Skip to content

Commit 08119a4

Browse files
dmexdmex
committed
peview: Improve import/export ordinal name lookup, Fix import/export symbol lookup
1 parent 57fe40b commit 08119a4

File tree

2 files changed

+56
-115
lines changed

2 files changed

+56
-115
lines changed

tools/peview/expprp.c

Lines changed: 13 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -70,7 +70,7 @@ INT_PTR CALLBACK PvpPeExportsDlgProc(
7070
WCHAR number[PH_INT32_STR_LEN_1];
7171
WCHAR pointer[PH_PTR_STR_LEN_1];
7272

73-
PhPrintUInt64(number, i + 1);
73+
PhPrintUInt32(number, i + 1);
7474
lvItemIndex = PhAddListViewItem(lvHandle, MAXINT, number, NULL);
7575

7676
if (exportFunction.ForwardedName)
@@ -117,51 +117,45 @@ INT_PTR CALLBACK PvpPeExportsDlgProc(
117117
{
118118
if (exportFunction.Function)
119119
{
120-
PPH_STRING exportName;
120+
PPH_STRING exportSymbol = NULL;
121+
PPH_STRING exportSymbolName = NULL;
121122

122123
// Try find the export name using symbols.
123124
if (PvMappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
124125
{
125-
exportName = PhGetSymbolFromAddress(
126+
exportSymbol = PhGetSymbolFromAddress(
126127
PvSymbolProvider,
127128
(ULONG64)PTR_ADD_OFFSET(PvMappedImage.NtHeaders32->OptionalHeader.ImageBase, exportFunction.Function),
128129
NULL,
129130
NULL,
130-
NULL,
131+
&exportSymbolName,
131132
NULL
132133
);
133134
}
134135
else
135136
{
136-
exportName = PhGetSymbolFromAddress(
137+
exportSymbol = PhGetSymbolFromAddress(
137138
PvSymbolProvider,
138139
(ULONG64)PTR_ADD_OFFSET(PvMappedImage.NtHeaders->OptionalHeader.ImageBase, exportFunction.Function),
139140
NULL,
140141
NULL,
141-
NULL,
142+
&exportSymbolName,
142143
NULL
143144
);
144145
}
145146

146-
if (exportName)
147+
if (exportSymbolName)
147148
{
148-
static PH_STRINGREF unnamedText = PH_STRINGREF_INIT(L" (unnamed)");
149-
PH_STRINGREF exportNameText;
150-
PH_STRINGREF firstPart;
151-
PH_STRINGREF secondPart;
152-
153-
if (PhSplitStringRefAtLastChar(&exportName->sr, L'!', &firstPart, &secondPart))
154-
exportNameText = secondPart;
155-
else
156-
exportNameText = exportName->sr;
157-
158-
PhSetListViewSubItem(lvHandle, lvItemIndex, 2, PH_AUTO_T(PH_STRING, PhConcatStringRef2(&exportNameText, &unnamedText))->Buffer);
159-
PhDereferenceObject(exportName);
149+
PhSetListViewSubItem(lvHandle, lvItemIndex, 2, PH_AUTO_T(PH_STRING, PhConcatStringRefZ(&exportSymbolName->sr, L" (unnamed)"))->Buffer);
150+
PhDereferenceObject(exportSymbolName);
160151
}
161152
else
162153
{
163154
PhSetListViewSubItem(lvHandle, lvItemIndex, 2, L"(unnamed)");
164155
}
156+
157+
if (exportSymbol)
158+
PhDereferenceObject(exportSymbol);
165159
}
166160
else
167161
{

tools/peview/impprp.c

Lines changed: 43 additions & 96 deletions
Original file line numberDiff line numberDiff line change
@@ -63,48 +63,54 @@ PPH_STRING PvpQueryModuleOrdinalName(
6363
}
6464
else
6565
{
66-
if (exportFunction.Function)
66+
if (exportFunction.ForwardedName)
6767
{
68-
PPH_STRING symbolName;
68+
PPH_STRING forwardName;
6969

