Dumpbin strange strings

calypso · May 03, 2014, 12:17:43 AM

Hi forum,

I am parsing some functions in ntdll (to include branch instructions). After running dumpbin and redirecting output to a file, then fixing up and organizing the bytecode into BBs (because screw IDA, I want character dammit) I get various lines such as:

...
push offset ??_C@_0BN@PAEIMCDF@DLL?5name?3?5?$CFwZ?5DLL?5path?3?5?$CFwZ?6?$AA@FNODOBFM@
...
push offset ??_C@0M@GDHEIPHC@LdrpLoadDll?$AA@FNODOBFM@
...

What is that '??_C@' gunk? Are they strings in the data section of the ntdll that I dumped? I couldn't find any solid information elsewhere.

Zen · May 03, 2014, 03:58:58 AM

Just taking a wild guess,...these are probably mangled function names.

Vortex · May 03, 2014, 08:43:07 PM

Hi calypso,

Zen is right. They are C++ functions and they can have very complicated symbols.

Calling conventions for different C++ compilers and operating systems :

QuoteThis document contains details about data representation, function calling conventions, register usage conventions, name mangling schemes, etc. for many different C++ compilers and operating systems.

http://agner.org/optimize/#manuals

http://agner.org/optimize/calling_conventions.pdf

TWell · May 03, 2014, 09:33:04 PM

If it is from microsoft use undname.exe to UnDecorate that name.

In dbghelp.lib is UnDecorateSymbolName()

The MASM Forum

News:

Dumpbin strange strings

calypso

Zen

Vortex

TWell