From 58b494fef4c750b99598558792fddf8bbd967507 Mon Sep 17 00:00:00 2001
From: Pavel Yosifovich
Date: Sat, 11 Feb 2023 17:17:02 -0500
Subject: [PATCH] added symbol names for addresses in disassembly view

---
 TotalPE/ExportsView.cpp | 2 +-
 TotalPE/PEStrings.cpp | 26 +++-
 TotalPE/PEStrings.h | 3 +-
 TotalPE/ScintillaView.cpp | 4 +-
 TotalPE/StructView.cpp | 6 +-
 TotalPE/TotalPE.rc | 286 +++++++++++++++++++++----------------
 TotalPE/TotalPE.vcxproj | 5 +
 7 files changed, 196 insertions(+), 136 deletions(-)

diff --git a/TotalPE/ExportsView.cpp b/TotalPE/ExportsView.cpp
index b84b2f7..414ad94 100644
--- a/TotalPE/ExportsView.cpp
+++ b/TotalPE/ExportsView.cpp
@@ -150,7 +150,7 @@ LRESULT CExportsView::OnDissassemble(WORD, WORD, HWND, BOOL&) const {
 auto code = m_PE.GetSpan(offset, size);
 ULONGLONG imageBase = m_PE->GetFileInfo()->IsPE64 ? m_PE->GetNTHeader()->NTHdr64.OptionalHeader.ImageBase : m_PE->GetNTHeader()->NTHdr32.OptionalHeader.ImageBase;
- Frame()->CreateAssemblyView(code, offset + imageBase, exp.FuncRVA,
+ Frame()->CreateAssemblyView(code, exp.FuncRVA + imageBase, exp.FuncRVA,
 exp.Name.c_str(), TreeItemType::DirectoryExports);
 return 0;
diff --git a/TotalPE/PEStrings.cpp b/TotalPE/PEStrings.cpp
index a5a76d2..b5864f2 100644
--- a/TotalPE/PEStrings.cpp
+++ b/TotalPE/PEStrings.cpp
@@ -3,6 +3,7 @@
 #include
 #include
 #include "..\External\Capstone\capstone.h"
+#include
 #pragma comment(lib, "dbghelp")
@@ -190,10 +191,27 @@ std::wstring PEStrings::ResourceTypeToString(WORD id) {
 return id >= _countof(types) ? L"" : types[id];
 }
-CStringA PEStrings::FormatInstruction(const cs_insn& inst) {
- CStringA text;
- text.Format("%llX %-10s %-40s ;", inst.address, inst.mnemonic, inst.op_str);
-// text.Format("%-10s %-40s ;", inst.mnemonic, inst.op_str);
+CStringA PEStrings::FormatInstruction(const cs_insn& inst, DiaSession const& symbols) {
+ CStringA text, extra;
+ static PCSTR branches[] = { "call", "je", "jmp", "jne", "js" };
+ for (auto& br : branches)
+ if (_stricmp(inst.mnemonic, br) == 0) {
+ long disp;
+ auto address = strtoll(inst.op_str, nullptr, 16);
+ if (address != 0 && address != LLONG_MAX && address != LLONG_MIN) {
+ auto sym = symbols.GetSymbolByVA(address, SymbolTag::Null, &disp);
+ if (sym) {
+ extra = sym.Name().c_str();
+ if (!extra.IsEmpty() && disp)
+ extra += std::format(" + 0x{:X}", disp).c_str();
+ }
+ }
+ break;
+ }
+
+ if (!extra.IsEmpty())
+ extra = std::format("{} ({})", inst.op_str, (PCSTR)extra).c_str();
+ text.Format("%llX %-10s %-55s;", inst.address, inst.mnemonic, !extra.IsEmpty() ? (PCSTR)extra : inst.op_str);
 for (int i = 0; i < inst.size; i++)
 text += std::format(" {:02X}", inst.bytes[i]).c_str();
 return text;
diff --git a/TotalPE/PEStrings.h b/TotalPE/PEStrings.h
index b0a03fe..c7078b6 100644
--- a/TotalPE/PEStrings.h
+++ b/TotalPE/PEStrings.h
@@ -3,6 +3,7 @@
 struct cs_insn;
 enum class SymbolTag;
 enum class LocationKind;
+class DiaSession;
 enum class DllCharacteristics : unsigned short {
 None = 0,
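Review bot: `strtoll(inst.op_str, nullptr, 16)` in the new FormatInstruction accepts any operand whose leading characters happen to be hex digits, so a register or memory operand such as `call eax` or `jmp dword ptr [rax]` parses to a small non-zero value (0xEA, 0xD) and triggers a symbol lookup at a meaningless VA; only an operand that is entirely an immediate should be resolved. Check the end pointer: `char* end = nullptr;` / `auto address = strtoll(inst.op_str, &end, 16);` / `if (end != inst.op_str && *end == '\0' && address != 0 && address != LLONG_MAX && address != LLONG_MIN) {`. The `branches` table also lists only five mnemonics, while Capstone emits many other conditional jumps (`ja`, `jb`, `jl`, `jg`, `jbe`, `jge`, ...), so if every direct branch is meant to be annotated a test on the leading `j` plus `call` would be more complete. The symbol name, which comes from whatever PDB the session loaded, is passed only as a format argument and never as the format string; a short comment saying so would keep a later edit from folding it into the `Format`/`std::format` pattern.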
@@ -32,7 +33,7 @@ struct PEStrings abstract final {
 static std::wstring ToHex(ULONGLONG value);
 static std::wstring ToMemorySize(ULONGLONG size);
 static std::wstring ResourceTypeToString(WORD id);
- static CStringA FormatInstruction(const cs_insn& inst);
+ static CStringA FormatInstruction(const cs_insn& inst, DiaSession const& symbols);
 static std::wstring ManagedTypeAttributesToString(CorTypeAttr attr);
 //static std::wstring MemberAttributesToString(const ManagedMember& member);
 static std::wstring MethodAttributesToString(CorMethodAttr attr);
diff --git a/TotalPE/ScintillaView.cpp b/TotalPE/ScintillaView.cpp
index a4d8e33..232abed 100644
--- a/TotalPE/ScintillaView.cpp
+++ b/TotalPE/ScintillaView.cpp
@@ -128,7 +128,7 @@ bool CScintillaView::SetAsmCode(std::span code, uint64_t addres
 cs_insn inst{};
 CStringA text;
 while (cs_disasm_iter(handle, &bytes, &size, &address, &inst)) {
- text += PEStrings::FormatInstruction(inst) + L"\r\n";
+ text += PEStrings::FormatInstruction(inst, Frame()->GetSymbols()) + L"\r\n";
 if (_strcmpi(inst.mnemonic, "ret") == 0)
 break;
 }
@@ -252,7 +252,7 @@ LRESULT CScintillaView::OnDisassembleAtEnd(WORD, WORD, HWND, BOOL&) {
 cs_insn inst{};
 CStringA text;
 while (cs_disasm_iter(handle, &bytes, &size, &address, &inst)) {
- text += PEStrings::FormatInstruction(inst) + L"\r\n";
+ text += PEStrings::FormatInstruction(inst, Frame()->GetSymbols()) + L"\r\n";
 if (_strcmpi(inst.mnemonic, "ret") == 0)
 break;
 }
diff --git a/TotalPE/StructView.cpp b/TotalPE/StructView.cpp
index b84d098..0320621 100644
--- a/TotalPE/StructView.cpp
+++ b/TotalPE/StructView.cpp
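Review bot: `Frame()->GetSymbols()` is evaluated on every iteration of the `cs_disasm_iter` loop, in both the SetAsmCode hunk and the OnDisassembleAtEnd hunk below it; hoist it into a local before the loop, e.g. `auto const& symbols = Frame()->GetSymbols();`, and pass `symbols` to `FormatInstruction`. If `GetSymbols()` returns by value rather than by reference this also avoids building a DiaSession per instruction, though its declaration is not visible from the hunk. Both enclosing functions start and end outside the hunks.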
@@ -27,14 +27,12 @@ LRESULT CStructView::OnCreate(UINT, WPARAM, LPARAM, BOOL&) { m_TL.Create(m_Splitter, rcDefault, nullptr, WS_CHILD | WS_VISIBLE | WS_CLIPCHILDREN | LVS_REPORT | LVS_SHAREIMAGELISTS | LVS_NOSORTHEADER); - m_TL.SetExtendedListViewStyle(LVS_EX_DOUBLEBUFFER | LVS_EX_FULLROWSELECT); + m_TL.SetExtendedListViewStyle(LVS_EX_DOUBLEBUFFER | LVS_EX_FULLROWSELECT | LVS_EX_INFOTIP); m_TL.SetImageList(Frame()->GetImageList(), LVSIL_SMALL); -// m_TL.SetIcons(AtlLoadIconImage(IDI_EXPANDED, 0, 16, 16), AtlLoadIconImage(IDI_COLLAPSED, 0, 16, 16)); m_TL.InsertColumn(0, L"Member", LVCFMT_LEFT, 250); m_TL.InsertColumn(1, L"Offset", LVCFMT_RIGHT, 60); m_TL.InsertColumn(2, L"Type", 0, 180); - m_TL.InsertColumn(3, L"Value", 0, 150); - m_TL.InsertColumn(4, L"Details", 0, 150); + m_TL.InsertColumn(3, L"Value", LVCFMT_RIGHT, 150); m_HexView.Create(m_Splitter, rcDefault, nullptr, WS_CHILD | WS_VISIBLE); m_HexView.SetStatic(true); diff --git a/TotalPE/TotalPE.rc b/TotalPE/TotalPE.rc index 564e849..6c0ed9f 100644 --- a/TotalPE/TotalPE.rc +++ b/TotalPE/TotalPE.rc @@ -1,14 +1,13 @@ // Microsoft Visual C++ generated resource script. // #include "resource.h" -#include -#include #define APSTUDIO_READONLY_SYMBOLS ///////////////////////////////////////////////////////////////////////////// // // Generated from the TEXTINCLUDE 2 resource. // +#include "winres.h" #include "atlres.h" ///////////////////////////////////////////////////////////////////////////// 
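Review bot: Dropping `m_TL.InsertColumn(4, L"Details", 0, 150);` removes column 4 from the tree-list, but the code that fills the rows is outside this hunk, so any remaining write to subitem 4 would now silently target a column that no longer exists; please confirm no `SetItemText`-style call in CStructView still uses index 4. The `Value` column is also switched to `LVCFMT_RIGHT`, which is fine for numeric values but will right-align string values too if the column is shared. OnCreate starts before and ends after the hunk.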
@@ -34,139 +33,36 @@ END 2 TEXTINCLUDE BEGIN - "#include ""atlres.h""\r\n" + "#include ""winres.h""\r\n" + "#include ""\r\n" + "#include ""\r\n" "\0" END 3 TEXTINCLUDE BEGIN + "\r\n" "\0" END -#endif // APSTUDIO_INVOKED - - -///////////////////////////////////////////////////////////////////////////// -// -// Menu -// +1 TEXTINCLUDE +BEGIN + "resource.h\0" +END -IDR_MAINFRAME MENU +2 TEXTINCLUDE BEGIN - POPUP "&File" - BEGIN - MENUITEM "&Run As Administrator...", ID_FILE_RUNASADMINISTRATOR - MENUITEM SEPARATOR - MENUITEM "&New Window\tCtrl+N", ID_FILE_NEW - MENUITEM "&Open...\tCtrl+O", ID_FILE_OPEN - MENUITEM "Open in a &New Window...", 32781 - MENUITEM "&Save...\tCtrl+S", ID_FILE_SAVE - MENUITEM "&Close", ID_FILE_CLOSE - MENUITEM SEPARATOR - POPUP "&Recent Files" - BEGIN - MENUITEM "(Empty)", ID_RECENTFILES_ - END - MENUITEM SEPARATOR - MENUITEM "E&xit", ID_APP_EXIT - END - POPUP "&Edit" - BEGIN - MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY - MENUITEM "&Paste\tCtrl+V", ID_EDIT_PASTE - END - POPUP "&View" - BEGIN - MENUITEM "&Find...\tCtrl+F", ID_EDIT_FIND - MENUITEM "Find &Next\tF3", ID_EDIT_FIND_NEXT - MENUITEM "Find &Previous\tShift+F3", ID_EDIT_FIND_PREVIOUS - MENUITEM SEPARATOR - MENUITEM "&Disassemble...", ID_VIEW_DISASSEMBLE - MENUITEM SEPARATOR - MENUITEM "&Status Bar", ID_VIEW_STATUS_BAR - END - POPUP "&PE" - BEGIN - MENUITEM "&Exports", ID_VIEW_EXPORTS - MENUITEM "&Imports", ID_VIEW_IMPORTS - MENUITEM "&Sections", ID_VIEW_SECTIONS - MENUITEM "&Directories", ID_VIEW_DIRECTORIES - MENUITEM "&Resources", ID_VIEW_RESOURCES - MENUITEM "&Manifest", ID_VIEW_MANIFEST - MENUITEM "&Version", ID_VIEW_VERSION - MENUITEM "&Debug", ID_VIEW_DEBUG - MENUITEM "Security", ID_PE_SECURITY - MENUITEM SEPARATOR - MENUITEM "Disassemble Entry Point", ID_PE_DISASSEMBLEENTRYPOINT - MENUITEM "Entire File in &Hex", ID_PE_ENTIREFILEINHEX - END - POPUP "&Options" - BEGIN - MENUITEM "&Always On Top", ID_OPTIONS_ALWAYSONTOP - MENUITEM "&Dark Mode", ID_OPTIONS_DARKMODE - MENUITEM "&Font...", 
ID_OPTIONS_FONT - MENUITEM "&Symbols...", ID_OPTIONS_SYMBOLS - END - POPUP "&Window" - BEGIN - MENUITEM "&Close\tCtrl+F4", ID_WINDOW_CLOSE - MENUITEM "Close &All", ID_WINDOW_CLOSE_ALL - MENUITEM "&New Window\tCtrl+N", ID_FILE_NEW - END - POPUP "&Help" - BEGIN - MENUITEM "&About Total PE...", ID_APP_ABOUT - MENUITEM SEPARATOR - MENUITEM "About &WIndows...", ID_HELP_ABOUTWINDOWS - END + "#include ""atlres.h""\r\n" + "\0" END -IDR_CONTEXT MENU +3 TEXTINCLUDE BEGIN - POPUP "general" - BEGIN - MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY - END - POPUP "bytesperline" - BEGIN - MENUITEM "8", ID_BYTESPERLINE_8 - MENUITEM "16", ID_BYTESPERLINE_16 - MENUITEM "24", ID_BYTESPERLINE_24 - MENUITEM "32", ID_BYTESPERLINE_32 - MENUITEM "48", ID_BYTESPERLINE_48 - MENUITEM "64", ID_BYTESPERLINE_64 - END - POPUP "icon" - BEGIN - MENUITEM "&Export...", ID_ICON_EXPORT - END - POPUP "export" - BEGIN - MENUITEM "&Disassemble...", ID_VIEW_DISASSEMBLE - MENUITEM SEPARATOR - MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY - END - POPUP "import" - BEGIN - MENUITEM "File Properties...", ID_IMPORT_FILEPROPERTIES - MENUITEM "&Go to File Location", ID_IMPORT_GOTOFILELOCATION - MENUITEM SEPARATOR - MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY - END - POPUP "hex" - BEGIN - MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY - MENUITEM "&Export...", ID_ICON_EXPORT - END - POPUP "assembly" - BEGIN - MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY - MENUITEM SEPARATOR - MENUITEM "Disassemble at the End", ID_ASSEMBLY_DISASSEMBLEATTHEEND - MENUITEM "Go to Address", ID_ASSEMBLY_GOTOADDRESS - END + "\0" END +#endif // APSTUDIO_INVOKED + ///////////////////////////////////////////////////////////////////////////// // @@ -177,6 +73,14 @@ END // remains consistent on all systems. IDR_MAINFRAME ICON "res\\TotalPE.ico" +IDI_COLLAPSED ICON "res\\Collapsed.ico" + +IDI_COLLAPSED2 ICON "res\\Collapsed2.ico" + +IDI_EXPANDED ICON "res\\Expanded.ico" + +IDI_EXPANDED2 ICON "res\\Expanded2.ico" + IDI_CHECK ICON "res\\check.ico" IDI_RADIO ICON "res\\circle.ico" 
@@ -297,6 +201,129 @@ IDI_DATA ICON "res\\Data.ico" IDI_GLOBE ICON "res\\globe.ico" + +///////////////////////////////////////////////////////////////////////////// +// +// Menu +// + +IDR_MAINFRAME MENU +BEGIN + POPUP "&File" + BEGIN + MENUITEM "&Run As Administrator...", ID_FILE_RUNASADMINISTRATOR + MENUITEM SEPARATOR + MENUITEM "&New Window\tCtrl+N", ID_FILE_NEW + MENUITEM "&Open...\tCtrl+O", ID_FILE_OPEN + MENUITEM "Open in a &New Window...", 32781 + MENUITEM "&Save...\tCtrl+S", ID_FILE_SAVE + MENUITEM "&Close", ID_FILE_CLOSE + MENUITEM SEPARATOR + POPUP "&Recent Files" + BEGIN + MENUITEM "(Empty)", ID_RECENTFILES_ + END + MENUITEM SEPARATOR + MENUITEM "E&xit", ID_APP_EXIT + END + POPUP "&Edit" + BEGIN + MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY + MENUITEM "&Paste\tCtrl+V", ID_EDIT_PASTE + END + POPUP "&View" + BEGIN + MENUITEM "&Find...\tCtrl+F", ID_EDIT_FIND + MENUITEM "Find &Next\tF3", ID_EDIT_FIND_NEXT + MENUITEM "Find &Previous\tShift+F3", ID_EDIT_FIND_PREVIOUS + MENUITEM SEPARATOR + MENUITEM "&Disassemble...", ID_VIEW_DISASSEMBLE + MENUITEM SEPARATOR + MENUITEM "&Status Bar", ID_VIEW_STATUS_BAR + END + POPUP "&PE" + BEGIN + MENUITEM "&Exports", ID_VIEW_EXPORTS + MENUITEM "&Imports", ID_VIEW_IMPORTS + MENUITEM "&Sections", ID_VIEW_SECTIONS + MENUITEM "&Directories", ID_VIEW_DIRECTORIES + MENUITEM "&Resources", ID_VIEW_RESOURCES + MENUITEM "&Manifest", ID_VIEW_MANIFEST + MENUITEM "&Version", ID_VIEW_VERSION + MENUITEM "&Debug", ID_VIEW_DEBUG + MENUITEM "Security", ID_PE_SECURITY + MENUITEM SEPARATOR + MENUITEM "Disassemble Entry Point", ID_PE_DISASSEMBLEENTRYPOINT + MENUITEM "Entire File in &Hex", ID_PE_ENTIREFILEINHEX + END + POPUP "&Options" + BEGIN + MENUITEM "&Always On Top", ID_OPTIONS_ALWAYSONTOP + MENUITEM "&Dark Mode", ID_OPTIONS_DARKMODE + MENUITEM "&Font...", ID_OPTIONS_FONT + MENUITEM "&Symbols...", ID_OPTIONS_SYMBOLS + END + POPUP "&Window" + BEGIN + MENUITEM "&Close\tCtrl+F4", ID_WINDOW_CLOSE + MENUITEM "Close &All", ID_WINDOW_CLOSE_ALL + MENUITEM 
"&New Window\tCtrl+N", ID_FILE_NEW + END + POPUP "&Help" + BEGIN + MENUITEM "&About Total PE...", ID_APP_ABOUT + MENUITEM SEPARATOR + MENUITEM "About &WIndows...", ID_HELP_ABOUTWINDOWS + END +END + +IDR_CONTEXT MENU +BEGIN + POPUP "general" + BEGIN + MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY + END + POPUP "bytesperline" + BEGIN + MENUITEM "8", ID_BYTESPERLINE_8 + MENUITEM "16", ID_BYTESPERLINE_16 + MENUITEM "24", ID_BYTESPERLINE_24 + MENUITEM "32", ID_BYTESPERLINE_32 + MENUITEM "48", ID_BYTESPERLINE_48 + MENUITEM "64", ID_BYTESPERLINE_64 + END + POPUP "icon" + BEGIN + MENUITEM "&Export...", ID_ICON_EXPORT + END + POPUP "export" + BEGIN + MENUITEM "&Disassemble...", ID_VIEW_DISASSEMBLE + MENUITEM SEPARATOR + MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY + END + POPUP "import" + BEGIN + MENUITEM "File Properties...", ID_IMPORT_FILEPROPERTIES + MENUITEM "&Go to File Location", ID_IMPORT_GOTOFILELOCATION + MENUITEM SEPARATOR + MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY + END + POPUP "hex" + BEGIN + MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY + MENUITEM "&Export...", ID_ICON_EXPORT + END + POPUP "assembly" + BEGIN + MENUITEM "&Copy\tCtrl+C", ID_EDIT_COPY + MENUITEM SEPARATOR + MENUITEM "Disassemble at the End", ID_ASSEMBLY_DISASSEMBLEATTHEEND + MENUITEM "Go to Address", ID_ASSEMBLY_GOTOADDRESS + END +END + + ///////////////////////////////////////////////////////////////////////////// // // Dialog @@ -366,8 +393,8 @@ END // VS_VERSION_INFO VERSIONINFO - FILEVERSION 0,6,1,0 - PRODUCTVERSION 0,6,1,0 + FILEVERSION 0,6,2,0 + PRODUCTVERSION 0,6,2,0 FILEFLAGSMASK 0x3fL #ifdef _DEBUG FILEFLAGS 0x1L 
@@ -384,12 +411,12 @@ BEGIN BEGIN VALUE "CompanyName", "Pavel Yosifovich" VALUE "FileDescription", "Total PE - PE Viewer" - VALUE "FileVersion", "0.6.1.0" + VALUE "FileVersion", "0.6.2.0" VALUE "InternalName", "TotalPE" VALUE "LegalCopyright", "©2022-2023 Pavel Yosifovich" VALUE "OriginalFilename", "TotalPE.exe" VALUE "ProductName", "Total PE" - VALUE "ProductVersion", "0.6.1.0" + VALUE "ProductVersion", "0.6.2.0" END END BLOCK "VarFileInfo" @@ -537,3 +564,14 @@ END ///////////////////////////////////////////////////////////////////////////// + +#ifndef APSTUDIO_INVOKED +///////////////////////////////////////////////////////////////////////////// +// +// Generated from the TEXTINCLUDE 3 resource. +// + + +///////////////////////////////////////////////////////////////////////////// +#endif // not APSTUDIO_INVOKED + diff --git a/TotalPE/TotalPE.vcxproj b/TotalPE/TotalPE.vcxproj index 6201045..d0a110f 100644 --- a/TotalPE/TotalPE.vcxproj +++ b/TotalPE/TotalPE.vcxproj @@ -78,6 +78,9 @@ false + + false + Use @@ -302,6 +305,7 @@ + @@ -311,6 +315,7 @@ +