Added the Disassembler.

Author: BeneficialCode

WinArk/DisasmDlg.cpp

@@ -0,0 +1,107 @@
+#pragma once
+#include "resource.h"
+#include "HexEdit.h"
+#include "ApiReader.h"
+
+enum DisasmAddressType {
+	ADDRESS_TYPE_MODULE,
+	ADDRESS_TYPE_API,
+	ADDRESS_TYPE_SPECIAL
+};
+
+class DisasmAddressComment {
+public:
+	DWORD_PTR _address;
+	WCHAR _comment[512];
+	DisasmAddressType _type;
+	DWORD _moduleSize;
+
+	bool operator<(const DisasmAddressComment& rhs) {
+		return _address < rhs._address;
+	}
+};
+
+class CDisasmDlg :public CDialogImpl<CDisasmDlg>,
+	public CWinDataExchange<CDisasmDlg>, public CDialogResize<CDisasmDlg> {
+public:
+	enum {IDD = IDD_DISASSEMBLER};
+
+	CDisasmDlg(DWORD_PTR startAddress, ApiReader* _pApiReader);
+
+protected:
+	static const size_t DISASM_SIZE = 0x1000;
+	WCHAR _temp[512];
+	int _addressHistoryIndex = 0;
+
+	std::vector<DWORD_PTR> _addressHistories;
+	std::vector<DisasmAddressComment> _addressComments;
+
+	CListViewCtrl _ListDisassembler;
+	CHexEdit _address;
+
+	enum DisasmColumns {
+		Address = 0,
+		InstructionSize,
+		Opcodes,
+		Instruction,
+		Comment
+	};
+
+	CMenu _hMenuDisasm;
+
+	BOOL OnInitDialog(CWindow wndFocus, LPARAM lInitParam);
+	void OnContextMenu(CWindow wnd, CPoint point);
+	void OnExit(UINT uNotifyCode, int nID, CWindow wndCtl);
+	LRESULT OnNMCustomdraw(NMHDR* pnmh);
+	void OnDisassemble(UINT uNotifyCode, int nID, CWindow wndCtl);
+	void OnDisassembleBack(UINT uNotifyCode, int nID, CWindow wndCtl);
+	void OnDisassembleForward(UINT uNotifyCode, int nID, CWindow wndCtl);
+
+	void AddColumnsToDisassembler(CListViewCtrl& list);
+	bool DisplayDisassembly();
+
+	void CopyToClipboard(const WCHAR* pText);
+
+private:
+	ApiReader* _pApiReader = nullptr;
+	BYTE _data[DISASM_SIZE];
+
+	void ToUpperCase(WCHAR* pLowercase);
+	void DoColorInstruction(LPNMLVCUSTOMDRAW lpLVCustomDraw, DWORD_PTR itemIndex);
+	void FollowInstruction(int index);
+	bool GetDisassemblyComment(unsigned int index);
+
+	void DisassembleNewAddress(DWORD_PTR address);
+	void InitAddressCommentList();
+	void AddModuleAddressCommentEntry(DWORD_PTR address, DWORD moduleSize, const WCHAR* pModulePath);
+	void AnalyzeAddress(DWORD_PTR address, WCHAR* pComment);
+
+public:
+	BEGIN_DDX_MAP(CDisasmDlg)
+		DDX_CONTROL_HANDLE(IDC_LIST_DISASSEMBLER,_ListDisassembler)
+		DDX_CONTROL(IDC_DISASM_ADDRESS,_address)
+	END_DDX_MAP()
+
+	BEGIN_MSG_MAP(CDisasmDlg)
+		MSG_WM_INITDIALOG(OnInitDialog)
+		MSG_WM_CONTEXTMENU(OnContextMenu)
+
+		NOTIFY_HANDLER_EX(IDC_LIST_DISASSEMBLER,NM_CUSTOMDRAW,OnNMCustomdraw)
+
+		COMMAND_ID_HANDLER_EX(IDC_DISASM,OnDisassemble)
+		COMMAND_ID_HANDLER_EX(IDC_DISASM_BACK,OnDisassembleBack)
+		COMMAND_ID_HANDLER_EX(IDC_DISASM_FORWARD,OnDisassembleForward)
+		COMMAND_ID_HANDLER_EX(IDCANCEL,OnExit)
+		COMMAND_ID_HANDLER_EX(IDOK,OnExit)
+		CHAIN_MSG_MAP(CDialogResize<CDisasmDlg>)
+	END_MSG_MAP()
+
+	BEGIN_DLGRESIZE_MAP(CDisasmDlg)
+		DLGRESIZE_CONTROL(IDC_LIST_DISASSEMBLER, DLSZ_SIZE_X | DLSZ_SIZE_Y)
+		DLGRESIZE_CONTROL(IDC_DISASM, DLSZ_MOVE_X | DLSZ_MOVE_Y)
+		DLGRESIZE_CONTROL(IDC_DISASM_BACK, DLSZ_MOVE_X | DLSZ_MOVE_Y)
+		DLGRESIZE_CONTROL(IDC_DISASM_FORWARD, DLSZ_MOVE_X | DLSZ_MOVE_Y)
+		DLGRESIZE_CONTROL(IDC_DISASM_ADDRESS, DLSZ_MOVE_Y)
+		DLGRESIZE_CONTROL(IDC_DISASSEMBLE_ADDRESS, DLSZ_MOVE_Y)
+	END_DLGRESIZE_MAP()
+};

