设为首页收藏一下又不会死!新人公告
切换到窄版

 找回密码
 立即注册→加入我们

QQ登录

只需一步,快速开始

搜索
热搜: 下载 VB C 实现 编写
技术宅的结界»论坛 计算机技术 技巧探讨 简单套用BeaEngine实现VB Disassembler
返回列表 发新帖
查看: 9960|回复: 2

简单套用BeaEngine实现VB Disassembler

[复制链接]
唐凌

65

主题

115

回帖

1万

积分

用户组: 超级版主

OS与VM研究学者

UID
1043
精华
35
威望
789 点
宅币
8294 个
贡献
1094 次
宅之契约
0 份
在线时间
2067 小时
注册时间
2015-8-15
发表于 2016-3-27 01:29:23 | 显示全部楼层 |阅读模式

欢迎访问技术宅的结界,请注册或者登录吧。

您需要 登录 才可以下载或查看,没有账号?立即注册→加入我们

×
本帖最后由 tangptr@126.com 于 2016-3-27 01:29 编辑

BeaEngine可谓是一个极其简单实用的一个反汇编引擎了,这里呢本人用VB制作了一个反汇编器,某些原因呢只做Win32的。
首先把网上的原版BeaEngine.lib下载下来,然后用它包装到到DLL里方便我们调用。
官方的BeaEngine.h是用来调用BeaEngine的,这里我们有必要把它翻译成VB的代码,这也挺耗时的,翻译结果如下。
  1. Option Explicit
  2. Public Declare Function Disasm Lib "BeaEngine.dll" Alias "_Disasm@4" (ByRef pDisasm As Disasm) As Integer
  3. Public Type REX_STRUCT
  4.     W As Byte
  5.     R As Byte
  6.     X As Byte
  7.     B As Byte
  8.     State As Byte
  9. End Type

  11. Public Type PRIFIX_INFO
  12.     Number As Integer
  13.     NbUndefined As Integer
  14.     LockPrefix As Byte
  15.     OperandSize As Byte
  16.     AddressSize As Byte
  17.     RepnePrefix As Byte
  18.     RepPrefix As Byte
  19.     FSPrefix As Byte
  20.     SSPrefix As Byte
  21.     GSPrefix As Byte
  22.     ESPrefix As Byte
  23.     CSPrefix As Byte
  24.     DSPrefix As Byte
  25.     BranchTaken As Byte
  26.     BranchNotTaken As Byte
  27.     Rex As REX_STRUCT
  28. End Type

  30. Public Type EFL_STRUCT
  31.     OF As Byte
  32.     SF As Byte
  33.     ZF As Byte
  34.     AF As Byte
  35.     PF As Byte
  36.     CF As Byte
  37.     TF As Byte
  38.     IF As Byte
  39.     DF As Byte
  40.     NT As Byte
  41.     RF As Byte
  42.     Alignment As Byte
  43. End Type

  45. Public Type MEMORY_TYPE
  46.     BaseRegister As Long
  47.     IndexRegister As Long
  48.     Scale As Long
  49.     DisplacementLow As Long
  50.     DisplacementHigh As Long
  51. End Type

  53. Public Type INSTRTTYPE
  54.     Category As Long
  55.     Opcode As Long
  56.     Mnemonic(1 To 16) As Byte
  57.     BranchType As Long
  58.     Flags As EFL_STRUCT
  59.     AddrValueLow As Long
  60.     AddrValueHigh As Long
  61.     ImmediateLow As Long
  62.     ImmediateHigh As Long
  63.     ImplicitModifiedRegs As Long
  64. End Type

  66. Public Type ARGTYPE
  67.     ArgMnemonic(1 To 32) As Byte
  68.     ARGTYPE As Long
  69.     ArgSize As Long
  70.     ArgPosition As Long
  71.     AccessMode As Long
  72.     Memory As MEMORY_TYPE
  73.     SegmentReg As Long
  74. End Type

  76. Public Type Disasm
  77.     EIP As Long
  78.     VirtualAddressLow As Long
  79.     VirtualAddressHigh As Long
  80.     SecurityBlock As Long
  81.     CompleteInstr(1 To 64) As Byte
  82.     Archi As Long
  83.     OptionsLow As Long
  84.     OptionsHigh As Long
  85.     Instruction As INSTRTTYPE
  86.     Argument1 As ARGTYPE
  87.     Argument2 As ARGTYPE
  88.     Argument3 As ARGTYPE
  89.     Prefix As PRIFIX_INFO
  90.     Reserved(1 To 40) As Long
  91. End Type

