/// <summary>
/// Walks the descriptor array of an object table: applies the PublicObjectDescriptor structure to
/// each entry, names it, then processes its object info, optional object info and procedure names.
/// </summary>
/// <param name="entity">Parsed object table. Nothing is done when it is null or lists no objects.</param>
void ReadPublicObjectDescriptor(ObjectTable entity)
{
    Boolean hasObjects = entity != null && entity.Objects != null && entity.Objects.Length > 0;
    if (!hasObjects)
    {
        return;
    }

    // Log text: "Processing {0}".
    KernelWin.WriteLine("正在处理 {0}", typeof(PublicObjectDescriptor).Name);

    // Computed once; the same value is handed to VBStruct.Make for every descriptor below.
    UInt32 tableAddress = (UInt32)entity.Object + ImageBase;

    foreach (PublicObjectDescriptor descriptor in entity.Objects)
    {
        // Log text: "Object {0}".
        KernelWin.WriteLine("对象 {0}", descriptor.Name);

        Int32 descriptorAddress = (Int32)(descriptor.Address + ImageBase);
        VBStruct.Make<PublicObjectDescriptor>(descriptor, tableAddress, true);

        // NOTE(review): descriptor.Name presumably originates from the file under analysis, so it
        // is attacker-influenced text; confirm MakeNameAnyway copes with empty or odd names.
        Bytes.MakeNameAnyway((UInt32)descriptorAddress, descriptor.Name);

        ReadObjectInfo(descriptor.ObjectInfo2, descriptor);
        ReadOptionalObjectInfo(descriptor.OptionalObjectInfo, descriptor);
        ReadProcName(descriptor);
    }
}
/// <summary>
/// Applies the GUITable structure to every GUI table entry of the header and names each entry
/// "GUITable_" followed by its two-digit hexadecimal index.
/// </summary>
/// <param name="header">Parsed VB header. Nothing is done when it is null or has no GUI tables.</param>
void ReadGUITable(VBHeader header)
{
    if (header == null || header.GUITables == null)
    {
        return;
    }
    if (header.GUITables.Length <= 0)
    {
        return;
    }

    // Log text: "Processing GUI {0}".
    KernelWin.WriteLine("正在处理界面 {0}", typeof(GUITable).Name);

    // Unlike the per-entry address below, ImageBase is not added here.
    // NOTE(review): presumably header.GUITable already holds an absolute address - confirm.
    UInt32 tableAddress = (UInt32)header.GUITable;

    for (int index = 0; index < header.GUITables.Length; index++)
    {
        GUITable table = header.GUITables[index];
        String label = String.Format("GUITable_{0:X2}", index);

        // Log text: "GUI {0}".
        KernelWin.WriteLine("界面 {0}", label);

        UInt32 entryAddress = (UInt32)(table.Address + ImageBase);
        VBStruct.Make<GUITable>(table, tableAddress, true);
        Bytes.MakeNameAnyway(entryAddress, label);
    }
}
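/// <summary>
/// Applies the ExternalTable structure to every external (imported) entry of the project and
/// names each entry "{library}_{function}".
/// </summary>
/// <param name="entity">Parsed project info. Nothing is done when it is null or has no external tables.</param>
/// <remarks>
/// An entry whose library record is missing is still marked as a structure but is left unnamed.
/// The original dereferenced the record unconditionally, so one such entry raised a
/// NullReferenceException and stopped the rest of the analysis.
/// </remarks>
void ReadExternalTable(ProjectInfo entity)
{
    if (entity == null || entity.ExternalTables == null || entity.ExternalTables.Length <= 0)
    {
        return;
    }

    // Log text: "Processing {0}".
    KernelWin.WriteLine("正在处理 {0}", typeof(ExternalTable).Name);

    // Computed once; the same value is handed to VBStruct.Make for every entry below.
    UInt32 address = (UInt32)entity.ExternalTable + ImageBase;

    foreach (ExternalTable item in entity.ExternalTables)
    {
        Int32 addr = (Int32)(item.Address + ImageBase);
        VBStruct.Make<ExternalTable>(item, address, true);

        // The library record is a reference resolved from the analysed file. Other references in
        // this reader are null-checked before use, so treat this one the same way.
        if (item.ExternalLibrary2 == null)
        {
            // Log text: "0x{0:X} external library info missing, naming skipped".
            KernelWin.WriteLine("0x{0:X} 缺少外部库信息,跳过命名", (UInt32)addr);
            continue;
        }

        Bytes.MakeNameAnyway(
            (UInt32)addr,
            String.Format("{0}_{1}", item.ExternalLibrary2.LibraryName2, item.ExternalLibrary2.LibraryFunction2));
    }
}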
/// <summary>
/// Applies the ComRegData structure, then applies ComRegInfo to each registration record it
/// lists and names the record "Com_" followed by its name.
/// </summary>
/// <param name="entity">Parsed COM registration data. Nothing is done when it is null.</param>
void ReadComRegData(ComRegData entity)
{
    if (entity == null)
    {
        return;
    }

    // Log text: "Processing COM data {0}".
    KernelWin.WriteLine("正在处理COM数据 {0}", typeof(ComRegData).Name);

    UInt32 dataAddress = (UInt32)entity.Address + ImageBase;
    VBStruct.Make<ComRegData>(entity, dataAddress, true);

    Boolean hasRecords = entity.RegInfo2 != null && entity.RegInfo2.Length > 0;
    if (hasRecords)
    {
        foreach (ComRegInfo record in entity.RegInfo2)
        {
            // Log text: "COM component {0}".
            KernelWin.WriteLine("COM组件 {0}", record.Name);

            Int32 recordAddress = (Int32)(record.Address + ImageBase);

            // The ComRegData address, not the record's own, is passed as the base.
            VBStruct.Make<ComRegInfo>(record, dataAddress, true);
            Bytes.MakeNameAnyway((UInt32)recordAddress, "Com_" + record.Name);
        }
    }
}
/// <summary>
/// Applies the ProjectInfo2 structure at the entity's address (entity.Address + ImageBase).
/// </summary>
/// <param name="entity">Parsed secondary project info. Nothing is done when it is null.</param>
void ReadProjectInfo2(ProjectInfo2 entity)
{
    if (entity != null)
    {
        // Log text: "Processing {0}".
        KernelWin.WriteLine("正在处理 {0}", typeof(ProjectInfo2).Name);

        UInt32 structAddress = (UInt32)entity.Address + ImageBase;
        VBStruct.Make<ProjectInfo2>(entity, structAddress, true);
    }
}
/// <summary>
/// Applies the ProcName structure to every procedure-name record of an object and names each
/// record "{object name}_{friendly name}".
/// </summary>
/// <param name="entity">Object descriptor. Nothing is done when it is null or has no procedure names.</param>
void ReadProcName(PublicObjectDescriptor entity)
{
    if (entity == null)
    {
        return;
    }
    if (entity.ProcNames == null || entity.ProcNames.Length <= 0)
    {
        return;
    }

    foreach (ProcName proc in entity.ProcNames)
    {
        // Here the record's own address is used both as the Make base and for naming.
        UInt32 procAddress = (UInt32)(proc.Address + ImageBase);
        String label = String.Format("{0}_{1}", entity.Name, proc.FriendName);

        VBStruct.Make<ProcName>(proc, procAddress, true);
        Bytes.MakeNameAnyway(procAddress, label);
    }
}
/// <summary>
/// Applies the ObjectTable structure, then processes the secondary project info and the
/// public object descriptors that hang off it.
/// </summary>
/// <param name="entity">Parsed object table. Nothing is done when it is null.</param>
void ReadObjectTable(ObjectTable entity)
{
    if (entity != null)
    {
        // Log text: "Processing {0}".
        KernelWin.WriteLine("正在处理 {0}", typeof(ObjectTable).Name);

        UInt32 tableAddress = (UInt32)entity.Address + ImageBase;
        VBStruct.Make<ObjectTable>(entity, tableAddress, true);

        ReadProjectInfo2(entity.ProjectInfo22);
        ReadPublicObjectDescriptor(entity);
    }
}
/// <summary>
/// Applies the ObjectInfo structure and names it "Inf_{parent name}". When a private object
/// descriptor is attached, it is applied too and named "FormList_{parent name}".
/// </summary>
/// <param name="entity">Object info to mark. Nothing is done when it is null.</param>
/// <param name="parent">Owning object descriptor; its Name is used in the generated names and it is not null-checked here.</param>
void ReadObjectInfo(ObjectInfo entity, PublicObjectDescriptor parent)
{
    if (entity == null)
    {
        return;
    }

    UInt32 infoAddress = (UInt32)entity.Address + ImageBase;
    VBStruct.Make<ObjectInfo>(entity, infoAddress, true);
    Bytes.MakeNameAnyway(infoAddress, "Inf_" + parent.Name);

    if (entity.PrivateObject2 == null)
    {
        return;
    }

    UInt32 privateAddress = (UInt32)entity.PrivateObject2.Address + ImageBase;
    VBStruct.Make<PrivateObjectDescriptor>(entity.PrivateObject2, privateAddress, true);
    Bytes.MakeNameAnyway(privateAddress, "FormList_" + parent.Name);
}
/// <summary>
/// Applies the ProjectInfo structure, labels the four code-related addresses it records, and
/// then processes the external table and the object table.
/// </summary>
/// <param name="entity">Parsed project info. Nothing is done when it is null.</param>
void ReadProjectInfo(ProjectInfo entity)
{
    if (entity == null)
    {
        return;
    }

    // Log text: "Processing project info {0}".
    KernelWin.WriteLine("正在处理工程信息 {0}", typeof(ProjectInfo).Name);

    UInt32 structAddress = (UInt32)entity.Address + ImageBase;
    VBStruct.Make<ProjectInfo>(entity, structAddress, true);

    // These four values are used as they are, without adding ImageBase.
    // NOTE(review): presumably they are absolute addresses taken from the file - confirm, and
    // confirm MakeLabelAnyway tolerates values that fall outside the loaded image.
    UInt32 startOfCode = (UInt32)entity.StartOfCode;
    Bytes.MakeLabelAnyway(startOfCode, "StartOfCode");
    UInt32 endOfCode = (UInt32)entity.EndOfCode;
    Bytes.MakeLabelAnyway(endOfCode, "EndOfCode");
    UInt32 exceptionHandler = (UInt32)entity.VBAExceptionHandler;
    Bytes.MakeLabelAnyway(exceptionHandler, "VBAExceptionHandler");
    UInt32 nativeCode = (UInt32)entity.NativeCode;
    Bytes.MakeLabelAnyway(nativeCode, "NativeCode");

    ReadExternalTable(entity);
    ReadObjectTable(entity.ObjectTable2);
}
/// <summary>
/// Applies the ExternalComponentTable structure to every external component of the header and
/// names each one "Ext_" followed by the component name.
/// </summary>
/// <param name="header">Parsed VB header. Nothing is done when it is null or lists no external components.</param>
void ReadExternalComponentTable(VBHeader header)
{
    Boolean hasComponents = header != null
        && header.ExternalComponentTables != null
        && header.ExternalComponentTables.Length > 0;
    if (!hasComponents)
    {
        return;
    }

    // Log text: "Processing external components {0}".
    KernelWin.WriteLine("正在处理外部组件 {0}", typeof(ExternalComponentTable).Name);

    // Read but not used below: each component is marked with its own address as the base.
    UInt32 tableAddress = (UInt32)header.ExternalComponentTable;

    foreach (ExternalComponentTable component in header.ExternalComponentTables)
    {
        // Log text: "External component {0}".
        KernelWin.WriteLine("外部组件 {0}", component.Name2);

        UInt32 componentAddress = (UInt32)(component.Address + ImageBase);
        VBStruct.Make<ExternalComponentTable>(component, componentAddress, true);
        Bytes.MakeNameAnyway(componentAddress, "Ext_" + component.Name2);
    }
}
/// <summary>
/// Entry point of the structure walk: applies the VBHeader structure at <c>Header</c> and then
/// processes project info, COM registration data, GUI tables and external components.
/// </summary>
/// <param name="reader">Not used by the current implementation; the header comes from <c>HeaderInfo</c>, already parsed.</param>
void ReadHeader(BinaryReader reader)
{
    // Log text: "Processing header {0}".
    KernelWin.WriteLine("正在处理头部 {0}", typeof(VBHeader).Name);

    // The header is not re-read from the stream here.
    // NOTE(review): HeaderInfo is not null-checked before use - confirm callers guarantee it.
    VBHeader parsedHeader = HeaderInfo;
    VBStruct.Make<VBHeader>(parsedHeader, Header, true);

    ReadProjectInfo(parsedHeader.ProjectInfo2);
    ReadComRegData(parsedHeader.ComRegisterData2);
    ReadGUITable(parsedHeader);
    ReadExternalComponentTable(parsedHeader);
}
/// <summary>
/// Applies the OptionalObjectInfo structure and names it "OptInf_{parent name}", then marks and
/// names the controls and event links it references. For each event link it also names the jump
/// stub, turns it into code and, when the stub starts with opcode 0xE9, creates or repairs the
/// function at the jump target and labels it.
/// </summary>
/// <param name="entity">Optional object info to process. Nothing is done when it is null.</param>
/// <param name="parent">Owning object descriptor; supplies the name prefix and the procedure names. It is not null-checked here.</param>
void ReadOptionalObjectInfo(OptionalObjectInfo entity, PublicObjectDescriptor parent)
{
    if (entity == null) { return; }

    // 'address' is reused for every item marked below; statement order matters.
    UInt32 address = (UInt32)entity.Address + ImageBase;
    VBStruct.Make <OptionalObjectInfo>(entity, address, true);
    Bytes.MakeNameAnyway((UInt32)address, "OptInf_" + parent.Name);

    if (entity.Controls != null && entity.Controls.Length > 0)
    {
        //address = (UInt32)entity.Address + ImageBase;
        if (entity.Controls.Length == 1)
        {
            // A single control is named after the parent only, with no control-name suffix.
            address = (UInt32)entity.Controls[0].Address + ImageBase;
            VBStruct.Make <VBControl>(entity.Controls[0], address, true);
            Bytes.MakeNameAnyway((UInt32)address, "Control_" + parent.Name);
        }
        else
        {
            // Several controls: append each control's own name to keep the names apart.
            foreach (VBControl item in entity.Controls)
            {
                address = (UInt32)item.Address + ImageBase;
                VBStruct.Make <VBControl>(item, address, true);
                Bytes.MakeNameAnyway((UInt32)address, "Control_" + parent.Name + "_" + item.Name2);
            }
        }
    }

    if (entity.EventLinks != null && entity.EventLinks.Length > 0)
    {
        // 1-based position of the current event link; i - 1 indexes parent.ProcNames.
        Int32 i = 1;
        foreach (EventLink2 item in entity.EventLinks)
        {
            address = (UInt32)item.Address + ImageBase;
            VBStruct.Make <EventLink2>(item, address, true);

            // Name for the event-list entry: use the matching procedure name when there is one.
            String name = String.Empty;
            if (parent.ProcNames != null && parent.ProcNames.Length > i - 1)
            {
                name = parent.Name + "_" + parent.ProcNames[i - 1].FriendName;
            }
            // Otherwise fall back to the parent name plus the two-digit hex position.
            if (String.IsNullOrEmpty(name))
            {
                name = parent.Name + "_" + i.ToString("X2");
            }
            i++;
            Bytes.MakeNameAnyway((UInt32)address, "Event_" + name);

            // Name the jump stub and mark it as code. item.Jump is used without adding ImageBase.
            // NOTE(review): the jump address presumably comes straight from the analysed file and
            // is not range-checked before being named and turned into code - confirm the Bytes
            // helpers reject addresses outside the loaded image.
            address = (UInt32)item.Jump;
            Bytes.MakeNameAnyway(address, "j" + name);
            Bytes.MakeCode(address);

            // Name the function behind the stub.
            if (Bytes.Byte(address) == 0xE9)
            {
                // 0xE9 is the x86 near JMP with a 32-bit displacement: the target is the dword
                // after the opcode plus the address of the instruction that follows (address + 5).
                // NOTE(review): assumes unchecked UInt32 arithmetic so backward jumps wrap - confirm.
                address = Bytes.Dword(address + 1) + address + 5;
                Function func = Function.FindByAddress(address);
                if (func == null)
                {
                    // No function covers the target yet, so create one there.
                    Function.Add(address, Bytes.BadAddress);
                    func = Function.FindByAddress(address);
                }
                else
                {
                    // A function exists but does not start at the target, which means it was
                    // analysed wrongly: end it just before the target and start a new one here.
                    if (func.Start != address)
                    {
                        //Function.Delete(func.Start);
                        //Function.Add(func.Start, address - 1);
                        func.End = address - 1;
                        Function.Add(address, Bytes.BadAddress);
                        func = Function.FindByAddress(address);
                    }
                }

                if (func == null)
                {
                    // Log text: "0x{0:X} failed to create function!".
                    KernelWin.WriteLine("0x{0:X} 创建函数失败!", address);
                }
                else
                {
                    Bytes.MakeLabelAnyway(address, name);
                }
            }
        }
    }
}
/// <summary>
/// Creates the structure definition for an entity, applies it at the entity's address, and marks
/// the strings that the structure's members refer to.
/// </summary>
/// <typeparam name="TEntity">Entity type that describes the structure.</typeparam>
/// <param name="entity">Entity holding the structure's data.</param>
/// <param name="address">Base address of the structure; reference-typed members may need it as the base for relative addresses.</param>
/// <param name="canPostfix">Whether a suffix may be used when the name already exists.</param>
/// <returns>The structure returned by <c>VBStruct.Create</c>; never null.</returns>
/// <exception cref="Exception">
/// <c>VBStruct.Create</c> returned null, or a string member is declared with <c>RefKinds.Absolute</c>.
/// </exception>
public static Struct Make<TEntity>(TEntity entity, UInt32 address, Boolean canPostfix)
    where TEntity : EntityBase<TEntity>, new()
{
    // The location that gets named and typed comes from the entity, not from 'address'.
    Int32 entityAddress = (Int32)(entity.Address + entity.Info.ImageBase);

    Struct created = VBStruct.Create<TEntity>(entity, address, canPostfix);
    if (created == null)
    {
        // Message text: "Failed to create a structure for type {0}!".
        String failure = String.Format("为类型{0}创建结构体失败!", typeof(TEntity));
        throw new Exception(failure);
    }

    Bytes.MakeNameAnyway((UInt32)entityAddress, typeof(TEntity).Name);
    MakeStruct<TEntity>(entityAddress, created);

    // Mark the strings referenced by the structure's members.
    Dictionary<String, DataFieldItem> fields = DataFieldItem.GetFields(typeof(TEntity));
    foreach (DataFieldItem field in fields.Values)
    {
        if (field.Attribute.RefType != typeof(String))
        {
            continue;
        }

        // Start from the raw member value, read through reflection.
        // NOTE(review): Convert.ToInt32 throws OverflowException when the value does not fit in
        // Int32. If a member's type can hold larger values, a crafted file could abort the run
        // here - confirm the member types.
        Int32 raw = Convert.ToInt32(field.Property.GetValue(entity, null));
        if (raw <= 0)
        {
            continue;
        }

        UInt32 stringAddress = (UInt32)raw;
        RefKinds kind = field.Attribute.RefKind;
        if (kind == RefKinds.Absolute)
        {
            // Message text: "Unsupported type:".
            throw new Exception("不支持的类型:" + kind);
        }

        if (kind == RefKinds.Relative)
        {
            // Relative: offset from the structure's own address.
            // NOTE(review): ImageBase is not added here, unlike entityAddress above - confirm
            // this is the address space MakeAscii expects.
            stringAddress += (UInt32)entity.Address;
        }
        else if (kind == RefKinds.Auto)
        {
            // A value below the image base may be a relative address; treat it as one.
            if (stringAddress > 0 && stringAddress < entity.Info.ImageBase)
            {
                stringAddress += (UInt32)entity.Address;
            }
        }
        // RefKinds.Virtual: the value is used as it is.

        if (stringAddress == 0)
        {
            continue;
        }

        // Mark the location as a C string.
        Bytes.MakeAscii(stringAddress, (Int32)Bytes.BadAddress, StringType.C);
    }

    return created;
}