WinArk/DisasmDlg.h

@@ -1,9 +1,11 @@
 #pragma once
 
 
-class CHexEdit : public CWindowImpl<CHexEdit, CEdit>
+class CHexEdit : public CWindowImpl<CHexEdit, CEdit, CControlWinTraits>
 {
 public:
+	DECLARE_WND_CLASS(L"WTL_HexEdit")
+
 	static const short int _base = 16;
 	static const size_t _digits = sizeof(ULONG_PTR) * 2; // 2 digits/byte
 	static const size_t _strSize = _digits + 1;

WinArk/HexEdit.h

@@ -35,6 +35,36 @@ void ProcessAccessHelper::CloseProcessHandle() {
 	_pSelectedModule = nullptr;
 }
 
+DWORD ProcessAccessHelper::GetModuleHandlesFromProcess(const HANDLE hProcess, HMODULE** pphModues) {
+	DWORD count = 64;
+	DWORD needed = 0;
+	*pphModues = new HMODULE[count];
+	bool notEnough = true;
+
+	do
+	{
+		if (!EnumProcessModules(hProcess, *pphModues, count * sizeof(HMODULE), &needed)) {
+			delete[] * pphModues;
+			return 0;
+		}
+
+		if (count * sizeof(HMODULE) < needed) {
+			delete[] * pphModues;
+			count = needed / sizeof(HMODULE);
+			*pphModues = new HMODULE[count];
+		}
+		else {
+			notEnough = false;
+		}
+	} while (notEnough);
+
+	count = needed / sizeof(HMODULE);
+	if (count == 0) {
+		delete[] * pphModues;
+	}
+	return count;
+}
+
 #define PAGE_SIZE               (4096)
 
 bool ProcessAccessHelper::ReadMemoryFromProcess(DWORD_PTR address, SIZE_T size, LPVOID pData)

WinArk/ProcessAccessHelper.cpp

@@ -70,6 +70,7 @@ class ProcessAccessHelper {
 
 	static bool OpenProcessHandle(DWORD pid);
 	static void CloseProcessHandle();
+	static DWORD GetModuleHandlesFromProcess(const HANDLE hProcess, HMODULE** pphModues);
 
 	static bool GetProcessModules(HANDLE hProcess, std::vector<ModuleInfo>& moduleList);
 

WinArk/ProcessAccessHelper.h

@@ -5,6 +5,7 @@
 #include "IATSearcher.h"
 #include <PEParser.h>
 #include "ImportRebuilder.h"
+#include "DisasmDlg.h"
 
