
Stripped PE Dumper

Posted: Thu Aug 23, 2018 10:27 am
by 0CodErr
KolibriOS uses the Stripped Portable Executable format.
Unfortunately, no specification for it could be found.
There is only this file for converting a regular PE into a Stripped PE: "/data/common/pestrip.asm"
And "kernel/trunk/const.inc" also contains the definitions:
    struct  STRIPPED_PE_HEADER
            Signature           dw ?
            Characteristics     dw ?
            AddressOfEntryPoint dd ?
            ImageBase           dd ?
            SectionAlignmentLog db ?
            FileAlignmentLog    db ?
            MajorOSVersion      db ?
            MinorOSVersion      db ?
            SizeOfImage         dd ?
            SizeOfStackReserve  dd ?
            SizeOfHeapReserve   dd ?
            SizeOfHeaders       dd ?
            Subsystem           db ?
            NumberOfRvaAndSizes db ?
            NumberOfSections    dw ?
    ends
    STRIPPED_PE_SIGNATURE = 0x4503 ; 'PE' xor 'S'
    SPE_DIRECTORY_IMPORT    = 0
    SPE_DIRECTORY_EXPORT    = 1
    SPE_DIRECTORY_BASERELOC = 2
And this is how the kernel loads it: "kernel/trunk/core/peload.inc"
For example, a compiled "/drivers/mouse/commouse.asm" can be converted like this:

    Set EXENAME=commouse.sys
    fasm pestrip.asm %EXENAME%
As a result, the converted commouse.sys will already be in the Stripped PE format.
At present, drivers in KolibriOS have this format; in addition, it is possible to build "programs/develop/libraries/console" as a Stripped PE.
In principle, pestrip.asm should also convert any other PE files (not only those for KolibriOS).

The SPEDump utility prints the file header, the section headers, and the list of imported and exported functions.

    Simple Stripped PE Binary File Dumper Version 0.1; 2018.
    Usage: SPEDump [<file>]
Screenshot: SPEDump.PNG
That is, the output looks like this:

Simple Stripped PE Binary File Dumper Version 0.1; 2018.

Dump of "/rd/1/DRIVERS/UHCI.SYS"

File header
-----------
  Signature             = 4503
  Characteristics       = 210E
  AddressOfEntryPoint   = 3D3
  ImageBase             = 400000
  SectionAlignmentLog   = 5
  FileAlignmentLog      = 5
  MajorOSVersion        = 3
  MinorOSVersion        = A
  SizeOfImage           = 1740
  SizeOfStackReserve    = 1000
  SizeOfHeapReserve     = 10000
  SizeOfHeaders         = A0
  Subsystem             = 1
  NumberOfRvaAndSizes   = 3
  NumberOfSections      = 3

Section #1
-----------
  Name                  = .reloc
  VirtualSize           = 12A
  VirtualAddress        = 200
  SizeOfRawData         = 140
  PointerToRawData      = A0
  Flags                 = 42000040

Section #2
-----------
  Name                  = .text
  VirtualSize           = FFA
  VirtualAddress        = 340
  SizeOfRawData         = 1000
  PointerToRawData      = 1E0
  Flags                 = 60000020

Section #3
-----------
  Name                  = .data
  VirtualSize           = 3F4
  VirtualAddress        = 1340
  SizeOfRawData         = 400
  PointerToRawData      = 11E0
  Flags                 = C0000000

Imports
-------
  OriginalFirstThunk    = 0
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = core.dll
  FirstThunk            = 1374
    AttachIntHandler
    MutexInit
    MutexLock
    MutexUnlock
    PciRead16
    PciRead8
    PciWrite16
    GetPhysAddr
    Kmalloc
    Kfree
    SysMsgBoardStr
    SysMsgBoard
    Sleep
    GetTimerTicks
    RegUSBDriver
    USBHCFunc

This is the output for vmwgfx.dll:

Simple Stripped PE Binary File Dumper Version 0.1; 2018.

Dump of "vmwgfx.dll"

File header
-----------
  Signature             = 4503
  Characteristics       = 230E
  AddressOfEntryPoint   = A658
  ImageBase             = 0
  SectionAlignmentLog   = C
  FileAlignmentLog      = 9
  MajorOSVersion        = 4
  MinorOSVersion        = 0
  SizeOfImage           = 1D000
  SizeOfStackReserve    = 200000
  SizeOfHeapReserve     = 100000
  SizeOfHeaders         = 400
  Subsystem             = 3
  NumberOfRvaAndSizes   = 3
  NumberOfSections      = 7

Section #1
-----------
  Name                  = .text
  VirtualSize           = 14C78
  VirtualAddress        = 1000
  SizeOfRawData         = 14E00
  PointerToRawData      = 400
  Flags                 = 60500060

Section #2
-----------
  Name                  = .text.un
  VirtualSize           = B30
  VirtualAddress        = 16000
  SizeOfRawData         = C00
  PointerToRawData      = 15200
  Flags                 = 60300020

Section #3
-----------
  Name                  = .rdata
  VirtualSize           = 230
  VirtualAddress        = 17000
  SizeOfRawData         = 400
  PointerToRawData      = 15E00
  Flags                 = 40300040

Section #4
-----------
  Name                  = .data
  VirtualSize           = 12CC
  VirtualAddress        = 18000
  SizeOfRawData         = 1400
  PointerToRawData      = 16200
  Flags                 = C0300040

Section #5
-----------
  Name                  = .bss
  VirtualSize           = FC0
  VirtualAddress        = 1A000
  SizeOfRawData         = 0
  PointerToRawData      = 0
  Flags                 = C0400080

Section #6
-----------
  Name                  = .idata
  VirtualSize           = 3AC
  VirtualAddress        = 1B000
  SizeOfRawData         = 400
  PointerToRawData      = 17600
  Flags                 = C0300040

Section #7
-----------
  Name                  = .reloc
  VirtualSize           = D1C
  VirtualAddress        = 1C000
  SizeOfRawData         = E00
  PointerToRawData      = 17A00
  Flags                 = 42300040

Imports
-------
  OriginalFirstThunk    = 1B028
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = core.dll
  FirstThunk            = 1B0B0
    AllocKernelSpace
    AllocPage
    CancelTimerHS
    CreateEvent
    CreateThread
    Delay
    DestroyEvent
    FreeKernelSpace
    FreePage
    GetCpuFreq
    GetDisplay
    GetService
    GetTimerTicks
    KernelAlloc
    KernelFree
    MapIoMem
    MapPage
    MutexInit
    MutexLock
    MutexUnlock
    PciApi
    PciRead16
    PciRead32
    PciRead8
    PciWrite16
    PciWrite32
    RaiseEvent
    RegService
    SetScreen
    SysMsgBoardStr
    TimerHS
    WaitEvent
    WaitEventTimeout

And, just out of interest, here is the output (imports and exports) for a converted Windows library:

Simple Stripped PE Binary File Dumper Version 0.1; 2018.

Dump of "ablockc.dll"

File header
-----------
  Signature             = 4503
  Characteristics       = 230E
  AddressOfEntryPoint   = 1540
  ImageBase             = 400000
  SectionAlignmentLog   = C
  FileAlignmentLog      = 9
  MajorOSVersion        = 4
  MinorOSVersion        = 0
  SizeOfImage           = 6000
  SizeOfStackReserve    = 100000
  SizeOfHeapReserve     = 100000
  SizeOfHeaders         = 400
  Subsystem             = 2
  NumberOfRvaAndSizes   = 3
  NumberOfSections      = 4

Section #1
-----------
  Name                  = .text
  VirtualSize           = 124E
  VirtualAddress        = 1000
  SizeOfRawData         = 1400
  PointerToRawData      = 400
  Flags                 = 60000020

Section #2
-----------
  Name                  = .data
  VirtualSize           = 31C
  VirtualAddress        = 3000
  SizeOfRawData         = 200
  PointerToRawData      = 1800
  Flags                 = C0000040

Section #3
-----------
  Name                  = .link
  VirtualSize           = 479
  VirtualAddress        = 4000
  SizeOfRawData         = 600
  PointerToRawData      = 1A00
  Flags                 = C0000040

Section #4
-----------
  Name                  = .rloc
  VirtualSize           = 7C
  VirtualAddress        = 5000
  SizeOfRawData         = 200
  PointerToRawData      = 2000
  Flags                 = 42000040

Imports
-------
  OriginalFirstThunk    = 4078
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = ADVAPI32.DLL
  FirstThunk            = 4110
    RegOpenKeyExA
    RegCloseKey

  OriginalFirstThunk    = 4084
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = KERNEL32.DLL
  FirstThunk            = 411C
    CloseHandle
    ExitProcess
    FlushFileBuffers
    GetCommandLineA
    GetEnvironmentStringsA
    GetLastError
    GetModuleHandleA
    GetStartupInfoA
    GetSystemInfo
    GetVersionExA
    GlobalAlloc
    GlobalFree
    ReadFile
    SetEndOfFile
    SetErrorMode
    SetFilePointer
    SetLastError
    Sleep
    WriteFile

  OriginalFirstThunk    = 40D4
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = OLEAUT32.DLL
  FirstThunk            = 416C
    SysAllocStringByteLen
    SysFreeString
    SysStringByteLen

  OriginalFirstThunk    = 40E4
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = USER32.DLL
  FirstThunk            = 417C
    CreateDialogIndirectParamA
    CreateDialogParamA
    CreateWindowExA
    DialogBoxIndirectParamA
    MessageBeep
    MessageBoxA
    SendMessageA
    DialogBoxParamA

  OriginalFirstThunk    = 4108
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = GDI32.DLL
  FirstThunk            = 41A0
    MoveToEx

Exports
-------
  Characteristics       = 0
  TimeDateStamp         = 3039
  MajorVersion          = 0
  MinorVersion          = 0
  Name                  = ABLOCKC.DLL
  Base                  = 1
  NumberOfFunctions     = 2
  NumberOfNames         = 2
  AddressOfFunctions    = 4448
  AddressOfNames        = 4450
  AddressOfNameOrdinals = 4458
    LIBMAIN
    QePlugIn
Building requires:
  • dcc32 — Delphi compiler
  • omf2d — utility for converting from Borland OMF to Intel OMF
  • link — Microsoft linker
  • ld — GNU linker
  • objcopy — utility to convert object files
You also need to set the paths in make.bat:
  • KOLIBRIOS_PAS - path to KolibriOS.pas
  • KOLIBRIOS_LIB - path to KolibriOS.lib

KolibriOS.lib can be taken from the Delphi7 examples thread: http://board.kolibrios.org/viewtopic.php?f=33&t=3469
Attachment: SPEDump.7z (4.23 KiB)
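Added example (not part of the post, and not SPEDump's own code): a small Python parser for the STRIPPED_PE_HEADER layout quoted above, followed by the consistency checks a loader should apply before mapping such an image (signature, alignment exponents, SizeOfHeaders, entry point, directory and section ranges against SizeOfImage and the file size). The 28-byte section record and the placement of the directory table right after the fixed header are assumptions, since the post gives no layout for them; the sample image is constructed from the UHCI.SYS header and section values in the dump above.

```python
import struct
from collections import namedtuple

# Constants from kernel/trunk/const.inc as quoted in the post.
STRIPPED_PE_SIGNATURE = 0x4503  # 'PE' xor 'S'
SPE_DIRECTORY_IMPORT, SPE_DIRECTORY_EXPORT, SPE_DIRECTORY_BASERELOC = 0, 1, 2

# STRIPPED_PE_HEADER field for field: dw dw dd dd db db db db dd dd dd dd db db dw (36 bytes).
HEADER_FMT = "<HHIIBBBBIIIIBBH"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
SpeHeader = namedtuple("SpeHeader", (
    "signature characteristics address_of_entry_point image_base section_alignment_log "
    "file_alignment_log major_os_version minor_os_version size_of_image size_of_stack_reserve "
    "size_of_heap_reserve size_of_headers subsystem number_of_rva_and_sizes number_of_sections"))

# ASSUMPTION (the post gives no layout for these): NumberOfRvaAndSizes (RVA, size) pairs follow
# the fixed header, then one 28-byte record per section holding exactly the six fields SPEDump
# prints: Name[8], VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Flags.
DIRECTORY_FMT = "<II"
SECTION_FMT = "<8sIIIII"
SECTION_SIZE = struct.calcsize(SECTION_FMT)
SpeSection = namedtuple("SpeSection",
                        "name virtual_size virtual_address size_of_raw_data pointer_to_raw_data flags")


class SpeError(ValueError):
    """Raised when the header cannot be parsed at all."""


def parse_image(data):
    """Parse header, directory table and section table; raise SpeError on truncation."""
    if len(data) < HEADER_SIZE:
        raise SpeError("file shorter than STRIPPED_PE_HEADER")
    hdr = SpeHeader(*struct.unpack_from(HEADER_FMT, data, 0))
    if hdr.signature != STRIPPED_PE_SIGNATURE:
        raise SpeError(f"bad signature {hdr.signature:#06x}")
    off, dirs, secs = HEADER_SIZE, [], []
    for _ in range(hdr.number_of_rva_and_sizes):
        if off + 8 > len(data):
            raise SpeError("directory table truncated")
        dirs.append(struct.unpack_from(DIRECTORY_FMT, data, off))
        off += 8
    for _ in range(hdr.number_of_sections):
        if off + SECTION_SIZE > len(data):
            raise SpeError("section table truncated")
        raw = struct.unpack_from(SECTION_FMT, data, off)
        secs.append(SpeSection(raw[0].rstrip(b"\0").decode("ascii", "replace"), *raw[1:]))
        off += SECTION_SIZE
    return hdr, dirs, secs


def check_image(data):
    """Loader-style consistency checks. Returns a list of problems (empty = consistent)."""
    try:
        hdr, dirs, secs = parse_image(data)
    except SpeError as e:
        return [str(e)]
    problems = []
    if hdr.section_alignment_log > 16 or hdr.file_alignment_log > hdr.section_alignment_log:
        problems.append("implausible SectionAlignmentLog/FileAlignmentLog")
    sec_align, file_align = 1 << hdr.section_alignment_log, 1 << hdr.file_alignment_log
    table_end = HEADER_SIZE + 8 * hdr.number_of_rva_and_sizes + SECTION_SIZE * hdr.number_of_sections
    if not table_end <= hdr.size_of_headers <= hdr.size_of_image:
        problems.append("SizeOfHeaders smaller than the header tables or larger than SizeOfImage")
    if hdr.address_of_entry_point >= hdr.size_of_image:
        problems.append("AddressOfEntryPoint outside the image")
    # Python ints never wrap, so the RVA + size comparisons below cannot be defeated by overflow.
    for rva, size in dirs:
        if size and rva + size > hdr.size_of_image:
            problems.append(f"directory at RVA {rva:#x} ends past SizeOfImage")
    for s in secs:
        if s.virtual_address % sec_align:
            problems.append(f"{s.name}: VirtualAddress not aligned to {sec_align:#x}")
        if s.virtual_address + s.virtual_size > hdr.size_of_image:
            problems.append(f"{s.name}: virtual range ends past SizeOfImage")
        if s.size_of_raw_data and s.pointer_to_raw_data % file_align:
            problems.append(f"{s.name}: PointerToRawData not aligned to {file_align:#x}")
        if s.size_of_raw_data and s.pointer_to_raw_data + s.size_of_raw_data > len(data):
            problems.append(f"{s.name}: raw data lies outside the file")
    return problems


# Constructed sample: UHCI.SYS header/section values from the post, empty directories, zeroed contents.
UHCI_HEADER = (0x4503, 0x210E, 0x3D3, 0x400000, 5, 5, 3, 0xA,
               0x1740, 0x1000, 0x10000, 0xA0, 1, 3, 3)
UHCI_SECTIONS = [(b".reloc", 0x12A, 0x200, 0x140, 0xA0, 0x42000040),
                 (b".text", 0xFFA, 0x340, 0x1000, 0x1E0, 0x60000020),
                 (b".data", 0x3F4, 0x1340, 0x400, 0x11E0, 0xC0000000)]


def build_sample(header=UHCI_HEADER, sections=UHCI_SECTIONS):
    blob = struct.pack(HEADER_FMT, *header)
    blob += struct.pack(DIRECTORY_FMT, 0, 0) * header[13]  # NumberOfRvaAndSizes empty entries
    for s in sections:
        blob += struct.pack(SECTION_FMT, *s)
    file_end = max(ptr + size for _, _, _, size, ptr, _ in sections)
    return blob.ljust(file_end, b"\0")


if __name__ == "__main__":
    hdr, _, secs = parse_image(build_sample())
    print(f"SizeOfImage = {hdr.size_of_image:X}, sections = {[s.name for s in secs]}")
    print("problems:", check_image(build_sample()) or "none")
```

Replacing `build_sample()` with the bytes of a real file run through pestrip.asm applies the same checks to that file.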

Re: Stripped PE Dumper

Posted: Sat Sep 01, 2018 12:19 pm
by 0CodErr
There is a Windows version; here is a screenshot with the output for one of the KolibriOS drivers:
Screenshot: SPEDump.png
On Windows you can redirect the output:

    SPEDump kernel32.dll > dump.txt

which is what I did.
This is the output for the Windows library kernel32.dll, converted to Stripped PE with pestrip.asm for testing:

Simple Stripped PE Binary File Dumper Version 0.1; 2018.

Dump of "kernel32.dll"

File header
-----------
  Signature             = 4503
  Characteristics       = 210E
  AddressOfEntryPoint   = B5AE
  ImageBase             = 7C800000
  SectionAlignmentLog   = C
  FileAlignmentLog      = 9
  MajorOSVersion        = 4
  MinorOSVersion        = 0
  SizeOfImage           = F6000
  SizeOfStackReserve    = 40000
  SizeOfHeapReserve     = 100000
  SizeOfHeaders         = 400
  Subsystem             = 3
  NumberOfRvaAndSizes   = 7
  NumberOfSections      = 4

Section #1
-----------
  Name                  = .text
  VirtualSize           = 81FB5
  VirtualAddress        = 1000
  SizeOfRawData         = 82000
  PointerToRawData      = 400
  Flags                 = 60000020

Section #2
-----------
  Name                  = .data
  VirtualSize           = 43A0
  VirtualAddress        = 83000
  SizeOfRawData         = 2400
  PointerToRawData      = 82400
  Flags                 = C0000040

Section #3
-----------
  Name                  = .rsrc
  VirtualSize           = 6773C
  VirtualAddress        = 88000
  SizeOfRawData         = 67800
  PointerToRawData      = 84800
  Flags                 = 40000040

Section #4
-----------
  Name                  = .reloc
  VirtualSize           = 5BDC
  VirtualAddress        = F0000
  SizeOfRawData         = 5C00
  PointerToRawData      = EC000
  Flags                 = 42000040

Imports
-------
  OriginalFirstThunk    = 806A4
  TimeDateStamp         = 0
  ForwarderChain        = 0
  Name                  = ntdll.dll
  FirstThunk            = 1000
    _wcsnicmp
    NtFsControlFile
    NtCreateFile
    RtlAllocateHeap
    RtlFreeHeap
    NtOpenFile
    NtQueryInformationFile
    NtQueryEaFile
    RtlLengthSecurityDescriptor
    NtQuerySecurityObject
    NtSetEaFile
    NtSetSecurityObject
    NtSetInformationFile
    CsrClientCallServer
    NtDeviceIoControlFile
    NtClose
    RtlInitUnicodeString
    wcscspn
    RtlUnicodeToMultiByteSize
    wcslen
    _memicmp
    memmove
    NtQueryValueKey
    NtOpenKey
    NtFlushKey
    NtSetValueKey
    NtCreateKey
    RtlNtStatusToDosError
    RtlFreeUnicodeString
    RtlDnsHostNameToComputerName
    wcsncpy
    RtlUnicodeStringToAnsiString
    RtlxUnicodeStringToAnsiSize
    NlsMbCodePageTag
    RtlAnsiStringToUnicodeString
    RtlInitAnsiString
    RtlCreateUnicodeStringFromAsciiz
    wcschr
    wcsstr
    RtlPrefixString
    _wcsicmp
    RtlGetFullPathName_U
    RtlGetCurrentDirectory_U
    NtQueryInformationProcess
    RtlUnicodeStringToOemString
    RtlReleasePebLock
    RtlEqualUnicodeString
    RtlAcquirePebLock
    RtlFreeAnsiString
    RtlSetCurrentDirectory_U
    RtlTimeToTimeFields
    NtSetSystemTime
    RtlTimeFieldsToTime
    NtQuerySystemInformation
    RtlSetTimeZoneInformation
    NtSetSystemInformation
    RtlCutoverTimeToSystemTime
    _allmul
    DbgBreakPoint
    RtlFreeSid
    RtlSetDaclSecurityDescriptor
    RtlCreateSecurityDescriptor
    RtlAddAccessAllowedAce
    RtlCreateAcl
    RtlLengthSid
    RtlAllocateAndInitializeSid
    DbgPrint
    NtOpenProcess
    CsrGetProcessId
    DbgUiDebugActiveProcess
    DbgUiConnectToDbg
    DbgUiIssueRemoteBreakin
    NtSetInformationDebugObject
    DbgUiGetThreadDebugObject
    NtQueryInformationThread
    DbgUiConvertStateChangeStructure
    DbgUiWaitStateChange
    DbgUiContinue
    DbgUiStopDebugging
    RtlDosPathNameToNtPathName_U
    RtlIsDosDeviceName_U
    RtlCreateAtomTable
    NtAddAtom
    RtlAddAtomToAtomTable
    NtFindAtom
    RtlLookupAtomInAtomTable
    NtDeleteAtom
    RtlDeleteAtomFromAtomTable
    NtQueryInformationAtom
    RtlQueryAtomInAtomTable
    RtlOemStringToUnicodeString
    RtlMultiByteToUnicodeN
    RtlUnicodeToMultiByteN
    RtlMultiByteToUnicodeSize
    RtlPrefixUnicodeString
    RtlLeaveCriticalSection
    RtlEnterCriticalSection
    NtEnumerateValueKey
    RtlIsTextUnicode
    NtReadFile
    NtAllocateVirtualMemory
    NtUnlockFile
    NtLockFile
    RtlAppendUnicodeStringToString
    RtlAppendUnicodeToString
    RtlCopyUnicodeString
    NtFreeVirtualMemory
    NtWriteFile
    RtlCreateUnicodeString
    RtlFormatCurrentUserKeyPath
    RtlGetLongestNtPathLength
    NtDuplicateObject
    NtQueryKey
    NtEnumerateKey
    NtDeleteValueKey
    RtlEqualString
    CsrFreeCaptureBuffer
    CsrCaptureMessageString
    CsrAllocateCaptureBuffer
    strncpy
    RtlCharToInteger
    RtlUpcaseUnicodeChar
    RtlUpcaseUnicodeString
    CsrAllocateMessagePointer
    NtQueryObject
    wcscmp
    RtlCompareMemory
    NtQueryDirectoryObject
    NtQuerySymbolicLinkObject
    NtOpenSymbolicLinkObject
    NtOpenDirectoryObject
    NtCreateIoCompletion
    NtSetIoCompletion
    NtRemoveIoCompletion
    NtSetInformationProcess
    NtQueryDirectoryFile
    RtlDeleteCriticalSection
    NtNotifyChangeDirectoryFile
    NtWaitForSingleObject
    RtlInitializeCriticalSection
    NtQueryVolumeInformationFile
    NtFlushBuffersFile
    RtlDeactivateActivationContextUnsafeFast
    RtlActivateActivationContextUnsafeFast
    NtCancelIoFile
    NtReadFileScatter
    NtWriteFileGather
    wcscpy
    NtOpenSection
    NtMapViewOfSection
    NtFlushVirtualMemory
    RtlFlushSecureMemoryCache
    NtUnmapViewOfSection
    NtCreateSection
    NtQueryFullAttributesFile
    swprintf
    NtQueryAttributesFile
    RtlDetermineDosPathNameType_U
    NtRaiseHardError
    NtQuerySystemEnvironmentValueEx
    RtlGUIDFromString
    NtSetSystemEnvironmentValueEx
    RtlInitString
    RtlUnlockHeap
    RtlSetUserValueHeap
    RtlFreeHandle
    RtlAllocateHandle
    RtlLockHeap
    RtlSizeHeap
    RtlGetUserInfoHeap
    RtlReAllocateHeap
    RtlIsValidHandle
    RtlCompactHeap
    RtlImageNtHeader
    NtProtectVirtualMemory
    NtQueryVirtualMemory
    NtLockVirtualMemory
    NtUnlockVirtualMemory
    NtFlushInstructionCache
    NtAllocateUserPhysicalPages
    NtFreeUserPhysicalPages
    NtMapUserPhysicalPages
    NtMapUserPhysicalPagesScatter
    NtGetWriteWatch
    NtResetWriteWatch
    NtSetInformationObject
    CsrNewThread
    CsrClientConnectToServer
    RtlCreateTagHeap
    LdrSetDllManifestProber
    RtlSetThreadPoolStartFunc
    RtlEncodePointer
    _stricmp
    wcscat
    RtlCreateHeap
    RtlDestroyHeap
    RtlExtendHeap
    RtlQueryTagHeap
    RtlUsageHeap
    RtlValidateHeap
    RtlGetProcessHeaps
    RtlWalkHeap
    RtlSetHeapInformation
    RtlQueryHeapInformation
    RtlInitializeHandleTable
    RtlExtendedLargeIntegerDivide
    NtCreateMailslotFile
    RtlFormatMessage
    RtlFindMessage
    LdrUnloadDll
    LdrUnloadAlternateResourceModule
    LdrDisableThreadCalloutsForDll
    strchr
    LdrGetDllHandle
    LdrUnlockLoaderLock
    LdrAddRefDll
    RtlComputePrivatizedDllName_U
    RtlPcToFileHeader
    LdrLockLoaderLock
    RtlGetVersion
    RtlVerifyVersionInfo
    LdrEnumerateLoadedModules
    RtlUnicodeStringToInteger
    LdrLoadAlternateResourceModule
    RtlDosApplyFileIsolationRedirection_Ustr
    LdrLoadDll
    LdrGetProcedureAddress
    LdrFindResource_U
    LdrAccessResource
    LdrFindResourceDirectory_U
    RtlImageDirectoryEntryToData
    _strcmpi
    NtSetInformationThread
    NtOpenThreadToken
    NtCreateNamedPipeFile
    RtlDefaultNpAcl
    RtlDosSearchPath_Ustr
    RtlInitUnicodeStringEx
    RtlQueryEnvironmentVariable_U
    RtlAnsiCharToUnicodeChar
    RtlIntegerToChar
    NtSetVolumeInformationFile
    RtlIsNameLegalDOS8Dot3
    NtQueryPerformanceCounter
    sprintf
    NtPowerInformation
    NtInitiatePowerAction
    NtSetThreadExecutionState
    NtRequestWakeupLatency
    NtGetDevicePowerState
    NtIsSystemResumeAutomatic
    NtRequestDeviceWakeup
    NtCancelDeviceWakeupRequest
    NtWriteVirtualMemory
    LdrShutdownProcess
    NtTerminateProcess
    RtlRaiseStatus
    RtlSetEnvironmentVariable
    RtlExpandEnvironmentStrings_U
    NtReadVirtualMemory
    RtlCompareUnicodeString
    RtlQueryRegistryValues
    NtCreateJobSet
    NtCreateJobObject
    NtIsProcessInJob
    RtlEqualSid
    RtlSubAuthoritySid
    RtlInitializeSid
    NtQueryInformationToken
    NtOpenProcessToken
    NtResumeThread
    NtAssignProcessToJobObject
    CsrCaptureMessageMultiUnicodeStringsInPlace
    NtCreateThread
    NtCreateProcessEx
    LdrQueryImageFileExecutionOptions
    RtlDestroyEnvironment
    NtQuerySection
    NtQueryInformationJobObject
    RtlGetNativeSystemInformation
    RtlxAnsiStringToUnicodeSize
    NtOpenEvent
    NtQueryEvent
    NtTerminateThread
    wcsrchr
    NlsMbOemCodePageTag
    RtlxUnicodeStringToOemSize
    NtAdjustPrivilegesToken
    RtlImpersonateSelf
    wcsncmp
    RtlDestroyProcessParameters
    RtlCreateProcessParameters
    RtlInitializeCriticalSectionAndSpinCount
    NtSetEvent
    NtClearEvent
    NtPulseEvent
    NtCreateSemaphore
    NtOpenSemaphore
    NtReleaseSemaphore
    NtCreateMutant
    NtOpenMutant
    NtReleaseMutant
    NtSignalAndWaitForSingleObject
    NtWaitForMultipleObjects
    NtDelayExecution
    NtCreateTimer
    NtOpenTimer
    NtSetTimer
    NtCancelTimer
    NtCreateEvent
    RtlCopyLuid
    strrchr
    _vsnwprintf
    RtlReleaseActivationContext
    RtlActivateActivationContextEx
    RtlQueryInformationActivationContext
    NtOpenThread
    LdrShutdownThread
    RtlFreeThreadActivationContextStack
    NtGetContextThread
    NtSetContextThread
    NtSuspendThread
    RtlRaiseException
    RtlDecodePointer
    towlower
    RtlClearBits
    RtlFindClearBitsAndSet
    RtlAreBitsSet
    NtQueueApcThread
    NtYieldExecution
    RtlRegisterWait
    RtlDeregisterWait
    RtlDeregisterWaitEx
    RtlQueueWorkItem
    RtlSetIoCompletionCallback
    RtlCreateTimerQueue
    RtlCreateTimer
    RtlUpdateTimer
    RtlDeleteTimer
    RtlDeleteTimerQueueEx
    CsrIdentifyAlertableThread
    RtlApplicationVerifierStop
    _alloca_probe
    RtlDestroyQueryDebugBuffer
    RtlQueryProcessDebugInformation
    RtlCreateQueryDebugBuffer
    RtlCreateEnvironment
    RtlFreeOemString
    strstr
    toupper
    isdigit
    atol
    tolower
    NtOpenJobObject
    NtTerminateJobObject
    NtSetInformationJobObject
    RtlAddRefActivationContext
    RtlZombifyActivationContext
    RtlActivateActivationContext
    RtlDeactivateActivationContext
    RtlGetActiveActivationContext
    DbgPrintEx
    LdrDestroyOutOfProcessImage
    LdrAccessOutOfProcessResource
    LdrFindCreateProcessManifest
    LdrCreateOutOfProcessImage
    RtlNtStatusToDosErrorNoTeb
    RtlpApplyLengthFunction
    RtlGetLengthWithoutLastFullDosOrNtPathElement
    RtlpEnsureBufferSize
    RtlMultiAppendUnicodeStringBuffer
    _snwprintf
    RtlCreateActivationContext
    RtlFindActivationContextSectionString
    RtlFindActivationContextSectionGuid
    _allshl
    RtlNtPathNameToDosPathName
    RtlUnhandledExceptionFilter
    CsrCaptureMessageBuffer
    NtQueryInstallUILanguage
    NtQueryDefaultUILanguage
    wcspbrk
    RtlOpenCurrentUser
    RtlGetDaclSecurityDescriptor
    NtCreateDirectoryObject
    _wcslwr
    _wtol
    RtlIntegerToUnicodeString
    NtQueryDefaultLocale
    _strlwr
    RtlUnwind

Exports
-------
  Characteristics       = 0
  TimeDateStamp         = 44AB9AE0
  MajorVersion          = 0
  MinorVersion          = 0
  Name                  = KERNEL32.dll
  Base                  = 1
  NumberOfFunctions     = 3B5
  NumberOfNames         = 3B5
  AddressOfFunctions    = 2644
  AddressOfNames        = 3518
  AddressOfNameOrdinals = 43EC
    ActivateActCtx
    AddAtomA
    AddAtomW
    AddConsoleAliasA
    AddConsoleAliasW
    AddLocalAlternateComputerNameA
    AddLocalAlternateComputerNameW
    AddRefActCtx
    AddVectoredExceptionHandler
    AllocConsole
    AllocateUserPhysicalPages
    AreFileApisANSI
    AssignProcessToJobObject
    AttachConsole
    BackupRead
    BackupSeek
    BackupWrite
    BaseCheckAppcompatCache
    BaseCleanupAppcompatCache
    BaseCleanupAppcompatCacheSupport
    BaseDumpAppcompatCache
    BaseFlushAppcompatCache
    BaseInitAppcompatCache
    BaseInitAppcompatCacheSupport
    BaseProcessInitPostImport
    BaseQueryModuleData
    BaseUpdateAppcompatCache
    BasepCheckWinSaferRestrictions
    Beep
    BeginUpdateResourceA
    BeginUpdateResourceW
    BindIoCompletionCallback
    BuildCommDCBA
    BuildCommDCBAndTimeoutsA
    BuildCommDCBAndTimeoutsW
    BuildCommDCBW
    CallNamedPipeA
    CallNamedPipeW
    CancelDeviceWakeupRequest
    CancelIo
    CancelTimerQueueTimer
    CancelWaitableTimer
    ChangeTimerQueueTimer
    CheckNameLegalDOS8Dot3A
    CheckNameLegalDOS8Dot3W
    CheckRemoteDebuggerPresent
    ClearCommBreak
    ClearCommError
    CloseConsoleHandle
    CloseHandle
    CloseProfileUserMapping
    CmdBatNotification
    CommConfigDialogA
    CommConfigDialogW
    CompareFileTime
    CompareStringA
    CompareStringW
    ConnectNamedPipe
    ConsoleMenuControl
    ContinueDebugEvent
    ConvertDefaultLocale
    ConvertFiberToThread
    ConvertThreadToFiber
    CopyFileA
    CopyFileExA
    CopyFileExW
    CopyFileW
    CopyLZFile
    CreateActCtxA
    CreateActCtxW
    CreateConsoleScreenBuffer
    CreateDirectoryA
    CreateDirectoryExA
    CreateDirectoryExW
    CreateDirectoryW
    CreateEventA
    CreateEventW
    CreateFiber
    CreateFiberEx
    CreateFileA
    CreateFileMappingA
    CreateFileMappingW
    CreateFileW
    CreateHardLinkA
    CreateHardLinkW
    CreateIoCompletionPort
    CreateJobObjectA
    CreateJobObjectW
    CreateJobSet
    CreateMailslotA
    CreateMailslotW
    CreateMemoryResourceNotification
    CreateMutexA
    CreateMutexW
    CreateNamedPipeA
    CreateNamedPipeW
    CreateNlsSecurityDescriptor
    CreatePipe
    CreateProcessA
    CreateProcessInternalA
    CreateProcessInternalW
    CreateProcessInternalWSecure
    CreateProcessW
    CreateRemoteThread
    CreateSemaphoreA
    CreateSemaphoreW
    CreateSocketHandle
    CreateTapePartition
    CreateThread
    CreateTimerQueue
    CreateTimerQueueTimer
    CreateToolhelp32Snapshot
    CreateVirtualBuffer
    CreateWaitableTimerA
    CreateWaitableTimerW
    DeactivateActCtx
    DebugActiveProcess
    DebugActiveProcessStop
    DebugBreak
    DebugBreakProcess
    DebugSetProcessKillOnExit
    DecodePointer
    DecodeSystemPointer
    DefineDosDeviceA
    DefineDosDeviceW
    DelayLoadFailureHook
    DeleteAtom
    DeleteCriticalSection
    DeleteFiber
    DeleteFileA
    DeleteFileW
    DeleteTimerQueue
    DeleteTimerQueueEx
    DeleteTimerQueueTimer
    DeleteVolumeMountPointA
    DeleteVolumeMountPointW
    DeviceIoControl
    DisableThreadLibraryCalls
    DisconnectNamedPipe
    DnsHostnameToComputerNameA
    DnsHostnameToComputerNameW
    DosDateTimeToFileTime
    DosPathToSessionPathA
    DosPathToSessionPathW
    DuplicateConsoleHandle
    DuplicateHandle
    EncodePointer
    EncodeSystemPointer
    EndUpdateResourceA
    EndUpdateResourceW
    EnterCriticalSection
    EnumCalendarInfoA
    EnumCalendarInfoExA
    EnumCalendarInfoExW
    EnumCalendarInfoW
    EnumDateFormatsA
    EnumDateFormatsExA
    EnumDateFormatsExW
    EnumDateFormatsW
    EnumLanguageGroupLocalesA
    EnumLanguageGroupLocalesW
    EnumResourceLanguagesA
    EnumResourceLanguagesW
    EnumResourceNamesA
    EnumResourceNamesW
    EnumResourceTypesA
    EnumResourceTypesW
    EnumSystemCodePagesA
    EnumSystemCodePagesW
    EnumSystemGeoID
    EnumSystemLanguageGroupsA
    EnumSystemLanguageGroupsW
    EnumSystemLocalesA
    EnumSystemLocalesW
    EnumTimeFormatsA
    EnumTimeFormatsW
    EnumUILanguagesA
    EnumUILanguagesW
    EnumerateLocalComputerNamesA
    EnumerateLocalComputerNamesW
    EraseTape
    EscapeCommFunction
    ExitProcess
    ExitThread
    ExitVDM
    ExpandEnvironmentStringsA
    ExpandEnvironmentStringsW
    ExpungeConsoleCommandHistoryA
    ExpungeConsoleCommandHistoryW
    ExtendVirtualBuffer
    FatalAppExitA
    FatalAppExitW
    FatalExit
    FileTimeToDosDateTime
    FileTimeToLocalFileTime
    FileTimeToSystemTime
    FillConsoleOutputAttribute
    FillConsoleOutputCharacterA
    FillConsoleOutputCharacterW
    FindActCtxSectionGuid
    FindActCtxSectionStringA
    FindActCtxSectionStringW
    FindAtomA
    FindAtomW
    FindClose
    FindCloseChangeNotification
    FindFirstChangeNotificationA
    FindFirstChangeNotificationW
    FindFirstFileA
    FindFirstFileExA
    FindFirstFileExW
    FindFirstFileW
    FindFirstVolumeA
    FindFirstVolumeMountPointA
    FindFirstVolumeMountPointW
    FindFirstVolumeW
    FindNextChangeNotification
    FindNextFileA
    FindNextFileW
    FindNextVolumeA
    FindNextVolumeMountPointA
    FindNextVolumeMountPointW
    FindNextVolumeW
    FindResourceA
    FindResourceExA
    FindResourceExW
    FindResourceW
    FindVolumeClose
    FindVolumeMountPointClose
    FlushConsoleInputBuffer
    FlushFileBuffers
    FlushInstructionCache
    FlushViewOfFile
    FoldStringA
    FoldStringW
    FormatMessageA
    FormatMessageW
    FreeConsole
    FreeEnvironmentStringsA
    FreeEnvironmentStringsW
    FreeLibrary
    FreeLibraryAndExitThread
    FreeResource
    FreeUserPhysicalPages
    FreeVirtualBuffer
    GenerateConsoleCtrlEvent
    GetACP
    GetAtomNameA
    GetAtomNameW
    GetBinaryType
    GetBinaryTypeA
    GetBinaryTypeW
    GetCPFileNameFromRegistry
    GetCPInfo
    GetCPInfoExA
    GetCPInfoExW
    GetCalendarInfoA
    GetCalendarInfoW
    GetComPlusPackageInstallStatus
    GetCommConfig
    GetCommMask
    GetCommModemStatus
    GetCommProperties
    GetCommState
    GetCommTimeouts
    GetCommandLineA
    GetCommandLineW
    GetCompressedFileSizeA
    GetCompressedFileSizeW
    GetComputerNameA
    GetComputerNameExA
    GetComputerNameExW
    GetComputerNameW
    GetConsoleAliasA
    GetConsoleAliasExesA
    GetConsoleAliasExesLengthA
    GetConsoleAliasExesLengthW
    GetConsoleAliasExesW
    GetConsoleAliasW
    GetConsoleAliasesA
    GetConsoleAliasesLengthA
    GetConsoleAliasesLengthW
    GetConsoleAliasesW
    GetConsoleCP
    GetConsoleCharType
    GetConsoleCommandHistoryA
    GetConsoleCommandHistoryLengthA
    GetConsoleCommandHistoryLengthW
    GetConsoleCommandHistoryW
    GetConsoleCursorInfo
    GetConsoleCursorMode
    GetConsoleDisplayMode
    GetConsoleFontInfo
    GetConsoleFontSize
    GetConsoleHardwareState
    GetConsoleInputExeNameA
    GetConsoleInputExeNameW
    GetConsoleInputWaitHandle
    GetConsoleKeyboardLayoutNameA
    GetConsoleKeyboardLayoutNameW
    GetConsoleMode
    GetConsoleNlsMode
    GetConsoleOutputCP
    GetConsoleProcessList
    GetConsoleScreenBufferInfo
    GetConsoleSelectionInfo
    GetConsoleTitleA
    GetConsoleTitleW
    GetConsoleWindow
    GetCurrencyFormatA
    GetCurrencyFormatW
    GetCurrentActCtx
    GetCurrentConsoleFont
    GetCurrentDirectoryA
    GetCurrentDirectoryW
    GetCurrentProcess
    GetCurrentProcessId
    GetCurrentThread
    GetCurrentThreadId
    GetDateFormatA
    GetDateFormatW
    GetDefaultCommConfigA
    GetDefaultCommConfigW
    GetDefaultSortkeySize
    GetDevicePowerState
    GetDiskFreeSpaceA
    GetDiskFreeSpaceExA
    GetDiskFreeSpaceExW
    GetDiskFreeSpaceW
    GetDllDirectoryA
    GetDllDirectoryW
    GetDriveTypeA
    GetDriveTypeW
    GetEnvironmentStrings
    GetEnvironmentStringsA
    GetEnvironmentStringsW
    GetEnvironmentVariableA
    GetEnvironmentVariableW
    GetExitCodeProcess
    GetExitCodeThread
    GetExpandedNameA
    GetExpandedNameW
    GetFileAttributesA
    GetFileAttributesExA
    GetFileAttributesExW
    GetFileAttributesW
    GetFileInformationByHandle
    GetFileSize
    GetFileSizeEx
    GetFileTime
    GetFileType
    GetFirmwareEnvironmentVariableA
    GetFirmwareEnvironmentVariableW
    GetFullPathNameA
    GetFullPathNameW
    GetGeoInfoA
    GetGeoInfoW
    GetHandleContext
    GetHandleInformation
    GetLargestConsoleWindowSize
    GetLastError
    GetLinguistLangSize
    GetLocalTime
    GetLocaleInfoA
    GetLocaleInfoW
    GetLogicalDriveStringsA
    GetLogicalDriveStringsW
    GetLogicalDrives
    GetLongPathNameA
    GetLongPathNameW
    GetMailslotInfo
    GetModuleFileNameA
    GetModuleFileNameW
    GetModuleHandleA
    GetModuleHandleExA
    GetModuleHandleExW
    GetModuleHandleW
    GetNamedPipeHandleStateA
    GetNamedPipeHandleStateW
    GetNamedPipeInfo
    GetNativeSystemInfo
    GetNextVDMCommand
    GetNlsSectionName
    GetNumaAvailableMemory
    GetNumaAvailableMemoryNode
    GetNumaHighestNodeNumber
    GetNumaNodeProcessorMask
    GetNumaProcessorMap
    GetNumaProcessorNode
    GetNumberFormatA
    GetNumberFormatW
    GetNumberOfConsoleFonts
    GetNumberOfConsoleInputEvents
    GetNumberOfConsoleMouseButtons
    GetOEMCP
    GetOverlappedResult
    GetPriorityClass
    GetPrivateProfileIntA
    GetPrivateProfileIntW
    GetPrivateProfileSectionA
    GetPrivateProfileSectionNamesA
    GetPrivateProfileSectionNamesW
    GetPrivateProfileSectionW
    GetPrivateProfileStringA
    GetPrivateProfileStringW
    GetPrivateProfileStructA
    GetPrivateProfileStructW
    GetProcAddress
    GetProcessAffinityMask
    GetProcessHandleCount
    GetProcessHeap
    GetProcessHeaps
    GetProcessId
    GetProcessIoCounters
    GetProcessPriorityBoost
    GetProcessShutdownParameters
    GetProcessTimes
    GetProcessVersion
    GetProcessWorkingSetSize
    GetProfileIntA
    GetProfileIntW
    GetProfileSectionA
    GetProfileSectionW
    GetProfileStringA
    GetProfileStringW
    GetQueuedCompletionStatus
    GetShortPathNameA
    GetShortPathNameW
    GetStartupInfoA
    GetStartupInfoW
    GetStdHandle
    GetStringTypeA
    GetStringTypeExA
    GetStringTypeExW
    GetStringTypeW
    GetSystemDefaultLCID
    GetSystemDefaultLangID
    GetSystemDefaultUILanguage
    GetSystemDirectoryA
    GetSystemDirectoryW
    GetSystemInfo
    GetSystemPowerStatus
    GetSystemRegistryQuota
    GetSystemTime
    GetSystemTimeAdjustment
    GetSystemTimeAsFileTime
    GetSystemTimes
    GetSystemWindowsDirectoryA
    GetSystemWindowsDirectoryW
    GetSystemWow64DirectoryA
    GetSystemWow64DirectoryW
    GetTapeParameters
    GetTapePosition
    GetTapeStatus
    GetTempFileNameA
    GetTempFileNameW
    GetTempPathA
    GetTempPathW
    GetThreadContext
    GetThreadIOPendingFlag
    GetThreadLocale
    GetThreadPriority
    GetThreadPriorityBoost
    GetThreadSelectorEntry
    GetThreadTimes
    GetTickCount
    GetTimeFormatA
    GetTimeFormatW
    GetTimeZoneInformation
    GetUserDefaultLCID
    GetUserDefaultLangID
    GetUserDefaultUILanguage
    GetUserGeoID
    GetVDMCurrentDirectories
    GetVersion
    GetVersionExA
    GetVersionExW
    GetVolumeInformationA
    GetVolumeInformationW
    GetVolumeNameForVolumeMountPointA
    GetVolumeNameForVolumeMountPointW
    GetVolumePathNameA
    GetVolumePathNameW
    GetVolumePathNamesForVolumeNameA
    GetVolumePathNamesForVolumeNameW
    GetWindowsDirectoryA
    GetWindowsDirectoryW
    GetWriteWatch
    GlobalAddAtomA
    GlobalAddAtomW
    GlobalAlloc
    GlobalCompact
    GlobalDeleteAtom
    GlobalFindAtomA
    GlobalFindAtomW
    GlobalFix
    GlobalFlags
    GlobalFree
    GlobalGetAtomNameA
    GlobalGetAtomNameW
    GlobalHandle
    GlobalLock
    GlobalMemoryStatus
    GlobalMemoryStatusEx
    GlobalReAlloc
    GlobalSize
    GlobalUnWire
    GlobalUnfix
    GlobalUnlock
    GlobalWire
    Heap32First
    Heap32ListFirst
    Heap32ListNext
    Heap32Next
    HeapAlloc
    HeapCompact
    HeapCreate
    HeapCreateTagsW
    HeapDestroy
    HeapExtend
    HeapFree
    HeapLock
    HeapQueryInformation
    HeapQueryTagW
    HeapReAlloc
    HeapSetInformation
    HeapSize
    HeapSummary
    HeapUnlock
    HeapUsage
    HeapValidate
    HeapWalk
    InitAtomTable
    InitializeCriticalSection
    InitializeCriticalSectionAndSpinCount
    InitializeSListHead
    InterlockedCompareExchange
    InterlockedDecrement
    InterlockedExchange
    InterlockedExchangeAdd
    InterlockedFlushSList
    InterlockedIncrement
    InterlockedPopEntrySList
    InterlockedPushEntrySList
    InvalidateConsoleDIBits
    IsBadCodePtr
    IsBadHugeReadPtr
    IsBadHugeWritePtr
    IsBadReadPtr
    IsBadStringPtrA
    IsBadStringPtrW
    IsBadWritePtr
    IsDBCSLeadByte
    IsDBCSLeadByteEx
    IsDebuggerPresent
    IsProcessInJob
    IsProcessorFeaturePresent
    IsSystemResumeAutomatic
    IsValidCodePage
    IsValidLanguageGroup
    IsValidLocale
    IsValidUILanguage
    IsWow64Process
    LCMapStringA
    LCMapStringW
    LZClose
    LZCloseFile
    LZCopy
    LZCreateFileW
    LZDone
    LZInit
    LZOpenFileA
    LZOpenFileW
    LZRead
    LZSeek
    LZStart
    LeaveCriticalSection
    LoadLibraryA
    LoadLibraryExA
    LoadLibraryExW
    LoadLibraryW
    LoadModule
    LoadResource
    LocalAlloc
    LocalCompact
    LocalFileTimeToFileTime
    LocalFlags
    LocalFree
    LocalHandle
    LocalLock
    LocalReAlloc
    LocalShrink
    LocalSize
    LocalUnlock
    LockFile
    LockFileEx
    LockResource
    MapUserPhysicalPages
    MapUserPhysicalPagesScatter
    MapViewOfFile
    MapViewOfFileEx
    Module32First
    Module32FirstW
    Module32Next
    Module32NextW
    MoveFileA
    MoveFileExA
    MoveFileExW
    MoveFileW
    MoveFileWithProgressA
    MoveFileWithProgressW
    MulDiv
    MultiByteToWideChar
    NlsConvertIntegerToString
    NlsGetCacheUpdateCount
    NlsResetProcessLocale
    NumaVirtualQueryNode
    OpenConsoleW
    OpenDataFile
    OpenEventA
    OpenEventW
    OpenFile
    OpenFileMappingA
    OpenFileMappingW
    OpenJobObjectA
    OpenJobObjectW
    OpenMutexA
    OpenMutexW
    OpenProcess
    OpenProfileUserMapping
    OpenSemaphoreA
    OpenSemaphoreW
    OpenThread
    OpenWaitableTimerA
    OpenWaitableTimerW
    OutputDebugStringA
    OutputDebugStringW
    PeekConsoleInputA
    PeekConsoleInputW
    PeekNamedPipe
    PostQueuedCompletionStatus
    PrepareTape
    PrivCopyFileExW
    PrivMoveFileIdentityW
    Process32First
    Process32FirstW
    Process32Next
    Process32NextW
    ProcessIdToSessionId
    PulseEvent
    PurgeComm
    QueryActCtxW
    QueryDepthSList
    QueryDosDeviceA
    QueryDosDeviceW
    QueryInformationJobObject
    QueryMemoryResourceNotification
    QueryPerformanceCounter
    QueryPerformanceFrequency
    QueryWin31IniFilesMappedToRegistry
    QueueUserAPC
    QueueUserWorkItem
    RaiseException
    ReadConsoleA
    ReadConsoleInputA
    ReadConsoleInputExA
    ReadConsoleInputExW
    ReadConsoleInputW
    ReadConsoleOutputA
    ReadConsoleOutputAttribute
    ReadConsoleOutputCharacterA
    ReadConsoleOutputCharacterW
    ReadConsoleOutputW
    ReadConsoleW
    ReadDirectoryChangesW
    ReadFile
    ReadFileEx
    ReadFileScatter
    ReadProcessMemory
    RegisterConsoleIME
    RegisterConsoleOS2
    RegisterConsoleVDM
    RegisterWaitForInputIdle
    RegisterWaitForSingleObject
    RegisterWaitForSingleObjectEx
    RegisterWowBaseHandlers
    RegisterWowExec
    ReleaseActCtx
    ReleaseMutex
    ReleaseSemaphore
    RemoveDirectoryA
    RemoveDirectoryW
    RemoveLocalAlternateComputerNameA
    RemoveLocalAlternateComputerNameW
    RemoveVectoredExceptionHandler
    ReplaceFile
    ReplaceFileA
    ReplaceFileW
    RequestDeviceWakeup
    RequestWakeupLatency
    ResetEvent
    ResetWriteWatch
    RestoreLastError
    ResumeThread
    RtlCaptureContext
    RtlCaptureStackBackTrace
    RtlFillMemory
    RtlMoveMemory
    RtlUnwind
    RtlZeroMemory
    ScrollConsoleScreenBufferA
    ScrollConsoleScreenBufferW
    SearchPathA
    SearchPathW
    SetCPGlobal
    SetCalendarInfoA
    SetCalendarInfoW
    SetClientTimeZoneInformation
    SetComPlusPackageInstallStatus
    SetCommBreak
    SetCommConfig
    SetCommMask
    SetCommState
    SetCommTimeouts
    SetComputerNameA
    SetComputerNameExA
    SetComputerNameExW
    SetComputerNameW
    SetConsoleActiveScreenBuffer
    SetConsoleCP
    SetConsoleCommandHistoryMode
    SetConsoleCtrlHandler
    SetConsoleCursor
    SetConsoleCursorInfo
    SetConsoleCursorMode
    SetConsoleCursorPosition
    SetConsoleDisplayMode
    SetConsoleFont
    SetConsoleHardwareState
    SetConsoleIcon
    SetConsoleInputExeNameA
    SetConsoleInputExeNameW
    SetConsoleKeyShortcuts
    SetConsoleLocalEUDC
    SetConsoleMaximumWindowSize
    SetConsoleMenuClose
    SetConsoleMode
    SetConsoleNlsMode
    SetConsoleNumberOfCommandsA
    SetConsoleNumberOfCommandsW
    SetConsoleOS2OemFormat
    SetConsoleOutputCP
    SetConsolePalette
    SetConsoleScreenBufferSize
    SetConsoleTextAttribute
    SetConsoleTitleA
    SetConsoleTitleW
    SetConsoleWindowInfo
    SetCriticalSectionSpinCount
    SetCurrentDirectoryA
    SetCurrentDirectoryW
    SetDefaultCommConfigA
    SetDefaultCommConfigW
    SetDllDirectoryA
    SetDllDirectoryW
    SetEndOfFile
    SetEnvironmentVariableA
    SetEnvironmentVariableW
    SetErrorMode
    SetEvent
    SetFileApisToANSI
    SetFileApisToOEM
    SetFileAttributesA
    SetFileAttributesW
    SetFilePointer
    SetFilePointerEx
    SetFileShortNameA
    SetFileShortNameW
    SetFileTime
    SetFileValidData
    SetFirmwareEnvironmentVariableA
    SetFirmwareEnvironmentVariableW
    SetHandleContext
    SetHandleCount
    SetHandleInformation
    SetInformationJobObject
    SetLastConsoleEventActive
    SetLastError
    SetLocalPrimaryComputerNameA
    SetLocalPrimaryComputerNameW
    SetLocalTime
    SetLocaleInfoA
    SetLocaleInfoW
    SetMailslotInfo
    SetMessageWaitingIndicator
    SetNamedPipeHandleState
    SetPriorityClass
    SetProcessAffinityMask
    SetProcessPriorityBoost
    SetProcessShutdownParameters
    SetProcessWorkingSetSize
    SetStdHandle
    SetSystemPowerState
    SetSystemTime
    SetSystemTimeAdjustment
    SetTapeParameters
    SetTapePosition
    SetTermsrvAppInstallMode
    SetThreadAffinityMask
    SetThreadContext
    SetThreadExecutionState
    SetThreadIdealProcessor
    SetThreadLocale
    SetThreadPriority
    SetThreadPriorityBoost
    SetThreadUILanguage
    SetTimeZoneInformation
    SetTimerQueueTimer
    SetUnhandledExceptionFilter
    SetUserGeoID
    SetVDMCurrentDirectories
    SetVolumeLabelA
    SetVolumeLabelW
    SetVolumeMountPointA
    SetVolumeMountPointW
    SetWaitableTimer
    SetupComm
    ShowConsoleCursor
    SignalObjectAndWait
    SizeofResource
    Sleep
    SleepEx
    SuspendThread
    SwitchToFiber
    SwitchToThread
    SystemTimeToFileTime
    SystemTimeToTzSpecificLocalTime
    TerminateJobObject
    TerminateProcess
    TerminateThread
    TermsrvAppInstallMode
    Thread32First
    Thread32Next
    TlsAlloc
    TlsFree
    TlsGetValue
    TlsSetValue
    Toolhelp32ReadProcessMemory
    TransactNamedPipe
    TransmitCommChar
    TrimVirtualBuffer
    TryEnterCriticalSection
    TzSpecificLocalTimeToSystemTime
    UTRegister
    UTUnRegister
    UnhandledExceptionFilter
    UnlockFile
    UnlockFileEx
    UnmapViewOfFile
    UnregisterConsoleIME
    UnregisterWait
    UnregisterWaitEx
    UpdateResourceA
    UpdateResourceW
    VDMConsoleOperation
    VDMOperationStarted
    ValidateLCType
    ValidateLocale
    VerLanguageNameA
    VerLanguageNameW
    VerSetConditionMask
    VerifyConsoleIoHandle
    VerifyVersionInfoA
    VerifyVersionInfoW
    VirtualAlloc
    VirtualAllocEx
    VirtualBufferExceptionHandler
    VirtualFree
    VirtualFreeEx
    VirtualLock
    VirtualProtect
    VirtualProtectEx
    VirtualQuery
    VirtualQueryEx
    VirtualUnlock
    WTSGetActiveConsoleSessionId
    WaitCommEvent
    WaitForDebugEvent
    WaitForMultipleObjects
    WaitForMultipleObjectsEx
    WaitForSingleObject
    WaitForSingleObjectEx
    WaitNamedPipeA
    WaitNamedPipeW
    WideCharToMultiByte
    WinExec
    WriteConsoleA
    WriteConsoleInputA
    WriteConsoleInputVDMA
    WriteConsoleInputVDMW
    WriteConsoleInputW
    WriteConsoleOutputA
    WriteConsoleOutputAttribute
    WriteConsoleOutputCharacterA
    WriteConsoleOutputCharacterW
    WriteConsoleOutputW
    WriteConsoleW
    WriteFile
    WriteFileEx
    WriteFileGather
    WritePrivateProfileSectionA
    WritePrivateProfileSectionW
    WritePrivateProfileStringA
    WritePrivateProfileStringW
    WritePrivateProfileStructA
    WritePrivateProfileStructW
    WriteProcessMemory
    WriteProfileSectionA
    WriteProfileSectionW
    WriteProfileStringA
    WriteProfileStringW
    WriteTapemark
    ZombifyActCtx
    _hread
    _hwrite
    _lclose
    _lcreat
    _llseek
    _lopen
    _lread
    _lwrite
    lstrcat
    lstrcatA
    lstrcatW
    lstrcmp
    lstrcmpA
    lstrcmpW
    lstrcmpi
    lstrcmpiA
    lstrcmpiW
    lstrcpy
    lstrcpyA
    lstrcpyW
    lstrcpyn
    lstrcpynA
    lstrcpynW
    lstrlen
    lstrlenA
    lstrlenW
The result was:

Code: Select all

NumberOfRvaAndSizes   = 7
In SPEDump it is defined like this:

Code: Select all

Const
  SPE_DIRECTORY_IMPORT    = 0;
  SPE_DIRECTORY_EXPORT    = 1;
  SPE_DIRECTORY_BASERELOC = 2;

  SPE_MAX_DIRECTORY_ENTRIES = SPE_DIRECTORY_BASERELOC;

Type
  TDataDirectory = Packed Record
    VirtualAddress: Dword;
    Size:           Dword;
  End;

  PDataDirectory = ^TDataDirectory;

  TDataDirectoryArray = Packed Array[0..SPE_MAX_DIRECTORY_ENTRIES] Of TDataDirectory;

  PDataDirectoryArray = ^TDataDirectoryArray;
In const.inc, too, only these are defined:

Code: Select all

  SPE_DIRECTORY_IMPORT    = 0
  SPE_DIRECTORY_EXPORT    = 1
  SPE_DIRECTORY_BASERELOC = 2
but pestrip.asm has these constants:

Code: Select all

  IMAGE_DIRECTORY_ENTRY_EXPORT = 0
  IMAGE_DIRECTORY_ENTRY_IMPORT = 1
  IMAGE_DIRECTORY_ENTRY_RESOURCE = 2
  IMAGE_DIRECTORY_ENTRY_EXCEPTION = 3
  IMAGE_DIRECTORY_ENTRY_BASERELOC = 5
  IMAGE_DIRECTORY_ENTRY_TLS = 9
  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT = 11
There are exactly 7 of them, so presumably all of these data directories of interest are preserved as well, probably in this order (judging by the code):
  • IMPORT, EXPORT, BASERELOC, EXCEPTION, TLS, BOUND_IMPORT, RESOURCE
There is no specification, unfortunately.
Nevertheless, this does not affect the correctness of SPEDump: the data is still printed correctly, since the offset is computed precisely with NumberOfRvaAndSizes taken into account, namely:

Code: Select all

StrippedSectionHeader := PStrippedSectionHeader(Dword(StrippedPEHeader) + SizeOf(TStrippedPEHeader) + NumberOfRvaAndSizes * SizeOf(TDataDirectory));
SPEDump.7z (28.36 KiB)
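As an added example (not code from SPEDump, pestrip.asm or the KolibriOS kernel), a small C parser for the STRIPPED_PE_HEADER layout above that computes the section-header offset with the same arithmetic as the SPEDump line, and rejects a file that is too short to hold the header and its NumberOfRvaAndSizes directories before any offset is used. The byte sample is constructed, and the field and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#define SPE_SIGNATURE      0x4503u  /* 'PE' xor 'S' */
#define SPE_HEADER_SIZE    36u      /* sizeof(STRIPPED_PE_HEADER) */
#define SPE_DIRECTORY_SIZE 8u       /* one IMAGE_DATA_DIRECTORY: VirtualAddress + Size */

typedef struct {
    uint16_t signature;
    uint32_t entry_point, image_base;
    uint8_t  num_rva_and_sizes;
    uint16_t num_sections;
    size_t   section_table_off;  /* file offset of the first section header */
} spe_header;
/* Little-endian readers, so the parser does not depend on host struct layout. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Parse the fixed header of an in-memory Stripped PE image. Returns 0 on
   success, -1 if the buffer is too short, the signature is wrong, or the
   NumberOfRvaAndSizes directories would run past the end of the buffer. */
int spe_parse(const uint8_t *buf, size_t len, spe_header *h)
{
    if (len < SPE_HEADER_SIZE || rd16(buf) != SPE_SIGNATURE) return -1;
    h->signature         = rd16(buf);
    h->entry_point       = rd32(buf + 4);
    h->image_base        = rd32(buf + 8);
    h->num_rva_and_sizes = buf[33];       /* byte 32 is Subsystem */
    h->num_sections      = rd16(buf + 34);
    /* Same arithmetic as the SPEDump line above: section headers follow the
       fixed header and NumberOfRvaAndSizes entries of 8 bytes each. */
    h->section_table_off = SPE_HEADER_SIZE + (size_t)h->num_rva_and_sizes * SPE_DIRECTORY_SIZE;
    return h->section_table_off <= len ? 0 : -1;
}

/* Constructed sample, not a real KolibriOS binary: 36-byte header + 7 zeroed directories. */
static const uint8_t sample_spe[92] = {
    0x03, 0x45,             /* Signature 0x4503 (little-endian) */
    0x02, 0x21,             /* Characteristics */
    0x00, 0x10, 0x00, 0x00, /* AddressOfEntryPoint = 0x1000 */
    0x00, 0x00, 0x00, 0x00, /* ImageBase */
    0x0C, 0x09, 0x05, 0x00, /* SectionAlignmentLog, FileAlignmentLog, OS version */
    0x00, 0x30, 0x00, 0x00, /* SizeOfImage */
    0x00, 0x00, 0x10, 0x00, /* SizeOfStackReserve */
    0x00, 0x00, 0x10, 0x00, /* SizeOfHeapReserve */
    0x00, 0x02, 0x00, 0x00, /* SizeOfHeaders */
    0x01, 0x07,             /* Subsystem, NumberOfRvaAndSizes = 7 */
    0x03, 0x00,             /* NumberOfSections = 3; the remaining 56 bytes stay zero */
};

/* Parse the first `len` bytes of the sample; returns the section-table offset
   (92 for the full sample), or 0 when spe_parse rejects the truncated input. */
size_t spe_sample_section_offset(size_t len)
{
    spe_header h;
    if (len > sizeof sample_spe) len = sizeof sample_spe;
    return spe_parse(sample_spe, len, &h) == 0 ? h.section_table_off : 0;
}
```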

Re: Stripped PE Dumper

Posted: Sat Sep 01, 2018 5:42 pm
by theonlymirage
There is also a definition in the file \programs\system\os\pe.inc; peloader.inc, with comments, is in the same place. I think the latter is what you need...
0CodErr wrote: There is no specification, unfortunately.
The specification is the Portable Executable format. Useful links: Here is how I see the situation (I am 100% wrong somewhere): someone wanted to implement a good mouse driver -> this created a need for PE format support -> implementation of the PE format began, COFF was used -> implementing full PE support is costly, and there was no need for it (it was planned to be used only for drivers and nobody wanted to increase the size, so everything unnecessary was cut out). Then the drivers moved to what came out of that, and it worked successfully, but it was not full PE support and it needed to be called something. And having decided it would be "Stripped", clevermouse did something very elegant with the signature:

Code: Select all

dw      'PE' xor 'S'

Re: Stripped PE Dumper

Posted: Sat Sep 01, 2018 7:13 pm
by 0CodErr
theonlymirage wrote: There is also a definition in the file \programs\system\os\pe.inc; peloader.inc, with comments, is in the same place.
Yes, there is more useful information there.
Well, I know about Microsoft PE myself. In the CoffDump thread http://board.kolibrios.org/viewtopic.php?f=9&t=3577 the very first post contains pecoff.pdf, the specification from 2017.
What I am interested in is specifically the Stripped PE specification.
Source code that works with Stripped PE cannot be considered a specification; it merely performs a particular task, nothing more.
It is unclear which features are supported and which are not.
Perhaps there are additional features that the existing code does not handle, but they matter too.
The specification must be concrete, since Microsoft PE also gets changes from time to time.

IMHO, one of the downsides is that to get a Stripped PE you first have to produce a Microsoft PE.
theonlymirage wrote: implementing full PE support is costly
I would say implementing support for anything at all is costly :)
In general, I am in favour of developing and advancing tools that are needed and convenient specifically in this particular OS.

And support, the format and library loading have already been discussed, for example, here

Re: Stripped PE Dumper

Posted: Wed Aug 17, 2022 2:55 am
by Valery
I have a C version of this program:
spedump.kex (2.38 KiB)
Sources:
spedump.7z (12.17 KiB)
Demo video: https://drive.google.com/file/d/1uE0wp ... sp=sharing

Is it worth developing this further (in the spirit of cObj: cSpe)?

Re: Stripped PE Dumper

Posted: Thu Aug 25, 2022 9:49 am
by Valery
If the new system call <68.27> is used, the file size can be reduced significantly:
cSpe.kex (1.5 KiB)
Sources:
Demo video:
https://drive.google.com/file/d/1yvvsEC ... sp=sharing