
|
|
case VXInstructionMnemonic::JB:
|
|
|
|
case VXInstructionMnemonic::JNB:
|
|
|
|
case VXInstructionMnemonic::JE:
|
|
|
|
case VXInstructionMnemonic::JNE:
|
|
|
|
case VXInstructionMnemonic::JBE:
|
|
|
|
case VXInstructionMnemonic::JA:
|
|
|
|
case VXInstructionMnemonic::JS:
|
|
|
|
case VXInstructionMnemonic::JNS:
|
|
|
|
case VXInstructionMnemonic::JP:
|
|
|
|
case VXInstructionMnemonic::JNP:
|
|
|
|
case VXInstructionMnemonic::JL:
|
|
|
|
case VXInstructionMnemonic::JGE:
|
|
|
|
case VXInstructionMnemonic::JLE:
|
|
|
|
case VXInstructionMnemonic::JG:
|
|
|
|
case VXInstructionMnemonic::JCXZ:
|
|
|
|
case VXInstructionMnemonic::JECXZ:
|
|
|
|
case VXInstructionMnemonic::JRCXZ:
|
|
|
|
resolver.setSymbol(VDECalcAbsoluteTarget(info, info.operand[0]),
|
|
|
|
std::string("loc_" + std::to_string(locCount)).c_str());
|
|
|
|
locCount++;
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sectionHeader++;
|
|
|
|
}
|
|
|
|
// Add entry point symbol
|
|
|
|
resolver.setSymbol(baseAddress + ntHeaders->OptionalHeader.AddressOfEntryPoint, "EntryPoint");
|
|
|
|
// Add exported symbols
|
|
|
|
if (ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress > 0)
|
|
|
|
{
|
|
|
|
PIMAGE_EXPORT_DIRECTORY exports =
|
|
|
|
reinterpret_cast<PIMAGE_EXPORT_DIRECTORY>(reinterpret_cast<LPBYTE>(baseAddress) +
|
|
|
|
ntHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
|
|
|
|
PDWORD address =
|
|
|
|
reinterpret_cast<PDWORD>(reinterpret_cast<LPBYTE>(baseAddress) +
|
|
|
|
exports->AddressOfFunctions);
|
|
|
|
PDWORD name =
|
|
|
|
reinterpret_cast<PDWORD>(reinterpret_cast<LPBYTE>(baseAddress) +
|
|
|
|
exports->AddressOfNames);
|
|
|
|
PWORD ordinal =
|
|
|
|
reinterpret_cast<PWORD>(reinterpret_cast<LPBYTE>(baseAddress) +
|
|
|
|
exports->AddressOfNameOrdinals);
|
|
|
|
for(unsigned int i = 0; i < exports->NumberOfNames; ++i)
|
|
|
|
{
|
|
|
|
resolver.setSymbol(baseAddress + address[ordinal[i]],
|
|
|
|
reinterpret_cast<char*>(baseAddress) + name[i]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
// Disassemble
|
|
|
|
sectionHeader =
|
|
|
|
reinterpret_cast<PIMAGE_SECTION_HEADER>(
|
|
|
|
reinterpret_cast<uintptr_t>(ntHeaders) + sizeof(IMAGE_NT_HEADERS)
|
|
|
|
+ ntHeaders->FileHeader.SizeOfOptionalHeader - sizeof(IMAGE_OPTIONAL_HEADER));
|
|
|
|
for (unsigned int i = 0; i < ntHeaders->FileHeader.NumberOfSections; ++i)
|
|
|
|
{
|
|
|
|
if (sectionHeader->Characteristics & IMAGE_SCN_CNT_CODE)
|
|
|
|
{
|
|
|
|
VXMemoryDataSource input(reinterpret_cast<const void*>(
|
|
|
|
baseAddress + sectionHeader->VirtualAddress), sectionHeader->SizeOfRawData);
|
|
|
|
decoder.setDataSource(&input);
|
|
|
|
decoder.setInstructionPointer(baseAddress + sectionHeader->VirtualAddress);
|
|
|
|
while (decoder.decodeInstruction(info))
|
|
|
|
{
|
|
|
|
uint64_t offset;
|
|
|
|
const char *symbol = resolver.resolveSymbol(info, info.instrAddress, offset);
|
|
|
|
if (symbol)
|
|
|
|
{
|
|
|
|
out << symbol << ": " << std::endl;
|
|
|
|
}
|
|
|
|
out << " " << std::hex << std::setw(16) << std::setfill('0')
|
|
|
|
<< info.instrAddress << " ";
|
|
|
|
if (info.flags & IF_ERROR_MASK)
|
|
|
|
{
|
|
|
|
out << "db " << std::hex << std::setw(2) << std::setfill('0')
|
|
|
|
<< static_cast<int>(info.data[0]) << std::endl;
|
|
|
|
} else
|
|
|
|
{
|
|
|
|
out << formatter.formatInstruction(info) << std::endl;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
sectionHeader++;
|
|
|
|
}
|
|
|
|
out.close();
|
2015-03-16 23:37:15 +08:00
|
|
|
*/
|
|
|
|
|
2014-10-30 06:26:17 +08:00
|
|
|
return 0;
|
|
|
|
}
|