wisk / medusa

An open source interactive disassembler

Question: PE Function Symbols #23

Closed saeschdivara closed 9 years ago

saeschdivara commented 9 years ago

Hi, I wanted to know if symbols are the names of functions which are for now not analysed.

wisk commented 9 years ago

I'm not sure what you mean by symbol, medusa uses Label objects to associate an address with a name. Label embeds a Type which could be used by the Analyzer (see: Analyzer::DisassembleAllFunctionsTask::Run for instance).

Does this answer your question?

saeschdivara commented 9 years ago

So you are saying it is possible to implement, but as for now it is not? Meaning that debug information of the PE file is not used.

saeschdivara commented 9 years ago

I have seen that the analyser function for Windows is not yet implemented:

bool WindowsOperatingSystem::AnalyzeFunction(Document& rDoc, Address const& rAddress)
{
  return true;
}

wisk commented 9 years ago

Exactly, this method is reserved for the future to allow a specific analysis for a Windows function. For instance it could be used to track the use of SEH, which doesn't exist on other operating systems.

saeschdivara commented 9 years ago

SEH = ?

wisk commented 9 years ago

Structured Exception Handler; this mechanism is used to handle exceptions (e.g. invalid memory access, div by 0, int 3...) on the program side.

saeschdivara commented 9 years ago

Where can I find the header information of the PE file? Or better, do you store the information?

saeschdivara commented 9 years ago

Another question is: what do you analyse and what needs to be implemented?

wisk commented 9 years ago

It depends on what kind of information you are looking for:

At this time, TLS callbacks could be interesting since they act as an imported Label (called before the entrypoint). Stuff like resources, relocations, PE signature, mitigations... is not needed since it would not be handled by medusa. For instance relocation information is required to support image rebasing.

saeschdivara commented 9 years ago

Oh I think I found where my information would have lain, but it is empty:

  u32 PointerToSymbolTable;
  u32 NumberOfSymbols;

Both say 0 during debugging. So I assume that my exe file is not a debug version but has only their own information which they needed to store as strings... Or do I see something wrong? Or is the PeFileHeader not fully read?

wisk commented 9 years ago

Well, I never really looked at this part, so I could be wrong. I think these fields are kind of deprecated; nowadays executables store a link to a .pdb file in a specific structure which is stored in the data directory IMAGE_DIRECTORY_ENTRY_DEBUG. It means your executable doesn't embed debugging information itself. You should give it a try with official Microsoft executables, they usually include a link to a .pdb file which contains symbols (even if they are compiled in release mode). Usually executables compiled with Visual Studio include a full path to a .pdb (which may not be included), sometimes you have to rely on a symbol server (e.g. Microsoft executables, chrome...).
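The following is an added example, not medusa's code and not code from anyone in this thread. It shows, in one pass over a PE image, the three places discussed above: the COFF `PointerToSymbolTable` / `NumberOfSymbols` fields (usually 0 in a linked image), the CodeView "RSDS" record reached through `IMAGE_DIRECTORY_ENTRY_DEBUG` that carries the .pdb path, and the TLS callback array reached through `IMAGE_DIRECTORY_ENTRY_TLS`. Because no real executable is bundled here, `build_sample_pe()` constructs a minimal PE32+ image in memory with an assumed image base of 0x140000000, an assumed .pdb path `C:\build\example.pdb` and two assumed callback addresses; those values are illustrative only. Converting the TLS callback VAs back to file offsets assumes the image has not been rebased, which is exactly why relocation data would matter for a full implementation.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Optional

# Data directory indices and debug type from the PE/COFF specification
IMAGE_DIRECTORY_ENTRY_DEBUG = 6
IMAGE_DIRECTORY_ENTRY_TLS = 9
IMAGE_DEBUG_TYPE_CODEVIEW = 2


@dataclass
class PeInfo:
    pointer_to_symbol_table: int           # COFF symbol table, usually 0 in linked images
    number_of_symbols: int
    pdb_path: Optional[str] = None         # from the CodeView "RSDS" debug entry, if present
    pdb_age: Optional[int] = None
    tls_callbacks: List[int] = field(default_factory=list)  # virtual addresses


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table (no rebasing assumed)."""
    for vsize, va, rawsize, rawptr in sections:
        if va <= rva < va + max(vsize, rawsize):
            return rawptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def parse_pe(data: bytes) -> PeInfo:
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _m, nsec, _ts, ptr_sym, n_sym, opt_size, _ch = struct.unpack_from("<HHIIIHH", data, coff)
    info = PeInfo(ptr_sym, n_sym)

    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:    # PE32+: 64-bit ImageBase, directories start at +112
        is64, image_base = True, struct.unpack_from("<Q", data, opt + 24)[0]
        ndirs, dirs = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    elif magic == 0x10B:  # PE32: 32-bit ImageBase, directories start at +96
        is64, image_base = False, struct.unpack_from("<I", data, opt + 28)[0]
        ndirs, dirs = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section
    sections = [struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8) for i in range(nsec)]

    def directory(idx):
        return struct.unpack_from("<II", data, dirs + 8 * idx) if idx < ndirs else (0, 0)

    # Debug directory: each 28-byte entry may be a CodeView record holding the .pdb path
    dbg_rva, dbg_size = directory(IMAGE_DIRECTORY_ENTRY_DEBUG)
    if dbg_rva:
        base = _rva_to_offset(dbg_rva, sections)
        for i in range(dbg_size // 28):
            _c, _t, _mj, _mn, dtype, dsize, raw_rva, raw_ptr = struct.unpack_from("<IIHHIIII", data, base + 28 * i)
            if dtype != IMAGE_DEBUG_TYPE_CODEVIEW:
                continue
            raw = raw_ptr or _rva_to_offset(raw_rva, sections)
            if data[raw:raw + 4] == b"RSDS" and dsize > 24:   # "RSDS" + GUID(16) + age(4) + path
                info.pdb_age = struct.unpack_from("<I", data, raw + 20)[0]
                info.pdb_path = data[raw + 24:raw + dsize].split(b"\0", 1)[0].decode("utf-8", "replace")

    # TLS directory: AddressOfCallBacks (4th pointer-sized field) -> NULL-terminated VA array
    tls_rva, _ = directory(IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva:
        tls = _rva_to_offset(tls_rva, sections)
        ptr_fmt, ptr_size = ("<Q", 8) if is64 else ("<I", 4)
        callbacks_va = struct.unpack_from(ptr_fmt, data, tls + 3 * ptr_size)[0]
        if callbacks_va:
            off = _rva_to_offset(callbacks_va - image_base, sections)
            while (cb := struct.unpack_from(ptr_fmt, data, off)[0]) != 0:
                info.tls_callbacks.append(cb)
                off += ptr_size
    return info


def build_sample_pe(include_debug: bool = True) -> bytes:
    """Constructed minimal PE32+ image (not a real program): one .rdata section holding a
    CodeView RSDS entry (optional) and a TLS directory with two assumed callbacks."""
    image_base = 0x140000000                                   # assumed
    sec_rva, sec_raw, sec_size = 0x1000, 0x200, 0x200
    dbg_rva, cv_rva, tls_rva, cb_rva = 0x1000, 0x1020, 0x1080, 0x10C0
    body = bytearray(sec_size)
    cv = b"RSDS" + bytes(range(16)) + struct.pack("<I", 3) + b"C:\\build\\example.pdb\0"
    struct.pack_into("<IIHHIIII", body, dbg_rva - sec_rva, 0, 0, 0, 0, IMAGE_DEBUG_TYPE_CODEVIEW,
                     len(cv), cv_rva, sec_raw + (cv_rva - sec_rva))
    body[cv_rva - sec_rva:cv_rva - sec_rva + len(cv)] = cv
    struct.pack_into("<QQQQII", body, tls_rva - sec_rva, 0, 0, 0, image_base + cb_rva, 0, 0)
    struct.pack_into("<QQQ", body, cb_rva - sec_rva, image_base + 0x1234, image_base + 0x1300, 0)
    hdr = bytearray(sec_raw)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    coff = 0x44
    struct.pack_into("<HHIIIHH", hdr, coff, 0x8664, 1, 0, 0, 0, 240, 0x22)   # symbol fields are 0
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x20B)
    struct.pack_into("<Q", hdr, opt + 24, image_base)
    struct.pack_into("<I", hdr, opt + 108, 16)
    if include_debug:
        struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_DEBUG, dbg_rva, 28)
    struct.pack_into("<II", hdr, opt + 112 + 8 * IMAGE_DIRECTORY_ENTRY_TLS, tls_rva, 40)
    sec = opt + 240
    hdr[sec:sec + 8] = b".rdata\0\0"
    struct.pack_into("<IIII", hdr, sec + 8, sec_size, sec_rva, sec_size, sec_raw)
    return bytes(hdr) + bytes(body)


if __name__ == "__main__":
    print(parse_pe(build_sample_pe()))
    print(parse_pe(build_sample_pe(include_debug=False)))   # no RSDS record: pdb_path stays None
```

Running it against a real executable is just `parse_pe(open(path, "rb").read())`; a binary built without a PDB reference behaves like the `include_debug=False` case, which is the situation described above for a custom exe.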

saeschdivara commented 9 years ago

Ok, this means that I cannot find the information if I don't have a file which is very likely for a custom exe, right?

wisk commented 9 years ago

yep