dotscope 0.6.0

A high-performance, cross-platform framework for analyzing and reverse engineering .NET PE executables
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327

//! IL disassembly utilities
//!
//! This module handles disassembly of .NET assemblies using the detected
//! disassembler from TestCapabilities.

use crate::prelude::*;
use crate::test::mono::capabilities::{Disassembler, TestCapabilities};
use std::path::Path;
use std::process::Command;

/// Result of a disassembly operation
#[derive(Debug, Clone)]
pub struct DisassemblyResult {
    /// Whether disassembly succeeded
    pub success: bool,
    /// The disassembled IL output
    pub il_output: String,
    /// Error message (if failed)
    pub error: Option<String>,
    /// Which disassembler was used
    pub disassembler: Option<Disassembler>,
}

impl DisassemblyResult {
    /// Create a successful result
    pub fn success(il_output: String, disassembler: Disassembler) -> Self {
        Self {
            success: true,
            il_output,
            error: None,
            disassembler: Some(disassembler),
        }
    }

    /// Create a failed result
    pub fn failure(error: String) -> Self {
        Self {
            success: false,
            il_output: String::new(),
            error: Some(error),
            disassembler: None,
        }
    }

    /// Check if disassembly was successful
    pub fn is_success(&self) -> bool {
        self.success
    }

    /// Check if the failure is due to a missing/broken .NET framework
    ///
    /// This detects cases where a tool like dotnet-ildasm is installed but requires
    /// a .NET framework version that isn't available on the system.
    pub fn is_framework_error(&self) -> bool {
        if let Some(ref error) = self.error {
            // Common patterns for .NET framework version errors
            error.contains("You must install or update .NET to run this application")
                || error.contains("Framework:")
                    && error.contains("version")
                    && error.contains("was not found")
                || error.contains("The framework 'Microsoft.NETCore.App'")
        } else {
            false
        }
    }

    /// Check if the IL output contains a specific method
    pub fn contains_method(&self, method_name: &str) -> bool {
        // Look for method definition pattern: .method ... methodname (
        self.il_output.contains(&format!(" {} ", method_name))
            || self.il_output.contains(&format!(" {}(", method_name))
            || self.il_output.contains(".method") && self.il_output.contains(method_name)
    }

    /// Check if the IL output contains a specific class
    pub fn contains_class(&self, class_name: &str) -> bool {
        self.il_output.contains(".class") && self.il_output.contains(class_name)
    }

    /// Check if the IL output contains a specific instruction
    pub fn contains_instruction(&self, instruction: &str) -> bool {
        self.il_output.lines().any(|line| {
            let trimmed = line.trim();
            trimmed.starts_with(instruction) || trimmed.contains(&format!(" {} ", instruction))
        })
    }

    /// Get all method names found in the disassembly
    pub fn method_names(&self) -> Vec<String> {
        self.il_output
            .lines()
            .filter(|line| line.contains(".method"))
            .filter_map(|line| {
                // Extract method name from lines like:
                // .method public static void Main() cil managed
                // Find the last word before the parenthesis
                if let Some(paren_pos) = line.find('(') {
                    let before_paren = &line[..paren_pos];
                    before_paren
                        .split_whitespace()
                        .last()
                        .map(|s| s.to_string())
                } else {
                    None
                }
            })
            .collect()
    }
}

/// Disassemble an assembly using the detected disassembler
pub fn disassemble(
    capabilities: &TestCapabilities,
    assembly_path: &Path,
) -> Result<DisassemblyResult> {
    let disassembler = match capabilities.disassembler {
        Some(d) => d,
        None => {
            return Ok(DisassemblyResult::failure(
                "No IL disassembler available".to_string(),
            ))
        }
    };

    disassemble_with_caps(
        disassembler,
        assembly_path,
        capabilities.ildasm_path.as_deref(),
    )
}

/// Disassemble with a specific disassembler
pub fn disassemble_with(
    disassembler: Disassembler,
    assembly_path: &Path,
) -> Result<DisassemblyResult> {
    disassemble_with_caps(disassembler, assembly_path, None)
}

/// Disassemble with a specific disassembler, using capabilities for path resolution
fn disassemble_with_caps(
    disassembler: Disassembler,
    assembly_path: &Path,
    ildasm_path: Option<&Path>,
) -> Result<DisassemblyResult> {
    let output = match disassembler {
        Disassembler::Monodis => disassemble_with_monodis(assembly_path)?,
        Disassembler::Ildasm => disassemble_with_ildasm(assembly_path, ildasm_path)?,
        Disassembler::DotNetIldasm => disassemble_with_dotnet_ildasm(assembly_path)?,
    };

    let stdout = String::from_utf8_lossy(&output.stdout).to_string();
    let stderr = String::from_utf8_lossy(&output.stderr).to_string();

    if output.status.success() {
        Ok(DisassemblyResult::success(stdout, disassembler))
    } else {
        let error = if !stderr.is_empty() {
            stderr
        } else if !stdout.is_empty() {
            stdout
        } else {
            "Disassembly failed with unknown error".to_string()
        };
        Ok(DisassemblyResult::failure(error))
    }
}

