API tools faq
paste
Advertisement
class101

Distorm for C#/.NET (Distorm.cs)

class101
Jan 8th, 2013
497
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
C# 6.16 KB | None | 0 0
raw download clone embed print report
  1. /**
  2.  * A C#/.NET implementation of distorm, a powerful disassembler library for x86/AMD64
  3.  *
  4.  * To obtain distorm32.dll and distorm64.dll:
  5.  *
  6.  * distorm32: Get distorm3 sources, change target name to distorm32, UNDEFINE SUPPORT_64BIT_OFFSET
  7.  * distorm64: Get distorm3 sources, change target name to distorm64, define SUPPORT_64BIT_OFFSET
  8.  *
  9.  * Sample usages:
  10.  *    var d32 = new Distorm<ArchitectureIA32>();
  11.  *    or
  12.  *    var d64 = new Distorm<ArchitectureX64>();
  13.  *    and
  14.  *    replace in Distorm class instanciation the pointer "hereYourFunctionPointer" to your needs
  15.  *    
  16.  * Sample by Arnaud Dovi - https://www.ohloh.net/accounts/class101
  17.  *
  18.  **/
  19.  
  20. using System;
  21. using System.Runtime.InteropServices;
  22. using ArchC = yourNameSpace.ArchitectureCommon;
  23.  
  24. // ReSharper disable CheckNamespace
  25.  
  26. namespace yourNameSpace // ReSharper restore CheckNamespace
  27. {
  28.     // ReSharper disable InconsistentNaming
  29.     internal class Distorm<ArchT> where ArchT : ArchitectureCommon, new() // ReSharper restore InconsistentNaming
  30.     {
  31.         private readonly ArchT _arch = new ArchT();
  32.  
  33.         internal Distorm()
  34.         {
  35.             uint instructionCount;
  36.             object instructions = null;
  37.             IntPtr hereYourFunctionPointer;
  38.             ArchitectureCommon.DecodeResult result = _arch.distorm_decode(IntPtr.Zero, hereYourFunctionPointer, 20, ref instructions, ArchC.MaxInstructions, out instructionCount);
  39.             if (result != ArchitectureCommon.DecodeResult.DECRES_SUCCESS) return;
  40.         }
  41.     }
  42.  
  43.     internal abstract class ArchitectureCommon
  44.     {
  45.         internal const uint MaxInstructions = 20;
  46.         internal abstract DecodeResult distorm_decode(IntPtr codeOffset, IntPtr codePtr, int codeLen, ref object instructions, uint maxInstructions, out uint usedInstructionsCount);
  47.  
  48.         [Flags]
  49.         internal enum DecodeResult // ReSharper disable InconsistentNaming
  50.         {
  51.             DECRES_NONE = 0,
  52.             DECRES_SUCCESS = 1,
  53.             DECRES_MEMORYERR = 2,
  54.             DECRES_INPUTERR = 3,
  55.             DECRES_FILTERED = 4
  56.         }
  57.  
  58.         // ReSharper restore InconsistentNaming
  59.  
  60.         [Flags]
  61.         internal enum DecodeType
  62.         {
  63.             Decode16Bits = 0,
  64.             Decode32Bits = 1,
  65.             Decode64Bits = 2
  66.         }
  67.  
  68.         [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Ansi)]
  69.         internal struct WString
  70.         {
  71.             internal uint length;
  72.             [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 48)] internal string p; /* p is a null terminated string. */
  73.         }
  74.     }
  75.  
  76.     internal class ArchitectureIA32 : ArchitectureCommon
  77.     {
  78.         private const DecodeType DisasmType = DecodeType.Decode32Bits;
  79.  
  80.         // ReSharper disable RedundantAssignment
  81.         internal override DecodeResult distorm_decode(IntPtr codeOffset, IntPtr codePtr, int codeLen, ref object instructions, uint maxInstructions, out uint usedInstructionsCount) // ReSharper restore RedundantAssignment
  82.         {
  83.             instructions = new DecodedInst[MaxInstructions];
  84.             return distorm_decode32((uint) codeOffset, (uint) codePtr, codeLen, DisasmType, (DecodedInst[]) instructions, maxInstructions, out usedInstructionsCount);
  85.         }
  86.  
  87.         [DllImport("distorm32.dll", SetLastError = true, CallingConvention = CallingConvention.Cdecl, EntryPoint = "distorm_decode32", CharSet = CharSet.Ansi)]
  88.         private static extern DecodeResult distorm_decode32(uint codeOffset, uint codePtr, int codeLen, DecodeType disasmType, [Out, MarshalAs(UnmanagedType.LPArray)] DecodedInst[] result, uint maxInstructions,
  89.                                                             out uint usedInstructionsCount);
  90.  
  91.         [StructLayout(LayoutKind.Sequential)]
  92.         internal struct DecodedInst
  93.         {
  94.             internal readonly WString mnemonic;
  95.             /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
  96.  
  97.             internal readonly WString operands;
  98.             /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
  99.  
  100.             internal readonly WString instructionHex; /* Hex dump - little endian, including prefixes. */
  101.             internal readonly uint size; /* Size of decoded instruction. */
  102.             internal readonly uint offset; /* 32-bit unsigned integer start offset of the decoded instruction. */
  103.         }
  104.     }
  105.  
  106.     internal class ArchitectureX64 : ArchitectureIA32
  107.     {
  108.         private const DecodeType DisasmType = DecodeType.Decode64Bits;
  109.  
  110.         // ReSharper disable RedundantAssignment
  111.         internal override DecodeResult distorm_decode(IntPtr codeOffset, IntPtr codePtr, int codeLen, ref object instructions, uint maxInstructions, out uint usedInstructionsCount) // ReSharper restore RedundantAssignment
  112.         {
  113.             instructions = new DecodedInst[MaxInstructions];
  114.             return distorm_decode64((ulong) codeOffset, (ulong) codePtr, codeLen, DisasmType, (DecodedInst[]) instructions, maxInstructions, out usedInstructionsCount);
  115.         }
  116.  
  117.         [DllImport("distorm64.dll", SetLastError = true, CallingConvention = CallingConvention.Cdecl, EntryPoint = "distorm_decode64", CharSet = CharSet.Ansi)]
  118.         private static extern DecodeResult distorm_decode64(ulong codeOffset, ulong codePtr, int codeLen, DecodeType disasmType, [Out, MarshalAs(UnmanagedType.LPArray)] DecodedInst[] result, uint maxInstructions,
  119.                                                             out uint usedInstructionsCount);
  120.  
  121.         [StructLayout(LayoutKind.Sequential)]
  122.         internal new struct DecodedInst
  123.         {
  124.             internal readonly WString mnemonic;
  125.             /* Mnemonic of decoded instruction, prefixed if required by REP, LOCK etc. */
  126.  
  127.             internal readonly WString operands;
  128.             /* Operands of the decoded instruction, up to 3 operands, comma-seperated. */
  129.  
  130.             internal readonly WString instructionHex; /* Hex dump - little endian, including prefixes. */
  131.             internal readonly uint size; /* Size of decoded instruction. */
  132.             internal readonly ulong offset; /* 64-bit unsigned integer start offset of the decoded instruction. */
  133.         }
  134.     }
  135. }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!