From: Nguyen A. Q. <aq...@gm...> - 2015-01-27 16:22:18

On Tue, Jan 27, 2015 at 10:16 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:
> I will research PE headers.
>
> Feature request - it would be nice if Capstone automatically skipped the
> PE header when you call cs_disasm.

Sorry, this will not be possible: you can look at the API and see that Capstone only deals with raw binary input, and has no knowledge of file formats. Capstone is designed to be clean & simple, with the target of doing one thing and doing it well. Everything more complicated (such as dealing with PE files) must be built on top of it, at the tool's level.

> I'm no C expert so the fact that I have to figure this out to get Capstone
> to do what I want it to do is almost a show stopper for me. I can figure it
> out, I just don't have a lot of time to do the research.

No worries, you can always post your questions to this mailing list when you cannot find the answers yourself.

cheers,
Q

> -----Original Message-----
> From: Nguyen Anh Quynh [mailto:aq...@gm...]
> Sent: Friday, January 23, 2015 7:20 PM
> To: Capstone disassembly framework (www.capstone-engine.org)
> Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help
>
> On Sat, Jan 24, 2015 at 2:27 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA
> <mic...@us...> wrote:
>
> I guess I'm also confused by what you mean when you refer to
> illegal code. Seems like no matter what exe I try to disassemble, I get
> about 4 lines of assembly instructions.
>
> You got the same output because you are trying to disassemble the same
> thing: all the EXE files share the same first part, the EXE header.
>
> What you need to do is to disassemble code, not the header, so you should
> start from the EXE entry pointer, not from the EXE header.
>
> To find the EXE entry pointer, read the documentation about the PE/PE+ format (PE
> is the EXE header of a 32-bit EXE, PE+ is the header of a 64-bit EXE).
>
> Another way is to read the source code of a binary analysis program (such as
> http://radare.org) to see how they deal with EXE files.
>
> thanks,
>
> Q
>
> -----Original Message-----
> From: Nguyen Anh Quynh [mailto:aq...@gm...]
> Sent: Friday, January 23, 2015 10:38 AM
> To: Capstone disassembly framework (www.capstone-engine.org)
> Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help
>
> On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC
> AFRL/RYWA <mic...@us...> wrote:
>
> When I try to disassemble Test.exe, I get the following:
>
> 0x1000: pop r10
> 0x1002: npop
> 0x1003 add byte ptr [rbx], a1
> 0x1005: add byte ptr [rbx], a1
>
> I can see that you are trying to disasm Test.exe, but don't expect to see
> its code: you are actually reading from the beginning of Test.exe, where
> the PE header is. The actual code is way behind that. And by default,
> Capstone stops at the first ever illegal code, so you only see 4 assembly
> instructions like above.
>
> thanks.
>
> _______________________________________________
> Capstone-users mailing list
> Cap...@li...
> https://lists.sourceforge.net/lists/listinfo/capstone-users
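The thread's point is that Capstone disassembles whatever bytes it is handed, so a tool built on top of it has to locate the entry point itself: read `e_lfanew` from the DOS header, the `AddressOfEntryPoint` RVA from the optional header, and translate that RVA to a file offset through the section table. The following is an added example, not code from the Capstone project or from anyone in this thread. It parses those headers with only the Python standard library, builds a constructed minimal PE image (not a real executable) so it runs offline, and, if the Capstone Python bindings happen to be installed, disassembles both the file start and the entry point to show why the first four instructions of every EXE look the same. The field offsets are taken from the PE/COFF specification; `build_sample_pe`, `find_entry_point` and `disassemble` are names chosen here.

```python
import struct

# Layout constants from the PE/COFF specification.
DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B       # optional header Magic for 32-bit images (PE)
PE32PLUS_MAGIC = 0x20B   # optional header Magic for 64-bit images (PE+)
SECTION_HEADER_SIZE = 40


def find_entry_point(image):
    """Parse the PE headers in `image` (raw file bytes) and return
    (bits, entry_rva, file_offset) for the program entry point."""
    if image[:2] != DOS_MAGIC:
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of "PE\0\0"
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic == PE32_MAGIC:
        bits = 32
    elif magic == PE32PLUS_MAGIC:
        bits = 64
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # AddressOfEntryPoint is at offset 16 of the optional header in both formats.
    (entry_rva,) = struct.unpack_from("<I", image, opt + 16)
    # The section table follows the optional header; map the RVA to a file offset.
    sections = opt + opt_size
    for i in range(nsections):
        hdr = sections + i * SECTION_HEADER_SIZE
        _name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", image, hdr)
        if vaddr <= entry_rva < vaddr + max(vsize, raw_size):
            return bits, entry_rva, raw_ptr + (entry_rva - vaddr)
    raise ValueError("entry point RVA 0x%x is not inside any section" % entry_rva)


def build_sample_pe(bits, code, entry_rva=0x1010):
    """Constructed minimal PE image: one .text section at RVA 0x1000 stored at
    file offset 0x400, with `code` placed at RVA 0x1010. Just enough headers to
    parse; it is not a loadable executable."""
    e_lfanew = 0x80
    opt_size = 240 if bits == 64 else 224          # PE32+ vs PE32 optional header size
    image = bytearray(0x600)
    image[0:2] = DOS_MAGIC
    struct.pack_into("<I", image, 0x3C, e_lfanew)
    image[e_lfanew:e_lfanew + 4] = PE_SIGNATURE
    coff = e_lfanew + 4
    machine = 0x8664 if bits == 64 else 0x14C      # IMAGE_FILE_MACHINE_AMD64 / I386
    struct.pack_into("<HHIIIHH", image, coff, machine, 1, 0, 0, 0, opt_size, 0x22)
    opt = coff + 20
    struct.pack_into("<H", image, opt, PE32PLUS_MAGIC if bits == 64 else PE32_MAGIC)
    struct.pack_into("<I", image, opt + 16, entry_rva)   # AddressOfEntryPoint
    sect = opt + opt_size
    # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
    struct.pack_into("<8sIIII", image, sect, b".text", 0x100, 0x1000, 0x200, 0x400)
    image[0x410:0x410 + len(code)] = code
    return bytes(image)


def disassemble(code, bits, address):
    """Disassemble `code` with the Capstone Python bindings when they are
    installed; return None otherwise so the example still runs without them."""
    try:
        import capstone
    except ImportError:
        return None
    md = capstone.Cs(capstone.CS_ARCH_X86,
                     capstone.CS_MODE_64 if bits == 64 else capstone.CS_MODE_32)
    return ["0x%x: %s %s" % (i.address, i.mnemonic, i.op_str)
            for i in md.disasm(code, address)]


if __name__ == "__main__":
    # Constructed x86-64 code: sub rsp,0x28 ; xor eax,eax ; add rsp,0x28 ; ret
    code = bytes.fromhex("4883ec2831c04883c428c3")
    image = build_sample_pe(64, code)
    bits, rva, off = find_entry_point(image)
    print("PE32+ entry RVA 0x%x -> file offset 0x%x" % (rva, off))
    for label, start in (("file start (DOS header)", 0), ("entry point", off)):
        chunk = image[start:start + len(code)]
        listing = disassemble(chunk, bits, start)
        print("%s:" % label)
        if listing is None:
            print("  (capstone not installed) bytes: %s" % chunk.hex())
        else:
            print("\n".join("  " + line for line in listing))
```

Feeding the bytes at the file start into Capstone reproduces the "pop r10 ... add byte ptr" pattern from the thread, because every EXE begins with the same "MZ" DOS stub; only the slice starting at the computed file offset is the program's code. The same RVA-to-offset walk is what a real tool would do before calling `cs_disasm`, and the section-table check matters: a packed or malformed file can carry an entry RVA that lands in no section, which this function reports instead of silently disassembling header bytes.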