250 likes | 368 Views
Disassembling for Fun. Jason Haley. Who is this guy?. Certifiable (MCSD.net certified that is) Blog – http://jasonhaley.com/blog Co-leader of Beantown .Net User Group Member of Boston Area Code Brew A nerd dinner organizer for Boston area TA for Programming .Net at Harvard
E N D
Disassembling for Fun Jason Haley
Who is this guy? • Certifiable (MCSD.net certified that is) • Blog – http://jasonhaley.com/blog • Co-leader of Beantown .Net User Group • Member of Boston Area Code Brew • A nerd dinner organizer for Boston area • TA for Programming .Net at Harvard • Sr. Software Engineer - Cheshire Software
Disassembling is useful • See how efficient a compiler is • Translate IL to a higher level language • View all pieces of an assembly • Extract resources • Edit source code to recompile
Example of disassembling • What is Round-tripping? • Demos: ILDasm, Reflector
Agenda • Define disassembling • Applied disassembling • Writing a disassembler
What is disassembling? • Disassembling is not reflection Demos: WinCV, Asmex • Disassemble or decompile Demos: ILDasm, Reflector
Agenda • Define disassembling • Applied disassembling • Writing a disassembler
What is in an assembly file? • PE/COFF File • CLR Header • Metadata • IL code
PE File • Portable Executable File Format PE/COFF headers Data directories Sections • Demos: Dumpbin, .Net Explorer
CLR Header • Contains CLR specific information “Required runtime” version Metadata location Managed resources location Strong name signature location • Demo: .Net Explorer
Metadata • Assembly metadata Metadata header Metadata streams (tables and heaps) • Demos: Monodis, Asmex, Spices.Net
IL Code • Recognizing the pieces Metadata table contents Metadata heap contents IL code • Demos: Metadata diagram, ILDasm, Dis#
Disassemblers/Decompilers • ILDasm • Monodis • DILE – Dotnet IL Editor • Reflector for .Net • Asmex – Free source .Net Assembly Examiner • Dis# - .Net decompiler • .Net Explorer • Spices.Net
DILE – Dotnet IL Editor • Open source (Zsolt Petreny) – http://sourceforge.net/projects/dile • Disassembles to IL • Quick search for name and tokens • Debugger functionality – can debug IL! • Demo: Debugging IL vs. Assembler
Reflector for .Net • Lutz Roeder – http://www.aisto.com/roeder/dotnet • Great code browsing tool • Add-ins created by community - http://csharp21.tripod.com/ReflectorAddIns • Demo: Reflector and its add-ins
Asmex – Assembly Examiner • Free source (Ben Peterson) - http://www.jbrowse.com/products/asmex/ • Graphical representation • Most pieces of an assembly • Demo: Look at the code
Agenda • Define disassembling • Applied disassembling • Writing a disassembler
Writing a disassembler • PE/COFF File • CLR Header • Metadata • IL Code
PE File • Finding the PE header Signatures (MS-DOS, PE) Necessary structures • Demos: Vijay
CLR Header • Finding the CLR Header Need information from PE Header Calculate the offset in file • Demos: Vijay
Metadata • Tables are a “normalized database” • Heaps String – zero-terminated character GUID – 16 byte binary objects Blob – binary object, preceded by its length • Manifest • Demos: metainfo, Vijay
IL Code • Getting to the IL code Signatures RVA Method format (tiny or fat) Method data section Exception handling clause (small or fat) • Demos: Dile, Vijay
Summary • What is disassembling? • What is a disassembler and what can it do for you? • Where can I find a disassembler? • What are some of the things you need to know to write your own disassembler? • Why do you care?
Resources • Inside Microsoft .Net IL Assembler – Serge Lidin • Standard ECMA-335 – CLI – http://ecma-international.org/publications/standards/Ecma-335.htm • Metadata diagram - Chris King • .Net SDK (especially ILDasm)