
I've been trying to dump all of the imported API function calls for a set of PE files.

I have noticed that the majority of the PE files have a set of "weird" looking import functions. These are greatly increasing my number of unique function calls, even though I feel like a lot of them are the same function calls.

Upon further research, I found out this is due to name-mangling and I am currently looking for a solution to be able to get the original function call names (in the sense that it's a bit more readable and perhaps this could reduce my number of unique function calls) in Python if it's possible rather than in C++.

Some examples of what I'm getting:

?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ
?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z
??0exception@@QAE@ABQBD@Z
??0exception@@QAE@ABQBDH@Z
??0exception@@QAE@ABV0@@Z
??1exception@@UAE@XZ

versus

RegDeleteValueW
RegEnumKeyExW
RegCloseKey
RegQueryValueExW
RegSetValueExW
EidolonMK
  • Possible duplicate of [How to unmangle exported symbols from C++ in dynamic libraries in XCode on OSX](https://stackoverflow.com/questions/4506487/how-to-unmangle-exported-symbols-from-c-in-dynamic-libraries-in-xcode-on-osx) – underscore_d Jul 24 '17 at 08:58
  • or [function to mangle/demangle functions](https://stackoverflow.com/questions/4939636/function-to-mangle-demangle-functions) – underscore_d Jul 24 '17 at 08:59

1 Answer


Demangling C++ symbols is not easy in general. There are various "styles" and other complexities.

One option is to use a command-line tool. On Windows it is undname, on *nix you can use nm, demangle, c++filt and other utilities.

Another option is to try to use compiler code that implements demangling. LLVM, for instance, has a built-in Itanium ABI demangler. There should be something like that for GCC too.

arrowd
  • Thanks for the response. I had a question then, since you're speaking about various styles. Let's say the examples I gave (the ones including exception). Will all of these have the same function names? Because, you see, my intention is to just extract the function names. I don't need to know about the arguments or their types; all I need to know about the definition is the function name, so what's the best way to just extract the exact function names from these mangled names? – EidolonMK Jul 24 '17 at 08:56
  • How do you plan to use that function "name" you extracted? The problem is that the whole gibberish **is** a name. Functions like `RegDeleteValueW` are so nice looking because they are "C" (on Windows it is more complex than that, but that's irrelevant). So, having just `setbuf` instead of `?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z` wouldn't help you. – arrowd Jul 24 '17 at 11:23
  • I'm trying to create a unique set of function calls that have been used across my set of PE files, thus removing the duplicate function "names" across all my PE files. So if they are all calling functions with the same name but passing different arguments (causing it to have a different import function name), I won't have different unique function calls for each, but instead a single one with the function name. – EidolonMK Jul 24 '17 at 15:28
  • Well, export them as C functions, optionally with a `__stdcall` calling convention on Windows. – arrowd Sep 16 '17 at 12:55
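The asker's actual goal is narrower than full demangling: a key per function that ignores parameter types, so the three `exception` constructors collapse to one entry when counting imports across a corpus of PE files (a common feature-extraction step in malware triage). The following is an added example, not code from the question, the answer, or any library. It is a best-effort pure-Python reader of the MSVC scheme the question's names use (`?name@scope@@...`, `??0`/`??1` for constructor/destructor, `?$` for templates); it parses only the name and enclosing scope, skips template arguments in their common forms, and falls back to the raw string for anything it cannot parse rather than silently merging names. The `undecorate_windows` helper calls `dbghelp!UnDecorateSymbolName`, the Windows API behind `undname`, for the full signature; it only runs on Windows and is otherwise a no-op. The sample list is the names from the question; `SAMPLE_IMPORTS` and all function names are this example's own.

```python
# Added example: best-effort extraction of the qualified function name from
# MSVC-mangled import names so an import table can be collapsed to unique
# functions. Not code from the question, the answer, or any library.
import ctypes
import sys
from typing import Dict, List, Tuple

# Special-name codes that follow "??" in the MSVC scheme (partial table).
SPECIAL_NAMES = {"2": "operator new", "3": "operator delete", "4": "operator=",
                 "8": "operator==", "R": "operator()", "_7": "`vftable'",
                 "_E": "`vector deleting dtor'", "_G": "`scalar deleting dtor'"}


def _read_ident(s: str, i: int) -> Tuple[str, int]:
    """Read an identifier terminated by '@' (ValueError if none follows)."""
    j = s.index("@", i)
    return s[i:j], j + 1


def _skip_type(s: str, i: int) -> int:
    """Skip one type inside a template argument list (common forms only)."""
    c = s[i]
    if c in "UVTW":                       # struct/class/union/enum + qualified name
        i += 2 if c == "W" else 1         # enums carry an underlying-type digit
        return _parse_qualified(s, i)[1]
    if c in "PQRSAB":                     # pointer/reference: cv code, then pointee
        i += 1
        if s[i] == "E":                   # __ptr64 marker on 64-bit names
            i += 1
        if s[i] == "6":                   # function pointer: not handled here
            raise ValueError("function-pointer template argument")
        return _skip_type(s, i + 1)
    if c == "_":                          # two-character primitive (_J, _K, _N, _W)
        return i + 2
    if c.isdigit():                       # back-reference to an earlier type
        return i + 1
    if c in "$?@":                        # non-type template args etc.: give up
        raise ValueError(f"unsupported template argument at offset {i}")
    return i + 1                          # single-character primitive (D, H, X ...)


def _skip_template_args(s: str, i: int) -> int:
    """Skip a '@'-terminated template argument list."""
    while s[i] != "@":
        i = _skip_type(s, i)
    return i + 1


def _parse_qualified(s: str, i: int) -> Tuple[List[str], int]:
    """Parse the '@'-terminated scope list (MSVC lists it innermost first)."""
    parts: List[str] = []
    while True:
        c = s[i]                          # IndexError on a truncated name
        if c == "@":
            return parts, i + 1
        if s.startswith("?$", i):         # template component: ?$name@args@
            name, i = _read_ident(s, i + 2)
            i = _skip_template_args(s, i)
            parts.append(name + "<...>")
        elif c == "?":                    # e.g. ?A0x1234@ for an anonymous namespace
            name, i = _read_ident(s, i + 1)
            parts.append("?" + name)
        elif c.isdigit():                 # back-reference to an earlier component
            parts.append(f"<backref {c}>")
            i += 1
        else:
            name, i = _read_ident(s, i)
            parts.append(name)


def qualified_name(symbol: str) -> str:
    """scope::name for an MSVC-mangled symbol; plain C names pass through.
    Parameter and return types are ignored on purpose so overloads collapse."""
    if not symbol.startswith("?"):
        return symbol                     # C-style export such as RegCloseKey
    i = 1
    if symbol.startswith("?$", i):        # template function: ??$name@args@scope@@
        name, i = _read_ident(symbol, i + 2)
        i = _skip_template_args(symbol, i)
        name += "<...>"
        scope, _ = _parse_qualified(symbol, i)
    elif symbol[i] == "?":                # special member: ??0 ctor, ??1 dtor, ...
        i += 1
        code = symbol[i:i + 2] if symbol[i] == "_" else symbol[i]
        scope, _ = _parse_qualified(symbol, i + len(code))
        if code == "0":
            name = scope[0] if scope else "<ctor>"
        elif code == "1":
            name = "~" + scope[0] if scope else "<dtor>"
        else:
            name = SPECIAL_NAMES.get(code, f"<special {code}>")
    else:                                 # ordinary member or free function
        name, i = _read_ident(symbol, i)
        scope, _ = _parse_qualified(symbol, i)
    return "::".join(list(reversed(scope)) + [name])


def unique_imports(symbols: List[str]) -> Dict[str, List[str]]:
    """Group raw import names by qualified function name. Unparsable names
    keep their raw string as the key, so nothing is merged or dropped silently."""
    groups: Dict[str, List[str]] = {}
    for sym in symbols:
        try:
            key = qualified_name(sym)
        except (ValueError, IndexError):
            key = sym
        groups.setdefault(key, []).append(sym)
    return groups


def undecorate_windows(symbol: str) -> str:
    """Windows only: full signature via dbghelp!UnDecorateSymbolName (the API
    behind undname.exe). Returns '' on other platforms or on failure."""
    if not sys.platform.startswith("win"):
        return ""
    fn = ctypes.WinDLL("dbghelp").UnDecorateSymbolName
    fn.argtypes = [ctypes.c_char_p, ctypes.c_char_p, ctypes.c_uint, ctypes.c_uint]
    fn.restype = ctypes.c_uint
    buf = ctypes.create_string_buffer(4096)
    written = fn(symbol.encode("ascii"), buf, len(buf), 0)   # 0 = UNDNAME_COMPLETE
    return buf.value.decode("ascii") if written else ""


# Constructed sample: the import names listed in the question.
SAMPLE_IMPORTS = [
    "?underflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ",
    "?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z",
    "??0exception@@QAE@ABQBD@Z", "??0exception@@QAE@ABQBDH@Z",
    "??0exception@@QAE@ABV0@@Z", "??1exception@@UAE@XZ",
    "RegDeleteValueW", "RegEnumKeyExW", "RegCloseKey",
    "RegQueryValueExW", "RegSetValueExW",
]
```

Running `unique_imports(SAMPLE_IMPORTS)` on the eleven names from the question yields nine keys: the three `exception` constructors become one `exception::exception` entry, the destructor becomes `exception::~exception`, the two `basic_streambuf` members keep their `std::basic_streambuf<...>::` scope, and the five `Reg*` names pass through unchanged. Keeping the scope in the key is deliberate: as the answer's comments point out, the bare `setbuf` is ambiguous across classes, while the scoped form still merges overloads. Back-references (`1`, `2` in `PAV12@`) are left unresolved because they only occur in the parameter lists this code does not read.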