DBG: added 'modcallfind' command

2014-06-24 04:52:04 +02:00 · 2014-06-24 04:52:04 +02:00 · 43eb27258e
parent f1a2270d31
commit 43eb27258e
8 changed files with 82 additions and 7 deletions
--- a/x64_dbg_bridge/bridgemain.cpp
+++ b/x64_dbg_bridge/bridgemain.cpp
@ -272,8 +272,10 @@ BRIDGE_IMPEXP bool DbgGetLabelAt(duint addr, SEGMENTREG segment, char* text) //(
        if(!DbgMemIsValidReadPtr(addr))
            return false;
        DbgMemRead(addr, (unsigned char*)&addr_, sizeof(duint));
-        if(!_dbg_addrinfoget(addr_, SEG_DEFAULT, &info))
+        ADDRINFO ptrinfo = info;
+        if(!_dbg_addrinfoget(addr_, SEG_DEFAULT, &ptrinfo))
            return false;
+        sprintf_s(info.label, "&%s", ptrinfo.label);
    }
    strcpy(text, info.label);
    return true;
--- a/x64_dbg_dbg/_exports.cpp
+++ b/x64_dbg_dbg/_exports.cpp
@ -35,7 +35,7 @@ extern "C" DLL_EXPORT bool _dbg_memmap(MEMMAP* memmap)
    memset(memmap, 0, sizeof(MEMMAP));

    MEMORY_BASIC_INFORMATION mbi;
-    DWORD numBytes;
+    SIZE_T numBytes;
    uint MyAddress=0, newAddress=0;
    uint curAllocationBase=0;

@ -248,6 +248,24 @@ extern "C" DLL_EXPORT bool _dbg_addrinfoget(duint addr, SEGMENTREG segment, ADDR
                    strcpy(addrinfo->label, pSymbol->Name);
                retval=true;
            }
+            if(!retval) //search for CALL <jmp.&user32.MessageBoxA>
+            {
+                BASIC_INSTRUCTION_INFO basicinfo;
+                memset(&basicinfo, 0, sizeof(BASIC_INSTRUCTION_INFO));
+                if(disasmfast(addr, &basicinfo) && basicinfo.branch && !basicinfo.call && basicinfo.memory.value) //thing is a JMP
+                {
+                    uint val=0;
+                    if(memread(fdProcessInfo->hProcess, (const void*)basicinfo.memory.value, &val, sizeof(val), 0))
+                    {
+                        if(SymFromAddr(fdProcessInfo->hProcess, (DWORD64)val, &displacement, pSymbol) and !displacement)
+                        {
+                            if(settingboolget("Engine", "UndecorateSymbolNames") or !UnDecorateSymbolName(pSymbol->Name, addrinfo->label, MAX_LABEL_SIZE, UNDNAME_COMPLETE))
+                                sprintf_s(addrinfo->label, "JMP.&%s", pSymbol->Name);
+                            retval=true;
+                        }
+                    }
+                }
+            }
        }
    }
    if(addrinfo->flags&flagbookmark)
--- a/x64_dbg_dbg/addrinfo.cpp
+++ b/x64_dbg_dbg/addrinfo.cpp
@ -396,7 +396,7 @@ void commentcacheload(JSON root)
 ///label functions
 bool labelset(uint addr, const char* text, bool manual)
 {
-    if(!DbgIsDebugging() or !memisvalidreadptr(fdProcessInfo->hProcess, addr) or !text or strlen(text)>=MAX_LABEL_SIZE-1)
+    if(!DbgIsDebugging() or !memisvalidreadptr(fdProcessInfo->hProcess, addr) or !text or strlen(text)>=MAX_LABEL_SIZE-1 or strstr(text, "&"))
        return false;
    if(!*text) //NOTE: delete when there is no text
        return labeldel(addr);
@ -516,6 +516,10 @@ void labelcacheload(JSON root)
                strcpy(curLabel.text, text);
            else
                continue; //skip
+            int len=strlen(curLabel.text);
+            for(int i=0; i<len; i++)
+                if(curLabel.text[i]=='&')
+                    curLabel.text[i]=' ';
            const uint key=modhashfromname(curLabel.mod)+curLabel.addr;
            labels.insert(std::make_pair(key, curLabel));
        }
--- a/x64_dbg_dbg/instruction.cpp
+++ b/x64_dbg_dbg/instruction.cpp
@ -794,7 +794,7 @@ CMDRESULT cbInstrRefFind(int argc, char* argv[])
            size=0;
    uint ticks=GetTickCount();
    int found=reffind(addr, size, cbRefFind, (void*)value, false);
-    dprintf("%u references in %ums\n", found, GetTickCount()-ticks);
+    dprintf("%u reference(s) in %ums\n", found, GetTickCount()-ticks);
    varset("$result", found, false);
    return STATUS_CONTINUE;
 }
@ -859,7 +859,7 @@ CMDRESULT cbInstrRefStr(int argc, char* argv[])
            size=0;
    uint ticks=GetTickCount();
    int found=reffind(addr, size, cbRefStr, 0, false);
-    dprintf("%u references in %ums\n", found, GetTickCount()-ticks);
+    dprintf("%u string(s) in %ums\n", found, GetTickCount()-ticks);
    varset("$result", found, false);
    return STATUS_CONTINUE;
 }
@ -976,3 +976,52 @@ CMDRESULT cbInstrFind(int argc, char* argv[])
    DbgCmdExec("$result");
    return STATUS_CONTINUE;
 }
+
+//modcallfind [page]
+static bool cbModCallFind(DISASM* disasm, BASIC_INSTRUCTION_INFO* basicinfo, REFINFO* refinfo)
+{
+    if(!refinfo) //initialize
+    {
+        GuiReferenceDeleteAllColumns();
+        GuiReferenceAddColumn(2*sizeof(uint), "Address");
+        GuiReferenceAddColumn(0, "Disassembly");
+        GuiReferenceReloadData();
+        return true;
+    }
+    bool found=false;
+    if(basicinfo->call) //we are looking for calls
+    {
+        uint ptr=basicinfo->memory.value > 0 ? basicinfo->memory.value : basicinfo->addr;
+        char label[MAX_LABEL_SIZE]="";
+        found=DbgGetLabelAt(ptr, SEG_DEFAULT, label) && !labelget(ptr, label); //a non-user label
+    }
+    if(found)
+    {
+        char addrText[20]="";
+        sprintf(addrText, "%p", disasm->VirtualAddr);
+        GuiReferenceSetRowCount(refinfo->refcount+1);
+        GuiReferenceSetCellContent(refinfo->refcount, 0, addrText);
+        char disassembly[2048]="";
+        if(GuiGetDisassembly((duint)disasm->VirtualAddr, disassembly))
+            GuiReferenceSetCellContent(refinfo->refcount, 1, disassembly);
+        else
+            GuiReferenceSetCellContent(refinfo->refcount, 1, disasm->CompleteInstr);
+    }
+    return found;
+}
+
+CMDRESULT cbInstrModCallFind(int argc, char* argv[])
+{
+    uint addr;
+    if(argc<2 or !valfromstring(argv[1], &addr, true))
+        addr=GetContextData(UE_CIP);
+    uint size=0;
+    if(argc>=3)
+        if(!valfromstring(argv[2], &size, true))
+            size=0;
+    uint ticks=GetTickCount();
+    int found=reffind(addr, size, cbModCallFind, 0, false);
+    dprintf("%u call(s) in %ums\n", found, GetTickCount()-ticks);
+    varset("$result", found, false);
+    return STATUS_CONTINUE;
+}
--- a/x64_dbg_dbg/instruction.h
+++ b/x64_dbg_dbg/instruction.h
@ -51,5 +51,6 @@ CMDRESULT cbInstrSetstr(int argc, char* argv[]);
 CMDRESULT cbInstrGetstr(int argc, char* argv[]);

