
#206 PE Analyzer - Exported function names missing and data sections disassembled

Fixed
nobody
PEAnalyzer (10)
High
Defect
2024-02-05
2023-04-03
No

Exported Function Names

In previous versions of PE Analyzer, exported function names were visible in the disassembly. It was working fine till version 3.8.0. Since version 3.9.2 the exported functions are no longer shown in comments. I don't have versions between these two, so I'm not sure exactly when this issue started.

Here is part of the disassembly for kernel32.dll. The same addresses are shown. In the first instance, you can see the exported function GetCalendarSupportedDateRange. In the later versions, this comment is missing.

PE Analyzer 3.8.0 Disassembly
0180002878: 71 32                    jno         00000001800028ACh
018000287A: D9 36                    fstenv       [rsi]
018000287C: 46 8E 58 85              mov         seg?, word ptr [rax-7Bh]

; *****************************************************************************
; Exported function GetCalendarSupportedDateRange
; *****************************************************************************
0180002880: 48 83 EC 28              sub         rsp, 28h
0180002884: 4C 8B CA                 mov         r9, rdx
0180002887: 44 8B D1                 mov         r10d, ecx
018000288A: 33 D2                    xor         edx, edx
018000288C: 4D 85 C9                 test        r9, r9

PE Analyzer 3.9.4 Disassembly
0180002878: 71 32                    jno         00000001800028ACh
018000287A: D9 36                    fstenv       [rsi]
018000287C: 46 8E 58 85              mov         seg?, word ptr [rax-7Bh]
0180002880: 48 83 EC 28              sub         rsp, 28h
0180002884: 4C 8B CA                 mov         r9, rdx
0180002887: 44 8B D1                 mov         r10d, ecx
018000288A: 33 D2                    xor         edx, edx
018000288C: 4D 85 C9                 test        r9, r9

Data Sections

In the current version 3.9.4 data sections are disassembled as well. In version 3.8.0 they were displayed as bytes. Here is an example:

PE Analyzer 3.8.0 Disassembly
; *****************************************************************************
; section: .rdata
; *****************************************************************************
0180081000: E0 17 08 80  01 00 00 00  D2 9C 08 80  01 00 00 00 ; ................
0180081010: 48 9B 08 80  01 00 00 00  78 9B 08 80  01 00 00 00 ; H.......x.......

PE Analyzer 3.9.4 Disassembly
; *****************************************************************************
; section: .rdata
; *****************************************************************************
0180081000: E0 17                    loopne      0000000180081019h
0180081002: 08 80 01 00 00 00        or          byte ptr [rax+00000001h], al
0180081008: D2 9C 08 80 01 00 00     rcr         byte ptr [rax+rcx+00000180h], cl
018008100F: 00 48 9B                 add         byte ptr [rax-65h], cl
0180081012: 08 80 01 00 00 00        or          byte ptr [rax+00000001h], al
0180081018: 78 9B                    js          0000000180080FB5h
018008101A: 08 80 01 00 00 00        or          byte ptr [rax+00000001h], al
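Both behaviours that 3.9.x lost, the "Exported function" banner and the byte display for .rdata, come straight from PE metadata: the export directory maps function RVAs to names, and the section Characteristics flags say whether a range holds code. The following is an added example, not PE Analyzer's code: it parses IMAGE_EXPORT_DIRECTORY from a constructed PE32+ image fragment and classifies addresses by section flags; the section table, image base, second export name and all RVAs are constructed to match the kernel32.dll addresses in the listings above.

```python
import struct
IMAGE_SCN_CNT_CODE = 0x00000020      # section contains executable code
IMAGE_SCN_MEM_EXECUTE = 0x20000000   # section is executable
IMAGE_BASE = 0x180000000             # ImageBase shown in the report's listings
# Constructed section table: (Name, VirtualAddress, VirtualSize, PointerToRawData, Characteristics)
SECTIONS = [
    (".text",  0x01000, 0x80000, 0x00400, 0x60000020),  # CODE | EXECUTE | READ
    (".rdata", 0x81000, 0x01000, 0x80400, 0x40000040),  # INITIALIZED_DATA | READ
]

def find_section(rva):
    for sec in SECTIONS:
        if sec[1] <= rva < sec[1] + sec[2]:
            return sec
    raise ValueError("RVA %#x is not inside any section" % rva)

def rva_to_offset(rva):
    sec = find_section(rva)
    return sec[3] + (rva - sec[1])

def section_mode(va):
    """'disasm' for code sections, 'bytes' for data sections (how 3.8.0 showed .rdata)."""
    return "disasm" if find_section(va - IMAGE_BASE)[4] & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) else "bytes"

def parse_export_names(image, export_rva):
    """Walk IMAGE_EXPORT_DIRECTORY and return {virtual address: exported name}."""
    _, nnames, afuncs, anames, aords = struct.unpack_from("<5I", image, rva_to_offset(export_rva) + 20)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", image, rva_to_offset(anames) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", image, rva_to_offset(aords) + 2 * i)[0]  # index into AddressOfFunctions
        func_rva = struct.unpack_from("<I", image, rva_to_offset(afuncs) + 4 * ordinal)[0]
        start = rva_to_offset(name_rva)
        exports[IMAGE_BASE + func_rva] = image[start:image.index(b"\0", start)].decode()
    return exports

def build_sample_image():
    """Constructed image: only .rdata is populated, with an export directory naming two functions."""
    img = bytearray(0x80400 + 0x1000)
    exp, d = 0x81000, rva_to_offset(0x81000)        # export directory RVA (inside .rdata) and file offset
    struct.pack_into("<5I", img, d + 20, 2, 2, exp + 0x28, exp + 0x30, exp + 0x38)
    struct.pack_into("<2I", img, d + 0x28, 0x1A30, 0x2880)       # AddressOfFunctions
    struct.pack_into("<2H", img, d + 0x38, 1, 0)                 # AddressOfNameOrdinals (unsorted on purpose)
    cur = exp + 0x40                                # name strings follow the tables
    for i, name in enumerate((b"GetCalendarSupportedDateRange", b"ZzConstructedExport")):
        img[rva_to_offset(cur):rva_to_offset(cur) + len(name) + 1] = name + b"\0"
        struct.pack_into("<I", img, d + 0x30 + 4 * i, cur)       # AddressOfNames[i]
        cur += len(name) + 1
    return bytes(img), exp
```

A listing generator would print "; Exported function " + name wherever the current address is a key of the returned dict, and fall back to a hex dump whenever section_mode() says "bytes".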

Entry Point

In version 3.8.0 when you disassembled a file, the cursor was positioned on the Entry Point. Well, actually it was positioned 6 lines above the entry point (which I was planning to report as a bug!). In the current version 3.9.4, the cursor is positioned at the beginning of the file. Here is an example. The first line is the position of the cursor when the disassembly is opened.

PE Analyzer 3.8.0 Disassembly
01800050BE: CC                       int3       
01800050BF: CC                       int3       

; *****************************************************************************
; Entry point
; *****************************************************************************
01800050C0: 48 89 5C 24 08           mov         qword ptr [rsp+08h], rbx
01800050C5: 48 89 74 24 10           mov         qword ptr [rsp+10h], rsi
01800050CA: 57                       push        rdi

PE Analyzer 3.9.4 Disassembly
; org    0x180000000   ; ImageBase

; *****************************************************************************
; section: .text
; *****************************************************************************
0180001000: 48 83 EC 28              sub         rsp, 28h
0180001004: 41 B8 0A 00 00 00        mov         r8d, 0000000Ah

Discussion

  • Vladimir Surguchev

    PEAnalyzer is actually under construction.
    I want to move to the capstone reassembly library (and add ARM64 support), and also process code hints from at least the Import Directory.
    I started that process more than a year ago but did not finish it. I've committed some raw code so as not to lose the changes and had to partly turn it off.
    It requires more time than I can spend now.

    Last edit: Vladimir Surguchev 2023-04-03
  • Rohitab Batra

    Rohitab Batra - 2023-04-04

    I completely understand. These things take time. I found these features very useful and hope to see them back someday. Meanwhile, I will use the older version and keep an eye out for new releases.

    ARM support would be great to have as well. Thank you.
  • Vladimir Surguchev

    • status: New --> Accepted
  • Rohitab Batra

    Rohitab Batra - 2024-02-05

    This issue is resolved in the latest version 3.10.2. Please feel free to mark this ticket as fixed.
  • Vladimir Surguchev

    • status: Accepted --> Fixed
