Disassemble support

Question

Disassemble support

bjorn3 opened this issue 5 years ago · comments

bjorn3 commented 5 years ago

For example capstone could be used.

m4b · Answer 1 · Thu Nov 14 2019 14:06:06 GMT+0800 (China Standard Time)

@bjorn3 If you want to sketch out general api for what the cli would be for disassembly, I’d be interested.

Maybe just a few brief examples of proposed cli, along with expected output ?

Koutheir Attouchi · Answer 2 · Mon Mar 21 2022 11:07:38 GMT+0800 (China Standard Time)

LLVM disassembler is also an option here, instead of (or as an alternative to) capstone.

bjorn3 · Answer 3 · Mon Mar 21 2022 18:54:58 GMT+0800 (China Standard Time)

That requires an LLVM installation when building and running.

Koutheir Attouchi · Answer 4 · Mon Mar 21 2022 20:26:54 GMT+0800 (China Standard Time)

That only requires LLVM shared libraries, not a full Clang toolchain. It's basically the same requirement as for libcapstone.

bjorn3 · Answer 5 · Mon Mar 21 2022 20:56:22 GMT+0800 (China Standard Time)

Capstone-rs builds libcapstone.a as static library itself without having to install anything. This only takes like a minute. The LLVM shared libraries take much longer to build (just cloning llvm-project can take a minute depending on your internet connection), are way bigger and if you don't want to build it yourself you have to dynamically link it which adds a runtime dependency on LLVM unlike with capstone-rs.

Koutheir Attouchi · Answer 6 · Tue Oct 04 2022 11:16:55 GMT+0800 (China Standard Time)

FYI, disassembling code correctly requires support for relocating code sections (e.g., ELF's .text section), before starting the disassembly. Relocation is a considerable amount of work.

bjorn3 · Answer 7 · Tue Oct 04 2022 16:50:18 GMT+0800 (China Standard Time)

Objdump doesn't relocate. Instead it provides an option to show relocation entries after the instruction that used them.

Koutheir Attouchi · Answer 8 · Tue Oct 04 2022 20:16:19 GMT+0800 (China Standard Time)

But that makes the disassembly way less useful and sometimes even confusing, especially when compared to the disassembly of the debugger.

bjorn3 · Answer 9 · Tue Oct 04 2022 20:28:42 GMT+0800 (China Standard Time)

It only makes it a bit less useful IMHO. It is nice to have relocation support builtin, but as you said this is a considerable amount of effort. What you see in a debugger won't work for bingrep. In a debugger you see the disassembly relocated for the specific location that this instance of the program loads it at. Bingrep however would need to work with symbolic locations such that the disassembly is correct no matter where the object file or executable is loaded. I don't think many disassemblers support this.

Koutheir Attouchi · Answer 10 · Mon Oct 10 2022 11:04:16 GMT+0800 (China Standard Time)

Providing a useful ELF disassembly also requires parsing the procedure linkage table (PLT), in order to give an idea about which function is called by many calls/jumps. PLTs are platform-specific, and parsing them requires some poking and assumptions about code sequences generated by common compilers and linkers.

For this reason, for instance, the LLVM implementation of objdump only parses PLTs for AMD64, x86, and AArch64.