Disassembling .NET/mono assemblies

When an application is compiled against the .NET or mono framework, it is actually compiled to an intermediate form called MSIL or CIL (Microsoft Intermediate Language / Common Intermediate Language).

The power of the .NET / mono framework is that when you execute that code on your system, the CLR (Common Language Runtime) will JIT (just in time) compile your application for the hardware it’s running on. That means you get a 64-bit app when run on 64-bit systems and a 32-bit app on 32-bit systems.

This also means that if you can read MSIL / CIL, you can rather easily disassemble these programs. The mono disassembler is a great tool for the job. ILSpy is a very good GUI alternative.

The monodis program is used to dump the contents of an ECMA CIL image. You can execute it by typing:

$ monodis FILE.exe

The following options are supported:

--output=FILENAME

Write output into FILENAME.

--mscorlib

For non-corlib assemblies, use “mscorlib” as the assembly name. This is useful for round-tripping the IL with ilasm.

--assembly

Dumps the contents of the assembly table

--assemblyref

Dumps the contents of the assemblyref table

--classlayout

Dumps the contents of the classlayout table

--constant

Dumps the contents of the constant table

--event

Dumps the contents of the event table

--exported

Dumps the contents of the ExportedTypes table

--fields

Dumps the contents of the fields table

--file

Dumps the contents of the file table

--interface

Dumps the contents of the interface table

--manifest

Dumps the contents of the manifest table.

--memberref

Dumps the contents of the memberref table

--method

Dumps the contents of the method table

--methodsem

Dumps the contents of the methodsem table

--module

Dumps the contents of the module table

--moduleref

Dumps the contents of the moduleref table

--mresources

Dumps embedded managed resources

--param

Dumps the contents of the param table

--property

Dumps the contents of the property table

--propertymap

Dumps the contents of the propertymap table

--typedef

Dumps the contents of the typedef table

--typeref

Dumps the contents of the typeref table

If no flags are specified, the program dumps the content of the image in a format that can be used to round-trip the code.
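Before pointing monodis or ILSpy at a file, it helps to confirm that it is a CIL image at all and to see whether it is IL-only or pinned to 32-bit. The following Python sketch is an added example, not part of the original post or of the mono project; it reads the CLI header through PE data directory 14 using the field offsets from the PE and ECMA-335 layouts, and `build_sample` produces a constructed minimal image so the code runs without a real assembly.

```python
import struct

FLAGS = {0x1: "ILONLY", 0x2: "32BITREQUIRED", 0x8: "STRONGNAMESIGNED", 0x20000: "32BITPREFERRED"}

def cli_info(data):
    """Return CLI header facts for a PE image, or None if the file has no CLI header."""
    if data[:2] != b"MZ":
        return None
    try:
        pe = struct.unpack_from("<I", data, 0x3C)[0]              # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsect, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
        opt, magic = pe + 24, struct.unpack_from("<H", data, pe + 24)[0]
        dirs = opt + {0x10B: 96, 0x20B: 112}[magic]               # PE32 / PE32+ directory offset
        ndirs = struct.unpack_from("<I", data, dirs - 4)[0]
        clr_rva = struct.unpack_from("<I", data, dirs + 14 * 8)[0]  # directory 14: CLI header
        if ndirs < 15 or clr_rva == 0:
            return None                                           # native image, no CIL to dump
        def offset(rva):                                          # map an RVA to a file offset
            for i in range(nsect):
                vsize, va, rsize, raw = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
                if va <= rva < va + max(vsize, rsize):
                    return raw + rva - va
            raise ValueError("RVA 0x%x is outside every section" % rva)
        _cb, major, minor, md_rva, _size, flags = struct.unpack_from("<IHHIII", data, offset(clr_rva))
        md = offset(md_rva)
        if data[md:md + 4] != b"BSJB":
            raise ValueError("metadata root signature missing")
        vlen = struct.unpack_from("<I", data, md + 12)[0]
        version = data[md + 16:md + 16 + vlen].split(b"\0")[0].decode("ascii", "replace")
    except (struct.error, KeyError):
        raise ValueError("truncated or malformed PE image") from None
    return {"pe32plus": magic == 0x20B, "cli_header_version": (major, minor),
            "metadata_version": version, "flags": [n for bit, n in FLAGS.items() if flags & bit]}

def build_sample(flags=0x1, version=b"v4.0.30319"):
    """Constructed minimal PE32 image: one section holding a CLI header and metadata root."""
    img = bytearray(0x400)
    img[0:2], img[0x80:0x84] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", img, 0x3C, 0x80)                      # e_lfanew
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)                 # i386, one section
    struct.pack_into("<HxxH", img, 0x94, 224, 0x10B)             # optional header size, PE32 magic
    struct.pack_into("<I", img, 0xF4, 16)                        # NumberOfRvaAndSizes
    struct.pack_into("<II", img, 0x168, 0x2000, 72)              # data directory 14
    struct.pack_into("<IIII", img, 0x180, 0x200, 0x2000, 0x200, 0x200)  # RVA 0x2000 -> file 0x200
    struct.pack_into("<IHHIII", img, 0x200, 72, 2, 5, 0x2048, 0x1C, flags)  # CLI header
    struct.pack_into("<4sHHII12s", img, 0x248, b"BSJB", 1, 1, 0, 12, version)  # metadata root
    return bytes(img)
```

To check a real file, call `cli_info(open(path, "rb").read())`; a `None` result means the file is not a managed image and monodis has nothing to dump.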
