Linux capstone 反汇编引擎使用方法
最进在研究反汇编引擎,在google看到capstone反汇编工具,记录一下;capstone 官方网站:http://www.capstone-engine.org/github源码下载:https://github.com/aquynh/capstone下载源码之后://解压文件curtis@curtis-virtual-machine:~/Desktop$ unzip capstone-ma
最进在研究反汇编引擎,在google看到capstone反汇编工具,据说是IDA都使用了capstone的引擎,记录一下;
capstone 官方网站:http://www.capstone-engine.org/
github源码下载:https://github.com/aquynh/capstone
capstone在架构兼容性上来说是非常丰富了:Multi-architectures: Arm, Arm64 (Armv8), BPF, Ethereum Virtual Machine, M68K, M680X, Mips, MOS65XX, PowerPC, RISCV, Sparc, SystemZ, TMS320C64X, Web Assembly, XCore & X86 (include X86_64)
1.实测解码的速率并不是很快(原因是printf直接把信息往外丢,去掉prinf直接写文件14M内存bin文件耗时5s左右,甚至比intel-xed还快);
2.需要使用动态内存,从代码实现来看,传入文件多大就需要申请多大的内存,还要给disam buffer分配内存;
3.代码架构比较复杂,改造成本还是比较高;
下载源码之后:
//解压文件
curtis@curtis-virtual-machine:~/Desktop$ unzip capstone-master.zip
//编译文件
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ ./make.sh
.........省略..........
make[1]: Leaving directory `/home/curtis/Desktop/capstone-master/tests'
make -C suite/fuzz
make[1]: Entering directory `/home/curtis/Desktop/capstone-master/suite/fuzz'
CC fuzz_disasm.o
CC drivermc.o
CC driverbin.o
LINK fuzz_disasm
LINK fuzz_bindisasm
make[1]: Leaving directory `/home/curtis/Desktop/capstone-master/suite/fuzz'
install -m0755 ./libcapstone.so.5 ./tests/
cd ./tests/ && rm -f libcapstone.so && ln -s libcapstone.so.5 libcapstone.so
//安装引擎,创建文件夹,把对应的库安装好,安装cstool工具
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ sudo ./make.sh install
mkdir -p /usr/lib
install -m0755 ./libcapstone.so.5 /usr/lib
cd /usr/lib && rm -f libcapstone.so && ln -s libcapstone.so.5 libcapstone.so
install -m0644 ./libcapstone.a /usr/lib
mkdir -p /usr/include/capstone
install -m0644 include/capstone/*.h /usr/include/capstone
mkdir -p /usr/lib/pkgconfig
install -m0644 ./capstone.pc /usr/lib/pkgconfig
mkdir -p /usr/bin
install -m0755 cstool/cstool /usr/bin
//capstone so&a 库大小
curtis@curtis-virtual-machine:/usr/lib$ ls -alh | grep capstone
-rw-r--r-- 1 root root 5.7M 10月 26 17:57 libcapstone.a
lrwxrwxrwx 1 root root 16 10月 26 17:57 libcapstone.so -> libcapstone.so.5
-rwxr-xr-x 1 root root 4.4M 10月 26 17:57 libcapstone.so.5
//输出ins.asm大小
curtis@curtis-virtual-machine:~/Desktop$ ls -alh | grep ins.asm
-rwxr-xr-x 1 curtis curtis 395M 10月 28 10:40 ins.asm
//卸载capstone
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ sudo ./make.sh uninstall
[sudo] password for curtis:
rm -rf /usr/include/capstone
rm -f /usr/lib/libcapstone.*
rm -f /usr/lib/pkgconfig/capstone.pc
rm -f /usr/bin/cstool
这里先讲讲cstool工具的具体使用方法;
curtis@curtis-virtual-machine:~/Desktop/capstone-master$ cstool
Cstool for Capstone Disassembler Engine v5.0.0
Syntax: cstool [-u|-d|-s|-v] <arch+mode> <assembly-hexstring> [start-address-in-hex-format]
The following <arch+mode> options are supported:
x16 16-bit mode (X86)
x32 32-bit mode (X86)
x64 64-bit mode (X86)
x16att 16-bit mode (X86), syntax AT&T
x32att 32-bit mode (X86), syntax AT&T
x64att 64-bit mode (X86), syntax AT&T
arm arm
armbe arm + big endian
thumb thumb mode
thumbbe thumb + big endian
cortexm thumb + cortex-m extensions
arm64 aarch64 mode
arm64be aarch64 + big endian
mips mips32 + little endian
mipsbe mips32 + big endian
mips64 mips64 + little endian
mips64be mips64 + big endian
ppc64 ppc64 + little endian
ppc64be ppc64 + big endian
sparc sparc
systemz systemz (s390x)
xcore xcore
m68k m68k + big endian
m68k40 m68k_040
tms320c64x TMS320C64x
m6800 M6800/2
m6801 M6801/3
m6805 M6805
m6808 M68HC08
m6809 M6809
m6811 M68HC11
cpu12 M68HC12/HCS12
hd6301 HD6301/3
hd6309 HD6309
hcs08 HCS08
evm Ethereum Virtual Machine
mos65xx MOS65XX family
Extra options:
