t_netasm

Keeps information about the CIL (.NET) command disassembled by Ndisasm(). Which fields of t_netasm will be filled depends on the parameter mode (combination of flags DA_xxx) passed to Ndisasm().
typedef struct t_netasm {              // Disassembled .NET CIL command
  ulong          ip;                   // Address of first command byte
  ulong          size;                 // Full length of command, bytes
  ulong          cmdtype;              // Type of command, N_xxx
  ulong          cmdsize;              // Size of command, bytes
  ulong          opsize;               // Size of operand, bytes, or 0 if none
  ulong          nswitch;              // Size of following switch table, dwords
  ulong          jmpaddr;              // Single jump/call destination or 0
  ulong          descriptor;           // Descriptor (xx)xxxxxx or 0
  ulong          dataaddr;             // Address of pointed object/data or 0
  int            errors;               // Set of DAE_xxx
  ulong          optype;               // Operand type, set of A_xxx
  wchar_t        optext[TEXTLEN];      // Operand, decoded to text
  wchar_t        dump[TEXTLEN];        // Hex dump of the command
  wchar_t        result[TEXTLEN];      // Fully decoded command as text
  wchar_t        comment[TEXTLEN];     // Comment that applies to whole command
} t_netasm;
Members:
ip
Address of the disassembled CIL command, repeats parameter ip in the call to Ndisasm()
size
Full length of the disassembled command, bytes
cmdtype
Type of the disassembled command as a combination of flags N_xxx:
N_CMDTYPE - mask to extract type of command, one of the following:
  N_CMD - ordinary command (none of listed below)
  N_JMP - unconditional jump
  N_JMC - conditional jump
  N_CALL - call
  N_RET - return (also return from exception)
  N_SWITCH - switch, followed by nswitch cases. Note that in this case jmpaddr is set to 0
  N_PREFIX - prefix, not a standalone command
  N_DATA - decoded as data
  N_BAD - bad or unrecognized command
N_POPMASK - mask to extract number of pops from the stack, one of the following:
  N_POP0 - pops no arguments (default)
  N_POP1 - pops 1 argument
  N_POP2 - pops 2 arguments
  N_POP3 - pops 3 arguments
  N_POPX - pops variable number of arguments
N_PUSHMASK - mask to extract number of arguments pushed into the stack, one of the following:
  N_PUSH0 - pushes no data (default)
  N_PUSH1 - pushes 1 argument
  N_PUSH2 - pushes 2 arguments
  N_PUSHX - pushes 0 or 1 arguments
cmdsize
Size of the command, without operand
opsize
Size of the operand, bytes, or 0 if command contains no operand
nswitch
Number of switch cases that follow command. Each case is 1 doubleword long 0x0F as part of the command
jmpaddr
Single jump or call destination, or 0 if command is neither jump nor call
descriptor
Descriptor in (xx)xxxxxx format
dataaddr
Address of the pointed object or data, or 0 if there is none
errors
List of errors detected by Ndisasm() or DAE_NOERR if no errors were detected. Several flags may be set at once:
DAE_BADCMD - unknown or unrecognized command
DAE_CROSS - command is longer than memory block passed to Ndisasm()
DAE_INTERN - internal error
optype
Type of the operand, a combination of flags A_xxx:
A_ARGMASK - mask to extract type of argument
A_NONE - no operand
A_OFFSET - 32-bit offset from next command
A_BYTEOFFS - 8-bit offset from next command
A_METHOD - 32-bit method descriptor
A_SIGNATURE - 32-bit signature of call types
A_TYPE - 32-bit type descriptor
A_FIELD - 32-bit field descriptor
A_STRING - 32-bit string descriptor
A_TOKEN - 32-bit token descriptor
A_INDEX1 - 8-bit immediate index constant
A_INDEX2 - 16-bit immediate index constant
A_SWCOUNT - 32-bit immediate switch count
A_INT1S - 8-bit immediate signed integer constant
A_INT4 - 32-bit immediate integer constant
A_INT8 - 64-bit immediate integer constant
A_FLOAT4 - 32-bit immediate floating point constant
A_FLOAT8 - 64-bit immediate floating point constant
A_NOLIST - 8-bit list following no. prefix
A_ALIGN - 8-bit alignment following unaligned. command
optext
Operand, decoded as a zero-terminated UNICODE string, filled only if flag DA_TEXT was set
dump
Command dump as a zero-terminated UNICODE string, filled only if flag DA_DUMP was set
result
Disassembled command as a zero-terminated UNICODE string, filled only if flag DA_TEXT was set
comment
Comment or error message as a zero-terminated UNICODE string, filled only if flag DA_OPCOMM was set
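
The following is an added example, not part of the original reference or the OllyDbg SDK. It shows how an analysis plugin could turn the cmdtype, errors, jmpaddr and nswitch members into control-flow and stack-effect facts, rejecting commands the disassembler flagged. The flag values, the trimmed t_netasm stand-in, t_flow and net_flow() are assumptions constructed so the block compiles on its own; a real plugin takes the structure and constants from the SDK header.

```c
#include <stdio.h>

typedef unsigned long ulong;
/* PLACEHOLDER flag values, constructed for this example only; the real
   N_xxx and DAE_xxx constants come from the OllyDbg plugin header. */
enum { N_CMDTYPE = 0x0F, N_CMD = 0, N_JMP, N_JMC, N_CALL, N_RET, N_SWITCH,
       N_PREFIX, N_DATA, N_BAD };
enum { N_POPMASK = 0x70, N_POP0 = 0x00, N_POP1 = 0x10, N_POP2 = 0x20,
       N_POP3 = 0x30, N_POPX = 0x40 };
enum { N_PUSHMASK = 0x300, N_PUSH0 = 0x000, N_PUSH1 = 0x100,
       N_PUSH2 = 0x200, N_PUSHX = 0x300 };
enum { DAE_NOERR = 0 };

/* Trimmed stand-in for t_netasm: only the fields read below. */
typedef struct { ulong ip, cmdtype, nswitch, jmpaddr; int errors; } t_netasm;

typedef struct {
  int   falls_through;  /* Execution may continue with the next command */
  ulong target;         /* jmpaddr, or 0 when there is no single target */
  ulong ncases;         /* Switch cases to read from the table, else 0 */
  int   delta_known;    /* 0 when N_POPX or N_PUSHX makes the effect variable */
  int   delta;          /* Pushes minus pops, valid only if delta_known */
} t_flow;

/* Returns 0 and fills *f, or -1 if the command is flagged with DAE_xxx
   errors, is N_BAD, or was decoded as data rather than as a command. */
int net_flow(const t_netasm *da, t_flow *f) {
  ulong type = da->cmdtype & N_CMDTYPE;
  ulong pop = da->cmdtype & N_POPMASK, push = da->cmdtype & N_PUSHMASK;
  if (da->errors != DAE_NOERR || type == N_BAD || type == N_DATA) return -1;
  f->falls_through = (type != N_JMP && type != N_RET);
  /* N_SWITCH reports jmpaddr = 0; its targets are in the switch table. */
  f->ncases = (type == N_SWITCH) ? da->nswitch : 0;
  f->target = (type == N_JMP || type == N_JMC || type == N_CALL)
                  ? da->jmpaddr : 0;
  f->delta_known = (pop != N_POPX && push != N_PUSHX);
  int pops = pop == N_POP1 ? 1 : pop == N_POP2 ? 2 : pop == N_POP3 ? 3 : 0;
  int pushes = push == N_PUSH1 ? 1 : push == N_PUSH2 ? 2 : 0;
  f->delta = f->delta_known ? pushes - pops : 0;
  return 0;
}

int main(void) {
  /* Constructed sample: conditional jump that pops two values. */
  t_netasm da = { 0x1000, N_JMC | N_POP2 | N_PUSH0, 0, 0x1040, DAE_NOERR };
  t_flow f;
  if (net_flow(&da, &f) == 0)
    printf("target=%#lx fall=%d delta=%d\n", f.target, f.falls_through, f.delta);
  return 0;
}
```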