One of the most important structures, describes executable module (.exe or DLL of any kind) loaded into the memory of the debugged application. Modules are listed in the sorted data of table module. Plugins should not attempt to modify module descriptions directly.
typedef struct t_module { // Descriptor of executable module
ulong base; // Base address of module
ulong size; // Size of memory occupied by module
ulong type; // Service information, TY_xxx+MOD_xxx
wchar_t modname[SHORTNAME]; // Short name of the module
wchar_t path[MAXPATH]; // Full name of the module
wchar_t version[TEXTLEN]; // Version of executable file
ulong fixupbase; // Base of image in executable file
ulong codebase; // Base address of module code block
ulong codesize; // Size of module code block
ulong entry; // Address of <ModuleEntryPoint> or 0
ulong sfxentry; // Address of SFX-packed entry or 0
ulong winmain; // Address of WinMain or 0
ulong database; // Base address of module data block
ulong edatabase; // Base address of export data table
ulong edatasize; // Size of export data table
ulong idatatable; // Base address of import data table
ulong iatbase; // Base of Import Address Table
ulong iatsize; // Size of IAT
ulong relocbase; // Base address of relocation table
ulong relocsize; // Size of relocation table
ulong resbase; // Base address of resources
ulong ressize; // Size of resources
ulong tlsbase; // Base address of TLS directory table
ulong tlssize; // Size of TLS directory table
ulong tlscallback; // Address of first TLS callback or 0
ulong netentry; // .NET entry (MOD_NETAPP only)
ulong clibase; // .NET CLI header base (MOD_NETAPP)
ulong clisize; // .NET CLI header base (MOD_NETAPP)
t_netstream netstr[NETSTREAM]; // Locations of default .NET streams
t_metadata metadata[MDTCOUNT]; // Descriptors of .NET MetaData tables
ulong sfxbase; // Base of memory block with SFX
ulong sfxsize; // Size of memory block with SFX
ulong rawhdrsize; // Size of PE header in file
ulong memhdrsize; // Size of PE header in memory
int nsect; // Number of sections in the module
t_secthdr *sect; // Extract from section headers
int nfixup; // Number of 32-bit fixups
ulong *fixup; // Array of 32-bit fixups
t_jmpdata jumps; // Jumps and calls from this module
t_nested loopnest; // Loop brackets
t_nested argnest; // Call argument brackets
t_simple predict; // Predicted ESP, EBP & results (sd_pred)
t_sorted strings; // Resource strings (t_string)
int saveudd; // UDD-relevant data is changed
int ncallmod; // No. of called modules (max. NCALLMOD)
wchar_t callmod[NCALLMOD][SHORTNAME]; // List of called modules
} t_module;
Members:
base
Base
address of the module in the memory space of debugged application.
Usually, but not necessarily, modules are aligned at 0x10000
size
Size
of the module in the memory space of debugged application, in bytes.
Note that the memory occupied by module may be (and frequently is)
non-continuous
type
Module attributes, a set of flags TY_xxx combined with the following module-specific flags:
MOD_MAIN - indicates main module (usually .exe)
MOD_SFX - module is recognized as self-extractable by OllyDbg
MOD_SFXDONE - original entry point of the self-extractable module was successfully found
MOD_RUNDLL - module is a DLL loaded by LOADDLL.EXE
MOD_SYSTEMDLL - system DLL (resides in the system directory)
MOD_SUPERSYS - system DLL with special rights. OllyDbg treats following DLLs as supersystem: ntdll, kernel32, user32, advapi32, shell32, gdi32
MOD_DBGDATA - debugging data (extracted and used by dbghelp.dll) is available
MOD_ANALYSED - module is already analysed
MOD_NODATA - module data is not yet available, most of t_module members are undefined
MOD_HIDDEN - module is loaded in stealth mode and is not reported by ToolHelp32 or similar APIs
MOD_NETAPP - .NET or mixed-mode application
MOD_RESOLVED - all static imports in the module are resolved. This flag is used internally by the Analyser and is not very reliable
modname
MOD_MAIN - indicates main module (usually .exe)
MOD_SFX - module is recognized as self-extractable by OllyDbg
MOD_SFXDONE - original entry point of the self-extractable module was successfully found
MOD_RUNDLL - module is a DLL loaded by LOADDLL.EXE
MOD_SYSTEMDLL - system DLL (resides in the system directory)
MOD_SUPERSYS - system DLL with special rights. OllyDbg treats following DLLs as supersystem: ntdll, kernel32, user32, advapi32, shell32, gdi32
MOD_DBGDATA - debugging data (extracted and used by dbghelp.dll) is available
MOD_ANALYSED - module is already analysed
MOD_NODATA - module data is not yet available, most of t_module members are undefined
MOD_HIDDEN - module is loaded in stealth mode and is not reported by ToolHelp32 or similar APIs
MOD_NETAPP - .NET or mixed-mode application
MOD_RESOLVED - all static imports in the module are resolved. This flag is used internally by the Analyser and is not very reliable
Short
module name, as used by OllyDbg, derived from the name of the
executable file (and usually coincides with it). Hidden modules with
unknown executable get names Mod_XXXX, where XXXX is the 16 most
significant bits of the module base in hexadecimal format
path
Fully qualified path to the executable file on the disk, or empty string if path is unknown
version
Version of the executable file, as returned by Getexeversion()
fixupbase
Defaut
load address of the module. Fixups in the executable file are adjusted
to this address. In most cases, main executable file is loaded on fixupbase, but DLLs are frequently reallocated
codebase
Base address of the code section mapped into memory, as reported in PE header. If necessary, OllyDbg may adjust or guess it
codesize
Size of the code
section in the memory of the debugged process. If necessary, OllyDbg
may adjust or guest it. Note that code section may consist of
several PE sections which are not necessarily continuous in the memory
entry
Address
of the module entry point in the memory of the debugged application. In
the main executable file linker usually points this address to the
initialization routine that makes compiler-dependent preparations and
calls WinMain() or main(). For DLLs, initialization routine calls DllEntryPoint() (also known as DllMain())
sfxentry
Address
of the real entry point of the original executable restored by
self-extractor, or 0 if module is not self-extractable or real entry
point is not yet known
winmain
Address of WinMain() in the memory of the debugged application, or 0 if address is unknown or this is not the main module
database
Base
address of the data section mapped into the memory of the debugged
application, as reported in PE header. If data base is not declared in
the header, OllyDbg attempts to guess it using section names and
attributes
edatabase
Base address of the export table in the memory of the debugged application. Note that export table does not necessarily start at the beginning of the section
edatasize
Size of the export table in bytes
idatatable
Base
address of the import data in the memory of the debugged application.
