GrammaTech / ddisasm

A fast and accurate disassembler
https://grammatech.github.io/ddisasm/
GNU Affero General Public License v3.0

Request for PE32 file support #11

Closed rjzak closed 3 years ago

rjzak commented 4 years ago

I was trying to create a PE32 parser modeled after the ELF parser, but got caught up with trying to figure out the PE32 equivalents of:

Module->addAuxData<gtirb::schema::ElfSectionIndex>(std::move(SectionIndex));
Module->addAuxData<gtirb::schema::ElfSectionProperties>(std::move(SectionProperties));

I'm not familiar with this project, and this is probably a feature best left to those who are.

Trass3r commented 3 years ago

I guess you need: https://docs.microsoft.com/en-us/windows/win32/debug/pe-format#section-table-section-headers Is your code public?

kwarrick commented 3 years ago

We have just released PE32 and PE32+ support in version 1.4.0.

Please note that we currently only output MASM assembly syntax so reassembly should be done with ML and ML64.

For example,

ddisasm --asm test.asm test.exe
ml64 test.asm /link /subsystem:console /entry:__EntryPoint

Thanks again!

jrmuizel commented 3 years ago

Is it possible to get updated Windows binaries built? i.e. replacements for these? https://grammatech.github.io/gtirb/pkgs/windows-release/

Trass3r commented 3 years ago

Yeah building it yourself is a painful experience.

> Please note that we currently only output MASM assembly syntax so reassembly should be done with ML and ML64.

Or http://www.terraspace.co.uk/uasm.html

kwarrick commented 3 years ago

> Is it possible to get updated Windows binaries built? i.e. replacements for these? https://grammatech.github.io/gtirb/pkgs/windows-release/

We are working on the first tagged release of ddisasm now! This should include Windows binary builds.

> Or http://www.terraspace.co.uk/uasm.html

I have not used uasm yet. Very interested, thank you.

jrmuizel commented 3 years ago

> Yeah building it yourself is a painful experience.

> Please note that we currently only output MASM assembly syntax so reassembly should be done with ML and ML64.

> Or http://www.terraspace.co.uk/uasm.html

Or perhaps llvm-ml

Trass3r commented 3 years ago

> Please note that we currently only output MASM assembly syntax so reassembly should be done with ML and ML64.

It did make a few mistakes:

error A2008: syntax error : pushal
error A2008: syntax error : popal
error A2152: coprocessor register cannot be first operand : fdivr ST(0)

Should be pushad/popad and fdivr ST(0),ST(0) (D8 F8).

And there are false positives where it identified RGB data in the resource section as references:

_RSRC SEGMENT
ALIGN 16
...
          BYTE 077H
          BYTE 077H
          BYTE 077H
          BYTE 000H
          DWORD $L_6b6b6b
          DWORD $L_5f5f5f
          DWORD $L_535353
          BYTE 047H
          BYTE 047H
          BYTE 047H
          BYTE 000H
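
The two problems reported above (mnemonics ML64 rejects, and pixel data in the resource section emitted as symbol references) can both be caught by a post-processing pass over the generated `.asm` before it is handed to ML64. The script below is an added example written for this thread; it is not part of ddisasm and not Trass3r's code. It assumes the listing layout shown above (`_RSRC SEGMENT` / `ENDS`, `BYTE xxH`, `DWORD $L_<hex>`), applies the three spelling corrections given in the comment, and uses a constructed heuristic (a 24-bit target whose three bytes are equal looks like a grey RGB value rather than an address) to flag suspicious references in `_RSRC`. The sample listing is constructed for the demonstration.

```python
"""Post-process a ddisasm MASM listing (added example, not ddisasm code).

1. Rewrite the mnemonic forms ML64 rejects in the report above.
2. Flag DWORD $L_ references inside _RSRC whose target looks like pixel data.
"""
import re

# Spellings ML64 accepts, as given in the thread.
MNEMONIC_FIXES = {
    "pushal": "pushad",
    "popal": "popad",
}

# `fdivr ST(0)` with one operand is error A2152; D8 F8 is FDIVR ST(0),ST(0),
# so both operands are spelled out.
FDIVR_ONE_OPERAND = re.compile(r"^(\s*)fdivr\s+ST\(0\)\s*$", re.IGNORECASE)

MNEMONIC_RE = re.compile(r"^(\s*)(\w+)(\b.*)$")
SEGMENT_RE = re.compile(r"^(\w+)\s+SEGMENT\b")
ENDS_RE = re.compile(r"^(\w+)\s+ENDS\b")
SYMBOL_DWORD_RE = re.compile(r"^\s*DWORD\s+\$L_([0-9a-fA-F]+)\s*$")


def fix_mnemonics(line: str) -> str:
    """Return the line with the mnemonic problems from the thread corrected."""
    m = MNEMONIC_RE.match(line)
    if m and m.group(2).lower() in MNEMONIC_FIXES:
        return m.group(1) + MNEMONIC_FIXES[m.group(2).lower()] + m.group(3)
    m = FDIVR_ONE_OPERAND.match(line)
    if m:
        return f"{m.group(1)}fdivr ST(0),ST(0)"
    return line


def looks_like_pixel(address_hex: str) -> bool:
    """Constructed heuristic: a value that fits in 24 bits and whose three
    bytes are equal (grey RGB, e.g. 6b6b6b) is more plausibly bitmap data
    than a code or data address."""
    h = address_hex.lower().rjust(8, "0")
    if len(h) != 8 or h[:2] != "00":
        return False
    r, g, b = h[2:4], h[4:6], h[6:8]
    return r == g == b


def flag_resource_references(lines):
    """Return [(line_number, symbol)] for DWORD $L_ references inside an
    _RSRC segment whose target passes the pixel heuristic."""
    in_rsrc = False
    flagged = []
    for i, line in enumerate(lines, 1):
        m = SEGMENT_RE.match(line)
        if m:
            in_rsrc = m.group(1).upper() == "_RSRC"
            continue
        if ENDS_RE.match(line):
            in_rsrc = False
            continue
        if not in_rsrc:
            continue
        m = SYMBOL_DWORD_RE.match(line)
        if m and looks_like_pixel(m.group(1)):
            flagged.append((i, "$L_" + m.group(1)))
    return flagged


def process_listing(text: str):
    """Apply the mnemonic fixes and return (fixed_text, flagged_references)."""
    fixed = [fix_mnemonics(line) for line in text.splitlines()]
    return "\n".join(fixed), flag_resource_references(fixed)


# Constructed sample listing modelled on the fragments quoted in the thread.
SAMPLE_LISTING = """\
_TEXT SEGMENT
          pushal
          fdivr ST(0)
          fdivr ST(0),ST(1)
          DWORD $L_6b6b6b
          popal
_TEXT ENDS
_RSRC SEGMENT
ALIGN 16
          BYTE 077H
          BYTE 077H
          BYTE 077H
          BYTE 000H
          DWORD $L_6b6b6b
          DWORD $L_5f5f5f
          DWORD $L_535353
          DWORD $L_401000
          BYTE 047H
_RSRC ENDS
"""

if __name__ == "__main__":
    fixed_text, flags = process_listing(SAMPLE_LISTING)
    print(fixed_text)
    for lineno, sym in flags:
        print(f"line {lineno}: {sym} in _RSRC looks like pixel data, not a reference")
```

The reference in `_TEXT` is deliberately left alone: the heuristic is only applied inside the resource segment, where a run of equal-byte 24-bit "addresses" next to `BYTE` data is the pattern from the report, and a code-section reference with the same bit pattern would be a far rarer coincidence. Flagged lines are reported rather than rewritten, since turning them back into `BYTE` data is a judgement call that belongs in the disassembler's data-classification rules, not in a text pass.
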

kwarrick commented 3 years ago

@Trass3r Would you mind opening an issue with the failing binary, if possible?

I expect a number of these syntax errors as we push on PE32; the implicit operands for FDIV are a known problem. Seems like we haven't run into FDIVR yet.