diff --git a/xAnalyzer/plugin.cpp b/xAnalyzer/plugin.cpp
index 42a282e..677711f 100644
--- a/xAnalyzer/plugin.cpp
+++ b/xAnalyzer/plugin.cpp
@@ -136,7 +136,7 @@ PLUG_EXPORT void CBMENUENTRY(CBTYPE cbType, PLUG_CB_MENUENTRY* info)
 // COMMANDS MENUS
 // ------------------------------------------------------------------------
 case MENU_ANALYZE_DISASM:
- DbgCmdExec("xanal exe");
+ DbgCmdExec("xanal module");
 break;
 case MENU_ANALYZE_DISASM_FUNCT:
 DbgCmdExec("xanal function");
@@ -151,7 +151,7 @@ PLUG_EXPORT void CBMENUENTRY(CBTYPE cbType, PLUG_CB_MENUENTRY* info)
 DbgCmdExec("xanalremove function");
 break;
 case MENU_REM_ANALYSIS_DISASM:
- DbgCmdExec("xanalremove exe");
+ DbgCmdExec("xanalremove module");
 break;
 default:
 break;
@@ -255,13 +255,13 @@ void pluginSetup()
 
 // disasm window menu
 _plugin_menuseticon(hMenuDisasm, &menu_icon);
- _plugin_menuaddentry(hMenuDisasm, MENU_ANALYZE_DISASM_SELEC, "&Analyze Selection");
- _plugin_menuaddentry(hMenuDisasm, MENU_ANALYZE_DISASM_FUNCT, "&Analyze Function");
- _plugin_menuaddentry(hMenuDisasm, MENU_ANALYZE_DISASM, "&Analyze Executable");
+ _plugin_menuaddentry(hMenuDisasm, MENU_ANALYZE_DISASM_SELEC, "&Analyze selection");
+ _plugin_menuaddentry(hMenuDisasm, MENU_ANALYZE_DISASM_FUNCT, "&Analyze function");
+ _plugin_menuaddentry(hMenuDisasm, MENU_ANALYZE_DISASM, "&Analyze module");
 _plugin_menuaddseparator(hMenuDisasm);
 _plugin_menuaddentry(hMenuDisasm, MENU_REM_ANALYSIS_DISASM_SELEC, "&Remove analysis from selection");
 _plugin_menuaddentry(hMenuDisasm, MENU_REM_ANALYSIS_DISASM_FUNCT, "&Remove analysis from function");
- _plugin_menuaddentry(hMenuDisasm, MENU_REM_ANALYSIS_DISASM, "&Remove analysis from executable");
+ _plugin_menuaddentry(hMenuDisasm, MENU_REM_ANALYSIS_DISASM, "&Remove analysis from module");
 
 // entries icons
 _plugin_menuentryseticon(pluginHandle, MENU_ANALYZE_DISASM_SELEC, &anal_select_icon);
diff --git a/xAnalyzer/plugin.h b/xAnalyzer/plugin.h
index 487de2a..5fba240 100644
--- a/xAnalyzer/plugin.h
+++ b/xAnalyzer/plugin.h
@@ -5,7 +5,7 @@
 //plugin data
 #define PLUGIN_NAME "xAnalyzer"
 #define PLUGIN_VERSION 2
-#define PLUGIN_VERSION_STR "2.5.1"
+#define PLUGIN_VERSION_STR "2.5.2"
 
 enum
 {
diff --git a/xAnalyzer/pluginmain.cpp b/xAnalyzer/pluginmain.cpp
index 2430826..9175b04 100644
--- a/xAnalyzer/pluginmain.cpp
+++ b/xAnalyzer/pluginmain.cpp
@@ -2,7 +2,8 @@
 #include "plugin.h"
 
 // Variables
-const char *szprojectnameInfo = "\n" PLUGIN_NAME " " PLUGIN_VERSION_STR" Plugin by ThunderCls 2018\n"
+const char *szprojectnameInfo = "\n" PLUGIN_NAME " " PLUGIN_VERSION_STR
+ " Plugin by ThunderCls 2018\n"
 "Extended analysis for static code\n"
 "-> For latest release, issues, etc....\n"
 "-> For help type command \"xanal help\"\n"
diff --git a/xAnalyzer/xanalyzer.cpp b/xAnalyzer/xanalyzer.cpp
index d3e466f..b31f5a5 100644
--- a/xAnalyzer/xanalyzer.cpp
+++ b/xAnalyzer/xanalyzer.cpp
@@ -90,13 +90,14 @@ void OnBreakpoint(PLUG_CB_BREAKPOINT* bpInfo)
 Module::InfoFromAddr(bpInfo->breakpoint->addr, &mi);
 // if we hit the EP with a dbg one-shot EP BP
 if (bpInfo->breakpoint->type == bp_normal &&
- mi.entry == bpInfo->breakpoint->addr &&
+ mi.entry == bpInfo->breakpoint->addr &&
+ GetModuleEntryPoint(mi.name) == bpInfo->breakpoint->addr ||
 strcmp(bpInfo->breakpoint->name, "entry breakpoint") == 0)
 {
 if (conf.auto_analysis)
 {
 if (!FileDbExists())
- DbgCmdExec("xanal exe");
+ DbgCmdExec("xanal module");
 else
 {
 GuiAddLogMessage("[xAnalyzer]: Analysis retrieved from data base\r\n");
@@ -139,7 +140,7 @@ bool cbExtendedAnalysis(int argc, char* argv[])
 return true;
 }
 
- if (strcmp(argv[1], "exe") == 0) // cmd "xanal exe"
+ if (strcmp(argv[1], "module") == 0) // cmd "xanal module"
 {
 completeAnal = true;
 DoExtendedAnalysis();
@@ -183,7 +184,7 @@ bool cbExtendedAnalysisRemove(int argc, char* argv[])
 return true;
 }
 
- if (strcmp(argv[1], "exe") == 0) // cmd "xanalremove exe"
+ if (strcmp(argv[1], "module") == 0) // cmd "xanalremove module"
 {
 completeAnal = true;
 RemoveAnalysis();
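Review bot: The added `GetModuleEntryPoint(mi.name) == bpInfo->breakpoint->addr ||` line extends an `&&` chain that is still joined to `strcmp(bpInfo->breakpoint->name, "entry breakpoint") == 0` by a bare `||`, so the name comparison alone enters the block for any breakpoint type and the new entry-point check only narrows the first alternative. If that is the intent, make the grouping explicit: `if ((bpInfo->breakpoint->type == bp_normal && mi.entry == bpInfo->breakpoint->addr && GetModuleEntryPoint(mi.name) == bpInfo->breakpoint->addr) || strcmp(bpInfo->breakpoint->name, "entry breakpoint") == 0)`. Note also that `GetModuleEntryPoint` returns 0 whenever it cannot resolve the module (see its definition further down in this diff), which makes the first alternative silently false instead of surfacing the lookup failure; a `GuiAddLogMessage` on that path would help diagnose auto-analysis not firing. OnBreakpoint starts and ends outside this hunk.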
@@ -556,10 +557,10 @@ void DbgGetEntryExitPoints(duint *lpdwEntry, duint *lpdwExit)
 
 if (completeAnal)
 {
- // Analyze entire executable
+ // Analyze entire module section
 // -----------------------------------------------------
 Module::ModuleSectionInfo *modInfo = new Module::ModuleSectionInfo;
- entry = GetContextData(UE_CIP);
+ entry = Disassembly::SelectionGetStart();
 Module::NameFromAddr(entry, modname);
 
 if (conf.extended_analysis)
@@ -635,10 +636,24 @@ void GetRegularAnalysisRange(duint *lpdwEntry, duint *lpdwExit, char *modname)
 {
 duint baseaddress;
 duint dwModSize;
+
+ duint ep = GetModuleEntryPoint(modname);
+ if (ep == 0)
+ return;
+
+ baseaddress = DbgMemFindBaseAddr(ep, &dwModSize);
+
+ *lpdwEntry = ep;
+ *lpdwExit = (dwModSize + baseaddress) - 0x2D;
+}
+
+// ------------------------------------------------------------------------------------
+// Gets a module EP
+// ------------------------------------------------------------------------------------
+duint GetModuleEntryPoint(char *modname)
+{
 HMODULE base;
- HMODULE hModule;
- HANDLE hProcess;
- MODULEINFO modinfo;
+ MODULEINFO modinfo = {0};
 PROCESS_INFORMATION *pi;
 
 // Process only STARTING in the Entrypoint to end of code section
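Review bot: The return value of `Module::NameFromAddr(entry, modname)` is still ignored right after `entry = Disassembly::SelectionGetStart();`, and that matters more now that GUI selection state rather than CIP chooses the module: a selection outside any loaded module leaves `modname` empty and the range lookups that presumably follow run against an empty name. Check it before `modInfo` is allocated so the early exit does not leak it: `if (!Module::NameFromAddr(entry, modname)) { GuiAddLogMessage("[xAnalyzer]: selection is not inside a module\r\n"); return; }`, with the `new Module::ModuleSectionInfo` moved below that check. Whether the out-parameters must be zeroed on that path depends on callers I cannot see; DbgGetEntryExitPoints continues past this hunk.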
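Review bot: The new early return `if (ep == 0) return;` leaves `*lpdwEntry` and `*lpdwExit` untouched, and because the function returns void the caller cannot tell that no range was produced; `dwModSize` is also never initialized, so if `DbgMemFindBaseAddr` fails without writing it, `*lpdwExit` is computed from garbage. Zero the outputs up front, initialize `dwModSize`, and bail when the base lookup fails so the failure is observable to callers. The `0x2D` subtracted from the module end is a magic constant worth naming with a comment explaining why the last 45 bytes are excluded. GetModuleEntryPoint's body continues in the next hunk.
```cpp
void GetRegularAnalysisRange(duint *lpdwEntry, duint *lpdwExit, char *modname)
{
	duint baseaddress = 0;
	duint dwModSize = 0;

	// Fail closed: callers see a zero range instead of stale values
	*lpdwEntry = 0;
	*lpdwExit = 0;

	duint ep = GetModuleEntryPoint(modname);
	if (ep == 0)
		return;

	baseaddress = DbgMemFindBaseAddr(ep, &dwModSize);
	if (baseaddress == 0 || dwModSize < 0x2D)
		return;

	*lpdwEntry = ep;
	*lpdwExit = (dwModSize + baseaddress) - 0x2D;
}
```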
@@ -646,14 +661,13 @@ void GetRegularAnalysisRange(duint *lpdwEntry, duint *lpdwExit, char *modname)
 
 base = (HMODULE)DbgModBaseFromName(modname);
 pi = TitanGetProcessInformation();
- hProcess = pi->hProcess;
- GetModuleBaseName(hProcess, base, modbasename, MAX_MODULE_SIZE);
- hModule = GetModuleHandle(modbasename);
- GetModuleInformation(hProcess, hModule, &modinfo, sizeof(MODULEINFO));
- baseaddress = DbgMemFindBaseAddr((duint)modinfo.EntryPoint, &dwModSize);
+ if (pi == NULL)
+ return 0;
 
- *lpdwEntry = (duint)modinfo.EntryPoint;
- *lpdwExit = (dwModSize + baseaddress) - 0x2D;
+ GetModuleBaseName(pi->hProcess, base, modbasename, MAX_MODULE_SIZE);
+ GetModuleInformation(pi->hProcess, GetModuleHandle(modbasename), &modinfo, sizeof(MODULEINFO));
+
+ return (duint)modinfo.EntryPoint;
 }
 
 // ------------------------------------------------------------------------------------
@@ -714,7 +728,7 @@ void GetAnalysisBoundaries()
 char modname[MAX_MODULE_SIZE] = "";
 Module::ModuleSectionInfo *modInfo = new Module::ModuleSectionInfo;
 
- entry = GetContextData(UE_CIP);
+ entry = Disassembly::SelectionGetStart();
 Module::NameFromAddr(entry, modname);
 mEntryPoint = Module::EntryFromAddr(entry); // gets the EP
 GetExtendedAnalysisRange(&mSectionLowerLimit, &lpdwExit, entry, modname, modInfo); // gets the first address of code section
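Review bot: `GetModuleHandle(modbasename)` resolves the name in the debugger's own address space, while `GetModuleInformation` is asked about `pi->hProcess`, the debuggee; an HMODULE is the module's load base, so this only works when the module happens to be mapped at the same address in both processes and otherwise describes the wrong module or yields NULL. Neither that call nor `GetModuleBaseName` is checked, and on failure the zero-initialized `modinfo.EntryPoint` is returned as 0, indistinguishable from the explicit `pi == NULL` failure. The debuggee base is already in `base` from `DbgModBaseFromName`, so pass it directly, check it for NULL, and check the API result; the `GetModuleBaseName`/`GetModuleHandle` detour then goes away. The function's header and local declarations are in the previous hunk.
```cpp
	base = (HMODULE)DbgModBaseFromName(modname);
	pi = TitanGetProcessInformation();
	if (pi == NULL || base == NULL)
		return 0;

	// An HMODULE is the load address inside the target process, so the
	// debuggee base is what GetModuleInformation needs here; GetModuleHandle()
	// would look the name up in x64dbg's own process instead.
	if (!GetModuleInformation(pi->hProcess, base, &modinfo, sizeof(modinfo)))
		return 0;

	return (duint)modinfo.EntryPoint;
```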
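Review bot: Nothing verifies that `Disassembly::SelectionGetStart()` falls inside a module before `Module::NameFromAddr(entry, modname)` and `Module::EntryFromAddr(entry)` are used, and this matters more now that the selection rather than CIP picks the module: on the auto-analysis path OnBreakpoint issues `xanal module` when the entry breakpoint hits, and the disassembly selection at that moment is GUI state that is presumably, but not certainly, in the module that stopped. If it is elsewhere, `modname` stays empty and `mEntryPoint` is presumably 0, with no diagnostic. Guard it before `modInfo` is allocated, e.g. `if (!Module::NameFromAddr(entry, modname)) { GuiAddLogMessage("[xAnalyzer]: selection is not inside a module\r\n"); return; }`; GetAnalysisBoundaries continues beyond this hunk.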
@@ -2708,10 +2722,10 @@ void DisplayHelp()
 "--------------------------------\r\n"
 "xanal selection : Performs a selection analysis\r\n"
 "xanal function : Performs a function analysis\r\n"
- "xanal exe : Performs an entire executable analysis\r\n"
+ "xanal module : Performs an entire module code section analysis\r\n"
 "xanalremove selection : Removes a previous selection analysis\r\n"
 "xanalremove function : Removes a previous function analysis\r\n"
- "xanalremove exe : Removes a previous entire executable analysis\r\n"
+ "xanalremove module : Removes a previous module code section analysis\r\n"
 "xanal help : Brings up this help text\r\n\n";
 
 GuiAddLogMessage(pluginHelp);
diff --git a/xAnalyzer/xanalyzer.h b/xAnalyzer/xanalyzer.h
index ffd05f7..01b9775 100644
--- a/xAnalyzer/xanalyzer.h
+++ b/xAnalyzer/xanalyzer.h
@@ -69,6 +69,7 @@ void GetExtendedAnalysisRange(duint *lpdwEntry, duint *lpdwExit, duint entry, ch
 void GetRegularAnalysisRange(duint *lpdwEntry, duint *lpdwExit, char *modname);
 void GetFunctionAnalysisRange(duint *lpdwEntry, duint *lpdwExit, duint selectedAddr);
 void GetAnalysisBoundaries();
+duint GetModuleEntryPoint(char *modname);
 bool Strip_x64dbg_calls(LPSTR lpszCallText);
 void StripDbgCommentAddress(char *szComment);
 string StripFunctNameFromInst(char *instruction);
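Review bot: The new declaration `duint GetModuleEntryPoint(char *modname);` takes a mutable `char *` although the function only reads the name (it forwards it to `DbgModBaseFromName`), and one caller passes `mi.name`; `duint GetModuleEntryPoint(const char *modname);`, with the definition in xanalyzer.cpp updated to match, documents that and lets const buffers be passed without a cast, assuming `DbgModBaseFromName` accepts a `const char *`. The neighbouring `GetRegularAnalysisRange` declaration has the same `char *` parameter, so either both should change or the new one should deliberately follow the existing convention.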