/// Disassemble using monodis
fn disassemble_with_monodis(assembly_path: &Path) -> Result<std::process::Output> {
    Command::new("monodis")
        .arg(assembly_path)
        .output()
        .map_err(|e| Error::Other(format!("Failed to execute monodis: {}", e)))
}

/// Disassemble using ildasm
fn disassemble_with_ildasm(
    assembly_path: &Path,
    ildasm_path: Option<&Path>,
) -> Result<std::process::Output> {
    let cmd = ildasm_path
        .map(|p| p.as_os_str().to_os_string())
        .unwrap_or_else(|| std::ffi::OsString::from("ildasm"));

    Command::new(cmd)
        .arg("/text")
        .arg("/nobar")
        .arg(assembly_path)
        .output()
        .map_err(|e| Error::Other(format!("Failed to execute ildasm: {}", e)))
}

/// Disassemble using dotnet-ildasm
fn disassemble_with_dotnet_ildasm(assembly_path: &Path) -> Result<std::process::Output> {
    Command::new("dotnet-ildasm")
        .arg(assembly_path)
        .output()
        .map_err(|e| Error::Other(format!("Failed to execute dotnet-ildasm: {}", e)))
}

/// Verification result for checking specific elements in an assembly
#[derive(Debug)]
pub struct VerificationResult {
    /// Whether all checks passed
    pub success: bool,
    /// Individual check results
    pub checks: Vec<(String, bool)>,
    /// The disassembly result
    pub disassembly: DisassemblyResult,
}

impl VerificationResult {
    /// Check if all verifications passed
    pub fn is_success(&self) -> bool {
        self.success
    }

    /// Get failed checks
    pub fn failed_checks(&self) -> Vec<&str> {
        self.checks
            .iter()
            .filter(|(_, passed)| !passed)
            .map(|(name, _)| name.as_str())
            .collect()
    }
}

/// Verify that an assembly contains expected elements
pub fn verify(
    capabilities: &TestCapabilities,
    assembly_path: &Path,
    expected_methods: &[&str],
    expected_classes: &[&str],
) -> Result<VerificationResult> {
    let disassembly = disassemble(capabilities, assembly_path)?;

    if !disassembly.is_success() {
        return Ok(VerificationResult {
            success: false,
            checks: vec![("disassembly".to_string(), false)],
            disassembly,
        });
    }

    let mut checks = Vec::new();
    let mut all_passed = true;

    // Check for expected methods
    for method in expected_methods {
        let found = disassembly.contains_method(method);
        checks.push((format!("method:{}", method), found));
        if !found {
            all_passed = false;
        }
    }

    // Check for expected classes
    for class in expected_classes {
        let found = disassembly.contains_class(class);
        checks.push((format!("class:{}", class), found));
        if !found {
            all_passed = false;
        }
    }

    Ok(VerificationResult {
        success: all_passed,
        checks,
        disassembly,
    })
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::test::mono::compilation::{compile, templates};
    use tempfile::TempDir;

    #[test]
    fn test_disassembly_result() {
        let success = DisassemblyResult::success(
            ".method public static void Main()".to_string(),
            Disassembler::Monodis,
        );
        assert!(success.is_success());
        assert!(success.contains_method("Main"));

        let failure = DisassemblyResult::failure("Error".to_string());
        assert!(!failure.is_success());
    }

    #[test]
    fn test_disassemble_assembly() -> Result<()> {
        let caps = TestCapabilities::detect();
        if !caps.can_test() || !caps.can_disassemble() {
            println!("Skipping: no compiler/disassembler available");
            return Ok(());
        }

        let temp_dir = TempDir::new()?;
        let arch = caps.supported_architectures.first().unwrap();

        // Compile
        let compile_result = compile(
            &caps,
            templates::SIMPLE_CLASS,
            temp_dir.path(),
            "test",
            arch,
        )?;
        assert!(compile_result.is_success(), "Compilation failed");

        // Disassemble
        let disasm_result = disassemble(&caps, compile_result.assembly_path())?;
        assert!(
            disasm_result.is_success(),
            "Disassembly failed: {:?}",
            disasm_result.error
        );
        assert!(disasm_result.contains_method("Main"));
        assert!(disasm_result.contains_method("Add"));
        assert!(disasm_result.contains_class("TestClass"));

        Ok(())
    }
}