/// <summary>
/// Applies the <c>ComRegData</c> layout at the record's image address, then
/// walks the attached registration entries and names each one <c>Com_&lt;Name&gt;</c>.
/// </summary>
/// <param name="entity">Parsed COM registration data; <c>null</c> is ignored.</param>
void ReadComRegData(ComRegData entity)
{
    if (entity == null)
    {
        return;
    }

    KernelWin.WriteLine("正在处理COM数据 {0}", typeof(ComRegData).Name);

    UInt32 recordEa = (UInt32)entity.Address + ImageBase;
    VBStruct.Make<ComRegData>(entity, recordEa, true);

    // Stop here when no registration entries were parsed.
    Boolean hasEntries = entity.RegInfo2 != null && entity.RegInfo2.Length > 0;
    if (!hasEntries)
    {
        return;
    }

    foreach (ComRegInfo item in entity.RegInfo2)
    {
        // item.Name is presumably taken from the analysed file; it is logged and
        // used as a database name without any filtering in this method.
        KernelWin.WriteLine("COM组件 {0}", item.Name);

        Int32 entryEa = (Int32)(item.Address + ImageBase);

        // NOTE(review): the structure is applied at the parent record's address,
        // not at entryEa, while the name below goes to entryEa. Confirm whether
        // VBStruct.Make ignores this argument or whether entryEa was intended.
        VBStruct.Make<ComRegInfo>(item, recordEa, true);
        Bytes.MakeNameAnyway((UInt32)entryEa, "Com_" + item.Name);
    }
}
/// <summary>
/// Names every public object descriptor of an object table and descends into
/// its object info, optional object info and procedure names.
/// </summary>
/// <param name="entity">Object table whose <c>Objects</c> are processed; nothing
/// happens when it is <c>null</c> or has no objects.</param>
void ReadPublicObjectDescriptor(ObjectTable entity)
{
    Boolean hasObjects = entity != null && entity.Objects != null && entity.Objects.Length > 0;
    if (!hasObjects)
    {
        return;
    }

    KernelWin.WriteLine("正在处理 {0}", typeof(PublicObjectDescriptor).Name);

    UInt32 tableEa = (UInt32)entity.Object + ImageBase;
    foreach (PublicObjectDescriptor item in entity.Objects)
    {
        KernelWin.WriteLine("对象 {0}", item.Name);

        Int32 itemEa = (Int32)(item.Address + ImageBase);

        // NOTE(review): every descriptor is applied at tableEa rather than at
        // itemEa, although the name is attached to itemEa. Confirm against
        // VBStruct.Make whether that is intended.
        VBStruct.Make<PublicObjectDescriptor>(item, tableEa, true);
        Bytes.MakeNameAnyway((UInt32)itemEa, item.Name);

        // Per-object children: object info, optional info, then procedure names.
        ReadObjectInfo(item.ObjectInfo2, item);
        ReadOptionalObjectInfo(item.OptionalObjectInfo, item);
        ReadProcName(item);
    }
}
/// <summary>
/// Applies and names every GUI table entry of the header as
/// <c>GUITable_XX</c>, where XX is the zero-based index in hexadecimal.
/// </summary>
/// <param name="header">Parsed VB header; ignored when <c>null</c> or when it
/// carries no GUI tables.</param>
void ReadGUITable(VBHeader header)
{
    Boolean hasTables = header != null && header.GUITables != null && header.GUITables.Length > 0;
    if (!hasTables)
    {
        return;
    }

    KernelWin.WriteLine("正在处理界面 {0}", typeof(GUITable).Name);

    // Unlike the per-entry address below, ImageBase is not added here.
    UInt32 tableEa = (UInt32)header.GUITable;

    for (int index = 0; index < header.GUITables.Length; index++)
    {
        GUITable item = header.GUITables[index];
        String label = "GUITable_" + index.ToString("X2");
        KernelWin.WriteLine("界面 {0}", label);

        UInt32 itemEa = (UInt32)(item.Address + ImageBase);

        // NOTE(review): the structure goes to tableEa for every entry while the
        // name goes to itemEa. Confirm whether itemEa was meant here.
        VBStruct.Make<GUITable>(item, tableEa, true);
        Bytes.MakeNameAnyway(itemEa, label);
    }
}
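/// <summary>
/// Applies every external (imported) table entry of the project and names it
/// <c>&lt;library&gt;_&lt;function&gt;</c>.
/// </summary>
/// <param name="entity">Project info whose <c>ExternalTables</c> are processed;
/// ignored when <c>null</c> or when the table is empty.</param>
void ReadExternalTable(ProjectInfo entity)
{
    if (entity == null || entity.ExternalTables == null || entity.ExternalTables.Length <= 0)
    {
        return;
    }

    KernelWin.WriteLine("正在处理 {0}", typeof(ExternalTable).Name);

    UInt32 address = (UInt32)entity.ExternalTable + ImageBase;
    foreach (ExternalTable item in entity.ExternalTables)
    {
        Int32 addr = (Int32)(item.Address + ImageBase);

        // NOTE(review): the structure is applied at the table address for every
        // entry while the name goes to addr. Confirm whether addr was intended.
        VBStruct.Make<ExternalTable>(item, address, true);

        // The table is parsed from the analysed file, so an entry may lack a
        // resolved library descriptor. Skip naming it rather than let a
        // NullReferenceException abort the rest of the analysis.
        if (item.ExternalLibrary2 == null)
        {
            continue;
        }

        Bytes.MakeNameAnyway(
            (UInt32)addr,
            String.Format("{0}_{1}", item.ExternalLibrary2.LibraryName2, item.ExternalLibrary2.LibraryFunction2));
    }
}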
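/// <summary>
/// Double-click handler for the tree view: jumps to the image address of the
/// entity stored in the selected node's <c>Tag</c>.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void treeView1_DoubleClick(object sender, EventArgs e)
{
    if (!IsIDA || treeView1.SelectedNode == null)
    {
        return;
    }

    EntityBase2 entity = treeView1.SelectedNode.Tag as EntityBase2;

    // Info is dereferenced below; an entity without it cannot be resolved.
    if (entity == null || entity.Address <= 0 || entity.Info == null)
    {
        return;
    }

    long address = entity.Address + entity.Info.ImageBase;
    KernelWin.WriteLine("跳:0x{0:X}", address);

    // The offset comes from the parsed file. Reject sums that do not fit in
    // 32 bits, because the cast below would otherwise wrap silently and jump
    // to an unrelated address.
    if (address > 0 && address <= UInt32.MaxValue)
    {
        KernelWin.Jump((UInt32)address);
    }
}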
/// <summary>
/// Double-click handler for the list view: jumps to the start address of the
/// currently selected function, if there is one.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void listView1_DoubleClick(object sender, EventArgs e)
{
    Function selected = GetSelected();
    if (selected != null)
    {
        KernelWin.Jump(selected.Start);
    }
}
/// <summary>
/// Undefines <c>ObjectSize</c> bytes at <paramref name="address"/> and then
/// applies the structure <paramref name="st"/> there.
/// </summary>
/// <typeparam name="TEntity">Entity type whose <c>ObjectSize</c> gives the
/// number of bytes to cover.</typeparam>
/// <param name="address">Address at which the structure is created.</param>
/// <param name="st">Structure definition; its <c>ID</c> and <c>Name</c> are used.</param>
/// <returns><c>true</c> when <c>Bytes.MakeStruct</c> succeeds; otherwise
/// <c>false</c>, after logging the failure.</returns>
public static Boolean MakeStruct<TEntity>(Int32 address, Struct st) where TEntity : EntityBase<TEntity>, new()
{
    // Clear whatever is currently defined over the range before applying the struct.
    Bytes.MakeUnknown((UInt32)address, (UInt32)EntityBase<TEntity>.ObjectSize, 0);

    if (Bytes.MakeStruct(address, EntityBase<TEntity>.ObjectSize, (UInt32)st.ID))
    {
        return true;
    }

    KernelWin.WriteLine("为 地址0x{0:X} 类型{1} 创建结构体 {2} 失败!", address, typeof(TEntity), st.Name);
    return false;
}
/// <summary>
/// Applies the <c>ProjectInfo2</c> layout at the entity's image address.
/// </summary>
/// <param name="entity">Parsed secondary project info; <c>null</c> is ignored.</param>
void ReadProjectInfo2(ProjectInfo2 entity)
{
    if (entity != null)
    {
        KernelWin.WriteLine("正在处理 {0}", typeof(ProjectInfo2).Name);

        UInt32 targetEa = (UInt32)entity.Address + ImageBase;
        VBStruct.Make<ProjectInfo2>(entity, targetEa, true);
    }
}
/// <summary>
/// Menu handler that runs <c>FixASPToDll</c> on a thread-pool thread and logs
/// any exception it throws instead of letting it escape the worker.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void 修正ASPDLLToolStripMenuItem_Click(object sender, EventArgs e)
{
    // NOTE(review): FixASPToDll calls KernelWin/Search from a pool thread;
    // confirm the host API may be used off the UI thread.
    WaitCallback work = delegate(Object state)
    {
        try
        {
            FixASPToDll();
        }
        catch (Exception ex)
        {
            KernelWin.WriteLine(ex.ToString());
        }
    };

    ThreadPool.QueueUserWorkItem(work);
}
/// <summary>
/// Applies the <c>ObjectTable</c> layout at its image address, then processes
/// the linked secondary project info and the public object descriptors.
/// </summary>
/// <param name="entity">Parsed object table; <c>null</c> is ignored.</param>
void ReadObjectTable(ObjectTable entity)
{
    if (entity != null)
    {
        KernelWin.WriteLine("正在处理 {0}", typeof(ObjectTable).Name);

        UInt32 tableEa = (UInt32)entity.Address + ImageBase;
        VBStruct.Make<ObjectTable>(entity, tableEa, true);

        // Children are handled after the table itself has been applied.
        ReadProjectInfo2(entity.ProjectInfo22);
        ReadPublicObjectDescriptor(entity);
    }
}
/// <summary>
/// Applies the <c>ProjectInfo</c> layout, labels the four code-related
/// addresses it carries, and then processes the external table and the
/// object table.
/// </summary>
/// <param name="entity">Parsed project info; <c>null</c> is ignored.</param>
void ReadProjectInfo(ProjectInfo entity)
{
    if (entity == null)
    {
        return;
    }

    KernelWin.WriteLine("正在处理工程信息 {0}", typeof(ProjectInfo).Name);

    UInt32 infoEa = (UInt32)entity.Address + ImageBase;
    VBStruct.Make<ProjectInfo>(entity, infoEa, true);

    // These four fields are used as addresses directly, without adding
    // ImageBase. The values come from the parsed structure and are not
    // range-checked in this method.
    Bytes.MakeLabelAnyway((UInt32)entity.StartOfCode, "StartOfCode");
    Bytes.MakeLabelAnyway((UInt32)entity.EndOfCode, "EndOfCode");
    Bytes.MakeLabelAnyway((UInt32)entity.VBAExceptionHandler, "VBAExceptionHandler");
    Bytes.MakeLabelAnyway((UInt32)entity.NativeCode, "NativeCode");

    ReadExternalTable(entity);
    ReadObjectTable(entity.ObjectTable2);
}
/// <summary>
/// Applies every external component table entry at its own image address and
/// names it <c>Ext_&lt;Name2&gt;</c>.
/// </summary>
/// <param name="header">Parsed VB header; ignored when <c>null</c> or when it
/// carries no external component tables.</param>
void ReadExternalComponentTable(VBHeader header)
{
    Boolean hasComponents = header != null
        && header.ExternalComponentTables != null
        && header.ExternalComponentTables.Length > 0;
    if (!hasComponents)
    {
        return;
    }

    KernelWin.WriteLine("正在处理外部组件 {0}", typeof(ExternalComponentTable).Name);

    // Computed as in the original but not used afterwards: each entry is
    // applied at its own address.
    UInt32 address = (UInt32)header.ExternalComponentTable;

    foreach (ExternalComponentTable item in header.ExternalComponentTables)
    {
        KernelWin.WriteLine("外部组件 {0}", item.Name2);

        UInt32 itemEa = (UInt32)(item.Address + ImageBase);
        VBStruct.Make<ExternalComponentTable>(item, itemEa, true);
        Bytes.MakeNameAnyway(itemEa, "Ext_" + item.Name2);
    }
}
/// <summary>
/// Applies the already-parsed VB header at <c>Header</c> and then processes
/// the project info, COM registration data, GUI tables and external
/// component tables reachable from it.
/// </summary>
/// <param name="reader">Not used by the current implementation; the header is
/// taken from <c>HeaderInfo</c>.</param>
void ReadHeader(BinaryReader reader)
{
    KernelWin.WriteLine("正在处理头部 {0}", typeof(VBHeader).Name);

    // NOTE(review): vbHeader is dereferenced below without a null check;
    // confirm HeaderInfo is always populated before this is called.
    VBHeader vbHeader = HeaderInfo;
    UInt32 headerEa = Header;

    VBStruct.Make<VBHeader>(vbHeader, headerEa, true);

    ReadProjectInfo(vbHeader.ProjectInfo2);
    ReadComRegData(vbHeader.ComRegisterData2);
    ReadGUITable(vbHeader);
    ReadExternalComponentTable(vbHeader);
}
/// <summary>
/// Button handler that prints every known IDC function with its argument
/// types and flags to the output window.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void button2_Click(object sender, EventArgs e)
{
    List<IDCFunction> functions = IDCFunction.FindAll();
    Boolean hasFunctions = functions != null && functions.Count > 0;
    if (!hasFunctions)
    {
        return;
    }

    foreach (IDCFunction item in functions)
    {
        // Build " type1 type2 ..." (each entry prefixed by a space).
        String argText = "";
        if (item.Args != null && item.Args.Count > 0)
        {
            foreach (IDCValueTypes elm in item.Args)
            {
                argText = argText + " " + elm;
            }
        }

        KernelWin.Msg("{0} {1} Flags={2}\n", item.Name, argText, item.Flag);
    }
}
/// <summary>
/// Rebuilds <c>Imports</c> by scanning backwards from the entry point in
/// 6-byte steps for <c>FF 25</c> (indirect <c>jmp</c>) thunks and recording the
/// name of each thunk's target.
/// </summary>
/// <param name="reader">Reader over the analysed file, positioned by
/// <c>Seek</c> before two 32-bit values are read.</param>
public void ReadImportTable(BinaryReader reader)
{
    // NOTE(review): assuming PEoffset is the PE signature offset of a PE32
    // image, +0xD8 is data-directory entry 12 (import address table), so the
    // two reads are its RVA and size. Confirm.
    Seek(reader, PEoffset + 0xD8);
    UInt32 lowerBound = reader.ReadUInt32() + reader.ReadUInt32() - 1 + ImageBase;

    Imports = new Dictionary<uint, string>();

    // Both scan bounds come from the analysed file. "ea <= PEEntry" also
    // stops the loop if the unsigned subtraction wraps around.
    UInt32 ea = PEEntry - 6;
    while (ea <= PEEntry && ea > lowerBound)
    {
        // FF 25 imm32 is "jmp dword ptr [imm32]".
        Boolean isIndirectJmp = (Bytes.Byte(ea) == 0xFF) && (Bytes.Byte(ea + 1) == 0x25);
        if (isIndirectJmp)
        {
            String name = Bytes.GetTrueName(Bytes.Dword(ea + 2));
            Imports.Add(ea, name);
            KernelWin.WriteLine("MakeLabel 0x{0:X} {1}", ea, name);
        }

        ea -= 6;
    }
}
/// <summary>
/// Reads the basic image information through <c>VBInfo.Current</c> and prints
/// the image base, entry point, VB header address and VB signature.
/// </summary>
/// <returns><c>true</c> when the information was read; <c>false</c> when any
/// exception was thrown (the exception text is logged).</returns>
public bool Init()
{
    try
    {
        VBInfo info = VBInfo.Current;
        info.Reader = FileReader;
        info.ReadInfo(FileReader);

        KernelWin.WriteLine("镜像基址:0x{0:X}", info.ImageBase);
        KernelWin.WriteLine(" 入口:0x{0:X}", info.PEEntry);
        KernelWin.WriteLine(" VB头:0x{0:X}", info.Header);
        KernelWin.WriteLine(" VB签名:0x{0:X}", info.VBSig);

        return true;
    }
    catch (Exception ex)
    {
        // Any failure while reading the file is reported, not rethrown.
        KernelWin.WriteLine(ex.ToString());
        return false;
    }
}
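/// <summary>
/// Menu handler that runs the full VB structure analysis
/// (<c>VBInfo.Current.ReadBody</c>) and reports completion.
/// </summary>
/// <param name="sender">Event source (unused).</param>
/// <param name="e">Event data (unused).</param>
private void 创建VB头结构体ToolStripMenuItem_Click(object sender, EventArgs e)
{
    // ReadBody walks structures parsed from the analysed file. Log a failure
    // instead of letting it escape the UI event handler.
    try
    {
        VBInfo.Current.ReadBody(VBInfo.Current.Reader);
        KernelWin.WriteLine("分析完成!");
    }
    catch (Exception ex)
    {
        KernelWin.WriteLine(ex.ToString());
    }
}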
/// <summary>
/// Searches the database for the text <c>AspToDllLog</c>, falling back to
/// <c>\AspToDllLog.Log</c>, and prints the address that was found.
/// </summary>
/// <remarks>
/// The method returns right after printing the hit, so the cross-reference
/// walk that follows is currently unreachable.
/// </remarks>
void FixASPToDll()
{
    String needle = @"AspToDllLog";
    KernelWin.WriteLine("正在查找{0}", needle);
    UInt32 address = Search.FindTextDown(0, needle);
    KernelWin.WriteLine("0x{0:X8}", address);

    if (address == Bytes.BadAddress)
    {
        // Fallback: look for the log file name instead.
        needle = @"\AspToDllLog.Log";
        KernelWin.WriteLine("正在查找{0}", needle);
        address = Search.FindTextDown(0, needle);
        KernelWin.WriteLine("0x{0:X8}", address);

        if (address == Bytes.BadAddress)
        {
            KernelWin.WriteLine("无法找到!");
            return;
        }
    }

    KernelWin.WriteLine("0x{0:X8}", address);

    // NOTE(review): this unconditional return disables everything below;
    // kept as in the original. Confirm whether the rest is work in progress.
    return;

    // Find the first reference.
    address = Ref.GetFirstDataRefFrom(address);
    KernelWin.WriteLine("0x{0:X8}", address);
    if (address == Bytes.BadAddress)
    {
        return;
    }
    KernelWin.WriteLine("0x{0:X8}", address);

    // Find the containing function.
    Function owner = Function.FindByAddress(address);
    if (owner == null)
    {
        return;
    }

    address = Ref.GetFirstDataRefFrom(owner.Start);
    KernelWin.WriteLine("GetFirstDataRefFrom 0x{0:X8}", address);
    while (address != Bytes.BadAddress)
    {
        KernelWin.WriteLine("0x{0:X8}", address);

        // Handle this reference.
        Function target = Function.FindByAddress(address);
        if (target != null)
        {
            KernelWin.WriteLine(target.Name);
        }

        // Advance to the next reference.
        address = Ref.GetNextDataRefFrom(owner.Start, address);
    }
}
/// <summary>
/// Writes a formatted message followed by a line break through
/// <c>KernelWin.Msg</c>.
/// </summary>
/// <param name="format">Format string; the platform newline is appended.</param>
/// <param name="args">Arguments forwarded unchanged to <c>KernelWin.Msg</c>.</param>
private static void WriteLine(String format, params Object[] args)
{
    String line = format + Environment.NewLine;
    KernelWin.Msg(line, args);
}
/// <summary>
/// Applies the optional object info of an object, names its controls and event
/// links, and for each event link follows the jump stub to name (and if
/// necessary create) the handler function.
/// </summary>
/// <param name="entity">Parsed optional object info; <c>null</c> is ignored.</param>
/// <param name="parent">Owning object descriptor; its <c>Name</c> and
/// <c>ProcNames</c> are used to build the names.</param>
void ReadOptionalObjectInfo(OptionalObjectInfo entity, PublicObjectDescriptor parent)
{
    if (entity == null)
    {
        return;
    }

    UInt32 ea = (UInt32)entity.Address + ImageBase;
    VBStruct.Make<OptionalObjectInfo>(entity, ea, true);
    Bytes.MakeNameAnyway((UInt32)ea, "OptInf_" + parent.Name);

    // Controls: a single control is named after the parent only, several
    // controls get their own Name2 as a suffix.
    if (entity.Controls != null && entity.Controls.Length > 0)
    {
        if (entity.Controls.Length == 1)
        {
            VBControl only = entity.Controls[0];
            ea = (UInt32)only.Address + ImageBase;
            VBStruct.Make<VBControl>(only, ea, true);
            Bytes.MakeNameAnyway((UInt32)ea, "Control_" + parent.Name);
        }
        else
        {
            foreach (VBControl item in entity.Controls)
            {
                ea = (UInt32)item.Address + ImageBase;
                VBStruct.Make<VBControl>(item, ea, true);
                Bytes.MakeNameAnyway((UInt32)ea, "Control_" + parent.Name + "_" + item.Name2);
            }
        }
    }

    if (entity.EventLinks == null || entity.EventLinks.Length <= 0)
    {
        return;
    }

    // One-based ordinal of the event link; also indexes parent.ProcNames (ordinal - 1).
    Int32 ordinal = 1;
    foreach (EventLink2 item in entity.EventLinks)
    {
        ea = (UInt32)item.Address + ImageBase;
        VBStruct.Make<EventLink2>(item, ea, true);

        // Name for the event-list entry: the procedure's friendly name when
        // available, otherwise the ordinal in hexadecimal.
        String name = String.Empty;
        if (parent.ProcNames != null && parent.ProcNames.Length > ordinal - 1)
        {
            name = parent.Name + "_" + parent.ProcNames[ordinal - 1].FriendName;
        }
        if (String.IsNullOrEmpty(name))
        {
            name = parent.Name + "_" + ordinal.ToString("X2");
        }
        ordinal++;

        Bytes.MakeNameAnyway((UInt32)ea, "Event_" + name);

        // Name the jump stub and mark it as code.
        // NOTE(review): item.Jump comes from the parsed structure and is used
        // as an address without any range check in this method; the function
        // bounds below are then changed based on it.
        ea = (UInt32)item.Jump;
        Bytes.MakeNameAnyway(ea, "j" + name);
        Bytes.MakeCode(ea);

        // Only an E9 (near jmp rel32) stub is followed to the handler.
        if (Bytes.Byte(ea) != 0xE9)
        {
            continue;
        }

        // Target = displacement + address of the next instruction (stub + 5).
        ea = Bytes.Dword(ea + 1) + ea + 5;

        Function func = Function.FindByAddress(ea);
        if (func == null)
        {
            // No function covers the target yet: create one.
            Function.Add(ea, Bytes.BadAddress);
            func = Function.FindByAddress(ea);
        }
        else if (func.Start != ea)
        {
            // A function covers the target but starts elsewhere: cut it short
            // just before the target and start a new function there.
            func.End = ea - 1;
            Function.Add(ea, Bytes.BadAddress);
            func = Function.FindByAddress(ea);
        }

        if (func != null)
        {
            Bytes.MakeLabelAnyway(ea, name);
        }
        else
        {
            KernelWin.WriteLine("0x{0:X} 创建函数失败!", ea);
        }
    }
}
/// <summary>
/// Writes <paramref name="msg"/> followed by a line break through
/// <c>KernelWin.Msg</c>.
/// </summary>
/// <param name="msg">Text to print; the platform newline is appended.</param>
private static void WriteLine(String msg)
{
    // NOTE(review): msg is passed as the first (format) argument. If Msg
    // interprets format specifiers, text taken from the analysed file (for
    // example a function name) should go through the format overload as an
    // argument. Confirm against KernelWin.Msg.
    String line = msg + Environment.NewLine;
    KernelWin.Msg(line);
}