SharpDisasm 1.1.11

Install-Package SharpDisasm -Version 1.1.11
dotnet add package SharpDisasm --version 1.1.11
<PackageReference Include="SharpDisasm" Version="1.1.11" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SharpDisasm --version 1.1.11
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: SharpDisasm, 1.1.11"
#r directive can be used in F# Interactive, C# scripting and .NET Interactive. Copy this into the interactive tool or source code of the script to reference the package.
// Install SharpDisasm as a Cake Addin
#addin nuget:?package=SharpDisasm&version=1.1.11

// Install SharpDisasm as a Cake Tool
#tool nuget:?package=SharpDisasm&version=1.1.11
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

SharpDisasm

SharpDisam is a C# disassembler able to decode binary executable code for the x86 and x86-64 CPU architectures into disassembled instructions.

Build status

About

The disassembler is able to decode more than 4 million 64-bit instructions a second (with an average instruction length of 7-bytes). When also translating the instructions to Intel syntax the number of instructions per second is around 2 million instructions per second.

The library is a C# port of the Udis86 disassembler originally written in C. The ported portion of SharpDisam is a straight port of the C Udis86 library to C# with no attempt to change the logic and make the code base more C# friendly. This was done intentionally so that future updates to the Udis86 library can be ported across without too much hassle. The SharpDisam.Disassembler class wraps the original Udis86 API in order to present a C# friendly interface to the underlying API.

The opcode table "optable.xml" is used to generate the opcode lookup tables with a T4 template "OpTable.tt". This generates an output that is comparable to the output of the original Python scripts used with Udis86 (ud_itab.py and ud_opcode.py).

Classes

  • SharpDisasm.Disassembler - provides convenient access to the underlying libudis86 implementation through an enumerator or by explicitly requesting the next instruction to be decoded.
  • SharpDisasm.Instruction - represents a decoded instruction.
  • SharpDisasm.Operand - represents an operand of a decoded instruction.
  • SharpDisasm.Translators.Translator - abstract base class for implementing translators to output an instruction to assembler code.
  • SharpDisasm.Translators.IntelTranslator - an Intel syntax translator. This is the default translator (found on the static SharpDisasm.Disassembler.Translator property)
  • SharpDisasm.Translators.ATTTranslator - an AT&T syntax translator. Assign an instance of this to the SharpDisasm.Disassembler.Translator property to use this syntax.

Example

Below is the output of the following console application that decodes a Hex string into instructions. It can accept instructions typed in as a single line, or piped in from a the command line or a text file.

C:\>echo a1 c9 fd ff ff a1 37 02 00 00 b8 37 02 00 00 b4 09 8a 
25 09 00 00 00 8b 04 6d 85 ff ff ff 89 45 f0| disasmcli 32

00000000 a1 c9 fd ff ff                 mov eax, [0xfffffdc9]
00000005 a1 37 02 00 00                 mov eax, [0x237]
0000000a b8 37 02 00 00                 mov eax, 0x237
0000000f b4 09                          mov ah, 0x9
00000011 8a 25 09 00 00 00              mov ah, [0x9]
00000017 8b 04 6d 85 ff ff ff           mov eax, [ebp*2-0x7b]
0000001e 89 45 f0                       mov [ebp-0x10], eax

C:\>echo 8b0550000000488b05f7ffffff67668b40f06766035e1048030425ffff
000067660344bef04c0384980000008048a10000000000800000 | disasmcli 64

0000000000000000 8b 05 50 00 00 00              mov eax, [rip+0x50]
0000000000000006 48 8b 05 f7 ff ff ff           mov rax, [rip-0x9]
000000000000000d 67 66 8b 40 f0                 mov ax, [eax-0x10]
0000000000000012 67 66 03 5e 10                 add bx, [esi+0x10]
0000000000000017 48 03 04 25 ff ff 00 00        add rax, [0xffff]
000000000000001f 67 66 03 44 be f0              add ax, [esi+edi*4-0x10]
0000000000000025 4c 03 84 98 00 00 00 80        add r8, [rax+rbx*4-0x80000000]
000000000000002d 48 a1 00 00 00 00 00 80 00 00  mov rax, [0x800000000000]

C:\>echo 8b0550000000488b05f7ffffff67668b40f06766035e1048030425ffff
000067660344bef04c0384980000008048a10000000000800000 | disasmcli 64 resolveRip

0000000000000000 8b 05 50 00 00 00              mov eax, [0x56]
0000000000000006 48 8b 05 f7 ff ff ff           mov rax, [0x4]
000000000000000d 67 66 8b 40 f0                 mov ax, [eax-0x10]
0000000000000012 67 66 03 5e 10                 add bx, [esi+0x10]
0000000000000017 48 03 04 25 ff ff 00 00        add rax, [0xffff]
000000000000001f 67 66 03 44 be f0              add ax, [esi+edi*4-0x10]
0000000000000025 4c 03 84 98 00 00 00 80        add r8, [rax+rbx*4-0x80000000]
000000000000002d 48 a1 00 00 00 00 00 80 00 00  mov rax, [0x800000000000]

Here is the source of the disasmcli console application used above.

