2

I opened wsl.exe in IDA Pro v7 and followed some strings. I saw some strings with a .cpp extension. Can anyone explain what those .cpp files in that disassembly are? Where can I find them? Are they hidden somewhere?

Here is an example: base\subsys\wsl\lxss\lxcmdlineshared\svccomm.cpp

IDA_cpp_file

Biswapriyo
  • Better to look at the pseudocode, but I suppose sub_140004430 is an assert or log function, not just print. Also notice 0x4A (174 in dec); most likely it is the line number. – mblw Jun 01 '23 at 10:13

3 Answers

8

I commented and then read malikcjm's answer.

So this is basically an extension of malikcjm's answer.

Suppose you have code like this and load the compiled exe into IDA:

#include <stdio.h>

/* __FILE__ expands to a string literal holding this source file's name. */
int main(void) {
    printf("%s\n", __FILE__);
    return 0;
}

You will get the cpp file reference

These __FILE__, __LINE__ etc. are predefined macros that are defined in the C++ Standard, as well as some Microsoft-specific predefined macros.

Take a look at PRE_DEFINED_MACROS for a discussion and usage of these predefined macros.

These predefined macros are not restricted to debug mode alone; they can be used in release mode also.

Here is example code that uses them in release mode:

#include <windows.h>
#pragma comment (lib , "test.lib")
#pragma comment (lib , "kernel32.lib")
#pragma comment (lib , "user32.lib")
_declspec (dllexport) int  AddNum(int a, int b);
char buff[0x100] = { 0 };
PCHAR timepass(int a, PCHAR b) {
    wsprintfA(buff,"%d %s\n%s\t%s\t%s\n", a,b,__FUNCTION__,__FUNCDNAME__,__FUNCSIG__);
    OutputDebugStringA(buff);
    wsprintfA(buff,"we are done passing time\n");
    return buff;    
}
int main(void) {
    wsprintfA(buff, "3 + 5 = %x\n", AddNum(3, 5));
    OutputDebugStringA(buff);
    wsprintfA(buff, "%s\n", __FILE__);
    OutputDebugStringA(buff);
    wsprintfA(buff, "%s\n", __DATE__);
    OutputDebugStringA(buff);
    wsprintfA(buff, "%d\n", __LINE__);
    OutputDebugStringA(buff);
    wsprintfA(buff, "%s\n", __func__);
    OutputDebugStringA(buff);
    OutputDebugStringA(timepass(1337 , "we are now going to pass time"));
    return 0;
}

Compiled and linked with:

 cl /nologo use%1.cpp /link /ENTRY:main /SUBSYSTEM:windows /RELEASE

Executed in a debugger, it would show:

>cdb -c "g;q" usetest.exe | tail -n 13
DLL_PROCESS_ATTACH Called

3 + 5 = 8
usetest.cpp
Mar  1 2018
20
main
1337 we are now going to pass time
timepass        ?timepass@@YAPADHPAD@Z  char *__cdecl timepass(int,char *)
we are done passing time
DLL_PROCESS_DETACH Called
quit:

If a PDB is available, we can get the so-called leaks from it too. An example of file paths from an ntdll PDB:

e:\cvdump>cvdump -sf e:\SYMBOLS\ntdll.pdb\120028FA453F4CD5A6A404EC37396A582\ntdll.pdb >> leaks.txt

e:\cvdump>wc -l leaks.txt
860 leaks.txt

e:\cvdump>grep "daytona" leaks.txt  | grep ldrs
** Module: "o:\w7rtm.obj.x86fre\minkernel\ntdll\daytona\objfre\i386\ldrstart.obj"
** Module: "o:\w7rtm.obj.x86fre\minkernel\ntdll\daytona\objfre\i386\ldrsnap.obj"
Igor Skochinsky
blabb
  • this might be some kind of debug messages I guess.. – Paweł Łukasik Mar 01 '18 at 07:26
  • @PawełŁukasik those are predefined macros; they are expanded to their current values by the preprocessor prior to compiling the code. I added a link in the answer, take a look – blabb Mar 01 '18 at 07:45
  • I know that __FILE__ is predefined, but I was commenting on the fact of using it in production code. I would expect to see it in Debug mode – Paweł Łukasik Mar 01 '18 at 07:48
  • @PawełŁukasik no, they are not restricted to debug mode; you can happily use them in release mode also. I added a code sample too – blabb Mar 01 '18 at 08:58
  • yes, I also know that :) but I was more wondering why they would be left there for release mode :) it's leaking a bit of info – Paweł Łukasik Mar 01 '18 at 09:00
  • hehe, well, maybe you are presuming it is release mode; maybe they are not. And to be frank, if you consider __FILE__ to be a leak then you can extract all of these leaks from the PDB too – blabb Mar 01 '18 at 09:03
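The embedded paths discussed in this answer can be listed without a disassembler, which is a quick way to check what a release build exposes through __FILE__. This is an added example, not code from the question or any answer; the extension list, the 6-character minimum and the sample bytes (including the wide-string path) are constructed assumptions.

```python
import ntpath
import re

# Printable runs of at least 6 characters, in the two encodings MSVC emits
# for string literals: narrow ("...") and wide (L"...").
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# A whole string that is nothing but a path ending in a source extension.
# Spaces are excluded on purpose so help text such as "tool file.c" is ignored.
SRC_PATH = re.compile(r"[\w.\-\\/:]+\.(?:cpp|cxx|cc|c|hpp|hxx|h|inl)", re.I)

# Constructed sample "image": code-like bytes, the path from the question,
# a constructed wide-string path, and two strings that must not be reported.
SAMPLE = (
    b"\x48\x8d\x0d\x10\x00\x00\x00"
    + b"base\\subsys\\wsl\\lxss\\lxcmdlineshared\\svccomm.cpp\x00"
    + b"\xff\xfe\x01"
    + "d:\\build\\src\\helper.h".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00usage: tool file.c [options]\x00"
)


def find_source_paths(data: bytes):
    """Return (offset, encoding, path) for each NUL-terminated source path."""
    hits = []
    for rx, enc, nul in ((ASCII_RUN, "ascii", b"\x00"),
                         (WIDE_RUN, "utf-16-le", b"\x00\x00")):
        for m in rx.finditer(data):
            # __FILE__ expands to a C string literal, so require the terminator.
            if data[m.end():m.end() + len(nul)] != nul:
                continue
            text = m.group().decode(enc)
            if SRC_PATH.fullmatch(text):
                hits.append((m.start(), enc, text))
    return sorted(hits)


def leaked_directories(hits):
    """Unique build-tree directories revealed by the embedded paths."""
    dirs = {ntpath.dirname(path) for _, _, path in hits}
    return sorted(d for d in dirs if d)


if __name__ == "__main__":
    for off, enc, path in find_source_paths(SAMPLE):
        print(f"{off:#06x} {enc:<9} {path}")
    print(leaked_directories(find_source_paths(SAMPLE)))
```

To check a real file, pass `open(path, "rb").read()` to `find_source_paths` instead of `SAMPLE`.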
2

There are no *.cpp files in the disassembly. It looks like an automatically generated file path string. It's sometimes used for logging. It can be generated if the __FILE__ preprocessor directive was used somewhere in the source code.

Igor Skochinsky
malikcjm
1

This is just a string in the binary file that, for some reason, represents the file name, in this case a cpp file. Maybe this binary for some reason needs to access it on the system, or checks if they exist and does some work if so (or if not).

They are not hidden and unfortunately not available.

Paweł Łukasik
  • Is it a dead end? Should I care about those string values? – Biswapriyo Feb 28 '18 at 21:36
  • it depends on the binary. Google search gives some links to Ubuntu subsystem for Windows - is that what you are looking at? – Paweł Łukasik Feb 28 '18 at 22:10
  • yes, wsl.exe is the Linux subsystem for Windows, and those file names are the src files that were used to compile (it remains there for use in __FILE__ debug prints) – blabb Feb 28 '18 at 22:32