-
Notifications
You must be signed in to change notification settings - Fork 132
TheLibASM
Libasm is the disassembling engine provided to the ERESI framework. Libasm was started to provide a disassembly output to ELFsh with the intention to provide extended features, such as the support for several architectures, patching of instructions and low-level code analysis. Libasm now provides rich information on the code of binary files loaded in the ERESI framework, such as instruction and operands analysis, semantic attributes for instructions and operands, allowing straight-forward construction of the Control Flow Graph and the Call Graph (among others). Libasm relies on a a modular and extensible handling of instruction formats using the reflective vector data structure provided by libaspect, which lead to a uniform intregration of libasm features into the ERESI framework language.
Libasm can be used in many operations requesting an access to instructions information.
- Generate listing of instructions for basic blocks or functions on-demand.
- Helping at building different kind of flow graphs by assigning semantic attributes to instructions and operands.
- Searching for longuests sequences of valid instruction in a buffer.
- Searching for push or pop sequences in binary code.
- Disassembling Sparc opcodes with IA32 engine to check if code may be valid on both architecture.
Some libasm features are more portable than others. The current state of portability is as follow:
| Architecture | INTEL | SPARC | MIPS | ARM |
|---|---|---|---|---|
| Full disassembling into internal structures | Yes | Yes | YES | WIP |
| Instructions semantic annotations | Yes | Yes | YES | No |
| Operand semantic annotations | Yes | Yes | YES | No |
| Smart operand patching | WIP | No | No | No |
Unavailable features are the subject of contributions, if someone else has not taken over the implementation of the feature on the bts.
Here is a simple code wich display instruction operands.
#include <libasm.h>
/* opcodes to disassemble */
char *opcodes =
"BBBBBAhHisToldSlde43%:53_+12\"\x03\xde\x01\xd2\x80 ,./';[] [ ] 12 #@#$$";
int main()
{
asm_processor proc;
asm_instr ins;
char buffer[256];
int len;
int curr;
/* Intialize an asm_processor structure.
asm_init_arch(&proc, ASM_PROC_IA32);
curr = 0;
/* Looping on instructions */
while (curr < strlen(opcodes))
{
/* Disassemble opcodes of one max bytes */
len = asm_read_instr(&ins, opcodes + curr, 1, &proc);
if (len > 0)
{
att_dump_operand(&ins, 1, 0, buffer);
printf("op1 = '%s'\n", buffer);
memset(buffer, 0, sizeof(buffer));
att_dump_operand(&ins, 2, 0, buffer);
printf("op2 = '%s'\n", buffer);
memset(buffer, 0, sizeof(buffer));
att_dump_operand(&ins, 3, 0, buffer);
printf("op3 = '%s'\n", buffer);
/* add instruction length to disassembling offset */
curr += len;
}
else
{
/* some error occured. skip byte. */
curr++;
}
}
return (0);
}
Compile with :
cc -ggdb dump_operand.c -o dump_operand -I ../include/ -L.. -lasm \
-I ../../libaspect/include/ -L ../../libaspect/ -laspect32
This program simply prints instruction operands. It is there to illustrate a simple way to use libasm.
The Libasm library depends on other components from the ERESI framework :
- libaspect : the types specification library, for exporting its vectors, hash table and profiling API.
Libasm is one of the oldest component of the ERESI framework and has been widely presented in many articles:
-
Reverse engineering des systemes ELF/INTEL Libasm was firstly introduced in this french paper. IA32 assembly and libasm implementation are described to present control flow graphing and data flow projects.
-
Next Generation Debuggers for Reverse Engineering Libasm instruction annotations are introduced in this article which describe the new components of the ERESI framework related to debugging and code analysis.