70-
// Try find the export name using symbols.
71-
if (PvMappedImage.Magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC)
70+
forwardName = PhZeroExtendToUtf16(exportFunction.ForwardedName);
71+
72+
if (forwardName->Buffer[0] == '?')
7273
{
73-
symbolName = PhGetSymbolFromAddress(
74-
PvSymbolProvider,
75-
(ULONG64)PTR_ADD_OFFSET(PvMappedImage.NtHeaders32->OptionalHeader.ImageBase, exportFunction.Function),
76-
NULL,
77-
NULL,
78-
NULL,
79-
NULL
80-
);
74+
PPH_STRING undecoratedName;
75+
76+
if (undecoratedName = PhUndecorateSymbolName(PvSymbolProvider, forwardName->Buffer))
77+
PhMoveReference(&forwardName, undecoratedName);
8178
}
82-
else
79+
80+
PhMoveReference(&exportName, PhFormatString(L"%s (Forwarded)", forwardName->Buffer));
81+
PhDereferenceObject(forwardName);
82+
}
83+
else if (exportFunction.Function)
84+
{
85+
PPH_STRING exportSymbol = NULL;
86+
PPH_STRING exportSymbolName = NULL;
87+
88+
if (PhLoadModuleSymbolProvider(
89+
PvSymbolProvider,
90+
FileName->Buffer,
91+
(ULONG64)mappedImage.ViewBase,
92+
(ULONG)mappedImage.Size
93+
))
8394
{
84-
symbolName = PhGetSymbolFromAddress(
95+
// Try find the export name using symbols.
96+
exportSymbol = PhGetSymbolFromAddress(
8597
PvSymbolProvider,
86-
(ULONG64)PTR_ADD_OFFSET(PvMappedImage.NtHeaders->OptionalHeader.ImageBase, exportFunction.Function),
87-
NULL,
98+
(ULONG64)PTR_ADD_OFFSET(mappedImage.ViewBase, exportFunction.Function),
8899
NULL,
89100
NULL,
101+
&exportSymbolName,
90102
NULL
91103
);
92104
}
93105

94-
if (symbolName)
106+
if (exportSymbolName)
95107
{
96-
static PH_STRINGREF unnamedText = PH_STRINGREF_INIT(L" (unnamed)");
97-
PH_STRINGREF exportNameText;
98-
PH_STRINGREF firstPart;
99-
PH_STRINGREF secondPart;
100-
101-
if (PhSplitStringRefAtLastChar(&symbolName->sr, L'!', &firstPart, &secondPart))
102-
exportNameText = secondPart;
103-
else
104-
exportNameText = symbolName->sr;
105-
106-
exportName = PhCreateString2(&exportNameText);
108+
PhSetReference(&exportName, exportSymbolName);
109+
PhDereferenceObject(exportSymbolName);
107110
}
111+
112+
if (exportSymbol)
113+
PhDereferenceObject(exportSymbol);
108114
}
109115
}
110116

@@ -149,7 +155,7 @@ VOID PvpProcessImports(
149155
else
150156
name = PhZeroExtendToUtf16(importDll.Name);
151157

152-
PhPrintUInt64(number, ++(*Count)); // HACK
158+
PhPrintUInt32(number, ++(*Count)); // HACK
153159
lvItemIndex = PhAddListViewItem(ListViewHandle, MAXINT, number, NULL);
154160

