Ever wondered how Visual C++ encodes parameter info in the so-called decorated names?
This knowledge is close to useless, and the only time I needed it was when I tried to generate a DLL that needs to completely mimic another DLL’s exports. I wanted to re-create the original CPP & H file for a DLL that I had only the exports for. So I started looking on the Internet for info how decorated names are created. MSDN has just a little paragraph about decorated names stating:

A decorated name for a C++ function contains the following information:
The function name.
The class that the function is a member of, if it is a member function. This may include the class that encloses the function’s class, and so on.
The namespace the function belongs to (if it is part of a namespace).
The types of the function’s parameters.
The calling convention.
The return type of the function.

I found that info insufficient, so I decided to figure out the format by declaring functions and looking at the decorated name that the compiler generates. The conclusions I have made are for sure not complete, I just only went that far so that I can re-create the declaration of each of the functions in that DLL. But the result IMHO is usable and even if I have missed a type it can be easily added.

Here is what I have figured out about the format:

1. C++ decorated names start with a ‘?’ sign.
2. The name and namespace/class follows in format name@class@@
3. Visibility specifier follows:

A – private
I – protected
Q – public

4. Unknown character follows (always A)
5. Definition of the parameters (see below)
6. The decorated name ends with “@Z”

Ok, so number 5 of the above list is pretty general :). Let’s be a little more specific :).
Types can start with an arbitrary number of the following modifiers:

PA:	*
AA:	&
PB:	const *
QA:	*const
AB:	const &

The type signature follows. Here is the table:

E	this pointer
P6	Function pointer (complete function declaration follows)
D	char
X	void
F	short
J	long
H	int
M	float
N	double
O	long double
E	unsigned char
G	unsigned short
I	unsigned int
K	unsigned long
_J	__int64
_F	__int16
_H	__int32
_D	__int8
?	Type name follow terminated by @@
U	User type. If it starts with a digit – index of user type. If it starts with a letter – new user type. Consider the following example – the function void func(MyType *a, MyType b) has decorated name of ?func@@YAXPAUMyType@@U1@@Z
V	Similar to U. Not sure what it is about. Appears when the user type is the class that the method is member of.

Here is a class that will parse a decorated name, and print its declaration :) Have fun hooking C++ DLLs :)

CPPFunc.c
CPPFunc.h

Dumping exception information in Windows applications

Had to make a Windows application dump exception info into a file for debugging purposes. Generally MS provies a prety neat function for it – GetExceptionInformation. One tricky thing was getting the module file name of the process that generated the exception – I had to do VirtualQuery on the exception address, then use the mbi.AllocationBase as a module handle (didn’t figure that out myself, googled for it of course).

Anyway, since I lost more then 30 minutes for it I decided to share it. Use this source and the exception handle your main function like this:

int _tmain(int argc, _TCHAR* argv[])
{

__try
{
}
__except( GetExceptionInfo( GetExceptionInformation(), “error.log” ), EXCEPTION_EXECUTE_HANDLER )
{
}

}

This way, when an exception occurs a file error.log will be generated that looks like this:

Exception Code: C0000005, Address: 00401646
Module: C:\DUMP\DEBUG\DUMP.EXE
Registers:
EAX:00000000, EBX:0063F6B4, ECX:0063F644, EDX:00410078, ESI:000086D8, EDI:0063F668
SS:00000167, ESP:0063F62C, EBP:0063F654, CS:0000015F, EIP:00401646, Flags:00010246
DS:00000167, ES:00000167, FS:00003CD7, GS:00000000
Stack:
0063F668 000086D8 0063F6B4 0063FCF0 0063F62C 0063F45C 0063F69C 00401B48
004051C8 00000000 0063F660 5F43507B 0063FCF0 0063F680 BFF7363B 00000250