FWdasm v0.01

Description

FWdasm is a free command line disassembler intended to be used to examine executable files. It is designed to be scriptable and able to quickly pull out specific information about an executable in a format that is easily parsed in an automated fashion. It is also able to dump large amounts of information in nicely formatted tables and cross-referenced assembly for manual analysis. Currently, only Microsoft PE executables are supported but support for other executable formats including ELF and analysis of raw binary streams (e.g. shellcode) will be added in the future.

The following sample output was generated by running FWdasm on itself using the following command line parameters:
C:\>fwdasm -vf fwdasm.exe -Ccos all -qlixSabfgTRdvvvv > out.txt
sample-output.zip

The parameters are described below. Note that multiple 'v' parameters are passed. Each one increases the verbosity of the output and is intended for producing human-friendly output. If no 'v' parameters are specified, output is in a format suitable for text parsing: tables are output in CSV format that can be imported into a spreadsheet application, and assembly is output without cross-reference information. As 'v' parameters are added, tabular data is formatted in SQL-like output tables, and the assembly code is progressively annotated with offsets, call and branch target cross-references, string table references and external library calls.

Documentation

FWdasm version 0.01
Copyright (c) 2009, David J. Rager

Usage: fwdasm [options] -f filename [commands]

Options:
  -f <filename>	file name to process. once the filename is specified, the
		format is determined and the remaining command line arguments
		are processed as commands to the processing engine for the
		binary format type (i.e. PE, ELF, etc...)

  -v		show version information

  -V		show version information and exit

  -?		show this help

PE file format commands:
  -a		print the attribute certificate table

  -b		print the debug directory

  -c		print the COFF header

  -C		print the DOS header

  -d		attempt to disassemble the '.text' section

  -D <section>	attempt to disassemble the contents of a given section. may be
		used multiple times to specify multiple sections. a section
		name of 'all' will attempt to disassemble the contents of all
		the sections.

  -e		print the entropy of the file

  -E <section>	print the entropy of a given section. may be used multiple
		times to specify multiple sections. if more than one section is
		specified, a combined entropy of all the specified sections is
		printed. a section name of 'all' will print the entropy of all
		sections

  -f		print the exception table

  -g		print tls directory

  -i		print the import directory

  -l		include section linenumber information (valid only when used
		with -s)

  -o		print the optional header

  -q		include section relocation information (valid only when used
		with -s)

  -Q <index>	print relocation information

		prints the relocation information from the relocation table at
		a given index. an index of 'all' or 0 will print all the
		relocation information

  -r <offset>	print the resource directory

		prints the resource information for a given item in the
		resource directory specified by 'offset'. an offset of 'all'
		will list all the resource information.

  -R		print the resource directory in a tree view

  -s <section>	list information about a particular section. may be used
		multiple times to list multiple sections. a section name of
		'all' will list all sections

  -S		print the symbol table

  -t		print the string table

		using -v two or more times will cause a linear scan of the
		entire executable that searches for all null terminated ascii
		strings. by default, strings with a minimum length of 4
		characters are reported. additional -v options will reduce this
		minimum character length by 1 each until a minimum length of 1
		character strings is reached. (this is a single character
		followed by a null terminator)

  -T		print the delay-load directory table

  -v		increase the verbosity of the output. can be used multiple
		times

  -x		print the export directory

License

FWdasm is freeware subject to the following terms:
FWdasm - v0.01

Copyright (c) 2009, David J. Rager

This program may be used and distributed free of charge as long as this license
and copyright remain intact.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. IN
FACT YOU PROBABLY SHOULDN'T USE IT AT ALL.

Download

fwdasm-0.01.zip (md5: d74c8bf1f91c8814384936acc1fb8b72)

Contact

Send any comments/suggestions/bugs to djrager@fourthDWALINwoods.com. (Remember to remove the dwarf!)