Duncan Ogilvie
b8ae4b1496
DBG: invalidate symbol source when MODINFO is destroyed
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
d70ed83a72
DBG: fix a bug in getLabel where jmp [MessageBoxA] would not be recognized correctly
2018-07-01 19:28:06 +02:00
Duncan Ogilvie
df31f0da45
DBG: change symbol load order + add debuggee.pdb to the search list
2018-07-01 19:28:05 +02:00
Duncan Ogilvie
4098dc8fb2
DBG: finally fix the handle leak in PDBDiaFile
2018-07-01 19:28:05 +02:00
Duncan Ogilvie
34279ebf08
GUI: fix performance bottleneck with Qt signals
2018-07-01 19:28:04 +02:00
Duncan Ogilvie
8af904fad6
DBG: fix assert in debug mode on pluginunloadall
2018-07-01 19:28:04 +02:00
Duncan Ogilvie
0bf7bd10ef
GUI: fix ReferenceView signals not being called correctly
2018-07-01 19:28:04 +02:00
Duncan Ogilvie
9e68ea3900
DBG: only store file hash in database if there is other data as well
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
7d1afa0940
DBG+GUI: change layout of window title to be more helpful in the task bar
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
05378fabb2
GUI: add copy header VA to disassembly menu
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
2665df4eb3
DBG: added mod.headerva expression function
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
87c3238de8
DBG (WIP): set up DIA file stream for profiling of a handle leak
2018-07-01 19:28:03 +02:00
Duncan Ogilvie
408b6eeff9
GUI: don't filter symbol list when not necessary
2018-07-01 19:28:02 +02:00
Duncan Ogilvie
62cd2bb915
BRIDGE: fix truncation crash in DbgGetLabelAt
2018-07-01 19:28:02 +02:00
Duncan Ogilvie
d79586d02b
DBG: fix a crash in the Cleanup in downslib
2018-07-01 19:28:02 +02:00
Duncan Ogilvie
70b3149599
WIP: new symbol gui mostly working
2018-07-01 19:28:02 +02:00
0bb2efcb2c
Improve performance and crash resistance when loading PE files containing 1000 or more sections. Tested on https://github.com/corkami/pocs/blob/master/PE/bin/65535sects.exe . Technically performance was already very good, but that was only due to crashing instantly
2018-07-01 19:28:01 +02:00
f515484790
ReadBaseRelocationTable() refactor. Is it better now? Dunno really. This method may be slightly easier to use with both SEC_COMMIT and SEC_IMAGE mappings in the future if needed, but in the end they pretty much do the same thing. At least some more TitanEngine calls were killed off so that's something I suppose
...
Replaced dark and brooding "..."s in error messages with exclamation marks to better emphasise that this stuff is serious
2018-07-01 19:28:01 +02:00
1f485f313e
DBG: more robust debug directory parsing. Validate the RVA, type and size bounds for each debug directory entry, and do not stop after the one unrecognised (non-CV) entry
...
Protect against PDB paths that do not have a null terminator in the PE codeview info
2018-07-01 19:28:01 +02:00
Duncan Ogilvie
14da6c4448
DBG: clean up downslib
2018-07-01 19:28:00 +02:00
6df9535ba4
Rewrite ReadTlsCallbacks() to use RtlImageDirectoryEntryToData and remove all TitanEngine calls. Also fix an anti-debug trick I found by accident: it is possible to have working TLS callbacks with a TLS directory size of 0. The loader does not check this field and always executes callbacks if they exist
2018-07-01 19:28:00 +02:00
28c03967c7
RvaToVa(): use SizeOfRawData instead of VirtualSize as the upper bound on section RVAs. This matches the behaviour of RtlImageRvaToSection for SEC_COMMIT mappings
2018-07-01 19:28:00 +02:00
a4638d2ea9
DBG: misc. changes and fixes in SymbolSourceDIA:
...
