Keeps information about the CIL (.NET) command disassembled by Ndisasm(). Which fields of t_netasm will be filled depends on the parameter mode (combination of flags DA_xxx) passed to Ndisasm().
typedef struct t_netasm { // Disassembled .NET CIL command
ulong ip; // Address of first command byte
ulong size; // Full length of command, bytes
ulong cmdtype; // Type of command, N_xxx
ulong cmdsize; // Size of command, bytes
ulong opsize; // Size of operand, bytes, or 0 if none
ulong nswitch; // Size of following switch table, dwords
ulong jmpaddr; // Single jump/call destination or 0
ulong descriptor; // Descriptor (xx)xxxxxx or 0
ulong dataaddr; // Address of pointed object/data or 0
int errors; // Set of DAE_xxx
ulong optype; // Operand type, set of A_xxx
wchar_t optext[TEXTLEN]; // Operand, decoded to text
wchar_t dump[TEXTLEN]; // Hex dump of the command
wchar_t result[TEXTLEN]; // Fully decoded command as text
wchar_t comment[TEXTLEN]; // Comment that applies to whole command
} t_netasm;
Members:
ip
Address of the disassembled CIL command, repeats parameter ip in the call to Ndisasm()
size
Full length of the disassembled command, bytes
cmdtype
Type of the disassembled command as a combination of flags N_xxx:
N_CMDTYPE - mask to extract type of command, one of the following:
N_CMD - ordinary command (none of those listed below)
N_JMP - unconditional jump
N_JMC - conditional jump
N_CALL - call
N_RET - return (also return from exception)
N_SWITCH - switch, followed by nswitch cases. Note that in this case jmpaddr is set to 0
N_PREFIX - prefix, not a standalone command
N_DATA - decoded as data
N_BAD - bad or unrecognized command
N_POPMASK - mask to extract number of pops from the stack, one of the following:
N_POP0 - pops no arguments (default)
N_POP1 - pops 1 argument
N_POP2 - pops 2 arguments
N_POP3 - pops 3 arguments
N_POPX - pops variable number of arguments
N_PUSHMASK - mask to extract number of arguments pushed into the stack, one of the following:
N_PUSH0 - pushes no data (default)
N_PUSH1 - pushes 1 argument
N_PUSH2 - pushes 2 arguments
N_PUSHX - pushes 0 or 1 arguments
cmdsize
Size of the command, without operand
opsize
Size of the operand, bytes, or 0 if command contains no operand
nswitch
Number of switch cases that follow command. Each case is 1 doubleword long 0x0F as part of the command
jmpaddr
Single jump or call destination, or 0 if command is neither jump nor call
descriptor
Descriptor in (xx)xxxxxx format
dataaddr
Address of the pointed object or data, or 0 if there is none
errors
List of errors detected by Ndisasm() or DAE_NOERR if no errors were detected. Several flags may be set at once:
DAE_BADCMD - unknown or unrecognized command
DAE_CROSS - command is longer than memory block passed to Ndisasm()
DAE_INTERN - internal error
optype
Type of the operand, a combination of flags A_xxx:
A_ARGMASK - mask to extract type of argument
A_NONE - no operand
A_OFFSET - 32-bit offset from next command
A_BYTEOFFS - 8-bit offset from next command
A_METHOD - 32-bit method descriptor
A_SIGNATURE - 32-bit signature of call types
A_TYPE - 32-bit type descriptor
A_FIELD - 32-bit field descriptor
A_STRING - 32-bit string descriptor
A_TOKEN - 32-bit token descriptor
A_INDEX1 - 8-bit immediate index constant
A_INDEX2 - 16-bit immediate index constant
A_SWCOUNT - 32-bit immediate switch count
A_INT1S - 8-bit immediate signed integer constant
A_INT4 - 32-bit immediate integer constant
A_INT8 - 64-bit immediate integer constant
A_FLOAT4 - 32-bit immediate floating point constant
A_FLOAT8 - 64-bit immediate floating point constant
A_NOLIST - 8-bit list following no. prefix
A_ALIGN - 8-bit alignment following unaligned. command
optext
Operand, decoded as a zero-terminated UNICODE string, filled only if flag DA_TEXT was set
dump
Command dump as a zero-terminated UNICODE string, filled only if flag DA_DUMP was set
result
Disassembled command as a zero-terminated UNICODE string, filled only if flag DA_TEXT was set
comment
Comment or error message as a zero-terminated UNICODE string, filled only if flag DA_OPCOMM was set
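Example (added here, not part of the OllyDbg SDK): using cmdtype, jmpaddr, nswitch and errors to list the addresses where execution can continue after a decoded command, as a control-flow walker would. The names netasm_view and cil_successors are hypothetical and the numeric flag values are placeholders for those in the plugin header. It assumes that cmdsize plus opsize covers the opcode and the 32-bit switch count, and that switch offsets are relative to the end of the table, as CIL defines them.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins so the block compiles alone. In a plugin the structure and the
   N_xxx / DAE_xxx constants come from the OllyDbg plugin header; the numeric
   values below are placeholders, not the real ones. */
typedef unsigned long ulong;
enum { DAE_NOERR = 0 };
enum { N_CMDTYPE = 0x0F, N_CMD = 0, N_JMP, N_JMC, N_CALL, N_RET, N_SWITCH,
       N_PREFIX, N_DATA, N_BAD };
typedef struct {                  /* only the t_netasm members used here */
  ulong ip, cmdtype, cmdsize, opsize, nswitch, jmpaddr;
  int errors;
} netasm_view;

/* Lists the addresses where execution may continue after the command in da.
   code points at the command's first byte, avail is the readable length.
   Returns the number of successors stored in out, or -1 when the command
   must not be followed (error flags, bad command, data, truncated table). */
int cil_successors(const netasm_view *da, const unsigned char *code,
                   size_t avail, ulong *out, size_t max) {
  ulong head = da->cmdsize + da->opsize;       /* opcode + operand bytes */
  ulong type = da->cmdtype & N_CMDTYPE;        /* drop pop/push bits */
  int n = 0;
  if (da->errors != DAE_NOERR || max < 2) return -1;
  if (type == N_BAD || type == N_DATA) return -1;
  if (type == N_RET) return 0;
  if (type == N_JMP) { out[0] = da->jmpaddr; return 1; }
  if (type == N_JMC) out[n++] = da->jmpaddr;   /* taken branch */
  if (type == N_SWITCH) {
    /* jmpaddr is 0 for a switch: the targets are nswitch signed dwords
       stored after the count operand, relative to the end of the table. */
    if (head > avail || da->nswitch > (avail - head) / 4) return -1;
    if (da->nswitch >= max) return -1;         /* out[] too small */
    ulong end = da->ip + head + 4 * da->nswitch;
    for (ulong i = 0; i < da->nswitch; i++) {
      const unsigned char *p = code + head + 4 * i;
      uint32_t raw = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 |
                     (uint32_t)p[3] << 24;     /* little-endian dword */
      out[n++] = end + (ulong)(long)(int32_t)raw;
    }
    out[n++] = end;                            /* no case matched */
    return n;
  }
  out[n++] = da->ip + head;                    /* fall-through successor */
  return n;
}
```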