Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Some Code for you mrexodia #2211

Closed
wants to merge 2,557 commits into from

Conversation

@VladlenaVashchenko
Copy link

commented Sep 9, 2019

Hi mrexodia,

Would you please add my code too. Can you pm me when free.

Thanks,
VV

mrexodia and others added 30 commits Jan 6, 2018
[DBG] Work on modinfo improvements:
- Add ImageNtHeaders() (clone of RtlImageNtHeaderEx which doesn't exist on XP) to obtain PE headers given a VA
- Add HEADER_FIELD() and THUNK_VAL() macros to module.h to allow accessing header fields independent of process and file bitness
- Add IMAGE_NT_HEADERS pointer to MODINFO, since anything related to parsing PEs needs this struct
- Read PE headers in GetModuleInfo(). Currently the headers are being parsed every time a TitanEngine helper function is called, the goal is to reduce this to once per module load
- GetModuleInfo(): eliminate all TitanEngine calls now that we have the headers
- Add RvaToVa() for SEC_COMMIT mappings. This can simultaneously serve as replacement for rva2offset helpers (pass base = 0). Preferably SEC_IMAGE should be used though as that way neither of these would be needed
- ReadExportDirectory(): use RtlImageDirectoryEntryToData() to obtain a PIMAGE_EXPORT_DIRECTORY and its size in one go to eliminate TitanEngine helper calls and RVA to offset conversions
- Answer burning questions re: Windows loader behaviour when parsing exports in comments
- (Minor) fix '>= 0' comparison against unsigned as this will always evaluate to true
- Add comment re: PDB search path order since it's wrong atm but I'm too scared of breaking something if I change this code myself
- ReadDebugDirectory(): add about 20 years worth of missing debug dir…
…ectory type names

- symbolsourcedia.h: Add _global.h #include to prevent various macros like WINVER and _WIN32_WINNT from being redefined because Windows.h was indirectly included first
[DBG] Rewrite ReadImportDirectory()
- Obtain the directory directly using RtlImageDirectoryEntryToData and ditch TitanEngine conversion helpers
- Use OFTs instead of FTs if possible, with FTs only as fallback
- Answer the pop quiz questions in comments re: ntdll loader behaviour and handle these cases appropriately
- Use THUNK_VAL() to obtain OFT/FT values independent of process and file bitness
- Always use ULONG64 for AddressOfData to be able to test for IMAGE_ORDINAL_FLAG64. Also return ULONG64 from RvaToVa(), and rva2offset too as a result of this. This makes these functions compatible with both 32 and 64 bit files regardless of process bitness. There shouldn't be any functional changes due to this, otherwise will revert/fix
- Require an import by name to have a non-null name in addition to not having the ordinal flag set. Otherwise treat it as an import by ordinal
- The ordinal value of an import by ordinal is obtained by (val & 0xffff), not (val &= ~ordinalFlag). The ordinal flag is now always removed to ensure the RVA is valid
- Give imports by ordinal a 'name' the same way dbghelp does, e.g. Ordinal57. Previously imports by ordinal were not being shown in the Symbols tab due to having no name. TODO: if we have the PDB for the file being imported from, we can overwrite or append the real function name later using the importee's export directory
- RvaToVa(): assert that RVA 0 always returns VA 0, because if this isn't the case something is seriously messed up
Add clarifying comment/TODO re: invalid RVAs to ReadExportDirectory()…
…. Don't feed your .avi collection to this function just yet
DBG: misc. changes and fixes in SymbolSourceDIA:
- Rename SetThreadDescription to SetWin10ThreadDescription, to clarify that this function isn't actually useful to anyone. (ha ha, OK... but seriously, the same name is also used by the Windows SDK which apparently takes precedence and gets added as a static import, making it impossible to start the debugger on OSes other than Windows 10)
- Thread names are a good idea and they even kind of work on older Windows versions with NtQueryInformationThread(ThreadQuerySetWin32StartAddress), which is what e.g. Process Explorer and Process Hacker use. What *doesn't* work so well is lambdas. Added static functions SymbolsThread() and SourceLinesThread() to replace these. (before: x64dbg.dll!<lambda_fc00d3fb731b14a9b4857ac068d657c4>::<lambda_invoker_cdecl>. after: x64dbg.dll!SymbolSourceDIA::SymbolsThread). These should probably be file statics instead of class members, but they need access to private class functions
- GetModuleHandleA -> GetModuleHandleW. The former just calls the latter but with an extra string allocation and pointless unicode conversion
- Fix pedantic Clang warnings about member initialization order in ctor
- Qualify type name in call to virtual function in destructor, as this will be statically resolved and won't call any potential future implementations in derived classes (this can be further 'fixed' by making either the function or the class final so you'll get a compile time error if you try to do this later)
RvaToVa(): use SizeOfRawData instead of VirtualSize as the upper boun…
…d on section RVAs. This matches the behaviour of RtlImageRvaToSection for SEC_COMMIT mappings
Rewrite ReadTlsCallbacks() to use RtlImageDirectoryEntryToData and re…
…move all TitanEngine calls. Also fix an anti-debug trick I found by accident: it is possible to have working TLS callbacks with a TLS directory size of 0. The loader does not check this field and always executes callbacks if they exist
mrexodia and others added 17 commits Jun 22, 2019
GUI: Added Implemented color (orange/cyan) directional differentiatio…
…n for sidebar jumps.

Existing configurations will use their color for forwards, and orange for backwards.
@codemanxpensive

This comment has been minimized.

mrexodia added 9 commits Aug 22, 2019
DBG: fix bugfix
closes #2206
@VladlenaVashchenko

This comment has been minimized.

Copy link

commented on 31443c2 Sep 9, 2019

Hello mrexodia,

It is good to know that you are working on find functions. would you please add support for string aswell. By the way the new code you updated would give search address back in results for find 0x400000, "{s:data}". The result will be 400000. We usually expect 0 if the search fails. The same goes for find 0x400000, "{s:}".

Please forgive my English, I have just started to learn it in college now.

Thanks,
VV

@mrexodia

This comment has been minimized.

Copy link
Member

commented Sep 13, 2019

Please try this again, I cannot even see what code you changed because you are so far behind development.

@mrexodia mrexodia closed this Sep 13, 2019

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
You can’t perform that action at this time.