Uwe Bonnes wrote:
e.g. with the MFC libraries the snoop option crashes quite often, while without snoop the program proceeds some more. Digging deeper for the crash in msdev.exe, I saw that a library has exported DATA entries mixed into the code segment. Our snoop loader only checks for DATA entries in the PE DATA section and so happily overwrites data. It seems that most exported DATA entries have a decorated name ending in @A or @B and by handling entries with that ending as DATA, the crash with msdev.exe happens at the same place with or without snoop.
Appended patch does this hacky search for DATA entries.
However, I would like to ask if there are other methods of distinguishing DATA and function references? Could the PE loader perhaps know? Or can we perhaps protect our snoop entries from being read as data and catch those exceptions? Any other idea?
For what it's worth, I reverse-engineered and documented the name decoration scheme used by Microsoft in 1999. My doc is at http://www.kegel.com/mangle.html You should probably not check for the @, as that's not always there. (I think a global variable int g; might have a decorated name ?g@3HA but don't quote me on that.)
The trailing A or B should be reliable. A trailing C indicates a const; maybe you should check for that, too (you'd know better than me). You may want to use presence of a '?' to detect a mangled name, tho. e.g.
if ((name[0] == '?') && ((name[len-1] == 'A') || (name[len-1] == 'B')))
(I have no idea if that's right, it's been two years since I touched this.) - Dan
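The two checks discussed in this thread (is the export in a non-code section, and does its decorated name end in A or B) combined into one decision, as an added example that is not the patch from the thread nor Wine's snoop code; the function names, the section-flag values (taken from the PE/COFF section characteristics) and the sample names are assumptions, and the name-suffix rule is the heuristic from the thread, not a specification.

```c
#include <string.h>
#include <stdint.h>

/* PE/COFF section characteristic bits (IMAGE_SCN_CNT_* in winnt.h). */
#define IMAGE_SCN_CNT_CODE             0x00000020u
#define IMAGE_SCN_CNT_INITIALIZED_DATA 0x00000040u

/* Thread heuristic: an MSVC-decorated name begins with '?', and a trailing
 * 'A' or 'B' marks a data object rather than a function. Undecorated names
 * are not classified here (they are left to the section check). */
int name_looks_like_data(const char *name)
{
    size_t len = strlen(name);
    char last;
    if (len < 2 || name[0] != '?') return 0;
    last = name[len - 1];
    return last == 'A' || last == 'B';
}

/* Section check: the export's section carries data and no code. */
int section_is_data(uint32_t characteristics)
{
    return !(characteristics & IMAGE_SCN_CNT_CODE) &&
           (characteristics & IMAGE_SCN_CNT_INITIALIZED_DATA) != 0;
}

/* 1 if a snoop thunk may replace this export, 0 if it must be left alone.
 * The name check catches data objects that the linker placed in a code
 * section, which the section check alone would miss. */
int export_is_hookable(const char *name, uint32_t section_characteristics)
{
    if (section_is_data(section_characteristics)) return 0;
    if (name_looks_like_data(name)) return 0;
    return 1;
}

/* Constructed samples: "?g@3HA" is the global-int example from the reply
 * above; the others are made up for illustration. */
int classify_samples(void)
{
    int hooked = 0;
    hooked += export_is_hookable("?g@3HA", 0x60000020u);      /* data in .text */
    hooked += export_is_hookable("?f@@YAXXZ", 0x60000020u);   /* function */
    hooked += export_is_hookable("SomeVar", 0x40000040u);     /* .data export */
    return hooked;
}
```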