TheDeveloperBlog.com


IL Disassembler Tutorial

IL Disassembler. Much of the .NET Framework is implemented with itself. It is possible to inspect its internals the same way you can look at any program's internals. We inspect the IL Disassembler—but do not disassemble it.

Visual Studio

Tutorial. Let's get started. If you have installed Visual Studio, browse to your Microsoft Windows SDK folder and look for the cyan thunderbolt in the Tools subfolder. It might be worthwhile to create a shortcut to the program.

DLL files. Because metadata for C# programs is stored in DLL files, you can open DLL files in IL Disassembler and look at the intermediate language embedded in them. EXE files can also be opened.

Next: Let's try the Microsoft .NET Framework itself for a demonstration. In this folder, I find the DLL files the Framework itself uses.

Folder location:

C:\Windows\Microsoft.NET\Framework\v4.0.30319


Open mscorlib. The most commonly used DLL file for the .NET Framework is mscorlib.dll. This file not the complete Framework, but stores the most common and important types. Open your mscorlib.dll file and look at the tree that appears.

Next, use the tree widget to browse into the System.String type. To do this, open System and then browse to System.String. Here, you can see the String type methods available in C# programs and internal methods.

Strings

Next: Let's look at the Contains method next. This method searches a string for a specific substring.


Contains. When you click on Contains, you will see a window with a yellow background. This shows the metadata header for this method. It also shows the method body, which is encoded in IL instructions.

IL

Method call. There is a call instruction in Contains. This points to the IndexOf method, which is also available for viewing in IL Disassembler. Contains is simply a wrapper method for IndexOf after all.

IndexOf

We can see the ldarg, ldc, call, clt, ceq, and ret instructions. The ldarg instruction pushes one of the formal parameters to the method onto the evaluation stack. The ldc instruction pushes a constant onto the stack.

Call transfers control to the specified method, passing the values on the evaluation stack as arguments. The clt instruction compares two values with a less than operation. Ceq compares two values with an equals operation.

And: Ret simply transfers control to whatever method called the Contains method.


Options. The IL Disassembler tool has several options on it. With "Show bytes", you can see the original bytes that are being interpreted by the disassembler. With "Quote all names", you can put type names inside quotation marks.

Also, with "Statistics", you can see interesting information about the DLL or EXE file you loaded. And with Dump, you can write the IL code from a DLL or EXE to a set of files. There are lots of options.


Summary. The IL Disassembler tool is worth looking into for people who want to learn more about the .NET Framework. It helps to have a basic understanding of the intermediate language, and how the evaluation stack works.

Tip: For practical development, IL Disassembler can instantly tell you what methods are called inside a certain Framework method.

And: IL Disassembler is helpful for many .NET Framework languages, including Visual C++ and VB.NET.

VB.NET