Rust Lab
All articles
A Binary Disassembler in Rust
Patterns & Architecture

A Binary Disassembler in Rust

Disassemblers are tools that translate machine code back into assembly language, providing insights into the inner workings of compiled…

By Luis SoaresJanuary 26, 2024Original on Medium

Disassemblers are tools that translate machine code back into assembly language, providing insights into the inner workings of compiled programs.

Today, let’s delve into the construction of a disassembler in Rust, leveraging the capabilities of the Capstone disassembly framework through the capstone crate.

Key Concepts

Disassembly

Disassembly is the process of converting machine code, the binary instructions that a computer directly executes, back into a human-readable assembly language. This process is crucial for reverse engineering, debugging, and understanding the low-level operations of software.

Assembly Language

Assembly language is a low-level programming language that closely represents the machine code instructions of a computer architecture. It provides mnemonics for operations (e.g., MOV, ADD, JMP) and is specific to a particular processor architecture (e.g., x86, ARM).

Capstone Disassembly Framework

Capstone is a lightweight, multi-platform, multi-architecture disassembly framework. It offers bindings for various programming languages, including Rust, making it accessible for a wide range of applications.

Capstone supports numerous architectures, such as x86, ARM, MIPS, and PowerPC, and provides detailed disassembly information, making it a versatile tool for building disassemblers.

Background on Capstone

Developed with reverse engineering and binary analysis in mind, Capstone provides a rich set of features:

  • Multi-architecture Support: Capstone can disassemble binary code for various architectures, making it highly versatile.
  • Detailed Instruction Decoding: It provides extensive details about disassembled instructions, including operands, instruction groups, and CPU flags affected.
  • Flexible Disassembly Modes: Capstone supports different disassembly modes, such as 16-bit, 32-bit, and 64-bit, accommodating various application needs.
  • Customizable Syntax: The output assembly syntax (e.g., Intel, AT&T) can be tailored to user preferences.

Core Components

  1. Engine: The Capstone engine is the primary component responsible for the disassembly process. It is initialized with specific parameters such as the target CPU architecture and mode (e.g., 32-bit, 64-bit). The engine is highly configurable, allowing users to set options like syntax (e.g., Intel, AT&T), detail level, and custom instruction boundaries.
  2. Decoders: For each supported architecture (e.g., x86, ARM, MIPS), Capstone has a dedicated decoder. These decoders are responsible for parsing the binary machine code and translating it into an intermediate representation (IR). The IR abstracts the machine code into a form that Capstone’s engine can analyze and process further.
  3. Instruction Set: Capstone includes comprehensive instruction sets for each supported architecture. These instruction sets define the properties and behaviors of each instruction, including operands, instruction groups (e.g., jump, call, return), and affected flags. This information is crucial for accurately disassembling and interpreting machine code.
  4. Syntax Converters: Capstone supports multiple assembly syntaxes, such as Intel and AT&T for x86 architecture. Syntax converters take the disassembled instructions from the IR and format them according to the selected syntax, making the output customizable to the user’s preferences.
  5. Detail API: When detail mode is enabled, Capstone provides extensive information about each disassembled instruction, including operands, instruction groups, CPU flags affected, and more. This detailed information is gathered from the instruction’s metadata and the architecture-specific details encoded in the machine code.

At a low level, Capstone performs numerous binary and bitwise operations to decode machine code. It handles various encoding schemes, opcode tables, and CPU-specific quirks. The framework meticulously manages endianness, instruction prefixes (e.g., operand-size override, address-size override in x86), and conditional code execution (e.g., ARM’s condition flags) to ensure accurate disassembly.

Building a Simple Disassembler

Step 1: Initialize Your Rust Project

Create a New Project: Open a terminal and run the following command to create a new Rust project:

cargo new rust_disassembler

Step 2: Add Dependencies

Open the Cargo.toml file located in your project directory and add the capstone and clap crates to your dependencies section:

[dependencies]
capstone = "0.10.0"  # Use the latest version available on crates.io
clap = "3.1.18"       # Adjust to the latest version as needed

Step 3: Set Up Command-Line Argument Parsing

Open the src/main.rs file and set up the clap crate to handle command-line arguments. For now, include an argument for the binary file path:

use clap::{App, Arg};

Practice what you learned

Reinforce this article with hands-on coding exercises and AI-powered feedback.

