当前位置: 文江博客话题详情

如何获取delphi生成的EXE的VMT表的地址(位置)

发布于 2024-11-08 22:56:50 字数 108 浏览 0 评论 0原文

我需要枚举用 delphi 编写的外部应用程序中使用的类 ,所以我需要访问VMT表来获取该信息,但我找不到任何关于如何在exe(由delphi生成)文件中查找VMT(虚拟方法表)的位置(地址)的文档。

原文

i need to enumerate the classes used in a external application written in delphi
, so i need access to the VMT table to get that information, but i can't find any documentation about how find the location (address) of the VMT (virtual-method table) in a exe (generated by delphi) file.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(3

九公里浅绿 2024-11-15 22:56:50

.exe 文件中没有一个 VMT。每个班级都有自己的 VMT。据我所知,没有可靠的方法来枚举可执行文件中的类。我假设可执行文件只是一个文件。唯一的方法是分析此类数据如何存储在 .exe 文件中。

但即使 .exe 正在运行,并且您可以访问其中一个对象,您也只能找到该对象的类的 VMT(在对象的偏移量 0 处)。这也将使您能够访问该类的基类,但仅此而已。

There is not one single VMT in an .exe file. Each class has its own VMT. There is, AFAICT, no reliable way to enumerate the classes in an executable. I assume the executable is only a file. The only way to do that is to analyze how such data is stored in an .exe file.

But even if the .exe is running, and you have access to one of the objects, you can merely find the VMT of the class of that object (at offset 0 of the object). This will also give you access to the base classes of the class, but that is about it.

回复 原文
不语却知心 2024-11-15 22:56:50

请注意,运行时类型信息存在差异,并且只有 VMT。如果您需要 RTTI 而不是 VMT 的类型信息(例如方法和类型的名称);如果您可以访问 VMT(您可以通过类类型的 RTTI 进行类型访问,请参见下文),则 VMT 将包含指向方法的指针列表,并且没有方法 mname、参数信息等。Delphi 不会为每个 VMT 创建类似 IDispatch 的信息以及每个类/接口..

直到 Delphi 2007,您都没有所有类型的列表,以后的版本可能是相同的,但我不确定。如果你有一个映射文件,你可以从中获取一些数据,或者你可以使用一些启发式方法来搜索该文件:Delphi 中的类型总是以指向 self 的指针开头(例如 e PPTypeInfo 指向 PTypeInfo)。由于 PTypeinfo 也具有特定的格式,因此您可以通过扫描可执行文件轻松检测到这些格式。

找到 PTypeInfo 后,您可以解析后面的数据,生成类型名称,然后获得 TypeData。对于此处的类类型,您可以找到指向包含正偏移量的 VMT 的类的指针。包含已发布方法/属性的类型将在类型数据之后显示这些内容。您可以在 TypInfo 单元中找到结构的所有详细信息。

除了映射文件之外,您永远找不到所有方法的所有地址;只有具有 RTTI 的方法(例如已发布的方法)才有具有名称的地址。只有选定的一组类型具有 RTTI(后来 Delphi 具有新的 RTTI 信息,但我不知道它们在模块中的构造)。

祝你好运。

Please note that there is a difference in runtime type info and only a VMT. If you need type information (like names of methods and types) that is RTTI and not a VMT; a VMT if you can reach it (you can via a type via the RTTI of a class type see below)will contain a list of pointers to methods and no method mnames, parameter information etc etc. Delphi does not create information like IDispatch for each and every class/interface..

Up to Delphi 2007 you do not have a list of all types, later versions are probably the same but I am not sure. If you have a map file you can get some data from that or you can use some heuristics to search through the file: types in Delphi are always prepended with a pointer to self (eg e PPTypeInfo pointing to the PTypeInfo). Since a PTypeinfo also has a specific format you can detect these quite easily with a scan through the executable.

Once a PTypeInfo is found you can parse the data that follows yielding the typename and following that you have the TypeData. For class types here you can find a poiter to the class which contains the VMT at possitive offsets. Types containing published methods / properties will have those after the type data. You can find all details of the structures in the unit TypInfo.

You will never find all addresses of all methods except in a map file; only methods with RTTI (eg are published) have an address with a name. Only a selected set of types have RTTI (later Delphi's have new RTTI information but I do not know their construct in a module).

Good luck.

回复 原文
哆兒滾 2024-11-15 22:56:50

是的,在某种程度上是可能的!

