From: GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> - 2015-01-27 17:15:37

Okay, thanks for all your help.

Michael Groetz | Leidos | Contractor Software Application Engineer
Multi-Sensor Exploitation and Countermeasures Division
(937) 528-8043

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Tuesday, January 27, 2015 11:22 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Tue, Jan 27, 2015 at 10:16 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:
> I will research PE headers. Feature request - it would be nice if Capstone
> automatically skipped the PE header when you call cs_disasm.

Sorry, this will not be possible: you can look at the API and see that Capstone only deals with raw binary input and has no knowledge of file formats. Capstone is designed to be clean & simple, with the target of doing one thing and doing it well. Everything more complicated (such as dealing with PE files) must be built on top of it, at the tool's level.

> I'm no C expert, so the fact that I have to figure this out to get Capstone
> to do what I want it to do is almost a show stopper for me. I can figure it
> out, I just don't have a lot of time to do the research.

No worry, you can always post your questions to this mailing list when you cannot find the answers yourself.

cheers,
Q

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 7:20 PM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Sat, Jan 24, 2015 at 2:27 AM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:
> I guess I'm also confused by what you mean when you refer to illegal code.
> Seems like no matter what exe I try to disassemble, I get about 4 lines of
> assembly instructions.

You got the same output because you are trying to disassemble the same thing: all the EXE files share the same first part, which is the EXE header.

What you need to do is to disassemble code, not the header, so you should start from the EXE entry pointer, not from the EXE header. To find the EXE entry pointer, read the documentation about the PE/PE+ format (PE is the EXE header of a 32-bit EXE, PE+ is the header of a 64-bit EXE). Another way is to read the source code of a binary analysis program (such as http://radare.org) to see how they deal with EXE files.

thanks,
Q

-----Original Message-----
From: Nguyen Anh Quynh [mailto:aq...@gm...]
Sent: Friday, January 23, 2015 10:38 AM
To: Capstone disassembly framework (www.capstone-engine.org)
Subject: Re: [Capstone-users] Capstone / NetBeans 8.0.2 Help

On Fri, Jan 23, 2015 at 11:15 PM, GROETZ, MICHAEL A CTR USAF AFMC AFRL/RYWA <mic...@us...> wrote:
> When I try to disassemble Test.exe, I get the following:
>
>   0x1000: pop r10
>   0x1002: nop
>   0x1003: add byte ptr [rbx], al
>   0x1005: add byte ptr [rbx], al

I can see that you are trying to disasm Test.exe, but don't expect to see its code: you are actually reading from the beginning of Test.exe, where the PE header is. The actual code is way behind that. And by default, Capstone stops at the first ever illegal code, so you only see 4 assembly instructions like above.

thanks.

------------------------------------------------------------------------------
_______________________________________________
Capstone-users mailing list
Cap...@li...
https://lists.sourceforge.net/lists/listinfo/capstone-users
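The procedure Q describes above (skip the DOS/PE headers, find the entry point, then feed Capstone code rather than header bytes), worked through as an added example. This is not code from the thread, from either poster, or from the Capstone project. Header parsing uses only the Python standard library; the Capstone Python binding (the `capstone` package, which is optional here) is used only for the final disassembly step. The PE32+ image it parses is constructed in memory and is not a real program. The caveat the thread leaves implicit is that `AddressOfEntryPoint` is a relative virtual address, not a file offset, so it has to be translated through the section table before the file is sliced, and the address handed to Capstone should be `ImageBase + RVA` so the listing matches what a debugger would show.

```python
"""Find a PE/PE+ entry point and hand Capstone the code, not the header.

Added example; not code from Capstone or from either poster.  Header parsing
needs only the standard library; the Capstone binding is optional."""
import struct
from collections import namedtuple

Section = namedtuple("Section", "name virtual_address virtual_size raw_offset raw_size")
EntryPoint = namedtuple("EntryPoint", "machine pe32plus image_base entry_rva file_offset")

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
OPT_MAGIC_PE32 = 0x10B        # 32-bit optional header
OPT_MAGIC_PE32PLUS = 0x20B    # 64-bit optional header (PE+)


def parse_sections(data, table_offset, count):
    """Read `count` 40-byte IMAGE_SECTION_HEADER entries starting at table_offset."""
    sections = []
    for i in range(count):
        off = table_offset + 40 * i
        if off + 40 > len(data):
            raise ValueError("section table runs past end of file")
        name, vsize, va, rawsize, rawoff = struct.unpack_from("<8sIIII", data, off)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"),
                                va, vsize, rawoff, rawsize))
    return sections


def rva_to_file_offset(sections, rva):
    """Translate a relative virtual address into a file offset via its section."""
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + max(s.virtual_size, s.raw_size):
            delta = rva - s.virtual_address
            if delta >= s.raw_size:   # zero-filled tail that is not present on disk
                raise ValueError("RVA 0x%x has no file backing in %s" % (rva, s.name))
            return s.raw_offset + delta
    raise ValueError("RVA 0x%x is not inside any section" % rva)


def find_entry_point(data):
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if opt_size < 32 or opt + opt_size > len(data):
        raise ValueError("bad SizeOfOptionalHeader")
    (magic,) = struct.unpack_from("<H", data, opt)
    (entry_rva,) = struct.unpack_from("<I", data, opt + 16)   # AddressOfEntryPoint: an RVA
    if magic == OPT_MAGIC_PE32PLUS:
        pe32plus = True
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    elif magic == OPT_MAGIC_PE32:
        pe32plus = False
        (image_base,) = struct.unpack_from("<I", data, opt + 28)  # after BaseOfData
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    sections = parse_sections(data, opt + opt_size, nsections)
    return EntryPoint(machine, pe32plus, image_base, entry_rva,
                      rva_to_file_offset(sections, entry_rva))


def disassemble_entry(data, max_insns=8, window=64):
    """Disassemble from the entry point with Capstone; raises ImportError without it.
    Returns (address, mnemonic, operands) tuples, addressed as ImageBase + RVA."""
    from capstone import Cs, CS_ARCH_X86, CS_MODE_32, CS_MODE_64
    ep = find_entry_point(data)
    if ep.machine not in (IMAGE_FILE_MACHINE_I386, IMAGE_FILE_MACHINE_AMD64):
        raise ValueError("not an x86/x64 image: machine 0x%x" % ep.machine)
    md = Cs(CS_ARCH_X86, CS_MODE_64 if ep.machine == IMAGE_FILE_MACHINE_AMD64 else CS_MODE_32)
    code = data[ep.file_offset:ep.file_offset + window]
    return [(i.address, i.mnemonic, i.op_str)
            for i in md.disasm(code, ep.image_base + ep.entry_rva, count=max_insns)]


def build_sample_pe32plus():
    """Constructed, minimal PE32+ image (not a real program) used as sample input.
    .text sits at RVA 0x1000 but file offset 0x200, so the RVA must be translated."""
    code = bytes.fromhex("4883ec28" "b82a000000" "4883c428" "c3")  # sub rsp,0x28; mov eax,0x2a; add rsp,0x28; ret
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", IMAGE_FILE_MACHINE_AMD64, 1, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQII", OPT_MAGIC_PE32PLUS, 14, 0, len(code), 0, 0,
                      0x1000,          # AddressOfEntryPoint (RVA)
                      0x1000,          # BaseOfCode
                      0x140000000,     # ImageBase
                      0x1000, 0x200)   # SectionAlignment, FileAlignment
    opt += bytes(240 - len(opt))       # remaining fields and data directories: zero
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(code), 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    hdr = dos + b"PE\0\0" + coff + opt + sect
    return hdr + bytes(0x200 - len(hdr)) + code + bytes(0x200 - len(code))


if __name__ == "__main__":
    img = build_sample_pe32plus()
    ep = find_entry_point(img)
    print("entry RVA 0x%x -> file offset 0x%x, loads at 0x%x"
          % (ep.entry_rva, ep.file_offset, ep.image_base + ep.entry_rva))
    try:
        for addr, mnem, ops in disassemble_entry(img):
            print("0x%x:\t%s\t%s" % (addr, mnem, ops))
    except ImportError:
        print("capstone not installed; entry bytes:", img[ep.file_offset:ep.file_offset + 14].hex())
```

Run against a real EXE, `find_entry_point(open(path, "rb").read())` gives the offset to slice at; the four instructions in the first message are exactly what happens when that step is skipped, since the `MZ` signature (bytes 4D 5A) decodes in 64-bit mode as a REX prefix plus `pop`, which is the `pop r10` shown, and the following header bytes decode as `nop` and `add`. Capstone's default of stopping at the first invalid instruction is what cuts the listing to four lines; `CS_OPT_SKIPDATA` (`md.skipdata = True` in the Python binding) makes it step over such bytes instead, which is useful once you are inside a real section that mixes data with code.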