 CMDRESULT cbInstrFind(int argc, char* argv[]);
+CMDRESULT cbInstrModCallFind(int argc, char* argv[]);

 #endif // _INSTRUCTIONS_H
--- a/x64_dbg_dbg/value.cpp
+++ b/x64_dbg_dbg/value.cpp
@ -257,7 +257,7 @@ static bool isregister(const char* string)
    return false;
 }

-bool valflagfromstring(unsigned int eflags, const char* string)
+bool valflagfromstring(uint eflags, const char* string)
 {
    if(scmp(string, "cf"))
        return (bool)((int)(eflags&0x1)!=0);
--- a/x64_dbg_dbg/value.h
+++ b/x64_dbg_dbg/value.h
@ -11,7 +11,7 @@ bool valfromstring(const char* string, uint* value, bool silent, bool baseonly,
 bool valfromstring(const char* string, uint* value, bool silent, bool baseonly);
 bool valfromstring(const char* string, uint* value, bool silent);
 bool valfromstring(const char* string, uint* value);
-bool valflagfromstring(unsigned int eflags, const char* string);
+bool valflagfromstring(uint eflags, const char* string);
 bool valtostring(const char* string, uint* value, bool silent);

 #endif // _VALUE_H
--- a/x64_dbg_dbg/x64_dbg.cpp
+++ b/x64_dbg_dbg/x64_dbg.cpp
@ -181,6 +181,7 @@ static void registercommands()
    dbgcmdnew("DebugContinue\1con", cbDebugContinue, true); //set continue status
    dbgcmdnew("bpdll", cbBpDll, true); //set dll breakpoint
    dbgcmdnew("bcdll", cbBcDll, true); //remove dll breakpoint
+    dbgcmdnew("modcallfind", cbInstrModCallFind, true); //find intermodular calls
 }

 static bool cbCommandProvider(char* cmd, int maxlen)