MHS finally uses the function/structure/typedef/enum database and the upcoming release lets you add your own custom ones as well.
Here, a custom structure/template has been mapped over RAM in the Hex Editor.
Clicking on the members in the dockable window at the bottom highlights it in the Hex Editor.
You can easily see the types and values of all members.
The structures/templates are dynamic as well. In a .EXE file there is a pointer to the PE header. My structure uses a dynamic array to fill the gap from the initial header to the _IMAGE_NT_HEADERS highlighted in the picture. The gap changes size on every .EXE file, but so does the size of the dynamic array, allowing the same template to map all .EXE files.
The editor is now more compact, faster, and easier to use.
Here I have 2 members with dynamic array sizes:
Pad, with an array size of (
AddressOfNewExeHeader-40h) fills the space from the DOS header to the NT header.
SectionTable, with an array size of (
NtHeader::FileHeader::NumberOfSections) correctly maps the number of sections in the image.
There are over 1,800 predefined structures and over 4,500 predefined typedefs, so you don’t have to remake common structures. You can override predefined structures with your own as well (if you ever delete yours, the predefined one will still be there).
The Future:
As noted above, the Disassembler currently shows parameter types and names.
The next step is to take these dynamic templates and map them automatically as they are encountered while single-stepping through code.
As you step through with the Disassembler, the parameters of the current function will be mapped to RAM and the values of all of their members will be shown clearly.
Furthermore, statements such as
MOV EAX, [EBP-4] may be replaced with
MOV EAX, [rRect.width], optionally of course.
L. Spiro
Our songs remind you of songs you’ve never heard.