155161
PhSetListViewSubItem(ListViewHandle, lvItemIndex, 1, name->Buffer);
@@ -177,95 +183,36 @@ VOID PvpProcessImports(
177183
}
178184
else
179185
{
180-
PLDR_DATA_TABLE_ENTRY moduleLdrEntry = NULL;
181-
PVOID moduleExportAddress = NULL;
182-
PVOID importModuleDllBase = NULL;
183-
PPH_STRING exportDllName = NULL;
186+
PPH_STRING exportDllName;
184187
PPH_STRING exportOrdinalName = NULL;
185-
PPH_STRING exportSymbolName = NULL;
186-
187-
//PPH_STRING baseDirectory;
188-
//
189-
//if (baseDirectory = PhGetBaseDirectory(PvFileName))
190-
//{
191-
// static DLL_DIRECTORY_COOKIE (WINAPI *AddDllDirectory_I)(
192-
// _In_ PCWSTR NewDirectory
193-
// );
194-
//
195-
// if (AddDllDirectory_I = PhGetDllProcedureAddress(L"kernel32.dll", "AddDllDirectory", 0))
196-
// {
197-
// AddDllDirectory_I(baseDirectory->Buffer);
198-
// }
199-
//}
200-
//
201-
//if (importModuleDllBase = LoadLibraryA(importDll.Name))
202-
//{
203-
// moduleLdrEntry = PhFindLoaderEntry(importModuleDllBase, NULL, NULL);
204-
// moduleExportAddress = PhGetDllBaseProcedureAddress(importModuleDllBase, NULL, importEntry.Ordinal);
205-
// exportOrdinalName = PhGetExportNameFromOrdinal(importModuleDllBase, importEntry.Ordinal);
206-
//}
207188

208189
if (exportDllName = PhConvertUtf8ToUtf16(importDll.Name))
209190
{
210191
PPH_STRING filePath;
211192

193+
// TODO: Implement ApiSet mappings for exportDllName. (dmex)
194+
// TODO: Add DLL directory to PhSearchFilePath for locating non-system images. (dmex)
195+
212196
if (filePath = PhSearchFilePath(exportDllName->Buffer, L".dll"))
213197
{
214198
PhMoveReference(&exportDllName, filePath);
215199
}
216200

217201
exportOrdinalName = PvpQueryModuleOrdinalName(exportDllName, importEntry.Ordinal);
202+
PhDereferenceObject(exportDllName);
218203
}
219204

220205
if (exportOrdinalName)
221206
{
222207
name = PhaFormatString(L"%s (Ordinal %u)", PhGetStringOrEmpty(exportOrdinalName), importEntry.Ordinal);
223208
PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, PhGetString(name));
209+
PhDereferenceObject(exportOrdinalName);
224210
}
225211
else
226212
{
227-
if (moduleLdrEntry && moduleExportAddress)
228-
{
229-
if (PhLoadModuleSymbolProvider(
230-
PvSymbolProvider,
231-
moduleLdrEntry->FullDllName.Buffer,
232-
(ULONG64)importModuleDllBase,
233-
moduleLdrEntry->SizeOfImage
234-
))
235-
{
236-
exportSymbolName = PhGetSymbolFromAddress(
237-
PvSymbolProvider,
238-
(ULONG64)moduleExportAddress,
239-
NULL,
240-
NULL,
241-
NULL,
242-
NULL
243-
);
244-
}
245-
}
246-
247-
if (exportSymbolName)
248-
{
249-
PH_STRINGREF firstPart;
250-
PH_STRINGREF secondPart;
251-
252-
if (PhSplitStringRefAtLastChar(&exportSymbolName->sr, L'!', &firstPart, &secondPart))
253-
name = PhaFormatString(L"%s (Ordinal %u)", secondPart.Buffer, importEntry.Ordinal);
254-
else
255-
name = PhaFormatString(L"%s (Ordinal %u)", exportSymbolName->Buffer, importEntry.Ordinal);
256-
257-
PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, name->Buffer);
258-
}
259-
else
260-
{
261-
name = PhaFormatString(L"(Ordinal %u)", importEntry.Ordinal);
262-
PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, name->Buffer);
263-
}
213+
name = PhaFormatString(L"(Ordinal %u)", importEntry.Ordinal);
214+
PhSetListViewSubItem(ListViewHandle, lvItemIndex, 2, name->Buffer);
264215
}
265-
266-
if (exportSymbolName) PhDereferenceObject(exportSymbolName);
267-
if (exportOrdinalName) PhDereferenceObject(exportOrdinalName);
268-
if (exportDllName) PhDereferenceObject(exportDllName);
269216
}
270217
}
271218
}

0 commit comments

Comments
 (0)