- Rename SetThreadDescription to SetWin10ThreadDescription, to clarify that this function isn't actually useful to anyone. (ha ha, OK... but seriously, the same name is also used by the Windows SDK which apparently takes precedence and gets added as a static import, making it impossible to start the debugger on OSes other than Windows 10)
- Thread names are a good idea and they even kind of work on older Windows versions with NtQueryInformationThread(ThreadQuerySetWin32StartAddress), which is what e.g. Process Explorer and Process Hacker use. What *doesn't* work so well is lambdas. Added static functions SymbolsThread() and SourceLinesThread() to replace these. (before: x64dbg.dll!<lambda_fc00d3fb731b14a9b4857ac068d657c4>::<lambda_invoker_cdecl>. after: x64dbg.dll!SymbolSourceDIA::SymbolsThread). These should probably be file statics instead of class members, but they need access to private class functions
- GetModuleHandleA -> GetModuleHandleW. The former just calls the latter but with an extra string allocation and pointless unicode conversion
- Fix pedantic Clang warnings about member initialization order in ctor
- Qualify type name in call to virtual function in destructor, as this will be statically resolved and won't call any potential future implementations in derived classes (this can be further 'fixed' by making either the function or the class final so you'll get a compile time error if you try to do this later)
2018-07-01 19:28:00 +02:00
9b0f9b5c59
Add clarifying comment/TODO re: invalid RVAs to ReadExportDirectory(). Don't feed your .avi collection to this function just yet
2018-07-01 19:28:00 +02:00
a94c250c5d
[DBG] Rewrite ReadImportDirectory()
...
- Obtain the directory directly using RtlImageDirectoryEntryToData and ditch TitanEngine conversion helpers
- Use OFTs instead of FTs if possible, with FTs only as fallback
- Answer the pop quiz questions in comments re: ntdll loader behaviour and handle these cases appropriately
- Use THUNK_VAL() to obtain OFT/FT values independent of process and file bitness
- Always use ULONG64 for AddressOfData to be able to test for IMAGE_ORDINAL_FLAG64. Also return ULONG64 from RvaToVa(), and rva2offset too as a result of this. This makes these functions compatible with both 32 and 64 bit files regardless of process bitness. There shouldn't be any functional changes due to this, otherwise will revert/fix
- Require an import by name to have a non-null name in addition to not having the ordinal flag set. Otherwise treat it as an import by ordinal
- The ordinal value of an import by ordinal is obtained by (val & 0xffff), not (val &= ~ordinalFlag). The ordinal flag is now always removed to ensure the RVA is valid
- Give imports by ordinal a 'name' the same way dbghelp does, e.g. Ordinal57. Previously imports by ordinal were not being shown in the Symbols tab due to having no name. TODO: if we have the PDB for the file being imported from, we can overwrite or append the real function name later using the importee's export directory
- RvaToVa(): assert that RVA 0 always returns VA 0, because if this isn't the case something is seriously messed up
2018-07-01 19:27:59 +02:00
5ad21c69ee
- ReadDebugDirectory(): add about 20 years worth of missing debug directory type names
...
- symbolsourcedia.h: Add _global.h #include to prevent various macros like WINVER and _WIN32_WINNT from being redefined because Windows.h was indirectly included first
2018-07-01 19:27:59 +02:00
fc9285ed2e
[DBG] Work on modinfo improvements:
...
- Add ImageNtHeaders() (clone of RtlImageNtHeaderEx which doesn't exist on XP) to obtain PE headers given a VA
- Add HEADER_FIELD() and THUNK_VAL() macros to module.h to allow accessing header fields independent of process and file bitness
- Add IMAGE_NT_HEADERS pointer to MODINFO, since anything related to parsing PEs needs this struct
- Read PE headers in GetModuleInfo(). Currently the headers are being parsed every time a TitanEngine helper function is called, the goal is to reduce this to once per module load
- GetModuleInfo(): eliminate all TitanEngine calls now that we have the headers
- Add RvaToVa() for SEC_COMMIT mappings. This can simultaneously serve as replacement for rva2offset helpers (pass base = 0). Preferably SEC_IMAGE should be used though as that way neither of these would be needed
- ReadExportDirectory(): use RtlImageDirectoryEntryToData() to obtain a PIMAGE_EXPORT_DIRECTORY and its size in one go to eliminate TitanEngine helper calls and RVA to offset conversions
- Answer burning questions re: Windows loader behaviour when parsing exports in comments
- (Minor) fix '>= 0' comparison against unsigned as this will always evaluate to true
- Add comment re: PDB search path order since it's wrong atm but I'm too scared of breaking something if I change this code myself
2018-07-01 19:27:59 +02:00
Duncan Ogilvie
013cd1e5f7
DBG: dont copy MODINFO and MODIMPORT/MODEXPORT structures
2018-07-01 19:27:59 +02:00
Duncan Ogilvie
4e88b399fe
Update DIA to 14.13.26128.0 + XP support
2018-07-01 19:27:58 +02:00
Duncan Ogilvie
aa8a215895
DBG: use win32 threads instead of std::thread
2018-07-01 19:27:58 +02:00
72ccf42298
Fix too early stream deletion.
