void CR_Module::DumpImportSymbols() { PIMAGE_IMPORT_DESCRIPTOR descs; CR_StringSet dll_names; CR_DeqSet<CR_ImportSymbol> symbols; descs = ImportDescriptors(); if (descs == NULL) return; printf("\n### IMPORTS ###\n"); printf(" Characteristics: 0x%08lX\n", descs->Characteristics); printf(" TimeDateStamp: 0x%08lX (%s)\n", descs->TimeDateStamp, CrGetTimeStampString(descs->TimeDateStamp)); printf(" ForwarderChain: 0x%08lX\n", descs->ForwarderChain); printf(" Name: 0x%08lX (%s)\n", descs->Name, reinterpret_cast<char *>(GetData(descs->Name))); printf(" \n"); if (!_GetImportDllNames(dll_names)) return; for (DWORD i = 0; i < dll_names.size(); ++i) { printf(" %s\n", dll_names[i].c_str()); if (Is64Bit()) printf(" RVA VA HINT FUNCTION NAME\n"); else printf(" RVA VA HINT FUNCTION NAME\n"); if (_GetImportSymbols(i, symbols)) { for (DWORD j = 0; j < symbols.size(); j++) { if (Is64Bit()) { CR_Addr64 addr = VA64FromRVA(symbols[j].dwRVA); printf(" %08lX %08lX%08lX ", symbols[j].dwRVA, HILONG(addr), LOLONG(addr)); } else if (Is32Bit()) { CR_Addr32 addr = VA32FromRVA(symbols[j].dwRVA); printf(" %08lX %08lX ", symbols[j].dwRVA, addr); } if (symbols[j].Name.wImportByName) printf("%4X %s\n", symbols[j].wHint, symbols[j].pszName); else printf("Ordinal %d\n", symbols[j].Name.wOrdinal); } printf(" \n"); } } }
BOOL CR_ModuleEx::_PrepareForDisAsm32() { if (!IsModuleLoaded() || !Is32Bit()) return FALSE; _CreateInfo32(); if (Info32()->Entrances().size()) { return TRUE; } // register entrances auto RVA = RVAOfEntryPoint(); CR_Addr32 va = VA32FromRVA(RVA); Info32()->Entrances().emplace(va); { auto codefunc = make_shared<CR_CodeFunc32>(); codefunc->Addr() = va; codefunc->Name() = "EntryPoint"; codefunc->StackArgSizeRange().Set(0); codefunc->FuncFlags() |= cr_FF_CDECL; Info32()->MapAddrToCodeFunc().emplace(va, codefunc); MapRVAToFuncName().emplace(RVA, codefunc->Name()); MapFuncNameToRVA().emplace(codefunc->Name(), RVA); } // exporting functions are entrances for (auto& e_symbol : ExportSymbols()) { va = VA32FromRVA(e_symbol.dwRVA); if (!AddressInCode32(va)) { continue; } Info32()->Entrances().emplace(va); MapRVAToFuncName().emplace(e_symbol.dwRVA, e_symbol.pszName); MapFuncNameToRVA().emplace(e_symbol.pszName, e_symbol.dwRVA); } return TRUE; } // CR_ModuleEx::_PrepareForDisAsm32
void CR_Module::DumpDelayLoad() { if (DelayLoadDescriptors().empty()) { LoadDelayLoad(); if (DelayLoadDescriptors().empty()) return; } printf("\n### DELAY LOAD ###\n"); const std::size_t size = DelayLoadDescriptors().size(); DWORD rva; if (Is64Bit()) { CR_Addr64 addr; for (std::size_t i = 0; i < size; ++i) { printf(" ### Descr #%u ###\n", static_cast<int>(i)); printf(" NAME %-8s %-8s\n", "RVA", "VA"); rva = DelayLoadDescriptors()[i].grAttrs; addr = VA64FromRVA(rva); printf(" Attrs: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); rva = DelayLoadDescriptors()[i].rvaDLLName; addr = VA64FromRVA(rva); printf(" DLL Name: %s\n", (LPCSTR)(LoadedImage() + rva)); printf(" : %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); rva = DelayLoadDescriptors()[i].rvaHmod; addr = VA64FromRVA(rva); printf(" Module: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); rva = DelayLoadDescriptors()[i].rvaIAT; addr = VA64FromRVA(rva); printf(" IAT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); rva = DelayLoadDescriptors()[i].rvaINT; addr = VA64FromRVA(rva); printf(" INT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); rva = DelayLoadDescriptors()[i].rvaBoundIAT; addr = VA64FromRVA(rva); printf(" BoundIAT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); rva = DelayLoadDescriptors()[i].rvaUnloadIAT; addr = VA64FromRVA(rva); printf(" UnloadIAT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr)); const