t_module

One of the most important structures, describes executable module (.exe or DLL of any kind) loaded into the memory of the debugged application. Modules are listed in the sorted data of table module. Plugins should not attempt to modify module descriptions directly.

 typedef struct t_module {              // Descriptor of executable module
  ulong          base;                 // Base address of module
  ulong          size;                 // Size of memory occupied by module
  ulong          type;                 // Service information, TY_xxx+MOD_xxx
  wchar_t        modname[SHORTNAME];   // Short name of the module
  wchar_t        path[MAXPATH];        // Full name of the module
  wchar_t        version[TEXTLEN];     // Version of executable file
  ulong          fixupbase;            // Base of image in executable file
  ulong          codebase;             // Base address of module code block
  ulong          codesize;             // Size of module code block
  ulong          entry;                // Address of <ModuleEntryPoint> or 0
  ulong          sfxentry;             // Address of SFX-packed entry or 0
  ulong          winmain;              // Address of WinMain or 0
  ulong          database;             // Base address of module data block
  ulong          edatabase;            // Base address of export data table
  ulong          edatasize;            // Size of export data table
  ulong          idatatable;           // Base address of import data table
  ulong          iatbase;              // Base of Import Address Table
  ulong          iatsize;              // Size of IAT
  ulong          relocbase;            // Base address of relocation table
  ulong          relocsize;            // Size of relocation table
  ulong          resbase;              // Base address of resources
  ulong          ressize;              // Size of resources
  ulong          tlsbase;              // Base address of TLS directory table
  ulong          tlssize;              // Size of TLS directory table
  ulong          tlscallback;          // Address of first TLS callback or 0
  ulong          netentry;             // .NET entry (MOD_NETAPP only)
  ulong          clibase;              // .NET CLI header base (MOD_NETAPP)
  ulong          clisize;              // .NET CLI header base (MOD_NETAPP)
  t_netstream    netstr[NETSTREAM];    // Locations of default .NET streams
  t_metadata     metadata[MDTCOUNT];   // Descriptors of .NET MetaData tables
  ulong          sfxbase;              // Base of memory block with SFX
  ulong          sfxsize;              // Size of memory block with SFX
  ulong          rawhdrsize;           // Size of PE header in file
  ulong          memhdrsize;           // Size of PE header in memory
  int            nsect;                // Number of sections in the module
  t_secthdr      *sect;                // Extract from section headers
  int            nfixup;               // Number of 32-bit fixups
  ulong          *fixup;               // Array of 32-bit fixups
  t_jmpdata      jumps;                // Jumps and calls from this module
  t_nested       loopnest;             // Loop brackets
  t_nested       argnest;              // Call argument brackets
  t_simple       predict;              // Predicted ESP, EBP & results (sd_pred)
  t_sorted       strings;              // Resource strings (t_string)
  int            saveudd;              // UDD-relevant data is changed
  int            ncallmod;             // No. of called modules (max. NCALLMOD)
  wchar_t        callmod[NCALLMOD][SHORTNAME]; // List of called modules
} t_module;


Members:

base
Base address of the module in the memory space of debugged application. Usually, but not necessarily, modules are aligned at 0x10000
size
Size of the module in the memory space of debugged application, in bytes. Note that the memory occupied by module may be (and frequently is) non-continuous
type
Module attributes, a set of flags TY_xxx combined with the following module-specific flags:
MOD_MAIN - indicates main module (usually .exe)
MOD_SFX - module is recognized as self-extractable by OllyDbg
MOD_SFXDONE - original entry point of the self-extractable module was successfully found
MOD_RUNDLL - module is a DLL loaded by LOADDLL.EXE
MOD_SYSTEMDLL - system DLL (resides in the system directory)
MOD_SUPERSYS - system DLL with special rights. OllyDbg treats following DLLs as supersystem: ntdll, kernel32, user32, advapi32, shell32, gdi32
MOD_DBGDATA - debugging data (extracted and used by dbghelp.dll) is available
MOD_ANALYSED - module is already analysed
MOD_NODATA - module data is not yet available, most of t_module members are undefined
MOD_HIDDEN - module is loaded in stealth mode and is not reported by ToolHelp32 or similar APIs
MOD_NETAPP - .NET or mixed-mode application
MOD_RESOLVED - all static imports in the module are resolved. This flag is used internally by the Analyser and is not very reliable
modname
Short module name, as used by OllyDbg, derived from the name of the executable file (and usually coincides with it). Hidden modules with unknown executable get names Mod_XXXX, where XXXX is the 16 most significant bits of the module base in hexadecimal format
path
Fully qualified path to the executable file on the disk, or empty string if path is unknown
version
Version of the executable file, as returned by Getexeversion()
fixupbase
Defaut load address of the module. Fixups in the executable file are adjusted to this address. In most cases, main executable file is loaded on fixupbase, but DLLs are frequently reallocated
codebase
Base address of the code section mapped into memory, as reported in PE header. If necessary, OllyDbg may adjust or guess it
codesize
Size of the code section in the memory of the debugged process. If necessary, OllyDbg may adjust or guest it. Note that code section may consist of several PE sections which are not necessarily continuous in the memory
entry
Address of the module entry point in the memory of the debugged application. In the main executable file linker usually points this address to the initialization routine that makes compiler-dependent preparations and calls WinMain() or main(). For DLLs, initialization routine calls DllEntryPoint() (also known as DllMain())
sfxentry
Address of the real entry point of the original executable restored by self-extractor, or 0 if module is not self-extractable or real entry point is not yet known
winmain
Address of WinMain() in the memory of the debugged application, or 0 if address is unknown or this is not the main module
database
Base address of the data section mapped into the memory of the debugged application, as reported in PE header. If data base is not declared in the header, OllyDbg attempts to guess it using section names and attributes
edatabase
Base address of the export table in the memory of the debugged application. Note that export table does not necessarily start at the beginning of the section
edatasize
Size of the export table in bytes
idatatable
Base address of the import data in the memory of the debugged application. Note that import data does not necessarily start at the beginning of the section
iatbase
Base address of the Import Address Table (IAT)
iatsize
Size of the Import Address Table in bytes
relocbase
Base address of the fixup table in the memory of the debugged application. Note that fixup table does not necessarily start at the beginning of the section. Format of the fixup table is less than intuitive, OllyDbg extracts fixup data to a separate array (nfixup/fixup pair described below). Preferrable way to locate fixups is by calling Findfixup()
relocsize
Size of the fixup table in bytes
resbase
Base address of the resources in the memory of the debugged application
ressize
Size of the resources in bytes
tlsbase
Base address of the TLS directory (IMAGE_TLS_DIRECTORY) in the memory of the debugged application. TLS stays for Thread Local Storage and may specify one or more callback functions which are executed before entry point of the application is called
tlssize
Size of the TLS directory in bytes
tlscallback
Address of the first TLL callback function or 0 if there are no TLS callbacks in the debugged application
netentry
Address of the entry point of the .NET application
clibase
Address of the IMAGE_COR20_HEADER in the memory of the debugged application, or 0 if this is not a .NET/mixed module. IMAGE_COR20_HEADER defines layout of the .NET executable
clisize
Size of the IMAGE_COR20_HEADER, as specified in the PE header. Ignored by OllyDbg
netstr
Locations of default .NET streams (ASCII strings, GUIDs, Blob, UNICODE strings, MetaData tables) in the memory of the debugged application. Filled with zeros if this is not a .NET/mixed module. See t_netstream for details
metadata
Descriptors of .NET MetaData tables. Filled with zeros if this is not a .NET/mixed module. See t_metadata for details
sfxbase
Base address of the memory block containing self-extracting routine, or 0 if self-extractor was not detected
sfxsize
Size of the memory block containing self-extracting routine, or 0 if self-extractor was not detected
rawhdrsize
Size of PE headers (DOS, PE, sections) as declared in the PE Optional Header (member SizeOfHeaders)
memhdrsize
Size of PE headers rounded to the next multiple of the page size
nsect
Number of sections in the module
sect
List of sections defined in the executable file, array of nsect structures of type t_secthdr. Note that PE header is not a section. Note also that OllyDbg may merge two or more sections with similar attributes into the single memory block
nfixup
Number of fixups (adjustable absolute addresses) in the module. If nfixup is 0, probably fixups were stripped from the executable file
fixup
Array of 32-bit fixup locations, nfixup+1 doublewords long. Last element is set to 0. If nfixup is 0, fixup may be NULL. Preferrable way to locate fixups is by calling Findfixup()
jumps
Pointer of type t_jmpdata to the table of jumps and calls found in the module. Use Findjumpfrom(), Findlocaljumpscallsto() and similar functions to access this data
loopnest
Descriptor of nested data containing list of loops found in the module by the Analyser. Each item in the list is of type t_loopnest. Loops may be nested
argnest
Descriptor of nested data containing list of argument brackets that indicate the scope of the call parameters. Each item in the list is of type t_argnest. Argument brackets may be nested
predict
Descriptor of simple data table that keeps values of registers ESP and EBP and results of command execution predicted by the Analyser. Each item in the data is a structure of type sd_pred
strings
Descriptor of sorted data containing addresses of resource strings in the memory of the debugged application. Each data element is a structure of type t_string
saveudd
Flag indicating that some data kept in the .udd file was changed and OllyDbg should save it back to the disk when module unloads
ncallmod
Number of valid items in callmod
callmod
List of the short names of the modules statically referenced by the given module. Length of this list is limited to NCALLMOD, remaining names are ignored. OllyDbg uses this otherwise unreliable information to optimize the order in which the modules are analysed


See also:
Analyser, nested data, simple datasorted data, sd_pred, table, t_argnest, t_jmpdata, t_loopnest, t_metadata, t_nested, t_netstream, t_premod, t_secthdr, t_simple, t_sorted, t_string, Backupusercode(), Findfileoffset(), Findfixup(), Findmainmodule(), Findmodule(), Findmodulebyname(), Getexeversion(), Getmodulestring(), Issystem(), Ndisasm()