2018-07-01 19:27:58 +02:00
cad8aed97d
Refactor PDB data loading via IStream, explicit file access.
2018-07-01 19:27:58 +02:00
c8af1f9144
Use correct PDBDiaFile instance.
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
45b49995f3
DBG: fall back to resolving modules exports when no symbol is found
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
73a5ffebd9
DBG: use export/import data from modules instead of from memory
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
476bc093bc
DBG: add export and import parsing routines in module.cpp
...
#580
2018-07-01 19:27:57 +02:00
Duncan Ogilvie
bee62fbbf0
DBG: add missing locks for ModInfoFromAddr
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
a2c52260f7
DBG: remove unused imports field from MODINFO
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
4fa1b9a2a1
DBG: fix a buffer overflow in the symbol autocomplete function
2018-07-01 19:27:56 +02:00
0cbf519e66
Fix undecorated name being uninitialized.
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
d5ae04dce4
DBG: fully implement symdownload command without dbghelp usage
2018-07-01 19:27:56 +02:00
Duncan Ogilvie
ff11a39533
DBG: attempt to load symbols from multiple locations
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
637815b63d
DBG: symdownload now works without dbghelp
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
ba6ad4cefc
DBG: initial version of Wininet download library
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
3ab836225f
DBG: remove some useless dbghelp calls
2018-07-01 19:27:55 +02:00
Duncan Ogilvie
66017a7442
DBG: refactor SymbolInfo to use VA instead of RVA
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
ffc168f44d
DBG: rename SymbolSourcePDB to SymbolSourceDIA
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
aec262b88a
GUI: remove unused ColumnCompare class from StdTable
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
73b30ed49b
DBG: actually use findSymbolsByPrefix
2018-07-01 19:27:54 +02:00
Duncan Ogilvie
876abcdf10
DBG: change findSymbolsByPrefix to take a callback
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
a6ccf69e5b
DBG: implement SymAddrFromName (untested on large symbols, working on small)
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
550a1ff45a
DBG: correct PDB signature format
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
2ce2470ea1
DBG: implement a much nicer data structure for SymbolSourcePDB
2018-07-01 19:27:53 +02:00
Duncan Ogilvie
c7d0f50207
DBG: initial implementation of name-sorted symbol storage
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
eb9d55ac61
DBG: read debug directory on ModLoad
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
caa5b6273f
DBG: implement DiaLoadCallback for loadDataForExe
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
4fadd01ad4
DBG: move files in 'Symbols' folder
2018-07-01 19:27:52 +02:00
4a1327a896
Only print on load failure if its not missing.
2018-07-01 19:27:52 +02:00
Duncan Ogilvie
b07611387f
GUI: implement initial version of ZehSymbolTable
...
beware of race conditions, but it appears to kinda work
2018-07-01 19:27:51 +02:00
Duncan Ogilvie
f68b830069
GUI: fix some weird includes
2018-07-01 19:27:51 +02:00
Duncan Ogilvie
7c30c5993b
GUI: introduce an additional AbstractStdTable layer to prepare for the new symbol view
2018-07-01 19:27:51 +02:00
Duncan Ogilvie
83005bdcda
GUI: remove sorting related functionality from AbstractTableView
2018-07-01 19:27:50 +02:00
ae5bb70203
Fix resolving symbol size always returning true.
2018-07-01 19:27:50 +02:00
80ad0e7df1
Minor cleanup.
2018-07-01 19:27:50 +02:00
59d166ecf4
Refactor PDBDiaFile query.
2018-07-01 19:27:50 +02:00
Duncan Ogilvie
82774e2445
DBG: use undocumented __unDNameEx function to significantly speed up symbol loading
...
Before:
Loaded 313534 line infos in 47.406
Loaded 140366 symbols in 171.640
After:
Loaded 313534 line infos in 4.187
Loaded 140366 symbols in 9.391
2018-07-01 19:27:50 +02:00
Duncan Ogilvie
a9782ac6c6
DBG: Don't show pointless module size in ModLoad
2018-07-01 19:27:49 +02:00
Duncan Ogilvie
995153cfc0
DBG: fix some truncation issues
2018-07-01 19:27:49 +02:00
058c14d8bf
Make source file strings unique, reduces a lot of memory.
2018-07-01 19:27:49 +02:00
bd08f67f47
Load symbols and source line in parallel.
2018-07-01 19:27:49 +02:00
7c6bfcd2c6
Use enumerators Next instead of index, slight performance improvement.
2018-07-01 19:27:48 +02:00
97fa3c1408
Lock when trying to read source lines.
