Wednesday, December 18, 2013

Capstone

I played a bit today with this BSD-licensed disasm library, and I should note that right now it is virtually unusable:
  1. The size of libcapstone.so is 6.5Mb, and even if you remove arch/Mips, arch/AArch64 and arch/ARM from the Makefile, the size of libcapstone.so is still 3.5Mb. Just to compare: the size of libudis86.a on the same machine is only 452Kb.
  2. With udis86 you can easily remove the tables with mnemonics (for example, they are useless in code analyzers), but this is hard to do with capstone: every arch/mapping.c file contains a mix of register names, mnemonic tabs and insn_map structures.
  3. X86GenDisassemblerTables.inc has a size of 37Mb! The authors claim "That is the price to pay for good performance". Perhaps, but 37Mb is too much IMHO.
  4. It also seems that it is very hard to build a library that fills the cs_x86 structure and does not contain references to xprintf or other CRT functions (for example, if you plan to use this library in a kernel mode driver).

Monday, December 16, 2013

ida 6.5

changelog
PC: handle code sequences which load imagebase value into a temporary register (common in x64 Windows code)
Yeah, finally I don't need to recompile my plugin wpic64 for each new ida version.

added win8_um.til and wdk8_km.til for Windows8 WDK (user and kernel mode headers)
He-he. How about WdfFunctions?