bool SymGetModuleList(std::vector<SYMBOLMODULEINFO>* List) { // // Inline lambda enum // auto EnumModules = [](LPCTSTR ModuleName, DWORD64 BaseOfDll, PVOID UserContext) -> BOOL { SYMBOLMODULEINFO curModule; curModule.base = (duint)BaseOfDll; // Terminate module name if one isn't found if(!ModNameFromAddr(curModule.base, curModule.name, true)) curModule.name[0] = '\0'; ((std::vector<SYMBOLMODULEINFO>*)UserContext)->push_back(curModule); return TRUE; }; // Execute the symbol enumerator (Force cast to STDCALL) if(!SafeSymEnumerateModules64(fdProcessInfo->hProcess, EnumModules, List)) { dputs("SymEnumerateModules64 failed!"); return false; } return true; }
bool FunctionAdd(uint Start, uint End, bool Manual) { // CHECK: Export/Command function if(!DbgIsDebugging()) return false; // Make sure memory is readable if(!MemIsValidReadPtr(Start)) return false; // Fail if boundary exceeds module size const uint moduleBase = ModBaseFromAddr(Start); if(moduleBase != ModBaseFromAddr(End)) return false; // Fail if 'Start' and 'End' are incompatible if(Start > End || FunctionOverlaps(Start, End)) return false; FUNCTIONSINFO function; ModNameFromAddr(Start, function.mod, true); function.start = Start - moduleBase; function.end = End - moduleBase; function.manual = Manual; // Insert to global table EXCLUSIVE_ACQUIRE(LockFunctions); functions.insert(std::make_pair(ModuleRange(ModHashFromAddr(moduleBase), Range(function.start, function.end)), function)); return true; }
bool ArgumentAdd(duint Start, duint End, bool Manual, duint InstructionCount) { // Make sure memory is readable if(!MemIsValidReadPtr(Start)) return false; // Fail if boundary exceeds module size auto moduleBase = ModBaseFromAddr(Start); if(moduleBase != ModBaseFromAddr(End)) return false; // Fail if 'Start' and 'End' are incompatible if(Start > End || ArgumentOverlaps(Start, End)) return false; ARGUMENTSINFO argument; if(!ModNameFromAddr(Start, argument.mod, true)) *argument.mod = '\0'; argument.start = Start - moduleBase; argument.end = End - moduleBase; argument.manual = Manual; argument.instructioncount = InstructionCount; return arguments.Add(argument); }
void StackEntryFromFrame(CALLSTACKENTRY* Entry, uint Address, uint From, uint To) { Entry->addr = Address; Entry->from = From; Entry->to = To; char label[MAX_LABEL_SIZE] = ""; ADDRINFO addrinfo; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(Entry->to, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); char module[MAX_MODULE_SIZE] = ""; ModNameFromAddr(Entry->to, module, false); char returnToAddr[MAX_COMMENT_SIZE] = ""; if(*module) sprintf(returnToAddr, "%s.", module); if(!*label) sprintf(label, fhex, Entry->to); strcat(returnToAddr, label); if(Entry->from) { *label = 0; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(Entry->from, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); *module = 0; ModNameFromAddr(Entry->from, module, false); char returnFromAddr[MAX_COMMENT_SIZE] = ""; if(*module) sprintf(returnFromAddr, "%s.", module); if(!*label) sprintf(label, fhex, Entry->from); strcat(returnFromAddr, label); sprintf_s(Entry->comment, "return to %s from %s", returnToAddr, returnFromAddr); } else sprintf_s(Entry->comment, "return to %s from ???", returnToAddr); }
bool PatchSet(duint Address, unsigned char OldByte, unsigned char NewByte) { ASSERT_DEBUGGING("Export call"); // Address must be valid if(!MemIsValidReadPtr(Address)) return false; // Don't patch anything if the new and old values are the same if(OldByte == NewByte) return true; PATCHINFO newPatch; newPatch.addr = Address - ModBaseFromAddr(Address); newPatch.oldbyte = OldByte; newPatch.newbyte = NewByte; ModNameFromAddr(Address, newPatch.mod, true); // Generate a key for this address const duint key = ModHashFromAddr(Address); EXCLUSIVE_ACQUIRE(LockPatches); // Find any patch with this specific address auto found = patches.find(key); if(found != patches.end()) { if(found->second.oldbyte == NewByte) { // The patch was undone here patches.erase(found); return true; } // Keep the original byte from the previous patch newPatch.oldbyte = found->second.oldbyte; found->second = newPatch; } else { // The entry was never found, insert it patches.insert(std::make_pair(key, newPatch)); } return true; }
const char* SymGetSymbolicName(uint Address) { // // This resolves an address to a module and symbol: // [modname.]symbolname // char label[MAX_SYM_NAME]; // User labels have priority, but if one wasn't found, // default to a symbol lookup if(!LabelGet(Address, label)) { char buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(char)]; PSYMBOL_INFO symbol = (PSYMBOL_INFO)buffer; symbol->SizeOfStruct = sizeof(SYMBOL_INFO); symbol->MaxNameLen = MAX_LABEL_SIZE; // Perform a symbol lookup DWORD64 displacement = 0; if(!SafeSymFromAddr(fdProcessInfo->hProcess, (DWORD64)Address, &displacement, symbol)) return nullptr; // If the symbol wasn't at offset 0 (start from the beginning) ignore it if(displacement != 0) return nullptr; // Terminate the string for sanity symbol->Name[symbol->MaxNameLen - 1] = '\0'; if(!bUndecorateSymbolNames || !SafeUnDecorateSymbolName(symbol->Name, label, MAX_SYM_NAME, UNDNAME_COMPLETE)) strcpy_s(label, symbol->Name); } // TODO: FIXME: STATIC VARIABLE static char symbolicname[MAX_MODULE_SIZE + MAX_SYM_NAME]; char modname[MAX_MODULE_SIZE]; if(ModNameFromAddr(Address, modname, false)) sprintf_s(symbolicname, "%s.%s", modname, label); else sprintf_s(symbolicname, "<%s>", label); return symbolicname; }
bool LoopAdd(uint Start, uint End, bool Manual) { // CHECK: Export function if(!DbgIsDebugging()) return false; // Loop must begin before it ends if(Start > End) return false; // Memory addresses must be valid if(!MemIsValidReadPtr(Start) || !MemIsValidReadPtr(End)) return false; // Check if loop boundaries are in the same module range const uint moduleBase = ModBaseFromAddr(Start); if(moduleBase != ModBaseFromAddr(End)) return false; // Loops cannot overlap other loops int finalDepth = 0; if(LoopOverlaps(0, Start, End, &finalDepth)) return false; // Fill out loop information structure LOOPSINFO loopInfo; loopInfo.start = Start - moduleBase; loopInfo.end = End - moduleBase; loopInfo.depth = finalDepth; loopInfo.manual = Manual; ModNameFromAddr(Start, loopInfo.mod, true); // Link this to a parent loop if one does exist if(finalDepth) LoopGet(finalDepth - 1, Start, &loopInfo.parent, 0); else loopInfo.parent = 0; EXCLUSIVE_ACQUIRE(LockLoops); // Insert into list loops.insert(std::make_pair(DepthModuleRange(finalDepth, ModuleRange(ModHashFromAddr(moduleBase), Range(loopInfo.start, loopInfo.end))), loopInfo)); return true; }
bool LabelSet(uint Address, const char* Text, bool Manual) { // CHECK: Exported/Command function if(!DbgIsDebugging()) return false; // A valid memory address must be supplied if(!MemIsValidReadPtr(Address)) return false; // Make sure the string is supplied, within bounds, and not a special delimiter if(!Text || Text[0] == '\1' || strlen(Text) >= MAX_LABEL_SIZE - 1) return false; // Labels cannot be "address" of actual variables if(strstr(Text, "&")) return false; // Delete the label if no text was supplied if(Text[0] == '\0') return LabelDelete(Address); // Fill out the structure data LABELSINFO labelInfo; labelInfo.manual = Manual; labelInfo.addr = Address - ModBaseFromAddr(Address); strcpy_s(labelInfo.text, Text); ModNameFromAddr(Address, labelInfo.mod, true); EXCLUSIVE_ACQUIRE(LockLabels); // Insert label by key const uint key = ModHashFromAddr(Address); if(!labels.insert(std::make_pair(ModHashFromAddr(key), labelInfo)).second) labels[key] = labelInfo; return true; }
bool CommentSet(uint Address, const char* Text, bool Manual) { // CHECK: Exported/Command function if(!DbgIsDebugging()) return false; // A valid memory address must be supplied if(!MemIsValidReadPtr(Address)) return false; // Make sure the string is supplied, within bounds, and not a special delimiter if(!Text || Text[0] == '\1' || strlen(Text) >= MAX_COMMENT_SIZE - 1) return false; // Delete the comment if no text was supplied if(Text[0] == '\0') return CommentDelete(Address); // Fill out the structure COMMENTSINFO comment; strcpy_s(comment.text, Text); ModNameFromAddr(Address, comment.mod, true); comment.manual = Manual; comment.addr = Address - ModBaseFromAddr(Address); // Key generated from module hash const uint key = ModHashFromAddr(Address); EXCLUSIVE_ACQUIRE(LockComments); // Insert if possible, otherwise replace if(!comments.insert(std::make_pair(key, comment)).second) comments[key] = comment; return true; }
///api functions bool apienumexports(uint base, EXPORTENUMCALLBACK cbEnum) { MEMORY_BASIC_INFORMATION mbi; VirtualQueryEx(fdProcessInfo->hProcess, (const void*)base, &mbi, sizeof(mbi)); uint size = mbi.RegionSize; Memory<void*> buffer(size, "apienumexports:buffer"); if(!MemRead((void*)base, buffer, size, 0)) return false; IMAGE_NT_HEADERS* pnth = (IMAGE_NT_HEADERS*)((uint)buffer + GetPE32DataFromMappedFile((ULONG_PTR)buffer, 0, UE_PE_OFFSET)); uint export_dir_rva = pnth->OptionalHeader.DataDirectory[0].VirtualAddress; uint export_dir_size = pnth->OptionalHeader.DataDirectory[0].Size; IMAGE_EXPORT_DIRECTORY export_dir; memset(&export_dir, 0, sizeof(export_dir)); MemRead((void*)(export_dir_rva + base), &export_dir, sizeof(export_dir), 0); unsigned int NumberOfNames = export_dir.NumberOfNames; if(!export_dir.NumberOfFunctions or !NumberOfNames) //no named exports return false; char modname[MAX_MODULE_SIZE] = ""; ModNameFromAddr(base, modname, true); uint original_name_va = export_dir.Name + base; char original_name[deflen] = ""; memset(original_name, 0, sizeof(original_name)); MemRead((void*)original_name_va, original_name, deflen, 0); char* AddrOfFunctions_va = (char*)(export_dir.AddressOfFunctions + base); char* AddrOfNames_va = (char*)(export_dir.AddressOfNames + base); char* AddrOfNameOrdinals_va = (char*)(export_dir.AddressOfNameOrdinals + base); for(DWORD i = 0; i < NumberOfNames; i++) { DWORD curAddrOfName = 0; MemRead(AddrOfNames_va + sizeof(DWORD)*i, &curAddrOfName, sizeof(DWORD), 0); char* cur_name_va = (char*)(curAddrOfName + base); char cur_name[deflen] = ""; memset(cur_name, 0, deflen); MemRead(cur_name_va, cur_name, deflen, 0); WORD curAddrOfNameOrdinals = 0; MemRead(AddrOfNameOrdinals_va + sizeof(WORD)*i, &curAddrOfNameOrdinals, sizeof(WORD), 0); DWORD curFunctionRva = 0; MemRead(AddrOfFunctions_va + sizeof(DWORD)*curAddrOfNameOrdinals, &curFunctionRva, sizeof(DWORD), 0); if(curFunctionRva >= export_dir_rva and curFunctionRva < export_dir_rva + export_dir_size) { char forwarded_api[deflen] = ""; memset(forwarded_api, 0, deflen); MemRead((void*)(curFunctionRva + base), forwarded_api, deflen, 0); int len = (int)strlen(forwarded_api); int j = 0; while(forwarded_api[j] != '.' and j < len) j++; if(forwarded_api[j] == '.') { forwarded_api[j] = 0; HINSTANCE hTempDll = LoadLibraryExA(forwarded_api, 0, DONT_RESOLVE_DLL_REFERENCES | LOAD_LIBRARY_AS_DATAFILE); if(hTempDll) { uint local_addr = (uint)GetProcAddress(hTempDll, forwarded_api + j + 1); if(local_addr) { uint remote_addr = ImporterGetRemoteAPIAddress(fdProcessInfo->hProcess, local_addr); cbEnum(base, modname, cur_name, remote_addr); } } } } else { cbEnum(base, modname, cur_name, curFunctionRva + base); } } return true; }
bool stackcommentget(duint addr, STACK_COMMENT* comment) { SHARED_ACQUIRE(LockSehCache); const auto found = SehCache.find(addr); if(found != SehCache.end()) { *comment = found->second; return true; } SHARED_RELEASE(); duint data = 0; memset(comment, 0, sizeof(STACK_COMMENT)); MemRead(addr, &data, sizeof(duint)); if(!MemIsValidReadPtr(data)) //the stack value is no pointer return false; duint size = 0; duint base = MemFindBaseAddr(data, &size); duint readStart = data - 16 * 4; if(readStart < base) readStart = base; unsigned char disasmData[256]; MemRead(readStart, disasmData, sizeof(disasmData)); duint prev = disasmback(disasmData, 0, sizeof(disasmData), data - readStart, 1); duint previousInstr = readStart + prev; BASIC_INSTRUCTION_INFO basicinfo; bool valid = disasmfast(disasmData + prev, previousInstr, &basicinfo); if(valid && basicinfo.call) //call { char label[MAX_LABEL_SIZE] = ""; ADDRINFO addrinfo; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(data, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); char module[MAX_MODULE_SIZE] = ""; ModNameFromAddr(data, module, false); char returnToAddr[MAX_COMMENT_SIZE] = ""; if(*module) sprintf(returnToAddr, "%s.", module); if(!*label) sprintf_s(label, "%p", data); strcat(returnToAddr, label); data = basicinfo.addr; if(data) { *label = 0; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(data, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); *module = 0; ModNameFromAddr(data, module, false); char returnFromAddr[MAX_COMMENT_SIZE] = ""; if(*module) sprintf_s(returnFromAddr, "%s.", module); if(!*label) sprintf_s(label, "%p", data); strcat_s(returnFromAddr, label); sprintf_s(comment->comment, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "return to %s from %s")), returnToAddr, returnFromAddr); } else sprintf_s(comment->comment, GuiTranslateText(QT_TRANSLATE_NOOP("DBG", "return to %s from ???")), returnToAddr); strcpy_s(comment->color, "!rtnclr"); // Special token for return address color; return true; } //string char string[MAX_STRING_SIZE] = ""; if(DbgGetStringAt(data, string)) { strncpy_s(comment->comment, string, _TRUNCATE); return true; } //label char label[MAX_LABEL_SIZE] = ""; ADDRINFO addrinfo; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(data, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); char module[MAX_MODULE_SIZE] = ""; ModNameFromAddr(data, module, false); if(*module) //module { if(*label) //+label sprintf_s(comment->comment, "%s.%s", module, label); else //module only sprintf_s(comment->comment, "%s.%p", module, data); return true; } else if(*label) //label only { sprintf_s(comment->comment, "<%s>", label); return true; } return false; }
bool stackcommentget(uint addr, STACK_COMMENT* comment) { uint data = 0; memset(comment, 0, sizeof(STACK_COMMENT)); MemRead(addr, &data, sizeof(uint)); if(!MemIsValidReadPtr(data)) //the stack value is no pointer return false; uint size = 0; uint base = MemFindBaseAddr(data, &size); uint readStart = data - 16 * 4; if(readStart < base) readStart = base; unsigned char disasmData[256]; MemRead(readStart, disasmData, sizeof(disasmData)); uint prev = disasmback(disasmData, 0, sizeof(disasmData), data - readStart, 1); uint previousInstr = readStart + prev; BASIC_INSTRUCTION_INFO basicinfo; bool valid = disasmfast(disasmData + prev, previousInstr, &basicinfo); if(valid && basicinfo.call) //call { char label[MAX_LABEL_SIZE] = ""; ADDRINFO addrinfo; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(data, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); char module[MAX_MODULE_SIZE] = ""; ModNameFromAddr(data, module, false); char returnToAddr[MAX_COMMENT_SIZE] = ""; if(*module) sprintf(returnToAddr, "%s.", module); if(!*label) sprintf(label, fhex, data); strcat(returnToAddr, label); data = basicinfo.addr; if(data) { *label = 0; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(data, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); *module = 0; ModNameFromAddr(data, module, false); char returnFromAddr[MAX_COMMENT_SIZE] = ""; if(*module) sprintf(returnFromAddr, "%s.", module); if(!*label) sprintf(label, fhex, data); strcat_s(returnFromAddr, label); sprintf_s(comment->comment, "return to %s from %s", returnToAddr, returnFromAddr); } else sprintf_s(comment->comment, "return to %s from ???", returnToAddr); strcpy_s(comment->color, "#ff0000"); return true; } //string STRING_TYPE strtype; char string[512] = ""; if(disasmgetstringat(data, &strtype, string, string, 500)) { if(strtype == str_ascii) sprintf(comment->comment, "\"%s\"", string); else //unicode sprintf(comment->comment, "L\"%s\"", string); return true; } //label char label[MAX_LABEL_SIZE] = ""; ADDRINFO addrinfo; addrinfo.flags = flaglabel; if(_dbg_addrinfoget(data, SEG_DEFAULT, &addrinfo)) strcpy_s(label, addrinfo.label); char module[MAX_MODULE_SIZE] = ""; ModNameFromAddr(data, module, false); if(*module) //module { if(*label) //+label sprintf(comment->comment, "%s.%s", module, label); else //module only sprintf(comment->comment, "%s." fhex, module, data); return true; } else if(*label) //label only { sprintf(comment->comment, "<%s>", label); return true; } return false; }
int RefFind(duint Address, duint Size, CBREF Callback, void* UserData, bool Silent, const char* Name, REFFINDTYPE type) { char fullName[deflen]; char moduleName[MAX_MODULE_SIZE]; duint scanStart, scanSize; REFINFO refInfo; if(type == CURRENT_REGION) // Search in current Region { duint regionSize = 0; duint regionBase = MemFindBaseAddr(Address, ®ionSize, true); // If the memory page wasn't found, fail if(!regionBase || !regionSize) { if(!Silent) dprintf("Invalid memory page 0x%p\n", Address); return 0; } // Assume the entire range is used scanStart = regionBase; scanSize = regionSize; // Otherwise use custom boundaries if size was supplied if(Size) { duint maxsize = Size - (Address - regionBase); // Make sure the size fits in one page scanStart = Address; scanSize = min(Size, maxsize); } // Determine the full module name if(ModNameFromAddr(scanStart, moduleName, true)) sprintf_s(fullName, "%s (Region %s)", Name, moduleName); else sprintf_s(fullName, "%s (Region %p)", Name, scanStart); // Initialize disassembler Capstone cp; // Allow an "initialization" notice refInfo.refcount = 0; refInfo.userinfo = UserData; refInfo.name = fullName; RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, true, [](int percent) { GuiReferenceSetCurrentTaskProgress(percent, "Region Search"); GuiReferenceSetProgress(percent); }); } else if(type == CURRENT_MODULE) // Search in current Module { SHARED_ACQUIRE(LockModules); auto modInfo = ModInfoFromAddr(Address); if(!modInfo) { if(!Silent) dprintf("Couldn't locate module for 0x%p\n", Address); return 0; } duint modBase = modInfo->base; duint modSize = modInfo->size; SHARED_RELEASE(); scanStart = modBase; scanSize = modSize; // Determine