-d show detailed information of the instructions
-u show immediates as unsigned
-s decode in SKIPDATA mode
-v show version & Capstone core build info
再看看REME中的具体实施例;
$cstool x32 "90 91"
也就是选择好cstool参数之后输入需要反汇汇编的编码;
//举个例子,想要看x86_64编码所对应的汇编代码:
488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e 4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 0056 e8c5 1f00 005e 4805 00a0
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ cstool -u x64 "488d 2551 3f60 01e8 d400 0000 488d 3ded ffff ff56 e8d7 0100 005e 4805 0060 f203 eb20 0f1f 4000 662e 0f1f 8400 0000 0000 e8ab 0000 0056 e8c5 1f00 005e 4805 00a0"
0 48 8d 25 51 3f 60 01 lea rsp, [rip + 0x1603f51]
7 e8 d4 00 00 00 call 0xe0
c 48 8d 3d ed ff ff ff lea rdi, [rip - 0x13]
13 56 push rsi
14 e8 d7 01 00 00 call 0x1f0
19 5e pop rsi
1a 48 05 00 60 f2 03 add rax, 0x3f26000
20 eb 20 jmp 0x42
22 0f 1f 40 00 nop dword ptr [rax]
26 66 2e 0f 1f 84 00 00 00 00 00 nop word ptr cs:[rax + rax]
30 e8 ab 00 00 00 call 0xe0
35 56 push rsi
36 e8 c5 1f 00 00 call 0x2000
3b 5e pop rsi
//成功反汇编出汇编代码
使用intel-xed反汇编同一编码;
curtis@curtis-virtual-machine:~/Desktop$ cat 11.txt | head -n 14
XDIS 0: MISC BASE 488D25513F6001 lea rsp, ptr [rip+0x1603f51]
XDIS 7: CALL BASE E8D4000000 call 0xe0
XDIS c: MISC BASE 488D3DEDFFFFFF lea rdi, ptr [rip-0x13]
XDIS 13: PUSH BASE 56 push rsi
XDIS 14: CALL BASE E8D7010000 call 0x1f0
XDIS 19: POP BASE 5E pop rsi
XDIS 1a: BINARY BASE 48050060F203 add rax, 0x3f26000
XDIS 20: UNCOND_BR BASE EB20 jmp 0x42
XDIS 22: WIDENOP BASE 0F1F4000 nop dword ptr [rax], eax
XDIS 26: WIDENOP BASE 662E0F1F840000000000 nop word ptr [rax+rax*1], ax
XDIS 30: CALL BASE E8AB000000 call 0xe0
XDIS 35: PUSH BASE 56 push rsi
XDIS 36: CALL BASE E8C51F0000 call 0x2000
XDIS 3b: POP BASE 5E pop rsi
1.打算添加两个功能,将传入code的参数改为传入文件的路径,反汇编时只需要传入文件路径即可;
2.添加输出参数,将反汇编代码写入文件;
3.添加一个参数,只要传入内存地址即可把该地址前后10条汇编指令打印出来;
功能一已经实现,代码就不公开了,效果如下:
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -u x64 "/home/curtis/Desktop/ins.txt"
0 0f 1f 44 00 00 nop dword ptr [rax + rax]
5 55 push rbp
6 48 89 e5 mov rbp, rsp
9 5d pop rbp
a c3 ret
b 0f 1f 44 00 00 nop dword ptr [rax + rax]
功能二已经实现,代码就不公开了,效果如下:
//命令
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -u x64 "/home/curtis/Desktop/ins.txt" -o "/home/curtis/Desktop/ins.asm"
//效果,成功将内容写入文件
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ cat /home/curtis/Desktop/ins.asm
0x 0 48 8d 25 51 3f 60 01 lea rsp, [rip + 0x1603f51]
0x 7 e8 d4 00 00 00 call 0xe0
0x c 48 8d 3d ed ff ff ff lea rdi, [rip - 0x13]
0x13 56 push rsi
0x14 e8 d7 01 00 00 call 0x1f0
0x19 5e pop rsi
0x1a 48 05 00 60 b2 1e add rax, 0x1eb26000
0x20 eb 20 jmp 0x42
0x22 0f 1f 40 00 nop dword ptr [rax]
在实现这个功能的过程中发现如果使用-u参数的话,从添加log打印,代码已经限定count的值位312,那么如果你传入参数size大于312条汇编指令的话,剩余部分没有进行反汇编操作,仔细研究capstone代码之后,我们应该使用-s参数进行反汇编;
curtis@curtis-virtual-machine:~/Desktop/capstone-master/cstool$ ./cstool -s x64 "/home/curtis/Desktop/ins.txt"
0x 0 48 8d 25 51 3f 60 01 lea rsp, [rip + 0x1603f51]
0x 7 e8 d4 00 00 00 call 0xe0
0x c 48 8d 3d ed ff ff ff lea rdi, [rip - 0x13]
0x13 56 push rsi
0x14 e8 d7 01 00 00 call 0x1f0
0x19 5e pop rsi
0x1a 48 05 00 60 b2 1e add rax, 0x1eb26000
0x20 eb 20 jmp 0x42
0x22 0f 1f 40 00 nop dword ptr [rax]
.......省略.........
0x447b4 e8 27 2d 03 00 call 0x774e0
0x447b9 66 90 nop
0x447bb 41 83 fc 02 cmp r12d, 2
0x447bf 0f 8e 6f ff ff ff jle 0x44734
0x447c5 48 8d 7b 18 lea rdi, [rbx + 0x18]
0x447c9 e8 d2 fd ff ff call 0x445a0
0x447ce e9 61 ff ff ff jmp 0x44734
0x447d3 48 8b 05 12 e1 7f 01 mov rax, qword ptr [rip + 0x17fe112]
开放原子开发者工作坊旨在鼓励更多人参与开源活动,与志同道合的开发者们相互交流开发经验、分享开发心得、获取前沿技术趋势。工作坊有多种形式的开发者活动,如meetup、训练营等,主打技术交流,干货满满,真诚地邀请各位开发者共同参与!
更多推荐
所有评论(0)