char *pszTime = CrGetTimeStampString(DelayLoadDescriptors()[i].dwTimeStamp); printf(" dwTimeStamp: 0x%08lX (%s)", DelayLoadDescriptors()[i].dwTimeStamp, pszTime); } } else if (Is32Bit()) { CR_Addr32 addr; for (std::size_t i = 0; i < size; ++i) { printf(" ### Descr #%u ###\n", static_cast<int>(i)); printf(" NAME %-8s %-8s\n", "RVA", "VA"); rva = DelayLoadDescriptors()[i].grAttrs; addr = VA32FromRVA(rva); printf(" Attrs: %08lX %08lX\n", rva, addr); rva = DelayLoadDescriptors()[i].rvaDLLName; addr = VA32FromRVA(rva); printf(" DLL Name: %s\n", (LPCSTR)(LoadedImage() + rva)); printf(" : %08lX %08lX\n", rva, addr); rva = DelayLoadDescriptors()[i].rvaHmod; addr = VA32FromRVA(rva); printf(" Module: %08lX %08lX\n", rva, addr); rva = DelayLoadDescriptors()[i].rvaIAT; addr = VA32FromRVA(rva); printf(" IAT: %08lX %08lX\n", rva, addr); rva = DelayLoadDescriptors()[i].rvaINT; addr = VA32FromRVA(rva); printf(" INT: %08lX %08lX\n", rva, addr); rva = DelayLoadDescriptors()[i].rvaBoundIAT; addr = VA32FromRVA(rva); printf(" BoundIAT: %08lX %08lX\n", rva, addr); rva = DelayLoadDescriptors()[i].rvaUnloadIAT; addr = VA32FromRVA(rva); printf(" UnloadIAT: %08lX %08lX\n", rva, addr); const char *pszTime = CrGetTimeStampString(DelayLoadDescriptors()[i].dwTimeStamp); printf(" dwTimeStamp: 0x%08lX (%s)", DelayLoadDescriptors()[i].dwTimeStamp, pszTime); } } printf("\n\n"); }
void CR_Module::DumpExportSymbols() { PIMAGE_EXPORT_DIRECTORY pDir = ExportDirectory(); if (pDir == NULL) return; //DWORD dwNumberOfNames = pDir->NumberOfNames; //DWORD dwAddressOfFunctions = pDir->AddressOfFunctions; //DWORD dwAddressOfNames = pDir->AddressOfNames; //DWORD dwAddressOfOrdinals = pDir->AddressOfNameOrdinals; //LPDWORD pEAT = (LPDWORD)GetData(dwAddressOfFunctions); //LPDWORD pENPT = (LPDWORD)GetData(dwAddressOfNames); //LPWORD pOT = (LPWORD)GetData(dwAddressOfOrdinals); printf("\n### EXPORTS ###\n"); printf(" Characteristics: 0x%08lX\n", pDir->Characteristics); printf(" TimeDateStamp: 0x%08lX (%s)\n", pDir->TimeDateStamp, CrGetTimeStampString(pDir->TimeDateStamp)); printf(" Version: %u.%u\n", pDir->MajorVersion, pDir->MinorVersion); printf(" Name: 0x%08lX (%s)\n", pDir->Name, reinterpret_cast<char *>(GetData(pDir->Name))); printf(" Base: 0x%08lX (%lu)\n", pDir->Base, pDir->Base); printf(" NumberOfFunctions: 0x%08lX (%lu)\n", pDir->NumberOfFunctions, pDir->NumberOfFunctions); printf(" NumberOfNames: 0x%08lX (%lu)\n", pDir->NumberOfNames, pDir->NumberOfNames); printf(" AddressOfFunctions: 0x%08lX\n", pDir->AddressOfFunctions); printf(" AddressOfNames: 0x%08lX\n", pDir->AddressOfNames); printf(" AddressOfNameOrdinals: 0x%08lX\n", pDir->AddressOfNameOrdinals); printf(" \n"); printf(" %-50s %-5s ; %-8s %-8s\n", "FUNCTION NAME", "ORDI.", "RVA", "VA"); for (DWORD i = 0; i < ExportSymbols().size(); ++i) { CR_ExportSymbol& symbol = ExportSymbols()[i]; if (symbol.dwRVA) { if (Is64Bit()) { CR_Addr64 va = VA64FromRVA(symbol.dwRVA); if (symbol.pszName) printf(" %-50s @%-4lu ; %08lX %08lX%08lX\n", symbol.pszName, symbol.dwOrdinal, symbol.dwRVA, HILONG(va), LOLONG(va)); else printf(" %-50s @%-4lu ; %08lX %08lX%08lX\n", "(No Name)", symbol.dwOrdinal, symbol.dwRVA, HILONG(va), LOLONG(va)); } else if (Is32Bit()) { CR_Addr32 va = VA32FromRVA(symbol.dwRVA); if (symbol.pszName) printf(" %-50s @%-4lu ; %08lX %08lX\n", symbol.pszName, symbol.dwOrdinal, symbol.dwRVA, va); else printf(" %-50s @%-4lu ; %08lX %08lX\n", "(No Name)", symbol.dwOrdinal, symbol.dwRVA, va); } } else { if (symbol.pszName) printf(" %-50s @%-4lu ; (forwarded to %s)\n", "(No Name)", symbol.dwOrdinal, symbol.pszForwarded); else printf(" %-50s @%-4lu ; (forwarded to %s)\n", "(No Name)", symbol.dwOrdinal, symbol.pszForwarded); } } printf("\n\n"); }