x64dbg/x64dbg
x64dbg
/
x64dbg
1
0
Fork 0
Code Releases 5 Activity

DBG: added possibility for '?' as delimiter. this ignores exports (useful if there are exports called "entry" or "imagebase")

This commit is contained in:
Mr. eXoDia 2014-12-29 00:58:59 +01:00
parent ed5fbad687
commit 7deb13966e
2 changed files with 32 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
help/Input.htm
View File

@ -49,27 +49,38 @@ numbers are interpreted as hex by default. If you want to be sure, you can use
the "x" prefix or the "0x" prefix. Decimal numbers can be used by prefixing the
number with a "." (.123=7B).</P>
<P class=rvps3><U>basic calculations</U>: See "Calculations" for more information.</P>
<P class=rvps3><U>DLL exports</U>: Type
'GetProcAddress' and it will automatically be resolved to the actual address of
the function. To explicitly define from which module
to load the API, use: "[module].dll:[api]" or "[module]:[api]". In a similar
way you can resolve ordinals, try "[module]:[ordinal]". Another macro allows you to get the
loaded base of a module. Try "[module]:0",
"[module]:base", "[module]:imagebase" or "[module]:header". When "[module]" is an empty string (":0" for example), the
<P class=rvps3><U>DLL exports</U>
: Type 'GetProcAddress' and it will automatically be
resolved to the actual address of the function.
To explicitly define from which module to load the API, use:
"[module].dll:[api]" or "[module]:[api]". In a similar way you can resolve ordinals, try "[module]:[ordinal]". Another
macro allows you to get the loaded
base of a module. When "[module]" is an empty string (":GetProcAddress" for example), the
module that is currently selected in the CPU will be
used.</P>
<P class=rvps3><U>Loaded Module&nbsp;Bases</U>
: If you want to access the loaded module base,
you can write: "[module]:0", "[module]:base", "[module]:imagebase" or
"[module]:header". You can also use '?' as a delimiter instead of ':'. This is
useful if the module contains an export called "imagebase" for
example.</P>
<P class=rvps3><U>RVA/File Offset</U>:
If you want to access a module RVA you can either write "[module]:0+[rva]" or
you can write "[module]:$[rva]". If you want
to convert a file offset to a VA you can use "[module]:#[offset]". When "[module]" is
an empty string (":0" for example), the module that is currently selected in the CPU will
be used.</P>
<P class=rvps3><U>Module Entry Points</U>
<P class=rvps3><U>Module Entry Points</U> : To access a module entry point you can write "[module]:entry",
"[module]:oep" or "[module]:ep". Notice that when there are exports with the
names "entry",
: To
access a module entry point you can write "[module]:entry", "[module]:oep" or "[module]:ep". Notice that when
there are exports with the names "entry", "oep" or "ep" the address of these will be
returned instead.</P>
"oep" or
"ep" the address of these will be returned instead. You can also use '?' as
a delimiter instead of ':'. This is useful if the module contains an export called "entry"
for example.</P>
<P class=rvps3><U>labels/symbols</U>:
user-defined labels and symbols&nbsp;are a valid expressions.</P>
<P class=rvps3><STRONG>Input for arguments can always be done in any of

12
x64_dbg_dbg/value.cpp
View File

@ -1169,7 +1169,13 @@ bool valapifromstring(const char* name, uint* value, int* value_size, bool print
if(!value or !DbgIsDebugging())
return false;
//explicit API handling
const char* apiname = strstr(name, ":");
const char* apiname = strstr(name, ":"); //the ':' character cannot be in a path: http://msdn.microsoft.com/en-us/library/windows/desktop/aa365247(v=vs.85).aspx#naming_conventions
bool noexports = false;
if(!apiname)
{
apiname = strstr(name, "?"); //the '?' character cannot be in a path either
noexports = true;
}
if(apiname)
{
char modname[MAX_MODULE_SIZE] = "";
@ -1210,7 +1216,7 @@ bool valapifromstring(const char* name, uint* value, int* value_size, bool print
}
else
{
uint addr = (uint)GetProcAddress(mod, apiname);
uint addr = noexports ? 0 : (uint)GetProcAddress(mod, apiname);
if(!addr) //not found
{
if(scmp(apiname, "base") or scmp(apiname, "imagebase") or scmp(apiname, "header")) //get loaded base
@ -1234,7 +1240,7 @@ bool valapifromstring(const char* name, uint* value, int* value_size, bool print
uint ordinal;
if(valfromstring(apiname, &ordinal))
{
addr = (uint)GetProcAddress(mod, (LPCSTR)(ordinal & 0xFFFF));
addr = noexports ? 0 : (uint)GetProcAddress(mod, (LPCSTR)(ordinal & 0xFFFF));
if(!addr and !ordinal) //support for getting the image base using <modname>:0
addr = modbase;
}