#1
Which ARM64 disassembler engine best to use in a driver?
I'm porting a driver over to ARM64; that driver relies crucially on some un-exported kernel symbols.
It currently finds the required addresses in exported functions, which in x86/x64 is quite nice. However, the ARM64 ISA seems to be quite a terrible mess in comparison, no way to find anything there "by hand", so to say. Hence I need an ARM64 disassembler engine that I could use to find what I need. Could anyone here recommend me a reliable, lightweight and free ARM64 disassembler engine which I could use? Cheers, David
#2
Capstone?
#3
ARM64 code is pretty simple to disassemble: four bytes per instruction, and it is enough to apply a bit mask (and a subtraction sometimes, if a register is encoded) to distinguish the required instructions.
#4
Yeah, seems not to be so bad after all, I went with an approach like this:
Code:
// Declarations added so the posted fragment compiles as a function (the original post omitted them).
#include <ntddk.h>

static void* FindAdrpAddTarget(const UCHAR* ptr)
{
    ULONG i;
    ULONG_PTR nt;

    // Scan up to 16 instructions (ARM64 instructions are 4 bytes each) for the pair
    //   adrp x8, #page  ;  add x12, x8, #off
    for (i = 0; i < 0x40; i += 4, ptr += 4)
    {
        // ADRP bit layout, LSB first: Rd[4:0] immhi[23:5] 10000[28:24] immlo[30:29] op[31]=1
        union
        {
            ULONG OP;
            struct { ULONG Rd : 5, immHi : 19, op1 : 5, immLo : 2, op2 : 1; };
        } ADRP;
        ADRP.OP = *(ULONG*)ptr;
        if (ADRP.op1 == 0b10000 && ADRP.op2 == 0b1 && ADRP.Rd == 8) // adrp x8, #0x575000
        {
            // ADD (immediate, 64-bit), LSB first: Rd[4:0] Rn[9:5] imm12[21:10] sh[23:22] 10001[28:24] S[29] op[30] sf[31]
            union
            {
                ULONG OP;
                struct { ULONG Rd : 5, Rn : 5, imm12 : 12, shift : 2, op1 : 5, S : 1, op2 : 1, sf : 1; };
            } ADD;
            ADD.OP = *(ULONG*)(ptr + 4);
            if (ADD.sf == 0b1 && ADD.op2 == 0b0 && ADD.S == 0b0 && ADD.op1 == 0b10001 && ADD.shift == 0 && ADD.Rn == 8 && ADD.Rd == 12) // add x12, x8, #0xf80
            {
                // immhi:immlo is a signed 21-bit page count; sign-extend it before scaling,
                // otherwise negative (backward) page offsets are truncated in a 32-bit LONG
                LONG64 imm21 = (LONG64)((ADRP.immHi << 2) | ADRP.immLo);
                if (imm21 & (1 << 20))
                    imm21 -= (LONG64)1 << 21;
                LONG64 delta = imm21 * 0x1000 + ADD.imm12;
                // Note: ADRP clears the lower 12 bits of the PC
                nt = ((ULONG_PTR)ptr & ~(ULONG_PTR)0xFFF) + delta;
                return (void*)nt;
            }
        }
    }
    return NULL; // pattern not found within the scanned window
}
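The mask-and-compare approach from the two posts above, written out as a self-contained ADRP/ADD decoder that can be compiled and checked on any host. This is an added example, not code from the thread; it assumes only the public ARMv8-A encodings of ADRP and ADD (immediate, 64-bit), and the byte sequences and base addresses below are constructed for illustration. It goes slightly beyond the posted snippet: it sign-extends the 21-bit page immediate so that negative page offsets decode correctly, handles the shifted form of the ADD immediate, and matches the register pair by number rather than hard-coding x8/x12.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Read one little-endian 32-bit instruction word from a byte buffer. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* ADRP: op[31]=1 immlo[30:29] 10000[28:24] immhi[23:5] Rd[4:0].
 * Returns 1 on match and fills rd and the signed page offset (imm21 * 4096). */
static int decode_adrp(uint32_t insn, unsigned *rd, int64_t *page_offset)
{
    if ((insn & 0x9F000000u) != 0x90000000u)
        return 0;
    uint32_t immlo = (insn >> 29) & 0x3;
    uint32_t immhi = (insn >> 5) & 0x7FFFF;
    uint32_t imm21 = (immhi << 2) | immlo;
    /* immhi:immlo is a signed 21-bit page count; sign-extend before scaling. */
    int64_t imm = (int64_t)imm21;
    if (imm21 & (1u << 20))
        imm -= (int64_t)1 << 21;
    *rd = insn & 0x1F;
    *page_offset = imm * 4096;
    return 1;
}

/* ADD (immediate, 64-bit): sf[31]=1 op[30]=0 S[29]=0 100010[28:23] sh[22] imm12[21:10] Rn[9:5] Rd[4:0].
 * sh=1 means the 12-bit immediate is shifted left by 12. */
static int decode_add_imm64(uint32_t insn, unsigned *rd, unsigned *rn, uint32_t *imm)
{
    if ((insn & 0xFF800000u) != 0x91000000u)
        return 0;
    uint32_t sh = (insn >> 22) & 1;
    *imm = ((insn >> 10) & 0xFFF) << (sh ? 12 : 0);
    *rn = (insn >> 5) & 0x1F;
    *rd = insn & 0x1F;
    return 1;
}

/* Scan 'len' bytes of code mapped at virtual address 'base' for the pair
 *   adrp xN, #page ; add xM, xN, #lo
 * and return the absolute address it materialises, or 0 if no pair is found.
 * ADRP forms its result from the instruction's own PC with the low 12 bits cleared. */
uint64_t find_adrp_add_target(const uint8_t *code, size_t len, uint64_t base)
{
    for (size_t off = 0; off + 8 <= len; off += 4) {
        unsigned adrp_rd, add_rd, add_rn;
        int64_t page;
        uint32_t lo;
        if (!decode_adrp(read_le32(code + off), &adrp_rd, &page))
            continue;
        if (!decode_add_imm64(read_le32(code + off + 4), &add_rd, &add_rn, &lo) || add_rn != adrp_rd)
            continue;
        uint64_t pc_page = (base + off) & ~(uint64_t)0xFFF;
        return pc_page + (uint64_t)page + lo;
    }
    return 0;
}

/* Constructed sample 1: nop ; adrp x8, #0x575000 ; add x12, x8, #0xf80 */
static const uint8_t sample_pos[] = {
    0x1F, 0x20, 0x03, 0xD5,   /* 0xD503201F  nop                  */
    0xA8, 0x2B, 0x00, 0xB0,   /* 0xB0002BA8  adrp x8, #0x575000   */
    0x0C, 0x01, 0x3E, 0x91,   /* 0x913E010C  add  x12, x8, #0xf80 */
};

/* Constructed sample 2: adrp x0, #-0x3000 ; add x1, x0, #0x10 (negative page offset) */
static const uint8_t sample_neg[] = {
    0xE0, 0xFF, 0xFF, 0xB0,   /* 0xB0FFFFE0  adrp x0, #-0x3000    */
    0x01, 0x40, 0x00, 0x91,   /* 0x91004001  add  x1, x0, #0x10   */
};

uint64_t sample_pos_target(void) { return find_adrp_add_target(sample_pos, sizeof sample_pos, 0xFFFFF80012340100ull); }
uint64_t sample_neg_target(void) { return find_adrp_add_target(sample_neg, sizeof sample_neg, 0x10000ull); }

int main(void)
{
    printf("sample 1 target: 0x%016llx\n", (unsigned long long)sample_pos_target());
    printf("sample 2 target: 0x%016llx\n", (unsigned long long)sample_neg_target());
    return 0;
}
```

The hard-coded masks are just the fixed opcode bits of each encoding (0x9F000000/0x90000000 for ADRP, 0xFF800000/0x91000000 for ADD immediate with sf=1, op=0, S=0); the variable fields are extracted afterwards, which is what post #3 means by "a bit mask and a subtraction".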
#5
Capstone would be the most complete, battle-proven and standalone disassembler framework that doesn't need to be part of other software to function. It's a disassembly/disassembler framework that just works.
Also from its website Quote:
- reliable [✓]
- lightweight [I don't know, it's a framework and supports multiple architectures, not just ARM64]
- free ARM64 disassembler engine [✓]
Edit: It looks like you can build only selected architectures to suit your need, so lightweight [✓] I guess? https://www.capstone-engine.org/compile.html
#6
For my use it still seems overkill; a small custom approach worked out great, see attachment.