Chapter 22: Overview of Debuggers and Disassemblers

Do you remember the DEBUG.EXE program? As far as I know, it is still present in Windows XP. Unfortunately, Microsoft no longer supports it and it is practically useless. But do you remember how many things are related to it? That was the time of a legend.

This chapter describes many debuggers and disassemblers. It does not describe the three most famous ones, which deserve separate chapters and, accordingly , will be covered in the next two chapters.

Microsoft Utilities

EDIDBIN.EXE

This program has a promising name . Nevertheless, it hardly deserves to be called an editor. Its main goal is to convert object files in the OMF format into the COFF format. In addition, this utility allows for changing some other attributes of executable and object modules. If you specify the name of the object module in its command line, then, if that module is in the OMF format, it will be converted into the COFF format. Consider the command-line options of this program. They can be applied to both executable and object modules.

  • /BIND Allows you to specify the paths to dynamic link libraries (DLLs) that use this executable module. For example: EDITBIN/BIND: PATH =c:\edit;d:\dll EDIT.EXE .

  • /HEAP Specifies the heap size in bytes. For example: EDITBIN/HEAP: 100000,100000 (see the LINK.EXE options).

  • /LARGEADDRESSAWARE Specifies that the application operates with addresses larger than 2 GB.

  • /NOLOGO Suppresses the output of information about the program.

  • /REBASE Sets the module's base address. By default, the base address for an executable module is equal to 400000H, and for DLLs, it is 10000000H.

  • /RELEASE Sets the checksum in the header of the executable module.

  • /SECTION Changes the attributes of the sections of the executable module. The full format of this option is as follows :

     /SECTION:name[=newname][,attributes][,alignment] 
Table 22.1: Attribute values

Attribute

Value

C

Code

D

Discardable

E

Executable

I

Initialized data

K

Cached virtual memory

M

Link remove

O

Link information

P

Paged virtual memory

R

Read

S

Shared

U

Uninitialized data

w

Write

Table 22.2: The value of the alignment option

Option

Alignment (in bytes)

1

1

2

2

4

4

8

8

p

16

t

32

s

64

x

No alignment

  • /STACK Changes the value required for the executable module's stack. For example: EDITBIN /STACK:10000,10000 EDIT.EXE .

  • /SUBSYSTEM Redefines the subsystem, in which this program operates. For example, if the program has been translated with the /SUBSYSTEM: WINDOWS option, this setting can be changed without recompiling: EDITBIN /SUBSYSTEM: CONSOLE EDIT.EXE .

  • /SWAPRUN Sets the "move to swap file" attribute for the executable module.

  • /VERSION Sets the version for the executable module.

  • /WS (/WS: AGGRESSIVE) Sets the AGGRESSIVE attribute, which is used by operating systems of the Windows NT family.

This utility is useful for quickly changing attributes of executable and object modules.

DUMPBIN.EXE

This program is mainly used for the investigation of executable and object modules in the COFF format. It outputs information to the current console. The command-line options of this program are as follows:

  • /ALL Outputs all available information about the module except the Assembly code.

  • /ARCH Outputs information about the .arch section of the module header.

  • /ARCHIVEMEMBERS Outputs minimal information about the elements of the object library.

  • /DEPENDENTS Outputs the names of DLLs, from which the module imports functions.

  • /DIRECTIVES Outputs the contents of the .drectve section created by the compiler (only for object modules).

  • /DISASM Disassembles the contents of module sections using symbolic information (if present).

  • /EXPORTS Outputs the names exported by the module.

  • /HEADER Outputs headers of the module and all its sections. In the case of an object library, it outputs the headers of all object modules that make up that library.

  • /IMPORTS Outputs the names imported by this module.

  • /LINENUMBERS Outputs the line numbers of the object module (if it contains numbered lines).

  • /LINKERMEMBER[: {112}] Outputs all names defined as public in the object library.

    • /LINKERMEMBER:1 Outputs in the order, in which object modules follow each other in the library.

    • /LINKERMEMBER:2 First outputs the offset and the index of object modules, then outputs an alphabetically sorted list of names for each module.

    • /LINKERMEMBER Combines options 1 and 2.

  • /OUT Specifies the data that should be output to the file (i.e., /OUT:ED.TXT ) instead of to a console.

  • /PDATA Outputs the contents of exception tables.

  • /RAWDATA Outputs the dump of each file section. This option has the following variants: /RAWDATA:BYTE, /RAWDATA:SHORTS, /RAWDATA:LONGS, /RAWDATA:NONE , and /RAWDATA:, number . Here, number defines the length of the output strings.

  • /SUMMARY Outputs minimal information about sections.

  • /SYMBOLS Outputs the symbols table of the COFF file.

This program is a powerful disassembling tool. Suppose that the program name is PROG.ASM. Translate this program as follows:

 ml  /c /coff /Zi /Zd prog.asm     link /debug /subsystem:windows prog.obj 

In this case, in addition to the executable module PROG.EXE, another file, PROG.PDB, will appear. This file will contain the debug information. Now, issue the command DUMPBIN /DISASM /OUT:PROG.TXT PROG.EXE . As a result, you'll get the disassembled code, practically identical to the source code of the program. Part of this code is presented in Listing 22.1.

Listing 22.1: Fragment of the disassembled code
image from book
 _START: 0040101C: 6AO0         PUSH   0 0040101E: E843020000   CALL   _GetModuleHandleA@4 00401023: A344404000   MOV    [00404044],eax 00401028: C7051C404000 MOV    DWORD PTR  DS:[40401Ch],  4003h      03400000 00401032: C70520404000 MOV   DWORD PTR  DS: [404020h], offset @ILT+0(_WNDPROC@0)      05104000 0040103C: C70524404000 MOV   DWORD PTR  DS:[404024h],  0      00000000 00401046: C70528404000 MOV   DWORD PTR  DS:[404028h],  0      00000000 00401050: A144404000   MOV   EAX, .[00404044] 00401055: A32C404000   MOV   [0040402C],  EAX 0040105A: 68007F0000   PUSH  7F00h 0040105F: 6A00         PUSH  0 00401061: E8D6010000   CALL  _LoadIconA@8 00401066: A330404000   MOV   [00404030],  EAX 0040106B: 68037F0000   PUSH  7F03h 00401070: 6A00         PUSH  0 00401072: E8BF010000   CALL  _LoadCursorA@8 
image from book
 

As you can see, this is a transparent code that is practically no different from normal code written in Assembly language. Near the end of the file, interesting information can be found. Here is the fragment:

 LoadIconA@8: 0040123C: FF2510514000  JMP DWORD PTR [__IMP__LoadIconA@8] 

When a function is called, for example, _LoadIconA@8 , the jump is carried out to the address of the following command:

 JMP DWORD PTR  [__IMP__LoadIconA@8]. 

Because of this, you can declare _imp__LoadIconA@8 instead of LoadIcon@8 , which will somewhat improve the performance of your program. I didn't mention this possibility before because of two reasons:

  • The performance gain achieved using this approach is minimal.

  • TASM32 does everything in a slightly different manner. This topic is covered in more detail later in this chapter.



The Assembly Programming Master Book
The Assembly Programming Master Book
ISBN: 8170088178
EAN: 2147483647
Year: 2004
Pages: 140
Authors: Vlad Pirogov

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net