Most of the .Net developers would probably know, how to view or analyze a third party console application that is developed in .Net. This capability/skill would be required for various other roles like application re-packagers/integrators and Security Analysts/Researchers, etc.,. Here I’d be briefing about how to view the compiled Intermediate Language (IL) (Microsoft calls as a managed code) code of any executable (.exe application) that is developed in .Net.
Microsoft provides a tool named Ildasm.exe (Microsoft Windows Intermediate Language (IL) disassembler). This tools shipd along with the .Net developer IDE Visual Studio and you can have this downloaded from Microsoft.
About Intermediate Language (IL) disassembler:
This tool is usually located in …\Microsoft SDKs\Windows\v8.1A\bin\NETFX 4.5.1 Tools\Ildasm.exe of your Visual studio Installation folder.
Example:
C:\Temp\MyConsoleApp>which Ildasm.exe
/cygdrive/c/Program Files (x86)/Microsoft SDKs/Windows/v8.1A/bin/NETFX 4.5.1 Tools/Ildasm.exeC:\Temp\MyConsoleApp>
Using Intermediate Language (IL) disassembler:
Once you launch Ildasm.exe and open any of the .exe file, you’ll shown up with two sections a MANIFEST and App as shown below. You can also launch the application via command line as given below and have the more command line switches to customize how it presents the data.
C:\Temp\MyConsoleApp>ildasm MyConsoleApp.exe
C:\Temp\MyConsoleApp>
Viewing the Intermediate Language/Managed Code:
For this demonstration purpose I’ve created a simple Console App that has a Class named Program with a Method called Main that computes addition of two numbers and writes the result to the console.
In ildasm we see that our executable name is shown up beneath with a Class and Method details representing our App.ildasm IL code that is in Main function double click on the “Main : void()”
.method private hidebysig static void Main() cil managed { .entrypoint // Code size 38 (0x26) .maxstack 2 .locals init (int32 V_0, int32 V_1, int32 V_2) IL_0000: nop IL_0001: ldc.i4.3 IL_0002: stloc.0 IL_0003: ldc.i4.4 IL_0004: stloc.1 IL_0005: ldloc.0 IL_0006: ldloc.1 IL_0007: call int32 [MyClassLibrary1]MyClassLibrary.MyMath::AddNumbers(int32, int32) IL_000c: stloc.2 IL_000d: ldloc.2 IL_000e: call void [mscorlib]System.Console::WriteLine(int32) IL_0013: nop IL_0014: ldstr "Press any key to exit." IL_0019: call void [mscorlib]System.Console::WriteLine(string) IL_001e: nop IL_001f: call valuetype [mscorlib]System.ConsoleKeyInfo [mscorlib]System.Console::ReadKey() IL_0024: pop IL_0025: ret } // end of method Program::Main
<
p>
Analyzing the Intermediate Language/Managed Code:
If you have ever worked/know about machine language that consists of Memory Location and Opcode and Operands, it’s the same structure that IL code consists of.
Ildasm, tells us what sequence of instructions that are going to be executed in the Main() method.
From the example:
IL_0007: call int32 [MyClassLibrary1]MyClassLibrary.MyMath::AddNumbers(int32,int32)
This explains a call being made to the AddNumbers method of MyClassLibrary.MyMath class that receives two input integer arguments and returns an integer.
IL_000e: call void [mscorlib]System.Console::WriteLine(int32)
This explains a command that Writes output to the Console.
Additional capabilities of Ildasm:
You can get the complete Meta data of the executable by clicking View > MetaInfo > Show
You can view the Header (DOS) of the application by clicking on View > Headers
Finally, you can also have the diasssenmbled data dumped with various optional parameters as shown below:
You can have the dump saved in default .iL format or even in .txt (TEXT) format as shown below:
More Details:
When you attempt to launch a non .Net .exe application, it’s report below error indicating that required Header details are not readable to dis-assemble the .exe application:
—————————
ERROR
—————————
error : ‘C:\temp\BlueScreenView.exe’ has no valid CLR header and cannot be disassembled
—————————
OK
—————————
References:
