void CR_Module::DumpImportSymbols()
{
PIMAGE_IMPORT_DESCRIPTOR descs;
CR_StringSet dll_names;
CR_DeqSet<CR_ImportSymbol> symbols;
descs = ImportDescriptors();
if (descs == NULL)
return;
printf("\n### IMPORTS ###\n");
printf(" Characteristics: 0x%08lX\n", descs->Characteristics);
printf(" TimeDateStamp: 0x%08lX (%s)\n", descs->TimeDateStamp,
CrGetTimeStampString(descs->TimeDateStamp));
printf(" ForwarderChain: 0x%08lX\n", descs->ForwarderChain);
printf(" Name: 0x%08lX (%s)\n", descs->Name, reinterpret_cast<char *>(GetData(descs->Name)));
printf(" \n");
if (!_GetImportDllNames(dll_names))
return;
for (DWORD i = 0; i < dll_names.size(); ++i)
{
printf(" %s\n", dll_names[i].c_str());
if (Is64Bit())
printf(" RVA VA HINT FUNCTION NAME\n");
else
printf(" RVA VA HINT FUNCTION NAME\n");
if (_GetImportSymbols(i, symbols))
{
for (DWORD j = 0; j < symbols.size(); j++)
{
if (Is64Bit())
{
CR_Addr64 addr = VA64FromRVA(symbols[j].dwRVA);
printf(" %08lX %08lX%08lX ", symbols[j].dwRVA,
HILONG(addr), LOLONG(addr));
}
else if (Is32Bit())
{
CR_Addr32 addr = VA32FromRVA(symbols[j].dwRVA);
printf(" %08lX %08lX ", symbols[j].dwRVA, addr);
}
if (symbols[j].Name.wImportByName)
printf("%4X %s\n", symbols[j].wHint, symbols[j].pszName);
else
printf("Ordinal %d\n", symbols[j].Name.wOrdinal);
}
printf(" \n");
}
}
}
BOOL CR_ModuleEx::_PrepareForDisAsm32() {
if (!IsModuleLoaded() || !Is32Bit())
return FALSE;
_CreateInfo32();
if (Info32()->Entrances().size()) {
return TRUE;
}
// register entrances
auto RVA = RVAOfEntryPoint();
CR_Addr32 va = VA32FromRVA(RVA);
Info32()->Entrances().emplace(va);
{
auto codefunc = make_shared<CR_CodeFunc32>();
codefunc->Addr() = va;
codefunc->Name() = "EntryPoint";
codefunc->StackArgSizeRange().Set(0);
codefunc->FuncFlags() |= cr_FF_CDECL;
Info32()->MapAddrToCodeFunc().emplace(va, codefunc);
MapRVAToFuncName().emplace(RVA, codefunc->Name());
MapFuncNameToRVA().emplace(codefunc->Name(), RVA);
}
// exporting functions are entrances
for (auto& e_symbol : ExportSymbols()) {
va = VA32FromRVA(e_symbol.dwRVA);
if (!AddressInCode32(va)) {
continue;
}
Info32()->Entrances().emplace(va);
MapRVAToFuncName().emplace(e_symbol.dwRVA, e_symbol.pszName);
MapFuncNameToRVA().emplace(e_symbol.pszName, e_symbol.dwRVA);
}
return TRUE;
} // CR_ModuleEx::_PrepareForDisAsm32
void CR_Module::DumpDelayLoad()
{
if (DelayLoadDescriptors().empty())
{
LoadDelayLoad();
if (DelayLoadDescriptors().empty())
return;
}
printf("\n### DELAY LOAD ###\n");
const std::size_t size = DelayLoadDescriptors().size();
DWORD rva;
if (Is64Bit())
{
CR_Addr64 addr;
for (std::size_t i = 0; i < size; ++i)
{
printf(" ### Descr #%u ###\n", static_cast<int>(i));
printf(" NAME %-8s %-8s\n", "RVA", "VA");
rva = DelayLoadDescriptors()[i].grAttrs;
addr = VA64FromRVA(rva);
printf(" Attrs: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
rva = DelayLoadDescriptors()[i].rvaDLLName;
addr = VA64FromRVA(rva);
printf(" DLL Name: %s\n", (LPCSTR)(LoadedImage() + rva));
printf(" : %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
rva = DelayLoadDescriptors()[i].rvaHmod;
addr = VA64FromRVA(rva);
printf(" Module: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
rva = DelayLoadDescriptors()[i].rvaIAT;
addr = VA64FromRVA(rva);
printf(" IAT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
rva = DelayLoadDescriptors()[i].rvaINT;
addr = VA64FromRVA(rva);
printf(" INT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
rva = DelayLoadDescriptors()[i].rvaBoundIAT;
addr = VA64FromRVA(rva);
printf(" BoundIAT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
rva = DelayLoadDescriptors()[i].rvaUnloadIAT;
addr = VA64FromRVA(rva);
printf(" UnloadIAT: %08lX %08lX%08lX\n", rva, HILONG(addr), LOLONG(addr));
const char *pszTime = CrGetTimeStampString(DelayLoadDescriptors()[i].dwTimeStamp);
printf(" dwTimeStamp: 0x%08lX (%s)",
DelayLoadDescriptors()[i].dwTimeStamp, pszTime);
}
}
else if (Is32Bit())
{
CR_Addr32 addr;
for (std::size_t i = 0; i < size; ++i)
{
printf(" ### Descr #%u ###\n", static_cast<int>(i));
printf(" NAME %-8s %-8s\n", "RVA", "VA");
rva = DelayLoadDescriptors()[i].grAttrs;
addr = VA32FromRVA(rva);
printf(" Attrs: %08lX %08lX\n", rva, addr);
rva = DelayLoadDescriptors()[i].rvaDLLName;
addr = VA32FromRVA(rva);
printf(" DLL Name: %s\n", (LPCSTR)(LoadedImage() + rva));
printf(" : %08lX %08lX\n", rva, addr);
rva = DelayLoadDescriptors()[i].rvaHmod;
addr = VA32FromRVA(rva);
printf(" Module: %08lX %08lX\n", rva, addr);
rva = DelayLoadDescriptors()[i].rvaIAT;
addr = VA32FromRVA(rva);
printf(" IAT: %08lX %08lX\n", rva, addr);
rva = DelayLoadDescriptors()[i].rvaINT;
addr = VA32FromRVA(rva);
printf(" INT: %08lX %08lX\n", rva, addr);
rva = DelayLoadDescriptors()[i].rvaBoundIAT;
addr = VA32FromRVA(rva);
printf(" BoundIAT: %08lX %08lX\n", rva, addr);
rva = DelayLoadDescriptors()[i].rvaUnloadIAT;
addr = VA32FromRVA(rva);
printf(" UnloadIAT: %08lX %08lX\n", rva, addr);
const char *pszTime = CrGetTimeStampString(DelayLoadDescriptors()[i].dwTimeStamp);
printf(" dwTimeStamp: 0x%08lX (%s)",
DelayLoadDescriptors()[i].dwTimeStamp, pszTime);
}
}
printf("\n\n");
}
void CR_Module::DumpExportSymbols()
{
PIMAGE_EXPORT_DIRECTORY pDir = ExportDirectory();
if (pDir == NULL)
return;
//DWORD dwNumberOfNames = pDir->NumberOfNames;
//DWORD dwAddressOfFunctions = pDir->AddressOfFunctions;
//DWORD dwAddressOfNames = pDir->AddressOfNames;
//DWORD dwAddressOfOrdinals = pDir->AddressOfNameOrdinals;
//LPDWORD pEAT = (LPDWORD)GetData(dwAddressOfFunctions);
//LPDWORD pENPT = (LPDWORD)GetData(dwAddressOfNames);
//LPWORD pOT = (LPWORD)GetData(dwAddressOfOrdinals);
printf("\n### EXPORTS ###\n");
printf(" Characteristics: 0x%08lX\n", pDir->Characteristics);
printf(" TimeDateStamp: 0x%08lX (%s)\n", pDir->TimeDateStamp, CrGetTimeStampString(pDir->TimeDateStamp));
printf(" Version: %u.%u\n", pDir->MajorVersion, pDir->MinorVersion);
printf(" Name: 0x%08lX (%s)\n", pDir->Name, reinterpret_cast<char *>(GetData(pDir->Name)));
printf(" Base: 0x%08lX (%lu)\n", pDir->Base, pDir->Base);
printf(" NumberOfFunctions: 0x%08lX (%lu)\n", pDir->NumberOfFunctions, pDir->NumberOfFunctions);
printf(" NumberOfNames: 0x%08lX (%lu)\n", pDir->NumberOfNames, pDir->NumberOfNames);
printf(" AddressOfFunctions: 0x%08lX\n", pDir->AddressOfFunctions);
printf(" AddressOfNames: 0x%08lX\n", pDir->AddressOfNames);
printf(" AddressOfNameOrdinals: 0x%08lX\n", pDir->AddressOfNameOrdinals);
printf(" \n");
printf(" %-50s %-5s ; %-8s %-8s\n", "FUNCTION NAME", "ORDI.", "RVA", "VA");
for (DWORD i = 0; i < ExportSymbols().size(); ++i)
{
CR_ExportSymbol& symbol = ExportSymbols()[i];
if (symbol.dwRVA)
{
if (Is64Bit())
{
CR_Addr64 va = VA64FromRVA(symbol.dwRVA);
if (symbol.pszName)
printf(" %-50s @%-4lu ; %08lX %08lX%08lX\n",
symbol.pszName, symbol.dwOrdinal, symbol.dwRVA,
HILONG(va), LOLONG(va));
else
printf(" %-50s @%-4lu ; %08lX %08lX%08lX\n",
"(No Name)", symbol.dwOrdinal, symbol.dwRVA,
HILONG(va), LOLONG(va));
}
else if (Is32Bit())
{
CR_Addr32 va = VA32FromRVA(symbol.dwRVA);
if (symbol.pszName)
printf(" %-50s @%-4lu ; %08lX %08lX\n",
symbol.pszName, symbol.dwOrdinal, symbol.dwRVA, va);
else
printf(" %-50s @%-4lu ; %08lX %08lX\n",
"(No Name)", symbol.dwOrdinal, symbol.dwRVA, va);
}
}
else
{
if (symbol.pszName)
printf(" %-50s @%-4lu ; (forwarded to %s)\n",
"(No Name)", symbol.dwOrdinal, symbol.pszForwarded);
else
printf(" %-50s @%-4lu ; (forwarded to %s)\n",
"(No Name)", symbol.dwOrdinal, symbol.pszForwarded);
}
}
printf("\n\n");
}
