SNOOP: How to find out if an DLL entry is a DATA reference?
Dan Kegel
dank at kegel.com
Mon Aug 13 19:01:38 CDT 2001
Uwe Bonnes wrote:
> e.g. with the MFC libraries the snoop option crashes quite often, while
> without snoop the programm proceeds some more. Digging deeper for the crash in
> msdev.exe, I saw that a library has exported DATA entries mixed into the
> codesegment. Our snoop loader only checks for DATA entries in the PE DATA
> section and so happyly overwrites data. It seems that most exported DATA
> entries have a decorated name ending in @A or @B and by handling entries with
> that ending as DATA, the crash with msdev.exe happens at the same place with
> or without snoop.
>
> Appended patch does this hacky search for DATA entries.
>
> However I like to ask if there are other methods of distinguishing DATA and
> function references? Could the PE loader perhaps know? Or can we perhaps
> protect our snoop entries from being read as data and catch those exceptions?
> Any other idea?
For what it's worth, I reverse-engineered and documented the name
decoration scheme used by Microsoft in 1999. My doc is at
http://www.kegel.com/mangle.html
You should probably not check for the @, as that's not always there.
(I think a global variable
int g;
might have a decorated name
?g at 3HA
but don't quote me on that.)
The trailing A or B should be reliable.
A trailing C indicates a const; maybe you should check for that, too
(you'd know better than me).
You may want to use presence of a '?' to detect a mangled name, tho. e.g.
if ((name[0] == '?') && ((name[len-1] == 'A') || (name[len-1] == 'B')))
(I have no idea if that's right, it's been two years since I touched this.)
- Dan
--
"I have seen the future, and it licks itself clean." -- Bucky Katt
More information about the wine-devel
mailing list