public string getCallArgumentString(List <int> rows)
{
// Generates a merged argument string for the specified call rows.
if (rows.Any() && dataVis != null)
{
// Sort the rows, arguments will be displayed in call order
rows.Sort();
// Check the first datapoint
oSingleData datapoint = dataVis.getData(rows[0]);
if (datapoint == null)
{
return(string.Empty);
}
if (oFunctionMaster.destinationToFunction.ContainsKey(datapoint.destination))
{
// Loop through, printing the calls
string result = "";
for (int i = 0; i < rows.Count; i++)
{
datapoint = dataVis.getData(rows[i]);
oFunction function = ((oFunction)oFunctionMaster.destinationToFunction[datapoint.destination]);
result = result + datapoint.source.ToString("X") + " -> " + datapoint.destination.ToString("X") + Environment.NewLine + function.getArgumentString(datapoint).toString() + Environment.NewLine + Environment.NewLine;
}
// Finished merging
return(result.Trim());
}
return("ERROR: The function corresponding to address " + datapoint.destination.ToString("X") + " was not found.");
}
return("");
}
public bool isStackGood(oSingleData call)
{
if (addressRange.firstValue is uint)
{
// See if one of the calls satisfies this short range
return(call.esp >= (uint)addressRange.firstValue && call.esp <= (uint)addressRange.secondValue);
}
return(false);
}
public bool isFunctionAddress(oSingleData call)
{
if (call.destination == functionAddress)
{
return(true);
}
{
return(false);
}
}
public bool isArgumentGood(oSingleData call)
{
if (type == 1)
{
return(oMemoryFunctions.LookupAddressInMap(map, (uint)call.source).heapAddress !=
oMemoryFunctions.LookupAddressInMap(map, (uint)call.destination).heapAddress);
}
return(oMemoryFunctions.LookupAddressInMap(map, (uint)call.source).heapAddress ==
oMemoryFunctions.LookupAddressInMap(map, (uint)call.destination).heapAddress);
}
public bool fillOutHeapsStack(oSingleData call)
{
// Check to see if this is already in the heaps list
HEAP_INFO heap = oMemoryFunctions.LookupAddressInMap(oProcess.map, call.esp);
if (selectedHeaps.Contains(heap.heapAddress))
{
return(false);
}
selectedHeaps.Add(heap.heapAddress, heap);
return(false);
}
public bool hasDereferenceBinaryMatch(oSingleData call)
{
if (data.Length == 0)
{
return(true);
}
for (int i = 0; i < call.dereferences.Count(); i++)
{
// Ask the dereference if it is a match
if (call.dereferences[i].isBinaryMatch(data, onlyStartWith))
{
return(true);
}
}
return(false); // No derference match found
}
public bool hasDereferenceStringMatch(oSingleData call)
{
if (textMatch.Length == 0)
{
return(true);
}
for (int i = 0; i < call.dereferences.Count(); i++)
{
// Ask the dereference if it is a match
if (call.dereferences[i].isStringMatch(textMatch, caseSensitive))
{
return(true);
}
}
return(false); // No derference match found
}
/// <summary>
/// This generates the argument string based on the calling convention of this
/// function. It truncates the arguments at around the specified pixel width of the column.
/// </summary>
/// <param name="callRecording"></param>
/// <param name="columnWidth"></param>
/// <returns></returns>
public ARGUMENT_STRING_COLLECTION getArgumentString(oSingleData callRecording, int columnWidth, Font font)
{
// Get the argument string collection
ARGUMENT_STRING_COLLECTION arguments = getArgumentString(callRecording);
// Truncate the string values to approximately the right size
for (int i = 0; i < arguments.values.Count; i++)
{
// Test the indexTooLong value
string value = arguments.values[i];
string name = arguments.names[i];
Size size = TextRenderer.MeasureText(name + "=" + value, font);
if (size.Width > columnWidth - 2 && value.Length > 5)
{
// Too long of a string
int indexTooLong = value.Length;
int indexTooShort = 0;
// Make our next guess, that will reduce the set in half
int guess = (indexTooLong - indexTooShort) / 2 + indexTooShort; // Rounding down is nice.
while (guess != indexTooShort)
{
// Test this guess length
if (TextRenderer.MeasureText(name + "=" + value.Substring(0, guess) + "...", font).Width > columnWidth - 2)
{
indexTooLong = guess;
}
else
{
indexTooShort = guess;
}
// Make the next guess
guess = (indexTooLong - indexTooShort) / 2 + indexTooShort;
}
// We found the prefect length that is just shorter than the column width with the "..."
