Can we disassemble (using ILDasm) an NGen-ed assembly?


Problem description

If I NGen an assembly, is it normal that ildasm still disassembles it?

Ok. I wrote a HelloWorld class library and the ensuing dll is named NGenILDasmTest.dll. --> Targeted for the .Net fw 4.

From Vs 2010 command prompt, I did

gacutil -i NGenILDasmTest.dll

I could see the assembly installed in the GAC. And I ran ildasm so I could view the IL. So far so good.

Then I run

ngen NGenILDasmTest.dll

(I did not specify any options for ngen). And this assembly successfully got compiled. I located it with a name NGenILDasmTest.ni.dll under the folder

C:\Windows\Assembly\NativeImages_v4.0.30319_32\NGenILDasmTest\81d49dd4c7df22fb3df530402b58ffc9

Now, when I run ildasm like below

ildasm "C:\Windows\Assembly\NativeImages_v4.0.30319_32\NGenILDasmTest\81d49dd4c7df22fb3df530402b58ffc9\NGenILDasmTest.ni.dll"

I could see the contents of the Ngen-ed assembly. Is this normal?

Technically speaking, Ngen generates native CPU instructions for the IL (and apparently places it under C:\windows\Assembly\NAtiveImages_V4.#####_32 - in my case). If that is the case, how am I still able to see the NGen-ed assembly as IL using ILDasm?

Please help me understand that 'little something' that I am missing here.

Solution

An NGEN'ed assembly is the IL plus native code. The IL is not stripped out. There is often confusion that NGen assemblies contain only the native image. The original information is still needed for metadata.

Microsoft doesn't seem to have very specific information on the internals of an NGen assembly. Most information that we know is from reverse engineering.

EDIT:

After installing the .NET Framework 1.1 (yay..) - it appears that .NET 1.1 NGen does strip out the IL. It looks like starting in v2 - the IL is kept. This seems to be why there is contradicting information lying around. The exact reason this change was made doesn't seem to be known.

There is a good article on some of ngen's internals (and how it is an extremely bad idea for obfuscation) here: http://www.woodmann.com/forum/entry.php?68-Rebuilding-native-.NET-exes-into-managed-.NET-exes-by-Exploiting-lefotver-IL...

Now, the interesting thing about Ngen is that it does not eliminate the IL or the metadata, because while the IL code is not needed for execution, the metadata is, because all the strings and other relevant data that the program needs are contained within the metadata. So, Ngen copies all the metadata to the .IL section of the native exe, and copies the IL code as an afterthought
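The answer's point, that a precompiled image still carries its CLI metadata next to the native code, can be checked straight from the PE headers. The Python sketch below is an added example, not part of the original post: it reads the CLR header (data directory 14, `IMAGE_COR20_HEADER` layout from ECMA-335 / `corhdr.h`) and reports whether a metadata root, the `COMIMAGE_FLAGS_IL_LIBRARY` flag and a `ManagedNativeHeader` are present. `build_sample` is a hypothetical helper that fabricates a minimal PE for demonstration, and treating the flag and a non-empty native header as markers of a precompiled image is an assumption drawn from those public headers.

```python
import struct

def rva_to_offset(data, sect_off, nsect, rva):
    # Map an RVA to a file offset via the section table (40-byte entries).
    for i in range(nsect):
        vsize, vaddr, rsize, raw = struct.unpack_from("<4I", data, sect_off + 40 * i + 8)
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return rva - vaddr + raw
    raise ValueError("RVA not mapped by any section")

def inspect_clr_image(data):
    """Report which managed content a PE image still carries."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    pe32 = struct.unpack_from("<H", data, opt)[0] == 0x10B
    dirs = opt + (96 if pe32 else 112)                    # data directories
    clr_rva = struct.unpack_from("<I", data, dirs + 8 * 14)[0]
    if clr_rva == 0:
        return {"managed": False}                         # no CLR header at all
    sect = opt + opt_size
    cor = rva_to_offset(data, sect, nsect, clr_rva)
    md_rva, md_size, flags = struct.unpack_from("<3I", data, cor + 8)
    native_size = struct.unpack_from("<I", data, cor + 68)[0]
    md = rva_to_offset(data, sect, nsect, md_rva)
    return {
        "managed": True,
        "metadata_present": data[md:md + 4] == b"BSJB",   # metadata root magic
        "il_library_flag": bool(flags & 0x4),             # COMIMAGE_FLAGS_IL_LIBRARY
        "native_header_size": native_size,                # ManagedNativeHeader.Size
    }

def build_sample(native):
    # Constructed minimal PE32 (not a real assembly): one section at RVA
    # 0x2000 / file offset 0x200 holding a CLR header and a metadata root.
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x14C, 1)          # machine, section count
    struct.pack_into("<H", img, 0x94, 224)                # SizeOfOptionalHeader
    struct.pack_into("<H", img, 0x98, 0x10B)              # PE32 magic
    struct.pack_into("<2I", img, 0x168, 0x2000, 72)       # data directory 14
    struct.pack_into("<8s4I", img, 0x178, b".text", 0x200, 0x2000, 0x200, 0x200)
    struct.pack_into("<IHH3I", img, 0x200, 72, 2, 5, 0x2048, 0x100, 4 if native else 1)
    if native:
        struct.pack_into("<2I", img, 0x240, 0x2150, 0x40)  # ManagedNativeHeader
    img[0x248:0x24C] = b"BSJB"
    return bytes(img)
```

To inspect a real file, pass its bytes: `inspect_clr_image(open(path, "rb").read())`.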