2018-07-01 19:27:48 +02:00
ae050ea4a1
Fix source lines displayed with disp.
2018-07-01 19:27:48 +02:00
cad369f7a5
Refactor DbgHelp source line query references to new symbol interface.
2018-07-01 19:27:48 +02:00
ac6ee608e4
Add source line queries into new symbol interface.
2018-07-01 19:27:48 +02:00
2604384853
Refactor source line queries in DIA interface.
2018-07-01 19:27:47 +02:00
b68c89a12e
Hide undecorated name if identical to decorated.
2018-07-01 19:27:47 +02:00
d6fd79346e
Prioritize private symbols over public.
2018-07-01 19:27:47 +02:00
e648e27346
Use spinlock instead of critical section.
...
Use proper thread termination on destructor.
2018-07-01 19:27:47 +02:00
a0c94caaf6
Cleanup DIA interface some more.
2018-07-01 19:27:46 +02:00
d35996883e
Implement unloading.
2018-07-01 19:27:46 +02:00
0ea92f26eb
Remove unused functions from DIA interface.
2018-07-01 19:27:46 +02:00
Duncan Ogilvie
1b94728118
DBG: buggy implementation of symbol enum
2018-07-01 19:27:46 +02:00
Duncan Ogilvie
03a609c954
lf to crlf
2018-07-01 19:27:45 +02:00
4e2f307052
Tabs to spaces
2018-07-01 19:27:45 +02:00
626695f233
Add PDB load cancellation.
2018-07-01 19:27:45 +02:00
01f0a824ab
Fix marking symbol with wrong type.
2018-07-01 19:27:45 +02:00
b176fb7e46
Initial for async symbol loading.
2018-07-01 19:27:44 +02:00
3a3afa3744
Remove unused DbgHelp loading.
2018-07-01 19:27:44 +02:00
bd173bf01e
Refactor symbol loading/query to use a common interface.
2018-07-01 19:27:44 +02:00
121486a137
Initial implementation of LRU.
...
Initial implementation of MSDIA.
2018-07-01 19:27:44 +02:00
Duncan Ogilvie
607c5a94e6
GUI: refactor formatOpcodeString + fix underline of relocations
2018-07-01 19:04:38 +02:00
Duncan Ogilvie
67e095efb5
GUI: don't add same thing to the history twice
2018-07-01 19:04:38 +02:00
Duncan Ogilvie
95cacb3732
DBG: add information to Zydis command
2018-07-01 19:04:38 +02:00
Duncan Ogilvie
d24d045105
ZYDIS: fix uninitialized variable in BytesGroup function
2018-07-01 19:04:38 +02:00
Duncan Ogilvie
3a2ce72dd2
rename curByte1 to curByte
2018-07-01 19:04:38 +02:00
Duncan Ogilvie
c46dc0aaca
fix crash in formatOpcodeString
2018-07-01 19:04:38 +02:00
40c00a4d01
fixed relocations
2018-07-01 19:04:38 +02:00
4cbf8ac7f1
Restore old code for patch&relocation
2018-07-01 19:04:38 +02:00
606d3cec2e
Added patches and relocations
2018-07-01 19:04:38 +02:00
6c472a34e4
fixed problem with immediates
2018-07-01 19:04:38 +02:00
712bd6f78a
test
2018-07-01 19:04:38 +02:00
58825d4522
Edit inactive breakpoint
2018-06-19 18:51:36 +02:00
c2f999c6ea
Delete inactive breakpoint in Breakpoints View
2018-06-19 18:51:36 +02:00
3b5d9eeb86
temporary
2018-06-19 18:51:36 +02:00
380df7ba2e
minor parsing bug
2018-06-19 18:51:36 +02:00
ddbeeefab4
Special format to find an inactive breakpoint to edit it.