arguments.values[i] = value.Substring(0, guess) + "...";
}
}
return(arguments);
}
public bool isArgumentGood(oSingleData call)
{
if (call.arguments.Length > 0)
{
if (argumentRange.firstValue is byte)
{
// See if one of the calls satisfies this byte range
if ((call.eax & 0xff) >= (byte)argumentRange.firstValue && (call.eax & 0xff) <= (byte)argumentRange.secondValue)
{
return(true);
}
if ((call.ecx & 0xff) >= (byte)argumentRange.firstValue && (call.ecx & 0xff) <= (byte)argumentRange.secondValue)
{
return(true);
}
if ((call.edx & 0xff) >= (byte)argumentRange.firstValue && (call.edx & 0xff) <= (byte)argumentRange.secondValue)
{
return(true);
}
return(call.arguments.Any(t => ((t & 0x000000ff) >= (byte)argumentRange.firstValue) && ((t & 0x000000ff) <= (byte)argumentRange.secondValue)));
}
if (argumentRange.firstValue is short)
{
// See if one of the calls satisfies this short range
if ((call.eax & 0xffff) >= (short)argumentRange.firstValue && (call.eax & 0xffff) <= (short)argumentRange.secondValue)
{
return(true);
}
if ((call.ecx & 0xffff) >= (short)argumentRange.firstValue && (call.ecx & 0xffff) <= (short)argumentRange.secondValue)
{
return(true);
}
if ((call.edx & 0xffff) >= (short)argumentRange.firstValue && (call.edx & 0xffff) <= (short)argumentRange.secondValue)
{
return(true);
}
return(call.arguments.Any(t => ((t & 0x0000ffff) >= (short)argumentRange.firstValue) && ((t & 0x0000ffff) <= (short)argumentRange.secondValue)));
}
if (argumentRange.firstValue is int)
{
// See if one of the calls satisfies this short range
if (call.eax >= (int)argumentRange.firstValue && call.eax <= (int)argumentRange.secondValue)
{
return(true);
}
if (call.ecx >= (int)argumentRange.firstValue && call.ecx <= (int)argumentRange.secondValue)
{
return(true);
}
if (call.edx >= (int)argumentRange.firstValue && call.edx <= (int)argumentRange.secondValue)
{
return(true);
}
return(call.arguments.Any(t => (t >= (int)argumentRange.firstValue) && (t <= (int)argumentRange.secondValue)));
}
if (argumentRange.firstValue is uint)
{
// See if one of the calls satisfies this short range
if (call.eax >= (uint)argumentRange.firstValue && call.eax <= (uint)argumentRange.secondValue)
{
return(true);
}
if (call.ecx >= (uint)argumentRange.firstValue && call.ecx <= (uint)argumentRange.secondValue)
{
return(true);
}
if (call.edx >= (uint)argumentRange.firstValue && call.edx <= (uint)argumentRange.secondValue)
{
return(true);
}
return(call.arguments.Any(t => (t >= (uint)argumentRange.firstValue) && (t <= (uint)argumentRange.secondValue)));
}
if (argumentRange.firstValue is double)
{
// See if one of the calls satisfies this float range
if (oMemoryFunctions.IntToFloat(call.eax) >= (float)(double)argumentRange.firstValue && oMemoryFunctions.IntToFloat(call.eax) <= (float)(double)argumentRange.secondValue)
{
return(true);
}
if (oMemoryFunctions.IntToFloat(call.ecx) >= (float)(double)argumentRange.firstValue && oMemoryFunctions.IntToFloat(call.ecx) <= (float)(double)argumentRange.secondValue)
{
return(true);
}
if (oMemoryFunctions.IntToFloat(call.edx) >= (float)(double)argumentRange.firstValue && oMemoryFunctions.IntToFloat(call.edx) <= (float)(double)argumentRange.secondValue)
{
return(true);
}
return(call.arguments.Any(t => (oMemoryFunctions.IntToFloat((uint)t) >= (float)(double)argumentRange.firstValue) && (oMemoryFunctions.IntToFloat((uint)t) <= (float)(double)argumentRange.secondValue)));
}
}
return(false);
}
public bool isCallTo(oSingleData call)
{
return(functions.Contains(call.destination));
}
public bool isArgumentGood(oSingleData call)
{
return(call.arguments.Count() <= maxArgCount && call.arguments.Count() >= minArgCount);
}
public bool hasStringDereference(oSingleData call)
{
// Figure out if this dereference has a string dereference
return(call.hasStringDereference());
}
public bool hasDereference(oSingleData call)
{
return(call.dereferences.Count() > 0);
}
/// <summary>
/// This generates the argument string based on the calling convention of this
/// function.
/// </summary>
/// <param name="callRecording"></param>
public ARGUMENT_STRING_COLLECTION getArgumentString(oSingleData callRecording)
{
ARGUMENT_STRING_COLLECTION result = new ARGUMENT_STRING_COLLECTION();
result.names = new List <string>((int)numParams + 3);
result.values = new List <string>((int)numParams + 3);
if (arguments.Count < 3) // Must have all three registers at least.
