
Info about API arguments when CIP is in API CALL

Open therealdreg opened this issue 8 years ago • 6 comments

Hi, very good and useful project,

I have a new suggestion for the project.

Add a new window (or modify the actual args window) when CIP is in the API CALL.

When CIP is in the API (or CIP is on a CALL API instruction), you know exactly the location of the ARGS (stack, registers, etc.). Then you can show this useful info in a friendly way (like OllyDbg).

This feature can be very useful when the analysis makes mistakes and you are debugging.

Something like this image (but we need another way because of the x64 calling convention):

[image: olly creatfile]

therealdreg avatar Feb 11 '17 07:02 therealdreg

Hey David and thanks for passing by. Now, regarding this feature, actually x64dbg doesn't have any means yet implemented that support comments and arguments in the stack widget, but yeah, I agree that it's a nice feature and it's in future plans to implement it when x64dbg allows this. I'm gonna leave this issue open, thanks.

ThunderCls avatar Feb 11 '17 16:02 ThunderCls

I wonder if there is a way to re-use/re-purpose the destination preview dialog, to effectively have a floating tooltip that shows custom content - which might well include the call, the api name and parameters along with the actual values.

But ideally a custom widget to display the parameters contents would probably be more useful to view at a glance.

mrfearless avatar Feb 11 '17 18:02 mrfearless

Indeed mrfearless, it could be somehow done using the tooltip dialog I guess, but still, I think the nicest way to do it is using the very same stack widget in x64dbg.

ThunderCls avatar Feb 11 '17 20:02 ThunderCls

In the x64 convention the first params are in registers. How to paint the register params in the stack widget in a friendly way?

We need a direct way to inspect the args info. Avoid using mouse clicks, pressing keys, etc. (it can be a pain in the ass in a debug session). The OllyDbg way is direct and clear.

I have two ideas:

We can use RSP-UNUSED to make comments with register info, something like this:

[image: stack]

Or we can modify the convention widget and the stack widget with the arg info, something like this:

[image: convention widget]

This last one is the clearest way IMO.

therealdreg avatar Feb 12 '17 01:02 therealdreg

I think the better way to do it would be to use the register args widget for x64 bits and somehow draw there the info regarding the actual params; on the other hand, for x86 bits the same approach could be used but implemented in the stack widget. It would make much more sense.

ThunderCls avatar Feb 12 '17 03:02 ThunderCls

I was confused why this really useful feature has not been added to the analyzer, then the issue is from x64dbg's comment support, hope that they would improve that soon ☺

sttv9998877 avatar Aug 13 '21 11:08 sttv9998877