i want to write a string of assembly code in c# and have it sent to some win32 api to compile and execute it and get the results back.
example:
string str = "MOV 1,2;XOR EBP,EBP"...
sounds like hard to do but any suggestion would be helpful.
I doubt there's a win API to compile & execute assembly.
Probably the best you could do is write a file, execute MASM (or whatever it's called these days), link it then execute the resulting program.
I can't imagine what you are trying to do but this would be pretty much the last way I would try to solve almost any problem!
If you want to compare native & managed code, just write two programs that do more or less the same thing. There is no reason to generate the assembly from .NET. You can use any suitable tool for this. MASM, debug etc.
AFAIK there is no assembler compiler available as a part of WinAPI. You would have to use some of the 3rd party compilers (and your program would need to redistribute it).
However, you can use ilasm which is a part of .NET framework. (Beware however that it's not an Intel32 compiler, its source is CIL code, so the instructions like xor ebp, ebp wouldn't work.)
Related
I am on a hunt to write a program that will be able to read assembly code from a specified .exe . What i am trying to do is to read the assembly code of a executable, in order to find instructions that i can replace with equivalent instructions, in order to obtain different byte code.
This is generally called a source scrambler / signature scrambler, that modifies assembly code in order to obtain different byte code which results in different signatures.
I was reading about the Assembly class in C# , but did not find anything that could return something like a IEnumerable that contains assembly code from the .exe
Is there anyone that can educate me on this? Is this even possible? Different approaches?
.NET does not really deal with Byte Code. All .NET Programms are turned into somthing called MSIL that is executed by teh .NET Runtime and only then turned into bytecode. The whole process is very similar to how JavaBytecode works.
As a result you get full access to the names of anything. You can even use .NEt Executeables like a .DLL file. But replacing stuff is not easy, outside of inheritance or replacing of the files.
The kind of bitwise manipulation you propably need, requires working with naked pointers. And the .NET Developers went out of their way so you would no ever have to use naked Pointers. You can still use them using Unsface code, but as this sounds like the primary use of your programm you are propably better of starting with something like native C++ instead. Really anything taht uses naked pointers as default, rather then a fallback.
I`ve being playing around with reversing of some obfuscated code out there and I have stumbled upon one tricky DLL that had a "method body" (IL code) in a byte[] array and was later on invoking it with dynamic invoke. Is analyzing MSIL the only way here?
How do you handle those?
I`ve spent hours researching online for tooling that would allow me to generate C# code (at least some basics) from IL in byte array. Is there truly none?
ldarg.0
ldarg.1
add
Would be great if something existed out there, that could with some basic MSIL like above would generate a + b.
MZ64, hello and welcome to SO!
Unfortunately what you're asking is a decompiler service/API/tool and that is simply not built into .NET framework. You may want to check various third party solution for this.
Back in the days, .NET Reflector was #1 tool used for that. Today there are various tools, notably dotPeek - and Reflector should still be around. You will have to pay some money for most of them, but you may find a good free tool (I tried and failed).
However, if you want to take the IL code as plain text and just try to run it, then you should use built-in ILGenerator.Emit(). Easiest way I can think of should be to map your plain text to OpCode/variables, and emit your IL line by line. I don't know if it helps but in theory it should be possible.
Look here for an example:
https://learn.microsoft.com/en-us/dotnet/framework/reflection-and-codedom/how-to-define-and-execute-dynamic-methods
I have a nice .net assembly of core matlab functions, created of course with the matlab compiler. For functions that accept numbers or arrays of numbers, this is fine; I can write code in c# without having to revert to matlab (well, the RCM has to be installed; that’s fine).
For functions that must reference other functions, however, the only way I can find so far to get a c# programme going is to compile both functions into the assembly. To explain better, let’s say I have a library in which I’ve stored the ode45 routine. If I want to solve a specific equation, let’s say something simple like dy/dx = -y, then I have to create a matlab script file which may be written as follows:
function dydx = diffeq(x, y)
dydx = -y
[obviously the analytical solution exists, but for the sake of this example let’s say I want to solve it this way]
Now in order to solve this equation, I would have to add this function as a method in my class to be compiled into the .net assembly. This of course ruins the generality of my library; I want application-specific equations in a different library to my core math function library. That is, the ODE45 method should reside in a “more core” library than the library in which the “diffeq” method would reside.
More than that, I would much prefer to create the “diffeq” method in a c# class that I can edit directly in e.g. VS2012. I would like to edit the equation directly rather than having to enter matlab each time and recompile an assembly.
To solve this problem, I have gone to the extent of decompiling the assembly which contains both the ode45 code and my differential equation method; it turns out the assembly is nothing but an interface to the MCR; the diffeq methods in the assembly return something like the following:
return mcr.EvaluateFunction(numArgsOut, “diffeq”, new object[0]);
We note that the function/method “diffeq” is not part of the MCR; MCR does not change. However, I can’t find the equation anywhere in the assembly.
Which begs the question “Dude, where’s my function?”
There is a ‘resources’ component of the assembly in which we find [classname].ctf, and in that we’ll find some machine code. This looks encrypted, but the equation might be hidden in there. If so, that would be a deliberate attempt to prevent when I am attempting, and kudos to MathWorks for making it impossible for me to avoid having to enter the matlab application!
However, there doesn’t seem to be anything in licensing to prevent what I want to do; I think it would be great if mathworks would allow as open an approach as that, but in the interrim, does anyone know how to do this?