Model a Shape HierarchyBeginnerModel a Shape HierarchyBeginnerModel a Shape HierarchyBeginner
View all exercises

fn main() { let matches = Command::new("Rust Disassembler") .version("1.0") .author("Your Name your_email@example.com") .about("Disassembles binary files") .arg(Arg::new("FILE") .help("Sets the input file to use") .required(true) .index(1)) .get_matches(); let file_path = matches.get_one::<String>("FILE").expect("FILE is required"); let binary_data = read_binary_file(file_path).expect("Failed to read binary file"); // Placeholder for further steps }


### Step 4: Implement Binary File Reading

Extend `main.rs` to include a function that reads the specified binary file into a byte vector:

```rust
use std::fs::File;
use std::io::{self, Read};
use std::path::Path;

fn read_binary_file<P: AsRef<Path>>(path: P) -> io::Result<Vec<u8>> {
    let mut file = File::open(path)?;
    let mut buffer = Vec::new();
    file.read_to_end(&mut buffer)?;
    Ok(buffer)
}

Step 5: Initialize Capstone for Disassembly

Import Capstone in main.rs and set up the disassembly engine. This example uses the x86_64 architecture, but you can modify it for other architectures:

use capstone::prelude::*;

fn disassemble(code: &[u8]) {
    let cs = Capstone::new()
        .x86()
        .mode(arch::x86::ArchMode::Mode64)
        .syntax(arch::x86::ArchSyntax::Intel)
        .detail(true)  // Enable detailed disassembly
        .build()
        .expect("Failed to create Capstone disassembler");
    let insns = cs.disasm_all(code, 0x1000).expect("Failed to disassemble");  // Assuming 0x1000 as the base address
    for insn in insns.iter() {
        println!("0x{:x}: {:6} {}", insn.address(), insn.mnemonic().unwrap_or(""), insn.op_str().unwrap_or(""));
        // Placeholder for detailed output
    }
}

In the main function, read the binary file and pass its contents to the disassemble function:

// Inside main()
let binary_data = read_binary_file(file_path).expect("Failed to read binary file");
disassemble(&binary_data);

Step 6: Enhance Output with Capstone’s Detail API

Modify the disassemble function to include detailed information about each instruction, such as registers read and written:

// Inside the disassemble() function, after printing basic instruction info
if let Ok(detail) = cs.insn_detail(&insn) {
    println!("    Bytes: {:?}", insn.bytes());
    println!("    Read regs: {:?}", detail.regs_read());
    println!("    Write regs: {:?}", detail.regs_write());
    // Expand this section to include more details as needed
}

Step 7: Compile and Run Your Disassembler

Compile your project using Cargo:

cargo build

Execute your disassembler, providing the path to a binary file as an argument:

cargo run -- /path/to/your/binary/file

Advanced Usage

Handling Multiple Architectures

Capstone’s architecture-agnostic design allows for easy extension to other CPU architectures. You can abstract the initialization process into a function that takes an architecture parameter and returns a configured Capstone instance.

Analyzing Instruction Details

Capstone’s detailed mode enables access to a wealth of information about each instruction, such as operands, instruction groups, and affected CPU flags. Utilize the insn.detail() method to explore this data.

Custom Syntax and Modes

Adjust the disassembly syntax and mode to fit your needs. Capstone supports various syntax styles (e.g., Intel, AT&T) and modes (e.g., 16-bit, 32-bit) that can be configured during the initialization of the Capstone instance.

You can read all about the Capstone Disassembly Framework on its documentation.

Practice what you learned

Reinforce this article with hands-on coding exercises and AI-powered feedback.

Model a Shape HierarchyBeginnerModel a Shape HierarchyBeginnerModel a Shape HierarchyBeginner
View all exercises

Go deeper with these books

Written by the author of these articles — take your Rust skills to the next level.

From OOP to Idiomatic Rust cover
From OOP to Idiomatic RustA Mental Model Shift for Experienced Developers
Hands-On Rust Ownership cover
Hands-On Rust OwnershipFrom Basics to Real-World Projects
Rust Book BundleSave 37%
Both Rust books as PDFs for €25 €40
Browse all books

Want to practice Rust hands-on?

Go beyond reading — solve interactive exercises with AI-powered code review on Rust Lab.