SmidgeonSoft Logo

Entry-points Using
PEBrowse Professional

Disassembling, Memory Dump

Wholesale Disassembling - Sections/.text/Disassemble

One of the questions I receive from time to time is if there is way ala DUMPBIN to produce a straight sequential disassembly listing of the entire module.  This can be done with PEBrowse in a two-step procedure.  First, navigate to the "Sections" node in the Index and select Disassemble from the popup menu.  The command produces a short disassembly listing; now select Edit/Refresh from the disassembly window and enter the value, "-1", into the edit field, press the refresh button and wait.  Depending on the size of the module and the speed of your machine, you will finally see after a pause a disassembly window containing a large number of instructions like the one you see in Figure 12.

Figure 12

If there is more than one section containing code, repeat the above for each new section.  You can then save the contents to a file by selecting Edit/Save to File... and continue your analysis with the newly created file.  Depending on the internal layout of the section, you may need to scroll down a ways before actually seeing meaningful code.

From a Memory Dump Window

You may recall from the debug symbol discussion seeing some items labeled, for example, "CDispatchEx: `vtable'" -- these identified virtual tables for a particular class.  Navigate to the CDispatchEx node, expand it, and double-click on its vtable entry.  You should now be viewing Figure 13, a memory dump window.

Figure 13

Select one of the lines and bring up the popup menu -- the Disassemble menu item should now point you at one to four more entry-points, each representing an address in the vtable to one of the member functions of CDispatchEx and our tenth entry-point type.  Actually, there is nothing special about this memory display window except for the fact that it identifies an area in memory that is laid out as a table of addresses.  In fact, with any memory display window you may find an entry-point that can be used as a starting point -- the .data or .idata sections are good places to begin a hunt.

prev page 1st page next page
Home | FAQ | News | Software | Documentation | SiteSearch | Licensing | Links | SiteIndex | AboutUs | ContactUs
Page best viewed at 1024x768.   Page last updated 2006-11-19.   This site is PIKT® powered.
Copyright © 1998-2006 Russell Osterlund.  All rights reserved.  SmidgeonSoft is a wholly-owned division of SmidgeonSoft, LLC.
Home FAQ News Software Documentation SiteSearch