Friday, September 23, 2011

Getting a function's size from its opcodes

Author: GStar
Main idea: analyse the jump instructions (jmp, jcc, etc.) and keep track of the farthest forward target address they reach; look for ret instructions; when the current instruction is a ret and its address is the farthest address reached so far, the function ends there.

Code:
GetProcSize proc uses esi ebx edi pProc:DWORD
; eax   length of the current instruction (returned by GetCodeSize)
; ebx   displacement of the current jump (0 when the instruction is not a jump)
; esi   address of the current instruction
; edi   farthest address reached so far, by fall-through or by a forward jump
; pProc start address of the function

  mov   esi,pProc
  mov   edi,esi

  invoke GetCodeSize,esi
  .while eax
    ; Jcc rel8 (70h..7Fh inclusive) or JMP SHORT rel8 (0EBh): sign-extend the 8-bit displacement
    .if eax == 2 && ((byte ptr [esi] >= 70H && byte ptr [esi] <= 7FH) || byte ptr [esi] == 0EBH)
      movsx ebx,byte ptr [esi+1]
    ; JMP rel32 (0E9h)
    .elseif eax == 5 && byte ptr [esi] == 0E9H
      mov   ebx,[esi+1]
    ; Jcc rel32 (0Fh 80h..8Fh inclusive)
    .elseif eax == 6 && byte ptr [esi] == 0FH && byte ptr [esi+1] >= 80H && byte ptr [esi+1] <= 8FH
      mov   ebx,[esi+2]
    .else
      ; RET / RET imm16 / RETF / RETF imm16 ends the function only when no forward jump
      ; target lies beyond it, i.e. when the current address is the farthest address reached
      .if (byte ptr [esi] == 0C2H || byte ptr [esi] == 0C3H || byte ptr [esi] == 0CAH || byte ptr [esi] == 0CBH) && esi == edi
        lea   eax,[esi+eax]        ; address just past the ret instruction
        sub   eax,pProc            ; size = end - start
        ret
      .else
        xor   ebx,ebx              ; not a jump: no displacement
      .endif
    .endif
    add   esi,eax                  ; advance to the next instruction
    test  ebx,ebx
    .if !sign?                     ; forward (or zero) displacement: target = next instruction + displacement
      add   ebx,esi
      .if ebx > edi
        mov   edi,ebx              ; new farthest address
      .endif
    .endif
    .if esi > edi
      mov   edi,esi                ; falling through also extends the farthest address
    .endif
    invoke GetCodeSize,esi
  .endw
  xor   eax,eax                    ; GetCodeSize failed or no terminating ret was found: return 0
  ret
GetProcSize endp

Remarks:
1. GetCodeSize is the lde32 length disassembler engine.
2. The code has limitations: it cannot analyse indirect jumps such as jmp [xx], and a function that reaches its ret only through a backward jmp may not yield the full size. It does handle almost all compiler-generated code, however.
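The same farthest-address scan written out in C, as an added illustration that is not the post's code. The post drives the scan with lde32; here a toy length decoder (toy_len) stands in for it and only knows the handful of opcodes used in the constructed sample byte strings below, so anything else (for example the indirect jmp [xx] of remark 2) makes the scan give up and return 0. The names toy_len, rel32, get_proc_size and the sample_* arrays are chosen here and are not part of the original.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy length decoder standing in for lde32 (assumption: it only knows the opcodes used in
 * the samples below, and only register-direct ModRM forms). Returns 0 for anything else or
 * when the instruction would run past the end of the buffer. */
static size_t toy_len(const uint8_t *p, size_t avail)
{
    size_t n = 0;
    uint8_t op;
    if (avail == 0) return 0;
    op = p[0];
    if (op >= 0x70 && op <= 0x7F) n = 2;                              /* Jcc rel8 */
    else if (op == 0xEB) n = 2;                                        /* JMP SHORT rel8 */
    else if (op == 0xE9) n = 5;                                        /* JMP rel32 */
    else if (op == 0x0F && avail > 1 && p[1] >= 0x80 && p[1] <= 0x8F) n = 6; /* Jcc rel32 */
    else if (op == 0xC3 || op == 0xCB) n = 1;                          /* RET / RETF */
    else if (op == 0xC2 || op == 0xCA) n = 3;                          /* RET imm16 / RETF imm16 */
    else if ((op >= 0x50 && op <= 0x5F) || op == 0x90) n = 1;          /* PUSH/POP r32, NOP */
    else if ((op == 0x31 || op == 0x85 || op == 0x89) && avail > 1 && (p[1] & 0xC0) == 0xC0)
        n = 2;                                                         /* XOR/TEST/MOV r32,r32 */
    return n <= avail ? n : 0;
}

/* Little-endian 32-bit displacement, assembled byte by byte so the host endianness does not matter. */
static int32_t rel32(const uint8_t *p)
{
    uint32_t v = (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    return (int32_t)v;
}

/* Mirrors GetProcSize: cur plays the role of esi, farthest the role of edi.
 * Returns the function size in bytes, or 0 when the decoder fails or no terminating ret is found. */
size_t get_proc_size(const uint8_t *proc, size_t avail)
{
    size_t cur = 0, farthest = 0, len;
    while ((len = toy_len(proc + cur, avail - cur)) != 0) {
        uint8_t op = proc[cur];
        int is_jump = 0;
        int32_t disp = 0;
        if (len == 2 && ((op >= 0x70 && op <= 0x7F) || op == 0xEB)) {
            disp = proc[cur + 1] >= 0x80 ? (int32_t)proc[cur + 1] - 256 : proc[cur + 1]; /* sign-extend rel8 */
            is_jump = 1;
        } else if (len == 5 && op == 0xE9) {
            disp = rel32(proc + cur + 1);
            is_jump = 1;
        } else if (len == 6 && op == 0x0F && proc[cur + 1] >= 0x80 && proc[cur + 1] <= 0x8F) {
            disp = rel32(proc + cur + 2);
            is_jump = 1;
        } else if ((op == 0xC2 || op == 0xC3 || op == 0xCA || op == 0xCB) && cur == farthest) {
            return cur + len;                 /* ret with no forward target beyond it: end of function */
        }
        cur += len;                           /* next instruction */
        if (is_jump && disp >= 0) {           /* forward jump: target = next instruction + displacement */
            size_t target = cur + (size_t)disp;
            if (target > farthest) farthest = target;
        }
        if (cur > farthest) farthest = cur;   /* fall-through also extends the farthest address */
    }
    return 0;
}

/* Constructed samples (not taken from the post); offsets in the comments are relative to the start. */
static const uint8_t sample_fwd_short[] = {
    0x85, 0xC0,        /* 00: test eax,eax */
    0x74, 0x01,        /* 02: jz +1 -> 05 */
    0xC3,              /* 04: ret (not the end: the target 05 lies beyond it) */
    0x31, 0xC0,        /* 05: xor eax,eax */
    0xC3               /* 07: ret -> size 8 */
};
static const uint8_t sample_fwd_near[] = {
    0x0F, 0x85, 0x01, 0x00, 0x00, 0x00, /* 00: jnz +1 -> 07 */
    0xC3,                               /* 06: ret (jumped over) */
    0x90,                               /* 07: nop */
    0xC3                                /* 08: ret -> size 9 */
};
static const uint8_t sample_loop[] = {
    0x31, 0xC0,        /* 00: xor eax,eax */
    0x90,              /* 02: nop */
    0x85, 0xC0,        /* 03: test eax,eax */
    0x75, 0xFB,        /* 05: jnz -5 -> 02 (backward: ignored) */
    0xC3               /* 07: ret -> size 8 */
};
static const uint8_t sample_ret_imm[] = {
    0x55,              /* 00: push ebp */
    0x5D,              /* 01: pop ebp */
    0xC2, 0x08, 0x00   /* 02: ret 8 -> size 5 */
};
static const uint8_t sample_indirect[] = {
    0xFF, 0x25, 0x00, 0x10, 0x40, 0x00  /* 00: jmp dword ptr [00401000h], unknown to toy_len -> 0 */
};

int main(void)
{
    printf("forward short jcc : %zu\n", get_proc_size(sample_fwd_short, sizeof sample_fwd_short));
    printf("forward near jcc  : %zu\n", get_proc_size(sample_fwd_near, sizeof sample_fwd_near));
    printf("backward loop     : %zu\n", get_proc_size(sample_loop, sizeof sample_loop));
    printf("ret imm16         : %zu\n", get_proc_size(sample_ret_imm, sizeof sample_ret_imm));
    printf("indirect jmp      : %zu\n", get_proc_size(sample_indirect, sizeof sample_indirect));
    return 0;
}
```

The first two samples are the case the post is built around: a ret that a forward jump skips over must not be taken as the end, which a naive "stop at the first ret" scan would get wrong. The last sample shows remark 2 in practice: once the length decoder meets an instruction it cannot measure, the scan has no way to continue and reports 0 rather than a guess.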
