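VERSION 1.0 CLASS
BEGIN
  MultiUse = -1  'True
  Persistable = 0  'NotPersistable
  DataBindingBehavior = 0  'vbNone
  DataSourceBehavior  = 0  'vbNone
  MTSTransactionMode  = 0  'NotAnMTSObject
END
Attribute VB_Name = "CDisassembler"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = True
Attribute VB_PredeclaredId = False
Attribute VB_Exposed = False
Option Explicit

'Capstone Disassembly Engine bindings for VB6
'Contributed by FireEye FLARE Team
'Author:  David Zimmer <[email protected]>, <[email protected]>
'License: Apache
'Copyright: FireEye 2017


'NOTE: the VB code was built and tested against Capstone v3.0 rc4
'      if the capstone C structures change, the VB code will have to
'      be adjusted to match!
'
'      instructions details are currently only implemented for x86

'Architecture and mode most recently passed to init.
Public arch As cs_arch
Public mode As cs_mode

'hCapstone: handle filled in by cs_open (0 while no engine is open).
'hLib:      module handle of vbCapstone.dll (0 while not loaded).
Public hCapstone As Long
Public hLib As Long

'Capstone version as reported by cs_version; version is "major.minor".
Public version As String
Public vMajor As Long
Public vMinor As Long

'errMsg:  human readable reason for the last failure.
'lastErr: last cs_err value returned by cs_open / cs_close.
Public errMsg As String
Public lastErr As cs_err

'Try to load capstone.dll and the vbCapstone.dll shim from the folder pth.
'
'Returns the module handle LoadLibrary gives for pth\vbCapstone.dll, or 0 when
'the shim file does not exist in pth or could not be loaded. A missing
'capstone.dll is only recorded in errMsg; the shim load is still attempted.
'
'init passes folders that already end in "\", so the joined paths contain a
'doubled separator; this is left unchanged (presumably tolerated by the
'Windows path handling - confirm if the path format is ever tightened).
Private Function CheckPath(pth As String) As Long

    Dim hCap As Long, capPth As String, shimPth As String

    shimPth = pth & "\vbCapstone.dll"
    capPth = pth & "\capstone.dll"

    'only folders that actually contain the shim are considered
    If Not FileExists(shimPth) Then Exit Function

    'load the engine first, from the same folder as the shim when possible
    hCap = LoadLibrary(capPth)

    'NOTE(review): a bare file name makes LoadLibrary resolve the DLL through
    'the Windows DLL search order instead of one fixed location. A disassembler
    'is often run next to untrusted files, so a capstone.dll found elsewhere on
    'that search order would be loaded into this process. Ship capstone.dll
    'beside vbCapstone.dll so the full path load above succeeds and this
    'fallback is never reached.
    If hCap = 0 Then hCap = LoadLibrary("capstone.dll")
    If hCap = 0 Then errMsg = "Could not find capstone.dll"

    CheckPath = LoadLibrary(shimPth)
    'If CheckPath = 0 Then MsgBox Err.LastDllError

End Function

'Close the open Capstone handle, if any, and reset hCapstone to 0.
'The result of cs_close is stored in lastErr.
Private Sub ReleaseCapstoneHandle()

    Dim handle As Long 'local copy: a public class var can not be handed to the api byref

    If hCapstone = 0 Then Exit Sub

    handle = hCapstone
    lastErr = cs_close(handle)
    hCapstone = 0

End Sub

'Load the native libraries and open a Capstone handle for arch / mode.
'
'  arch, mode     passed to cs_support and cs_open, and stored on the object
'  enableDetails  turns on CS_OPT_DETAIL, honoured for CS_ARCH_X86 only
'
'Returns True on success. On failure returns False with errMsg set (and
'lastErr when cs_open was the call that failed).
Public Function init(arch As cs_arch, mode As cs_mode, Optional enableDetails As Boolean = False) As Boolean

    errMsg = Empty

    'reuse the shim if it is already mapped into this process
    hLib = GetModuleHandle("vbCapstone.dll")

    'otherwise probe the folders around the application
    If hLib = 0 Then hLib = CheckPath(App.path & "\bin\")
    If hLib = 0 Then hLib = CheckPath(App.path & "\")
    If hLib = 0 Then hLib = CheckPath(App.path & "\..\")

    'NOTE(review): last resort is a bare name load, which goes through the
    'Windows DLL search order. Same concern as for capstone.dll in CheckPath:
    'keep the shim in one of the application folders probed above so this
    'line is not relied on.
    If hLib = 0 Then hLib = LoadLibrary("vbCapstone.dll")

    If hLib = 0 Then
        errMsg = errMsg & " Could not load vbCapstone.dll"
        Exit Function
    End If

    Me.arch = arch
    Me.mode = mode

    cs_version vMajor, vMinor
    version = vMajor & "." & vMinor

    If cs_support(arch) = 0 Then
        errMsg = "specified architecture not supported"
        Exit Function
    End If

    'a second init on the same object used to overwrite hCapstone and leak
    'the handle opened by the first call; close it before opening a new one
    ReleaseCapstoneHandle

    Dim handle As Long 'in vb class a public var is actually a property get/set can not use as byref to api..
    lastErr = cs_open(arch, mode, handle)
    If lastErr <> CS_ERR_OK Then
        errMsg = err2str(lastErr)
        Exit Function
    End If

    hCapstone = handle
    If enableDetails Then 'vb bindings currently only support details for x86
        If arch = CS_ARCH_X86 Then
            cs_option handle, CS_OPT_DETAIL, CS_OPT_ON
        End If
    End If

    init = True

End Function

'Disassemble the bytes in code() and return a Collection of CInstruction.
'
'base is a variant and currently accepts the following input types:
'  x64 number held as currency type (ex. makeCur(&haabbccdd, &h11223344) )
'  int/long value (ex. &h1000 or 12345)
'  numeric string or 0x/&h prefixed hex string (ex. "12345", "0x1200", "&haabbccdd")
'
'Anything that is not a Currency goes through CLng, so such a base is limited
'to the range of a Long. The "0x" prefix is matched without regard to case.
'
'count is handed to cs_disasm unchanged (in the Capstone API 0 asks for every
'instruction in the buffer).
'
'The returned collection is empty when the base could not be converted
'(errMsg is set) or when cs_disasm reports 0 instructions. On Error Resume
'Next stays active for the whole function, so a run time error raised while
'reading code() (for example an unallocated array) also ends in an empty
'collection, without errMsg being set. The length passed to cs_disasm is
'UBound(code) + 1, which assumes code() is zero based.
Function disasm(ByVal base, code() As Byte, Optional count As Long = 0) As Collection

    Dim c As Long
    Dim instAry As Long
    Dim ret As New Collection
    Dim ci As CInstruction
    Dim i As Long
    Dim address As Currency

    On Error Resume Next

    'hand back the (so far empty) collection on every exit path
    Set disasm = ret

    If TypeName(base) = "Currency" Then
        address = base
    Else
        'vb only understands the &h prefix; accept 0x and 0X as well
        If TypeName(base) = "String" Then base = Replace(Trim(base), "0x", "&h", , , vbTextCompare)
        address = lng2Cur(CLng(base))
        If Err.Number <> 0 Then
            errMsg = "Could not convert base address to long"
            Exit Function
        End If
    End If

    c = cs_disasm(Me.hCapstone, code(0), UBound(code) + 1, address, count, instAry)
    If c = 0 Then Exit Function

    'wrap each native instruction record before the native array is released
    For i = 0 To c - 1
        Set ci = New CInstruction
        ci.LoadInstruction instAry, i, Me
        ret.Add ci
    Next

    cs_free instAry, c

End Function


'Release the Capstone handle when the object goes away.
'
'cs_close used to sit inside the DEBUG_DUMP branch, so the handle was only
'closed in debug runs and leaked otherwise. The handle is now always closed;
'only the trace output depends on DEBUG_DUMP.
Private Sub Class_Terminate()
    Dim msg As String

    If DEBUG_DUMP Then msg = "CDissembler.Terminate " & Hex(hCapstone)

    ReleaseCapstoneHandle

    If DEBUG_DUMP Then Debug.Print msg & " : " & lastErr
End Sub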