the full module name if(ModNameFromAddr(scanStart, moduleName, true)) sprintf_s(fullName, "%s (%s)", Name, moduleName); else sprintf_s(fullName, "%s (%p)", Name, scanStart); // Initialize disassembler Capstone cp; // Allow an "initialization" notice refInfo.refcount = 0; refInfo.userinfo = UserData; refInfo.name = fullName; RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, true, [](int percent) { GuiReferenceSetCurrentTaskProgress(percent, "Module Search"); GuiReferenceSetProgress(percent); }); } else if(type == ALL_MODULES) // Search in all Modules { bool initCallBack = true; std::vector<MODINFO> modList; ModGetList(modList); if(!modList.size()) { if(!Silent) dprintf("Couldn't get module list"); return 0; } // Initialize disassembler Capstone cp; // Determine the full module sprintf_s(fullName, "All Modules (%s)", Name); // Allow an "initialization" notice refInfo.refcount = 0; refInfo.userinfo = UserData; refInfo.name = fullName; for(duint i = 0; i < modList.size(); i++) { scanStart = modList[i].base; scanSize = modList[i].size; if(i != 0) initCallBack = false; RefFindInRange(scanStart, scanSize, Callback, UserData, Silent, refInfo, cp, initCallBack, [&i, &modList](int percent) { float fPercent = (float)percent / 100.f; float fTotalPercent = ((float)i + fPercent) / (float)modList.size(); int totalPercent = (int)floor(fTotalPercent * 100.f); char tst[256]; strcpy_s(tst, modList[i].name); GuiReferenceSetCurrentTaskProgress(percent, modList[i].name); GuiReferenceSetProgress(totalPercent); }); } } GuiReferenceSetProgress(100); GuiReferenceReloadData(); return refInfo.refcount; }
SCRIPT_EXPORT bool Script::Module::NameFromAddr(duint addr, char* name) { return ModNameFromAddr(addr, name, true); }
extern "C" DLL_EXPORT bool _dbg_addrinfoget(duint addr, SEGMENTREG segment, ADDRINFO* addrinfo) { if(!DbgIsDebugging()) return false; bool retval = false; if(addrinfo->flags & flagmodule) //get module { if(ModNameFromAddr(addr, addrinfo->module, false)) //get module name retval = true; } if(addrinfo->flags & flaglabel) { if(LabelGet(addr, addrinfo->label)) retval = true; else //no user labels { DWORD64 displacement = 0; char buffer[sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(char)]; PSYMBOL_INFO pSymbol = (PSYMBOL_INFO)buffer; pSymbol->SizeOfStruct = sizeof(SYMBOL_INFO); pSymbol->MaxNameLen = MAX_LABEL_SIZE; if(SafeSymFromAddr(fdProcessInfo->hProcess, (DWORD64)addr, &displacement, pSymbol) && !displacement) { pSymbol->Name[pSymbol->MaxNameLen - 1] = '\0'; if(!bUndecorateSymbolNames || !SafeUnDecorateSymbolName(pSymbol->Name, addrinfo->label, MAX_LABEL_SIZE, UNDNAME_COMPLETE)) strcpy_s(addrinfo->label, pSymbol->Name); retval = true; } if(!retval) //search for CALL <jmp.&user32.MessageBoxA> { BASIC_INSTRUCTION_INFO basicinfo; memset(&basicinfo, 0, sizeof(BASIC_INSTRUCTION_INFO)); if(disasmfast(addr, &basicinfo) && basicinfo.branch && !basicinfo.call && basicinfo.memory.value) //thing is a JMP { uint val = 0; if(MemRead(basicinfo.memory.value, &val, sizeof(val))) { if(SafeSymFromAddr(fdProcessInfo->hProcess, (DWORD64)val, &displacement, pSymbol) && !displacement) { pSymbol->Name[pSymbol->MaxNameLen - 1] = '\0'; if(!bUndecorateSymbolNames || !SafeUnDecorateSymbolName(pSymbol->Name, addrinfo->label, MAX_LABEL_SIZE, UNDNAME_COMPLETE)) sprintf_s(addrinfo->label, "JMP.