{
return(result);
}
int dereferenceIndex = callRecording.dereferences.Count() - 1;
string deref;
// ECX, __fastcall argument 1, __thiscall 'this' pointer
if (dereferenceIndex >= 0 &&
callRecording.dereferences[dereferenceIndex].argumentIndex == 0)
{
// ECX with dereference
result.values.Add(arguments[0].getValueString(callRecording.ecx, callRecording.dereferences[dereferenceIndex]));
result.names.Add(arguments[0].getName());
dereferenceIndex--;
}
else
{
// ECX no dereference
result.values.Add(arguments[0].getValueString(callRecording.ecx));
result.names.Add(arguments[0].getName());
}
// EDX, __fastcall argument 2
if (dereferenceIndex >= 0 &&
callRecording.dereferences[dereferenceIndex].argumentIndex == 1)
{
// EDX with dereference
result.values.Add(arguments[1].getValueString(callRecording.edx, callRecording.dereferences[dereferenceIndex]));
result.names.Add(arguments[1].getName());
dereferenceIndex--;
}
else
{
// EDX no dereference
result.values.Add(arguments[1].getValueString(callRecording.edx));
result.names.Add(arguments[1].getName());
}
// EAX, __fastcall argument 3 on borland
if (dereferenceIndex >= 0 &&
callRecording.dereferences[dereferenceIndex].argumentIndex == 2)
{
// EAX with dereference
result.values.Add(arguments[2].getValueString(callRecording.eax, callRecording.dereferences[dereferenceIndex]));
result.names.Add(arguments[2].getName());
dereferenceIndex--;
}
else
{
// EAX no dereference
result.values.Add(arguments[2].getValueString(callRecording.eax));
result.names.Add(arguments[2].getName());
}
// STACK ARGUMENTS
// Create room for the variables
for (int i = 0; i < callRecording.arguments.Count(); i++)
{
result.values.Add("");
result.names.Add("");
}
// Load the data into the variables
for (int i = callRecording.arguments.Count() - 1; i >= 0; i--)
{
if (dereferenceIndex >= 0 &&
callRecording.dereferences[dereferenceIndex].argumentIndex == i + 4)
{
// Stack argument with dereference
result.values[i + 3] = (arguments[i + 3].getValueString(callRecording.arguments[i], callRecording.dereferences[dereferenceIndex]));
result.names[i + 3] = arguments[i + 3].getName();
dereferenceIndex--;
}
else
{
// Stack argument no dereference
result.values[i + 3] = arguments[i + 3].getValueString(callRecording.arguments[i]);
result.names[i + 3] = arguments[i + 3].getName();
}
}
return(result);
}
/// <summary>
/// Returns the row and column text for a listgridview of calls.
/// </summary>
/// <param name="row">Cell row</param>
/// <param name="column">Cell column</param>
/// <returns></returns>
public Object getCallListCell(int row, int column, int columnWidth, Font font)
{
if (dataVis == null)
{
return("");
}
// Get this row and column
if (row < dataVis.getCallCount() && row >= 0)
{
// Get the call in question
oSingleData call = dataVis.getData(row);
if (call == null)
{
return("");
}
HEAP_INFO heap;
string name;
switch (column)
{
case 0:
return(row.ToString());
case 1:
// Source address
heap = oMemoryFunctions.LookupAddressInMap(oProcess.map, call.source);
// Generate the string representation of this address
if (heap.associatedModule != null)
{
name = heap.associatedModule.ModuleName + " + 0x" +
(call.source - (uint)heap.associatedModule.BaseAddress).ToString("X") +
" (0x" + call.source.ToString("X") + ")";
}
else
{
name = "0x" + call.source.ToString("X");
}
return(name);
case 2:
// Destination address
heap = oMemoryFunctions.LookupAddressInMap(oProcess.map, call.destination);
// Generate the string representation of this address
if (heap.associatedModule != null)
{
name = heap.associatedModule.ModuleName + " + 0x" +
(call.destination - (uint)heap.associatedModule.BaseAddress).ToString("X")
+ " (0x" + call.destination.ToString("X") + ")";
}
else
{
name = "0x" + call.destination.ToString("X");
}
// Add the function name if known
if (oFunctionMaster.destinationToFunction.ContainsKey(call.destination))
{
oFunction function = (oFunction)oFunctionMaster.destinationToFunction[call.destination];
if (function.name != "")
{
name = function.name + " - " + name;
}
if (function.disabled)
{
name = @"DISABLED - " + name;
}
}
return(name);
case 3:
// Arguments
oFunction functionBase = (oFunction)oFunctionMaster.destinationToFunction[call.destination];
if (functionBase == null)
{
return("error, null associated function");
}
// Return the function data pair with the specified column width restriction
if (columnWidth > 0)
{
return(functionBase.getArgumentString(call, columnWidth, font).toString());
}
return(functionBase.getArgumentString(call).toString());
default:
return("?");
}
}
return("?");
}
public bool contains(oSingleData rowData)
{
// Check if this dataset contains rowData
return(this.data.Contains(rowData));
}
