SNOOP: How to find out if an DLL entry is a DATA reference?

Dan Kegel dank at
Mon Aug 13 19:01:38 CDT 2001

Uwe Bonnes wrote:
> e.g. with the MFC libraries the snoop option crashes quite often, while
> without snoop the programm proceeds some more. Digging deeper for the crash in
> msdev.exe, I saw that a library has exported DATA entries mixed into the
> codesegment. Our snoop loader only checks for DATA entries in the PE DATA
> section and so happyly overwrites data. It seems that most exported DATA
> entries have a decorated name ending in @A or @B and by handling entries with
> that ending as DATA, the crash with msdev.exe happens at the same place with
> or without snoop.
> Appended patch does this hacky search for DATA entries.
> However I like to ask if there are other methods of distinguishing DATA and
> function references? Could the PE loader perhaps know? Or can we perhaps
> protect our snoop entries from being read as data and catch those exceptions?
> Any other idea?

For what it's worth, I reverse-engineered and documented the name
decoration scheme used by Microsoft in 1999.  My doc is at
You should probably not check for the @, as that's not always there.
(I think a global variable
   int g;
might have a decorated name
   ?g at 3HA
but don't quote me on that.)

The trailing A or B should be reliable.
A trailing C indicates a const; maybe you should check for that, too
(you'd know better than me).
You may want to use presence of a '?' to detect a mangled name, tho.  e.g.

  if ((name[0] == '?') && ((name[len-1] == 'A') || (name[len-1] == 'B')))

(I have no idea if that's right, it's been two years since I touched this.)
- Dan

"I have seen the future, and it licks itself clean." -- Bucky Katt

More information about the wine-devel mailing list