&%s", pSymbol->Name); retval = true; } } } } if(!retval) //search for module entry { uint entry = ModEntryFromAddr(addr); if(entry && entry == addr) { strcpy_s(addrinfo->label, "EntryPoint"); retval = true; } } } } if(addrinfo->flags & flagbookmark) { addrinfo->isbookmark = BookmarkGet(addr); retval = true; } if(addrinfo->flags & flagfunction) { if(FunctionGet(addr, &addrinfo->function.start, &addrinfo->function.end)) retval = true; } if(addrinfo->flags & flagloop) { if(LoopGet(addrinfo->loop.depth, addr, &addrinfo->loop.start, &addrinfo->loop.end)) retval = true; } if(addrinfo->flags & flagcomment) { *addrinfo->comment = 0; if(CommentGet(addr, addrinfo->comment)) retval = true; else { DWORD dwDisplacement; IMAGEHLP_LINE64 line; line.SizeOfStruct = sizeof(IMAGEHLP_LINE64); if(SafeSymGetLineFromAddr64(fdProcessInfo->hProcess, (DWORD64)addr, &dwDisplacement, &line) && !dwDisplacement) { char filename[deflen] = ""; strcpy_s(filename, line.FileName); int len = (int)strlen(filename); while(filename[len] != '\\' && len != 0) len--; if(len) len++; sprintf_s(addrinfo->comment, "\1%s:%u", filename + len, line.LineNumber); retval = true; } else if(!bOnlyCipAutoComments || addr == GetContextDataEx(hActiveThread, UE_CIP)) //no line number { DISASM_INSTR instr; String temp_string; String comment; ADDRINFO newinfo; char ascii[256 * 2] = ""; char unicode[256 * 2] = ""; memset(&instr, 0, sizeof(DISASM_INSTR)); disasmget(addr, &instr); int len_left = MAX_COMMENT_SIZE; for(int i = 0; i < instr.argcount; i++) { memset(&newinfo, 0, sizeof(ADDRINFO)); newinfo.flags = flaglabel; STRING_TYPE strtype = str_none; if(instr.arg[i].constant == instr.arg[i].value) //avoid: call <module.label> ; addr:label { if(instr.type == instr_branch || !disasmgetstringat(instr.arg[i].constant, &strtype, ascii, unicode, len_left) || strtype == str_none) continue; switch(strtype) { case str_none: break; case str_ascii: temp_string = instr.arg[i].mnemonic; temp_string.append(":\""); temp_string.append(ascii); temp_string.append("\""); break; case str_unicode: temp_string = instr.arg[i].mnemonic; temp_string.append(":L\""); temp_string.append(unicode); temp_string.append("\""); break; } } else if(instr.arg[i].memvalue && (disasmgetstringat(instr.arg[i].memvalue, &strtype, ascii, unicode, len_left) || _dbg_addrinfoget(instr.arg[i].memvalue, instr.arg[i].segment, &newinfo))) { switch(strtype) { case str_none: if(*newinfo.label) { temp_string = "["; temp_string.append(instr.arg[i].mnemonic); temp_string.append("]:"); temp_string.append(newinfo.label); } break; case str_ascii: temp_string = "["; temp_string.append(instr.arg[i].mnemonic); temp_string.append("]:"); temp_string.append(ascii); break; case str_unicode: temp_string = "["; temp_string.append(instr.arg[i].mnemonic); temp_string.append("]:"); temp_string.append(unicode); break; } } else if(instr.arg[i].value && (disasmgetstringat(instr.arg[i].value, &strtype, ascii, unicode, len_left) || _dbg_addrinfoget(instr.arg[i].value, instr.arg[i].segment, &newinfo))) { if(instr.type != instr_normal) //stack/jumps (eg add esp,4 or jmp 401110) cannot directly point to strings strtype = str_none; switch(strtype) { case str_none: if(*newinfo.label) { temp_string = instr.arg[i].mnemonic; temp_string.append(":"); temp_string.append(newinfo.label); } break; case str_ascii: temp_string = instr.arg[i].mnemonic; temp_string.append(":\""); temp_string.append(ascii); temp_string.append("\""); break; case str_unicode: temp_string = instr.arg[i].mnemonic; temp_string.append(":L\""); temp_string.append(unicode); temp_string.append("\""); break; } } else continue; if(!strstr(comment.c_str(), temp_string.c_str())) { if(comment.length()) comment.append(", "); comment.append(temp_string); retval = true; } } comment.resize(MAX_COMMENT_SIZE - 2); String fullComment = "\1"; fullComment += comment; strcpy_s(addrinfo->comment, fullComment.c_str()); } } } return retval; }