Weekly digest 6

This is the sixth of (hopefully) many weekly digests. Basically it will highlight the things that happened to x64dbg and related projects during the week before.

Remove all breakpoints before detaching

When detaching x64dbg all breakpoints will be removed to prevent the debuggee from crashing when reaching breakpointed code.

Warnings when trying to set CIP to a non-executable page

When using the ‘Set New Origin Here’ option in the disassembler it will prompt you with a warning if the code there is not executable.

Fixed event filter plugin callbacks with Qt5

The PLUG_CB_WINEVENT callback is now working as intended again. This allows plugins to intercept and handle native window events that are usually handled by Qt. Multiline Ultimate Assembler uses this to handle hotkeys registered by the plugin. You can also use it to intercept mouse clicks and paint events for example.

Refactor command-related code

All commands have been cleanly organized in separate source files (matching the categories in the documentation). This should help new contributers to find the code they are looking for more easily.

Import multiple patches

You can now import multiple patch files from the patch manager. Just select multiple files in the browse dialog and enjoy patching!

Adjust width of status label for translations

The debug status label will now scale to the biggest translation width.

Active view API

Issue #917 has been partially addresses with this. The following code allows you to query the active view. The titles are subject to change, but the class names shouldn’t change.

ACTIVEVIEW activeView;
GuiGetActiveView(&activeView);
printf("activeTitle: %s, activeClass: %s\n", activeView.title, activeView.className);

Highlight ud2 and ud2b as unusual instructions

The ud2 in addition to various other unusual instructions are marked in red to draw attention when encountered.

Optimized menu order in the register view

In his blog post, kao mentioned that the context menu in the register view was bloated. This has now been addresses and menu options are roughly ordered to how often they are used in practice. If you see more issues like this, please let us know here.

Before:

After:

Lots of code improvements

Various static analysis runs with Coverity, ReSharper and Visual Studio provided lots of small bugs or anomalies and these have been fixed.

Allow debugging of AnyCPU .NET files

Pull request #1124 addressed a bug where .NET files with AnyCPU would not load in x64dbg because their headers had the wrong PE architecture.

Clarified SetMemoryBPX command

The SetMemoryBPX command has been slightly changed. There was confusion in issue #1123 what read, write and access mean exactly. This has been clarified in the documentation and the correct type of memory breakpoint is now set for ‘Access’ when using the GUI.

Improved follow in memory map

When using the follow in memory map option it will now scroll to the entry requested, it will also show the memory map if you weren’t looking at it already.

Highlight active view in CPU

The view that is currently active will be highlighted with a thin black border.

Print symbolic name on expression command

When typing an unknown command in the command bar your text will be evaluated as an expression and the result will be printed. When the expression resolves to a symbolic address it will now also display the symbol name.

Performance improvement of disasm command

The disasm command is now more responsive.

Corrected width of the Hex short dump

The default width of the ‘hex short’ dump view didn’t show all values, this has now been corrected.

Fixed bug with endianness in the float register editor

Issue #1127 has been fixed. When showing FPU registers as big endian the editor would interpret the values incorrectly.

Performance improvement in plugin loader

The plugin callback system didn’t have a separation on type, which meant that performance-critical locations that used plugin callbacks would pay for thing like menu callbacks. Every callback now has a separate list which solves the problem.

Type system

Issue #1108 that requests displaying types has been partially addressed. The basics of a type system have been implemented and you can now create and view types.

There is an example script available and the documentation is here. There will be a blog post later explaining the type system in more detail.

Fail assembling short jumps that don’t fit in 2 bytes

When assembling short jumps with keystone you could assemble short jumps that are not actually show. RaMMicHaeL has addressed this in pull request #1134.

Added plugin callback to filter symbols

Various symbols have no real meaning and these are filtered from view. Plugins can now register custom filter callbacks. This has been implemented by shamanas in pull request #1135.

Show comments/labels in the bookmark list

When listing bookmarks your comments/labels will now be shown in the list. This was implemented by Atvaark in pull request #1136.

Use reference view for varlist

The varlist command will now show variables in the reference view instead of the console.

Allow allocation at a specified address

The alloc command now has an optional second parameter that allows you to specify an address to allocate memory at (similar to VirtualAlloc).

Use CIP per default in imageinfo

The imageinfo command now uses CIP when no address is specified.

Final words

That has been about it for this week again. If you have any questions, contact us on Telegram, Gitter or IRC. If you want to see the changes in more detail, check the commit log.

You can always get the latest release of x64dbg here. If you are interested in contributing, check out this page.

Finally, if someone is interested in hiring me to work on x64dbg more, please contact me!