Which ARM64 disassembler engine best to use in a driver?

DavidXanatos · #1 04-04-2022, 04:24

I'm porting a driver over to ARM64, that driver relays crucially on some un-exported kernel symbols,
it currently finds in exported functions the required addresses, in x86/x64 that's quite nice.
Ho weever the ARM64 ISA seams to be quite a terrible mess in comparison, no way to find there anything "by hand", so to say.
Hence I need a ARM64 disassembler engine that I could use to find what I need,
could anyone here recommend me a reliable lightweight and free ARM64 disassembler engine which I could use?

Cheers
David

evlncrn8 · #2 04-04-2022, 16:47

capstone ?

DavidXanatos · #3 04-04-2022, 23:52

Yea seams not to be soo bad after all, i went with an approach like this:

Code:

    for (i = 0; i < 0x40; i += 4, ptr += 4) {

        union {
            ULONG OP;
            struct {
                ULONG
                    Rd : 5,
                    immHi : 19,
                    op1 : 5,
                    immLo : 2,
                    op2 : 1;
            };
        } ADRP;

        ADRP.OP = *(ULONG*)ptr;

        if (ADRP.op1 == 0b10000 && ADRP.op2 == 0b1 && ADRP.Rd == 8) // adrp x8, #0x575000
        {
            union {
                ULONG OP;
                struct {
                    ULONG
                        Rd : 5,
                        Rn : 5,
                        imm12 : 12,
                        shift : 2,
                        op1 : 5,
                        S : 1,
                        op2 : 1,
                        sf : 1;
                };
            } ADD;

            ADD.OP = *(ULONG*)(ptr + 4);

            if (ADD.sf == 0b1 && ADD.op2 == 0b0 && ADD.S == 0b0 && ADD.op1 == 0b10001 && ADD.shift == 0 && ADD.Rn == 8 && ADD.Rd == 12) // add  x12, x8, #0xf80
            {
                LONG delta = (ADRP.immHi << 2 | ADRP.immLo) << 12;
                delta += ADD.imm12;

                // Note: ADRP clears the lower 12 bits of the PC
                nt = ((ULONG_PTR)ptr & ~0xFFF) + delta;

         
                return (void*)nt;
            }
        }
    }

sh3dow · #4 04-29-2022, 03:56

Capstone would be the most complete, battle proved and standalone disassembler framework that doesn't need to be part of other software to function. it's disassembly/disassembler framework that just works.

Also from its website

Quote:

- Special support for embedding into firmware or OS kernel.

Capstone is designed to be able to easily embed into firmware & OS kernel. The framework can be built to be minimized, and with some special APIs provided by Capstone, the engine can be programmed to use in those special environments. Details are available here.

- reliable [✓]
- lightweight [I don't know, it's it's a framework and support multiple architectures not just ARM64]
- free ARM64 disassembler engine [✓]

Edit:
It look like you can build only selected architectures to suite your need, so lightweight [✓] I guess?
https://www.capstone-engine.org/compile.html

DavidXanatos · #5 04-30-2022, 01:52

For my use it still seam overkill, a small custom approach worked out great, see attachment.

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
Question about PE format (ARM64)	DavidXanatos	General Discussion	0	04-28-2022 01:09
Windows on Arm64, x86/x64 emulation	DavidXanatos	General Discussion	20	04-09-2022 20:02
Basic Disassembler for Delphi port of Micro Length-Disassembler Engine 32	redbull	General Discussion	0	11-04-2005 04:56

The Following 3 Users Say Thank You to DavidXanatos For This Useful Post:
niculaita (04-30-2022), sh3dow (04-30-2022)