def read_export_table(base): """An image file is mapped into memory at address 'base'. Read the export table and return a list of exported symbols. This example prints the first exported function names of the python dll: >>> import sys, pprint >>> read_export_table(sys.dllhandle)[:4] ['PyArg_Parse', 'PyArg_ParseTuple', 'PyArg_ParseTupleAndKeywords', 'PyArg_UnpackTuple'] >>> """ size = _imagehlp.c_ulong() ptr = _imagehlp.ImageDirectoryEntryToData( base, True, # MappedAsImage _imagehlp.IMAGE_DIRECTORY_ENTRY_EXPORT, # Index into Directory Entry size) export_dir = _imagehlp.IMAGE_EXPORT_DIRECTORY.from_address(ptr) pnt_headers = _imagehlp.ImageNtHeader(base) def rva2va(rva): # The image contains Relative Virtual Addresses, while we must # use Virtual Addresses in the mapped file. This function # converts RVA to VA. return _imagehlp.ImageRvaToVa(pnt_headers, base, rva, None) ## def dump(s): ## print s ## for name, typ in s._fields_: ## print name, getattr(s, name) ## dump(export_dir) ## dump(pnt_headers[0]) # export_dir.AddressOfNames is the RVA of an array. Each entry in the # array is an RVA pointing to an ASCIIZ string containing the export # name. The array is lexically sorted to allow binary search. va_ptr = rva2va(export_dir.AddressOfNames) result = [] for i in range(export_dir.NumberOfNames): rva = _imagehlp.c_int.from_address( va_ptr + _imagehlp.sizeof(_imagehlp.c_void_p) * i).value va = rva2va(rva) result.append(_imagehlp.string_at(va)) return result
def symbol_name(name, flags=UNDNAME_COMPLETE): """ Undecorates a decorated C++ symbol name. >>> symbol_name('?AfxGetResourceHandle@@YGPAUHINSTANCE__@@XZ') 'struct HINSTANCE__ * __stdcall AfxGetResourceHandle(void)' >>> >>> symbol_name('?DEREncode@AsymmetricAlgorithm@CryptoPP@@QBEXAAVBufferedTransformation@2@@Z') 'public: void __thiscall CryptoPP::AsymmetricAlgorithm::DEREncode(class CryptoPP::BufferedTransformation &)const ' >>> """ buf = _imagehlp.create_string_buffer(1000) res = _imagehlp.UnDecorateSymbolName(name, buf, _imagehlp.sizeof(buf), flags) if res: return buf[:res] raise _imagehlp.WinError()
def read_export_table(base): """An image file is mapped into memory at address 'base'. Read the export table and return a list of exported symbols. This example prints the first exported function names of the python dll: >>> import sys, pprint >>> read_export_table(sys.dllhandle)[:4] ['PyArg_Parse', 'PyArg_ParseTuple', 'PyArg_ParseTupleAndKeywords', 'PyArg_UnpackTuple'] >>> """ size = _imagehlp.c_ulong() ptr = _imagehlp.ImageDirectoryEntryToData(base, True, # MappedAsImage _imagehlp.IMAGE_DIRECTORY_ENTRY_EXPORT, # Index into Directory Entry size ) export_dir = _imagehlp.IMAGE_EXPORT_DIRECTORY.from_address(ptr) pnt_headers = _imagehlp.ImageNtHeader(base) def rva2va(rva): # The image contains Relative Virtual Addresses, while we must # use Virtual Addresses in the mapped file. This function # converts RVA to VA. return _imagehlp.ImageRvaToVa(pnt_headers, base, rva, None) ## def dump(s): ## print s ## for name, typ in s._fields_: ## print name, getattr(s, name) ## dump(export_dir) ## dump(pnt_headers[0]) # export_dir.AddressOfNames is the RVA of an array. Each entry in the # array is an RVA pointing to an ASCIIZ string containing the export # name. The array is lexically sorted to allow binary search. va_ptr = rva2va(export_dir.AddressOfNames) result = [] for i in range(export_dir.NumberOfNames): rva = _imagehlp.c_int.from_address(va_ptr + _imagehlp.sizeof(_imagehlp.c_void_p) * i).value va = rva2va(rva) result.append(_imagehlp.string_at(va)) return result