ionicons-v5-d 0.17.0 (1e425fc3)
Updated on 21/12/2024, 05:32:53.

Disassembler

 API

Introduction

LIEF extended exposes a user-friendly API to disassemble code in different places of executable formats for the following architectures: x86/x86-64, ARM, AArch64, RISC-V, Mips, PowerPC, eBPF.

You can start disassembling code within a binary by using the
lief::generic::Binary::disassemble lief::generic::Binary::disassemble_symbol lief::generic::Binary::disassemble_address lief::generic::Binary::disassemble_slice LIEF::Binary::disassemble() lief.Binary.disassemble() lief.Binary.disassemble_from_bytes()
functions that is exposed in the abstraction layer:
import lief

elf = lief.ELF.parse("/bin/hello")

inst: lief.assembly.Instruction = ...

for inst in elf.disassemble(0x400120):
    print(inst)
From a design perspective, the disassembler returns a lazy iterator which outputs a
lief::assembly::Instructions LIEF::assembly::Instruction lief.assembly.Instruction
instance when it evaluates the instruction at the address associated with the iterator’s position.

Thus, when calling elf.disassemble_address(0x400), nothing is disassembled until the iterator is processed.

An instruction is represented by the object:
lief::assembly::Instructions LIEF::assembly::Instruction lief.assembly.Instruction
which is extended by the following objects for each supported architecture:

In Python, one can check the effective type of a lief.assembly.Instruction with isinstance(...):

inst: lief.assembly.Instruction = ...

if isinstance(inst, lief.assembly.riscv.Instruction):
   opcode: lief.assemble.riscv.OPCODE = inst.opcode

In C++, downcasting can be done using the function: LIEF::assembly::Instruction::as():

std::unique_ptr<LIEF::assembly::Instruction> inst = ...;

if (const auto* riscv_inst = inst->as<LIEF::assembly::riscv::Instruction>())
{
  LIEF::assembly::riscv::OPCODE opcode = riscv_inst->opcode();
}

In Rust, instructions are represented by the enum lief::assembly::Instructions. Thus, you can write:

fn check_opcode(inst: &lief::assembly::Instructions) {
  if let lief::assembly::Instructions::RiscV(riscv) = inst {
    println!("{:?}", riscv.opcode());
  }
}

Note

You can also check the assembler documentation here: Assembler

For the architectures x86/x86-64 and AArch64 we can also iterate over the instruction’s operands:

import lief

inst: lief.assembly.aarch64.Instruction

for inst in macho.disassemble(0x400120):
    print(inst)
    # Check inst properties
    if inst.is_branch:
        print(f"Resolved: {inst.branch_target}")

    for idx, operand in enumerate(inst.operands):
        if isinstance(operand, lief.assembly.aarch64.operands.Register):
            print(f"op[{idx}]: REG - {operand.value}")
        if isinstance(operand, lief.assembly.aarch64.operands.Memory):
            print(f"op[{idx}]: MEM - {operand.base}")
        if isinstance(operand, lief.assembly.aarch64.operands.PCRelative):
            print(f"op[{idx}]: PCR - {operand.value}")
        if isinstance(operand, lief.assembly.aarch64.operands.Immediate):
            print(f"op[{idx}]: IMM - {operand.value}")

You can check the documentation of these architectures for more details about the exposed API.

Use Cases

DWARF Function

In addition to the regular
lief::generic::Binary::disassemble lief::generic::Binary::disassemble_symbol lief::generic::Binary::disassemble_address lief::generic::Binary::disassemble_slice LIEF::Binary::disassemble() lief.Binary.disassemble() lief.Binary.disassemble_from_bytes()
API, one can use
lief::dwarf::Function::instructions LIEF::dwarf::Function::instructions() lief.dwarf.Function.instructions
to disassemble a DWARF function.

Warning

lief::dwarf::Function::instructions LIEF::dwarf::Function::instructions() lief.dwarf.Function.instructions
is only working if the DWARF debug info is embedded in the binary. This is the default behavior for ELF binaries but this is not the case for Mach-O .dSYM files.
import lief

elf = lief.ELF.parse("/bin/hello")

main = elf.debug_info.find_function("main")

for inst in .instructions:
    print(inst)

Dyld Shared Cache

A disassembling API is also provided for the
lief::dsc::DyldSharedCache lief.dsc.DyldSharedCache LIEF::dsc::DyldSharedCache
object:
lief::dsc::DyldSharedCache::disassemble lief.dsc.DyldSharedCache.disassemble() LIEF::dsc::DyldSharedCache::disassemble()
:
import lief

dyld_cache: lief.dsc.DylibSharedCache = lief.dsc.load("macos-15.0.1/")

for inst in dyld_cache.disassemble(0x1886f4a44):
    print(inst)

Technical Details

The disassembler is based on the LLVM’s MC layer which is known to be efficient and accurate for disassembling code. This LLVM’s MC layer has already been used by other projects like capstone or more recently Nyxstone.

Compared to Capstone, LIEF uses a mainstream LLVM version with limited modifications on the MC layer. On the other hand, it does not expose a C API, supports fewer architectures than Capstone, and does not expose a standalone API.

Note

The current LLVM version is 19.1.2.

Compared to Nyxstone’s disassembler, LLVM is hidden from the public API which means that LLVM does not need to be installed on the system. On the other hand, it does not expose a standalone API.

The major difference between LIEF’s disassembler and the other projects is that it does not expose a standalone API to disassemble arbitrary code. The disassembler is bound to the object from which the API is exposed (
lief::generic::Binary lief.Binary LIEF::Binary
,
lief::dwarf::Function lief.dwarf.Function LIEF::dwarf::Function
,
lief::dsc::DyldSharedCache::disassemble lief.dsc.DyldSharedCache.disassemble() LIEF::dsc::DyldSharedCache::disassemble()
, …).

Python API

C++ API

Rust API: lief::assembly