 
 CScyllaDlg::CScyllaDlg(const WinSys::ProcessManager& pm, ProcessInfoEx& px)
@@ -613,6 +614,9 @@ void CScyllaDlg::DisplayContextMenuImports(CWindow hwnd, CPoint pt) {
 				else
 					_importsHandling.InvalidateImport(over);
 				break;
+			case ID_IMPORTS_DISASSEMBLE:
+				StartDisassembler(over);
+				break;
 			case ID_EXPAND_ALL_NODES:
 				_importsHandling.ExpandAllTreeNodes();
 				break;
@@ -645,4 +649,29 @@ void CScyllaDlg::SetupImportsMenuItems(CTreeItem item) {
 	hSub.EnableMenuItem(ID_INVALIDATE, itemOnly);
 	hSub.EnableMenuItem(ID_CUT_THUNK, importOnly);
 	hSub.EnableMenuItem(ID_DELETE_TREE_NODE, itemOnly);
+}
+
+void CScyllaDlg::StartDisassembler(CTreeItem selectedTreeNode) {
+	DWORD_PTR address = _importsHandling.GetApiAddressByNode(selectedTreeNode);
+	if (address) {
+		BYTE test;
+		if (!ProcessAccessHelper::ReadMemoryFromProcess(address, sizeof(test), &test)) {
+			swprintf_s(_text, L"Can't read memory at " PRINTF_DWORD_PTR_FULL, address);
+			MessageBox(_text, L"Failure", MB_ICONERROR);
+		}
+		else {
+			CDisasmDlg disassembler(address, &_ApiReader);
+			disassembler.DoModal();
+		}
+	}
+}
+
+void CScyllaDlg::DisassemblerHandler() {
+	DWORD_PTR oep = _oepAddress.GetValue();
+	CDisasmDlg dlg(oep, &_ApiReader);
+	dlg.DoModal();
+}
+
+void CScyllaDlg::OnDisassembler(UINT uNotifyCode, int nID, CWindow wndCtl) {
+	DisassemblerHandler();
 }

WinArk/ScyllaDlg.cpp

@@ -49,6 +49,8 @@ class CScyllaDlg
 	void ShowInvalidImportsHandler();
 	void ShowSuspectImportsHandler();
 	void ClearImportsHandler();
+	void StartDisassembler(CTreeItem selectedTreeNode);
+	void DisassemblerHandler();
 
 	void OnInvalidImports(UINT uNotifyCode, int nID, CWindow wndCtl);
 	void OnSuspectImports(UINT uNotifyCode, int nID, CWindow wndCtl);
@@ -59,6 +61,7 @@ class CScyllaDlg
 	void OnDump(UINT uNotifyCode, int nID, CWindow wndCtl);
 	void OnFixDump(UINT uNotifyCode, int nID, CWindow wndCtl);
 	void OnPERebuild(UINT uNotifyCode, int nID, CWindow wndCtl);
+	void OnDisassembler(UINT uNotifyCode, int nID, CWindow wndCtl);
 
 	LRESULT OnTreeImportsDoubleClick(const NMHDR* pnmh);
 	LRESULT OnTreeImportsKeyDown(const NMHDR* pnmh);
@@ -138,6 +141,7 @@ class CScyllaDlg
 		COMMAND_ID_HANDLER_EX(IDC_BTN_DUMP, OnDump)
 		COMMAND_ID_HANDLER_EX(IDC_BTN_FIX_DUMP, OnFixDump)
 		COMMAND_ID_HANDLER_EX(IDC_BTN_PE_REBUILD,OnPERebuild)
+		COMMAND_ID_HANDLER_EX(ID_MISC_DISASSEMBLER,OnDisassembler)
 
 		COMMAND_ID_HANDLER_EX(IDC_BTN_CLEAR,OnClearImports)
 		COMMAND_ID_HANDLER_EX(IDC_BTN_SHOW_INVALID,OnInvalidImports)

WinArk/ScyllaDlg.h

@@ -338,6 +338,20 @@ BEGIN
     LISTBOX         IDC_LIST_LOG,0,267,413,72,LBS_SORT | LBS_NOINTEGRALHEIGHT | WS_VSCROLL | WS_HSCROLL | WS_TABSTOP
 END
 
+IDD_DISASSEMBLER DIALOGEX 0, 0, 463, 244
+STYLE DS_SETFONT | DS_FIXEDSYS | WS_POPUP | WS_CAPTION | WS_SYSMENU | WS_THICKFRAME
+EXSTYLE WS_EX_TOOLWINDOW
+CAPTION "Disassembler"
+FONT 8, "MS Shell Dlg", 400, 0, 0x1
+BEGIN
+    CONTROL         "",IDC_LIST_DISASSEMBLER,"SysListView32",LVS_REPORT | LVS_ALIGNLEFT | WS_BORDER | WS_TABSTOP,7,7,449,206
+    LTEXT           "Address:",IDC_DISASSEMBLE_ADDRESS,15,222,30,8
+    EDITTEXT        IDC_DISASM_ADDRESS,49,218,107,14,ES_AUTOHSCROLL
+    PUSHBUTTON      "<",IDC_DISASM_BACK,390,218,22,14
+    PUSHBUTTON      ">",IDC_DISASM_FORWARD,418,218,22,14
+    PUSHBUTTON      "Disassemble",IDC_DISASM,166,218,50,14
+END
+
 
