The Function in PE
AlanZheng
February 10th, 2004, 04:45
Hi all:
I have a problem with PE. I want to record the "function" when I execute a .exe file. For example, I launch Microsoft Word and click the "File" menu.
But I want to record this process and record all transfer functions.
AlanZheng
February 10th, 2004, 06:01
Could somebody tell me how to get the inside functions from a PE file? They are not the functions in the import and export sections. I opened a PE file using a hex editor, but I could not find the local functions. Please tell me why.
And tell me how the inside functions are transferred.
Thank you very much!
You are welcome to communicate with me.
My Email: zhengxd@langchao.com
dELTA
February 10th, 2004, 08:50
Your request is still a little unclear to me. Please try to explain further. Explaining the purpose of the whole thing might make it easier to understand too.
evlncrn8
February 10th, 2004, 10:10
sounds like you need to study the pe file format
JMI
February 10th, 2004, 13:49
Since these two threads were from the same author, closely spaced in time, and appear to be directly related (at least on what can be determined at this point in time), I have taken the liberty to merge them together.
Regards,
AlanZheng
February 11th, 2004, 00:37
Hi all:
My problem is about all the functions in the PE file, including the local and extern functions in the source code, whether they are obtained from other processes or not. For example, the source of the PE file uses C/C++ on the VC++ 6.0 platform.
I only get the exported functions using the "depends" tool. I do not get the other functions, and I still do not get the other functions when I open the .exe file using a hex editor.
Please tell me why.
Thank you very much.
My Email: zhengxd@langchao.com
Kayaker
February 11th, 2004, 01:05
Since this seems like a 3rd question on the same topic by the same author, I have also taken the liberty to merge the threads.
We would like to help you with your problem if we can understand exactly what you are asking, but please don't keep posting the same type of question in different threads.
Maybe from the 3 posts we can figure out what it is you need.
To start with, do you understand the basic PE structure? Have you read and understood the documentation here for example?
http://www.woodmann.com/forum/showthread.php?t=5384
Let's try this -
>I want to record the "function" when I execute a .exe file. For example, I launch Microsoft Word and click the "File" menu.
>But I want to record this process and record all transfer functions.
3 tools might do what you seem to be asking - Filemon, Regmon, an API monitor.
>Could somebody tell me how to get the inside functions from a PE file? They are not the functions in the import and export sections. I opened a PE file using a hex editor, but I could not find the local functions. Please tell me why.
>And tell me how the inside functions are transferred.
What do you mean by 'Inside Function'? If it's not an import or export then do you mean local calls or calls from a loaded dll?
Please try to clarify what you want.
dELTA
February 11th, 2004, 07:00
Ok, my guess is that you are asking to be able to recover/pinpoint the different functions found in the source code of the program, from the binary after compiling the program, just like you can find the location of the exported functions? The problem is that no names are preserved for these "internal functions" during the compilation, so it is impossible to get them straight away. You have to disassemble and analyze the program manually, and "guess" which functions are which (if you don't have any debug symbols for the program that is, then you can get names for all memory addresses in the program).
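To make dELTA's point concrete, here is an added example that is not from this thread or from any of the tools mentioned in it. It builds a constructed, minimal PE32 image in memory (one .text section holding two tiny functions, and an export directory that names only the first), then walks the headers the way a tool such as "depends" does. Only the exported function gets a name out of the export table; the internal helper at RVA 0x1010 is just code bytes with no name stored anywhere in the file, which is exactly why a hex editor shows nothing to look for. All names, RVAs and bytes are invented for the demonstration.

```python
import struct

# Constructed, minimal PE32 image (not a real DLL): one section at RVA 0x1000
# holding two tiny functions, and an export table that names only the first.
SECTION_RVA = 0x1000
SECTION_FILE_OFFSET = 0x200
EXPORT_DIR_RVA = SECTION_RVA + 0x20


def build_demo_pe() -> bytes:
    """Assemble the constructed PE32 image as bytes."""
    sec = bytearray(0x200)
    sec[0x00:0x06] = b"\xB8\x01\x00\x00\x00\xC3"   # Exported: mov eax,1 ; ret
    sec[0x10:0x13] = b"\x33\xC0\xC3"               # internal helper: xor eax,eax ; ret (no name anywhere)
    # IMAGE_EXPORT_DIRECTORY: name RVA, ordinal base, 1 function, 1 name,
    # then the RVAs of the address, name-pointer and ordinal tables.
    sec[0x20:0x48] = struct.pack("<IIHHIIIIIII", 0, 0, 0, 0,
                                 SECTION_RVA + 0x60, 1, 1, 1,
                                 SECTION_RVA + 0x50, SECTION_RVA + 0x54,
                                 SECTION_RVA + 0x58)
    sec[0x50:0x54] = struct.pack("<I", SECTION_RVA + 0x00)  # AddressOfFunctions[0]
    sec[0x54:0x58] = struct.pack("<I", SECTION_RVA + 0x70)  # AddressOfNames[0]
    sec[0x58:0x5A] = struct.pack("<H", 0)                   # AddressOfNameOrdinals[0]
    sec[0x60:0x69] = b"demo.dll\0"
    sec[0x70:0x79] = b"Exported\0"

    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                      # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)   # ImageBase, SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                          # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96, EXPORT_DIR_RVA, 0x60)       # DataDirectory[0] = export table
    section_hdr = struct.pack("<8sIIIIIIHHI", b".text", len(sec), SECTION_RVA,
                              len(sec), SECTION_FILE_OFFSET, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section_hdr
    return headers.ljust(SECTION_FILE_OFFSET, b"\0") + bytes(sec)


def read_cstring(data: bytes, offset: int) -> str:
    return data[offset:data.index(b"\0", offset)].decode("ascii")


def parse_sections(data: bytes):
    """Return (export_dir_rva, [(virtual_address, size, raw_offset), ...])."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    export_rva = struct.unpack_from("<I", data, opt + 96)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        vsize, va, rawsize, raw = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, max(vsize, rawsize), raw))
    return export_rva, sections


def rva_to_offset(sections, rva: int) -> int:
    for va, size, raw in sections:
        if va <= rva < va + size:
            return rva - va + raw
    raise ValueError(f"RVA {rva:#x} is outside every section")


def parse_exports(data: bytes) -> dict:
    """Map each exported name to its RVA, which is all a tool like 'depends' can show."""
    export_rva, sections = parse_sections(data)
    off = rva_to_offset(sections, export_rva)
    (_, _, _, _, _, _base, _nfunc, nnames,
     aof, aon, aoo) = struct.unpack_from("<IIHHIIIIIII", data, off)
    exports = {}
    for i in range(nnames):
        name_rva = struct.unpack_from("<I", data, rva_to_offset(sections, aon) + 4 * i)[0]
        ordinal = struct.unpack_from("<H", data, rva_to_offset(sections, aoo) + 2 * i)[0]
        func_rva = struct.unpack_from("<I", data, rva_to_offset(sections, aof) + 4 * ordinal)[0]
        exports[read_cstring(data, rva_to_offset(sections, name_rva))] = func_rva
    return exports


def name_for_rva(data: bytes, rva: int):
    """Export name for a code address, or None: internal functions have no name in the file."""
    by_rva = {v: k for k, v in parse_exports(data).items()}
    return by_rva.get(rva)


if __name__ == "__main__":
    image = build_demo_pe()
    print("exports:", {k: hex(v) for k, v in parse_exports(image).items()})
    for rva in (0x1000, 0x1010):
        print(hex(rva), "->", name_for_rva(image, rva) or "no name: only code bytes")
```

Run it and the export table yields a single name; asking for the helper at 0x1010 returns nothing, because the compiler kept no record of it. Recovering it means disassembling the code, or having a .pdb or other debug symbols, as dELTA says.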
sgdt
February 11th, 2004, 22:02
IDA's FLIRT signatures for various compilers are very helpful. This leaves only the user written functions left to figure out, and even then, they are pretty simple because you can see what the code is doing (i.e., it's calling mktime or fread or whatever. Much nicer than only imports).
Anyway, FLIRT is pretty amazing. You can even create your own sigs, which is really handy when new versions of applications are being released often. This allows you to only have to deal with the functions that have changed. It isn't 100% accurate, but it handles the majority of the routines.
IDA rocks! Too bad it's so hard to buy.

Aimless
February 16th, 2004, 01:00
Let me see if I understand you properly:
1. You can trace the exported functions of an executable using any tool that you want.
2. You can also trace the imported functions of an executable using any tool that you want.
3. What you CANNOT trace, is the actual local functions (as seen in a decent disassembler like IDA: for eg: sub_41234444)
If that is indeed the case, I would recommend you get a binary profiler (pretty hard to find) or use Microsoft Windebug or Ollydebug.
a. In case of Microsoft Windebug, breakpoint on all functions (import the bps from a file. Manually enter and you'll grow old)
b. Run the program and save the log file. Voila! You have the call list. If you want to see the hierarchy, then you have to use a command (forgot which, sorry, look up the docs)
c. If it's Olly, you gotta run a trace.
d. Save the trace to a text file, run grep on it and get all lines with only CALL in them.
e. You're done.
Alternatively, you might try using Etch (but I doubt you'll find it now). A better idea is to use your own program to do the same. A good knowledge of C++/VB/PE Structure recommended.
If none of the above, I guess you'll have to repeat the question for the umpteenth time.
Have Phun
sgdt
February 16th, 2004, 11:06
There are a couple "debug-less" profilers that I use, the first is of course VTune, and second is AMD's CodeAnalyst. AMD's CodeAnalyst is free and available from AMD's website. Neither profiler requires debug information or source code. Etch hasn't been maintained in quite some time, so I believe after the guy who wrote it got his thesis, he gave up.
OK, back to the question. If you don't want to use IDA's tree graph to determine what all functions are called from an exported function (and who they call, and who they call, etc.), then I would recommend a coverage check.
I'm fairly certain Olly supports coverage. What it does is automatically place break points on EVERY instruction in your program. When the break point fires, the break point is automatically removed and the program resumes. When the run is complete, instructions that don't have a break point are executed instructions, and instructions with remaining break points were not executed. Simple enough...
Usually this functionality is used for determining the completeness of your testing, but you can also use it to see any functions that might have been called by pointer-to-function (something that doesn't easily show up in IDA).
The SoftIce guys also have a wonderful coverage tool, professional grade with a price to match. It may require source, though, so I would try getting Olly to do it first.
Coverage is a bit easier than trace, because trace logs every instruction (including instructions that have already been executed). This information, while very useful, can sometimes be quite large and distracting (especially with loops).
Anyway, if you're zen with PE and a hex editor, you can add cool functions you find to the exports section. This is NOT for the faint of heart, and you will need to make sure that the data it references is set up correctly (i.e. global or class variables that may have been set by what it expected to be a parent function).
This was a great deal more text than I expected to type...
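An added example, written for this thread rather than taken from it or from Olly, WinDbg, VTune or CodeAnalyst, that shows what both Aimless's trace-then-grep-for-CALL procedure and sgdt's coverage run actually produce. It drives a constructed toy program (not real x86, just addresses with a length, a mnemonic and an operand) through a tiny simulator that keeps two records at once: a full run trace, one entry per executed instruction, and a coverage set, the addresses whose one-shot breakpoint fired. The program is built so that it has a direct call, a call through a register (pointer-to-function), a loop, and a function nothing ever calls. All addresses and the instruction set are invented.

```python
# Constructed toy program: address -> (length, mnemonic, operand).
# Not real x86; it only has the shapes that matter for trace vs. coverage.
PROGRAM = {
    0x401000: (5, "CALL", 0x401020),            # main: direct call to helper
    0x401005: (5, "MOV", ("r0", 0x401040)),     # r0 = address of callback
    0x40100A: (2, "CALL", "r0"),                # indirect call: no static target
    0x40100C: (1, "RET", None),
    0x401020: (5, "MOV", ("r1", 3)),            # helper: loop three times
    0x401025: (1, "DEC", "r1"),
    0x401026: (2, "JNZ", ("r1", 0x401025)),
    0x401028: (1, "RET", None),
    0x401040: (1, "NOP", None),                 # callback: reached only through r0
    0x401041: (1, "RET", None),
    0x401050: (1, "NOP", None),                 # dead code: never executed
    0x401051: (1, "RET", None),
}


def run(program, entry=0x401000, max_steps=10_000):
    """Execute the program; return (trace, covered).

    trace   - every executed instruction in order, like a debugger's run trace log
    covered - addresses whose one-shot breakpoint fired, like a coverage run
    """
    regs = {"r0": 0, "r1": 0}
    stack = []
    trace = []
    covered = set()
    pc = entry
    for _ in range(max_steps):
        size, op, arg = program[pc]
        if op == "CALL" and isinstance(arg, str):
            arg = regs[arg]                      # pointer-to-function resolved at run time
        trace.append((pc, op, arg, len(stack)))  # depth = call nesting at this point
        covered.add(pc)                          # one-shot breakpoint fires, then is removed
        nxt = pc + size
        if op == "CALL":
            stack.append(nxt)
            nxt = arg
        elif op == "RET":
            if not stack:                        # returned from the entry point: done
                return trace, covered
            nxt = stack.pop()
        elif op == "MOV":
            regs[arg[0]] = arg[1]
        elif op == "DEC":
            regs[arg] -= 1
        elif op == "JNZ":
            if regs[arg[0]] != 0:
                nxt = arg[1]
        pc = nxt
    raise RuntimeError("step limit reached")


def fmt_operand(arg):
    if arg is None:
        return ""
    if isinstance(arg, tuple):
        return ", ".join(fmt_operand(a) for a in arg)
    return f"{arg:08X}" if isinstance(arg, int) else str(arg)


def format_trace(trace):
    """Render the trace as text lines, the form you would save from a debugger."""
    return [f"{pc:08X}  {op:<4} {fmt_operand(arg)}".rstrip() for pc, op, arg, _ in trace]


def grep_calls(lines):
    """Aimless's step d: keep only the lines with a CALL in them."""
    return [line for line in lines if " CALL " in line]


def call_tree(trace):
    """(caller, callee, depth) for every CALL; depth gives the hierarchy."""
    return [(pc, arg, depth) for pc, op, arg, depth in trace if op == "CALL"]


def never_executed(program, covered):
    """Instructions whose breakpoint is still in place after the run."""
    return sorted(set(program) - covered)


if __name__ == "__main__":
    trace, covered = run(PROGRAM)
    print(f"trace: {len(trace)} lines; coverage: {len(covered)} of {len(PROGRAM)} instructions")
    for caller, callee, depth in call_tree(trace):
        print("  " * depth + f"{caller:08X} -> {callee:08X}")
    print("\n".join(grep_calls(format_trace(trace))))
    print("never executed:", [hex(a) for a in never_executed(PROGRAM, covered)])
```

Two things fall out that the posts describe: the trace has more lines than there are covered instructions because the loop body is logged on every pass, and the callback at 0x401040 shows up in both the coverage set and the CALL list even though no instruction names it statically, which is the pointer-to-function case sgdt mentions. The dead code at 0x401050 is the only place a breakpoint is left behind.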