@ateleshev
Forked from grantseltzer/disassembler.go
Created December 10, 2020 19:48
Full disassembler
package main
import (
"debug/elf"
"fmt"
"log"
"os"
"github.com/bnagy/gapstone"
)
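// main disassembles every function symbol found in the .text section of the
// running executable (os.Args[0]) and prints the instructions, grouped by
// symbol, to standard output.
//
// Symbol values and sizes come straight from the ELF file, so they are
// treated as untrusted: each symbol is range-checked against the .text data
// before it is used to slice it.
func main() {
	engine, err := gapstone.New(
		gapstone.CS_ARCH_X86,
		gapstone.CS_MODE_64,
	)
	if err != nil {
		log.Fatal(err)
	}
	defer engine.Close()

	path := os.Args[0]
	elfFile, err := elf.Open(path)
	if err != nil {
		log.Fatalf("error while opening ELF file %s: %+s", path, err.Error())
	}
	defer elfFile.Close()

	symbolTable, err := elfFile.Symbols()
	if err != nil {
		log.Fatalf("could not extract symbol table: %s", err.Error())
	}

	// Locate the .text section.
	textSection := elfFile.Section(".text")
	if textSection == nil {
		log.Fatal("No text section")
	}

	// Read the raw bytes of the .text section.
	textSectionData, err := textSection.Data()
	if err != nil {
		log.Fatal(err)
	}
	textLen := uint64(len(textSectionData))

	// Walk the symbol table.
	for _, symbol := range symbolTable {
		if symbol.Size == 0 {
			continue
		}

		// Skip anything that is not a function. The type lives in the low
		// nibble of Info, so decoding it covers every binding (local, global,
		// weak) rather than only the raw values 2 and 18.
		if elf.ST_TYPE(symbol.Info) != elf.STT_FUNC {
			continue
		}

		// A function symbol may live in another section (.init, .plt, ...)
		// or carry a bogus address in a malformed file. Subtracting the
		// section address would then wrap around and the slice expression
		// below would panic, so such symbols are skipped.
		if symbol.Value < textSection.Addr {
			continue
		}
		symbolStartingIndex := symbol.Value - textSection.Addr
		// Written as a subtraction so that start+size cannot overflow uint64.
		if symbolStartingIndex >= textLen || symbol.Size > textLen-symbolStartingIndex {
			continue
		}
		symbolEndingIndex := symbolStartingIndex + symbol.Size

		// Collect the bytes of the symbol.
		symbolBytes := textSectionData[symbolStartingIndex:symbolEndingIndex]

		// Disassemble the symbol, using its virtual address as the base.
		instructions, err := engine.Disasm(symbolBytes, symbol.Value, 0)
		if err != nil {
			log.Fatalf("could not disasemble symbol: %s", err)
		}

		// Print each instruction that belongs to this symbol.
		fmt.Printf("\n\nSYMBOL %s\n", symbol.Name)
		for _, ins := range instructions {
			fmt.Printf("0x%x:\t%s\t\t%s\n", ins.Address, ins.Mnemonic, ins.OpStr)
		}
	}
}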