VERSION 1.0 CLASS | |
BEGIN | |
MultiUse = -1 'True | |
Persistable = 0 'NotPersistable | |
DataBindingBehavior = 0 'vbNone | |
DataSourceBehavior = 0 'vbNone | |
MTSTransactionMode = 0 'NotAnMTSObject | |
END | |
Attribute VB_Name = "CDisassembler" | |
Attribute VB_GlobalNameSpace = False | |
Attribute VB_Creatable = True | |
Attribute VB_PredeclaredId = False | |
Attribute VB_Exposed = False | |
Option Explicit | |
'Capstone Disassembly Engine bindings for VB6 | |
'Contributed by FireEye FLARE Team | |
'Author: David Zimmer <david.zimmer@fireeye.com>, <dzzie@yahoo.com> | |
'License: Apache | |
'Copyright: FireEye 2017 | |
'NOTE: the VB code was built and tested against Capstone v3.0 rc4 | |
' if the capstone C structures change, the VB code will have to | |
' be adjusted to match! | |
' | |
' instruction details are currently only implemented for x86
'Architecture and mode most recently passed to init.
Public arch As cs_arch | |
Public mode As cs_mode | |
'Engine handle produced by cs_open in init; 0 until init succeeds.
'It is handed to cs_disasm and cs_close.
Public hCapstone As Long | |
'Module handle of vbCapstone.dll as resolved by init (GetModuleHandle,
'CheckPath or LoadLibrary); 0 when the shim could not be loaded.
Public hLib As Long | |
'"major.minor" string built in init from vMajor and vMinor.
Public version As String | |
'Version numbers filled in by cs_version during init.
Public vMajor As Long | |
Public vMinor As Long | |
'Human-readable description of a failure, written by init, disasm and CheckPath.
Public errMsg As String | |
'Last cs_err value returned by cs_open (init) or cs_close (Class_Terminate).
Public lastErr As cs_err | |
Private Function CheckPath(pth As String) As Long
    'Probe one candidate directory for the native libraries.
    '
    ' pth     - directory to look in; "\vbCapstone.dll" and "\capstone.dll"
    '           are appended to it as given.
    ' returns - module handle of vbCapstone.dll, or 0 when the shim is not
    '           present in pth or could not be loaded.
    '
    'capstone.dll is loaded first, before the shim is loaded.
    'The handle returned for capstone.dll is intentionally not kept.
    '
    'NOTE(review): when capstone.dll is not found next to the shim, the
    'fallback LoadLibrary("capstone.dll") passes a bare file name, so the DLL
    'is resolved through the process's default DLL search order rather than
    'from a fixed directory. Deploy both DLLs side by side in a directory
    'that only trusted users can write to, so the fallback is never needed.
    Dim shimFile As String
    Dim engineFile As String
    Dim hEngine As Long

    shimFile = pth & "\vbCapstone.dll"
    engineFile = pth & "\capstone.dll"

    If FileExists(shimFile) Then
        hEngine = LoadLibrary(engineFile)
        If hEngine = 0 Then
            hEngine = LoadLibrary("capstone.dll")
            If hEngine = 0 Then errMsg = "Could not find capstone.dll"
        End If

        'a result of 0 here means the shim itself failed to load;
        'Err.LastDllError holds the Win32 error code in that case
        CheckPath = LoadLibrary(shimFile)
    End If
End Function
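Public Function init(arch As cs_arch, mode As cs_mode, Optional enableDetails As Boolean = False) As Boolean
    'Load the native libraries and open a Capstone engine handle.
    '
    ' arch          - architecture to disassemble for
    ' mode          - mode flags for that architecture
    ' enableDetails - turn on CS_OPT_DETAIL; honoured only for CS_ARCH_X86,
    '                 silently ignored for every other architecture
    ' returns       - True on success. On failure returns False and errMsg
    '                 (and lastErr, for a cs_open failure) describe why.
    '
    'Library resolution order: an already-loaded vbCapstone.dll, then
    'App.path\bin, App.path, the parent of App.path, and finally a bare-name
    'LoadLibrary("vbCapstone.dll").
    '
    'NOTE(review): the parent-directory probe and the bare-name fallback load
    'code from locations outside the application's own folder (the fallback
    'uses the process's default DLL search order). Make sure none of those
    'locations is writable by untrusted users, or drop the probes that a
    'given deployment does not need.
    Dim handle As Long 'in vb class a public var is actually a property get/set can not use as byref to api..
    Dim oldHandle As Long

    errMsg = Empty

    hLib = GetModuleHandle("vbCapstone.dll")
    If hLib = 0 Then hLib = CheckPath(App.path & "\bin\")
    If hLib = 0 Then hLib = CheckPath(App.path & "\")
    If hLib = 0 Then hLib = CheckPath(App.path & "\..\")
    If hLib = 0 Then hLib = LoadLibrary("vbCapstone.dll")

    If hLib = 0 Then
        errMsg = errMsg & " Could not load vbCapstone.dll"
        Exit Function
    End If

    'a failed probe in CheckPath may have left a message behind even though a
    'later location succeeded; do not report it alongside a successful init
    errMsg = Empty

    'calling init a second time used to overwrite hCapstone and leak the
    'engine handle opened by the first call; release it before reopening
    If hCapstone <> 0 Then
        oldHandle = hCapstone
        lastErr = cs_close(oldHandle)
        hCapstone = 0
    End If

    Me.arch = arch
    Me.mode = mode

    cs_version vMajor, vMinor
    version = vMajor & "." & vMinor

    If cs_support(arch) = 0 Then
        errMsg = "specified architecture not supported"
        Exit Function
    End If

    lastErr = cs_open(arch, mode, handle)
    If lastErr <> CS_ERR_OK Then
        errMsg = err2str(lastErr)
        Exit Function
    End If

    hCapstone = handle

    If enableDetails Then 'vb bindings currently only support details for x86
        If arch = CS_ARCH_X86 Then
            'NOTE(review): the outcome of cs_option is not checked here
            cs_option handle, CS_OPT_DETAIL, CS_OPT_ON
        End If
    End If

    init = True
End Function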
'base is a variant and currently accepts the following input types: | |
' x64 number held as currency type (ex. makeCur(&haabbccdd, &h11223344) ) | |
' int/long value (ex. &h1000 or 12345) | |
' numeric string or 0x/&h prefixed hex string (ex. "12345", "0x1200", "&haabbccdd") | |
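Function disasm(ByVal base, code() As Byte, Optional count As Long = 0) As Collection
    'Disassemble the bytes in code() and return them as CInstruction objects.
    '
    ' base    - address assigned to the first byte; Currency, int/long, or a
    '           numeric / 0x / &h prefixed string
    ' code    - bytes to disassemble; must be an allocated, non-empty array
    ' count   - passed through to cs_disasm unchanged
    ' returns - a Collection of CInstruction (never Nothing); it is empty when
    '           nothing was decoded or when an argument was rejected, in
    '           which case errMsg says why.
    '
    'The byte buffer usually comes from an untrusted sample, so the pointer
    'and length handed to the native library are both taken from the array's
    'real bounds instead of assuming a zero-based array.
    Dim c As Long
    Dim instAry As Long
    Dim ret As New Collection
    Dim ci As CInstruction
    Dim i As Long
    Dim address As Currency
    Dim firstIdx As Long
    Dim codeLen As Long

    'errors are suppressed for the whole routine; each risky step below is
    'followed by an explicit Err.Number check where the result matters
    On Error Resume Next

    Set disasm = ret

    'without an engine handle there is nothing to call into
    If hCapstone = 0 Then
        errMsg = "Capstone engine not initialized"
        Exit Function
    End If

    'LBound/UBound raise on an unallocated dynamic array; that lands in Err
    firstIdx = LBound(code)
    codeLen = UBound(code) - firstIdx + 1
    If Err.Number <> 0 Or codeLen <= 0 Then
        errMsg = "Code buffer is empty or not allocated"
        Exit Function
    End If

    If TypeName(base) = "Currency" Then
        address = base
    Else
        'accept "0X" as well as "0x" for hex strings
        If TypeName(base) = "String" Then base = Replace(Trim(base), "0x", "&h", , , vbTextCompare)
        address = lng2Cur(CLng(base))
        If Err.Number <> 0 Then
            errMsg = "Could not convert base address to long"
            Exit Function
        End If
    End If

    c = cs_disasm(hCapstone, code(firstIdx), codeLen, address, count, instAry)
    If Err.Number <> 0 Then
        errMsg = "cs_disasm call failed: " & Err.Description
        Exit Function
    End If
    If c = 0 Then Exit Function

    'copy every native record into a VB object before the array is freed;
    'a failure inside LoadInstruction is suppressed and the object is still added
    For i = 0 To c - 1
        Set ci = New CInstruction
        ci.LoadInstruction instAry, i, Me
        ret.Add ci
    Next

    'the instruction array is owned by the native library and must be released
    cs_free instAry, c
End Function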
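Private Sub Class_Terminate()
    'Release the Capstone engine handle when the object is destroyed.
    '
    'The handle used to be closed only when DEBUG_DUMP was set, so every
    'instance leaked its engine handle in a normal build. It is now always
    'closed; only the trace output remains conditional.
    Dim msg As String
    Dim handle As Long

    If DEBUG_DUMP Then msg = "CDissembler.Terminate " & Hex(hCapstone)

    If hCapstone <> 0 Then
        'NOTE(review): cs_close's Declare is not visible here; a local copy is
        'passed so the call works whether the argument is ByRef or ByVal
        handle = hCapstone
        lastErr = cs_close(handle)
        hCapstone = 0
    End If

    If DEBUG_DUMP Then Debug.Print msg & " : " & lastErr
End Sub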