[逆向破解/内核驱动] dbghelp PDB符号文件解析 结构 局部变量 全部变量 基址偏移

  • ta_mind

    2019-8-30 13:16
    dbghelp PDB符号文件解析：结构、局部变量、全部变量、基址偏移定位示例代码。不懂的可以联系我 QQ 150330575
    SymFreeDiaString
    SymGetDiaSession
    SymGetLineFromAddrEx
    SymGetLineFromNameEx
    SymGetLineNextEx
    SymGetLinePrevEx
    SymGetOmapBlockBase
    _EFN_DumpImage
    DbgHelpCreateUserDump
    DbgHelpCreateUserDumpW
    EnumDirTree
    EnumDirTreeW
    EnumerateLoadedModules
    EnumerateLoadedModules64
    EnumerateLoadedModulesEx
    EnumerateLoadedModulesExW
    EnumerateLoadedModulesW64
    ExtensionApiVersion
    FindDebugInfoFile
    FindDebugInfoFileEx
    FindDebugInfoFileExW
    FindExecutableImage
    FindExecutableImageEx
    FindExecutableImageExW
    FindFileInPath
    FindFileInSearchPath
    GetSymLoadError
    GetTimestampForLoadedLibrary
    ImageDirectoryEntryToData
    ImageDirectoryEntryToDataEx
    ImageNtHeader
    ImageRvaToSection
    ImageRvaToVa
    ImagehlpApiVersion
    ImagehlpApiVersionEx
    MakeSureDirectoryPathExists
    MiniDumpReadDumpStream
    MiniDumpWriteDump
    RangeMapAddPeImageSections
    RangeMapCreate
    RangeMapFree
    RangeMapRead
    RangeMapRemove
    RangeMapWrite
    RemoveInvalidModuleList
    ReportSymbolLoadSummary
    SearchTreeForFile
    SearchTreeForFileW
    SetCheckUserInterruptShared
    SetSymLoadError
    StackWalk
    StackWalk64
    StackWalkEx
    SymAddSourceStream
    SymAddSourceStreamA
    SymAddSourceStreamW
    SymAddSymbol
    SymAddSymbolW
    SymAddrIncludeInlineTrace
    SymCleanup
    SymCompareInlineTrace
    SymDeleteSymbol
    SymDeleteSymbolW
    SymEnumLines
    SymEnumLinesW
    SymEnumProcesses
    SymEnumSourceFileTokens
    SymEnumSourceFiles
    SymEnumSourceFilesW
    SymEnumSourceLines
    SymEnumSourceLinesW
    SymEnumSym
    SymEnumSymbols
    SymEnumSymbolsEx
    SymEnumSymbolsExW
    SymEnumSymbolsForAddr
    SymEnumSymbolsForAddrW
    SymEnumSymbolsW
    SymEnumTypes
    SymEnumTypesByName
    SymEnumTypesByNameW
    SymEnumTypesW
    SymEnumerateModules
    SymEnumerateModules64
    SymEnumerateModulesW64
    SymEnumerateSymbols
    SymEnumerateSymbols64
    SymEnumerateSymbolsW
    SymEnumerateSymbolsW64
    SymFindDebugInfoFile
    SymFindDebugInfoFileW
    SymFindExecutableImage
    SymFindExecutableImageW
    SymFindFileInPath
    SymFindFileInPathW
    SymFromAddr
    SymFromAddrW
    SymFromIndex
    SymFromIndexW
    SymFromInlineContext
    SymFromInlineContextW
    SymFromName
    SymFromNameW
    SymFromToken
    SymFromTokenW
    SymFunctionTableAccess
    SymFunctionTableAccess64
    SymFunctionTableAccess64AccessRoutines
    SymGetExtendedOption
    SymGetFileLineOffsets64
    SymGetHomeDirectory
    SymGetHomeDirectoryW
    SymGetLineFromAddr
    SymGetLineFromAddr64
    SymGetLineFromAddrW64
    SymGetLineFromInlineContext
    SymGetLineFromInlineContextW
    SymGetLineFromName
    SymGetLineFromName64
    SymGetLineFromNameW64
    SymGetLineNext
    SymGetLineNext64
    SymGetLineNextW64
    SymGetLinePrev
    SymGetLinePrev64
    SymGetLinePrevW64
    SymGetModuleBase
    SymGetModuleBase64
    SymGetModuleInfo
    SymGetModuleInfo64
    SymGetModuleInfoW
    SymGetModuleInfoW64
    SymGetOmaps
    SymGetOptions
    SymGetScope
    SymGetScopeW
    SymGetSearchPath
    SymGetSearchPathW
    SymGetSourceFile
    SymGetSourceFileChecksum
    SymGetSourceFileChecksumW
    SymGetSourceFileFromToken
    SymGetSourceFileFromTokenW
    SymGetSourceFileToken
    SymGetSourceFileTokenW
    SymGetSourceFileW
    SymGetSourceVarFromToken
    SymGetSourceVarFromTokenW
    SymGetSymFromAddr
    SymGetSymFromAddr64
    SymGetSymFromName
    SymGetSymFromName64
    SymGetSymNext
    SymGetSymNext64
    SymGetSymPrev
    SymGetSymPrev64
    SymGetSymbolFile
    SymGetSymbolFileW
    SymGetTypeFromName
    SymGetTypeFromNameW
    SymGetTypeInfo
    SymGetTypeInfoEx
    SymGetUnwindInfo
    SymInitialize
    SymInitializeW
    SymLoadModule
    SymLoadModule64
    SymLoadModuleEx
    SymLoadModuleExW
    SymMatchFileName
    SymMatchFileNameW
    SymMatchString
    SymMatchStringA
    SymMatchStringW
    SymNext
    SymNextW
    SymPrev
    SymPrevW
    SymQueryInlineTrace
    SymRefreshModuleList
    SymRegisterCallback
    SymRegisterCallback64
    SymRegisterCallbackW64
    SymRegisterFunctionEntryCallback
    SymRegisterFunctionEntryCallback64
    SymSearch
    SymSearchW
    SymSetContext
    SymSetExtendedOption
    SymSetHomeDirectory
    SymSetHomeDirectoryW
    SymSetOptions
    SymSetParentWindow
    SymSetScopeFromAddr
    SymSetScopeFromIndex
    SymSetScopeFromInlineContext
    SymSetSearchPath
    SymSetSearchPathW
    SymSrvDeltaName
    SymSrvDeltaNameW
    SymSrvGetFileIndexInfo
    SymSrvGetFileIndexInfoW
    SymSrvGetFileIndexString
    SymSrvGetFileIndexStringW
    SymSrvGetFileIndexes
    SymSrvGetFileIndexesW
    SymSrvGetSupplement
    SymSrvGetSupplementW
    SymSrvIsStore
    SymSrvIsStoreW
    SymSrvStoreFile
    SymSrvStoreFileW
    SymSrvStoreSupplement
    SymSrvStoreSupplementW
    SymUnDName
    SymUnDName64
    SymUnloadModule
    SymUnloadModule64
    UnDecorateSymbolName
    UnDecorateSymbolNameW
    WinDbgExtensionDllInit
    
    
    
    
    
    #include 
    #include 
    #include 
    #pragma comment(lib,"dbghelp.lib")
    
    #include "EnumGlobal_PdbSym.h"
    
    // Symbol tags as returned by SymGetTypeInfo(..., TI_GET_SYMTAG, ...).
    // The order, and therefore each tag's numeric value, follows the DIA SDK's
    // cvconst.h; the values are spelled out so that contract is visible.
    enum SymTagEnum
    {
        SymTagNull            = 0,
        SymTagExe             = 1,
        SymTagCompiland       = 2,
        SymTagCompilandDetails = 3,
        SymTagCompilandEnv    = 4,
        SymTagFunction        = 5,
        SymTagBlock           = 6,
        SymTagData            = 7,
        SymTagAnnotation      = 8,
        SymTagLabel           = 9,
        SymTagPublicSymbol    = 10,
        SymTagUDT             = 11,   // user-defined type: struct, class or union
        SymTagEnum            = 12,
        SymTagFunctionType    = 13,
        SymTagPointerType     = 14,
        SymTagArrayType       = 15,
        SymTagBaseType        = 16,
        SymTagTypedef         = 17,
        SymTagBaseClass       = 18,
        SymTagFriend          = 19,
        SymTagFunctionArgType = 20,
        SymTagFuncDebugStart  = 21,
        SymTagFuncDebugEnd    = 22,
        SymTagUsingNamespace  = 23,
        SymTagVTableShape     = 24,
        SymTagVTable          = 25,
        SymTagCustom          = 26,
        SymTagThunk           = 27,
        SymTagCustomType      = 28,
        SymTagManagedType     = 29,
        SymTagDimension       = 30,
        SymTagMax             = 31    // one past the last valid tag
    };
    
    // MessageBoxTimeout support: user32.dll exports these two functions but the
    // public SDK headers do not declare them, hence the manual prototypes. They
    // behave like MessageBoxA/W with an extra auto-dismiss timeout in
    // milliseconds; the link still needs user32.lib (normally pulled in by
    // default). Only the W variant is actually called in this file.
    extern "C"
    {
        int WINAPI MessageBoxTimeoutA(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType, IN WORD wLanguageId, IN DWORD dwMilliseconds);
        int WINAPI MessageBoxTimeoutW(IN HWND hWnd, IN LPCWSTR lpText, IN LPCWSTR lpCaption, IN UINT uType, IN WORD wLanguageId, IN DWORD dwMilliseconds);
    };
    // Generic-text name, mirroring the MessageBoxA/MessageBoxW convention.
    #ifdef UNICODE
    #define MessageBoxTimeout MessageBoxTimeoutW
    #else
    #define MessageBoxTimeout MessageBoxTimeoutA
    #endif
    
    // Parameterless overload of the dbghelp callback declared right below it.
    // It does nothing and nothing in this file calls it; it has the wrong
    // signature to be passed to SymEnumTypesByName. NOTE(review): looks like a
    // leftover stub that could be deleted.
    void CALLBACK EnumTypesByNameProc()
    {

    }
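    // Callback for SymEnumTypesByName: prints, for each matching type, its name
    // and the number of child symbols (members). UserContext is unused.
    //
    // pSymInfo   - the type's SYMBOL_INFO as filled in by dbghelp
    // SymbolSize - unused
    // UserContext- unused
    // Returns TRUE so the enumeration continues with the next type.
    //
    // Fixes against the posted version: the name was printed before it was
    // queried (always NULL), the TI_GET_SYMNAME string was never LocalFree'd,
    // and the result of TI_GET_CHILDRENCOUNT was queried but never shown.
    BOOL CALLBACK EnumTypesByNameProc(
        __in PSYMBOL_INFO pSymInfo,
        __in ULONG SymbolSize,
        __in_opt PVOID UserContext
        )
    {
        (void)SymbolSize;
        (void)UserContext;
        HANDLE hProcess = GetCurrentProcess();

        // Number of child symbols of this type; left at 0 if the query fails.
        DWORD ElementCount = 0;
        if (!SymGetTypeInfo(hProcess, pSymInfo->ModBase, pSymInfo->TypeIndex, TI_GET_CHILDRENCOUNT, &ElementCount))
        {
            ElementCount = 0;
        }

        // TI_GET_SYMNAME returns a wide string allocated with LocalAlloc; the
        // caller owns it and must LocalFree it.
        WCHAR *pBuffer = NULL;
        if (SymGetTypeInfo(hProcess, pSymInfo->ModBase, pSymInfo->TypeIndex, TI_GET_SYMNAME, &pBuffer))
        {
            wprintf(L"EnumTypesByNameProc: %s children=%lu %p\r\n", pBuffer, ElementCount, pBuffer);
            LocalFree(pBuffer);
        }
        else
        {
            printf("EnumTypesByNameProc: TI_GET_SYMNAME GetLastError Code=%lu \r\n", GetLastError());
        }
        return TRUE;
    }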
    
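    #define szNtdllPathName "C:\\windows\\system32\\ntdll.dll"

    // Returns the size in bytes of the image file at pszPath, or 0 if it cannot
    // be opened or sized. The file handle is closed before returning; the posted
    // version never closed it and never checked for INVALID_HANDLE_VALUE.
    // A size of 0 is acceptable for SymLoadModuleEx, which then reads the size
    // from the image itself.
    static DWORD GetImageFileSize(LPCSTR pszPath)
    {
        HANDLE hFile = CreateFileA(pszPath, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
        if (hFile == INVALID_HANDLE_VALUE)
        {
            printf("CreateFileA(%s):GetLastError Code=%lu \r\n", pszPath, GetLastError());
            return 0;
        }
        DWORD dwSize = GetFileSize(hFile, NULL);
        CloseHandle(hFile);
        return (dwSize == INVALID_FILE_SIZE) ? 0 : dwSize;
    }

    // Prints "[idx] TYPEID=<child id> <offset>:Name is <name>" for every child
    // (member) of the UDT identified by modBase/TypeIndex.
    // Returns FALSE if TI_GET_CHILDRENCOUNT or TI_FINDCHILDREN failed or the
    // child table could not be allocated; per-member offset/name failures are
    // reported and skipped. The child table is freed on every exit path (the
    // posted version leaked its malloc and did not check it for NULL).
    static BOOL DumpUdtMembers(DWORD64 modBase, ULONG TypeIndex)
    {
        HANDLE hProcess = GetCurrentProcess();

        DWORD ElementCount = 0;
        if (!SymGetTypeInfo(hProcess, modBase, TypeIndex, TI_GET_CHILDRENCOUNT, &ElementCount))
        {
            DWORD dwErr = GetLastError();
            printf("TI_GET_CHILDRENCOUNT:GetLastError Code=%lu ,%lX \r\n", dwErr, dwErr);
            return FALSE;
        }

        // TI_FINDCHILDREN_PARAMS ends in ChildId[1]; sizeof() already covers one
        // slot, so ElementCount extra slots leaves one spare rather than one short.
        size_t cbFind = sizeof(TI_FINDCHILDREN_PARAMS) + (size_t)ElementCount * sizeof(ULONG);
        TI_FINDCHILDREN_PARAMS *pCP = (TI_FINDCHILDREN_PARAMS*)calloc(1, cbFind);
        if (pCP == NULL)
        {
            printf("calloc(%lu) failed \r\n", (unsigned long)cbFind);
            return FALSE;
        }
        pCP->Count = ElementCount;
        pCP->Start = 0;

        if (!SymGetTypeInfo(hProcess, modBase, TypeIndex, TI_FINDCHILDREN, pCP))
        {
            DWORD dwErr = GetLastError();
            printf("TI_FINDCHILDREN:GetLastError Code=%lu ,%lX \r\n", dwErr, dwErr);
            free(pCP);
            return FALSE;
        }

        printf("\r\n");
        for (DWORD i = 0; i < ElementCount; ++i)
        {
            // ChildId is an array; the posted listing had lost the "[i]" index
            // (passing the array itself where a ULONG is expected does not compile).
            ULONG childId = pCP->ChildId[i];
            printf("[%02lu] TYPEID=%lu ", i, childId);

            // TI_GET_OFFSET is not fatal: members without an offset are shown as 0.
            DWORD dwOffset = 0;
            SymGetTypeInfo(hProcess, modBase, childId, TI_GET_OFFSET, &dwOffset);

            WCHAR *pNameW = NULL;
            if (SymGetTypeInfo(hProcess, modBase, childId, TI_GET_SYMNAME, &pNameW))
            {
                wprintf(L"%08X:Name is %s\n", dwOffset, pNameW);
                LocalFree(pNameW);   // TI_GET_SYMNAME strings are LocalAlloc'ed by dbghelp
            }
            else
            {
                printf("GetLastError Code=%lu \r\n", GetLastError());
            }
        }

        free(pCP);
        return TRUE;
    }

    // Looks up the symbol pszStart with SymFromName and then walks forward
    // through the module's symbol table with SymNext, printing each name
    // (pszStart itself included). SYMBOL_INFO ends in Name[1], so a buffer of
    // MAX_SYM_NAME characters is carved out behind it and MaxNameLen set to
    // match; with the bare struct (MaxNameLen == 0) dbghelp cannot return any
    // name, and the posted version additionally printed the narrow Name with a
    // wide "%s" and walked on even when SymFromName had failed.
    static void WalkGlobalSymbolsFrom(LPCSTR pszStart)
    {
        HANDLE hProcess = GetCurrentProcess();

        // ULONG64-aligned backing store for SYMBOL_INFO + MAX_SYM_NAME name bytes.
        ULONG64 symBuf[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(CHAR) + sizeof(ULONG64) - 1) / sizeof(ULONG64)] = {0};
        SYMBOL_INFO *pSym = (SYMBOL_INFO*)symBuf;
        pSym->SizeOfStruct = sizeof(SYMBOL_INFO);
        pSym->MaxNameLen = MAX_SYM_NAME;

        if (!SymFromName(hProcess, pszStart, pSym))
        {
            printf("SymFromName(%s):GetLastError Code=%lu \r\n", pszStart, GetLastError());
            return;
        }
        printf(" symInfo.Name=%s \r\n", pSym->Name);
        // SymNext advances to the next symbol in the module; FALSE ends the walk.
        // SymEnumSymbols would be the alternative for enumerating all globals.
        while (SymNext(hProcess, pSym))
        {
            printf(" symInfo.Name=%s \r\n", pSym->Name);
        }
    }

    // Initialises dbghelp for this process, registers ntdll's symbols (PDB
    // expected under the local C:\symbols store; no srv* download path is
    // configured), dumps the members of _EPROCESS with their offsets, and
    // finally walks the global symbols starting at ZwOpenProcess.
    // Every failure is reported on stdout (some also via MessageBoxTimeoutW)
    // and the constructor returns early; there is no exception path.
    EnumGlobal_PdbSym::EnumGlobal_PdbSym()
    {
        HANDLE hProcess = GetCurrentProcess();

        DWORD Options = SymGetOptions();
        Options = Options | SYMOPT_DEBUG;   // verbose symbol-loading diagnostics
        SymSetOptions(Options);

        // fInvadeProcess = TRUE: dbghelp enumerates the process' loaded modules
        // (ntdll among them) and registers them at their real base addresses.
        BOOL br = SymInitializeW(hProcess, L"C:\\symbols", TRUE);
        printf("SymInitializeW br=%d \r\n", br);
        if (!br)
        {
            printf("SymInitializeW:GetLastError Code=%lu \r\n", GetLastError());
            return;
        }

        DWORD DllSize = GetImageFileSize(szNtdllPathName);

        // ntdll is mapped into every process; LoadLibraryA only hands back its base.
        DWORD64 modBase = (DWORD64)LoadLibraryA("ntdll.dll");

        // Register the symbol module at the address ntdll actually occupies so
        // the offsets printed below line up with this process. The posted
        // version passed BaseOfDll = 0, which makes dbghelp use the image's
        // preferred base; that can differ from modBase under ASLR, and the later
        // lookups by modBase could then miss the module.
        DWORD64 dw64Ret = SymLoadModuleEx(hProcess, NULL, szNtdllPathName, NULL, modBase, DllSize, NULL, NULL);
        if (dw64Ret == 0)
        {
            // Per the SymLoadModuleEx documentation, 0 with ERROR_SUCCESS means
            // the module was already loaded (here: by fInvadeProcess above),
            // which is not a failure.
            if (GetLastError() != ERROR_SUCCESS)
            {
                MessageBoxTimeoutW(NULL, L"SymLoadModuleEx", L"ERROR44", MB_OK, 0, 10000);
                return;
            }
            dw64Ret = modBase;
        }
        printf("SymLoadModuleEx dw64Ret=%016llX \r\n", (unsigned long long)dw64Ret);

        // Properly sized SYMBOL_INFO (see WalkGlobalSymbolsFrom for the layout).
        ULONG64 symBuf[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(CHAR) + sizeof(ULONG64) - 1) / sizeof(ULONG64)] = {0};
        SYMBOL_INFO *pSymInfo = (SYMBOL_INFO*)symBuf;
        pSymInfo->SizeOfStruct = sizeof(SYMBOL_INFO);
        pSymInfo->MaxNameLen = MAX_SYM_NAME;

        //+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO
        br = SymGetTypeFromName(hProcess, dw64Ret, "_EPROCESS", pSymInfo);
        if (!br)
        {
            DWORD dwErr = GetLastError();
            printf("SymGetTypeFromName:GetLastError Code=%lu ,%lX \r\n", dwErr, dwErr);
            return;
        }

        // br= SymEnumTypesByName(GetCurrentProcess(),NULL,"*!*",EnumTypesByNameProc,NULL); // alternative: enumerate every type
        if (!DumpUdtMembers(pSymInfo->ModBase, pSymInfo->TypeIndex))
        {
            return;
        }

        DWORD symTag = 0;
        br = SymGetTypeInfo(hProcess, pSymInfo->ModBase, pSymInfo->TypeIndex, TI_GET_SYMTAG, &symTag);
        if (!br)
        {
            MessageBoxTimeoutW(NULL, L"SymGetTypeInfo", L"ERROR33", MB_OK, 0, 10000);
            printf("SymGetTypeInfo br=%d \r\n", br);
            return;
        }

        // SymTagUDT (11): user-defined type, i.e. struct, class or union.
        if (symTag == SymTagUDT)
        {
            WalkGlobalSymbolsFrom("ZwOpenProcess");
        }
    }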
    
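    // Releases the dbghelp state the constructor attached to this process with
    // SymInitializeW. The posted version left the destructor empty, so every
    // instance leaked the symbol-handler state for the rest of the process'
    // life. If SymInitializeW itself had failed, SymCleanup merely returns
    // FALSE, which is harmless.
    EnumGlobal_PdbSym::~EnumGlobal_PdbSym()
    {
        SymCleanup(GetCurrentProcess());
    }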

    帖子来源:郁金香
    不积跬步,无以至千里