Extracting import information from call instruction

Is there a documented approach to extracting the module information for an imported symbol when analyzing native IR? In particular, is there a way to retrieve this information from a specific CallInstruction (such as through the instruction's first source memory operand)?

For example, a call to __imp_free would be an indirect call through the IAT which should be easy to associate with a particular import module. Does Phoenix currently provide the functionality needed to extract this information?

By mmiller at 2008-2-27
# 1

Yes, though the pointers run the other way (from IAT to imported symbol), so you have to do a bit of searching to find the right one. Here's a code sample:

Code Snippet

    // Runs inside an analysis phase where functionUnit (the current Phx.FunctionUnit) is in scope.
    bool emittedName = false;   // declared up front; the original snippet used it without declaring it

    foreach (Phx.IR.Instruction instruction in Phx.IR.Instruction.Iterator(functionUnit))
    {
        if (!instruction.IsCallInstruction)
        {
            continue;
        }

        Phx.IR.CallInstruction callInstruction = instruction.AsCallInstruction;
        Phx.IR.Operand callTarget = callInstruction.CallTargetOperand;

        // Only an indirect call through memory can go via an IAT slot; direct calls are skipped.
        if (!callTarget.IsMemory)
        {
            continue;
        }

        Phx.Symbols.Symbol memorySymbol = callTarget.Symbol;
        if (memorySymbol == null || !memorySymbol.IsNonLocalVariableSymbol)
        {
            continue;
        }

        Phx.Symbols.GlobalVariableSymbol globalSymbol = memorySymbol.AsNonLocalVariableSymbol.GlobalSymbol;

        // Now search the import modules for the PE File to find the import.
        Phx.PEModuleUnit peModuleUnit = functionUnit.ParentPEModuleUnit;
        foreach (Phx.Symbols.ImportModuleSymbol importModuleSymbol in peModuleUnit.ImportModuleSymbols)
        {
            foreach (Phx.Symbols.ImportSymbol importSymbol in importModuleSymbol.ImportSymbols)
            {
                // The import points at its IAT slot, so compare that slot with the call target's symbol.
                if (importSymbol.ImportAddressTableSymbol == globalSymbol)
                {
                    if (!emittedName)
                    {
                        Console.WriteLine("In {0}", functionUnit.NameString);
                        emittedName = true;
                    }

                    Console.WriteLine("Symbol {0} is {1} from {2}", globalSymbol, importSymbol, importModuleSymbol);
                }
            }
        }
    }

If you put this in an analysis tool phase and run it on testapp.exe, you get:

Code Snippet

Processing testapp.exe ...
In InitInstance
Symbol __imp__CreateWindowExA@48 is CreateWindowExA from USER32.dll
Symbol __imp__SetTimer@16 is SetTimer from USER32.dll
Symbol __imp__GetLocalTime@4 is GetLocalTime from KERNEL32.dll
Symbol __imp__ShowWindow@8 is ShowWindow from USER32.dll
Symbol __imp__UpdateWindow@4 is UpdateWindow from USER32.dll
In InitCoordinateSystem
Symbol __imp__SetMapMode@8 is SetMapMode from GDI32.dll
Symbol __imp__SetWindowExtEx@16 is SetWindowExtEx from GDI32.dll
Symbol __imp__SetViewportExtEx@16 is SetViewportExtEx from GDI32.dll
Symbol __imp__SetViewportOrgEx@16 is SetViewportOrgEx from GDI32.dll
...etc...

AndyAyers-MSFT at 2007-10-2
# 2

Ah cool, this is basically how I went about implementing it last night, although I was relying on FindImport which was sub-optimal. The ImportAddressTableSymbol == globalSymbol makes things easier.

Do you think it would be worth adding an ImportSymbol accessor to the call target operand (as well as to the CallInstruction class)? Additionally, it might be worth having a FindImport that takes a global variable symbol, just to encapsulate things a bit more in case the approach changes in the future. I can see this type of code being needed for a number of analysis tools.

Thanks for the helpful pointers.

Matt

mmiller at 2007-10-2
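Combining the search from the first answer with the FindImport-by-global-symbol idea from the reply, the following is an added example (not the thread's or Phoenix's own code): it reverses the IAT-to-import pointers once per PE module so each call site is resolved by a dictionary lookup instead of a nested scan. The ImportResolver class and its members are hypothetical names; the Phoenix members it touches are only those already used in the snippet above.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical helper: index the imports of one PE module once, then resolve
// indirect calls through the IAT with a single lookup per call site.
class ImportResolver
{
    // An import together with the module (DLL) it is imported from.
    public struct Import
    {
        public Phx.Symbols.ImportSymbol Symbol;
        public Phx.Symbols.ImportModuleSymbol Module;
    }

    // Keyed by the IAT slot symbol; Phoenix symbols compare by reference.
    private readonly Dictionary<Phx.Symbols.Symbol, Import> byIatSlot =
        new Dictionary<Phx.Symbols.Symbol, Import>();

    public ImportResolver(Phx.PEModuleUnit peModuleUnit)
    {
        // Walk module -> import -> IAT slot once and store the reverse edge.
        foreach (Phx.Symbols.ImportModuleSymbol module in peModuleUnit.ImportModuleSymbols)
        {
            foreach (Phx.Symbols.ImportSymbol import in module.ImportSymbols)
            {
                Phx.Symbols.Symbol slot = import.ImportAddressTableSymbol;
                if (slot != null)
                {
                    byIatSlot[slot] = new Import { Symbol = import, Module = module };
                }
            }
        }
    }

    // The FindImport overload proposed in the reply: IAT slot symbol in, import out.
    public bool FindImport(Phx.Symbols.GlobalVariableSymbol iatSlot, out Import import)
    {
        return byIatSlot.TryGetValue(iatSlot, out import);
    }

    // False for direct calls and for indirect calls that do not go through an IAT slot.
    public bool TryResolveCall(Phx.IR.CallInstruction call, out Import import)
    {
        import = default(Import);
        Phx.IR.Operand target = call.CallTargetOperand;
        if (!target.IsMemory) return false;
        Phx.Symbols.Symbol symbol = target.Symbol;
        if (symbol == null || !symbol.IsNonLocalVariableSymbol) return false;
        return FindImport(symbol.AsNonLocalVariableSymbol.GlobalSymbol, out import);
    }
}
```

Construct one resolver per functionUnit.ParentPEModuleUnit and call TryResolveCall on each instruction.AsCallInstruction in the phase loop shown in the answer.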