为了描述它,您需要一种用于EXE文件的类浏览器,类似于IDE对帕斯卡单元的处理方式。

Revendepro的源代码说明了解决该问题的方法。

摘自http://www.ggoossen.net/revendepro/findingClasses.html(现在似乎是一个死链接):

  I := Code - vmtSelfPtr;
  while I < Code + CodeSize do
  begin
    // vmtSelfPtr must point to itself.
    if PPChar(I + vmtSelfPtr)^ = I then
    begin
        if PPChar(I + vmtParent)^ = nil then
        try
          // If no classParent then class can be object
          if (not UsePackages) and (TClass(I).ClassName = 'TObject') then
            // if class if object add it to classes.
            Add(TClass(I))
        except
          on EAccessViolation do
        end
        else
          // className must be in the code section.
          // classParent must be in the code section or the import section (when it is imported).
          if (PPChar(I + vmtClassName)^ <= Code + CodeSize) and
             (PPChar(I + vmtClassName)^ >= Code) and
             (((PPChar(I + vmtParent)^ <= Code + CodeSize) and
               (PPChar(I + vmtParent)^ >= Code)) or
              ((PPChar(I + vmtParent)^ <= ImportStart + ImportSize) and
               (PPChar(I + vmtParent)^ >= ImportStart))) then
          // Add possible class to possible class list.
          PossClasses.Add(I);
    end;
    Inc(I, 4);
  end;
   // Can't be more then 1 TObject.
  if (not TPEFileClass(PEFileClass).UsePackages) and (Count > 1) then
    raise EDecompilerError.Create('There can only be one TObject.');

  // If no classParent then class can be object
  if TClass(I).ClassName = 'TObject' then
    Add(TClass(I)) // if class if object add it to classes.

    // Add Classes to the list which parent is in the list.
  repeat
    Added := False;
    for J := PossClasses.Count -1 downto 0 do
    begin
      // Try to find parent class in classList
      if FindClass(TClass(PossClasses[J]).ClassParent) <> nil then
      begin
        // Class in class list
        Add(PossClasses[J]);
        PossClasses.Delete(J);
        Added := True;
      end;
      // Try to find parent class in a other package.
      for K := 0 to High(PEFiles) do
        if PEFiles[K].Classes.FindClass(TClass(PossClasses[J]).ClassParent) <> nil then
        begin
          // Class in class list
          Add(PossClasses[J]);
          PossClasses.Delete(J);
          Added := True;
          Break;
        end;
    end;
  until not Added;

免责声明:我从未测试过这些代码。

Yes it's possible to some extent!

To depict it, what you need is a kind of Class browser for EXE file similar to the way the IDE does with pascal unit.

The source code of Revendepro illustrate the way to tackle it.

Excerpts from http://www.ggoossen.net/revendepro/findingClasses.html (seems to be a dead link now):

  I := Code - vmtSelfPtr;
  while I < Code + CodeSize do
  begin
    // vmtSelfPtr must point to itself.
    if PPChar(I + vmtSelfPtr)^ = I then
    begin
        if PPChar(I + vmtParent)^ = nil then
        try
          // If no classParent then class can be object
          if (not UsePackages) and (TClass(I).ClassName = 'TObject') then
            // if class if object add it to classes.
            Add(TClass(I))
        except
          on EAccessViolation do
        end
        else
          // className must be in the code section.
          // classParent must be in the code section or the import section (when it is imported).
          if (PPChar(I + vmtClassName)^ <= Code + CodeSize) and
             (PPChar(I + vmtClassName)^ >= Code) and
             (((PPChar(I + vmtParent)^ <= Code + CodeSize) and
               (PPChar(I + vmtParent)^ >= Code)) or
              ((PPChar(I + vmtParent)^ <= ImportStart + ImportSize) and
               (PPChar(I + vmtParent)^ >= ImportStart))) then
          // Add possible class to possible class list.
          PossClasses.Add(I);
    end;
    Inc(I, 4);
  end;
   // Can't be more then 1 TObject.
  if (not TPEFileClass(PEFileClass).UsePackages) and (Count > 1) then
    raise EDecompilerError.Create('There can only be one TObject.');

  // If no classParent then class can be object
  if TClass(I).ClassName = 'TObject' then
    Add(TClass(I)) // if class if object add it to classes.

    // Add Classes to the list which parent is in the list.
  repeat
    Added := False;
    for J := PossClasses.Count -1 downto 0 do
    begin
      // Try to find parent class in classList
      if FindClass(TClass(PossClasses[J]).ClassParent) <> nil then
      begin
        // Class in class list
        Add(PossClasses[J]);
        PossClasses.Delete(J);
        Added := True;
      end;
      // Try to find parent class in a other package.
      for K := 0 to High(PEFiles) do
        if PEFiles[K].Classes.FindClass(TClass(PossClasses[J]).ClassParent) <> nil then
        begin
          // Class in class list
          Add(PossClasses[J]);
          PossClasses.Delete(J);
          Added := True;
          Break;
        end;
    end;
  until not Added;

Disclaimer: I never tested these codes.

回复 原文
~没有更多了~

关于作者

静水深流

暂无简介

0 文章
0 评论
22 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

lorenzathorton8

文章 0 评论 0

Zero

文章 0 评论 0

萧瑟寒风

文章 0 评论 0

mylayout

文章 0 评论 0

tkewei

文章 0 评论 0

17818769742

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文