A lightweight, high-performance x86/x64 disassembly engine supporting both Windows kernel mode and user mode.

## Features

- Dual Mode Support: works in both Windows kernel mode (driver) and user mode
- Complete Instruction Set: supports the x86/x64 instruction set including SSE/AVX
- Cross-Reference Analysis: tracks jumps, calls, and conditional branches
- Multiple Syntaxes: Intel and AT&T syntax
- High Performance: optimized decoder with instruction caching
- Zero Dependencies: self-contained, no external libraries required
## Requirements

### User Mode

- Visual Studio 2022 or later
- Windows SDK 10.0.26100.0 or later
- Platform Toolset: v143

### Kernel Mode

- Visual Studio 2022 or later
- Windows SDK 10.0.26100.0 or later
- Windows Driver Kit (WDK) 10.0.26100.0 or later
- Platform Toolset: WindowsKernelModeDriver10.0
## Quick Start

### User Mode

```c
#include <stdio.h>
#include "DisasmEngine.h"

int main(void) {
    // Create engine with default options
    disasm_engine_opts_t opts = disasm_engine_opts_default();
    disasm_engine_t engine = disasm_engine_create(&opts);

    // Code to disassemble
    disasm_u8 code[] = {0x48, 0x89, 0x5C, 0x24, 0x08}; // mov [rsp+8], rbx
    disasm_inst_t inst;

    // Disassemble one instruction; the engine reads at most sizeof(code) bytes
    disasm_status_t status = disasm_disassemble(
        engine,
        code,
        sizeof(code),
        0x140001000, // Virtual address of the first byte
        &inst
    );

    if (status == DISASM_STATUS_SUCCESS) {
        char buffer[256];
        disasm_format_instruction(engine, &inst, buffer, sizeof(buffer));
        printf("%s\n", buffer); // Output: mov [rsp+0x8], rbx
    }

    disasm_engine_destroy(engine);
    return 0;
}
```

### Kernel Mode

```c
#include "DisasmEngine.h"
#include "XRef.h"

// Same API works in kernel mode
disasm_engine_opts_t opts = disasm_engine_opts_default();
opts.mode = DISASM_MODE_64BIT; // For x64 kernel
disasm_engine_t engine = disasm_engine_create(&opts);

// Read the SYSCALL entry point from IA32_LSTAR (MSR 0xC0000082).
// Note: when KVA Shadow (the Meltdown mitigation) is enabled, LSTAR points at
// KiSystemCall64Shadow rather than KiSystemCall64. Only pass the engine a
// range you have verified is mapped kernel memory: it reads whatever it is given.
ULONG64 kiSystemCall64 = __readmsr(0xC0000082);

// Analyze with cross-reference tracking
xref_table_t xref_table;
xref_init(&xref_table);

// Disassemble and analyze jumps/calls
// ... (see Driver.c for complete example)

xref_cleanup(&xref_table);
disasm_engine_destroy(engine);
```

## API Reference

### Engine Management

| Function | Description |
|---|---|
| `disasm_version()` | Get version string |
| `disasm_engine_opts_default()` | Get default options |
| `disasm_engine_create()` | Create engine instance |
| `disasm_engine_destroy()` | Destroy engine instance |
| `disasm_engine_set_opts()` | Set engine options |
| `disasm_engine_get_opts()` | Get engine options |
### Disassembly

| Function | Description |
|---|---|
| `disasm_disassemble()` | Disassemble a single instruction |
| `disasm_format_instruction()` | Format an instruction to a string |
| `disasm_one()` | Disassemble and format in one call |
### Cross-Reference

| Function | Description |
|---|---|
| `xref_init()` | Initialize xref table |
| `xref_cleanup()` | Clean up xref table |
| `xref_add()` | Add a cross-reference |
| `xref_analyze_inst()` | Analyze an instruction for jumps/calls |
| `xref_is_target()` | Check whether an address is a jump target |
### Engine Options

```c
typedef struct {
    disasm_arch_mode_t mode;    // DISASM_MODE_32BIT or DISASM_MODE_64BIT
    disasm_syntax_t syntax;     // DISASM_SYNTAX_INTEL or DISASM_SYNTAX_ATT
    disasm_bool showAddress;    // Show instruction address
    disasm_bool showBytes;      // Show machine-code bytes
    disasm_bool uppercase;      // Uppercase mnemonics
    disasm_bool hexPrefix;      // Show 0x prefix on hex values
} disasm_engine_opts_t;         // Defaults come from disasm_engine_opts_default()
```

## Project Structure

```
DisasmRelease/
├── include/               # Header files
│   ├── DisasmEngine.h     # Main API header
│   ├── DisasmTypes.h      # Type definitions
│   ├── Decoder.h          # Decoder interface
│   ├── Formatter.h        # Formatter interface
│   └── XRef.h             # Cross-reference module
├── src/                   # Source files
│   ├── DisasmEngine.c     # Engine implementation
│   ├── DecoderNew.c       # Main decoder
│   ├── Formatter.c        # Instruction formatter
│   └── XRef.c             # Cross-reference analysis
├── DisasmDriver/          # Windows driver example
│   ├── Driver.c           # Driver entry and test
│   └── DisasmDriver.inf
└── DisasmRelease.sln      # Visual Studio solution
```
## Building

### Visual Studio

- Open `DisasmRelease.sln` with Visual Studio 2022
- Select configuration (Debug/Release) and platform (x64)
- Build solution (Ctrl+Shift+B)

### Kernel Driver

- Ensure the Windows Driver Kit (WDK) is installed
- Select the DisasmDriver project in Solution Explorer
- Build the driver project

### Command Line

```bat
REM Open Developer Command Prompt for VS 2022

REM User mode library
msbuild DisasmRelease.sln /p:Configuration=Release /p:Platform=x64

REM Kernel mode driver (requires WDK)
msbuild DisasmRelease.sln /p:Configuration=Release /p:Platform=x64 /t:DisasmDriver
```

## Output Format

```
; FROM: FFFFF8002A208117
    FFFFF8002A208125  48 89 45 B0    mov [rbp-0x50], rax
    FFFFF8002A208129  90             nop
; FROM: FFFFF8002A20812A, FFFFF8002A208135
    FFFFF8002A208140  48 8B 45 B0    mov rax, [rbp-0x50]
```

- `; FROM: address` lists the source addresses that jump or call to the instruction that follows
- Disassembly lines are indented beneath their annotation
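The `; FROM:` lines come from the cross-reference pass: each relative JMP, CALL, Jcc, LOOPcc or JRCXZ the decoder sees is recorded as a (source, target) pair, and when the listing is printed every address is looked up in that table. The following is an added, self-contained C example, not code from this project and not built on the DisasmEngine API, that shows the mechanism end to end on a constructed byte sequence: a minimal length decoder for the few encodings the sample uses (REX prefix, ModRM/SIB for `mov`, `nop`, `ret`, and the rel8/rel32 branch forms), a linear sweep that records branches into a fixed-size table, and a second pass that prints the `; FROM:` annotations. All `demo_` names, the sample bytes and the base address 0x140001000 are made up for the illustration. Two failure modes a real pass must handle are built in: a displacement cut off by the end of the buffer stops the sweep instead of reading past it, and a full table refuses new entries instead of overflowing.

```c
#include <stdint.h>
#include <stdio.h>

/* Cross-reference table: control transfers recorded as (source, destination). */
typedef struct { uint64_t from, to; } demo_xref_t;
#define DEMO_XREF_MAX 64
typedef struct { demo_xref_t e[DEMO_XREF_MAX]; size_t count; } demo_xref_table_t;
static int demo_xref_add(demo_xref_table_t *t, uint64_t from, uint64_t to) {
    if (t->count >= DEMO_XREF_MAX) return 0;            /* table full: refuse, never overflow */
    t->e[t->count].from = from; t->e[t->count].to = to; t->count++; return 1;
}
/* Number of recorded transfers into addr; copies up to max_out sources into out if non-NULL. */
static size_t demo_xref_sources(const demo_xref_table_t *t, uint64_t addr, uint64_t *out, size_t max_out) {
    size_t n = 0;
    for (size_t i = 0; i < t->count; i++)
        if (t->e[i].to == addr) { if (out && n < max_out) out[n] = t->e[i].from; n++; }
    return n;
}

typedef struct { size_t len; int is_branch; uint64_t target; } demo_inst_t;
/* Bytes used by a ModRM operand (ModRM, optional SIB, displacement); 0 if truncated. */
static size_t demo_modrm_len(const uint8_t *p, size_t avail) {
    if (avail < 1) return 0;
    uint8_t mod = p[0] >> 6, rm = p[0] & 7;
    size_t len = 1;
    if (mod != 3 && rm == 4) {                          /* SIB byte follows */
        if (avail < 2) return 0;
        len++;
        if (mod == 0 && (p[1] & 7) == 5) len += 4;      /* SIB with no base register: disp32 */
    }
    if (mod == 1) len += 1;
    else if (mod == 2 || (mod == 0 && rm == 5)) len += 4;   /* disp32 (or RIP-relative) */
    return len <= avail ? len : 0;
}
/* Relative branch: opbytes of opcode, then a relsize-byte signed displacement from the *next* instruction. */
static int demo_rel_branch(demo_inst_t *r, const uint8_t *p, size_t avail, size_t opbytes, size_t relsize, uint64_t addr) {
    size_t total = opbytes + relsize;
    if (total > avail) return 0;                        /* displacement cut off by the buffer end */
    const uint8_t *d = p + opbytes;
    int64_t rel = (relsize == 1) ? (int8_t)d[0]
                : (int32_t)((uint32_t)d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[2] << 16 | (uint32_t)d[3] << 24);
    r->len = total; r->is_branch = 1; r->target = addr + total + (uint64_t)rel;
    return 1;
}
/* Decodes only the encodings the sample needs (x64 mode); len == 0 means unsupported or truncated. */
static demo_inst_t demo_decode(const uint8_t *p, size_t avail, uint64_t addr) {
    demo_inst_t r = {0, 0, 0};
    size_t i = (avail && (p[0] & 0xF0) == 0x40) ? 1 : 0;     /* REX prefix */
    if (i >= avail) return r;
    const uint8_t *q = p + i; size_t left = avail - i; uint8_t op = q[0];
    if (op == 0x90 || op == 0xC3) r.len = 1;                          /* nop, ret */
    else if (op == 0x89 || op == 0x8B) {                              /* mov r/m,r  /  mov r,r/m */
        size_t m = demo_modrm_len(q + 1, left - 1);
        if (m) r.len = 1 + m;
    } else if ((op & 0xF0) == 0x70 || op == 0xEB || (op >= 0xE0 && op <= 0xE3))
        demo_rel_branch(&r, q, left, 1, 1, addr + i);                 /* Jcc/JMP/LOOPcc/JRCXZ rel8 */
    else if (op == 0xE8 || op == 0xE9)
        demo_rel_branch(&r, q, left, 1, 4, addr + i);                 /* CALL/JMP rel32 */
    else if (op == 0x0F && left > 1 && (q[1] & 0xF0) == 0x80)
        demo_rel_branch(&r, q, left, 2, 4, addr + i);                 /* Jcc rel32 */
    if (r.len) r.len += i;
    return r;
}
/* Linear sweep: record every branch/call in t; stop at the first undecodable byte
   instead of reading past the buffer. Returns the number of instructions decoded. */
static size_t demo_sweep(const uint8_t *code, size_t size, uint64_t base, demo_xref_table_t *t) {
    size_t off = 0, n = 0; t->count = 0;
    while (off < size) {
        demo_inst_t in = demo_decode(code + off, size - off, base + off);
        if (in.len == 0) break;
        if (in.is_branch) demo_xref_add(t, base + off, in.target);
        off += in.len; n++;
    }
    return n;
}

/* Constructed sample (not from the project): a forward je, a call, a jmp and a backward jne. */
static const uint8_t demo_code[] = {
    0x48, 0x89, 0x45, 0xB0,                 /* 140001000  mov [rbp-0x50], rax */
    0x74, 0x02,                             /* 140001004  je   140001008 */
    0x90, 0x90,                             /* 140001006  nop   140001007  nop */
    0xE8, 0x03, 0x00, 0x00, 0x00,           /* 140001008  call 140001010 */
    0xEB, 0x01,                             /* 14000100D  jmp  140001010 */
    0xC3,                                   /* 14000100F  ret */
    0x0F, 0x85, 0xF0, 0xFF, 0xFF, 0xFF,     /* 140001010  jne  140001006 */
    0xC3,                                   /* 140001016  ret */
};
static const uint64_t demo_base = 0x140001000ULL;
static size_t demo_sample_inst_count(void) { demo_xref_table_t t; return demo_sweep(demo_code, sizeof demo_code, demo_base, &t); }
static size_t demo_sample_sources_of(uint64_t addr) {    /* transfers landing on addr in the sample */
    demo_xref_table_t t; demo_sweep(demo_code, sizeof demo_code, demo_base, &t);
    return demo_xref_sources(&t, addr, NULL, 0);
}

int main(void) {                                  /* prints the sample as a "; FROM:"-annotated listing */
    demo_xref_table_t t; demo_sweep(demo_code, sizeof demo_code, demo_base, &t);
    for (size_t off = 0; off < sizeof demo_code;) {
        uint64_t addr = demo_base + off, src[8];
        size_t n = demo_xref_sources(&t, addr, src, 8);
        for (size_t k = 0; k < n && k < 8; k++)
            printf("%s %llX%s", k ? "," : "; FROM:", (unsigned long long)src[k], (k + 1 == n || k == 7) ? "\n" : "");
        demo_inst_t in = demo_decode(demo_code + off, sizeof demo_code - off, addr);
        if (!in.len) break;
        printf("    %llX  %u-byte %s\n", (unsigned long long)addr, (unsigned)in.len, in.is_branch ? "branch" : "instruction");
        off += in.len;
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall xref_demo.c` and run: the listing annotates `140001010` with two sources (the `call` and the `jmp`) and `140001006` with one (the backward `jne`). The same bounded-length discipline is what keeps a kernel-mode sweep safe, where the bytes come from a live address such as the one read from IA32_LSTAR and a read past the end of a mapped range is a bug check rather than a decode error.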
## Supported Instructions

- General Purpose: all x86/x64 integer instructions
- Control Transfer: JMP, CALL, RET, Jcc (all conditional jumps)
- Loop: LOOP, LOOPE, LOOPNE, JRCXZ
- SIMD: SSE, SSE2, SSE3, SSSE3, SSE4, AVX, AVX2
- System: SYSENTER, SYSEXIT, SYSCALL, SYSRET
## License

MIT License - see the LICENSE file for details

## Author

wuwowuren

Created for Windows kernel and user mode disassembly needs.