简单套用BeaEngine实现VB Disassembler
本帖最后由 tangptr@126.com 于 2016-3-27 01:29 编辑。BeaEngine可谓是一个极其简单实用的反汇编引擎,这里本人用VB制作了一个反汇编器,由于某些原因只做Win32的。
首先把网上的原版BeaEngine.lib下载下来,然后把它包装到DLL里方便我们调用。
官方的BeaEngine.h是用来调用BeaEngine的,这里我们有必要把它翻译成VB的代码,这也挺耗时的,翻译结果如下。
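Option Explicit
' BeaEngine entry point. "_Disasm@4" is the stdcall-decorated export name for a
' function taking one 4-byte argument (the pointer to the Disasm structure).
' The C prototype returns a 32-bit int: the length of the decoded instruction,
' or UNKNOWN_OPCODE (-1) / OUT_OF_BLOCK (0) from SPECIAL_INFO. Long is the
' exact-width mapping; a VB Integer is only 16 bits. Existing callers that
' store the result in an Integer keep working because VB narrows on assignment.
Public Declare Function Disasm Lib "BeaEngine.dll" Alias "_Disasm@4" (ByRef pDisasm As Disasm) As Long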
' Decomposition of a REX prefix: the W/R/X/B bits and State (whether a REX
' prefix was present). REX only exists in 64-bit mode; this post targets Win32.
Public Type REX_STRUCT
W As Byte
R As Byte
X As Byte
B As Byte
State As Byte
End Type
' Prefix bytes seen in front of the decoded instruction (the C header calls
' this PREFIXINFO; the misspelling is kept because callers use it).
' Each *Prefix field holds one of NotUsedPrefix / InUsePrefix /
' SuperfluousPrefix / InvalidPrefix / MandatoryPrefix (module constants).
' NOTE(review): in the BeaEngine 4.x header Number and NbUndefined are C int
' (4 bytes) and the struct ends with a 2-byte alignment pad; VB Integer is
' 2 bytes, so this layout appears 4 bytes too short, which would shift every
' following field of Disasm (Reserved) — confirm against the header version
' that the BeaEngine.dll was built from before relying on these fields.
Public Type PRIFIX_INFO
Number As Integer
NbUndefined As Integer
LockPrefix As Byte
OperandSize As Byte
AddressSize As Byte
RepnePrefix As Byte
RepPrefix As Byte
FSPrefix As Byte
SSPrefix As Byte
GSPrefix As Byte
ESPrefix As Byte
CSPrefix As Byte
DSPrefix As Byte
BranchTaken As Byte
BranchNotTaken As Byte
Rex As REX_STRUCT
End Type
' Effect of the instruction on each EFLAGS bit. Each field holds a bit mask
' from EFLAGS_STATE (tested / modified / reset / set / undefined / prior).
' Alignment is padding that keeps the following 64-bit fields of INSTRTTYPE
' on a natural boundary; it carries no information.
Public Type EFL_STRUCT
OF As Byte
SF As Byte
ZF As Byte
AF As Byte
PF As Byte
CF As Byte
TF As Byte
IF As Byte
DF As Byte
NT As Byte
RF As Byte
Alignment As Byte
End Type
' Memory operand decomposition: [Base + Index * Scale + Displacement].
' The C header calls this struct MEMORYTYPE; its 64-bit Displacement is
' split here into DisplacementLow / DisplacementHigh because VB6 has no
' 64-bit integer.
' NOTE(review): this Type shares its name with the ARGUMENTS_TYPE enum
' member MEMORY_TYPE declared later in the same module; VB6 may report the
' name as ambiguous — verify the module compiles before reusing it.
Public Type MEMORY_TYPE
BaseRegister As Long
IndexRegister As Long
Scale As Long
DisplacementLow As Long
DisplacementHigh As Long
End Type
' Decoded-instruction description filled in by Disasm.
' Category combines an INSTRUCTION_TYPE instruction-set bit with a low
' category value; Mnemonic is a NUL-terminated ASCII string (16 bytes).
' BranchType is the branch kind for control transfers (0 otherwise).
' AddrValue and Immediate are 64-bit in C and are split into Low/High Longs.
Public Type INSTRTTYPE
Category As Long
Opcode As Long
Mnemonic(1 To 16) As Byte
BranchType As Long
Flags As EFL_STRUCT
AddrValueLow As Long
AddrValueHigh As Long
ImmediateLow As Long
ImmediateHigh As Long
ImplicitModifiedRegs As Long
End Type
' One operand of the decoded instruction.
' ArgMnemonic is NUL-terminated ASCII text; ARGTYPE holds ARGUMENTS_TYPE bits
' (NO_ARGUMENT / REGISTER_TYPE / MEMORY_TYPE / CONSTANT_TYPE plus register
' class and REGn bits); ArgSize is in bits; ArgPosition is LowPosition or
' HighPosition; AccessMode is READ_ / WRITE_; SegmentReg is one of the
' ESReg..SSReg constants.
' NOTE(review): the member named ARGTYPE (ArgType in the C header) has the
' same name as the enclosing Type; callers reach it as arg.ARGTYPE.
Public Type ARGTYPE
ArgMnemonic(1 To 32) As Byte
ARGTYPE As Long
ArgSize As Long
ArgPosition As Long
AccessMode As Long
Memory As MEMORY_TYPE
SegmentReg As Long
End Type
' Input/output structure passed ByRef to Disasm.
' EIP            pointer to the bytes to decode (VarPtr of the buffer); the
'                engine reads from this address, so it must be valid memory
' VirtualAddress 64-bit address to print for relative targets (Low/High)
' SecurityBlock  number of bytes the engine may read after EIP; 0 disables
'                the check. Set it to the remaining buffer length when the
'                bytes come from a file or from kernel memory, otherwise a
'                truncated instruction at the end of the buffer makes the
'                engine read past it.
' CompleteInstr  NUL-terminated text of the whole instruction
' Archi          target architecture; 0 selects 32-bit mode
' Options        SPECIAL_INFO syntax/format bits (Low holds them)
' Reserved       engine-private scratch; do not read or modify
Public Type Disasm
EIP As Long
VirtualAddressLow As Long
VirtualAddressHigh As Long
SecurityBlock As Long
CompleteInstr(1 To 64) As Byte
Archi As Long
OptionsLow As Long
OptionsHigh As Long
Instruction As INSTRTTYPE
Argument1 As ARGTYPE
Argument2 As ARGTYPE
Argument3 As ARGTYPE
Prefix As PRIFIX_INFO
Reserved(1 To 40) As Long
End Type
' Segment register codes reported in ARGTYPE.SegmentReg.
Public Const ESReg = 1
Public Const DSReg = 2
Public Const FSReg = 3
Public Const GSReg = 4
Public Const CSReg = 5
Public Const SSReg = 6
' States of the PRIFIX_INFO per-prefix Byte fields.
Public Const InvalidPrefix = 4
Public Const SuperfluousPrefix = 2
Public Const NotUsedPrefix = 0
Public Const MandatoryPrefix = 8
Public Const InUsePrefix = 1
' Values of ARGTYPE.ArgPosition (e.g. AL vs AH within a 16-bit register).
Public Const LowPosition = 0
Public Const HighPosition = 1
' Bits and values found in INSTRTTYPE.Category.
' The &H10000 and higher values are instruction-set flags (test them with
' And); CLMUL_INSTRUCTION = &H80000000 is a negative Long in VB6, so compare
' with And rather than with =. From DATA_TRANSFER = 1 onward the members are
' sequential category numbers (VB assigns previous + 1 to each unvalued
' member) stored in the low part of Category.
' BIT_UInt8 is spelled that way in the BeaEngine header itself.
Public Enum INSTRUCTION_TYPE
GENERAL_PURPOSE_INSTRUCTION = &H10000
FPU_INSTRUCTION = &H20000
MMX_INSTRUCTION = &H40000
SSE_INSTRUCTION = &H80000
SSE2_INSTRUCTION = &H100000
SSE3_INSTRUCTION = &H200000
SSSE3_INSTRUCTION = &H400000
SSE41_INSTRUCTION = &H800000
SSE42_INSTRUCTION = &H1000000
SYSTEM_INSTRUCTION = &H2000000
VM_INSTRUCTION = &H4000000
UNDOCUMENTED_INSTRUCTION = &H8000000
AMD_INSTRUCTION = &H10000000
ILLEGAL_INSTRUCTION = &H20000000
AES_INSTRUCTION = &H40000000
CLMUL_INSTRUCTION = &H80000000
DATA_TRANSFER = &H1
ARITHMETIC_INSTRUCTION
LOGICAL_INSTRUCTION
SHIFT_ROTATE
BIT_UInt8
CONTROL_TRANSFER
STRING_INSTRUCTION
InOutINSTRUCTION
ENTER_LEAVE_INSTRUCTION
FLAG_CONTROL_INSTRUCTION
SEGMENT_REGISTER
MISCELLANEOUS_INSTRUCTION
COMPARISON_INSTRUCTION
LOGARITHMIC_INSTRUCTION
TRIGONOMETRIC_INSTRUCTION
UNSUPPORTED_INSTRUCTION
LOAD_CONSTANTS
FPUCONTROL
STATE_MANAGEMENT
CONVERSION_INSTRUCTION
SHUFFLE_UNPACK
PACKED_SINGLE_PRECISION
SIMD128bits
SIMD64bits
CACHEABILITY_CONTROL
FP_INTEGER_CONVERSION
SPECIALIZED_128bits
SIMD_FP_PACKED
SIMD_FP_HORIZONTAL
AGENT_SYNCHRONISATION
PACKED_ALIGN_RIGHT
PACKED_SIGN
PACKED_BLENDING_INSTRUCTION
PACKED_TEST
PACKED_MINMAX
HORIZONTAL_SEARCH
PACKED_EQUALITY
STREAMING_LOAD
INSERTION_EXTRACTION
DOT_PRODUCT
SAD_INSTRUCTION
ACCELERATOR_INSTRUCTION
ROUND_INSTRUCTION
End Enum
' Bit masks stored in each EFL_STRUCT field:
' TE tested, MO modified, RE reset to 0, SE set to 1, UN left undefined,
' PR prior value restored (e.g. by popf/iret).
Public Enum EFLAGS_STATE
TE = 1
MO = 2
RE = 4
SE = 8
UN = &H10
PR = &H20
End Enum
' Bits of ARGTYPE.ARGTYPE and ARGTYPE.AccessMode.
' NO_ARGUMENT..CONSTANT_TYPE give the operand kind (CONSTANT_TYPE is a
' negative Long in VB6 — test it with And); MMX_REG..SEGMENT_REG give the
' register class; REG0..REG15 identify the register within that class;
' RELATIVE_ / ABSOLUTE_ qualify constants; READ_ / WRITE_ are AccessMode bits.
' NOTE(review): the member MEMORY_TYPE has the same name as the Type
' MEMORY_TYPE declared above in this module — verify VB6 accepts both.
Public Enum ARGUMENTS_TYPE
NO_ARGUMENT = &H10000000
REGISTER_TYPE = &H20000000
MEMORY_TYPE = &H40000000
CONSTANT_TYPE = &H80000000
MMX_REG = &H10000
GENERAL_REG = &H20000
FPU_REG = &H40000
SSE_REG = &H80000
CR_REG = &H100000
DR_REG = &H200000
SPECIAL_REG = &H400000
MEMORY_MANAGEMENT_REG = &H800000
SEGMENT_REG = &H1000000
RELATIVE_ = &H4000000
ABSOLUTE_ = &H8000000
READ_ = &H1
WRITE_ = &H2
REG0 = &H1
REG1 = &H2
REG2 = &H4
REG3 = &H8
REG4 = &H10
REG5 = &H20
REG6 = &H40
REG7 = &H80
REG8 = &H100
REG9 = &H200
REG10 = &H400
REG11 = &H800
REG12 = &H1000
REG13 = &H2000
REG14 = &H4000
REG15 = &H8000
End Enum
' UNKNOWN_OPCODE and OUT_OF_BLOCK are return values of Disasm: -1 when the
' bytes at EIP do not decode, 0 when decoding would run past
' EIP + SecurityBlock (callers must stop on both rather than advance EIP).
' The remaining members are bits for Disasm.OptionsLow: output tabulation,
' assembler syntax (MASM / GoAsm / NASM / AT&T), numeral style, and whether
' segment registers are printed.
Public Enum SPECIAL_INFO
UNKNOWN_OPCODE = -1
OUT_OF_BLOCK = 0
NoTabulation = &H0
Tabulation = &H1
MasmSyntax = &H0
GoAsmSyntax = &H100
NasmSyntax = &H200
ATSyntax = &H400
PrefixedNumeral = &H10000
SuffixedNumeral = &H0
ShowSegmentRegs = &H1000000
End Enum
上述的声明被放入了mod_BeaEngine.bas,反汇编的具体效果如下图所示:
只要我们加入读取内核内存的功能,就连当前状态的内核函数都是可以进行反汇编的!这里我们演示方便套用了ZwSystemDebugControl,利用ZwSystemDebugControl读内核内存的代码如下:
' Undocumented native API (no public header; the prototype below is the
' commonly published one). Returns an NTSTATUS: >= 0 is success, negative is
' failure. The caller needs SeDebugPrivilege, and on newer Windows versions
' the memory-access request codes are refused unless kernel debugging is
' enabled, so the return value must be checked rather than ignored.
Public Declare Function ZwSystemDebugControl Lib "ntdll.dll" (ByVal SysDbgCode As Long, ByVal InputBuffer As Long, ByVal InputBufferLength As Long, ByVal OutputBuffer As Long, ByVal OutputBufferLength As Long, ByRef ReturnLength As Long) As Long
' Input block for the read-virtual-memory request used by ReadKernelMemory:
' Address = kernel virtual address to read from, pData = pointer to the
' caller's destination buffer, nSize = number of bytes to copy.
Public Type MEMORY_CHUNKS
Address As Long
pData As Long
nSize As Long
End Type
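' Copy cch bytes from kernel virtual address src into the caller-owned buffer
' at dest via ZwSystemDebugControl with request code 8 (read virtual memory).
'
' dest   pointer to a user buffer of at least cch bytes (e.g. VarPtr(buf(0)))
' src    kernel virtual address to read
' cch    number of bytes to copy
' status optional; receives the NTSTATUS (>= 0 on success). The original
'        discarded it, so a refused read left dest untouched and the caller
'        went on to disassemble whatever the buffer already contained.
'
' Requires SeDebugPrivilege; newer Windows versions refuse this request
' unless kernel debugging is enabled, so callers should test status.
Public Sub ReadKernelMemory(ByVal dest As Long, ByVal src As Long, ByVal cch As Long, Optional ByRef status As Long)
Dim mc As MEMORY_CHUNKS
Dim returned As Long
' Reject an empty or null request up front instead of handing it to the kernel.
If dest = 0 Or cch <= 0 Then
    status = &HC000000D ' STATUS_INVALID_PARAMETER
    Exit Sub
End If
With mc
.Address = src
.pData = dest
.nSize = cch
End With
' Code 8 reads virtual memory; the MEMORY_CHUNKS block is the request's input.
status = ZwSystemDebugControl(8, VarPtr(mc), Len(mc), 0, 0, returned)
End Sub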
效果甚好,在对比WinDbg的情况下如图所示:
当然咯也可以实现对PE文件中代码的反汇编,只要搞好逻辑,自己实现IDA这样的好东西貌似不成问题,这里不再举例。 附件名666 www. vbasm.zip 下载代码不回帖是一种很欠扁的行为