  93. Public Const ESReg = 1
  94. Public Const DSReg = 2
  95. Public Const FSReg = 3
  96. Public Const GSReg = 4
  97. Public Const CSReg = 5
  98. Public Const SSReg = 6

  100. Public Const InvalidPrefix = 4
  101. Public Const SuperfluousPrefix = 2
  102. Public Const NotUsedPrefix = 0
  103. Public Const MandatoryPrefix = 8
  104. Public Const InUsePrefix = 1

  106. Public Const LowPosition = 0
  107. Public Const HighPosition = 1

  109. Public Enum INSTRUCTION_TYPE
  110.     GENERAL_PURPOSE_INSTRUCTION = &H10000
  111.     FPU_INSTRUCTION = &H20000
  112.     MMX_INSTRUCTION = &H40000
  113.     SSE_INSTRUCTION = &H80000
  114.     SSE2_INSTRUCTION = &H100000
  115.     SSE3_INSTRUCTION = &H200000
  116.     SSSE3_INSTRUCTION = &H400000
  117.     SSE41_INSTRUCTION = &H800000
  118.     SSE42_INSTRUCTION = &H1000000
  119.     SYSTEM_INSTRUCTION = &H2000000
  120.     VM_INSTRUCTION = &H4000000
  121.     UNDOCUMENTED_INSTRUCTION = &H8000000
  122.     AMD_INSTRUCTION = &H10000000
  123.     ILLEGAL_INSTRUCTION = &H20000000
  124.     AES_INSTRUCTION = &H40000000
  125.     CLMUL_INSTRUCTION = &H80000000
  126.     DATA_TRANSFER = &H1
  127.     ARITHMETIC_INSTRUCTION
  128.     LOGICAL_INSTRUCTION
  129.     SHIFT_ROTATE
  130.     BIT_UInt8
  131.     CONTROL_TRANSFER
  132.     STRING_INSTRUCTION
  133.     InOutINSTRUCTION
  134.     ENTER_LEAVE_INSTRUCTION
  135.     FLAG_CONTROL_INSTRUCTION
  136.     SEGMENT_REGISTER
  137.     MISCELLANEOUS_INSTRUCTION
  138.     COMPARISON_INSTRUCTION
  139.     LOGARITHMIC_INSTRUCTION
  140.     TRIGONOMETRIC_INSTRUCTION
  141.     UNSUPPORTED_INSTRUCTION
  142.     LOAD_CONSTANTS
  143.     FPUCONTROL
  144.     STATE_MANAGEMENT
  145.     CONVERSION_INSTRUCTION
  146.     SHUFFLE_UNPACK
  147.     PACKED_SINGLE_PRECISION
  148.     SIMD128bits
  149.     SIMD64bits
  150.     CACHEABILITY_CONTROL
  151.     FP_INTEGER_CONVERSION
  152.     SPECIALIZED_128bits
  153.     SIMD_FP_PACKED
  154.     SIMD_FP_HORIZONTAL
  155.     AGENT_SYNCHRONISATION
  156.     PACKED_ALIGN_RIGHT
  157.     PACKED_SIGN
  158.     PACKED_BLENDING_INSTRUCTION
  159.     PACKED_TEST
  160.     PACKED_MINMAX
  161.     HORIZONTAL_SEARCH
  162.     PACKED_EQUALITY
  163.     STREAMING_LOAD
  164.     INSERTION_EXTRACTION
  165.     DOT_PRODUCT
  166.     SAD_INSTRUCTION
  167.     ACCELERATOR_INSTRUCTION
  168.     ROUND_INSTRUCTION
  169. End Enum

  171. Public Enum EFLAGS_STATE
  172.     TE = 1
  173.     MO = 2
  174.     RE = 4
  175.     SE = 8
  176.     UN = &H10
  177.     PR = &H20
  178. End Enum

