
Disassemble support #23

Open
bjorn3 opened this issue Oct 9, 2019 · 10 comments
Comments

@bjorn3

bjorn3 commented Oct 9, 2019

For example capstone could be used.

@m4b
Owner

m4b commented Nov 14, 2019

@bjorn3 If you want to sketch out general api for what the cli would be for disassembly, I’d be interested.

Maybe just a few brief examples of proposed cli, along with expected output?

@koutheir
Contributor

LLVM disassembler is also an option here, instead of (or as an alternative to) capstone.

@bjorn3
Author

bjorn3 commented Mar 21, 2022

That requires an LLVM installation when building and running.

@koutheir
Contributor

That only requires LLVM shared libraries, not a full Clang toolchain. It's basically the same requirement as for libcapstone.

@bjorn3
Author

bjorn3 commented Mar 21, 2022

Capstone-rs builds libcapstone.a as static library itself without having to install anything. This only takes like a minute. The LLVM shared libraries take much longer to build (just cloning llvm-project can take a minute depending on your internet connection), are way bigger and if you don't want to build it yourself you have to dynamically link it which adds a runtime dependency on LLVM unlike with capstone-rs.

@koutheir
Contributor

koutheir commented Oct 4, 2022

FYI, disassembling code correctly requires support for relocating code sections (e.g., ELF's .text section), before starting the disassembly. Relocation is a considerable amount of work.

@bjorn3
Author

bjorn3 commented Oct 4, 2022

Objdump doesn't relocate. Instead it provides an option to show relocation entries after the instruction that used them.

@koutheir
Contributor

koutheir commented Oct 4, 2022

But that makes the disassembly way less useful and sometimes even confusing, especially when compared to the disassembly of the debugger.

@bjorn3
Author

bjorn3 commented Oct 4, 2022

It only makes it a bit less useful IMHO. It is nice to have relocation support built in, but as you said this is a considerable amount of effort. What you see in a debugger won't work for bingrep. In a debugger you see the disassembly relocated for the specific location that this instance of the program loads it at. Bingrep however would need to work with symbolic locations such that the disassembly is correct no matter where the object file or executable is loaded. I don't think many disassemblers support this.

@koutheir
Contributor

Providing a useful ELF disassembly also requires parsing the procedure linkage table (PLT), in order to give an idea about which function is called by many calls/jumps. PLTs are platform-specific, and parsing them requires some poking and assumptions about code sequences generated by common compilers and linkers.

For this reason, for instance, the LLVM implementation of objdump only parses PLTs for AMD64, x86, and AArch64.
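The two approaches discussed in this thread, listing relocation entries after the instruction that uses them (the objdump `-r` style bjorn3 describes, which stays correct wherever the object is loaded) and recognising a PLT stub to name the function behind a call (the platform-specific pattern matching koutheir describes), as one added example in Rust. This is not bingrep's code and uses no disassembler crate: it decodes only a handful of x86-64 opcodes by hand so that the example runs with the standard library alone. The code bytes, the `.rela.text` entries and the GOT-slot-to-symbol map are constructed for illustration; the relocation type names are the real ELF `R_X86_64_PC32` / `R_X86_64_PLT32`, and the stub shape `ff 25 disp32` is the standard x86-64 `jmp *slot(%rip)` PLT entry.

```rust
use std::collections::BTreeMap;

/// One relocation entry as it would be read from an ELF `.rela.text` section.
/// Names are `&'static str` here only because the sample data is constructed.
#[derive(Clone, Debug)]
pub struct Rela {
    pub offset: u64,          // byte offset inside the code section
    pub kind: &'static str,   // e.g. "R_X86_64_PLT32"
    pub symbol: &'static str, // symbol the relocation refers to
    pub addend: i64,
}

/// Hex-format a signed value: "-0x4" for negatives, "0x10" (or "+0x10") otherwise.
fn hex(v: i64, explicit_plus: bool) -> String {
    if v < 0 {
        format!("-{:#x}", v.unsigned_abs())
    } else if explicit_plus {
        format!("+{:#x}", v)
    } else {
        format!("{:#x}", v)
    }
}

/// Decode one instruction at section offset `at` from a tiny x86-64 subset.
/// Returns (length in bytes, AT&T-style text). Unknown bytes become `.byte`.
fn decode(bytes: &[u8], at: u64) -> (usize, String) {
    match bytes {
        [0x90, ..] => (1, "nop".into()),
        [0xc3, ..] => (1, "ret".into()),
        [0xe8, a, b, c, d, ..] => {
            // call rel32: target is relative to the end of this 5-byte instruction.
            let rel = i32::from_le_bytes([*a, *b, *c, *d]) as i64;
            (5, format!("call {}", hex(at as i64 + 5 + rel, false)))
        }
        [0x48, 0x8d, 0x05, a, b, c, d, ..] => {
            // lea disp32(%rip),%rax: the disp32 field (offset 3) is what a PC32 reloc patches.
            let disp = i32::from_le_bytes([*a, *b, *c, *d]) as i64;
            (7, format!("lea {}(%rip),%rax", hex(disp, false)))
        }
        [0xff, 0x25, a, b, c, d, ..] => {
            // jmp *disp32(%rip): the shape of an x86-64 PLT stub.
            let disp = i32::from_le_bytes([*a, *b, *c, *d]) as i64;
            (6, format!("jmp *{}(%rip)", hex(disp, false)))
        }
        [b, ..] => (1, format!(".byte {:#04x}", b)),
        [] => (0, String::new()),
    }
}

/// Disassemble `code` (section offset 0) without applying relocations, and print
/// each relocation on its own line right after the instruction whose bytes it
/// patches, the way `objdump -dr` does. Output stays valid for any load address.
pub fn disasm_with_relocs(code: &[u8], relocs: &[Rela]) -> Vec<String> {
    let mut out = Vec::new();
    let mut pos = 0usize;
    while pos < code.len() {
        let (len, text) = decode(&code[pos..], pos as u64);
        let bytes: Vec<String> = code[pos..pos + len].iter().map(|b| format!("{:02x}", b)).collect();
        out.push(format!("{:4x}: {:<24} {}", pos, bytes.join(" "), text));
        let covers = |r: &&Rela| (pos as u64) <= r.offset && r.offset < (pos + len) as u64;
        for r in relocs.iter().filter(covers) {
            out.push(format!("      {:x}: {} {}{}", r.offset, r.kind, r.symbol, hex(r.addend, true)));
        }
        pos += len;
    }
    out
}

/// Resolve a PLT stub of the form `ff 25 disp32` located at virtual address `va`
/// to the symbol behind the GOT slot it jumps through. `got` maps GOT-slot
/// addresses to symbol names. Any other byte shape yields None, which is exactly
/// why PLT parsing is tied to the code sequences a given toolchain emits.
pub fn resolve_plt_stub(stub: &[u8], va: u64, got: &BTreeMap<u64, &str>) -> Option<String> {
    match stub {
        [0xff, 0x25, a, b, c, d, ..] => {
            let disp = i32::from_le_bytes([*a, *b, *c, *d]) as i64;
            let slot = (va as i64 + 6 + disp) as u64; // %rip = address after the 6-byte jmp
            got.get(&slot).map(|s| format!("{}@plt", s))
        }
        _ => None,
    }
}

/// Constructed sample: an unrelocated `lea` (PC32 to .rodata) and a `call` (PLT32 to puts).
pub fn sample_relocs() -> Vec<Rela> {
    vec![
        Rela { offset: 3, kind: "R_X86_64_PC32", symbol: ".rodata", addend: -4 },
        Rela { offset: 8, kind: "R_X86_64_PLT32", symbol: "puts", addend: -4 },
    ]
}

/// Constructed sample GOT: one slot, owned by `puts`.
pub fn sample_got() -> BTreeMap<u64, &'static str> {
    BTreeMap::from([(0x4018u64, "puts")])
}

fn main() {
    // lea 0x0(%rip),%rax ; call 0x0 ; ret  -- displacement fields still zero, i.e. unrelocated.
    let code: &[u8] = &[0x48, 0x8d, 0x05, 0, 0, 0, 0, 0xe8, 0, 0, 0, 0, 0xc3];
    for line in disasm_with_relocs(code, &sample_relocs()) {
        println!("{}", line);
    }
    // A stub at 0x1030 jumping through the slot at 0x1030 + 6 + 0x2fe2 = 0x4018.
    let stub = [0xff, 0x25, 0xe2, 0x2f, 0x00, 0x00];
    println!("{:?}", resolve_plt_stub(&stub, 0x1030, &sample_got()));
}
```

The relocation listing never rewrites the displacement bytes, so the same output is produced whether the object ends up at 0x400000 or anywhere else; that is the symbolic form bingrep would need. The PLT resolver, by contrast, only understands one stub layout, which is the trade-off behind llvm-objdump supporting PLT parsing on a few architectures only.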
