Hi forum,
I am parsing some functions in ntdll (to include branch instructions). After running dumpbin and redirecting output to a file, then fixing up and organizing the bytecode into BBs (because screw IDA, I want character dammit) I get various lines such as:
...
push offset ??_C@_0BN@PAEIMCDF@DLL?5name?3?5?$CFwZ?5DLL?5path?3?5?$CFwZ?6?$AA@FNODOBFM@
...
push offset ??_C@0M@GDHEIPHC@LdrpLoadDll?$AA@FNODOBFM@
...
What is that '??_C@' gunk? Are they strings in the data section of the ntdll that I dumped? I couldn't find any solid information elsewhere.
Just taking a wild guess,...these are probably mangled function names.
Hi calypso,
Zen is right. They are C++ functions and they can have very complicated symbols.
Calling conventions for different C++ compilers and operating systems :
QuoteThis document contains details about data representation, function calling conventions, register usage conventions, name mangling schemes, etc. for many different C++ compilers and operating systems.
http://agner.org/optimize/#manuals
http://agner.org/optimize/calling_conventions.pdf
If it is from microsoft use undname.exe to UnDecorate that name.
In dbghelp.lib is UnDecorateSymbolName()