dbghelp PDB符号文件解析 结构 局部变量 全局变量 基址偏移

发表于 2019-9-4 00:10:13
dbghelp PDB 符号文件解析:结构、局部变量、全局变量、基址偏移定位的示例代码。不懂的可以联系我,QQ 150330575。
下面先列出 dbghelp.dll 的导出函数名,随后是示例代码。
SymFreeDiaString
SymGetDiaSession
SymGetLineFromAddrEx
SymGetLineFromNameEx
SymGetLineNextEx
SymGetLinePrevEx
SymGetOmapBlockBase
_EFN_DumpImage
DbgHelpCreateUserDump
DbgHelpCreateUserDumpW
EnumDirTree
EnumDirTreeW
EnumerateLoadedModules
EnumerateLoadedModules64
EnumerateLoadedModulesEx
EnumerateLoadedModulesExW
EnumerateLoadedModulesW64
ExtensionApiVersion
FindDebugInfoFile
FindDebugInfoFileEx
FindDebugInfoFileExW
FindExecutableImage
FindExecutableImageEx
FindExecutableImageExW
FindFileInPath
FindFileInSearchPath
GetSymLoadError
GetTimestampForLoadedLibrary
ImageDirectoryEntryToData
ImageDirectoryEntryToDataEx
ImageNtHeader
ImageRvaToSection
ImageRvaToVa
ImagehlpApiVersion
ImagehlpApiVersionEx
MakeSureDirectoryPathExists
MiniDumpReadDumpStream
MiniDumpWriteDump
RangeMapAddPeImageSections
RangeMapCreate
RangeMapFree
RangeMapRead
RangeMapRemove
RangeMapWrite
RemoveInvalidModuleList
ReportSymbolLoadSummary
SearchTreeForFile
SearchTreeForFileW
SetCheckUserInterruptShared
SetSymLoadError
StackWalk
StackWalk64
StackWalkEx
SymAddSourceStream
SymAddSourceStreamA
SymAddSourceStreamW
SymAddSymbol
SymAddSymbolW
SymAddrIncludeInlineTrace
SymCleanup
SymCompareInlineTrace
SymDeleteSymbol
SymDeleteSymbolW
SymEnumLines
SymEnumLinesW
SymEnumProcesses
SymEnumSourceFileTokens
SymEnumSourceFiles
SymEnumSourceFilesW
SymEnumSourceLines
SymEnumSourceLinesW
SymEnumSym
SymEnumSymbols
SymEnumSymbolsEx
SymEnumSymbolsExW
SymEnumSymbolsForAddr
SymEnumSymbolsForAddrW
SymEnumSymbolsW
SymEnumTypes
SymEnumTypesByName
SymEnumTypesByNameW
SymEnumTypesW
SymEnumerateModules
SymEnumerateModules64
SymEnumerateModulesW64
SymEnumerateSymbols
SymEnumerateSymbols64
SymEnumerateSymbolsW
SymEnumerateSymbolsW64
SymFindDebugInfoFile
SymFindDebugInfoFileW
SymFindExecutableImage
SymFindExecutableImageW
SymFindFileInPath
SymFindFileInPathW
SymFromAddr
SymFromAddrW
SymFromIndex
SymFromIndexW
SymFromInlineContext
SymFromInlineContextW
SymFromName
SymFromNameW
SymFromToken
SymFromTokenW
SymFunctionTableAccess
SymFunctionTableAccess64
SymFunctionTableAccess64AccessRoutines
SymGetExtendedOption
SymGetFileLineOffsets64
SymGetHomeDirectory
SymGetHomeDirectoryW
SymGetLineFromAddr
SymGetLineFromAddr64
SymGetLineFromAddrW64
SymGetLineFromInlineContext
SymGetLineFromInlineContextW
SymGetLineFromName
SymGetLineFromName64
SymGetLineFromNameW64
SymGetLineNext
SymGetLineNext64
SymGetLineNextW64
SymGetLinePrev
SymGetLinePrev64
SymGetLinePrevW64
SymGetModuleBase
SymGetModuleBase64
SymGetModuleInfo
SymGetModuleInfo64
SymGetModuleInfoW
SymGetModuleInfoW64
SymGetOmaps
SymGetOptions
SymGetScope
SymGetScopeW
SymGetSearchPath
SymGetSearchPathW
SymGetSourceFile
SymGetSourceFileChecksum
SymGetSourceFileChecksumW
SymGetSourceFileFromToken
SymGetSourceFileFromTokenW
SymGetSourceFileToken
SymGetSourceFileTokenW
SymGetSourceFileW
SymGetSourceVarFromToken
SymGetSourceVarFromTokenW
SymGetSymFromAddr
SymGetSymFromAddr64
SymGetSymFromName
SymGetSymFromName64
SymGetSymNext
SymGetSymNext64
SymGetSymPrev
SymGetSymPrev64
SymGetSymbolFile
SymGetSymbolFileW
SymGetTypeFromName
SymGetTypeFromNameW
SymGetTypeInfo
SymGetTypeInfoEx
SymGetUnwindInfo
SymInitialize
SymInitializeW
SymLoadModule
SymLoadModule64
SymLoadModuleEx
SymLoadModuleExW
SymMatchFileName
SymMatchFileNameW
SymMatchString
SymMatchStringA
SymMatchStringW
SymNext
SymNextW
SymPrev
SymPrevW
SymQueryInlineTrace
SymRefreshModuleList
SymRegisterCallback
SymRegisterCallback64
SymRegisterCallbackW64
SymRegisterFunctionEntryCallback
SymRegisterFunctionEntryCallback64
SymSearch
SymSearchW
SymSetContext
SymSetExtendedOption
SymSetHomeDirectory
SymSetHomeDirectoryW
SymSetOptions
SymSetParentWindow
SymSetScopeFromAddr
SymSetScopeFromIndex
SymSetScopeFromInlineContext
SymSetSearchPath
SymSetSearchPathW
SymSrvDeltaName
SymSrvDeltaNameW
SymSrvGetFileIndexInfo
SymSrvGetFileIndexInfoW
SymSrvGetFileIndexString
SymSrvGetFileIndexStringW
SymSrvGetFileIndexes
SymSrvGetFileIndexesW
SymSrvGetSupplement
SymSrvGetSupplementW
SymSrvIsStore
SymSrvIsStoreW
SymSrvStoreFile
SymSrvStoreFileW
SymSrvStoreSupplement
SymSrvStoreSupplementW
SymUnDName
SymUnDName64
SymUnloadModule
SymUnloadModule64
UnDecorateSymbolName
UnDecorateSymbolNameW
WinDbgExtensionDllInit





#include <stdio.h>
#include <Windows.h>
#include <DbgHelp.h>
#pragma comment(lib,"dbghelp.lib")

#include "EnumGlobal_PdbSym.h"

// Symbol tag values compared against the result of a TI_GET_SYMTAG query
// (the constructor in this file tests the result against SymTagUDT).
// Enumerators are implicitly numbered from 0, so SymTagUDT == 11.
// NOTE(review): presumably a local copy of the SymTagEnum from the DIA/DbgHelp
// headers (cvconst.h); if the SDK headers in use already declare it, this is a
// redefinition - confirm against the build configuration.
enum SymTagEnum
{
    SymTagNull,
    SymTagExe,
    SymTagCompiland,
    SymTagCompilandDetails,
    SymTagCompilandEnv,
    SymTagFunction,
    SymTagBlock,
    SymTagData,
    SymTagAnnotation,
    SymTagLabel,
    SymTagPublicSymbol,
    SymTagUDT,              // 11: user-defined type (struct, class, union)
    SymTagEnum,
    SymTagFunctionType,
    SymTagPointerType,
    SymTagArrayType,
    SymTagBaseType,
    SymTagTypedef,
    SymTagBaseClass,
    SymTagFriend,
    SymTagFunctionArgType,
    SymTagFuncDebugStart,
    SymTagFuncDebugEnd,
    SymTagUsingNamespace,
    SymTagVTableShape,
    SymTagVTable,
    SymTagCustom,
    SymTagThunk,
    SymTagCustomType,
    SymTagManagedType,
    SymTagDimension,
    SymTagMax               // one past the last tag listed here; not a tag itself
};

// Add MessageBoxTimeout support.
// The ANSI and wide variants are declared by hand with C linkage; the final
// parameter is the timeout in milliseconds (the calls in this file pass 10000).
// NOTE(review): presumably these are the user32.dll exports that the SDK
// headers do not declare - confirm the import library in use resolves them.
extern "C"
{
    int WINAPI MessageBoxTimeoutA(IN HWND hWnd, IN LPCSTR lpText, IN LPCSTR lpCaption, IN UINT uType, IN WORD wLanguageId, IN DWORD dwMilliseconds);
    int WINAPI MessageBoxTimeoutW(IN HWND hWnd, IN LPCWSTR lpText, IN LPCWSTR lpCaption, IN UINT uType, IN WORD wLanguageId, IN DWORD dwMilliseconds);
};
// Select the variant that matches the project's character set.
#ifdef UNICODE
#define MessageBoxTimeout MessageBoxTimeoutW
#else
#define MessageBoxTimeout MessageBoxTimeoutA
#endif

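// Empty zero-argument overload kept from the original listing; nothing in
// this file calls it.
void CALLBACK EnumTypesByNameProc()
{
}

// Type-enumeration callback (the shape used by the commented-out
// SymEnumTypesByName call in the constructor). Prints the name of each type
// it is handed.
//
// pSymInfo    - symbol record for the enumerated type; ModBase and TypeIndex
//               are read from it.
// SymbolSize  - unused.
// UserContext - unused.
// Returns TRUE so that enumeration continues.
BOOL CALLBACK EnumTypesByNameProc(
    __in PSYMBOL_INFO pSymInfo,
    __in ULONG SymbolSize,
    __in_opt PVOID UserContext
    )
{
    (void)SymbolSize;
    (void)UserContext;

    if (pSymInfo == NULL)
    {
        return TRUE;
    }

    const HANDLE hProcess = GetCurrentProcess();

    // Number of members of the type. Queried as in the original listing but
    // not printed; the value stays 0 if the query fails.
    UINT ElementCount = 0;
    if (!SymGetTypeInfo(hProcess, pSymInfo->ModBase, pSymInfo->TypeIndex, TI_GET_CHILDRENCOUNT, (PVOID)&ElementCount))
    {
        ElementCount = 0;
    }
    (void)ElementCount;

    // TI_GET_SYMNAME hands back a buffer allocated by dbghelp. Only print it
    // when the query succeeded (the original also printed the still-NULL
    // pointer through %s before the query), and release it afterwards so the
    // callback does not leak one buffer per enumerated type.
    WCHAR* pBuffer = NULL;
    if (SymGetTypeInfo(hProcess, pSymInfo->ModBase, pSymInfo->TypeIndex, TI_GET_SYMNAME, (PVOID)&pBuffer) && pBuffer != NULL)
    {
        wprintf(L"EnumTypesByNameProc: %s %p\r\n", pBuffer, pBuffer);
        LocalFree(pBuffer);
    }

    return TRUE;
}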

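// On-disk image whose symbols the constructor below loads.
#define szNtdllPathName "C:\\windows\\system32\\ntdll.dll"

// Demonstration constructor. It
//   1. initialises the dbghelp symbol handler for the current process,
//   2. loads symbols for ntdll.dll,
//   3. looks up the type "_EPROCESS" and prints every child's type id,
//      offset and name,
//   4. if the type is a UDT, walks the symbols that follow "ZwOpenProcess"
//      with SymNext and prints their names.
// All output goes to stdout; two failures also raise a 10-second message box.
//
// NOTE(review): dbghelp functions are single-threaded; callers that use
// dbghelp from several threads must serialise access themselves.
EnumGlobal_PdbSym::EnumGlobal_PdbSym()
{
    const HANDLE hProcess = GetCurrentProcess();

    // SYMOPT_DEBUG makes dbghelp report its symbol-loading steps as debug output.
    SymSetOptions(SymGetOptions() | SYMOPT_DEBUG);

    // fInvadeProcess = TRUE: dbghelp enumerates the modules already loaded in
    // this process and loads symbols for each of them.
    // NOTE(review): PDBs found under the search path are parsed in-process.
    // Directories created directly under C:\ often inherit ACLs that let other
    // local users write to them - confirm that C:\symbols is writable only by
    // the account running this code.
    BOOL br = SymInitializeW(hProcess, L"C:\\symbols", TRUE);
    printf("SymInitializeW br=%d \r\n", br);

    // Size of the image on disk. 0 is passed on if it cannot be determined,
    // instead of forwarding the error value of GetFileSize as a size.
    DWORD DllSize = 0;
    HANDLE hFile = CreateFileA(szNtdllPathName, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL);
    if (hFile != INVALID_HANDLE_VALUE)
    {
        const DWORD fileSize = GetFileSize(hFile, NULL);
        if (fileSize != INVALID_FILE_SIZE)
        {
            DllSize = fileSize;
        }
        CloseHandle(hFile); // the original never closed this handle
    }
    else
    {
        printf("CreateFileA failed, GetLastError Code=%lu \r\n", GetLastError());
    }

    // ntdll.dll is already mapped into every process, so take its base from the
    // loader instead of issuing another LoadLibrary call.
    DWORD64 modBase = (DWORD64)(ULONG_PTR)GetModuleHandleA("ntdll.dll");
    DWORD64 BaseofDll = 0; // when the image being loaded is a PDB file this must not be 0

    DWORD64 dw64Ret = SymLoadModuleEx(hProcess, NULL, szNtdllPathName, NULL, BaseofDll, DllSize, NULL, 0);
    // A zero return with ERROR_SUCCESS means the module was already loaded,
    // which is not a failure.
    if (dw64Ret == 0 && GetLastError() != ERROR_SUCCESS)
    {
        MessageBoxTimeoutW(NULL, L"SymLoadModuleEx", L"ERROR44", MB_OK, 0, 10000);
        return;
    }
    // DWORD64 is printed with a 64-bit specifier; %p is only correct for
    // pointer-sized arguments.
    printf("SymLoadModuleEx dw64Ret=0x%llX \r\n", (unsigned long long)dw64Ret);

    SYMBOL_INFO symInfo = {0};
    symInfo.SizeOfStruct = sizeof(SYMBOL_INFO);
    //+0x390 SeAuditProcessCreationInfo : _SE_AUDIT_PROCESS_CREATION_INFO

    // NOTE(review): _EPROCESS is a kernel type; this lookup only succeeds if the
    // symbols loaded for modBase happen to describe it - confirm against the
    // PDB actually in use.
    br = SymGetTypeFromName(hProcess, modBase, "_EPROCESS", &symInfo);
    if (!br)
    {
        const DWORD err = GetLastError();
        printf("Line 114:GetLastError Code=%lu ,%lX \r\n", err, err);
        return;
    }

    // Number of children (members) of the type.
    UINT32 ElementCount = 0;
    if (!SymGetTypeInfo(hProcess, symInfo.ModBase, symInfo.TypeIndex, TI_GET_CHILDRENCOUNT, (PVOID)&ElementCount))
    {
        printf("TI_GET_CHILDRENCOUNT failed, GetLastError Code=%lu \r\n", GetLastError());
        return;
    }

    // The count comes from symbol data, so make sure the allocation size
    // computed from it cannot wrap around.
    const SIZE_T maxChildren = (((SIZE_T)-1) - sizeof(TI_FINDCHILDREN_PARAMS)) / sizeof(ULONG);
    if (ElementCount > maxChildren)
    {
        printf("Child count %u is too large \r\n", ElementCount);
        return;
    }
    const SIZE_T cbFind = sizeof(TI_FINDCHILDREN_PARAMS) + (SIZE_T)ElementCount * sizeof(ULONG);
    TI_FINDCHILDREN_PARAMS *pCP = (TI_FINDCHILDREN_PARAMS*)malloc(cbFind);
    if (pCP == NULL)
    {
        printf("malloc failed for %u children \r\n", ElementCount);
        return;
    }
    memset(pCP, 0, cbFind);
    pCP->Count = ElementCount;

    br = SymGetTypeInfo(hProcess, symInfo.ModBase, symInfo.TypeIndex, TI_FINDCHILDREN, pCP);
    //br= SymEnumTypesByName(GetCurrentProcess(),NULL,"*!*",EnumTypesByNameProc,NULL); // works
    if (!br)
    {
        const DWORD err = GetLastError();
        printf("Line 128:GetLastError Code=%lu ,%lX \r\n", err, err);
        printf("SymGetTypeInfo(TI_FINDCHILDREN) br=%d \r\n", br);
        free(pCP);
        return;
    }
    printf("\r\n");

    for (UINT32 i = 0; i < ElementCount; ++i)
    {
        // ChildId is an array of type ids and must be indexed per child; the
        // listing as posted had lost the "[i]" subscript.
        const ULONG childId = pCP->ChildId[i];
        printf("[%02u] TYPEID=%lu ", i, childId);

        // Children without an offset leave dwOffset at 0.
        DWORD dwOffset = 0;
        SymGetTypeInfo(hProcess, symInfo.ModBase, childId, TI_GET_OFFSET, &dwOffset);

        WCHAR *pNameW = NULL;
        if (SymGetTypeInfo(hProcess, symInfo.ModBase, childId, TI_GET_SYMNAME, &pNameW))
        {
            wprintf(L"%08X:Name is %s\n", dwOffset, pNameW);
            LocalFree(pNameW); // the name buffer is allocated by dbghelp
        }
        else
        {
            printf("GetLastError Code=%lu \r\n", GetLastError());
        }
    }
    free(pCP); // the original leaked this buffer

    DWORD symTag = 0;
    br = SymGetTypeInfo(hProcess, modBase, symInfo.TypeIndex, TI_GET_SYMTAG, &symTag);
    if (!br)
    {
        MessageBoxTimeoutW(NULL, L"SymGetTypeInfo", L"ERROR33", MB_OK, 0, 10000);
        printf("SymGetTypeInfo br=%d \r\n", br);
        return;
    }

    // SymTagUDT (11): user-defined type such as struct, class or union.
    if (symTag == SymTagUDT)
    {
        // SYMBOL_INFO ends in a one-character Name array, so the record needs
        // trailing storage and MaxNameLen set before dbghelp can return a name.
        // The original passed a bare SYMBOL_INFO and printed the narrow Name
        // field through a wide-character format.
        ULONG64 symStorage[(sizeof(SYMBOL_INFO) + MAX_SYM_NAME * sizeof(CHAR) + sizeof(ULONG64) - 1) / sizeof(ULONG64)];
        memset(symStorage, 0, sizeof(symStorage));
        PSYMBOL_INFO pSym = (PSYMBOL_INFO)symStorage;
        pSym->SizeOfStruct = sizeof(SYMBOL_INFO);
        pSym->MaxNameLen = MAX_SYM_NAME;

        if (SymFromName(hProcess, "ZwOpenProcess", pSym))
        {
            // Walk the symbols that follow ZwOpenProcess; SymEnumSymbols is the
            // alternative for listing global symbols.
            while (SymNext(hProcess, pSym))
            {
                printf(" symInfo.Name=%s \r\n", pSym->Name);
            }
        }
        else
        {
            printf("SymFromName failed, GetLastError Code=%lu \r\n", GetLastError());
        }
    }
    return;
}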

// Destructor with an empty body.
// NOTE(review): the constructor calls SymInitializeW for the current process,
// but nothing here calls SymCleanup, so the symbol handler stays allocated
// until the process exits. Pairing the two needs a member that records
// whether initialisation succeeded; the class declaration is not shown here.
EnumGlobal_PdbSym::~EnumGlobal_PdbSym()
{

}