 /////////////////////////////////////////////////////////////////////////////
 //
@@ -456,6 +470,14 @@ BEGIN
         TOPMARGIN, 1
         BOTTOMMARGIN, 349
     END
+
+    IDD_DISASSEMBLER, DIALOG
+    BEGIN
+        LEFTMARGIN, 7
+        RIGHTMARGIN, 456
+        TOPMARGIN, 7
+        BOTTOMMARGIN, 237
+    END
 END
 #endif    // APSTUDIO_INVOKED
 
@@ -565,6 +587,11 @@ BEGIN
     0
 END
 
+IDD_DISASSEMBLER AFX_DIALOG_LAYOUT
+BEGIN
+    0
+END
+
 
 /////////////////////////////////////////////////////////////////////////////
 //
@@ -878,7 +905,10 @@ BEGIN
         MENUITEM "&Dump",                       ID_FILE_DUMP
     END
     MENUITEM "Imports",                     ID_IMPORTS
-    MENUITEM "Misc",                        ID_MISC
+    POPUP "Misc"
+    BEGIN
+        MENUITEM "Disassembler",                ID_MISC_DISASSEMBLER
+    END
     MENUITEM "Help",                        ID_HELP33025
 END
 
@@ -917,6 +947,21 @@ BEGIN
         MENUITEM SEPARATOR
         MENUITEM "Expand all nodes",            ID_EXPAND_ALL_NODES
         MENUITEM "Collapse all nodes",          ID_COLLAPSE_ALL_NODES
+        MENUITEM SEPARATOR
+        MENUITEM "Disassemble",                 ID_IMPORTS_DISASSEMBLE
+    END
+END
+
+IDR_DISASM MENU
+BEGIN
+    POPUP "Disasm"
+    BEGIN
+        MENUITEM "Follow",                      ID_DISASM_FOLLOW
+        MENUITEM "Disassemble here",            ID_DISASM_DISASSEMBLE_HERE
+        MENUITEM "Copy Address",                ID_DISASM_COPY_ADDRESS
+        MENUITEM "Copy Size",                   ID_DISASM_COPY_SIZE
+        MENUITEM "Copy OpCodes",                ID_DISASM_COPY_OPCODES
+        MENUITEM "Copy Instructions",           ID_DISASM_COPY_INSTRUCTIONS
     END
 END
 

WinArk/WinArk.rc

@@ -255,6 +255,7 @@
     <ClCompile Include="BinaryValueDlg.cpp" />
     <ClCompile Include="BypassDlg.cpp" />
     <ClCompile Include="CallStackDlg.cpp" />
+    <ClCompile Include="DisasmDlg.cpp" />
     <ClCompile Include="ExplorerView.cpp" />
     <ClCompile Include="ExtensionTable.cpp" />
     <ClCompile Include="ExtensionTableDlg.cpp" />
@@ -429,6 +430,7 @@
     <ClInclude Include="ComHelper.h" />
     <ClInclude Include="CustomListView.h" />
     <ClInclude Include="CustomSplitterWindow.h" />
+    <ClInclude Include="DisasmDlg.h" />
     <ClInclude Include="ExplorerView.h" />
     <ClInclude Include="ExtensionTable.h" />
     <ClInclude Include="ExtensionTableDlg.h" />

WinArk/WinArk.vcxproj

@@ -534,6 +534,9 @@
     <ClCompile Include="ImportRebuilder.cpp">
       <Filter>Scylla</Filter>
     </ClCompile>
+    <ClCompile Include="DisasmDlg.cpp">
+      <Filter>Scylla</Filter>
+    </ClCompile>
   </ItemGroup>
   <ItemGroup>
     <ClInclude Include="stdafx.h">
@@ -1076,6 +1079,9 @@
     <ClInclude Include="ImportRebuilder.h">
       <Filter>Scylla</Filter>
     </ClInclude>
+    <ClInclude Include="DisasmDlg.h">
+      <Filter>Scylla</Filter>
+    </ClInclude>
   </ItemGroup>
   <ItemGroup>
     <ResourceCompile Include="WinArk.rc">