Re: Dynamic Disassembler (determine main() location at runtime)



1. I would enumerate the sections in the image (PE header) and look for the
one with the lowest address that contains the IMAGE_SCN_MEM_EXECUTE
characteristic.
It appears this is the method which will work somewhat reliably
(however, one cannot use MEM_IMAGE).

I hate the thought of "brute forcing" a search starting at
SYSTEM_INFORMATION minimum and maximum address...

2. This information is available from processing the section header
corresponding to `.text'. Please note that there is no requirement that the
code section be named `.text', and there is furthermore no requirement that
there must only be one section with code. Also, there could be `dead space'
after the section for alignment reasons.
More bridges I have not crossed...

Please note that there is no requirement that the
code section be named `.text',
In this case, how does the loader/linker know the "executable"
segment?

Also, there could be `dead space'
after the section for alignment reasons.
I expect this. The current dead space seems to be 0x00 and 0xCC on
disk. Windows 2000 allocates Virtual Memory on 64KB boundaries for the
application (even though my current Intel x86 uses 4 KB pages). So, I
may see more dead space with a new BYTE fill character.

3. For the entrypoint address invoked by the loader, look at
`AddressOfEntryPoint' RVA field in the IMAGE_OPTIONAL_HEADER.
Interestingly, this seems to be placed at the 'End of the Executable'
in memory: startup code, then a CALL to an earlier area of the executable
(main, wmain, etc).

BTW, I don't see why you would care if there is a jump stub for main or not;
it is executable and will produce the same result regardless. The OS loader
certainly doesn't care.
A flag in the sand - it helps with the discovery/learning of what is
really going on. If I determine that in memory main() is located at
0x00401E20, and I'm working around 0x004182E6, I can probably say I'm
off the mark.

Jeff

On Feb 8, 12:09 pm, "Skywing [MVP]"
<skywing_NO_SP...@xxxxxxxxxxxxxxxxxxx> wrote:
1. I would enumerate the sections in the image (PE header) and look for the
one with the lowest address that contains the IMAGE_SCN_MEM_EXECUTE
characteristic.
2. This information is available from processing the section header
corresponding to `.text'. Please note that there is no requirement that the
code section be named `.text', and there is furthermore no requirement that
there must only be one section with code. Also, there could be `dead space'
after the section for alignment reasons.
3. For the entrypoint address invoked by the loader, look at
`AddressOfEntryPoint' RVA field in the IMAGE_OPTIONAL_HEADER. For other
functions, without them being exported, you would have to rely on either
debug symbols or code flow analysis.

BTW, I don't see why you would care if there is a jump stub for main or not;
it is executable and will produce the same result regardless. The OS loader
certainly doesn't care.

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

"Jeffrey Walton" <noloa...@xxxxxxxxx> wrote in message
news:1170891286.106224.274650@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi Ken,

... but you didn't really describe what problem you were having
other than listing some observations about how there might be a jump stub
for main (perhaps due to incremental linking)...
Basically, I desire three pieces of information. The 'in memory' is
the caveat:

* First code page in memory
* Size of .text section in memory
* Location of function main()

One - First code page in memory:
Open Question

Two - Size of .text section in memory
I _think_ this is the same as on disk (considering the padding I am
observing based on page size boundaries).

Three - Location of function
I _think_ I can find an arbitrary function (my example uses main())
whether in Debug or Release.

Any comments would be greatly appreciated.

Jeff

#include <windows.h>
#include <tchar.h>
#include <iostream>

// std::cout prints a wide _T() literal as a pointer under UNICODE, so pick
// the stream that matches the build (std::tcout does not exist).
#ifdef _UNICODE
#define tcout std::wcout
#else
#define tcout std::cout
#endif

int _tmain(int argc, _TCHAR* argv[])
{
    const UINT PATH_SIZE = 2 * MAX_PATH;
    TCHAR szFilename[ PATH_SIZE + 1 ] = { 0 };
    __try {
        /////////////////////////////////////////////////
        /////////////////////////////////////////////////
        if( 0 == GetModuleFileName( NULL, szFilename, PATH_SIZE ) )
        {
            tcout << _T("Error Retrieving Process Filename") << std::endl;
            __leave;
        }
        tcout << _T("File: ") << szFilename << std::endl << std::endl;
        /////////////////////////////////////////////////
        /////////////////////////////////////////////////
        PVOID pfnMain = (PVOID) &_tmain;
        tcout << _T("Original main(): ") << pfnMain << std::endl;
        /////////////////////////////////////////////////
        /////////////////////////////////////////////////
        {
            PBYTE pPossibleJump = static_cast<PBYTE>(pfnMain);
            BYTE opcode = *pPossibleJump;
            if( 0xE9 /* JMP rel32 */ != opcode )
            {
                tcout << _T("main() is not a jump opcode... No fixup applied");
                tcout << std::endl << std::endl;
            }
            else
            {
                // The rel32 displacement is signed; reading it as a LONG
                // resolves a backwards jump correctly on 64-bit builds too
                // (an unsigned DWORD only happens to work on 32-bit x86).
                LONG lJump = *( reinterpret_cast<PLONG>(pPossibleJump+1) );
                pfnMain = pPossibleJump + sizeof(opcode) + sizeof(lJump) + lJump;

                tcout << _T("main() is a jump opcode... fixup applied") << std::endl;
                tcout << _T("Calculated main() at ") << pfnMain;
                tcout << std::endl << std::endl;
            }
        }
        // ...
    }
    __except( EXCEPTION_EXECUTE_HANDLER ) {
        tcout << _T("Caught Exception") << std::endl;
    }
    return 0;
}

On Feb 7, 4:38 pm, "Skywing [MVP]"
<skywing_NO_SP...@xxxxxxxxxxxxxxxxxxx> wrote:
What is the exact problem that you are trying to solve here? Your post
makes sense, but you didn't really describe what problem you were having
other than listing some observations about how there might be a jump stub
for main (perhaps due to incremental linking)...

--
Ken Johnson (Skywing)
Windows SDK MVP
http://www.nynaeve.net

"Jeffrey Walton" <noloa...@xxxxxxxxx> wrote in message:
news:1170882501.458467.173940@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Hi All,

I apologize for the cross post (I hope three is not considered too
bad). I wanted to enlist help from the kernel folks, and the power
debuggers...

SNIP
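Ken's three answers (enumerate the section table for IMAGE_SCN_MEM_EXECUTE rather than trusting the name `.text`, take the size from that section header, read AddressOfEntryPoint from the optional header) and Jeff's E9 jump-stub check, pulled together as an added example that is not code from this thread. It parses a PE image in the layout the loader leaves it in memory, so it needs no Windows headers and runs anywhere; the image it parses is constructed inline as test data, and the names pe_parse, follow_rel32, build_sample_image and run_sample are mine, not anything from the SDK. Every header offset is bounds-checked before it is read, which is the part a parser pointed at untrusted or truncated images must not skip.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from winnt.h, so this builds without Windows headers. */
enum { IMAGE_DOS_SIGNATURE = 0x5A4D, IMAGE_NT_SIGNATURE = 0x4550, IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B,
       IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B, IMAGE_SCN_CNT_CODE = 0x20, IMAGE_SCN_MEM_EXECUTE = 0x20000000,
       IMAGE_SCN_MEM_READ = 0x40000000, SECTION_HEADER_SIZE = 40 };

typedef struct {       /* AddressOfEntryPoint; lowest MEM_EXECUTE section's VirtualAddress, VirtualSize, Name */
    uint32_t entry_rva, first_code_rva, first_code_size; char first_code_name[9];
} pe_info;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (uint32_t)rd16(p + 2) << 16; }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Parse a PE image as mapped in memory (sections at their VirtualAddress from `image`). Every
 * offset is checked against `size` before use: a truncated or hostile image can point anywhere. */
int pe_parse(const uint8_t *image, size_t size, pe_info *out)
{
    if (size < 0x40 || rd16(image) != IMAGE_DOS_SIGNATURE) return -1;
    uint32_t nt = rd32(image + 0x3C);                                  /* e_lfanew */
    if (nt > size - 24 || rd32(image + nt) != IMAGE_NT_SIGNATURE) return -1;
    const uint8_t *fh = image + nt + 4, *oh = fh + 20;                 /* IMAGE_FILE_HEADER, IMAGE_OPTIONAL_HEADER */
    uint16_t nsec = rd16(fh + 2), opt_size = rd16(fh + 16);
    if (opt_size < 20 || opt_size > size - nt - 24) return -1;
    if (rd16(oh) != IMAGE_NT_OPTIONAL_HDR32_MAGIC && rd16(oh) != IMAGE_NT_OPTIONAL_HDR64_MAGIC) return -1;
    memset(out, 0, sizeof *out);
    out->entry_rva = rd32(oh + 16);                                    /* same offset in PE32 and PE32+ */
    const uint8_t *sh = oh + opt_size;                                 /* section table follows the optional header */
    if ((size - (size_t)(sh - image)) / SECTION_HEADER_SIZE < (size_t)nsec) return -1;
    int found = 0;
    for (uint16_t i = 0; i < nsec; i++, sh += SECTION_HEADER_SIZE) {
        uint32_t vsize = rd32(sh + 8), va = rd32(sh + 12), flags = rd32(sh + 36);
        if (vsize == 0) vsize = rd32(sh + 16);                         /* VirtualSize 0 (old linkers): use SizeOfRawData */
        if (va > size || vsize > size - va) return -1;                 /* section extends past the image */
        if (!(flags & IMAGE_SCN_MEM_EXECUTE)) continue;
        if (!found || va < out->first_code_rva) {                      /* lowest executable section, whatever its name */
            found = 1; out->first_code_rva = va; out->first_code_size = vsize;
            memcpy(out->first_code_name, sh, 8);                       /* Name[8] carries no NUL when all 8 are used */
        }
    }
    return found ? 0 : -1;
}

/* If the byte at `rva` is a 5-byte rel32 JMP (E9) or CALL (E8), return the RVA it transfers to,
 * else `rva` unchanged. Unsigned 32-bit wraparound equals a signed add, so backward jumps work. */
uint32_t follow_rel32(const uint8_t *image, size_t size, uint32_t rva)
{
    if (rva > size || size - rva < 5 || (image[rva] != 0xE9 && image[rva] != 0xE8)) return rva;
    return rva + 5 + rd32(image + rva + 1);
}

static void put_section(uint8_t *sh, const char *name, uint32_t va, uint32_t vsize, uint32_t flags)
{   /* Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics */
    memcpy(sh, name, strlen(name)); wr32(sh + 8, vsize); wr32(sh + 12, va);
    wr32(sh + 16, vsize); wr32(sh + 20, va); wr32(sh + 36, flags);
}

/* Build a synthetic PE32 image laid out as the loader would map it (constructed test data, not a
 * real binary) mirroring the thread: a read-only section below the code, a code section not named
 * ".text", main reached through an incremental-link jump stub, and an entry point above main. */
size_t build_sample_image(uint8_t *buf, size_t cap)
{
    const size_t size = 0x3000;
    if (cap < size) return 0;
    memset(buf, 0xCC, size); memset(buf, 0, 0x1000);  /* int3 fill, like the dead space seen on disk */
    wr16(buf, IMAGE_DOS_SIGNATURE);
    wr32(buf + 0x3C, 0x80); wr32(buf + 0x80, IMAGE_NT_SIGNATURE);   /* e_lfanew -> "PE\0\0" */
    uint8_t *fh = buf + 0x84, *oh = fh + 20, *sh = oh + 224;
    wr16(fh + 2, 2); wr16(fh + 16, 224);              /* NumberOfSections, SizeOfOptionalHeader (PE32) */
    wr16(oh, IMAGE_NT_OPTIONAL_HDR32_MAGIC);
    wr32(oh + 16, 0x2100);                            /* AddressOfEntryPoint: the startup code */
    wr32(oh + 32, 0x1000);                            /* SectionAlignment */
    put_section(sh, ".rdata", 0x1000, 0x100, IMAGE_SCN_MEM_READ);
    put_section(sh + SECTION_HEADER_SIZE, "CODE", 0x2000, 0x200,
                IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ);
    buf[0x2000] = 0xE9; wr32(buf + 0x2001, 0x2010 - 0x2005);             /* stub: jmp 0x2010 */
    memcpy(buf + 0x2010, "\x55\x8B\xEC\x33\xC0\x5D\xC3", 7);             /* main: push ebp; mov ebp,esp; xor eax,eax; pop ebp; ret */
    buf[0x2100] = 0xE8; wr32(buf + 0x2101, (uint32_t)(0x2000 - 0x2105)); /* entry: call stub, backwards (negative rel32) */
    return size;
}

typedef struct { const uint8_t *image; size_t size; pe_info info; uint32_t call_target, main_rva; } sample_result;

/* Build the sample, parse it, then walk entry point -> CALL target -> jump stub target. NULL on failure. */
const sample_result *run_sample(void)
{
    static uint8_t image[0x3000]; static sample_result r;
    r.image = image; r.size = build_sample_image(image, sizeof image);
    if (pe_parse(image, r.size, &r.info) != 0) return NULL;
    r.call_target = follow_rel32(image, r.size, r.info.entry_rva);
    r.main_rva = follow_rel32(image, r.size, r.call_target);
    return &r;
}
```

run_sample() is the entry point; a main() that prints its fields is all that is needed to see the chain: the first executable section is "CODE" at RVA 0x2000 with VirtualSize 0x200, the entry point 0x2100 CALLs back to the stub at 0x2000, and the stub's E9 lands on main at 0x2010. On a live process, `image` is the module base that GetModuleHandle(NULL) returns and `size` is SizeOfImage from the optional header; subtract the base from &_tmain to get the RVA to hand to follow_rel32, and add it back to compare with what the debugger shows. A non-incremental build has no stub, and follow_rel32 then returns the RVA unchanged, which is exactly the "no fixup applied" branch in the posted code.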