  180. Public Enum ARGUMENTS_TYPE
  181.     NO_ARGUMENT = &H10000000
  182.     REGISTER_TYPE = &H20000000
  183.     MEMORY_TYPE = &H40000000
  184.     CONSTANT_TYPE = &H80000000
  185.     MMX_REG = &H10000
  186.     GENERAL_REG = &H20000
  187.     FPU_REG = &H40000
  188.     SSE_REG = &H80000
  189.     CR_REG = &H100000
  190.     DR_REG = &H200000
  191.     SPECIAL_REG = &H400000
  192.     MEMORY_MANAGEMENT_REG = &H800000
  193.     SEGMENT_REG = &H1000000
  194.     RELATIVE_ = &H4000000
  195.     ABSOLUTE_ = &H8000000
  196.     READ_ = &H1
  197.     WRITE_ = &H2
  198.     REG0 = &H1
  199.     REG1 = &H2
  200.     REG2 = &H4
  201.     REG3 = &H8
  202.     REG4 = &H10
  203.     REG5 = &H20
  204.     REG6 = &H40
  205.     REG7 = &H80
  206.     REG8 = &H100
  207.     REG9 = &H200
  208.     REG10 = &H400
  209.     REG11 = &H800
  210.     REG12 = &H1000
  211.     REG13 = &H2000
  212.     REG14 = &H4000
  213.     REG15 = &H8000
  214. End Enum

  216. Public Enum SPECIAL_INFO
  217.     UNKNOWN_OPCODE = -1
  218.     OUT_OF_BLOCK = 0
  219.     NoTabulation = &H0
  220.     Tabulation = &H1
  221.     MasmSyntax = &H0
  222.     GoAsmSyntax = &H100
  223.     NasmSyntax = &H200
  224.     ATSyntax = &H400
  225.     PrefixedNumeral = &H10000
  226.     SuffixedNumeral = &H0
  227.     ShowSegmentRegs = &H1000000
  228. End Enum
复制代码

上述的声明被放入了mod_BeaEngine.bas,反汇编的具体效果如下图所示:

应用反汇编

应用反汇编
只要我们加入读取内核内存的功能,就连当前状态的内核函数都是可以进行反汇编的!这里我们演示方便套用了ZwSystemDebugControl,利用ZwSystemDebugControl读内核内存的代码如下:
  1. Public Declare Function ZwSystemDebugControl Lib "ntdll.dll" (ByVal SysDbgCode As Long, ByVal InputBuffer As Long, ByVal InputBufferLength As Long, ByVal OutputBuffer As Long, ByVal OutputBufferLength As Long, ByRef ReturnLength As Long) As Long
  2. Public Type MEMORY_CHUNKS
  3.     Address As Long
  4.     pData As Long
  5.     nSize As Long
  6. End Type
  7. Public Sub ReadKernelMemory(ByVal dest As Long, ByVal src As Long, ByVal cch As Long)
  8. Dim mc As MEMORY_CHUNKS
  9. Dim st As Long, ret As Long
  10. With mc
  11.     .Address = src
  12.     .pData = dest
  13.     .nSize = cch
  14. End With
  15. st = ZwSystemDebugControl(8, VarPtr(mc), Len(mc), 0, 0, ret)
  16. End Sub
复制代码

效果甚好,在对比WinDbg的情况下如图所示:

内核反汇编

内核反汇编
当然咯也可以实现对PE文件中代码的反汇编,只要搞好逻辑,自己实现IDA这样的好东西貌似不成问题,这里不再举例。

vbasm.zip

65.98 KB, 下载次数: 30

下载代码不回帖是一种很欠扁的行为
回复

使用道具 举报

cyycoish

85

主题

175

回帖

3990

积分

用户组: 超级版主

No. 418

UID
418
精华
14
威望
53 点
宅币
1974 个
贡献
1582 次
宅之契约
0 份
在线时间
252 小时
注册时间
2014-8-9
发表于 2016-3-27 02:12:29 | 显示全部楼层
附件名666 www. vbasm.zip
In the beginning I was not the best.
And the world was also not the best.
But I still know that I am who I am.
Because I think that it is good.
I have been working hard.
I have been keeping growth with the world.
And it was so.
回复 赞! 靠!

使用道具 举报

bigwind

2

主题

59

回帖

458

积分

用户组: 中·技术宅

UID
2364
精华
0
威望
0 点
宅币
397 个
贡献
0 次
宅之契约
0 份
在线时间
53 小时
注册时间
2017-3-30
发表于 2018-8-2 22:07:09 | 显示全部楼层
下载代码不回帖是一种很欠扁的行为
回复 赞! 靠!

使用道具 举报

返回列表 发新帖

QQ|Archiver|小黑屋|技术宅的结界 ( 滇ICP备16008837号 )|网站地图

GMT+8, 2024-4-20 08:24 , Processed in 0.035428 second(s), 32 queries , Gzip On.

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回复 返回顶部 返回列表