2018-06-19 18:51:36 +02:00
b59798db6f
minor enhancements about SymbolView&breakpointcpp&SearchListView
2018-06-19 18:51:36 +02:00
Duncan Ogilvie
12e9127799
DBG: support for an edge case in HandlesGetName where the process itself doesn't have query access
2018-06-19 18:30:13 +02:00
f8c67ef2ab
show PID or TID in handles view
2018-06-19 18:30:13 +02:00
Duncan Ogilvie
f5fa7de918
DBG: better message in _dbg_animatecommand
2018-06-11 03:13:25 +02:00
0ab417f5b4
Animation help; Restore empty graph help
2018-06-11 03:12:50 +02:00
71847bb385
set conditional breakoint
2018-06-11 03:12:49 +02:00
ee56954a0c
Use a more useful example for switch condition
2018-06-11 03:12:49 +02:00
2df55a3fa6
Load language menu only when needed
2018-06-11 03:12:49 +02:00
5acf7eb182
Added some icons for Log view and Trace view
2018-06-10 23:56:33 +08:00
Duncan Ogilvie
db17e323fe
DBG: more message fixes
2018-06-03 17:47:01 +02:00
Duncan Ogilvie
01960c556b
fix some whitespace in strings
2018-06-03 17:43:30 +02:00
1cd3cfc469
fix mistakes
2018-06-03 17:43:30 +02:00
4cf5508b5f
add error descriptions to x64dbg failure messages
2018-06-03 17:43:30 +02:00
Duncan Ogilvie
4ea3a8e3af
GUI: actually fix the crash, derp
2018-05-17 17:14:12 +02:00
Duncan Ogilvie
291039eb17
GUI: fix crash in new HexEditDialog
2018-05-17 17:05:11 +02:00
40ab0ed1ae
Fix pasting CR/LF text to CR/LF hex editor
2018-05-13 20:38:53 +02:00
781b0dd89c
Add CR/LF option to text editor
2018-05-13 20:38:53 +02:00
e714824a0d
restore current tab index
2018-05-13 20:38:53 +02:00
49a1c861f0
Make hex editor dialog resizable & Fix copying IP addr.
2018-05-13 20:38:53 +02:00
8de0520dc9
string editor works
2018-05-13 20:38:53 +02:00
facf8ac223
Removed data copy dialog
2018-05-13 20:38:53 +02:00
dce0e11713
data copy working
2018-05-13 20:38:53 +02:00
9741c06798
Disable data copy in find pattern dialog
2018-05-13 20:38:53 +02:00
dba3178428
Improved design. Added codepage warning.
2018-05-13 20:38:53 +02:00
1f7352e0a0
design
2018-05-13 20:38:53 +02:00
Duncan Ogilvie
3f33ad44cc
DBG+GUI: update zydis and fix some issues related to formatting
...
closes #1904
closes #1898
2018-04-05 00:20:31 +02:00
Duncan Ogilvie
3f754c0bfc
DBG: fix an out of bounds access on expression "([esp])"
2018-03-26 02:14:49 +02:00
Duncan Ogilvie
fa902f5df7
GUI: set shortcut for copy file offset in CPUDisassembly
...
closes #1916
2018-03-20 10:25:59 +01:00
Duncan Ogilvie
5bf0e7fb7b
PROJECT: fix zydis_wrapper project to not include nonexistent files
2018-03-05 23:52:20 +01:00
Duncan Ogilvie
1c1a48bcee
DBG: fix heuristic string detection near the end of a page
...
related to #1906
2018-03-05 23:52:07 +01:00
Duncan Ogilvie
f8e4ed4f1f
DBG: fix bug with operand size in TraceRecord
2018-03-04 23:00:13 +01:00
Duncan Ogilvie
8da82cf569
PROJECT: remove keystone
2018-03-04 22:41:00 +01:00
Duncan Ogilvie
e5f950308a
PROJECT: remove capstone
2018-03-04 22:35:01 +01:00
Duncan Ogilvie
55d99b5647
DBG+GUI: replace Capstone with Zydis in trace record
2018-03-04 22:32:08 +01:00
Duncan Ogilvie
0343280cb5
DBG+GUI: update to Zydis v2.0.0
2018-03-04 22:22:54 +01:00
Duncan Ogilvie
49167e92c6
DBG+GUI: fix many application verifier issues
2018-03-04 22:04:37 +01:00
Duncan Ogilvie
53e621c175
DBG: replace WAITID_STOP with a more reliable method
...
closes #1852
2018-03-04 22:04:04 +01:00
e2dcda5498
removed unnecessary include
2018-03-02 10:17:14 +01:00
5a28eb7d30
ASM styles added
2018-03-02 10:17:14 +01:00
da8d90f674
Enhancements to the Data Copy dialog
2018-03-02 10:17:14 +01:00
96b8038f88
Added ASCII field for edit registers dialog
2018-03-02 10:17:14 +01:00
Duncan Ogilvie
c5ce4313b4
DBG+GUI: update Zydis to the latest version
2018-02-24 13:42:59 +01:00
Duncan Ogilvie
289a6b1911
GUI: mnemonic help and brief now work better with prefixes
2018-02-24 12:43:48 +01:00
Duncan Ogilvie
Mattiwatti
ZehMatt
torusrxxx
ThunderCls