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
namespace disasmcli
{
    class Program
    {
        static void Main(string[] args)
        {
            // Determine the architecture mode or us 32-bit by default
            SharpDisasm.ArchitectureMode mode = SharpDisasm.ArchitectureMode.x86_32;
            if (args.Length > 0)
            {
                switch (args[0])
                {
                    case "16": { mode = SharpDisasm.ArchitectureMode.x86_16; break; }
                    case "32": { mode = SharpDisasm.ArchitectureMode.x86_32; break; }
                    case "64": { mode = SharpDisasm.ArchitectureMode.x86_64; break; }
                    default:
                        break;
                }
                if (args.Length > 1)
                {
                    if (args[1].ToLower() == "resolverip")
                    {
                        SharpDisasm.Disassembler.Translator.ResolveRip = true;
                    }
                }
            }
            // Allow input >256 chars
            Console.SetIn(new StreamReader(Console.OpenStandardInput(8192)));
            StringBuilder input = new StringBuilder();
            while (Console.In.Peek() != -1)
            {
                input.Append(Console.In.ReadLine());
            }
            // Configure the translator to output instruction addresses and instruction binary as hex
            SharpDisasm.Disassembler.Translator.IncludeAddress = true;
            SharpDisasm.Disassembler.Translator.IncludeBinary = true;
            
            // Create the disassembler
            var disasm = new SharpDisasm.Disassembler(
                HexStringToByteArray(input.ToString().Replace(" ", "")), 
                mode, 0, true);
            // Disassemble each instruction and output to console
            foreach (var insn in disasm.Disassemble())
                Console.Out.WriteLine(insn.ToString());
        }
        static byte[] HexStringToByteArray(string hex)
        {
            return Enumerable.Range(0, hex.Length)
                             .Where(x => x % 2 == 0)
                             .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
                             .ToArray();
        }
    }
}

LICENSE

SharpDisam is Copyright (c) 2015 Justin Stenning and is distributed under the 2-clause "Simplified BSD License".

Portions of the project are ported from Udis86 Copyright (c) 2002-2012, Vivek Thampi vivek.mt@gmail.com https://github.com/vmt/udis86 distributed under the 2-clause "Simplified BSD License".

  • .NETFramework 3.5

    • No dependencies.
  • .NETFramework 4.0

    • No dependencies.
  • .NETFramework 4.5

    • No dependencies.
  • .NETStandard 2.0

    • No dependencies.

NuGet packages (4)

Showing the top 4 NuGet packages that depend on SharpDisasm:

Package Downloads
libReloaded

The main library for the development of Reloaded Mod Loader Modifications. Provides you with JIT X86/64 Assembly, Memory Buffers, X86/64 Function Calling, X86/64 Function Hooking, X86/64 Custom Function Hooking (Usercall/Userpurge), X86/64 Function Pointers, Virtual Function Table Hooking/Calling, Native Array Utilities, Pattern/Signature Scanning, Reading/Writing Memory, Memory Page Management, Easy DLL Injector, Thread Management and more.

Reloaded.Hooks

Advanced native function hooks for x86, x64. Welcome to the next level!

ERC.Net-x86

ERC.Net is a collection of tools designed to assist in debugging Windows application crashes. ERC.Net supports both 64 and 32 bit applications, can parse DLL/EXE headers, identify compile time flags such as ASLR, DEP and SafeSEH, generate non repeating patterns, generate platform specific egg hunters, identify process information such as loaded modules and running threads, read the TEB of a specific thread, assist with identifying numerous types of memory vulnerabilities and has numerous other use cases.

ERC.Net-x64

ERC.Net is a collection of tools designed to assist in debugging Windows application crashes. ERC.Net supports both 64 and 32 bit applications, can parse DLL/EXE headers, identify compile time flags such as ASLR, DEP and SafeSEH, generate non repeating patterns, generate platform specific egg hunters, identify process information such as loaded modules and running threads, read the TEB of a specific thread, assist with identifying numerous types of memory vulnerabilities and has numerous other use cases.

GitHub repositories (5)

Showing the top 5 popular GitHub repositories that depend on SharpDisasm:

Repository Stars
ashmind/SharpLab
.NET language playground
Squalr/Squalr
Squalr Memory Editor - Game Hacking Tool Written in C#
CCob/BeaconEye
Hunts out CobaltStrike beacons and logs operator command output
kkokosa/Tune
The Ultimate .NET Experiment
zodiacon/PEExplorer
Portable Executable Explorer
Version Downloads Last updated
1.1.11 33,477 5/24/2018
1.1.9 1,117 12/28/2017
1.1.5 2,884 2/6/2016
1.0.2 954 7/11/2015

1.1.11
1. Added ability to resolve RIP relative addresses in ASM outputting
2. 64-bit definition fixes for a number of instructions
3. Support for .NET Standard target
   
1.1.9
1. Added support for offset into IAssemblyCode
2. Fix exceptions on invalid instructions (contributed by ste-art)
3. Fix ATT syntax for enter/bound mnemonics being dropped
4. Translator internals refactored (better code reuse)
5. A few Debug.Asserts replaced with exceptions for Translator and Instruction.ToString
1.1.5
1. Use of unsafe replaced with an assembly code reader interface
1.0.2
1. Full port of udis86 C-library into C#
2. Wrapper class Disassembler for those not familiar with the libudis86 C-library