Note that import data does not necessarily start at the beginning of
the section
iatbase
Base address of the Import Address Table (IAT)
iatsize
Size of the Import Address Table in bytes
relocbase
Base address of the fixup table in the memory of the debugged application. Note
that fixup table does not necessarily start at the beginning of
the section. Format of the fixup table is less than intuitive,
OllyDbg extracts fixup data to a separate array (nfixup/fixup pair described below). Preferrable way to locate fixups is by calling Findfixup()
relocsize
Size of the fixup table in bytes
resbase
Base address of the resources in the memory of the debugged application
ressize
Size of the resources in bytes
tlsbase
Base address of the TLS directory (IMAGE_TLS_DIRECTORY)
in the memory of the debugged application. TLS stays for Thread Local
Storage and may specify one or more callback functions which are
executed before entry point of the application is called
tlssize
Size of the TLS directory in bytes
tlscallback
Address of the first TLL callback function or 0 if there are no TLS callbacks in the debugged application
netentry
Address of the entry point of the .NET application
clibase
Address of the IMAGE_COR20_HEADER in the memory of the debugged application, or 0 if this is not a .NET/mixed module. IMAGE_COR20_HEADER defines layout of the .NET executable
clisize
Size of the IMAGE_COR20_HEADER, as specified in the PE header. Ignored by OllyDbg
netstr
Locations of
default .NET streams (ASCII strings, GUIDs, Blob, UNICODE strings,
MetaData tables) in the memory of the debugged application. Filled with
zeros if this is not a .NET/mixed module. See t_netstream for details
metadata
Descriptors of .NET MetaData tables. Filled with zeros if this is not a .NET/mixed module. See t_metadata for details
sfxbase
Base address of the memory block containing self-extracting routine, or 0 if self-extractor was not detected
sfxsize
Size of the memory block containing self-extracting routine, or 0 if self-extractor was not detected
rawhdrsize
Size of PE headers (DOS, PE, sections) as declared in the PE Optional Header (member SizeOfHeaders)
memhdrsize
Size of PE headers rounded to the next multiple of the page size
nsect
Number of sections in the module
sect
List of sections defined in the executable file, array of nsect structures of type t_secthdr.
Note that PE header is not a section. Note also that OllyDbg may merge
two or more sections with similar attributes into the single memory
block
nfixup
Number of fixups (adjustable absolute addresses) in the module. If nfixup is 0, probably fixups were stripped from the executable file
fixup
Array of 32-bit fixup locations, nfixup+1 doublewords long. Last element is set to 0. If nfixup is 0, fixup may be NULL. Preferrable way to locate fixups is by calling Findfixup()
jumps
Pointer of type t_jmpdata to the table of jumps and calls found in the module. Use Findjumpfrom(), Findlocaljumpscallsto() and similar functions to access this data
loopnest
Descriptor of nested data containing list of loops found in the module by the Analyser. Each item in the list is of type t_loopnest. Loops may be nested
argnest
Descriptor of nested data containing list of argument brackets that indicate the scope of the call parameters. Each item in the list is of type t_argnest. Argument brackets may be nested
predict
Descriptor of simple data table that keeps values of registers ESP and EBP and results of command execution predicted by the Analyser. Each item in the data is a structure of type sd_pred
strings
Descriptor of sorted data containing addresses of resource strings in the memory of the debugged application. Each data element is a structure of type t_string
saveudd
Flag indicating
that some data kept in the .udd file was changed and OllyDbg should
save it back to the disk when module unloads
ncallmod
Number of valid items in callmod
callmod
List of the short names of the modules statically referenced by the given module. Length of this list is limited to NCALLMOD,
remaining names are ignored. OllyDbg uses this otherwise unreliable
information to optimize the order in which the modules are analysed
See also:
Analyser, nested data, simple data, sorted data, sd_pred, table, t_argnest, t_jmpdata, t_loopnest, t_metadata, t_nested, t_netstream, t_premod, t_secthdr, t_simple, t_sorted, t_string, Backupusercode(), Findfileoffset(), Findfixup(), Findmainmodule(), Findmodule(), Findmodulebyname(), Getexeversion(), Getmodulestring(), Issystem(), Ndisasm()