In 2020, I expressed my intention to do compiler, disassembler and QR code generator in Compiler and Disassembler, does anyone want to join? thread started by my previous user account.

Despite the criticism, e.g.


...I still plan to go ahead with a x86 disassembler.

While I am still studying the decoding of CPU opcodes, I have finished the program to read EXE file and dump it code section.

In part 1 (I hope there will part 2 in coming weeks or months), I will share how to find the code section in EXE file.

In the mean time, you can find my code repo "exedump" on GitHub:


You may also refer to PE Format

1. Open file, read the beginning of file
2. If 'MZ', go to next step, if not quit
3. Set file position to 0x3C, read the DWORD offset value (start of PE)
4. Set file position to value read in previous step
5. If 'PE,0,0", go to next step, if not quit
6. Read adjacent WORD for machine type (optional)
7. Read next adjacent WORD for number of section
8. Set file position to 0x18 relative to 'start of PE'
9. Read magic number WORD value (for 32-bit or 64-bit PE)
10. Set file position to 0x2C relative to 'start of PE'
11. Read BaseOfCode DWORD value
12. If magic number (read in step 9) is 0x10B,
set file position to 0xF8 relative to 'start of PE', or else
set file position to 0x108 relative to 'start of PE'
13. Read section table (each table is 40 bytes long)
Its VirtualAddress, SizeOfRawData, PointerToRawData DWORD values
14. If VirtualAddress is equal to BaseOfCode (read in step 11) then go to print hexdump
If not match, then loop until 'number of section' (read in step 7)

You may ask why don't just use AddressOfEntryPoint? Well, because it is relative virtual address, not file offset on disk.
To set file position on disk, have to read section table (or section headers), I mean "code section", for its PointerToRawData.
But how we do know it is code section? I use a trick here, by comparing VirtualAddress found in each section table with BaseOfCode found in header.
For example: (Virtual address)



The virtual address is unique for each section, so if my BaseOfCode is 0x2000, then I know the '.text' section is code section.

Until part 2!

This post has been edited by FlierMate4: Mar 14 2023, 12:20 PM

Why not contribute to and explore existing frameworks?

https://github.com/qilingframework/qiling
or
https://github.com/capstone-engine/capstone

Thank you for the suggestion, I know qiling uses capstone, and I know this is open-source, but I can learn better if I start one from scratch, further more, mine will be just supporting up to i386 instruction set, no extension set and no x64. I believe I will be more ready to join other open-source project after gaining experience from doing my own.
So, maybe later. BTW, I still remember you are rockstar malware analyzt, good!

if your objective is to write a disassembler, you should consider separating out the parser of executables and the disassembling engine into separate modules as your project matures.
Also using a higher level language for the disassembler would make it easier to maintain and for others to contribute to

This post has been edited by KLKS: Mar 13 2023, 07:18 PM

Following! Interesting project. Great job!

There's also Zydis, which is a dedicated x86/64 disassembler engine.
https://github.com/zyantific/zydis.

Capstone is more generic across architectures and platforms, so it fits perfectly to what Qiling is for.

.........

This post has been edited by Tullamarine: May 16 2023, 05:05 AM

From other disassembler source code I found, actually there is a better to tell which section is code section:



Next time should use this approach, more reliable.

Hi guys, I give up doing my own disassembler, too much work.
Instead, I rely on Zydis (like that one recommended by @junyian), it requires Zydis.dll (600KB) to run.

Hosted on this GitHub repo:

https://github.com/exedumper/disasm/

Supports x86 and x64 EXE / DLL.

This post has been edited by Tullamarine: May 16 2023, 05:06 AM

............

This post has been edited by Tullamarine: May 25 2023, 02:26 AM

I try to use "Zydis" as hash tag in Twitter, but surprisingly Zydis is a brand name of psychotropic drugs. And many of posts with "Zydis" were referrring to the medication.

I was too rush when finishing the disasm.asm project, hence I confuse how to put a 32-bit unsigned integer into one of a pair of two 32-bit uint parameter. (Have to consider little-endianness in x86).

Below is the necessary changes (so that runtime address in disassembled instruction for conditional jump is correct):


This post has been edited by Tullamarine: May 23 2023, 06:44 PM

Thanks @junyian for your likes.

Below is screenshot of my disasm.exe, disassembling write.exe (WordPad) on the fly in command prompt window.



Notably "int3" is used in MSVC programs that shipped with Windows as padding byte for alignment. You will notice a sequence of "int3" through out these programs.

But my disasm.asm doesn't have code flow analysis, anything in code section will be disassembled regardless of data or code.
Yes, some programs may have data in code section, but these data (or data string) are not executed. So if data is interpreted as code and disassembled by my disasm.asm, then the output is wrong.

In the case, always use high-end disassembler like IDA or Ghidra.

You should start disassembling from the entry point. Not the start of the .code section

.......

This post has been edited by FlierMate: Jun 5 2023, 08:10 PM

PE-bear is so powerful, that my EXEDUMP.EXE and DISASM.EXE are just two tiny functions of it.

https://github.com/exedumper/exed (A variant of EXEDUMP)
https://github.com/exedumper/disasm

(Both repos above were abandoned and no longer maintained, please don't submit PR)

For more updated version of exed and disasm, please download attachment of this post:
 disasm.zip ( 223.21k ) Number of downloads: 4

 exed.zip ( 2.8k ) Number of downloads: 5


Bug fix: disasm - Runtime address endianness, command-line parsing for PowerShell
exed - Command-line parsing for PowerShell



This post has been edited by MatQuasar: Oct 15 2023, 11:24 PM

For those people who make compiler for windows system, also need to study PE Format.

Ref :
PE Format - Win32 apps | Microsoft Learn
https://learn.microsoft.com/en-us/windows/w...debug/pe-format

Portable Executable - Wikipedia
https://en.wikipedia.org/wiki/Portable_Executable

I also recommend PE Tutorial by Tomasz Grysztar:

https://board.flatassembler.net/topic.php?t=20690

Also, an old document on PE format spec:

https://bytepointer.com/resources/oleary_pe_format.htm



This post has been edited by MatQuasar: Oct 15 2023, 07:34 PM