FWdasm is a free command line disassembler intended to be used to examine executable files. It is designed to be scriptable and able to quickly pull out specific information about an executable in a format that is easily parsed in an automated fashion. It is also able to dump large amounts of information in nicely formatted tables and cross-referenced assembly for manual analysis. Currently, only Microsoft PE executables are supported, but support for other executable formats including ELF and analysis of raw binary streams (e.g. shellcode) will be added in the future.

The following sample output was generated by running FWdasm on itself using the following command line parameters:
C:\>fwdasm -vf fwdasm.exe -Ccos all -qlixSabfgTRdvvvv > out.txt

sample-output.zip
The parameters are described below. Note that there are multiple 'v' parameters passed. This increases the verbosity of the output and is intended for producing human-friendly output. If no 'v' parameters are specified, output is in a format suitable for text parsing: tables are output in CSV format that can be imported into a spreadsheet application, and assembly is output without cross-reference information. As 'v' parameters are added, tabular data is formatted in SQL-like output tables, and the assembly code is increasingly annotated with offsets, call and branch target cross-references, string table references and external library calls.
FWdasm version 0.01
Copyright (c) 2009, David J. Rager

Usage: fwdasm [options] -f filename [commands]

Options:
  -f <filename>  file name to process. once the filename is specified, the
                 format is determined and the remaining command line
                 arguments are processed as commands to the processing
                 engine for the binary format type (i.e. PE, ELF, etc...)
  -v             show version information
  -V             show version information and exit
  -?             show this help

PE file format commands:
  -a             print the attribute certificate table
  -b             print the debug directory
  -c             print the COFF header
  -C             print the DOS header
  -d             attempt to disassemble the '.text' section
  -D <section>   attempt to disassemble the contents of a given section.
                 may be used multiple times to specify multiple sections.
                 a sectoin name of 'all' will attempt to disassemble the
                 contents of all the sections.
  -e             print the entropy of the file
  -E <section>   print the entropy of a given section. may be used multiple
                 times to specify multiple sections. if more than one
                 section is specified, a combined entropy of all the
                 specified sections is printed. a section name of 'all'
                 will print the entropy of all sections
  -f             print the exception table
  -g             print tls directory
  -i             print the import directory
  -l             include section linenumber information (valid only when
                 used with -s)
  -o             print the optional header
  -q             include section relocation information (valid only when
                 used with -s)
  -Q <index>     print relocation information
                 prints the relocation information from the relocation
                 table at a given index. an index of 'all' or 0 will print
                 all the relocation information
  -r <offset>    print the resource directory
                 prints the resource information for a given item in the
                 resource directory specified by 'offset'. an offset of
                 'all' will list all the resource information.
  -R             print the resource directory in a tree view
  -s <section>   list information about a particular section. may be used
                 multiple times to list multiple sections. a section name
                 of 'all' will list all sections
  -S             print the symbol table
  -t             print the string table
                 using -v two or more times will cause a linear scan of the
                 entire executable that searches for all null terminated
                 ascii strings. by default, strings with a minimum length
                 of 4 characters are reported. additional -v options will
                 reduce this minimum character length by 1 each until a
                 minimum length of 1 character strings is reached. (this is
                 a single character followed by a null terminator)
  -T             print the delay-load directory table
  -v             increase the verbosity of the output. can be used multiple
                 times
  -x             print the export directory
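
The linear string scan that the -t help text describes, written out as an added Python example; it is not FWdasm's own code. The function names, the constructed sample bytes, and the reading of "ascii" as printable bytes 0x20 to 0x7E are assumptions.

```python
"""Linear scan for NUL-terminated ASCII strings, as the -t help text describes."""

# Assumption: "ascii" means printable 7-bit bytes 0x20..0x7E (the page does not say).
PRINTABLE = frozenset(range(0x20, 0x7F))

# Constructed sample bytes, not taken from a real executable.
SAMPLE = (b"MZ\x90\x00" b"\x03\x00" b"kernel32.dll\x00"
          b"\xff\xfe" b"abc\x00" b"Hi\x00" b"x\x00" b"unterminated")


def min_length_for_verbosity(v_count):
    """Map the number of -v flags to the minimum reported string length.

    Help text: two -v flags start the scan at a minimum of 4 characters and
    each further -v lowers the minimum by 1 until it reaches 1.
    """
    if v_count < 2:
        raise ValueError("the linear scan needs -v two or more times")
    return max(1, 4 - (v_count - 2))


def scan_strings(data, min_len=4):
    """Return [(offset, text)] for each printable run terminated by a NUL."""
    found = []
    start = None  # offset where the current printable run began
    for i, byte in enumerate(data):
        if byte in PRINTABLE:
            if start is None:
                start = i
            continue
        # Run ended: report it only if a NUL ended it and it is long enough.
        if byte == 0 and start is not None and i - start >= min_len:
            found.append((start, data[start:i].decode("ascii")))
        start = None
    # A run cut off by end-of-data has no terminator, so it is not reported.
    return found


if __name__ == "__main__":
    for v in range(2, 6):
        n = min_length_for_verbosity(v)
        print(f"-{'v' * v} (min length {n}):", scan_strings(SAMPLE, n))
```

At minimum lengths of 1 or 2, almost any printable byte that happens to precede a zero byte is reported, so the high-verbosity scan is best filtered before it feeds an automated pipeline.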
FWdasm - v0.01
Copyright (c) 2009, David J. Rager

This program may be used and distributed free of charge as long as this license and copyright remain intact.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. IN FACT YOU PROBABLY SHOULDN'T USE IT AT ALL.