 
  
  
  
 
Topic created on: June 3, 2007 09:16 CDT by c1de0x.
Hi all,
 
I am trying to extract the number of DWORD size parameters that each of the exported functions of a given generic PE module expects.
 
I can't rely on mangled names, or anything of that nature. I tried looking into dbghelp, but that doesn't seem to give me the information I require.
 
I know this is probably a solved problem, so can anybody please point me in the right direction?
 
Thanks, 
c1de0x
   
    
        
        
     
    
        
As far as I know, there is no information about the number of arguments / size for exported functions. (In the kernel case for the SSDT, there's only the total size, but most functions are documented and it's different.)

Ilfak Guilfanov explains on his blog that it is hard, especially if you wanna support C++ binaries.
 
More information: 
 
http://hexblog.com/2006/08/automated_binary_analysis_woes.html 
 
good luck ;)
        Surely there must be some way to extract this information? I have seen many API hooking tools which have lists of methods and their numbers of parameters. 
 
I found it doubtful that they are performing this kind of analysis in order to determine those numbers. 
 
Isn't there some easy way to determine the signature for an exported function?
Ok, after a lot of research and thought, it is clear that there is no 'simple' way to extract the number of formal parameters (arguments) an exported procedure expects. Neither the PE format's Export Address Table nor the PDB symbol files store this information.
 
Apparently the only reliable source for this information is header files, which I obviously can't rely on. 
 
As such, I've come up with the following mechanism to determine the number of arguments a stdcall procedure expects: 
 
 
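push ebx
push ecx

...

sub esp, 0x400          ; preallocate scratch space for the dummy arguments
mov ebx, esp            ; remember the stack pointer before the call
call ds:targetFunction  ; stdcall callee pops its own arguments on return
mov ecx, esp            ; stack pointer after the call
sub ecx, ebx            ; ecx = number of argument bytes the callee removed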
 
 
Basically, we just preallocate a very large space (enough for 100 arguments) on the stack, and then simply call the 'target' function. The code relies on the fact that most (if not all) exported API functions use the stdcall calling convention. This means that they should clean their own arguments off the stack before returning, even when an error (such as an invalid argument value) occurs.
 
The code simply compares the value of the stack pointer prior to execution of the 'target' function with its value after execution: the difference is the number of bytes the function expects as arguments. 
 
Note: In certain very exotic circumstances the process may simply bug-out when invalid arguments are passed. In such a case, this method will obviously not work. 
 
Unfortunately, the more I think about it, the more certain I am that without doing some kind of call-site analysis (looking for add esp, etc.) I am not going to be able to determine cdecl/fastcall parameter counts. 
 
The real question is, are there any Windows 'native' libraries which export non-stdcall functions? Does MSVC automatically set exported functions to __stdcall?

> c1de0x: > The real question is, are there any windows 'native' libraries which Export non-stdcall functions? Does MSVC automatically set exported functions to __stdcall?
 
afaik there are cdecl calls as well and compiler adds add esp,no of params after they are called 
 
if im remembering correctly  
wsprintf and sprintf calls etc are all __CDECL 
 
also pdb symbol holds param info mostly  
try windbg  
.fnent Api 
 
.fnent USER32!MessageBoxA 
Debugger function entry 07a75120 for: 
(77d66476)   USER32!MessageBoxA   |  (77d6649d)   USER32!MessageBoxExA 
Exact matches: 
    USER32!MessageBoxA = <no type information> 
 
OffStart:  00026476 
ProcSize:  0x47 
Prologue:  0x0 
Params:    0n4 (0x10 bytes) 
Locals:    0n0 (0x0 bytes) 
Registers: 0n0 
 
.fnent kernel32!CreateSocketHandle
Debugger function entry 07ab4260 for:
(77ebbd2e)   kernel32!CreateSocketHandle   |  (77ebbd38)   kernel32!ZombifyActCtx
Exact matches:
    kernel32!CreateSocketHandle = <no type information>

OffStart:  0005bd2e
ProcSize:  0xa
Prologue:  0x0
Params:    0n0 (0x0 bytes)
Locals:    0n0 (0x0 bytes)
Registers: 0n0

.fnent kernel32!CreateFileW
Debugger function entry 07ab4280 for:
(77e7b091)   kernel32!CreateFileW   |  (77e7b2af)   kernel32!BaseIsThisAConsoleName
Exact matches:
    kernel32!CreateFileW = <no type information>

OffStart:  0001b091
ProcSize:  0x415
Prologue:  0x6
Params:    0n7 (0x1c bytes)
Locals:    0n23 (0x5c bytes)
Non-FPO

        anonymouse: thanks!  
 
Do you have any idea how/from where windbg extracts that info? I looked into the Sym* functions for retrieving symbols from PDB, and there wasn't any info on parameter numbers.
well i have gibberish logs but actually no idea :)

if you are an expert in com then get the DIA sdk and muck around those query interfaces IUNKNOWN::QUERYCRAP() AND ICANNEVERKNOW::MAKEBS()

i can say dbgeng.OutputFunctionEntry() (this is the function called by fnent)
calls dbghelp a lot and one of following function is a pure Win32 Equivalent Function

one day i hope to find out and demystify this whole masked Charade till then all i can give you is the log below
all the functions that are called once twice or thrice should be investigated first
the rest are constructors, destructors, instructors, terminators, killers, contractors, tinkers, tailors, soldiers and spies

the first column is no of times it was called the second is address and third is apiname
 
 
        The debugger gets the number of arguments and locals from the FPO records in the PDB files. See http://msdn2.microsoft.com/en-us/library/ms679352.aspx 
 
To get the FPO information from the DBGHELP API you can use the SymFunctionTableAccess64 function.
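
As an added example (not code from this thread or from dbghelp): on x86, SymFunctionTableAccess64 returns a pointer to a 16-byte FPO_DATA record, and its cdwParams field is the parameter count in DWORDs that .fnent prints as "Params". The decoder below reads that layout, as declared in winnt.h, from raw bytes; the sample record is constructed to match the CreateFileW output quoted earlier, and the names fpo_info, fpo_decode and fpo_param_bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Decoded x86 FPO_DATA record (16 bytes on disk, layout as in winnt.h). */
struct fpo_info {
    uint32_t off_start;  /* ulOffStart: offset of the function's first byte */
    uint32_t proc_size;  /* cbProcSize: function size in bytes */
    uint32_t locals;     /* cdwLocals: locals, counted in DWORDs */
    uint16_t params;     /* cdwParams: parameters, counted in DWORDs */
    uint8_t  prolog;     /* cbProlog: prolog size in bytes */
    uint8_t  regs;       /* cbRegs: number of saved registers */
    uint8_t  has_seh;    /* fHasSEH */
    uint8_t  use_bp;     /* fUseBP */
    uint8_t  frame;      /* cbFrame: 0 FPO, 1 trap, 2 TSS, 3 non-FPO */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Decode one little-endian record; returns 0, or -1 if the buffer is short. */
int fpo_decode(const uint8_t *buf, size_t len, struct fpo_info *out)
{
    if (buf == NULL || out == NULL || len < 16)
        return -1;
    uint16_t bits = rd16(buf + 14);                 /* packed bitfield word */
    out->off_start = rd32(buf);
    out->proc_size = rd32(buf + 4);
    out->locals    = rd32(buf + 8);
    out->params    = rd16(buf + 12);
    out->prolog    = (uint8_t)(bits & 0xff);        /* bits 0-7 */
    out->regs      = (uint8_t)((bits >> 8) & 0x7);  /* bits 8-10 */
    out->has_seh   = (uint8_t)((bits >> 11) & 1);
    out->use_bp    = (uint8_t)((bits >> 12) & 1);
    out->frame     = (uint8_t)((bits >> 14) & 0x3); /* bits 14-15; bit 13 reserved */
    return 0;
}

/* Argument bytes on the stack: what a stdcall callee removes with ret N. */
uint32_t fpo_param_bytes(const struct fpo_info *f) { return (uint32_t)f->params * 4u; }

/* Constructed sample matching the kernel32!CreateFileW .fnent output above;
   the bits the debugger output does not show are set to zero. */
static const uint8_t SAMPLE_CREATEFILEW[16] = {
    0x91, 0xb0, 0x01, 0x00,  /* ulOffStart = 0x0001b091 */
    0x15, 0x04, 0x00, 0x00,  /* cbProcSize = 0x415 */
    0x17, 0x00, 0x00, 0x00,  /* cdwLocals  = 23 */
    0x07, 0x00,              /* cdwParams  = 7 */
    0x06, 0xc0               /* cbProlog = 6, cbFrame = 3 (non-FPO) */
};

int main(void)
{
    struct fpo_info f;
    if (fpo_decode(SAMPLE_CREATEFILEW, sizeof SAMPLE_CREATEFILEW, &f) != 0)
        return 1;
    printf("Params: %u (0x%x bytes)  Locals: %u  Prologue: 0x%x  Frame: %u\n",
           (unsigned)f.params, (unsigned)fpo_param_bytes(&f),
           (unsigned)f.locals, (unsigned)f.prolog, (unsigned)f.frame);
    return 0;
}
```

The record is only available where the symbol file carries FPO data for the function, so this recovers parameter counts for x86 modules with symbols rather than for arbitrary stripped DLLs.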
thanks asotirov

that's the only call that's called directly by dbgeng.OutputFunctionEntry()

and it is called only once

1. 03036C90 SymFunctionTableAccess64
        Thanks a lot asotirov and anonymouse, I'll check that angle out immediately. 
 
anonymouse: If I may ask, what did you use to generate that log?
        > c1de0x: > anonymouse: If I may ask, what did you use to generate that log? 
 
my favourite tool ollydbg :) 
 
run trace -> profile module