Are there any good VB/C# x86 disassembler libraries? [closed]
https://stackoverflow.com/questions/890213
-
23-08-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
I'm looking for a library that will disassemble x86 code into some sort of object model that I can then use to write routines that analyze the code. I'm not interested in a library that converts x86 code to text disassembly--I've found more than a few of those, but they're not that useful since I want to do some work on top of the code that I disassemble. Oh, and I'd like it to be .Net code (VB or C# preferable).
Solution
Reflector doesn't do x86 as far as I know.
Your best bet is using the scripting or COM interface to OllyDbg or IDA Pro.
I would recommend IDA Pro if you can afford it. IDA has a very rich API, active development and lots of documentation. You can run it in autonomous mode, I believe using the '-AS' switch. See http://www.hex-rays.com/idapro/idadoc/417.htm for more info on the command line arguments.
I also ran into libdasm, but never used it, so not sure how good it is. libdasm looks like C/C++ so it should be simple to write an API wrapper in C#.
OTHER TIPS
An old question, but if someone else comes along and you are after a 100% C# .NET implementation rather than using interop, SharpDisasm provides an x86/x86-64 disassembler to both Intel and AT&T syntax. It decodes each instruction to an object that provides access to low-level information about the instruction (e.g. instruction size, operand number and types etc).
SharpDisasm is a full C# port of the libudis86 C-library disassembler.
The disassembler is exposed through the SharpDisam.Disassembler class.
Output from the provided example console app:
C:\>echo a1 c9 fd ff ff a1 37 02 00 00 b8 37 02 00 00 b4 09 8a
25 09 00 00 00 8b 04 6d 85 ff ff ff 89 45 f0| disasmcli 32
00000000 a1 c9 fd ff ff mov eax, [0xfffffdc9]
00000005 a1 37 02 00 00 mov eax, [0x237]
0000000a b8 37 02 00 00 mov eax, 0x237
0000000f b4 09 mov ah, 0x9
00000011 8a 25 09 00 00 00 mov ah, [0x9]
00000017 8b 04 6d 85 ff ff ff mov eax, [ebp*2-0x7b]
0000001e 89 45 f0 mov [ebp-0x10], eax
C:\>echo 488b05f7ffffff67668b40f06766035e1048030425ffff
000067660344bef04c0384980000008048a10000000000800000 | disasmcli 64
0000000000000000 48 8b 05 f7 ff ff ff mov rax, [rip-0x9]
0000000000000007 67 66 8b 40 f0 mov ax, [eax-0x10]
000000000000000c 67 66 03 5e 10 add bx, [esi+0x10]
0000000000000011 48 03 04 25 ff ff 00 00 add rax, [0xffff]
0000000000000019 67 66 03 44 be f0 add ax, [esi+edi*4-0x10]
000000000000001f 4c 03 84 98 00 00 00 80 add r8, [rax+rbx*4-0x80000000]
0000000000000027 48 a1 00 00 00 00 00 80 00 00 mov rax, [0x800000000000]
Necromancing, as quite some time has passed.
Yes, there are actually several.
Capstone.NET is pretty much feature-complete (libcapsone-port ARM, ARM64 (aka ARMv8/AArch64), M68K, Mips, PowerPC, Sparc, SystemZ, XCore, X86 (including X86_64). It supports most modern CPU extensions):
https://github.com/9ee1/Capstone.NET
http://www.capstone-engine.org/features.html
(MIT license)
Then, as already mentioned, there is SharpDisasm (libudis-port):
https://sharpdisasm.codeplex.com/
(Simplified BSD License (BSD))
Then there is Reko (x86-DECOMPILER)
https://github.com/uxmal/reko
(GNU General Public License)
There is ElfSharp to read ELF files:
https://github.com/konrad-kruczynski/elfsharp
(MIT & LLVM License)
Or read the PE format like this:
http://code.cheesydesign.com/?p=572
Or using PETools:
https://github.com/jsok/PETools
(MIT License)
There's also a tool to inspect lib files:
https://github.com/BlazingHeart/SymbolExplorer
There's also an x86 assembler library:
https://code.google.com/p/managed-x86/
And the ELF hashing function
https://damieng.com/blog/2007/11/24/calculating-elf-32-in-c-and-net
Plus there's a dedicated page at wikibooks:
https://en.wikibooks.org/wiki/X86_Disassembly/Disassemblers_and_Decompilers
There's also the snowman-decompiler, which uses Capstone:
https://github.com/yegord/snowman
There's also a fully managed x86 assembler: https://github.com/meikeric/managed-x86
