Hatschi Posted December 9, 2020 Posted December 9, 2020 (edited) I'm trying to write my own PE reader and would like to get the size of an export function. But this information is not provided in the export directory of the PE header. How can I get the size? This must be possible somehow, for exampled dbghelp knows where the function starts and ends. I have the same problem when trying to parse a PDB file. I can get the actual offset of the public symbol but not its size. Any ideas? Edited December 9, 2020 by Hatschi
LCF-AT Posted December 9, 2020 Posted December 9, 2020 Hi, I think your on the wrong track.Never heard that the size of an function (Export) is stored into PE Header.So what do you think how that should be work without reading / having source?Of course I'am not sure for 100% anymore but I think you do think wrong in that case (otherwise I do).The PDB files is created by compiler who has the source to know all infos etc. Question is why you wanna get the size of an function and store them into your own PE Header as extra info?The info isnt stored into normal PE Header only basic information which can also be created / add by manually PE Header buildings or by PE Header tools etc.Size of an Ex-function isnt a basic info and also not necessary to find a place into PE Header somewhere (if so then I should know that from the past). As I said, not sure anymore since I dont reverse anymore (rusty) about that but lets see what the other memeber will say about that. PS: Otherwise just explain it some more in detail.You wanted to know this size right?Just made a example image... greetz 1
Hatschi Posted December 9, 2020 Author Posted December 9, 2020 (edited) Thanks for replying to me. I know that this information does not exist in the PE header. But for some reason dbghelp.dll is able to get this information. Dbghelp.dll is used by many applications to read symbol information. This includes tools like x64dbg and Cheat Engine. x64dbg won't show it but Cheat Engine does: PE Header only tells where RtlVirtualUnwind starts but CE (in fact, dbghelp.dll) knows where the functions ends. And tells CheatEngine that its function size is +0x4F. This becomes even more clear if you write your own dbhelp.dll wrapper. Because you can call: SymFromAddr on dbghelp.dll which returns the symbol + its offset. So if you call this on the address of "KERNEL32.RtlVirtualUnwind+41". It tells you that the symbol is "RtlVirtualUnwind" and its offset is +0x41. It can only do this by knowing the function size. But I haven't found the source of dbghelp.dll to see how its doing this. I thought maybe someone else might know this. //edit: Apart from that, calling SymEnumSymbols to enumerate the symbols returns SymbolInfo structs which SizeOfStruct field tells you the size of the function. And this works without pdb file and without internet connection. So where does it get this information from?! Edited December 9, 2020 by Hatschi
kao Posted December 9, 2020 Posted December 9, 2020 You are trying to adjust facts to match your theory. That's called wishful thinking. Don't do that. 23 minutes ago, Hatschi said: It can only do this by knowing the function size. It only knows address where function "A" starts. And it knows where the next function (call it "B") starts. All addresses between start of "A" and start of "B" are *assumed* to belong to function "A". If function consists of several blocks, dbghelp.dll can locate only 1st block of the function, and the rest will not have proper names. One example would be CreateProcessInternalW in 64bit Win7 / 64bit Win10 1809 (and probably other builds). 37 minutes ago, Hatschi said: SymEnumSymbols to enumerate the symbols returns SymbolInfo structs which SizeOfStruct field tells you the size of the function. And this works without pdb file and without internet connection. It. Does. Not. And MSDN specifically tells you that. 1) SYMBOL_INFO field "SizeOfStruct" is size of the returned SYMBOL_INFO structure and has absolutely nothing to do with the size of the function. 2) If you meant SYMBOL_INFO field called "Size", then MSDN helpfully explains this: Quote Size The symbol size, in bytes. This value is meaningful only if the module symbols are from a pdb file; otherwise, this value is typically zero and should be ignored. And finally, if you meant parameter SymbolSize passed to SymEnumSymbols callback, Quote SymbolSize The size of the symbol, in bytes. The size is calculated and is actually a guess. In some cases, this value can be zero. 3
Shlomo Posted December 10, 2020 Posted December 10, 2020 I want to learn hacking, this is very useful
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now