The "MATLAB Compiler" has a somewhat misleading name. It is more of a deployment solution than a compiler in the actual sense (see note below). It is mainly intended to distribute MATLAB applications to end-users without requiring a full MATLAB installation on their part (only the royalty-free MCR runtime needs to be installed).
The MCR is in fact a stripped-down version of the MATLAB engine along with accompanying libraries.
When you use MATLAB Compiler to generate a binary package, the result is a target-specific wrapper (be it a standalone application, C/C++ shared library, Java package, or a .NET assembly) that calls the MCR runtime. The binary generated includes an embedded CTF archive containing all the original MATLAB content (your M-files and other dependencies) but in an encrypted form. When first executed, the CTF archive is extracted to a temp folder, and the M-files (still encrypted) are then interpreted by the MCR at runtime like typical MATLAB code.
There is an option in deploytool (mcc -C) to tell the compiler not to embed the CTF archive inside the binary as a resource, instead to place it as a seperate file next to the generated binary (this CTF archive can be inspected as a regular ZIP-file, but the source files inside are still encrypted of course).
See the following documentation page for more information:
Application Deployment Products and the Compiler Apps
PS: The truth is MATLAB Compiler started out as a product to convert MATLAB code into full C/C++ code which used the now discontinued "MATLAB C/C++ Math Library" (no runtime requirement, you just compile the generated C++ code and link to certain shared libraries; the result is a true compiled executable not a wrapper). This functionality completely changed around the time MATLAB 7 was released (the reason being that the old way only supported a subset of the MATLAB language, while using the current MCR mechanism enables deploying almost any code). Years later, MATLAB added a new product to replace the once-removed functionality of code translation, namely the MATLAB Coder.
How do you extract an RT_RCDATA section from a Win32 executable (preferably in C#)?
The only way I know how to do this currently is opening up the EXE in Visual Studio. I'd love to be able to do this entirely in C# if possible.
Thanks!
P/Invoke LoadResource will be your safest bet.
Otherwise you'll have to write your own P/E processor eg. PE Processor example. The processor isn't the end of the world, but as you can see much more involved than a P/Invoke.
Almost forgot,as far as tools go, most P/E browsers will do this for you. Eg. P/E Explorer, which is available but not really being developed. I've also used IDA Pro for stuff like this. A quick IDA plugin would do this easily.
I assume that you are trying to read a resource of type RCDATA from an executable (be aware that "executable section" means a different thing - it refers to the .text, .data, .rdata, etc parts of the PE file). If you want to read it from the current assembly, here is a tutorial showing how: Accessing Embedded Resources using GetManifestResourceStream, using the GetManifestResourceNames and GetManifestResourceStream methods.
If you don't want to read it from the current executable, you can use a method similar to the one shown here.
These methods have the advantage over PInvoke that they are 100% .NET and you don't have to fiddle with marshaling the arguments to/from platform data types and making sure that you validated all the return values.
Is there such a thing as an x86 assembler that I can call through C#? I want to be able to pass x86 instructions as a string and get a byte array back. If one doesn't exist, how can I make my own?
To be clear - I don't want to call assembly code from C# - I just want to be able to assemble code from instructions and get the machine code in a byte array.
I'll be injecting this code (which will be generated on the fly) to inject into another process altogether.
As part of some early prototyping I did on a personal project, I wrote quite a bit of code to do something like this. It doesn't take strings -- x86 opcodes are methods on an X86Writer class. Its not documented at all, and has nowhere near complete coverage, but if it would be of interest, I would be willing to open-source it under the New BSD license.
UPDATE:
Ok, I've created that project -- Managed.X86
See this project:
https://github.com/ZenLulz/MemorySharp
This project wraps the FASM assembler, which is written in assembly and as a compiled as Microsoft coff object, wrapped by a C++ project, and then again wrapped in C#. This can do exactly what you want: given a string of x86/x64 assembly, this will produce the bytes needed.
If you require the opposite, there is a port of the Udis86 disassembler, fully ported to C#, here:
https://github.com/spazzarama/SharpDisasm
This will convert an array of bytes into the instruction strings for x86/x64
Take a look at Phoenix from Microsoft Research.
Cosmos also has some interesting support for generating x86 code:
http://www.gocosmos.org/blog/20080428.en.aspx
Not directly from C# you can't. However, you could potentially write your own wrapper class that uses an external assembler to compile code. So, you would potentially write the assembly out to a file, use the .NET Framework to spin up a new process that executes the assembler program, and then use System.IO to open up the generated file by the assembler to pull out the byte stream.
However, even if you do all that, I would be highly surprised if you don't then run into security issues. Injecting executable code into a completely different process is becoming less and less possible with each new OS. With Vista, I believe you would definitely get denied. And even in XP, I think you would get an access denied exception when trying to write into memory of another process.
Of course, that raises the question of why you are needing to do this. Surely there's got to be a better way :).
Take a look at this: CodeProject: Using unmanaged code and assembly in C#.
I think you would be best off writing a native Win32 dll. You can then write a function in assembler that is exported from the dll. You can then use C# to dynamically link to the dll.
This is not quite the same as passing in a string and returning a byte array. To do this you would need an x86 assembler component, or a wrapper around masm.exe.
i don't know if this is how it works but you could just shellexecute an external compiler then loading the object generated in your byte array.